Response in OAM

Hi in our requirement we want to send error response like authentication failed, pwd expired,authentication successful so that portal can
get this response and display appropriate custom message to user.How can i send this response through OAM to portal.

What I would suggest is have the custom messages url specified as follows
For Authentication Failed -
In the Authentication Rule -> Actions -> Authentication Failure ->Redirection URL -Set the url for authentication failure custom message
For Authentication successful -
If your portal is protected then if the page is displayed that itself means your authentication is successful
But if you want a landing page for your application you can specify Authentication Success Redirection URL
For password expiry warning -
Set the password expiry url in "Password Expiry Warning Redirect URL" of you password policy in identity console
Hope this helps,
Sagar

Similar Messages

Failure Responses in OAM 11g

Hi
We are in process of migrating OAM 10g to OAM 11g.
We had configured OAM 10g to send headers and cookies on authN and authZ failures. but the same thing i cannot see in OAM 11g. We only have the option to configure failure URLs but not the headers or cookies.
Is there ant workaround for the same because customer wanted to send failure headers/cookies also.
Thanks and Regards

The server allows the user to retry authentication a number of times. Once they have exceeded retries, they are redirected to the failure URL.
The number of attempts can be modified in the oam-config.xml file in the MaxRetryLimit setting as in the example below:
             <Setting Name="OAMServerProfile" Type="htf:map">
             <Setting Name="OAMSERVER" Type="htf:map">
             <Setting Name="serverhost"
Type="xsd:string">oam-host</Setting>
             <Setting Name="serverport" Type="xsd:string">8002</Setting>
             <Setting Name="serverprotocol"
Type="xsd:string">http</Setting>
             <Setting Name="MaxRetryLimit" Type="xsd:integer">5</Setting>
             </Setting>
Please not that, Please have back up and do changes. We prefer have test in Dev if it works then relative Env.
Thanks

OAM manage roles and Authorization in WebLogic integration

Hi
Had anyone done weblogic integration where OAM manages roles and Authorization?
I could read in Oracle WebLogic integration document that,
"The Security Provider only supports authentication for portals."
I wanted to figure out if anyone has done this before or Is it possible to delegate role management and Authorization responsibility to OAM?
Thanks
Kiran Thakkar

Thanks for the quick response.
Thanks
Kiran Thakkar

Is it possible to keep an edge animation (OAM file) responsive in Muse CC ?

Hello Everyone,
I'm trying to have these 4 images below responsive on Muse CC. (don't pay attention to the menu bar)
They are meant to be link images with a caption which appears on hover.
I know I'm not meant to be able to do responsive in muse but Edge animate is meant to work with Muse CC and Edge animate creates responsive animations if set for it.
I thought if I create responsive animations on Edge it would work in Muse CC but it doesn't seem to be responsive in Muse.
Is it because I missed something or there are no ways to make oam files responsive in Muse ?
The responsiveness works when I test it from edge to a web browser.
I'd be so grateful to get suggestions how to do this effect even without Muse knowing that I don't code much.
In advance thank you and I'm looking forward to see what I get from this request for help as it is the very first time that I participate to a forum.
Leon
I'm desperately trying to find a way

Shadowfax is right. You can record it. I use Camtasia Studio Suite but there is also a cheaper software called FrontCam1.3. You can constrain your screenshots to the area of the Edge screen and record it.

Challenge & Response error messages in OAM

Hi,
I want to change the challenge response error messages in OAM.
I am not able to locate the file which is responsible for the error messages (e.g old response is not correct) ..
Can anyone update on this..
Thanks inadvance..
Regards,
Srikanth

Hi,
I am able to locate the file..
The error messages are available in userservcentermsg.xml under /identity/oblix/lang/en-us/ ..
Regards,
Srikanth

How to send OAM 11g session/cookie in authorization response?

Hi All,
Is it possible to send OAM 11g session token/cookie in Authorization policy Response as actions? If so, what cookie (name) has to be used for that?
Thanks
Mahendra.

