Reducing SPAM on Identity Registration Services
By Scott Fehrman on Jan 04, 2012
Are you human?
Agencies are reducing costs and providing new services for their citizens and business partners through the use of on-line applications. These applications may allow the anonymous user to "browse" basic information. The application may offer advanced features or detailed information if the End-User registers with the agency. The registration process should be easy-to-use and be capable of determining that the registration data is from a legitimate (human) user.
One of the on-line security concerns related to an Identity Registration Service is the set of SPAM mechanisms that can attack your site. These attacks (bots) attempt to overload the Identity Registration Service with invalid data.
Oracle Identity Manager (OIM) 11g has an integrated registration mechanism that collects End-User data (OOTB interface or Java APIs), queues the registration request and leverages its configurable workflow processing to handle registration provisioning.
The Internet community has been leveraging Reverse Turing Test techniques to limit the risk of SPAM attacks against on-line applications that are intended for human interactive input. The most common "test" (to determine whether input data comes from a human) involves displaying an image containing words and then having the End-User type those words into the form. This type of "human" test is called a CAPTCHA.
An Identity Registration application that leverages both Oracle's Identity Manager 11g and a CAPTCHA process will reduce an agency's exposure to SPAM-type attacks.
An end-to-end sample Identity Registration Application was created to demonstrate how Oracle Identity Manager (OIM) 11g and the reCAPTCHA service were integrated. The diagram below is an overview of the sample Registration Application's architecture.
The sample Registration Application is built using standard Java Server Pages (JSPs), Java Servlets and JSP Tag Libraries. The Registration Application obtains the CAPTCHA test (using the reCAPTCHA service) and integrates it into the user interface. The End-User must fill in the required registration data and answer the CAPTCHA question. The Registration Application checks the CAPTCHA answer (using the reCAPTCHA service), performs any necessary processing on the End-User's profile data, and then sends the registration data to Oracle Identity Manager (OIM) 11g. The image below is a screen shot of the sample Registration Application's input form with the CAPTCHA capability integrated into it.
The registration data is submitted to Oracle Identity Manager (OIM) 11g through the use of Project OpenPTK's provisioning JSP Tag Library (TAGLIB). The TAGLIB sends the registration data to the Project OpenPTK Server (via its RESTful Web Service). The Project OpenPTK Server leverages Oracle Identity Manager's Java API to register the user. The Oracle Identity Manager (OIM) 11g workflow processes the registration request, invokes the necessary approvals and finally provisions the end-user account to the target resources.
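The flow described above (obtain a challenge, verify the End-User's answer server-side, process the profile, and only then hand the request to provisioning) is modelled below as an added example. It is not code from the sample application or from Project OpenPTK: the `CaptchaService` class is a constructed stand-in for the reCAPTCHA service, `ProvisioningQueue` stands in for the OpenPTK TAGLIB/RESTful call into OIM, and the form field names (`captcha_challenge`, `captcha_response`, `uniqueid`, and so on) are assumptions made for the example. The point it demonstrates is the ordering that keeps bot traffic out of the OIM workflow: the CAPTCHA answer is checked first, each challenge is single-use, and nothing reaches the provisioning queue until the check passes.

```python
"""Server-side registration handler (added example, not the project's code).

Order of operations matters for the SPAM concern discussed on the page:
1. verify the CAPTCHA answer with the CAPTCHA service (server-side);
2. validate/process the End-User's profile data;
3. only then submit the registration to the provisioning service (OIM).
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class CaptchaService:
    """Constructed stand-in for the reCAPTCHA service.

    Issues single-use challenges and checks answers on the server; the real
    service does the same over HTTP, the sample app calls it from a servlet.
    """
    _open: dict = field(default_factory=dict)  # challenge id -> expected answer

    def new_challenge(self):
        """Return (challenge_id, answer). The answer is what the image shows."""
        challenge_id = secrets.token_hex(8)
        answer = secrets.token_hex(3)
        self._open[challenge_id] = answer
        return challenge_id, answer

    def verify(self, challenge_id, response):
        """True only for a correct answer to a challenge that is still open.

        pop() retires the challenge, so a replayed (challenge, answer) pair
        fails even though the answer text is right.
        """
        expected = self._open.pop(challenge_id, None)
        return expected is not None and secrets.compare_digest(expected, response)


class ProvisioningQueue:
    """Constructed stand-in for the OpenPTK TAGLIB -> OpenPTK Server -> OIM path."""

    def __init__(self):
        self.submitted = []

    def submit(self, profile):
        self.submitted.append(profile)
        return len(self.submitted)


# Assumed required registration fields; the sample form's exact fields are not given.
REQUIRED = ("uniqueid", "firstname", "lastname", "email")


def handle_registration(form, captcha, queue):
    """Process one submitted registration form.

    Returns ("queued", uniqueid) on success, or ("rejected", reason) otherwise.
    The CAPTCHA check comes first so that a bot posting junk never causes a
    provisioning request (and its approvals) to be created in OIM.
    """
    challenge_id = form.get("captcha_challenge", "")
    response = form.get("captcha_response", "")
    if not captcha.verify(challenge_id, response):
        return "rejected", "captcha"

    # Profile processing: trim whitespace and require every mandatory field.
    missing = [name for name in REQUIRED if not form.get(name, "").strip()]
    if missing:
        return "rejected", "missing:" + ",".join(missing)
    profile = {name: form[name].strip() for name in REQUIRED}

    queue.submit(profile)
    return "queued", profile["uniqueid"]


if __name__ == "__main__":
    svc, queue = CaptchaService(), ProvisioningQueue()
    cid, answer = svc.new_challenge()
    form = {"uniqueid": "jdoe", "firstname": "Jane", "lastname": "Doe",
            "email": "jdoe@example.com",
            "captcha_challenge": cid, "captcha_response": answer}
    print(handle_registration(form, svc, queue))   # ('queued', 'jdoe')
    print(handle_registration(form, svc, queue))   # ('rejected', 'captcha') - replay
```

Because a challenge is consumed by the first verification, a form that passes the CAPTCHA but fails field validation must be re-displayed with a fresh challenge; that is the behaviour the sample application's servlet would need as well, and it is the reason the CAPTCHA check and the field check are reported as distinct rejection reasons here.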
The complete sample Registration Application is available as part of Project OpenPTK, an open source provisioning toolkit.