.NET interoperability, Kerberos, SPNEGO, Id Propagation - All things Microsoft! - OWSM 11g - Revisited
By Prakash Yamuna-Oracle on Apr 16, 2013
In a previous blog post, I briefly talked about interoperability with Microsoft and support for Kerberos, SPNEGO, NTLM, etc. in OWSM. I wanted to revisit that post and address a few aspects:
In that blog post, I mentioned that SPNEGO is something we don't support in OWSM.
In PS6, with the introduction of support for REST security, we also added support for SPNEGO. While the key driver was REST services and securing them, we support SPNEGO policies for HTTP/SOAP services as well.
In fact, one of the things customers will notice is that many of the policies introduced for securing REST services are also supported for HTTP/SOAP web services.
SPNEGO support is documented here:
Note: OWSM still doesn't support NTLM.
Interoperability with Microsoft environments.
One of the most common questions from customers is whether SAML can be used for identity propagation between Microsoft and Oracle based environments, with ADFS as the STS enabling SAML-based identity propagation.
In PS6, we have certified with ADFS (in addition to the certification with Oracle STS and OpenSSO STS).
Client side Kerberos support
It appears that many people looked at the figures in the previous blog post and assumed we don't support Kerberos on the client side in OSB. I just wanted to clarify that we do in fact support Kerberos policies on the client side - so for - you can do the following:
The key limitation is that you cannot use Kerberos across multiple hops, as I mentioned in the previous blog post. However, you can definitely use Kerberos policies to secure your web service clients.