Detailed steps  to make SSO using OAM 11g

Similar Messages

• Custom Token authentication using OAM 11g

  Hi All,
  I have the following requirement: Authenticate a resource based on custom token if it is null or not. There is no need to map the token with an user record.
  Environment is all 11g.
  What is the best way to implement it? Is it possible to do it with just OAM 11g alone? Or does it require Oracle STS too? Please provide your inputs.
  Thanks,
  Mahendra.
  Edited by: 903004 on Jan 8, 2012 9:08 PM

  Can someone provide inputs on this? Please treat this as urgent.

• OBIEE 11g SSO using OAM and AD (authentication provider)

  Hi
  I am authenticating my OBIEE users thru Microsoft Active Directory and it works fine.
  I would like to set up sso, so as to achieve seamless navigation from my Peoplesoft system to OBIEE.
  If anyone has done this before, then could you point me to some reference material. I am not able to find any online.
  Thanks
  Madhu

  I believe you can integrate peoplesoft in the same way we have done it for EBS
  follow below link. it will help you.
  https://kr.forums.oracle.com/forums/thread.jspa?threadID=645740
  Thanks
  Jay.

• OAM 11g Webgate 10g customized SSO logout page

  As stated in the title, I am using OAM 11g and Webgate 10g. I am trying to create a customized SSO logout page but am confused on a few parts. First off, in http://docs.oracle.com/cd/E17904_01/doc.1111/e15478/logout.htm#CHDHFGJC , it states the following step for their logout.html:
  Logic in logout.html redirect to the OAM Server. For example:
  http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/
  welcome.htmlMy question is if this is truely required? Or is there a way to have OAM invalidate the session and do its internal part of the logout procedures without needing to force the user to redirect to the OAM server's logout URL (eg: it automatically recognizes that the Webgate URL is "...../logout.html" and handles it properly). From talking to colleagues it sounds like this should be possible, and I see some mentions of it in the above documentation, but this appears to be 11g OAM and 11g Webgate behavior. At the same time though, the line "Logout is initiated when an application causes the invocation of the logout.html file configured for any registered OAM 10g Webgate." Leads me to believe that it can work with 10g webgate as well.
  Or, is there a way to have multiple valid logout pages on the OAM server? (There is currently a customized logout page that we cannot modify, and does not meet all the requirements we have for look/feel)
  Thank you
  Edited by: mBaldwin on Apr 12, 2013 10:30 AM

  Bump Any ideas?

• OAM 11g BP02 with Kerberos is not working on AIX

  Hi,
  We are trying to configure OAM 11g with Kerberos on AIX with no success..
  Resource is protected according to OAM documentation guide but the oam logs shows the following:
  [2012-08-28T00:03:22.305-05:00] [oam_server1] [TRACE] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread:
  '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000J_fbCuS9h^k5kzWByZ1GF532
  00000G,0] [APP: oam_server] [SRC_METHOD: log] [SRC_CLASS: oracle.security.am.engines.common.adapters.OAMLoggerImp
  l] Authentication Failed.[[
  javax.security.auth.login.LoginException: Bad JAAS configuration: bad URL /home/oracle/oam.keytab
  Error java.net.MalformedURLException: no protocol: /home/oracle/oam.keytab
  at com.ibm.security.jgss.i18n.I18NException.throwLoginException(I18NException.java:5)
  at com.ibm.security.auth.module.Krb5LoginModule.j(Krb5LoginModule.java:537)
  at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:146)
  at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:274)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
  at java.lang.reflect.Method.invoke(Method.java:611)
  we are using OAM 11g BP 02.
  oam-config.xml is configured as follow:
  <Setting Name="KerberosModules" Type="htf:map">
  <Setting Name="6DBSE52C" Type="htf:map">
  <Setting Name="keytabfile" Type="xsd:string">/home/oracle/oam.keytab</Setting>
  <Setting Name="krbconfigfile" Type="xsd:string">/etc/krb5/krb5.conf</Setting>
  <Setting Name="name" Type="xsd:string">Kerberos</Setting>
  <Setting Name="principal" Type="xsd:string">HTTP/myssoserver@mydomain</Setting>
  </Setting>
  </Setting>
  Please let me know how to get this resolved. Thanks in advance.
  Regards.

