SSO OAM flow

Similar Questions

• After authentication check after user authentication using authentication SSO OAM

  Hi all

  We have recently configured all our apex oracle with OAM SSO application. Authentication works fine but the problem is, after the connection of users, we redirect users to different pages of the application based on their user role that is defined in the database table. This step is a failure because we use is no longer the Page 101 for a connection. We use the SSO OAM, which automatically connects the users when they launch the URL of the application. Please help on how to achieve this functionality. What other options are available.

  Previously, I had the sub process in Page 101 because we use page 101 of connection for users using LDAP authentication and we redirect users to different pages depending on their role.

  DECLARE

  v_role VARCHAR2 (30);

  v_page NUMBER;

  BEGIN

  BEGIN

  SELECT user_role

  IN v_role

  Of user_tbl

  WHEN USER_ID = UPPER (TRIM (: P101_USERNAME));

  EXCEPTION WHEN NO_DATA_FOUND THEN

  v_role: = NULL;

  END;

  IF v_role = "ADMIN" OR v_role = "POWER_ADMIN".

  THEN

  v_page: = 1;

  ELSIF v_role = "USER".

  THEN

  v_page: = 32;

  ON THE OTHER

  v_page: = 200;

  END IF;

  APEX_UTIL.set_session_state (p_name = > 'FSP_AFTER_LOGIN_URL', p_value = > NULL);

  wwv_flow_custom_auth_std. Login (P_UNAME = >: P101_USERNAME,)

  P_PASSWORD = >: P101_PASSWORD,.

  P_SESSION_ID = > v ("APP_SESSION").

  P_FLOW_PAGE = >: APP_ID | ':' || v_page);

  END;

  Thank you

  Rami

  Hi ragu_s,

  ragu_s wrote:

  We have recently configured all our apex oracle with OAM SSO application. Authentication works fine but the problem is, after the connection of users, we redirect users to different pages of the application based on their user role that is defined in the database table. This step is a failure because we use is no longer the Page 101 for a connection. We use the SSO OAM, which automatically connects the users when they launch the URL of the application. Please help on how to achieve this functionality. What other options are available.

  Previously, I had the sub process in Page 101 because we use page 101 of connection for users using LDAP authentication and we redirect users to different pages depending on their role.

  The "wwv_flow_custom_auth_std.login" procedure is intended to address the process of connecting to an application based on the set of "authentication scheme. A good way to do this will be to allow the user to authenticate and log in to the application home page and write a header PLSQL treat on the application homepage that redirects the user appropriate to its APEX_UTIL from landing page. REDIRECT_URL.

  Reference: Re: Re: Branch works not properly

  Kind regards

  Kiran

• SSO OAM Access Manager solution is unable to open the docs and PDFs

  Hello
  
  I created a solusion to SSO like this.
  
  OAM against AD, running on windows (Server A). WebPass is on IIS.
  The application that I am protecting is an application from Weblogic 10.0 Windows (Server B)
  I also installed the webgate on serverB running on Apache 2.0, and the installation is done by following the documentation for Weblogic sso
  (This is to make the executable application directly via port 80 and Apache redirect)
  
  The sso works fine.
  
  But I have a problem on IE6
  
  When the application attempts to open documents to view in msword or pdf for printing format, the document does not open, I get a "file not found" exception in the browser and the url to get the document seems very long. (The gray popup)
  
  When I opened the application in IE8, it works very well and the url to get the document seems short (just the docID)
  
  (The application is currently only compatible for IE6 running in IE8 will cause other problems)
  
  I can not find error messages in all the papers.
  
  If I run the excact same application without sso its fine in IE8 and IE6 to work
  
  Concerning
  Tine

  Hi Tine,.

  I don't know what the problem is, but try to set CachePragmaHeader and CacheControlHeader in the 'public' WebGate (in the Console of the system access) to see if that helps.

  Kind regards
  Colin

• Problem of double identity store OAM 11 g R2

  Hello

  Problem:

  I can't not to my console OAM.  It now redirects to SSO (/ oam/Server/auth_cred_submit)

  Background

  I chose the option "" (as noted in the documentation) to keep the LDAP protocol for my identity embedded system store and configure OID for the (default) user store.  I work my way to x 509 auth but not there yet.

