Identity and Access Management Training in Bangalore

Similar Messages

• Oracle Identity and Access Management Suite Plus Integration with Oracle ADF

  Hi All,
  Kindly advice if Oracle Identity and Access Management Suite Plus can be integrated with Oracle ADF based applications to manage the end-to-end lifecycle of user accounts specifically addressing to roles/priviledges and security.
  Request you to share links to documentation where I can study the steps to integrate both the frameworks.
  Looking forward to hear from you soon.
  Best Regards,
  Ankit Gupta 

  Hi Sébastien,
  I came across the below link for the required integrations -
  Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2) - …
  Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2) - Co…
  Best Regards,
  Ankit Gupta

• Discuss Identity and Access Management in the Cloud

  Identity and access management in the cloud refers to the processes, technologies, and policies for managing cloud systems identities and controlling how these identities can be used to access cloud resources. Three separate processes are used in most cloud
  identity and access management solutions:
  Identity provisioning and storage
  Authentication
  Authorization
  Identity management in a cloud system requires a complex collection of technologies to manage authentication, authorization and access control across distributed environments. These environments might include assets both on the internal cloud, which would
  be an on-premises private cloud, and services accessed on the public cloud. These environments can also cross-security domains, as when two enterprise-level organizations collaborate and enable cross-domain access to users from the partner security domain.
  You can learn more about these topics in the article Identity and Access Management in the Cloud.
  Let's talk about that article and the topics of identity and access management in the cloud! Use this thread to get it started.
  Thanks!
  Tom
  Learn more about Private Cloud at the
  Private Cloud Solutions Hub

  Tom,
  I am a novice and attempting to achieve a proof of concept of single sign on.  One example I read stated one should install Identity and Access on VS2012.  I did this on two different machines.   One was in the office domain and it shows the
  item "Identity and Access..." in the context menu of the MVC project I created.  The other machine is my laptop.  I followed the same procedure that worked on the desktop, yet the Identity and Access item in the project context menu does not show.
   One difference is that the laptop is not part of a domain, but I am attempting this proof of concept in Windows Azure with the laptop, since we do not have a test AD in our corporate domain.
  Is this the right forum to inquire about this issue?  Do you have a recommendation about a better forum?
  Stephen Pidgeon

• Oracle Identity and Access Management (11.1.1.3.0)   and IM difference?

  What is difference between Oracle Identity and Access Management (11.1.1.3.0) and Identity Management (11.1.1.3.0) ?
  From
  http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html

  When you run the config, you are asked to add some product. Have checked the "Oracle Access Manager with Database Policy Store" product?
  If not, you can add it by extending the domain. Once done you have to start two WLS servers (AdminServer and oam_server1):
  Start AdminServer with $DOMAIN/bin/startWebLogic.sh
  Start oam_server1 with $DOMAIN/bin/startManagedWebLogic.sh oam_server1
  It might be that oam_server1 asks for username and password. This is fine for the first time. During the first start the necessary directory structure is created. Once it came up and enters RUNNING state, kill it and create a file boot.properties in $DOMAIN/servers/oam_server1/security with the entries username=name and password=pw in two lines and start oam_server1 again.
  Starting oam_server1 is recommend to get proper values in the oamconsole.
  HTH,
  --olaf                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Difference between Identity Manager and Access Manager

  hi,
  Can any body tell me the difference between Identity manager and Access Manager.
  thanks in advance
  regards
  dhawanmayur

  Access Manager is for access control (web authentication, authorization), Identity Manager is for identity (userid,profile,role, password etc) provision/management across multi resources (such as unix, active directory, peoplesoft, SAP) etc.

• UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

  PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
  In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  Is there some known bug or workaround that matches this description?
  Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
  We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
  So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
  Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
  So, we have the following software stack:
  1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
  2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
  These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
  3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
  At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
  Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
  Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
  4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
  In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
  5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
  This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
  The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
  # imsimta version
  Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
  libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
  SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
  While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
  "Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
  We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
  Here's the configuration we did specifically for AM SSO:
  1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
  com.iplanet.am.cookie.encode=false
  am.encryption.pwd=<the same value>
  all hostname-related parameters point to "psam.domain.ru"
  2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
  com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
  com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
  3) in "msg.conf" on "sunmail" (entries added via configutil):
  local.webmail.sso.amcookiename = iPlanetDirectoryPro
  local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
  local.webmail.sso.singlesignoff = yes
  local.webmail.sso.uwcenabled = 1
  service.http.ipsecurity = no
  (perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
  4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
  5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
  --- main.js.orig        Sat Jan 26 07:52:09 2008
  +++ main.js     Mon Jul 21 01:06:29 2008
  @@ -667,7 +667,8 @@
  function cleanup() {
     if(laurel)
  -      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +//      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +      top.window.location =  "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     else
         exec('logout', '', 'exit()')
  @@ -1707,7 +1708,8 @@
     if(lg) {
           url = document.location.href
           url = url.substr(0,url.indexOf('webmail'))
  -        uwcurl = url + 'base/UWCMain?op=logout'        
  +//      uwcurl = url + 'base/UWCMain?op=logout'        
  +        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     exit()
  }6) Calendar SSO - per docs...
  According to ngrep sniffing,
  1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
  2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
  3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
  Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
  Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
  4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
  Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
  5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
  Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
  6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
  Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
  7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
  <Request><![CDATA[
  <NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
  <GetNamingProfile>
  </GetNamingProfile>
  </NamingRequest>]]>
  </Request>
  </RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
  ...then a double-request to /amserver/sessionservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="Session" reqid="686">
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="678">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]>
  </Request>
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="679">
  <AddSessionListener>
  <URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </AddSessionListener>
  </SessionRequest>]]>
  </Request>
  </RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
  !!!*** Now, the problem part ***!!!
  8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
  I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
  For the most detail I can provide, I'll even paste the whole HTTP packet:
  POST /amserver/sessionservice HTTP/1.1
  Proxy-agent: Sun-Java-System-Web-Server/7.0
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
  Content-type: text/xml;charset=UTF-8
  Content-length: 336
  Cache-control: no-cache
  Pragma: no-cache
  User-agent: Java/1.5.0_09
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Host: cos-psam-01.domain.ru
  Client-ip: 194.xxx.xxx.xxx
  Via: 1.1 https-weblb.domain.ru
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="258">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]></Request>
  </RequestSet> The server's error response is apparent:
  HTTP/1.1 200 OK
  Server: Sun-Java-System-Web-Server/7.0
  Date: Thu, 31 Jul 2008 05:49:50 GMT
  Content-type: text/html
  Transfer-encoding: chunked
  19b
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="258">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
  <GetSession>
  <Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
  AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
  </GetSession>
  </SessionResponse>]]></Response>
  </ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
  POST /amserver/sessionservice HTTP/1.1
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
  Content-Type: text/xml;charset=UTF-8
  Content-Length: 379
  Cache-Control: no-cache
  Pragma: no-cache
  User-Agent: Java/1.5.0_09
  Host: psam.domain.ru
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="281">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
  <SetProperty>
  <SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
  <Property name="uwcstatus" value="active"></Property>
  </SetProperty>
  </SessionRequest>]]></Request>
  </RequestSet> ...and the response is OK:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="281">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
  <SetProperty>
  <OK></OK>
  </SetProperty>
  </SessionResponse>]]></Response>
  </ResponseSet>

  There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
  The solution for these customers was the following:
  => AM server/client side:
  Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
  => AM client (UWC) side:
  - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
  <sun-web-app>
     <property name="encodeCookies" value="false"/>
     <session-config>
        <session-manager/>
     </session-config>
     <jsp-config/>
  <property name="allowLinking" value="true" />
  </sun-web-app>Regards,
  Shane.

• Sizing of Oracle IdentityManager and Access Manager on same Weblogic Server

  Hi ,
  We are planning to deploy Oracle Identity Manager and Access Manager on the same weblogic server in different domains.We have user base of 25000 users.
  We can propose two different weblogic servers for OIM and OAM ?
  Please let me know the best hardware and software requirements for this installation.
  Thanks,
  RBM

  Here is sizing guide for Oracle Identity Manager
  http://www.oracle.com/technetwork/middleware/id-mgmt/oim11g-sizingguide-194346.pdf
  You can use it as a guideline, and it refers to 25000 users similar to your requirement. There are other factors also consider like, failover, performance etc. Feel free to reach out if you need more info [email protected]

