Integration of OAM (11.1.2.0.0) with the OIF (11.1.1.2.0) and the Protection of resources

Hi Oracle community!  It's my first post here on the forums, so please bear with me.

I have a question about the integration between OIF, acting as an IdP, and OAM as the authentication engine.  I'll start with our setup and the way we protect resources, and then finally deliver my ultimate question.

First things first:

We use OIF 11.1.1.2.0 and OAM 11.1.2.0.0 (looking at upgrading OAM/OIF soon to 11.1.2 patch set 2, so we get the full-blown OIF in the OAM package and not only the MS part).

I was essentially self-taught in the integration of the products and did the best that I could.  We have full-blown federations running in production now, so we know that we are doing something right.  I won't say that what we have done is the perfect solution, but it reflects how we understood the products to interact and work at the time.

We have OIF, acting as an IdP (without SP yet), configured to use OAM as our authentication engine.  According to the documentation we read through, with this configuration, when OIF receives a request to start the federation process (/fed/IDP/initiatesso?providerid=XXXXXX), it sees that the user is not authenticated and forwards to the authentication engine.  In our case, this means that the request is forwarded to an internal flow in OIF (/fed/user/authnoam11g) which passes through the webgate, which then checks with OAM whether it is a protected resource or not.  In OAM, we defined a resource to protect /fed/user/authnoam11g, so OAM picks it up and authenticates the user via the policy scheme, etc.  Once that ends, it goes back to OIF to finish the assertion.

Keep in mind, I'm aware that a lot more is going on in the process, but this is the main piece that will be the basis of my question.

So, as stated above, we have a single protected policy for all federations from OIF, since "out of the box" OIF doesn't have several URL structures that it will send to OAM based on the service provider being accessed.  For me, this is a small problem because I want to perform specific authorization checks in OAM based on the providerid that was requested from OIF.  OIF, as far as I know, completely strips the original URL that was requested and its query parameters (for example providerid), which means that I have little or no information from the initial request for any robust condition checks in the OAM policies.

My question to the community would be:

Is it possible for the OIF headers or query string parameters to be passed to OAM via header variables/session variables/etc. and then be accessible through OAM authorization conditions to do solid checks in order to allow/deny access based on rules?

A small example:

I am a customer who asks the following Federation on OIF:

  1. https://oifhost/fed/IDP/initiatesso?ProviderID=partnerAlias OR https://oifhost/fed/IDP/samlv20 <- the samlv20 request would include an authentication request with the right provider
  2. OIF receives the request and begins processing and creating the SAML assertion.  It determines that the user is not authenticated, so OIF forwards to the authentication engine.
  3. OIF forwards to https://oifhost/fed/user/authnoam11g
  4. OAM protects the URL "/fed/user/authnoam11g" to perform the authentication/authorization.
  5. At the point of authorization, I want to build conditions that basically look for the "providerid" in the initial request to run specific allow/deny rules.  Currently, this is not possible as far as I know, and that's what I want to find out.
  6. Once authentication/authorization is done, OAM returns the request to OIF, where it finishes the SAML flow and sends the assertion to MS.

In step 5, I would need a mechanism to find the providerid (value of the header, cookie, session, etc.)

I posted this same question on another Oracle blog and received a reply that what I want to do is not supported with the current configuration.  In order for me to get the desired result, I need to upgrade to patch set 2 of OAM with the fully integrated OIF.

See response to blog here:

https://blogs.Oracle.com/dcarru/entry/authorization_in_oif_idp#comments

Tags: Fusion Middleware

Similar Questions

  • Integration with the PIX IDS firewall

    I read the Release Notes for Cisco Intrusion Detection System Sensor Version 3.0(1)S4 and came across the new features of this version; it claims integration with the PIX firewall.

    How do you implement this? What kind of integration does it offer?

    Instructions for the sensor and the basic configuration of PIX can be found here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid23

    Instructions for sensor and PIX SSH configuration can be found here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13870_01.htm#xtocid16

    You can configure the sensor to connect to the PIX via telnet when using the PIX inside interface; otherwise you have to use SSH. SSH with 3DES encryption is supported in version 3.0 or later sensors for connections to the PIX.

    Warning: If you use telnet with PIX version 6.2.1 or later, or if you want to use SSH with encryption on any PIX, you need a patch for your sensor. If so, open a TAC case and request the latest engineering version of nr.managed. Reference [email protected] for any question.

  • Serving AVDF 12.1.2 integrated with the package DBMS_AUDIT_MGMT allowing the automation of audit records

    I have a question about this part of the Audit Vault and Database Firewall Administrator's Guide Release 12.1.2 documentation:

    -Start quote-

    Scheduling an Automated Purge Job

    Oracle AVDF is integrated with the DBMS_AUDIT_MGMT package on an Oracle database. This integration automates the purge of audit records from the AUD$ and FGA_LOG$ tables and from the operating system .aud and .xml files after they have been successfully inserted into the Audit Vault Server repository.

    Once the purge is complete, the Audit Vault Agent automatically sets a timestamp on the audit data that has been collected. Therefore, you must set the USE_LAST_ARCH_TIMESTAMP property to true to ensure that the right set of audit records is purged. You don't need to manually set a purge job interval.

    -Extract-

    According to the documentation above, how AVDF brings integration resulting in automation?

    Hello

    When you configure an audit trail in the AV server, say an AUD$ table trail, once it collects the audit data it automatically sets the last archive timestamp on the secured target database (you can check it in the DBA_AUDIT_MGMT_LAST_ARCH_TS view).

    However, the trail (or the AV server itself) does not purge the audit data already collected.

    You have to clean up this data with the DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL procedure. Example for the AUD$ table only:

    BEGIN
      -- Purge only the AUD$ records older than the last archive timestamp
      DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
        audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
        use_last_arch_timestamp => TRUE);
    END;
    /

    You can simply run this procedure via a job, depending on how often and at what time you want to clean up audit records. You don't need to worry about the last archive timestamp.

  • Integration of apex EBS with the APPS schema

    Hello

    I'm an APEX developer with no experience of EBS, but I took on a project to review the current setup where APEX and EBS are integrated. The first thing that I found is that 40+ APEX applications all use the EBS 'APPS' schema as the workspace parsing schema, which, as I read in the Oracle white paper of March 2015 on 'Extending Oracle E-Business Suite Release 12.1 and above using APEX', is a big no! Below are the details of the environment. In addition, they use the Embedded PL/SQL Gateway, which, again, looks like the less favored approach, and an APEX Listener on (Glassfish?) should be used.

    So my question is... what would be the best approach? Should I change all the existing applications to use a newly created APEX parsing schema, for example APEX_EBS_EXTENSION, and then create views and grants to it so it can access the EBS data? Do I do this manually through all the applications, looking at each piece of code? This seems a very unpleasant approach. Should we move away from the embedded gateway? Any guidance would be appreciated.

    The task that was initially given to me was to manage the upgrade of the APEX schema in the database to APEX 5, regression test all existing applications and create new applications using the Universal Theme, but I want to get the house in order before the upgrade.

    Environment

    E-Business Suite Release 12.1.3

    Apex 4.1.0.00.32

    Oracle Database 11 g Enterprise Edition Release 11.2.0.3.0 - 64 bit Production

    IBM/AIX RISC System/6000: Version 11.2.0.3.0 - Production

    Hi AndyLou,

    AndyLou wrote:

    I'm an APEX developer with no experience of EBS, but I took on a project to review the current setup where APEX and EBS are integrated. The first thing that I found is that 40+ APEX applications all use the EBS 'APPS' schema as the workspace parsing schema, which, as I read in the Oracle white paper of March 2015 on 'Extending Oracle E-Business Suite Release 12.1 and above using APEX', is a big no! Below are the details of the environment. In addition, they use the Embedded PL/SQL Gateway, which, again, looks like the less favored approach, and an APEX Listener on (Glassfish?) should be used.

    Yes. Oracle REST Data Services (ORDS) (formerly known as the APEX Listener) deployed on a supported Java EE application server is a better/best option for Oracle APEX than the EPG web listener option.

    Reference: https://docs.oracle.com/cd/E59726_01/install.50/e39144/overview.htm#HTMIG29325

    Learn about the considerations when using EPG (Embedded PL/SQL Gateway) as the web listener with Oracle APEX.

    Reference: https://docs.oracle.com/cd/E59726_01/install.50/e39144/overview.htm#HTMIG29140

    So my question is... what would be the best approach? Should I change all the existing applications to use a newly created APEX parsing schema, for example APEX_EBS_EXTENSION, and then create views and grants to it so it can access the EBS data? Do I do this manually through all the applications, looking at each piece of code? This seems a very unpleasant approach. Should we move away from the embedded gateway? Any guidance would be appreciated.

    Yes. You must move away from EPG to a better option.

    The task that was initially given to me was to manage the upgrade of the APEX schema in the database to APEX 5, regression test all existing applications and create new applications using the Universal Theme, but I want to get the house in order before the upgrade.

    Environment

    You should upgrade Oracle APEX from 4.1 to 5.x with the existing architecture first. Regression test your applications to remove any errors introduced by the upgrade. Then kick off a new project to migrate your applications to the Universal Theme.

    Reference:

    After the upgrade, when all the dust from the upgrade settles, you can consider changing your architecture and the parsing schema for your APEX applications according to the white papers issued by Oracle:

    Kind regards

    Kiran

  • Need help on PSP with the JDE ERP integration

    Hello

    We need to implement accounting processes with JDE using FIP Solution accelerator providers.

    It seems that Oracle does not provide this integration, please someone implemented, can provide some details will be highly appreciated.

    You can go forward with the consultation.

    But if you look at the base or FIPSA solution accelerator, these are all business processes that can be built easily internal either using BPMN or BPEL.

    I have provided details taking point of FIPSA for EBS you mentioned that oracle provide for that.

    Leave that all behind, go build your own set of BPEL/BPMN process to expedite the process of AP/expense in your organization.

    Even the adapter for JDE development is very simple as it seems.

    If you decide to go forward in the internal system I can help you in all aspects or ODC/RPO/IPM/UCM/BPMN/BPEL/JDE/EBS/TFTP.

  • With the help of Cloud Connector to replace the native integration of SFDC of Eloqua

    I was discussing an idea today and I want to run it by the community here to get feedback and validation.

    We have a customer who wants to integrate their Eloqua instance with a CRM unsupported by Eloqua.

    The customer likes the idea and the logic of Program Builder and wants to copy the programs that come by default with any Eloqua instance for integration with SFDC.

    The client will build a service bus to manage the integration between their CRM and Eloqua.

    The question here is: can the program steps be changed to call their internal service bus using the cloud connector (ExternalService) instead of calling the native SFDC integration event calls?

    I assume here they will build different methods in their bus server to manage creating leads and contacts and updating leads and contacts, similar to the integration event calls.

    Also, here I'm not talking about the auto-synch functionality; I just need to check this concept and see if anyone has already implemented it before or not.

    Also, if anyone has problems with it let me know I would like to cover all the bases before going with this idea.

    I think that theoretically it should work without any problems and it is a big plus to take advantage of the use of the program generator to control the flow of the integration logic.

    Kind regards

    Nader

    The question you ask is:

    Can I use generator program and custom integrations to CRM cloud connectors.  Effectively, you need to replace the native integration API steps with no cloud to your program/middleware.

    The quick answer is yes.   The things to know are the number of steps (the API has a hard limit of 5 simultaneous connections) and the number of API calls.   You would want to analyze the frequency and volume of lead and contact updates to the CRM in order to determine whether it is the right solution.  Based on the frequency and the volume, you may need the business logic to live outside of Eloqua.  Using a middleware product like Informatica allows you to build it in a workflow environment and lets you use the DTS WSDL (E9), which allows a high volume of records.

    Cheers, Aaron.

  • Animate cc, the police is both by default when you change the size of the text field. Have integrated a font with the name prjFnt... but once I have change the rating in the design view of the prjFnt goes to the new roman times... what a mistake... don't

    Animate cc, the police is both by default when you change the size of the text field. Have integrated a font with the name prjFnt... but once I have change the rating in the design view of the prjFnt goes to the new roman times... what a mistake... don't have we not no matter what patch

    This problem has been fixed in the latest update to animate CC.

    You can update to Animate CC 15.1.0.1.13 using the Creative Cloud app or via the Help menu > Updates.

  • Discoverer 11.1.1.7.0 against 12.1.3 with OAM 11.1.2 EBS to request the password for the user with Ondaaah

    Hello

    Oracle has not been able to help me get this working; 2 SRs open for weeks and no good answer.  They referred me to the people at onlinappsdba and various other public Internet sites.  We run EBS 12.1.3 and Disco 11.1.1.7.0 with 10g SSO and Ondaaah and SSL.  That works very well; the user's identity is established through Ondaaah on our corporate network, with zero sign-on.  I'm replacing 10g SSO with OAM 11.1.2.  OAM/OID works very well for EBS and OBIEE, always zero sign-on, with OID 11.1.1.7.0 and the AccessGate piece (and a webgate for both).  (Too many servers to support SSO in my view; if something goes wrong, too many places to look.)  For Disco, I created the osso.conf in OAM 11.1.2, installed it in a folder on the Disco server and bounced Disco.  This works OK if the authentication method in OAM is forms-based authentication, with OAM prompting the user to sign on, and OID then passing the user name and password through to Active Directory; the Disco connection page prompts for the user name and then gives access to workbooks.  No prompt for password clubbing.  But when I try to enable Ondaaah as the authentication method in OAM, Discoverer first prompts in the "Oracle Applications" connection for a user name and the EUL.  But Disco then prompts the user for a password, which no longer exists in fnd_user because authentication is external.  Connections fail.  I am also unable to create a private connection; that Disco dialog box also prompts for a user password.  At the Disco login page, the user session went to OAM and did authenticate successfully via Ondaaah.  I can tell from tracing the session through Fiddler.  It is passed on to Disco, but Disco is missing something and prompts for a password.  OAM Support at Oracle seems to think that OAM is not sending the cookie to Discoverer, although I'm not sure.

    First of all, Ondaaah with Disco should work with OAM, right?  Any thoughts on what might be missing?  I went through the MOS notes a few times, closely followed the tutorial onlinappsdba on it.

    Thank you very much.

    Tom

    The fix is described in Note 1616228.1, a problem with mod_osso and custom authentication plugins.  Disco can work very well with zero sign-on and OAM.

  • Impossible to install a security update on Acrobat Reader DC because the previous version of the product has been installed with the package integrated MSP

    Hi all.

    I'm trying to install update 15.010.20056 on version 15.009.20079 of Acrobat Reader DC, which was installed as an integrated package (with the updates included) in our corporate environment. During the installation, I get these errors: 1328 and 1603. If I uninstall the current version of MS, install version 2015.007.20033 (the most recent on the Adobe site) and then install the security update, everything goes very well. How do I solve this problem?

    I assume that you installed 15.009.20079 by AIP. If that is the case, then you won't be able to patch this AIP installation to 15.010.20056.

    Installations made using setup.exe, on the other hand, can be updated to the latest version by only applying the patch. Please refer to Re: AcroRdrDC1501020056 msp and msi as always ~ ~ for more details.

    If you have not used of AIP, please let us know so that we can continue.

  • Control edge file animate OAM with the buttons play/pause of Captivate on the skin.

    Hello world

    I worked on a project where I mix a variety of objects and animations.  I do animations animate on board.  The problem I have is that when the user clicks the button pause on the Captivate playback controls, the oam file do not pause.  I found descriptions of how I can make an animation to play/pause the Captivate timeline button on board, but I can't find anything on the use of the Captivate pause button to control the Edge file animate.  Discussions only that I managed to find on that seem to be the answer.  Someone had a bit of luck with this question?

    Any advice would be appreciated.

    Thank you

    Randy

    OK, it's a bit hacky, but it works to control the main timeline object in an Edge file from Cap, where the Edge file has been imported into Cap 9 as a Web (oam) object. I went looking for the same answers as you and came up empty, then started to tinker myself and came across the following method.

    Let's use window.postMessage to send a string between the Cap document window and the Edge iframe document window, then react accordingly. You can learn more about postMessage in the accepted answer here: http://stackoverflow.com/questions/3076414/ways-to-circumvent-the-same-origin-policy

    In your Edge file, click the Actions bracket for the Stage object in the timeline and select the compositionReady event. Paste this code into the text window:

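    // addEventListener for Chrome, attachEvent for IE
    // (guarded so that the missing method does not throw in either browser)
    if (window.addEventListener) {
      window.addEventListener('message', receivedFromCaptivate, false);
    } else if (window.attachEvent) {
      window.attachEvent('onmessage', receivedFromCaptivate);
    }

    // React to the string posted from the Captivate window
    function receivedFromCaptivate(event) {
      switch (event.data) {
        case "play":
          sym.play();
          break;
        case "pause":
          sym.stop();
          break;
      }
    }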

    Save the file and publish it as an oam, then import the OAM into a Cap slide, as you normally would. Now, to set things up in Cap. Here is a visual aid for the rest of the explanation...

    In the Cap file, select the control that you use to start playing the Edge timeline (in the example above, "slide4Play"), select the 'Use as button' checkbox in the properties on the right, select the "Actions" tab, then in the 'On Success' drop-down list choose "Execute Advanced Actions". Click the folder next to the Script selection control and the Advanced Actions dialog box should appear. Name your action something (for example, "playEdgeSlide4"), then click 'Add' in the grey bar to add a new action to the queue. In the "Select Action..." drop-down, choose "Execute JavaScript". In the "Select Window..." drop-down, choose "Current". Then click the 'Script_Window' button to bring up Cap's JavaScript text window. In this window, you can paste this:

    try {
      // Send "play" to the Edge composition inside the first iframe on the slide
      $("iframe")[0].contentWindow.postMessage("play", "*");
    } catch (e) {
      console.log(e.message);
    }

    Select 'OK' to close Cap's JavaScript text window, then click the 'Update Action' button to save your new action. Now let's do the same for the pause action: select the control that you use to pause, go through the steps above, name the action, set up the advanced action in the same way and, in Cap's JavaScript text window, paste the following text:

    try {
      // Send "pause" to the Edge composition inside the first iframe on the slide
      $("iframe")[0].contentWindow.postMessage("pause", "*");
    } catch (e) {
      console.log(e.message);
    }

    Cap embeds the Edge file in an iframe on the page, which has its own document window. In order to communicate between the base Cap window and the iframe window, we use the postMessage call. So when you hit your Pause/Play button in Cap, it posts an event to the function that was registered in the Edge iframe. And event.data holds the string we sent above from the base Cap window in the postMessage call ('play' or 'pause'). We use a simple switch to react to the data string and stop or play the main Stage symbol in Edge (sym.play(1000) (), sym.stop ()).

    I hope this helps!
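An added example, not part of the original answer: the snippets above post with a `"*"` target origin and the handler acts on a message from any window, so this version checks `event.origin`, `event.source` and the command string before touching the timeline. `TRUSTED_ORIGIN`, `makeReceiver`, `sendCommand` and the stub symbol in `demo` are assumptions made for illustration.

```javascript
'use strict';

// Assumption: origin that serves the Captivate page hosting the Edge iframe.
// Replace this placeholder with the real origin of your published course.
const TRUSTED_ORIGIN = 'https://training.example.com';

// The only strings allowed to reach the timeline, mapped to what they do.
const COMMANDS = {
  play: (sym) => sym.play(),
  pause: (sym) => sym.stop(),
};

function isCommand(data) {
  // hasOwnProperty keeps inherited keys such as "constructor" from matching.
  return typeof data === 'string' &&
    Object.prototype.hasOwnProperty.call(COMMANDS, data);
}

// Edge Animate side: build the 'message' handler.
//   sym            - the composition's stage symbol
//   trustedOrigin  - origin the parent (Captivate) page is served from
//   expectedSource - the only window allowed to send commands (window.parent)
//   log            - callback that receives a note for every rejected message
function makeReceiver(sym, trustedOrigin, expectedSource, log) {
  return function receivedFromCaptivate(event) {
    if (event.origin !== trustedOrigin) {
      log('dropped message from origin ' + event.origin);
      return 'rejected-origin';
    }
    if (event.source !== expectedSource) {
      log('dropped message from unexpected window');
      return 'rejected-source';
    }
    if (!isCommand(event.data)) {
      log('dropped unknown command');
      return 'rejected-command';
    }
    COMMANDS[event.data](sym);
    return 'handled:' + event.data;
  };
}

// Captivate side: post to the iframe with an explicit target origin, not "*".
function sendCommand(frameWindow, command, targetOrigin) {
  if (!isCommand(command)) {
    throw new Error('unknown command: ' + command);
  }
  frameWindow.postMessage(command, targetOrigin);
}

// Browser wiring for the compositionReady handler; skipped outside a browser.
if (typeof window !== 'undefined' && typeof sym !== 'undefined') {
  window.addEventListener('message',
    makeReceiver(sym, TRUSTED_ORIGIN, window.parent, console.warn), false);
}

// Constructed events that exercise every branch of the receiver.
function demo() {
  const calls = [];
  const fakeSym = { play: () => calls.push('play'), stop: () => calls.push('stop') };
  const parentWin = {}; // stands in for window.parent
  const rx = makeReceiver(fakeSym, TRUSTED_ORIGIN, parentWin, () => {});
  const results = [
    rx({ origin: TRUSTED_ORIGIN, source: parentWin, data: 'play' }),
    rx({ origin: TRUSTED_ORIGIN, source: parentWin, data: 'pause' }),
    rx({ origin: 'https://other.example.net', source: parentWin, data: 'play' }),
    rx({ origin: TRUSTED_ORIGIN, source: {}, data: 'play' }),
    rx({ origin: TRUSTED_ORIGIN, source: parentWin, data: 'constructor' }),
    rx({ origin: TRUSTED_ORIGIN, source: parentWin, data: { cmd: 'play' } }),
  ];
  return { results, calls };
}

// Outside a browser (for example under Node), show the constructed run.
if (typeof window === 'undefined') {
  console.log(demo());
}
```

On the Captivate side the call becomes `sendCommand($("iframe")[0].contentWindow, "pause", TRUSTED_ORIGIN)`, with the origin set to wherever the OAM content is actually served from.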

  • better integration with the Mavericks. Still a problem with the display of the menu bar spaces when moved

    Much better integration with the OSX mavericks on the latest version. Without a doubt ahead of Parallels in terms of dual display/full screen. The menu bar has been resolved, but there is a ghost menu bar that appears when you move one space (fullscreen vm) from one monitor to the other. It resembles a translucent bar on top and without words. But clicking on it shows menus as if it is supposed to be links there.

    Yes, it is a known problem with the Mavericks Developer Preview; We work closely with Apple to find a solution. So far, we have seen only with the restoration of the window or when you move the window between monitors - if you leave full screen and enter again, it should work fine. If you notice any others, please let us know.

  • What I need to buy other products such as CC Photoshop and Lightroom for them to be integrated with creative cloud? Or do I have to understand that the versions of these products are delivered with the purchase of 9.99?

    What I need to buy other products such as CC Photoshop and Lightroom for them to be integrated with creative cloud? Or do I have to understand that the versions of these products are delivered with the purchase of 9.99?

    TC III

    The $9.99 rate is only for Photoshop and Lightroom. The entire Collection of CC is $ 49.99 per month.

  • I look integrated in the block of the legend of slide show, a widget like "Accordion" for, with one click, or by the way with the mouse, open a new caption for each photo. I tried with 'Accordion' Muse, it does not work. I haven't tried to copy and paste,

    Issue.

    I look integrated in the block of the legend of slide show, a widget like "Accordion" for, with one click, or by the way with the mouse, open a new caption for each photo. I tried with 'Accordion' Muse, it does not work. I haven't tried to copy and paste, but no result. The widget disappear into the legend of block. disappear. Do you have a solution?

    Thank you

    Loïc

    Accordion Panel tabs should, with click and open the container.

    Please provide the url of the site where it does not, also if you can provide an example where we can see the exact action, then it would help us.

    Thank you

    Sanjit

  • Problem in starting integration service with the DAC / 11g

    Hi friends,

    I'm at the stage of registering the integration service and the repository service in DAC 11g. I can start the repository service fine in DAC, but I'm facing an issue starting the integration service with DAC; while trying to test the connection I'm getting a message like

    Failure connecting to BIA_IS!

    I'm not sure the reason for this problem in the DAC. I have also set the necessary environment variables such as INFA_HOME and INFA_DOMAINS_FILE on the domains.infa as file

    INFA_DOMAINS_FILE = C:\Informatica\9.1.0\domains.infa

    Also checked with the file dac_env which has the content below

    REM -----------------------------------------------------
    REM
    REM ENVIRONMENT VARIABLES THAT YOU MAY HAVE TO SET FOR A
    REM PROPER INFORMATICA 8.x or 9.x HANDSHAKE.
    REM
    REM INFORMATICA_SERVER_LOCATION refers to the installation of
    REM Informatica components. Example:
    REM C:\Informatica\PowerCenter9.1
    REM
    REM DOMAINS_INFA_FILE_LOCATION designates the location
    REM (including the name) of the file domains.infa
    REM
    REM please make sure to set the correct values for the variables
    REM mentioned above
    REM
    REM -----------------------------------------------------

    set INFORMATICA_SERVER_LOCATION="C:\Informatica\9.1.0"
    set DOMAINS_INFA_FILE_LOCATION=C:\Informatica\9.1.0\domains.infa

    set INFA_CMD_STYLE=8
    set PATH=C:\Informatica\9.1.0\server\bin;%PATH%
    set INFA_DOMAINS_FILE=%DOMAINS_INFA_FILE_LOCATION%

    What could be the problem, and where can I check the log file related to the integration service failure in DAC?

    Thanks in advance.

    Kind regards

    Saro

    Hi guys,.

    The problem is solved. Here are two precautions to take into account.

    *) Make sure INFA_HOME/server/bin is at the end of the PATH variable.

    *) After each change to the PATH variable, it is best to restart the services (infa and DAC) for the changes to take effect.

    Kind regards

    Saro

  • can we use OID 11 GR 1 material with the OAM/OIM 11 g 2

    Hello
    I install IdM 11 GR 2. As OID is not equipped with this pack. so can we use/install the OID that comes with the IdM 11 GR 1 material.

    Or is there another option, such as OUD?

    We can integrate the OUD 11 GR 2 with the OIM/OAM 11 g 2 to manage users/groups. ? If so, please share any document for it.

    Please suggest the best option because we learn OIM/OIM 11 GR 2.

    Thank you
    Harry

    Published by: Harry-Harry on January 28, 2013 12:59 AM

    Published by: Harry-Harry on January 28, 2013 01:10

    Hello
    OID 11.1.1.5.0 + can support IDM11gR2. Please see the matrix below IDM products certification.

    http://www.Oracle.com/technetwork/middleware/ID-Mgmt/identity-accessmgmt-11gr2certmatrix-1714221.xls

    Kind regards
    Kishore
