Introduction
This document talks about how to achieve identity propagation for OIM API’s exposed as web service. The web service will be protected using OWSM. OAG is used to create the required identity assertion. They key here is authenticating to OIM without the users password.
Typical use case here is users might log into a portal and then click on a link which will invoke OIM API’s exposed as webservice. Since user is already authenticated to portal. We won’t have the password of the user.
The custom OIM web service API won’t have access to user password. The goal is to get a OIM client handle for the propagated user without the need to have password of the user
Components required
This Article Assumes following has been installed & configured
- Domain in which OIM WLS server is created also has the EM (on Admin Server)
- OIM with couple of users created.
- OAG Node Manager
- OAG Gateway
- OAG Policy Studio
- OAG API Gateway Explorer (This is for testing the Web service request. If not installed you can also test the request using SOAPUI)
Source Code
The webservice jDeveloper Project is also distributed with this document. You need to look at the TestWS.java for the source code
There are two methods
- getSelfServiceDetails – This doesn’t require credentials of the users which means that identity has been propagated to the WLS/OIM and Identity assertion has been done at the WLS layer.
- modifyUser – You need to pass the user who has the privileges to modify other users profile attributes.
Notice that in both methods, we are not passing the password of the user to get OIMClient handle. WLS layer will assert the identity of the user who is passed in through webservice call which we will explore.
Here is the link to source code zip file. You can open it in JDeveloper.
The final war is in deploy directory of folder TestWebService.
Create the required certificate for Encryption of WebService Request
Start OAG Node Manager, Gateway and Policy Studio
Login to Policy Studio
Click on Certificates -> Certificate with Keys -> Create/Import
Click on Edit button and add the certificate information. Click Ok to create the certificate request
For the Alias Name enter OWSM
Click on Sign Certificate
Click on Yes for self sign
Click on Yes for generating a Key Pair
You can see that private key has been created.
Click OK to close the window
Now we have to create a keystore so that this certificate can be exported and used for OWSM on the server side.
Click on KeyStore
Click on New KeyStore
Provide the Name as owsm.jks and click Ok
Enter a keystore password, Click Ok
Keystore should be created successfully
Let’s add our certificate. Click on Add to KeyStore
Search the certificate we created. We created with the Alias owsm. Select the certificate and click Ok
Now it will ask for the alias to store the certificate in keystore. Provide alias as owsm and enter the password you would like. Click Ok
Now you should see the certificate in keystore. Click Ok to close the dialog
Note: If you already have a keystore configured for OIM domain, you can export the certificate with key and import into your existing keystore
Update the WLS Domain with newly created KeyStore
Now we need to update the WLS domain for OIM to use the keystore we created. Since OWSM also is deployed in the same domain, it will use the certificate from keystore for decrypting the identity assertion on the server side
Copy the owsm.jks keystore created in previous step to DOMAIN_HOME/config/fmwconfig directory
Start the WLS Admin Server.
Login to EM
Select the domain -> security -> Security Provider Configuration
Under the KeyStore section click on Configure
Provide the keystore path as ./owsm.jks . Provide the Password of Keystore
Provide the key and crypt alias as owsm (you created this alias during keystore creation) & the password. Click Ok
Restart the WLS Admin Server. Also Restart the OIM server if it’s running
Deploy the WebService
Make sure Admin Server is running
Make sure OIM server is running
Deploy the myWS.war to oim_server1 using WLS console
Now Login to EM and attach the id propagation OWSM policy to the webservice
Click on TestWSPort
Click on Attach/Detach
Select the identity propagation policy and attch
Policy should be now attached to this webservice. Click Ok
Click to get the WSDL.
Save the opened WSDL locally (Open the WSDL in IE, Firefox won’t save it properly).
Cross check the WSDL. You should see the certificate you have created being used for webservice.
Virtualize the WebService using OAG
Now lets virtualize our webservice and also attach the id propagation client policy. The use case here is that from Webservice client it will only send the header containing the remote user. OAG will attach the id propagation client policy and send the request to OIM which has the OWSM id propagation service policy attached.
In Policy Studio click on WebServices -> Register a Web Service
Select the WSDL file you saved in the last step and click on Next
Provide the User Name and Comments and click on Next
Select the WSDL operations and click Next
Let’s attach the client side policy. Click Next
Select the default services and click Finish
Now it will present the screen where you are configuring id propagation policy . Click on Signing key
Select the key owsm from the certificate store and click Next
Click Next again
Make sure you uncheck the Include password and click Finish
Click Ok
Your virtualized end point will be http://:8000/myWS/TestWSService assuming you have kept the default OAG port.
