Case study: PLUS Retail - moving from the old world to the new world
DESCRIPTION
A case study covering Plus Retail's transition from Oracle to ForgeRock's OpenAM, presented by AXI BV/NV consultant Kurt Van Meerbeeck.
TRANSCRIPT
2013 Open Stack Identity Summit - France
OpenAM in an Oracle Environment
Case Study
www.axi.be
BIO / Whoami
• Kurt Van Meerbeeck
• Working with Java since 1996 (JDK 1.0.x)
• Working with Oracle products since 1997 (Oracle 7, OAS 3, Forms 3.x)
• Currently working for AXI NV/BV, an Oracle | IBM | ForgeRock partner
• Database & middleware consultant
History
• Internet Application Server 9i (IAS9i)
• Internet Application Server 10g (IAS10g)
• Fusion Middleware 11g (FMW/WLS)
IAS Architecture
• Infrastructure tier
  • OHS: Apache 1.3, mod_oc4j, mod_plsql, mod_osso
  • OID (LDAP)
  • OC4J (Orion J2EE)
  • OCA
  • SSO server
  • RDBMS
• Multiple middle tiers
  • OHS: Apache 1.3, mod_oc4j, mod_plsql, mod_osso
  • OC4J
  • Oracle Forms, Reports, Discoverer
  • Oracle Portal
OSSO flow
[Figure: OSSO flow. Infrastructure tier INFRA.axi.be: Apache with mod_osso, mod_oc4j and mod_plsql, J2EE with oc4j_security, OCA, OID LDAP, IASDB. Middle tier MID.axi.be: Apache with mod_osso, mod_oc4j and mod_plsql, J2EE, serving http://my.company.com.]
Apache virtual host - make it an SSO partner app
- register with ossoreg.jar
- mod_osso, mod_osso.conf:
    <Location /app>
      require valid-user
      AuthType basic
    </Location>
NameVirtualHost *:80
<VirtualHost *:80>
  ServerName my.company.com
  Port 80
  # Include the configuration files
  # needed for mod_osso
  OssoConfigFile /OH/my_comp_osso.conf
</VirtualHost>
- Partner cookie available? If not, mod_osso redirects to infra.axi.be/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=<y>
- SSO cookie? If not, the SSO server generates a redirect to the logon page http://infra.axi.be/sso/jsp/login.jsp (configured in $OH/sso/policy.properties)
- HTTP POST to the SSO server: username, password, site token
- Check credentials in LDAP/OID
- If OK: generate SSO cookie (SSO_ID), generate redirect to http://my.company.com/osso_login_success?urlc=<sitetoken>
- Partner: generate partner cookie, generate redirect to the original URL (from the site token)
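The exchange above, modelled end to end as an added example; this is not Oracle code and not the AXI plugin. Both sides (mod_osso on the partner and the SSO server) are plain functions, and the cookie names (SSO_ID, OSSO_PARTNER), the shape of the urlc value and the HMAC that binds the user to the site token are assumptions chosen to mirror the slide text, not the real OSSO formats. The test account is constructed.

```python
"""Simplified model of the OSSO partner-application flow from the slides."""
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

SSO_SERVER = "http://infra.axi.be"        # infrastructure tier (from the slides)
PARTNER = "http://my.company.com"          # registered partner application (from the slides)
LOGIN_PAGE = f"{SSO_SERVER}/sso/jsp/login.jsp"

# Assumption: a key shared between SSO server and partner at registration
# time (ossoreg.jar). Real OSSO key material and formats are not modelled.
_PARTNER_KEY = secrets.token_bytes(32)
_sso_sessions = {}     # SSO_ID cookie value -> username (SSO server side)
_site_tokens = {}      # Site2pstoreToken -> originally requested URL
USERS = {"kurt": "correct-horse-battery"}  # constructed account ("LDAP/OID")


def _mac(*parts):
    return hmac.new(_PARTNER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def partner_request(url, cookies):
    """mod_osso in front of /app: serve if a valid partner cookie is present,
    otherwise redirect to the SSO server carrying a fresh site token."""
    user, _, sig = cookies.get("OSSO_PARTNER", "").rpartition(":")
    if user and hmac.compare_digest(sig, _mac("partner", user)):
        return {"status": 200, "user": user}
    token = secrets.token_urlsafe(16)
    _site_tokens[token] = url
    qs = urlencode({"Site2pstoreToken": token})
    return {"status": 302,
            "location": f"{SSO_SERVER}/pls/orasso/orasso.wwsso_app_admin.ls_login?{qs}"}


def sso_login_get(token, cookies):
    """SSO server: an existing SSO cookie finishes the login at once,
    otherwise the browser is sent to the logon page."""
    user = _sso_sessions.get(cookies.get("SSO_ID"))
    if user:
        return _login_success(user, token)
    qs = urlencode({"site2pstoretoken": token})
    return {"status": 302, "location": f"{LOGIN_PAGE}?{qs}"}


def sso_login_post(username, password, token):
    """SSO server: HTTP POST of username, password and site token."""
    if token not in _site_tokens or USERS.get(username) != password:
        return {"status": 401}
    sso_id = secrets.token_urlsafe(24)
    _sso_sessions[sso_id] = username          # the SSO_ID cookie
    resp = _login_success(username, token)
    resp["set_cookie"] = {"SSO_ID": sso_id}
    return resp


def _login_success(user, token):
    # urlc binds the user to the site token so the partner can verify it.
    urlc = f"{user}:{token}:{_mac('urlc', user, token)}"
    return {"status": 302,
            "location": f"{PARTNER}/osso_login_success?{urlencode({'urlc': urlc})}"}


def partner_login_success(urlc):
    """Partner: verify urlc, set the partner cookie, redirect to the original URL."""
    user, token, sig = urlc.split(":")
    if token not in _site_tokens or not hmac.compare_digest(sig, _mac("urlc", user, token)):
        return {"status": 403}
    original = _site_tokens.pop(token)        # token is single use
    return {"status": 302, "location": original,
            "set_cookie": {"OSSO_PARTNER": f"{user}:{_mac('partner', user)}"}}


def run_flow(username, password):
    """Drive the whole exchange as one browser would; returns the outcome."""
    url = f"{PARTNER}/app/report"
    r1 = partner_request(url, cookies={})
    token = parse_qs(urlparse(r1["location"]).query)["Site2pstoreToken"][0]
    r2 = sso_login_get(token, cookies={})
    assert r2["location"].startswith(LOGIN_PAGE)
    r3 = sso_login_post(username, password, token)
    if r3["status"] != 302:
        return r3
    urlc = parse_qs(urlparse(r3["location"]).query)["urlc"][0]
    r4 = partner_login_success(urlc)
    # Later partner requests carry the partner cookie and need no redirect.
    r5 = partner_request(url, cookies=r4.get("set_cookie", {}))
    return {"final_redirect": r4.get("location"), "second_request": r5}
```

The point worth noticing is that two separate secrets are in play: the SSO_ID cookie is only meaningful to the SSO server, while the partner decides on its own partner cookie and therefore has to verify what came back in urlc rather than trust the user name in the query string.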
Custom plugins
[Figure: OSSO server authentication plugin class hierarchy. SSOServerAuth implements IPASAuthInterface; SSOX509CertAuth, SSOKerbeAuth and a custom plugin extend SSOServerAuth.]
Important for integration: custom plugins by subclassing the OSSO server authentication class.
Oracle 11g FMW / WLS
• Problem with FMW: no infrastructure tier
• No SSO/OID/WNA
Desupport notice
• Premier Support for Oracle Single Sign-On 10gR3 ends on December 31, 2011
• Limited Extended Support for Oracle Single Sign-On from January 2012 through December 2012
• It is strongly recommended that you use this additional time to integrate your single sign-on deployment with Oracle Access Manager
Oracle Access Manager
Extra licenses and servers:
[ Oracle Access Manager
[ Oracle WebLogic Server
[ Directory Services Plus
PLUS Retail Migrating to OpenAM
Customer Case
Requirements
- integrate with legacy IAS/OSSO: Portal 10g, Forms 10g, OC4J, OBIEE 10g
- integrate with Forms 11g (FMW/WLS): special case, as Forms *needs* OID
- integrate with OBIEE 11g (FMW/WLS)
- integrate with J2EE apps (FMW/WLS)
- integrate apps in the cloud using federated authentication
Overview
[Figure: target architecture. New environment: OpenDJ and OpenAM on a Linux server cluster with Tomcat as J2EE server. LDAP sync between OpenDJ and the Oracle SSO server on the Oracle 10g infrastructure. Legacy environment: Oracle 10g midtiers (Forms 10g, Portal 10g, J2EE, OBIEE 10g) doing SSO through the Oracle SSO server, which reaches OpenAM via the AXI OSSO-OpenAM integration (custom OSSO plugin). Oracle 11g WebLogic (Forms 11g, J2EE, OBIEE 11g) doing SSO with OpenAM policy agents (J2EE policy agent). LAMP in the cloud as a SAMLv2 service provider, doing SSO with SAMLv2.]
Create an HA OpenAM Environment
[Figure: physical layout. Two OpenAM nodes (snsrv615:8080, snsrv616:8080) behind an HTTP load balancer at sso.axi.be:80; two OpenDJ nodes (snsrv615:1389, snsrv616:1389) with master-master replication behind a TCP load balancer at ldap.axi.be:389.]
Logical overview
[Figure: logical layout. L7 LB: an active/passive HAProxy cluster with synced config in front of two Apache 2.2 reverse proxies. OpenAM: active/active cluster with session replication. OpenDJ: active/active cluster with multimaster replication, behind an L4 LB (active/passive HAProxy cluster).]
Integrate OSSO using a custom plugin
public class OpenAMAuth extends SSOServerAuth
[Figure: the custom plugin OpenAMAuth extends SSOServerAuth (which implements IPASAuthInterface), alongside the stock SSOX509CertAuth and SSOKerbeAuth plugins.]
Integrate Forms 11g
Oracle Forms
• RAD – Oracle Developer / Designer, productivity
• Large install base
• Many incarnations: server-side character based (terminal), client/server, web based
[Figure: Oracle Forms web architecture. Browser with Java plugin (Forms client) -> OHS (mod_osso, mod_oc4j, mod_plsql) -> J2EE Forms servlet -> Forms runtime processes -> RDBMS.]
Oracle Forms
Extra LDAP queries:
[ RADs
[ Root DSE: orcldirectoryversion
[ osso-user-dn, osso-subscriber-dn
Forms is *SPECIAL*: in SSO mode it will check the version of OID! What if you want to get rid of OID?
Oracle Forms
• Forms is *SPECIAL*
  - Forms 11g can be plugged into an OID LDAP
  - What if we could mimic OID using OpenDJ?
  1. Recreate the OID LDAP schema in OpenDJ (ldapsearch)
  2. Add orcldirectoryversion to the OpenDJ root DSE
  3. Plug Forms 11g into OpenDJ!!!
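A check for step 2, added here as an example (it is not Oracle or ForgeRock code): parse the LDIF that a base-scope search of the root DSE returns and report the orcldirectoryversion value Forms would see, or None when the directory does not advertise it. The two sample root DSEs, including the version string, are constructed and are not captured from a real OID or OpenDJ server.

```python
"""Does this directory's root DSE advertise orcldirectoryversion?"""
import base64
import re

_LINE = re.compile(r"^([^:]+)(::?)\s*(.*)$")


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}) with attribute
    names lower-cased. Handles comments, folded lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        name, sep, value = m.group(1).strip().lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def root_dse_attributes(ldif_text):
    """The root DSE is the entry with the empty DN."""
    for dn, attrs in parse_ldif(ldif_text):
        if dn == "":
            return attrs
    return {}


def forms_oid_version(ldif_text):
    """orcldirectoryversion as Forms would read it, or None when the root DSE
    lacks it (the case on a plain OpenDJ before step 2 above)."""
    values = root_dse_attributes(ldif_text).get("orcldirectoryversion")
    return values[0] if values else None


# Constructed samples (not real server output).
OID_LIKE_ROOT_DSE = """\
dn:
objectClass: top
orcldirectoryversion: OID 10.1.4.0.1
namingContexts: dc=axi,dc=be
"""

PLAIN_OPENDJ_ROOT_DSE = """\
# root DSE before orcldirectoryversion was added
dn:
objectClass: top
vendorName:: Rm9yZ2VSb2Nr
supportedControl: 1.2.840.113556.1.4
 .319
namingContexts: dc=axi,dc=be
"""
```

Run it against the output of `ldapsearch -s base -b "" "(objectclass=*)" orcldirectoryversion` from both directories before and after the OpenDJ change; a None on the OpenDJ side is exactly the condition the slides describe Forms tripping over.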
Oracle Forms
Extra LDAP queries:
[ RADs
[ Root DSE: orcldirectoryversion
[ osso-user-dn, osso-subscriber-dn
Forms is *SPECIAL* but can make use of OpenAM/OpenDJ without OID.
Integrate OBIEE 11g
OBIEE 11g
• OBIEE 11g runs on top of WLS
  - Makes use of Oracle Platform Security Services (OPSS)
  - Switch from the embedded LDAP to OpenDJ (iPlanetAuthenticator)
  - Configure the HTTP header identity asserter (Generic SSO)
  - Configure OpenDJ (OBIEE groups: BIAuthor, BIAdministrators, etc.)
  - Deploy the OpenAM J2EE policy agent
  - Modify the OBIEE analytics WAR to add the J2EE filter (redeploy)
  - Resync the identity GUID attribute with OpenDJ
  - Modify the RPD to use LDAP in initialisation blocks
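An HTTP header identity asserter trusts whatever user name arrives in a header, so the deployment only holds if that header can come from the policy agent alone. The following added example (not OBIEE, WebLogic or OpenAM code) shows the two guards that make that true: the proxy/agent drops any identity header a client sent, and the asserter accepts the header only from a trusted proxy address and only with a valid HMAC bound to the request path. The header names, the shared secret and the proxy address are assumptions constructed for the example.

```python
"""Guards around a header-based identity asserter."""
import hmac
import hashlib

IDENTITY_HEADER = "x-asserted-user"          # assumption: header the agent sets
SIGNATURE_HEADER = "x-asserted-user-sig"     # assumption: HMAC set alongside it
AGENT_SECRET = b"constructed-shared-secret"  # constructed; provision out of band
TRUSTED_PROXIES = {"10.0.0.5"}               # constructed: the Apache RP / agent host


def strip_client_identity_headers(headers):
    """Done on every inbound request before the agent runs: drop identity
    headers the client supplied so only the agent's own values survive."""
    return {k: v for k, v in headers.items()
            if k.lower() not in (IDENTITY_HEADER, SIGNATURE_HEADER)}


def agent_sign(user, path):
    """Binds the asserted user to the request path."""
    msg = f"{user}\n{path}".encode()
    return hmac.new(AGENT_SECRET, msg, hashlib.sha256).hexdigest()


def agent_assert(headers, user, path):
    """Simulates the policy agent after it has authenticated the session."""
    clean = strip_client_identity_headers(headers)
    clean[IDENTITY_HEADER] = user
    clean[SIGNATURE_HEADER] = agent_sign(user, path)
    return clean


def asserted_identity(request):
    """Identity asserter: the user name to trust, or None.
    request = {"remote_addr": str, "path": str, "headers": {name: value}}."""
    if request["remote_addr"] not in TRUSTED_PROXIES:
        return None          # request bypassed the agent; header is untrusted
    headers = {k.lower(): v for k, v in request["headers"].items()}
    user = headers.get(IDENTITY_HEADER)
    sig = headers.get(SIGNATURE_HEADER, "")
    if not user or not hmac.compare_digest(sig, agent_sign(user, request["path"])):
        return None
    return user
```

In the slides' layout the trusted address is the Apache reverse proxy in front of WLS; the essential operational check is that the WLS managed server is not reachable by clients on any path that skips the agent, because the asserter cannot tell a spoofed header from a real one on its own.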
OBIEE 11g / WLS
[Figure: OBIEE 11g / WLS integration, steps numbered 1-7 in the slide. Apache reverse proxy (SSL) -> OpenAM J2EE policy agent (J2EE filter) -> HTTP header identity asserter (Generic SSO) -> OPSS ID store backed by the IPlanetAuthenticator against OpenDJ LDAP, replacing the DefaultAuthenticator on the embedded LDAP; OPSS policy store and credential store; OBI; OpenAM.]
OBIEE 11g
Integrate Cloud Applications
OpenAM as SAML IdP
• PLUS Retail & cloud applications
  • MS .NET (Fedlet)
  • LAMP (SimpleSAMLphp)
  • MS Azure (ADFS)
• Custom SAML attribute mapper, using JDBC <-> Oracle RDBMS
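What a custom attribute mapper does, as an added example rather than OpenAM's own mapper: look the authenticated user up in a relational table and turn the row into a saml:AttributeStatement. Python's sqlite3 stands in for the JDBC connection to the Oracle RDBMS; the table, its columns and the SAML attribute names are assumptions, and the rows are constructed.

```python
"""Custom SAML attribute mapper backed by a relational lookup."""
import sqlite3
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# SAML attribute name -> database column. Fixed by the operator, never taken
# from the request, which is why interpolating the column list is safe.
ATTRIBUTE_MAP = {"mail": "email", "storeId": "store_id", "role": "role"}


def setup_demo_db():
    """Constructed in-memory table standing in for the Oracle RDBMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (uid TEXT PRIMARY KEY, "
                 "email TEXT, store_id TEXT, role TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", [
        ("kurt", "kurt@example.test", "0042", "storemanager"),
        ("anna", "anna@example.test", "0017", "cashier"),
    ])
    return conn


def lookup_attributes(conn, uid):
    """Fetch the mapped attributes for the authenticated uid. The uid is a
    bound parameter, so a crafted value cannot alter the statement."""
    cols = ", ".join(ATTRIBUTE_MAP.values())
    row = conn.execute(f"SELECT {cols} FROM employees WHERE uid = ?",
                       (uid,)).fetchone()
    if row is None:
        return {}
    return dict(zip(ATTRIBUTE_MAP, row))


def attribute_statement(attrs):
    """Render the saml:AttributeStatement the IdP places in the assertion."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             Name=name, NameFormat=BASIC)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def map_user(conn, uid):
    """Mapper entry point: uid from the authenticated session -> XML fragment."""
    return attribute_statement(lookup_attributes(conn, uid))
```

The mapper only decides what goes into the assertion; signing the assertion and the SP-side checks on it stay with the SAML stack. Keeping the attribute list in a fixed map rather than building it from request data is what makes it safe to hand the SP a role or store identifier the relying application will act on.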
OpenAM as SAML IdP
[Figure: OpenAM cluster acting as SAML Identity Provider (IdP) at https://idp.axi.nl (AXI). Internal app servers protected by policy agents; external app servers as SAML SPs, using SAML based SSO.]
At this point…
Users logged on to legacy Oracle applications…
can seamlessly log on to new cloud based apps using SSO!!!
In conclusion
• Open solution for PLUS providing extreme flexibility
  • Hooks: custom SAML attribute mapper
  • Custom auth modules
• Bridging between
  • legacy and new Oracle applications
  • internal and cloud based applications