OAM 10.1.4.3.0 multidomain SSO

Hi all

I need to know whether multi-domain SSO is supported in 10g as it is in 11g.

I work with a client who wishes to implement multi-domain SSO, and I believe that this is supported in 10.1.4.3.0. My understanding is that the session token and ObSSOCookie will be created for each domain, so for example domain 1 would be .domain1.com and domain 2 would be .portal.domain2.com.

I think it is based on a common cookie domain.

My question is that users authenticated to the domain 1 once the sale related to the field of access 2 standards body would break and therefore be invited to log back in and even the opposite effect.

Thank you very much

Yes Multi domain sso is possible.

A single domain, domain1.com, would act as the authentication domain. This domain is responsible for authentication, also known as the farm of connection. Applications in the other domains (domain2.com, domain3.com) would come to domain1.com for authentication.

I hope this helps.

Regards

Aakash

Tags: Fusion Middleware

Similar Questions

  • Help for the integration of the OAM SSO

    Hi Experts

    I'm trying to install and configure OAM 11g R2 to explore SSO/Federation features with one of the applications (OBIEE, Ebiz, Google Apps, or any simple application to start with).

    I'm a newbie to OAM; could you let me know the best way to achieve this and point me to some good posts?...

    Is it possible to configure this on a Windows 8 (64-bit) machine with 8 GB RAM?

    Thank you

    You should try to just get OAM installed first and test it with a simple Hello World test application. The things you want to do are quite advanced, so you shouldn't try them until you understand and are comfortable with the basic concepts; that is to say, learn to crawl, then walk, before you try to run.

    Your machine is pretty low spec, you'll be able to do things based on this topic, but for the more advanced things, you want to do next, you'll need a lot more RAM, and you're better off using Linux (IE Oracle/RedHat linux) than Windows.

  • Headers with OAM 11 GR 2 PS3 question

    Hello

    We are migrating from OAM 11g R2 to OAM 11g R2 PS3, from Windows to Linux. We installed the new PS3 configuration and migrated all the OAM configuration details. We have user profile attributes in the authorization policies for applications protected by OAM.

    But while testing SSO with the applications, I found the issues below:

    1. If any attribute is null in LDAP for the user, R2 returns NOT_FOUND, but PS3 sends the header as null. The application team has logic based on NOT_FOUND only. Changing the apps to check the attribute value for null instead of NOT_FOUND means a lot of changes. Is there a workaround for this?

    2. We have multivalued attributes for users in LDAP. In R2, the multivalued attribute values are separated by a colon (:), but in PS3 they are separated by a comma. I read Doc ID 1935703.1 in Metalink, but it allows changing the comma separator. How can this be changed to the colon?

    Enjoy your entries.

    1. that is a very simple change in coding. Any decent programmer should be able to do this fairly easily.

    2. just follow the instruction and where it says ',' replace with ': '.

  • Can we change/oam/server/auth_cred_submit action URL?

    Hi all

    We use DCC authentication in an 11g R2 PS2 environment. We wanted to change the action URL so that it does not use the default /oam/server/auth_cred_submit but a specific custom URL instead, say /sso/login/auth_submit.

    I tried changing the action URL in the DCC login page and tested it. When I submit the credentials, it shows the login page again. I also configured the proxy on the DCC web server to redirect to /oam/server/auth_cred_submit if the incoming URL is /sso/login/auth_submit, but no luck.

    Any help is very appreciated.

    Thank you

    Mahendra.

    Yes it is possible

    Step 1: Add action=/sso/login/auth_submit as a challenge parameter in the DCC authentication scheme.

    Step 2: Create an OAM policy to protect the URL /sso/login/auth_submit.

    Step 3: Change the action URL of the login form to /sso/login/auth_submit.

    Hope this helps

    Regards

    Aakash

  • OIF / question OAM

    I have the internal users who authenticate to OAM to access internal applications.
    Some of these internal users will then access Federated Apps where we are the IdP for these sites. Currently my IdP performs authentication to LDAP (same as LDAP OAM server) server.
    In my view, this will cause the users to authenticate to the IdP again when accessing federated applications because they are already authenticated to OAM. So I think my IdP should use OAM for authentication and not LDAP. Is this correct?

    Correct. If your LDAP and OAM identity store are the same, I would use the "Oracle Access Manager" authentication engine in OIF to redirect all authentication to OAM. This way you can leverage the SSO and authorization policies in OAM. You can do the integration via the mode of authentication or SP. The OAM integration guide has more details.

    Sunil.

  • After authentication check after user authentication using authentication SSO OAM

    Hi all

    We have recently configured all our Oracle APEX applications with OAM SSO. Authentication works fine, but the problem is that after users log in, we redirect them to different pages of the application based on their user role, which is defined in a database table. This step fails because we no longer use page 101 for login. We use OAM SSO, which automatically logs the users in when they launch the application URL. Please help on how to achieve this functionality. What other options are available?

    Previously, I had the process below on page 101, because we used page 101 as the login page for users with LDAP authentication, and we redirected users to different pages depending on their role.

    DECLARE
        v_role VARCHAR2(30);
        v_page NUMBER;
    BEGIN
        -- Look up the role of the user who is logging in
        BEGIN
            SELECT user_role
              INTO v_role
              FROM user_tbl
             WHERE user_id = UPPER(TRIM(:P101_USERNAME));
        EXCEPTION WHEN NO_DATA_FOUND THEN
            v_role := NULL;
        END;

        -- Choose the landing page for the role
        IF v_role = 'ADMIN' OR v_role = 'POWER_ADMIN'
        THEN
            v_page := 1;
        ELSIF v_role = 'USER'
        THEN
            v_page := 32;
        ELSE
            v_page := 200;
        END IF;

        APEX_UTIL.set_session_state(p_name => 'FSP_AFTER_LOGIN_URL', p_value => NULL);

        -- Log in and branch to the chosen page
        wwv_flow_custom_auth_std.login(P_UNAME      => :P101_USERNAME,
                                       P_PASSWORD   => :P101_PASSWORD,
                                       P_SESSION_ID => v('APP_SESSION'),
                                       P_FLOW_PAGE  => :APP_ID || ':' || v_page);
    END;

    Thank you

    Rami

    Hi ragu_s,

    ragu_s wrote:

    We have recently configured all our Oracle APEX applications with OAM SSO. Authentication works fine, but the problem is that after users log in, we redirect them to different pages of the application based on their user role, which is defined in a database table. This step fails because we no longer use page 101 for login. We use OAM SSO, which automatically logs the users in when they launch the application URL. Please help on how to achieve this functionality. What other options are available?

    Previously, I had the process below on page 101, because we used page 101 as the login page for users with LDAP authentication, and we redirected users to different pages depending on their role.

    The "wwv_flow_custom_auth_std.login" procedure is intended to handle the login process of an application based on the configured authentication scheme. A good way to do this would be to let the user authenticate and land on the application home page, and to write a before-header PL/SQL process on the application home page that redirects the user to the appropriate landing page using APEX_UTIL.REDIRECT_URL.

    Reference: Re: Re: Branch works not properly

    Kind regards

    Kiran
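
The approach described in the answer above, as an added example that is not code from the thread: a "Before Header" PL/SQL process on the application home page that maps the role to a landing page and redirects with APEX_UTIL.REDIRECT_URL. It assumes the user name asserted by OAM is available in :APP_USER and that the home page is page 1; the user_tbl table, role names and page numbers are taken from the question.

```plsql
-- Added example: "Before Header" process on the home page (assumed: page 1).
-- Assumption: the SSO-asserted user name is exposed as :APP_USER.
DECLARE
    v_role user_tbl.user_role%TYPE;
    v_page NUMBER;
BEGIN
    BEGIN
        SELECT user_role
          INTO v_role
          FROM user_tbl
         WHERE user_id = UPPER(TRIM(:APP_USER));
    EXCEPTION
        WHEN NO_DATA_FOUND OR TOO_MANY_ROWS THEN
            v_role := NULL;  -- unknown or ambiguous user: use the default page
    END;

    -- Same mapping as the old page 101 process; a NULL role falls to ELSE.
    v_page := CASE
                  WHEN v_role IN ('ADMIN', 'POWER_ADMIN') THEN 1
                  WHEN v_role = 'USER'                    THEN 32
                  ELSE 200
              END;

    -- Redirect only when the target is not the current page, otherwise the
    -- process would redirect to itself on every page view.
    -- The URL is built from server-side values only (no request parameters),
    -- so the redirect target cannot be influenced by the caller.
    IF v_page <> TO_NUMBER(:APP_PAGE_ID) THEN
        APEX_UTIL.REDIRECT_URL(
            p_url => 'f?p=' || :APP_ID || ':' || v_page || ':' || :APP_SESSION);
    END IF;
END;
```

The redirect only chooses where a user lands; any authenticated user can still request the other pages by URL, so each landing page needs its own authorization scheme.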

  • Inlineframe does not work in JDev 11.1.1.6 after we allow OAM SSO

    Hi all

    We have a requirement where we need to consume an external page in an ADF page, so we use the af:inlineframe component. Everything works well, but after we enabled OAM SSO for the ADF page, the external page does not get rendered in the page.

    Can someone throw some guidance on this?

    Thank you.

    As I said in my first answer: you can put an HTTP proxy between your application and the remote site, point your inlineFrame to the proxy and remove the X-Frame-Options response header.

    Depending on the remote site, you may also need to rewrite the URLs in the response body to target your proxy.

    Dario

  • SSO OAM flow

    Hi experts, OAM,

    I read the docs published by oracle SSO

    I have a few questions:

    1. When the user requests a protected resource, WebGate intercepts the request and checks isProtected(). My question: is the isProtected() check done at the OAM server engine level, or by WebGate itself (via the DTP Protocol)?

    2. In the final steps, the user POSTs the credentials to the OAM server, the OAM server validates them, creates the session and sends the encrypted response to WebGate so that WebGate sets the cookie OAMAuthnCookie_host_port. My question: once this is done, what exactly happens? Does WebGate redirect to OAM again for authorization, or serve the resource to the user?

    Thank you

    Vijay

    Responds as follows

    1. WebGate sends the OAP protocol request (IsResrcOpProtected) to the OAM engine. The OAM engine evaluates the policies to reach a decision. If you enable OAM server logging at TRACE level, you can see the OAP request/response (IsResrcOpProtected) in the log file.

    2. Once the OAM authentication cookie is set, there is a 302 (this is the response to obrar.cgi) and the Location header is set to the originally requested URL. In the next step, the browser requests the protected URL and sends the OAM authentication cookie with it. At this point WebGate sends a request to the OAM server to check authorization (an OAP protocol message to the OAM server). If authorization succeeds, you will see the protected URL load. If authorization is denied, you will see the default OAM error page (Oracle Access Manager Operation Error) or a redirect to the URL defined as the failure URL of the authorization policy.

    Regards

    Aakash

  • OAM 11 g SSO: receiving error OAMAGENT-02027 on each connection after the first

    I'm using the 11g ASDK to connect to an OAM 11g (11.1.1.5) server. We have the server configured and SSO working, and we can see that it works for the first user to connect. However, after that first sign-in, everyone else causes the following exception:
    "oracle.security.am.asdk.AccessException: OAMAGENT-02027: Oracle AccessGate API is not initialized."

    Whenever we authenticate the user, the following steps are processed:

    -Get the session token
    -Create a new default instance of AccessClient with the given configuration directory and 10g CompatibilityMode [ac = AccessClient.createDefaultInstance (OAM_CONFIGURATION, AccessClient.CompatibilityMode.OAM_10G)];
    -Create a new UserSession object with the token and the access generated access client
    -The information required of the UserSession object
    -Stop the instance of AccessClient


    On the first invocation, it runs through, the user is brought to our application after the default login page, and they are correctly logged in to our system. Subsequent logins error out on the "Create a new UserSession object..." step shown above, with the above exception.

    If someone has encountered this error and know how to fix? Or have any suggestions about how to try to determine what is the problem?

    Thank you

    [EDIT]
    Fixed the title, this isn't a server OAM 11 g, 10 g.

    Edited by: mBaldwin on 8 March 2013 13:42

    The new 11g API differs a lot in terms of how the ASDK is initialized. In 10g, you would initialize the ASDK for each application; in 11g, however, you just initialize the ASDK once at startup and then keep using it until you stop.

  • OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: problem of attribute OID 11.1.1.6

    Hello world!

    I configured an OAM (WebGate) + OID + OBIEE + OHS system.
    OBIEE is protected via OHS (WebLogic module) and WebGate. It works very well.
    OAM authenticates against OID (default user identity store).
    The "User Search Base" is the same ("cn=Users,dc=mydomain,dc=com") in the identity store and in the OID authentication provider of OBIEE too.
    SSO is enabled in OBIEE and suppliers are:
    OID (provider that performs authentication LDAP 1.0) JUST
    REQUIRED OAM (Oracle Access Manager identity Asserter 1.0) provider
    DefaultAuthenticator (WebLogic Authentication Provider 1.0) SUFFICIENT
    DefaultIdentityAsserter

    If the "User name attribute" is "cn" in the OAM user identity store and the "User name attribute" of the OBIEE OID provider is "cn" (the default) too, everything works fine.

    But I have to use "orclSAMAccountName" instead of "cn" (in both OAM and the OID provider). And in this case, I have the problem.
    The OBIEE OID provider settings are:
    All users filter: (&(orclSAMAccountName=*)(objectclass=person))
    The user of the name filter: (&(orclSAMAccountName=%u)(objectclass=person)))
    Username attribute: orclSAMAccountName

    I did a test user:
    CN = test
    SN = test_sn
    orclsamaccountname = test_sama
    UID = test_uid
    krbprincipalname = test_krb
    I can authenticate with test_sama OAM, but OBIEE say: * "" you are not logged here: Oracle BI Server. "*"
    The bi log shows that:
    + By default (self-adjusting)' > < BISystemUser > <>< 00093dFuR ^ HFW7PMye7i6G00052S000Tt7 > < 1345642607333 > < BEA-000000 > < javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: identity [Security: 090300] Assertion failure: test user does not exist +.
    + oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: [Security: 090300] identity Assertion failure: test user does not exist.

    Why does OBIEE search for "cn", and why does it not use "orclsamaccountname"?

    Any idea?

    Best regards, Jani

    Hello Joseph,

    This is a known issue in OBIEE 11.1.1.6.0, please see: OBIEE 11.1.1.6 Agent failed with error code: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] the imposter does not exist in the BI [1446877.1 ID] Security Service

    We have configured OBIEE 11.1.1.6 on Linux and use Single Sign On (SSO) with authentication Native for Windows (Ondaaah).

    Configured authenticator AD, select sAMAccountName instead of CN for the attribute of the user. SSO in MS license. When you try to access the OBIEE presentation services we met the below error.

    «You are not logged here: Oracle BI Server.»

    When to check the logfile biserver1 found: failure of the Assertion of identity [Security: 090300]: user OracleSystemUser does not exist

    After you apply the hotfix 13553428 on top of 11.1.1.6.0 OBIEE we connected in OBIEE presentation services.

    It works very well with OBIEE, 11.1.1.5.0 and 11.1.1.6.1

    OBIEE fixed in 11.1.1.6.1. Apply Patch 13742915.

    If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.

    Let me know if this solves the problem of Asserter.

    Pls mark so useful or response.

    Thank you
    SVS-

  • Integration of EBS with SSO/OID/OAM

    People - I did not understand if this is the right forum to post.

    We run 12.1 E-business - and have enabled SSO using the normal route of authentication OID/LDAP in AD from a server Linux X 86 - 64

    While we run E-Business on linux Z, the SSO/OID instance is running on a stand-alone server for x 86-64 linux.

    My question is this - is being replaced by Oracle Access Manager (11g) SSO?

    Also the application server is being deprecated in favor of Weblogic server for forms and reports in the E-Business Suite for future versions?

    If I'm level OID 10.1.4.3 to OAM 11 g, everyone sings the steps successfully... There is a lot of information available on 1304550.1, 876539.1, 975182.1 and 1286596.1. These documents, however, take you in circles...

    Can someone who has just experienced a successful install and integration with E-Business Suite point me in the right direction?

    Thank you

    My question is this - is being replaced by Oracle Access Manager (11g) SSO?

    Migration Oracle Single Sign-On 10 g (10.1.4.3) 3 to Access Manager Oracle 11 GR 1 material with Oracle E-Business Suite [ID 1304550.1]
    Procedure step by step to integrate E-business suite with Oracle Access Manager. [832456.1 ID]
    Integration of Oracle E-Business Suite with Oracle Access Manager 11 g using Oracle E-Business Suite AccessGate [1309013.1 ID]

    .. I see that you already have the docs referenced in your post!

    Also the application server is being deprecated in favor of Weblogic server for forms and reports in the E-Business Suite for future versions?

    An overview of the E - Business Suite 12.2: WebLogic Server and online marking
    http://blogs.Oracle.com/stevenChan/entry/glimpses_of_e_business_suite

    If I'm level OID 10.1.4.3 to OAM 11 g, everyone sings the steps successfully... There is a lot of information available on 1304550.1, 876539.1, 975182.1 and 1286596.1. These documents, however, take you in circles...

    Can someone who has just experienced a successful install and integration with E-Business Suite point me in the right direction?

    You already have the docs - I don't him not get tired myself.

    Thank you
    Hussein

  • How to propagate an OID error message to the OAM SSO login page

    Hello

    I set up OAM with OID as the data store. I have a password policy in the OID such that if the user enters a bad password more than 3 times, then the account is locked for a specified interval. I would like to know how to tell the user (via the SSO login page) that
    (a) he entered a wrong password / authentication failure
    (b) the account is locked

    Thank you
    Joe

    You can create an authfailure.html page that displays a name of user and password not valid message with the login page and mention this url unless authorized redirects URLs in the political field. In addition, mention the redirect challenge form authentication url based in http://webserverhostname:port

  • SSO OAM Access Manager solution is unable to open the docs and PDFs

    Hello

    I created an SSO solution like this.

    OAM against AD, running on windows (Server A). WebPass is on IIS.
    The application that I am protecting is an application from Weblogic 10.0 Windows (Server B)
    I also installed the webgate on serverB running on Apache 2.0, and the installation is done by following the documentation for Weblogic sso
    (This is to make the executable application directly via port 80 and Apache redirect)

    The sso works fine.

    But I have a problem on IE6

    When the application attempts to open documents to view in msword or pdf for printing format, the document does not open, I get a "file not found" exception in the browser and the url to get the document seems very long. (The gray popup)

    When I opened the application in IE8, it works very well and the url to get the document seems short (just the docID)

    (The application is currently only compatible for IE6 running in IE8 will cause other problems)

    I cannot find error messages in any of the logs.

    If I run the exact same application without SSO, it works fine in both IE8 and IE6.

    Regards
    Tine

    Hi Tine,

    I don't know what the problem is, but try to set CachePragmaHeader and CacheControlHeader in the 'public' WebGate (in the Console of the system access) to see if that helps.

    Kind regards
    Colin

  • OAM 11g - OAM-02073 trying to SSO

    Hello people, I am upgrading an OSSO 10g environment to OAM 11g 11.1.2.0.0 and trying to configure single sign-on using OSSO agents.

    After configuring the agent, transferring the osso.conf file to the OAS and bouncing it, I can get the OAS server to redirect to OAM, but instead of the login page, I get

    "

    Error

    System error. Please try your action again. If you continue to
    This error occurs, please contact the administrator.

    ".

    When I look at the logs I see the error:

    "

    < 28 October 2013 15:10:21 CEST > < WARNING > < oracle.oam.binding > < BEA-000000 > < OAM-02073 >

    < 28 October 2013 15:11:02 CEST > < WARNING > < oracle.oam.controller > < OAM-02073 > < error while checking whether or not the resource is protected. >

    "

    Any ideas on how to solve this problem?

    Thank you in advance,

    André

    Found the answer. The HTTP server name was misspelled in the host identifier.

  • Login errors on an SSO migrated from 10g to OAM 11.1.1.5.0 BP2

    After successfully migrating an OSSO 10g environment to OAM 11g using the upgrade wizard, when trying to log in to OIDDAS I got the OAM login page with a message:

    "System error. Please try your action again. If you continue to receive this error, contact the administrator."

    In the oam_server log, I found:

    < 9 March 2012 15:11:45 ART > < error > < oracle.oam.binding > < OAM-00002 > < error occurred during the processing of the request.
    oracle.security.am.common.utilities.exception.AmRuntimeException: event flow controller: not configured to handle the event: check_request_creds
    at oracle.security.am.controller.events.AbstractEventFlowController.getNextEvent(AbstractEventFlowController.java:92)
    at oracle.security.am.controller.MasterController.getNextEvent(MasterController.java:229)
    at oracle.security.am.controller.MasterController.processEvent(MasterController.java:587)
    at oracle.security.am.controller.MasterController.processRequest(MasterController.java:757)
    at oracle.security.am.controller.MasterController.process(MasterController.java:680)
    at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLFlowManager.java:209)
    at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:147)
    at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:107)
    at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServlet.java:169)
    at oracle.security.am.pbl.transport.http.AMServlet.doPost(AMServlet.java:134)
    at oracle.security.am.pbl.transport.http.AMServlet.doGet(AMServlet.java:684)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
    at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
    at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
    at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
    at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)

    It seems that you may have encountered a bug in OAM 11.1.1.5.2 where a typographical error made it into oam-config.xml. Follow these steps:

    1. Save a backup of your /config/fmwconfig/oam-config.xml
    2. Edit oam-config.xml, and then locate the following line (line 2317 in the downloaded oam-config.xml):
    cred_collect

    and change the name of file check_request_creds.fail as shown below:

    cred_collect

    3. restart the managed server and restart your login.

    Thank you

    (credit to robert)