• Fusion Middleware Control "Identity and Access" menu missing

  Hi.
  I have a problem with one of the fussion middleware control menus which is missing.
  The environment is as follows:
  - One server with OVD + OID
  - One server with Weblogic + ODSM + Fussion Middleware Control
  (All idm fmw 11.1.1.2.0)
  ODSM can connect to OVD / OID on the other server without any problems.
  On Fussion middleware Control I can not see the menu "Identity and Access". In previous installations where all the components where installed together in the same server, that menu appeared without any extra configuration.
  The menu i'm talking about is the one referred here: http://download.oracle.com/docs/cd/E15523_01/oid.1111/e10046/basic_started.htm#CIHHAJJH
  "2.In the left panel topology tree, expand the farm, then Identity and Access. Alternatively, from the farm home page, expand Fusion Middleware, then Identity and Access. Oracle Virtual Directory components are listed in both places"
  Which are the steps to get that menu back? How do i get "linked" fusion middleware control with ovd/oid from the other server?
  Any extra configuration, any steps during installation...
  There's something probably very simple i'm missing but i haven't found any reference about creating/configuring that menu...
  Thanks in advance.

  Hi. i tried what i posted on my last message but i can't pass next step of the installation.
  If i try to install oid+ovd in <host 2> i can select "extend existing domain" and it connects correctly to the weblogic domain (IDMDomain creating during installation of odsm & em fmw control) that is up un running on <host 1>.
  But on the next step it asks for the "Weblogic Server Directory"... If i enter the path where weblogic resides on <host 1> it fails because it looks for it in the host i'm installing oid+ovd <host 2>.
  - First of all, is it really possible to have oid+ovd on one host and weblogic+odsm+enterprise manager fmw control in a different host in a way that makes possible to manage oid+ovd with enterprise manager fmw control?
  - Is it possible to tell the installer that the path for the weblogic server is in a different host? something like host:path?
  - If it's not possible, is it documented anywhere? i haven't found anything regarding that possible limitation.
  Please, any help would be appreciated as this is becoming critical for us.

• Realm of my application for identity and access

  I plan to replace Azure cloud services’ provided subdomain (myapp.cloudapp.net) with our own domain, customDomain.com. I eventually find out that I cannot do that. I have to configure a custom domain name to route traffic to myapp.cloudapp.net. Why does
  not Azure allow me to replace myapp.cloudapp.net with my own custom domain? I end up having two domains for one site. Please look at this site:
  http://azure.microsoft.com/en-us/documentation/articles/cloud-services-custom-domain-name/
  That custom domain name also has an SSL certificate from a CA. In addition to that, I also use single sign on for my application (Identity and Access). In this case, I configure the Identity and Access (realm of my application) with my custom domain name.
  Is this the right way? It does not make sense to configure this with myapp.cloudapp.net. I currently have issues with ADFS but I could not figure out why. 

  Hi,
  Here providing article might helpful for your case.
  Domain mapping, Domain forwarding, SSL certificate for Windows Azure
  http://blogs.msdn.com/b/sriharsha/archive/2012/02/25/domain-mapping-on-windows-azure.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Inside Identity and Access Control products

  Hello,
  For the past few months I was working on a blog which can help understanding under the hood of identity and access control products. Please have a look into it and let me know how to improve the contents.
  http://identitycontrol.blogspot.com

  Latest Topics
  1) Video of Federated Access Control
  2) RSA Conference 2007

• Inside identity and access control products : blog

  Frinends,
  Visit my blog http://identitycontrol.blogspot.com to get inside working of the identity and access control products. My efforts here is to explain insides in a simple language.
  Latest topic i added is "SAML in action"
  Please post your comments also so I can improve the contents.
  Thanks

  Thanks a lot idmguru!!
  your efforts are simply awesome..
  -Yash Bansal

• Error in OAM Identity and Access Servers login pages

  Hi All,
  I am trying to install OAM I completed all installations . But now am getting error as invalid "*Invalid credential*". IS there any process to know what the userid and password for the both Identity and Access Servers . Please tell me if there is any process. It very helpful to me .
  Thank u & Regards
  Pokuri

