Integrating Identity Manager with Access Manager

We have a plain vanilla installation of Identity Manager 5.5. We are attempting to integrate Access Manager 7 (also plain vanilla install). Both were deployed into Application Server 8.1 (all running on Solaris 10 x86).
Here is what we ran into:
1) When IDM is the only application deployed in Application Server, we can log in to its administration console with the base ID of "configurator" without a problem. Next, we installed Access Manager 7 without any errors. Now when we attempt to log into the IDM administration panel (still using "configurator"), IDM can no longer find the "configurator" ID. We tried using AM to add an ID of "configurator" to the LDAP directory (figuring that was the problem), but we still cannot get into IDM. What do we need to do to "integrate" these two products? We haven't even attempted customization yet.
2) Does anyone know of ANY sample apps that show IDM and AM working together?
Thanks in advance

Raghavan,
Do you have any template doc for this configuration? We did the same; the only thing that we changed is that instead of using the fully qualified DNS name we used the IP address in the AMConfig.properties file.
Any ideas?
--Srini

Similar Messages

  • XI Integration with Identity management

    Hello
    Does anyone have experience in integrating XI with any kind of directory services which stores login credentials?
    We are having one scenario where the XI will be used for integrating multiple .NET and J2EE applications with SAP and they have login credentials stored into Active Directory.
    XI connects to multiple system through specific adapters for which we configure communication channels where we specify login credentials into it. Is it possible that our communication channel fetches connection details from this directory by which there will not be any reason to maintain the same at two places.
    For J2EE applications I can achieve the same using Receiver java proxy but that would be too tedious.
    Anybody has faced similar situation?
    Thanks in advance.
    Regards
    Rajeev

    Hi,
    Please see the below links for your reff only.
    Reg Advice for SAP with RFID..
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50acad90-0201-0010-43ba-f8fc18ebb6ba
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f84aa22d-0e01-0010-f3ad-987bed637350
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e712914a-0801-0010-f68f-9d2b241bdc61
    /people/sap.user72/blog/2004/08/05/what-is-identity-management--part-1
    /people/sap.user72/blog/2004/08/09/what-is-identity-management--part-2
    /people/frank.koehntopp/blog/2005/09/21/sap-and-siemens-join-forces-to-create-an-integrated-identity-management-solution
    Regards
    Chilla..

  • Problem with Access Manager integration

    Hi,
    I'm integrating Identity Manager and Access Manager.
    I've configured the End User interface to use Access Manager for authentication, and I have (as far as I can tell) everything else set up and working correctly. When I access the end user pages I get the following error:
    Access Manager (Sun Access Manager Realm):Successfully authenticated '00000001' on resource 'Access Manager' and found a Lighthouse user with the same accountId, but no matching resource accountId
    I've checked and confirmed that there is an attribute being passed in the header
    'sois_user = 00000001'
    And I have the following defined:
          <Attribute name='common resources'>
            <Object>
              <Attribute name='AM Resources'>
                <List>
                  <String>Enterprise Directory</String>
                  <String>Access Manager</String>
                </List>
              </Attribute>
            </Object>
          </Attribute>
    I suspect that it is the common resources that is failing, because it's looking for an accountId that matches the DN of the account in LDAP rather than the LogonID. Can anyone provide pointers on how to resolve this?
    All suggestions gladly received,
    R

    Michael,
    Thanks for your help, I understand your answer. However, I am using the Access Manager realm adapter which the docs say can't manage users, so no account is being exposed there.
    I have found the solution though and it involves a couple of steps:
    Firstly, the sois_user value that is passed by the header has to be the DN of the LDAP account.
    Secondly, I think the order of the accounts in the 'common resources' definition needs to have the LDAP resource defined first.
    Finally, the Login group needs to have both the Access Manager and LDAP login modules.
    With these 3 components in place, SSO to IdM works.
    R

  • Integration of sun identity manager with sun access manager

    Hi, I am working on integration of Sun Identity Manager 6.0 with SP1 and Sun Access Manager 7.0. IDM was deployed on Sun Application Server 8.1. SAM is installed on SunOneWebserver. I am working on Windows 2003 Server. I downloaded the agent for the application server and installed it.
    When I am configuring the resource in IDM I am getting the following error.
    testconnection failed for resource(s):
    sun access manager could notconnect as user 'amadmin' with specified password==>com.sun.identity.authentication.spi.AuthLoginException:failed to create new AuthenticationContext{0}\n.
    I modified amagent.properties, amconfig.properties and web.xml also.
    Can anyone help me on this?