  David,
  Your Principal name should be the SSO LB URL.(ie :sso.mycomany.com)
  ktpass -princ HTTP/sso.mycomany.com@DOMAIN -pass XXXXXXX mapuser DOMAIN\user -out oam.keytab.
  Also make sure sso.mycomany.com has a reverse DNS configured correctly.
  you can check using dig command
  ping sso.mycomany.com
  What ever the ip-address
  dig -x <IP-ADDRESS>
  Check in the reverse DNS section there should be 1 record.
  ;; ANSWER SECTION:
  1.1.1.1.in-addr.arpa. 3600 IN PTR sso.mycomany.com.
  Let me know if you have more questions.
  Thanks
  Saurabh

• OAM 11g "Failure URL" in Authoriztion policy not working?

  Hi,
  Per the subject, I am running OAM server 11g (11.1.1.3), with an OAM 10g Apache webgate.
  In the OAM Authorization policy (protected), I have specified a full URL for the "Failure URL", to get the browser to redirect when an authorization failure occurs.
  However, when I test with a user that does not have access (user authenticates ok, but doesn't have right to access the protected resource), instead of the browser being redirected, I am getting an "Oracle Access Manager Operations Error" page.
  I've been trying to figure this out, and have found several threads about this, e.g.:
  OAM 11g authz redirect URL not working?
  But, as I said, I am using OAM 11g server, and there is no "Inconclusive URL" in the policy settings (I guess there was in 10g, but not in 11g).
  I have trace logging enabled on the OAM server, and I can clearly see that the request is getting "results DENY", but there's no indication in the logs that OAM server is aware of any failure redirection URL.
  I've also got a header trace, and I can see that the browser is simply being re-directed to the "/oberr.cgi...." URL, so it' not going "somewhere else".
  So, does anyone know why the "Failure URL" is not working in OAM 11g in Authorization policies?
  Thanks,
  Jim
  P.S. The URL that it's suppose to be re-directing the browser to is in the Public resources under Authorization, and as I said, I don't see the browser even attempting to go to the failure URL, either via header traces or the OAM server logs.
  Edited by: jimcpl on Nov 5, 2011 8:53 PM

  Hi,
  Per the subject, I am running OAM server 11g (11.1.1.3), with an OAM 10g Apache webgate.
  In the OAM Authorization policy (protected), I have specified a full URL for the "Failure URL", to get the browser to redirect when an authorization failure occurs.
  However, when I test with a user that does not have access (user authenticates ok, but doesn't have right to access the protected resource), instead of the browser being redirected, I am getting an "Oracle Access Manager Operations Error" page.
  I've been trying to figure this out, and have found several threads about this, e.g.:
  OAM 11g authz redirect URL not working?
  But, as I said, I am using OAM 11g server, and there is no "Inconclusive URL" in the policy settings (I guess there was in 10g, but not in 11g).
  I have trace logging enabled on the OAM server, and I can clearly see that the request is getting "results DENY", but there's no indication in the logs that OAM server is aware of any failure redirection URL.
  I've also got a header trace, and I can see that the browser is simply being re-directed to the "/oberr.cgi...." URL, so it' not going "somewhere else".
  So, does anyone know why the "Failure URL" is not working in OAM 11g in Authorization policies?
  Thanks,
  Jim
  P.S. The URL that it's suppose to be re-directing the browser to is in the Public resources under Authorization, and as I said, I don't see the browser even attempting to go to the failure URL, either via header traces or the OAM server logs.
  Edited by: jimcpl on Nov 5, 2011 8:53 PM