  1. rose all components of forms (associated OID)

  2 configured OAM and forms for the SSO

  3 found that I had to add the LDAP module by default store so that it my new user in OID authentication

  But now, whenever I try to enter http://FQDN:7001 / oamconsole to connect to my weblogic administrator account it seems to try to use OID to authenticate that does not work because the user isn't here.  I had a sense of awe when I couldn't choose my OID of the LDAP module and not the reverse.

  Questions

  Is it a non supported configuration (using LDAP embarked for administrator weblogic as store system and OID for users in the default store)?

  How can I retrieve my access to the oamconsole without having to reinstall OAM?

  Thank you

  TT

  Create a new module, for example OIDModule or similar and a new authentication scheme that uses this module, and then assign all your new policies auth to use this new auth/policy module and change your default LDAP to use your built-in store.

  This works perfectly if you have not connected your weblogic. If you did, then you should patch your patch and add a JDK policy to grant permissions to use its unrestricted patch for weblogic.

• Configuration of single sign on with OAM to ensure web application (no application from merger)

  Hello world

  I have configured single sign-on with OAM to guarantee a non fusion web application. But she cannot lead to the OAM sso login page. Could you please say nowhere I need to check?

  The web application deployed in a weblogic domain, the console already be configured for authentication sso OAM successfully. But the deployed web application does not can be redirected to sso login page when go to a secure page.

  The web.xml file is

  	<>login-config
  	< Auth-method >CLIENT-CERT< / auth-method >
  	< domain name > myRealm < / realm-name >
  	< / login-config >

  Thank you.

  Hello

  Assuming that you go directly to the port of the Weblogic Server and not through a web server, acting as a proxy, try to add the url of your application as a resource in the Application domain 'IAM Suite' in the /oamconsole, which gives it an authentication strategy of 'Protected level policy' to see if this changes the behavior. This is a test - if it works, it's best to create your own application domain for your resources so that they can be managed without interfering with internal policies used by OAM.

  Kind regards

  Colin

• UNIQUE between Simple mode and open authentication possible OAM?

  Hello
  
  Our SSO OAM in 'Open' mode (WP, PM, AM, AAA and ID).
  
  I would like to configure an applications in SIMPLE mode between the access server and webgate. But still I'd like to preserve, single sign - on, when the user accesses the protected open OAM application.
  
  Is this possible? Thank you.

  Yes, possible. The transport application component security mode has no impact on the end user SSO.

  Technically, the mix of modes (simple and open) is not supported. If you have installed some AAA servers more in simple mode you can connect your webgate to those simple ones more and not the other (open mode) to avoid this problem.

  If you need to share the existing AAA servers you will need to bring the listening in BOTH modes. This used to work even if I have not tried with recent versions. The technique is to (re) configure the AAA servers in Simple mode and then pass the parameter mode back to open the profile of component in the directory (via the admin UI).

  Mark

• Help for the integration of the OAM SSO

  Hi Experts

  I'm trying to install and configure OAM 11 GR 2 to explore features SSO /Federation with one of the applications (OBIEE, Ebiz, Google Apps, or any simple application to start with).

  I'm a newbie to OAM, where could you let me know the best way to achieve this and redirect me to some good posts?...

  It is possible to reconfigure Windows8 (64 bit) with 8 GB RAM machine. ?

  Thank you

  You should try to just get installed first OAM and test a simple test application Hello World. The things you want to one are quite advanced so you shouldn't try to do until you understand and are comfortable with the basic concepts in the first place, that is to say learn to crawl, then walk until you try to run.

  Your machine is pretty low spec, you'll be able to do things based on this topic, but for the more advanced things, you want to do next, you'll need a lot more RAM, and you're better off using Linux (IE Oracle/RedHat linux) than Windows.

• Inlineframe does not work in JDev 11.1.1.6 after we allow OAM SSO

  Hi all

  We have a requirement where we need to consume an external page in the adf page, so that we use the af:inlineframe component, everything works to God, but after we activated OAM SSO for the page in the adf, the external page is not get rendered in the page.

