Thursday, August 31, 2017

Tuesday, May 9, 2017

OIM: Sample code to Publish roles to Organizations

This post covers sample OIM code that publishes a role to specific organizations supplied as inputs.

Our example code performs the following operations:
  • Publish APP_USER to new Organization "Google" and set "include sub-orgs" flag to False.
  • Publish APP_USER to existing Organization "Microsoft" and set "include sub-orgs" flag to True.
  • Remove APP_USER from existing Organization "Yahoo" 
Initial role configuration in OIM before update: 


Environment:
  • OIM 11.1.2.3BP07
  • OEL/RHEL 6
Code:

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;

import oracle.iam.identity.exception.NoSuchRoleException;
import oracle.iam.identity.exception.RoleLookupException;
import oracle.iam.identity.exception.SearchKeyNotUniqueException;
import oracle.iam.identity.orgmgmt.api.OrganizationManager;
import oracle.iam.identity.orgmgmt.vo.Organization;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.authopss.api.PolicyConstants;
import oracle.iam.platform.authopss.vo.EntityPublication;
import oracle.iam.platform.authz.exception.AccessDeniedException;
import oracle.iam.platformservice.api.EntityPublicationService;

public class UpdateOIMRoleOrgAssociation {

    public static void main(String[] args) {

        try {
            String roleKey;
            String roleName = "APP_USER";

            // Connect to OIM
            Hashtable<Object, Object> env = new Hashtable<Object, Object>();
            env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, OIMClient.WLS_CONTEXT_FACTORY);
            env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://oimenv:14100");

            System.setProperty("java.security.auth.login.config", "/oracle/iam/authwl.conf");
            System.setProperty("OIMConnect.AppServerType", "wls");
            System.setProperty("APPSERVER_TYPE", "wls");

            OIMClient oimClient = new OIMClient(env);
            // The password is taken from the OIM_PASSWORD environment variable (an assumed
            // name) instead of being hard-coded in the source
            oimClient.login("xelsysadm", System.getenv("OIM_PASSWORD"));

            // Look up the OIM services used below
            RoleManager roleManager = oimClient.getService(RoleManager.class);
            OrganizationManager orgManager = oimClient.getService(OrganizationManager.class);
            EntityPublicationService entityPubService = oimClient
                    .getService(EntityPublicationService.class);

            // Resolve the role key; stop here if the role cannot be resolved, because
            // every later call needs a valid key
            try {
                roleKey = roleManager.getDetails("Role Name", roleName, null)
                        .getAttribute("Role Key").toString();
                System.out.println("=====>Retrieved role Key ::" + roleKey);
            } catch (SearchKeyNotUniqueException | NoSuchRoleException
                    | RoleLookupException | AccessDeniedException e1) {
                System.err.println("Unable to resolve role " + roleName);
                e1.printStackTrace();
                return;
            }

            // To modify or delete an existing publication, it must first be fetched
            List<EntityPublication> entityPubsAssigned = entityPubService
                    .listEntityPublications(PolicyConstants.Resources.ROLE, roleKey, null);

            // One list per operation; OIM reads them back under the keys ADD, UPDATE and DELETE
            System.out.println("----- Initializing updates/removes -----");
            List<EntityPublication> entityPubsAddList = new ArrayList<EntityPublication>();
            List<EntityPublication> entityPubsUpdateList = new ArrayList<EntityPublication>();
            List<EntityPublication> entityPubsDeleteList = new ArrayList<EntityPublication>();

            // Resolve the organization key for the new publication
            Organization org1 = orgManager.getDetails("Google", null, true);
            System.out.println("Google" + " Key ::" + org1.getEntityId());

            // ADD: publish the role to Google with "include sub-orgs" = false
            entityPubsAddList.add(new EntityPublication(roleKey,
                    PolicyConstants.Resources.ROLE, Long.valueOf(org1.getEntityId()), false));

            // UPDATE: the existing publication to Microsoft now includes sub-orgs
            for (EntityPublication entityPub : entityPubsAssigned) {
                if (entityPub.getScopeName().equalsIgnoreCase("Microsoft")) {
                    entityPub.setHierarchicalScope(true);
                    entityPubsUpdateList.add(entityPub);
                }
            }

            // DELETE: the existing publication to Yahoo is removed as-is
            for (EntityPublication entityPub : entityPubsAssigned) {
                if (entityPub.getScopeName().equalsIgnoreCase("Yahoo")) {
                    entityPubsDeleteList.add(entityPub);
                }
            }

            // Collect the three lists in the map OIM expects
            Map<String, List<EntityPublication>> entityPubsMap =
                    new HashMap<String, List<EntityPublication>>();
            entityPubsMap.put("ADD", entityPubsAddList);
            entityPubsMap.put("UPDATE", entityPubsUpdateList);
            entityPubsMap.put("DELETE", entityPubsDeleteList);

            // Now update the role with the new publication set
            Role newRole = new Role(roleKey);
            newRole.setAttribute(RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO, entityPubsMap);
            roleManager.modify(newRole);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
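The sample above hard-codes one loop per organization. The following added example (written for this post, not part of the original sample or of the OIM API) generalizes that into a desired-state reconciliation: given the publications currently assigned to a role and the set of organizations the role should be published to, it derives the ADD, UPDATE and DELETE lists, and it is idempotent (running it again on the resulting state yields three empty lists, and an organization already published is never added twice). A plain value class PubEntry stands in for EntityPublication so the logic can be compiled and run without the OIM jars; the organization keys and names are constructed sample data.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example: derives the ADD/UPDATE/DELETE lists that RoleManager.modify()
// consumes from a desired state, instead of one hand-written loop per org.
public class RolePublicationPlan {

    /** Stand-in for EntityPublication: scope (org) key, org name, include-sub-orgs flag. */
    public static final class PubEntry {
        public final long scopeId;
        public final String scopeName;
        public boolean hierarchical;

        public PubEntry(long scopeId, String scopeName, boolean hierarchical) {
            this.scopeId = scopeId;
            this.scopeName = scopeName;
            this.hierarchical = hierarchical;
        }

        @Override
        public String toString() {
            return scopeName + "(" + scopeId + ", subOrgs=" + hierarchical + ")";
        }
    }

    /**
     * Builds the map that OIM expects under ORGANIZATIONS_PUBLISHED_TO.
     *
     * @param current  publications as returned by listEntityPublications()
     * @param desired  org key -> include-sub-orgs flag that should exist after the change
     * @param orgNames org key -> org name, used only to build the stand-in entries
     */
    public static Map<String, List<PubEntry>> plan(List<PubEntry> current,
                                                  Map<Long, Boolean> desired,
                                                  Map<Long, String> orgNames) {
        List<PubEntry> add = new ArrayList<PubEntry>();
        List<PubEntry> update = new ArrayList<PubEntry>();
        List<PubEntry> delete = new ArrayList<PubEntry>();

        Map<Long, PubEntry> currentById = new LinkedHashMap<Long, PubEntry>();
        for (PubEntry p : current) {
            currentById.put(p.scopeId, p);
        }

        // Existing publications: keep, flip the sub-org flag, or remove
        for (PubEntry p : current) {
            Boolean wanted = desired.get(p.scopeId);
            if (wanted == null) {
                delete.add(p);                 // org no longer in the desired set
            } else if (wanted != p.hierarchical) {
                p.hierarchical = wanted;       // same org, different sub-org flag
                update.add(p);
            }                                  // else already correct: no-op
        }

        // Desired orgs with no existing publication: add exactly once
        for (Map.Entry<Long, Boolean> e : desired.entrySet()) {
            if (!currentById.containsKey(e.getKey())) {
                add.add(new PubEntry(e.getKey(), orgNames.get(e.getKey()), e.getValue()));
            }
        }

        Map<String, List<PubEntry>> result = new LinkedHashMap<String, List<PubEntry>>();
        result.put("ADD", add);
        result.put("UPDATE", update);
        result.put("DELETE", delete);
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample state mirroring the post: Yahoo and Microsoft already published
        List<PubEntry> current = new ArrayList<PubEntry>();
        current.add(new PubEntry(21L, "Yahoo", false));
        current.add(new PubEntry(22L, "Microsoft", false));

        Map<Long, String> orgNames = new LinkedHashMap<Long, String>();
        orgNames.put(21L, "Yahoo");
        orgNames.put(22L, "Microsoft");
        orgNames.put(23L, "Google");

        // Desired: Google without sub-orgs, Microsoft with sub-orgs; Yahoo dropped
        Map<Long, Boolean> desired = new LinkedHashMap<Long, Boolean>();
        desired.put(23L, false);
        desired.put(22L, true);

        Map<String, List<PubEntry>> changes = plan(current, desired, orgNames);
        for (Map.Entry<String, List<PubEntry>> e : changes.entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
    }
}
```

With the constructed input the output is ADD -> Google (subOrgs=false), UPDATE -> Microsoft (subOrgs=true) and DELETE -> Yahoo, which is exactly the three operations the post performs. In real code the PubEntry instances would be the EntityPublication objects fetched from EntityPublicationService, keyed by getScopeId(), and the ADD entries would be built with the EntityPublication constructor used in the sample.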


After updating through code, APP_USER role will be updated as shown below:


Monday, April 17, 2017

OAM: Enable White Listing mode

This post covers the WLST commands used to enable URL whitelisting in OAM and apply it to OAM-protected applications. Whitelisting restricts redirections (for example after logout) to URLs registered with OAM, so a request that asks OAM to redirect to an unregistered external site or URL is not followed.

Environment:
  • OAM 11.1.2.3BP07
  • RHEL6/OEL6
Steps:

Enabling and configuring whitelisting mode is simple and requires only the following two activities:
  1. Enable OAM White listing Mode
  2. Adding/Removing URLs to/from the list of White listed URLs
1. Enable OAM White listing Mode:
  • Login to the server that contains installation of OAM component
  • Browse to the following directory
    • <Oracle_IDM_Home>/common/bin
  • Execute the following commands
    • ./wlst.sh
    • connect('weblogic','password','t3://oamhost:7001')
    • domainRuntime()
    • oamSetWhiteListMode(oamWhiteListMode="true")
  • This returns the success message as shown below.

2. Adding/Removing URLs to/from the list of White listed URLs :
  • Execute the below command to add a URL to the list
    • oamWhiteListURLConfig(Name="google",Value="http://www.google.com",Operation="Update")  


  • Execute the below command to remove a URL from the list
    • oamWhiteListURLConfig(Name="google",Value="http://www.google.com",Operation="Remove") 


Validation:
  • We can validate the behaviour during the logout of any OAM-protected application through the OAM logout URL. For example, add "http://www.google.com/" to the white list and invoke the following logout URL, whose end_url parameter carries the google.com URL:
    • http://<OHSHost>:7777/oamsso/logout.html?end_URL=http://www.google.com/
  • After a successful logout, the URL above redirects you to "http://www.google.com/" because it is a trusted URL.
  • To confirm the opposite case, remove the same URL from the white listed URLs and invoke the logout again: OAM logs you out but does not redirect to "http://www.google.com/".
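To reason about the validation steps above offline, the following added example (written for this post, not OAM's code) models the decision the whitelist makes for an end_url: the configured entries are stored as scheme plus host, and a candidate end_url is only redirected to when its scheme and host match an entry exactly. The exact-origin matching rule, the allow()/remove() names and the sample inputs are assumptions chosen for the example; OAM's own matching rules are not documented on this page and may differ.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;

// Added example: models the post-logout redirect decision made by the whitelist mode.
public class EndUrlWhitelistCheck {

    /** Allow-list populated the way oamWhiteListURLConfig(...Operation="Update") would. */
    private final Set<String> allowedOrigins = new HashSet<String>();

    /** Registers a trusted URL; only scheme and host (and an explicit port) are kept. */
    public void allow(String url) {
        String origin = origin(url);
        if (origin != null) {
            allowedOrigins.add(origin);
        }
    }

    /** Mirrors oamWhiteListURLConfig(...Operation="Remove"). */
    public void remove(String url) {
        allowedOrigins.remove(origin(url));
    }

    /**
     * Returns the redirect target to use after logout: the end_url when it is trusted,
     * otherwise null (the user stays on the logout page), as observed in the post.
     */
    public String redirectTargetAfterLogout(String endUrl) {
        String origin = origin(endUrl);
        return origin != null && allowedOrigins.contains(origin) ? endUrl : null;
    }

    /** Normalises a URL to "scheme://host[:port]"; null for relative, non-HTTP or malformed input. */
    static String origin(String url) {
        try {
            URI u = new URI(url.trim());
            if (u.getScheme() == null || u.getHost() == null) {
                return null;   // scheme-relative or opaque URLs never match
            }
            String scheme = u.getScheme().toLowerCase();
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return null;
            }
            String host = u.getHost().toLowerCase();
            return u.getPort() == -1 ? scheme + "://" + host
                                     : scheme + "://" + host + ":" + u.getPort();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        EndUrlWhitelistCheck check = new EndUrlWhitelistCheck();
        check.allow("http://www.google.com");   // the Update command from the post

        // Constructed sample end_url values
        String[] samples = {
            "http://www.google.com/",                          // trusted: redirected
            "http://www.google.com.example.test/",             // look-alike host: not redirected
            "http://other.example.test/?next=http://www.google.com/", // trusted text only in query: not redirected
            "//www.google.com/",                               // scheme-relative: not redirected
        };
        for (String s : samples) {
            System.out.println(s + " -> " + check.redirectTargetAfterLogout(s));
        }

        check.remove("http://www.google.com");      // the Remove command from the post
        System.out.println("after removal -> "
                + check.redirectTargetAfterLogout("http://www.google.com/"));
    }
}
```

The look-alike and query-string cases are why the check compares the parsed scheme and host rather than testing whether the end_url string starts with or contains a trusted URL; a substring comparison would accept both of them.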
Thanks for visiting.