A case study covering Plus Retail's transition from Oracle to ForgeRock's OpenAM, presented by AXI BV/NV Consultant Kurt Van Meerbeeck.
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
1. 2013 Open Stack Identity Summit - France
OpenAM in an Oracle Environment
Case Study
2. BIO
• Whoami
  • Kurt Van Meerbeeck
  • Working with Java since 1996 (jdk1.0.x)
  • Working with Oracle products since 1997 (Oracle 7, OAS 3, Forms 3.x)
• Currently work for AXI NV/BV
  • Oracle | IBM | ForgeRock partner
  • Database & Middleware consultant
  • kvmb@axi.be
  • www.axi.be
10. Oracle 11g FMW / WLS
• Problem FMW
  • No Infrastructure tier
  • No SSO/OID/WNA
11. Desupport notice
• Premier Support for Oracle Single Sign-On 10gR3 ends on December 31, 2011
• Limited Extended Support for Oracle Single Sign-On from January 2012 through December 2012
• It is strongly recommended that you use this additional time to integrate your single sign-on deployment with Oracle Access Manager
12. Oracle Access Manager
Extra licenses and server:
- Oracle WebLogic Server
- Oracle Access Manager
- Directory Services Plus
15. Requirements
- integrate with legacy IAS/OSSO
  - Portal 10g
  - Forms 10g
  - OC4J
  - OBIEE 10g
- integrate with Forms 11g (FMW/WLS)
  - special case as Forms *needs* OID
- integrate with OBIEE 11g (FMW/WLS)
- integrate with J2EE apps (FMW/WLS)
- integrate apps in the cloud using federated authentication
16. Overview
Diagram labels:
Legacy environment
- Oracle 10g Infrastructure: Oracle SSO Server
- Oracle 10g Midtiers: Forms 10g, Portal 10g, J2EE, OBIEE 10g
- SSO using Oracle SSO server
- OSSO-OpenAM integration (custom osso plugin)
New environment
- Linux Server (cluster) running a Tomcat J2EE Server with OpenAM, OpenDJ and custom plugins (AXI)
- LDAP sync between the legacy environment and OpenDJ
- Oracle 11g WebLogic: Forms 11g, J2EE, OBIEE 11g
- SSO using OpenAM Policy agents (J2EE Policy agent)
LAMP in the cloud
- SAMLv2 Service Provider
- SSO using SAMLv2
24. Oracle Forms
• RAD – Oracle Developer / Designer - productivity
• Large install base
• Many incarnations
  • Server-side character based (terminal)
  • C/S
  • Web based
26. Oracle Forms
Forms is *SPECIAL*
- It will check the version of OID in SSO mode!
- What if you want to get rid of OID???
Osso-user-dn / Osso-subscriber-dn
Extra LDAP queries:
- RADs (Resource Access Descriptors)
- Root DSE orcldirectoryversion
27. Oracle Forms
• Forms is *SPECIAL*
  - Forms 11g can be plugged into an OID LDAP
  - What if we could mimic OID using OpenDJ?
    1. Recreate OID LDAP schema in OpenDJ (ldapsearch)
    2. Add orcldirectoryversion to OpenDJ root DSE
    3. Plug Forms 11g into OpenDJ!!!
28. Oracle Forms
Forms is *SPECIAL* but can make use of OpenAM/OpenDJ without OID
Osso-user-dn / Osso-subscriber-dn
Extra LDAP queries:
- RADs (Resource Access Descriptors)
- Root DSE orcldirectoryversion
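Steps 1 and 2 of the "mimic OID with OpenDJ" trick on the slides above, as an added example that is not from the deck or from AXI or ForgeRock: a Python helper that turns an OID subschema dump (as produced by ldapsearch) into an OpenDJ user-schema LDIF, and checks an OpenDJ root DSE dump for the orcldirectoryversion attribute that Forms looks for. It works on saved LDIF text so it runs offline; the orcl* filter, the sample schema definitions and the version string are assumptions, and how the attribute gets onto the OpenDJ root DSE is not shown because the deck does not say.

```python
# Constructed sample of an OID subschema dump (ldapsearch -b cn=subschemasubentry -s base
# attributetypes objectclasses); names and numeric OIDs are placeholders, not real OID schema.
SAMPLE_OID_SUBSCHEMA = """dn: cn=subschemasubentry
attributetypes: ( 2.5.4.3 NAME 'cn' SUP name )
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'orclExampleAttr' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'orclExampleUser' SUP top AUXILIARY
  MAY ( orclExampleAttr ) )
"""
# Constructed root DSE dump of the OpenDJ instance; the version string is a placeholder.
SAMPLE_ROOT_DSE = "dn:\nobjectClass: top\norcldirectoryversion: OID 10.1.4.0.1\n"

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def ldif_pairs(text):
    """Yield (lowercased attribute name, value) for every 'name: value' line."""
    for line in unfold_ldif(text):
        key, sep, value = line.partition(":")
        if sep:
            yield key.strip().lower(), value.strip()

def extract_orcl_schema(oid_subschema_ldif):
    """Step 1: keep only the attribute types and object classes whose NAME starts with orcl
    (standard definitions such as cn already exist in OpenDJ and would clash on import)."""
    attrs, classes = [], []
    for key, value in ldif_pairs(oid_subschema_ldif):
        target = {"attributetypes": attrs, "objectclasses": classes}.get(key)
        if target is not None and "name 'orcl" in value.lower():
            target.append(value)
    return attrs, classes

def to_opendj_user_schema(attrs, classes):
    """Render the definitions in the layout of an OpenDJ schema file (config/schema/99-user.ldif)."""
    out = ["dn: cn=schema", "objectClass: top", "objectClass: ldapSubentry", "objectClass: subschema"]
    out += ["attributeTypes: " + a for a in attrs] + ["objectClasses: " + c for c in classes]
    return "\n".join(out) + "\n"

def root_dse_has_oid_version(root_dse_ldif):
    """Step 2 check: the orcldirectoryversion value Forms looks for on the root DSE, or None."""
    return next((v for k, v in ldif_pairs(root_dse_ldif) if k == "orcldirectoryversion"), None)
```

Run the check against a root DSE dump taken after the OpenDJ change; a None result means Forms 11g will still not see an "OID" and the SSO-mode version check will fail.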
33. OpenAM as SAML IdP
• PLUS Retail & cloud applications
  • MS .NET (fedlet)
  • LAMP (SimpleSAMLphp)
  • MS Azure (ADFS)
• Custom SAML attribute mapper
  • Using JDBC <-> Oracle RDBMS
34. OpenAM as SAML IdP
Diagram labels:
- At this point, users logged on to legacy Oracle applications (internal app servers with OpenAM Policy Agents) can seamlessly log on to new cloud based apps using SSO!!!
- SAML Identity Provider (IdP): OpenAM cluster, https://idp.axi.nl (AXI)
- SAML based SSO to external app servers (SAML SPs)
35. In conclusion
• Open solution for PLUS providing extreme flexibility
  • Hooks – custom SAML attribute mapper
  • Custom Auth modules
• Bridging between
  • legacy and new Oracle applications
  • Internal and cloud based applications