SAML - User Principal mapped on a SAML attribute - How to do ???
Dear security experts,
I have configured on my weblogic platform a Sender vouches SAML profile.
I am trying to map the UserPrincipal (the one I get from the webServiceContext in my web service) to a SAML attribute (different from the SAML subject).
I have written a class that implements the interfaces SAMLIdentityAssertionNameMapper and SAMLIdentityAssertionAttributeMapper.
Here is an overview of the simplified implementation:
    public String mapNameInfo(SAMLNameMapperInfo info, ContextHandler handler) {
        return "user2";
    }

    public void mapAttributeInfo(Collection<SAMLAttributeStatementInfo> attribStmts, ContextHandler contextHandler) {
        // Publish "user1" as a principal derived from the SAML attributes
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(PrincipalFactory.getInstance().createWLSUser("user1"));
        ((SecurityTokenContextHandler) contextHandler).addContextElement(ContextElementDictionary.SAML_ATTRIBUTE_PRINCIPALS, principals);
    }
After weblogic has loaded my SAML assertion, I can see in the log that my subject has two User Principals: user1, user2. When I call getUserPrincipal in my webservice, I always get "user1". I need to get "user2".
Why does mapNameInfo() always have the priority? Is it the good way to implement this mechanism?
Thanks for your help.
Gyan:
How is that possible? If you import the VOImpl inside EOImpl, the import statement is ok. But how would you use that? There is no findViewObject method? The OADBTransaction class that I can use has only findObject method that one can use and I tried that but wasn't successful. Shouldn't you have to import OAApplicationModule and a host of other classes? Is that even possible?
I thought about the entity expert approach but I don't have a need to execute any query. I just need to refer to the view attribute from within the EOImpl. That's what I am looking for. If there is a way to refer to a view attribute from within the EOImpl without having to populate that attribute in a session/transaction variable that would be a better solution for me because there may be more attributes that I need from different VOs later on and everytime I need some VO attribute I don't have to create and populate a session/transaction variable.
Please let me know if it can be done. Can you please elaborate more on your proposal? I really appreciate your time and help. Thanks!
- Muzammil
Similar Messages
-
Looking for ideas:
Trading partner requires us to send 4 attributes in our SAML 2.0 assertion (staticID, firstName, lastName, EmployeeID). We will be providing the same value for staticID and EmployeeID.
When we configure Attribute Mappings within OIF, if we map the same LDAP attribute (employeenumber) for staticID and EmployeeID, only one of the attributes gets included in the SAML assertion. (3 attributes included in assertion rather than 4)
If I map staticID to employeenumber and EmployeeID to <some other attr> all 4 attributes are included in assertion.
Is there a way to make this happen? Does this violate a SAML standard?
I am surprised that it is working. According to the following note:
314948.1: How can I determine what SAML attribute fields are case sensitivity?
the LDAP attributes specified should be in lowercase to work. Did you try specifying both fields in lowercase (employeenumber)?
You should pose this question to Oracle.
-shetty2k -
Hi,
I am having an issue developing an attribute mapper for my SAML 1.1 scenario using Sun Access Manager 7.1 patch 1 (war deployment installer) as the IDP. It is deployed on Sun Java System Web Server 7.0U1 (B06/12/2007 21:15) for Solaris 10 x86.
My class looks something like this:
package matt.saml.sample;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import com.iplanet.sso.*;
import com.sun.identity.saml.assertion.*;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.saml.plugins.PartnerSiteAttributeMapper;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import org.w3c.dom.Document;
public class TestSiteAttributeMapper implements PartnerSiteAttributeMapper {
    public List getAttributes(SSOToken token, String targetURL) throws SAMLException {
        //...code
        return list;
    }
}
So, I put TestSiteAttributeMapper in the classpath and configured the Site Attribute Mapper. Now when I try SSO with SAML, attributes aren't passed through the assertion, plus I get this in the amSAML debug log:
SAML Service Manager: PartnerUrl List:siteattributemapper=matt.saml.sample.TestSiteAttributeMapper
10/07/2008 12:14:41:518 PM EDT: Thread[service-j2ee-3,5,main]
ERROR: SAMLServiceManager:Invalid site attribute mapper
I tried compiling the class with the amserver/WEB-INF/lib/am_services.jar (the one AM is using) in the classpath.
Also, I had to add amserver/WEB-INF/lib/am_services.jar (plus I added a couple other am_*.jar files) to the Web Server classpath, in the JVM settings to get rid of an error I was seeing in the web server logs:
[05/Oct/2008:19:36:31] failure ( 3746): for host 192.168.200.1 trying to GET /amserver/SAMLPOSTProfileServlet, service-j2ee reports: StandardWrapperValve[SAMLPOSTProfileServlet]: PWC1406: Servlet.service() for servlet SAMLPOSTProfileServlet threw exception
java.lang.NoClassDefFoundError: com/sun/identity/saml/plugins/PartnerSiteAttributeMapper
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1461)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:164)
at com.sun.identity.saml.common.SAMLServiceManager.setValues(SAMLServiceManager.java:788)
at com.sun.identity.saml.common.SAMLServiceManager.init(SAMLServiceManager.java:266)
at com.sun.identity.saml.common.SAMLServiceManager.getAttribute(SAMLServiceManager.java:1015)
at com.sun.identity.saml.servlet.SAMLPOSTProfileServlet.getDestSite(SAMLPOSTProfileServlet.java:242)
at com.sun.identity.saml.servlet.SAMLPOSTProfileServlet.doGet(SAMLPOSTProfileServlet.java:118)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:796)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:917)
at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:86)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:217)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:255)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
at com.sun.webserver.connector.nsapi.NSAPIProcessor.service(NSAPIProcessor.java:160)
[05/Oct/2008:19:36:32] warning ( 3746): CORE3283: stderr: Exception in thread "Thread-29" java.lang.NullPointerException
[05/Oct/2008:19:36:32] warning ( 3746): CORE3283: stderr: at com.sun.identity.saml.common.SAMLServiceManager.getAttribute(SAMLServiceManager.java:1017)
[05/Oct/2008:19:36:32] warning ( 3746): CORE3283: stderr: at com.sun.identity.saml.servlet.POSTCleanUpThread.run(POSTCleanUpThread.java:101)
I didn't really think that I should have had to add the jar to the classpath, considering it is in the WEB-INF/lib folder.
In summary, my questions are:
1. What am I doing wrong in implementing this attribute mapper that causes it to be invalid?
2. Why did I have to add that jar to the classpath to remove that NoClassDefFoundError? Isn't it already in the classpath?
Thanks in advance,
Matt
OK, I fixed my issue. Removing all additional jars from the classpath and putting my class under amserver/WEB-INF/classes got it working.
I guess it's a classpath context issue -
Define a SAML Attribute whose value is not in any data store
I am attempting to define a SAML Attribute in Sun OpenSSO Ent 8.x, whose value is not in any data store. I need to assign static text. The SP requires a unique value for all assertions under the same company. This is their method to help ensure an employee and assertion are for the correct data. For example,
<saml:Attribute Name="AccountID">
<saml:AttributeValue>ref-193749900</saml:AttributeValue>
</saml:Attribute>
I have not found a way with the OpenSSO admin portal. Any assistance would be appreciated.
Thanks.
Any response to this? I have the same need.
-
Capturing SAML attribute in OSB proxy
Hi,
We have a requirement of extracting one of the SAML attributes sent to our proxy service and send it to the business service as one of the SOAP body elements.
I have done the following things:
- Created the business service based on particular WSDL
- Created the proxy service based on same WSDL and applied the policy oracle/wss10_saml_token_service_policy as per our requirements
- In the Security tab of proxy service, I have checked the option 'Process WS-Security Header' as I want to restrict the access to my proxy service based on the SAML subject that we receive
Following is the SAML header that I am using to test the OSB proxy from Soapui 2.0.2. I have to capture the saml:NameIdentifier from the below SAML assertion I receive. When I use the $header variable I am unable to get this. But when I uncheck 'Process WS-Security Header' I am able to get the value but authentication is not working. So I think 'Process WS-Security Header' should always be checked.
Please let me know asap how I can extract saml:NameIdentifier from the request received in the proxy service. Is there any way to intercept the request to the proxy just like SOAP handlers?
<saml:Assertion AssertionID="Id-00000127f49c1cf3-0000000000900e24-2" IssueInstant="2010-04-19T00:40:24Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Conditions NotBefore="2010-06-16T00:40:24Z" NotOnOrAfter="2010-06-21T00:40:24Z"/>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
</saml:Assertion>
Thanks
Siva
Hi Siva,
> We have a requirement of extracting one of the SAML attributes sent to our proxy service and send it to the business service as one of the SOAP body elements
I think your requirement is not to do the authentication, then why are you checking the option 'Process WS-Security Header'?
If the 'Process WS-Security Header' check-box is selected then it will process and consume the security headers and enforce the message level access control policies on the incoming message (this is called an Active Intermediary Proxy Service). If you don't select it, the proxy will be pass-through and OSB will not make any modification to the security headers, encrypted body parts, etc. (this is called a Pass-Through Proxy Service).
I think in your case you require a pass-through proxy service.
To know more about pass-through/active intermediary proxies and their configuration in OSB, please refer section "Configuring Proxy Service Message-Level Security" on below link -
http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/message_level.html#wp1077884
Regards,
Anuj -
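An added example, not part of either post or of OSB: a namespace-aware extraction of saml:NameIdentifier from the assertion posted above, together with the Conditions window and confirmation method a consumer would check before using the name. The function name read_assertion, the returned keys and the DOCTYPE guard are this example's own choices; it verifies no signature, so with a pass-through proxy the values are unvalidated input.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# The assertion posted above, with the unused namespace declarations dropped.
ASSERTION = """\
<saml:Assertion AssertionID="Id-00000127f49c1cf3-0000000000900e24-2"
    IssueInstant="2010-04-19T00:40:24Z" Issuer="www.oracle.com"
    MajorVersion="1" MinorVersion="1"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2010-06-16T00:40:24Z" NotOnOrAfter="2010-06-21T00:40:24Z"/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _utc(value):
    """Parse the xsd:dateTime form used in the sample (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def read_assertion(xml_text, now):
    """Return subject and validity facts of a SAML 1.x assertion (no signature check)."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in a SAML assertion")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 1.x assertion")

    # Each statement carries its own Subject; refuse to guess if they disagree.
    ids = root.findall(".//saml:Subject/saml:NameIdentifier", NS)
    names = {(n.text or "").strip() for n in ids}
    if len(names) != 1 or "" in names:
        raise ValueError("expected exactly one non-empty subject, got %r" % sorted(names))

    methods = [(m.text or "").strip() for m in
               root.findall(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]

    # Conditions is optional; a missing bound leaves that side of the window open.
    cond = root.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    in_window = ((not_before is None or now >= _utc(not_before)) and
                 (not_after is None or now < _utc(not_after)))

    return {
        "issuer": root.get("Issuer"),
        "name_id": names.pop(),
        "name_id_format": ids[0].get("Format"),
        "confirmation_methods": methods,
        "in_validity_window": in_window,
    }


if __name__ == "__main__":
    # 2010-06-17 falls inside the window stated in the sample's Conditions.
    print(read_assertion(ASSERTION, datetime(2010, 6, 17, tzinfo=timezone.utc)))
```

Run against the posted sample at its own IssueInstant, the window check fails, because NotBefore in that sample is later than IssueInstant.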
Read SAML attributes in Proxy service
Hi,
I need to read SAML attributes in a proxy service in OSB. But the SAML is not available.
The client calls a service with encrypted SAML in the header, but when I read the header in the proxy service, the SAML is no more available.
Client call with:
Authorization: Basic [value removed]
Is the security filtered ?
Thanks
Yves
Hi Sura,
The number of thread-count configured in your proxy-scheme is the number of concurrent client request that you proxy servers can handle. Ideally your (thread-count * proxy servers) = (clients * max requests). Also, you need to check that the byte/message backlog on the proxy servers is close to zero.
Hope this helps!
Cheers,
NJ -
How to map single context value attribute to multiple value attributes?
Hello,
is there any way to map a single value attribute
from view's context into several value attributes
in controller's context?
The business context of what I want to achieve
is the following: I have a view which can be called
in two modes: read only (RO) and read-write (RW).
The input parameters to the view are the same for
both modes, however when in RO mode, the view calls
a different set of web services than when called
in RW mode. Before calling each of the web services
I need to populate their context value attributes
with appropriate input values.
I know I can do it in Java code, but is it possible
to do it without any programming (doing it in the
source code is prone to errors)?
Any help highly appreciated.
Greetings,
Tomek.
Hi Kishore,
thank you very much for your kind help.
I have already created a value attribute of type
boolean and mapped it into the read-only property
of the UI elements. This however does not solve all
of the problems... I will describe it with an
example:
Let's say the form I want to implement will be
used to: create (read-write mode), update (read-
write mode) or show (read-only mode) customer's
data. The customer's data is complex (lots of
data, including tree structures).
The problem is that:
- when the form is called in read-only mode,
it should populate its fields with values
provided by the getCustomerData web service,
- when the form is called to create a new
customer (in read-write) mode, it should
not use the getCustomerData web service.
Instead it should map the input values
entered by the user into input parameters
of the createNewCustomer web service,
- when the form is called to update customer's
data, it should first display values returned
by the getCustomerData web service, and then
it should map the modified values entered by
the user into input parameters of the
updateCustomer web service,
In all the above cases I must map my view's
context data to different controller's context
elements. Doing it directly in the source code
is not a nice solution. Is there any other
way to achieve this?
Calling a form in different modes is not an
unusual thing, so I was hoping that maybe
there are any built-in mechanisms that would
solve the above problem...
Greetings,
Tomek. -
Principal mapping across domains -help!
Hi, I am trying to find a way to authenticate users on a WL6 domain
and then have these users' principal object mapped across to a
different domain so that I do not have to re-authenticate them (i.e.
they are trustworthy). Does anyone know how this is done?
Thanks, Stephen.
Have you tried making the system password the same under both domains?
See
http://edocs.bea.com/wls/docs70/secmanage/domain.html#1171534
Regards,
Jon
"Stephen" <[email protected]> wrote in message
news:[email protected]..
Hi, I am trying to find a way to authenticate users on a WL6 domain
and then have these users' principal object mapped across to a
different domain so that I do not have to re-authenticate them (i.e.
they are trustworthy). Does anyone know how this is done?
Thanks, Stephen. -
AD User Recon of Terminal Services Profile Attributes
I am trying to get some of the Terminal Services Profile attributes to Reconcile to OIM during the AD User Reconciliation scheduled task. Other attributes sync fine, but the Remote Manager is never called to run the Recon vbs script. Looking at the Java for the AD User Recon scheduled task, I can find the method that should be called; getBLOBAttributeValues(). Funny thing is I can't find even one call to that method in any of the java code in the xliADRecon.jar file.
OIM 9.1.0.2 BP07
AD Connector 9.1.1.4
Lookup.AD.BLOBAttribute.Values is configured with the attributes to sync
Lookup.ADReconciliation.FieldMap is configured with the attributes
The Resource Object has the fields defined for Reconciliation
The Process Definition has the fields mapped to the Process form attributes
Everything seems to be in place except there is no call to the getBLOBAttributeValues() method to call the reconciliation script via the remote manager.
What am I missing?
And BTW ... Provisioning of the attributes works fine, using the RManager.
Thanks,
Bill
Hi,
Please go through the article below; it might be helpful in your case.
How to read msTSProfilePath, msTSHomeDrive and msTSHomeDirectory properties from AD (VB.NET)
http://blogs.msdn.com/b/alejacma/archive/2010/10/13/how-to-read-mstsprofilepath-mstshomedrive-and-mstshomedirectory-properties-from-ad-vb-net.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
-
How to create a user using XML and specifying addional attributes that are objects
I'm trying to create a user using XML and specifying some attributes that are objects and not sure how to do it. How would I set the DirectoryUserAcl to Public?
Here's the xml file:
<?xml version = '1.0' standalone = 'yes'?>
<SimpleUser>
<UserName>mike2</UserName>
<Password>abc123</Password>
<AdminEnabled>false</AdminEnabled>
<HomeFolderRoot>/home</HomeFolderRoot>
<HasContentQuota>false</HasContentQuota>
<DirectoryUserAcl> ??? </DirectoryUserAcl>
<DefaultAclBundleAcl> ??? </DefaultAclBundleAcl>
<HomeFolderPolicyBundleAcl> ??? </HomeFolderPolicyBundleAcl>
</SimpleUser>
I figured out the answer:
<?xml version = '1.0' standalone = 'yes'?>
<SimpleUser>
<UserName>mike2</UserName>
<Password>abc123</Password>
<AdminEnabled>false</AdminEnabled>
<HomeFolderRoot>/home</HomeFolderRoot>
<HasContentQuota>false</HasContentQuota>
<DirectoryUserAcl classname="SystemAccessControlList" refType="name">Public</DirectoryUserAcl>
</SimpleUser>
-
Dear SDNs,
I write a user defined mapping program under a namespace, and I want to use it in other namespaces by drag and drop instead of importing, is that possible?
Hi,
>>>Prakash, I'm a little confused, I think mapping program like java and XSLT can only imported in user defined function in Mapping, isn't it?
No, you will be importing it under Imported Archive. You will find User Defined Function inside the Graphical Mapping.
Refer this link for UDF
http://help.sap.com/saphelp_nw04/helpdata/en/22/e127f28b572243b4324879c6bf05a0/content.htm
>>>What do you mean by the "F4"? Can you explain it to me ?
F4 is Value request. In the Interface mapping when you are assigning the mapping program you will click on the "?" button which is nothing but F4. You can also press F4 which is equal to pressing "?"
Thanks,
Prakash -
Cannot add users to mapped third party group
When I try to add a user to a group I get the following message
"cannot add users to mapped third party group"
If a group was mapped in via AD/LDAP/SAP then the users must be added in the 3rd party (AD/LDAP/SAP); you cannot create members in the CMC. This is by product design. If you want to add members to groups in the CMC they must be enterprise groups only (groups created in the CMC, not mapped in from 3rd parties).
Regards,
Tim -
Table that stores the business role and user id mapping
Hi,
I want to know the table that stores the Business role and the business role and user id mapping in CRM system.
Thanks in Advance.
Regards,
Pricy
Hi Mary,
There is no direct table but there is a way to find it.
HRP1263 is the table where business roles are stored when maintained at org level. These are stored against the Position.
For getting user ID and position linkage refer table HRP1001.
In HRP1001 table use below criteria to get the User and Position.
OTYPE = CP
SCLAS = US
SOBID = User ID
ENDDA = 31.12.9999
Get the OBJID
Query the HRP1001 table again with following
OTYPE = CP
OBJID = OBJID from above Query
ENDDA = 31.12.9999
SCLAS = S
SOBID = That's the Position.
Pass the position to HRP1263 as below.
OTYPE = S
OBJID = POSITION
PROFILE - That's the business role assigned for the given position and user.
Hope this is helpful.
Regards,
Naresh -
GRC AC 10.0 Maintain Master User ID Mapping
Hi,
I try to configure "Maintain Master User ID Mapping" in the transaction
SPRO->GRC->Access Control
Example:
SYSTEM: A
USER ID: B
MASTER USER ID: C
If i try to launch the PSS for the C user, also change the password of the B user?
This, not working.
Regards
Hello Prashant,
I want to talk to you regarding GRC upgrade / Migration.
Could you please provide me your contact details or email me on my mail id i.e. [email protected]
I hope you remember me, we had worked together in Mumbai (CG) around 4-5 years back.
Regards,
Atul Rajwade -
How to create mass users and map them to existing hrms users
Hi,
I'm running oracle ebusiness suite 12i. I want to create mass users, and map them to existing hrms users.
The users I want to create exist in an excel spreadsheet with the columns employee id, user name. They will all be granted the same responsibility. I want to map them to existing hrms users using the employee id key.
I have read about the package FND_USER_PKG.CREATEUSER and I can loop over it by using sql loader to create a temporary table, but I'm lost on how to automatically map them to hrms users as part of the script.
Any help.
dula
Thanks a lot Omka,
I managed to create the users by running the script:
declare
    -- C1 is declared but never opened in the block below
    Cursor C1 is
        select d.product_code, b.responsibility_key
        from FND_USER_RESP_GROUPS_ALL a, fnd_responsibility b, fnd_user c, fnd_application d
        where a.user_id = c.user_id
        and a.responsibility_id = b.responsibility_id
        and b.application_id = d.application_id
        and c.user_name = 'JOCHIENG';
    Cursor employee is
        SELECT EMPLOYEE_ID, EMPLOYEE_NAME from eldoret_final;
BEGIN
    for e in employee loop
        -- Create the login and link it to the HRMS person via x_employee_id
        fnd_user_pkg.createuser(
            x_user_name => e.EMPLOYEE_NAME
            ,x_owner => ''
            ,x_unencrypted_password => 'welcome123'
            ,x_start_date => SYSDATE - 10
            ,x_end_date => NULL
            ,x_description => 'CBK Employee'
            ,x_employee_id => e.EMPLOYEE_ID
        );
        fnd_user_pkg.addresp(upper(e.EMPLOYEE_NAME), 'PER', 'CBK_EMPLOYEE_DIRECT_ACCESS', 'STANDARD', 'DESCRIPTION', sysdate, null);
    end loop;
    commit;
end;
I had first created the user JOCHIENG and assigned it the responsibility for Self service. So the script just assigns the responsibilities by copying from the one assigned to this user.
Everything seems ok. However, when trying to log in as the new user, the login error: Login failed. Please verify your login information or contact the system administrator.
is returned. But I can reset the password using the forms under Security > Define. Even with the correct password, the login doesn't go through.
Any idea?
dula