Introduction The simplest OES API is the one that allows you to ask "is this user authorized to do X?" Also known as isAccessAllowed. As I mentioned back in...
Introduction The simplest OES API is the one that allows you to ask "is this user authorized to do X?" Also known as isAccessAllowed. As I mentioned back in March OES also has a couple of calls that allow you to speed things up by making bulk calls... One (isBulkAcessAllowed / isBulkAccessAllowed) allows you to send a batch of action/resource and context calls and get a list of true/false responses. The other (isChildResourceAccessAllowed / isChildResourceAccessAllowed)...
Introduction The simplest OES API is the one that allows you to ask "is this user authorized to do X?" Also known as isAccessAllowed. As I mentioned back in March OES also has a couple of calls...
First in the interest of full disclosure: this wasn't my idea. It's exactly the sort of thing I usually come up with but in this case someone else suggested it...
First in the interest of full disclosure: this wasn't my idea. It's exactly the sort of thing I usually come up with but in this case someone else suggested it to me. One of the most powerful things about OES is the ability to write policies on attributes. I talked about this in a post about writing OES policies back in December, but for those of you that missed that post here's a cliff's notes version: Objects can have attributes hanging off of them So can Roles, Groups, and...
First in the interest of full disclosure: this wasn't my idea. It's exactly the sort of thing I usually come up with but in this case someone else suggested it to me. One of the most powerful...
My recent posts about SAML got me thinking about a couple of common misconceptions I see from customers surrounding the technology. The first and most important...
My recent posts about SAML got me thinking about a couple of common misconceptions I see from customers surrounding the technology. The first and most important misconception is articulated by this quote: "there is no SAML Fairy" - Brian Eidelman In other words there's nothing magical about SAML. Browsers don't "speak" SAML. SAML isn't like an HTTP cookie (and it's not like a chocolate chip one either, but I digress). SAML is just a means to convey identity from one place to...
My recent posts about SAML got me thinking about a couple of common misconceptions I see from customers surrounding the technology. The first and most important misconception is articulated by...
Introduction A Sales Consultant asked for my opinion in a scenario where a customer wants to propagate end user credentials all the way from OAM (Oracle Access...
Introduction A Sales Consultant asked for my opinion in a scenario where a customer wants to propagate end user credentials all the way from OAM (Oracle Access Manager) to web services responsible for executing business logic. In the customer flow, after being authenticated by OAM, the end user is redirected to a portal UI. The UI makes calls to OSB (Oracle Service Bus) which in turn invokes web services deployed on WebLogic Server. One of use case driving requirements is...
Introduction A Sales Consultant asked for my opinion in a scenario where a customer wants to propagate end user credentials all the way from OAM (Oracle Access Manager) to web services responsible for...
The other day I blogged about database 11g's default password policies and how to disable them for your test environment. Today my passwords for OID expired and...
The other day I blogged about database 11g's default password policies and how to disable them for your test environment. Today my passwords for OID expired and I thought I'd pass along the same information for OID in case anyone anyone needs that information too. The first thing you should know is that there is no oidadmin in OID 11g. I'm going to ignore the GUI tools here and just document how to disable the policies via ldapmodify. First find your default password policy...
The other day I blogged about database 11g's default password policies and how to disable them for your test environment. Today my passwords for OID expired and I thought I'd pass along the...
I recently booted a VM that I hadn't used in some time and found this error appeared when I fired up sqlplus ORA-28002: the password will expire within 7 days...
I recently booted a VM that I hadn't used in some time and found this error appeared when I fired up sqlplus ORA-28002: the password will expire within 7 days From what I've been able to gather Oracle database 11g sets up a password expiration policy by default. This isn't usually a problem for me since I usually create a VM, work on it for a week or six before moving on to another project. But this VM is special - it's my combined IAM stack demo VM from OpenWorld and I need...
I recently booted a VM that I hadn't used in some time and found this error appeared when I fired up sqlplus ORA-28002: the password will expire within 7 days From what I've been able to gather...
Introduction The month of Kerberos continues I got a frantic call late last week asking for help getting WebLogic and Kerberos working. WebLogic would be...
Introduction The month of Kerberos continues I got a frantic call late last week asking for help getting WebLogic and Kerberos working. WebLogic would be deployed on Windows but, unlike in my previous post, this customer wanted IE to talk directly to WebLogic with no IIS server in between. Easy enough, right? It is, but there are some nuances. There are official docs available from download.oracle.com, but some people find them confusing. These are a bit simplified and are...
Introduction The month of Kerberos continues I got a frantic call late last week asking for help getting WebLogic and Kerberos working. WebLogic would be deployed on Windows but, unlike in my previous...
Seems like it's the month of Kerberos. We often see customers wanting authenticate users to Oracle Access Manager (OAM) with Kerberos, and fall back to HTML...
Seems like it's the month of Kerberos. We often see customers wanting authenticate users to Oracle Access Manager (OAM) with Kerberos, and fall back to HTML forms if the Kerberos authentication fails. There's an easy way to set this up, but it's not obvious how to do it. I'm just going to describe the flow here, but that should be enough to help you figure out how to do the actual knob turning yourself. If you run into trouble feel free to ask a question here. user...
Seems like it's the month of Kerberos. We often see customers wanting authenticate users to Oracle Access Manager (OAM) with Kerberos, and fall back to HTML forms if the Kerberos authentication fails....
...or how Josh stole my idea for a post in one paragraph. In a recent post Josh said There is another approach that, unfortunately, is rather common - use a Web...
...or how Josh stole my idea for a post in one paragraph. In a recent post Josh said There is another approach that, unfortunately, is rather common - use a Web Gate in front of WebLogic Server and use a very weak identity asserter or no SSPI connector at all. I'd started writing this post before Josh wrote that and figured I'd post this anyway in hopes that my longer and more detailed write up is helpful to someone unfamiliar with what all of the terms and acronyms mean....
...or how Josh stole my idea for a post in one paragraph. In a recent post Josh said There is another approach that, unfortunately, is rather common - use a Web Gate in front of WebLogic Server and...