• Urgent: OAM 11g allow/block URLs

  Hi All
  I am using OAM 11g R1 and want to allow some and block some URLs. Please let me know if this can be configured in OAM.
  URLs to be allowed:
  http://Hostname1:80/rootContext?x=1
  http://Hostname1:80/rootContext?x=2
  URLs to be blocked:
  http://Hostname1:80/rootContext?x=3
  http://Hostname1:80/rootContext?x=4
  Please help. This is really urgent
  Thanks

  I am aware of OAM configurations but want to know more about this specific configuration where the resource URL is the same and just the query parameter is different.

• Oam 11g r2 Access Client error

  Hi guys,
  I am trying to create an AccessClient based on section 2.2.3 Sample Code: Simple Access Client of following..
  http://docs.oracle.com/cd/E27559_01/dev.1112/e27134/as_api.htm#BGBCEHCI
  the code successfully initialized AccessSDK but giving following error
  ======
  Jul 7, 2013 2:54:58 PM oracle.security.am.asdk.ResourceRequest isProtected
  SEVERE: Unknown exception.
  Access Exception: OAMAGENT-02071
  Process exited with exit code 0.
  ===========
  how can we clear this issue...
  Regards,
  jdev

  Hi colin,
  thanks for the reply..
  I am using oam 11g r2 and i did following,
  1.successfully configured an OAM 10GAgent with remote registration with '/**' as protected resource.
  2.created java project in jdeveloper.
  3.Added all the jars in the project by setting libray and class path.
  4.copied the OBAccessClient.xml to developemt system folder D:\softwares\11gR2\OAMSDK's\RREG10G_OAM\oblix\lib.
  5.copied JAccessClient.java and did follwing modifications..
    public static final String m_configLocation = "D:\softwares\11gR2\OAMSDK's\RREG10G_OAM" 
  6.kept the following as it is
    ac = AccessClient.createDefaultInstance(m_configLocation,AccessClient.CompatibilityMode.OAM_10G);
  7.Observed the OAM SDK initialization is successful,
  8.Observed that acessclient and resources request objects are not null by adding following in the class file,
     System.out.println(ac) gives oracle.security.am.asdk.AccessClient@17f409c
  as output
     System.out.println(rrq) gives oracle.security.am.asdk.ResourceRequest@facf0b
  as output
  Following is OBAccessClient.xml
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <CompoundList xmlns="http://www.oblix.com">
      <SimpleList>
          <NameValPair ParamName="id" Value="RREG10G_OAM"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="debug" Value="false"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="security" Value="open"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="state" Value="Enabled"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="preferredHost" Value="RREG10G_HostId"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="maxCacheElems" Value="100000"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="cacheTimeout" Value="1800"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="maxSessionTime" Value="3600"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="maxConnections" Value="1"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="failoverThreshold" Value="1"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="aaaTimeoutThreshold" Value="-1"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="sleepFor" Value="60"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="denyOnNotProtected" Value="1"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="cachePragmaHeader" Value="no-cache"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="cacheControlHeader" Value="no-cache"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="ipValidation" Value="0"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="accessClientPasswd" Value=""/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="cookieSessionTime" Value="0"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="idleSessionTimeout" Value="3600"/>
      </SimpleList>
      <SimpleList>
          <NameValPair ParamName="primaryCookieDomain" Value=".mycompany.com"/>
      </SimpleList>
      <ValList ListName="logOutUrls">
          <ValListMember Value="/oamsso/logout.html"/>
      </ValList>
      <ValList ListName="primary_server_list">
          <ValListMember Value="primaryServer1"/>
      </ValList>
      <ValNameList ListName="primaryServer1">
          <NameValPair ParamName="host" Value="oamserver.mycompany.com"/>
          <NameValPair ParamName="port" Value="5575"/>
          <NameValPair ParamName="numOfConnections" Value="1"/>
      </ValNameList>
      <ValList ListName="proxySSLHeaderVar">
          <ValListMember Value="IS_SSL"/>
      </ValList>
      <ValList ListName="URLInUTF8Format">
          <ValListMember Value="true"/>
      </ValList>
      <ValList ListName="client_request_retry_attempts">
          <ValListMember Value="1"/>
      </ValList>
      <ValList ListName="inactiveReconfigPeriod">
          <ValListMember Value="10"/>
      </ValList>
  </CompoundList>
  ==============================
  Please let me know the way which i did is correct or not...
  Regards,
  Jdev

