OIM 11g R1 - Validating Password against Password Policy

Hi,
May I know how I can validate a password against a password policy specific to a particular resource object? Thanks.

See this,
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/appinstance.htm#CHDEHJJJ
For 11gR1, see this,
http://docs.oracle.com/cd/E17904_01/doc.1111/e14308/oim_admin.htm
After creating the policy, add this policy to the resource object by using the Password Policy Rule Tab.
I hope this helps
Edited by: Shashi kiran on Apr 19, 2013 3:36 PM

Similar Messages

  • OIM 11g R1 - Reset Password Settings

    Hello,
    If I reset a user password the default settings are:
    - Auto-generate the Password (randomly generated)
    - E-mail the new password to the user.
    Is it possible to remove these fields or set "Manually change the password" as default?

    Update: Support has confirmed this is a bug and it needs an install on BP06 to fix it.

  • OIM 11g: Target account attribute value enforcement/policy

    We have some requirements around enforcing certain attribute values on our target platforms. For example, if we provision a field "Approval Limit=$100", and on a recon that value has been changed to "Approval Limit=$5000", then appropriate action should be taken (i.e. change it back to $100, notify somebody, etc.)
    This type of feature was available on some other IDM products I've worked with, but there does not seem to be anything built in to OIM to support this.
    My initial thoughts were to write task adapters against the Recon Insert/Update Received events and perform these types of checks and corrections there.
    Has anyone else run into this requirement in OIM? How did you solve it?

    There are three ways to handle such scenarios:
    Process Task: Attach a task on Reconciliation Task
    Event Handler/Entity Adapter
    Schedule Task

  • OIM 11g Self Registration - authenticated against external data source

    Dear All,
    Out of the box server registration is unauthenticated. How to make it authenticated?
    What configuration should I perform?
    Thank you for your help
    Kind Regards
    Maria Adair
    Edited by: Maria on Oct 25, 2010 9:26 AM

    Hi,
    I am assuming that in the clustered environment you have two instances running.
    It must be an issue with a single server, because the problem is intermittent.
    To see which server is causing the problem, just perform the following steps:
    1) Stop server1 and keep server2 running, and fire a new registration request.
    2) Stop server2 and keep server1 running, and fire a new registration request.
    Using the above, at least you can see which server is causing the problem.
    Regards,
    J
    Edited by: J_IDM on Mar 21, 2011 10:52 PM

  • AD Password Sync connector 9.1.1 With OIM 11g R2 - ERROR OVER SSL

    I have set up AD password sync from AD to OIM 11G R2.
    The password syncs from AD to OIM 11G R2 on non-SSL port 389.
    But it fails on SSL port 636.
    Errors in OIMMain.Log:
    Debug [10/11/2012 10:49:34 AM] Inside ConnectToADSI
    Debug [10/11/2012 10:49:34 AM]
    ldap_connect failed with
    Debug [10/11/2012 10:49:34 AM] Server Down
    Debug [10/11/2012 10:49:34 AM]
    Steps carried out thus far:
    AD is up and running.
    Configured AD Password Sync Connector on 636 and selected ssl.
    Created Certificate on OIM host, configured custom identity key store on weblogic. Restarted Weblogic.
    Imported Certificate to AD. After this, restarted the AD
    I can Telnet port 636 from OIM Box and also connect to AD through LDAP Browser on 636 and view OU and CN, so this seems fine.
    Provisioning from OIM through Connector Server to AD works over SSL and this works fine.
    Help would be appreciated.
    Many Thanks

    This question has now been fixed.
    Instead of explicitly stating 636 for SSL,
    use the same port 389 for SSL, and also configure the OIM port to be 140001, which is the SSL port for OIM, in the configuration of OIM Password Sync.
    Export Certificates from AD to java security keystore and to weblogic keystore
    Export .pem certificate created on OIM host machine to AD.
    Restart weblogic, oim and AD
    Everything would work fine.
    For all the other information, refer to doc.
    Thanks

  • How to assign approval policy for a request template in OIM 11g

    When I request a resource in OIM 11g, it always goes for Default approval of xelsysadm.
    I want this Request level approval to go to "Beneficiary Manager approval". While requesting, I am selecting the request template (which I created) for Provision resource as Request type. I have already set "Beneficiary Manager approval" as the request level approval for this request template.
    I have created one approval policy. How can I assign this approval policy to the request template so that when I submit this request, it goes to my Manager approval?
    Regards,
    J

