Monday Jun 04, 2012

Addressing threats introduced by the BYOD trend

With the growth of the mobile technology segment, enterprises are facing a new class of threat introduced by the BYOD (Bring Your Own Device) trend, where employees use their own devices (laptops, tablets or smartphones), not necessarily secured, to access the corporate network and corporate information.

Traditionally, and still today, enterprises provide laptops to their employees for their daily work, with a standard operating system image that includes anti-virus and desktop management tools, so that the fleet of allocated laptops is free of spyware or trojan horses before it is allowed to access the internal network and sensitive information. The BYOD reality breaks this paradigm and opens new exposures for enterprises, because most username/password based systems, especially internal web applications, can be accessed from a poorly protected or unprotected device.

To address this reality we can adopt one of three approaches:

1. Coué's approach: Close your eyes and assume that your employees are mature enough to know what they should or should not do.

2. Consensus approach: Provide a list of restricted and 'certified' devices that are allowed on the internal network.

3. Military approach: Access internal systems from certified laptops ONLY.

If you choose option 1: Thanks for visiting my blog and I hope you find the other entries more useful :)

If you choose option 2: The proliferation of new hardware and software updates every quarter makes this approach very costly and difficult to maintain.

If you choose option 3: You need to find a way to allow access to your sensitive applications only from corporate-authorized machines managed by the IT administrators... but how?

The challenge with option 3 is to restrict access to certain sensitive applications to authorized machines only; put differently, end-users must not be able to access the sensitive applications unless they are using an authorized machine. So what if we store the application credentials where the end-users cannot see them, and submit them automatically when the end-users open the application? With this model the end-users never learn the username/password of the application, so even from their own devices they cannot log in. There is also no need to reconfigure the existing applications for a new authentication scheme, since each application keeps its existing username/password authentication model. Note what this does and does not control: the application itself still accepts the username/password from any device, so the restriction holds only as long as the credential stays hidden from the end-user, which is why the credential should be long, machine-generated and rotated frequently rather than a user-chosen password.

To adopt this model, you can leverage Oracle Enterprise Single Sign-On. In short, Oracle ESSO is a desktop-based solution capable of storing credentials for web and native applications. At application startup, if the application is configured as an ESSO-enabled application (check out my previous post on how to make Skype ESSO-enabled), Oracle ESSO automatically takes over the sign-in sequence with the stored credential on behalf of the end-user.
Combined with Oracle ESSO Provisioning Gateway, the credentials can be 'pushed' in advance from a provisioning server such as Oracle Identity Manager or Tivoli Identity Manager, so end-users can log in to sensitive applications without ever knowing the actual username and password, and therefore cannot log in from machines other than those secured by Oracle ESSO.

Below is a graphical illustration of this approach:

With this model, not only can you restrict access to sensitive applications to authorized machines, you can also enforce much stronger password policies in terms of password complexity and password reset frequency, since end-users no longer need to remember the passwords.
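As an added example (not code from the original post, and not part of Oracle ESSO or Oracle Identity Manager), here is the kind of password policy a provisioning server can enforce once the end-user never sees the password: a CSPRNG-generated credential checked against length, character-class and repetition rules, plus a check of whether the credential is due for rotation. The policy values, the symbol set and the 30-day rotation period are assumptions chosen for the example.

```python
"""Added example, not the post's or Oracle's code: policy-driven generation
and rotation of a credential that is pushed to a credential store and never
shown to the end-user.  Policy values below are assumptions."""
import secrets
import string
from datetime import datetime, timedelta, timezone

# Assumed policy: long, all four character classes, no character repeated
# more than twice in a row, rotated every 30 days.  The symbol set is kept
# conservative because some applications reject other symbols.
POLICY = {
    "min_length": 24,
    "classes": {
        "lower": set(string.ascii_lowercase),
        "upper": set(string.ascii_uppercase),
        "digit": set(string.digits),
        "symbol": set("!#$%&*+-=?@^_~"),
    },
    "max_repeat": 2,
    "max_age_days": 30,
}


def meets_policy(password, policy=POLICY):
    """Return (ok, reasons); every rule the password violates is listed."""
    reasons = []
    if len(password) < policy["min_length"]:
        reasons.append("too short")
    alphabet = set().union(*policy["classes"].values())
    if any(c not in alphabet for c in password):
        reasons.append("character outside allowed set")
    for name, chars in policy["classes"].items():
        if not any(c in chars for c in password):
            reasons.append(f"missing {name}")
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > policy["max_repeat"]:
            reasons.append("character repeated too many times")
            break
    return (not reasons, reasons)


def generate_password(policy=POLICY):
    """Draw from the CSPRNG until a candidate passes every rule.  Rejection
    sampling keeps the result uniform over the set of policy-compliant strings."""
    alphabet = "".join(sorted(set().union(*policy["classes"].values())))
    while True:
        candidate = "".join(secrets.choice(alphabet)
                            for _ in range(policy["min_length"]))
        if meets_policy(candidate, policy)[0]:
            return candidate


def rotation_due(last_set_iso, now_iso=None, policy=POLICY):
    """True when the credential is older than the policy allows.  Timestamps
    are ISO-8601 strings with a UTC offset, e.g. the time the provisioning
    server recorded when it last pushed the password."""
    last_set = datetime.fromisoformat(last_set_iso)
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc))
    return now - last_set >= timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    print(rotation_due("2012-06-04T00:00:00+00:00"))
```

The point of the rejection-sampling generator is that the policy check and the generator share one definition of "valid", so a credential the provisioning server pushes can never be one the policy would reject.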

If you are interested, do not hesitate to check out the Oracle Enterprise Single Sign-On products on OTN!

Tuesday May 29, 2012

Handling Hybrid Applications in Oracle ESSO

In a recent project involving Oracle ESSO (Oracle Enterprise Single Sign-On, a desktop-based single sign-on solution that Oracle acquired from Passlogix in 2010), I stated to the customer that Oracle ESSO was flexible enough to handle automatic sign-on for most web and native applications running on PCs, including text-based applications accessed through a terminal... And of course, after such a statement, you can imagine how satisfied the customer was when he found a very common application to prove me wrong! That application was nothing other than Skype, the popular VoIP application.

Without getting into technical details, this is basically how Oracle ESSO works: it identifies the login form of a web application (by recognizing the URL and the HTML form) or of a Windows-native application (by recognizing the executable signature and the UI forms within the application). Once the form is recognized, it takes over the login process by supplying the appropriate credential, either recorded during a previous manual login or provisioned by a provisioning system such as Oracle Identity Manager or Tivoli Identity Manager.

The challenge with Skype was that it is neither a web nor a Windows-native application. It is a newer type of application, a hybrid application, with an embedded web server and browser that serve HTML pages to render the UI. The business logic (JavaScript) is either stored locally or accessed remotely through SOAP or REST services on Skype's servers. This simplifies development by keeping the UI and logic consistent across platforms, including mobile devices.

Now, it is not completely true that ESSO is unable to handle Skype. It does recognize the application as a web application and is able to store the credential in the ESSO repository. This is an out-of-the-box mode that lets ESSO store any website credential centrally and securely, rather than relying on the browser's "remember credentials" feature. But in this mode we have no control over the web application, for instance to prevent an automatic re-login after an explicit logout.

To add more control logic to an application that we want to ESSO-enable, we need to use the Oracle ESSO Logon Manager Admin Console to create an application template. In this case, however, we cannot capture the application as a native Windows application, because we cannot drill down into the UI form; nor can we capture it as a web application, because we do not have the actual URL... Fortunately, Oracle ESSO 11g offers a new way to create an application template. Previously we had to specify in advance the type of application to capture (web or native). Now we can use the Title Bar button directly from the application we want to add ESSO controls to. Here are the steps, assuming the ESSO-LM Admin Console and Skype are already started:

1. Create a template from the Skype application Title Bar button

2. Ignore the JavaScript errors... we do not need them anyway

3. Double-check that ESSO has successfully recognized the "username" and "password" fields, and change the form name to suit your needs (Skype Login in this case)

4. Move to the Fields tab in the [Web] window

5. Select SendKeys as the transfer method

6. Add the 'Enter' key as the last action, because the submit button is not explicitly present, so we have to reproduce the login sequence manually:

7. Now your template is complete and you can add ESSO controls to fit your requirements! In this case, I set the Logon Loop Grace Period to 480 minutes, so that when the end-user is logged in and decides to log out within this window, Oracle ESSO will not attempt to log in again. This timer is reset if Skype is restarted manually.

Hope you enjoyed the read, and don't hesitate to download ESSO for your own testing!

Thursday May 03, 2012

Extract an email list from a group ID for the BPEL/BPM Notification service

Within Oracle SOA Suite, it is possible to create email, SMS, fax or instant-messaging notifications via the Notification task, usable within BPEL or BPMN processes. For setting up the different communication channels, you can refer to the excellent blog post from Rubicon Red on the subject.

However, unlike a notification within a Human Task, where we only need to provide a user ID or group ID, we must explicitly specify the email addresses or phone numbers when using the Notification service on its own.

To address this need we can leverage the Identity Service functions available in BPEL to extract user properties. You can use the instructions below to extract those properties, either from a user ID or from a group ID. If you prefer, you can download the SOA project containing the processes below from here :)

Extract the email address and mobile number from a user ID

This step is fairly simple. We can use the Identity Service function ids:getUserProperty to extract the user's email address, or any other attribute available in the realm.

1. Create a synchronous BPEL process with the following input and output message types

2. Drag an Assign activity into the process

3. Open the Assign activity and drag the XPath Expression onto the email attribute

4. Use the following expression to extract the email address from the user ID: ids:getUserProperty($inputVariable.payload/client:userid,'mail')

5. Then map the phone attribute in the same way, using the expression ids:getUserProperty($inputVariable.payload/client:userid,'mobile')

6. Finally, deploy and test the process

Extract an email list from a group ID

To extract an email list from a group ID, the process is a little more complicated. In summary, there are two major steps:

a. Extract the list of user IDs from the group ID, using the Identity Service function ids:getUsersInGroup()
b. Iterate over the user ID list and concatenate the email address of each user into a list, using the same ids:getUserProperty() function as shown above

The challenge is to extract the user ID list, which is dynamic, and then iterate over this dynamic list to extract the property we need. After some investigation, here is a way to achieve this with a synchronous BPEL process:

1. Create a synchronous BPEL process with the following variables

- usersList is mapped to the Users element specified in the XML schema here
- index and size are two int variables, with index initialized to 1

2. Drag and drop the Assign and While activities as shown below

3. In the ExtractUsersList assign activity:

- Map the following functions onto $usersList/ns1:Users/ns1:user (using a CopyList assignment) and onto $size:

--> $usersList/ns1:user

--> $size

4. In the ParseUsersList while activity, use the following condition to loop over the $usersList/user elements:

5. Finally, in the ConstructEmailsList assign activity, add the logic to extract each email address and concatenate the results into a list with a separator:


==>  $outputVariable.payload/client:emails

==> $index

6. The BPEL process is now complete. Deploy and test it!
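As an added example (not code from the original post, nor from Oracle SOA Suite), the algorithm behind both procedures above, the single-user lookup and the two-step group process, run in Python against a constructed in-memory stand-in for the Identity Service. The two stub functions mirror the roles of ids:getUsersInGroup() and ids:getUserProperty(); the users, groups and attribute values are invented for the example, and the loop keeps the same index/size shape as the BPEL While activity. It also covers two cases the procedure above does not discuss: an empty group, and a member without a 'mail' attribute.

```python
"""Added example, not the post's or Oracle's code: the group-to-recipients
algorithm of the BPEL process above, against a constructed Identity Service
stand-in.  All directory data below is made up."""

# Constructed sample realm: user id -> attributes.  'mail' and 'mobile' are
# the attribute names used in the post; the users themselves are invented.
USERS = {
    "jdoe":   {"mail": "jdoe@example.com",   "mobile": "+85291234567"},
    "asmith": {"mail": "asmith@example.com", "mobile": "+85297654321"},
    "svc01":  {"mobile": "+85290000000"},          # service account, no mail
}
GROUPS = {
    "soa-operators": ["jdoe", "asmith", "svc01"],
    "empty-group": [],
}


def get_users_in_group(group_id):
    """Stand-in for ids:getUsersInGroup(): user ids of the group's members."""
    if group_id not in GROUPS:
        raise KeyError(f"unknown group: {group_id}")
    return list(GROUPS[group_id])


def get_user_property(user_id, attribute):
    """Stand-in for ids:getUserProperty(): one attribute value, or None when
    the user or the attribute does not exist in the realm."""
    return USERS.get(user_id, {}).get(attribute)


def user_contact(user_id):
    """First procedure of the post: email and mobile of a single user."""
    return {"mail": get_user_property(user_id, "mail"),
            "mobile": get_user_property(user_id, "mobile")}


def property_list_for_group(group_id, attribute, separator=","):
    """Second procedure of the post: step a lists the members, step b loops
    over them with an index/size counter, as the BPEL While activity does,
    and concatenates one attribute per member with the separator.

    Members without the attribute are skipped: appending an empty value
    would leave an empty entry between two separators in the address list
    handed to the Notification service."""
    user_ids = get_users_in_group(group_id)
    size = len(user_ids)
    index = 1                      # the post initialises index to 1
    values = []
    while index <= size:           # loop condition of the While activity
        value = get_user_property(user_ids[index - 1], attribute)
        if value:
            values.append(value)
        index += 1
    return separator.join(values)


if __name__ == "__main__":
    print(user_contact("jdoe"))
    print(property_list_for_group("soa-operators", "mail"))
    print(property_list_for_group("soa-operators", "mobile", ";"))
```

The same function builds the SMS recipient list by passing 'mobile' instead of 'mail', which is why the attribute name is a parameter rather than fixed to email as in the post's ConstructEmailsList activity.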


Hi, I am Manh-Kiet Yap (known as Kiet @oracle) and I'm currently the Technical Director at APAC Advanced Customer Services.

I've recently received my 15-year long-service award, after being successively Technical Consultant in France, Presales in Hong Kong, FMW Product Manager in EMEA, Presales Manager in APAC and finally Architect at Oracle ACS.

With my 15 years of experience around middleware, I hope you will find this blog valuable if you are navigating Oracle Fusion Middleware!