Once you have a UserSession you can use isAuthorized(ResourceRequest). The UserSession should handle the rest for you...
ObSSOCookie is OAM 10g style and supplied by a different API.
HTH,
--olaf

Responsive edge animate oam in fluid grid

Hi, maybe my question is totally rookie one, but I cannot get the responsive Edge Animate package to do resize smoothly in the fuid grid of Dreamweaver.
Either it is not wide enough or the height does not scale, which results in the footer to be far down.
It probably has to do with the fixed size of the object tag when I insert the oam.
<object id="EdgeID" type="text/html" width="960" height="510" ....
Changing sizes to 100% works fine for width only, the height behaves strange, showing only a small part of the animation in every view.
Is this an issue of oam packages or just my poor knowledge of CSS ?
Attached you find the screenshots:
Thanks a lot for your help!
B.

I came across this problem when recording Adobe Dreamweaver CC: Learn by Video for Adobe Press. The way I handled it was by adding the following block of JavaScript just before the closing </body> tag on the page that contains the Edge Animate object:
<script>
function fixHeight() {
var anim = document.getElementById('EdgeID'),
w = anim.offsetWidth;
anim.style.height = (w * .562) + 'px';
fixHeight();
window.addEventListener('resize', fixHeight, false);
</script>
This gets the width of the animation (the default ID is EdgeID). It then adjusts the height by multiplying the width by 0.562. You will need to fix the scaling ratio in the following line to suit the proportions of your animation:
anim.style.height = (w * .562) + 'px';
I can't remember all the details because it's more than a year ago that I did this. As I recall, Edge Animate generates the correct height for the animation, but it doesn't adjust the height of the <object> element used to display it.

Pourquoi une animation responsive (en% par rapport à la fenêtre) fonctionne dans le preview de Edge et ne marche plus une fois importée en .oam dans MUSE ?

Pourquoi une animation responsive (en% par rapport à la fenêtre) fonctionne et s'adapte à la bonne taille dans le preview de Edge et ne marche plus une fois importée en .oam dans MUSE (taille fixe) ?
Merci à la communauté

Illustrator CC uses the Pantone Plus series, there is no CMYK definition for the spot colours in these series.
The CMYK conversion is now based on the CMYK profile in your Color Settings.
This is a good thing, since most of the Pantone colours cannot be accurately reproduced in CMYK, colour management provides a way to simulate the spot colours as close as possible for your combination of ink, paper and press.
The CMYK values that were previously given by Pantone were just one way of simulating the spot colours and would give different results when another ink, paper, press combination was used.
Sometimes the CMYK values from Pantone were completely off and you give a perfect example with the Pantone 1797 U colour.
Printing that ink on uncoated stock would never give you such a bright saturated red as the Pantone provided CMYK values would suggest
If you want to have a better preview of the colour, use the Overprint Preview option, that comes closer to the final printed result. The Overprint preview in CC and CS versions give s you an almost identical preview (almost because the Lab values differ slightly).
There are ways to use the old libraries, but why should you if Pantone itself stopped giving CMYK numbers?

Setting a OAM custom authentication response

I'm working on OAM 11.1.1.5.0 BP03 and trying to use a custom authentication plugin to add a response to the HTTP header. I need to add information to the HTTP header that cannot be provided by a response on the Protected Resource Policy.
I can see using log entries that my plugin is working but I have a sample JSP landing page that OAM redirects to that just dumps out request.getHeaderNames and I don't see the value set by the plugin.
I was assuming that the PluginResponse class would suit my needs but I've tried every type of PluginAttributeContextType and cannot get it to work.
Is this possible? What code should I have written?
Here's a sample of what I tried:
          PluginResponse response = new PluginResponse();
          response.setName("OAM_TEST_KEY");
          response.setType(PluginAttributeContextType.CLIENT);
          response.setValue("TESTVALUE");
          context.addResponse(response);