    Hi Rajiv,
    I do not need approval of Operational level. I want to stop the approval process after request level approval.
    Here you are saying to create a new approval policy and set AUTO Approval as true. There are some default approval policies which come with OIM 11g, and one of the approval policies is triggering the Operational level approval. So I think I do not need to create a new approval policy and I can use an existing approval policy and modify it as you suggested, selecting AUTO APPROVAL and creating the approval rule as request template=="XYZ".
    I am not sure which default approval policy is triggering the Operational approval now. Can you please tell me that?
    Can you please confirm that the only way to restrict Operational Approval is by selecting "AUTO APPROVAL" true and putting the approval rule as request template=="XYZ"?
    Thanks Rajiv for your help all the time.

  • Provision a Resource Object to Organization automatically in OIM 11g

    Hi All,
    How to provision a Resource Object to Organizations automatically in OIM 11g?
    Can we use Access Policy for this? If not, is there any other way to solve this?
    Regards
    Edited by: 903745 on 31 May, 2012 1:40 AM

    Are you referring to creating a resource object (e.g. group) on the Organization itself (as opposed to users in that Organization)? If so, this can be done from a post-process event handler on the Organization object.

  • OIM 11g R2 - API to validate user's password

    Hi,
    Is there any API available to validate if a user's password in OIM is valid? I have a user login and password and need to verify if the user's password in OIM is the same as the input password. I am not looking for the API to validate my password against the password policy, for which I have the API.
    Thanks.

    One of the ways to do it would be to decrypt the current password and then compare with the new password. Where are you doing this check? Depending upon where you want to do this, you can use different ways to decrypt the current password of the user.
    There are various posts in the forum about decrypting the password.
    On a side note, if your policy does not allow same password, then new password validation against the policy should suffice your requirement.
    -Bikash

  • Problems Implementation Password Policy on OIM 9.1.0

    Hello,
    Please help me.
    I created a password policy on OIM, I injected that password policy into one of the resource objects, I created an object form and a process form with the same configuration (field table), and I use data flow to transmit the data between the object form and the process form.
    I set the process definition with AUTO SAVE FORM and AUTO PRE-POPULATE checked.
    The problems are:
    1. When I try to do the provisioning process (with delegated admin: xelsysadm) to that resource object (target system), after the admin submits, the process status is provisioning, and the detail is System Validation: Pending
    2. Then I tried to remove the password policy on the resource object and tried the provisioning again, and the process works fine: process status provisioned, process detail
    System Validation: completed, Create user: completed
    Why does this happen?
    The important point is, why can AUTO SAVE FORM not work properly if I inject a Password Policy on the resource object?
    Warm regards,
    Ricky R
    Manila

    When you say you have checked auto prepop, it means that there are pre-pops attached to certain fields on your process form that you want to be auto-triggered before provisioning commences. So I'm assuming that you are pre-populating the password field. Does the password value that you are prepopping the field with conform to the standards of the password policy? If not, that could be the reason why your provisioning process isn't getting kicked off. You will need to supply a password (either manually or, if you want to automate it, pre-pop it) that conforms to the password policy defined on the resource object. Also, I think the name of the password field must be _PASSWORD.

  • How to implement forgot password policy in OIM

    Hi,
    I want to implement forgot password Policy on OIM 11g r1.
    Can anyone please help me on this?
    I mean from where to start and how is the follows goes..
    Thanks in Advance :-)

    Forgot Password functionality is OOTB.
    You can configure Forgot Password Question Answers. Go to System Configuration (Advance Console) and search for different properties associated with Challenge Questions Answers.
    OIM.DisableChallengeQuestions
    PCQ.NO_OF_CORRECT_ANSWERS
    XL.IsDupResponseAllowed
    etc..
    You can also add new Challenge Questions as well by adding into Lookup.WebClient.Questions

  • OIM 11g (OIMClient) API login without password

    Hi,
    Is it possible to login using OIMClient API with username only?
    I would like to use a trusted web service to invoke the OIMClient API (using private key and username), this seems possible in the previous version of OIM, has anyone tried with 11g and how do you do it.
    Alternatively is it possible to decrypt 11g password from a web service?
    Thanks

    Hi,
    If you are looking for login to OIM using UserName/PrivateKey, refer the link below:
    While login to OIM 11g using private key getting error
    Regards,
    Raghav.

