Oracle Identity Federation Configuration Clustered mode

Similar Messages

• Oracle Identity Manager Configuration Error

  Versions I have used for the Installation:
  Software Version
  Oracle Database 11.2.0
  Repository Creation Utility 11.1.1.5.0
  Web logic 10.3.6
  SOA Suite 11.1.1.6.0
  Fusion Middle ware Installer 11.1.1.5.0
  JDK Oracle Web-logic JRockit JDK or Sun JDK 1.6.0_29
  Error : Config Action Oracle Identity Manager Configuration failed
  Exception waring occurs in web logic Server :
  <Aug 14, 2012 11:57:53 AM GMT+05:30> <Notice> <WebLogicServer> <BEA-000360> <Ser
  ver started in RUNNING mode>
  <Aug 14, 2012 12:03:49 PM GMT+05:30> <Warning> <Management> <BEA-141239> <The no
  n-dynamic attribute AuthenticationProviders on weblogic.management.security.Real
  mMBeanImpl@581c390c([OIDM]/SecurityConfiguration[OIDM]/Realms[myrealm]) has been
  changed. This may require redeploying or rebooting configured entities>
  <Aug 14, 2012 12:03:49 PM GMT+05:30> <Warning> <Management> <BEA-141238> <A non-
  dynamic change has been made which affects the server AdminServer. This server m
  ust be rebooted in order to consume this change.>
  <Aug 14, 2012 12:03:49 PM GMT+05:30> <Warning> <Management> <BEA-141239> <The no
  n-dynamic attribute ControlFlag on weblogic.security.providers.authentication.De
  faultAuthenticatorMBeanImpl@80d076be([OIDM]/SecurityConfiguration[OIDM]/Realms[m
  yrealm]/AuthenticationProviders[DefaultAuthenticator]) has been changed. This ma
  y require redeploying or rebooting configured entities>
  <Aug 14, 2012 12:03:49 PM GMT+05:30> <Warning> <Management> <BEA-141238> <A non-
  dynamic change has been made which affects the server AdminServer. This server m
  ust be rebooted in order to consume this change.>
  Please give me a solution to resolve the issue

  Each version has its won libraries and certain bug fixes. It's always good to see certification matrix first for any software and proceed with installation as per certified components. Also, vendor support your project only if you are using their certified versions. :)
  regards,
  GP

• Oracle Identity Federation

  Hi,
  How to configure Global Logout using Oracle Identity Federation ?
  Please provide the answer in detailed steps, if possible.
  Thanks.

  Not that much to configure really. Look through [this link|http://download-west.oracle.com/docs/cd/B28196_01/idmanage.1014/b25355/configuring.htm#BCGJGEJD].
  -Vinod

• Oracle Identity Federation or Microsoft ADFS

  Hi,
  There are two companies A & B having an isolated infrastructure. Currently we have an architecture where Company A is providing OAM-IWA based SSO functionality for its own users and not for Company B users. If Company B also wants to avail the benefits of IWA/SSO for an application hosted in Company AS what should they do? Please advise-
  1. Implement Microsoft ADFS? Company B may not like it because they think ADFS might expose confidential attributes to Company A?
  2. Implement Oracle Identity Federation? How will that fit in if we have OAM in place? Can OAM authenticate half of the user base and OIF do the rest? Pls advise
  3. Implement OVD? I am not sure if OVD can authenticate userbase against AD credentials?
  Pls let me know.
  Thanks,

