
Configuration of OAM 11g Mobile and Social for a sample Android Application.

04/07/2013 Oracle Identity and Access Management: Workshop-android-oamconfig

Table of Contents

Objective
Create The Application Profile
Create the Native Login Mobile Service Domain
    Service Profile Bindings
    Service Protection
    Finish domain creation
    Update the MobileJWTAuthentication Token provider to use OVD
Configure Social Login
    Create the Internet (Social) Application profile
    Create the Service Domain for Social Login
    Modify the InternetIdentityAuthentication provider to use OVD

Objective

The objective of this chapter is to configure the OAM Mobile and Social server (OAMMS) for the sample application.

You should be familiar with the OAM Administration guide and should understand the following OAMMS concepts:

Application Profiles: An application is a web (HTML/JavaScript) or native (iOS or Android) application. Applications may have different requirements for AuthN/AuthZ, and therefore each application that interacts with OAMMS REST services must be uniquely defined.

Service Providers: Service providers define a type or class of service for authentication, authorization or user profiles. Think of service providers as "templates" that are used to instantiate a real instance of a service. For example, the JWTAuthentication provider performs authentication and returns JWTs (JSON Web Tokens) to the application. In contrast, the OAMAuthentication provider also performs authentication but issues OAM SSO tokens.

Service Domains: Service domains bind applications and service providers together. They are the instantiation of the defined providers. Multiple service domains are needed when we have different communities of users or devices that we want to serve. For example, customers may authenticate to one source while employees use another.

Create The Application Profile

Log on to the oamconsole (iamadmin/Oracle123).

From System Configuration -> Mobile and Social -> Mobile Services, select "Create" under Application Profiles:


Enter the parameters for the new Application profile.

Setting Description

Name: The application name. In this example we use MobileDemo (note: the name is not visible in the screenshot below). The application name configured here must match the application name in the settings for the deployed Android application.

baseSecret: Enter a password here. This does not need to match any existing password. It is used as an encryption key between the client and the OAMMS server.

Mobile Configuration check box: Enable this checkbox for any mobile application. This enables the SDK to collect and send mobile-specific attributes to the OAMMS server.

Webview: Controls the type of browser that the Android application will use when showing a Social login dialog. The embedded browser (default) renders the browser within the application. External uses the system standalone browser. External can sometimes be preferable for debugging.

URL Scheme: Both Android and iOS use a custom URL scheme to register OS handlers that take control when OAMMS transfers control back to the device. Use the value osa://

Android Package: The fully qualified package name of the Android application that you will deploy. This is taken from your application's AndroidManifest.xml file. It tells Android which application to launch when an intent is received (for example osa://).

Android Signature: This is the unique signature for your application. The Android development chapter in this lab explains how to find this value. For development it is generated by the Android SDK tools. For production it is derived from the stable release signing key used when deploying through the Play store.


Note: If you are deploying the pre-compiled .apk sample application, the signature is found below. If you are compiling the application in Eclipse your signature will be unique to your SDK environment. You will need to extract your signature from the application logs. This procedure is detailed in the sample application walkthrough.


Create the Native Login Mobile Service Domain

An OAMMS service domain binds together a set of configured interfaces for authentication, authorization and user profile services. Service domains provide flexibility to support different types of mobile clients. For example, an employee mobile service domain would use a different authentication source than a mobile service domain used by customers.

Select Create under Mobile Service Domains:


Create a name for your domain (NativeMobileDomain is used below). The name configured must match the service domain set in the Android application.

Under "Application Profile Selection" click the browse button. Choose the application profile that you created in the previous step. This associates the application with this service domain. A service domain can support multiple applications.


Service Profile Bindings

Advance to the next page of the wizard to configure the services for this domain. For this example we will use the following services:

Service Description

Authentication: MobileJWTAuthentication. This uses the JWT (JSON Web Token) format authentication provider. Upon successful authentication the Android application receives a signed JWT token from OAMMS. This token is presented in subsequent calls to OAMMS.

Authorization: OAMAuthorization. The authorization provider. The SDK calls this provider endpoint to obtain authorization decisions on resource requests. Authorization is not used in this demo.

User Profile Service: OVDUserProfileService. This is the service that provides user profile services (attribute lookup, attribute modification). The OVD provider has been previously configured in the demonstration image. It makes calls to Oracle Virtual Directory to perform attribute operations.


Service Protection

The REST services for a domain can be protected by requiring the caller to present a token to invoke the service. In the example below we protect the authorization and user profile services.

Make sure you enable writing of the profile. The sample application will demonstrate a user updating their profile. This call will fail if the write checkbox is not enabled.


Finish domain creation


Update the MobileJWTAuthentication Token provider to use OVD

By default the MobileJWTAuthentication provider uses the embedded WebLogic LDAP provider. Our demo users are in OVD/OUD, so we must change the provider. We could also create a new provider that uses OVD, but for this example we have chosen to update the existing out of the box provider.

From the main OAMMS Mobile screen, select and edit the MobileJWTAuthentication provider. In the drop down box for the directory choose "OVD". This LDAP provider has been previously configured in the demo image. If you are doing this on your own image you will need to create a new LDAP connection profile.


Configure Social Login

The sample application demonstrates social login using a Google account. You will need to configure an application profile for Social login and a new service domain that uses the social login application profile.

When creating the new internet application profile, you must use the same name as the Application profile you previously created for the mobile application. For example, if your mobile application profile is called "MobileDemo" the internet application profile should also be called "MobileDemo".

Create the Internet (Social) Application profile

Navigate to Mobile and Social, click on "Internet Identity Services" and create a new application profile:


Set the following parameters for the new application profile.

Setting Description

Name: The application name. This must match the name of the mobile application profile created for your application under Mobile Services. We use MobileDemo for this example.

Shared Secret: A password used as an encryption key between the application and OAMMS. This does not need to match any existing password.

Return URL: See below.

Mobile Application Return URL: After the Relying Party (social) login, the OAMMS server redirects to the Android application using this URI. The URI is registered with Android and associated with an Intent that is mapped to our sample application. This allows our sample application (and the linked SDK) to handle the post-login authentication process. Use osa:// for this lab. If you look inside your application's AndroidManifest.xml file you will see this URI mapped to an activity that invokes the SDK.

Login Type: Choose to allow local login as well as Social login.

Enable browser popups: Select yes to allow a new browser instance to pop up for the login page.

User Registration: For our demo we assume the account is already registered. If you wish to allow user registration, enable this feature.

Authentication Service Endpoint: Make sure that /internetidentityauthentication is selected.

Application to Provider Mapping: Select the social login providers that you wish to enable. For the lab select Google. You can choose others here (e.g. Facebook) but you must register for a developer API key.


Save the new profile.
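The osa:// value entered as the URL Scheme of the Mobile Services profile and as the Mobile Application Return URL of the Internet Identity Services profile only works if the Android application declares a handler for that scheme. The manifest fragment below is an added example written for this page; it is not the lab's sample application or Oracle SDK code. The package name com.example.mobiledemo and the activity name OamReturnActivity are assumptions, and the real sample names the SDK's activity differently. It shows the intent filter that routes osa:// intents to one activity, and how the package attribute is the value that the Android Package setting in the application profile must match.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example for this page, not the lab's sample application.
  Assumed names: package com.example.mobiledemo, activity OamReturnActivity.
  The real sample routes osa:// to the activity supplied by the OAMMS SDK.
-->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mobiledemo">  <!-- must equal the "Android Package" value in the OAMMS application profile -->

    <uses-permission android:name="android.permission.INTERNET" />

    <application android:label="MobileDemo">

        <!-- Activity that receives the post-login redirect from OAMMS.
             exported="true" lets the browser (or the system) start it;
             singleTask delivers the returning intent to the existing instance. -->
        <activity
            android:name=".OamReturnActivity"
            android:exported="true"
            android:launchMode="singleTask">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <!-- BROWSABLE allows a link in a browser (the External webview option) to fire this intent -->
                <category android:name="android.intent.category.BROWSABLE" />
                <!-- Matches any osa:// URI, i.e. the return URI configured in both OAMMS profiles -->
                <data android:scheme="osa" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

Any application on the device can declare the same scheme, and when more than one app claims it Android shows a chooser or uses a remembered default, so the scheme is a routing mechanism rather than an identity check. The Android Package and Android Signature settings in the application profile are what tie the profile to a specific build; keep the exported activity minimal, hand the received URI to the SDK, and do not treat its contents as trusted input.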

Create the Service Domain for Social Login

Navigate to Mobile Services. Click on New to create a new service domain.

In this example we call the domain "SocialDomain". The type should be Mobile Application and the application credential type User Token.

At this point we will not use a security post processor (leave this blank for now). Add the application "MobileDemo" to the domain. Advance to the next page of the wizard.


Select the Service profiles as shown below. Take care that the Authentication service is set to InternetIdentityAuthentication, the provider behind the /internetidentityauthentication endpoint selected in the application profile.

Set the protection for the Profile and Authorization services as shown below:


Finish the creation of the service domain.

Modify the InternetIdentityAuthentication provider to use OVD

The out of the box configuration for the InternetIdentityAuthentication provider uses the embedded LDAP store.

Under MobileServices, select and edit the provider and set the directory to OVD as shown below. This directory connection has been previously configured for you:

