
04/07/2013

Oracle Identity and Access Management: Workshop-android-oamconfig


Table of Contents
Objective
Create The Application Profile
Create the Native Login Mobile Service Domain
Service Profile Bindings
Service Protection
Finish domain creation
Update the MobileJWTAuthentication Token provider to use OVD
Configure Social Login
Create the Internet (Social) Application profile
Create the Service Domain for Social Login
Modify the InternetIdentityAuthentication provider to use OVD

Objective
The objective of this chapter is to configure the OAM Mobile and Social server (OAMMS) for the sample application. You should be familiar with the OAM Administration guide and should understand the following OAMMS concepts:

Application Profiles: An application is a web (HTML/JavaScript) or native (iOS or Android) application. Applications may have different requirements for authentication and authorization (AuthN/AuthZ), and therefore each application that interacts with OAMMS REST services must be uniquely defined.

Service Providers: Service providers define a type or class of service for authentication, authorization or user profiles. Think of service providers as "templates" that are used to instantiate a real instance of a service. For example, the JWTAuthentication provider performs authentication and returns JWTs (JSON Web Tokens) to the application. In contrast, the OAMAuthentication provider also performs authentication but uses OAM SSO tokens.

Service Domains: Service domains bind applications and service providers together; they are the instantiation of the defined providers. Multiple service domains are needed when we have different communities of users or devices that we want to serve. For example, customers may authenticate against one source while employees use another.

Create The Application Profile


Log on to the oamconsole (iamadmin/Oracle123). From System Configuration -> Mobile and Social -> Mobile Services, select "Create" under Application Profiles:


Enter the parameters for the new Application profile:

Name: The application name. In this example we use MobileDemo (note: the name is not visible in the screenshot below). The application name configured here must match the application name in the settings for the deployed Android application.

baseSecret: Enter a password here. This does not need to match any existing password. It is used as an encryption key between the client and the OAMMS server.

Mobile Configuration check box: Enable this checkbox for any mobile applications. This enables the SDK to collect and send Mobile specific attributes to the OAMMS server.

Webview: Controls the type of browser that the Android application will use when showing a Social login dialog. The embedded browser (default) will render the browser within the application. External will use the system standalone browser. External can sometimes be preferable for debugging.

URL Scheme: Both Android and iOS use a custom URL scheme to register O/S handlers that will take control when OAMMS transfers control to the device. Use the value osa://

Android Package: The fully qualified name of the Android application that you will deploy. This is taken from your application's AndroidManifest.xml file. It is used to tell Android which application to launch when an intent is received (for example osa://).

Android Signature: This is the unique signature for your application. The Android development chapter in this lab explains how to find this value. For development it is generated by the Android SDK tools. For production this value is a stable signing key available from Google as part of the Play store deployment process.


Note: If you are deploying the pre-compiled .apk sample application, the signature is found below. If you are compiling the application in Eclipse, your signature will be unique to your SDK environment and you will need to extract it from the application logs. This procedure is detailed in the sample application walkthrough.

3082030d308201f5a00302010202041973081b300d06092a864886f70d01010b05003037310b30090603550406130255533110300e060355040a1307416e64726f69643
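The following class is an added example, not code from the lab's sample application, showing how a development build can write its own signing information to the Android log so the value can be copied into the Android Signature field. It assumes, consistent with the DER-encoded certificate hex shown above, that the field takes the string returned by Signature.toCharsString(); the class name, log tag and the extra subject/fingerprint lines are my own additions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Log;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Logs the signing certificate(s) of the running application in the hex form that the
 * OAMMS "Android Signature" field is assumed to expect (Signature.toCharsString(), i.e. the
 * DER-encoded X.509 certificate as lowercase hex). Intended for development builds only:
 * call it once from an Activity, copy the value from logcat, then remove the call.
 */
public final class SigningInfoLogger {
    private static final String TAG = "SigningInfoLogger";

    private SigningInfoLogger() {}

    public static void logSignatures(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) {
                Log.w(TAG, "no signatures found for " + ctx.getPackageName());
                return;
            }
            for (Signature sig : info.signatures) {
                // The package name goes in "Android Package", the hex string in "Android Signature".
                Log.i(TAG, "Android Package:   " + ctx.getPackageName());
                Log.i(TAG, "Android Signature: " + sig.toCharsString());

                // Subject and SHA-256 fingerprint let a reviewer confirm which key signed the
                // build (the SDK debug key has subject CN=Android Debug; a release key should not).
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(sig.toByteArray()));
                Log.i(TAG, "Subject:           " + cert.getSubjectX500Principal().getName());
                Log.i(TAG, "SHA-256:           "
                        + hex(MessageDigest.getInstance("SHA-256").digest(sig.toByteArray())));
            }
        } catch (Exception e) {
            Log.e(TAG, "unable to read signing info", e);
        }
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The logged value is the public certificate, not the private key, so exposing it in logcat during development is harmless; what matters is that the profile in OAMMS is updated to the release certificate before production, otherwise only debug builds will match the configured signature.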

Create the Native Login Mobile Service Domain


An OAMMS service domain binds together a set of configured interfaces for authentication, authorization and user profile services. Service domains provide flexibility to support different types of mobile clients. For example - an employee Mobile service domain would use a different authentication source than a Mobile service domain used by customers. Select create under Mobile Service domains:


Create a name for your domain (NativeMobileDomain is used below). The name configured must match the service domain set in the Android application. Under "Application Profile Selection" click the browse button. Choose the application profile that you created in the previous step. This associates the application with this service domain. A service domain can support multiple applications.


Service Profile Bindings


Advance to the next page of the wizard to configure the services for this domain. For this example we will use the following services:

Authentication: MobileJWTAuthentication. This will use the JWT (JSON Web Token) format authentication provider. Upon successful authentication the Android application will receive a signed JWT token from OAMMS. This token will be used in subsequent calls to OAMMS.

Authorization: OAMAuthorization. The authorization provider. The SDK makes calls to this provider endpoint to obtain authorization decisions on resource requests. Authorization is not used in this demo.

User Profile Service: OVDUserProfileService. This is the service that provides user profile services (attribute lookup, attribute modification). The OVD provider has been previously configured in the demonstration image. It makes calls to Oracle Virtual Directory to perform attribute operations.
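As an added example (not part of the lab or the OAMMS SDK), the class below shows the local checks a client can make on the JWT it receives from the MobileJWTAuthentication provider before reusing it on later calls. The client has no key to verify the signature (OAMMS verifies it on every call), but it can refuse malformed tokens and avoid sending one that is already expired. The claim names used (exp, nbf) are the registered claims from RFC 7519; the exact claim set OAMMS emits is not shown in this lab, and the class name is my own.

```java
import android.util.Base64;
import org.json.JSONObject;

import java.nio.charset.Charset;

/**
 * Client-side sanity checks on a compact-serialized JWT (header.payload.signature).
 * Nothing here verifies the signature; it only inspects structure and lifetime so
 * that an expired or malformed token is discarded instead of being sent to OAMMS.
 */
public final class JwtInspector {
    private static final long CLOCK_SKEW_SECONDS = 60;

    private JwtInspector() {}

    /** Decodes the payload segment of a JWT. Does NOT verify the signature. */
    public static JSONObject payload(String jwt) throws Exception {
        if (jwt == null) throw new IllegalArgumentException("null token");
        // limit -1 keeps trailing empty segments, so "a.b." is rejected as having no signature
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3 || parts[1].isEmpty() || parts[2].isEmpty()) {
            throw new IllegalArgumentException("not a signed compact JWT");
        }
        byte[] json = Base64.decode(parts[1], Base64.URL_SAFE | Base64.NO_WRAP);
        return new JSONObject(new String(json, Charset.forName("UTF-8")));
    }

    /**
     * True if the token is well formed, carries an exp claim, and is inside its validity
     * window at nowEpochSeconds (allowing a small clock skew). A token that fails this check
     * should be dropped and a fresh authentication performed.
     */
    public static boolean isUsable(String jwt, long nowEpochSeconds) {
        try {
            JSONObject claims = payload(jwt);
            if (!claims.has("exp")) return false;          // refuse tokens with no lifetime
            long exp = claims.getLong("exp");
            long nbf = claims.optLong("nbf", 0);
            return nowEpochSeconds + CLOCK_SKEW_SECONDS >= nbf
                && nowEpochSeconds - CLOCK_SKEW_SECONDS < exp;
        } catch (Exception e) {
            return false;                                  // malformed token: treat as unusable
        }
    }
}
```

Because the token is a bearer credential for every later OAMMS call, keep it out of application logs and out of the URL; pass it in the header or body the SDK uses, and discard it when isUsable returns false.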


Service Protection
The REST services for a domain can be protected by requiring the caller to present a token to invoke the service. In the example below we protect the authorization and user profile services. Make sure you enable writing of the profile. The sample application will demonstrate a user updating their profile. This call will fail if the write checkbox is not enabled.


Finish domain creation


Update the MobileJWTAuthentication Token provider to use OVD


By default the MobileJWTAuthentication provider uses the embedded Weblogic LDAP provider. Our demo users are in OVD/OUD - so we must change the provider. We could also create a new provider that uses OVD - but for this example we have chosen to update the existing out of the box provider. From the main OAMMS Mobile Screen - select and edit the MobileJWTAuthentication provider. In the drop down box for the directory choose "OVD". This LDAP provider has been previously configured in the demo image. If you are doing this on your own image you will need to create a new ldap connection profile.


Configure Social Login


The sample application demonstrates social login using a Google account. You will need to configure an application profile for Social login and a new service domain that uses the social login application profile. When creating the new internet application profile, you must use the same name as your previously created Application profile for the mobile application. For example, if your mobile application profile is called "MobileDemo" the internet application profile should also be called "MobileDemo".

Create the Internet (Social) Application profile


Navigate to Mobile and Social, click on "Internet Identity Services" and create a new application profile:


Set the following parameters for the new application profile:

Name: The application name. This must match the name of the mobile application profile created for your application under Mobile Services. We use MobileDemo for this example.

Shared Secret: A password used as an encryption key between the application and OAMMS. This does not need to match any existing passwords.

Return URL: See below.

Mobile Application Return URL: After the Relying Party (social) login, the OAMMS server will redirect to the Android application using this URI. This URI will be registered with Android and associated with an Intent that is mapped to our sample application. This allows our sample application (and the linked SDK) to handle the post login authentication process. Use osa:// for this lab. If you look inside your application's AndroidManifest.xml file you will see this URI mapped to an activity that invokes the SDK.

Login Type: Choose to allow local login as well as Social login.

Enable browser pop ups: Select yes to allow use of a new browser instance to pop up for the login page.

User Registration: For our demo we assume the account is already registered. If you wish to allow user registration, enable this feature.

Authentication Service Endpoint: Make sure that /internetidentityauthentication is selected.

Application to Provider Mapping: Select the social login providers that you wish to enable. For the lab select Google. You can choose others here (e.g. Facebook) but you must register for a developer API key.
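The activity below is an added example, not the lab's sample application code, of how the osa:// return URI is received on the Android side. The manifest fragment in the class comment shows the intent filter such an activity needs; the activity name and the OammsSdkBridge.completeSocialLogin call are hypothetical placeholders for the activity the sample application maps to osa:// and for the SDK entry point it invokes, neither of which is shown on this page.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

/**
 * Receives the osa:// redirect that OAMMS issues after the Relying Party (social) login.
 *
 * Matching intent filter in AndroidManifest.xml (assumed layout; the lab's manifest uses the
 * same scheme but its activity name is not shown on this page):
 *
 *   <activity android:name=".SocialLoginCallbackActivity" android:exported="true">
 *     <intent-filter>
 *       <action android:name="android.intent.action.VIEW" />
 *       <category android:name="android.intent.category.DEFAULT" />
 *       <category android:name="android.intent.category.BROWSABLE" />
 *       <data android:scheme="osa" />
 *     </intent-filter>
 *   </activity>
 *
 * A custom scheme is not reserved to one application: any app on the device can send an
 * intent carrying an osa:// URI, so the activity checks what it received before passing it on
 * and lets the SDK (and OAMMS) decide whether the login result is genuine.
 */
public class SocialLoginCallbackActivity extends Activity {
    private static final String TAG = "SocialLoginCallback";

    /** Must equal the URL Scheme / Mobile Application Return URL configured in OAMMS. */
    static final String EXPECTED_SCHEME = "osa";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        Uri data = intent.getData();
        if (!isExpectedCallback(intent.getAction(), data)) {
            // Do not log the URI itself: a genuine one may carry login state.
            Log.w(TAG, "ignoring intent that is not an osa:// login callback");
            finish();
            return;
        }
        // Hypothetical helper standing in for the OAMMS SDK call documented in the
        // sample application walkthrough.
        OammsSdkBridge.completeSocialLogin(this, data);
        finish();
    }

    /** Accepts only ACTION_VIEW intents whose data uses the configured custom scheme. */
    static boolean isExpectedCallback(String action, Uri data) {
        if (!Intent.ACTION_VIEW.equals(action) || data == null) return false;
        return EXPECTED_SCHEME.equalsIgnoreCase(data.getScheme());
    }
}
```

Keep the exported surface to this one activity; other components of the application should not be exported, so that the only thing another app can trigger with an osa:// intent is this scheme check followed by the SDK's own validation of the login result.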


Save the new profile.

Create the Service Domain for Social Login


Navigate to Mobile Services. Click on New to create a new service domain.

In this example we call the domain "SocialDomain". The type should be Mobile Application and the application credential type User Token. At this point we will not use a security post processor (leave this blank for now). Add the application "MobileDemo" to the domain. Advance to the next page of the wizard.


Select the Service profiles as shown below. Take care that the Authorization service is set to InternetIdentityAuthentication.

Set the protection for the Profile and Authorization services as shown below:


Finish the creation of the service domain.

Modify the InternetIdentityAuthentication provider to use OVD


The out of the box configuration for the InternetIdentityAuthentication provider uses the embedded LDAP store. Under Mobile Services, select and edit the provider and set the directory to OVD as shown below. This directory connection has been previously configured for you:


