OAM 10.1.4.3.0 multidomain SSO
Hi all
I currently need to know whether multi-domain SSO is supported in 10g as it is in 11g.
I work with a client who wishes to implement multi-domain SSO, and I believe that this is supported in 10.1.4.3.0. My understanding is that the session token and ObSSOCookie will be created for each domain, so for example domain 1 would be .domain1.com and domain 2 would be .portal.domain2.com.
I think it is based on a common cookie domain.
My question is whether, once users authenticated to domain 1 access domain 2, the session would break and they would be prompted to log in again, and likewise the other way round.
Thank you very much
Yes Multi domain sso is possible.
A single domain, domain1.com, would act as the authentication domain. This domain is responsible for authentication and is also known as the login domain. Authentication requests from applications in other domains (domain2.com, domain3.com) would come to domain1.com for authentication.
I hope this helps.
Regards
Aakash
Tags: Fusion Middleware
Similar Questions
-
Help with OAM SSO integration
Hi Experts
I'm trying to install and configure OAM 11gR2 to explore the SSO/Federation features with one of the applications (OBIEE, EBiz, Google Apps, or any simple application to start with).
I'm a newbie to OAM, so could you let me know the best way to achieve this and point me to some good posts?...
Is it possible to configure this on a Windows 8 (64-bit) machine with 8 GB RAM?
Thank you
You should first just get OAM installed and test a simple Hello World test application. The things you want to do are quite advanced, so you shouldn't try them until you understand and are comfortable with the basic concepts first; that is to say, learn to crawl, then walk, before you try to run.
Your machine is pretty low spec; you'll be able to do the things in this thread, but for the more advanced things you want to do next you'll need a lot more RAM, and you're better off using Linux (i.e. Oracle/RedHat Linux) than Windows.
-
Headers question with OAM 11gR2 PS3
Hello
We are migrating from OAM 11gR2 to OAM 11gR2 PS3, from Windows to Linux. We installed the new PS3 configuration and migrated all the OAM configuration details. We have user-profile authorization policies for the applications protected by OAM.
But while testing SSO with the applications, I found the questions below:
1. If an attribute is null in LDAP for the user, R2 returns NOT_FOUND, but in PS3 the header shows as null. The application team has logic based on NOT_FOUND only. It is a lot of changes on the application side to check the attribute value for null instead of NOT_FOUND. Is there a workaround for this?
2. We have multi-valued attributes for users in LDAP. In R2 these multi-valued attribute values are separated by a colon (:), but in PS3 they are separated by a comma. I read doc ID 1935703.1 in Metalink, but it allows changing the comma separator. How can this be changed to the colon?
Appreciate your input.
1. That is a very simple change in the code. Any decent programmer should be able to do this fairly easily.
2. Just follow the instructions and where it says ',' replace it with ':'.
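The two behaviour changes in this thread (the "attribute absent" marker changing from NOT_FOUND to the string null, and the multi-value separator changing from ':' to ',') are exactly the kind of thing an application should normalise in one place rather than test for literally everywhere, because a literal compare against the marker text silently stops matching after an upgrade and the marker string can then be mistaken for a real value. The package below is an added example, not code from the thread, from Oracle or from the original poster's application: it wraps header reading for a mod_plsql/APEX application sitting behind a WebGate. The package name, the header names, the CGI-variable naming and the default separator are assumptions.

```plsql
-- Added example (not from the thread): normalise OAM-injected header values so
-- that application logic never sees the release-specific markers directly.
--   * absent attribute: NOT_FOUND on 11gR2, the string null on PS3 -> SQL NULL
--   * multi-valued attribute: ':'-separated on 11gR2, ','-separated on PS3
--     -> the separator is one package setting instead of code scattered around
CREATE OR REPLACE PACKAGE oam_hdr AS
  TYPE vc_tab IS TABLE OF VARCHAR2(4000);

  -- Separator used by the OAM release in front of this application
  -- (':' for 11gR2, ',' for 11gR2 PS3 unless doc 1935703.1 was applied).
  g_sep VARCHAR2(1) := ',';

  FUNCTION normalise(p_raw IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION split(p_raw IN VARCHAR2) RETURN vc_tab;
  FUNCTION has_value(p_raw IN VARCHAR2, p_wanted IN VARCHAR2) RETURN BOOLEAN;
  FUNCTION header(p_name IN VARCHAR2) RETURN VARCHAR2;
END oam_hdr;
/

CREATE OR REPLACE PACKAGE BODY oam_hdr AS

  -- Map every "not present" marker to NULL so no code path can mistake the
  -- marker text for a real attribute value (e.g. a role called 'null').
  FUNCTION normalise(p_raw IN VARCHAR2) RETURN VARCHAR2 IS
    l_val VARCHAR2(4000) := TRIM(p_raw);
  BEGIN
    IF l_val IS NULL OR UPPER(l_val) IN ('NOT_FOUND', 'NULL') THEN
      RETURN NULL;
    END IF;
    RETURN l_val;
  END normalise;

  -- Split a multi-valued header on g_sep; an absent attribute gives an empty table.
  FUNCTION split(p_raw IN VARCHAR2) RETURN vc_tab IS
    l_out vc_tab := vc_tab();
    l_val VARCHAR2(4000) := normalise(p_raw);
    l_pos PLS_INTEGER;
  BEGIN
    WHILE l_val IS NOT NULL LOOP
      l_pos := INSTR(l_val, g_sep);
      l_out.EXTEND;
      IF l_pos = 0 THEN
        l_out(l_out.COUNT) := TRIM(l_val);
        l_val := NULL;
      ELSE
        l_out(l_out.COUNT) := TRIM(SUBSTR(l_val, 1, l_pos - 1));
        l_val := SUBSTR(l_val, l_pos + 1);
      END IF;
    END LOOP;
    RETURN l_out;
  END split;

  -- Exact-match membership test for authorisation decisions on a multi-valued
  -- header such as group names; an absent header never matches anything.
  FUNCTION has_value(p_raw IN VARCHAR2, p_wanted IN VARCHAR2) RETURN BOOLEAN IS
    l_vals vc_tab := split(p_raw);
  BEGIN
    FOR i IN 1 .. l_vals.COUNT LOOP
      IF l_vals(i) = p_wanted THEN
        RETURN TRUE;
      END IF;
    END LOOP;
    RETURN FALSE;
  END has_value;

  -- Read a header injected by WebGate. mod_plsql/APEX expose request headers
  -- through the CGI environment as HTTP_<NAME> with '-' replaced by '_'
  -- (assumed header naming; adjust to the names configured in the OAM policy).
  FUNCTION header(p_name IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN normalise(
      owa_util.get_cgi_env('HTTP_' || UPPER(REPLACE(p_name, '-', '_'))));
  END header;

END oam_hdr;
/

-- Constructed sample values, as the headers would look on each release.
DECLARE
  l_r2  VARCHAR2(100) := 'NOT_FOUND';            -- 11gR2, attribute missing
  l_ps3 VARCHAR2(100) := 'null';                 -- PS3, attribute missing
  l_grp VARCHAR2(100) := 'finance,auditors,hr';  -- PS3 multi-valued groups
BEGIN
  IF oam_hdr.normalise(l_r2) IS NULL AND oam_hdr.normalise(l_ps3) IS NULL THEN
    DBMS_OUTPUT.put_line('missing attribute handled on both releases');
  END IF;
  IF oam_hdr.has_value(l_grp, 'auditors')
     AND NOT oam_hdr.has_value(l_ps3, 'auditors') THEN
    DBMS_OUTPUT.put_line('group membership check OK');
  END IF;
END;
/
```

Any check built on `header()` fails closed: a missing or marker-valued attribute is NULL, so `has_value` returns FALSE and a role comparison is never satisfied by accident. This only holds if the application is reachable solely through the WebGate-protected web server, so that the headers cannot be supplied by the client directly.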
-
Can we change the /oam/server/auth_cred_submit action URL?
Hi all
We are doing DCC authentication in an 11gR2 PS2 environment. We want to change the action URL so that it does not use /oam/server/auth_cred_submit by default but rather a custom URL, say /sso/login/auth_submit.
I tried changing the action URL in the DCC login page and tested it. When I submit the credentials, it shows the login page again. I also configured a proxy on the DCC web server to redirect to /oam/server/auth_cred_submit if the incoming URL is /sso/login/auth_submit, but no luck.
Any help is very appreciated.
Thank you
Mahendra.
Yes it is possible
Step 1: Add action=/sso/login/auth_submit as a challenge parameter in the DCC authentication scheme.
Step 2: Create an OAM policy to protect the URL /sso/login/auth_submit.
Step 3: Change the login form action URL to /sso/login/auth_submit.
Hope this helps
Regards
Aakash
-
I have internal users who authenticate to OAM to access internal applications.
Some of these internal users will then access federated apps where we are the IdP for these sites. Currently my IdP performs authentication against LDAP (the same LDAP server as the OAM server).
As I see it, this will cause the users to authenticate to the IdP again when accessing federated applications even though they are already authenticated to OAM. So I think the IdP should authenticate against OAM and not LDAP. Is this correct?
Correct. If your LDAP and OAM identity store are the same, I would use the "Oracle Access Manager" authentication engine in OIF to redirect all authentications to OAM. This way you can leverage SSO and authorization policies in OAM. You can do the integration via authentication mode or SP mode. The OAM integration guide has more details.
Sunil.
-
Post-authentication check after user authentication using OAM SSO
Hi all
We have recently configured all our Oracle APEX applications with OAM SSO. Authentication works fine, but the problem is that after users log in, we redirect them to different pages of the application based on their user role, which is defined in a database table. This step now fails because we no longer use page 101 for login. We use OAM SSO, which automatically logs users in when they launch the application URL. Please help on how to achieve this functionality. What other options are available?
Previously, I had the process below on page 101, because we used page 101 as the login page for users with LDAP authentication and we redirected users to different pages depending on their role.
DECLARE
  v_role VARCHAR2(30);
  v_page NUMBER;
BEGIN
  -- Look up the role of the user who is logging in; unknown users get no role.
  BEGIN
    SELECT user_role
      INTO v_role
      FROM user_tbl
     WHERE user_id = UPPER(TRIM(:P101_USERNAME));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      v_role := NULL;
  END;

  -- Map the role to the landing page.
  IF v_role = 'ADMIN' OR v_role = 'POWER_ADMIN' THEN
    v_page := 1;
  ELSIF v_role = 'USER' THEN
    v_page := 32;
  ELSE
    v_page := 200;
  END IF;

  -- Clear any stored post-login URL so the page chosen above is used,
  -- then log in and land on that page.
  APEX_UTIL.set_session_state(p_name => 'FSP_AFTER_LOGIN_URL', p_value => NULL);
  wwv_flow_custom_auth_std.login(
    p_uname      => :P101_USERNAME,
    p_password   => :P101_PASSWORD,
    p_session_id => v('APP_SESSION'),
    p_flow_page  => :APP_ID || ':' || v_page);
END;
Thank you
Rami
Hi ragu_s,
ragu_s wrote:
We have recently configured all our Oracle APEX applications with OAM SSO. Authentication works fine, but the problem is that after users log in, we redirect them to different pages of the application based on their user role, which is defined in a database table. This step now fails because we no longer use page 101 for login. We use OAM SSO, which automatically logs users in when they launch the application URL. Please help on how to achieve this functionality. What other options are available?
Previously, I had the process below on page 101, because we used page 101 as the login page for users with LDAP authentication and we redirected users to different pages depending on their role.
The "wwv_flow_custom_auth_std.login" procedure is intended to handle the process of logging in to an application based on the configured authentication scheme. A good way to do this would be to let the user authenticate and land on the application home page, and write a PL/SQL "Before Header" process on the application home page that redirects the user to the appropriate landing page using APEX_UTIL.REDIRECT_URL.
Reference: Re: Re: Branch works not properly
Kind regards
Kiran
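The approach in the answer above, as an added example that is not part of the thread and not code from ragu_s or Kiran: a "Before Header" page process on the application home page that performs the same role-to-page mapping as the old page-101 process, but keyed on :APP_USER rather than a login form item. It assumes the APEX authentication scheme populates :APP_USER from the user asserted by OAM (for example an HTTP Header Variable scheme), that the user_tbl(user_id, user_role) table and page numbers 1/32/200 are as in the thread, and that page 1 is the home page on which the process runs.

```plsql
-- Added example (not from the thread): APEX page process, point "Before Header",
-- on the application home page. Under OAM SSO there is no page-101 login
-- process, so the role-based landing page is chosen here instead.
DECLARE
  l_role user_tbl.user_role%TYPE;
  l_page NUMBER;
BEGIN
  -- :APP_USER is assumed to hold the identity asserted by OAM.
  BEGIN
    SELECT user_role
      INTO l_role
      FROM user_tbl
     WHERE user_id = UPPER(TRIM(:APP_USER));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      l_role := NULL;   -- unknown user: falls through to the default page
  END;

  -- Same mapping as the original page-101 process.
  l_page := CASE
              WHEN l_role IN ('ADMIN', 'POWER_ADMIN') THEN 1
              WHEN l_role = 'USER'                    THEN 32
              ELSE 200
            END;

  -- Redirect only when not already on the target page; a landing page equal
  -- to the home page itself (page 1 here) would otherwise loop forever.
  IF l_page <> TO_NUMBER(:APP_PAGE_ID) THEN
    apex_util.redirect_url(
      p_url => apex_util.prepare_url(
                 'f?p=' || :APP_ID || ':' || l_page || ':' || :APP_SESSION));
  END IF;
END;
```

The redirect is navigation only: a user can still type the URL of another page, so the role restriction itself has to be enforced by an authorization scheme on pages 1, 32 and 200 (and the rest), not by this process.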
-
inlineFrame does not work in JDev 11.1.1.6 after we enable OAM SSO
Hi all
We have a requirement where we need to consume an external page in an ADF page, so we use the af:inlineFrame component. Everything works fine, but after we enabled OAM SSO for the ADF page, the external page does not get rendered in the page.
Can someone provide some guidance on this?
Thank you.
As I said in my first answer: you can put an HTTP proxy between your application and the remote site, point your inlineFrame to the proxy, and delete the X-Frame-Options response header.
Depending on the remote site, you may also need to rewrite the URLs in the response body to target your proxy.
Dario
-
Hi OAM experts,
I read the SSO docs published by Oracle.
I have a few questions:
1. When the user requests a protected resource, WebGate intercepts it and checks isProtected(). Now the query is: is the isProtected() check done at the OAM server engine level, or does WebGate do it (via the OAP protocol)?
2. In the final steps, when the user POSTs the credentials, the OAM server validates them, creates a session and sends the encrypted RESPONSE to WebGate so that WebGate sets the OAMAuthnCookie_host_port cookie. Now the query is: once this is done, what happens exactly? Does WebGate redirect to OAM again for authz, or serve the user the resource?
Thank you
Vijay
Responses as follows:
1. WebGate sends the OAP (IsResrcOpProtected) request to the OAM engine. The OAM engine evaluates the policies to come to a decision. If you enable the OAM server logs at TRACE level, you can see the (IsResrcOpProtected) OAP request/response in the log file.
2. Once the OAM authentication cookie is set, there is a 302 (this is the response to obrar.cgi) and the Location header is set to the originally requested URL. In the next step the browser requests the protected URL and sends the OAM authentication cookie with it. At this point WebGate sends the request to the OAM server for an authorization check (OAP protocol message to the OAM server). If the authorization is successful you will see the protected URL load. If the authorization is denied, you will see the default OAM error page (Oracle Access Manager Operation Error) or a redirect to the URL defined in the authorization failure URL of the policy.
Regards
Aakash
-
OAM 11g SSO: receiving error OAMAGENT-02027 on each login after the first
I'm using the ASDK 11g to connect to an OAM 11g (11.1.1.5) server. We have the server configured and SSO working, and we can see that it works for the first user to log in. However, after that first sign-in, everyone else causes the following exception:
"oracle.security.am.asdk.AccessException: OAMAGENT-02027: Oracle AccessGate API is not initialized."
Whenever we authenticate the user, the following steps are processed:
- Get the session token
- Create a new default AccessClient instance with the given configuration directory and 10g CompatibilityMode [ac = AccessClient.createDefaultInstance(OAM_CONFIGURATION, AccessClient.CompatibilityMode.OAM_10G)];
- Create a new UserSession object with the token and the access client created above
- Get the required information from the UserSession object
- Shut down the AccessClient instance
On the first invocation it runs, and the user is taken to our application after the default login page and is correctly logged in to our system. Every other login errors on the 'create a new UserSession object...' step shown above with the exception above.
Has anyone encountered this error and knows how to fix it? Or has any suggestions about how to determine what the problem is?
Thank you
[EDIT]
Fixed the title; this isn't an OAM 11g server, it's 10g.
Edited by: mBaldwin on 8 March 2013 13:42
The new 11g API differs a lot in terms of how the ASDK is initialized. In 10g you would initialize the ASDK for each application; however, in 11g you just initialize the ASDK once at startup and shut it down once at stop.
-
Hello world!
I configured an OAM (WebGate) + OID + OBIEE + OHS system.
OBIEE is protected via OHS (WebLogic module) and WebGate. It works very well.
OAM authenticates against OID (default user identity store).
The "User Search Base" is the same ("cn=Users,dc=mydomain,dc=com") in the OAM identity store and in the OBIEE OID authentication provider too.
SSO is enabled in OBIEE and suppliers are:
OID (provider that performs authentication LDAP 1.0) JUST
REQUIRED OAM (Oracle Access Manager identity Asserter 1.0) provider
DefaultAuthenticator (WebLogic Authentication Provider 1.0) SUFFICIENT
DefaultIdentityAsserter
IF the "User Name Attribute" is "cn" in the OAM user identity store and the OBIEE OID provider "User Name Attribute" is also "cn" (the default), everything works fine.
But I have to use "orclSAMAccountName" instead of "cn" (in OAM and in the OID provider). And in this case, I have the problem.
The OBIEE OID provider settings are:
All users filter: (& (orclSAMAccountName = *)(objectclass=person))
The user of the name filter: (&(orclSAMAccountName=%u)(objectclass=person)))
Username attribute: orclSAMAccountName
I did a test user:
CN = test
SN = test_sn
orclsamaccountname = test_sama
UID = test_uid
krbprincipalname = test_krb
I can authenticate to OAM with test_sama, but OBIEE says: "You are not logged here: Oracle BI Server."
The BI log shows this:
+ By default (self-adjusting)' > < BISystemUser > <>< 00093dFuR ^ HFW7PMye7i6G00052S000Tt7 > < 1345642607333 > < BEA-000000 > < javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: identity [Security: 090300] Assertion failure: test user does not exist +.
+ oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: [Security: 090300] identity Assertion failure: test user does not exist.
Why does OBIEE search by "cn", and why does it not use "orclsamaccountname"?
Any idea?
Best regards, Jani
Hello Joseph,
This is a known issue in OBIEE 11.1.1.6.0, please see: OBIEE 11.1.1.6 Agent Failed With Error Code: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] The impersonator does not exist in the BI Security Service [ID 1446877.1]
We have configured OBIEE 11.1.1.6 on Linux and use Single Sign-On (SSO) with Windows Native Authentication.
Configured the AD authenticator and selected sAMAccountName instead of CN for the user attribute. SSO in MS license. When trying to access OBIEE Presentation Services we met the error below.
"You are not logged here: Oracle BI Server."
When checking the biserver1 log file, found: [Security:090300] Identity Assertion Failed: User OracleSystemUser does not exist
After applying hotfix 13553428 on top of OBIEE 11.1.1.6.0 we could log in to OBIEE Presentation Services.
It works very well with OBIEE 11.1.1.5.0 and 11.1.1.6.1.
Fixed in OBIEE 11.1.1.6.1: apply Patch 13742915.
If you want to stay on OBIEE 11.1.1.6.0: apply Patch 13553428.
Let me know if this solves the Asserter problem.
Please mark as helpful or answered.
Thank you
SVS
-
Integration of EBS with SSO/OID/OAM
People - I am not sure if this is the right forum to post in.
We run E-Business 12.1 and have enabled SSO using the normal OID/LDAP authentication route against AD from a Linux x86-64 server.
While we run E-Business on Linux on Z, the SSO/OID instance is running on a stand-alone x86-64 Linux server.
My question is this - is SSO being replaced by Oracle Access Manager (11g)?
Also, is the application server being deprecated in favor of WebLogic Server for Forms and Reports in E-Business Suite for future versions?
If I upgrade OID 10.1.4.3 to OAM 11g, does everyone get through the steps successfully?... There is a lot of information available in 1304550.1, 876539.1, 975182.1 and 1286596.1. These documents, however, take you in circles...
Can someone who has just experienced a successful install and integration with E-Business Suite point me in the right direction?
Thank you
My question is this - is SSO being replaced by Oracle Access Manager (11g)?
Migrating Oracle Single Sign-On 10g (10.1.4.3) to Oracle Access Manager 11gR1 with Oracle E-Business Suite [ID 1304550.1]
Step by step procedure to integrate E-Business Suite with Oracle Access Manager [ID 832456.1]
Integrating Oracle E-Business Suite with Oracle Access Manager 11g using Oracle E-Business Suite AccessGate [ID 1309013.1] .. I see that you already have the docs referenced in your post!
Also, is the application server being deprecated in favor of WebLogic Server for Forms and Reports in E-Business Suite for future versions?
Glimpses of E-Business Suite 12.2: WebLogic Server and Online Patching
http://blogs.Oracle.com/stevenChan/entry/glimpses_of_e_business_suite
If I upgrade OID 10.1.4.3 to OAM 11g, does everyone get through the steps successfully?... There is a lot of information available in 1304550.1, 876539.1, 975182.1 and 1286596.1. These documents, however, take you in circles...
Can someone who has just experienced a successful install and integration with E-Business Suite point me in the right direction?
You already have the docs - I have nothing further to add myself.
Thank you
Hussein -
How to propagate OID error messages to the OAM SSO login page
Hello
I set up OAM with OID as the data store. I have a password policy in OID such that if the user enters a bad password more than 3 times, the account is locked for a specified interval. I would like to know how to tell the user (via the SSO login page) that
(a) he entered a wrong password / authentication failure
(b) the account is locked
Thank you
Joe
You can create an authfailure.html page that displays an "invalid username or password" message along with the login page, and list this URL under the authorized redirect URLs in the policy domain. In addition, set the form-based challenge redirect URL in the authentication scheme to http://webserverhostname:port
-
OAM SSO Access Manager solution is unable to open docs and PDFs
Hello
I created an SSO solution like this.
OAM against AD, running on Windows (Server A). WebPass is on IIS.
The application I am protecting is a WebLogic 10.0 application on Windows (Server B).
I also installed the WebGate on Server B running on Apache 2.0, and the installation was done by following the documentation for WebLogic SSO
(This is to make the application reachable directly via port 80 with an Apache redirect)
The SSO works fine.
But I have a problem on IE6.
When the application attempts to open documents to view in MS Word or in PDF format for printing, the document does not open; I get a "file not found" exception in the browser and the URL to get the document seems very long. (The gray popup)
When I open the application in IE8, it works very well and the URL to get the document seems short (just the docID).
(The application is currently only compatible with IE6; running it in IE8 will cause other problems)
I cannot find error messages in any of the logs.
If I run the exact same application without SSO it works fine in both IE8 and IE6.
Regards
Tine
Hi Tine,
I don't know what the problem is, but try setting CachePragmaHeader and CacheControlHeader to 'public' in the WebGate (in the Access System Console) to see if that helps.
Kind regards
Colin
-
OAM 11g - OAM-02073 trying to SSO
Hello people, I am upgrading an OSSO 10g environment to OAM 11g 11.1.2.0.0 and trying to configure single sign-on using OSSO agents.
After configuring the agent, transferring the osso.conf file to the OAS and bouncing it, I can get the OAS server to redirect to OAM, but instead of the login page I get
"
Error
System error. Please try your action again. If you continue to receive this error, please contact the administrator."
When looking at the logs I see the error:
"
< 28 October 2013 15:10:21 CEST > < WARNING > < oracle.oam.binding > < BEA-000000 > < OAM-02073 >
< 28 October 2013 15:11:02 CEST > < WARNING > < oracle.oam.controller > < OAM-02073 > < error while checking whether or not the resource is protected. >
"
Any ideas on how to solve this problem?
Thank you in advance,
André
Found the answer. The HTTP server name was misspelled in the host identifier.
-
Login errors on an SSO migrated from 10g to OAM 11.1.1.5.0 BP2
After having successfully migrated an OSSO 10g environment using the upgrade wizard in OAM 11g, when trying to log in to OIDDAS I got the OAM login page with the message:
"System error. Please try your action again. If you continue to receive this error, contact the administrator."
In the oam_server log I found:
< 9 March 2012 15:11:45 ART > < error > < oracle.oam.binding > < OAM-00002 > < error occurred during the processing of the request.
oracle.security.am.common.utilities.exception.AmRuntimeException: event flow controller: not configured to handle the event: check_request_creds
at oracle.security.am.controller.events.AbstractEventFlowController.getNextEvent(AbstractEventFlowController.java:92)
at oracle.security.am.controller.MasterController.getNextEvent(MasterController.java:229)
at oracle.security.am.controller.MasterController.processEvent(MasterController.java:587)
at oracle.security.am.controller.MasterController.processRequest(MasterController.java:757)
at oracle.security.am.controller.MasterController.process(MasterController.java:680)
at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLFlowManager.java:209)
at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:147)
at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:107)
at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServlet.java:169)
at oracle.security.am.pbl.transport.http.AMServlet.doPost(AMServlet.java:134)
at oracle.security.am.pbl.transport.http.AMServlet.doGet(AMServlet.java:684)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
It seems that you may be hitting a bug in OAM 11.1.1.5.2 where there was a typographical error in oam-config.xml. Follow these steps:
1. Save a backup of your /config/fmwconfig/oam-config.xml
2. Edit oam-config.xml, then locate the following line (line 2317 in the oam-config.xml I downloaded):
cred_collect and change the name check_request_creds.fail as shown below:
cred_collect
3. Restart the managed server and retry your login.
Thank you
(credit to robert)