  Since company A and B have isolated infrastructures, I assume they are separate companies and on separate networks, with the internet as the network that will allow users from company B to access the application hosted by company A. And I assume the application is a web application.
  First, IWA is a function of the IIS web server and suppported browsers (IE and Firefox) and is independent of OAM or OIF. OAM 10g supports IWA when running a webgate on the IIS web server that is configured to accept IWA authentication. IWA will work on the Intranet, so employees of company A can use IWA to SSO to OAM in their environment. Likewise, if company B has their own deployment of OAM, they can use IWA to SSO their users to their instance of OAM.
  If you deploy OAM 11g, there is no longer a dependency on IIS because OAM 11g support Windows Native Authentication. You can read OAM 11g documentation for details on WNA.
  1) Regarding use of ADFS, I have no comment as I am not familiar with the details of ADFS.
  2) Regarding using OIF, some questions and clarifications
  - Does company B own a web SSO and/or federation product? Do they own OAM? Do they own OIF? If not, they'll need something that speaks SAML or another federation protocol supported by OIF.
  - For company A, you can buy OIF and integrate with OAM, if necessary. Since company A is hosting the application that company B employees want to get to, they would most likely be configured as the service provider/relying party.
  - For company B, you can buy OIF and integrate with OAM. And OAM can integrate with IWA. So a user could use IWA to seamlessy SSO to OAM and then follow a federation enabled link to company A's app and seamlessy SSO to that as well.
  - There is some integration work to be done here. Specificaly, company B needs to have a way to send its users over to company A so they can import them into company A's app. You need to exchange some metadata and agree on a unique identifier to identify the users. Or if the app works by having company B users access it as a generic user or something, you need to set something up for that (such as passing the generic userID in the SAML assertion).
  - I would probably deploy the app such that there were two entry doors. One door would be for company A's employees and would be internally accessible only and protected by OAM. Then I would have an externally accessible door that relied on OIF SAML and was configured as a relying party for company B's employees.
  3) regarding OVD, I don't see how that is going to help you since each company is on a separate isolated infrastructure.

• Oracle Identity Federation - High Availability

  Hello,
  We are trying to figure out the high availability options supported by the Oracle Identity Federation. While reading the documentation we find it a bit confusing. We read the OIF Administrator Guide here: http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/b25355/advtopics.htm#CHDBCDFG
  In Section "9.4 High Availability" it said that "Oracle Identity Federation supports the Cold Failover Cluster (CFC) or active-passive high availability configuration,". In the Application Server 10g guide also said the same and explicitly said that the active-active configuration is not supported for the OIF.
  Then in Section "9.5 Setting Up a Load Balancer with Oracle Identity Federation" it explains how to set up a load balancer for the OIF. When it explains this it says that we can have several instances of OIF in different machines, configured with a load balancer. All these instances share the same transient database where the sessions are stored.
  Which is the difference between this load-balancer-based configuration and an active-active high availability configuration? If one node of the load-balancer configuration goes down, the sessions administered by him are lost? That is the difference?
  Thanks!
  Leonardo

  Hi
  I am not very sure about High Availability configuration but for Load balancer as mentioned in the document, You have to have both the instances sharing transient database where sessions will be stored.
  If both the OIF instances are not sharing transient database and you have LB sharing load, It will not work as sessions will be store in memory. So sessions from one OIF instance will not be known and available to the other instance of OIF.
  Thanks
  Kiran Thakkar

• How to deploy Portal to Oracle identity Federation 10.2.0.4 ?

  AIX5.3 Oracle iAS 10.2.0.2, 10.2.0.4
  Oracle Identity Federation 10.2.0.4 was installed successfully.
  How can i deploy portal of 10.2.0.2 to it`s instance ?
  Simple installation of Portal into instance has no result.
  Help please.

  AIX5.3 Oracle iAS 10.2.0.2, 10.2.0.4
  Oracle Identity Federation 10.2.0.4 was installed successfully.
  How can i deploy portal of 10.2.0.2 to it`s instance ?
  Simple installation of Portal into instance has no result.
  Help please.

• Error in Oracle identity federation SSO testing

  Hi All
  I need help on oracle identity federation task. Any one please try to give solution for my bug. Am new to this product .Comming to issue am following below mentioned link ( http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/oif/11g/r1/oif_tran_map/oif_tran_map.htm#top ) . as per document i created two machines one for Service provider and another one for identity provider. at last am trying to test the SSO between the both SP & IDP one pop up window is appering when i pass the credentials the below mentioned error am getting .
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  *10.4.2 401 Unauthorized*
  *The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
  Any one please try to give solution for this bug or else please give me the hints perform my task ( Transient Federations ).

