11g OAM AuthZ policy

I need help with OAM 11g AuthZ policy.
Looking at the authorization policy, I can set it for IPAddress range, User Identity and time based.
I want to create a policy that checks for an attribute to see if it's set or not and based on that allow or deny. How do I do that?

I would look at Constraints on the AuthZ side.
Other than that, you could merely return a header variable for the attribute you want to toggle.

Similar Messages

  • AuthZ Policy "Monitor Only" mode

    I have a question about the AuthZ Policy “Monitor Only” or "Audit" mode.  I want to test a new AuthZ policy by using “Monitor Only” mode, but I am not seeing any indication that my Test device is hitting the rule while in Monitor only mode… It ends up hitting our last default rule which is currently permit any.  If I actually enable the rule, I can see the device hitting the rule and getting denied in the Authentication log window.
    So I know the rule works, but I want to only monitor the rule for now to see what would get denied, so that we can assess how we want to handle auth for said devices.  According some info I found, I should be seeing an indication in the Auth log window that a rule was matched, if it is Monitor only mode.
    I am currently running ISE 1.3.0.876.
    Any help is appreciated

    I have had the same experience.  If you look at the AuthZ details for the connection, you will see under Other Attributes a special attribute returned named "RadiusAuthorizationPolicyMatchedMonitorRules," but as far as I know there is no way to run a report on it. Maybe someone else has a suggestion on it.
    What I do as a workaround is create a rule matching the conditions and create a special Authorization Profile for the rule that just has ACCESS_ACCEPT (not to break any traffic), then run a RADIUS Authentication report matching that Authorization Profile.

  • AuthZ Policy using specific Endpoint Identity Groups

    I am trying to create an AuthZ policy that will identify if a device is in specific Endpoint Identity Group.  See policy below.
    I used the IdentityGroup:Name attribute Equals the Identity Group MAB_Devices. Please note that there are NO Identity groups listed in the dropdown options, so I typed in the name. Alas, the rule is not working. Anyone have advice on what I am doing wrong? Thx

    Bransomar, your screenshot is an Authentication policy rule but you should do it in Authorization policy. Authentication policy sorts out requests by request method and origin and assigns an identity store to each.

  • How to Migrate 10g sso integrate with EBS 11.5.10.2  to 11g OAM(oracle access manager) with R12.1.3

    How to Migrate 10g sso integrated with EBS 11.5.10.2  to 11g OAM(oracle access manager) with R12.1.3
    Os:Linux 64 bit
    database:11.2.0.3 Rac

    Hi,
    You could try working through the EBS -> APEX integration article on the Apex community site (http://www.oracle.com/technetwork/developer-tools/apex/apex-ebs-wp-cabot-consulting-169064.pdf)
    Rod West

  • Order for resources in OAM authorization policy

    Hi All
    Does the order of the resources in an OAM authorization policy matter, or can I put the resources in any order?
    Thanks

    OAM performs resource Authentication and Authorization based on the URLs. It doesn't matter on what order you try to put them.
    ~Yagnesh

  • Error in Webgate 11g (OAM, Webgate, WebTier)

    Hi,
    I'm setting up the WebGate in Webtier 11g, linux platform, I created a WebGate instance, configured and registered in OAM 11g 11.1.1.5.0
    But the following error occurs in OHS
    Message from syslogd@ at Sat Feb 25 15:37:13 2012 ...
    wlroam15 Oblix: 2012/02/25@17:37:13.17372 7085 7104 ACCESS_GATE FATAL 0x00001520 /ade/aime_h0025/ngamac/src/palantir/webgate2/s rc/apache2entry_web_gate.cpp:591 "Exception thrown during WebGate initialization"
    Can anyone help me
    Thank

    Hi,
    I would usually expect an additional error message giving more information (maybe "Unable to contact any Access Servers" or some other message). But basic things to check are:
    - ensure that the artefacts (ObAccessClient.xml, cwallet.sso if not Open mode) created during Agent registration are copied to the correct location in the WebGate installation directory;
    - if using Simple or Cert mode operation, ensure that the certificate files are also in the correct location, and that the correct transport security has been specified in the Agent definition in the oamconsole.
    Regards,
    Colin
    Edited by: ColinPurdon on Feb 28, 2012 3:19 PM

  • ISE Profiled devices not being used in authz policy.

    ISE is standalone.
    ver 1.2
    Eval license.
    I have a number of Cisco IP phones profiled by DHCP probe and sitting in the Endpoint Identity Group "Cisco-IP-Phone" (dynamic not static).
    However when this is used in an Authorization Policy it never matches.
    Just a basic Policy:
    if Cisco-IP-Phone (no conditions) then Cisco_IP_Phones ......no match.
    I can change Identity group to ANY and it works.
    Sure I must be missing something but I've gone round and round with this.
    Tried deleting endpoints and allowing them to repopulate....failed.
    Tried changing endpoints to static with no luck.
    Noticed the "Cisco-IP-Phone" group is under the "Profiled" group so tried using that in the policy....no change.
    Whatever i've tried just ends with the Authz going to the "Default" policy.

    Thank you for providing the detailed information. The problem is not with profiling as that appears to be working as expected. I believe that the issue is with your authentication policy. Looking at screen shot #2 you don't have a single policy that is enabled to allow a phone to authenticate via MAB. All of your MAB policies are showing as "disabled." The default policy is set to only use Internal Users as its Identity Store and phones won't be stored there. Your authorization policies look OK so I would suggest you try the following:
    1. Enable the top authentication rule called "MAB"
    2. Confirm that "Allow PAP/ASCII" and "Detect PAP as Host Lookup" are enabled under the Allowed Protocols
    3. Ensure that "Internal Endpoints" is selected for the Identity Store
    4. Test again
    Thank you for rating helpful posts!

  • OSB 11G - Routing with policy and forwarding authentication headers

    Hi there,
    I'm having problems trying to add authentication to some services developed with OSB 11G.
    One of the requirements is that the services authenticate using the "oracle/wss_username_token_service_policy" policy... So far so good...
    My problem now is that one of the services I'm trying to route messages to needs the same authentication as the OSB router... I've tried everything I found but without any success... The headers aren't being propagated...
    I've found out that the header variable has the Authentication segments so I can remove the routing, add a service callout and add the header variable to it.. But this is kind of a hammered solution...
    Is there any other solution that I'm missing?
    Thanks in advance,
    Best Regards,
    Daniel Alves
    Edited by: 863416 on Sep 18, 2012 9:49 AM

    Hi,
    transporting header setting is described here
    Yuan's SOA Blog: Retrieve and pass around http Authorization header with OSB
    but something is missing, I have to set proxy service Authentication  to Basic. But then OSB authenticate inbound request at local scope and I want to authenticate at called web service level. How to do that?

  • Another OAM 10g policy evaluation question

    I have a policy with authz expression= Rule A & Rule B & Rule C:
    Rule A:
    Allow: ldap_attr_1 = X
    Deny: no one is denied
    Allow precedes denial: true
    Authz failure redirection URL: URL1
    Rule B:
    Allow: ldap_attr_2 = Y
    Deny: no one is denied
    Allow precedes denial: true
    Authz failure redirection URL: URL1
    Rule C:
    Allow: anyone is allowed
    Deny: ldap_attr_3 = Z
    Allow precedes denial: false
    Authz failure redirection URL: URL2
    My user profile has ldap_attr_1=X, ldap_attr_2=Y, ldap_attr_3=Z, I expect access to be denied based on Rule C and user redirected to URL2. Instead I see authorization = Inconclusive and Rule=<not found>.
    If user has ldap_attr_1=X, ldap_attr_2=Y and NOT ldap_attr_3=Z I am getting correct evaluation - user is authorized.
    Any ideas how to make this work? Basically I want the user to be redirected to the URL that is defined in the rule that caused the denial.
    Thanks,
    Alex

    Hi Colin,
    Here's what I have:
    Authz Rule: Rule1
    Access allowed: Any one
    Access denied: ldap rule (attr=value)
    Allow takes precedence: false
    Actions: redirect to URL1 on denied
    You can use any attribute and any value, I am using my custom attribute. Then I protect a resource /myresource with policy Policy1 that only has this rule. Set up attr=value and access tester shows redirection to URL1. Now 2 more rules:
    Authz Rule: Rule2
    Access allowed: ldap rule (o=org)
    Access denied: no one is denied
    Allow takes precedence: true
    Actions: no actions
    Authz Rule: Rule3
    Access allowed: ldap rule (title=title)
    Access denied: no one is denied
    Allow takes precedence: true
    Actions: no actions
    And Policy2 has authz expression Rule2 AND Rule3 AND Rule1. And Policy2 has action: redirect on authorization inconclusive to URL2. My user's profile has o=org, title=title, attr=value. Access tester shows redirection to URL2.
    Thanks,
    Alex

  • OAM 10g policy evaluation issue

    I have the policy with following authorization expression: Rule A|Rule B.
    Rule A:
    allowed: all users with o=Org A
    denied: any user
    allow takes precedence: true
    Rule B:
    allowed: all users with o=Org B
    denied: any user
    allow takes precedence: true
    I want the policy to grant access to any user in either of the organizations. It does not work for users with o=Org B. Instead access tester shows that Rule A was in effect and authorization is inconclusive. The only way I can make it work is by removing denial conditions completely: i.e. denied=no one is denied. It does not make sense to me - each rule actually works if not combined with another one.
    Does anybody know whether it is a bug?
    Thanks,
    Alex

    Hi Alex,
    The important thing to remember is that for OR conditions, OAM will stop processing the expression as soon as the user is explicitly referenced (for either Allow or Deny) in a rule, as evaluated from left to right. So if you have an expression:
    RuleA OR RuleB OR RuleC
    and the logged in user is not mentioned in ruleA, but is Allowed in RuleB, then OAM will not process RuleC.
    (With AND conditions, OAM needs to know all of the results, so in the case of an expression:
    RuleX AND RuleY AND RuleZ
    if the user satisfies RuleX, then OAM still needs to process RuleY and RuleZ in order to determine if the user meets the requirements of the expression.)
    In the majority of cases, the way OAM works does boil down to the same as Boolean logic. If, for example, the OR expression above tested that a user is in either GroupA, or GroupB, or GroupC and the user is in GroupA, the only effect of the way that OAM works is that it does not unnecessarily work out if the user is in GroupB or GroupC.
    The two areas which I can see as potentially causing confusion are:
    - when you have an Allow Anyone or Deny Anyone in a rule. In this case, clearly every user is explicitly mentioned in a rule, and processing will stop at this rule as far as OR operations are concerned (as in the example you originally gave).
    - when you want different actions to be performed depending on which rule is applied (so if a user is a member of both GroupA and GroupC, you may have different sets of header variables that need to be applied).
    But generally, if these are not factors, I would expect the same behaviour for more complex relations (such as your "(Rule 1 OR Rule 2) AND (Rule 3 OR Rule 4)" expression) to be the same as for Boolean operations. In this case if a user satisfies Rule1, then it will still evaluate AND (Rule3 OR Rule4), but not Rule2.
    If the above factors really do cause OAM to evaluate undesirable results for you, would it be possible to move the complexity to group membership? For example you could define group membership to be the result of a complex ldap filter, and then define a simple rule (and expression) and associated actions which allows access based on this group.
    Regards,
    Colin
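Added example, not Oracle's code and not from any poster in this thread: a small Python model of the evaluation order Colin describes, so the two Alex threads above and the opening "is the attribute set?" question can be traced rule by rule. The rule names, attribute names (o, title, flag) and user records are constructed; the AND semantics (any deny wins, then any inconclusive, otherwise allow) are an assumption about the natural Boolean reading, while the OR branch implements the left-to-right stop at the first rule that explicitly references the user.

```python
# Added example (not Oracle's code): model of how an OAM 10g authorization
# expression combines rules, following the evaluation order described in
# this thread. Rule names, attribute names and user records are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

User = Dict[str, str]            # a user's LDAP attributes, e.g. {"o": "Org B"}
Pred = Callable[[User], bool]    # an "allowed" / "denied" membership test

ALLOW, DENY, INCONCLUSIVE = "allow", "deny", "inconclusive"


def anyone(_user: User) -> bool:
    return True


def no_one(_user: User) -> bool:
    return False


def attr_equals(name: str, value: str) -> Pred:
    return lambda user: user.get(name) == value


def attr_is_set(name: str) -> Pred:
    # Covers the opening question: allow or deny on whether an attribute has a value.
    return lambda user: bool(user.get(name))


@dataclass
class Rule:
    name: str
    allowed: Pred
    denied: Pred
    allow_takes_precedence: bool = True

    def verdict(self, user: User) -> str:
        a, d = self.allowed(user), self.denied(user)
        if a and d:
            return ALLOW if self.allow_takes_precedence else DENY
        if a:
            return ALLOW
        if d:
            return DENY
        return INCONCLUSIVE  # the rule does not reference this user at all


Expr = Union[Rule, Tuple]  # Rule | ("or", *Expr) | ("and", *Expr)


def evaluate(expr: Expr, user: User, trace: List[str]) -> str:
    """Return the expression verdict; `trace` records each rule actually evaluated."""
    if isinstance(expr, Rule):
        v = expr.verdict(user)
        trace.append(f"{expr.name}={v}")
        return v
    op, *operands = expr
    if op == "or":
        # Left to right; stop at the first rule that explicitly references the user.
        for sub in operands:
            v = evaluate(sub, user, trace)
            if v != INCONCLUSIVE:
                return v
        return INCONCLUSIVE
    if op == "and":
        # Every operand's result is needed. Assumption: any deny wins,
        # then any inconclusive, otherwise allow.
        verdicts = [evaluate(sub, user, trace) for sub in operands]
        if DENY in verdicts:
            return DENY
        if INCONCLUSIVE in verdicts:
            return INCONCLUSIVE
        return ALLOW
    raise ValueError(f"unknown operator {op!r}")


def decide(expr: Expr, user: User) -> Tuple[str, List[str]]:
    trace: List[str] = []
    return evaluate(expr, user, trace), trace


def org_policy(deny_everyone: bool) -> Expr:
    """Rule A | Rule B from the question, with or without 'denied: any user'."""
    denied = anyone if deny_everyone else no_one
    return ("or",
            Rule("Rule A", attr_equals("o", "Org A"), denied),
            Rule("Rule B", attr_equals("o", "Org B"), denied))


def nested_policy() -> Expr:
    """(Rule1 OR Rule2) AND (Rule3 OR Rule4) with constructed attribute tests."""
    return ("and",
            ("or", Rule("Rule1", attr_equals("title", "manager"), no_one),
                   Rule("Rule2", attr_equals("title", "director"), no_one)),
            ("or", Rule("Rule3", attr_equals("o", "org"), no_one),
                   Rule("Rule4", attr_equals("o", "partner"), no_one)))


if __name__ == "__main__":
    org_b = {"o": "Org B"}
    print(decide(org_policy(True), org_b))   # Rule A references everyone, Rule B never reached
    print(decide(org_policy(False), org_b))  # Rule A silent, so Rule B is evaluated
    print(decide(nested_policy(), {"title": "manager", "o": "org"}))  # Rule2 skipped
```

The trace returned by `decide` is the useful part: for an Org B user it shows that with "denied: any user" the OR expression never reaches Rule B, and that dropping the denial (denied = no one) is exactly what lets evaluation move on, which matches the workaround Alex found.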

  • OAM Password policy not working.

    Hi All,
    I am configuring a password policy in OAM which enforces the user to reset his password at first login. OAM is using OID as user store and I have added oblix password related objectclasses to OAM schema. OIM is used to provision all users to OID. I have also enabled the Checkbox Change on Reset in password policy.
    I have also made certain attributes visible in OAM user manager such as obpasswordchangeflag, oblastsuccesfullogin, oblastfaillogin etc.
    Once the user is created in OID through OIM, the values for attributes obpasswordchangeflag, oblastsuccesfullogin, oblastfaillogin are empty.
    Case1: obpasswordchangeflag attribute value is empty for user say oamtestuser. oamtestuser logs in to OAM protected application with default password provided in OIM. I could see the oblastsuccesfullogin attribute value updated in oamtestuser profile as expected. Similarly oblastfaillogin value also got updated for failed login as expected.
    Case2: obpasswordchangeflag set to true manually in user profile for oamtestuser. oamtestuser logs into OAM protected application with default password. Upon submit, user is redirected to the change password page which prompts the user to enter current password and new password. Upon submit user will be shown another page with a back button. Upon clicking the back button, user is asked to login to the application once again with the new password. Upon submit, user is shown the change password page again instead of logging in to the application with the new password. I have noticed that the obpasswordchangeflag attribute value is still set as true.
    Case3: After executing Case2, even after modifying the obpasschangeflag value to false or making empty, the attribute values of oblastsuccesfullogin and oblastfaillogin are not getting updated accordingly.
    Please let me know if you have any clue on this.
    This is really urgent. Would appreciate quick help.
    Thanks.
    Mahendra.

    Hi Sagar,
    Thanks for the response.
    Another major update: When we tried creating user using OAM workflow, the obpasswordchangeflag got true value by default and password change functionality worked as expected. So it is obviously an issue with provisioning user through OIM. We manually created an attribute obpasswordchangeflag and provisioned a new user with value as true but still the user profile in OAM User Manager for attribute obpasswordchangeflag is empty. This means that there needs to be some mapping which we are missing i.e., an attribute in OIM has to be mapped correctly with OID attribute obpasswordchangeflag .
    So we are searching for this mapping stuff. Do you have any other opinion on this?
    Thanks
    Mahendra.

  • 11g OAM High Availability + SSL

    Has anyone SUCCEEDED in setting up OVD+OID+OAM 11g in a High Availability environment to include SSL throughout on LINUX with 10g WebGate?

    In the OAM Server Settings you will see a "load balancing" section. You have to give the host name a value that can be reached from your users through a load balancer (eg a non-protected OHS with mod_wl_ohs configured to redirect to the login page on both OAM servers).
    HTH,
    --olaf

  • Integrating Oracle Portal 11g / OAM 10.1.4.3 / OSSO 10g

    We are currently designing our new 11g Web Logic server architecture. We have a need to use Oracle Portal 11g in this environment, which of course requires Oracle SSO 10g. We also want to integrate this portal environment with OAM 10.1.4.3.
    I am looking for some information on how to perform this integration. I would also like to know the communication flow that unfolds when a user signs into a portal that is protected by both OSSO and OAM?
    The best thing that I have found to date is an “Oracle by Example” document, but this procedure was written for older versions of portal, OAM, OID, OSSO.
    Are you aware of any resources that I can look at? Or has anybody out there done this in their environment?
    Any help would be greatly appreciated.

    To use Oracle AS SSO with OID 11g you should look at Chapter 10 of the Identity Management Installation Guide. This is the pre-requisite for Oracle AS SSO 10g on OID 11g. To use OAM with Oracle AS SSO as well you need to provide IdentityProvider class for Oracle AS SSO. This is handled in the OAM 10.1.4.0 Integration Guide.
    --olaf

  • Using Framed IP Address in ISE AuthZ policy

    Hi,
    I have an issue when attempting to use the RADIUS-Framed-IP attribute in a User Authorisation policy. Essentially, when I try and map the Radius attribute to the user custom attribute in the AuthZ profile, it will not let me as the RADIUS Framed IP has a data type of IPv4 and the user attribute I created has a data type of string.
    I cannot see the data type of IPv4 available when creating user attributes.
    Is there a way around this?
    Thanks
    Mario

    Which version of ISE / patch are you using
    The following was fixed in ISE 1.2 patch 3
    CSCuj14382 Cannot statically assign IP address as FramedAddress

  • ISE Identity Groups in AuthZ Policy

    So we all know we can leverage identity groups in authorization policy, can we leverage two of them ? I tried building a compound condition that uses an identity group (MAB) along with another identity group (User) and can not get the policy to hit..Thoughts?

    I doubt that, as far as I can tell with ISE, when you are being authenticated either by mab or by a user/pass with ex PEAP, your identity is established as either, not both, and the identity is what gets compared to identity groups.
