IDM 1.4.2 with WNA

Hi, we are running IDM 1.4.0.1 and it's working fine other than being unable to access Partner application pages; Oracle suggested upgrading to IDM 1.4.2. After we upgraded to IDM 1.4.2, our WNA stopped working and is showing the following messages in the log:
08/09/02 13:59:58      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:730)
08/09/02 13:59:58      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
08/09/02 13:59:58      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
08/09/02 13:59:58      at java.security.AccessController.doPrivileged(Native Method)
08/09/02 13:59:58      at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
08/09/02 13:59:58      at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
08/09/02 13:59:58      at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
08/09/02 13:59:58      at java.security.AccessController.doPrivileged(Native Method)
08/09/02 13:59:58      at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
08/09/02 13:59:58      ... 22 more
08/09/02 13:59:58 KerberosAuthenticator: Please check the error messages and fix it. Restart OC4J (OC4J_SECURITY instance) server
08/09/02 13:59:58 KerberosAuthenticator: Possible errors may be:
08/09/02 13:59:58 KerberosAuthenticator: 1.HTTP service name in $ORACLE_HOME/j2ee/OC4J_SECURITY/config/jazn-data.xml or $ORACLE_HOME/j2ee/OC4J_SECURITY/application-deployments/sso/orion-application.xml is wrong.
08/09/02 13:59:58 KerberosAuthenticator: 2.KDC Details (host/port) in $ORACLE_HOME/opmn/conf/opmn.xml are wrong.
08/09/02 13:59:58 KerberosAuthenticator: 3.KDC is down.
08/09/02 13:59:58 KerberosAuthenticator: 4.KDC Details in the keytab file are wrong or the keytab file path has been incorrectly specified.
08/09/02 13:59:58 Oracle Application Server Containers for J2EE 10g (10.1.2.0.2) initialized
Oracle suggested upgrading the JDK to 1.4.2_18, but that didn't help; we are not able to start OC4J_Security after this Java upgrade. Any pointers? We have go-live next weekend.

Hello, I have downloaded the "J2SE v 1.4.2 with
NetBeans IDE v 3.5 Cobundle" for windows.
I ran the install, everything went fine, but when the
install finished it said there was an error and to
please refer to the log file.
Does anyone know how to resolve this, I have tried
uninstalling and re-installing and I get the same
problem.
Thanks,
-Mike

Hi Mike,
I got a similar error message too, in spite of trying to re-install at least 10 times! So I gave up and did this:
1) I downloaded J2SE SDK 1.4.2 separately.
2) I then downloaded JPad Pro IDE (latest version).
Now both are working really fine for me. :-) Couldn't be bothered to try again and again.
It's up to you if you want to get the NetBeans installation done, but all I wanted was a good IDE and the latest version of the JDK. I have been using it for the last 3 days and it is working perfectly fine!
Regards :-)
Vijay

Similar Messages

  • IDM is not working with Web Sphere

    Hi,
    I have installed IDM 7, made the idm.war and deployed it with WebSphere 5. The deployment succeeded, but when I tried to start the application from the WebSphere admin console, the WebSphere server stopped and the admin console stopped working as well.
    Is there any other solution?
    I am unable to find the loggingtoolkit4j on the IBM site and I didn't get the log.jar.
    Kindly give the path where I can find it.

    This may not be related, but I found that it may be necessary to turn off the Java 2 security option on the JVM in WebSphere.
    To turn off in WebSphere, logon to the WAS Administrative Console and navigate to Security > Configuration > Secure Administration > Applications and Infrastructure. Uncheck the Java 2 Security option.

  • SAP IDM  7.0 integration with third party system

    Hi Experts,
    I know SAP IDM  7.0 can integrate with third party systems and create user ids on most of the third party systems.
    But I need to know if it is possible to integrate with the following systems:
    1) Microsoft Exchange 2007 (I know SAP IDM supports up to Exchange 2003)
    2) Microsoft Active Directory 2008 (I know up to Active Directory 2003)
    3) EMC  Documentum 6.5
    4)  ARIS 7.1.0
    5)  BlackBoard, Release 9.0
    6) Oracle 10g  ( Is it possible to create users at oracle level ? or at what level ? )
    7)  Sun Solaris Sparc  ( Is it possible to create users at  OS level )
    If you have information on this, please share. I know that the provisioning framework will have templates for most of the target systems. I want to know if they are available for the above systems on SAP IDM 7.0 or, if not, how we can connect to them?

    Hi Matthew
    Your expertise in SAP IDM is indeed a great help!!
    >Can't see why not, it's all done via SQL commands. I've done similar things with MSSQL
    You mean that there will be Oracle 10g drivers/OLE DB connectors in SAP IDM, and through SQL commands like "create user alfredo identified by alfredos_secret;" we can create a user in the Oracle database? As you said, this should be possible. What about creating a user (user management) in an Oracle 10g application like dba or scot and assigning the privileges in the Oracle application?
    >might need to do via UNIX scripts, but it can be done
    You mean that Unix scripts will be defined in SAP IDM and SAP IDM will execute these scripts on the Sun Solaris SPARC system? It should be possible, as you said. By the way, how will we be able to connect to Sun Solaris SPARC? Is it via the option "file" under "Repositories" with the repositories wizard, and later executing the file from SAP IDM?
    Thank you once again for your expert answers on third party systems.

  • SAP IDM position based security with user in multiple positions

    Hi,
    In case of Higher Duties, we have a scenario where a user can have multiple positions with access to the business roles of both the positions.
    The design is to have one business role assigned to one position so that the user can have all the access he requires.
    In case of higher duties, we see an exception.
    Has anyone implemented such a scenario?
    Inputs/advices are much valued.
    Thanks
    Chaitanya

    Hi Chaitanya,
    Is it possible to assign more than one position to an employee in HCM?
    If so, there are many ways of dealing with that from the IDM side. I don't know precisely your business requirement, what you need to maintain and what should be dynamic, but I can suggest that you:
    1. Translate every position you receive from HR to a Business role and assign as many Business roles you want to the same user.
    From HCM you will receive :
    Employee :
    - Z_POSITION_ID1 :1
    - Z_POSITION_ID2 : 2
    In IDM
    Employee
    - Member of BR1
    - Member of BR2
    2. If you have a lot of attributes related to the HR position on the user (link user-position) to maintain, then create a custom object in IDM (entrytype Z_POSITION).
    You will be able to manage relations much more easily than with a simple relation (one-to-one attribute).
    Otherwise, it is worth looking over this blog for the general design of HCM integration:
    How to optimize identities’ lifecycle management in your information system using SAP HR events?
    Fadoua

  • Number of SAP instance for IDM 7.1 IdP ? IDM 7.1 SP5 with UI also for 7.2 ?

    Hello,
    I've just read the SAP NW IDM Identity Provider Implementation Guide. It seems very interesting. One question though : it seems the Identity Provider must be deployed on a NW CE 7.2 system.
    So we end up having a NW CE 7.1 Ehp1 for IDM UI with IDM runtime, designtime and database (all on the same server) and we must have another server or another SAP instance for the IdP with CE 7.2 ?
    Will IDM 7.1 SP5 UI also be compatible with / be developed for CE 7.2 to avoid another SAP instance ?
    Finally will Windows 2008 be officially certified for IDM 7.1 ?
    Thanks in advance,
    Hervé

    Hello Petr, I think this might be a problem. Probably you would be able to do what you want to do within a portal setup, where IdM is providing content to that portal. However, the development would take place in the portal and not per se be a development in the IdM UI. As I understand it the IdM UI is configurable to some extent, but not changeable by customers.
    Rgds.
    Anders

  • SAP IDM on Solution Manager with Change Request Management

    Hi Experts,
    I'm facing a question. Does SAP Identity Management manage association between user in Solution Manager and links in PPOMA_CRM tree for Ticket validation on Change Request Management project ?
    It seems that it could be done using Compliant User Provisioning from GRC Access Control application.
    Thanks for your help,
    Ben

    Hello Ben,
    as far as I know currently there is no "business level" integration between IdM 7.1 and SAP Solution Manager. You only can create SU01 user data as for any other SAP ABAP system.
    I have heard that it is planned for the future to integrate the Solution Manager also in the business suite integration options the IdM product already provides for applications such as CRM, SRM and others.
    Nevertheless you could create your own implementation for your requirements.
    Regards,
    René Feister
    SAP Consulting Germany

  • Changing users with WNA Configuration ??

    Is there any way I can log out and change users when using WNA configuration?
    For example, at a certain moment I am logged in as userA.domain.com, then I want to log in as a different user, say, userB.domain.com, but when I tried to log off and log in again, the user is always userA.domain.com.
    Is there any way I can log out and then log in again as user userB?
    thanks

    I'm not sure whether you want the server simply to run as some other user other than "administrator", or if you want it to execute as a different user account for each client connection.
    If what you want is the server simply to run as another account, you need to start it differently. For example, on WinNT/WinXP, it is possible to run the server as a Windows service. A service can be configured to run under any user account you choose, which should solve your problem. As for how to run the server as a Windows service, I recommend using the freeware here:
    http://www.kcmultimedia.com/javaserv/
    I was able to use this successfully without a lot of trouble. If your environment is Linux etc. I am sure there is a way to change the account under which a process is run, but I don't know enough about it to tell you how.
    However, if what you want is for the server to operate as a different user for each client connection, I think that would be much trickier. You would probably need to spawn a different process for each connection using JNI to write some platform-specific interfacing to accomplish the account switching.

  • Has anyone managed to download the IDM FEDERATION file shipped with SP05?

    Hi,
    The file  IDMFEDERATION05_0-10009228.SCA is reported by SAP download manager no longer available. Has anyone ever successfully downloaded it?
    BR,
    Bin

    Hi Bin,
    I have the same problem. I have already reported this to SAP and they are currently checking what's going wrong. I guess the file will be available sometime this week.
    Best regards
    Holger

  • IDM 8.0 Domino User Registration Failure with Explicit Policy

    I'm using IDM 8.0 Patch 5 with a Lotus Notes 7.0.2 CCH1 client. I have been successfully creating accounts for almost 2 years and am looking to migrate to IDM 8.x. Previous to my IDM 8.x configuration, I have been using the Lotus Notes 6.5.5 CCH2 client with IDM 6.0 SP2. I have been using an explicit policy since day one with the previous configuration without any issues. The policy was being set using the Policy schema attribute with a field on the user form and worked fine. As of IDM 8.0, the gateway service crashes on every attempt to create a user when the Lotus Notes 6.5.5 client is used. Due to this headache, I tried the Lotus Notes 7.0.2 client and the gateway no longer crashes. However, a new error message is produced. At about the point in registration where the notes ID file is generated (which doesn't succeed), it throws the following error:
    DominoExtension::Error while executing 'WS_REGNewPerson' errCode: '8421' Registration Failed: A policy could not be retrieved from the Domino directory.
    When I stop the gateway service and open the Lotus Notes client using the same credentials the gateway service uses, I can easily find the policy object that we've been using, open it, look at it, etc. With the gateway trace enabled at the highest level (4), it shows no other information between the call to WS_REGNewPerson and the error displayed in the response. I would also like to mention that I noticed the new availability of the explicit policy attribute on the resource configuration page. I attempted to use the resource attribute instead of the form field that I was previously using and it also fails with the same error.
    It should also be noted that I'm running this new environment in parallel with the existing system, that is, IDM 6.0 SP2 with Lotus Notes 6.5.5. That environment has its own gateway servers and web servers. The production Domino environment has not changed and still works fine in the current production IDM environment. The IDM 8.x environment is running against the same Domino servers (same physical servers), but is using separate web servers and gateway servers in a test environment using the same credentials as the production environment.
    Has anyone seen this issue and had success in overcoming it? Any assistance would be greatly appreciated.

    There are a couple of important bugs here:
    Bug 19094: gateway crashes when provisioning Notes user if Notes client version is 6.5 and server is 7.x
    Bug 17213: Add support for Lotus Domino/Notes 8
    The resolution brought on by BUG # 17213 added a section to the release notes that states the Domino Server and Lotus Notes client versions must match.
    Regarding the error you're seeing:
    DominoExtension::Error while executing 'WS_REGNewPerson' errCode: '8421' Registration Failed: A policy could not be retrieved from the Domino directory.
    I believe there was a change from REGNewUser to REGNewPerson, which could be playing a role, but I am not certain. I hope this helps.
    -A

  • IDM connected with GRC

    Hi All,
    Would like to check a question with you. As I know SAP IDM can be connected with SAP GRC for risk analysis during user request. Does anyone know if there are any other IDM solutions (other than SAP IDM) which can be connected with SAP GRC and do risk analysis during user request?
    Thanks in advance.
    Benny Ren

    Hi Ankur,
    Thanks for your reply. As I understand the GRC adapter in ITIM works only with SAP resource (please correct me if I am wrong) and not any other ERP or non-ERP resource. Is there any way so that I can directly use webservices with ITIM without using ITIM adapter.
    Hi Frank,
    If I can integrate the webservice directly with ITIM, then what I can do is using the risk analysis find out what are the roles which violates the SoD. If web services can return that, then I can use the following steps:
    - Create a Life cycle rule to find all the violations.
    - Once violations are identified then send an approval for the violations.
    - If these are approved, then the role can remain with the person.
    - If rejected, then the role will be removed through the life cycle itself.
    Please let me know if what I think can be done and is feasible.
    Thanks to all for your replies.
    Regards,
    Ashish Choudhary

  • Integrating Oracle Access Manager with Kerberos (WNA)

    Hi,
    I have a working Oracle Access Manager that is currently only able to authenticate users against Active Directory. I want to enable WNA, but I am still having issues with configuring it correctly:
    I do not know what am I doing wrong.
    I am logged as example.com\testuser into Windows XP, using firefox with WNA enabled for URI example.com. Then I enter http://oracle.example.com which is my Oracle HTTP Server's protected URL, then I am receiving ERROR from Oracle Access Manager: "The user account is locked or disabled. Please contact the System Administrator."
    In OAM Log there is this: <Jun 19, 2012 4:14:15 PM CEST> <Error> <oracle.oam.controller> <OAM-02010> <User account is locked. Authentication failed.>
    Interestingly, when I disable WNA support in Firefox, this behavior occurs: first this dialog is shown: "A username and password are being requested by http://oracle.example.com:14100. The site says: "OAM 11g"" --> here I enter example.com\testuser and password. After this a new dialog is shown: A username and password are being requested by http://oracle.example.com:14100. The site says: "WebLogic Server"; then after entering weblogic/password I receive "The user account is locked or disabled. Please contact the System Administrator."
    In the OAM log this is logged:
    <Jun 19, 2012 4:22:28 PM CEST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20023> <Authentication Failure for user : weblogic.>
    <Jun 19, 2012 4:22:28 PM CEST> <Error> <oracle.oam.controller> <OAM-02010> <User account is locked. Authentication failed.>
    Any ideas? I am really stuck here.
    I am using this keytab file:
    [root@oracle centos]# klist -ke /home/oracle/keytab.testuser1
    Keytab name: WRFILE:/home/oracle/keytab.testuser1
    KVNO Principal
    7 HTTP/[email protected] (des-cbc-crc)
    7 HTTP/[email protected] (des-cbc-md5)
    7 HTTP/[email protected] (arcfour-hmac)
    7 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
    7 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
    kinit passes fine:
    [root@oracle centos]# kinit -V HTTP/[email protected] -k -t /home/oracle/keytab.testuser1
    Using default cache: /tmp/krb5cc_0
    Using principal: HTTP/[email protected]
    Using keytab: /home/oracle/keytab.testuser1
    Authenticated to Kerberos v5
    Why, and which user is locked? I can log in with the AD user to the Windows domain, so I assume it is not locked, and I checked it in Active Directory.

    Ok, now I got it working. Sh~t! Why oracle documentation says I should set AD datasource with this parameter:
    User Name Attribute: UserPrincipalName, when this does not work?!
    After changing to User Name Attribute: sAMAccountName my WNA works!!!
    I have been fighting with this all day! The question is why there is such behavior: whether the problem is in wrongly written Oracle documentation, or I have a problem somewhere else.
    Btw my user in AD looks like this:
    distinguishedName:     CN=John Doe,CN=Users,DC=example,DC=com
    sAMAccountName:     doejohn
    userPrincipalName     [email protected]
    It looks OAM takes "doejohn" from Windows via WNA/Kerberos and searches for this using UserPrincipalName and this is giving no match of course because "doejohn != [email protected]".
    The question is why does it take doejohn and not [email protected] from Windows WNA/Kerberos ???

  • Installing IdM 7.2 sp9 and connectivity with Success Factor

    Hello Experts,
    Looking forward to connecting IdM 7.2 sp9 with Success Factor as the data source system.
    Since by default there's no connector available in this version, I am looking for information about setting up a new connector to establish the connection.
    Advice would be much appreciated.
    -thanks
    Yogesh

    Hello Yogesh,
    There is a connector delivered as standard from IdM release 8.0 onwards. To date I have not seen any connector for lower releases, but maybe somebody here will have tried ;-)
    Regards,
    Chris

  • E-Business Suite Integration with Oracle Identity Federation for SAML

    Has anyone developed a way to use OIF for e-Business Suite authentication through SAML rather than using the standard Identity Management stack of apps?
    Today we have Oracle e-Business Suite 115.10.2 using OSSO through OID with WNA for zero sign-on (no login, just pass-through, based on AD credentials). Our domain controllers are Windows 2003 but we are in the process of upgrading them to Windows 2008 R2, where the OSSO stack is not supported unless we globally set the 2008 R2 domain controllers to use DES encryption instead of the default AES encryption. (See Oracle note 1076018.1)
    When deploying OSSO, we encountered a similar issue where Windows 7 workstations would not work with OSSO unless we set the workstation policy not to use AES encryption. (See Oracle note 973190.1)
    We are not inclined to continue to use DES encryption and we have obstacles moving to 11g iDM/OAM/OID from OSSO. I am exploring the possibility of continuing to keep one 2003 domain controller in production, and pointing OSSO to that, until we can move to the 11g iDM stack.
    Meanwhile, we have ongoing frustration with how complicated SSO is with the e-Business Suite. Sure, it works, once you climb the mountain to set it up, and we don't have that many issues in production. But the implementation of SSO for e-Business Suite is simply complex. The trip from the workstation back to an EBS session is operationally somewhat brittle. I guess some of us relish complexity. Certainly there is pride in understanding something like this. But, after a while, when the trickle of tickets from the Help Desk never completely dries up, you get tired of complexity and you seek something simpler.
    So, instead of this path:
    Workstation > EBS > OID > AD / Kerberos > Workstation
    (and I didn't even mention F5 switch with reverse proxy servers ...)
    Why can't we have this?
    Workstation with certificate > OIF with SAML > EBS session.
    Has anyone done that?
    Thank you for your help.

    Hello JJ,
    We are facing the same issue. Oracle has recommended that we install
    HTML-DB on the same database as our Apps 11i.
    What we still have to figure out is whether to use the APPS schema for the
    HTML-DB workspaces, or use a different schema.
    How is it configured at your site?
    Moshe
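On the DES versus AES question raised in the post above, and the `klist -ke` listing quoted in the Oracle Access Manager thread, a quick check of which encryption types a service keytab still carries. This is an added example, not code from any of the posters or from Oracle; it assumes MIT-style `klist -ke` output (without `-t`), and the sample listing and principal names are constructed.

```python
import re

# Enctypes deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "des3-cbc-raw",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac",
}

# One keytab entry as printed by `klist -ke`: "<kvno> <principal> (<enctype>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:", column headers, separators, blanks
        # Newer MIT klist marks old types as e.g. "DEPRECATED:arcfour-hmac".
        enctype = m.group(3).split(":")[-1].strip().lower()
        entries.append((int(m.group(1)), m.group(2), enctype))
    return entries


def audit_keytab(text):
    """Map each principal to its weak enctypes and whether it has an AES key."""
    report = {}
    for _kvno, principal, enctype in parse_klist(text):
        entry = report.setdefault(principal, {"weak": [], "has_aes": False})
        if enctype in WEAK_ENCTYPES:
            entry["weak"].append(enctype)
        elif enctype.startswith("aes"):
            entry["has_aes"] = True
    return report


def principals_without_aes(text):
    """Principals that can only be served with a deprecated enctype."""
    return sorted(p for p, e in audit_keytab(text).items() if not e["has_aes"])


# Constructed sample listing (not taken from the threads on this page).
SAMPLE = """\
Keytab name: FILE:/tmp/constructed.keytab
KVNO Principal
---- --------------------------------------------------------------
   7 HTTP/web.example.test@EXAMPLE.TEST (des-cbc-crc)
   7 HTTP/web.example.test@EXAMPLE.TEST (arcfour-hmac)
   7 HTTP/web.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 HTTP/legacy.example.test@EXAMPLE.TEST (DEPRECATED:des-cbc-md5)
"""

if __name__ == "__main__":
    for principal, result in audit_keytab(SAMPLE).items():
        print(principal, "weak:", result["weak"], "AES present:", result["has_aes"])
    print("no AES key at all:", principals_without_aes(SAMPLE))
```

Run it against the output of `klist -ke` for each service keytab before changing domain controller encryption settings; principals reported without an AES key are the ones that would stop working once DES and RC4 are disabled.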

  • Error on page in Idm 7.1.0

    I installed IdM 7.1.0 with Tomcat 5.5.23, jdk 1.6 and MySql 5.0.45.
    I login to application and edit user assignments (click to Accounts, eg. Administrator and Assignments).
    There is an error on this page: there is a red cross instead of control to edit Roles, Individual Resource Assignment, Individual Resource Group Assignment or Resource Exclusions. When I click to the "Save" button, Internet Explorer reports "Error on page".
    Do you have any idea how to get rid of this error?

    Those controls are all Java applets, it sounds like you do not have Java applets enabled in your browser.
    If you can't use Java applets you can also edit the form (User Library in this case) and add a property to all of the fields whose display class is MultiSelect:
    <Property name='noApplet' value='true'/>
    This will cause the JavaScript version of the multiselect to render instead.

  • Business Partner creation in CRM/SRM with ID Management

    Hi,
    I have tried to find info about Business partner management with IDM to CRM/SRM...
    Customer would have two use cases.. Internal and External users...
    Internal use case is quite straight forward in IDM documentation.. I have two questions about this,,,
    1. ALE connection from HCM to CRM/SRM to create BPs for internal users... is there documentation anywhere on how to configure this ALE connection?
    2. After the SU01 user is created, is linking to the BP automatic when using the Business Suite connector?
    External use case. Customer would like to implement scenario, where BP is created either:
    1. on CRM/SRM and IDM user would be created... and after approving new IDM user SU01 user with roles would be created and BP linking would happen...
    2. on IDM user is created - BP and SU01 user would be created on CRM side... and linking between them..
    On external use case I have understood- that first one is possible without stronger customization and ABAP programming?
    --- first one requires VDS and SPML ID store on IDM side
    And something to send Newly created BP from CRM to IDM with SPML
    or does IDM check regularly with SPML CRM for newly created BPs??
    Does anyone know how actually this is happening?
    And is there any special configuration needed on CRM side? or some transaction to run after BP creation?
    IDM version 7.1 SP5
    Ystävällisin terveisin / Kind Regards
    Veli-Matti Luotonen

    Hi,
    Check whether the BP roles have been defined in the system.
    Go to  Customizing:
    Cross-Application Components -> SAP Business Partner -> Business Partner -> Basic Settings -> Define BP Roles
    Here you can define BP Roles and BP Categories.
    Make sure the appropriate category is assigned to the BP role that you are trying to create. For this select the BP role and click on the "details" button.
    Also read the documentation provided here.
    Regards,
    Reema.
    PS. Reward appropriate points to useful answers.