  • Integrating Oracle Identity Manager 9.1.0.2 with third reported

    Hi Friends,
    I have installed Oracle Identity Manager 9.1 integrated with various connectors, for that I need to customize some reports. My question is that reports can integrate Oracle Identity Manager 9.1.0.2, according to its parent company certification
    Thanks for the support

    Hi JLK,
    Glad to know that OIM 9.1.0.2 is working for you. I had no success in installing and configuring 9.1.0 with SQL db 2000.
    Please have a look at my thread OIM 9.1.0 installation- Unable to access Admin console
    If you could throw me pointers or provide assistance that would be great. Thx in advance.

  • Java class integration with Oracle Identity Manager 9.1.0.2

    Hello Friends,
    I have a java class that is responsible for sending notifications, my question is how do the relationship of this class with the Oracle Identity Manager 9.1.0.2 so you can take the class and notify users when an application is approved or rejected.
    Any recommendation for this process.
    Thanks for the support
    Edited by: JLK on Jun 12, 2012 5:20 PM

    Hi
    Java class integration with OIM happens through the concept of adapters. You can go through the OIM documentation on how to create adapters.
    In your case you should create a process task adapter and attach it on the Approved response code in your approval process.
    Design Console --> Process management --> Process definition --> <Application Process Ex: AD User>.
    Alternatively you can also send notification using OIM OOTB email templates.
    Regards
    user12841694

  • OIM integration with Microsoft CRM by using webservices? (OIM: Oracle Identity Management)

    Hi Guys,
    can you provide me integration document for my new project
    OIM with Microsoft CRM, by using webservices.
    Venkat

    user1106726 wrote:
    We currently have ILM 2007 in our environment with limited usage at the moment. We are looking at purchasing Oracle Identity Manager to implement an enterprise wide IAM solution.
    We were wondering if it is possible to continue using ILM like a middleware between our AD forests and the Oracle IdM. Where the Oracle IdM is the overarching IAM solution and Microsoft ILM 2007/FIM 2010 is like the metadirectory for our AD forests.
    Is this possible without installing the Oracle Management Connector on any of our DCs and using ILM as the directory that Oracle IdM connects to. All AD account provisioning/de-provisioning, acct updates, password sync/reset will be initiated from the Oracle IdM to ILM and then implemented on AD. In order words no direct interaction with AD domain controllers from Oracle IdM, everything will go to ILM and ILM in turn applies it to AD.
    Is this possible?
    yes

    Is there a custom connector that will work with ILM 2007/FIM 2010
    Yes, if you write one you will have a custom connector

    Is this a simple customization or something that can be problematic and expensive?
    It won't be simple. Problematic and expensive maybe, depends on how good you are with OIM and ILM

  • Integration of MS Active directory with SAP Identity management

    Hello
    I am implementing SAP Identity Management 7.1 with external tools MS Active Directory with Single sign on using SAP IDM. Is there any documentation as to how do I connect SAP IDM with MS AD with the roles and their user provisioning process?
    Also does anyone have an architectural workflow template on this process?

    Hi
    I guess, using VDS you can achieve this. Ref the LDAP connection part.
    https://websmp203.sap-ag.de/~sapidb/011000358700001449652008E
    https://www.sdn.sap.com/irj/sdn/nw-identitymanagement
    Regards
    Shridhar Gowda

  • Confusion with a current state of Oracle Identity Management

    I would like to know if anyone has successfully implemented the complete suite of IdM. If yes, please share this experience. I want to clarify the definition of "successful integration". It should include the following:
    - SSO for Partner applications
    - SSO for External (third parties) applications
    - Provisioning and Synchronization
    - Delegated Administration
    - WNA with Kerberos
    - SAML implementation (optional)
    I would appreciate all answers on this subject