Hi Ewan,
Instead of writing a custom plugin and maintaining it in case future upgrades is going to be cumbersome. I would suggest introduce OVD in your environment. Create a Join Adapter. This Adapter would join your LDAP server and AD Server users using employee ID. That way you can use a supported configuration and avoid writing a plugin. Now the user visible to OAM via OVD would have the LDAP attribute of AD username and hence you can set it as a header variable. Or you can setup Sync between your LDAP and AD. Most of the industry standard LDAP servers such as OID, ODSEE etc allow you to sync user information. That way you can fetch AD username attribute to your LDAP server. It doesn't need to have same attribute in your LDAP server. It can be stored in any attribute of LDAP server with a valid value. All you need to do is set header variable using attribute which contains the AD username attribute value.
Regards,
Yagnesh

Authenticating test applcation in OAM is not working

Hello OAM experts, can you please help to figure out why my test application is not getting authenticated by OAM.
I have installed IDM for fusion application and SSO login is working for all admin consoles such as WLS, EM, OAM, OIM. I have deployed test application to OAM server itself to test the authentication of protected resources.
Host identifier is already there which was create while configuring my IDM for fusion applications. I created new application domain , created resource for /text/*, created authentication policy and used LDAPScheme for authentication, created authorization policy and defined constraints by adding a group OAMAdministrators ( just for testing purpose). I also added response in the authentication policy.
Then I have configured admin.conf of OHS server to redirect http://webhost1:7777/test to oam server host and port. It is getting redicted but not to the SSO login page. The URL still shows http://webhost1:7777/test and executes the test page and displays test application. It should have been redirected to SSO login page though OAM.
At this stage I have no clue what did I miss. As I said, when I login to wls console, it gets redicted to SSO login through OAM login page and then while accessing OIM, it directly takes me to OIM application since the user has privileges and also OAM page without logging in again.
But why my test application is not redirected to OAM authentication page ?
Any help is grately appreciated.
thanks
Edited by: Jyothi on May 3, 2012 3:25 AM

Hi, I am having the same issue. I am new to all this OAM stuff. I am using OAM 11g with a 11g Webgate configured. When I try to access the OAM Console the SSO setup does work and kicks-in and redirects me to the OAM server's integrated login page. But my test application that lives on an app server installed on a separate machine is never challenged for their credentials. As the documentation says I have CLIENT-CERT defined as the auth-method in my login-config inside my applications web.xml file.
I think I am not using the right providers. What I want is Identity Assertion and also OAM authentication (if Identity Assertion fails Authentication should kick-in and redirect to challenge login page). So I have an OAMIdentityAsserter and an OAMAUthenticator set-up in addition to the Default Weblogic Identity Asserter and Default Weblogic Authenticator.
I have tried everything but, the login redirect never happens. If I use the DefaultAuthenticator along with OAMAuthenticator (no OAMIdentityAsserter) and define BASIC in my login-config in web.xml then the Default Weblogic Authenticator pops up a dialog box which does let me enter credentials and when I do it does make the trip to the OAM server and works flawlessly. But I don't want basic authentication and I don't want a dialogue box to pop-up. I want the OAM server to redirect me to it's built-in login page just like it does for the OAMConsole itself which is being protected by the out of the box 10g IAMSuiteAgent Webgate. Which, as you know, comes pre-installed.
Please let me know your configuration and the providers you have set up and how you were able to make the OAM server challenge you for credentials when trying to access a protected resource/application.
Thank You.