• Unable to authenticate users using Custom plugins in OAM 11g

  We are working on a requirement in which we have to write a custom authentication plugin in OAM 11g.
  we were able to import and activate the plugin
  we created a new authentication module with steps in the following order
  1)UserIdentificationPlugin
  2)UserAuthenticationPlugin
  3)Our custom plugin to create custom responses(We just created the class with mandatory methods and process method returning success)
  but finally when we try to authenticate,authentication fails resulting in OAM-2 error.We had entered valid credentials
  Can somebody please help me on resolving this issue.
  The plugin code,manifest file and Metadata XML is shared below.
  Plugin Code
  public class NewPlugin extends AbstractAuthenticationPlugIn {
  private static final String CLASS_NAME = "FirstTestClass";
  public ExecutionStatus initialize (PluginConfig config){
  super.initialize(config);
  if(LOGGER.isLoggable(Level.FINE)){
  LOGGER.logp(Level.FINE,CLASS_NAME,"initialize","Entering initialize");
  return ExecutionStatus.SUCCESS;
  @Override
  public String getDescription() {
  // TODO Auto-generated method stub
  return null;
  @Override
  public Map<String, MonitoringData> getMonitoringData() {
  // TODO Auto-generated method stub
  return null;
  @Override
  public String getPluginName() {
  // TODO Auto-generated method stub
  return null;
  @Override
  public int getRevision() {
  // TODO Auto-generated method stub
  return 0;
  @Override
  public ExecutionStatus process(AuthenticationContext context)
  throws AuthenticationException {
  if(LOGGER.isLoggable(Level.FINE)){
  LOGGER.logp(Level.FINE,CLASS_NAME,"initialize","Entering process");
  return ExecutionStatus.SUCCESS;
  @Override
  public void setMonitoringStatus(boolean arg0) {
  // TODO Auto-generated method stub
  @Override
  public boolean getMonitoringStatus() {
  // TODO Auto-generated method stub
  return false;
  MANIFEST.MF
  Manifest-Version: 1.0
  Bundle-ManifestVersion: 2
  Bundle-Name: NewPlugin Plug-in
  Bundle-SymbolicName: NewPlugin
  Bundle-Version: 1.0.0
  ImportPackage:org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api,oracle.security.am.common.utilities.principal,oracle.security.idm,javax.naming,javax.sql,javax.security.auth
  Bundle-RequiredExecutionEnvironment: JavaSE-1.6
  METADATA XML
  <?xml version="1.0" encoding="UTF-8" ?>
  <Plugin name="NewPlugin" type="Authentication">
  <author>me</author>
  <email>[email protected]</email>
  <creationDate>11:40:20,2012-13-02</creationDate>
  <version>1</version>
  <description>Custom User Authentication Plugin</description>
  <interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
  <implementation>newplugin.NewPlugin</implementation>
  <configuration>
  <AttributeValuePair>
  <Attribute type="String" length="20">DataSource</Attribute>
  <mandatory>true</mandatory>
  <instanceOverride>false</instanceOverride>
  <globalUIOverride>true</globalUIOverride>
  <value>jdbc/CISCO</value>
  </AttributeValuePair>
  </configuration>
  </Plugin>