  Can someone some throw some guidance on this.

  Thank you.

  As I said in my first answer: you can put a few proxy http between your application and the remote site, point your inlineFrame to the proxy and delete X-Frame-Options response header.

  According to the remote site, perhaps you will also need to rewrite the URL in the body of the response to target your proxy.

  Dario

• OAM 11 g SSO: receiving error OAMAGENT-02027 on each connection after the first

  I'm using the ASDK 11 g to connect to a server (11.1.1.5) OAM 11g. We have the configured server and SSO work and we can see that it works for the first user to connect. However, after that sign first, everyone else cause the following exception occurs:
  "oracle.security.am.asdk.AccessException: OAMAGENT-02027: Oracle AccessGate API is not initialized."
  
  Whenever authenticate us the user, the following steps are processed:
  
  -Get the session token
  -Create a new default instance of AccessClient with the given configuration directory and 10g CompatibilityMode [ac = AccessClient.createDefaultInstance (OAM_CONFIGURATION, AccessClient.CompatibilityMode.OAM_10G)];
  -Create a new UserSession object with the token and the access generated access client
  -The information required of the UserSession object
  -Stop the instance of AccessClient
  
  
  On the first invocation, it rolls and the user is brought to our application after the default login page and that they are correctly recorded in our system. Connect the other errors on 'create a new object UserSession... '. "step shown above with the above exception.
  
  If someone has encountered this error and know how to fix? Or have any suggestions about how to try to determine what is the problem?
  
  Thank you
  
  [EDIT]
  Fixed the title, this isn't a server OAM 11 g, 10 g.
  
  Edited by: mBaldwin on 8 March 2013 13:42

  The new g 11 API differs a lot in terms of how the ASDK is initialized. In 10g, you would initialize the ASDK for each application, however, 11 g, you just launch the ASDK once at startup and then use it again to stop.

• OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: problem of attribute OID 11.1.1.6

  Hello world!
  
  I configured an OAM (webgate) + DIO + OBIEE + OHS system.
  The OBIEE is protected via OHS(weblogic module) and webgate. It works very well.
  The CAO authenticates OID (default user identity store).
  The * "User research Base" * is the same (* "cn = Users, dc is mydomain, dc = com" *) in the store of identity and authentication provider OID of OBIEE too.
  SSO is enabled in OBIEE and suppliers are:
  OID (provider that performs authentication LDAP 1.0) JUST
  REQUIRED OAM (Oracle Access Manager identity Asserter 1.0) provider
  DefaultAuthenticator (WebLogic Authentication Provider 1.0) SUFFICIENT
  DefaultIdentityAsserter
  
  IF the * "User name attribute" * is * '' cn '' * in-store OAM of identity of the users and the provider of the OID of the OBIEE * "user name attribute" * is * "cn" * (by default) also, everything works fine.
  
  But I have to use * "orclSAMAccountName" * instead of * "cn" * (OAM and OID provider). And in this case, I have the problem.
  The OID of the OBIEE provider are:
  All users filter: (& (orclSAMAccountName = *)(objectclass=person))
  The user of the name filter: (&(orclSAMAccountName=%u)(objectclass=person)))
  Username attribute: orclSAMAccountName
  
  I did a test user:
  CN = test
  SN = test_sn
  orclsamaccountname = test_sama
  UID = test_uid
  krbprincipalname = test_krb
  I can authenticate with test_sama OAM, but OBIEE say: * "" you are not logged here: Oracle BI Server. "*"
  The bi log shows that:
  + By default (self-adjusting)' > < BISystemUser > <>< 00093dFuR ^ HFW7PMye7i6G00052S000Tt7 > < 1345642607333 > < BEA-000000 > < javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: identity [Security: 090300] Assertion failure: test user does not exist +.
  + oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security: 090304] authentication failed: User test javax.security.auth.login.LoginException: [Security: 090300] identity Assertion failure: test user does not exist.
  
  Why does search OBIEE the * '' cn '' * and why does not use the * "orclsamaccountname?"
  