Unable to authenticate users using Custom plugins in OAM 11g

We are working on a requirement in which we have to write a custom authentication plugin in OAM 11g.
we were able to import and activate the plugin
we created a new authentication module with steps in the following order
1)UserIdentificationPlugin
2)UserAuthenticationPlugin
3)Our custom plugin to create custom responses(We just created the class with mandatory methods and process method returning success)
but finally when we try to authenticate,authentication fails resulting in OAM-2 error.We had entered valid credentials
Can somebody please help me on resolving this issue.
The plugin code,manifest file and Metadata XML is shared below.
Plugin Code
public class NewPlugin extends AbstractAuthenticationPlugIn {
private static final String CLASS_NAME = "FirstTestClass";
public ExecutionStatus initialize (PluginConfig config){
super.initialize(config);
if(LOGGER.isLoggable(Level.FINE)){
LOGGER.logp(Level.FINE,CLASS_NAME,"initialize","Entering initialize");
return ExecutionStatus.SUCCESS;
@Override
public String getDescription() {
// TODO Auto-generated method stub
return null;
@Override
public Map<String, MonitoringData> getMonitoringData() {
// TODO Auto-generated method stub
return null;
@Override
public String getPluginName() {
// TODO Auto-generated method stub
return null;
@Override
public int getRevision() {
// TODO Auto-generated method stub
return 0;
@Override
public ExecutionStatus process(AuthenticationContext context)
throws AuthenticationException {
if(LOGGER.isLoggable(Level.FINE)){
LOGGER.logp(Level.FINE,CLASS_NAME,"initialize","Entering process");
return ExecutionStatus.SUCCESS;
@Override
public void setMonitoringStatus(boolean arg0) {
// TODO Auto-generated method stub
@Override
public boolean getMonitoringStatus() {
// TODO Auto-generated method stub
return false;
MANIFEST.MF
Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: NewPlugin Plug-in
Bundle-SymbolicName: NewPlugin
Bundle-Version: 1.0.0
ImportPackage:org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api,oracle.security.am.common.utilities.principal,oracle.security.idm,javax.naming,javax.sql,javax.security.auth
Bundle-RequiredExecutionEnvironment: JavaSE-1.6
METADATA XML
<?xml version="1.0" encoding="UTF-8" ?>
<Plugin name="NewPlugin" type="Authentication">
<author>me</author>
<email>[email protected]</email>
<creationDate>11:40:20,2012-13-02</creationDate>
<version>1</version>
<description>Custom User Authentication Plugin</description>
<interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
<implementation>newplugin.NewPlugin</implementation>
<configuration>
<AttributeValuePair>
<Attribute type="String" length="20">DataSource</Attribute>
<mandatory>true</mandatory>
<instanceOverride>false</instanceOverride>
<globalUIOverride>true</globalUIOverride>
<value>jdbc/CISCO</value>
</AttributeValuePair>
</configuration>
</Plugin>

Your search results show that the user "collini" was not found (nentries=0). This could be caused by a number of reasons.
1) The user doesn't exist under "ou=people,dc=our,dc=domain"
2) The user doesn't contain the posixAccount objectclass
3) The user account that performed the search doesn't have access rights to read/search that user account
What user account was used to BIND on the connection that the search was done on?
Try performing the same exact search with an account you know can retrieve the entry. For example:
ldapsearch -D "cn=Directory Manager" -w - -b ou=people,dc=our,dc=domain -s one "(&(objectClass=posixAccount)(uid=collini))"
If the entry doesn't return as a result of the search then either #1 or #2 above is the problem. If the entry does return then #3 is your problem.

How to protect an application running on Apache Tomcat app server with OAM 11gR2

Gurus,
We have an Apache Tomcat based application named "ABCD" here at client site that we want OAM 11gR2 PS1 to integrate with for SSO purposes. I have successfully configured OHS to reverse proxy requests to Apache Tomcat server whenever somebody tries to access the application URL but still, I am getting the application login page once I have successfully authenticated on OAM SSO login page. The Tomcat based application is authenticating users against a "UserDatabase realm".
I know in terms of weblogic application, there is an OAM identity asserter provider which then populates the User Principal for the java environment with the authenticated OAM user. But there is no such OAM identity provider for Tomcat.
So my question is, is there an provider (or Tomcat equivalent) which will entrust authentication to a header, that could be used to populate the Java User Principal from the OAM_REMOTE_USER header? Is the weblogic equivalent of authentication providers present in tomcat as well? Are those called valves?
Please advise to the earliest.
Thanks !!

Aakash,
I did follow the 4 steps that you mentioned to me. Out of the 4 that you had mentioned, I already had the webgate in place on OHS server and I was already passing the remote_user http header in oam policy as action.
As part of Step #2: Install mod_jk plugin on OHS server that you mentioned
1.) I downloaded the tomcat connector - tomcat-connectors-1.2.37-src
2.) I had to run ./configure,make, make install on my OHS server which runs on RHEL 6. It created the mod_jk.so file. I pasted it in the needed folder.
3.) I then created the httpd.conf file and workers.properties file as said in the connector docs.
4.) Restarted OHS.
As part of Step #3: Configure tomcat's ajp connector that you mentioned and I went through all the links pasted below but didn't find actually what needs to be in place to configure tomcat's ajp connector. I do see in the server.xml of tomcat app server that the ajp 1.3 protocol is supported:
http://tomcat.apache.org/tomcat-4.0-doc/config/ajp.html
http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html#s8
http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
http://www.mulesoft.com/understanding-tomcat-connectors

