"uid" vs. "cn" in OAM

Hi,
I think that there may be something wrong in my (initial) test OAM installation.
I am using SunONE Directory Server as my OAM repository.
When I use User Manager to create a new user, the new user appears (in the ou=People,...), but the user entry is always of the form "cn=username,ou=People,dc=...".
The new user appears when I search under User Manager, so all looks ok.
But then, if I try to login to OAM Admin using the new user, it always fails with "Invalid credentials" (even after I set the password).
In testing this, I created some users "manually" using the SunONE DS Admin console instead of using OAM Admin. These new users appear in the form "uid=username,ou=People,dc=...".
I CAN login to OAM admin using these "manually" created users.
So, I'm thinking that the login to OAM Admin may be doing the authentication against SunONE DS thinking that the name I enter needs to have "uid=" in front of it.
I was looking at the objectclass in OAM, and it looks like the "cn" attribute has semantic type "full name" and "dn prefix", while the "uid" attribute has semantic type "login", but when I look in SunONE DS at users, the "uid" attributes for the users that were created via the OAM Admin are all empty. I haven't tried adding "login" to the semantic type for the "cn" attribute, because I'm afraid that if I do that it might prevent everyone (including the admin users) from logging into OAM Admin.
I still might try that, but hoping someone can clarify this situation/problem for me.
Also, is this because I messed up something when I did the OAM installation??
Thanks,
Jim

Hi,
For the record, I fixed this by going into the "inetorgperson" objectclass, and changing the "uid" attribute to Semantic Type "DN Prefix". After that, I had to modify the Create User workflow to include the uid attribute. Then, when I create new users, they are of the form "uid=username,...".
Jim

Similar Messages

  • Oracle Access Manager and Passing Cert Info

    Friends,
    We are trying to pass the CN information from our smartcard (CAC) that looks like john.doe.123456789 as a parameter to an HTML or JSP file utilizing the OBLIX SSO. We can pass the UID, but since we will have First-time Registration of the Smartcards, the UID doesn't count since the CN information from the Smartcard has not been populated at this point to the OID. We are trying to get the functionality going to get the user first to put in their login and password but, at submit time, to update the OID with the CN information to a separate column of OID and not the UID.
    Utilizing the OAM, we have been able to proof-of-concept the authentication using the UID by using the Policy Manager and the Access System Console --> Access System Configuration. It works well with the plugin that comes with the OAM (SSOOblixAuth.java), and thanks to Oracle Support, but we need to be able to pass other parameters that are specified as a part of the Resource - Action as headervars such as
    HeaderVar OBLIX_SN or
    HeaderVar OBLIX_MAIL
    Our Oracle Access Implementation is in halt until we find a way to pass these return Attributes to a sample HTML or JSP program.
    The Self-Service Forms functionality unfortunately doesn't provide the Smartcard related features such as SN, and MAIL.
    Any help we can get, we very much appreciate it.
    KA

    O.K.
    I am getting closer but still not getting the ssooblixuser or ssooblixcn. I have
    the following jsp to fire after a successful authentication.
    The following code is utilized in our SSO environment for changing passwords.
    The bolded line should get the ssooblixuser but it is not..
    <%
    // Disable caching of this page.
    response.setHeader("Cache-Control", "no-cache");
    response.setHeader("Pragma", "no-cache");
    response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
    request.setCharacterEncoding("UTF-8");
    response.setContentType("text/html; charset=UTF-8");
    String remoteUser = null;
    String userDn = null;
    String referer = null;
    String oblixuser = null;
    remoteUser = request.getRemoteUser();
    userDn = request.getHeader("OSSO-USER-DN");
    referer = request.getHeader("referer");
    // Header expected from the SSO layer after a successful authentication.
    oblixuser = request.getHeader("ssooblixuser");
    %>
    <HTML>
    <HEAD>
    <SCRIPT language="JavaScript">
    function validatePasswordsMatch() {
        var frm = document.forms["changePassword"];
        if (frm.newpwd.value != frm.confirm_newpwd.value) {
            alert('The Password and verified password do not match!');
            return false;
        } else {
            document.changePassword.submit();
            return false;
        }
    }
    function cancelButton() {
        document.close();
    }
    </SCRIPT>
    </HEAD>
    <BODY bgcolor="#cae3ff" >
    <table width="750" height="10" border="0" cellspacing="0" cellpadding="0">
    </table>
    <TABLE ALIGN="Center">
    <TR><TD>User Name</TD><TD> <%=remoteUser%> </TD></TR>
    <TR><TD>OBLIX USER</TD><TD> <%=oblixuser%> </TD></TR>
    Edited by: user10130371 on Sep 17, 2009 8:09 AM
    Edited by: user10130371 on Sep 17, 2009 8:10 AM

  • Oracle Access Manager and Passing Cert Info to HTML or JSP

    Friends,
    We are trying to pass the CN information from our smartcard (CAC) that looks like john.doe.123456789 as a parameter to an Oracle Forms using the staticHTML implementation utilizing the OBLIX SSO OR utilizing a JSP or HTML file to read these parameters and update OID. We can pass the UID, but since we will have First-time Registration of the Smartcards, the UID doesn't count since the CN information from the Smartcard has not been populated at this point to the OID. We are trying to get the functionality going to get the user first to put in their login and password but, at submit time, to update the OID with the CN information to a separate column of OID and not the UID.
    Utilizing the OAM, we have been able to proof-of-concept the authentication using the UID by using the Policy Manager and the Access System Console --> Access System Configuration. It works well with the plugin that comes with the OAM (SSOOblixAuth.java), and thanks to Oracle Support, but we need to be able to pass other parameters that are specified as a part of the Resource - Action as headervars such as
    HeaderVar OBLIX_SN or
    HeaderVar OBLIX_MAIL
    Our Oracle Access Implementation is in halt until we find a way to pass these return Attributes to our Oracle Forms. The Oracle Forms running SSO is working greatly with just the userlogin and password (UID is passed as a header) without the Oracle Access Manager (OBLIX) but now we have shifted to this product for reading and processing Smartcard information.
    Any help we can get, we very much appreciate it.
    KA


  • How to Use 'uid' for AD Users Without Domain Name For User Log in OAM

    How to Use 'uid' for synchronized Active Directory (AD) Users into Oracle Internet Directory (OID) Without Domain Name For User Logins in OIDDAS and OAM
    We successfully integrated OAM 11g with EBS R12.1.3 Now all the AD user id's stored in fnd_users table as [email protected]
    How can we remove @abc.com
    We are using OID 11g and OAM 11g
    Found the similar note for OID 10G: How to Use 'uid' for AD Users Without Domain Name For User Logins in OIDDAS and SSO [ID 580480.1]
    We are in OID 11g.
    Any help on this greatly appreciated.

    I couldn't find any reference that could be helpful -- Please log a SR and see if this is supported and if the steps are available.
    Thanks,
    Hussein

  • Run report with SSO/OAM by URL without prompt for uid/pwd?

    Can I run a report by URL to a report engine protected by SSO/OAM without being prompted for credentials?  Asking the same in another way, is there a way to pass the SSO/OAM credentials in the URL (or otherwise) to avoid being prompted for them?  I find many references to how to do this for the database connection credentials, but I'm trying to pass the SSO/OAM credentials on the URL.  My end game is to be able to run a report from VB.NET from a kiosk application in VB.NET where there is no attendant and client does not want to have to log into SSO/OAM at any time.  My VB.NET code will submit the URL, grab the output and manage the work stream (print, save, store to doc repos, etc.) in the kiosk code.
    Thanks in advance
    Hank
    12/29/2014
    For the sake of those that come later with this same question:
    It turns out there is a way to do this after all.  I opened an SR with MOS and with a little trial and error we worked out that the following does work:
    http://<theFormsReportsServer>:9002/reports/rwservlet?report=myTestReport.rdf&authid=myOAMUserId/mySSOPasswd&userid=dbUid/dbPwdK@DbTnsEntryName&destype=cache&desformat=html
    Note that there are two necessary bits to this in addition to specifying the authid=SSO Credentials part.  The first is that you must use the WLS_REPORTS port (9002 in our case), not the OHS port (8888 in our case).  The other is that you must provide the database connection.  I have done it overtly in this syntax by specifying userid=DbCredentials@Db, but it should also work to substitute the ssoconn functionality in order to hide the Db credentials.  That is not an issue in our environment so I have not actually tested it.
    Regards
    Hank
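With `authid=` and `userid=` on the URL, both passwords end up wherever request URLs are logged. The following is an added example (not part of the original post) that finds and masks them in access-log lines; the log lines are constructed samples in common log format, and the function names are this example's own.

```python
"""Find and mask credentials carried in Oracle Reports rwservlet query strings."""
import re
from urllib.parse import unquote

# authid=<sso user>/<password> and userid=<db user>/<password>@<db>,
# the two parameter shapes used in the URL quoted in the post.
CRED_PARAM = re.compile(
    r'(?P<prefix>[?&](?P<name>authid|userid)=)(?P<value>[^&\s"]*)',
    re.IGNORECASE,
)

# Constructed sample lines (hosts, users and passwords are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Dec/2014:10:15:02 +0000] "GET /reports/rwservlet?'
    'report=myTestReport.rdf&authid=kiosk1/S3cret&userid=rep/dbpw@ORCL'
    '&destype=cache&desformat=html HTTP/1.1" 200 5120',
    '10.0.0.6 - - [29/Dec/2014:10:16:40 +0000] "GET /reports/rwservlet?'
    'report=myTestReport.rdf&AUTHID=kiosk2%2Fp%40ss&destype=cache HTTP/1.1" 200 4100',
    '10.0.0.7 - - [29/Dec/2014:10:17:11 +0000] "GET /reports/rwservlet?'
    'report=myTestReport.rdf&destype=cache HTTP/1.1" 302 0',
]


def redact_value(name, raw):
    """Return (masked_value, user) if raw holds user/password, else (raw, None)."""
    value = unquote(raw)  # also catches user%2Fpassword
    user, slash, rest = value.partition("/")
    if not slash:
        return raw, None  # no "/": nothing that looks like a password
    if name == "userid":
        # Only userid carries an @<db> suffix; split on the last "@".
        secret, at, target = rest.rpartition("@")
        password = secret if at else rest
        suffix = f"@{target}" if at else ""
    else:
        # authid has no suffix, so an "@" here belongs to the password.
        password, suffix = rest, ""
    if not password:
        return raw, None
    return f"{user}/***{suffix}", user


def scan_line(line):
    """Mask passwords in one log line; return (masked_line, [(param, user), ...])."""
    findings = []

    def mask(match):
        name = match.group("name").lower()
        masked, user = redact_value(name, match.group("value"))
        if user is not None:
            findings.append((name, user))
        return match.group("prefix") + masked

    return CRED_PARAM.sub(mask, line), findings


def scan_log(lines):
    """Return (line_number, findings, masked_line) for each line that carried a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        masked, findings = scan_line(line)
        if findings:
            hits.append((number, findings, masked))
    return hits


if __name__ == "__main__":
    for number, findings, masked in scan_log(SAMPLE_LOG):
        print(f"line {number}: {findings}")
        print(f"  {masked}")
```

The reported user names identify which kiosk or database account needs its password rotated once such a line has been written to a log.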

    Hi;
    It's been too long since I've done anything in Access. Have a look at this old sample, and see if it helps:
    https://smpdl.sap-ag.de/~sapidp/012002523100006013432008E/rdc_vba.exe
    Regards,
    Jonathan

  • Unable to authenticate users using Custom plugins in OAM 11g

    We are working on a requirement in which we have to write a custom authentication plugin in OAM 11g.
    We were able to import and activate the plugin.
    We created a new authentication module with steps in the following order:
    1) UserIdentificationPlugin
    2) UserAuthenticationPlugin
    3) Our custom plugin to create custom responses (we just created the class with mandatory methods and the process method returning success)
    But finally, when we try to authenticate, authentication fails, resulting in an OAM-2 error. We had entered valid credentials.
    Can somebody please help me with resolving this issue?
    The plugin code, manifest file and metadata XML are shared below.
    Plugin Code
    public class NewPlugin extends AbstractAuthenticationPlugIn {
        private static final String CLASS_NAME = "FirstTestClass";

        public ExecutionStatus initialize(PluginConfig config) {
            super.initialize(config);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.logp(Level.FINE, CLASS_NAME, "initialize", "Entering initialize");
            }
            return ExecutionStatus.SUCCESS;
        }

        @Override
        public String getDescription() {
            // TODO Auto-generated method stub
            return null;
        }

        @Override
        public Map<String, MonitoringData> getMonitoringData() {
            // TODO Auto-generated method stub
            return null;
        }

        @Override
        public String getPluginName() {
            // TODO Auto-generated method stub
            return null;
        }

        @Override
        public int getRevision() {
            // TODO Auto-generated method stub
            return 0;
        }

        @Override
        public ExecutionStatus process(AuthenticationContext context)
                throws AuthenticationException {
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.logp(Level.FINE, CLASS_NAME, "initialize", "Entering process");
            }
            return ExecutionStatus.SUCCESS;
        }

        @Override
        public void setMonitoringStatus(boolean arg0) {
            // TODO Auto-generated method stub
        }

        @Override
        public boolean getMonitoringStatus() {
            // TODO Auto-generated method stub
            return false;
        }
    }
    MANIFEST.MF
    Manifest-Version: 1.0
    Bundle-ManifestVersion: 2
    Bundle-Name: NewPlugin Plug-in
    Bundle-SymbolicName: NewPlugin
    Bundle-Version: 1.0.0
    ImportPackage:org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api,oracle.security.am.common.utilities.principal,oracle.security.idm,javax.naming,javax.sql,javax.security.auth
    Bundle-RequiredExecutionEnvironment: JavaSE-1.6
    METADATA XML
    <?xml version="1.0" encoding="UTF-8" ?>
    <Plugin name="NewPlugin" type="Authentication">
    <author>me</author>
    <email>[email protected]</email>
    <creationDate>11:40:20,2012-13-02</creationDate>
    <version>1</version>
    <description>Custom User Authentication Plugin</description>
    <interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
    <implementation>newplugin.NewPlugin</implementation>
    <configuration>
    <AttributeValuePair>
    <Attribute type="String" length="20">DataSource</Attribute>
    <mandatory>true</mandatory>
    <instanceOverride>false</instanceOverride>
    <globalUIOverride>true</globalUIOverride>
    <value>jdbc/CISCO</value>
    </AttributeValuePair>
    </configuration>
    </Plugin>

    Your search results show that the user "collini" was not found (nentries=0). This could be caused by a number of reasons.
    1) The user doesn't exist under "ou=people,dc=our,dc=domain"
    2) The user doesn't contain the posixAccount objectclass
    3) The user account that performed the search doesn't have access rights to read/search that user account
    What user account was used to BIND on the connection that the search was done on?
    Try performing the same exact search with an account you know can retrieve the entry. For example:
    ldapsearch -D "cn=Directory Manager" -w - -b ou=people,dc=our,dc=domain -s one "(&(objectClass=posixAccount)(uid=collini))"
    If the entry doesn't return as a result of the search then either #1 or #2 above is the problem. If the entry does return then #3 is your problem.

  • Workflows are not shown in the OAM applications front end but exist in LDAP

    Hi
    In my OAM application, workflows are not shown in the front end but exist in LDAP. Any idea how the workflows are displayed on the front end?
    Due to this not being there in production, when I tried to create a user, it says I do not have access rights.
    When i try to create and add workflows in the LDAP, the server rejects with the following error:
    Error adding object 'dn: obname=R20030715T164905882142,obpolicyContainerId=WorkflowDB, obcontainerId=Policies, o=Oblix,ou=oblixconfigentries,. The error sent by the server was 'Already exists':
    the entry is : last line shows obwfstatus as deleted ...
    dn: obwfinstanceid=7e872056d0ce012f0000BD537dc00000,obcontainerId=workflowInstances,o=Oblix,ou=oblixconfigentries, dc=axa,dc=co,dc=uk
    modifyTimestamp;adcsn-5038aa2900000001000f;vucsn-5038aa2900000001000f: 20120825103356Z
    modifiersName;adcsn-5038aa2900000001000e;vucsn-5038aa2900000001000e: uid=oblixadmin,ou=admins,dc=uk
    obwfstatus;adcsn-5038aa2900000001000d;vucsn-5038aa2900000001000d: 8
    obwfstatus;vdcsn-5038aa2900000001000d;deleted:

    Edit the targetNamespace to any name less than 60 chars and then try again
    Regards,
    Prateek

  • OAM 10g  - custom resource type issue

    I've created a custom resource type, say, boolean with one operation: TRUE. Then I defined resources of type boolean in my domain: /folder, /folder/1
    and /folder/2. I created a policy that sets TRUE for resources /folder, /folder/*, and the rule is some LDAP query, like      ldap:///<my_suffix>??sub? (|(attr='A')(title='B')). Then when I run policy tester for a user (who I know has attribute I set in the LDAP query) and for example, resource /main/1, OAM tells me: policy name - correct name, rule - undefined, authorization - inconclusive. If anyone played with custom resource types, can you please advise? Why does it say "rule not found"?
    Thanks,
    -Alex

    Hi Alex,
    Doing the equivalent works for me - I suspect that it's a problem more with the resource syntax that the policy is protecting than with custom resource types. In my env I have:
    - Policy Domain protecting resource of type boolean, resource /folder1
    - Policy within the domain protecting url prefix /folder1, url pattern test/.../*, resource type boolean, resource operation TRUE
    - authorisation rule (used in the Authorisation Expression for the policy) ldap:///dc=example,dc=com??sub?(|(uid=bjensen)(givenName=*ba*))
    and the Access Tester shows the rule and expected results when testing url boolean:///folder1/test/whatever
    Are you using the /.../* syntax in your policy?
    Regards,
    Colin

  • How to persist URL parameters in OAM portal inserts?

    Hi,
    We have a requirement to redirect the users to different XSLs based on the containers configured in OID (ou=employees,ou=customers). We have configured different style directories (employees and customers) in OAM. For Identity Administration activities we are using another style (adminStyle) used by OAM Identity Administrators.
    We are using OAM portal inserts for navigating from webapplication (integrated with OAM) to OAM modify profile page to change user attributes.
    Also, the webapplication is using a different authentication scheme in OAM.
    User login into webapplication using login.jsp (form based authentication scheme) and clicks on Modify profile link (URL will be portal insert URL).
    After the user session timeout (Configured in webgate) user is redirected to OAM login page (form based authentication). Once the user enters valid credentials user is redirected to OAM user manager application (only navigation bar with back button is displayed).
    The parameters comp=true, style=employees and program=modify are lost. Hence user not able to see OAM Modify profile page. Again user needs to click on back button (portalid) to get into Modify profile page. How to persist these parameters in the URL?
    Following is the portal insert URL we are using:
    http://<host>:<port>/identity/oblix/apps/userservcenter/bin/userservcenter.cgi?program=modify&uid=UserDN&style=employees&xsl=usc_profile.xsl&comp=true &portalid=webapphome
    Any pointers on this are appreciated.
    Thanks in advance.
    Regards,
    Srikanth
    Edited by: Srikanth_idam on 16-Apr-2010 04:30

    Hi Srikanth,
    That looks like a bug (6158232) that was fixed in version 10.1.4.2 of OAM Access Server (maybe WebGate too). Are you on an earlier version?
    Regards,
    Colin

  • Preparing OVD for use with OAM

    Hi,
    I am trying to configure OVD for use with OAM. I am trying to present two directories, one from AD and the other from Sun LDAP, with OVD.
    In case of AD, I am using the "OAM/AD Adapter with Mapper" template, and it does appear to be massaging Active Directory into a more inetOrgPerson schema... however the relative distinguished name (rdn) of the objects are still cn=username.
    This is in conflict with the users that are coming in from Sun, who have an rdn of uid=username. I'm concerned that this is going to create difficulties for OAM, and it just feels wrong (especially since we are migrating many of these users to AD at which point their DNs will change).
    My questions are:
    1. Is there a best practice for what the RDN should be for OAM? It seems like the product has historically used uid as the RDN, and so that feels safest.
    2. Should I, and if so, how can I get OVD to translate the RDNs? Why don't the templates do this automatically?
    - Jim

    OAM is not concerned with the RDN of a user in AD or Sun. It can be anything.
    So in OVD you can have dn like uid=usrid,dc=example,dc=com for Sun and cn=commonname,dc=example,dc=com for AD.
    Only thing to take care is you have configured OVD with the same objectclass for AD and Sun.
    For example "OAM/AD Adapter with Mapper" maps AD's user object class into inetorgperson and same goes for Sun. So in OAM you have to configure user objectclass as "inetorgperson"
    OAM searches are based on the login id, so in this case it will always be uid="user login" which OVD will translate into samaccountname for AD and uid for Sun.
    There is no restriction in OAM on what the RDN should be for a user entry.

  • OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: OID 11.1.1.6 attribute problem

    Hi Everyone!
    I have configured a OAM(webgate)+OID+OBIEE+OHS system.
    The OBIEE is protected via OHS(weblogic module) and webgate. It is working very well.
    The OAM authenticates from OID(default user identity store).
    The *"User Search Base"* is same ( *"cn=Users,dc=mydomain,dc=com"* ) in identity store and in OBIEE's OID authentication provider too.
    The SSO is enabled in OBIEE and the providers are:
    OID (Provider that performs LDAP authentication     1.0) SUFFICIENT
    OAM Provider (Oracle Access Manager Identity Asserter     1.0) REQUIRED
    DefaultAuthenticator     (WebLogic Authentication Provider     1.0) SUFFICIENT
    DefaultIdentityAsserter
    IF the *"User Name Attribute"* is *"cn"* in OAM's user identity store and the OBIEE's OID provider's *"user name attribute"* is *"cn"* (default) too, everything is working fine.
    But I have to use *"orclSAMAccountName"* instead of *"cn"* (OAM and OID provider). And in this case I have the problem.
    In the OBIEE's OID provider are:
    All Users Filter: (&(orclSAMAccountName=*)(objectclass=person))
    User From Name Filter: (&(orclSAMAccountName=%u)(objectclass=person))
    User Name Attribute: orclSAMAccountName
    I made a test user:
    cn=test
    sn=test_sn
    orclsamaccountname=test_sama
    uid=test_uid
    krbprincipalname=test_krb
    I can authenticate with test_sama in OAM, but OBIEE say: *"You are not logged in here: Oracle BI Server."*
    The bi log shows that:
    +Default (self-tuning)'> <BISystemUser> <> <00093dFuR^HFW7PMye7i6G00052S000Tt7> <1345642607333> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
    +oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
    Why does OBIEE search the *"cn"* and why does it not use the *"orclsamaccountname"*?
    Any idea???
    Regards, Jani

    Hello Jani,
    This is a known issue in OBIEE 11.1.1.6.0 , Please refer to : OBIEE 11.1.1.6 Agent failed with Error Codes: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] The impersonator does not exist in the BI Security Service [ID 1446877.1]
    We have configured OBIEE 11.1.1.6 on Linux and using Single Sign On (SSO) with Windows Native Authentication (WNA).
    Configured AD Authenticator, selected sAMAccountName instead of CN for User Attribute. Enabled SSO in EM. When trying to access OBIEE Presentation services we have encountered the error below.
    "You are not logged in here: Oracle BI Server."
    When checking the biserver1 log file found : [Security:090300]Identity Assertion Failed: User OracleSystemUser does not exist
    After applying the patch 13553428 on top of OBIEE 11.1.1.6.0 we have successfully logged into OBIEE Presentation services.
    This works fine with OBIEE 11.1.1.5.0 and 11.1.1.6.1
    Fixed in OBIEE 11.1.1.6.1. Apply Patch 13742915.
    If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.
    Let me know if this solves the Asserter issue.
    Pls mark if helpful or answered.
    Thanks,
    -SVS

  • Error in custom OAM authentication plugin

    Hi All
    I am trying to build a custom OAM authentication plugin using JDeveloper. Here are the version information:
    OAM - 11.1.1.5 BP04
    WLS - 10.3.5
    Issue:
    I get the following error in the OAM logs when I try to activate the plugin.
    [2012-11-14T09:39:17.996-08:00] [oam_server1] [WARNING] [] [oracle.oam.extensibility.lifecycle] [tid: DistributedCache:DistributionCache:EventDispatcher] [userId: <anonymous>] [ecid: 0000Jfzyiy6EgKI5qrH7iY1GcxMc000002,0] [APP: oam_server] Activation failed due to felix bundle exception while installing and starting the bundle.Unresolved constraint in bundle oamCustomAuthPlugin [2]: Unable to resolve 2.0: missing requirement [2.0] package; (package=oracle.security.am.plugin.ExecutionStatus)[[
    org.osgi.framework.BundleException: Unresolved constraint in bundle oamCustomAuthPlugin [2]: Unable to resolve 2.0: missing requirement [2.0] package; (package=oracle.security.am.plugin.ExecutionStatus)
    at org.apache.felix.framework.Felix.resolveBundle(Felix.java:3404)
    The names of jar file, class file, plugin xml file etc are all same. My plugin code is very generic and I have the following values in the plugin's manifest and xml file
    Plugin xml file [oamCustomAuthPlugin.xml]:
    <Plugin name="oamCustomAuthPlugin" type="Authentication">
    <author>uid</author>
    <email>[email protected]</email>
    <creationDate>09:32:20, 2011-11-13</creationDate>
    <version>4</version>
    <description>OAM Custom Authentication plugin</description>
    <interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
    <implementation>com.company.oam.oamCustomAuthPlugin</implementation>
    <configuration>
    <AttributeValuePair>
    <Attribute type="string" length="20">INPUT_PARAM1</Attribute>
    <mandatory>true</mandatory>
    <instanceOverride>false</instanceOverride>
    <globalUIOverride>true</globalUIOverride>
    <value>Param1</value>
    </AttributeValuePair>
    <AttributeValuePair>
    <Attribute type="string" length="20">INPUT_PARAM2</Attribute>
    <mandatory>true</mandatory>
    <instanceOverride>false</instanceOverride>
    <globalUIOverride>true</globalUIOverride>
    <value>Param2</value>
    </AttributeValuePair>
    </configuration>
    </Plugin>
    Manifest File [MANIFEST.MF]:
    Ant-Version: Apache Ant 1.7.1
    Bundle-Version: 1.0.0.4
    Bundle-Name: oamCustomAuthPlugin
    Bundle-Activator: oamCustomAuthPlugin
    Bundle-ManifestVersion: 2
    Created-By: 17.0-b17 (Sun Microsystems Inc.)
    Import-Package: oracle.security.am.plugin,oracle.security.am.plugin.authn
    Bundle-SymbolicName: oamCustomAuthPlugin
    Bundle-RequiredExecutionEnvironment: JavaSE-1.6
    Please let me know if you have faced similar issues in the past. Please help !!

    Try with
    Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api
    If it doesn't work, try with
    Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api,oracle.security.am.plugin.ExecutionStatus

  • How to configure OAM to connect to OVD?

    Hi folks,
    I have two OAM/OAS pairs both connected to replicated Sun Dir Servers, so that the first OAS/OIS pair is connected to Sun Dir-1, while the second OAS/OIS pair is connected to Sun Dir-2. It works fine. I've recently created two OVD servers each pointing to the two Sun Dir servers. How do I re-configure OAM (OIS, OAS, WebPass, WebGate, Policy Manager, etc) to use the OVDs instead of individ Sun Servers? I get an error about DS not found from OAM whenever I try to point to OVD. Do I need to load OAM schema/user data into OVDs?
    Thank you, Roman

    Hi,
    Can you try/check the following -
    1. Value of 'LDAPMaxNoOfRetries' in globalparams.xml? Generally, this should be 'No.of Directory Profiles + 1'. Restart the OIS.
    2. under the o=oblix node,
    -> Web Masters (cn=web masters, o=oblix, ...)
    -> Directory Administrators (cn=directory administrators, o=oblix, ...)
    Reconfirm if the 'master admin' user's DN is correct.
    3. Regenerate Shared Secret.
    If these don't work, try -
    1. Add another user's 'dn' under 'cn=Web Masters,o=oblix,<realm>' and 'cn=Master Web Resource Admins,obapp=PSC,o=oblix,<realm>'
    Eg: obuniquememberStr = uid=pramod,<realm>
    2. Remove/Delete the 'dn' of the admin user with which the problem is/was occurring.
    Eg: uid=oamadmin,ou=users,<realm>
    3. Add the 'dn' of the admin user again.
    Eg: uid=oamadmin,ou=users,<realm>
    4. Restart LDAP Server, OAM Identity & Access Servers, and Web Servers.
    -- Pramod Aravind

  • Error in OAM Identity and Access Servers login pages

    Hi All,
    I am trying to install OAM. I completed all installations, but now I am getting the error "*Invalid credential*". Is there any process to know what the userid and password are for both the Identity and Access Servers? Please tell me if there is any process. It would be very helpful to me.
    Thank u & Regards
    Pokuri

    Hi Pokuri,
    Could be that the searchbase is wrong, so that OAM is not finding the user whose credentials you are entering. Or, maybe OAM is using a different attribute as the login attribute (for example, you could be entering the cn when OAM is expecting the uid).
    Try binding to ldap with another utility (such as ldapbind or ldapsearch) to see if this gives any indications. You may need to reconfigure the Identity Server to verify/correct the searchbase (for this, follow note 730376.1) and to check which attribute has the "Login" semantic type in OAM.
    Regards,
    Colin
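The failure described in the first thread on this page and in Colin's reply above (an entry whose login attribute is empty is never found, whatever its RDN), shown as an added example that is not from any of the posts: a simulated search-then-bind login over a constructed in-memory directory. The entries, passwords and function names are assumptions made for illustration, and no OAM or LDAP API is used.

```python
"""Search-then-bind login over a small in-memory directory (simulation only)."""
import hmac

BASE = "ou=People,dc=example,dc=com"

# Constructed sample entries; DNs, names and passwords are made up.
DIRECTORY = [
    # Created while "cn" was the DN prefix and uid was not in the workflow:
    # the entry exists, but its uid attribute is empty.
    {"dn": "cn=jdoe,ou=People,dc=example,dc=com",
     "attrs": {"cn": ["jdoe"], "uid": []}, "password": "pw-jdoe"},
    # Created in the directory console: uid is the RDN and is populated.
    {"dn": "uid=asmith,ou=People,dc=example,dc=com",
     "attrs": {"cn": ["Alice Smith"], "uid": ["asmith"]}, "password": "pw-asmith"},
    # RDN is cn, but uid is populated: the RDN itself is not what matters.
    {"dn": "cn=Bob Lee,ou=People,dc=example,dc=com",
     "attrs": {"cn": ["Bob Lee"], "uid": ["blee"]}, "password": "pw-blee"},
]


def norm_dn(dn):
    """Lower-case and strip spaces around commas (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(directory, base, attr, value):
    """Entries below base whose attr holds value (case-insensitive match)."""
    suffix = "," + norm_dn(base)
    wanted = value.lower()
    return [e for e in directory
            if norm_dn(e["dn"]).endswith(suffix)
            and wanted in (v.lower() for v in e["attrs"].get(attr, []))]


def login(directory, base, login_attr, username, password):
    """Step 1: find the entry by login attribute. Step 2: bind as that entry.

    Returns (ok, detail). An end user would see the same "invalid credentials"
    message for every failure; detail is what an administrator needs to know.
    """
    matches = search(directory, base, login_attr, username)
    if not matches:
        return False, f"no entry with {login_attr}={username}"
    if len(matches) > 1:
        return False, f"{login_attr}={username} is ambiguous"
    entry = matches[0]
    if hmac.compare_digest(entry["password"].encode(), password.encode()):
        return True, entry["dn"]
    return False, f"bind failed for {entry['dn']}"


def entries_missing_login_attr(directory, base, login_attr):
    """DNs below base that can never log in because login_attr is empty."""
    suffix = "," + norm_dn(base)
    return [e["dn"] for e in directory
            if norm_dn(e["dn"]).endswith(suffix)
            and not e["attrs"].get(login_attr)]


if __name__ == "__main__":
    for user, pw in [("jdoe", "pw-jdoe"), ("asmith", "pw-asmith"), ("blee", "pw-blee")]:
        print(user, login(DIRECTORY, BASE, "uid", user, pw))
    print("cannot log in:", entries_missing_login_attr(DIRECTORY, BASE, "uid"))
```

Running the audit function against the real login attribute before changing any semantic type shows which existing accounts the change would affect.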

  • OAM Plugin Module

    Hello All
    I have a problem I have been trying to research for a while. Basically, as part of a form-based login, I want to perform some checks for the user to see if they have signed an acceptable use agreement and make sure their current signature is valid. I have had a few suggestions to just do this via OAM using header variables to the acceptable use page, but this would add another step in the login process whereby all users would be redirected back to the page, then sent to their original page. Given I have a large population of users, I think this would be pretty inefficient and would like to do it as part of the login process. I am writing an authentication plugin dll to use as part of the form-based authentication module, but wanted to see if anyone had any opinions on better options.
    Also, in terms of process flow, one question I do have is based on the processing of the plugin. If I send the uid of the user to the plugin, it checks it, and I send back a success/failure, can I program results in the plugin process based on the success/failure? For example, if the plugin returns a failure, then the user is redirected to the AUP page; if it is successful, they just go on to the original resource requested?
    Any help you can give would be appreciated.
    Thanks
    Nick

    Hi Nick,
    Is this application specific or overall SSO? What you can do is add a boolean attribute for inetorgperson class in ldap for UAP and pass that attribute through OAM to the passthrough script. If you use OVD, you can also attach the attribute with an adapter to the App DB. This will be faster and mostly OOTB to be supportable and maintainable. We do not see any performance degradation compared to the Oracle OOTB Scripts such as SecurID which does post processing using a perl script.
    If you are passing the attribute in the SSO session to the post processing script, you just need to check if the value is enabled/disabled and can redirect the user to the initial URL. If the UAP is application specific, more design is needed to skip UAP check for Application Users who are not required to agree with UAP.
    Thanks
    Ramesh GK