  Any idea?
  
  Best regards, Jani

  Hello Joseph,.

  This is a known issue in OBIEE 11.1.1.6.0, please see: OBIEE 11.1.1.6 Agent failed with error code: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] the imposter does not exist in the BI [1446877.1 ID] Security Service

  We have configured OBIEE 11.1.1.6 on Linux and use Single Sign On (SSO) with authentication Native for Windows (Ondaaah).

  Configured authenticator AD, select sAMAccountName instead of CN for the attribute of the user. SSO in MS license. When you try to access the OBIEE presentation services we met the below error.

  «You are not logged here: Oracle BI Server.»

  When to check the logfile biserver1 found: failure of the Assertion of identity [Security: 090300]: user OracleSystemUser does not exist

  After you apply the hotfix 13553428 on top of 11.1.1.6.0 OBIEE we connected in OBIEE presentation services.

  It works very well with OBIEE, 11.1.1.5.0 and 11.1.1.6.1

  OBIEE fixed in 11.1.1.6.1. Apply Patch 13742915.

  If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.

  Let me know if this solves the problem of Asserter.

  Pls mark so useful or response.

  Thank you
  SVS-

• Logging errors to a sso migrated high on OAM 11.1.1.5.0 10g bp2

  After having successfully migrated an OSSO 10 environments using the upgrade wizard in OAM 11 g trying to loggin to OIDDAS I got page logging oam with a message:
  
  "System error. Please try your action again. If you continue to receive this error, contact the administrator. »
  
  The journal of oam_server, I learned:
  
  < 9 March 2012 15:11:45 ART > < error > < oracle.oam.binding > < OAM-00002 > < error occurred during the processing of the request.
  oracle.security.am.common.utilities.exception.AmRuntimeException: event flow controller: not configured to handle the event: check_request_creds
  at oracle.security.am.controller.events.AbstractEventFlowController.getNextEvent(AbstractEventFlowController.java:92)
  at oracle.security.am.controller.MasterController.getNextEvent(MasterController.java:229)
  at oracle.security.am.controller.MasterController.processEvent(MasterController.java:587)
  at oracle.security.am.controller.MasterController.processRequest(MasterController.java:757)
  at oracle.security.am.controller.MasterController.process(MasterController.java:680)
  at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLFlowManager.java:209)
  at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:147)
  at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:107)
  at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServlet.java:169)
  at oracle.security.am.pbl.transport.http.AMServlet.doPost(AMServlet.java:134)
  at oracle.security.am.pbl.transport.http.AMServlet.doGet(AMServlet.java:684)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
  to weblogic.servlet.internal.StubSecurityHelper$ ServletServiceAction.run (StubSecurityHelper.java:227)
  at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
  at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
  to oracle.security.jps.ee.http.JpsAbsFilter$ 1.run(JpsAbsFilter.java:111)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
  at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
  at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
  at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
  at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
  at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
  to weblogic.servlet.internal.WebAppServletContext$ ServletInvocationAction.wrapRun (WebAppServletContext.java:3715)
  to weblogic.servlet.internal.WebAppServletContext$ ServletInvocationAction.run (WebAppServletContext.java:3681)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
  at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)

  It seems that you may encounter a bug in OAM 11.1.1.5.2 where there was a typographical error that did in the oam - config.Xml. follow these steps:

  1 save a backup of your /config/fmwconfig/oam-config.xml
  2. change the oam - config.xml, and then locate the following line (line 2317 oam - config.xml downloaded):
  cred_collect

  and change the name of file check_request_creds.fail as shown below:

  cred_collect

  3. restart the managed server and restart your login.

  Thank you

  (credit to robert)

• Integration of EBS with SSO/OID/OAM

  People - I did not understand if this is the right forum to post.
  
  We run 12.1 E-business - and have enabled SSO using the normal route of authentication OID/LDAP in AD from a server Linux X 86 - 64
  
  While we run E-Business on linux Z, the SSO/OID instance is running on a stand-alone server for x 86-64 linux.
  
  My question is this - is being replaced by Oracle Access Manager (11g) SSO?
  
