[Shib-Users] Shib, Federation, Oracle, and PeopleSoft


Steven_...@brown.edu

Jul 10, 2009, 3:25:02 PM
to shibbole...@internet2.edu
There has been some recent traffic on the InCommon-participants email
list asking about interoperation between Shibboleth/SAML and Oracle
products (including various Oracle branded products, as well as
PeopleSoft branded products).

Here's some relevant information from trusted sources within Oracle.
I thought this information would also be of interest to this list.

If you have specific questions related to your site, please feel free
to contact Sophia Maler <SOPHIA...@oracle.com> (PM for Oracle
Identity Federation).

If the group would like to discuss this information, develop a
consensus, and take that consensus back to my sources in Oracle,
please use this email list.

Lastly, a big thank you to my sources; I think they've helped
immensely in clearing away some of the fog.

A1 - Current Oracle View on Federation
Oracle has had a Federation product for several years (it was one of
the first products acquired). And we have been leading many
Federation related interops via Project Liberty and now Project
Kantara. This includes demonstrated inter-op with both Information
Cards and OpenID. We haven't focused as much on Shibboleth because
now that Shibboleth 2.0 is SAML 2.0 compliant - it should just work.

Second - not all applications yet integrate with our Oracle Platform
Security Services (OPSS) which is one of the key components of Fusion
Middleware 11g. However, most (if not all) of Oracle applications are
in process of leveraging this framework. And one of the benefits of
this is that they should be able to at least accept basic SAML
assertions for authentication.

Note that Oracle Weblogic server supports SAML authentication. Here
is a good blog on setting it up:
http://biemond.blogspot.com/2009/05/sso-with-weblogic-103-and-saml.html

(info from stc -- Another alternative -- I've received a ppt deck
presented at a recent meeting in Spain describing some work allowing
SAML enabled access to Oracle Application Server. I'll make the ppt
(text in Spanish; useful diagrams) and an English translation done
here at Brown available soon.)

A2 - PeopleSoft Integration

The focus of Oracle's SSO strategy is Oracle Access Manager. And most
customers who have deployed PeopleSoft and wish to have web-based SSO
are deploying OAM or one of its more common competitors (CA
SiteMinder, IBM TAM) all of which have connectors to provide SSO to
PeopleSoft. Currently OAM does not support native SAML authentication
and instead defers to OIF since initially we expected Federation to
be the more traditional between organizations. However, in the future
we are considering having a single SSO platform that will reduce the
need for a separate federation product.

So for institutions who want to use Shibboleth to SSO into PeopleSoft
the Oracle tested and supported mechanism is to use OIF+OAM. While
that is a rather large footprint for just PeopleSoft there might be
things within these products that could help get around missing
features in their current Shibboleth deployments.

And there is another alternative which apparently some institutions
are doing - which is to either use the Shibboleth Java libraries or
Apache proxy to use the PeopleSoft SSO integration API (what OAM and
everyone else uses) to write custom integration. Based on my
discussion with my PeopleSoft contact - it sounded like this has been
relatively common - so maybe someone needs to share what they have
done :). While the actual Shib code wouldn't be supported - the
PeopleSoft API is supported.

PSFT documentation:
http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/index.htm
- search on "Single Signon" - there's an entire section.

The PeopleSoft team has not yet announced any plans to support
SAML-based user authentication (though as I mentioned above we may be
able to come up with a smaller footprint solution in the future than
requiring OAM+OIF). The only currently planned support for SAML is a
future release for PeopleSoft's Web Service APIs.
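To make the "Apache proxy" route in A2 concrete, here is an added example of what such a front end can look like. It is not code from the original post, from Oracle, or from the Shibboleth project. It assumes the Shibboleth SP (mod_shib) plus mod_proxy and mod_headers are loaded on the Apache host, that the PeopleSoft PIA web server is reachable at the placeholder address psweb.example.edu:8000, that the site's signon PeopleCode reads the user id from a request header named X-PS-SSO-USER (a placeholder; use whatever name your signon code expects), and that the SP's attribute-map.xml exports eduPersonPrincipalName under the default id "eppn".

```apache
# Added example (not from the original post). Placeholders: the backend
# host/port, the header name X-PS-SSO-USER, and the attribute id "eppn".

<Location /psp>
    # Require a valid Shibboleth session before anything is proxied.
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    # Drop any identity header the browser may have sent, then set it
    # from the SP-verified attribute so only the proxy can assert a user.
    RequestHeader unset X-PS-SSO-USER
    RequestHeader set X-PS-SSO-USER "%{eppn}e"

    # Hand the request to PeopleSoft's PIA web server.
    ProxyPass        http://psweb.example.edu:8000/psp
    ProxyPassReverse http://psweb.example.edu:8000/psp
</Location>
```

The unset-then-set pair is the part that matters for security: signon PeopleCode that trusts a header cannot tell who put it there, so the proxy must be the only party able to set it. For the same reason the PIA web server should accept connections only from this proxy host (firewall or WebLogic network channel restriction), since anyone who can reach it directly could supply the header themselves.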

Scott Cantor

Jul 10, 2009, 4:52:21 PM
to shibbole...@internet2.edu
> If the group would like to discuss this information, develop a
> consensus, and take that consensus back to my sources in Oracle,
> please use this email list.

I just have a couple of additions/comments. Personally, I would also suggest
that this sort of stuff belongs in a wiki.

> Second - not all applications yet integrate with our Oracle Platform
> Security Services (OPSS) which is one of the key components of Fusion
> Middleware 11g. However, most (if not all) of Oracle applications are
> in process of leveraging this framework. And one of the benefits of
> this is that they should be able to at least accept basic SAML
> assertions for authentication.

This is not first-hand, but I was told by our PS folks that Fusion was
pretty well dead with the purchase of BEA, so I'm not sure what this means.
I suppose in terms of Oracle's response, I'd like to know if they plan to
leverage it within PS or not.

> Note that Oracle Weblogic server supports SAML authentication.

Yes, but I would note that the version they currently support for use with
PS is NOT the version with SAML 2 support, but only SAML 1 support.
Presumably that will change eventually.

There's also this:
http://www.oracle.com/technology/pub/articles/dev2arch/2007/02/saml-iis.html

> (info from stc -- Another alternative -- I've received a ppt deck
> presented at a recent meeting in Spain describing some work allowing
> SAML enabled access to Oracle Application Server. I'll make the ppt
> (text in spanish; useful diagrams) and an english translation done
> here at Brown available soon. )

I've noted several times on the list that the SP works fine with OAS.
There's no special work involved in setting it up.

> And there is another alternative which apparently some institutions
> are doing - which is to either use the Shibboleth Java libraries or

Can we please nip this in the bud? All we need is more people claiming to be
using a Shibboleth SP in Java...

> Apache proxy to use the PeopleSoft SSO integration API (what OAM and
> everyone else uses ) to write custom integration. Based on my
> discussion with my PeopleSoft contact - it sounded like this has been
> relatively common - so maybe someone needs to share what they have
> done :).

I have with any number of people, but I would note that PS's signon API
seems to have a bug in it that's causing truncation of headers passed from
OAS to it, and that's currently severely compromising our ability to make it
reliable with the SP. We're currently investigating. It's not killing us,
but it's a problem.

-- Scott


Gary Windham

Jul 10, 2009, 5:09:27 PM
to shibbole...@internet2.edu

On Jul 10, 2009, at 1:52 PM, Scott Cantor wrote:

>> If the group would like to discuss this information, develop a
>> consensus, and take that consensus back to my sources in Oracle,
>> please use this email list.
>
> I just have a couple of additions/comments. Personally, I would also
> suggest
> that this sort of stuff belongs in a wiki.
>
>> Second - not all applications yet integrate with our Oracle Platform
>> Security Services (OPSS) which is one of the key components of Fusion
>> Middleware 11g. However, most (if not all) of Oracle applications are
>> in process of leveraging this framework. And one of the benefits of
>> this is that they should be able to at least accept basic SAML
>> assertions for authentication.
>
> This is not first-hand, but I was told by our PS folks that Fusion was
> pretty well dead with the purchase of BEA, so I'm not sure what this
> means.
> I suppose in terms of Oracle's response, I'd like to know if they
> plan to
> leverage it within PS or not.

"Fusion" is an Oracle marketing phrase that's been applied to a lot of
things--from middleware to "next generation" apps. Fusion Middleware,
specifically, refers to the synthesis Oracle is attempting to engineer
between their legacy middleware products and many of the third-party
acquisitions they've made over the last couple of years (e.g., BEA
WebLogic/AquaLogic, Tangosol Coherence, etc). I attended a PeopleSoft
Campus Solutions webinar the other day, in which they were discussing
future plans, and continued migration towards Fusion middleware
integration was mentioned a couple of times.

Thanks,
--Gary

--
Gary Windham
Senior Enterprise Systems Architect
The University of Arizona, UITS
+1 520 626 5981