  Your search results show that the user "collini" was not found (nentries=0). This could be caused by a number of reasons.
  1) The user doesn't exist under "ou=people,dc=our,dc=domain"
  2) The user doesn't contain the posixAccount objectclass
  3) The user account that performed the search doesn't have access rights to read/search that user account
  What user account was used to BIND on the connection that the search was done on?
  Try performing the same exact search with an account you know can retrieve the entry. For example:
  ldapsearch -D "cn=Directory Manager" -w - -b ou=people,dc=our,dc=domain -s one "(&(objectClass=posixAccount)(uid=collini))"
  If the entry doesn't return as a result of the search then either #1 or #2 above is the problem. If the entry does return then #3 is your problem.

• SSO for ALUI using OAM 10.1.4.0.1

  Has any1 successfully tested SSO for ALUI or WCI using OAM??? I would appreciate if someone shares the policy created. you can send me an email to [email protected]
  Edited by: Ferry on Sep 24, 2009 11:07 PM

  The 10.1.4.0.1 installers can still be found on http://edelivery.oracle.com under Oracle Application Server 10.1.3 - please see Note 1286374.1 for details. 10.1.4.0.1 is deprecated, and I would certainly recommend using the base 10.1.4.3 installers if at all possible.
  Regards,
  Colin

• How to configure and deploy OAM 11g with DB setup using silent mode

  Hello all,
  I am trying to create automation process to install and configure OAM 11g on WLS. This task involves three stages
  1. Install WLS
  2. Install OAM 11g
  3. Create DB schema using RCU
  4. Configure and deploy OAM 11g
  I have done first 3 stages in silent mode using scripts and response files. I am stuck at 4th stage. I know how to configure and deploy OAM 11g using config.sh via GUI installer as well as console mode. But I would like to run config.sh in silent mode something like
  ./config.sh -mode=silent -silent_script=<script_location>
  I have searched a lot, but could not find any resource on how to do it? I tried passing the parameters via a text file. But that has not worked. I have also explored WLST, but it also does not work. Given that first 3 things are relatively very simple, the 4th step is becoming complex. I would be very thankful if someone can please point me in the right direction.
  Thanks!

  Have a look at your software directory : <sofware directory>/Disk1/stage/Response
  Here you will find 2 rsp files which you can use to install and then configure it all.
  Good luck.
  Filip

• What are the steps to make it seamless for a customer to use the install program and then use the installed program?

  I wrote an install program (.exe) that is downloaded from a website.  When run, it 1) leads a customer to browse to a directory, and 2) copies files (.exe, .dll, etc.) from a website to that directory.  When I run, the installed program works.
  What are the steps to make it seamless for a customer to use the install program and then use the installed program? 
  bhs67

  This site https://msdn.microsoft.com/en-us/library/vstudio/2kt85ked%28v=vs.110%29.aspx provides a basic description of the Visual Studio Windows Installer. 
  Near the bottom of the page is "You can unlock all the features of InstallShield by paying to upgrade to the full version of InstallShield."  Where do I find info that describes the differences between the "free" and the "full"
  versions?
  bhs67
  Hello,
  The default feature does support the task for your requirement, so there is no need to pay for the other features unless you want to use some feature which is not free.
  In addition, as this thread
  InstallShield LE not available with VS 2012 RTM? shared, even through there is a link to InstallShield LE in the New Project dialog under Deployment solutions, but it belongs to third-party that I would recommend you consider posting this issue
  at the following forum to get supports about InstallShield.
  http://community.flexerasoftware.com/forumdisplay.php?133-InstallShield
  Regards.
  Carl
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• LDAP configuration using AD in EP complete details steps

  Hi gurus,
              Can anybody provide me complete details
  step to configur UME and LDAP configuration
  THanks
  Happy

