Saturday, September 5, 2020

Painful Process of Renewing an IDP's Signing Certificate in a SAML Integration

I learned my first SAML integration in 2005 using a product called SHARE-id, developed by Oblix, which later became part of Oracle's IAM product suite. Over the last 10 years there has been huge adoption of the SAML protocol for seamless integration with centralized authentication service providers like Azure, Ping, ForgeRock, Google and so on. You can also write your own authentication service supporting SAML; it is easy to find a free library to implement a SAML IDP (Identity Provider) or a SAML assertion consumer service for an SP (Service Provider).


Here is a diagram of a standard SAML flow.
 


I will not describe how SAML integration works, as many good articles are already available on the net. This write-up focuses specifically on the "certificate renewal" aspect of SAML integration, which is one of the major pain points.

Context  :- 
One or many Service Providers (SPs, i.e. web applications) are tied to an Identity Provider (IDP: Azure, ForgeRock, Ping, or home-grown) in a "Circle of Trust", where the IDP shares its certificate with all SPs. An SP uses this certificate to verify the digital signature on the SAML Response, which proves that it has indeed come from the chosen IDP.
 
Now the Issue :- 
Just like any other certificate, the IDP's certificate expires every 3 years. Every participating SP then needs to replace the expiring certificate with the new one. When you have 100+ SAML apps in production, coordinating with so many AppOwners and getting the certificate replaced requires a good amount of planning and effort.

Possible Solutions :- 
(1) Plan it out in advance :- 
This is the bare minimum an IDP owner can do :-
o Add a new certificate to each IDP in the non-prod environment 3 months before expiry. Coexistence of the "to-be-expired" certificate with the "new" certificate ensures no outage.
o The new certificate (and/or IDP metadata) is then distributed to each AppOwner.
o The old (expiring) certificate is removed from the IDP once all AppOwners confirm that their app's SAML integration works with the new certificate.
o The same process is followed in production.

(2) Can we improve this process and automate it?
Yes, though it all depends on your organization's budget :) An IDP application dashboard portal can be built where App-Owners seamlessly onboard their SAML-compatible application through a user-friendly app registration process.
o The IDP owner proactively adds the new certificate to the IDP before expiry, and the portal then notifies the app-owners.
o App-owners pick up the certificate and IDP metadata and test the SAML integration.
o The portal then removes the old certificate from the IDP immediately after the app-owner certifies successful integration with the new certificate.

Basically, the portal replaces the manual coordination between IDP-Owner and App-Owner by automating the IDP certificate renewal process.

(3) Any other options?
Yes: switch to an OIDC-based integration, which uses a lightweight token compared to the XML-heavy SAML response. The OIDC token is signed using either a client secret or a key published in a JWKS (JSON Web Key Set). We will cover this in the next blog.
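As an added example, not the blog's own code: a stdlib-only Python script an SP owner can run against the IDP's published metadata to list every signing certificate it carries and to tell whether the replacement is already published next to the expiring one (the coexistence step described above). The X.509 validity is read with a minimal DER walk; the sample metadata, the unsigned certificate skeletons, the dates and the 90-day warning window are constructed here and are assumptions.

```python
import base64, datetime as dt, xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
def _tlv(buf, pos):                       # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length: the next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq, pos=0):                # (tag, value) of each element in a SEQUENCE body
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def cert_not_after(der):
    """notAfter of a DER X.509 certificate as a naive UTC datetime, no crypto library needed."""
    tbs = next(_children(_tlv(der, 0)[1]))[1]                 # Certificate -> tbsCertificate
    fields = [f for f in _children(tbs) if f[0] != 0xA0]      # drop the optional [0] version
    tag, value = list(_children(fields[3][1]))[1]             # serial, sigAlg, issuer, validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt)

def idp_signing_certs(metadata_xml):
    """DER bytes of every IDP KeyDescriptor usable for signing (no 'use' attribute = both)."""
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode(kd.find(".//ds:X509Certificate", NS).text)
            for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"]

def rollover_report(metadata_xml, today, warn_days=90):
    """[(notAfter, state)] per signing cert, and True only if one outlives the warning window."""
    rows = []
    for exp in map(cert_not_after, idp_signing_certs(metadata_xml)):
        days = (exp - today).days
        rows.append((exp, "expired" if days < 0 else "expiring" if days <= warn_days else "ok"))
    return rows, any(state == "ok" for _, state in rows)   # False: SP breaks when the old one expires

def _der(tag, body):                      # short-form lengths only: enough for the sample certs
    return bytes([tag, len(body)]) + body
def sample_metadata(*not_afters):
    """Constructed IDP metadata carrying one unsigned X.509 skeleton per notAfter string."""
    def cert(na):
        e, t = _der(0x30, b""), lambda s: _der(0x17, s.encode())
        tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + e + e
                   + _der(0x30, t("200101000000Z") + t(na)) + e + e)
        return base64.b64encode(_der(0x30, tbs + e + _der(0x03, b"\x00"))).decode()
    kds = "".join('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                  + cert(na) + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
                  for na in not_afters)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"><md:IDPSSODescriptor>%s'
            '</md:IDPSSODescriptor></md:EntityDescriptor>' % (NS["md"], NS["ds"], kds))
```

Run rollover_report() against the real metadata URL's body instead of sample_metadata(); a result of (rows, False) with an "expiring" row is the signal to chase the IDP owner before the 3-month window closes.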
 
 

Sunday, April 26, 2020

Practical Tips To Stay Focused In An Ever Distracting Environment

Companies are increasingly adopting Agile methodology and Continuous Integration and Development processes to make delivery more efficient. There is also a noticeable increase in productivity among developers. Management expectations have gone up, and this creates quite a bit of stress on engineers to keep pace. Staying focused on finishing one logical task is becoming increasingly challenging for Lead Engineers when they handle multiple modules while also carrying the baggage of supporting many of their previous projects.

Here are a few practical tips on staying focused on your high-priority tasks.

1. Start your day addressing the critical items only, not reading email :-
Many of us start our day going through new emails and replying to them. I suggest spending the first two hours of your day addressing the P1 items, such as :-
  • Any P1 follow-up items from yesterday. Note that you will use email only for this purpose, not for reading new emails.
  • Any P1 technical issues or code you are working on.
This will give you a grip on all P1 items. Reading new emails will distract you with a new set of work; instead, address the issues that are already bothering you.


2. Allocate specific time for new email :-
So when should you read your new emails? Allocate two specific times in the day for reading new emails and replying to them. For example :-
  • Around 10am, two hours after you finish your critical items.
  • Again at 4pm, before winding down. By now you may have a TO-DO list for tomorrow from these emails.

3. Dealing with too many emails :-
A very simple solution for this is to apply effective email filters, so only the relevant emails stay on top. All enterprise email programs come with filter utilities.
Here are some filter examples :-
  • All emails where you are CCed should go to a "NotToMe" folder. The reason is obvious: you don't have to reply to them immediately.
  • We receive tons of system-generated emails like "server xxxx restarted", "The certificate xxx is about to expire", etc. Carefully choose which of these regular emails belong in the trash.
  • Put a similar filter on all the regular blah-blah emails so they go straight to the trash.
  • Create sub-folders for different subcategories. For example, anything coming from Jira should go to a Jira sub-folder.
Building a custom list of email filters will take time, as it needs constant adjusting. But this is one of the most critical tools that helps you avoid wasting time on non-critical items.


4. Block a few hours for technical work :-
Senior Engineers spend more time on coordination and techno-clerical work, thus losing focus on core technical work. The best way to address this is to block at least 16 to 20 hours of your calendar for development work.


5. Everything has a home :-
Many external factors help you stay focused. A few examples: a clean desk, a decluttered workspace, a clean mailbox, etc. How do you keep a clean desk? I got this key takeaway statement, "Everything has a home", from a time-management training. Any object lying on your desk should have a home: a paper tray, a drawer, a bookshelf, the trash can, etc. The same goes for email: every email has a home (a rule-based folder).


6. Continuous planning :-
This mostly applies to Senior / Lead engineers, who very often face questions like: When will it be done? Why is it not done? What is taking so much time? What is the estimate? and so on. So continuous planning is THE critical task; it provides the tool that will help you answer these questions.

Some useful tips on planning tools :-
  • TO-DO list for the month/quarter - Use tools like a formula-based planning spreadsheet or Jira Structure, which will be handy in getting a near-perfect report on the project status, particularly the number of remaining hours required for your project stories. At least 2 hours a week need to be spent updating the story details. Usually I reserve 2 hours every alternate Friday.
  • Ensure that your monthly plan matches the road-map timeline set by your manager.
  • TO-DO list for the week :- Maintain a sticky note or a working journal listing every day's TO-DO list. This takes only 10 minutes and can be done in the morning. Plan your day around this weekly TO-DO list.

Conclusion :- 
I learned these over the years working in a very demanding environment. I try my best to stick to these rules, though on some chaotic days I just do fire-fighting. These tips are not new to many of you. I'd love to hear about your experience dealing with distractions and how you stay focused.

Wednesday, April 13, 2016

Mistaking Kerberos for Single Sign-On

End users in the corporate world often misinterpret the Kerberos authentication mechanism as Single Sign-On (SSO). Kerberos authentication provides seamless sign-on to (web) applications by using the Kerberos ticket generated/refreshed during the user's authentication to the network (when the user first logs in to the computer).

For example, if web applications AppX and AppY are configured for Kerberos authentication, the user will not see any credential challenge when both of these apps are accessed in two different tabs of the same browser. This gives the impression of SSO between AppX and AppY.

SSO functionality is much broader in any on-premises Enterprise SSO infrastructure like OAM, SiteMinder or ForgeRock. The Kerberos mechanism is just one of several authentication schemes available in an SSO server. Other authentication schemes, like Form authentication, can also provide single sign-on between two different web apps through a secure cookie generated by the SSO server when the user first logs in through the form, in a Web-Agent-based SSO architecture.

Wednesday, July 30, 2014

OAM R2 Persistent Login (Keep Me logged In/ Remember Me) Set up

I remember struggling with this one in OAM R1. Since this feature was not available in R1, we implemented it with our own custom code. Finally it is available in R2. Here is the link (http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/getstarted.htm#CIHBEEAI) to set this up and test it in 30 minutes max.

I am just posting the first step, the exact WLST command that I ran to enable it in OAM 11g R2. Follow the rest of the steps from the Oracle doc.


$ cd ../Middleware/Oracle_IDM1/common/bin
$ ./wlst.sh

wls:/YOUR_DOMAIN/serverConfig> connect()
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://YourServer:7001
Connecting to t3://YourServer:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'YOUR_DOMAIN'.

wls:/YOUR_DOMAIN/serverConfig> configurePersistentLogin(enable="true", validityInDays="30",maxAuthnLevel="2", userAttribute="obPSFTID")
SUCCESS

wls:/YOUR_DOMAIN/serverConfig> exit()

Monday, March 10, 2014

Including a Custom MANIFEST.MF File in the NetBeans jar Build Process

An OAM custom authentication module requires a custom manifest.mf file to be included in your custom plugin jar file. It is easy to include your own manifest.mf during the jar build process in Eclipse, but it is not that easy if you are using NetBeans. If you do a clean build using NetBeans, you will end up with a default manifest.mf in the jar file.

Here are the steps to include your OAM-plugin-specific manifest.mf in the jar.
(1) Keep your custom manifest.mf file in the /src/META-INF/ directory.
(2) Open /YourProject/nbproject/project.properties
Comment out this line:
#manifest.file=manifest.mf

Add these two lines, which do the magic:
manifest.available=true
manifest.file=${src.dir}/META-INF/manifest.mf

(3) Now do a NetBeans build; the generated jar file should have "/src/META-INF/manifest.mf" included.

Wednesday, January 15, 2014

Japanese (non-ASCII) Character Issues in OAM Header Variables

I have a few user records with Japanese characters (like 高山) in their attributes. Querying these users in OVD through ODSM displays them correctly. However, the same attributes, when passed as OAM header variables through an OAM authorization scheme, come out as garbage like '=?UTF-8?B?6auY5bGx?='.

This happens because the Webgate encodes any non-ASCII characters in header variables according to RFC 2047. It is the receiving OAM-protected application that must decode the encoded value. The following Java sample code is a quick rescue: it transforms the encoded value back into the readable original.
import javax.mail.internet.MimeUtility;

public class DecodeOamHeader {
    public static void main(String[] args) throws java.io.UnsupportedEncodingException {
        // Webgate sends non-ASCII header values as RFC 2047 encoded-words; decode them on the app side
        System.out.println("The Actual Value is := " + MimeUtility.decodeText("=?UTF-8?B?6auY5bGx?="));
    }
}

Your result will be:
The Actual Value is := 高山


Tuesday, July 2, 2013

Always Mark Your OAM Cookie as Secure and HttpOnly

It is good practice to mark all OAM cookies as Secure and HttpOnly. This can be done in each individual authentication scheme. The exact OAM 11g R1 syntax is "ssoCookie=Secure;httponly" in the Challenge Parameters field.

httponly :- By marking the cookie as HttpOnly, you ensure that the browser only sends the cookie in HTTP requests; it is not accessible via non-HTTP methods like JavaScript ("document.cookie"). Attackers usually steal cookies via cross-site scripting, and HttpOnly closes that route.

Secure :- This configuration limits cookie transmission to the encrypted (HTTPS) channel only. This is additional protection on top of the HttpOnly configuration.
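To confirm the Challenge Parameters change actually took effect, here is an added check (not from the original post) that reads the Set-Cookie headers a browser would receive after login and reports which of the two protections each session cookie is missing. The cookie names ObSSOCookie and OAM_ID and the sample header values are assumptions constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers as returned after an OAM login. The first is what
# "ssoCookie=Secure;httponly" should produce; the second shows the default, unprotected form.
SAMPLE_HEADERS = [
    "ObSSOCookie=ABC123; path=/; domain=.example.com; secure; httponly",
    "OAM_ID=XYZ789; path=/; domain=.example.com",
]

def audit_set_cookie(headers, names=("ObSSOCookie", "OAM_ID")):
    """Map each named session cookie to the protections it lacks.

    'secure'   missing: the browser will also send it over plain HTTP.
    'httponly' missing: document.cookie can read it, so an XSS bug can steal the session.
    """
    findings = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)                      # parses name=value plus its attribute flags
        for name, morsel in jar.items():
            if name in names:
                findings[name] = [flag for flag in ("secure", "httponly") if not morsel[flag]]
    return findings

if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not missing else "missing " + ", ".join(missing))
```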