More than just Identity & Access Management

Entra ID Multi Tenant App custom scope approval PowerShell script

noreply@blogger.com (siva pokuri) — Mon, 08 Sep 2025 23:13:00 +0000

$myApiSp = Get-MgServicePrincipal -Filter "displayName eq 'MultitenantApplication'"

# Or by AppId if displayName is not unique or known
# $myApiSp = Get-MgServicePrincipal -Filter "appId eq 'your-my-api-app-id'"

if (-not $myApiSp) {
Write-Error "Could not find Service Principal for 'My API Application Name'. Ensure it's correctly registered."
return
}

$externalAppSp = Get-MgServicePrincipal -Filter "displayName eq 'MultitenantApplication'"
# Or by AppId
# $externalAppSp = Get-MgServicePrincipal -Filter "appId eq 'external-multi-tenant-app-id'"

if (-not $externalAppSp) {
Write-Error "Could not find Service Principal for 'External Multi-Tenant App Name'. Ensure it has been consented to in your tenant."
return
}

# Get the App Roles (Application Permissions) exposed by My API
$myApiSp.AppRoles | Format-Table Id, DisplayName, Value, IsEnabled

# Pick the 'Id' of the specific scope you want to grant, e.g., for 'MyAPI.ReadData'
# For App Role (Application Permission)
$appRoleIdToGrant = ($myApiSp.AppRoles | Where-Object Value -eq "MyAPI.ReadData").Id

$params = @{
    "principalId" = $externalAppSp.Id
    "resourceId" = $myApiSp.Id
    "appRoleId"   = $appRoleIdToGrant # The ID of the app role you want to grant
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $externalAppSp.Id -BodyParameter $params
Write-Host "Application permission granted for $($externalAppSp.DisplayName) to $($myApiSp.DisplayName) app role $($appRoleIdToGrant)."

Create the Azure B2C Local accounts in bulk

noreply@blogger.com (siva pokuri) — Thu, 19 Sep 2024 02:26:00 +0000

Creating Azure B2C local accounts with randomly generated passwords-

# Install required modules (if not already installed)

Import-Module Microsoft.Graph

Import-Module ImportExcel

# Variables

$clientId = "<<clientid>>"

$clientSecret = "<<clientsecret>>"

$tenantId = "<<tenantid>>"

$issuerDomain = "<<domain>>.onmicrosoft.com" # The Azure B2C issuer domain

# FilePath to your Excel file

$excelFilePath = "C:\Stage\PowershellScript\users.xlsx"

$logFilePath = "C:\Stage\PowershellScript\logfile.txt"

# Function to authenticate and get an access token

function Get-GraphAccessToken {

$body = @{

client_id = $clientId

scope = "https://graph.microsoft.com/.default"

client_secret = $clientSecret

grant_type = "client_credentials"

}

$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body

return $tokenResponse.access_token

}

# Function to create a user in Azure B2C

function Create-B2CUser($accessToken, $firstName, $lastName, $email, $password) {

$userPayload = @{

accountEnabled = $true

displayName = "$firstName $lastName"

givenName = $firstName

surname = $lastName

mailNickname = $email -replace "@", "-"

mail = $email

passwordProfile = @{

forceChangePasswordNextSignIn = $true

password = $password

}

identities = @(

signInType = "emailAddress"

issuer = $issuerDomain

issuerAssignedId = $email

}

)

}

$jsonPayload = $userPayload | ConvertTo-Json -Depth 10

$uri = "https://graph.microsoft.com/v1.0/users"

$headers = @{

"Authorization" = "Bearer $accessToken"

"Content-Type" = "application/json"

}

$response = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $jsonPayload

return $response

}

# Generate a random strong password

function Generate-StrongPassword {

return [System.Web.Security.Membership]::GeneratePassword(12, 4)

}

# Function to write logs to a file

function Write-Log($message) {

$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

$logMessage = "$timestamp - $message"

