Extending the Oracle Single Sign On (SSO) Server
Kurt Van Meerbeeck, AXI NV/BV, [email protected], www.axi.be / www.axi.nl, session 389

Post on 24-Apr-2015


DESCRIPTION

With a completely new Identity/Access Management Suite on the Oracle market, one might forget the good old SSO server, bundled with each and every iAS server. Although it has some out-of-the-box capabilities like WNA and X509 certificate support, it can be quite hard to set up an authentication scheme just the way you (or your customers) like it. Using a case study, this presentation discusses how you can extend Oracle's Single Sign On (SSO) server to your needs. It will discuss:
- Integration & authentication with smartcard passports (eID)
- Authentication with digital certificates
- Implementing fallback authentication schemes
- Integration with SSL terminators and reverse proxies
- DIY federated authentication
- Writing your own SSO plugin
The solutions presented are part of AXI NV/BV's portfolio.

TRANSCRIPT

Page 1: Extending Oracle SSO

Extending the Oracle Single Sign On (SSO) Server

Kurt Van Meerbeeck, AXI NV/BV, [email protected]

www.axi.be / www.axi.nl

session 389

Page 2: Extending Oracle SSO

Extending Oracle SSO Server

- Who am I: Kurt Van Meerbeeck
  - Engineer in electronics
  - Working with Java since 1996 (JDK 1.0.2)
  - Working with Oracle products since 1997 (Oracle 7.3.x, OAS 3.0)
- Currently work for AXI NV/BV
  - Oracle Partner in the Benelux area (www.axi.be / www.axi.nl)
  - Oracle RDBMS/iAS
- Author of DUDE, the Data Unloader tool (www.ora600.be)
- Member of the Oaktable Network (www.oaktable.net)

Page 3: Extending Oracle SSO

Extending Oracle SSO Server

- Agenda
  - Case study: the challenge
    - Customer requirements
  - SSO: a small recap
    - Components
    - Workflow
    - SSO plugins
  - Solution
    - LAN access
    - Internet access using OCA certificate
    - Internet access using eID passport
    - DIY federated authentication

Page 4: Extending Oracle SSO

Presenting the case

- Insurance company
  - 800 broker offices
  - 3000 brokers
- Backoffice application
  - Visual Basic
  - Citrix
  - Oracle RDBMS
  - All business logic in PL/SQL

Page 5: Extending Oracle SSO

Presenting the case

(Diagram: database tier, COM+ servers, Citrix farm and backoffice app; brokers at Company A and Company C send proposals by fax)

- Proposal processing via FAX

Page 6: Extending Oracle SSO

Presenting the case

(Diagram: database tier and COM+ servers; the Portima private network connects the broker apps of Company A, Company B ... Company n; the third-party app (PORTIMA) authenticates using Office ID & suboffice ID)

- Proposal processing via third-party broker app

Page 7: Extending Oracle SSO

Presenting the case

- Web-enable it!!!
- Technology: Internet Application Server
  - Oracle Portal
  - Oracle Webforms
  - Using existing PL/SQL packages (business logic)

Page 8: Extending Oracle SSO

Presenting the case

- 3 options to connect

(Diagram: LAN backoffice user; INTERNET broker over the internet; PORTIMA broker over the private network)

Page 9: Extending Oracle SSO

Presenting the case

- 4 ways to authenticate

(Diagram: LAN backoffice user over the private network (http): username + password; INTERNET broker over the internet (https): eID (certificate) + pincode, or OCA digital certificate + password; PORTIMA broker: Office ID/Suboffice ID checked by the Portima authentication server, then map Portima ID to Oracle ID)

Page 10: Extending Oracle SSO

The challenge

- Multiple complex authentication schemes
  - Internet: using Belgian eID
    - only eID PIN code required
    - automatic logon to iAS
  - Internet: authentication using certificates signed by OCA
    - SSO password required to log on to iAS
  - Private network: federated authentication
    - brokers already authenticated with our partner's SSO server
    - map partner identity to iAS SSO identity
    - automatic logon to iAS
  - LAN: internal LAN users
    - SSO username/password required

Page 11: Extending Oracle SSO

The challenge

- Other requirements (challenges)
  - Only develop in PL/SQL
  - Technology: Oracle Webforms & Portal
    - only Java / signed jar files for eID and printing
  - Custom multiple logon screens
    - Holding has multiple companies
    - Company look & feel
    - PL/SQL using OWA, UTL_HTTP & mod_plsql
  - Custom PL/SQL APIs (for use in Webforms)
    - Oracle Certificate Authority (OCA) (integration with OpenSSL)
    - Single Sign On Server (SSO)
    - Identity Management (IM) instead of OIDDAS (dbms_ldap)

Page 12: Extending Oracle SSO

Yeah well ... and I WANT A PORSCHE

Page 13: Extending Oracle SSO

Extending Oracle SSO Server

- Agenda
  - Case study: the challenge
    - Customer requirements
  - SSO: a small recap
    - Components
    - Workflow
    - SSO plugins
  - Solution
    - LAN access
    - Internet access using OCA certificate
    - Internet access using eID passport
    - DIY federated authentication

Page 14: Extending Oracle SSO

A small recap

- Oracle AS components: middle tiers
  - OHS: Apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
  - Webcache
  - J2EE
  - Forms, Reports, Discoverer
  - Portal

Page 15: Extending Oracle SSO

A small recap

- Oracle AS components: infrastructure
  - OHS: Apache 1.3, mod_oc4j, mod_plsql, mod_rewrite, mod_osso, ...
  - OID (LDAP)
  - J2EE
  - SSO server
  - OCA
  - RDBMS: portal, SSO, OCA and other configuration & metadata

Page 16: Extending Oracle SSO

Understanding the SSO architecture

- Lots of moving parts
  - HTTP redirects
  - SSO & partner cookies
  - Token obfuscation
  - PL/SQL API in case of Oracle Portal

Page 17: Extending Oracle SSO

SSO workflow – not yet authenticated

(Diagram: INFRA.axi.be running apache, mod_osso, mod_oc4j, mod_plsql, J2EE/OC4J_SECURITY (SSO), OCA, OID/LDAP and the iAS DB; MID.axi.be running apache, mod_osso, mod_oc4j, mod_plsql and J2EE, serving http://my.company.com)

Apache virtual host:
- Make it an SSO partner app and register it
  - ptlconfig for Portal
  - ossoreg.jar for mod_osso
- mod_osso.conf:

    <Location /app>
      require valid-user
      AuthType basic
    </Location>

Page 18: Extending Oracle SSO

SSO workflow – not yet authenticated

(Diagram: INFRA.axi.be / MID.axi.be SSO architecture as on page 17, serving http://my.company.com)

    NameVirtualHost *:80

    <VirtualHost *:80>
      ServerName my.company.com
      Port 80
      # Include the configuration files
      # needed for mod_osso
      OssoConfigFile /OH/my_comp_osso.conf
    </VirtualHost>

- Browser requests http://my.company.com; mod_osso: partner cookie available?
- If not, redirect to infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
- SSO server: SSO cookie? If not, generate a redirect to the logon page http://infra.axi.be/sso/jsp/login.jsp (configured in $OH/sso/policy.properties)

Page 19: Extending Oracle SSO

SSO workflow – not yet authenticated

(Diagram: INFRA.axi.be / MID.axi.be SSO architecture as on page 17, serving http://my.company.com; the logon page is shown)

Page 20: Extending Oracle SSO

SSO workflow – not yet authenticated

(Diagram: INFRA.axi.be / MID.axi.be SSO architecture as on page 17, serving http://my.company.com)

- HTTP POST of username, password and site-token to the SSO server
- Check credentials in LDAP/OID
- If OK:
  - generate the SSO cookie (SSO_ID)
  - generate a redirect to http://my.company.com/osso_login_success?urlc=<sitetoken>
- mod_osso on the partner app generates the partner cookie and redirects to the original URL (from the site-token)

Page 21: Extending Oracle SSO

SSO workflow – already authenticated

(Diagram: INFRA.axi.be / MID.axi.be SSO architecture as on page 17, serving http://my.company.com)

- mod_osso intercepts the URL
- finds the partner cookie on the client
- request continues ...

Page 22: Extending Oracle SSO

SSO workflow – already authenticated

(Diagram: INFRA.axi.be / MID.axi.be SSO architecture as on page 17, now also serving http://my.other-company.com)

- mod_osso intercepts the URL for http://my.other-company.com
- NO partner cookie on the client (there is one, but its cookie domain is .company.com)
- Redirect to infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
- There is already an SSO cookie (SSO_ID) on the client, and my.other-company.com is a partner app: generate a redirect to http://my.other-company.com/osso_login_success?urlc=<sitetoken>
- mod_osso de-obfuscates the site-token and redirects to the original URL

Page 23: Extending Oracle SSO

SSO workflow - recap

- Things to remember
  - Cookies
    - 1 SSO cookie: infrastructure, shared
    - 1 cookie per partner app (virtual host)
  - Site-token
    - obfuscated in the beginning
    - de-obfuscated at the end
  - Lots of moving parts, different technologies

Page 24: Extending Oracle SSO

SSO plugins

- Out-of-the-box
  - Default: username/password
  - Supports X509 digital certificates
    - supports fallback authentication (but we don't want that)
    - SSOX509CertAuth plugin
  - Supports WNA
    - supports fallback authentication (but we don't want that)
    - SSOKerbeAuth plugin
  - Multilevel authentication (but we don't need that)
    - <location x> requires username/password
    - <location y> requires digital certificate

Page 25: Extending Oracle SSO

SSO plugins

- But we need more complex authentication
  - LAN: username/password
  - Private network: federated authentication
  - Internet: digital certificates/passwords & pincodes
- SSO server allows custom plugins!

Page 26: Extending Oracle SSO

SSO plugins

- Plugins mostly used for integrating third-party authentication devices (example: RSA ClearTrust)
  - Bootstrap IDs
  - Exchange ID tokens through HTTP headers
  - Look up the ID token and map it onto an Oracle SSO ID

Page 27: Extending Oracle SSO

SSO plugins – object model

(Diagram: IPASAuthInterface is implemented by SSOServerAuth; SSOX509CertAuth, SSOKerbeAuth and a custom plugin extend SSOServerAuth; a custom plugin may also implement IPASAuthInterface directly)

Plugin can either:
- extend the SSOServerAuth class (fallback authentication possible)
- implement the IPASAuthInterface interface

Plugin implements methods:
- authenticate(HttpServletRequest), returns an instance of IPASUserInfo

    package oracle.security.sso.server.auth;
    // Read the user token from the HTTP headers.
    // No token found in the HTTP headers?
    //   -> throw new IPASInsufficientCredException("No EID header found");
    //   -> or fallback authentication: super.authenticate(httpservletrequest);
    // Decode the token to an SSO username.
    IPASUserInfo authUser = new IPASUserInfo(username);
    return authUser;   // -> you're authenticated!!!

    // Or, for a demo, simply:
    return new IPASUserInfo("orcladmin");
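A fuller version of the plugin sketched above, as an added example (not the presentation's or AXI's code): it extends SSOServerAuth so that a request without a certificate subject falls back to the default username/password check for LAN users, and maps the SUBJECT header that the reverse proxy sets from the verified client certificate to an SSO username (the eID-style automatic logon; the OCA path, which still asks for the SSO password, would hand over to super.authenticate after the subject check instead). Assumed, not taken from the page: the toolkit class names IPASUserInfo, IPASAuthException and IPASInsufficientCredException in oracle.security.sso.ias904.toolkit, and the in-memory subject map, which stands in for an OID/LDAP lookup.

```java
package oracle.security.sso.server.auth;

import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import oracle.security.sso.ias904.toolkit.IPASAuthException;
import oracle.security.sso.ias904.toolkit.IPASInsufficientCredException;
import oracle.security.sso.ias904.toolkit.IPASUserInfo;

/**
 * Illustrative certificate-to-SSO-user plugin (example, not the AXI code).
 * Extends SSOServerAuth so that requests without a certificate subject fall
 * back to the out-of-the-box username/password authentication (LAN users).
 * ASSUMPTIONS: toolkit class names as in the 10g ipastoolkit.jar; the static
 * map below stands in for a lookup of the subject DN in OID/LDAP.
 */
public class eIDSSOAuth extends SSOServerAuth {

    /** Header the Apache reverse proxy fills from the verified client cert:
     *  RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e". The proxy always
     *  overwrites this header and the SSO server is reachable only through the
     *  proxy, so a value here means the certificate chain was already checked
     *  (SSLVerifyClient require, CRL/OCSP on the terminator). */
    private static final String SUBJECT_HEADER = "SUBJECT";

    /** Constructed sample mapping: certificate subject DN -> SSO username. */
    private static final Map<String, String> SUBJECT_TO_USER = new HashMap<String, String>();
    static {
        SUBJECT_TO_USER.put("CN=Jan Peeters (Authentication),O=Example Broker,C=BE", "jpeeters");
        SUBJECT_TO_USER.put("CN=An Janssens,OU=Brokers,O=Example Insurance,C=BE", "ajanssens");
    }

    public IPASUserInfo authenticate(HttpServletRequest request)
            throws IPASAuthException, IPASInsufficientCredException {
        String subject = request.getHeader(SUBJECT_HEADER);

        // No subject: the request did not come in over client-cert SSL, so this
        // is a LAN user; let the default plugin ask for username/password
        // (it throws IPASInsufficientCredException until the form is posted).
        if (subject == null || subject.trim().length() == 0) {
            return super.authenticate(request);
        }

        // A verified certificate that maps to nobody is a hard failure. Do not
        // fall back here: an unmapped broker must not get a password prompt.
        String username = SUBJECT_TO_USER.get(normalizeDn(subject));
        if (username == null) {
            throw new IPASAuthException("certificate subject not mapped to an SSO user");
        }
        return new IPASUserInfo(username);
    }

    public URL getUserCredentialPage(HttpServletRequest request, String msg) {
        // Keep the custom PL/SQL logon page configured in policy.properties.
        return super.getUserCredentialPage(request, msg);
    }

    /** Canonicalise the DN so "CN=a, O=b" and "CN=a,O=b" hit the same entry. */
    static String normalizeDn(String dn) {
        return dn.trim().replaceAll("\\s*,\\s*", ",");
    }
}
```

Compile it against ipastoolkit.jar, servlet.jar and ossocls.jar as the slide on compiling describes, and point MediumSecurity_AuthPlugin in policy.properties at the class.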

Page 28: Extending Oracle SSO

SSO plugins – object model

(Diagram: same plugin object model as on page 27)

Plugin implements methods:
- getUserCredentialPage(HttpServletRequest, String), returns an instance of URL

    return super.getUserCredentialPage(httpservletrequest, msg);

Page 29: Extending Oracle SSO

SSO plugins – object model

(Diagram: same plugin object model as on page 27)

- Compiling & enabling your plugin
  1. Compiling
     - CLASSPATH: ipastoolkit.jar, servlet.jar, ossocls.jar
     - Put it in the right place! INFRA: $OH/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/lib
  2. Enabling
     - INFRA: $OH/sso/conf/policy.properties
       MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.eIDSSOAuth
     - Restart the SSO server: opmnctl restartproc process-type=OC4J_SECURITY

Page 30: Extending Oracle SSO

SSO plugins

- SSO plugins
  - Authenticate users the way you want
  - Trust third-party authentication
    - eID
    - PORTIMA authentication server
  - But it's Java: deal with it

Page 31: Extending Oracle SSO

Extending Oracle SSO Server

- Agenda
  - Case study: the challenge
    - Customer requirements
  - SSO: a small recap
    - Components
    - Workflow
    - SSO plugins
  - Solution
    - LAN access
    - Internet access using OCA certificate
    - Internet access using eID passport
    - DIY federated authentication

Page 32: Extending Oracle SSO

SSO custom logon screen

(Diagram: INFRA.axi.be with apache, the J2EE SSO plugin, OID/LDAP and the iAS DB; MID.axi.be with apache and J2EE serving http://my.company.com; the custom PL/SQL login_page on INFRA is reached at http://infra.axi.be/pls/login_page)

- PL/SQL logon page using OWA_UTIL, configured in $OH/sso/policy.properties: http://infra.axi.be/pls/login_page
- What site do you want to enter? ORASSO.WWSSO_UTL.unbake_site2pstore_token -> my.company.com: generate a different logon screen

Page 33: Extending Oracle SSO

SSO custom logon screen

(Diagram: as on page 32, plus a PL/SQL login_proxy on INFRA.axi.be between the login_page and the SSO plugin)

- Submit credentials to the PL/SQL proxy; SSO cookie, HTTP redirect and site-token are proxied
- Offloading functionality from the SSO plugin to PL/SQL
- Easier integration with reverse proxies
- Manipulate redirects/site-tokens (Vista)

Page 34: Extending Oracle SSO

SSO custom login

- LAN users: check!
- Internet brokers?
  - PKI

(Diagram: the four ways to authenticate, as on page 9)

Page 35: Extending Oracle SSO

Public Key Infrastructure

- A few slides on PKI ...

PKI is a collection of services, protocols and standards supporting public key cryptography.

Page 36: Extending Oracle SSO

Public Key Infrastructure

- Certificate Authorities (CA): request/revoke/renew certificates
- Registration Authorities (RA): verify identities
- Online repositories: LDAP
- Certificate Revocation List (CRL): list of revoked certificates
- Entities: clients, servers, applications
- Public key certificate (X509, PKCS#)

Page 37: Extending Oracle SSO

Public Key Infrastructure – chain of trust

(Diagram, PKI equivalents of the real world:)
- Root CA (ex. GlobalSign, Verisign) = United Nations
- Company CA (ex. AXI CA) = Belgium, Netherlands, ...
- Registration Authority (RA) = city hall, police office, court house
- Digital certificate (signing, authentication) = driver's license, passport

Page 38: Extending Oracle SSO

Public Key Infrastructure – chain of trust

Example of authentication: (Diagram: United Nations at the root; US and Belgium below it; "Valid? (CRL)" check) me and my passport, the nice officer at JFK and his passport.

Page 39: Extending Oracle SSO

Public Key Infrastructure – chain of trust

Example of authentication: (Diagram: United Nations at the root; US and Belgium below it, Belgium split into the Flanders region and the Walloon region; "Valid? (CRL)" check)

If Belgium splits into the Flanders region and the Walloon region, I will be screwed if the United Nations do not recognize them.

Page 40: Extending Oracle SSO

Public Key Infrastructure - eID

- eID emerging in Europe: Belgium, The Netherlands, Germany, Austria, Italy, Portugal, Estonia
- Smartcard passport

Page 41: Extending Oracle SSO

Public Key Infrastructure - eID

From a visual point of view, the information shown will be the same as on the present identity card:
- name
- first 2 Christian names
- first letter of third Christian name
- nationality
- place and date of birth
- sex
- place of issue
- start and end dates of validity
- card number
- owner's photograph
- owner's signature
- National Register Number

Page 42: Extending Oracle SSO

Public Key Infrastructure - eID

From an electronic point of view, the data on the chip is the same as the information printed on the card, plus:
- address
- identity and signature keys
- identity and signature certificate
- Certificate Service Provider
- security information (chip number, etc.)

Some information is protected by a PIN code.

Page 43: Extending Oracle SSO

Public Key Infrastructure - eID

Page 44: Extending Oracle SSO

Public Key Infrastructure - eID

Page 45: Extending Oracle SSO

SSO integration with PKI

(Diagram: INFRA.axi.be with apache, J2EE SSO and OCA, the PL/SQL login_page and login_proxy, OID/LDAP and the iAS DB; MID.axi.be with apache and J2EE; SSL between the client and the servers; the client holds a client certificate (OCA or eID, private/public key in its keystore) and the root certificates of the Government CA and the Oracle CA; the servers hold a server certificate and a root certificate)

Page 46: Extending Oracle SSO

SSO integration with PKI – SSL terminator

(Diagram: the client talks HTTPS to an SSL terminator/accelerator, which talks plain HTTP to INFRA.axi.be and MID.axi.be; the terminator validates eID certificates against the Government CAs via OCSP or an LDAP CRL download, and OCA certificates via an LDAP CRL download)

Page 47: Extending Oracle SSO

SSO integration with PKI – SSL terminator

- What kind of SSL terminator to choose???
- Juniper SSL/VPN 4000 series
  - Recommended by the network partner
  - Should be easy to configure in a PKI environment
  - Requires no low-level HTTP proxy/reverse proxy rules
  - Expensive license (per session)
  - Encryption of cookies, URL masquerading
- Threw it out because
  - It did not work with the combo Vista/Oracle Forms/JPI 1.5.x
  - Too high-level configuration; no low-level HTTP manipulation possible
  - SSO integration had to be done using HTTP POSTs of the certificate subject to our PL/SQL SSO proxy
  - Every switch to another partner app resulted in having to log on again (... euh ... that's not SSO)

Page 48: Extending Oracle SSO

SSO integration with PKI – SSL terminator

- What kind of SSL terminator to choose???
- Blue Coat reverse proxy (RP)
  - SSO, with its many moving parts, made the network guys dizzy
  - 6 different consultants in 6 days
  - Gave up on it ...
  - Blue Coat can probably do it ... just find the right people
- Apache2-based RP
  - On Ubuntu Linux/HA with mod_proxy/mod_proxy_html
  - Very low-level HTTP manipulation possible
  - mod_ssl does not support OCSP
  - Managed to set it up in 2 days (incl. clustering)

Page 49: Extending Oracle SSO

SSO integration with PKI – workflow

(Diagram: as on page 46; the internet broker presents an OCA digital certificate to the Apache reverse proxy at My.company.com / Login.company.com)

Reverse proxy configuration:

    ProxyPass        /forms/              http://MID.axi.be:7782/forms/
    ProxyPass        /osso_login_success  http://MID.axi.be:7782/osso_login_success
    ProxyPass        /login/              http://INFRA.axi.be:7780/
    ProxyPassReverse /forms/              http://MID.axi.be:7782/
    ProxyPassReverse /sso/                http://INFRA.axi.be:7780/
    ProxyHTMLURLMap  http://INFRA.axi.be:7780 /login

    <Location /sso/>
      SSLVerifyClient require
      RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e"
    </Location>

Page 50: Extending Oracle SSO

SSO integration with PKI – workflow

(Diagram: as on page 49)

- Map the certificate subject to the SSO username
- Only need to enter the SSO password

Page 51: Extending Oracle SSO

SSO integration with PKI – workflow

(Diagram: as on page 49; the broker is logged on with the OCA digital certificate)

Page 52: Extending Oracle SSO

SSO custom login

- LAN users: check!
- Internet brokers?
  - OCA: check
  - eID?

(Diagram: the four ways to authenticate, as on page 9)

Page 53: Extending Oracle SSO

SSO integration with PKI – workflow

(Diagram: as on page 49, but the internet broker presents an eID digital certificate to the Apache reverse proxy at My.company.com / Login.company.com; the same ProxyPass/ProxyPassReverse/ProxyHTMLURLMap rules and the same <Location /sso/> client-certificate block apply)

Page 54: Extending Oracle SSO

SSO integration with PKI – workflow

(Diagram: as on page 53; the eID certificate subject reaches the SSO server through the <Location /sso/> block from page 49, which requires a verified client certificate and sets the SUBJECT header)

Page 55: Extending Oracle SSO

SSO custom login

- LAN users: check!
- Internet brokers?
  - OCA: check
  - eID: check

(Diagram: the four ways to authenticate, as on page 9)

Page 56: Extending Oracle SSO

DIY federated authentication – workflow

(Diagram: the Portima broker logs on at My.private-company.com / Login.private-company.com with Office ID/suboffice ID and password; an Apache 2.x reverse proxy, the PL/SQL login_page and login_proxy, the Portima authentication server and the SSO plugin on INFRA.axi.be take part; MID.axi.be with apache and J2EE serves the application)

Page 57: Extending Oracle SSO

DIY federated authentication – workflow

(Diagram: as on page 56)

Replaced with SAML v2 federated authentication in 2008 (integrated with Oracle SSO).

Page 58: Extending Oracle SSO

Architecture

(Diagram: clients -> HTTP/S -> load balancer (Linux VIPs, ldirector) -> SSL/RP (apache2) and RP (apache2) -> HTTP -> INFRA and MID; the CA and its CRL feed the SSL reverse proxy)

Page 59: Extending Oracle SSO

Solved problem ... And more

- Multiple authentication schemes
  - Depending on physical location
  - Automatic logon + identity bootstrapping
  - DIY federated authentication
- Access control
  - Ex. an internet broker is not allowed to log on via a LAN connection and/or vice versa
  - Must change password at first logon
- Multi-language support in the logon page
- Integration with reverse proxies
  - Passing/generating extra HTTP headers for logon logic
  - Detection of Windows Vista
  - Manipulate HTTP headers (e.g. Vista/IE bugs)
  - Manipulate the site-token to redirect to another URL
  - Custom plugin download pages for Forms/Java plugin
- Multiple logon screens for different apps
  - Based on unbaking the site-token

Page 60: Extending Oracle SSO

Questions

[email protected]