Click on Deploy to deploy the new service
Updating the OAG Webservice Policy
We need to make updates to the OAG generated identity propagation policy.
Open the generated policy as shown below
Delete the current success Paths as shown
Search for a new filter with word http and select Retrieve from HTTP Header. Drop this filter onto pane
Provider the Header Name as shown. Select the Attribute ID as shown. Click on Finish
Note: We are extracting the header REMOTE_USER from client request. The REMOTE_USER indicates already authenticated user on the client. User might have authenticated to a Portal etc..
Select the success path and connect as shown
Right click on Retrieve from HTTP Header and Set as Start
Delete the other two disconnected filters which we don’t need.
Now Open the Request to Service : After Operation Hooks
Disconnect the current success path
Search for filter Sign and select the XML Signature generation and drop it on the panel
Provide the Name as Sign Header and Body
Click on the Signing Key and select owsm (alias) certificate from the certificate store
Click on sub Tab Key Info and select the option as shown
Now Click on What to Sign Tab
Select Body (Make sure to select the correct one)
Scroll Down and select UsernameToken
Click on Finish to create the filter
Now choose the Success Path and connect as shown
Right click on Sign Header and Body and Set as Start
You should see the following
Now double click on Encrypted Parts outbound Filter to open it
Now click on What to encrypt Tab and select Body (Make sure you select the correct element)
Scroll down and select UsernameToken as well
Now Click on the Message Attribute Sub Tab and uncheck the current selection
It should be as shown
Now click on Advanced Tab and make sure that following are selected for Encryption and Key Wrapping algoritham
Click on Finish to complete the filter update
Take the success path and connect as shown
Click on Server-> Deploy to deploy the change
Update the WebService Identity Propagation Policy to use AES128 Encryption
Not sure why the default encryption used by the policy is not working with OAG policy, need to check more on this. But lets change the default encryption used.
Login to EM
Click on the - Domain -> webservices ->Policies
Search and select the ID Propagation Policy and click Edit
Make sure that you highlight the policy and click on Edit Pencil mark
Select Basic128 RSA and click Yes
Note: You can enable logging for the policy by enabling log policy as shown
Click on Save to save your changes
Restart Admin Server and OIM Server
Testing the Integration
Let’s test the integration
Start the OAG Gateway Explorer (You can also use tools like SOAPUI)
Import the WSDL exposed by OAG Gateway
Make sure you click on the Design Tab
Click on File-> Import WSDL
Provide the WSDL exposed through API Gateway (Not the original WSDL from OIM)
Select Both Methods and click Finish
You should see the WSDL imported
Now let’s try making a call to OIM Webservice through OAG. Remember that we are simulating the already authenticated user. So we would have to pass this user as REMOTE_USER header
Make sure that getSelfUserDetails method is selected. Click on the Headers tab at the bottom and click Add on the Right side Pane
Specify the Header name as REMOTE_USER and specify any user in your OIM. Click Ok
Header should be added now
Submit the Request
You should see the Response from OIM for the selected user. Click on the Results Tab and click on the result that came back from execution
Now if we look back the flow. Client (Explorer) sends the request with already authenticated user in REMOTE_USER header (this could be user authenticating in a portal in real world and then calling the OIM WebService exposed through OAG). OAG creates the necessary assertion according to attached Identity Propagation Policy,It also signs and encrypts the assertion. OAG calls the OIM Webservice protected by OWSM with identity propagation assertion. OWSM validates the assertion, validates the user (OIM provider at the WLS layer) . At this point the WLS User has been created, hence OIM will allow you to call the API.
Let’s also try the other method exposed which is modifyUser
Since you are modifying the user, add a user who has privilege to modify under the tab Headers
Click on the Body Content tab and add the following
Arg0 – dcrane (user who you would like to modify)
Arg1 – What attribute needs to be modified. Possible values are any one of the below
- Email
- Mobile
- Phone
- address
Arg2- The value for the modified attribute.
Submit the request
Click on the Results tab and look at the result
You can see that the user has been modified. As with the previous operation we have not supplied the password for the admin user xelsysadm
OWSM Message Logging
Since we have enabled the message logging for the OWSM identity propagation service policy. Its possible to look at the assertion logged in the message logs. You can take a look at the logs at
OIMClient Jar file
For the source code provided. In order to compile you need the oimclient.jar file which will also be bundled with the final myWS.war file. If you use the oimclient.war file from directory it has some problem when you deploy the webservice.
Use the oimclient.jar from role-sod.war file. The role-sod.war is located at /server/apps
Extract the role-sod.war file. Navigate to APP-INF/lib directory. Oimclient.jar is included in this directory. Use this jar to compile the code and bundle it with final war as well.
