Tuesday 16 April 2024

IDCS - Identity Federation with Azure and Google (SAML IDP & Social IDP)

 


Collect IDCS Metadata

  • Enable the "Access Signing Certificate" option so that the IDCS metadata and signing certificate can be fetched without logging in: Default Domain Settings -> select "Access Signing Certificate".
  • Use the following IDCS URL to get the metadata:
    • https://idcs-abcsdefghijkl1f.identity.oraclecloud.com/fed/v1/metadata
  • Save the XML response as the IDCS metadata file.

Azure
  • Log in to Azure and select Azure Active Directory.
  • Select Enterprise Applications in the left menu.
  • Select New application.
  • Search for Oracle as the cloud provider.
  • Select the OCI Console option with the SSO logo.
  • Provide a unique name and click Create.
  • This creates an Azure AD application.
  • SSO setup
    • Select Single sign-on under the application created above.
    • Select SAML as the single sign-on method.
    • Use the Upload metadata file option to upload the IDCS metadata downloaded above.
    • Provide the IDCS sign-on URL - https://idcs-abcsdefghijkl1f.identity.oraclecloud.com/ui/v1/myconsole
    • Save the configuration.
    • Download the Federation Metadata XML (Azure) from the SAML Signing Certificate section.
    • Under the Users and groups menu on the left, assign the users and groups that are allowed to use this application.
IDCS - Set up the IdP - IDCS Console -> Security -> Identity Providers.
  • Select Add SAML IDP.
  • Provide a name - Azure IDP.
  • Click Next and upload the Azure metadata downloaded above.
  • Click Next and select the mapping options as required. Example: NameID as the Username, of type Email Address.
    • The value the IdP sends in NameID is what IDCS uses to match the federated login to a local user, so it must be an attribute that Azure controls and that is unique per user.
  • Click Next and test the configuration using the Test option.
  • Click Finish to complete the setup.
  • Activate the IdP.
  • Note:
    • Go to the IDCS user page and mark the user as Federated.
      • This allows the user to log in with both IDCS and Azure credentials.
IDCS - Update the IdP Policy:
  • Update the IdP policy to add the IdP created above for authentication.
  • Select the Default Identity Provider Policy.
  • Select the Identity Provider Rules tab.
  • Edit the existing rule and add the IdP created above (Azure IDP).
  • Save all changes, log out and test the IDCS login.
  • Use the Azure IDP option on the IDCS login page to log in with Azure credentials.

Note: All the IDCS steps above can also be performed from the OCI Console: under Identity & Security, go to Domains, create a new identity domain and perform the above activities under that domain.


Google:
  • Log in to the GCP console.
  • Select the GCP project.
  • Select APIs & Services in the left menu.
  • Select Credentials.
  • Note: We will be creating an OAuth 2.0 client ID.
    • Select the Create Credentials option at the top.
    • Select the OAuth client ID option (this is the client for the IDCS app).
    • Select Web application as the type.
    • Add the IDCS authorized redirect URI - https://idcs-abcsdefghijkl1f.identity.oraclecloud.com/oauth2/v1/social/callback
      • Google matches redirect URIs exactly, so scheme, host and path must be identical to what IDCS sends.
    • Select Create.
    • This generates the client ID and client secret.
      • Copy the ID and secret. The secret is a credential; keep it in a secret store, not in notes.
  • IDCS - Set up the IdP - Add Social IDP
    • Select the Social IDP option.
    • Select Google as the type.
    • Provide a name - GOOGLE_IDP
    • Select Next.
    • Provide the client ID and secret copied above.
    • Select Finish.
    • Activate the IdP.
  • Update the IdP policies.
    • Add the IdP created above to the default policy rule.

 


    Sunday 4 June 2023

    Docker - Container Cheat Sheet

    Basic and advanced Docker commands for reference. Use them as a cheat sheet.

    • Commands to install Docker on Linux

    curl -fsSL https://get.docker.com -o get-docker.sh
    sudo sh get-docker.sh

    Read get-docker.sh before running it: it runs as root and adds package repositories to the host.

    • Commands to start the Docker daemon

    sudo service --status-all
    sudo service docker start

    • Command to pull a Docker image from Docker Hub - https://hub.docker.com/

    docker pull image_name:version
    version: defaults to latest if omitted. Pin a version for anything that matters, because latest changes between pulls.

    docker pull mysql

    • Command to pull (if not already present) and run an image as a container

    docker run image_name
    docker run mysql

    docker run -d image_name                     ==> Run the container in the background (detached).
    docker run -d --name webapp_vk image_name    ==> Assign a name to the container.
    docker run -d image_name command             ==> Override the image's CMD; if the image defines an ENTRYPOINT, the command is appended to it as arguments.

    • Commands to list containers
    docker ps      ==> List the running containers.
    docker ps -a   ==> List both running and stopped containers.

    • Command to list the images present on the host
    docker images  ==> List all images.
    • Command to stop a container
    docker stop container_id_or_name
    • Command to remove a container
    docker rm container_id  ==> The container must be stopped first.
    • Command to delete an image
    docker rmi image_id   ==> The first few characters of the ID are enough if they are unique.

    • Command to run a Unix command in a fresh container
    docker run ubuntu cat /etc/*release*  ==> Pulls the ubuntu image if needed, starts a container and runs the command in it.

    • Command to execute a command in a running container
    docker exec container_id cat /etc/*release*

    • Commands to build a Docker image
    docker build .   ==> The Dockerfile must be in the directory the command is run from; "." is the build context.
    docker build -f Dockerfile -t vijaya/image_name .   ==> Give the image a name/tag; the trailing "." is still the build context.

    • Commands to push the image to Docker Hub
    Before pushing, log in:
    docker login  ==> Prompts for Docker Hub credentials. After a successful login:
    docker push vijaya/image_name  ==> Push the image to Docker Hub.

    • Command to pass environment variables
    docker run -d -e ENV_VARIABLE_NAME=VALUE --name vijaya_container image_name  ==> Sets the variable inside the container.
    Values passed with -e end up in shell history and in "docker inspect" output, so pass secrets through a file or a secret store instead.

    • Command for port mapping, to reach the application through the Docker host IP
    docker run -d -p host_port:container_port image_name
    docker run -d -p 8306:3306 mysql
    -p 8306:3306 listens on every interface of the host; use -p 127.0.0.1:8306:3306 to keep the port local to the host.
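The three habits in the commands above that a reviewer looks for (a port published on all interfaces, a secret passed with -e, and an untagged image that silently resolves to latest) are easy to check mechanically. The script below is an added example, not code from the original cheat sheet or from Docker: it parses `docker run` command lines and reports those findings without executing anything. The command lines at the bottom are constructed inputs; the second one uses the `_FILE` environment convention of the official mysql image to read the root password from a mounted file instead of the command line.

```python
# Added example, not part of the original cheat sheet: a reviewer's checker for
# `docker run` command lines. It only inspects argv; it never runs docker.
import shlex

# flags that take a separate value and are not inspected here
VALUE_FLAGS = {"--name", "-v", "--volume", "--network", "-u", "--user", "-w", "--workdir",
               "--entrypoint", "--restart", "-h", "--hostname"}
SECRET_WORDS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def lint_docker_run(cmdline):
    """Return a list of findings (empty list means nothing to flag) for one command line."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["docker", "run"]:
        return ["not a `docker run` command"]
    findings = []
    image = None
    i = 2
    while i < len(argv):
        a = argv[i]
        if a in ("-p", "--publish"):
            i += 1
            spec = argv[i]
            # The host side is everything before the last ':'. Without an IP it binds 0.0.0.0.
            host_part = spec.rsplit(":", 1)[0]
            if ":" not in host_part:
                findings.append("-p %s: published on all interfaces; prefix a host IP such as 127.0.0.1:" % spec)
        elif a in ("-e", "--env"):
            i += 1
            name, _, value = argv[i].partition("=")
            looks_secret = any(w in name.upper() for w in SECRET_WORDS)
            # NAME_FILE=/path points at a mounted file (the official mysql image supports this), which is fine.
            if value and looks_secret and not name.upper().endswith("_FILE"):
                findings.append("-e %s: secret on the command line; visible in shell history, ps and docker inspect" % name)
        elif a == "--privileged":
            findings.append("--privileged: the container gets every capability and device on the host")
        elif a.startswith("-"):
            if a in VALUE_FLAGS:
                i += 1
        else:
            image = a          # first non-flag argument is the image; the rest is the command
            break
        i += 1
    if image is None:
        findings.append("no image given")
    elif ":" not in image.split("/")[-1]:
        findings.append("image %s: no tag, resolves to :latest and changes silently between pulls" % image)
    return findings


# Constructed command lines: the cheat-sheet form, and a tightened form of the same container.
SAMPLE_COMMANDS = [
    "docker run -d -p 8306:3306 -e MYSQL_ROOT_PASSWORD=hunter2 mysql",
    "docker run -d --name mysql_local -p 127.0.0.1:8306:3306 "
    "-v /srv/secrets/mysql_root:/run/secrets/mysql_root:ro "
    "-e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root mysql:8.0",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd)
        for f in lint_docker_run(cmd) or ["ok"]:
            print("  -", f)
```

The checker is deliberately narrow: it knows only the flags it needs to skip over, so a command line using other value-taking flags may mis-identify the image. Extend VALUE_FLAGS rather than loosening the checks.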



    Saturday 3 June 2023

    OPENSSL Commands

     Command to get the certificate chain presented by a server.

        openssl s_client -showcerts -servername host -connect ip:port </dev/null

     -servername sends the SNI name; without it a server that hosts several names may return a different (default) certificate. Redirecting stdin from /dev/null closes the connection once the handshake output has been printed.

    Command to import a certificate into a custom truststore.

    keytool -importcert -alias alias_name -file certificate.cer -storetype JKS -keystore CustomTrustStore

    Prefer importing the CA certificate that issued the server certificate rather than the leaf, so the trust survives certificate renewal, and compare the fingerprint keytool prints before answering "yes".
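The `-showcerts` output above contains every certificate of the chain as a PEM block, preceded by a line giving its subject and issuer. To import one of them with keytool it has to be in its own file. The script below is an added example (not code from the original post or from OpenSSL): it splits s_client output into the individual certificates, in the order the server sent them, and lists the subject/issuer pairs so the right one can be chosen. The s_client output at the bottom is constructed for the example; its base64 bodies are placeholders, not real certificates.

```python
# Added example, not part of the original post: split `openssl s_client -showcerts`
# output into the individual certificates of the chain.
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S
)


def split_chain(s_client_output):
    """Return every PEM certificate block, in the order the server presented them."""
    return [m.group(0) for m in PEM_BLOCK.finditer(s_client_output)]


def chain_subjects(s_client_output):
    """Return (subject, issuer) pairs from the ' N s:...' / '   i:...' lines that
    precede each block. Works with both the 'CN = x' and the '/CN=x' styles."""
    pairs = []
    subject = None
    for line in s_client_output.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)", line)
        if m and subject is not None:
            pairs.append((subject, m.group(1).strip()))
            subject = None
    return pairs


def write_chain(s_client_output, prefix):
    """Write each certificate to <prefix>-N.pem and return the paths."""
    paths = []
    for n, pem in enumerate(split_chain(s_client_output), 1):
        path = "%s-%d.pem" % (prefix, n)
        with open(path, "w") as fh:
            fh.write(pem + "\n")
        paths.append(path)
    return paths


# Constructed s_client output for the example (placeholder bodies, not real certificates).
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
Certificate chain
 0 s:CN = idcs.example.test
   i:C = XX, O = Example CA, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertificateBody0
-----END CERTIFICATE-----
 1 s:C = XX, O = Example CA, CN = Example Issuing CA
   i:C = XX, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderIssuingCaBody000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = idcs.example.test
issuer=C = XX, O = Example CA, CN = Example Issuing CA
---
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_S_CLIENT_OUTPUT
    for n, (subj, issuer) in enumerate(chain_subjects(text), 1):
        print("%d: subject=%s\n   issuer=%s" % (n, subj, issuer))
    print(write_chain(text, "chain"))
```

Usage: `openssl s_client -showcerts -servername host -connect host:443 </dev/null 2>/dev/null | python split_chain.py`. Servers usually send the leaf first and omit the root, so the last file is normally the issuing CA; that is the one to hand to `keytool -importcert`, after checking its fingerprint against an out-of-band source.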

    Monday 3 April 2023

    SOA Integration with IDCS

    • SCIM - System for Cross-Domain Identity Management
      • A standard REST API for provisioning and managing identities across domains.
      • Supported by most identity providers.
    • SOA roles are mapped to IDCS groups.
    • Federated SSO is set up between IDCS and SOA through SAML.

    High-level steps.
    • Create IDCS groups for SOA.
    • Create a confidential application in IDCS.
      • Register it as a client.
      • Select the client type as Confidential.
      • Allow the following grant types:
        • Client Credentials
        • JWT Assertion
        • Refresh Token
        • SAML2 Assertion
      • Granted roles:
        • Identity Domain Administrator
        • Cloud Gate
      • Assign the SOA groups to this application.
      • The client secret of this application now carries domain-administrator rights; store it in a secret store and rotate it if it is ever exposed.
    • Configure the identity provider in the SOA WebLogic console.
      • WebLogic console
      • Security Realms
      • myrealm
      • Providers
        • Select New
        • Name - IDCS Provider
        • Type - OracleIdentityCloudIntegrator
        • Click OK
        • Open the IDCS provider
          • Common
            • Control Flag - SUFFICIENT: if IDCS authenticates the user, the remaining providers are not consulted; if it does not, the next provider in the list is tried.
            • Active Types
              • Authorization
              • REMOTE_USER
          • Provider Specific:
            • Provide the IDCS details:
              • Host
              • Port - 443
              • SSL - Enabled
              • IDCS Tenant Name
              • Client ID
              • Client Secret
              • Save
        • Reorder the providers so that the IDCS provider is checked first, followed by the default providers.
        • Select DefaultAuthenticator
          • Common
          • Control Flag - SUFFICIENT
          • Save
      • Activate the changes.
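The ordering and control flags above decide who can still log in, and the console gives no feedback on that until someone is locked out. WebLogic combines its authentication providers with the standard JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL). The model below is an added example, not code from the original post or from WebLogic: it applies those rules to an ordered provider list and reports whether the login succeeds and which providers were consulted. The provider names and the per-user outcomes are constructed inputs; use it to try a change of flags or order before making it in the console.

```python
# Added example, not part of the original post: a model of how WebLogic's JAAS
# control flags combine the results of the authentication providers above.
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must succeed; the chain continues either way
    REQUISITE = "REQUISITE"    # must succeed; failure stops the chain at once
    SUFFICIENT = "SUFFICIENT"  # success ends the chain (if no earlier REQUIRED/REQUISITE failed)
    OPTIONAL = "OPTIONAL"      # result only matters when nothing REQUIRED/REQUISITE is configured


def evaluate_chain(providers, outcomes):
    """providers: ordered list of (name, Flag).
    outcomes: dict name -> bool, whether that provider would authenticate the user.
    Returns (login_succeeded, names_of_providers_consulted)."""
    consulted = []
    required_seen = False
    required_ok = True
    other_ok = False
    for name, flag in providers:
        consulted.append(name)
        ok = outcomes.get(name, False)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_ok = False
                if flag is Flag.REQUISITE:
                    return False, consulted
        elif flag is Flag.SUFFICIENT:
            if ok and required_ok:
                return True, consulted      # later providers are skipped
            other_ok = other_ok or ok
        else:
            other_ok = other_ok or ok
    if required_seen:
        return required_ok, consulted
    return other_ok, consulted


# The configuration the post arrives at: IDCS first, both SUFFICIENT.
PAGE_CONFIG = [("IDCS Provider", Flag.SUFFICIENT), ("DefaultAuthenticator", Flag.SUFFICIENT)]
# A common mistake: providers left in the original order with the default one REQUIRED.
UNORDERED_REQUIRED = [("DefaultAuthenticator", Flag.REQUIRED), ("IDCS Provider", Flag.SUFFICIENT)]

# Constructed users: one known only to IDCS, one local WebLogic admin.
IDCS_ONLY_USER = {"IDCS Provider": True, "DefaultAuthenticator": False}
LOCAL_ADMIN = {"IDCS Provider": False, "DefaultAuthenticator": True}

if __name__ == "__main__":
    for label, chain in (("page config", PAGE_CONFIG), ("default REQUIRED first", UNORDERED_REQUIRED)):
        for who, outcome in (("idcs user", IDCS_ONLY_USER), ("local admin", LOCAL_ADMIN)):
            print(label, who, evaluate_chain(chain, outcome))
```

With the post's configuration an IDCS user is accepted after the first provider and a local admin still gets in through DefaultAuthenticator; with DefaultAuthenticator left first and REQUIRED, IDCS-only users are refused even though the IDCS provider says yes.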
    • Import the IDCS certificates into the trust store.
      • Get the IDCS certificate chain from the IDCS host, for example by opening the following URL in a browser and exporting the chain, or with the openssl s_client command from the OpenSSL post above:
        • https://$IDCS_HOST_PORT/ui/v1/adminconsole
      • Import the certificates into the system trust store using the EM console.
      • Add the following property to setDomainEnv.sh so that wildcard certificates are accepted by hostname verification (the class name is case-sensitive):
        • -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier
    • Manual OPSS configuration.
      • Edit the following file in the domain directory:
        • config/fmwconfig/jps-config.xml
        • Under jpsContexts, search for the serviceInstanceRef to idstore.ldap and change it to idstore.scim. Leave the serviceInstance definitions alone, and back the file up first.
        • Create the IDCS property file and run the script as described in Oracle Doc ID 2916662.2 (linked below).
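The jps-config.xml edit above is a one-word change in a large file, and the same string appears both where the LDAP store is defined (under serviceInstances) and where the default context refers to it (under jpsContexts); only the reference should move. The script below is an added example (not code from the original post or from Oracle): it re-points the reference inside jpsContexts only, refuses to run if the target serviceInstance is not defined, and reports how many references it changed. The XML at the bottom is a constructed, minimal jps-config.xml with the layout of the real file, which is much larger.

```python
# Added example, not part of the original post: switch the identity-store reference
# in jps-config.xml from idstore.ldap to idstore.scim, touching only <jpsContexts>.
import xml.etree.ElementTree as ET

NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
ET.register_namespace("", NS)   # keep the default namespace on output instead of ns0:


def q(tag):
    """Qualify a tag name with the jps-config namespace."""
    return "{%s}%s" % (NS, tag)


def switch_idstore(xml_text, old="idstore.ldap", new="idstore.scim"):
    """Return (new_xml_text, number_of_references_changed).
    Raises ValueError if `new` is not defined as a serviceInstance."""
    root = ET.fromstring(xml_text)
    instances = {si.get("name") for si in root.iter(q("serviceInstance"))}
    if new not in instances:
        raise ValueError("%s is not defined under <serviceInstances>; add it before re-pointing the context" % new)
    changed = 0
    for contexts in root.iter(q("jpsContexts")):
        for ref in contexts.iter(q("serviceInstanceRef")):
            if ref.get("ref") == old:
                ref.set("ref", new)
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


# Constructed, minimal jps-config.xml for the example.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.type" value="OID"/>
    </serviceInstance>
    <serviceInstance name="idstore.scim" provider="idstore.scim.provider">
      <property name="idstore.type" value="SCIM"/>
    </serviceInstance>
    <serviceInstance name="credstore" provider="credstoressp"/>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="idstore.ldap"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        path = sys.argv[1]
        new_text, n = switch_idstore(open(path).read())
        with open(path + ".new", "w") as fh:   # written beside the original; diff before replacing it
            fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + new_text + "\n")
        print("changed %d reference(s); result written to %s.new" % (n, path))
    else:
        print(switch_idstore(SAMPLE_JPS_CONFIG)[1], "reference(s) changed in the sample")
```

ElementTree drops XML comments when it re-serialises, so the result is written to a sibling file for review rather than over the original; a count of zero means the context was already pointing elsewhere and nothing should be replaced.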
    • Configure SSO:
      • Create a SAML application in IDCS.
      • Give it a name.
      • Entity ID - any unique value, but it must match the entity ID configured on the WebLogic SAML2 service provider side.
      • Assertion Consumer URL - https://$SOA_LB_URL/saml2/sp/acs/post
      • NameID format - Unspecified.
      • Attributes can be added, for example to pass group membership:
        • Name - Groups
        • Format - Basic
        • Value - Group Membership
        • Condition
          • equals
          • Value - All groups
        • Add the groups.
        • Activate.
      • Download the IDCS metadata XML from the SAML application created above.

    • RDBMS setup for the WebLogic LB
      • Refer to the Oracle reference below for details.
    • Configure the SAML asserter.
      • Refer to the Oracle reference below for details.


    Oracle Reference : https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=111700059898561&id=2916662.2&_afrWindowMode=0&_adf.ctrl-state=nbcwpoz12_4

    Thursday 9 February 2023

    Provisioning Oracle Integration Cloud Service

     OIC Provisioning.

    • Provision an Identity Cloud Service domain.
      • Log in to the OCI console.
      • Go to the Identity & Security menu.
      • Select Domains under Identity. This option is available for OCI accounts created after December 2018.
      • Click Create domain.
      • Provide a name. Example - Development
      • Provide a description. Example - Development domain
      • Select the domain type. Example - Free / Premium / etc.
      • To create a separate administrator for the domain, provide the user name and password.
      • Otherwise, clear the Create Admin User option and use the OCI admin user credentials.
      • Select the compartment - Development. If it does not exist yet, create a new compartment and use it.
    • Create an IAM group in the IDCS domain.
      • Go to the IDCS console.
      • Select the Groups menu.
      • Create a new group called Administrator.
      • Provide a description.
    • Create an IAM policy for the group.
      • Go to the OCI console.
      • Select Identity & Security.
      • Select Policies under Identity.
      • Click Create Policy.
      • Provide a name - OICIntegrationGroupPolicy
      • Use the policy builder to create the policy.
      • Sample: allow group Development/Administrator to manage integration-instance in compartment Development
      • Development/Administrator is DomainName/GroupName.
      • If the domain name is omitted, the group is looked up in the Default domain in the root compartment, so a group of the same name in another domain gets no access.
      • NOTE: User federation refers to linking a user's identity and attributes across multiple identity management systems.
      • Oracle Integration federation means that identities are linked between IDCS and Oracle Identity and Access Management (IAM).
    • Create an Oracle Integration instance
      • NOTE: The instance is associated with the identity domain used to log in while provisioning OIC.
      • Use the proper identity domain when logging in; in this case, the Development domain.
      • After signing in to the OCI console, select the region.
      • Go to the Developer Services menu in the OCI console.
      • Under Application Integration, select Integration.
      • Select the compartment in which to provision OIC. In this case it is the Development compartment.
      • Click Create.
      • Provide a name.
      • Select the version - Gen 2 or Gen 3.
      • Consumption model - Universal Credits.
      • Edition - Standard or Enterprise.
      • Shape - Development or Production.
      • NOTE: Patching follows the shape. Development shapes receive patches two weeks before Production shapes.
      • Advanced options:
        • Network access:
          • Only Gen 2 allows an allow list to be defined and configured.
        • Custom endpoint:
          • Available only for Gen 2.
          • A custom endpoint (host name) can be provided.
          • It must already be registered with a DNS provider.
          • Its TLS certificate must be stored as a secret in an OCI Vault.
    • Email configuration.
      • Sender Policy Framework (SPF):
        • Lets domain owners (InfiniteCloud) identify the servers (external servers) they have approved to send email on behalf of their domain.
        • In Oracle Integration's case, the domain owner (InfiniteCloud) needs to approve OCI as a sender by adding a record for it to the domain's SPF record.

    Thursday 22 December 2022

    OCI - WAF - Web Application Firewall

    Oracle OCI WAF helps protect web applications and other internet-facing applications from threats such as the vulnerability classes defined by OWASP.

    WAF can restrict access based on geographic location and can apply rate limiting. It also supports protection rules, access control and bot management.

    WAF can protect OCI-hosted, on-premises and multi-cloud applications.

    WAF supports two types of enforcement:

    • WAF on an OCI Load Balancer
    • WAF edge enforcement
      • For on-premises applications
      • Multi-cloud and multi-region applications

    WAF Demo:
    • Access the OCI console.
    • Select Identity & Security from the menu.
    • Select Web Application Firewall.
    • Select Create WAF Policy.
      • Provide a unique name.
      • Select the compartment.
      • Use the Legacy Workflow option to create an edge policy.
        • A new window opens.
        • Provide the following details:
          • Domain name: connect.vijaya.in
          • Additional domain: oic.dvp.connect.vijaya.in
          • WAF origin: the target application to be protected
            • Origin name: sample-origin-name
            • URI: oic.svn-dvp.connect.vijaya.in
            • Create Policy
          • For an edge policy, once the WAF is activated the OCI console displays the CNAME target to be added to the DNS zone.
            • Go to the DNS zone and add the CNAME:
              • Add a CNAME record
                • Domain name: oic.dvp.connect.vijaya.in
                • RDATA: the WAF CNAME from the OCI console.
                • TTL: time to live.
          • The edge WAF only sees traffic that arrives through that CNAME. Restrict the origin so it accepts connections only from the OCI WAF edge address ranges; otherwise anyone who knows the origin host name can bypass the WAF by connecting to it directly.

      • For WAF on a load balancer, continue to the next page.
      • Add access control rules
        • Add access rules
        • Examples:
          • Geo restrictions
          • Source IP list
          • HTTP request methods
          • HTTP request headers
          • Cookies
          • Path check
          • Etc.
        • For each access control rule, select the action to be performed.
          • You can create your own action.
          • Or select one of the preconfigured actions:
            • Check and Allow
            • Allow
            • Check and Block
              • Sends an error response back to the client.
      • Go to the next page.
      • Apply rate limiting rules if required.
      • Go to the next page.
      • Apply protection rules.
        • Select the predefined OWASP rules to block malicious requests.
          • Examples:
            • Cross-site scripting
            • SQL injection
            • Etc.
      • Go to the next page.
      • Select the OCI Load Balancer to which the WAF needs to be applied.
      • Review.
      • Create WAF Policy.
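Access control rules of the kinds listed above (geo restriction, source IP list, request method, path, header) interact through their order, and the effect of an ordering is easier to see on a handful of requests than in the console. The evaluator below is an added example, not code from the original post or from OCI WAF: it models rules as a list evaluated top to bottom with the first matching rule's action applied and Allow as the default, which is the assumption made here for illustration rather than a statement about the OCI engine's exact semantics. The rules and requests are constructed; the country code is taken from the request as if a geo lookup had already been done, and the IP ranges are documentation ranges.

```python
# Added example, not part of the original post: a first-match evaluator for WAF
# access control rules of the kinds listed above, run over constructed requests.
import ipaddress
from dataclasses import dataclass, field

ALLOW = "ALLOW"
CHECK_AND_ALLOW = "CHECK_AND_ALLOW"   # "Check and Allow": allow, but log the match
CHECK_AND_BLOCK = "CHECK_AND_BLOCK"   # "Check and Block": log the match and send an error


@dataclass
class Rule:
    name: str
    action: str
    countries: set = field(default_factory=set)    # match if the geo country is in the set
    networks: list = field(default_factory=list)   # match if the source IP is in any of these CIDRs
    methods: set = field(default_factory=set)      # match if the HTTP method is in the set
    path_prefix: str = ""                          # match if the path starts with this prefix
    headers: dict = field(default_factory=dict)    # match if every listed header has the given value

    def matches(self, req):
        """All configured conditions must hold; a rule with no conditions never matches."""
        ip = ipaddress.ip_address(req["ip"])
        checks = []
        if self.countries:
            checks.append(req.get("country") in self.countries)
        if self.networks:
            checks.append(any(ip in net for net in self.networks))
        if self.methods:
            checks.append(req["method"] in self.methods)
        if self.path_prefix:
            checks.append(req["path"].startswith(self.path_prefix))
        if self.headers:
            hdrs = req.get("headers", {})
            checks.append(all(hdrs.get(k) == v for k, v in self.headers.items()))
        return bool(checks) and all(checks)


def evaluate(rules, req):
    """Return (action, matched_rule_name, logged). First match wins; default is ALLOW."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name, rule.action.startswith("CHECK")
    return ALLOW, None, False


# Constructed rule set: office range first, then admin path, geo and method blocks.
RULES = [
    Rule("allow-office", ALLOW, networks=[ipaddress.ip_network("203.0.113.0/24")]),
    Rule("block-admin-offnet", CHECK_AND_BLOCK, path_prefix="/admin"),
    Rule("geo-block", CHECK_AND_BLOCK, countries={"XX"}),
    Rule("block-unsafe-methods", CHECK_AND_BLOCK, methods={"TRACE", "TRACK"}),
]

# Constructed requests (documentation IP ranges, placeholder country code "XX").
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "country": "IN", "method": "GET", "path": "/admin/login"},
    {"ip": "198.51.100.7", "country": "IN", "method": "GET", "path": "/admin/login"},
    {"ip": "198.51.100.7", "country": "XX", "method": "GET", "path": "/"},
    {"ip": "198.51.100.7", "country": "IN", "method": "TRACE", "path": "/"},
    {"ip": "198.51.100.7", "country": "IN", "method": "GET", "path": "/"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["ip"], req["country"], req["method"], req["path"], "->", evaluate(RULES, req))
```

The first request shows why order matters: the office range reaches /admin only because the allow rule sits above the /admin block; swap the two and the office is locked out of the admin path as well. Running a proposed rule list against a file of real access-log entries in this way is a cheap check before enabling Check and Block on a production policy.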


    Reference for more details: https://www.ateam-oracle.com/post/enhance-security-with-oracle-cloud-infrastructures-web-application-firewall

    https://www.ateam-oracle.com/post/using-oci-waf-web-application-firewall-with-oracle-e-business-suite

    Wednesday 21 December 2022

    DNS Resolution

     The following diagram illustrates how DNS resolution works in the background.



