With a complete new Identity/Access Management Suite on the Oracle market,
one might forget the good old SSO server, bundled with each and every IAS server.
Although it has some out-of-the-box capabilities like WNA and X509 certificate support,
it can be quite hard to set up an authentication scheme just the way you (or your customers) like it.
Using a case study, this presentation discusses how you can extend Oracle’s Single
Sign On (SSO) server to your needs. It will discuss :
- Integration & authentication with smartcard passports (eID)
- Authentication with digital certificates
- Implementing fallback authentication schemes
- Integration with SSL terminators and reverse proxies
- DIY federated authentication
- writing your own SSO plugin
The solutions presented are part of AXI NV/BV's portfolio.
18. SSO workflow – not yet authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com NameVirtualHost *:80 <VirtualHost *:80> ServerName my.company.com Port 80 # Include the configuration files # needed for mod_osso OssoConfigFile /OH/my_comp_osso.conf </VirtualHost> infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y> Partner cookie available ? SSO cookie ? -> Generate Redirect to logon page http://infra.axi.be/sso/jsp/login.jsp $OH/sso/policy.properties
19. SSO workflow – not yet authenticated INFRA.axi.be MID.axi.be apache Mod_osso Mod_oc4j Mod_plsql J2ee apache Mod_osso Mod_oc4j Mod_plsql J2ee Oc4j_security oca OID LDAP IASDB http://my.company.com
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32. SSO custom logon screen INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB http://my.company.com apache J2ee OID LDAP PLSQL using OWA_UTIL $OH/sso/policy.properties http://infra.axi.be/pls/login_page Plsql Login_page What site do you want to enter ? ORASSO.WWSSO_UTL.unbake_site2pstore_token -> my.company.com Generate a different logon screen
33.
34.
35.
36.
37.
38. Public Key Infrastructure Chain of trust Valid ? (CRL) Example of authenticatie United Nations US Belgium Me and my passport The nice officer at JFK And his passport
39. Public Key Infrastructure Chain of trust Valid ? (CRL) Example of authenticatie United Nations US Belgium Flanders region Walloon region If Belgium splits in the Flanders region and Walloon Region I will be screwed if the United Nations do not recognize them
45. SSO integration with PKI apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page Client certificate (OCA, eID) (private/public key in keystore) Root certificate Government CA Oracle CA Server Certificate Server Certificate Root Certificate Root Certificate SSL SSL
46. SSO integration with PKI – SSL terminator apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA
47.
48.
49. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA OCA Digital certificate My.company.com Login.company.com ProxyPass /forms/ http://MID.axi.be:7782/forms/ ProxyPass /osso_login_success http://MID.axi.be:7782/osso_login_success ProxyPass /login/ http://INFRA.axi.be:7780/ ProxyPassReverse /forms/ http://MID.axi.be:7782/ ProxyPassReverse /sso/ http://INFRA.axi.be:7780/ ProxyHTMLURLMap http://INFRA.axi.be:7780 /login <Location /sso/> SSLVerifyClient require RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e" </location>
50. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA My.company.com Login.company.com Only need to enter SSO password Map certificate subject to SSO username
51. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA OCA Digital certificate
52.
53. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA eID Digital certificate My.company.com Login.company.com ProxyPass /forms/ http://MID.axi.be:7782/forms/ ProxyPass /osso_login_success http://MID.axi.be:7782/osso_login_success ProxyPass /login/ http://INFRA.axi.be:7780/ ProxyPassReverse /forms/ http://MID.axi.be:7782/ ProxyPassReverse /sso/ http://INFRA.axi.be:7780/ ProxyHTMLURLMap http://INFRA.axi.be:7780 /login <Location /sso/> SSLVerifyClient require RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e" </location>
54. SSO integration with PKI – workflow apache Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO OCA OID LDAP IASDB J2ee OID LDAP Plsql Login_page HTTPS SSL Terminator Accelerator HTTP HTTP OCSP LDAP Download CRL Government CA’s (eID) LDAP Download CRL OCA eID Digital certificate My.company.com Login.company.com <Location /sso/> SSLVerifyClient require RequestHeader set SUBJECT "%{SSL_CLIENT_S_DN}e" </location>
55.
56. DIY federated authentication - workflow Plsql Login_page apache Apache 2.x RP Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB J2ee OID LDAP Portima Authentication server My.private-company.com Login.private-company.com Officeid/suboffice password
57. DIY federated authentication - workflow Plsql Login_page apache Apache 2.x RP Plsql Login_proxy INFRA.axi.be MID.axi.be apache J2ee SSO PLUGIN OID LDAP IASDB J2ee OID LDAP Portima Authentication server My.private-company.com Login.private-company.com Officeid/suboffice password Replaced with SAML v2 Federated Authentication In 2008 (integrated with Oracle SSO)
58. Architecture HTTP/S HTTP CA LB (linux vips ldirector) INFRA MID CRL HTTP HTTP SSL/RP (apache2) RP (apache2)