Integrating Apex into Federated Environment using SAML 2.0 Jon Tupman Portalsoft Solutions Ltd
- Introduction
- Migration challenge
- Federated vs single sign-on
- SAML process flow
- Integrating Apex and WebLogic with MS ADFS
- Some pitfalls with SAML and Apex
- Summary
Current Application
- Internet-facing Apex application for a Government agency: personnel, event management, inventory control
- About 15,000 named users (1,000 concurrent at peak); 600 Apex pages spread across 3 apps
- Standard Apex architecture and authentication mechanism:
  - Oracle 10g Application Server: Oracle HTTP Server, OC4J and mod_plsql
  - Oracle 11g DB, Portal and BI Publisher
  - Oracle Single Sign-On (OSSO) and OID authentication
Current Application Architecture
Existing Federated Environment
Migration Challenge
- Migrate the Apex application to a federated environment using MS Active Directory Federation Services (ADFS).
- Provide the Apex users with access to the existing applications within the federated environment.
- Move authentication and password management away from Apex/OSSO/OID to ADFS.
- Migrate from Oracle 10g Application Server to Apex Listener and WebLogic Server.
- Authorisation control remains with the Apex app.
Benefits
- One username/password providing access to many applications via a landing page.
- Organisation-wide authentication policies and password management can be centrally enforced.
- Users gain access to new applications within the federated environment.
What is Federation?
- Different from plain single sign-on: federation gives SSO without the user's password ever reaching the application.
- Token-based authentication: the Identity Provider authenticates the user and issues a signed token; the Service Provider accepts it on the strength of a pre-established trust (exchanged certificates and metadata), so it can authenticate the user without holding any credentials of its own.
- Industry-standard protocols: SAML, OAuth, OpenID.
- Three actors: the subject (user), the Identity Provider (IdP) and the Service Provider (SP, or "relying party" in ADFS terms).
- "By 2016, Federated Single Sign-On will be the predominant SSO technology, needed by 80 percent of enterprises." Gartner, June 2013
SAML Explained
- Security Assertion Markup Language: an XML-based open standard (OASIS Committee standard) for securely exchanging identity information between web-based apps.
- XML digital signatures give the SP assurance of who issued the assertion and that it was not altered in transit; the SP verifies the signature against the IdP certificate published in the federation metadata.
- The SAML Response carries an assertion naming the authenticated subject plus one or more attributes (ADFS calls them claims); the assertion also carries conditions (validity window, intended audience) that the SP must check before trusting it.
SAML Process Flow
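The flow on this slide, worked through as code: the SP builds and encodes the AuthnRequest, and then applies the checks it must run on the Response before trusting the subject. This is an added example, not code from the presentation or from WebLogic; the entity IDs, URLs, claim names and the sample token are constructed, and the cryptographic XML-DSig check is left to the container's SAML2 Identity Asserter (this code only refuses an unsigned assertion). The clock-skew tolerance is there because the IdP and SP clocks drift in practice (see the pitfalls slide).

```python
"""SP side of the SAML 2.0 Web Browser SSO flow: build the AuthnRequest, then validate
the Response the IdP posts back. Added example; entity IDs, URLs and the token are made up."""
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://apex.example.gov/saml2/sp"              # assumed SP entity ID
IDP_ENTITY_ID = "http://adfs.example.gov/adfs/services/trust"   # assumed ADFS entity ID
ACS_URL = "https://apex.example.gov/saml2/sp/acs"               # assumed Assertion Consumer Service
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=2)                       # tolerated IdP/SP clock drift
NOW = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

def _iso(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse(s): return datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_authn_request(request_id, relay_state, issue_instant=NOW):
    """Step 1: the SP redirects the browser to the IdP with a deflated, base64 AuthnRequest
    (HTTP-Redirect binding); RelayState carries the deep link the user asked for."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_iso(issue_instant)}" '
           f'AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    co = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib header
    packed = co.compress(xml.encode()) + co.flush()
    return {"SAMLRequest": base64.b64encode(packed).decode(), "RelayState": relay_state}

def decode_saml_request(b64):
    """What the IdP does on receipt: inverse of the encoding above."""
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def sample_response(request_id, valid_from_min=-1, valid_for_min=5,
                    audience=SP_ENTITY_ID, signed=True):
    """Step 2: constructed stand-in for the Response ADFS POSTs to the ACS (signature is a placeholder)."""
    nb, na = _iso(NOW + timedelta(minutes=valid_from_min)), _iso(NOW + timedelta(minutes=valid_for_min))
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
  IssueInstant="{nb}" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>alice@example.gov</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{na}" InResponseTo="{request_id}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><saml:AttributeValue>alice@example.gov</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group"><saml:AttributeValue>apex_users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""

def validate_response(xml_text, expected_request_id, now=NOW):
    """Step 3: the SP-side checks. Raises ValueError on the first failure. XML-DSig verification
    against the IdP certificate is the container's job and is not reimplemented here."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    if root.get("InResponseTo") != expected_request_id:   # unsolicited or replayed response
        raise ValueError("InResponseTo does not match our AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one plaintext assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected assertion issuer")
    if a.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")
    cond = a.find("saml:Conditions", NS)
    if cond is None or SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("token issued for another SP")
    if cond.get("NotBefore") and now < _parse(cond.get("NotBefore")) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid (check IdP/SP clocks)")
    if now >= _parse(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id
            or now >= _parse(scd.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("bearer SubjectConfirmation does not match this exchange")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

def check(xml_text, expected_request_id, at_min=0):
    """Convenience wrapper: 'ok' or the reason the Response was rejected, evaluated at NOW + at_min."""
    try:
        validate_response(xml_text, expected_request_id, NOW + timedelta(minutes=at_min))
        return "ok"
    except ValueError as e:
        return str(e)
```

The order of the checks is deliberate: InResponseTo is tested before anything inside the assertion is parsed, so a replayed or unsolicited token is rejected cheaply, and the audience check comes before the time checks so that a token minted for a different SP is never accepted merely because it is fresh.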
ADFS-Weblogic-Apex Integration
Deployment Descriptor
Deployment descriptor (web.xml) snippet:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>securepages</web-resource-name>
    <description>accessible by authenticated users only</description>
    <url-pattern>/sso/*</url-pattern>
    <!-- No <http-method> elements: listing methods constrains only those listed
         (the original listed only GET), which would leave POST and the rest
         unauthenticated. Omitting the element protects every method. -->
  </web-resource-collection>
  <auth-constraint>
    <description>these are the roles who have access.</description>
    <role-name>auth_users</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <!-- CLIENT-CERT hands authentication to the WebLogic identity asserters
       (here the SAML2 Identity Asserter); the app never sees a password. -->
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>myrealm</realm-name>
</login-config>
```
Weblogic Provider Configuration
Weblogic Providers
Weblogic SAML Configuration
- Set up two WebLogic domains, IdP and SP, and deploy a simple Java servlet to each: a self-contained test bed for the SAML exchange before ADFS is involved.
- The IdP app has auth-method set to FORM; the SP app has auth-method set to CLIENT-CERT, so the SAML2 Identity Asserter supplies the identity.
- Follow the blog post by Edwin Biemond, "SSO with WebLogic 10.3.1 and SAML2": http://biemond.blogspot.co.uk/2009/05/sso-withweblogic-103-and-saml.html
User Migration
- Federated usernames will initially differ from the usernames stored in the Apex custom schema, so an automated means of mapping IdP usernames to SP usernames is needed.
- WebLogic lets a custom class replace the SAML2 Identity Asserter's default username mapper: extract the NameID and SAML attributes from the token, check for a username mismatch and migrate if required.
- A placeholder is created for new users in the Apex app; authorisation is still granted on the Apex side.
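The mapping logic described above, as an added example: it is not WebLogic's name-mapper plug-in API and not the presentation's code, but the decisions such a class has to make, written against an in-memory stand-in for the Apex user table. The ADFS claim types and sample users are assumed; the inputs (NameID and attributes) are what the SP has after validating the assertion. The security points it demonstrates are that linking is keyed on an immutable identifier rather than a mutable e-mail or display name, that an ambiguous legacy match is refused instead of guessed, and that a placeholder for an unknown user carries no roles.

```python
"""Mapping a federated SAML subject onto the username held in the Apex custom schema.
Added example of the logic a WebLogic custom name mapper would carry out; it is not
the WebLogic plug-in API, and the claim names and sample users are assumed."""
from dataclasses import dataclass, field
from typing import Optional

# ADFS claim types the relying-party trust is assumed to issue as SAML attributes.
SID_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


@dataclass
class ApexUser:
    username: str                           # as stored in the Apex custom schema
    email: str
    roles: list = field(default_factory=list)
    federated_id: Optional[str] = None      # immutable IdP identifier, set once linked
    placeholder: bool = False


class UserStore:
    """In-memory stand-in for the Apex user table."""
    def __init__(self, users):
        self.users = {u.username: u for u in users}

    def by_federated_id(self, fid):
        return next((u for u in self.users.values() if u.federated_id == fid), None)

    def by_email(self, email):
        return [u for u in self.users.values() if u.email.lower() == email.lower()]


def map_subject(store, name_id, attrs):
    """Return the Apex username for this subject, linking a legacy account on first
    sign-in or creating a role-less placeholder for a user Apex has never seen."""
    fid = (attrs.get(SID_CLAIM) or [None])[0]
    if not fid:                 # never link on a mutable value (display name, e-mail) alone
        raise ValueError("token carries no immutable identifier; refusing to map")
    user = store.by_federated_id(fid)
    if user:                    # already migrated: the stable id wins even if the e-mail changed
        return user.username
    email = (attrs.get(EMAIL_CLAIM) or [name_id])[0]
    matches = store.by_email(email)
    if len(matches) > 1:        # auto-linking to the wrong account is an account takeover
        raise ValueError(f"ambiguous legacy match for {email}; refusing to auto-link")
    if matches:                 # legacy Apex user: keep the Apex username and its roles
        user = matches[0]
    else:                       # unknown user: placeholder, authorisation stays with the Apex app
        user = ApexUser(username=name_id.lower(), email=email.lower(), placeholder=True)
        store.users[user.username] = user
    user.federated_id = fid
    return user.username
```

In the real deployment the store is the Apex schema and the link (federated_id) should be written in the same transaction that migrates the row, so a crash between the two cannot leave a user who can be matched twice.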
Who is Responsible for User and Password Management?
- Password management and policies now sit with the Identity Provider (ADFS).
- Basic user management with ADFS (e.g. username plus identifying user attributes), plus user registration.
- More detailed user information and authorisation details are held by the Service Providers.
BI Integration via SAML
- Oracle recommends that BI Analytics goes into its own WebLogic domain.
- It must be set up as its own SAML 2 Service Provider but (like any SP) shares the same federated user session.
- Configure the BI Analytics app to require authentication: extract and modify the deployment descriptor in analytics.ear; change <auth-method> to CLIENT-CERT and add an <auth-constraint> for the BI roles you want to grant access; re-package and redeploy the app to WebLogic.
- Tech note: Configure OBIEE to act as a SAML 2.0 Service Provider (Doc ID 1350125.1).
Issues with SAML Authentication
- SAML is fiddly to configure and difficult to debug: the tokens are signed, base64-encoded XML, and a failed check usually surfaces only as a generic error at the assertion consumer service.
- There is no built-in SAML logout in this stack; a logout that ends both the WebLogic and the ADFS session must be written from scratch, otherwise the IdP session transparently signs the user back in.
- Deep linking to non-public Apex pages is lost when authentication is required: the user lands on the assertion consumer service, not the page they asked for, unless the requested URL is carried through the exchange (RelayState) and honoured afterwards.
- Identity Provider and Service Provider servers must be time-synchronised: assertion validity windows are short, so clock drift produces spurious "not yet valid" or "expired" rejections.
- Idle timeouts are difficult to enforce, because the IdP session outlives the SP session and re-authenticates the user without prompting.
- The SAML standard is not implemented consistently by Oracle and Microsoft.
Summary
- Apex Listener combined with WebLogic Server opens up new possibilities for Apex applications.
- Federated SSO is now possible for Apex apps, e.g. SAML 2.0 and OAuth 2.
- Integration with Oracle Fusion Middleware, e.g. OAM.
Questions?
Contact Details Jon Tupman jon@portalsoft.co.uk