Page 1 – Policy Configuration: Shared Components and Application Domains
Page 2 – Custom Resource Types
non-HTTP resources.
other JEE applications as a basis for AuthN and AuthZ
when communicating with the OAM server.
scenario)
Page 3 – Custom Authenticator Use Case
1 – A user accesses the J2EE application directly because there is no WebGate in this scenario.
2 – The application authenticates with the OAM identity authenticator implementation in the CSS layer by passing the username and password.
3 – To fulfill the authentication, the OAM identity authenticator contacts OAM on a NAP channel.
4 – Upon successful authentication, the OAM identity authenticator returns the subject to the J2EE application.
Page 4 – Fusion Applications SSO Use Case
1 – A client accesses an ADF application, which is protected by an anonymous authentication. The ADF application determines that authentication is required, so it redirects to a WebGate-protected ADF authentication servlet.
2 – The WebGate connects to OAM for the authentication policy.
3 – If AuthN is successful, access to the ADF AuthN servlet is granted, which then redirects to the original ADF controller application.
4 – The OAM identity asserter intercepts the request and asserts the identity of the user.
5 – This step is optional. The identity asserter may or may not contact OAM to assert the user. It can be configured to trust the connections from the WebGate, in which case it does not need to contact OAM.
6 – The request goes back to the ADF controller application.
Page 5 – Creating Custom Resources
Note:
No host ID is prefixed for custom resources; no support for virtual hosts.
No patterns are supported for custom resource types (they are all literals).
Page 6 – Authentication Parity with OAM 10g

Feature                                                         10g   11g
Support for SSO over protected resources within domain          YES   YES
Support for multi-level and step-up authentication              YES   YES
Authentication step (authentication module chaining)            YES   NO
Orchestration across multiple authentication steps              YES   NO
Support for centralized Web server for credential collection    YES   YES
Support for distributed/external credential collection          YES   NO
BASIC/FORM/X.509 authentication                                 YES   YES
EXT Authentication/CRL Support                                  YES   NO
Page 7 – OAM 10g Parity Items
Features Not Implemented in 11g R1
Feature
Authorization expressions
URL query string-based resource matching
Additional wildcarding support
Policies scoped to a specific HTTP operation
Chained authentication schemes
AuthN/AuthZ extensibility SPIs
User properties, mapping LDAP attributes (or other sources) into the deployment
Referential objects (constraints, responses), used from policies in multiple domains
Page 8 – Authentication: Troubleshooting Tips
The logger name used by the authentication engine components is oracle.oam.engine.authn.
passed in a request (NTLM is not supported).
Page 9 – Success and Failure URL
This shows an example of redirection where a more meaningful message is returned than “File not found.”
[Diagram: WebGate, Web server, Content, OAM server]
1 – Requests access to resource.
2 – Authorization fails.
3 – WebGate redirects to AuthzFailure.html, which reads: “We are sorry but you are not authorized to access this resource. If you would like to request access, contact Application Administrator.”
Page 10 – Returning Session or Cookie or HTTP Header Variable
[Diagram: WebGate, Web server, Content, OAM server]
1 – Requests access to resource.
2 – Authorization succeeds (OAM server returns authorization success).
3 – Set header variable HTTP_WELCOME_CN.
4 – Application processes header variable and embeds the CN attribute in returned page.
5 – Returned page: “Welcome John Smith!”
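The two flows above (the failure redirect to AuthzFailure.html and the success path that sets HTTP_WELCOME_CN for the application) can be modelled end to end in a few lines. The block below is an added example, not code from the slides or from OAM itself: the policy table, directory records, helper names (webgate, application, handle) and the use of a plain dict for headers are all constructed for illustration. It also shows the check the application side should make when it embeds the CN in a page: the value is treated as an opaque string asserted by the gateway and is HTML-escaped before rendering, so directory values containing markup characters cannot alter the returned page.

```python
"""Added example: a minimal model of the WebGate success/failure flows
shown on the Success and Failure URL and HTTP Header Variable slides.
Policy, directory data and function names are constructed; this is not
OAM's own API."""
from dataclasses import dataclass, field
from html import escape

# Constructed sample policy: which users may access which resource.
POLICY = {"/app/reports": {"jsmith", "obrien"}}

# Constructed directory attributes the gateway may expose as header variables.
DIRECTORY = {
    "jsmith": {"cn": "John Smith"},
    "obrien": {"cn": "Pat O'Brien <Finance>"},  # CN with markup characters
}

AUTHZ_FAILURE_URL = "/AuthzFailure.html"   # failure redirect target from the slide
HEADER_NAME = "HTTP_WELCOME_CN"             # header variable name from the slide


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def webgate(user: str, resource: str) -> Response:
    """Step 2/3 of each flow: authorize the user for the resource.
    Failure -> redirect to the failure URL (the application never runs).
    Success -> set the header variable and let the request through."""
    if user not in POLICY.get(resource, set()):
        return Response(302, {"Location": AUTHZ_FAILURE_URL})
    return Response(200, {HEADER_NAME: DIRECTORY[user]["cn"]})


def application(headers: dict) -> str:
    """Step 4: embed the CN from the header variable in the returned page.
    The CN is escaped so that '<', '>' and quotes in a directory value
    are rendered as text rather than interpreted as HTML."""
    cn = headers.get(HEADER_NAME)
    if cn is None:
        return "Welcome!"
    return f"Welcome {escape(cn, quote=True)}!"


def handle(user: str, resource: str) -> Response:
    """Run a request through the gateway and, on success, the application."""
    gate = webgate(user, resource)
    if gate.status != 200:
        return gate
    return Response(200, gate.headers, application(gate.headers))


if __name__ == "__main__":
    print(handle("jsmith", "/app/reports").body)      # Welcome John Smith!
    print(handle("guest", "/app/reports").headers)    # {'Location': '/AuthzFailure.html'}
```

In a real deployment the header is only meaningful when the request has actually passed through the WebGate, so the application server should accept it solely from the gateway's own web server, never directly from clients.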
Page 11 – Validating Authentication and Authorization in an Application Domain
registered agent.
Page 12 – Authentication Module Features
Page 13 – Shared Components: Authentication Schemes
Page 14 – Shared Components: Authentication Schemes

AuthN Scheme               AuthN Module          Challenge Method   AuthN Level
LDAPNoPasswordValidation   LDAPNoPasswordAuth    Form               2
OAM 10g                    LDAPNoPasswordAuth    OAM 10g            2