23 Understanding Global Policy Attachments

When you install Oracle Identity Manager, or upgrade to this release of Oracle Identity Manager, certain OWSM policy sets are created by default. These policy sets contain OWSM policies attached at the application path that secure the RESTful and SOAP services. By default, the attached policies are not SSL-enabled, that is, they do not require requests to arrive over HTTPS.

23.1 Predefined Policies

As part of Global Policy Attachments, OWSM policies for RESTful and SOAP web services govern access to the REST and SOAP services respectively. These policies can be modified to apply different levels or types of security to the applications.

Table 23-1 lists the RESTful WSM policy sets and the corresponding attached policies.

Table 23-1 RESTful WSM Policy Sets

Columns: Policy Set Name / Policy Attached / Description

policySetAPPONBRD
  Policy attached: oracle/multi_token_rest_service_policy
  Description: Enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password), SAML 2.0 Bearer token, JWT token security, or HTTP OAM security (disabled by default).

policySetDM
  Policy attached: oracle/multi_token_rest_service_policy
  Description: Enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password), SAML 2.0 Bearer token, JWT token security, or HTTP OAM security (disabled by default).

policySetREST_Auth
  Policy attached: oracle/multi_token_rest_service_policy
  Description: Enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password), SAML 2.0 Bearer token, JWT token security, or HTTP OAM security (disabled by default).

policySetREST_Unauth
  Policy attached: oracle/no_authentication_service_policy
  Description: Facilitates disabling a globally attached authentication policy. This includes disabling the whole global policy, together with any other assertions it contains in addition to the authentication assertion.

policySetSCIM_Auth
  Policy attached: oracle/multi_token_rest_service_policy
  Description: Enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password), SAML 2.0 Bearer token, JWT token security, or HTTP OAM security (disabled by default).

policySetSCIM_Unauth
  Policy attached: oracle/no_authentication_service_policy
  Description: Facilitates disabling a globally attached authentication policy. This includes disabling the whole global policy, together with any other assertions it contains in addition to the authentication assertion.

policySetTOKEN
  Policy attached: oracle/multi_token_rest_service_policy
  Description: Enforces one of the following authentication policies, based on the token sent by the client: HTTP basic (username/password), SAML 2.0 Bearer token, JWT token security, or HTTP OAM security (disabled by default).

policySetFacade
  Policy attached: oracle/http_saml20_token_bearer_client_policy
  Description: Governs generation of the SAML token by the facade application, which is used for authentication at the /tokens endpoint.

Table 23-2 lists the SOAP WSM policy sets and the corresponding attached policies.

Table 23-2 SOAP WSM Policy Sets

Policy Set Name                Policy Attached
policySetCertCallbackSvc       oracle/wss_username_token_service_policy
policySetIdAuditCallbackSvc    oracle/wss_username_token_service_policy
policySetProvCallback          oracle/wss11_saml_or_username_token_with_message_protection_service_policy
policySetReqSvc                oracle/wss_username_token_service_policy
policySetSPMLXSD               oracle/wss_saml_or_username_token_service_policy
policySetWorkflowSvc           oracle/wss11_saml_or_username_token_with_message_protection_service_policy

Note:

See Security Policies-Authentication Only in Securing Web Services and Managing Policies with Oracle Web Services Manager for detailed information about the default RESTful and SOAP WSM policies.

23.2 Viewing and Editing Global Policy Attachments

You can view and edit the policy attachments by using Oracle Enterprise Manager Fusion Middleware Control.

To view the policy sets and the attached policies and edit the policy sets, see Attaching Policies to Manage and Secure Web Services in Securing Web Services and Managing Policies with Oracle Web Services Manager.

When you make a change to a policy, the change takes effect at the next polling interval for policy changes. The default polling interval is 10 minutes (600000 milliseconds).

23.3 Enabling SCIM to Run Only on HTTPS

By default, SCIM is configured to run on both the HTTP and HTTPS ports. You can restrict SCIM to the HTTPS ports only by editing the policySetSCIM_Auth and policySetSCIM_Unauth policy sets.

For example, both of the following URLs work by default, without any configuration changes:

http://OIM_HOST:OIM_HTTP_PORT/iam/governance/scim/v1/Users
https://OIM_HOST:OIM_HTTPS_PORT/iam/governance/scim/v1/Users
To enable SCIM to run only on HTTPS ports:
  1. Log in to Oracle Enterprise Manager Fusion Middleware Control.
  2. Click WebLogic Domain, and select Web Services, WSM Policy Sets.
  3. Edit the WSM policy set policySetSCIM_Auth, and move to the Add Policy References page.
  4. Detach the existing oracle/multi_token_rest_service_policy, and attach the oracle/multi_token_over_ssl_rest_service_policy.
  5. Go to the Summary page and save the policy set.
  6. Edit the WSM policy set policySetSCIM_Unauth, and move to the Add Policy References page.
  7. Detach the existing oracle/no_authentication_service_policy, and attach the oracle/http_anonymous_rest_over_ssl_service_policy.
  8. Go to the Summary page, and save the policy set.

23.4 Enabling REST to Run Only on HTTPS

By default, REST is configured to run on both the HTTP and HTTPS ports. You can restrict REST to the HTTPS ports only by editing the policySetREST_Auth and policySetREST_Unauth policy sets.

To enable REST to run only on HTTPS ports:
  1. Log in to Oracle Enterprise Manager Fusion Middleware Control.
  2. Click WebLogic Domain, and select Web Services, WSM Policy Sets.
  3. Edit the WSM policy set policySetREST_Auth, and move to the Add Policy References page.
  4. Detach the existing oracle/multi_token_rest_service_policy and attach the oracle/multi_token_over_ssl_rest_service_policy.
  5. Go to the Summary page and save the policy set.
  6. Edit the WSM policy set policySetREST_Unauth, and move to the Add Policy References page.
  7. Detach the existing oracle/no_authentication_service_policy and attach the oracle/http_anonymous_rest_over_ssl_service_policy.
  8. Go to the Summary page and save the policy set.
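An added post-change check for the SCIM procedure in 23.3 and the REST procedure in 23.4; this script is not part of the Oracle documentation. Once the policy change has been picked up at the next polling interval, it probes the same resource on the HTTP and HTTPS ports and reports whether plaintext HTTP still reaches the service. It assumes the SCIM Users path given in this chapter; the host, ports and any REST resource path are deployment values you supply, and the rule that a 2xx or 401 response means the request "reached" the service is this check's own heuristic.

```python
import ssl
import sys
import urllib.error
import urllib.request

# Path from this chapter. REST resource paths are deployment-specific; pass them explicitly.
SCIM_USERS_PATH = "/iam/governance/scim/v1/Users"


def probe(url, timeout=10):
    """Unauthenticated GET. Returns the HTTP status code, or None when no HTTP
    response came back at all (connection refused, TLS handshake failure, timeout)."""
    ctx = ssl.create_default_context()  # keep certificate verification on
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 401, 403, ... are real answers from the server
    except (urllib.error.URLError, OSError):
        return None


def endpoint_reached(code):
    """Heuristic (assumption of this check): a 2xx or a 401 means the request got
    past the transport layer and reached the service; the 401 is the authentication
    policy challenging the client. Any other result counts as rejected."""
    return code is not None and (200 <= code < 300 or code == 401)


def verdict(http_code, https_code):
    """Classify one (HTTP, HTTPS) probe pair for the same resource."""
    if endpoint_reached(http_code):
        return ("FAIL", "plaintext HTTP still serves the resource (status %s)" % http_code)
    if not endpoint_reached(https_code):
        return ("WARN", "HTTPS did not answer as expected (status %s)" % https_code)
    return ("PASS", "resource answers over HTTPS only")


def check_transport(host, http_port, https_port, path=SCIM_USERS_PATH):
    """Probe both ports for one resource and return (status, message)."""
    http_code = probe("http://%s:%s%s" % (host, http_port, path))
    https_code = probe("https://%s:%s%s" % (host, https_port, path))
    return verdict(http_code, https_code)


if __name__ == "__main__":
    # usage: python check_https_only.py OIM_HOST OIM_HTTP_PORT OIM_HTTPS_PORT [PATH]
    status, message = check_transport(*sys.argv[1:5])
    print(status, message)
    sys.exit(0 if status == "PASS" else 1)
```

Run it once before the change (expect FAIL, since HTTP is served by default) and once after the polling interval has elapsed (expect PASS); a WARN means HTTPS itself did not respond as expected and the policy set should be reviewed before relying on it.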