  • Delay in the change user password OIM 11g

    Hi guys,
    I have a problem with OIM 11g. The user accesses OIM to change their password; when the message that the password is changed is shown, the user logs off and tries to access with the new password, but the new password isn't accepted.
    The new password is posted to AD immediately.
    Only after some time is the new password accepted in OIM.
    I need the new password to be applied as in AD when changing the password.
    Does someone know how to resolve this issue?
    Thanks

    I don't think this is possible. You can add some delay while changing the target system password, but it's not guaranteed.

  • Allowed set of characters for user name and password in OIM 11g

    Hi,
    Can anyone quickly tell us which characters (numbers, alphabets, special symbols) are supported for the username and password fields in OIM 11.1.1.5?
    Thanks,
    Karthik

    Read it, it is general for OIM 11g
    http://docs.oracle.com/cd/E14571_01/relnotes.1111/e10132/oim.htm#CHDFFDGH

  • Reconciliation of "change password on next logon" from AD fails in OIM 11g

    Hello,
    We have a use case on our OIM 11g project where we create a user in Active Directory and check the "User must change password at next logon" box in AD.
    We have setup AD as Trusted and Target resource (using connector 9.1.1.7), where users coming from AD will be created in OIM and password changes in OIM will be sent to AD. Also we use the password synchronization module (9.1.1.5) to synchronize the passwords from AD to OIM when they are changed in AD.
    What we noticed is the "User must change password at next logon" is synchronized to the "AD Resource", but unlike the regular attributes it is not accessible normally because it's a system attribute.
    What we expect is the user logging in to OIM will be prompted to change the password, but nothing happens when the newly reconciled user logs in (i.e. normal self-service page is shown). Same thing applies when we set the flag on an existing user also.
    Did anyone get this working properly?
    P.S. In a previous version it used to be the opposite, where the user was constantly prompted for the password even though it was changed in AD already; after changing the password using Alt+Ctrl+Delete the user was still prompted to change it when logging in to OIM. Oracle suggested we upgrade to 11.1.1.5.1 (most recent patch set) but now the reverse happens - we never get the change password prompt now.
    Thanks,
    -JP
    Edited by: JacekP on Oct 17, 2011 8:10 AM

    Yeah, you're right, unfortunately we have a dual authoritative password model, where a user can change the password from OIM when he is accessing OIM through a web interface or from his Windows machine through the domain controller. We need the use case to work fully both ways ideally.
    A plan-B solution is to use a directory synchronization mechanism outside of OIM that would connect OID and AD, but we would prefer not to.

  • OIM 11g integration AutoLogin error (first login or forgot password)

    Hi,
    We are currently integrating OAM+OIM 11g (R2). We have used a 10g webgate for this.
    When the user logs in for the first time, and sets his password and answers the challenge questions, he should be "Auto logged in" when he is finished.
    The same scenario should happen, if the user forgot his password, and resets it. He should be "Auto-logged in" when finished.
    This is not happening for us.
    The OIM logs tells us this:
    ERROR: Autologin failed oracle.iam.ui.platform.sso.exception.AutoLoginException: Error occured while retrieving TAP partner key from Credential store
    We have tried to verify everything recommended by this Oracle Support article:
    How to Solve Autologin problems in OIM with OAM? [ID 1475297.1]
    Any ideas what we are missing?
    Thanks & Regards,
    Henrik

    Maybe this is something?
    What should the value of the property OAM_SERVER_VERSION be, when running idmConfigTool.sh and using a 10g webgate for the integration?
    Chapter 7.6 in the integration documentation states this:
    OAM_SERVER_VERSION: 11g (use 10g if Oracle Access Manager 10g is used)
    http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oim.htm#CACFCJHI
    Under chapter 2.4.5 in the idmConfigTool documentation it's described like this:
    OAM_SERVER_VERSION: Required only when Access Manager server does not support 11g webgate in Oracle Identity Manager-Access Manager integration. In that case, value should be provided as '10g'.
    http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/idmcfgtool.htm#CIHCICHD
    When we ran the script, we had the value set to "11g" (because that's our OAM version)... now I'm wondering if I need to set this value at all..
    Regards,
    Henrik
