tag:blogger.com,1999:blog-4723197811614723818.comments2012-04-26T00:01:58.838-07:00Kavya Muthannahttp://www.blogger.com/profile/04145833105410994600noreply@blogger.comBlogger13125tag:blogger.com,1999:blog-4723197811614723818.post-21737364929876064402011-05-16T16:53:53.988-07:002011-05-16T16:53:53.988-07:00Ranjan..<br /><br />We will be supporting OAM 10g Plugin feature in the upcoming releases..<br /><br />I really cannot say right now it will be a OOTB feature as requirements varies from one customer to another..Derick Leohttp://www.blogger.com/profile/00556030325487304094noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-52761189336862098932011-05-15T22:56:19.145-07:002011-05-15T22:56:19.145-07:00Don, <br /><br />I believe you are referring to when the user closes the browser without clicking on logout link..<br /><br />In OAM11g we have a max session timeout property and default is something like 8 sessions..You can configure this to a smaller value.Derick Leohttp://www.blogger.com/profile/00556030325487304094noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-77024356142882312152011-05-13T12:48:31.791-07:002011-05-13T12:48:31.791-07:00Hi Derick,<br />So using this web service 11g feature to support my non-browser clients which can only pass base64 authorization headers to the webgate to do the authentication? These clients cannot handle the cookies and would be passing this Az header with every request.<br /><br />We&#39;ve done customization in 10g to support this by writing a web server plug-in but would like to leverage the out-of-the-box feature without taking this custom piece along with 11g upgrade.<br /><br />Looking forward for your comments.Ranjan Jainhttp://www.blogger.com/profile/14020377565906295641noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-27130133527139759422011-05-13T12:43:21.237-07:002011-05-13T12:43:21.237-07:00I found the post interesting but at the end I was a bit disappointed that you are still not using a complete OAM 11g solution. The other question I have is have you taken in to consideration how you are going to provide a logout solution? Using the 11g webgate plugin with OHS as a reverse proxy was a bit of a challenge understanding how to create a logout to destroy and inactivate the user session. If you don&#39;t take that in to consideration you need to make sure that your user doesn&#39;t create too many sessions and exceed the number defined in OAM.donhttp://www.blogger.com/profile/16237929004362414079noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-90484212507142906122011-05-10T08:03:00.423-07:002011-05-10T08:03:00.423-07:00Suneetha,<br /><br />I would definitely recommend taking a look at the Fusion Middleware Security Guide, which covers topics like how SSO integrates with applications running on WLS/FMW.<br /><br />You can find this guide here:<br />http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/toc.htm<br /><br />Additionally, take a look at the OAM 11g Admin guide. There is a section on integrating ADF applications with OAM 11g SSO, which should give you a sense of the general integration pattern for JEE or .NET applications. You can find this section here:<br /><br />http://download.oracle.com/docs/cd/E21764_01/doc.1111/e15478/opssadf.htm#BDCDHDEC<br /><br />We didn&#39;t cover this in the post in detail, but you can think about this as two step process: 1) identifying/authenticating the user and 2) asserting the user&#39;s identity to the application.<br /><br />In the first step, you will capture information about the original request so that you can redirect the user back to the originally requested resource once authentication successfully completes.<br /><br />Typically step #2 is how you identify the user to the application, and this is usually done by asserting the identity in an HTTP Header. <br /><br />Now if you want to have some synchronicity between OAM managed sessions and application sessions, you will need some infrastructure - such as Oracle Platform Security Services - to bridge between things managed in the application&#39;s context and things managed outside of the app context. This configuration is explained in detail in the ADF-OAM integration section of the docs I mention above.<br /><br />Thanks for the feedback on the samples. We will look at including some additional samples/examples with the product to make this easier to understand.Eric Leachhttp://www.blogger.com/profile/08625731894305941448noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-57832489198447375092011-05-02T09:14:32.811-07:002011-05-02T09:14:32.811-07:00If a simple J2EE or .Net Web Application participates in a OAM11g based SSO solution (with Webgate, AuthN and AuthZ policies all set)...<br /><br />1) how will this application know which user has logged in to OAM in order to be able to create its own application session so it can keep track of user&#39;s activities/data etc.