  Hi All
  I need help on oracle identity federation task. Any one please try to give solution for my bug. Am new to this product .Comming to issue am following below mentioned link ( http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/oif/11g/r1/oif_tran_map/oif_tran_map.htm#top ) . as per document i created two machines one for Service provider and another one for identity provider. at last am trying to test the SSO between the both SP & IDP one pop up window is appering when i pass the credentials the below mentioned error am getting .
  Error 401--Unauthorized
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  *10.4.2 401 Unauthorized*
  *The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
  Any one please try to give solution for this bug or else please give me the hints perform my task ( Transient Federations ).

• Integrating Oracle Identity Federation with homegrown SSO solutions

  Hello,
  We are trying to integrate Oracle Identity Federation with a home grown SSO solution.
  The OIF FAQ document mentioned that Oracle provides programmatic interfaces to achieve this.
  But I did not find any javadocs / samples on how this can be done.
  Can anybody throw some insight into this..
  Thanks

  Hi Easwaran,
  You need to upload the SAML 2.0 IdP/SP metadata for the peers you want to federate with. OIF will verify the metadata and add the peers in its Circle of Trust as IdP or SP depending on the metadata upoaded. If the peer is going to play both IdP and SP roles, you need to upload both the metadata files.
  Similarly, in case you need to provide the peer your metadata, OIF makes this available at http(s)://host:port/fed/idp/metadatav20 (SAML 2.0 IdP metadata) or http(s)://host:port/fed/sp/metadatav20 (SAML 2.0 SP metadata) as required.
  -Vinod

• Interoperability of Shibboleth 2.0 with Oracle Identity Federation (OIF)

  Hi,
  I am in the process of selecting an identity federation product to interact eventually, both as an IdP and a SP, with a "pure Shibboleth" federation. I know the easiest, most obvious solution would be to go with Shibboleth as well, but after a comparative analysis, it seems that OIF would better fit (internally) my needs than Shibboleth, so here comes my question :
  Has anybody successfully made OIF 11g and Shibboleth 2.0 interoperate yet ?
  I work in the higher education vertical, and it would help me a lot to justify the budget for a POC if I'd knew it can be done...
  Cheers,
  Stephane

  Ping Identity is another solution for you to look at if you're going the Shibboleth route. PingFederate and Shibboleth have the ability to interoperate. http://www.pingidentity.com/.

• Oracle Identity Federation (SHAREid configuration)

  Hi,
  We are trying to do CDSSO with another portal, and access the pages of the destination, within our portal frame.
  We are having Oblix SHAREid with SAML verion 1.0, and the service provider has their custom implementation of SAML, verision 1.0
  The service provider has integrated with another portal with its custom SAML implementation currently, (which we would be replacing with our portal).
  The service provider expects us to send the Artifact, and some more parameters as hidden variables by using HTTPS Post.
  example :
  <input type = hidden name="SAMLArtifact" value="ABCDEFSDFASFDASFD">
  <input type = hidden name="data" value="<cust><name>abc</name><age>44</age></cust>">
  <input type = hidden name.....
  There are around 10 hidden parameters which needs to be sent, with the Artifact. The data is dynamic.
  Please let me know, if there is a solution to this problem, with which we can configure the Oblix SHAREid to send all these parameters.
  Will a plug-in or something help?
  Please provide any reference document or links, which i can refer to.
  Thanks in Advance.
  Regards,
  Raju

  Hi iam37,
  Follow this guide: http://docs.oracle.com/cd/E17904_01/core.1111/e12035/oif.htm#BAJGIAAA
  Notice that you run the config.sh script on both OIF hosts and then run the pack.sh and unpack.sh. Be sure to use the pack.sh -managed=true from section 15.5 so that the AdminServer is not packed up and moved to oif host 2.
  Seth

