SecurityContext userName with OAM SSO

Hi,
We need to get the logged in userName property from the securityContext(). We are using OAM for SSO.
The code #{securityContext.userName} works fine when we used Basic login process with OAM and we get the logged user info, but we need to use Form based login and when we change to Form based we keep getting "anonymous" and can't get any property from the securityContext.
Didn't find any solution for this.
Has anyone dealt with a similar issue?
Thanks

Thanks for all the replies.
I am working with another colleague who is configuring OAM and so have been testing different configurations.
We are using WebCenter 11.1.1.5 and OAM 10g (10.1.4.3) and OAM is used as the SSO for OBIEE and other oracle apps. My application is a custom Portal app and we are not yet using Spaces.
Access to all application URLs, including WebCenter, is protected by OAM configuration and Webgate. Users for now will use an ID/pwd to login. But later they can also use a certificate.
No security configuration was done at the WebCenter app side and the Login Authentication in web.xml was not set.
In the WebCenter admin console we configured the OAM as a provider and added
- "OAM ID Asserter" configured OAM_REMOTE_USER as the SSO Header Name and as the Active type assertor (didn't add obSSOCookie) and "OIDAuthenticator".
We have no issues logging in if we use OAM Basic authentication. We always get the logged user fine in the securityContext.
When we changed OAM to use Form based authentication the login worked but we get anonymous in securityContext.
I am trying to get the securityContext from a custom JSPX page and from a Managed Bean (both work with Basic but not Form based)
I will test with the:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
The question I have is do I need to configure WebCenter in other ways than to what I mentioned above? (currently don't see the need since OAM does the work of the authenticating and Asserting and worked with Basic authn.)
1. I see in Jdev in the web.xml security has: Login Authentication (which will test with CLIENT-CERT), security roles and security Constraints. DON'T see the need to configure the last two since we will have the user roles in OID and securityContext has a method to get the user Roles.
2. Do I need to enable for the WebCenter application ADF security and add "ADF Authentication and Authorization" ?
Will provide more updates when we validate and test the configurations.
Thanks

Similar Messages

  • SSO Enabling a custom application with OAM

    Hi All!
    I am a bit stuck on a problem and need some urgent help. Actually we are trying to launch some custom-built (J2EE/.NET) web applications from the Oracle Portal with SSO i.e. once the user logs into the portal he would not have to log-in again to the applications which would be launched from the portal home page.
    We have successfully integrated the Oracle Portal with the OAM SSO, but facing some problems with SSO enabling the custom applications. Any help on what should be the ideal integration architecture and approach for SSO enabling the apps with minimum amount of modification of the application code.
    The licenses are available for OID, OVD, OAM.
    Thanks in advance. Any views/comments/links to useful material appreciated.
    Cheers
    Soumak

    If your custom application uses its own database for Authentication, then you have to modify the login process for your application. i.e. you have to trust the OAM to have done the authentication and then create any custom cookie that your application might use in its landing page.
    I am assuming that your custom application have some way of tracking if the user has logged in or not. You can protect the Custom application URL within OAM and once the user has logged in you can then generate your custom application cookie.
    Even if you use OVD, you still have to modify the login process in your custom application to trust the third party to have done the authentication.
    Thanks
    Ram

  • OBIEE 11.1.1.5 SSO integration with OAM 11gR1 (11.1.1.5)

    Hi,
    I am integrating OBIEE 11.1.1.5 with OAM 11gR1 (11.1.1.5).
    I have configured as per section 12.3 of following link:
    http://docs.oracle.com/cd/E22203_01/doc.31/e20664/chapter_12.htm#CHDFAFHH
    After making all these configurations, when I access:
    http://<OHS server>:<OHS port>/analytics
    User is getting prompted for auth from OAM. After successful auth, request gets redirected to WebLogic server hosting the OBIEE app. I have verified in OBI logs that the header value OAM_REMOTE_USER gets passed to OBI.
    But even with all this, after successful OAM authentication, user is getting prompted with OBI login page.
    Pls help.
    Thanks

    Hi Abhinay,
    I have already made the following configurations as per the documentation:
    To enable SSO:
    1. Log in to OBIEE at
    http://[OBIEE server:port]/em.
    2. Click Farm_<OBIEEDomain>_domain > Business Intelligence > Coreapplication.
    3. Click the Security tab.
    4. Select Enable SSO.
    5. Select SSO Provider: Oracle Access Manager.
    6. Click Apply and Activate Changes.
    Do we need to make some other configurations also at OBIEE EM ?
    Thanks

  • Integrating Webcenter 11g (Discussions)  with OAM  for SSO

    Hi,
    I need some help in integrating Webcenter 11g with OAM 10g.
    Objective:
    =========
    My customer is using Webcenter 11.1.1.2.0 and they are primarily using Discussions and wiki. I would like to integrate OAM with Webcenter for providing SSO.
    Steps Followed:
    ============
    I have followed the steps mentioned in the section 23.7.1 and 23.7.1.7 in the doc
    http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBCEHGE
    and also referred metalink note ID 829122.1
    Scenario after integrating with OAM:
    ===========================
    1. Accessed the discussions url through OHS proxy http://<ohs_host>:<ohs_proxy>/owc_discussions
    2. Click on Login button
    3. OAM Login page appears
    4. Provide credentials for orcladmin (admin user of OAM OID LDAP)
    5. Discussions default login screen appears (I don't expect this default login page, as I have already authenticated with OAM)
    6. Provide orcladmin credentials
    7. Login screen keeps popping up and I am not able to login
    If I set owc_discussions.sso.mode=false, then the looping (Step 7) does not occur and I am able to login.
    Am I doing anything wrong here? Or is there a way I can make it work?
    Thanks in Advance.

    Did you setup weblogic as per this doc? - http://download.oracle.com/docs/cd/E17904_01/webcenter.1111/e12405/wcadm_security_sso.htm#WCADM8175

  • SharePoint 2010 with OAM 11g

    We are currently trying to integrate SharePoint 2010 server with OAM 11g with 10g webgate. In our environment SharePoint site is configured with Claims based authentication with LDAP provider for membership. We have performed all the configurations based on the Oracle documentation with validation mode as OAMHttp.
    We are seeing the following behavior after this integration.
    1) The user requests access to a SharePoint Site
    2) Webgate protecting the site intercepts the request, determines if the resource is protected, and challenges the user.
    3) The user enters their OAM credentials; Webgate contacts the OAM Server, which verifies the credentials from user store and authenticates the user. Webgate generates the OAM native SSO cookie (ObSSOCookie), which enables single sign-on and sets the User ID (to username) header variable in the HTTP request and redirects the user to SharePoint site.
    Here, instead of taking user to the home page of the site, the SharePoint login page is displayed again.
    =================================================================================================
    Looking into the debug logs I found the following error.
    Date ProcessId ThreadID ManagesThreadId ClassName MethodName Message
    =================================================================================================
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider Initialize validationMode^OAMHttp
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor Method Entered
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor ValidationURL configured validationUrl^http://wtv-sea-spapp01.chemd.net:8086/ValidateCookie.html
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor validationHost^wtv-sea-spapp01.chemd.net
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor OAMAuthUserCookieName^OAMAuthCookie
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator .ctor Method Exited
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider Initialize Setting Validation Type OAMHttp
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser Entering ValidateUser : username^IDG2M
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator ValidateUser Method Entered
    Exception Caught InValidateUser
    The remote server returned an error: (403) Forbidden. at System.Net.HttpWebRequest.GetResponse()
    at Oracle.OAMHttpValidator.ValidateUser(Dictionary`2 creds)
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.OAMHttpValidator ValidateUser Exiting AuthStatus^AuthZFail
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser OAMauthStatus^AuthZFail
    5/4/2012 4:16:19 AM 7648 3604 7 Oracle.CustomMembershipProvider ValidateUser Method Exited returnCode^False
    If anyone has integrated OAM 11g with SharePoint 2010 earlier, I would appreciate your inputs in this regard.

    Each license is platform specific, you can't backwards apply or forwards apply licenses from one version of SharePoint to another.
    If you do have MSDN access, you'll have access to all current versions of SharePoint, across the current and retired server products.
    Steven Andrews
    SharePoint Business Analyst: LiveNation Entertainment
    Blog: baron72.wordpress.com
    Twitter: Follow @backpackerd00d
    My Wiki Articles:
    CodePlex Corner Series
    Please remember to mark your question as "answered" if this solves (or helps) your problem.

  • How to protect an application running on IIS with OAM 11gR2

    Hello Gurus,
    I have a question regarding protecting an application running on IIS with OAM 11gR2. We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page. This is all Solaris. I am protecting other applications like PeopleSoft modules with this OHS instance and OAM server. There is another application that I need to protect which is itself running on an IIS Windows machine. I need guidance as to -
    1.) Do I need to install a windows version of webgate to protect this IIS based application?
    2.) Or I can still protect and proxy requests from this application to current OHS instance? How can I do this?
    3.) Or Do I need to proxy requests directly from IIS to OAM weblogic server?
    Please advise to the earliest as this is an urgent issue.
    Thanks !!

    From your description it is not clear how exactly the architecture looks:
    We have an OHS server running and all the requests from the users are coming to this OHS server webgate for them to login using the SSO login page.
    Is this OHS a centralized login farm? (Case 1)
    OR is this OHS server (with webgate) acting as a virtual web server hosting multiple web sites so that a request to any site passes through this OHS/webgate? (Case 2)
    1.) Do I need to install a windows version of webgate to protect this IIS based application?
    If case 1 then you need to install 10g webgate on top of the IIS server to protect this application.
    If case 2 then you can just proxy requests from OHS to the IIS server. As every request passes through OHS, the user will be authenticated before the request hits IIS.
    Look at Product documentation for virtual web sites : http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/shared.htm#autoId12
    It has steps to protect virtual web sites.
    Also you need to make sure no one hits the IIS web sites directly.
    Hope this helps

  • How to protect an application running on Apache Tomcat app server with OAM 11gR2

    Gurus,
    We have an Apache Tomcat based application named "ABCD" here at client site that we want OAM 11gR2 PS1 to integrate with for SSO purposes. I have successfully configured OHS to reverse proxy requests to Apache Tomcat server whenever somebody tries to access the application URL but still, I am getting the application login page once I have successfully authenticated on OAM SSO login page. The Tomcat based application is authenticating users against a "UserDatabase realm".
    I know in terms of weblogic application, there is an OAM identity asserter provider which then populates the User Principal for the java environment with the authenticated OAM user. But there is no such OAM identity provider for Tomcat.
    So my question is, is there a provider (or Tomcat equivalent) which will entrust authentication to a header, that could be used to populate the Java User Principal from the OAM_REMOTE_USER header? Is the weblogic equivalent of authentication providers present in tomcat as well? Are those called valves?
    Please advise to the earliest.
    Thanks !!

    Aakash,
    I did follow the 4 steps that you mentioned to me. Out of the 4 that you had mentioned, I already had the webgate in place on OHS server and I was already passing the remote_user http header in oam policy as action.
    As part of Step #2: Install mod_jk plugin on OHS server that you mentioned
    1.) I downloaded the tomcat connector - tomcat-connectors-1.2.37-src
    2.) I had to run ./configure, make, make install on my OHS server which runs on RHEL 6. It created the mod_jk.so file. I pasted it in the needed folder.
    3.) I then created the httpd.conf file and workers.properties file as said in the connector docs.
    4.) Restarted OHS.
    As part of Step #3: Configure tomcat's ajp connector that you mentioned, I went through all the links pasted below but didn't find actually what needs to be in place to configure tomcat's ajp connector. I do see in the server.xml of the tomcat app server that the ajp 1.3 protocol is supported:
    http://tomcat.apache.org/tomcat-4.0-doc/config/ajp.html
    http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html#s8
    http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
    http://www.mulesoft.com/understanding-tomcat-connectors
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    Do we need to disable the HTTP protocol in Tomcat and keep only AJP connector enabled? If yes, how to do that?
    I am trying to connect to the application from the OHS server like so, so I am using the http protocol, right? How should I use the ajp protocol to connect to the tomcat application?
    http://ohs-host:ohs-port/abcd
    Thanks !!!!!

  • OAM SSO integration question:How can I get a user identity from ObSSOCookie

    We are building an OAM SSO solution. The App server is both on OAS and WLS. My question is that, after I get the ObSSOCookie from httprequest.
    I need to verify whether the ObSSOCookie is a valid one, and I also need to get user identity from the cookie and pass it to login module to populate user principal
    Of course, one way of doing that is to install access manager SDK and go from there. But we support multiple OS, it's a pain to add Access manager SDK to different installer for different OS.
    I am trying to use IdentityXML Functions which is a SOAP based webservice so that I don't need to worry about the OS platform. But I can't find a webService which returns user identity based on a valid ObSSOCookie. It seems that I can invoke the webService with a valid ObSSOCookie, but there is no way to get the user identity back. Am I missing something?
    Hope someone can help me out.
    Thanks.
    -Wei

    Ok. Sounds like you are a vendor trying to play well in an SSO environment.
    Here is what I tell OAM customers when they are evaluating software to see if it will cooperate with a system like OAM.
    Can the software's native authentication scheme be explicitly turned off (usually a configuration in a file)?
    Can the software be configured to accept a token of identity in the form of a Cookie or HeaderVar (also configurable in a file)?
    If the answer to both is yes, then the system is capable of 'third party trust' for authentication.
    From your perspective, your logic for login should be something like:
    Is my native authN turned off?
    If yes, can I find the cookie or header that I should be looking for?
    If yes, take the value and proceed to create user session for this identity per usual (except that you never evaluated the authN - you trust that it was done).
    If no, present the native AuthN scheme anyway.
    If you follow this pattern, you are in the good company of folks like PeopleSoft and Plumtree who had these types of integrations working long ago.
    Yes, there are other ways to do this but, in my humble opinion, this remains the most stable and effective pattern we see.
    What you ask for as the identity token value is up to you. It is often the login ID value that you would have used in your own authN procedure. There's nothing particularly sensitive about having a webgate set headers - they are only available to the server and not to the client. The cookie of course could be seen but can't be spoofed as the webgate has the final word on its content.
    Mark
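    The login pattern Mark describes (trust the webgate's header only when the request actually came through the webgate, otherwise fall back to the application's own login) is also the answer to the earlier Tomcat question about a Valve that populates the Java User Principal from OAM_REMOTE_USER. The Tomcat 7 Valve below is an added example, not code from this thread or from Oracle; the package name, class name and the proxy address in the comment are assumptions, and roles are left for the application's realm.

```java
package example.oam; // hypothetical package name

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * Header-based identity assertion for a Tomcat application fronted by
 * OHS + OAM Webgate. Configure inside <Host> or <Context> in server.xml:
 *
 *   <Valve className="example.oam.OamHeaderIdentityValve"
 *          trustedProxies="10.0.0.5"
 *          headerName="OAM_REMOTE_USER" />
 *
 * (10.0.0.5 is a hypothetical OHS address; use the real proxy address.)
 */
public class OamHeaderIdentityValve extends ValveBase {

    private String headerName = "OAM_REMOTE_USER";
    private Set<String> trustedProxies = Collections.emptySet();

    // Tomcat calls these setters for the attributes given on the <Valve> element.
    public void setHeaderName(String headerName) {
        this.headerName = headerName;
    }

    public void setTrustedProxies(String commaSeparated) {
        Set<String> set = new HashSet<String>();
        for (String s : commaSeparated.split(",")) {
            if (!s.trim().isEmpty()) {
                set.add(s.trim());
            }
        }
        this.trustedProxies = set;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String asserted = request.getHeader(headerName);
        String peer = request.getRemoteAddr();

        // Step 1 of the pattern: is there an identity token we should look for?
        // Step 2: only accept it from the webgate-fronted proxy. A request that
        // reached Tomcat directly (bypassing OHS) must not be able to choose
        // its own user just by sending the header.
        if (asserted != null && !asserted.isEmpty() && trustedProxies.contains(peer)) {
            // OAM already authenticated the user; no password is checked here.
            // Roles are empty in this example and should be resolved by the
            // application's realm (e.g. from the directory) if it needs them.
            List<String> roles = Collections.emptyList();
            request.setUserPrincipal(new GenericPrincipal(asserted, null, roles));
            request.setAuthType("OAM_HEADER");
        }
        // Otherwise fall through: the application's native login still
        // applies, which is the "present the native AuthN scheme anyway" branch.
        getNext().invoke(request, response);
    }
}
```

    The valve does not switch the application's own authentication off; that remains the application's configuration, exactly as the pattern requires.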

  • Preparing OVD for use with OAM

    Hi,
    I am trying to configure OVD for use with OAM. I am trying to present two directories, one from AD and the other from Sun LDAP, with OVD.
    In case of AD, I am using the "OAM/AD Adapter with Mapper" template, and it does appear to be massaging Active Directory into a more inetOrgPerson schema... however the relative distinguished name (rdn) of the objects are still cn=username.
    This is in conflict with the users that are coming in from Sun, who have an rdn of uid=username. I'm concerned that this is going to create difficulties for OAM, and it just feels wrong (especially since we are migrating many of these users to AD at which point their DNs will change).
    My questions are:
    1. Is there a best practice for what the RDN should be for OAM? It seems like the product has historically used uid as the RDN, and so that feels safest.
    2. Should I, and if so, how can I get OVD to translate the RDNs? Why don't the templates do this automatically?
    - Jim

    OAM is not concerned with the RDN of a user in AD or Sun. It can be anything.
    So in OVD you can have dn like uid=usrid,dc=example,dc=com for Sun and cn=commonname,dc=example,dc=com for AD.
    Only thing to take care is you have configured OVD with the same objectclass for AD and Sun.
    For example "OAM/AD Adapter with Mapper" maps AD's user object class into inetorgperson and the same goes for Sun. So in OAM you have to configure the user objectclass as "inetorgperson".
    OAM searches are based on the login id, so in this case it will always be uid="user login" which OVD will translate into samaccountname for AD and uid for Sun.
    There is no restriction in OAM on what the RDN should be for a user entry.

  • Obiee 11.1.1.5 integration with OAM

    Hi,
    I integrated OBIEE 11.1.1.5 with OID 11g (as a part of OAM integration); all OID users are getting reflected into OBIEE. I'm able to login to 'analytics' but not able to access the reports. Also I'm not able to assign any BI groups to OID users.
    Has anyone faced this kind of a scenario? Can anyone please help me?
    If anyone has done OBIEE 11.1.1.5 integration with OAM 11g, please provide me the document which you followed.
    Thanks in advance,
    Fathima farsatha.
    Edited by: 927873 on Jul 16, 2012 12:11 AM

    Hi,
    Please try to access Analytics Webservices by using 'analytics-ws' instead of only 'analytics' in the URL as below,
    http://<Host Name>:<Port>/analytics-ws/saw.dll?WSDL
    Give a try with below link it may help you..
    http://onlineappsdba.com/index.php/2011/12/05/integrate-obiee-11g-with-oam-11g-for-single-sign-on-in-13-steps/
    http://fusionsecurity.blogspot.com/2012/06/integrating-obiee-11g-into-weblogics.html
    http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/sso.htm#CEGJBAED
    Thanks
    Deva

  • PLSQL toolkit with OAM 11gR2

    Hello,
    We're currently using PLSQL toolkit developed applications with Oracle SSO. We're looking to upgrade to OAM in the near future and would like to verify if we can use these PLSQL toolkit applications with OAM. Will this be a problem for us?
    Thanks for any information or insight.
    Ariel

    Colin,
    One more question pertaining to this is:
    Earlier I was not using any valid host:port combinations in the host identifier. It was a generic string equal to the name of the host identifier.
    But now after changing servercache to form and modifying the login form to return OAM_REQ, I have to put valid combinations in the host identifier. Without that it showed a Bad Access Manager error and in the logs:
    [2013-10-29T08:27:41.002-06:00] [oam_server2] [WARNING] [OAM-02073] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c72ab7e1931dad2b:-ad6b939:1420484d41b:-8000-0000000000000014,1:27010] [APP: oam_server#11.1.2.0.0] Error while checking if the resource is protected or not.
    [2013-10-29T08:27:41.003-06:00] [oam_server2] [ERROR] [OAM-04029] [oracle.oam.proxy.oam] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c72ab7e1931dad2b:-ad6b939:1420484d41b:-8000-0000000000000014,1:27010] [APP: oam_server#11.1.2.0.0] Error in generating AMEvent. Details Event Response status is STATUS_FAIL for GET_AUTHN_SCHEME event. Error code OAM-02073 status fail isExcluded false
    Could you please explain the behaviour.
    Thanks in advance.

  • Shared Services with OAM ?

    Planning a green-field 11.1.2.2 implementation and want to understand whether it will be possible (or indeed is possible in current versions) to integrate Shared Services with OAM?
    Thanks in advance!
    Alasdair
    Edited by: 919830 on 09-Mar-2012 03:25

    Hi,
    Yes is the answer, but I am not sure how it can be done. But the Essbase document states the below:
    Security: Integration with Oracle Access Manager, Oracle SSO, Desktop Kerberos Support, OID as the Native Provider
    Sandeep Reddy Enti
    http://hyperionconsultancy.com/

  • Apex Application With Oracle SSO (inbuilt) application integration

    Hi,
    Installed oracle 11g, configured Application Express Release 3.0.
    I developed application in APEX.
    Now I want to authenticate my application with Oracle SSO login.
    Please help me on this.
    Thanks in advance.
    Thanks,
    Surya

    Hello Surya,
    If you follow the instructions here you should be able to connect to your SSO.
    http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
    Peter

  • Registering a Partner application with Oracle SSO 10gR2

    Hi Everybody
    I'd like to ask a question around registering a partner application with Oracle SSO.
    I have entered my home_url, logout_url and cancel_url e.g. home_url is https://vevopuitest1.co.uk/vevo_test1 and so on for the other fields.
    When I save the details some information is automatically created e.g. Site Id, Site Token etc.
    The bit that I am particularly interested in are the fields Single Sign-On URL and Single Sign-Off URL.
    For my purposes these fields are respectively: https://cwassotest1.co.uk/pls/orasso/orasso.wwsso_app_admin.ls_login and https://cwassotest1.co.uk/pls/orasso/orasso.wwsso_app_admin.ls_logout
    My questions are:
    1. Where do these values come from?
    2. Can I view them anywhere, say, in Oracle Directory Manager or using ldif queries?
    I would like to be able to verify these values.
    Many Thanks
    Andy

    I'm afraid this won't answer your question completely, but AFAIK in principle it does not matter on which machine SSO is running, as long as it passes the user id and credentials properly through the HTTP Header. Even more: in practice it is very common to have SSO running on a different machine than where your app runs.
    So what I would do is find out how to use ADF Faces with SSO. Perhaps someone else can provide pointers on that.
    Jan Kettenis

  • Implementing OAM - SSO for Multiple Applications

    I am trying to implement OAM - SSO for 2 applications. I already have completed the setup of SSO for one application: OID -- OAM -- OHS (11g webgate) - Weblogic Server - OBIEE (all the components are version 11.1.1.5).
    Now I am looking to add a 2nd application ( OBIEE 11.1.1.6.5 version ) into the mix. So should I install a separate OHS and webgate for the new application or can I use the existing OHS to add another application.
    Any tips on this would be helpful please.
    Thanks

    You may use the same OHS server in reverse proxy to the two applications and configure corresponding policies in OAM console.
    Let us know if you get into any issues.
