Assigning siteminder resource to an IDM user

The IDM URL is currently protected by SiteMinder so that we can initiate single sign-on. My requirement is to have only the SSO login page and remove the IDM login module. I created a SiteMinder LDAP resource pointing to our SiteMinder server and a login module. I assigned this login module to the end user interface so that the user needs to log in only once on the SSO page.
I created one identity user within IDM and the same user existed in the SSO LDAP also. I assigned the LDAP resource to that user and tried to save the record. On saving, here is the error I get: "Resource 'ESSOQA-SiteMinderLDAP' is not accessible at this time. Correct the resource access problem or remove this resource from the user before attempting any updates".
PS: The entry DN for the LDAP account starts with ssouid=XXX,ou=XXX,o=test.com. The uid field is not used for the entrydn attribute and the ssouid field is a random text. However, the uid field in LDAP and the IDM account ID will be the same.
Please help figure out what the issue could be.

All you need to do is to link the IDM users with the SSO LDAP resource, don't call the reprovision.
Also make sure you have SM_USERDN in the pass-thru authentication variable to allow pass-through authentication.
If you are using the SiteMinder resource just for authentication, then all you need to have is just the LDAP connection parameters.
-Aravanan

Similar Messages

  • Assigning Multiple Resource Accounts to IdM User Account in IdM 7.0

    Hi All -
    Has anyone tried assigning multiple resource accounts to an IdM User with IdM 7.0 by creating an Account type using Identity Rules? I tested it on a Simulated Resource and it works fine. But for Active Directory, which has personal accounts and Admin accounts on different OUs in AD, when I am trying to do the Bulk Upload, the bulk upload is able to link up the Admin account on AD to the user account. But then it tries to create an additional account as well, even though the user that executed the Bulk action has a Blank form assigned. Has anyone been able to figure this out yet? If yes, can you please provide some inputs on this?

  • Assign ldap resource through workflow

    I'm trying to assign an LDAP resource to a user through a custom workflow. I get the user view and I've tried adding the LDAP resource to user.accounts, user.waveset.accounts, user.waveset.resources, user.accountInfo.accounts and checking in the view. But adding none of these creates an LDAP account. What do you add to the user view to assign a resource account to a user? Thanks in advance.

        <set name='user.waveset.resources'>
          <appendAll>
            <ref>user.waveset.resources</ref>
            <list>
              <s>LDAP</s>
            </list>
          </appendAll>
        </set>
    will keep the current resource values and add the additional one, I think.
    -Rob

  • Assign Access Manager roles to end users?

    Hello,
    I am looking for information on how to assign an AM role to an end-user that is provisioned from IDM 7 to AM 7.1 using the AM resource adapter.
    We are modeling our IDM to AM provisioning based on this BigAdmin guide:
    http://www.sun.com/bigadmin/features/articles/id_access_integration.pdf
    However, in that document, it appears that the end user role is manually assigned to the user after provisioning to AM. We wish to do this role assignment in IDM, and have IDM push the assignment to AM (and by extension, the LDAP directory).
    Is this possible when using the AM resource adapter?
    Regards,
    Dillon

    Certainly.
    My role definitions look like this in the RoleAttributes section (you can configure this through the GUI in Roles > [rolename] > Set Attribute Values):
        <RoleAttribute name='RoleName:#ID#SunAccessManagerResource:roleMemberships'>
          <AttributeName>roleMemberships</AttributeName>
          <AttributeValueString>
            <List>
              <String>AMRoleName</String>
            </List>
          </AttributeValueString>
          <Requirement>Authoritative merge with value, clear existing</Requirement>
          <ResourceRef>
            <ObjectRef type='Resource' id='#ID#SunAccessManagerResource' name='SunAccessManagerRealm'/>
          </ResourceRef>
        </RoleAttribute>
    What this will do is set the nsRoleDN attribute (renamed as 'roleMemberships' by the adapter) in the assigned resource account for the user; the requirement field I've set to auth-merge-with-value, but you may want to play about with other settings.

  • Assigning a resource via a role

    I have a read-only resource that is being assigned via a role. If the user being assigned the role exists in the resource, then link the user to the resource and update one resource attribute. If the user being assigned the role does not exist in it, then do something else.
    I've tried adding various resource attributes but without any success.
    What's the best way to achieve this?
    I'm using:
    siebel crm adapter
    idm 8.0
    cheers
    ck

    Thanks for the replies.
    I sorted this problem by checking that <ref>waveset.roleInfos[*].name</ref> contained the required list of roles. If this condition was satisfied, I then called a rule that called a static method that checked that the account existed. If the account existed, then the following attributes were set:
        <Field name='waveset.accounts[ResourceName].created'>
          <Default>
            <s>true</s>
          </Default>
        </Field>
        <Field name='waveset.accounts[ResourceName].identity'>
          <Default>
            <ref>global.accountId</ref>
          </Default>
        </Field>
        <Field name='waveset.accounts[ResourceName].accountId'>
          <Default>
            <ref>global.accountId</ref>
          </Default>
        </Field>
    Thanks again

  • How to get the list of IDM users in a workflow.

    Hi,
    I wanted to get the list of IDM users in a workflow into a list. Now I tried to use the getObjects method; I do not have the display session here, so I passed the workflow context or WF_Context. But it is giving an exception like "context null".
    I used the same method in a form and it worked. How can I get the list of users in a workflow? It is for customizing reports.
    Thanks and Regards,
    Pandu
    Any idea on how to customize reports including attributes from resources and auditing attributes etc.? Any help would be really great.
    Thank you.

    Hi John,
    I get this exception: WorkItemForm: no id.
    This comes when I click on the other column. I generate the data needed in a report and display it as a sorting table when I get the data.
    I want to give the user the ability to sort data by different columns. But when I click any column I get the exception
    WorkItemForm: no id
    How can I save a workitem on a manual form before invoking it from a manual action?
    Here is the code snippet
        <Field name='tblUsers'>
          <Display class='SortingTable'>
            <Property name='selectEnable' value='false'/>
            <Property name='align' value='left'/>
            <Property name='linkEnable' value='false'/>
            <Property name='sortEnable' value='true'/>
            <Property name='width' value='400'/>
            <Property name='columns'>
              <List>
                <String>Account id</String>
                <String>First Name</String>
              </List>
            </Property>
          </Display>
          <FieldLoop for='row' in='_searchList[*]'>
            <Field name='enduserId'>
              <Display class='Label'>
                <Property name='value'>
                  <block trace='true'>
                    <invoke name='getAccountId'>
                      <ref>row</ref>
                    </invoke>
                  </block>
                </Property>
              </Display>
            </Field>
            <Field name='lblfirstname'>
              <Display class='Label'>
                <Property name='value'>
                  <invoke name='getAttribute'>
                    <ref>row</ref>
                    <s>firstname</s>
                  </invoke>
                </Property>
              </Display>
            </Field>
          </FieldLoop>
        </Field>
    I think I may need to save some workItem; that is why this may be giving the error. How can I correct this?
    Thanks,
    pandu

  • Instead of creating new resource, recon is updating the same resource object for a user

    Hi,
    I created a DB target recon in OIM 11g. I ran recon and it created a resource object. The resource is visible in the Accounts tab. Now, I added one more entry with a different description in the DB. I ran the recon again. This time, instead of creating a new resource object, recon linked it to the same user with the same resource object.
    My requirement is to create as many resource objects as there are entries in the DB table. The recon should not link all DB entries with the same resource object in IDM. For every entry in the DB, recon should create that many resource objects in the Accounts tab of the user.
    Please let me know how to achieve the same.
    Regards,
    Kalpana.

    Hint is: Verify the Reconciliation Key field mapping in the Process definition.
    Thanks,
    Pallavi

  • SAP IDM - User Sync to UME Not Working

    Hi All,
    Currently we're planning to implement IDM 7.1 SP05 for ESS/MSS user password provisioning. We've done the basic configuration as per the guides, and HR employees have synced to VDS and then to the SAP Master Identity Store.
    Now we want to sync these users back to the IDM UI to set up password provisioning as per the guide 'User management for the Identity Management User Interface'.
    However, every time we assign the PRIV:UME role to users it calls the Global Task Event 'Modified User'. However, as we understand it, it should call the Create UME User, Modified UME User or Delete UME User task, which will create users in the IDM UME.
    Therefore users are not created in the IDM UME, and the system also does not show enough log to analyse it. We've assigned the correct Privilege Task under PRIV:UME and it points to the Create, Modified and Delete UME tasks as well.
    Appreciate the support on the same.
    Thanks.

    Dinesh
    Thanks for the response.
    But all you mentioned has been checked.
    keys.ini is fine (I had a problem with that before), the provisioning option is set, all tasks are checked that they're enabled.
    Simply, when I assign PRIV:UME to a user, a "ModifyUser" log entry appears for the corresponding (successful) IDM user modification -> but that's it. Nothing else. No other job log, no system log, nothing in the log of the Java stack. Simply nothing. I don't know why the UME provisioning tasks are neither triggered nor ANY log entry appears. It's hard to continue analyzing when a system appears like a black box and absolutely no information is returned.
    I also failed at several attempts to call these tasks directly/from manually created tasks.
    These tasks "simply" do not react any more.
    Regards
    Stefan

  • Bulk Action to merge an IDM user to a Siebel CRM user

    Hi,
    I'm using SJS IDM 6.1 and I'm trying to merge an IdM user to a user that is created on the Siebel CRM by a bulk action.
    The script used is the following:
        command,user,waveset.resources,accounts[Siebel CRM].identity
        Update,IdMuser,|Merge|Siebel CRM,Siebel CRM user
    The result is that the IdM user was associated to the Siebel CRM resource with the IdM account, and not linked to the Siebel CRM account, and it is not found on the Siebel resource (obviously).
    I have a lot of IdM users to merge to the Siebel CRM accounts.
    Does anybody know how to merge the accounts by bulk action?
    Thanks in advance
    Message was edited by:
    oruam69

    If you are using any other resource as Pass-through Authentication, then the password fields can be blank. In fact, if you enable pass-through authentication, the tabbed user form does not show the password fields.

  • Assigning a default value to a user property

    Hi everyone,
    do you know how I can assign a default value to a user property? It would be great if I were able to assign it from the administration without writing any code (like profile web services...).
    Thank you!
    Alberto Marchiaro

    Hi Alberto,
    I don't think you can currently do this. In other words you can't set a default value for some object property and have it subbed in when no better value is available.
    You can however create a default profile, and set values for the object properties assigned to users (You do this by going to the "Default Profiles" manager). You can then edit the "Default Profile" that is already there (or create a new one), and edit the "Properties and Names". Set the value field to whatever you'd like to be copied by default.
    Once done, all new users that are created via a User Synchronization job will have this default profile. The changes will not apply to users that were previously created. If you created a new Default Profile in the Default Profiles Manager, then you need to go to the Authentication Source that you are doing your syncs from and pick which profile you'd like to use for All Groups. You can also create custom Default Profiles for various groups.
    Hope this helps,
    Akash

  • Assigning a default schema to a user.

    In Oracle, can I assign a default schema to a user without using the alter session command?
    Is there an ALTER USER setting where I can assign a user a default schema?

    Buddy,
    To answer your question:
    1. First grant select any table, or "grant select on all tables of user 'ELLIPSE'" to the user "094137".
    2. Later, to access schema ELLIPSE's objects from the "094137" user, you'll have to create public synonyms for all of the tables in the ELLIPSE schema.
    3. This way, the user "094137" can access all tables in schema ELLIPSE without specifying (prefixing) the schema name.
    Hope this helps
    Thanks
    I would like the user "094137" to log on and have access to the tables in another schema "ELLIPSE" without qualifying the table name with "ELLIPSE".
    The user "094137" has no objects of her own and only accesses the objects of the schema "ELLIPSE".
    Is there a direct way of assigning a user (with no objects) to have a default schema of another user (without the alter session default schema statement)?
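The reply's approach (per-table grants plus synonyms, no ALTER SESSION) carried through as an added PL/SQL example that is not from this thread. It assumes a DBA session, takes the schema ELLIPSE and the user 094137 from the thread, reads table names from the data dictionary, and swaps the reply's PUBLIC synonyms for private ones in 094137's schema so the unqualified names are visible to that user only.

```sql
-- Added example, not from the thread: let user "094137" query every table in
-- schema ELLIPSE by bare name, without ALTER SESSION SET CURRENT_SCHEMA.
-- Assumes a DBA session (GRANT ANY OBJECT PRIVILEGE, CREATE ANY SYNONYM).
BEGIN
  FOR t IN (SELECT table_name FROM dba_tables WHERE owner = 'ELLIPSE') LOOP
    -- Least privilege: SELECT on each ELLIPSE table rather than the reply's
    -- SELECT ANY TABLE, which would expose every schema in the database.
    EXECUTE IMMEDIATE 'GRANT SELECT ON "ELLIPSE"."' || t.table_name
                      || '" TO "094137"';
    -- Private synonym in 094137's own schema: resolves the bare table name
    -- for that user only. The reply's CREATE PUBLIC SYNONYM would also work
    -- but advertises the names to every account on the instance.
    EXECUTE IMMEDIATE 'CREATE OR REPLACE SYNONYM "094137"."' || t.table_name
                      || '" FOR "ELLIPSE"."' || t.table_name || '"';
  END LOOP;
END;
/

-- Check, run as 094137: each ELLIPSE table should now appear by bare name.
SELECT synonym_name, table_owner, table_name FROM user_synonyms
 WHERE table_owner = 'ELLIPSE';
```

Tables added to ELLIPSE later are not covered automatically; rerun the block (the grants and CREATE OR REPLACE are idempotent) after schema changes.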

  • Error while assigning the fallowing role to the user

    Hi,
    ERROR 2007-01-18 14:13:25
    CJS-30196  Role SAP_BC_JSF_COMMUNICATION_RO is not assigned to user SAPJSF
    I am getting the following error while trying to assign the following role to the user. Can anybody throw some light on it?
    Thanks
    kiran.B

    Hi,
    Standard roles are not assigned to users directly. Make sure that you copy the role from the standard roles, then change the naming convention according to your company specification.
    Ex: standard role: SAP_BC_JSF_COMMUNICATION_RO
    Step 1: go to t-code PFCG and give the role name in the role tab: SAP_BC_JSF_COMMUNICATION_RO
    Step 2: press the copy button and change the naming convention.
    Step 3: Assign to the user.
    I hope it will help you.
    kiran kumar.v

  • Unable to assign all security roles to a user with a new custom security role

    Dear All,
    Happy New Year.!
    I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has the 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign any desired security role to the new user.
    However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, let's say 'Support User Role'. We have provided 'Create', 'Append', 'Append To', and 'Assign' rights on the 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign the 'Agent' security role, not any other security roles.
    For example, if user 'x' has the Security Role defined as 'Support User Role', and 'x' tries to add a new user 'y', then 'x' is only able to assign the 'Agent' security role to 'y', but not any other security role. As per the business requirement, 'x' should be able to assign some other security roles, including 'Support User Role', to the new user 'y'.
    I believe that there is something missing in the Security Role configuration, which is causing the above problem. We compared both the 'Support User Role' and 'System Administrator' security roles, but were not able to figure out which minimum rights we can provide to 'Support User Role' so that users with this security role can only add new users (with any security role), and that they do not have access to any other Administration features as well.
    Appreciate any help that you can provide on the above issue.
    Thanks in anticipation.

    Hi,
    Can you check if you have organization-level Read access for Security Role and organization-level Assign access for Security Role.
    Refer:-
    http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
    Hope this helps!!!
    Thanks,
    Prasad
    Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

  • Acct assignment cat. of item not in user data; Inform system admin

    Hi all,
    We are on a SRM EBP 5.0 project and we are getting the following error when we try to create a purchase order from the purchasers login.
    "Acct assignment cat. of item not in user data; Inform system admin"
    The complete details of the screen shot are as follows:
    The following error text was processed in the system DS1 : Acct assignment cat. of item not in user data; Inform system admin.
    The error occurred on the application server lndnysap1_DS1_01 and in the work process 0.
    The termination type was: TH_RES_FREE
    The ABAP call stack was:
    Form: ABORT_PO of program SAPLBBP_PO_UI_ITS
    Form: ADD_TO_MSG_LOG of program SAPLBBP_PO_UI_ITS
    Form: ADD_TO_MSG_LOG_MULTI of program SAPLBBP_PO_UI_ITS
    Form: SET_PRICING of program SAPLBBP_PO_UI_ITS
    Form: DETERMINE_EXTERNAL_SCREEN of program SAPLBBP_PO_UI_ITS
    Module: DETERMINE_EXTERNAL_SCREEN of program SAPLBBP_PO_UI_ITS
    We did the following steps :
    Created shopping cart as employee, and WF triggered approval by manager.
    Purchaser did "Carry Out Sourcing", and if we say "Create Purchase Order", the PO gets created with an information message that "Incomplete purchase order 11/1 is created".
    When we go to "Process Purchase Order" for the completion of the same, if we look at Follow-on documents, "Purchase Order Held" occurs.
    In the tab Item Data details, Pricing tab, we get this error.
    Can any of the SRM gurus suggest to us what to do?
    In our admin logon it shows
    "Server for pricing is not running. Start Server" after every run of this process purchase order from the purchaser's login, though our IPC is working fine.
    It will be of great help if somebody replies soon.
    Sincerely,
    Sridhar.

    Hi,
    IPC has to be configured.
    Please check the following threads :
    https://forums.sdn.sap.com/click.jspa?searchID=211089&messageID=2714527
    https://forums.sdn.sap.com/click.jspa?searchID=211089&messageID=2715019
    Kind regards,
    Yann

  • Assignment of Transaction variant to some users only

    Hi,
    I have created one transaction variant for T.code MM02. With this, some fields were made display mode. I want to assign this transaction variant to a few of the users only, not all users. That is, for others the above are changeable.
    So I want to know how to assign this transaction variant to the respective users only. If I activate this as a standard variant, it is applicable to all. But I want to assign it to a few only.
    Regards.
    Veerappa
    Edited by: Chinna Veerappa on Oct 17, 2008 7:03 AM

    Hi,
    I tried this before posting the above. When I assigned some users, it is reflecting for all users (irrespective of the user assignment, if I activated it).
    Regards,
    Veerappa