Add-Content -Path $logFilePath -Value $logMessage

}

# Get access token

$accessToken = Get-GraphAccessToken

# Read Excel file and create users

$users = Import-Excel -Path $excelFilePath

foreach ($user in $users) {

$firstName = $user.FirstName

$lastName = $user.LastName

$email = $user.Email

$password = Generate-StrongPassword

try {

$response = Create-B2CUser -accessToken $accessToken -firstName $firstName -lastName $lastName -email $email -password $password

$successMessage = "Successfully created user: $($response.displayName) ($email)"

Write-Host $successMessage

Write-Log $successMessage

}

catch {

Write-Host "Error creating user $email"

Write-Log "Error creating user $email"

}

Powershell script to read the groups using Get-MgGroup

noreply@blogger.com (siva pokuri) — Wed, 14 Aug 2024 11:55:00 +0000

# Step 1: Define the client credentials

$clientId= "<<client id>>"

$tenantId= "<<tenant id>>"

$clientSecret = ConvertTo-SecureString "<<client secret>>" -AsPlainText -Force

# Step 2: Create the PSCredential object

$credential = New-Object System.Management.Automation.PSCredential($clientId, $clientSecret)

Connect-MgGraph -Credential $credential -TenantId $tenantId

# Retrieve all groups with preferred properties

$groups = Get-MgGroup -All -Property Id, DisplayName, OnPremisesSyncEnabled, mail

# Define the output file path

$excelFilePath = "C:\AzureGroupsExport\AzureADGroups.xlsx"

# Export the groups to Excel

$groups | Select-Object Id, DisplayName, OnPremisesSyncEnabled, mail | Export-Excel -Path $excelFilePath -WorksheetName "AzureADGroups" -AutoSize

# Notify the user

Write-Output "Groups have been exported to $excelFilePath"

Powershell script to check B2B guest account invitation state in bulk

noreply@blogger.com (siva pokuri) — Sat, 17 Feb 2024 22:34:00 +0000

# Install AzureAD module if not already installed

Install-Module -Name AzureAD -Force -Scope CurrentUser

# Import required modules

Import-Module AzureAD

# Read emails from Excel sheet

$emails = Import-Excel -Path "emails.xlsx" | Select-Object -ExpandProperty Email

# Connect to Azure AD

Connect-AzureAD

# Iterate through emails and check user existence and account status

foreach ($email in $emails) {

$user = Get-AzureADUser -Filter "mail eq '$email'"

if ($user) {

Write-Host "User with email $email exists. Account Enabled: $($user.AccountEnabled) with invitation status: $($user.UserState)"

} else {

Write-Host "User with email $email does not exist."

}

How to schedule Azure APIM instance backup

noreply@blogger.com (siva pokuri) — Wed, 17 Jan 2024 02:12:00 +0000

In this article we will go through high level steps to take backup of Azure APIM instance to a storage account.

There are couple of ways to configure a regular backup of the Azure APIM instances. In this instance, we will configure Azure APIM backup using Logic Apps.

Before we proceed make sure below services are are already created

1. Azure APIM instance

2. Azure Storage account

3. Container in Azure Storage account

Let's see what it takes to configure a scheduled Azure APIM instance backup on a daily basis

1. Create a Logic App and navigate to Logic App designer tab

2. Add Recurrence step and set interval to what ever you would like to run the backups.

3. Add next step with HTTP POST method and use below URL and replace the place holders as per your environment

https://management.azure.com/subscriptions/<<Subscription ID>>/resourceGroups/<<Resource Group Name>>/providers/Microsoft.ApiManagement/service/<<APIM Instance Name>>/backup?api-version=2021-08-01"

then add below payload in the by replacing the values per your environment

{

"accessKey": "<<Storage Account Access Key>>",
"backupName":"<<Provide the backup name you would like to create with and append the name with date or current timestamp to make the backup name unique>>",

