Wednesday, November 9, 2016

OAM Identity Context

Configuring Identity Context Service Components

1.    Configuring FMW
    The application to be protected must be deployed in a WebLogic Server domain built on 11.1.1 PS5 with the Oracle Platform Security Services (OPSS) Opatch for PS5, or on OFMW PS6 or later. The WebLogic Server domain in which the application runs must be protected by the Access Manager Identity Asserter, which validates the Identity Assertion received from Access Manager and starts the process of creating the Identity Context Runtime. The Access Manager Identity Asserter must be configured to detect the token type OAM_IDENTITY_ASSERTION. Also, a protected application that works with the Identity Context Runtime directly must be granted code source grants to work with the OPSS Attribute Service.
   
2.    Configuring OAM

    2.1        Configuring Identity Assertion
    Oracle recommends that you define Asserted Attributes in Access Manager Authorization policies for proper enforcement of end-to-end security between the Web and application tiers.
    In addition to ensuring trust between the WebGate protecting a Web resource and the application server container, the Identity Assertion (a SAML session token) is used to publish the Identity Context data as SAML attributes.
    Identity Assertion must be enabled and populated with the Asserted Attributes that the business logic expects to find in the Identity Context. It is configured on the Responses tab of an OAM policy and can be defined for both Authentication and Authorization policies.
   
    2.2        Configuring Federation Attributes
    Once a resource is protected by the Access Manager authentication scheme FederationScheme, Access Manager acts as the service provider and receives the SAML assertion provided by the federation partner. After the federation single sign-on (SSO) operation, the following attributes are present in the authenticated identity's Access Manager session:
   
    $session.attr.fed.partner (partner name)
    $session.attr.fed.nameidvalue (SAML NameID Value)
    $session.attr.fed.nameidformat (SAML NameID Format)
    $session.attr.fed.attr.name (value of the SAML attribute name from the assertion received from the partner)
   
   
    2.3        Configuring Session Attributes
    Access Manager session attributes can be used in configuring Identity Assertion by selecting oracle:idm:claims:session:attributes as the Asserted Attribute and setting the value to "attr-name=$session.attr.name", where attr-name is the name given to the Identity Context attribute and name is the name of the Access Manager session attribute. For example, asserting
   
    oracle:idm:claims:session:attributes with the value authn-strength=$session.attr.authnlevel
   
    creates the claim
   
    oracle:idm:claims:session:attributes:authn-strength
   
    whose value is the session's authnlevel attribute.
   
   
   
    2.4        Configuring Identity Store Attributes
    Identity Store attributes can be used to configure an Access Manager Identity Assertion by selecting oracle:idm:claims:ids:attributes as the Asserted Attribute and setting the value to "attr-name=$user.attr.name", where attr-name is the name given to the Identity Context attribute and name is the name of the Identity Store attribute. For example, asserting
   
    oracle:idm:claims:ids:attributes with the value first-name=$user.attr.fname
   
    creates the claim
   
    oracle:idm:claims:ids:attributes:first-name
   
    whose value is the user's fname attribute from the Identity Store.
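    The three virtual claims in 2.2, 2.3 and 2.4 share one rule: the asserted attribute names the namespace, the part before "=" becomes the claim suffix, and the $-variable after "=" selects where the value is read from. The following is an added example (not Oracle's code and not part of the original post) that resolves such Asserted Attribute rows the way the text describes and rejects rows whose variable does not match the namespace, which is the misconfiguration that otherwise shows up only as an empty claim at runtime. The session and user profile dictionaries are constructed sample data; in a real deployment those values come from the OAM session store and the configured identity store.

```python
import re

# Virtual claim namespaces described in 2.2-2.4 and the variable prefix each accepts in its value.
VIRTUAL_CLAIMS = {
    "oracle:idm:claims:session:attributes": "$session.attr.",
    "oracle:idm:claims:ids:attributes": "$user.attr.",
    "oracle:idm:claims:fed:attributes": "$session.attr.fed.attr.",
}

# "attr-name=$variable.path": attr-name becomes the claim suffix, the variable selects the source.
_SPEC = re.compile(r"^(?P<attr>[A-Za-z0-9_-]+)=(?P<var>\$[A-Za-z0-9_.]+)$")


def resolve_virtual_claim(asserted_attribute, value_spec, session, user):
    """Return (claim_name, claim_value) for one Asserted Attribute row of a policy Response.

    asserted_attribute: the claim chosen in the Response, e.g. oracle:idm:claims:session:attributes
    value_spec:         the configured value, e.g. "authn-strength=$session.attr.authnlevel"
    session:            dict of OAM session attributes; partner attributes live under session["fed.attr"]
    user:               dict of identity store (user profile) attributes
    """
    prefix = VIRTUAL_CLAIMS.get(asserted_attribute)
    if prefix is None:
        raise ValueError(f"{asserted_attribute} is not a virtual claim and takes no attr-name=... value")
    m = _SPEC.match(value_spec)
    if not m:
        raise ValueError(f"malformed value {value_spec!r}; expected attr-name=$...")
    attr, var = m.group("attr"), m.group("var")
    if not var.startswith(prefix):
        # e.g. $user.attr.* configured under the session namespace: nothing useful would be published
        raise ValueError(f"{asserted_attribute} needs a {prefix}<name> variable, got {var}")
    name = var[len(prefix):]
    if asserted_attribute == "oracle:idm:claims:fed:attributes":
        source = session.get("fed.attr", {})
    elif prefix == "$session.attr.":
        source = session
    else:
        source = user
    if name not in source:
        raise KeyError(f"{var}: attribute {name!r} is not present, the claim would be empty")
    return f"{asserted_attribute}:{attr}", source[name]


def is_valid_spec(asserted_attribute, value_spec):
    """True when the row is well formed for its namespace (independent of runtime data)."""
    try:
        resolve_virtual_claim(asserted_attribute, value_spec, {}, {})
    except ValueError:
        return False
    except KeyError:
        return True      # syntax is fine; only the empty sample data lacks the attribute
    return True


# Constructed sample data standing in for an OAM session and a user profile (not real OAM output).
SAMPLE_SESSION = {"authnlevel": 2, "fed.partner": "acme-idp", "fed.attr": {"mail": "alice@example.com"}}
SAMPLE_USER = {"fname": "Alice", "uid": "alice"}


def build_identity_context(rows, session=SAMPLE_SESSION, user=SAMPLE_USER):
    """Resolve every configured (asserted attribute, value) row into the claims OAM would publish."""
    return dict(resolve_virtual_claim(a, v, session, user) for a, v in rows)


if __name__ == "__main__":
    rows = [
        ("oracle:idm:claims:session:attributes", "authn-strength=$session.attr.authnlevel"),
        ("oracle:idm:claims:session:attributes", "idp=$session.attr.fed.partner"),
        ("oracle:idm:claims:ids:attributes", "first-name=$user.attr.fname"),
        ("oracle:idm:claims:fed:attributes", "email=$session.attr.fed.attr.mail"),
    ]
    for claim, value in build_identity_context(rows).items():
        print(f"{claim} = {value!r}")
```

    Running it prints the four resolved claim names with their values; feeding it a row such as "x=$session.attr.authnlevel" under oracle:idm:claims:ids:attributes is rejected up front instead of producing a claim with no value.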
   
3. Configuring OAAM
   
    3.1        Setting Up Oracle Adaptive Access Manager
   
    Set the following OAAM properties:
   
    oracle.oaam.idcontext.enabled = true
    bharosa.uio.default.registerdevice.enabled = true
    oaam.uio.oam.dap_token.version = v2.1
   
    3.2        Configuring Access Manager for OAAM Integration
   
    Protect the resource with the TAPScheme authentication scheme, which forces the user to authenticate through the OAAM authentication flow. Do not use OAAM Advanced or OAAM Basic.

    Authentication Scheme
    Name : TAPScheme
    Add the following challenge parameter:
    TAPOverrideResource=http://IAMSuiteAgent:80/oamTAPAuthenticate

    3.3     Validating Identity Context Data Published by OAAM
   
    oracle:idm:claims:risk:newdevice will be true after a login from a new device; false otherwise.

    oracle:idm:claims:risk:level increases after unsuccessful logins. To test this, attempt a few unsuccessful logins followed by a successful one and confirm that the published level is higher than for a clean login.

    oracle:idm:claims:risk:safeforuser will have true after a user successfully answers the challenge question.

    oracle:idm:claims:risk:fingerprint contains the user's device's fingerprint. By default, the fingerprint built out of HTTP header data is used; if that is not available, fingerprint data built out of Flash will be used. To test for different fingerprints, try different devices.


4.    Configuring OWSM
   
    Configure the security policy by modifying the Identity Context-enabled OWSM security policies to contain the propagate.identity.context element with a value of true.
   
    Configure the keystore and credential store used to sign the SAML assertion and messages: copy the updated keystore and credential store to your domain_home/config/fmwconfig/ directory.
   
5.    Configuring Oracle Entitlements Server
   
    Applications ask OES for an authorization decision through the OpenAZ PEP API. The snippet below is the page's original call sequence with the imports it needs added (package names assumed from the OpenAZ PEP API and the OES implementation class); subject, action and resource are supplied by the caller.

    import java.util.HashMap;
    import javax.security.auth.Subject;
    import org.openliberty.openaz.azapi.pep.PepRequest;
    import org.openliberty.openaz.azapi.pep.PepRequestFactory;
    import org.openliberty.openaz.azapi.pep.PepResponse;
    import oracle.security.jps.openaz.pep.PepRequestFactoryImpl;

    // subject: the authenticated caller (javax.security.auth.Subject)
    // action, resource: the strings that the OES policy matches against
    PepRequestFactory requestFactory = PepRequestFactoryImpl.getPepRequestFactory();
    PepRequest request = requestFactory.newPepRequest(subject, action, resource, new HashMap<String, Object>());
    PepResponse response = request.decide();
    boolean isAuthorized = response.allowed();

    OES policy conditions can read Identity Context claims through the following built-in functions:

    ASSERT_IDENTITY_CONTEXT
    GET_STRING_IDENTITY_CONTEXT
    GET_INTEGER_IDENTITY_CONTEXT
    GET_BOOLEAN_IDENTITY_CONTEXT

6.    Configuring Oracle Access Management Mobile and Social

        In the Mobile and Social service provider MobileOAMAuthentication, add the following attribute:
            IDContextEnabled = true


7.    Configuring Oracle Enterprise Single Sign On

    As part of the Identity Context Service, Oracle Enterprise Single Sign-on (OESSO) can publish and propagate client-based Identity Context attributes. Once full integration has been configured, the client-specific Identity Context attributes (documented in Section 41.3.1, "Using the Identity Context Dictionary") are sent by OESSO to OAM in the session initiation request together with the user credentials submitted in the access request.

    After the request has been received, OESSO calls an SSL-protected OAM REST API (previously configured by the OESSO administrator and included as part of the OESSO client distribution). This API returns the OAM_ID cookie to OESSO. OESSO then propagates the valid OAM_ID cookie to the client browsers (Internet Explorer and Firefox), which enables OESSO resources to be protected and enables single sign-on (SSO) with resources protected by the OAM Embedded Credential Collector. (This does not include resources protected by the Detached Credential Collector.) OESSO then provides OAM credentials acceptable to the OAM Embedded Credential Collector, together with client context information, in the payload.
               
               
8.    Validating Identity Context
    Protect the /testidc resource with an OAM policy whose Responses include the Identity Assertion.
    Use the OAM Tester to validate that the Identity Assertion is returned as an OAM_IDENTITY_ASSERTION attribute in the response to the authorization request for /testidc.
   
   
    Then validate that WebGate is creating an HTTP header that contains the Identity Assertion:
        Protect the /cgi-bin/printenv.pl script with the same policy that protects /testidc.
       
        printenv.pl ships as part of OHS and must have permission to execute. Any script that displays the request headers can be used instead.
       
        Access printenv.pl to trigger a login and display the HTTP headers.
       
        The HTTP_OAM_IDENTITY_ASSERTION header contains a SAML token carrying the Asserted Attributes.
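    Once printenv.pl shows the header, the next question is whether the published claims have the values and types the application expects (the OAAM checks in 3.3, the types in the schema table below). The following added example, which is not code from the original page or from Oracle, parses the AttributeStatement of such a token into typed claims and applies a sample step-up rule over them. The SAML assertion is a constructed stand-in for what the header carries, not a real OAM token, and the authentication-level and risk thresholds are assumptions. Use it to inspect what WebGate publishes during validation; an application must not make authorization decisions from the raw header itself, since only the Identity Asserter's validation of the signed token makes the claims trustworthy, after which the application reads them through the Identity Context Runtime.

```python
import xml.etree.ElementTree as ET

# Claim types from the Identity Context schema table on this page; anything not listed is a string.
CLAIM_TYPES = {
    "oracle:idm:claims:session:authnlevel": int,
    "oracle:idm:claims:session:usercount": int,
    "oracle:idm:claims:risk:level": int,
    "oracle:idm:claims:risk:newdevice": bool,
    "oracle:idm:claims:risk:safeforuser": bool,
    "oracle:idm:claims:client:firewallenabled": bool,
    "oracle:idm:claims:client:antivirusenabled": bool,
    "oracle:idm:claims:client:jailbroken": bool,
    "oracle:idm:claims:client:vpnenabled": bool,
}

# Constructed sample of the kind of SAML token HTTP_OAM_IDENTITY_ASSERTION carries. It is not a real
# OAM token: a real one is signed, and only the Identity Asserter's validation makes it trustworthy.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    ID="id-sample" IssueInstant="2016-11-09T10:00:00Z">
  <saml:Issuer>OAM</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">cn=alice,ou=people,dc=example,dc=com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="oracle:idm:claims:session:authnlevel"><saml:AttributeValue>2</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="oracle:idm:claims:session:attributes:authn-strength"><saml:AttributeValue>2</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="oracle:idm:claims:risk:newdevice"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="oracle:idm:claims:risk:level"><saml:AttributeValue>40</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="oracle:idm:claims:risk:safeforuser"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _local(el):
    """Element local name, ignoring the SAML 1.1 or 2.0 namespace."""
    return el.tag.rsplit("}", 1)[-1]


def _coerce(name, raw):
    """Convert an AttributeValue string to its schema type; junk raises ValueError instead of passing through."""
    typ = CLAIM_TYPES.get(name, str)
    if typ is bool:
        if raw not in ("true", "false"):
            raise ValueError(f"{name}: expected true/false, got {raw!r}")
        return raw == "true"
    if typ is int:
        return int(raw)
    return raw


def parse_identity_context(saml_xml):
    """Return {claim name: typed value} from a SAML assertion's Subject and AttributeStatement.

    Handles both SAML 2.0 (<Attribute Name=...>, <NameID>) and SAML 1.1 (<Attribute AttributeName=...>,
    <NameIdentifier>) element names. Multi-valued attributes are returned as a list of strings.
    """
    claims = {}
    for el in ET.fromstring(saml_xml).iter():
        kind = _local(el)
        if kind in ("NameID", "NameIdentifier"):
            claims["oracle:idm:claims:nameid:value"] = (el.text or "").strip()
            if el.get("Format"):
                claims["oracle:idm:claims:nameid:format"] = el.get("Format")
        elif kind == "Attribute":
            name = el.get("Name") or el.get("AttributeName")
            values = [(v.text or "").strip() for v in el if _local(v) == "AttributeValue"]
            if name and values:
                claims[name] = _coerce(name, values[0]) if len(values) == 1 else values
    return claims


def is_well_formed(saml_xml):
    """True when the token parses and every typed claim carries a value of the right type."""
    try:
        parse_identity_context(saml_xml)
    except (ET.ParseError, ValueError):
        return False
    return True


# Assumed application policy (not from the page): thresholds for a sensitive operation.
MIN_AUTHN_LEVEL = 2
MAX_RISK_LEVEL = 50


def sensitive_operation_allowed(claims):
    """Decide from Identity Context claims whether a sensitive operation may proceed.

    Fails closed: a claim that was never asserted is treated as the unsafe value, so a policy
    that forgot the OAAM responses is denied rather than silently trusted.
    """
    authnlevel = claims.get("oracle:idm:claims:session:authnlevel", 0)
    risk = claims.get("oracle:idm:claims:risk:level", MAX_RISK_LEVEL + 1)
    newdevice = claims.get("oracle:idm:claims:risk:newdevice", True)
    safeforuser = claims.get("oracle:idm:claims:risk:safeforuser", False)
    if authnlevel < MIN_AUTHN_LEVEL or risk > MAX_RISK_LEVEL:
        return False
    # A never-seen device is acceptable only once the OAAM challenge has been answered.
    return (not newdevice) or safeforuser


if __name__ == "__main__":
    ctx = parse_identity_context(SAMPLE_ASSERTION)
    for claim, value in ctx.items():
        print(f"{claim} = {value!r}")
    print("sensitive operation allowed:", sensitive_operation_allowed(ctx))
```

    Note that the virtual claim oracle:idm:claims:session:attributes:authn-strength stays a string even though it was built from the integer authnlevel, which matches the schema (virtual claims are typed string); code that needs the number should read oracle:idm:claims:session:authnlevel directly.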


--------------------------------------------------------------------------------------------------------------


Identity Context Schema Attributes
| Namespace | Attribute | Type | Virtual | Primary Publisher | Description |
|---|---|---|---|---|---|
| oracle:idm:claims:nameid | value | string | no | OAM | Indicates a unique user identifier. Access Manager currently publishes the user DN. |
| oracle:idm:claims:nameid | format | string | no | OAM | Indicates the type of user identifier. Access Manager currently publishes "urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName". |
| oracle:idm:claims:nameid | qualifier | string | no | OAM | Indicates the logical Identity Domain to which the user belongs. Access Manager currently publishes the logical name of the identity store, such as UserIdentityStore1. |
| oracle:idm:claims:nameid | spprovidedid | string | no | OAM | Indicates a unique identifier that any SP can use to locate the user in the SP's own identity store(s). Access Manager currently publishes the value of the unique ID attribute as configured in the registered identity store. |
| oracle:idm:claims:client | firewallenabled | boolean | no | OESSO | Indicates that the client device has a firewall enabled. |
| oracle:idm:claims:client | antivirusenabled | boolean | no | OESSO | Indicates that the client device has antivirus enabled. |
| oracle:idm:claims:client | fingerprint | string | no | OESSO, Oracle Access Management Mobile and Social (OMS) | Indicates the fingerprint of the client device. |
| oracle:idm:claims:client | ostype | string | no | OMS | Indicates the client device's operating system type. |
| oracle:idm:claims:client | osversion | string | no | OMS | Indicates the client device's operating system version. |
| oracle:idm:claims:client | jailbroken | boolean | no | OMS | Indicates whether the client device is jailbroken (iOS) or rooted (Android). |
| oracle:idm:claims:client | macaddress | string | no | OMS | Indicates the client device's Ethernet (MAC) address. |
| oracle:idm:claims:client | ipaddress | string | no | OMS | Indicates the client device's IP address. |
| oracle:idm:claims:client | vpnenabled | boolean | no | OMS | Indicates whether the client device has VPN enabled. |
| oracle:idm:claims:client | geolocation | string | no | OMS | Indicates the client device's geographical coordinates in the form "latitude,longitude". |
| oracle:idm:claims:risk | newdevice | boolean | no | OAAM | Indicates whether the client device has been seen before. True when logging in from a device never seen before; otherwise false. |
| oracle:idm:claims:risk | level | integer | no | OAAM | Indicates the risk level. The level increases after unsuccessful logins. |
| oracle:idm:claims:risk | safeforuser | boolean | no | OAAM | Indicates whether the user answered a secondary challenge question. True after the user successfully answers it; otherwise false. |
| oracle:idm:claims:risk | fingerprint | string | no | OAAM | Indicates the device fingerprint as measured by OAAM. Different devices leave different fingerprints; can be switched between the device fingerprint (obtained via Flash) and the browser (HTTP-only) fingerprint. |
| oracle:idm:claims:session | authnlevel | integer | no | OAM | Indicates the Access Manager authentication level. |
| oracle:idm:claims:session | usercount | integer | no | OAM | Indicates the number of sessions held by the user. |
| oracle:idm:claims:session | appdomain | string | no | OAM | Indicates the name of the Access Manager Application Domain containing the policies. |
| oracle:idm:claims:session | apppolicy | string | no | OAM | Indicates the name of the Access Manager policy that allowed access. |
| oracle:idm:claims:session | appagent | string | no | OAM | Indicates the name of the agent from which the request came to Access Manager. |
| oracle:idm:claims:session | appclientip | string | no | OAM | Indicates the IP address of the client sending the request to Access Manager. |
| oracle:idm:claims:session | sessionid | string | no | OAM | Indicates the Access Manager session ID. |
| oracle:idm:claims:session | attributes | string | yes | OAM | Indicates session attributes as retrieved from the session store. In Access Manager, select "oracle:idm:claims:session:attributes" as the claim name and specify the session attribute as "attr-name=$session.attr.name", where name is the name of the attribute stored in the session. The claim is created with the name "oracle:idm:claims:session:attributes:attr-name" and the value of the session's name attribute. |
| oracle:idm:claims:fed | partner | string | no | OAM (or IF?) | Indicates the partner ID as determined by Identity Federation. |
| oracle:idm:claims:fed | nameidvalue | string | no | OAM (or IF?) | Indicates the user ID from a federation partner as determined by Identity Federation. |
| oracle:idm:claims:fed | nameidformat | string | no | OAM (or IF?) | Indicates the format of the user ID from a federation partner as determined by Identity Federation. |
| oracle:idm:claims:fed | attributes | string | yes | OAM | Indicates a federation attribute as supplied by the partner and determined by Identity Federation. In Access Manager, select "oracle:idm:claims:fed:attributes" as the claim name and specify the federation attribute as "attr-name=$session.attr.fed.attr.name", where name is the name of the SAML attribute in the partner's SAML assertion. The claim is created with the name "oracle:idm:claims:fed:attributes:attr-name" and the value of the attribute name from the partner's assertion. |
| oracle:idm:claims:ids | attributes | string | yes | OAM | Indicates an Identity Store (user profile) attribute. In Access Manager, select "oracle:idm:claims:ids:attributes" as the claim name and specify the ID Store attribute as "attr-name=$user.attr.name", where name is the name of the attribute on the user profile. The claim is created with the name "oracle:idm:claims:ids:attributes:attr-name" and the value of the user profile's name attribute. |
| oracle:idm:claims:tenant | tenantid | string | no | OAM | Currently reserved for future use (indicates the tenant ID). |
| oracle:idm:claims:tenant | attributes | string | yes | OAM | Currently reserved for future use (indicates tenant attributes as supplied by the publisher; the claim value is meant to contain "attr-name=attr-value", and the claim is created with the name "oracle:idm:claims:tenant:attr-name" and the value attr-value). |