Wednesday Dec 16, 2015

Using OUD plugin for SAML authentication with OAM against users stored in SQLServer

Here is a practical example of how to use a custom OUD plugin to speed up deployment of an Identity Management solution for a fraction of the price of developing a custom connector:

The use-case is to enable SAML authentication as an IDP where some of the users are stored in a SQLServer database and some in AD (external users in DB, internal users in AD).

The customer is planning to have OAM authenticate the users and perform the role of a SAML IDP, doing LDAP authentication for users stored in the database and Kerberos for the users stored in AD. In order to allow OAM to authenticate users that are stored in the database, OUD can be deployed as an RDBMS proxy thanks to the RDBMS workflow element feature, so that users stored in a database table are exposed as an LDAP tree that OAM will authenticate against.

The problem is that the password field in the database is hashed in a specific way.

The trick is to deploy a custom OUD plugin component ahead of the RDBMS workflow element. That plugin is responsible for processing bind requests only. Upon reception of a bind request against a user stored in SQLServer, the custom plugin retrieves the user entry containing the hashed password and salt, accesses the plain text password provided in the bind request, and performs the password comparison based on custom logic.

Design, dev and testing took me a couple of days, much simpler and cost effective than adding support for this new source in OAM/OIM.
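The bind-comparison logic described above, as an added illustration that is not the plugin's code: the OUD plugin API is not shown, and the hashing scheme (salted SHA-256), the DNs and the user rows are assumed stand-ins for the customer's own scheme.

```python
import hashlib
import hmac
import os

# ASSUMED placeholder for the customer-specific scheme: SHA-256 over (salt || password).
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def make_entry(uid: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"uid": uid, "salt": salt, "pwdhash": hash_password(password, salt)}

# Constructed user table keyed by DN, standing in for the rows the RDBMS
# workflow element exposes as LDAP entries.
USERS = {
    "uid=alice,ou=external,dc=example,dc=com": make_entry("alice", "Correct-Horse-42"),
}

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49

def handle_bind(bind_dn: str, plain_password: str) -> int:
    """Simulated bind handling: look up the entry, recompute the hash with the
    stored salt, compare in constant time, return an LDAP result code."""
    entry = USERS.get(bind_dn)
    if entry is None:
        # Unknown DN and wrong password return the same code, so the bind
        # response does not reveal which DNs exist.
        return LDAP_INVALID_CREDENTIALS
    if not plain_password:
        # An LDAP simple bind with a DN and an empty password is an
        # unauthenticated (anonymous) bind; never treat it as a successful login.
        return LDAP_INVALID_CREDENTIALS
    candidate = hash_password(plain_password, entry["salt"])
    if hmac.compare_digest(candidate, entry["pwdhash"]):
        return LDAP_SUCCESS
    return LDAP_INVALID_CREDENTIALS
```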


Tuesday May 19, 2015

Oracle Unified Directory 11gR2 PS3 available for download

The Identity Management 11gR2 PS3 release, including OUD 11gR2 PS3 is available on eDelivery.  
To download OUD, go to http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html
and select OUD 11gR2 PS3 

R2PS3 documentation is available at http://docs.oracle.com/cd/E52734_01/oud/docs.htm

Certification Matrix is available at http://www.oracle.com/technetwork/middleware/id-mgmt/documentation/identity-access-111230certmatrix-2539086.xlsx

Tuesday Mar 10, 2015

Support Dates for ODSEE have been updated

FYI, the end-of-support dates for ODSEE have been updated. See the link below (pages 37 and 42):

http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf

Tuesday Apr 08, 2014

OUD External change log and rootDSE search

Some LDAP client applications perform subtree searches with search base set to the rootDSE (empty DN).
Oracle Unified Directory (OUD) nicely routes the search to every top level suffix automatically.

When replication is enabled, OUD automatically publishes all changes that have occurred in a directory server database in the cn=changelog suffix. This is particularly useful for synchronizing the LDAP directory with other subsystems. The cn=changelog suffix may contain millions of changes, depending on the modification rate on the replication topology and the change retention policy (purge delay).

Subtree searches with search base set to the rootDSE are routed to the cn=changelog suffix as well, as long as replication is enabled. In general, this is not a problem in a testing/staging area, because the changelog is almost empty. However, in production, this may have a big impact on performance, as this suffix may contain many entries. Furthermore, the custom indexes corresponding to the client access pattern do not exist on that suffix, so they can't be used to speed up entry processing.

In order to address that problem, you can disable the so-called external changelog without disabling the underlying replication changelog used by replication. To do so, run the following command on the OUD servers for each user suffix:

dsconfig -h <hostname> -p <admin port>  -D "cn=directory manager" -w <admin password> -n \
  set-external-changelog-domain-prop \
  --provider-name "Multimaster Synchronization" --domain-name <your suffix>  \
  --set enabled:false

Note: some provisioning apps may require the external changelog to synchronize with external systems. If so, keep the external changelog enabled on a couple of OUD servers and reserve them for these apps.


Monday Mar 24, 2014

Deploying the IAM Suite and OUD with the Deployment Wizard

Identity & Access Management suite R2 PS2 (11.1.2.2.0) ships with a new deployment tool to automate the installation and configuration of products related to the IAM suite. This tool is named Oracle Identity and Access Management Deployment Wizard.

This tool automates the installation, configuration and integration of WebLogic Server, SOA Suite, Oracle Identity Manager, Oracle Access Management, Oracle Unified Directory, Oracle HTTP Server and Webgates. The tool allows you to select one of three deployment topologies: OIM, OAM, or OIM integrated with OAM and OUD.

More details about this wizard on Idm.guru at http://idm.guru/access-governance/deploying-the-iam-suite-with-the-deployment-wizard/

Thursday Apr 11, 2013

Oracle Unified Directory 11g R2 PS1 released

Oracle Identity and Access Management 11g R2 (11.1.2.1.0) is now generally available. Media is available for download on the Oracle Software Delivery Cloud (OSDC). This includes the following products:
  • Oracle Identity and Access Management
  • Oracle Entitlements Server Security Module
  • Oracle Access Manager OHS 11g WebGates
  • Oracle Access Manager IHS 7.0 WebGates
  • Oracle Access Manager Access SDK
  • Oracle Access Manager JBoss 5 Agent
  • Oracle Unified Directory
  • Oracle Enterprise Single Sign-On
  • Oracle Access Management Mobile and Social SDK

To download OUD, go to https://edelivery.oracle.com/ , select "Oracle Fusion Middleware" and the target platform, select "Oracle Fusion Middleware Identity Management 11gR2 Media Pack", then "Oracle Unified Directory 11g (11.1.2.1.0)".

Documentation is available at http://docs.oracle.com/cd/E37116_01/index.htm

Certification Matrix is available at http://www.oracle.com/technetwork/middleware/id-mgmt/identity-accessmgmt-11gr2certmatrix-1714221.xls

Tuesday Aug 21, 2012

Shortcuts to download Oracle IDM and OUD 11g R2

Oracle Identity Management 11g R2 is now available for download from Oracle eDelivery. It is sometimes a bit difficult to quickly find the right link to OUD R2, so here is the 7-step procedure:

  1. Go to the eDelivery portal, log in and accept the legal agreements, if any
  2. Select "Oracle Fusion Middleware" from the Product Pack menu
  3. Select Linux x86-64 from the Platform menu (no matter what target platform you plan to use, as the OUD link does not appear yet for some supported platforms)
  4. Click GO
  5. In the search result table, select "Oracle Fusion Middleware Identity Management 11g R2 Media Pack"
  6. Click on Continue.
  7. Locate "Oracle Unified Directory 11g (11.1.2.0.0)" in the list (close to the end), then download the 152M file (V33641-01.zip)

That's it!


About


My name is Sylvain Duloutre. I worked as a Software Architect in the Oracle Directory Integration Team, the customer-facing part of Directory Services & Identity Management Product Development, working on Technical Field Enablement and Solutions Architecture.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

A mirror of this blog is available on Wordpress here.
