Thursday, August 16, 2018

OAM 11g IDP SAML Federation authorization policies


This post covers how to enable and configure authorization policies for federated applications with OAM 11g acting as the Identity Provider (IDP).

Note: Tested with an application integrated with OAM 11g R2 PS2 as IDP, and I think this article still applies to later versions also.

By default, Federation Authorization is disabled. Execute the steps below to enable it using WLST commands.


  • Enter the WLST environment by executing
    $IAM_ORACLE_HOME/common/bin/wlst.sh
  • Connect to the WLS Admin server
    connect()
  • Navigate to the Domain Runtime
    domainRuntime()
  • Execute the configureFedSSOAuthz() command
    • To enable authorization:
      configureFedSSOAuthz("true")
    • To disable authorization:
      configureFedSSOAuthz("false")
  • Exit the WLST environment:
    exit()

Authorization policies can be configured to allow or deny access to individual accounts, to groups, or to a combination of groups and individual accounts, all taken from the OAM 11g backend LDAP server.

Steps to configure a Token Issuance Policy


  • Go to the OAM Administration Console: https://oam-admin-host:port/oamconsole
  • Navigate to Access Manager -> Application Domains
  • Click Search
  • Click on IAM Suite in the list of results
  • Click on the Token Issuance Policies tab
  • Click “Create Token Issuance Policy”
  • Enter a name (Example: AdministratorsOnlyPolicy)
  • Click on Conditions tab
  • Click Add to add a constraint for the AdministratorsOnly group
  • Enter the details of the constraints:
    • Name: AdministratorsGroup (example)
    • Type: Token Requestor Identity
    Note: If you would like to allow all users with valid credentials to log in to the application, select "True" in the condition type drop-down and click the "Add Selected" button.
  • Click Add Selected
  • Select the newly created constraint to configure it
    • In the conditions details, click Add and select Add Identities
    • Select the Identity Store and enter Administrators group name
    • Click search
    • Select the AdministratorsOnly Group
  • Click Add Selected
  • Click on the Rules tab
  • In the Allow Rule section, select the AdministratorsGroup condition and add it to the Selected Conditions, since we want to allow users belonging to the Administrators group to do Federation SSO with the partners listed in this policy
  • Click Apply
Execute the following steps to create a new resource and add it to the AdministratorsOnlyPolicy Token Issuance Policy:

  • Go to the OAM Administration Console: http(s)://oam-admin-host:port/oamconsole
  • Navigate to Access Manager -> Application Domains
  • Click Search
  • Click on IAM Suite in the list of results
  • Click on the Resources tab
  • Click on New Resource and create a new resource for the Token Issuance Policy:
    • Type: TokenServiceRP
    • Resource URL: the name of the SP Partner exactly as it was created in the Federation Administration section (example: XYZAppAdmin)
    • Operations: all
    • Token Issuance Policy: AdministratorsOnlyPolicy
    • Click Apply

Expect the SAML status message "User is not authorized to perform Federation SSO" in the IDP's SAML response whenever a user who is not a member of the Admin group tries to log in.
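As an added example (not code from the original post), this is how the Service Provider side can inspect the samlp:Status of the IDP's response and fail closed on anything other than Success. The StatusMessage in the constructed sample is the one quoted above; the StatusCode values, IDs and issuer URL are assumed placeholders, not values captured from OAM.

```python
# Added example, not from the original post: inspect the <samlp:Status> of the
# IDP's SAML Response the way the Service Provider side should, treating any
# top-level StatusCode other than Success as a denied login (fail closed).
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of a denial: the StatusMessage is the one the post says OAM
# returns; the StatusCode values, IDs and issuer are assumed placeholders.
DENIED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-placeholder" Version="2.0" IssueInstant="2018-08-16T10:00:00Z">
  <saml:Issuer>https://oam-idp.example.com/oam/fed</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User is not authorized to perform Federation SSO</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def saml_status(response_xml):
    """Return (is_success, status_codes, message) for a SAML 2.0 Response.

    status_codes holds the top-level code first, then any nested sub-codes.
    A Response without <samlp:Status> is reported as a failure.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        return False, [], "missing samlp:Status"
    codes = []
    node = status.find("samlp:StatusCode", NS)
    while node is not None:          # walk the nested StatusCode chain
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)
    msg = status.find("samlp:StatusMessage", NS)
    message = msg.text.strip() if msg is not None and msg.text else ""
    return codes[:1] == [SUCCESS], codes, message
```

Only the top-level StatusCode decides success; the nested code and the message are kept for logging so a policy denial is distinguishable from other IDP errors.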

Happy SSO'ing

Thanks
Siva Pokuri


Wednesday, July 18, 2018

Enable TLS 1.1 & TLS 1.2 in Java JDK

Starting with Java JDK 1.8.x, TLS 1.1 and TLS 1.2 are enabled by default.

But if you are on JDK 1.7.x, you will have to enable them explicitly.

How do you do it? One way is to enable them from the Java Control Panel.

Windows

Navigate to the JAVA_HOME\jre\bin folder and execute javacpl.exe from the command prompt.

Linux:

Navigate to the JAVA_HOME/jre/bin folder and execute ./ControlPanel from a terminal.

This opens the Java Control Panel. Click on the Advanced tab and scroll down to the Advanced Security Settings section.

Select the check boxes for "Use TLS 1.1" and "Use TLS 1.2", then click Apply and OK.

Thanks
Siva Pokuri.

Friday, June 29, 2018

WebLogic Stuck threads

One way to check whether you have stuck threads is through the WebLogic Admin Console.

  1. Log in to the WebLogic Admin Console with admin credentials.
  2. Expand Environment and click on Servers in the left menu.
  3. Click on the Admin Server or whichever managed server you want to check for stuck threads.
  4. Click on the Monitoring tab in the server properties.
  5. Click on the Threads tab.
  6. Check the Health column in the Self-Tuning Thread Pool table. If it says OK, there are no stuck threads.
  7. If the Health column shows "Warning", there are stuck threads in the JVM.
  8. Next, you will have to find the root cause of the stuck threads. For that, a JVM thread dump needs to be taken.
  9. The jstack tool is available starting with JDK 1.6.
  10. Find the process ID of the WebLogic server and execute the command "jstack <PID> > threaddump.log".
  11. The above command writes the JVM thread dump to threaddump.log.
  12. Check the STUCK threads and fix the issue. The cause might be in application code or in a connection to an external service.
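As an added example (not from the original post), the following script pulls the threads WebLogic has tagged [STUCK] out of a jstack thread dump and shows the top frames of each, which is the quickest way to tell an application-code problem from a hung external call. The dump it parses is a constructed sample in jstack's format; the class names, tids and nids are placeholders.

```python
# Added example, not from the original post: list the threads WebLogic tagged
# [STUCK] in a jstack dump together with where each is blocked. The dump below
# is a constructed sample in jstack's format; class names and ids are placeholders.
import re

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')          # '"<name>" #12 daemon ...'
STATE_LINE = re.compile(r'^\s*java\.lang\.Thread\.State:\s*(?P<state>\S+)')
FRAME_LINE = re.compile(r'^\s*at\s+(?P<frame>.+\S)')        # stack frame lines

SAMPLE_DUMP = """\
"[STUCK] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'" #45 daemon prio=1 tid=0x0a nid=0x1a2b runnable [0x0b]
   java.lang.Thread.State: RUNNABLE
    at java.net.SocketInputStream.socketRead0(Native Method)
    at com.example.app.ExternalClient.call(ExternalClient.java:88)

"[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'" #46 daemon prio=5 tid=0x0c nid=0x1a2c waiting on condition [0x0d]
   java.lang.Thread.State: WAITING (parking)
    at sun.misc.Unsafe.park(Native Method)

"[STUCK] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'" #49 daemon prio=1 tid=0x0e nid=0x1a2f waiting for monitor entry [0x0f]
   java.lang.Thread.State: BLOCKED (on object monitor)
    at com.example.app.CacheManager.refresh(CacheManager.java:42)
    at com.example.app.OrderService.load(OrderService.java:17)
"""


def parse_threads(dump_text):
    """Split a jstack dump into [{name, state, frames}] records, in dump order."""
    threads = []
    for line in dump_text.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            threads.append({"name": header.group("name"), "state": "", "frames": []})
        elif not threads:
            continue  # preamble before the first thread (JVM version, timestamp)
        elif STATE_LINE.match(line):
            threads[-1]["state"] = STATE_LINE.match(line).group("state")
        elif FRAME_LINE.match(line):
            threads[-1]["frames"].append(FRAME_LINE.match(line).group("frame"))
    return threads


def stuck_threads(dump_text, top_frames=3):
    """Only the threads WebLogic marked [STUCK], each with its top frames."""
    return [
        {"name": t["name"], "state": t["state"], "frames": t["frames"][:top_frames]}
        for t in parse_threads(dump_text)
        if t["name"].startswith("[STUCK]")
    ]
```

Run it against a real threaddump.log by passing the file contents to stuck_threads(); a STUCK thread sitting in a socket read points at an external service, while one BLOCKED on a monitor points at contention in application code.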
Happy debugging.

Thanks
Siva Pokuri.