Friday, May 13, 2011

OAM 11g Authentication as a Webservice

A somewhat advanced topic for those who want to dive deep into OAM.

Check out other good blogs from Eric and Chris to understand the nitty-gritty of how SSO works.

A common scenario for an access manager fulfilling authn/authz services is for a client to pass the necessary credentials to an agent, and the agent in turn passes the information to OAM via the HTTP/OAP protocols. The agents used here are of course the WebGates and the AccessGate: the WebGate is specific to the web server, while the AccessGate is the customized agent for a client application that may or may not have a web server.
Now what happens if the client does not have a web server that the Oracle agents are normally compatible with? The client is left either to use the AccessGate, which may involve a lot of customization, or simply not to use Access Manager as its solution.

What if there were a way to remove the client's web server dependency on the WebGate/AccessGate and still provide a standard way of communicating with Oracle Access Manager?
The solution is to expose OAM as a web service, while the mechanics required for a successful OAM authentication remain unchanged. In other words, the agent (AccessGate) is moved to the back end, probably on the same box as the OAM server or on another box.

So what exactly triggers the OAM authentication? The following diagram depicts the scenario described above.

The request for a resource can be made in two ways:

  1. From a web client such as a browser
  2. From a standalone client such as a Java application

Note that in neither case does the client require a WebGate or AccessGate.

Before I jump into the details of the above, some SOAP features worth mentioning (some of which you may already be aware of) are:
SOAP
  1. Uses standard internet HTTP
  2. Uses XML to send and receive messages
  3. Platform independent
  4. Language independent
  5. A protocol for exchanging information in a decentralized and distributed environment
  6. SOAP is one of the key features of Microsoft's .NET architecture, especially Web Services


Web services describe a standardized way of integrating Web-based applications using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol backbone. XML is used to tag the data, SOAP is used to transfer the data, WSDL is used for describing the services available and UDDI is used for listing what services are available. Used primarily as a means for businesses to communicate with each other and with clients, Web services allow organisations to exchange data without intimate knowledge of each other's IT systems behind the firewall.


Flow in a nutshell



  1. The client requests a resource.
  2. The request is submitted to a proxy client, which in turn makes a SOAP call to OAMAuthService, a web service.
  3. This service calls the OAM 10g ASDK API.
  4. The ASDK API invokes the installed AccessGate to communicate with the OAM server.
  5. The OAM server performs the authentication and passes an encrypted token back to the client.



Components

The components involved in the above architecture are

OAMServer: The emphasis here is an OAM 11g server, which provides the authentication service.

AccessGate: The AccessGate is the building block for all WebGates. Unlike a WebGate, which is always associated with a web server, an AccessGate is used by a standalone or non-web application, e.g. a Java program, an EJB or a C program. AccessGates are the only way to communicate with the OAM server.

OAMAuthService: A Java file containing the implementation of the web service APIs. These APIs call the AccessGate ASDK API, which communicates with the AccessGate, which in turn talks to the OAM server for the authentication check.

WebServiceClientProxy: A Java proxy used to make web service calls on OAMAuthService. All web and non-web applications instantiate this Java class to use the OAM auth services.

OAMAuthServlet: A sample servlet that instantiates the WebServiceClientProxy, collects the username and password and submits them to the OAM server via the WebServiceClientProxy.


Scope
The scope is limited to session token validation between agents of the same generation, i.e. a token obtained from one 10g agent can be used with another 10g agent. A 10g token cannot be used with an 11g agent. This is a limitation of the current release.
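As an added example (not the article's sample code), here is a minimal OAMAuthService-style class that wraps the OAM 10g ASDK calls behind steps 3 to 5 of the flow above, plus the token re-validation that the Scope section restricts to same-generation agents. Class, method and parameter names are my own; the com.oblix.access types and the "userid"/"password" credential keys are those of the 10g Java ASDK, and an AccessGate is assumed to be installed and configured on the host running this service.

```java
import java.util.Hashtable;
import com.oblix.access.ObAccessException;
import com.oblix.access.ObConfig;
import com.oblix.access.ObResourceRequest;
import com.oblix.access.ObUserSession;
/** Back-end service class: the SOAP layer would expose these two methods. */
public class OAMAuthService {
    // The ASDK is initialised once per JVM; it reads the local AccessGate's
    // configuration from its install directory. Call ObConfig.shutdown() on undeploy.
    static {
        try {
            ObConfig.initialize();
        } catch (ObAccessException e) {
            throw new ExceptionInInitializerError(e);
        }
    }
    /**
     * Runs the authentication that steps 3 to 5 describe and returns the
     * encrypted session token, or null if the login is rejected.
     * resourceUrl uses the ASDK form, e.g. "//host.example.com/protected/app" (assumed host).
     */
    public String authenticate(String resourceUrl, String userId, String password) {
        try {
            ObResourceRequest res = new ObResourceRequest("http", resourceUrl, "GET");
            if (!res.isProtected()) {
                return null;                  // no policy: nothing to authenticate against
            }
            Hashtable<String, String> creds = new Hashtable<>();
            creds.put("userid", userId);      // credential keys expected by the
            creds.put("password", password);  // Basic over LDAP scheme
            ObUserSession session = new ObUserSession(res, creds);
            if (session.getStatus() != ObUserSession.LOGGEDIN) {
                return null;                  // bad credentials or policy denial
            }
            return session.getSessionToken(); // the token handed back to the client
        } catch (ObAccessException e) {
            return null;                      // treat ASDK/server errors as a failed login
        }
    }
    /** Re-validates a token; only tokens minted by a same-generation (10g) agent verify. */
    public boolean isTokenValid(String token) {
        try {
            return new ObUserSession(token).getStatus() == ObUserSession.LOGGEDIN;
        } catch (ObAccessException e) {
            return false;
        }
    }
}
```

Because the username and password now travel inside a SOAP message from the proxy client to this service, the SOAP endpoint itself must be TLS-protected and reachable only by the intended clients; the ASDK leg to the OAM server is still secured by the AccessGate's own transport mode.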

Sample Code
https://www.samplecode.oracle.com/tracker/tracking/linkid/prpl1004?id=S757

The sample code folder also contains a JDeveloper IDE project file (helpful for those who would like to view and deploy from an IDE).

I hope you have enjoyed this article; please leave comments if you have any.

Follow derick_leo on Twitter




Wednesday, May 11, 2011

Tool Talk Webcast: Balancing Strong Authentication and Context-aware Security

On May 4th, Mark Karlstrand presented a webcast on how to augment strong authentication with layered or context-aware security. The replay of the webcast is available from the SANS website (note you will have to register a SANS account in order to view the replay).
Here is an interesting blog on how Symantec exposed a security hole at Facebook, where Facebook applications were accidentally leaking access to third parties.