    To restart from your initial question, it's quite strange because the components you mention are all included in the AS10g Enterprise Edition or in AS10g Portal, and are perfectly integrated. I know numerous customers which use Oracle Portal, for instance, and leverage on SSO (partner or external), Delegated Administration (DAS), Synchro with AD server and Windows native authentication, without a single line of specific code. Provisioning is done automatically by DIP in the case of Portal with AD, as well, or with a Human resource system. Even the password synchro can be made between AD and OID (Oracle LDAP).
    Now, it's a slightly different discussion if we consider the recent acquisitions made by Oracle, and which are sold in the so-called Oracle Identity Management 10g.
    OAM (previously Oblix) is a more ambitious product than Oracle SSO.
    OIM (provisioning and identity management) is far more sophisticated than Oracle DIP.
    The goal, for Oracle, is to unify the workflow engine and the Human interface (with ADF). This task is probably on the rails for the next year.
    OVD (previously OctetString) is an architectural component which allows virtualisation of LDAP server.
    About Federation, OIF allows all existing Oracle Portal customers (using SSO) to rely on SAML tokens in order to trust partner sites.
    So, in my opinion, acquisitions oblige to make a substantial effort to unify human interface and make arbitration between some concepts, but it's within the Oracle means.

  • Getting started with identity management . . .

    . . .  at least I think that's what I'm asking about.
    I've worked quite a number of years in the Oracle database world, but this is really my first foray into Fusion Middleware, or Identity Management, or whatever I'm looking for is called.
    We are looking at tightening our user security by tying our database usernames/logons to Active Directory.   The immediate issue is that we have various people connecting to the db with each other's credentials.  I know this is at least partly a management issue, but the people doing the sharing are themselves managers.  And for the most part I don't think they even realize they are sharing credentials.  I think most of it comes from sharing Excel spreadsheets with external data connections to the Oracle database, and their credentials are hard-coded into the connection definition.  So when Bob gives a copy of a spreadsheet to Carol, he doesn't even know his personal credentials are built in and that  when Carol uses her copy of the sheet, she is connecting with his credentials.
    What we'd like to do is tie their database credentials to their network credentials. At this point I'm not knowledgeable enough to know if that inherently means single-sign-on or something short of that. And at this point I'm not sure I care about that distinction, but I at least want to keep the distinction visible.
    Since my "home" is the database forums, I've asked around there and been given some links to various docs and MOS notes, pointing back to more docs. Mostly simply under the umbrella of 'you need to use Fusion Middleware', which is why I am coming to this forum. It is quickly reaching a point of "you've got to understand it all before you can understand any of it". In other words, I'm not finding a good starting point to get any traction.
    Currently I'm trying to get my head around "Oracle Fusion Middleware Installation Guide for Oracle Identity Management" and still getting lost in all of the different components.
    When I go to look at downloading software to try (Oracle Fusion Middleware 11g Software Downloads) , it looks like what I want is Identity Management, but I'm not sure if I've even followed the correct trail to get to that point.
    When I go to the online store to get an idea of what actual product we will need to purchase (https://shop.oracle.com/pls/ostore/f?p=dstore:2:0::NO:RIR,RP,2:PROD_HIER_ID:4509956172801805720011), again, I'm not sure which product I should be looking at, or if I've even followed the correct trail to get to that point.
    I'm not sure how the version numbers work and how they relate (if it matters) to the database version numbers. FWIW, my databases are all Standard Edition 11.2.0.4, with some on Linux and one prod/test pair on Windows. We are looking at moving to 12.1 in the next 12 to 18 months.
    I know this is all rather vague, but at this point I don't even know enough to ask a more focused, intelligent question. I'm hoping someone can see what I'm after and help me get on the right track -- and cut through the forest of Fusion Middleware stuff that I don't need to be concerned with.

    Hello Ed
    Oracle EUS is basically what you need at this point. It enables you to address administrative and security challenges for enterprise database users. Enterprise User Security (EUS) relies on Oracle Identity Management infrastructure, which in turn uses an LDAP-compliant directory service to centrally store and manage users. The components you will need are mainly OID and/or OVD depending on your use case
    Here is an excellent online doc explaining the EUS integrations
    http://www.nyoug.org/Presentations/2011/December/Moulton-Sullivan_Centralize_Oracle_Database.pdf
    Here's some more reading on EUS from Oracle
    http://docs.oracle.com/cd/B28359_01/network.111/b28528/concepts.htm#DBIMI152
    Regards Shiva

  • Integrate other directory servers with access manager

    How to integrate other directory servers with access manager ?

