Friday, January 16, 2015

OAM 11.1.2.2.0 Custom Login Form

Good afternoon to everyone,

Today I share a fresh finding and hope it helps you save time and keep your sanity (I almost lost mine).
It cost me a couple of days of hard log harvesting and analysis, and I had to write a simple application to check session status.

After a successful Oracle OAM and Tivoli Access Manager (TAM) integration (I'm going to post about it some time) the development team faced the next challenge. For security reasons we have no access to the TAM server, so federation works only for external clients. To provide access for both teams I used a new OAM 11.1.2.2.0 feature, Advanced Authentication Policy Rules. We decided to separate authentication schemes by browser type: if a user accesses a protected resource with Google Chrome, OAM uses the local form-based authentication scheme; otherwise the request is redirected to the federation plug-in (TAM SSO).
The screenshot below shows the advanced rule edit form.


It is a simple but effective way to build two-factor or more sophisticated resource protection schemes. A detailed description and samples can be found in the OAM documentation here.
So far so good: identity federation works, the advanced rules work like a charm, the custom forms appear and work as expected, but the result is very well known to everyone who deals with OAM/WebGates.


After log analysis and brainstorming I realized that the authentication doesn't match the authentication request, which means something is wrong with the login application. It was somewhat confusing because the very same application works with OAM 11gR1.
I'll skip the log mining, documentation sifting and JSP analysis; here is the gem:
For previous OAM versions it was enough to send the request id together with the username and password. OAM 11.1.2.2.0 also requires the authentication request token, which the server passes to the login page as a request parameter and expects back on credential submission. Unfortunately our login page sent request_id only; the code below shows how it has to be (the additional lines are the ones that read the token and echo it back as a hidden field).

 <!-- skipped JSP & HTML header; GenericConstants and CSSUtil come from the OAM shared library -->  
 <%  
 // request_id is placed in the request as an attribute when OAM forwards to the login page  
 String reqId = null;  
 if ( request.getAttribute( GenericConstants.REQUEST_ID ) != null )  
      {  
           reqId = ( String )request.getAttribute( GenericConstants.REQUEST_ID );  
      }  
      reqId = CSSUtil.escapeHtmlFull( reqId );  
 // OAM 11.1.2.2.0 also hands the login page a request token as a request parameter.  
 // It must be sent back with the credentials or the server cannot match them to the  
 // pending authentication request. Escape it as well: it is reflected into an HTML  
 // attribute, and an unescaped request parameter is a reflected XSS sink.  
 String reqToken = CSSUtil.escapeHtmlFull( request.getParameter( GenericConstants.AM_REQUEST_TOKEN_IDENTIFIER ) );  
 %>  
 <form id="loginData" action="/oam/server/auth_cred_submit" method="post" name="loginData" >  
 <!-- Skipped form declaration and decoration (username and password inputs) -->  
   <input name="<%=GenericConstants.REQUEST_ID%>" value="<%=reqId%>" type="hidden"/>  
   <input name="<%=GenericConstants.AM_REQUEST_TOKEN_IDENTIFIER%>" value="<%=reqToken%>" type="hidden"/>  
 </form>  
 <!-- skipped JSP & HTML footers -->  

Now it works, and if your login form already carries the token you will never face this issue.
If not, read my post and save the time for the upcoming l-o-o-o-ong beautiful weekend.
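The pre-flight check I wish I had had before the log mining, as an added example that is not part of the original post or of Oracle's code: it parses the rendered login page, collects the hidden inputs of the form that posts to /oam/server/auth_cred_submit, reports which of the fields OAM 11.1.2.2.0 needs are missing, and only then assembles the credential POST body. The two HTML samples are constructed, not captured from a real server, and the token parameter name "OAM_REQ" is an assumption standing in for whatever GenericConstants.AM_REQUEST_TOKEN_IDENTIFIER resolves to in your OAM shared library; check it against your own install.

```python
"""Pre-flight check for an OAM custom login form (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlencode

CRED_SUBMIT_PATH = "/oam/server/auth_cred_submit"
REQUEST_ID_FIELD = "request_id"
REQUEST_TOKEN_FIELD = "OAM_REQ"   # assumed value of AM_REQUEST_TOKEN_IDENTIFIER; verify locally
REQUIRED_FIELDS = (REQUEST_ID_FIELD, REQUEST_TOKEN_FIELD)


class _CredFormParser(HTMLParser):
    """Collects hidden inputs of the form whose action is the OAM credential endpoint."""

    def __init__(self):
        super().__init__()
        self.in_target_form = False
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_target_form = (a.get("action") or "").endswith(CRED_SUBMIT_PATH)
        elif tag == "input" and self.in_target_form and a.get("type", "text") == "hidden":
            name = a.get("name")
            if name:
                self.hidden[name] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_target_form = False


def hidden_fields(html):
    """Hidden input name -> value for the auth_cred_submit form in the page."""
    p = _CredFormParser()
    p.feed(html)
    return p.hidden


def missing_fields(html):
    """Names of the OAM-required hidden fields the login form fails to echo back."""
    found = hidden_fields(html)
    return [f for f in REQUIRED_FIELDS if not found.get(f)]


def build_cred_post(html, username, password):
    """Body of the POST to auth_cred_submit; raises if the form would be rejected."""
    missing = missing_fields(html)
    if missing:
        raise ValueError("login form does not forward: " + ", ".join(missing))
    body = dict(hidden_fields(html))
    body["username"] = username
    body["password"] = password
    return urlencode(body)


# Constructed samples, not captured from a real OAM server.
BROKEN_FORM = """
<form id="loginData" action="/oam/server/auth_cred_submit" method="post">
  <input name="request_id" value="1234567890" type="hidden"/>
  <input name="username" type="text"/><input name="password" type="password"/>
</form>"""

FIXED_FORM = """
<form id="loginData" action="/oam/server/auth_cred_submit" method="post">
  <input name="request_id" value="1234567890" type="hidden"/>
  <input name="OAM_REQ" value="tok-0123456789" type="hidden"/>
  <input name="username" type="text"/><input name="password" type="password"/>
</form>"""

if __name__ == "__main__":
    print("broken form is missing:", missing_fields(BROKEN_FORM))
    print("fixed form posts:", build_cred_post(FIXED_FORM, "alice", "s3cret"))
```

Point it at the HTML your real login page renders (after OAM has redirected to it, so the token parameter is present) and a non-empty `missing_fields` result is the same symptom the log analysis above took days to reach: credentials arriving without the token OAM needs to match them to the pending request.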

Enjoy and take care.


4 comments:

Nik Emerson said...

Tried to enter your login method. Nothing works. You should carefully study the problem. Otherwise doubt your professionalism. Very sorry.

Michael M said...

Dear Nik,
You are my biggest fan.
Thank you for spending your precious time on my crap.

Love your comments.

Anuj said...

Mike, could you please post the Tivoli and OAM integration experience? Any possibility of doing this without federation?

Michael Mikhailidi said...

Hi Anuj,
Let me ask you what exactly are you going to integrate?
User databases? They should be common or mapped for both systems, otherwise it will not work due to different names/privileges. Actors like the WebGate agent? They work with web applications and you can't mix them to avoid double logins. Cookie content is encrypted and I doubt that it could be available to the other SSO.
It's "Single Sign-On", with the stress on single. I doubt it's a good idea to have multiple complex IDM solutions at the same time. I wouldn't say it's impossible, but this situation should be avoided.
In case you have to have both solutions, Identity Federation ain't bad at all. It allows you to work with both systems across corporate networks/limitations by the nature of the protocol.