"containerName":"<<Container Name from the storage account>>"

"storageAccount":"<<Azure Storage account name>>"

}

4. Save the Logic App.

5. Now, Enabled the System assigned Identity for the logic app

6. Navigate to Azure APIM instance >> Access Control(IAM) tab

7. Click on Add role Assignment then select "API Management Service Contributor" role and click Next

8. Select the "Managed Identity" and select "Select Members"

9. Select the Azure Logic App create above and click on "Review and assign"

10. Back to Azure Logic App and click on "Run" to test the Logic app for Azure APIM backup.

Note that backup will take around 30 min to complete.

Thanks

Check the assigned policies to Application in Azure AD through powershell

noreply@blogger.com (siva pokuri) — Sat, 16 Dec 2023 13:44:00 +0000

Install the required Azure AD preview module

Install-Module AzureADPreview

Connect to Azure AD with valid credentials -

Connect-AzureAD

Obtain the application Object ID

Get-AzureADServicePrincipal -Filter "DisplayName eq '<<APPLICATION_NAME>>'"

Take the ObjectId from the above command result

Get-AzureADServicePrincipalPolicy -id <<OBJECT ID from the above command>>

Get the policy details

Get-AzureADPolicy -Id <<ObjectIdOfthe Policy>> |select *

PowerShell script to export data Cosmos DB to a CSV file

noreply@blogger.com (siva pokuri) — Wed, 25 Oct 2023 01:49:00 +0000

# Set your Cosmos DB account and database details

$resourceGroupName = "<<Resource Group Name>>"

$accountName = "<<Azure Cosmos DB Account Name>>"

$databaseName = "<<Database Name>>"

$containerName = "<<container Name>>"

# Set the output CSV file path

$outputCsvFilePath = "<<Location>>\export.csv"

# Query to retrieve data from Cosmos DB

$query = "SELECT * FROM c"

# Authenticate to your Azure account (if not already authenticated)

# Connect-AzAccount

# Get the Cosmos DB container

$container = Get-AzCosmosDBSqlContainer -ResourceGroupName $resourceGroupName -AccountName $accountName -DatabaseName $databaseName -Name $containerName

# Execute the query and export the results to a CSV file

$queryResult = $container | Invoke-AzCosmosDBSqlQuery -Query $query

# Convert the result to a PowerShell object

$cosmosData = $queryResult | ConvertFrom-Json

# Export the data to a CSV file

$cosmosData | Export-Csv -Path $outputCsvFilePath -NoTypeInformation

Write-Host "Data exported to $outputCsvFilePath"

SSO with Apache and Kerberos authentication

noreply@blogger.com (siva pokuri) — Wed, 19 May 2021 19:29:00 +0000

I'm sharing another use case, "Kerberos + HEADER-based application SSO" implementation experience with Apache and Keberos module. There are times you end up working with a custom authentication & Single Sign-On solution to an application despite modern authentication mechanisms.

One such situation is providing seamless access to an application when accessing from an Active Directory domain-joined machine. It technically means leveraging the Kerberos token from the device and authenticates the user into the HEADER-based application.

Utilizing Apache web server, Kerberos module, and apache rules, we can provide a Single Sign-On experience to the users accessing the application from an AD domain-joined machine.

I am assuming that the Apache web server is installed, enabled mod_auth_kerb module, and configure the application to allow the REMOTE_USER header to login.

The first thing is to generate a keytab file for your Apache server using the ktpass command.

Example command:

ktpass -princ HTTP/<<HOSTNAME>>@<<DOMAIN>> -mapuser apache -crypto All -DesOnly -pass <<password>> -ptype KRB5_NT_PRINCIPAL -out apache.keytab

I had configured Apache 2.4.6 in RHEL 7.9 with the Kerberos module with the below VirtualHost to use auth_kerb_module and rules to read and set Request HEADER application in the "httpd" conf file.