<br /><br />2) with every request being redirected by Webgate to OAM Server back to Webgate and then back to the application, does it have any impact on the request parameters/attributes present in the original request submitted by the user&#39;s browser. How are request/page attributes etc kept intact and made available to the application?<br /><br />3) with OAM server being the session manager (handling user&#39;s session life cycle) when the user&#39;s session is destroyed in OAM Server due to reasons like idle timeout or hard-timeout how will the application know that it has to destroy the session on its end?<br /><br />Is there a document explaining with examples how this integration works. It will be nice if the product comes with some samples and code to clearly demonstrate integration of OAM with web applications developed on different platforms/languages and best practices around using the different response types (Header, Cookie, Session) and when to use AuthN responses vs Authz responses.Suneethahttp://www.blogger.com/profile/08387504596130263506noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-15104958821019663942011-04-22T10:36:27.759-07:002011-04-22T10:36:27.759-07:00Is 11g going to give me a functionality to create cookies for multiple domains instead of just one as in 10g? And if yes, then will I have the flexibility to allow SSO between these cross-DC cookies. I&#39;m not referring to federation here.<br /><br />Thanks<br />Ranjannetcrazyhttp://www.blogger.com/profile/14020377565906295641noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-69891582724556801402011-04-13T12:15:51.135-07:002011-04-13T12:15:51.135-07:00Ranjan,<br /><br />Chris did a great job of providing a more detailed flow on the Fusion Security Blog:<br />http://fusionsecurity.blogspot.com/2011/04/oam-11g-single-sign-on-and-oam-11g.html<br /><br />To briefly summarize, OAM 11g manages sessions through the combination of a server side session object (stored in a Coherence cache), a server side authentication token called OAM_ID, and a resource based session cookie called OAM_AuthnCookie which is set by the Webgate and is scoped to the host where that Webgate is configured. (That is, if you are using 11g Webgates. If you are using 10g Webgates then the resource session cookie is the ObSSOCookie, which is domain scoped.)<br /><br />The idea is to make it more difficult to get at all the bits of data someone would need to replay another user&#39;s session and to limit the scope of damage in the event that someone does replay a resource session cookie.<br /><br />As explained elsewhere (and far more eloquently that I could), the best way to protect against HTTP session hijacking is to require SSL/TLS or other mechanisms to properly encrypt/verify traffic.Eric Leachhttp://www.blogger.com/profile/08625731894305941448noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-13259318380582384392011-04-12T10:01:37.654-07:002011-04-12T10:01:37.654-07:00Hi Eric,<br />With 11g, there are quite many changes in the way cookie handling is done and the security around it. So, are we saying that tools like Firesheep would have a tough time in hijacking / re-using OAM cookie for a non-HTTPS request?<br /><br />Thanks<br />Ranjannetcrazyhttp://www.blogger.com/profile/14020377565906295641noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-29822044944940005462011-03-28T08:09:33.082-07:002011-03-28T08:09:33.082-07:00Wilfred - This certification is complete. As of the Oracle Fusion Middleware 11gR1 PS3 release, Oracle Forms is certified with OAM 11g. We also have the migration utilities and processes documented. You can choose upgrade or a coexistence model. Check out the FMW upgrade guide for IDM:<br />http://download.oracle.com/docs/cd/E17904_01/upgrade.1111/e10129/toc.htmEric Leachhttp://www.blogger.com/profile/08625731894305941448noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-51599337598352303202011-03-24T00:37:19.378-07:002011-03-24T00:37:19.378-07:00Would love to make the switch from 10.1.4 SSO to OAM 11, but still waiting for Oracle Forms support. Any news on an ETA?Wilfredhttp://www.blogger.com/profile/16041770673036839729noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-58936961191215655752011-03-23T00:13:34.266-07:002011-03-23T00:13:34.266-07:00Very informative. A nice Read !!Puneet Sharmahttp://www.blogger.com/profile/10808267427429632981noreply@blogger.comtag:blogger.com,1999:blog-4723197811614723818.post-29259460314031306682011-03-22T10:21:29.690-07:002011-03-22T10:21:29.690-07:00Eric,<br /><br />Great blog. <br />One quick comment on #4 in the SSO flow: Should we also mention that additional attributes can be added to the Session Cookie as well, along with the HTTP header?<br /><br />-SheshShesh Kondihttp://www.blogger.com/profile/00915916739541738959noreply@blogger.com