Showing posts from 2012

Configuring Oracle OIF for SAML SSO

Here is a quick how-to on configuring Oracle Identity Federation (OIF) as the SAML Identity Provider for

This turns out to be surprisingly easy to set up. For pre-requisites you should have the following in place:

It is easiest if your OIF instance is configured to use POST SAML bindings by default. You can override this on a per-provider basis, but most often you will use POST, so it makes sense to set it as the default.

You need a account. Developer accounts are free and support SAML.

Create a user in your LDAP for testing SAML SSO. We will match on the user's "mail" attribute. Set this to a relevant value ( The mail attribute does not need to match the account id.

This example assumes we are using OAM as the authentication engine for OIF, and that both are referencing the same LDAP server.

Step 1 is to import your OIF IdP cert into  The cert is available at (wher…

Enabling SSL Termination for OAM and OAAM

Some components of the identity stack need to verify the user connected via SSL.

If you are proxying connections through OHS to your OAM servers you can set up OHS to terminate SSL and pass the connection through to OAM (usually running on port 14100). But there is a little trick needed to tell Weblogic that the connection is secure - even though it may be coming in over a non-secure port (14100).

Chris Johnson has a comprehensive write up on SSL offloading which covers the more complex scenario where an external load balancer is doing the termination.

The recipe I describe here is for the simpler case where OHS is terminating SSL and forwarding the connections to OAM via the mod_weblogic plugin.

First validate that your Weblogic domain has the Weblogic Plugin enabled (see Chris's article above). I found that it was enabled by default. YMMV.

Log in to /oamconsole and navigate to

System Configuration -> Access Manager -> Access Manager Settings

Edit your load balancer …

SAML Federation in OAM 11g R2

Oracle Access Manager 11G R2 adds SAML Relying Party support as a native feature. You no longer need to stand up and integrate OIF if you want to federate with another IdP.

SAML IdP support didn't quite make it into the first OAM R2 release - so you will still need OIF. This is on the roadmap - so stay tuned.

In this article I will show how easy it is to set up OAM as a SAML relying party.

I am using OIF configured as the sample IdP. See my previous article on setting up OIF to self federate (handy for experimenting). Assuming you have OIF configured you should be able to bring up the test SP SSO page: http://demo:7499/fed/user/testspsso

You will be challenged for credentials. After logging in you will see this:

Great. Now we have a working IdP we can proceed to setting up OAM as a relying party.

As a pre-requisite make sure you have federation services enabled in OAM 11G (System Configuration -> Available Services)

Bring up the OAM Console and navigate to System Configuration …

OAM R2 REST APIs for Policy Management

Oracle Access Manager 11g R2 provides several new REST APIs. This continues a trend to expose key functionality via Web Services.

The OAM Mobile and Social service provides APIs for Authentication, Authorization and User Profile services. I will cover those APIs in a future article (have a look here for examples) - but today I want to focus on the policy management APIs.

The Policy Administration API enables you to interact with OAM to create a variety of Policy objects such as Application Domains, Resources, AuthN Schemes, and AuthN/AuthZ policies. The policy model is shown below:

For example, if you want to retrieve all of the resources in an Application Domain you can perform a GET against the /resource URI:

curl -u USER:PASSWORD http://<SERVER>:<PORT>/oam/services/rest/"IAM Suite"

Note: The port above is where the OAM Admin Server is deployed (often 7001). It is NOT the managed server (oam_server1 - 14100 by …

Stupid Oracle vktm tricks to improve VirtualBox performance

In the process of creating a demo VirtualBox image running OEL 6 and the Oracle database I noticed the idle CPU consumption was quite high (8% on the guest, 35% on the host).

The culprit turned out to be the Oracle database vktm process. This is a time keeping process - and it calls gettimeofday() *very* frequently.  This can have a negative performance impact in virtualized environments.

A colleague who is a database whiz suggested the following trick:

sqlplus / as sysdba
alter system set "_high_priority_processes"='LMS*' scope=spfile; 

This removes the vktm process from the list of high priority processes.

After this change (you need to bounce the database) the idle CPU consumption comes down to 1-2% or so. A nice improvement!

It goes without saying that this is:

a) Totally unsupported
b) Probably dangerous. This will most certainly break things in the database - such as statistics, auditing, etc.
c) For demo/development use only. If you care about your d…

Getting bitten by SELinux and sshd authorized_keys

TL;DR: If you can't ssh using a public key, it could be a SELinux thing.

Logging in to a server with ssh using your public key is pretty handy. While setting up an OEL 6 VM I ran into a strange error where sshd would not let me log in with a public key, even though my key was in ~oracle/.ssh/authorized_keys. Password logins worked just fine.

Somewhat puzzling: I could ssh into the root account using my public key and without a password.

Nine times out of ten, this is a permission problem. Sshd is picky about the permissions on your home directory, ~/.ssh, and the authorized_keys file. I carefully checked this over - but in this instance permissions were not the problem.

The standard advice to debug SSH problems is to run sshd in the foreground with debugging turned on:

service sshd stop
/usr/sbin/sshd -dD

And of course my problem promptly disappeared. Hmmm, so it works in debug mode, but not when running as a daemon. It also works fine to ssh into the root account, but not ~…

Oracle Identity Federation: Federate yourself!

A customer asked me how they could test their OIF IdP configuration without standing up another relying party.

Since OIF can act in both roles (IdP and SP), it turns out you can configure OIF to federate against itself. It seems somewhat crazy, and it's not all that intuitive, so I thought I would include a few notes on how to set this up.

The key is that you must export OIF's SP and IdP metadata and re-import it back into OIF as configured federations. The "/fed/user/testspsso" test page can then be used to initiate the federation.

Here are the basics of how to accomplish this.

Step 1: Export your SP and IdP metadata. This is done from the em console:
Administration -> Security and Trust

Step 2: Import the exported metadata back into OIF:

Click on the "Choose File" button and select the metadata files you exported in step 1.

You should now have an IdP and SP configured under your federations.  You may want to edit your f…

Some useful shell scripts for setting up Oracle Linux

Do you frequently need to set up new instances of Oracle Linux to host the database, Weblogic, and IAM Middleware?

I nabbed some great scripts from my colleagues Chris Johnson (of Fusion Security fame) and Art Mattson. I threw in a couple of my own scripts (great artists steal, right?), and have assembled these as a github project.

If you are setting up a new system grab the scripts with:

Standard disclaimer: These scripts come with no warranty. Use at your own risk!

If you have some useful scripts that you would like to contribute drop me a line.

Integrating Oracle Identity Federation (OIF) with Service-Now

Oracle Identity Federation (OIF) provides SAML and OpenID federation services. OIF helps organizations to leverage SaaS as part of their IT strategy by providing identity federation.

As part of a recent POC we completed an OIF integration with Service-Now, a cloud-based IT Service Management platform.

John Andersen is a rock star consultant from Service-Now who worked with me on the integration. We have documented the procedure and included a few screen shots (see link below). Your environment will be a little different - but this recipe should get you going. Comments or corrections are welcome!

Reference: Configuring OIF and Service-Now