  Hi,
  Below is the configuration for UME-LDAP. In configtool you have to do this configuration.
  ume.ldap.access.server_name : <servername>
  ume.ldap.access.server_port         :  <enter the port>
  ume.ldap.access.user                    : <user>
  ume.ldap.access.password           :  <password>
  ume.ldap.access.base_path.user  : 
  Ume.ldap.access.base_path.grup : 
  Refer the link for more info on LDAP configuration.
  http://help.sap.com/saphelp_nw70/helpdata/en/63/14f5b51a6eff429f2d8b2063400e82/frameset.htm
  Thanks
  R.Murali

• OIM-OAM 11g BP 02 integration not working as expected

  Hi Experts,
  We have OIM 11g and OAM 11g both upgraded to BP02 installed on separate hosts. We are using OID 11g as the directory servers and OVD 11g fronting OID for integration. We followed the steps mentioned in Oracle Document Oracle® Fusion Middleware Integration Guide for Oracle Access Manager 11g Release 1 (11.1.1)Part Number E15740-04 for integration purpose.
  After performing all the integration tasks mentioned in the document, while testing the ingtegration, the expected results are not been serverd.
  If I access OIM admin console URL, am getting default OIM admin console URl instead of OAM SSO login page for authencation. and also I am unable to login using either xelsysadm\oimadmin\oamadmin but I can login using weblogic, so this is referin to the default embeded LDAP of weblogic for credential validation.
  OIM and OAM are deployed on separate hosts, please find the deployment details below.
  1. JDK: 1.6.0_29
  2. WLS : 10.3.5
  3. LDAP: Oracle Internet Directory: 11.1.1.5.0
  Oracle Virtual Directory: 11.1.1.2.0
  4. Webserver: Oracle HTTP Server fronting the OIM
  The Integration videa on Support.oracle assumes that all components OIM\OAM/OID/OHS being on the same host.
  I have my OIM and OAM both patched to the latest BP which is BP 02. There is a support article which specifically talks about few settings ton be made for BP 02.
  the article ID is 1447494.1.
  Even after doing all these, the integration is not working.
  As per the support article, I need to use preferred host name for agent fronting OIM as IAMSuiteAgent and if I do that, the proxying of OIM server with the webserver host will not work at all and ends with 404 not found error when I access using http://OHShost:OHSport/oim.
  but if i use the name of agent i.e webserver name in the preferred host field, the redirection would happen and i get OAM SSO login page for authentication, however with the credential validation at this page, the OIM login page (http://OIMhost:OIMport/oim) is provided prompting for login again.
  also if i access OIM login page http://OIMhost:OIMport/oim directly, the OAM SSO page is not coming for authentication.
  I am awaiting your advice\suggestions or workarounds if any one has come across this kind of issue, which i am sure is an obvious case.
  Thanks,
  Nagendra

  Hi,
  Any help in this regard please/
  Thanks
  Nagendra

• OAM 11g reports with BI publisher 11g

  Hi Guys,
  I am facing issue while configuring the reports in BI Publisher for 11g while generating report i am getting error
  oracle.xdo.XDOException: oracle.xdo.XDOException: oracle.xdo.XDOException: Could not get data source connection for: Audit
  i will list down the steps
  1. Created a audit database using RCU
  2.Created a jdbd data source in weblogic
  3. Attach this data source to Audit store in Enterprise manager.
  4.deploy the reports in BI publisher
  5. created a jdbc data source to point to audit database.
  6.Attach this datasource to data modal and then to report. Now when i run the report i am getting this error
  oracle.xdo.XDOException: oracle.xdo.XDOException: oracle.xdo.XDOException: Could not get data source connection for: Audit
  guys provide me with some pointers.

  Hi,
  Here is a set of instructions on how to run the OAM 11g reports in BI 11g:
  http://oraclemiddlewareblog.com/2012/07/31/how-to-run-oam-11g-audit-reports-in-bi-publisher-11g/
  Basically, even if you have created the datasource to the XX_IAU schema, you still need to make sure that you enable the audit on the OAM side and that you configure the right filters for the audited operations.