28.3 Understanding OpenSSO Agent Registration Parameters

Whether you migrate existing OpenSSO Agents to Access Manager or register a fresh OpenSSO Agent, the Oracle Access Management Console provides centralized registration and management of OpenSSO Agents.

28.3.1 OpenSSO Agent Registration Parameters

Administrators can enter information in the New OpenSSO Agent page during new OpenSSO agent registration.

Figure 28-2 shows the New OpenSSO Agent page.

Figure 28-2 Create OpenSSO Agent Page

Description of Figure 28-2 follows
Description of "Figure 28-2 Create OpenSSO Agent Page"

Table 28-5 describes the elements on the New OpenSSO Agent page.

Table 28-5 Elements on the New OpenSSO Agent Page

Element Description

Agent Type

OpenSSO agent types can be either:

  • Web: Use with Web resources and Web resource URLs.

  • J2EE: Default agent type. Use J2EE type agents for Java EE resources and applications.

    For the J2EE Agent, Filter modes must be set by choosing either:

    SSO_ONLY (Access Manager Authentication Only): Enables the least restrictive mode of operation for the filter; the agent simply ensures that all users who try to access protected web resources are authenticated.

    URL_Policy (Access Manager Authentication and Authorization): Enables the agent filter to enforce URL policies. By default, with Web Agents, .com.sun.identity.agents.config.sso.onlyattribute is set to "false".

Note: Both agent types provide access protection when you also choose SSO only.

Agent Name

Unique name for this agent.

Password

Re-enter Password

A required, unique password for this OpenSSO agent, which can be assigned during this registration process. The entry will appear in obfuscated format in the console, in oam-config.xml, and in OpenSSOAgentBootstrap.properties.

When a registered agent connects to an OAM Server, the user is prompted for the password. The password is used for authentication to prevent unauthorized agents from connecting and obtaining policy information.

Host Identifier

A name that identifies the host and port for the OpenSSO agent.

Default: Agent Name

See Also: "About Virtual Web Hosting".

Base URL

The protocol, host, and port of the computer on which the OpenSSO agent is installed.

For example, http://host.example.domain.com:port or https://example.domain.com:port.

Auto Create Policies

During agent registration, you can have authentication and authorization policies created automatically. This option is checked (enabled) by default. The agent name is used as the Application Domain name by default.

Default: Enabled

See Also: "Generated Artifacts: OpenSSO".

Notes: An Application Domain in Access Manager corresponds to a Realm in OpenSSO. If you already have an Application Domain and policies, you can simply add new resources to it. If you clear this option (no check), no Application Domain or policies are generated automatically.

OpenSSO Agent Properties

OpenSSO Agent properties are stored in the following files, which are updated during agent registration and configuration changes and consumed during run time:

  • OpenSSOAgentBootstrap.properties

  • OpenSSOAgentConfiguration.properties

These files are stored on the console host (AdminServer) and must be relocated to the OpenSSO Agent /config directory as shown in Table 28-6.

Table 28-6 Relocating OpenSSO Artifacts

From AdminServer . . . To OpenSSO Agent /config Directory

$<MW_HOME>/Oracle_IDM1/oam/server/rreg/client/rreg/output

$Policy-Agent-base/AgentInstance-Dir/config/

For details about the generated Application Domain for an Open SSO Agent, see "Generated Artifacts: OpenSSO".

28.3.2 The Expanded OpenSSO Agent Page and Parameters

The expanded OpenSSO Agent page is available when managing the agent using the Oracle Access Management Console. During registration, only a small subset of available parameters is displayed to streamline the process.

Whether you registered the agent using the Oracle Access Management Console or the remote registration utility, you can view the full agent configuration page in the console. Default values populate the page after initial registration and are displayed when you open the Agent's page, as shown in Figure 28-3.

Figure 28-3 Expanded OpenSSO Web Agent Registration Page

Description of Figure 28-3 follows
Description of "Figure 28-3 Expanded OpenSSO Web Agent Registration Page"

Information on the J2EE Agent registration page is nearly the same as details for Web Agents. The J2EE Agent registration page is shown in Figure 28-4.

Figure 28-4 Expanded OpenSSO J2EE Agent Registration Page

Description of Figure 28-4 follows
Description of "Figure 28-4 Expanded OpenSSO J2EE Agent Registration Page"

Table 28-7 describes all elements on expanded OpenSSO Agent registration pages.

Table 28-7 Expanded OpenSSO Agent Registration Elements

Element Description

Status

The state of this agent registration: Enabled or Disabled.