ServerName <<ServerName>>

AuthType Kerberos

KrbMethodNegotiate On

KrbMethodK5Passwd On

KrbServiceName HTTP/<<HOSTNAME>>@<<DOMAIN>>

KrbAuthRealms <<DOMAIN>>

Krb5KeyTab /etc/apache.keytab

KrbLocalUserMapping On

require valid-user

RewriteEngine On

RewriteCond %{LA-U:REMOTE_USER} (.+)

RewriteRule . - [E=RU:%1]

Header add X-Remote-User "%{RU}e" env=RU

RequestHeader set REMOTE_USER %{RU}e

</Location>

SSLProxyEngine On

SSLProxyVerify none

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

ProxyRequests Off

ProxyPreserveHost On

ProxyPass / https://<<Application_HOST_NAME>>:<PORT>/

ProxyPassReverse / https://<<Application_HOST_NAME>>:<PORT>/

</VirtualHost>

Bounce the apache server and try to access the application from the AD joined machine.

Thanks

Siva Pokuri.

How To Correct Microsoft Azure AD IdP SAML Metadata for Qlik Sense printing module SAML integration

noreply@blogger.com (siva pokuri) — Fri, 05 Feb 2021 20:50:00 +0000

When uploading Azure AD SAML metadata to a service provider you might get below error message -

*********************************************************************

SAML xml metadata validation failed with the following error: This is an invalid xsi:type 'http://docs.oasis-open.org/wsfed/federation/200706:SecurityTokenServiceType'” SAML xml metadata validation failed with the following error: This is an invalid xsi:type 'http://docs.oasis-open.org/wsfed/federation/200706:SecurityTokenServiceType'.

****************************************************************************

Quick solution is that to remove <RoleDescriptor section from the metadata file and try to upload the metadata again.

Thanks

Siva Pokuri.

Azure AD Powershell command to query group with DirSyncEnabled attribute

noreply@blogger.com (siva pokuri) — Tue, 19 Jan 2021 15:22:00 +0000

There are times you want to know synched or cloud only groups.

Command to search synched groups -

Get-AzureADGroup -All $true | where-Object {$_.DirSyncEnabled -eq $TRUE}

Command to search cloud only groups -

Get-AzureADGroup -All $true | where-Object {$_.DirSyncEnabled -eq $NULL}

Funny enough that DirSyncEnabled attribute contains "TRUE" (if it's synched group) "NULL" (if cloud only)

Thanks

Siva Pokuri.

Azure AD B2B & B2C accounts provision to MS Exchange Address Book

noreply@blogger.com (siva pokuri) — Wed, 08 Jan 2020 13:48:00 +0000

Below setting in Azure AD user entry will make the external account visible in Outlook Address book -

Create Azure AD guest account using Graph API invitation URL
Update the user entry by setting "ShowInAddressList" attribute to "true" using Graph User API
Check the email address in Outlook Address Book

Note - This above configuration worked in beta version of graph API.

Thanks

Siva Pokuri.

Microsoft Groups

noreply@blogger.com (siva pokuri) — Mon, 19 Aug 2019 18:50:00 +0000

Following some research over the types of groups being offered by Microsoft.

I realized that I didn't come across a feature comparison among all Microsoft groups. So I said myself why not create one :-) and share it.

Thanks

Siva Pokuri.

Azure AD Webhooks (Azure Notifications)

noreply@blogger.com (siva pokuri) — Sat, 10 Aug 2019 03:25:00 +0000

Webhooks playing a much important role in today's event-driven communication between the server and a client, especially broadcasting changes from server to clients involving any changes. In a way, webhooks works reverse than the usual client sends a request to a server/service.

Lately, most of the cloud service providers have this feature in their cloud offerings. I got a chance to check out and try Microsoft Azure AD webhooks/notifications. It comes handy especially when there is a requirement to monitor activities and notify concern parties for action. For example, user & group management actions "create/update/delete" from Azure AD and gets notified to a pre-configured HTTPS notification URL.

Azure AD has the option to subscribe to "notifications" to quiet a list of services.

Here is the link for the list of supported resources.

A Sample application to subscribe to Azure AD Graph API "/users" endpoint, notification and receive the notification to configured notification URL. I tested and it served my requirement.

Microsoft sample used ngrok (a web reverse proxy available for free) to configure the HTTP(S) URL to test from the local environment. But, Azure AD functions can be used to get & read the notifications and act on the notification messages.

Quick demo video --

For more details check below links from Microsoft. Pretty straight forward to configure and test quickly.

https://docs.microsoft.com/en-us/graph/webhooks

Thanks

Siva Pokuri

Tips: Azure AD B2B user UserPrincipalName(UPN) update

noreply@blogger.com (siva pokuri) — Thu, 25 Apr 2019 15:39:00 +0000

Issue:

Trying to update the UserPrincipalName (UPN) of B2B user to some public domain email address like siva@gmail.com in Azure AD tenant and results below error message.

Error message - "Property userPrincipalName is invalid"

Solution:

Make sure create/update user UPN with verified domain names in Azure AD tenant.

Thanks
Siva Pokuri.

Service providers and identity providers

noreply@blogger.com (Aditya A) — Mon, 25 Mar 2019 17:25:00 +0000

Identity federation standards identify two operational roles in an SSO transaction:

Identity provider (IdP)
Service provider (SP).

An IdP, for example, might be an enterprise that manages accounts for a large number of users who may need secure access to the Web-based applications or services of customers, suppliers, and business partners.

An SP might be a SaaS provider or a business-process outsourcing (BPO) vendor wanting to simplify client access to its services.

Identity federation allows both types of organizations to define a trust relationship whereby the SP provides access to users from the IdP.

The IdP continues to manage its users, and the SP trusts the IdP to authenticate them.

Thanks,

Aditya

Ping Access internet proxy setting to access token provider

noreply@blogger.com (siva pokuri) — Sun, 20 Jan 2019 16:31:00 +0000

Offen this kind of setup needed especially when deploying ping access internally and token provider such as Ping federation/Aure AD in the cloud.

In this kind of set up, secure internet access needed from Ping Access needed in order to register the token provider.

First, register the internet proxy IP and port number (provide credentials if proxy need authentication) in the Ping Access Administration console settings >> networking >> proxies

Next, Add created proxy instance to Administration/replica Administration nodes and all the engine nodes(If in the multinode cluster setup) else if in a standalone setup adding in Primary Administration node is good enough.

Thanks
Siva Pokuri

The AccessGate is unable to contact any Access Servers."#011raw_code^301#011

noreply@blogger.com (Aditya A) — Fri, 18 Jan 2019 03:44:00 +0000

Error: The AccessGate is unable to contact any Access Servers."#011raw_code^301#011

Version: OAM 11.1.2.3 and later

Work Around:

Go into oamconsole and modify the webagte profile ( may be decrease the Cache Timeout by a second )for the first agent and save it.
Download webagte artifacts
Copy the artifacts from the the oam server directory to appropriate directories for the correct webgate.
Restart the webserver instance on which webgate is running.

Thanks,
Aditya.

Oracle IDCS + Salesforce Integration demo video

noreply@blogger.com (siva pokuri) — Thu, 15 Nov 2018 19:52:00 +0000

Thanks

Siva Pokuri.

PingAccess Windows service will not start

noreply@blogger.com (siva pokuri) — Tue, 18 Sep 2018 19:52:00 +0000

Problem:

Once Ping Access is installed and configured as Windows service. The service then fails to start.

One possible most common issue is with JAVA_HOME environment variable.

Solution:

Check if JAVA_HOME env and set at SYSTEM level not just USER level if not already set. It may be necessary to restart the Windows server to pick up the system variable change.

Then try starting the service again.

Thanks.

OIM 12C - Design Console alert

noreply@blogger.com (Aditya A) — Fri, 14 Sep 2018 03:05:00 +0000

Below screenshot refers new and updated alert from OIM 12c:

Thanks,
Aditya.

How to enable HTTPS / SSL in Tomcat with self signed certificate

noreply@blogger.com (siva pokuri) — Mon, 10 Sep 2018 21:00:00 +0000

Below steps tested with Tomcat 9.0.11 on both Windows & Linux machine.

Open command prompt/terminal and execute below keytool command to create a new key store with a self-signed certificate by replacing the alias and keystore values.

keytool.exe -genkey -alias <<certaliasname>>-keyalg RSA -keystore <<location to save keystore>>\<<keystorename>>

provide the details of the certificate as it asks questions.

Open server.xml file from <<TOMCAT_HOME>>/conf/ location

and add below text by replacing keystoreFile and keystorePass values.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

maxThreads="150" SSLEnabled="true" scheme="https" secure="true"

clientAuth="false" sslProtocol="TLS"

keystoreFile="<<path to keystore file>>"

keystorePass="<<keystore password>>" />

then restart the tomcat server and access https://<<hostname>>:8443

Thanks!

The process cannot access the flie because it is being used by another process exception from HRESULT:0*80070020

noreply@blogger.com (Aditya A) — Thu, 06 Sep 2018 15:55:00 +0000

Issue:-At times you may notice that one or more Web sites are not started in IIS 7.0. If you try to manually start the Web site, it may fail with the following error message:

Internet Information Services (IIS) Manager - The process cannot access the file because it is being used by another process.
(Exception from HRESULT: 0x80070020)

Environment:-Windows 2012R2 server

Error Cause:-The error code 0x80070020 translates to ERROR_SHARING_VIOLATION (The process cannot access the file because it is being used by another process.)

This issue may occur if TCP port 80 and/or 443 is grabbed by a different service.

Solution:-First check to see what is listening on port 80.
Open a command prompt and enter the following command:

netstat -ano | find ":80"

netstat -aon | find ":443"

In this case process ID 4228 was listening on port 80.
To check what this process is open task manager and locate that PID.
(Note you may need to select View -> Select columns -> PID first).

1.It turns out a developer installed Apache which was listening
on port 80 and causing a conflict.To resolve the conflict change one service to run
on a different port or uninstall the unnecessary web server.
2.In Task bar we can select httpd.exe running on port 80 and end process

Now you can start and stop IIS website.

Thanks,
Aditya.

Keytool & OpenSSL handy commands

noreply@blogger.com (siva pokuri) — Thu, 06 Sep 2018 14:50:00 +0000

OpenSSL command to extract SSL host certificate

openssl s_client -servername <<servername>> -connect <<servername>>:<<portnumber>>

Java Keytool Commands for Creating and Importing

Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystorename.jks -keysize 2048
Generate a certificate signing request for an existing Java keystore
keytool -certreq -alias domainname -keystore keystore.jks -file domainname.csr
Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file serverchain1.crt -keystore keystore.jks
Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomainname -file mydomainname.crt -keystore keystore.jks
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

Java Keytool Commands for Checking

Check a stand-alone certificate
keytool -printcert -v -file mydomain.crt
Check which certificates are in a Java keystore
keytool -list -v -keystore keystore.jks
Check a particular keystore entry using an alias
keytool -list -v -keystore keystore.jks -alias mydomain

Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks
Change a Java keystore password
keytool -storepasswd -new new_storepass -keystore keystore.jks
Export a certificate from a keystore
keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks
List Trusted CA Certs
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Import New CA into Trusted Certs
keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts

Oracle Access Manager 12c useful docs

noreply@blogger.com (siva pokuri) — Tue, 28 Aug 2018 19:32:00 +0000

OAM 12c installation & configuration instructions

IAM infrastructure(weblogic) installation:

http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/identity%20management%2012c/oam%2012c%20(12.2.1.3)/getting_started_series/3-installoam/index-template.html

