Monday 15 December 2014

FIM 2010: Eliminating equal precedence

Intro

Precedence can be tricky in certain scenarios. Imagine you want to make FIM master for a given attribute, but you need an initial flow from another data source. A good example is the LDAP distinguished name. If you have a rule that builds the DN automatically based on a base DN and one or more attribute values, the object is provisioned with the correct DN on export. But when you want to visualize this DN in the FIM portal, you need to be able to flow it back. If FIM is master over the distinguished name attribute, this flow will be skipped as "Not precedent".

So you have to consider the option of using equal precedence, since manual precedence is not possible in combination with the FIM MA. But equal precedence is dependent on the synchronization cycle order: "the last one to write the attribute wins". Therefore it is not an option if FIM needs to be the absolute master of the DN attribute and you want to make sure that it always has the value you expect it to have.

Wednesday 3 December 2014

FIM on Azure

While deploying your Forefront Identity Manager labs in your own local virtual environment is convenient, it does consume a lot of your precious disk drive space and there is no questioning the impact of hardware failure. So why not move your virtualization layer to the cloud and let Azure take care of the storage, networking and compute infrastructure for you? This post will go over the steps we took in order to successfully automate the deployment of our FIM lab environments on the Microsoft Azure platform.

Azure infrastructure fundamentals

In order to create domain joined environments in Azure, there are four components we need:

1. An affinity group
Having our resources deployed in the same region (data center) is a fair option, but there is no certainty these resources are also located in the same cluster within that data center. Using affinity groups, we can define a container in which all our virtual machines are physically placed close together. This improves latency, performance and thereby cost.
2. A cloud service
This component is responsible for hosting our virtual machines. It gets assigned a public IP address, making it possible for you to connect to your environment from any location using your own defined endpoints.
3. A virtual network
In a domain-joined setup, your machines must be able to talk to each other. Using a VPN, we make sure VMs are deployed in the same IP range. These VMs can be assigned a static internal IP address, which makes it possible to define your domain controller as the DNS server for the virtual network.
4. A storage container
Each deployment gets its own container to host its virtual hard disks (VHDs) under a storage account which is linked to the subscription of the deployment's cloud service.


Wednesday 19 November 2014

FIM 2010: Event driven scheduling

Intro

In a previous post I described how I implemented a windows service for scheduling Forefront Identity Manager.

Since then, my colleagues and I have used it in every FIM project. For one project I was asked if it was possible to trigger the synchronization "on demand". A specific trigger for a synchronization cycle was, for example, the creation of a user in the FIM portal. After some brainstorming and Googling, we came up with a solution.

Trigger

We asked ourselves the following question: "Is it possible to send a signal to our existing Windows service to start a synchronization cycle?". All the functionality for scheduling was already there, so it seemed reasonable to investigate and explore this option. As it turns out, it is possible to send a signal to a Windows service and the implementation turned out to be very simple (and simple is good, right?).

Friday 5 September 2014

Setting up Oracle Access Portal Service

While setting up Oracle Access Portal Service I ran into some issues, and came up with the following workarounds.

Issue #1 – Configuring Web Application Templates


Although not very clear, the documentation states that one must use the ESSO LM Administration console to configure web application templates and then either publish them directly to the LDAP repository, or export them from the ESSO LM Admin Console and import them back through the OAM Administration console.

None of these methods work! Once the application is published to the LDAP and you access it from the OAM admin console, the application is listed but if you try to access it the only thing that you will get is ADF exceptions. As for the export/import method, when you try to import the file from the OAM admin console, nothing happens, not even an ADF exception.

With this scenario the way to configure applications is to use the ESSO LM Admin Console to configure a Web Application, then create a new application in the OAM Admin Console, replicating the application settings defined in the ESSO LM Admin Console.

Issue #2 – Oracle Traffic Director Webgate


Oracle Access Portal Service works by injecting a JavaScript resource (columbiaWeb.js) into HTML pages, which then calls methods located in /idaas.
The requests made by columbiaWeb.js to the /idaas resources were coming back with HTTP error 405 - method not allowed. The HTTP method used to request these resources is GET, and included in the response was a list of allowed methods which included every HTTP method except for GET.

While investigating this issue I found that the Webgate has some hardcoded directives regarding /idaas.
I realized this by executing the command:

        strings /WebGate_HOME/webgate/iplanet/lib/esso_webproxy.so | grep idaas

This command yields the following output:
/idaas/am/esso/v1/userwallet/credentials?ESSO_Payload_Request=
/idaas/am/esso/v1/app/policies?ESSO_Payload_Request=
/idaas/am/esso/v1/userwallet/credentials


I tried many different approaches to solve this issue with the OTD webgate, including commenting the entry in the Oracle Traffic Director instance instance-obj.conf configuration file that pointed to the /idaas resource and getting the resource from OAM Server through other means, but was unsuccessful.

Eventually the solution I came up with is to use Apache HTTP Server instead of Oracle Traffic Director.

I installed and configured mod_weblogic in Apache so that I could map /idaas resources to the OAM Server and then copied OTD's columbiaWeb.js to the Apache Webgate folder /Webgate_HOME/webgate/apache/oamsso/global/.

I added the following entries to Apache's configuration files where needed, to inject columbiaWeb.js:

AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|</head>|<script type='text/javascript' id='OracleSSOProxy' essoLoggingLevel='0' src='/oamsso/columbiaWeb.js' oam_partner='Webgate_IDM_11g' essobasepath='http://oap.oam.demo' essoProxyType='DNS' essoConsoleLoggingLevel='0'></script></head>|i"

I added this entry to webgate.conf:

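# LocationMatch takes a regular expression, not a glob: anchor it so that only
# paths under /idaas/ are exempted from authentication.
<LocationMatch "^/idaas/">
Satisfy any
</LocationMatch>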

This last entry unprotects the /idaas resource; not doing so will result in an empty JSON response and the following entry in the OAM server log: <ESSOTokenManager object is null. Session could not created and hence use-case can not move ahead. Returning the empty response back.>
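
LocationMatch treats its argument as an unanchored regular expression, so a glob-style pattern such as "/idaas/*" exempts more than the /idaas/ tree from authentication. The check below is an added example, not part of the original post; the sample paths are constructed, and JavaScript's RegExp is assumed to behave like Apache's regex engine for patterns this simple.

```javascript
// Which request paths would a LocationMatch pattern combined with
// "Satisfy any" leave unprotected? Apache applies the pattern as an
// unanchored regex to the URL path.

// Constructed sample paths (not taken from a real deployment).
const samplePaths = [
  "/idaas/am/esso/v1/userwallet/credentials", // intended target
  "/idaas/am/esso/v1/app/policies",           // intended target
  "/hr/idaas/report",                         // other app, contains "/idaas"
  "/idaas-admin/console",                     // other resource, same prefix
  "/oamsso/columbiaWeb.js",                   // unrelated
];

// Paths the given pattern matches, i.e. the ones exempted from protection.
function exemptedPaths(pattern, paths) {
  const re = new RegExp(pattern);
  return paths.filter((p) => re.test(p));
}

// Paths exempted by `loose` but not by `strict`: the unintended exposure.
function overMatch(loose, strict, paths) {
  const intended = new Set(exemptedPaths(strict, paths));
  return exemptedPaths(loose, paths).filter((p) => !intended.has(p));
}

const unanchored = "/idaas/*"; // "/idaas" followed by zero or more "/"
const anchored = "^/idaas/";   // only paths that start with "/idaas/"

console.log("unanchored:", exemptedPaths(unanchored, samplePaths));
console.log("anchored  :", exemptedPaths(anchored, samplePaths));
console.log("extra     :", overMatch(unanchored, anchored, samplePaths));
```

Running the same comparison against the real URL inventory of the protected applications shows whether any of them would be exposed by the looser pattern.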

Issue #3 – Dealing With Iframes


While configuring Gmail I realized that columbiaWeb.js was not handling iframes correctly, so I created a new JavaScript file based on columbiaWeb.js and, after this entry:

        var validFrames = this.getFrames();
        if (validFrames[0] === null) {
            if (global.oracleESSO.globals.logger.enabled(5)) global.oracleESSO.globals.logger.debug("matchTemplates end; No valid frames.");
            return 0;
        }

I added this piece of code so that it would ignore iframes:

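        // Keep only the top-level window; drop every iframe.
        var validFramesTmp = [];
        for (var i = 0; i < validFrames.length; i++) {
            if (validFrames[i] === window) {
                // push() keeps the array dense; assigning by index would
                // leave undefined holes where iframes were skipped.
                validFramesTmp.push(validFrames[i]);
            }
        }
        validFrames = validFramesTmp;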


This separate JavaScript file was created because I don't know the impact of this workaround in other configurations.

Unsolved Issues


While adding other forms to the configuration, for example a password change form, I get the following JavaScript error in every form: global.oracleESSO.templateData.templates[matchedSections[0][prop].ParentKey1] is undefined
The fields get highlighted but there is no credential insertion. Hopefully this and other issues will be fixed in a future release.

Friday 20 June 2014

SQL Query for the FIM2010 admin account

Recently, I came across a FIM2010 deployment that wasn't very well documented. My task was to review the deployment but how could I get admin access to the FIM Portal if I didn't know which account to use? The answer is in the FIMService database and this query will get it for you:

  SELECT Distinct a.AttributeName,p.[ValueString]
  FROM [FIMService].[fim].[ObjectValueString] as p JOIN [FIMService].[fim].[Objects] as o ON p.ObjectKey = o.ObjectKey
  JOIN [FIMService].[fim].[BindingInternal] as a on p.AttributeKey = a.AttributeKey
  Where o.ObjectID ='7fb2b853-24f0-4498-9534-4e10589723c4'

After resetting the password of the account, I could proceed with my review. Hope this helps.

Friday 16 May 2014

Congratulations for iWelcome

Congratulations are in order for our Dutch colleagues of iWelcome for winning the Best Cloud Security Project European Identity Cloud Awards 2014 (that's a mouthful). The press release is posted here.