Default: Enabled

See Also: Table 28-5

Filter mode

J2EE Agent Type only

The Agent filter is installed within the protected application. It facilitates the enforcement of security policies, governing the access to all resources within the protected application. Every application protected by the J2EE Agent must have its deployment descriptors changed to reflect that it is configured to use the agent filter. Applications that do not have this setting are not protected by J2EE the Agent and might malfunction or become unusable if deployed on a deployment container where the Agent realm is installed.

Filter modes must be set for the J2EE Agent by choosing one of the following options: SSO_ONLY or URL_Policy.

Default: URL_Policy

  • SSO_ONLY (Access Manager Authentication Only): Enables the least restrictive mode of operation for the filter; the agent simply ensures that all users who try to access protected web resources are authenticated.

  • URL_Policy (Access Manager Authentication and Authorization): Enables the agent filter to enforce URL policies. By default, with Web Agents, .com.sun.identity.agents.config.sso.onlyattribute is set to "false".

Process overview: Authentication Only (SSO_ONLY J2EE Filter Mode)

  1. End user requests access to an application or resource protected by OpenSSO Agent.

  2. OpenSSO Agent redirects this un-authenticated user to OAM Server for authentication.

  3. After successful authentication, OpenSSO Proxy redirects the user back to the protected resource with OpenSSO session ID set in the response cookie.

  4. Authenticated end user with valid OpenSSO session, accesses application or resource protected by OpenSSO Agent.

  5. OpenSSO Agent validates the OpenSSO Session against OAM Server through the OpenSSO Proxy and enables SSO for the end user.

  6. End user gets access to the protected application or resource.

Process overview: Authentication and Authorization with URL_Policy J2EE Filter Mode

  1. End user requests access to an application or resource protected by OpenSSO agent.

  2. OpenSSO Agent redirects this un-authenticated user to OAM Server for authentication.

  3. After successful authentication, OpenSSO Proxy redirects the user back to the protected resource with OpenSSO session ID set in the response cookie.

  4. Authenticated end user with valid OpenSSO session, accesses application or resource protected by OpenSSO Agent.

  5. OpenSSO Agent validates the OpenSSO Session against OAM Server through the OpenSSO Proxy.

  6. OpenSSO Agent sends Policy requests to OAM Server through the OpenSSO Proxy to ensure the authenticated user is authorized to access the resource.

  7. OpenSSO Proxy evaluates the Policies for the protected resource (using OAM Policy Engine) and sends the Policy decision to the Agent: Allow or Deny.

  8. End user gets access if the Policy decision is Allow.

Note: The following Filter Modes are not supported: NONE, J2EE_Policy, All.

See Also: "Understanding OpenSSO Agent Registration Parameters".

Session Timeout in seconds (User)

Click the arrows to specify the period, after which the session times out and the user must re-authenticate. You must set "Max Sessions" to a non-zero value to enable this setting.

Default: 0

Max Sessions

Maximum number of sessions allowed per user.

Default: 0

Cookie Name

The default name of the OpenSSO cookie is:

Default: iPlanetDirectoryPro

Cookie Separator

Defines the character to be used as a separator when multiple values of the same attribute are being set as a cookie. For example, the pipe symbol "|", can be used.

Default:

Enable Cookie Encoding

J2EE-type Agent Only

Identifies whether cookie encoding is enabled or not.

Default: Enabled

SSO Only

Web-type Agent Only

Enables OpenSSO Agent to bootstrap and authenticate with the OAM Server using the OpenSSO proxy provided by Access Manager:

The end user accesses the application or resource protected by the OpenSSO Agent, which redirects the unauthenticated user to the OAM Server for authentication.

After successful authentication, the OpenSSO proxy redirects the user back to the protected application or resource and sets the OpenSSO Session ID in the response cookie.

The authenticated user with a valid OpenSSO session accesses the application or resource protected by the OpenSSO Agent, which validates the session against the OAM Server using the OpenSSO Proxy.

The end user gets access based on Access Manager authorization policy.

Urls

  

Login URLs

Enter the login URL, which must include the appropriate protocol (HTTP or HTTPS), host, domain, and port in the following form:

http://example.domain.com:port

Default: http://oamhost:port/opensso/UI/Login

Note: The port number is optional.

Logout URLs

The Logout URL triggers the logout handler, which requires the user to re-authenticate the next time he accesses a resource protected by Access Manager.

When yo enter the Logout URL, it must include the appropriate protocol (HTTP or HTTPS), host, domain, and port. For example:

http://example.domain.com:port/opensso/UI/Logout

Default: http://oamhost:port/opensso/UI/Logout

Note: The port number is optional. The user must be logged out from resources protected by other agents (WebGate and MOD_OSSO, for instance). Agent logout is not required other than in the multi-domain environment.