  Also the application server is being deprecated in favor of Weblogic server for forms and reports in the E-Business Suite for future versions?
  
  If I'm level OID 10.1.4.3 to OAM 11 g, everyone sings the steps successfully... There is a lot of information available on 1304550.1, 876539.1, 975182.1 and 1286596.1. These documents, however, take you in circles...
  
  Can someone who has just experienced a succesfull install and integration in E Business Suite, point me in the right direction?
  
  Thank you

  My question is this - is being replaced by Oracle Access Manager (11g) SSO?

  Migration Oracle Single Sign-On 10 g (10.1.4.3) 3 to Access Manager Oracle 11 GR 1 material with Oracle E-Business Suite [ID 1304550.1]
  Procedure step by step to integrate E-business suite with Oracle Access Manager. [832456.1 ID]
  Integration of Oracle E-Business Suite with Oracle Access Manager 11 g using Oracle E-Business Suite AccessGate [1309013.1 ID]

  .. I see that you already have the docs referenced in your post!

  Also the application server is being deprecated in favor of Weblogic server for forms and reports in the E-Business Suite for future versions?

  An overview of the E - Business Suite 12.2: WebLogic Server and online marking
  http://blogs.Oracle.com/stevenChan/entry/glimpses_of_e_business_suite

  If I'm level OID 10.1.4.3 to OAM 11 g, everyone sings the steps successfully... There is a lot of information available on 1304550.1, 876539.1, 975182.1 and 1286596.1. These documents, however, take you in circles...

  Can someone who has just experienced a succesfull install and integration in E Business Suite, point me in the right direction?

  You already have the docs - I don't him not get tired myself.

  Thank you
  Hussein

• How propate error message OID to the OAM SSO login page

  Hello
  
  I set up OAM with OID as the data store. I have a password policy in the OID such that if the user enters a bad password more than 3 times, then the account is locked for a specified interval. I would like to know how to tell the user (via the SSO login page) that
  (a) he entered a wrong password / authentication failure
  (b) the account is locked
  
  Thank you
  Joe

  You can create an authfailure.html page that displays a name of user and password not valid message with the login page and mention this url unless authorized redirects URLs in the political field. In addition, mention the redirect challenge form authentication url based in http://webserverhostname:port

• OAM 10.1.4.3.0 multidomain SSO

  Hi all

  I am currently having need to know if the multi-domain SSO is supported in 10 g as in 11 g?

  I work with a client who wishes to implement multi-domain SSO and I believe that this is supported in 10.1.4.3.0. My understanding is that the session token and ObSSOCookie will be created for each area, so for the example of an area would be 1 . domain1.com and area 2 would be . portal.domain2.com field.

  I think it is based on a common cookie domain.

  My question is that users authenticated to the domain 1 once the sale related to the field of access 2 standards body would break and therefore be invited to log back in and even the opposite effect.

  Thank you very much

  Yes Multi domain sso is possible.

  A single domain. Domain1.com would act as domain authentication. This area is responsible for authentication, also known as the farm of connection. Application of authentication in other areas (domain2.com, domain3.com) would come to domain1.com for authentication.

  I hope this helps.

  Concerning

  Aakash

• OAM 11g - OAM-02073 trying to SSO

  Hello people, that I improve an OSSO 10 g environment in OAM 11 g 11.1.2.0.0 and try to configure the SINGLE sign-on using agents OSSO.

  After you configure the agent and transfer the file osso.conf to the OAS and bouncing I can get the OAS server to redirect to OAM, but instead of the login page, I get

  "

  Error

  System error. Please try your action again. If you continue to
  This error occurs, please contact the administrator.

  ".

  When you look at the newspapers I see the error:

  "

  < 28 October 2013 15:10:21 CEST > < WARNING > < oracle.oam.binding > < BEA-000000 > < OAM-02073 >

  < 28 October 2013 15:11:02 CEST > < WARNING > < oracle.oam.controller > < OAM-02073 > < error while checking whether or not the resource is protected. >

  "

  Any ideas on how to solve this problem?

  Thank you in advance,

  André

  Found the answer. The HTTP server name was misspelled in the host identifier.