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Do we need to disable the HTTP protocol in Tomcat and keep only AJP connector enabled? If yes, how to do that?
I am trying to connect to the application from OHS server like so I am using the http protocal right? How should I use the ajp protocol to connect to tomcat application?
http://ohs-host:ohs-port/abcd
Thanks !!!!!

How to Protect two Apps running on two different Hosts using same OAM serve

Hi All,
I am new to OAM. I am trying to configure SSO for an Application using OAM 11g server which is already protecting another Application(Oracle EBS) on a different host.
Oracle EBS application uses the Oracle EBS Access Gate to collect the credentials.
Now what should I do to protect the second application say APP2. Should I require to install a new OHS instance and new Webgate for this purpose ? or can i use the one already used by EBS application ?
Please reply me soon
Thanks,
Prabhu

You may use the same OHS instance by creating additional reverse proxy filter for your application 2.
Or create another instance of OHS and configure webgate, OAM policies for your application 2.
All the applications configured with OAM will be configured for single sign on and no special configuration needs to be done.
Here are my comments to your questions:
1) Can you tell me why we should have different OHS and Webgate to protect the 2nd application ?
- As per best practices, you should have different OHS instances (+webgate) for different applications. But you may also configure the same OHS for multiple applications.
2) If we have different OHS and Webgate, then the same OAM session will be shared between the applications ? Basically the user will navigate from the first application to the second application by clicking a link on the first application's page. Will the OAM_REMOTE_USER header be passed on to the second application in this case?
- Yes, if you have different OHS and Webgate, then the same OAM session will be shared between the applications.
To pass the header variables to any application, add the variables in the application's OAM authorization policy responses.
3) By default OAM 11.1.1.3 sets the userid to the OAM_REMOTE_USER? or we should manually set a response header ?
- To be on a safer side, set this header on the authz policy's response tab and put the vallue as $user.userid

Need help to build Portal Insert URL in OAM..

Hi All,
I have a requirement to customize the user Manager screen in such a way that i need to get only the search criteria tab(but not any of the tabs or links) and the search results.
To achieve this i have builded below Portal URL.
http://training.orademo.com/identity/oblix/apps/userservcenter/bin/userservcenter.cgi?program=search&comp=true
By using this above URL i am able to hide all the tabs in the browser but i need to have that search criteria to be displayed in the screen.
Can any one please suggest me the solution to achieve this.
Its bit urgent requirement.
Thanks in advance.
Siva Pokuri.

Hi Colin,
Thanks for your quick response.
URL that i posted will search the users in OAM. But my requirement is like i have to select the attribute and search type and search value from that page(in that Page i should not have UserManager, GroupManager, Org Manager, Identity SYstem Console tab and My Profile , reports ...etc links should not be appear) i sould be able to select the attribute that i would like to search only. so the search functionality should be there.
Based on this req i have to build the URL.
Please help me.
Thanks & Regards,
Siva Pokuri.

Upgraded version of edge won't allow Muse to read my .oam file

A consultant created the site for us. I am taking it live, but when I opened the Safty.an file to change a hyperlink he got wrong and edit the text, I was forced to save the .oam file into a newer upgraded version. After this, even if I don't make any edits to the hyperlink or text, and just save to the new upgraded version, the .oam file won't load in Muse. If I use the previous .oam file, it will. Please help, it seems like it it something clear or obvious, but nothing seems to be working. Also, the new safety.oam file is nearly one third the size that it was previously. http://preview.quantapowerinc.com/safety.html

Se my response on this post:
] Screen Message"File iTines Library.itl cannot be read because it was created by a newer version of iTunes" What is this and how can it be fixed?
They do not appearon the right-had side of your post.

Response in OAM

Similar Messages

Maybe you are looking for