Not enforced URLs

Web-type Agent Only

The URLs you enter in this list have no policy enforcement. These equate to Public URLs, with no protection and access is allowed by all.

Access Denied URI

The URI to which the user is directed if access to the requested resource is denied. This is available for both Web and J2EE Agents, each with its own format requirements:

Web Agent (full URL): http://host:port/context/accessDeniedURL.html

J2EE Agent (relative URI): /context/accessDeniedURL.htm

Default: (blank)

Audit

  

Debug Level

J2EE-type Agent Only

When set, the OAM Server logs messages for:

  • Login success and login failure events

  • Logout success and logout failure events

  • Log messages at different logging levels (ERROR, WARNING, MESSAGE, each of which indicates severity in descending order.

Default: Error

See Also: Logging Component Event Messages

Debug Directory

J2EE-type Agent Only

The filesystem directory path for audit logs from the OAM Server:

  • Audit Login events

  • Audit Logout success events

See Also: Auditing Administrative and Run-time Events

Debug File

Web-type Agent Only

Defines the filesystem directory path to the local component event logging file.

Default:

Local Log File

Defines the filesystem directory path to the local component event logging file.

Default:

User Mapping

  

Mapping Mode

  • HTTP_HEADER

  • USER_ID

  • PROFILE_ATTRIBUTE

  • SESSION_PROPERTY

Default: User_ID

User Identity

Default: User ID

User Attribute Name

Default:

Attribute Mapping

Attribute retrieval fetches and sets user attributes in the HTTP request for consumption by the applications.

The following Attribute Mapping panels are available:

  • Profile Attributes

  • Response Attributes

  • Session Attributes

Fetch Mode: Certain applications rely on the presence of user-specific profile information in some form to process user requests appropriately. The agent can make these attributes from the user's profile available in various forms. when you specify a Fetch Mode for Profile, Response, or Session Attributes:

  • NONE: No attributes are fetched.

  • HTTP_HEADER: When the agent is configured to provide the LDAP attributes as HTTP headers, these attributes can be retrieved.

  • REQUEST_ATTRIBUTE: When the agent is configured to provide the LDAP attributes as request attributes, the agent populates these attribute values into HttpServletRequest as attributes that can later be used by the application as necessary. For example, fetch profile attributes, assign a mode to the profile attribute property, and map the profile attributes to be populated under specific names for the currently authenticated user.

  • HTTP_COOKIE: When the agent is configured to provide the LDAP attributes as cookies, the necessary values are set as server specific cookies by the agent with the path specified as "/." Multi-valued attributes are set as a single cookie value such that all values of the attribute are concatenated into a single string using a separator character that can be specified by the property labeled Cookie Separator.

Default: None

Profile Attributes

User profile information can be populated under specific names for the currently authenticated user. For example:

Fetch Mode: REQUEST_ATTRIBUTE

Name (Map key): cn

Value: CUSTOM-Common-Name

Name (Map key): mail

Value: CUSTOM-Email

Default: No data

Response Attributes

Obtains user-specific information by fetching policy response attributes, assigns a mode to the policy response attribute property, and maps the policy response attributes to be populated under specific names for the currently authenticated user.

Fetch Mode: REQUEST_ATTRIBUTE

Name (Map key): cn

Value: CUSTOM-Common-Name

Name (Map key): mail

Value: CUSTOM-Email_Addr

Default: No data

Session Attributes

The attributes in the session object maintained by the OAM Server. These are sent as part of a session validation response to the Agents.

Fetch Mode: REQUEST_ATTRIBUTE

Name (Map key): UserToken

Value: CUSTOM-userid

Default: No data

Miscellaneous

Most agent properties are hot-swap enabled. Changing configuration properties can have unexpected results. Hot-swappable properties take effect immediately. Therefore, mistakes are instantly implemented.Most agent properties are presented in a format that is most useful for configuring using Oracle Access Management Console. However, this format is not used in the OpenSSOAgentBootstrap.properties file.

List Properties: Certain properties are specified as lists composed of a key that represents the property name; a positive number (starting from 0) that increments by 1 for every value specified in the list; and a value. For example:

com.sun.identity.agents.config.notenforced.uri[0]=/agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1]=/agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2]=/agentsample/index.html

Map Constructs: Certain properties are specified as map constructs composed of a key that represents the property name; a name string that forms the lookup key as available in the map; and the value associated with the name in the map. For example:

com.sun.identity.agents.config.filter.mode[app1]=ALL
com.sun.identity.agents.config.filter.mode[app2]=SSO_ONLY

Note: For a given name, there can only be one entry in the configuration for a given configuration key. If multiple entries with the same <name> for a given configuration key are present only one of the values will be loaded in the system and the other values are discarded.

