Posts

Showing posts from 2011

A Custom OIF Authentication Engine

Oracle Identity Federation (OIF) provides a flexible architecture that enables new authentication engines to be plugged in to the IdP flow.

There are a number of standard Authentication Engines that come out of the box such as Oracle Access Manager (OAM), LDAP and Oracle SSO (OSSO). Most deployments will use the OAM integration, but there are some scenarios where another mechanism is desired.

This posting will show you how to create and configure a custom authentication engine for OIF. In this example we will demonstrate the engine calling out to a simple web service that implements the authentication logic.

Authentication Flow

The authentication flow for our custom auth module is shown below.
Recall the Fedlet from our previous article, which is a lightweight SAML relying party implementation. The interesting bits here are the CustomAuth engine and the WebService that implements our authentication logic.

Project Sample Code

The sample code for this project can be viewed and download…

Using the Fedlet with Oracle Identity Federation (OIF)

The Fedlet was first introduced in Sun's OpenSSO product. In a nutshell, the Fedlet is a lightweight SAML relying party implementation that is "pre-baked" with all of the right metadata needed to join a federation.

Typically a large Identity Provider creates Fedlets for smaller partners that wish to leverage the provider's identity infrastructure. These partners do not need to know the intricacies of SAML, as the Fedlet is pre-configured. The Identity Provider packages a Fedlet as a Java .war file or a .NET assembly that the partner can deploy.

The Fedlet has a simple API that is used to log the user in at the Identity provider and obtain information about the federated user that the provider has chosen to share.

As a prerequisite, OIF must be installed, and the Fedlet distribution downloaded and unzipped. The latest version of the Fedlet is 11.1.1.3 and can be downloaded from Oracle eDelivery (look under Fusion Middleware).

You also need a servlet container to deploy …

A simple WebLogic startup script for interactive use

The Oracle IAM suite requires starting quite a few admin and managed server instances.

During development you often want to watch the server output to diagnose errors.

Here is a sample script to launch an Admin server and the associated managed servers. The output for each server will go to a new gnome-terminal window.

You might want to create a master shell script that invokes this script for each of your instances.


Apache reverse proxy with LDAP authentication

Here is a sample Apache conf file that demonstrates the following:
Reverse proxy to a backend Java application (/ui is proxied to an app running on port 9010).
LDAP authentication against a local LDAP server running on port 1389.
The REMOTE_USER header is set to the authenticated LDAP uid and passed to the backend Java application.

My purpose here is to have a super lightweight proxy that simulates having a "real" Access Management system in front of the application. This is strictly for development. The idea is to move authentication out of the application. In production the application is going to be fronted by a PEP (an Oracle OAM Webgate, for example) that will set the REMOTE_USER header based on the user's established SSO session.

Here is the config file

Running the Oracle RCU on OEL 6.1

The current Repository Creation Utility - RCU (11.1.1.5) - does not run successfully on Oracle Enterprise Linux (OEL) 6.1 - or at least it didn't on my VirtualBox image. You will get an error about a missing library (libXext).

You can get around this problem by editing the bin/rcu script and changing the JRE home directory to use the native JRE from the O/S instead of the one bundled with the RCU. For example: /usr/java/latest/jre.

Please note that OEL 6.1 is not yet certified for FMW and the above is *NOT SUPPORTED*. Use at your own risk.

An Oracle Startup Script

A script to start up Oracle on boot. Put this in your /etc/init.d directory, and run

chkconfig --add oracle

JQuery.proxy is your friend

I'm a JavaScript/jQuery newbie, and one of the first puzzles that I ran into was callback functions and the value of "this".

You set up a callback handler like so:


jQuery.getJSON('/address/list', this.myCallback);


And you expect that when your callback is invoked that "this" will be set to the value of the enclosing object:


myCallback: function(json) {
    this.doSomething(); // doesn't work: "this" is not the enclosing object here
},
doSomething: function() { /* ... */ }



What you (not so quickly) discover is that jQuery sets the value of "this" to the DOM object (or the element within the DOM that triggered the callback). It is *not* set to the object that holds your callback function!

The solution is to use jQuery's proxy wrapper:


jQuery.getJSON('/address/list', jQuery.proxy(this.myCallback, this));


You will want to read this and this for a full explanation.

BTW - none of these results floated to the top of the Google machine. If you are a newbie, you probably don't know that yo…

Adding an OpenID Relying Party to Oracle Identity Federation (OIF)

Since January of 2011 (11.1.1.4), OIF (Oracle Identity Federation) supports OpenID 2.0 both as a Relying Party and as an OpenID provider.


During a recent POC we demonstrated OpenID configured as an RP with Google as the OpenID Provider. What follows is a bit of a cookbook on configuring OIF to work with Google as the IdP.


OIF is administered through Enterprise Manager. Log on to the OIF EM console (for example, http://demo.com:7411/em).

Step 1: Enable OpenID RP support
Navigate to OIF Administration -> Service Provider
Select the OpenID 2.0 tab
Select Map User via Federated Identity
Unselect Map User via Attribute Query
Expand Protocol Settings
Click Enable OpenID 2.0 Support
Click APPLY to save your changes

NOTE: I found that you cannot unselect "Map User via Attribute Query". As long as you override this in the IdP-specific settings, this should not matter (i.e. I think this is the default if you don't set it in the IdP).

Step 2: Add Google as an IDP
In this step you will c…