  Hi Pokuri,
  Could be that the searchbase is wrong, so that OAM is not finding the user whose credentials you are entering. Or, maybe OAM is using a different attribute as the login attribute (for example, you could be entering the cn when OAM is expecting the uid).
  Try binding to ldap with another utility (such as ldapbind or ldapsearch) to see if this gives any indications. You may need to reconfigure the Identity Server to verify/correct the searchbase (for this, follow note 730376.1) and to check which attribute has the "Login" semantic type in OAM.
  Regards,
  Colin

• Domain and realm of my application for identity and access

  I plan to replace Azure cloud services’ provided subdomain (myapp.cloudapp.net) with our own domain, customDomain.com. I eventually find out that I cannot do that. I have to configure a custom domain name to route traffic to myapp.cloudapp.net. Why does
  not Azure allow me to replace myapp.cloudapp.net with my own custom domain? I end up having two domains for one site. Please look at this site:
  http://azure.microsoft.com/en-us/documentation/articles/cloud-services-custom-domain-name/
  That custom domain name also has an SSL certificate from a CA. In addition to that, I also use single sign on for my application (Identity and Access). In this case, I configure the Identity and Access (realm of my application) with my custom domain name.
  Is this the right way? It does not make sense to configure this with myapp.cloudapp.net. 

  Hi,
  If you want to configure SSL for azure cloud service, I think this article will help you:
  http://azure.microsoft.com/en-gb/documentation/articles/cloud-services-configure-ssl-certificate/, if you want to ask some issues related to Identity and Access, I would suggest you move to azure Active Directory forum:
  https://social.msdn.microsoft.com/Forums/en-US/home?forum=WindowsAzureAD
  Best Regards,
  Jambor
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Directory Server Replication and Access Manager

  I've set up 2 Access Managers instances AM1 and AM2 connected to one Directory Server DS1. Changes to AM1 are replicated to AM1. DS1 is replicated to DS2 using MMR. I'm following Sun's document http://docs.sun.com/app/docs/doc/819-4672/6n6qcof22?a=view to setup failover for this environment. Step 5 says
  Modify the following properties to reflect the host and port number of a consumer Directory Server installed in Configuring For Replication .
  com.iplanet.am.directory.host = DS1.domain
  com.iplanet.am.directory.port = port of DS1
  How do I modify above to reflect DS2 so that should DS1 fail, DS2 takes over?
  Also step 9 says - In the serverconfig.xml file, specify the host name and port number of the consumer directory installed in Configuring For Replication, as shown in the following example for the serverconfig.xml file.
  <iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1"
  maxConnPool="10">
  <Server name="Server1"
  host="consumer1.example.com" port="389"
  type="SIMPLE" />
  Again, how do I modify serverconfig.xml to reflect the 2nd Directory Server, DS2 so that if DS1 fails both AM1 and AM2 can connect to DS2. If anybody has done this please let me know how it worked, thanks.

  Are you talking about Access Manager flopping over from ds1 to ds2 if ds1 is down?
  In serverconfig.xml look for the line containing 'Server Name' and add a line like this directly underneath of it:
  <Server name="Server2" host="ds2" port="389" type="SIMPLE" />
  Save and exit
  vi AMConfig.properties and add something like this after the existing com.iplanet.am.directory.host and com.iplanet.am.directory.port:
  /* Added for multi-master directory fail-over */
  com.iplanet.am.directory.host=ds2
  com.iplanet.am.directory.port=389
  com.iplanet.am.replica.retries=3
  com.iplanet.am.replica.delay.between.retries=5000
  /* End Added for multi-master directory fail-over */
  Save and exit
  Restart the Access Manager web container

• SSL connection between Dist Auth UI Server and Access Manager

  Hi,
  I have a Dist Auth UI Server installed in Web Server 7 and working properly, but now i want to configure it to talk with Access Manager with a secure port.
  I have configured Access Manager (also deployed in Web Server 7) in a secure port (443). I have requested and installed the server certificate in the Access Manager Web Server instance and also the root entity certificate.
  My question is: how must i configure the UI Server to communicate with the Access Manager Server in a secure way and trust the certificate that the WS of the AM presents ?
  Regards,

  There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
  The solution for these customers was the following:
  => AM server/client side:
  Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
  => AM client (UWC) side:
  - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
  <sun-web-app>
     <property name="encodeCookies" value="false"/>
     <session-config>
        <session-manager/>
     </session-config>
     <jsp-config/>
  <property name="allowLinking" value="true" />
  </sun-web-app>Regards,
  Shane.