• Custom Name Identifier format in Oracle Identity Federation (OIF)

  Hello,
  at the moment we're using OIF 10.1.4.01 together with Oracle Access Manager (OAM) and everything works well.
  We're acting as both IdP and SP in the Federation for which we are using OIF.
  So far we're using the persistent name ID format as Subject ID in the assertions we're creating as IdP.
  Now we have the need to store a non-opaque value in the Subject ID, something like an uid for example, since the SP is requiring this for their back-end systems.
  With the X509 Subject format we're able to store a non-opaque value from the OID, however the SP wants the name ID format NOT to be of the X509 subject format, but something different.
  I intended to use the custom name ID format that is described in the OIF documentation (see this link: http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/b25355/addlconfig.htm#BABBFJJF).
  I followed every step and double checked that I configured everything correctly. What happens when I set the property "defaultnameidformat" to "custom", is that OIF is defaulting to the "persistent" name ID format when an assertion is created and not the "custom" name ID format.
  I checked if it also happens when I specify the X509 Subject format, but then it is correctly using the X509 subject name ID format as expected, so it seems I've configured everything like it should be. By the way, the same problem occurs for the "unspecified" name ID format.
  I found something interesting in the 10g Release 3 Patch Set 1 (10.1.4.2) documentation for OIF (see link: http://download.oracle.com/docs/html/E10972_01/toc.htm#CHDDGJJD). At bug ID: 5725307, it says something about this feature (for both the unspecified and custom name ID format).
  Although the functionality is described in the documentation for OIF 10.1.4.0.1, it appears that this is not working. Is this correct?
  Do I need to apply the patch set?
  It's rather strange and confusing that this functionality seems to be added and documented in the first version, and seems to be added again in the patch set.
  Does anyone experienced the same problem?
  Also I would really have it confirmed that this is not working for OIF 10.1.4.0.1 and IS working for OIF 10.1.4.2.
  Thanks in advance for any help.
  Dave

  Thanks for your help Vinod,
  after applying the patch 10.1.4.2 , everything is working as expected!
  Cheers,
  Dave

• E-Business Suite Integration with Oracle Identity Federation for SAML

  Has anyone developed a way to use OIF for e-Business Suite authentication through SAML rather than using the standard Identity Management stack of apps?
  Today we have Oracle e-Business Suite 115.10.2 using OSSO through OID with WNA for zero sign-on (no login, just pass-through, based on AD credentials). Our domain controllers are Windows 2003 but we are in the process of upgrading them to Windows 2008 R2, where the OSSO stack is not supported unless we globally set the 2008 R2 domain controllers to use DES encryption instead of the default AES encryption. (See Oracle note 1076018.1)
  When deploying OSSO, we encountered a similar issue with Windows 7 workstations would not work with OSSO unless we set the workstation policy not to use AES encryption. (See Oracle note 973190.1)
  We are not inclined to continue to use DES encryption and we have obstacles moving to 11g iDM/OAM/OID from OSSO. I am exploring the possibility continuing to keep one 2003 domain controller in production, and pointing OSSO to that, until we can move to the 11g iDM stack.
  Meanwhile, we have ongoing frustration with how complicated SSO is with the e-Business Suite. Sure, it works, once you climb the mountain to set it up, and we don't have that many issues in production. But the implementation of SSO for e-Business Suite is simply complex. The trip from the workstation back to an EBS session is operationally somewhat brittle. I guess some of us relish complexity. Certainly there is pride in understanding something like this. But, after a while, when the trickle of tickets from the Help Desk never completely dries up, you get tired of complexity and you seek something simpler.
  So, instead of this path:
  Workstation > EBS > OID > AD / Kerberos > Workstation
  (and I didn't even mention F5 switch with reverse proxy servers ...)
  Why can't we have this?
  Workstation with certificate > OIF with SAML > EBS session.
  Has anyone done that?
  Thank you for your help.

