OAM 11gR2 PS1: Authenticate with email

Hi All
I want to authenticate users with email address and password instead of user id and password. Has anyone implemented this before?
I tried to update the user name attribute to mail which matches with my OUD attribute name but I am still not able to authenticate with email.
Any pointers will be highly appreciated.
Thanks

Hi,
Try with the below values in the User Identity Store Values in OAM Admin Console:
User Name Attribute: mail
User Filter Object Classes: inetOrgPerson
Group Name Attribute: group
User Filter Classes: groupOfUniqueNames
As an alternative solution, you can also configure OVD as the Identity Store with OAM and then configure an LDAP adapter for OVD with the OUD details.
Choose "OVD: Oracle Virtual Directory" as the store type and provide the store details. Then configure the LDAP adapter for OUD in OVD.
Provide the required OUD details.
Hope this helps.
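The identity store settings above amount to a credential-mapping step: search the store with the configured User Name Attribute and User Filter Object Classes, take the single DN returned, and bind with that DN (the OVD thread further down describes the same lookup-then-bind). The following is an added illustration, not OAM or OUD code: a self-contained Python model with a constructed in-memory directory, which also shows why the login value must be RFC 4515 escaped before it goes into the search filter.

```python
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory standing in for OUD (DN -> attributes).
# Attribute names are lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetOrgPerson"],
        "uid": ["alice"], "mail": ["alice@example.com"],
        "userpassword": ["alice-secret"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetOrgPerson"],
        "uid": ["bob"], "mail": ["bob@example.com"],
        "userpassword": ["bob-secret"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfUniqueNames"], "cn": ["admins"],
        "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login such as '*@example.com' must stay a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(user_name_attr: str, object_class: str, login: str) -> str:
    """The search filter that the User Name Attribute / Object Class settings amount to."""
    return "(&(objectclass=%s)(%s=%s))" % (
        object_class, user_name_attr, escape_filter_value(login))


_ESC = re.compile(r"\\([0-9a-fA-F]{2})")


def _unescape(raw: str) -> str:
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), raw)


def _parse_and_filter(flt: str) -> List[Tuple[str, str]]:
    """Accept only the (&(attr=value)...) shape built above; values stay escaped."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %s" % flt)
    return [(a.lower(), v) for a, v in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))]


def _matches(attrs: Dict[str, List[str]], attr: str, raw_value: str) -> bool:
    values = [v.lower() for v in attrs.get(attr, [])]
    if "*" in raw_value:
        # An unescaped '*' is a substring wildcard, exactly as a real server treats it.
        pattern = ".*".join(re.escape(_unescape(p).lower()) for p in raw_value.split("*"))
        return any(re.fullmatch(pattern, v) for v in values)
    return _unescape(raw_value).lower() in values


def search(flt: str, directory=DIRECTORY) -> List[str]:
    """Return the DNs of entries matching an equality/AND filter (toy server)."""
    terms = _parse_and_filter(flt)
    return [dn for dn, attrs in directory.items()
            if all(_matches(attrs, a, v) for a, v in terms)]


def bind(dn: str, password: str, directory=DIRECTORY) -> bool:
    """Simple bind: the entry exists and the password matches (constant-time compare)."""
    entry = directory.get(dn)
    if entry is None:
        return False
    return any(hmac.compare_digest(password.encode(), p.encode())
               for p in entry.get("userpassword", []))


def groups_of(dn: str, directory=DIRECTORY) -> List[str]:
    """Group Name Attribute cn over groupOfUniqueNames entries that list the DN."""
    return [attrs["cn"][0] for attrs in directory.values()
            if "groupOfUniqueNames" in attrs.get("objectclass", [])
            and dn in attrs.get("uniquemember", [])]


def authenticate(login: str, password: str, user_name_attr: str = "mail",
                 object_class: str = "inetOrgPerson", directory=DIRECTORY) -> Optional[str]:
    """Credential mapping, then bind: the user's DN on success, None otherwise."""
    dns = search(build_user_filter(user_name_attr, object_class, login), directory)
    if len(dns) != 1:          # no entry, or an ambiguous match, is a failure
        return None
    return dns[0] if bind(dns[0], password, directory) else None


if __name__ == "__main__":
    print(authenticate("alice@example.com", "alice-secret"))    # the DN of alice
    print(authenticate("alice", "alice-secret"))                # None: uid is not mail
    print(authenticate("*@example.com", "alice-secret"))        # None: '*' is escaped
    print(groups_of("uid=alice,ou=people,dc=example,dc=com"))  # ['admins']
```

Changing User Name Attribute from uid to mail only changes what `login` is matched against; without the escaping, a wildcard in the login field would match several entries and the mapping step must then refuse rather than pick the first one.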

Similar Messages

  • OAM 11gr2 ps1 patch needed

    Hi guys
    Please let me know where I can get the patch to upgrade my OAM 11g R2 environment to 11gR2 PS1.
    Thanks

    You can use the same installer to upgrade it as well. It will pop up a message asking if you wish to upgrade the existing domain.
    11.1.2.1.0 is a patch set for the 11gR2 suite. The difference between a bundle patch and a patch set is that a patch set can also include new functionality as well as bug fixes.
    The 11.1.2.1.0 patch set comprises two downloads on e-delivery, and is intended to be layered on top of your existing 11gR2 installation:
    Oracle Identity and Access Management 11g (11.1.2.1.0) (Part 1 of 2) V37472-01 Part 1 of 2
    Oracle Identity and Access Management 11g (11.1.2.1.0) (Part 2 of 2) V37472-01 Part 2 of 2
    For instructions please see the document;
    Oracle® Fusion Middleware Patching Guide for Identity and Access Management 11g Release 2 (11.1.2.1) Part Number E36789-03 at the URL http://docs.oracle.com/cd/E37115_01/doc.1112/e36789/patch_set_installer.htm#CHDCHDDJ
    Section 3 Applying the Latest Oracle Fusion Middleware Patch Set
    Edited by: Abhi_ on May 22, 2013 2:39 PM

  • How to protect an application running on Apache Tomcat app server with OAM 11gR2

    Gurus,
    We have an Apache Tomcat based application named "ABCD" here at client site that we want OAM 11gR2 PS1 to integrate with for SSO purposes. I have successfully configured OHS to reverse proxy requests to Apache Tomcat server whenever somebody tries to access the application URL but still, I am getting the application login page once I have successfully authenticated on OAM SSO login page. The Tomcat based application is authenticating users against a "UserDatabase realm".
    I know in terms of weblogic application, there is an OAM identity asserter provider which then populates the User Principal for the java environment with the authenticated OAM user. But there is no such OAM identity provider for Tomcat.
    So my question is, is there a provider (or Tomcat equivalent) which will entrust authentication to a header, that could be used to populate the Java User Principal from the OAM_REMOTE_USER header? Is the WebLogic equivalent of authentication providers present in Tomcat as well? Are those called valves?
    Please advise to the earliest.
    Thanks !!

    Aakash,
    I did follow the 4 steps that you mentioned to me. Out of the 4 that you had mentioned, I already had the webgate in place on OHS server and I was already passing the remote_user http header in oam policy as action.
    As part of Step #2: Install mod_jk plugin on OHS server that you mentioned
    1.) I downloaded the tomcat connector - tomcat-connectors-1.2.37-src
    2.) I had to run ./configure, make, make install on my OHS server, which runs on RHEL 6. It created the mod_jk.so file. I pasted it in the needed folder.
    3.) I then created the httpd.conf file and workers.properties file as said in the connector docs.
    4.) Restarted OHS.
    As part of Step #3 (Configure Tomcat's AJP connector) that you mentioned, I went through all the links pasted below but didn't find what actually needs to be in place to configure Tomcat's AJP connector. I do see in the server.xml of the Tomcat app server that the AJP 1.3 protocol is supported:
    http://tomcat.apache.org/tomcat-4.0-doc/config/ajp.html
    http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html#s8
    http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
    http://www.mulesoft.com/understanding-tomcat-connectors
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    Do we need to disable the HTTP protocol in Tomcat and keep only the AJP connector enabled? If yes, how do we do that?
    I am trying to connect to the application from the OHS server like so, so I am using the HTTP protocol, right? How should I use the AJP protocol to connect to the Tomcat application?
    http://ohs-host:ohs-port/abcd
    Thanks !!!!!

  • How to protect an application running on IIS with OAM 11gR2

    Hello Gurus,
    I have a question regarding protecting an application running on IIS with OAM 11gR2. We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page. This is all Solaris. I am protecting other applications like PeopleSoft modules with this OHS instance and OAM server. There is another application that I need to protect which is itself running on an IIS Windows machine. I need guidance as to -
    1.) Do I need to install a windows version of webgate to protect this IIS based application?
    2.) Or I can still protect and proxy requests from this application to current OHS instance? How can I do this?
    3.) Or Do I need to proxy requests directly from IIS to OAM weblogic server?
    Please advise to the earliest as this is an urgent issue.
    Thanks !!

    From your description it is not clear how exactly the architecture looks.
    We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page.
    Is this OHS a centralized login farm? (Case 1)
    OR is this OHS server (with webgate) acting as a virtual web server hosting multiple web sites, so that a request to any site passes through this OHS/webgate? (Case 2)
    1.) Do I need to install a windows version of webgate to protect this IIS based application?
    If case 1, then you need to install a 10g webgate on top of the IIS server to protect this application.
    If case 2, then you can just proxy requests from OHS to the IIS server. As every request passes through OHS, the user will be authenticated before the request hits IIS.
    Look at the product documentation for virtual web sites: http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/shared.htm#autoId12
    It has steps to protect virtual web sites.
    Also you need to make sure no one hits the IIS web sites directly.
    Hope this helps

  • Is Sun DS 5.2 compatible with OUD 11gR2 PS1 Replication Gateway?

    Hi
    Is it possible to synchronise a Sun DS 5.2 master with OUD 11gR2 PS1 using an OUD replication gateway?
    If not, is it possible to set up replication between Sun DS 5.2 and ODSEE 11gR2, and then synchronise ODSEE 11gR2 with OUD via the OUD replication gateway?
    Thanks.

    Hi,
    The replication gateway must communicate with one ODSEE 11gR2 master. However, the rest of the topology does not need to be upgraded to 11g.
    Many customers deploy the replication gateway and the ODSEE 11g instance on the same box; the ODSEE 11g instance can be seen as a companion of the replication gateway.
    Note that some specific limitations apply when DSEE 5.2 is in the picture: some password policy related state, e.g. the number of failed authentications, is not fully replicated between DSEE 5.2 and OUD.
    -Sylvain

  • SGD 4.3 authenticate with AD(Users login n get different set of application

    Hi SGD Forum users,
    First of all, happy new year and happy holiday to all of you from new SGD user :-).
    We are planning to demo SGD 4.3 to one of our customers early next week.
    So, this is what the customer would like to see in the demo:
    1) From a SunRay client, user1 launches the Firefox browser and types the SGD web page address.
    - Enter username and password (username and password must authenticate with AD).
    - After successful authentication, user1 will get his webtop page.
    - In the webtop page, user1 only has two (2) applications to launch. The first application is MS Office Word and the second application is a full virtual XP desktop (192.168.5.205).
    2) From a SunRay client, user2 launches the Firefox browser and types the SGD web page address.
    - Enter username and password (username and password must authenticate with AD).
    - After successful authentication, user2 will get his webtop page.
    - In the webtop page, user2 only has two (2) applications to launch. The first application is MS Office Excel and the second application is a full virtual XP desktop (192.168.5.206).
    3) From a SunRay client, user "manager" launches the Firefox browser and types the SGD web page address.
    - Enter username and password (username and password must authenticate with AD).
    - After successful authentication, user "manager" will get his webtop page.
    - In the webtop page, user "manager" only has four (4) applications to launch. The first application is MS Office Word, the second application is MS Office Excel, the third application is MS Office Powerpoint and the fourth application is a full virtual XP desktop (192.168.5.207).
    Note: The above mentioned users (user1, user2 and manager) launch different MS Office applications and different virtual XP desktop servers.
    Here are my SGD 4.3 demo setup:
    - Install Solaris 10 06/06 OS for Sparc.
    - Install latest patches.
    - Create a local zone.
    - Install SRSS 3.1 and patches in Global zone.
    - Install SGD 4.3 in the local zone.
    - My colleague installed 2x MS Server 2003 (AD and DNS server).
    - My colleague installed ESX (VM Server) and created 3x virtual XP desktops (192.168.5.205, 192.168.5.206 & 192.168.5.207).
    In my SGD Array Manager, I had successfully set "Enabling the Active Directory login authority" as mentioned in the SGD Administrator Guide. I also logged in successfully to the SGD server using user1, user2 and manager (created in the AD server). So, my SGD server successfully communicated with the AD server.
    When I test logging in as user1, user2 or manager to the SGD server, they get the same webtop with the same applications. If I am not wrong, this behaviour is due to the LDAP Profile under "o=Tarantella System Objects". If I put any application in the LDAP Profile's Links tab, all the users who authenticate with AD will be able to launch it.
    The customer requirement is that all the users authenticate with AD and the users should launch different applications and different virtual XP desktops, as I mentioned earlier.
    Is it possible to perform the SGD demo as the customer requires? If yes, can you guide and help me on how to create a different profile for each AD authenticated user?
    Thanks in advance.
    # Yours Sincerely,
    # Mohamed Ali Bin Abdullah.

    Hi Wai,
    Sorry not including full details of the person object in my previous posting.
    Here are the details of person object:
    General
    - Name: user1
    - Description:
    - Surname: esuria
    - Username: user1
    - Email: [email protected]
    - Locale: Automatic
    - Keyboard Map: Use XPE setting
    - Windows NT Domain: BIA
    - Bandwidth: None
    - Webtop Theme: Standard
    - Inherit parent's webtop content: NO
    - Shared between users (guest): NO
    - May log in to Secure Global Desktop: YES
    - Profile Editing: Use Parent setting
    - Clipboard Access: Use Parent Setting
    - Serial Port Mapping: Use Parent Setting
    Links
    o=BIA/cn=MS XP Desktop 192.168.5.205
    That's the setting of the user1 person object which I had created in my SGD, but when user1 authenticates with AD, user1 still sees the LDAP Profile applications.
    What else do I need to set on the SGD and AD server side?
    Thanks in advance.

  • How to Create Internet user with email id as user id

    Hi All,
    I have a requirement to create an internet user taking the email id as the user id, meaning the user id is the same as the email id. To achieve this, do I need to maintain some settings, or is there any standard BAPI to do this?
    Is this a standard feature of CRM 2007?
    Thanks in advance,
    Mayank

    Hello Mayank,
    B2C Scenario has these options for the parameter usertype in the Application definition.
    In the R/3 scenario: R3_SU05Customer_LoginEmail (ISA R/3): This login configuration is the only one that is supported for ISA R/3 B2C. It cannot be chosen for the B2B and shopadmin applications. During B2C registration, SU05 users are created with type equal to 'KNA1', referring to a newly created R/3 customer.
    In the CRM scenario: CRM_Standalone_LogonConsumer: Standard user management settings if Internet Sales is used as a standalone; the login is based on the e-mail address. The internet users must use the SU01 user concept. Consumer is the keyword here. The BP associated with the SU01 user is a Consumer.
    The B2C application is hard-wired the way it is defined above.
    Now for the B2B application:
    In the R/3 scenario: Only R/3 ISA provides some SU05 user possibilities. But they are not relevant to your situation.
    In the CRM scenario: it gives CRM Standalone or CRM Portal possibilities. In CRM Standalone, the login id uses Alias. But nothing stops you from keeping Alias the same as the User ID. In case of Portal, the login occurs via Portal. That is, the user logs on to the portal and gets into ISA using SSO. The portal offers a variety of ways to authenticate, including email address, user id etc. This is made possible by use of LDAP in the portal for user authentication. They maintain a mapping between email-id and user-id and do what you are seeing now in SDN. If you have Portal in your landscape, and let external B2B users come through Portal into ISA with SSO, you can also do login using email-id in a jiffy.
    But in your case I think you are stuck with CRM Standalone.
    Easwar Ram
    http://www.parxlns.com

  • OAM 11gR2 Authentication using username/password/additional ldap field

    I want to add an additional credential parameter along with username and password to be validated against LDAP.
    Is there any out of the box solution for authentication using username/password/additional LDAP field in OAM 11gR2?
    This solution exists in 10g and I could not find any OOB feature in 11g.

    Do you need to accept an additional parameter from the user via the login form and then use it in the credential mapping step?
    Not sure if the %% syntax would work... haven't tried it. The next option is to develop a custom authentication plugin.
    Additional LDAP attribute against a static value:
    If you need to add an additional LDAP attribute (checked against a static value), you can specify that in the LDAP search filter in the "User Identification plugin" configuration.
    Take a look at "MTLDAPPlugin" under custom authentication modules.
    Hope this helps

  • Ldapbind to database adapter users in OVD with email

    Hi!
    Can anyone tell me how to ldapbind to database adapter users in OVD with email or uid?
    Ldapbind with the full DN works just fine.
    Thanks!

    > Also I can bind to users in the database CRM OVD-DB table using
    > ldapbind -h ovd.mydomain.com -p 6501 -D "cn=extcustomername,cn=customers,cn=users,dc=mydoamin,dc=com" -w %custpwd%
    > But I am getting an "ldap_bind: Invalid credentials" error trying to bind with:
    > ldapbind -h ovd.mydomain.com -p 6501 -D cn=extcustomername -w %custpwd%
    You can bind with UPN to AD because AD is special.
    You won't be able to bind with cn=extcustomername using the out of the box adapter. If you write your own plugin that will look up the DN based on cn=extcustomername, then have the plugin do the bind with the DN for you, it'll work. Then you would have to make sure this plugin works with the database adapter; I haven't tried it, so I don't know.
    If you're trying to make this bind with cn=extcustomername work for OAM to OVD, then you don't need to do it. Leave the adapter as is (bind with full DN). External users will log in to the OAM-protected application with their username or whatever the value of cn is. OAM will then look up the DN based on the cn or any other attribute; this is configured in the authentication scheme in the credential_mapping plugin. Take a look at the OBE example: http://www.oracle.com/technology/obe/fusion_middleware/im1014/ovd-oam/index.htm

  • OAM 11gR2 - Remote Registration Exception - HTTP Error 501

    Hello
    I installed OAM 11gR2 and am trying to configure OAM with WebGate.
    While doing remote registration using rreg.bat I get an exception
    RemoteRegistrationException
    HTTP error 501 could not send HTTP Post message
    Can anyone help me?
    Thanks,
    Ram

    It's most likely a problem with your Java version.
    I know for sure that Java version 1.6.0_37 doesn't work and that 1.6.0.41 works for sure.
    Can you try installing a different version of Java?
    if on linux use the
    update-alternatives --config java
    as root to point to the java (other version that you installed) and try again.
    Let me know if that helps.
    Cheers
    -Kungo

  • OAM multi-level authentication with an OIF SP

    As background, we have 16 Shibboleth IdPs in a federation and users need to access a couple of applications that are protected by OAM (10.1.4.3) using OIF (11g) as the SP. We have a requirement to force re-authentication for a set of URLs protected by OAM. So, if a user accesses application, let's call it LOW, and then attempts to access application called HIGH, we need to reauthenticate the user at the IdP. In OAM, this is the classic use case for multi-level authentication, I think.
    Since OIF acts as a gateway, all of the applications "behind" OIF/OAM use the same authentication scheme in OAM, so I can't use OAM's multi-level authentication as we are configured now. I was told by an OIF person at OracleWorld that a possible approach would be to configure a custom authentication engine in OIF that is basically a copy of the OAM authentication engine and set that up at a different authentication level in OAM. However, looking through the documentation, it looks like the authentication engines are only used when OIF is used as an IdP. Perhaps the person meant that I need to set up a custom SP Integration Module? Or am I misunderstanding the role of the auth engine?
    The OAM SP Integration Module lets me specify Authentication Schemes and Authentication Scheme Levels. We currently are set up to use OIF-unspecified with a level of 1. Since we want to re-authenticate, however, we really want to use the same authentication scheme but at a different authentication level. Is there a way to achieve that? Can I set up a second OAM SP Integration Module with a different policy domain and set the OIF-unspecified authentication scheme to level 2 on that one? How would I go about doing that -- as a custom SP engine?
    Has anyone done anything similar or found a way to force reauthentication using the same authenticator for some applications behind an OIF SP but not others?
    Thanks for any help you can provide.
    --Mike

    Hi,
    Thanks for the reply.
    “In fact there is not one use case. There are 5 use cases for which we need to provide Second Level of Authentication functionality. And that also with the flexibility of switching this on/off.
    Now as per my understanding we should achieve this through the following flow :
    Store one extra attribute in OID per user per service. And that attribute will store the enable/disable information for that particular service and for that particular user.
    Now ObAuthentication Scheme class of Access Manager API needs to be used for enabling or disabling the Level 2 authentication scheme as per that attribute.
    Is this flow possible.”
    Cheers,
    Sunny

  • OAM 11gR2 Throwing SSL Warning after configured to use HTTPS Load Balancer

    I have configured OAM 11gR2 to use an HTTPS load balancer on 14100 and have set my managed server's SSL listen port to 14100 (could not use 14101 because the HTTPS VIP created was listening on 14100). Everything works fine with this configuration, but my logs are filling up with the following warning.
    <Oct 3, 2012 1:41:54 PM UTC> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer 10.228.0.1 - 10.228.0.1 instead of an SSL handshake.>
    I know that 10.228.0.1 is the DNS server, but I'm not sure why this is happening. Any ideas?

    What WLS and OHS versions are you using in this environment?
    If they are older than these, please upgrade WLS to 10.3.3 and OHS to 11.1.1.3. This is a known bug on the WLS side, not in OAM.
    I hope this helps,
    Thiago Leoncio.

  • OIM 11gR2 PS1 installation on Websphere

    Hi,
    Has any one installed OIM 11gR2 PS1 on websphere (With Cluster environment or single node).
    I

    I was able to resolve this issue . we need to click on "regenerate view".

  • BASIC OAM 11gR2 QUESTION

    Can someone explain the difference between "success url" for
    1. Authentication Policy - success url is an optional parameter.
    2. Authorization Policy - success url is an optional parameter.
    3. Unsolicited Login - success url is a required parameter.
    This is with respect to Oracle Access Manager 11gR2.1

    1. Authentication Policy - success url is an optional parameter.
    After successful authentication the user will be redirected to the URL mentioned in "success url".
    2. Authorization Policy - success url is an optional parameter.
    After successful authorization the user will be redirected to the URL mentioned in "success url".
    Both these parameters are optional. If these parameters are not present in the OAM policy then the user will be taken to the protected application URL from where the OAM flow began. For example, the user started with the http://mydomain.com/protectedapp URL.
    3. Unsolicited Login - success url is a required parameter.
    This is a required parameter for the "unsolicited login" feature. Basically you pass three parameters to the OAM direct authentication URL: "username", "password" & "successurl". If the provided username and password are correct, redirection to the URL in the "successurl" parameter happens. You can get more information about the unsolicited login feature in this blog:
    http://www.ateam-oracle.com/unsolicited-login-with-oam-11gr2/
    Hope this helps.

  • 9630 Tour Device here in the U.S. Cant authenticate with BES that is overseas - help?

    My 9630 device was connected to the BES of my company, which is physically in Europe, but stopped getting emails. I am with Verizon as a carrier; they obviously are not, as they are in Europe.
    For some reason, when setting up the email my device fails to authenticate with 'the server', which I presume the device means to be the company's email server. When I make the connection request, I see the BES data email come into my inbox and process itself, but the device just sits in an 'Activating - Contacting Server.....' state until it times out.
    The weird thing is that I did have it working for 2 weeks, but it has been offline for a month now. Initially I was able to send emails, but not receive, but after some tinkering around by the BES agent in Europe, I can no longer send or receive.
    I guess what I am looking for is a list of potential causes that would result in a device not authenticating to the mail server, so that I can go through it one by one. They are telling me it's likely the device or the SIM and I just don't believe that it is.
    What we do know:
    - It is not related to my IQ and the classic User IQ Exceeded conclusion 
    - It is not related to my password as we have changed this many times, including creating secondary email accounts on the server
    - The guys in Europe were able to authenticate my email to a different device
    - The device works fine, or at least seems to, as I get my personal emails to the device
    Help! Anyone have any experience with this?
    -Alf

    http://www.apple.com/iphone/LTE/
    According to Apple's list (link above) you will probably want to pick up a Sprint or US Cellular model. HOWEVER, as I mentioned above I know that the Verizon iPhones come unlocked from the factory (assuming it will be the same for iPhone 6 and 6+). I DO NOT KNOW if the Sprint and US Cellular models come unlocked. But I am sure some quick internet research will lead you to the answer.
    I think your goal would be to get a Sprint or US Cellular version. Also I believe a law was just recently passed that allows someone to have a phone unlocked by the carrier no questions asked. So even if the Sprint and US Cellular iPhones are locked you can have them unlocked.
    Update:
    http://www.cbsnews.com/news/obama-signs-bill-unlocking-cellphones/
