Configuration of OAM 11g Mobile and Social for a sample Android Application.
04/07/2013 Oracle Identity and Access Management: Workshop-android-oamconfig
Table of Contents
Objective
Create The Application Profile
Create the Native Login Mobile Service Domain
Service Profile Bindings
Service Protection
Finish domain creation
Update the MobileJWTAuthentication Token provider to use OVD
Configure Social Login
Create the Internet (Social) Application profile
Create the Service Domain for Social Login
Modify the InternetIdentityAuthentication provider to use OVD
Objective
The objective of this chapter is to configure the OAM Mobile and Social server (OAMMS) for the sample application.
You should be familiar with the OAM Administration guide and should understand the following OAMMS concepts:
Application Profiles: An application is a web (html/javascript) or native (iOS or Android) application. Applications may have different requirements for AuthN/AuthZ, and therefore each application that interacts with OAMMS REST services must be uniquely defined.
Service Providers: Service providers define a type or class of service for authentication, authorization or user profiles. Think of Service providers as "templates" that are used to instantiate a real instance of a service. For example, the JWTAuthentication provider performs authentication and returns JWT (JSON Web Tokens) to the application. In contrast, the OAMAuthentication provider also provides authentication but uses OAM SSO tokens.
Service Domains: Service domains bind together applications and service providers into a service domain. They are the instantiation of the defined providers. Multiple service domains are needed when we have different communities of users or devices that we want to serve. For example, customers may authenticate to one source, while employees may use another.
Create The Application Profile
Log on to the oamconsole (iamadmin/Oracle123).
From System Configuration -> Mobile and Social -> Mobile Services, select "Create" under Application Profiles:
Enter the parameters for the new Application profile.
Setting: Description
Name: The application name. In this example we use MobileDemo (note: the name is not visible in the screenshot below). The application name configured here must match the application name in the settings for the deployed Android application.
baseSecret: Enter a password here. This does not need to match any existing password. It is used as an encryption key between the client and the OAMMS server.
Mobile Configuration check box: Enable this checkbox for any mobile applications. This enables the SDK to collect and send mobile-specific attributes to the OAMMS server.
Webview: Controls the type of browser that the Android application will use when showing a Social login dialog. The embedded browser (default) will render the browser within the application. External will use the system standalone browser. External can sometimes be preferable for debugging.
URL Scheme: Both Android and iOS use a custom URL scheme to register O/S handlers that will take control when OAMMS transfers control to the device. Use the value osa://
Android Package: The fully qualified name of the Android application that you will deploy. This is taken from your application's AndroidManifest.xml file. It is used to tell Android which application to launch when an intent is received (for example osa://).
Android Signature: This is the unique signature for your application. The Android development chapter in this lab explains how to find this value. For development it is generated by the Android SDK tools. For production this value is a stable signing key available from Google as part of the Play store deployment process.
Note: If you are deploying the pre-compiled .apk sample application, the signature is found below. If you are compiling the application in Eclipse, your signature will be unique to your SDK environment. You will need to extract your signature from the application logs. This procedure is detailed in the sample application walkthrough.
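As an added sanity check (not part of the workshop or the OAMMS product), the following Python validates the Application Profile fields before they are typed into the console: the Android package must be the dotted identifier from AndroidManifest.xml, the URL scheme must be written like osa://, and the Android signature must be one complete hex-encoded DER SEQUENCE, which is what an X.509 certificate is. The field names, the minimum secret length and the small DER sample are this example's own assumptions.

```python
import binascii
import re

# Constructed sample (not the workshop's value). A real certificate begins
# 30 82 xx xx: SEQUENCE tag followed by a two-byte long-form length.
SAMPLE_SIGNATURE_HEX = "30030201ff"   # SEQUENCE(len 3) { INTEGER(len 1) 0xff }
_PACKAGE_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+")

def der_total_length(blob: bytes) -> int:
    """Length of the outer DER element: tag byte + length bytes + content."""
    if len(blob) < 2:
        raise ValueError("too short to be DER")
    first = blob[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_android_signature(hex_value: str) -> bool:
    """True if hex_value decodes to exactly one complete DER SEQUENCE."""
    try:
        blob = binascii.unhexlify(hex_value.strip())
        return blob[0] == 0x30 and der_total_length(blob) == len(blob)
    except (binascii.Error, ValueError, IndexError):
        return False

def check_android_package(name: str) -> bool:
    """Dotted Java-style identifier, as in the manifest's package attribute."""
    return _PACKAGE_RE.fullmatch(name) is not None

def check_url_scheme(scheme: str) -> bool:
    """Custom scheme written the way the lab expects it, e.g. osa://"""
    return re.fullmatch(r"[a-z][a-z0-9+.-]*://", scheme) is not None

def validate_profile(profile: dict) -> list:
    """Names of fields that fail their check; an empty list means the profile looks sane."""
    checks = [
        ("name", lambda v: bool(v)),
        ("baseSecret", lambda v: len(v) >= 12),   # minimum length is this example's assumption
        ("urlScheme", check_url_scheme),
        ("androidPackage", check_android_package),
        ("androidSignature", check_android_signature),
    ]
    return [field for field, ok in checks if not ok(profile.get(field, ""))]
```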
Create the Native Login Mobile Service Domain
An OAMMS service domain binds together a set of configured interfaces for authentication, authorization and user profile services. Service domains provide flexibility to support different types of mobile clients. For example, an employee Mobile service domain would use a different authentication source than a Mobile service domain used by customers.
Select create under Mobile Service domains:
Create a name for your domain (NativeMobileDomain is used below). The name configured must match the service domain set in the Android application.
Under "Application Profile Selection" click the browse button. Choose the application profile that you created in the previous step. This associates the application with this service domain. A service domain can support multiple applications.
Service Profile Bindings
Advance to the next page of the wizard to configure the services for this domain. For this example we will use the following services:
Service: Description
Authentication: MobileJWTAuthentication. This will use the JWT (JSON Web Token) format authentication provider. Upon successful authentication, the Android application will receive a signed JWT token from OAMMS. This token will be used in subsequent calls to OAMMS.
Authorization: OAMAuthorization. The authorization provider. The SDK makes calls to this provider endpoint to obtain authorization decisions on resource requests. Authorization is not used in this demo.
User Profile Service: OVDUserProfileService. This is the service that provides user profile services (attribute lookup, attribute modification). The OVD provider has been previously configured in the demonstration image. It makes calls to Oracle Virtual Directory to perform attribute operations.
Service Protection
The REST services for a domain can be protected by requiring the caller to present a token to invoke the service. In the example below we protect the authorization and user profile services.
Make sure you enable writing of the profile. The sample application will demonstrate a user updating their profile. This call will fail if the write checkbox is not enabled.
Update the MobileJWTAuthentication Token provider to use OVD
By default the MobileJWTAuthentication provider uses the embedded WebLogic LDAP provider. Our demo users are in OVD/OUD, so we must change the provider. We could also create a new provider that uses OVD, but for this example we have chosen to update the existing out-of-the-box provider.
From the main OAMMS Mobile screen, select and edit the MobileJWTAuthentication provider. In the drop-down box for the directory choose "OVD". This LDAP provider has been previously configured in the demo image. If you are doing this on your own image you will need to create a new LDAP connection profile.
Configure Social Login
The sample application demonstrates social login using a Google account. You will need to configure an application profile for Social login and a new service domain that uses the social login application profile.
When creating the new internet application profile, you must use the same name as the Application profile you previously created for the mobile application. For example, if your mobile application profile is called "MobileDemo", the internet application profile should also be called "MobileDemo".
Create the Internet (Social) Application profile
Navigate to Mobile and Social, click on "Internet Identity Services" and create a new application profile:
Set the following parameters for the new application profile.
Setting: Description
Name: The application name. This must match the name of the mobile application profile created for your application under Mobile Services. We use MobileDemo for this example.
Shared Secret: A password used as an encryption key between the application and OAMMS. This does not need to match any existing passwords.
Return URL: See below.
Mobile Application Return URL: After the Relying Party (social) login, the OAMMS server will redirect to the Android application using this URI. This URI will be registered with Android and associated with an Intent that is mapped to our sample application. This allows our sample application (and the linked SDK) to handle the post-login authentication process. Use osa:// for this lab. If you look inside your application's AndroidManifest.xml file you will see this URI mapped to an activity that invokes the SDK.
Login Type: Choose to allow local login as well as Social login.
Enable browser popups: Select yes to allow a new browser instance to pop up for the login page.
User Registration: For our demo we assume the account is already registered. If you wish to allow user registration, enable this feature.
Authentication Service Endpoint: Make sure that /internetidentityauthentication is selected.
Application to Provider Mapping: Select the social login providers that you wish to enable. For the lab select Google. You can choose others here (e.g. Facebook) but you must register for a developer API key.
Save the new profile.
Create the Service Domain for Social Login
Navigate to Mobile Services. Click on New to create a new service domain.
In this example we call the domain "SocialDomain". The type should be Mobile Application and the application credential type User Token.
At this point we will not use a security post processor (leave this blank for now). Add the application "MobileDemo" to the domain. Advance to the next page of the wizard.
Select the Service profiles as shown below. Take care that the Authentication service is set to InternetIdentityAuthentication.
Set the protection for the Profile and Authorization services as shown below:
Finish the creation of the service domain.
Modify the InternetIdentityAuthentication provider to use OVD
The out-of-the-box configuration for the InternetIdentityAuthentication provider uses the embedded LDAP store.
Under MobileServices, select and edit the provider and set the directory to OVD as shown below. This directory connection has been previously configured for you: