Integration of Oracle Access Manager with SharePoint webapplications
Recently I had worked with an interesting case in which customer was using Oracle Access Manager (OAM) for providing the security in their application. They were using a Java application in which they were used LDAP membership provider. There was a SharePoint webapplication which was configured to use FBA and use the same LDAP membership provider.
Actual requirement was, whenever an user access the SharePoint URL, the OAM’s webgate (it is an IIS plug-in [will register it as ISAPI filter in the virual directory of SharePoint webapplication] developed by Oracle responsible for checking access policy and authentication etc ) will intercept the URL and display a generic login page to the user. User put his credentials and OAM’s webgate then validates it and allow the user to access SharePoint URL.
At this point, SharePoint does not know who the user is even if OAM has already authenticated him. Note that SharePoint already has LDAPMembership to the same LDAP that used by OAM. So what will happen is, since the SharePoint site is configured to use FBA it will directly show the SharePoint FBA login.aspx to enter the credentials. But they don’t want to show that page again because user has been already authenticated by the OAM.
The only work-around is place a hook point and does the redirection. Here we will get the help of a HttpModule. There is a good post for getting the high level picture of this kind of facility here : siteminder and ASP.NET. I have taken the below picture from the that post for giving a graphical idea about how this type of authentication works.
Here consider the ASP.NET site as a SharePoint site. For OAM scenario also the only work-around is use HTTPModule but since the SharePoint site is using FBA authentication we have do some modification in the HTTPModule which I am giving below.
HttpModule code
1: using System;
2: using System.Security;
3: using System.Security.Principal;
4: using System.Web;
5: using System.Web.Security;
6:
7: namespace MyOAMHttpModule
8: {
9: class OAMHttpModule : IHttpModule
10: {
11: public void Init(HttpApplication app)
12: {
13: app.AuthenticateRequest += (new EventHandler(this.Application_AuthenticateRequest));
14: app.PreSendRequestHeaders += (new EventHandler(this.Application_PreSendRequestHeaders));
15: }
16:
17: private void Application_AuthenticateRequest(object sender, EventArgs e)
18: {
19: HttpApplication app = (HttpApplication)sender;
20: if (app.User == null)
21: {
22: string[] roles = new string[1];
23: roles[0] = "GuestUser";
24: GenericIdentity id = new GenericIdentity("testuser1","Forms");
25: GenericPrincipal p = new GenericPrincipal(id, roles);
26: app.Context.User = p;
27: }
28: }
29:
30: private void Application_PreSendRequestHeaders(object sender, EventArgs e)
31: {
32: HttpApplication app = (HttpApplication)sender;
33: if (app.Response.RedirectLocation != null)
34: {
35: if (app.Response.RedirectLocation.Contains("AccessDenied.aspx?Source") && app.User.Identity.Name == "testuser1")
36: {
37: app.Response.Redirect("/_layouts/login.aspx?ReturnUrl=" + app.Request.RawUrl);
38: }
39: }
40:
41: }
42:
43: public void Dispose()
44: {
45:
46: }
47:
48: }
NB: If you are using "single sign on" in which if you are accessing the sharepoint site through a different site in which you have already authenticated , then in that scenario you to install this assembly of the HttpModule in GAC which will provide the shared access within the webserver. Otherwise, you may get an "server Error '/samplesite' Application" error while accessing the SharePoint site, here the "samplesite" is the name of the virutal directory of the other site from which where you are coming to sharepoint site. Because if you keep the dll of that HTTPmodule in the local /bin directory of the SharePoint application and if you use FBA authentication in OAM (OAM also has FBA authentication mechanism), in that it may not allow you to load that dll from SharePoint webapplication's local bin directory.
Flow of user access :
- User types the URL for a SharePoint application into the web browser.
- OAM’s webgate (IIS plug-in/ web-agent developed by Oracle responsible for checking Access policy and authentication etc) intercepts the URL and display our generic login page to user. User put his credentials. OAM webgate then validate it and allow the user to access SharePoint URL.
- At this point SharePoint does not know who the user is even if OAM has already authenticated him. Note that our SharePoint already has LDAPmembership to the same LDAP that used by OAM.
- Now the HTTPModule will come to our rescue which will,
a. Rread the USER_ID from header (set by OAM after the authentication) and create a GenericPrincipal for SharePoint.
b. Set the SSO token in the browser so user can have single sign on with other applications.
The outcome out of this model is,
a. Share point will not display its login page to the user.
b. The user -to-role assignment can still be possible inside SharePoint as SharePoint is also connected to the same LDAP that is used by OAM for authentication (which is also the user db for OAM) through LDAP-membership.
Comments
Anonymous
November 12, 2008
PingBack from http://www.tmao.info/integration-of-oracle-access-manager-with-sharepoint-webapplications/Anonymous
April 19, 2012
Good knowledge! Do you know in case of Ping Fedarate how this work with OAM?Anonymous
May 03, 2012
Good Article. I have a question here, the solution here tells that the LDAP should be same for OAM and SharePoint. What if, the LDAPs are different and user id are different between the two directories. Also, can you provide some insights on how to register an HTTPModule in SharePoint site? Thanks Mark