OIM / OAM SSO breaks with 9.1.0.2 upgrade

Hi all, would much appreciate help with the following please....
I had OIM running fine with SSO from OAM (passing the header value) with 9.1.0.1
After upgrading to 9.1.0.2 I changed the config auth settings back from default to SSO but now find that when
I try to access OIM after authenticating to OAM I get a login prompt from WebLogic. Entering my internal OIM credentials doesn't get me through
so I end up with a 401 from WebLogic.
Has anyone else seen anything like this please?
Many thanks,
Bernie

No replies to this so far - thought I'd ask just once more....
Thanks,
Bernie

Similar Messages

  • Reset Password In Form Based Authentication "OIM - OAM Integration" SSO

    Hi All
    I want to give Password Reset Option in the Form Based Authentication page for OIM-OAM SSO Application, could you please help me in that??
    My SSO is working with OIM 9.1.0.2BP06 with OAM 10.1.4.2.0, and I have created a simple form in HTML for the authentication. Now I want a Password Reset button on the form, and will have to reset through LDAP.
    TA

    Provide the OIM links for registration and forgot password.
    If your OAM has a user store(LDAP) where OIM is provisioning, your changes will be reflected in OAM
    Hope this helps,
    Sagar

  • How to Migrate 10g sso integrate with EBS 11.5.10.2  to 11g OAM(oracle access manager) with R12.1.3

    How to Migrate 10g sso integrated with EBS 11.5.10.2  to 11g OAM(oracle access manager) with R12.1.3
    Os:Linux 64 bit
    database:11.2.0.3 Rac

    Hi,
    You could try working through the EBS -> APEX integration article on the Apex community site (http://www.oracle.com/technetwork/developer-tools/apex/apex-ebs-wp-cabot-consulting-169064.pdf)
    Rod West

  • Will 11.1.1.6 work with OIM OAM/WG 11.1.1.5?

    Will 11.1.1.6 work with OIM OAM/WG 11.1.1.5?
    I believe OIM/OAM/WG 11.1.1.5 is the latest?
    Thank you in advance.

    OIM 11.1.15 is certified with all OFM component 11.1.1.5 versions only. OIM 11.1.1.5 BP 04 is latest. OIM R2 is latest release but not available for download as of now.
    regards,
    GP

  • OIM-OAM 11g BP 02 integration not working as expected

    Hi Experts,
    We have OIM 11g and OAM 11g both upgraded to BP02 installed on separate hosts. We are using OID 11g as the directory servers and OVD 11g fronting OID for integration. We followed the steps mentioned in Oracle Document Oracle® Fusion Middleware Integration Guide for Oracle Access Manager 11g Release 1 (11.1.1)Part Number E15740-04 for integration purpose.
    After performing all the integration tasks mentioned in the document, while testing the integration, the expected results are not being served.
    If I access the OIM admin console URL, I am getting the default OIM admin console URL instead of the OAM SSO login page for authentication. Also, I am unable to log in using either xelsysadm\oimadmin\oamadmin, but I can log in using weblogic, so this is referring to the default embedded LDAP of WebLogic for credential validation.
    OIM and OAM are deployed on separate hosts, please find the deployment details below.
    1. JDK: 1.6.0_29
    2. WLS : 10.3.5
    3. LDAP: Oracle Internet Directory: 11.1.1.5.0
    Oracle Virtual Directory: 11.1.1.2.0
    4. Webserver: Oracle HTTP Server fronting the OIM
    The integration video on Support.oracle assumes that all components OIM\OAM/OID/OHS are on the same host.
    I have my OIM and OAM both patched to the latest BP, which is BP 02. There is a support article which specifically talks about a few settings to be made for BP 02.
    The article ID is 1447494.1.
    Even after doing all these, the integration is not working.
    As per the support article, I need to use the preferred host name for the agent fronting OIM as IAMSuiteAgent, and if I do that, the proxying of the OIM server with the webserver host will not work at all and ends with a 404 not found error when I access using http://OHShost:OHSport/oim.
    But if I use the name of the agent, i.e. the webserver name, in the preferred host field, the redirection happens and I get the OAM SSO login page for authentication; however, with the credential validation at this page, the OIM login page (http://OIMhost:OIMport/oim) is provided, prompting for login again.
    Also, if I access the OIM login page http://OIMhost:OIMport/oim directly, the OAM SSO page is not coming up for authentication.
    I am awaiting your advice\suggestions or workarounds if anyone has come across this kind of issue, which I am sure is an obvious case.
    Thanks,
    Nagendra

    Hi,
    Any help in this regard please?
    Thanks
    Nagendra

  • OAM SSO integration question:How can I get a user identity from ObSSOCookie

    We are building an OAM SSO solution. The App server is both on OAS and WLS. My question is that, after I get the ObSSOCookie from httprequest.
    I need to verify whether the ObSSOCookie is a valid one, and I also need to get user identity from the cookie and pass it to login module to populate user principal
    Of course, one way of doing that is to install access manager SDK and go from there. But we support multiple OS, it's a pain to add Access manager SDK to different installer for different OS.
    I am trying to use IdentityXML Functions, which is a SOAP-based web service, so that I don't need to worry about the OS platform. But I can't find a web service which returns user identity based on a valid ObSSOCookie. It seems that I can invoke the web service with a valid ObSSOCookie, but there is no way to get the user identity back. Am I missing something?
    Hope someone can help me out.
    Thanks.
    -Wei

    Ok. Sounds like you are a vendor trying to play well in an SSO environment.
    Here is what I tell OAM customers when they are evaluating software to see if it will cooperate with a system like OAM.
    Can the software's native authentication scheme be explicitly turned off (usually a configuration in a file)?
    Can the software be configured to accept a token of identity in the form of a Cookie or HeaderVar (also configurable in a file)?
    If the answer to both is yes, then the system is capable of 'third party trust' for authentication.
    From your perspective, your logic for login should be something like:
    Is my native authN turned off?
    If yes, can I find the cookie or header that I should be looking for?
    If yes, take the value and proceed to create user session for this identity per usual (except that you never evaluated the authN - you trust that it was done).
    If no, present the native AuthN scheme anyway.
    If you follow this pattern, you are in the good company of folks like PeopleSoft and Plumtree who had these types of integrations working long ago.
    Yes, there are other ways to do this but, in my humble opinion, this remains the most stable and effective pattern we see.
    What you ask for as the identity token value is up to you. It is often the login ID value that you would have used in your own authN procedure. There's nothing particularly sensitive about having a webgate set headers - they are only available to the server and not to the client. Cookie of course could be seen but can't be spoofed as the webgate has the final word on its content.
    Mark
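
The login decision described in the answer above, written out as an added example; it is not part of the original post and is not Oracle's or any vendor's code. The header name `X-SSO-USER` and the proxy address `192.0.2.10` are constructed placeholders, and the peer-address check is an added assumption: the identity header is only trustworthy when the request reached the application through the WebGate-fronted web server.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoConfig:
    native_authn_enabled: bool                # False = third-party trust is on
    identity_header: str = "X-SSO-USER"       # hypothetical header name
    trusted_proxies: tuple = ("192.0.2.10",)  # constructed WebGate host address


def _from_trusted_proxy(cfg, peer_ip):
    """True only if the TCP peer is one of the configured WebGate hosts."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(peer == ipaddress.ip_address(p) for p in cfg.trusted_proxies)


def decide_login(cfg, headers, peer_ip):
    """Return ("sso", user) or ("native", None).

    headers is the list of (name, value) pairs exactly as received, so a
    duplicated identity header stays visible instead of being merged.
    """
    # Is my native authN turned off? If not, use it.
    if cfg.native_authn_enabled:
        return ("native", None)
    # Added assumption: trust the header only on requests from the proxy.
    if not _from_trusted_proxy(cfg, peer_ip):
        return ("native", None)
    # Can I find the header I should be looking for? Exactly one copy.
    wanted = cfg.identity_header.lower()
    values = [v for k, v in headers if k.lower() == wanted]
    if len(values) != 1:
        return ("native", None)
    raw = values[0]
    # Refuse control characters rather than trying to clean them up.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return ("native", None)
    user = raw.strip()
    if not user:
        return ("native", None)
    # Create the session for this identity; authN itself was done upstream.
    return ("sso", user)


if __name__ == "__main__":
    cfg = SsoConfig(native_authn_enabled=False)
    # Constructed sample requests: (headers, peer address)
    samples = [
        ([("x-sso-user", "jdoe")], "192.0.2.10"),    # via WebGate host
        ([("X-SSO-USER", "jdoe")], "198.51.100.7"),  # direct to app port
        ([], "192.0.2.10"),                          # header missing
    ]
    for hdrs, peer in samples:
        print(peer, hdrs, "->", decide_login(cfg, hdrs, peer))
```
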

  • Wrong Hostname for OIM/OAM implementation

    Hi everyone,
    I'm having some issues with OAM redirecting using the machine name instead of fully qualified hostname.
    Linux: Red Hat Enterprise Linux Server release 5.6 (Tikanga)
    In my base domain I have installed OIAM 11.1.1.5 (OIM, OAM, SOA, OAAM) and in my secondary domain sits IDM 11.1.1.5 which has OVD, OID, ODSM.
    For my base domain, OAM appears to be listening on http://machine... when I try to login using http://machinename.domain/7001/oamconsole it fails because the page redirects to https://machinename:14101/oam/server/ and this fails... likewise http://machine.domain:14000/oim sends me to the same oam link and ends up failing
    I'd like it to use the fully qualified hostname including domain... how do I do this?
    Thanks

    Hi,
    The likely suspects for this would be the settings for the OAM Server(s) and Load Balancing (if set) in the oamconsole. Please check the hostname settings in the "System Configuration" tab in the screens for the OAM servers (oam-server1 etc) under "Server Instances", and in the "Load Balancing" settings in "Access Manager Settings".
    Regards,
    Colin

  • OIM-OAM integration and LDAP Sync

    Hello All, I have deployed OIM 11g R2 and OAM/OVD 11.1.1.5. Now I need to enable LDAP sync for OIM-OAM integration and I'm not allowed to extend Oracle schema in AD. So I decided to use OUD for FMW schema and I have completed all those steps and OUD is up and running. Since my enterprise directory is AD and OUD is my FMW directory, I need to think of a split profile setting in OVD. I'm following this link http://fusionapplications-ateam.blogspot.com/2012/04/split-profiles-with-ad-and-oid-for.html for this deployment. I have OVD adapters configured for AD, OUD, Join view and changelog. The link does not clearly explain the steps in OIM for LDAP Sync.
    When I configure LDAP Sync in OIM, should I point the sync to the OUD users container?
    When and how this cn=shadowentries container will be used? I understand that the password (obattributes) are used for password management by OAM, but wondering where will that get stored in OUD?
    Please let me know your thoughts.
    Thanks.

    Hi,
    when I use url:
    http://idm1:14000/admin/faces/pages/Admin.jspx
    I get Access Manager login page, I can click links: register new user, reset password and I get correct OIM pages. But when I type xelsysadm and password I get error on the next page:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    I can't logon to EM, OAMconsole, Weblogic etc. when the OAM is running. In OIM log I got errors from oam-agent: "User is not authorized to access resource, MinorCode: DENY, MajorCode: DENY".
    I have got user xelsysadm in OIM and in LDAP; when the OAM is not running I can log in to OIM, create users in OIM (they appear in OID) etc. The user xelsysadm is added to group: OAMAdministrators. Also, when I try to log on to the OAM console (http://idm1:7001/oamconsole) using the orcladmin name I get the error: Access to administration console is restricted. But when I use the weblogic username (the user is in the OAMAdministrators group in OID) I can get OAMconsole.
    How can I change logon type in OIM?
    best
    mp
    Edited by: J23 on 2011-01-10 00:47

  • Oracle SSO 10g with Oracle WebCenter portal 11g (11.1.1.8)

    My client is having an existing Single Sign On solution  (SSO 10g) and now we are implementing webcenter portal 11g (11.1.1.8).
    The client is going for OID 11g for the new implementation and wants old SSO to be used for single sign on.
    Here's the stack:
    1. Oracle SSO 10g - existing one and client is not interested in upgrading to OIM/OAM 11g.
    2. Oracle OID 11g - new install and client is ready for migration.
    3. Oracle WebCenter 11g - the custom portal whose build is in progress.
    We want to bring the new portal implementation under the SSO umbrella for authentication and authorization.
    The questions are:
    1. Is this discouraged by Oracle? I mean, if you are using 11g for WCP and 11g for OID why not migrate to OIM/OAM 11g ?
    2. Can I configure my new portal for this old SSO? if yes, is there any documentation for it? Are there any limitations/demerits in this approach?
    3. Is there any other better way out there which I am not aware of?
    Thanks in advance
    Regards

    Can some one help me on this. Zero responses after a week is

  • Implementing EULA / end user declaration using OIM/OAM

    Hi,
    We have a requirement in which we have to make the user accept a EULA / end user declaration prior to adding details in the portal. Does anyone have pointers on how to do the same using OIM/OAM?
    Early response would be much appreciated.

    I would have done it in this way: Assuming you have decent knowledge of using existing components of the OOTB connector for re-usability. Also, I have never tried this, it's just an approach which could possibly work.
    - The only way for an end user to change its own password in OIM is via self-service which means the tcUtilityFactory would be instantiated by the user itself. If that is the case then you can obtain the User ID in the pre-insert entity adapters/plugin. Now when the password reset operation is being done, you can check the User ID of the Logged In user and the Target User and take a decision whether it was the user itself or some other admin.
    - If it was some other admin then you can set the Force Password Change at next Logon check-box in the User Profile to true.
    - Now modify the Change User Password task to use the IT Resource connection credentials if that check box is selected to create a connection OR use the credentials from the Process Form if that check box is not selected.
    This way the connection to the LDAP would be done via the user itself if it was a self-service password reset and your LDAP Policy would have no complaints.
    Assumption: The user has the permissions to establish a JNDI connection with SDS and modify its own account, which I am sure would be there.
    Thanks
    SRS

  • Implementing OAM - SSO for Multiple Applications

    I am trying to implement OAM - SSO for 2 applications. I already have completed the setup of SSO for one application . OID -- OAM -- OHS ( 11g webgate ) - Weblogic Server - OBIEE . ( All the components are 11.1.1.5 version ).
    Now I am looking to add a 2nd application ( OBIEE 11.1.1.6.5 version ) into the mix. So should I install a separate OHS and webgate for the new application or can I use the existing OHS to add another application.
    Any tips on this would be helpful please.
    Thanks

    You may use the same OHS server in reverse proxy to the two applications and configure corresponding policies in OAM console.
    Let us know if you get into any issues.

  • Siebel SSO Integration with Novell eDirectory

    I am wondering if anyone on this forum has worked with integrating a SSO solution using Novell eDirectory and Siebel. I have personally worked on SSO integrations with Siebel using Cleartrust and Siteminder and they are all basically the same concept however, I am facing issues trying to get the Novell SSO solution to work with Siebel.
    I am using the standard LDAP Security adapter and I can make a basic connection into Siebel using LDAP. When implementing SSO I am using a "header" value and a custom userspec name that is different than the "Remote_Use" name mentioned in the Siebel SSO documentation. With SSO turned on I am successfully able to authenticate and almost get all the way into the home page of Siebel before the IE browser crashes. The SWSE log files, interestingly enough, show that my userspecsource is equal to header and that my userspec is correct, and then I see the SISNAPI connection occurring between the Siebel Web Server and the Siebel AOM, but then after the IE browser crashes I see the SWSE log, which then tries to pick up Siebel's default userspec " Remote_User" value, which is not configured or turned on anywhere from within the application. I was just wondering if anyone else had faced similar issues when integrating Siebel into Novell eDirectory for SSO. I have also reviewed the configuration on Novell's side and they are protecting the correct object manager and are also using the same exact userspec name as what we have defined within the eapps.cfg of Siebel. We are using Siebel 8.1.1. Any ideas or help would be greatly appreciated as I have not gotten much support from my open SR on this issue.


  • How to change metadata database after OIM/OAM install?

    Hi everyone
    We need to change the metadata/schema database for our OIM/OAM installation.
    What I plan to do is:
    1. Create the new db
    2. Run the RCU utility for both OID and OAM.
    3. Change the connection pool data source in the OAM Weblogic console.
    Is there anything else I need to do?
    I know there was a connection to the database done when I created the Domain from the OID home (using config.sh). I've tried to run this config script again but can't find any way to amend the domain, nor can I see how to do it in any of the (many) consoles.
    Any help greatly appreciated!
    D

    Hi ,
    At the time of configuration you will get an option to set the database connection parameters there you can point to your required DB schema.
    Regards,
    Ari

  • Are animated ellipses in OAM files compatible with DPS?

    I tried creating a basic animation with an ellipses flying into the stage. but for some reason the ellipses isn't displaying on Adobe Content Viewer.
    I've done the same thing with a rectangle, and the animation works fine.  Are animated ellipses in OAM files compatible with DPS?

    Ellipses animations on the Desktop Adobe Content Viewer are coming out as squares. Preview looks fine on the device.

  • OID, OVD, OIF, OIM, OAM version

    Hey guys, I wanted to know if there are some commands that would give me the versions of OID, OVD, OIF, OIM, OAM
    Weblogic version can be found by connecting to the console at the bottom of the page: e.g:
    "WebLogic Server Version: 10.3.3.0
    Copyright © 1996,2010, Oracle and/or its affiliates. All rights reserved."
    However, for a specific product, I'm not sure if there is a way to know the version. Is there a version.property file or a command that can help me?
    In case of OID, OVD:
    - opmnctl services version
    - odsm version
    In case of OIF:
    - opmnctl services version
    - oif version
    In case of OAM:
    - version of identity server
    - version of access server
    - version of webgate
    In case of OIM:
    - version of OIM
    Thank you for your help.

    For OID:
    Step 1 - Make sure the DB is up and running
    Run: prompt> tnsping <connect string>
    Step 2 - Make sure OID processes are up
    Prompt>$ORACLE_HOME/bin/oidctl connect=<servicename from tnsnames.ora> status
    - Once you run the above command you can see the processes and version
    For OIA: once you complete the installation, open rbacx.log for version info
    thanks
    vishwa
    orcl