Application-Specific Properties: Certain properties can be configured for specific applications. Thee agent can use different values of the same property for different applications as defined in the configuration file. Application Specific configuration properties must follow the rules and syntax of the map construct. The following settings for a single property serve as an example which illustrates that for applications other than the ones deployed on the root context and the context /Portal, the value of the property defaults to value3.

com.sun.identity.agents.config.example[Portal] = value1
com.sun.identity.agents.config.example[DefaultWebApp] = value2
com.sun.identity.agents.config.example = value3

Global Properties: Properties that are not configured for specific applications apply to all the applications on that deployment container. Such properties are called global properties.

Serial number: Assigned automatically

Name: Select from one of the following

Value: Enter the appropriate value for the Name you chose.

Note: To enable OpenSSO Agent configuration hotswap, make sure the opensso agents have the following properties in the Miscellaneous properties section of their profile in the OpenSSO Proxy on OAM Server, and the agent servers are restarted:

J2ee Agents: com.sun.identity.client.notification.url =http://<AGENT_SERVER_HOST>:<AGENT_SERVER_PORT>/agentapp/notification

Web Agents:

com.sun.identity.client.notification.url =http://AGENT_SERVER_HOST:AGENT_SERVER_PORT/UpdateAgentCacheServlet?shortcircuit=false

Not Supported, Web Agents: com.sun.identity.agents.config.change.notification.enable = true

See Also:

"OpenSSO Bootstrap Configuration Mappings"

Element

Description

See Also:

Table 28-5

Status

The state of this agent registration: Enabled or Disabled.

Default: Enabled

Filter mode

J2EE Agent Type only

The Agent filter is installed within the protected application. It facilitates the enforcement of security policies, governing the access to all resources within the protected application. Every application protected by the J2EE Agent must have its deployment descriptors changed to reflect that it is configured to use the agent filter. Applications that do not have this setting are not protected by J2EE the Agent and might malfunction or become unusable if deployed on a deployment container where the Agent realm is installed.

Filter modes must be set for the J2EE Agent by choosing one of the following options: SSO_ONLY or URL_Policy.

Default: URL_Policy

  • SSO_ONLY (Access Manager Authentication Only): Enables the least restrictive mode of operation for the filter; the agent simply ensures that all users who try to access protected web resources are authenticated.

  • URL_Policy (Access Manager Authentication and Authorization): Enables the agent filter to enforce URL policies. By default, with Web Agents, .com.sun.identity.agents.config.sso.onlyattribute is set to "false".

Process overview: Authentication Only (SSO_ONLY J2EE Filter Mode)

  1. End user requests access to an application or resource protected by OpenSSO Agent.

  2. OpenSSO Agent redirects this un-authenticated user to OAM Server for authentication.

  3. After successful authentication, OpenSSO Proxy redirects the user back to the protected resource with OpenSSO session ID set in the response cookie.

  4. Authenticated end user with valid OpenSSO session, accesses application or resource protected by OpenSSO Agent.

  5. OpenSSO Agent validates the OpenSSO Session against OAM Server through the OpenSSO Proxy and enables SSO for the end user.

  6. End user gets access to the protected application or resource.

Process overview: Authentication and Authorization with URL_Policy J2EE Filter Mode

  1. End user requests access to an application or resource protected by OpenSSO agent.

  2. OpenSSO Agent redirects this un-authenticated user to OAM Server for authentication.

  3. After successful authentication, OpenSSO Proxy redirects the user back to the protected resource with OpenSSO session ID set in the response cookie.

  4. Authenticated end user with valid OpenSSO session, accesses application or resource protected by OpenSSO Agent.

  5. OpenSSO Agent validates the OpenSSO Session against OAM Server through the OpenSSO Proxy.

  6. OpenSSO Agent sends Policy requests to OAM Server through the OpenSSO Proxy to ensure the authenticated user is authorized to access the resource.

  7. OpenSSO Proxy evaluates the Policies for the protected resource (using OAM Policy Engine) and sends the Policy decision to the Agent: Allow or Deny.

  8. End user gets access if the Policy decision is Allow.

Note: The following Filter Modes are not supported: NONE, J2EE_Policy, All.

See Also: "Understanding OpenSSO Agent Registration Parameters".