OAM 12c configuration steps:

http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/identity%20management%2012c/oam%2012c%20(12.2.1.3)/getting_started_series/4-configoam/index-template.html

Configure OUD as directory server for OAM 12c:

http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/identity%20management%2012c/oam%2012c%20(12.2.1.3)/getting_started_series/5-configureoud/index-template.html

Install & Configure OHS 12c:

http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/identity%20management%2012c/oam%2012c%20(12.2.1.3)/getting_started_series/6-configureohs/index-template.html

Configure OHS 12c OAM webgate:

http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/identity%20management%2012c/oam%2012c%20(12.2.1.3)/getting_started_series/7-configurewebgate/index-template.html

Protect application deployed in Weblogic using OAM 12c:

http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/identity%20management%2012c/oam%2012c%20(12.2.1.3)/getting_started_series/8-protectwebapps/index-template.html

Thanks
Siva Pokuri.

OAM 11g IDP SAML Federation authorization policies

noreply@blogger.com (siva pokuri) — Thu, 16 Aug 2018 19:15:00 +0000

This post is on how to enable and configure authorization policies for federated applications with OAM 11g as Identity Provider.

Note: Tested with an application integrated with OAM 11g R2 PS2 as IDP and I think this article still applies to later versions also.

By default, Federation Authorization is disabled. Execute below steps to enable federation authorization using WLST commands.

Enter the WLST environment by executing
$IAM_ORACLE_HOME/common/bin/wlst.sh
Connect to the WLS Admin server
connect()
Navigate to the Domain Runtime
domainRuntime()
Execute the configureFedSSOAuthz() command

To enable authorization:
configureFedSSOAuthz("true")
To disable authorization:
configureFedSSOAuthz("false")

Exit the WLST environment:
exit()

Authorization policies can be configured to allow/deny to individual accounts (OR) groups (OR) combination of both groups & individual accounts from OAM 11g backend LDAP server.

Steps to configure Token Issuance policy

Go to the OAM Administration Console: https://oam-admin-host:port/oamconsole
Navigate to Access Manager -> Application Domains
Click Search
Click in IAM Suite in the list of results
Click on the Token Issuance Policies tab
Click “Create Token Issuance Policy”
Enter a name (Example: AdministratorsOnlyPolicy)
Click on Conditions tab
Click Add to add a constraint for the AdministratorsOnly group
Enter the details of the constraints:

Name: example AdministratorsGroup
Type: Token Requestor Identity

Note: If you would like to allow all the users with valid credentials to login into application just select "True" in condition type drop down and click "Add selected" button.

Click Add Selected
Select the newly created constraint to configure it

In the conditions details, click Add and select Add Identities
Select the Identity Store and enter Administrators group name
Click search
Select the AdministratorsOnly Group

Click Add Selected
Click on the Rules tab
In the Allow Rule section, select the AdministratorsGroup condition and add it to the Selected Conditions, since we want to allow users belonging to the Administrators group to do Federation SSO with the partners listed in this policy
Click Apply

Execute the following steps to create a new resource and add it to the AdministratorsOnlyPolicy Token Issuance Policy:

Go to the OAM Administration Console: http(s)://oam-admin-host:port/oamconsole
Navigate to Access Manager -> Application Domains
Click Search
Click in IAM Suite in the list of results
Click on the Resources tab
Click on New Resource and create a new resource for the Token Issuance Policy:

Type: TokenServiceRP
Resource URL, name of the SP Partner as it was created in the Federation Admin section: Example: XYZAppAdmin
Operations: all
Token Issuance Policy: AdministratorsOnlyPolicy
Apply

Expect "User is not authorized to perform Federation SSO" SAML status message in IDP SAML response in case any user try to login other than user from Admin group.

Happy SSO'ing

Thanks

Siva Pokuri