Thursday, November 9, 2017

OIF 11g: Federation Fails With time sync issue between SP and IDP

Issue:

OIF 11g partners are running out of sync in the time.  
That let's fail the federation with the error message: "AuthnResponse failed validation due to an invalid condition related to time".

Available solutions to fix the issue.

Solution 1: Solution Make sure that all the OIF partners are timely in sync.

Solution 2: But as a complete time sync accross all OIF partners could be challenging to accomplishand and verify, then there is actually this ... :
ER 16906719 - FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMLY IN SYNC - CLOCKS SKEW NEEDED

... that has been implemented, and which allows now to set a time clockdrift delta for the times on the SAML Assertion Conditions->NotBefore

The ER (Enhancement Request) bug is implemented only in 11.1.2.2.0 (11gR2 PS2).
So, the OAM/OIF Federation 11.1.2.2.0 has been enhanced to support setting outgoing clock drift adjustment, using WLST command updatePartnerProperty with "senderserverclockdrift" property.

The relevant documentation the WLST command as for this  11.1.2.2.0  release is available at : http://docs.oracle.com/cd/E40329_01/web.1112/e28155/custom_infra_security.htm#CHDEECBH

PS: Oracle Support strongly suggests and recommends the customers to move to the newer releases versions of the products as they use, and thus to benefit to the new available features as well as known bugs fixes.


Solution 3: If you cannot really move or plan to upgrade to OIF 11gR2PS2 for now, but still desperately need this ER fix, then an One-Off patch for the ER (Enhancement Request) bug 16906719  backport as on top of OIF 11gR1 11.1.1.6.0 has been completed.

The patch 16906719 is available from My Oracle Support as per patch 16906719

--> Patch 16906719: FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMELY IN SYNC - CLOCKS SKEW NEEDED (Patch)

p16906719_111160_Generic.zip   59.2 KB

So, if you use the exact release of OIF 11gR1 11.1.1.6.0 version and still would like the fix of this, then please download 
Patch 16906719 and review the patch README file as included in the zip for patch installation.

Please test this on your testing environment, before moving it to Production environment.

As per this patch 
16906719, the OIF 11gR1 11.1.1.6.0 is enhanced with the backport of this bug in order to support setting outgoing clock drift adjustment, using the below WLST command to configure OIF 11.1.1.6.0 :

- setConfigProperty("serverconfig", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
for OIF global setting, replace VALUE_IN_SECONDS by the value in seconds

- setFederationProperty("PROVIDER_ID", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
replace VALUE_IN_SECONDS by the value in seconds and PROVIDER_ID by the partner's ProviderID

Test case:
- set up Fed SSO for SAML2.0
- configure IdP using the WLST commands listed above
- at SP, go to test sp sso
- perform Fed SSO with IdP
- in the result, see the SAML assertion
- look for Conditions->NotBefore

Without fix it will be equals to IssueInstant (in Assertion)

With fix it will be equals to IssueInstant (in Assertion) minus senderserverclockdrift

PS: This patch is only applicable to OIF 11gR1 11.1.1.6.0 and you might need to double-check with possible patches conflict (as if you might have other existing OIF 11gR1 patches as running on the same environment).

4)* If you use any other OIF 11gR1 11.1.1.x (other than the OIF 11.1.1.6.0), then there is currently no other patch available on the same for OIF 11.1.1.x, and thus you would need to double check with OIF product support team on any further specific request on the same.
But still, the best option and recommended solution is to really move to newer version of OAM/OIF 11gR2PS2 11.1.2.2.0 and/or any later/newer version coming after it.


Thanks
Siva Pokuri

Tuesday, October 10, 2017

How to allow multiple login attributes in OAM/OAAM integrated environment

Requirement:

The requirement is to allow users to choose at login time from 2 different attributes from LDAP (e.g. uid and email address). 

Oracle solution:

Ref: How to allow multiple login attributes in OAM/OAAM integration using a custom TAP module (Doc ID 2190079.1)

For login user enters username and password on the OAAM page used when integrated with OAM (oaam_server/oamLoginPage.jsp).

Doing so, however, will imply that OAAM will have to keep two security profiles corresponding to each login attribute. When user is authenticated using a different attribute for the first time he will be seen as a new user (OAAM will create a new user record with login_id set to the new attribute value in the VCRYPT_USERS database table) so the registration process will take place again.

This will affect as well any pattern, behavior data which OAAM registers for that user (which will actually be seen by OAAM as 2 users now) so it's not recommended in case one wants to have highly accurate login and pattern data for each user.

Custom solution:

Since there is a limitation when OAAM is part of solution as mentioned in Oracle solution. Below custom solution will prevent creating duplicate OAAM security profiles for same user who login with either username or email address and no custom TAP modules need to be created in OAM.

By customizing OAAM login flow using OAAM extensions it can be achieved.

High level steps below.

  1. Copy struts config file action mapping for /login.do from oaam_server.ear to OAAM extensions WAR file struts XML file.
  2. Change the "/login.do" action mapping "success" redirect to custom action(Example: /validateUser.do)
  3. Write an action class extending struts action with below logic.
    1. Get user entered email address/username entered in OAAM login page screen from OAAM session.
    2. Write custom logic(JNDI code) to get user login attribute(uid) from user store in custom action class
    3. Update UIOSessionData instance with user login attribute(uid) retrieved from user store
    4. Recreate VcryptAuthUser with login username(uid attribute retrieved from user store) if user has already OAAM security profile already created.
    5. Send action forward to "/loginJump.do" to continue login process with username(uid attribute) even though user entered email address.
  4. Build custom action class into a custom jar file and deploy in OAAM extensions war under /WEB-INF/lib folder
Thanks
Siva Pokuri.