How to configure OSTS to propagate user identity from OAM to OSB Service?

I have an 11.1.1.7 OAM environment and I need to protect applications and web services deployed in different domains with OAM.
I have already configured the application security, but I am having problems with the web services.
The issue is that I do not know how to protect a WS and cannot find a document that explains which configurations should be done.
I think I should use OSTS, but I don't know how to configure it or how to request tokens from a web service.
Regards.
Gonzalo.


Similar Messages

  • OAM SSO integration question:How can I get a user identity from ObSSOCookie

    We are building an OAM SSO solution. The App server is both on OAS and WLS. My question is that, after I get the ObSSOCookie from the httprequest, I need to verify whether the ObSSOCookie is a valid one, and I also need to get the user identity from the cookie and pass it to the login module to populate the user principal.
    Of course, one way of doing that is to install the Access Manager SDK and go from there. But we support multiple OSes, and it's a pain to add the Access Manager SDK to a different installer for each OS.
    I am trying to use the IdentityXML functions, which are a SOAP-based web service, so that I don't need to worry about the OS platform. But I can't find a web service which returns the user identity based on a valid ObSSOCookie. It seems that I can invoke a web service with a valid ObSSOCookie, but there is no way to get the user identity back. Am I missing something?
    Hope someone can help me out.
    Thanks.
    -Wei

    Ok. Sounds like you are a vendor trying to play well in an SSO environment.
    Here is what I tell OAM customers when they are evaluating software to see if it will cooperate with a system like OAM.
    Can the software's native authentication scheme be explicitly turned off (usually a configuration in a file)?
    Can the software be configured to accept a token of identity in the form of a Cookie or HeaderVar (also configurable in a file)?
    If the answer to both is yes, then the system is capable of 'third party trust' for authentication.
    From your perspective, your logic for login should be something like:
    Is my native authN turned off?
    If yes, can I find the cookie or header that I should be looking for?
    If yes, take the value and proceed to create user session for this identity per usual (except that you never evaluated the authN - you trust that it was done).
    If no, present the native AuthN scheme anyway.
    If you follow this pattern, you are in the good company of folks like PeopleSoft and Plumtree who had these types of integrations working long ago.
    Yes, there are other ways to do this but, in my humble opinion, this remains the most stable and effective pattern we see.
    What you ask for as the identity token value is up to you. It is often the login ID value that you would have used in your own authN procedure. There's nothing particularly sensitive about having a webgate set headers - they are only available to the server and not to the client. The cookie of course could be seen but can't be spoofed, as the webgate has the final word on its content.
    Mark
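    Mark's decision logic above, written out as a servlet filter. This is an added illustration, not code from the thread or from Oracle: the init-param names nativeAuthnEnabled and identityHeader, the session attribute name, the /login path and the default header name are assumptions chosen for the example.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative "third-party trust" filter (example code, not OAM product code).
 * Assumed init-params in web.xml:
 *   nativeAuthnEnabled - "true" keeps the application's own login; "false" trusts the gateway
 *   identityHeader     - header the WebGate sets with the login ID (default name is an assumption)
 */
public class ThirdPartyTrustFilter implements Filter {
    static final String PRINCIPAL_ATTR = "trusted.principal"; // assumed session attribute name

    private boolean nativeAuthnEnabled = true;
    private String identityHeader = "OAM_REMOTE_USER";

    @Override
    public void init(FilterConfig cfg) {
        String flag = cfg.getInitParameter("nativeAuthnEnabled");
        if (flag != null) nativeAuthnEnabled = Boolean.parseBoolean(flag);
        String hdr = cfg.getInitParameter("identityHeader");
        if (hdr != null && !hdr.isEmpty()) identityHeader = hdr;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Is native authN turned off? If not, fall through to the application's own login.
        if (nativeAuthnEnabled) {
            chain.doFilter(request, response);
            return;
        }

        // 2. A session already holds a trusted identity: nothing more to do.
        HttpSession existing = request.getSession(false);
        if (existing != null && existing.getAttribute(PRINCIPAL_ATTR) != null) {
            chain.doFilter(request, response);
            return;
        }

        // 3. Look for the header the WebGate sets. The value is only trustworthy when
        //    this server accepts traffic solely from the WebGate-fronted web tier.
        String user = request.getHeader(identityHeader);
        if (user == null || user.trim().isEmpty()) {
            // 4. No asserted identity: present the native login scheme anyway (assumed path).
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }

        // 5. Trust the asserted identity and create the user session as usual;
        //    authentication itself is never re-evaluated here.
        final String name = user.trim();
        Principal principal = new Principal() {
            @Override public String getName() { return name; }
        };
        request.getSession(true).setAttribute(PRINCIPAL_ATTR, principal);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}
}
```

    Map the filter in web.xml ahead of the protected servlets, and set nativeAuthnEnabled to false only in deployments that sit behind the WebGate; a deployment that is reachable without passing through the WebGate must keep native authentication on, because the header is then no longer guaranteed to have been set by the gateway.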

  • How to configure Email notification for User logins in Exchange Infrastructure?

    How to configure Email notification for User logins in Client Machines?

    Hi ,
    Based on the description , you need to assign logon scripts to the end users via group policy and also use your exchange server as the smtp server in that logon script to relay emails to the internal recipients.
    Thanks & Regards S.Nithyanandham

  • How can I delete the other user reviews from the apple app developed by me

    How can I delete the other user reviews from the apple app developed by me

    As a registered developer you have access to the registered developers discussions area and direct access to the appropriate Apple personnel in regards to such a question. Pretty sure app reviews can't be deleted, but this is far from the appropriate place to get an answer for this.

  • How Session/token/Header is passed to Application from OAM ?

    Hi Experts,
    I have understood that IAM will have obssocookie (10g webgate), OAM_RMOETE_HEADER (OAM identity asserter); is there anything like a session as well?
    Question is
    Where is a mapping of enterprise Application session and OAM session ? in other words where we do configuration/assignment of session?
    Assumption : Enterprise application is deployed on one weblogic. (application like ADF,WCP,EJB)
    IAM is on another weblogic.
    Help appreciated

    For your question: How Session/token/Header is passed to Application from OAM?
    1. The application containing the access code receives the user request for the resource
    2. AG constructs an ObResourceRequest structure
    3. The AG constructs an ObAuthentication structure (for protected resources)
    4. Access server responds and AG constructs an ObUserSession structure
    5. If the credentials are true then AG creates a Session Token for the user (this Token has the user identity, name of the target requested etc.)
    Thanks
    Vishwa
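    Vishwa's five steps as an AccessGate written against the OAM 10g Access SDK (package com.oblix.access). This is an added example, not code from the thread or from Oracle; the class and method names are as I recall them from that SDK and should be checked against the SDK javadoc for your version, and the install directory, resource URL and user are placeholders.

```java
import java.util.Hashtable;

import com.oblix.access.ObAccessException;
import com.oblix.access.ObConfig;
import com.oblix.access.ObResourceRequest;
import com.oblix.access.ObUserSession;

/** Example AccessGate flow; SDK names assumed from the OAM 10g Access SDK. */
public class AccessGateFlow {

    /**
     * Returns the Access Server session token for the user, or null when the
     * resource is unprotected or the user is not logged in / not authorized.
     */
    public static String authenticate(String resource, String userId, String password)
            throws ObAccessException {
        // Step 1/2: the AccessGate describes the requested resource (type, URL, operation).
        ObResourceRequest req = new ObResourceRequest("http", resource, "GET");

        // Step 3: only protected resources need an authentication scheme / credentials.
        if (!req.isProtected()) {
            return null;
        }

        // Step 4: the credentials go to the Access Server; its answer is wrapped in ObUserSession.
        Hashtable<String, String> creds = new Hashtable<String, String>();
        creds.put("userid", userId);
        creds.put("password", password);
        ObUserSession session = new ObUserSession(req, creds);

        // Step 5: only a LOGGEDIN session carries an identity and a session token.
        if (session.getStatus() != ObUserSession.LOGGEDIN) {
            return null;
        }
        if (!session.isAuthorized(req)) {
            return null; // authenticated, but not authorized for this resource
        }
        System.out.println("identity: " + session.getUserIdentity());
        return session.getSessionToken();
    }

    public static void main(String[] args) throws ObAccessException {
        ObConfig.initialize("/opt/oam/accessgate"); // placeholder AccessGate install dir
        try {
            String password = args.length > 0 ? args[0] : ""; // supplied at run time, never hard-coded
            String token = authenticate("/protected/index.html", "jdoe", password);
            System.out.println(token == null ? "denied" : "session token issued");
        } finally {
            ObConfig.shutdown();
        }
    }
}
```

    The token returned in step 5 is what the AccessGate would set for the application (the ObSSOCookie value in the 10g WebGate case); the application should treat it as opaque and hand it back to the Access SDK (ObUserSession's token constructor) rather than parse it itself.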

  • HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST

    Hi SAP gurus,
    I configured the GRC 10 system successfully. I created one user: GR_AR_APP001 and assigned the following roles:
    SAP_GRAC_ACCESS_APPROVER
    SAP_GRAC_ACCESS_REQUEST_ADMIN
    SAP_GRC_FN_BASE
    SAP_GRC_FN_BUSINESS_USER
    and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR".
    But when I am creating an access request for a new user and defining MANAGER under the user details tab as GR_AR_APP001, the user GR_AR_APP001 is not receiving any request to APPROVE or REJECT in his WORK INBOX.
    Can you please guide me how to configure the APPROVER or MANAGER to approve or reject the request.
    I will be very much thankful if you guide me successfully.

    Hi Colleen,
    thanks a lot for your time.
    PIC1: I created one user: GR_AR_APP001
    and assigned all the GRC ROLES.
    PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
    PIC3: I created one EUP 980 (copied from default EUP)
    PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
    PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
    PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
    PIC7: I saved agent id
    PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
    PIC9: I saved
    PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
    PIC11: Maintain Route Mapping, I clicked on next
    PIC12 and PIC13: I saved and activated.
    After this process I created one request for a new account and selected the manager as GR_AR_APP001, and one request was created with request no. 9000000030.
    Now I logged into the system as user GR_AR_APP001 and checked: there is no request under his work inbox.
    Please guide me through at least one procedure for how to receive the request in the approver's work inbox, so that I can learn the other procedures to configure the approver as per our organization's requirements.
    thanks for your support Colleen.

  • Can't create new User Identity in OAM backed by OID

    We installed with the following steps:
    1) Downloaded OIM from OTN (10.1.4.0.1)
    2) Installed OIM, selecting only OID, onto a dedicated XP server
    3) Downloaded OAM from OTN (10.1.4.0.1)
    4) Installed Identity Server onto the OID server, updating the OID schema with Oblix entries
    5) Started the Identity Server service
    6) Installed WebPass on top of Apache 2.0 on a separate XP server
    7) Restarted Apache 2.0
    8) Accessed server/identity/oblix and went through the WebPass setup
    Other than seeing a bunch of A-caret characters, the screens all look good.
    9) Logged in as orcladmin to OAM
    10) Tried to Create User Identity
    This fails with a 'You do not have sufficient access rights' error. The only user we have in the OID is orcladmin. Looking into the directory, orcladmin is a member of Oblix/Directory Administrators and Oblix/Web Masters.
    We're trying to set up OAM for SSO and add custom modules for user provisioning to our application (OTM). Any help is appreciated.

    Hi
    You have to create a user workflow so as to enable user creation in OAM. If the workflow is created, then make sure that the user has access to the workflow.
    -Kiran Thakkar

  • How do you delete a guest user account from the users&groups pane?

    Could anyone help with a tip on how to delete a guest user account from the Users & Groups pane in OS X 10.7? When I unlock the account, the delete (minus) button is inactive. Thank you

    Aha, disabling the Find My Mac checkbox in iCloud seems to work. Thanks a lot, previous threaders!

  • How to get the system property - user.name from a client system

    Hi All,
    I have an application which would enable active users from the domain of the company. I want to get the name of the client from the system. I tried to run it on the local machine from JDeveloper, and it returned the correct user name. But when the application is deployed on the Oracle Application Server and I hit the URL of the application, it returns the server's user.
    I understand that the JSP works on the server side here but help me out to get a solution. I want to read the user name from the client side.
    Thanks in advance!
    Akhil

    Akhil,
    I hope this will never work. Think about your requirement for a second....
    This would mean an application is able to see my user credentials without my knowledge. It's bad enough they know my IP if I'm not using TOR.
    To get your requirement to work you have to redefine it a bit. The user has to log in to your application. The application holds the name together with an ID of the session to know the user in further requests.
    That's a basic security theme, described in the docs [Adding Security to a Fusion Web Application|http://download.oracle.com/docs/cd/E12839_01/web.1111/b31974/adding_security.htm] .
    Timo

  • CWMS v.2 - how to configure CWMS to authenticate user with CUCM

    Hi,
    I have a CUCM with no LDAP or AD integration. I already configured the directory integration with CUCM and it synchronized the user accounts to CWMS. When trying to login with end user account, password configured in CUCM doesn't work. What is the process to configure CWMS to authenticate with CUCM user database? Thanks.
    -Alan

    Hi Alan,
    CUCM and LDAP integration is a prerequisite for using Directory Integration on CWMS.
    http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/1_5/Administration_Guide/Administration_Guide_chapter_01011.html#task_DB0D271D6EB1459EB4DA269461E93B36
    Before You Begin
     You must configure AXL and LDAP directory service on CUCM before you can use the directory integration feature. CUCM is required to import users into your Cisco WebEx Meetings Server system. Use CUCM to do the following:
     Enable Cisco AXL Web Service
     Enable Cisco directory synchronization
     Configure LDAP integration
     Configure LDAP authentication
    -Dejan

  • How to configure SCCM 2012 discover user group only?

    Hi,
    I'm wondering if there is a way to discover user group only (ignore computer group) in SCCM 2012?
    Jason

    Hi,
    Also note that by default, only security groups are discovered. However, you can discover the membership of distribution groups when you select the checkbox for the option Discover the membership of distribution groups on the Option tab in the Active Directory Group Discovery Properties dialog box.

  • How to configure sync rules involving a CSV file and portal self service

    Hello,
    I need to configure some FIM sync rules for the following scenario:
    User account details are entered from an HR CSV file and exported to AD. Users have the ability to modify their own AD attributes in the FIM portal (there is not a requirement for them to view their HR CSV data in the portal). The FIM portal modifications will be exported to AD as expected.
    My setup is as follows:
    CSV file - name, last name, employee ID, address.
    CSV MA - has direct attribute flows configured in the MA between the data source and MV.
    Portal self service attributes - users can edit mobile, display name and photo.
    I've also set the CSV MA as precedent for the attributes.
    FIM MA - attribute flows defined for MV to Data Source as usual (i.e. firstname to firstname, accountname to accountname, etc).
    AD MA - no attribute flows defined, as inbound and outbound sync rules have been configured in the portal using the Set\MPR\Triple.
    I'm thinking of using the following run profiles:
    1. CSV MA - full import and delta sync (imports HR data)
    2. FIM MA - export and delta import (imports portal changes)
    3. FIM MA - delta sync (syncs any portal changes)
    4. AD MA - export and delta import
    If my understanding is correct this should sync HR data from CSV to AD, as well as user attribute self service updates from the portal to AD.
    If I wanted to just do an HR CSV sync, could I get away with just steps 1 & 4? (Presumably not, as my rules are in the FIM portal?)
    If I wanted to do just a portal sync, could I get away with steps 2-4?
    Any advice on how to improve my setup is much appreciated - cheers
    IT Support/Everything

    The truth is that your design should be done in such a way that it doesn't matter which profiles you execute in which order. In the end, if you run all import, sync and export profiles on each data source, you should get the same result. This is the beauty of the sync engine.
    Your steps 1-4 will sync data to your data sources and in the end will give you the expected result, but not because of the order in which you are executing them; because of correct attribute flows. If flows from the CSV file and from the FIM portal might be done for the same attributes, you also need to think about attribute precedence.
    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

  • Is there a way I can configure LV To pick user controls from a different folder

    than user.lib folder under C:\Program Files\National Instruments\LabVIEW
    6.1\
    I hate putting my own code where the application software is installed.
    Makes it tough to manage, IMHO.
    I see that \* is used under Options->VI Paths, so if I can just
    modify this userlib environment variable, I should be good to go, but
    haven't figured out how to do it.
    vishi

    LabVIEW is much more flexible than most people think. You can configure any folder to show up as a sub-palette of the controls palette. Just edit the palette. See chapter 3 of the LabVIEW User Manual. You can insert a sub-palette and link it to a directory. That sounds like what you want.
    Daniel L. Press
    PrimeTest Corp.
    www.primetest.com

  • How can I get ALL the user info from WWW_FLOW_FND_USER -table?

    Hi.
    I use HTML DB authentication and therefore all my user information is stored in HTML DB tables. I can use :APP_USER to get USER_NAME, but in my application I need to have also USER_ID, FIRST_NAME, LAST_NAME and EMAIL_ADDRESS fields from database. I don't want to change any database/schema security level so I cannot read directly from WWW_FLOW_FND_USER -table when I am inside in SCOTT -schema/sec.level.
    How to read all the information?

    Thank you for your help, but I cannot find any information about the package wwv_flow_user_api on OTN or in the HTML DB documentation.
    Where to start?

  • How to make SSO if a user login from Jetspeed and jump to Sun Portal

    We need to make the Sun Java Portal Server SSO when a user has done the authentication in another remote desktop application or the web applications ( like Jetspeed host ).
    Username and password can be retrieved if a user logs in any other application. In the Access Manager, LDAP is the only authentication module used.
    We made this requirement in the Jetspeed. The general idea is to create a filter which sets the Username and Password into the principal. Thus, Jetspeed checks the existence of the principal and regards the user as being authenticated if the principal is valid.
    Currently, it seems not feasible in the Sun Java Portal Server using the same approach. Has anyone met the same situation before? Who is familiar with the process of the second session validation? I read the Sun Java System Access Manager - Technical Overview (p38, topic: session validation). It just gave me a very general picture. Who has some specific references about that? I would very much appreciate your help.
    Here is the code of the filter:
    import java.io.IOException;
    import java.security.Principal;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.iplanet.sso.SSOException;
    import com.iplanet.sso.SSOToken;
    import com.iplanet.sso.SSOTokenManager;

    public class EnablerFilter implements Filter {
        public void init(FilterConfig arg0) throws ServletException {}
        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            SSOTokenManager tokenMgr = null;
            try {
                tokenMgr = SSOTokenManager.getInstance();
            } catch (SSOException e) {
                e.printStackTrace();
                System.out.println("failed in creating Token Manager");
            }
            if (tokenMgr == null) {
                // no token manager available: pass the request on unchanged
                chain.doFilter(request, response);
                return;
            }
            SSOToken token = null;
            // if a token exists in the cookie, createSSOToken(request) returns it
            try {
                token = tokenMgr.createSSOToken(request);
            } catch (UnsupportedOperationException e1) {
                e1.printStackTrace();
            } catch (SSOException e1) {
                e1.printStackTrace();
            }
            // if a token does not exist in the cookie, create one for the principal
            if (token == null) {
                // CfxPrincipal is the poster's own Principal implementation
                Principal cfxPrincipal = new CfxPrincipal("username");
                try {
                    token = tokenMgr.createSSOToken(cfxPrincipal, "username");
                } catch (SSOException e) {
                    e.printStackTrace();
                }
            }
            chain.doFilter(request, response);
        }
    }

    Hi,
    Thanks,
    But the note doesn't say how to connect the J2EE of the BI-Java with the J2EE of the Portal.