  Hello JJ,
  We are facing the same issue. Oracle has recommanded us to install
  HTML-DB on the same database as our Apps 11i.
  What we still have to figure out is whether is use APPS schema for the
  HTML-DB workspaces, or use a different schema.
  How is it configured at your site?
  Moshe

• Error while Updating Client Metadata & Certs on Oracle Identity Federation

  We need to update the certs on OIF 11g (we are Service Provider's) as our client certificates are expiring soon.
  we got Metadata and Certificate from Client and these are step we followed for updating certs -
  *1. In the OIF 11g - EM console, under OIF server-> security and trust -> under trusted CAs and CRLs, deleted the existing certificate for that partner and upload the new certificates.*
  *2. Then Generate Metadata a new and upload it again under the partners side (OIF - EM - Under OIF server - Fedeartion)*
  This is the ERROR we are getting -
  May 29, 2012 12:41:19 PM oracle.security.fed.sec.SecurityServicesImpl processIncoming
  SEVERE: Certificate was missing when trying to verify digital signature.
  May 29, 2012 12:41:19 PM oracle.security.fed.http.translator.saml.SAMLProtocolMessageTranslator translateMessage
  SEVERE: Signature verification failed for provider ID http://***.uat.*****.com:*
  May 29, 2012 12:41:19 PM oracle.security.fed.controller.ApplicationController processServletRequest
  SEVERE: Exception: {0}
  oracle.security.fed.controller.web.action.RequestHandlerRuntimeException: XML signature verification failed.
  *[2012-05-29T12:41:19.634-05:00] [wls_oif1] [ERROR] [FED-12064] [oracle.security.fed.controller.ApplicationController] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004kJ1NbamTFw000jzwkno0003540016U3,0:1] [APP: OIF#11.1.1.1.0] [URI: https://*****-uat.*******:443/fed/sp/authnResponse20] Exception: {0}[[*
  oracle.security.fed.controller.web.action.RequestHandlerRuntimeException: XML signature verification failed.
  at oracle.security.fed.http.translator.saml.SAMLProtocolMessageTranslator.translateMessage(Unknown Source)
  at oracle.security.fed.http.handlers.profiles.sp.AuthnResponseV20RequestHandler.generateEvent(Unknown Source)
  at oracle.security.fed.controller.web.action.RequestHandlerSupport.perform(Unknown Source)
  at oracle.security.fed.controller.ApplicationController.processServletRequest(Unknown Source)
  Please let us know...where did we wrong.
  Thanks in Advance!!!

  Can you guys help?
  801072, user12038686, OIDM,

• Getting error, No SAMLart parameter in oracle identity federation.

  what does the following error means,
  Web Intersite Signon Error
  RECEIVER: ERROR: No SAMLart parameter in the inter-site signon request.
  We are destination domain and the client is getting this error when trying to federate to our environment. The method is Post profile.
  Thanks.
  Edited by: user504421 on Mar 20, 2009 1:34 PM

  With POST, it looks for SAMLArt in the URL (steps 3 and 4 in http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/b25355/deployinstall.htm#CHDFEHIC). Are you sure you don't have anything else going on, e.g artifact resolution based on a reference to an assertion (vs full assertion) in the URL?

• Oracle identity federation 10g--error while login with single sign

  Hi...
  I installed oif10g using microsoft ad2003.now i am integrating with salesforce.com to provide single sign on...but while signing authentication is failed...so for that we need to search for assertion which will be under federation-mssg.log..
  but no error messg is under it...so can any one help to enable all debug settings in oif..

  Hello,
  I think its not possible to mix and match authentication once you have set OBIEE to use EBS ICX cookie based authentication, you would not able to use the DefaultAuthenticator Provider.
  Let me know the updates.
  Thanks,
  SVS.