Use of OIM vs OAM to do SSO

Hi,
We are doing a project for which we need identity federation as well as single sign-on.
Is there a way that we can configure Oracle Identity Manager to do Single Sign-on or do we need to use Oracle Access Manager?
Thanks

"True SSO" let me try to explain....
Oracle Application Server included an older single sign-on mechanism that would work as long as ALL the applications were running on one or more Oracle App Server instances. But if you had WebSphere, WebLogic, etc. in addition to your Oracle middle tier, the Oracle Single Signon (OSSO) would not support those other app servers.
More recently, Oracle Access Manager (acquired as part of the Oblix deal) implements enterprise single signon (aka. "true" single sign on) across applications running on heterogeneous app/web servers.
Does this help?

Similar Messages

  • Self registration error in OIM-OID-OAM 11g

    Hi,
    We are using OIM, OID and OAM 11g in clustering mode. We are facing a problem with the self-registration process.
    For every alternate self-registration request, the system throws an error. After the self-register user request was approved, I checked the request status in the 'advanced' panel; it says: "IAM-3051103:The create operation on user entity failed in action stage.:"
    This is really a big mystery to me: the 1st self-registration was successful, the 2nd threw an error, the 3rd was a success again, the 4th was a failure, the 5th was a success and the 6th was a failure.
    Below is the corresponding error message in the log file for the failed request.
    <Mar 21, 2011 2:22:30 PM CDT> <Error> <oracle.iam.identity.usermgmt.impl.handlers.create> <IAM-3051103> <The create operation on user entity failed in action stage.
    oracle.iam.platform.entitymgr.MissingRequiredAttributeException: [act_key]
         at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.checkRequired(EntityManagerImpl.java:1448)
         at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:261)
         at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.createEntity(EntityManagerImpl.java:237)
         at oracle.iam.identity.usermgmt.impl.handlers.create.CreateUserActionHandler.execute(CreateUserActionHandler.java:141)
         at oracle.iam.identity.usermgmt.impl.handlers.create.CreateUserActionHandler.execute(CreateUserActionHandler.java:68)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at oracle.iam.platform.kernel.impl.EventHandlerDynamicProxy.invoke(EventHandlerDynamicProxy.java:30)
         at $Proxy235.execute(Unknown Source)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runActionEvents(OrchProcessData.java:1028)
         at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:637)
         at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:220)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:669)
         at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:716)
         at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
         at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
         at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
         at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy428.onMessage(Unknown Source)
         at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:466)
         at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:371)
         at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:327)
         at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
         at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
         at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
         at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
         at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
         at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    <Mar 21, 2011 2:22:30 PM CDT> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <IAM-0042004> <An error occurred while un-reserving the user in LDAP, and the corresponding error is - java.lang.NullPointerException>
    <Mar 21, 2011 2:22:30 PM CDT> <Warning> <oracle.iam.identity.usermgmt.impl.handlers.create> <BEA-000000> <null>
    Any help would be really appreciated.
    Thanks.

    Hi,
    I am assuming that in the clustered environment you have two instances running.
    It must be an issue with a single server, because the problem is intermittent.
    To see which server is causing the problem, just perform the following steps:
    1) Stop server1 and keep server2 running, and fire a new registration request.
    2) Stop server2 and keep server1 running, and fire a new registration request.
    Using the above, at least you can see which server is causing the problem.
    Regards,
    J
    Edited by: J_IDM on Mar 21, 2011 10:52 PM
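
As an added example (not part of the original thread), the per-node comparison suggested in the reply can also be done from the logs: the parser below reads WebLogic console-format records like the ones in the post and counts IAM-3051103 errors per managed server. The server names follow the reply; the assignment of records to servers, the shortened stack trace and the Notice line are constructed sample data.

```python
import re
from dataclasses import dataclass

# Record header as it appears in the post:
# <timestamp> <Severity> <Subsystem> <Message-ID> <message text ...
HEADER = re.compile(
    r"^\s*<(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} [^>]+)> <(?P<severity>\w+)> "
    r"<(?P<subsystem>[^>]*)> <(?P<msg_id>[^>]*)> <(?P<body>.*)$"
)
# First fully qualified Java exception class in the body, plus optional detail.
EXCEPTION = re.compile(
    r"\b((?:[\w$]+\.)+[\w$]*(?:Exception|Error))\b(?::[ \t]*([^\n]*))?"
)


@dataclass
class LogRecord:
    timestamp: str
    severity: str
    subsystem: str
    msg_id: str
    body: str       # message text plus any stack-trace lines
    exception: str  # empty when the record carries no exception
    detail: str     # text after "ExceptionClass:", e.g. the missing attribute


def _finish(fields):
    body = fields["body"].rstrip()
    if body.endswith(">"):          # closing bracket of the message field
        body = body[:-1].rstrip()
    exc = EXCEPTION.search(body)
    return LogRecord(fields["ts"], fields["severity"], fields["subsystem"],
                     fields["msg_id"], body,
                     exc.group(1) if exc else "",
                     (exc.group(2) or "") if exc else "")


def parse_records(text):
    """Split a log into records; stack-trace lines join the record above them."""
    records, current = [], None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            if current is not None:
                records.append(_finish(current))
            current = match.groupdict()
        elif current is not None:
            current["body"] += "\n" + line.strip()
    if current is not None:
        records.append(_finish(current))
    return records


def failures_by_server(logs, msg_id):
    """Count Error records carrying msg_id in each server's log text."""
    return {server: sum(1 for r in parse_records(text)
                        if r.severity == "Error" and r.msg_id == msg_id)
            for server, text in logs.items()}


# Constructed sample: which server logged what is an assumption for the demo.
SERVER1_LOG = """
<Mar 21, 2011 2:20:11 PM CDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
"""
SERVER2_LOG = """
<Mar 21, 2011 2:22:30 PM CDT> <Error> <oracle.iam.identity.usermgmt.impl.handlers.create> <IAM-3051103> <The create operation on user entity failed in action stage.
oracle.iam.platform.entitymgr.MissingRequiredAttributeException: [act_key]
     at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.checkRequired(EntityManagerImpl.java:1448)
     at $Proxy235.execute(Unknown Source)
>
<Mar 21, 2011 2:22:30 PM CDT> <Error> <oracle.iam.platform.entitymgr.provider.ldap> <IAM-0042004> <An error occurred while un-reserving the user in LDAP, and the corresponding error is - java.lang.NullPointerException>
<Mar 21, 2011 2:22:30 PM CDT> <Warning> <oracle.iam.identity.usermgmt.impl.handlers.create> <BEA-000000> <null>
"""
SAMPLE_LOGS = {"server1": SERVER1_LOG, "server2": SERVER2_LOG}

if __name__ == "__main__":
    print(failures_by_server(SAMPLE_LOGS, "IAM-3051103"))
    for rec in parse_records(SERVER2_LOG):
        print(rec.timestamp, rec.msg_id, rec.exception, rec.detail)
```

If the failures cluster on one node, that node's configuration is the place to compare against the healthy one before taking servers down in turn.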

  • Best practices on enterprise and application roles in OIM and OAM 11g?

    Hi, all,
    I wonder if any of you can give me some advice on role design for OIM and OAM 11g. I'd like to have both enterprise roles, such as Accountant II, and application roles, such as App1_User, App1_Admin, etc. Ideally, the enterprise role would automatically give the user the appropriate application roles, but I can't figure out how to do that. We tried using OIM 11g's inheritance, but when the application role is inherited, OAM doesn't see it in OID/OVD and therefore doesn't think the user has the correct authorization to access the application. I thought about using role membership rules, but those seem to only allow you to use user attributes to control membership, which doesn't help at all in my situation.
    How is this situation best handled? Any advice much appreciated!
    Ariel Anderson
    Senior Business Analyst
    Zirous, Inc.

  • OIM/SOA/OAM Instance cloning

    Hi All,
    Can anyone give me inputs on how to replicate an instance of OIM/SOA/OAM from one machine to another machine, with same configuration details.
    Given that I have oracle home location and the password to use. How do I go ahead about cloning the instance on different machines?
    Regards,
    Shashi

    Further to this discussion, I found these scripts that would copy environments and home instances and their components.
    http://docs.oracle.com/cd/E23943_01/core.1111/e10105/clone.htm
    Can the same procedure be followed for environment cloning?
    We are planning to try this approach, so we need your reviews:
    1. Use backup & restore strategy to import the schema and data.
    2. Use the cloning procedure given at the above link to import the instance details.
    Regards,
    Shashi
    Updated the message with approach details

  • OIM or OAM?

    Hi all !
    I am a newbie to the world of identity and access management! Currently I am studying both identity and access management solutions for our company! I am a bit confused and require your guidance!
    OIM is a solution that is used to manage identities of users and organisations of an enterprise.
    OAM is a solution that, in addition to (limited) identity management, is used for authenticating and authorizing users.
    Now we have both issues at hand. We want to manage identities and also want to manage access to our set of web applications through single sign-on.
    Where I get confused is: do we need to install OIM for identity management and OAM for access management, i.e. WAM (web access management)? Can they both be deployed in collaboration?
    Or do we just need to have Access Manager installed and manage identity through it as well?
    Bear with my little knowledge.
    Best Regards
    Zia

    You have to install both OIM and OAM. OIM will manage identities, and then you have to integrate OAM with OIM, which will take care of authentication and authorization of OIM identities.
    Users of OIM will be authenticated through OAM.

  • Benefits of OIM and OAM...

    Hello friends..
    I am new to OIM and OAM but I know Java and Struts. If I decide to learn OIM/OAM, what will be the future scope of these technologies for me? And in which sector will I have a job? I am currently working as a Java developer and willing to learn OIM and OAM.
    Please let me know if anyone knows...
    Thanks and Regards
    DB

    This is how I understand how the products relate to each other:
    Oracle Identity Management isn't an actual product; it's an umbrella term Oracle uses to describe all the Oracle Identity and Access Management products. Please take a look at the link below:
    http://www.oracle.com/technology/products/id_mgmt/index.html
    Oracle Identity Manager and Oracle Access Manager are separate products.
    Oracle Identity Manager is a provisioning and compliance product, formerly Xellerate Identity Manager from Thor.
    Oracle Access Manager is an authentication and access product used for securing and providing single sign-on to web-based applications.
    Both products have many other features besides what's described above some of these features overlap such as workflow, user self service and password management.
    Hope this helps.

  • Regarding OAM-eBusiness suite SSO.

    Hi All,
    Is it possible to configure SSO between OAM (10.1.4.3.0) and eBusiness Suite (11i or 12.0 or 12.1) without installing OSSO in between?
    Thanks & Regards,
    Siva Pokuri.

    Hi Siva,
    First you need to register OID/SSO(>10.1.4.2) component with Oracle E-Business Suite 12g version (12.1.1) using a perl script txkrun.pl. Through Oracle Access Manager 10.1.4.3 you can protect E-Business Suite related web-resources.
    Regards,
    Ajay Babu

  • OAM Access Manager SSO solution fails to open docs and pdfs

    Hi
    I have created a solution for SSO like this.
    OAM against AD, running on Windows (server A). Webpass is on IIS.
    The application I'm protecting is a WebLogic 10.0 application running on Windows (server B).
    I have also installed the webgate on server B running on Apache 2.0, and all the installation was done by following the documentation for WebLogic SSO.
    (This is to make the application runnable directly through port 80 and redirecting in Apache.)
    The SSO works fine.
    But I have a problem in IE6.
    When the application is trying to open documents to view them in MS Word or PDF for printing, the document is not opened, I get a "file not found" exception in the browser, and the URL for getting the document seems very long. (The grey popup)
    When I open the application in IE8 it works fine, and the URL for getting the document seems short (just the docID).
    (The application is currently only compatible with IE6, so running it in IE8 will cause other problems.)
    I cannot find any error messages in any logs.
    If I run the exact same application without SSO, it works fine in both IE8 and IE6.
    Regards
    Tine

    Hi
    This is a followup to the question in this thread
    The system is now able to load pdf's and doc documents, and the reason it did not work before was due to the cache settings on the webgate. The system is now caching documents in the temporarInternetfolder created for the users and loads word and pdf files for printing without problems.
    Now.. my problem is that the application is also running a kind of "generate pdf, doc, html files" application which are saving some modified files on the local users area. (my computer)
    After that the application ask to load these documents into the applications database.
    When I use the Apache mod_weblogic.c to proxy the requests, large files (5 MB) cannot be loaded into the application database. I get a "the connection with the server was terminated abnormally" exception.
    Small files (94 KB) are working fine.
    Does anyone have any idea of what can cause this?
    I have upgraded Apache from 2.0.58 to Apache 2.0.63 and I use mod_wl128_20.so as the weblogic module.
    Regards
    Tine

  • Unable to authenticate users using Custom plugins in OAM 11g

    We are working on a requirement in which we have to write a custom authentication plugin in OAM 11g.
    We were able to import and activate the plugin.
    We created a new authentication module with steps in the following order:
    1) UserIdentificationPlugin
    2) UserAuthenticationPlugin
    3) Our custom plugin to create custom responses (we just created the class with the mandatory methods and the process method returning success)
    But finally, when we try to authenticate, authentication fails, resulting in an OAM-2 error. We had entered valid credentials.
    Can somebody please help me in resolving this issue?
    The plugin code,manifest file and Metadata XML is shared below.
    Plugin Code
    import java.util.Map;
    import java.util.logging.Level;
    // Plugin API packages, as listed in the manifest below
    import oracle.security.am.plugin.*;
    import oracle.security.am.plugin.authn.*;

    public class NewPlugin extends AbstractAuthenticationPlugIn {
        private static final String CLASS_NAME = "FirstTestClass";

        public ExecutionStatus initialize(PluginConfig config) {
            super.initialize(config);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.logp(Level.FINE, CLASS_NAME, "initialize", "Entering initialize");
            }
            return ExecutionStatus.SUCCESS;
        }
        @Override
        public String getDescription() {
            // TODO Auto-generated method stub
            return null;
        }
        @Override
        public Map<String, MonitoringData> getMonitoringData() {
            // TODO Auto-generated method stub
            return null;
        }
        @Override
        public String getPluginName() {
            // TODO Auto-generated method stub
            return null;
        }
        @Override
        public int getRevision() {
            // TODO Auto-generated method stub
            return 0;
        }
        @Override
        public ExecutionStatus process(AuthenticationContext context)
                throws AuthenticationException {
            if (LOGGER.isLoggable(Level.FINE)) {
                // Log under the method actually being entered
                LOGGER.logp(Level.FINE, CLASS_NAME, "process", "Entering process");
            }
            // Always reports success; performs no check of its own
            return ExecutionStatus.SUCCESS;
        }
        @Override
        public void setMonitoringStatus(boolean arg0) {
            // TODO Auto-generated method stub
        }
        @Override
        public boolean getMonitoringStatus() {
            // TODO Auto-generated method stub
            return false;
        }
    }
    MANIFEST.MF
    Manifest-Version: 1.0
    Bundle-ManifestVersion: 2
    Bundle-Name: NewPlugin Plug-in
    Bundle-SymbolicName: NewPlugin
    Bundle-Version: 1.0.0
    Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api,oracle.security.am.common.utilities.principal,oracle.security.idm,javax.naming,javax.sql,javax.security.auth
    Bundle-RequiredExecutionEnvironment: JavaSE-1.6
    METADATA XML
    <?xml version="1.0" encoding="UTF-8" ?>
    <Plugin name="NewPlugin" type="Authentication">
    <author>me</author>
    <email>[email protected]</email>
    <creationDate>11:40:20,2012-13-02</creationDate>
    <version>1</version>
    <description>Custom User Authentication Plugin</description>
    <interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
    <implementation>newplugin.NewPlugin</implementation>
    <configuration>
    <AttributeValuePair>
    <Attribute type="String" length="20">DataSource</Attribute>
    <mandatory>true</mandatory>
    <instanceOverride>false</instanceOverride>
    <globalUIOverride>true</globalUIOverride>
    <value>jdbc/CISCO</value>
    </AttributeValuePair>
    </configuration>
    </Plugin>

    Your search results show that the user "collini" was not found (nentries=0). This could be caused by a number of reasons.
    1) The user doesn't exist under "ou=people,dc=our,dc=domain"
    2) The user doesn't contain the posixAccount objectclass
    3) The user account that performed the search doesn't have access rights to read/search that user account
    What user account was used to BIND on the connection that the search was done on?
    Try performing the same exact search with an account you know can retrieve the entry. For example:
    ldapsearch -D "cn=Directory Manager" -w - -b ou=people,dc=our,dc=domain -s one "(&(objectClass=posixAccount)(uid=collini))"
    If the entry doesn't return as a result of the search then either #1 or #2 above is the problem. If the entry does return then #3 is your problem.

  • Oam11g and oim 9.1.0.2 SSO

    Has anyone done SSO with OAM 11g and OIM 9.1.0.2?
    I seem to be having an issue where OAM 11g sessions and header variables are not getting over.

    Hi,
    Can you provide more details ?
    Thanks
    GK

  • Delete oimGroup membership of the oim user using Script (oim 9.1).

    Hi All,
    I want to remove a particular OIM group membership from OIM users. Is there any problem if I use the following script to delete user group information from the USG table?
    delete from usg where usr_key in (select usr_key from usr where usr_login in ('xxx','yyy')) and ugp_key=31
    Note: In our case, no policies or membership rules are assigned to this OIM group (we defined groups only) and the env is OIM 9.1.
    Can anyone confirm this? Or if there is any problem, please let us know.
    Thanks.
    Edited by: user13285646 on Jul 28, 2011 11:01 PM

    Thanks Rajiv.

  • Using the OIM logger in a Pre-populate adapter

    I am having problems getting the logger to show any output from my java code. This same logic works for a scheduled task, but not in a pre-populate adapter. I am even trying to use a logging class that I see is already in the logs.
    Code snippet:
    import com.thortech.util.logging.Logger;
    public class MyPrePop {
        private static Logger logger = Logger.getLogger("XELLERATE.ADAPTERS");
        public String doSomething(String userid) {
            logger.info("Using " + userid);
            return "COMPLETE";
        }
    }
    Any help is greatly appreciated!
    Kerry

    Have you added all the fields you want to prepopulate in the prepopulate tab of the process form, and assigned them the "iPlanet PP String" adapter if you just want to copy the values from OIM to LDAP?

  • Captivate crashes on publishing HTML5 output with a widget that uses "requires" tag in oam.xml

    Has anyone else run into this problem?
    I have an HTML5 widget that depends on certain (small) image files.
    When I try to wrap those image files in the oam.xml file via the <requires> tag, the widget places on the Captivate stage just fine, but Captivate crashes on publish.
    Remove the <requires> elements (but leave the empty tag) and it publishes just fine, but the images don't make it into the published folder.
    Here is the oam.xml file:
    <?xml version="1.0" encoding="UTF-8"?>
    <widget name="PBEAWidget" id="com.iastate.widgets.PBEAWidget"
           spec="0.1b" jsClass='PBEAWidget' sandbox='true' width='180' height='30'
           xmlns="http://openajax.org/metadata">
        <!-- Required tag specifies any external dependencies your widget might have such as images, jQuery etc, see http://helpx.adobe.com/captivate/using/create-wdgt-files.html -->
      <requires>
      <require type="folder" src="assets/images"/>
      </requires>
        <!-- Main widget JS file -->
        <javascript src="js/PBEAWidget.js"/>
        <!-- Properties tag currently not supported -->
        <properties />
        <content type='fragment'>
        <![CDATA[
      <div id="ConnectionDiv" style="display: inline-block; padding: 4px; vertical-align: center">
      <img src="images/lights-02.png" id="statusLight" width="16" height="16" alt="Connection Status" style="position: absolute; left: 0; top: 0; margin-bottom: 2px; cursor: pointer"/>
      </div>
      <div id="FeedbackDiv" style="display: inline-block; padding: 2px 6px 0px 6px; height: 28px; border: solid 1px #fff; border-radius: 6px">
      <img src="images/icons_01.png" id="createFeedback" width="24" height="24" alt="Write Feedback" style="cursor: pointer"/>
      <img src="images/icons_02.png" id="finishFeedback" width="24" height="24" alt="Submit Feedback" style="cursor: pointer" />
      </div>
      <div id="PrintDiv" style="display: inline-block; padding: 3px 6px 0px 6px">
      <img src="images/icons_03.png" id="printCourse" width="24" height="24" alt="Print Course" style="cursor: pointer" />
      </div>
      </div>
      ]]>
        </content>
    </widget>

    Hi
    Can you please forward the file, or share it in a shared location, so that we can look into the issue?
    Thanks,
    Mohana

  • Which architecture do you use for OIM 11g IHM (admin, self service, etc)?

    Hi,
    I would like to know if you use :
    - The native IHM with native extension (Event handlers, prepopulate adapters, etc).
    - Custom tabs in ADF added to OIM.
    - A web application in ADF (war) added to the oim.ear.
    - A J2EE application in ADF which communicates through webservices.
    - A J2EE application in another technology which communicates through webservices.
    - Other architectures.
    And why did you choose this architecture?
    Thank you very much for your replies.
    Regards
    Pierre.

    Note that you can use the internal LDAP that comes with WebLogic for your users and groups if you want.
    When you have multiple domains, you have a problem with this set-up, as the internal LDAP is coupled to
    a specific domain. This means that users you created in one domain are not visible in the other. When using
    a separate LDAP that contains the users, you can configure in each domain an authenticator that points
    to the LDAP. In this way you can share the users across multiple domains.
    When you are planning to use one domain, you can stick with the internal LDAP if you want.
    An example set-up (that uses Access Manager, not Identity Manager) can be found here: http://middlewaremagic.com/weblogic/?p=7819,
    which might help you in how to proceed.

  • Difference Between OIM and OAM

    Once again, apologies for the newbie question, but I am becoming thoroughly confused by Identity Mgmt as a whole.
    I've implemented Single Sign-On for E-Business Suite before (10.1.4.2) and it was straightforward. Now I am confused by all
    the different Identity Mgmt Paths. Can someone explain what the difference is between Oracle Identity Mgmt (10.1.4.3) and Oracle Access Manager ?? Is OAM installed on top of 10.1.4.3 ?? Any information would be helpful.

    Hi,
    There are a number of white papers here:
    http://www.oracle.com/products/middleware/identity-management/resource-library.html
    that will hopefully help to describe the various identity management packages, and which ones should be used depending on requirements. This one:
    http://www.oracle.com/technology/products/id_mgmt/pdf/idm_suite_datasheet.pdf
    has a short description of each of the current products.
    Hope this helps.
    Regards,
    Colin