    Please read the Access Manager admin guide at http://docs.sun.com/app/docs/doc/819-4670/6n6qardvq
    Any further questions regarding this integration, post them to the AM forum at http://forums.sun.com/forum.jspa?forumID=770

  • E-Business Suite 11i with ESSO and Identity Manager

    Hi,
    We want to use Identity Manager to provision user information to Active Directory, MS Exchange, and E-Business Suite. Also, intend to deploy e-sso to provide single sign-on experience for desktop and web based applications.
    Has anyone integrated Oracle E-Business Suite 11.5.10.2 with Enterprise Single Sign-On and Identity Manager (Identity Management)?
    Can we achieve it without using Oracle Internet Directory/OracleAS 10g Single Sign-On?
    Any relevant information or issues faced during integration, would be helpful.
    Regards.

    Hi,
    for this integration you will need Provisioning Gateway component of the ESSO suite, and the included OIM-ESSO PG Connector.
    The eBusiness Java interface can be integrated with eSSO, through the java helper object.
    There are several metalink notes that describe the OIM-PG integration:
    NOTE: 550639.1 eSSO: Overview And Troubleshooting Of OIM Integration With Provisioning Gateway
    NOTE: 550642.1 eSSO: OIM PG Integration: ProvisioningInstructionException: The user is not authorized for the action
    NOTE: 550645.1 eSSO: OIM PG Integration: Error in Sending Request to web service
    NOTE: 550646.1 eSSO: OIM PG Integration: Unsupported major.minor version 49.0
    NOTE: 550641.1 eSSO: OIM PG Integration: Add_credential Execution Failed. Error: XPathFactory
    NOTE: 550643.1 eSSO: OIM PG Integration: Could not find IT asset value for Svr_key
    Yes, with eSSO-OIM you won't need Oracle Internet Directory/OracleAS 10g Single Sign-On.
    Octavian

  • Is it possible to access Identity Manager Account Policy attributes?

    Has anyone used attributes to do with checking if a user's password has expired on a particular date and has been set not to allow a reset? I want to create a process that creates a bunch of users who want access to a resource for a short time period. I then want to create a process that checks and removes the accounts that have expired.
    I thought maybe I could do this by accessing the settings somehow in the Default Identity Manager Account Policy to do with password expiry. I would like to do this using a workflow or a form.

    Where is this set? Is this in the new role manager by any chance? I have created some roles and assigned resources in IDM 8 but can't find any reference to settings for access limitation time periods.

  • How to use Virsa with SAP  Identity Management?

    I have been assigned to handle my company's  SAP Identity Management and
    I am asked to use Virsa control.
    I am not quite clear about the relationship between the 2 SAP products.
    Would you please help? Thanks!

    Jennifer,
       There is no product called virsa control by SAP. Virsa was a small company which made different solution for SOX compliance. It was acquired by SAP. If you are talking about SAP BusinessObjects Access Control 5.3 then see the links below to understand the integration between SAP IdM and SAP AC 5.3.
    https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/b0aafd33-e662-2a10-a197-dd3137f7f7e0
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b0da2dba-0480-2b10-a7ae-f055ab6e9355
    Regards,
    Alpesh

  • Integrate external identity management solution in SAP GRC Access Control

    We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white paper mention extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have infos about these services and documentation. Any hint is appreciated.
    thanks
    Detlef

    Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
    what do the published webservices do? Is there any documentation about them?
    In a part of our process, we must manually pick the current roles(1), the pending roles(2) (roles that were approved but not given due to training prerequisites) and the requested new roles(3) and make the simulation in the VCC.
    The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and(3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
    Other thing that we want to do is to create a job where it would automatically disassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls)
    IMHO as a former programmer, these are classic cases where I would like to consume some webservices for these tasks to avoid a lot of Ctrl-C Ctrl-V from the operators (inefficient and error prone)
    VCC has any documentation that would help me to find how I would do this integrations?
    Thanks in advance
