Urgent: Authorization of OAM

Hi all

I'm trying to implement a permission such that users belonging to a certain group in OID (OID is my user store) are allowed to see a page. I implemented the authorization policy accordingly, but somehow it is not enforced and all users are able to access the HTTP resource. I tried with form-based OAAM authentication and with simple LDAP OAM authentication, but with the same results: in my Access Tester I get authorization success each time.

Details of my environment:

OHS: 11.1.1.6.0
WebGate: 11.1.1.5.0
OAM: 11.1.1.5.0

Details of the policy:

Authorization policy

Name: Protected Resource Policy
Success URL: null
Failure URL: null
Use Implied Constraints: ENABLED
Identity: DISABLED

Resources: protected.html

Constraints
Name: Allow Group
Class: Identity
Type: Allow

Constraint details
Type: Allow
Store name: OIMIDStore (OID)
Entity name: group1

Responses
Name: OAM_REMOTE_USER
Type: Header
Value: $user.userid

Am I going wrong somewhere, or is some other configuration required for the feature to work?
Please let me know if you need more input from me.

Any input would be useful

Kind regards

Hello

Before looking at your authorization rules, can you check that the SSOOnlyMode parameter in oam-config.xml is set to 'false'? Otherwise, OAM will only do authentication, no authorization.

Kind regards
Colin
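One way to make Colin's check repeatable (an added example, not code from the thread): a small Python script that reads oam-config.xml and reports the SSOOnlyMode value. It assumes the 11g layout of nested `<Setting Name="..." Type="...">` elements; the sample configuration fragment embedded in it is constructed, not a real file.

```python
"""Report whether an OAM 11g oam-config.xml has SSOOnlyMode enabled.

Added example, not part of the thread. Assumes the 11g layout of nested
<Setting Name="..." Type="...">...</Setting> elements; the sample below is a
constructed fragment, not a real configuration file.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample; {mode} is filled in with true or false below.
SAMPLE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration xmlns="http://example.invalid/xmlconfig.xsd">
  <Setting Name="DeployedComponent" Type="htf:map">
    <Setting Name="Server" Type="htf:map">
      <Setting Name="NGAMConfiguration" Type="htf:map">
        <Setting Name="SSOOnlyMode" Type="xsd:boolean">{mode}</Setting>
        <Setting Name="Version" Type="xsd:integer">11</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""
SAMPLE_SSO_ONLY = SAMPLE_TEMPLATE.format(mode="true")
SAMPLE_NORMAL = SAMPLE_TEMPLATE.format(mode="false")

def _local_name(tag):
    """Strip any XML namespace so matching does not depend on the xmlns."""
    return tag.rsplit("}", 1)[-1]

def find_setting(root, name):
    """Return the text of the first <Setting Name=name> anywhere in the tree."""
    for element in root.iter():
        if _local_name(element.tag) == "Setting" and element.get("Name") == name:
            return (element.text or "").strip()
    return None

def sso_only_mode(xml_text):
    """True/False for the SSOOnlyMode setting, None if it is absent."""
    value = find_setting(ET.fromstring(xml_text), "SSOOnlyMode")
    return None if value is None else value.lower() == "true"

def check_config(xml_text):
    """Verdict on whether OAM will evaluate authorization policies at all."""
    mode = sso_only_mode(xml_text)
    if mode is None:
        return "SSOOnlyMode not found: inspect oam-config.xml manually"
    if mode:
        return "SSOOnlyMode=true: authentication only, authorization policies are NOT enforced"
    return "SSOOnlyMode=false: authorization policies are evaluated"

if __name__ == "__main__":
    # Pass the path of a real oam-config.xml, or run without arguments for the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(check_config(fh.read()))
    else:
        for label, text in (("sso-only sample", SAMPLE_SSO_ONLY), ("normal sample", SAMPLE_NORMAL)):
            print(label, "->", check_config(text))
```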

Tags: Fusion Middleware

Similar Questions

  • OIF / OAM question

    I have internal users who authenticate to OAM to access internal applications.
    Some of these internal users will then access federated apps where we are the IdP for these sites. Currently my IdP performs authentication against an LDAP server (the same LDAP server as OAM).
    As I understand it, this will cause the users to authenticate to the IdP again when accessing federated applications, even though they are already authenticated to OAM. So I think the IdP should authenticate against OAM and not LDAP. Is this correct?

    Correct. If your LDAP and the OAM identity store are the same, I would use the "Oracle Access Manager" authentication engine in OIF to redirect all authentications to OAM. This way you can leverage SSO and authorization policies in OAM. You can do the integration via authentication mode or SP mode. The OAM integration guide has more details.

    Sunil.

  • Question about OAM WebGate and load balancer interaction

    Must a load balancer in front of the OAM WebGate maintain sessions?

    The platform is Microsoft Windows Server 2003 R2.

    Any comment is appreciated.

    When the user authenticates, OAM sets the ObSSOCookie, which contains all the details of this user's session. If a user accesses ANY WebGate configured for SINGLE sign-on in this domain, no new authentication is required. The WebGate knows the user identity based on the details in the ObSSOCookie, and the OAM authorization rules for this policy domain kick in. This occurs regardless of any hardware load balancer or even the backend application. Therefore, your load balancing should not be configured for stickiness, just for the WebGate and SSO sessions. An important consideration is whether your load balancer is set up for NAT or not. This will affect the IPValidation parameter. If NAT is used, then you must turn off IPValidation, or use an IPValidation exception for the VIP of the load balancer.

  • OAM authorization policy: scenario

    Hi all

    I need your advice to implement a solution as described below (high steps level that I can follow and implement):

    Current architecture:

    I have Siebel, OIM, OAM and OID. Users are provisioned to Siebel by OIM, and OAM is responsible for the authentication/authorization for Siebel resources.

    Requirement:

    There are many users who log in using OAM, and I need to make a change for a specific group of users who are actually allowed to access the resource.

    Example:

    Group A can access resource abc.

    Group B cannot access resource abc.

    Please help me with an approach that does not involve OIM.

    Thank you

    Varun

    Do you have LDAPSynch active?

    If yes, is the OAM user identity store the same as the LDAP directory configured in OIM LDAPSynch?

    In the case of LDAPSynch, a ROLE created in OIM translates to an LDAP group. I was referring to using these LDAP groups in the OAM authorization policy. In an Identity condition, you can also add LDAP groups. See screenshot 18-5 at the link above ('Add Users & Groups' option in the 'Identity' condition).

    The OIM organization is not related to LDAP groups.

    With regard to the UDF:

    In the LDAP synchronization scenario, if the user UDF is also stored in the user's profile in the LDAP directory, then you can use that LDAP attribute in the user's profile to set the authorization policy in OAM. This can be done by specifying an 'Add Search Filter' in the same Identity condition.

    Regards

    Aakash

  • OAM authorization cache query

    Hello
    I have a resource protected with OAM 10g and use a custom authorization plugin for this resource, which makes an LDAP call and returns the result.
    I want to know whether the OAM user cache works with custom authorization plugins as well or not.

    Please let me know your understanding.

    Thank you

    The result of the authorization plugin will not be cached, and your plugin will be executed whenever authorization is requested.
    If you are making an LDAP call in the plugin, a better solution would be to use LDAP filters in the authorization expressions.

    Hope this helps,
    Sagar

  • Urgent - Custom authentication and authorization for an ADF application

    Hi friends,

    Custom implementation of authentication and authorization for an ADF application

    My project uses OID; for authentication and authorization, we will need to support both OAM and DB tables (according to the client's preference during installation).

    I am new to this and do not have a clue about it.

    Please guide me on how to set up both in JDeveloper 11g + ADF.

    Thanks in advance.

    The answers you got so far all point in the right direction. ADF Security looks to WLS for authentication, and also for the enterprise roles (user roles) used in authorization, which are defined on the WLS server. During deployment, the application roles defined in ADF Security are mapped to enterprise user groups.

    Application developed using JDeveloper + ADF.

    This would use WLS for authentication.

    Authentication of users - LDAP (OID) - users are stored in LDAP.

    Use the OID authentication provider in WLS.

    Authorization - OAM or database (authorization details are stored in DB tables or OAM).

    You can't authorize users without authentication. If you need to, create additional authentication providers for OAM and RDBMS if they exist (there is an existing RDBMS provider that you can use to identify users and assign user group membership). Then you set the OPTIONAL flag so that when authentication fails for the additional providers you can still start the application.

    At runtime, admin users create users, create roles and assign permission privileges to the roles (for pages and workflows),
    and assign (or remove) roles to/from users.

    ADF Security uses JAAS permissions that you can change using Enterprise Manager at runtime. Permissions are granted to application roles, and application roles are granted to enterprise roles, which users then become members of. If you want to change the status of a user account, then you don't do this in ADF or EM, but use direct access to the user provider (for example OID access, RDBMS access, etc.). There is no unified administration API available that would allow you to do this via WLS (which uses OPSS).

    If your question is in the context of ADF, the documentation you should follow is OPSS and WLS authentication providers.

    Frank

  • How to combine two groups under a single authorization rule in OAM

    Hi people,

    I have an authorization rule that allows the user to access resources based on their LDAP group memberships (the group name indeed appears as an entry under Allow Access on the People tab). However, it does work if I have a single group defined. As soon as I add another group, OAM begins to enforce an OR operator instead of an AND. In other words, if the Authz rule has groups A and B, and the user is a member of group B but not group A, it still gets access. The only way this works is if I create one Authz rule per LDAP group I'm interested in, then use an AND inside the Authz Expression.

    Any help is appreciated
    Thank you, Roman

    Hi Roman,

    It is as expected. When you select several groups in an authorization rule, you are saying 'allow access to any of these groups'. This is consistent with when you select several people: 'allow access to any of these people'. The 'any' (i.e. OR) is implied and I think that it is valid. In addition, as you say, OAM gives you a way to achieve the AND through the expression.

    If your directory is AD or ADAM, group membership details are also stored in the user profile, and so there you might be able to achieve what you want in a single authz rule via an LDAP rule.

    -Vinod

  • Have OAM authenticate/authorize users on different directory servers

    Hi people,

    Is it possible to have OAM authenticate/authorize users against different directory servers under a single OAM instance?
    We have standalone OAM 10.1.4.3.0 with OHS11g installed on Linux and connected to a particular directory server (Sun LDAP). We also have an application protected by OAM that authenticates/authorizes users on the same directory server. Can we somehow configure the rules/policies/etc. so that users who access app B will be authenticated and authorized against directory server B, users accessing app C will be authenticated and authorized against directory server C, etc., without having multiple OAM instances?

    Any help is greatly appreciated
    Thank you, Roman

    The best way to do this is to set up a common OVD directory namespace under which each backend directory is represented as a different OU. For example, suppose you have two directories, one for internal users which is AD and one for external users which is OID. Configure a common namespace, dc=yourcompany,dc=com. Then configure OUs for each directory, ou=external pointing to OID and ou=internal pointing to AD.

    Then in your authentication schemes, create a credential mapping plugin for the different mapping bases (authentication scheme A for internal users, the other for external users).

    And in your policy for each application, configure the application's authentication rule to use the appropriate authentication scheme. If it is an application for internal users, use the internal user authentication scheme, and if it is an application for external users, use the external authentication scheme.

  • OAM authorization error

    Hi people,

    I get an authorization error from OAM (I'm new to it) when trying to use an allow rule based on the value of a certain LDAP attribute (the employeeType attribute's value must be 'EMP'). Here's what I have:
    On the Access System side: a simple authorization scheme in Authz Mgmt (oblix/lib/authz_attribute as the shared lib name, RA_SubjectDN as the user param, ruleExpression as the required param name with no value).
    On the Policy Manager side: a domain with an authorization rule based on the scheme above (the other, genuine rule works fine) with the following Authz rule plugin params: RA_SubjectDN as the profile attribute passed to the plug-in, ruleExpression as the name of the required parameter, with value employeeType="EMP". The Authz rule action performs a redirection to a certain URL on failure (does not work). For the default rules > Authorization Expression, all I have is my Authz rule.

    Now, if I disable the Authz rule leaving only the genuine one, everything works fine. When I try to access the resource protected using the Authz rule, I get an 'Oracle Access Manager operation error' in the browser, then the following error message in the Access Server log:
    WARNING AUTHZ_MGMT 0 x 00001165 /usr/abuild/Oblix/coreid1014/palantir/authz_common/src/authzexptree.cpp:99 "error while evaluating the rule" raw_code ^ RuleID 8 ^ 20091125T 15554836330 returned error is ^ assessment returned permission need more information as the return code

    I realize it's my Authz rule or scheme that causes the error, but I can't figure out which it is. I was wondering if someone could point me in the right direction.

    Thank you
    Roman

    Published by: user10433316 on December 8, 2009 07:49

    Hi Roman,

    You may need to put the failure page in the 'Authorization Inconclusive' actions in the Authorization Expression too. Regarding where to put the header variables, it is largely a matter of taste. However, there may be cases where you have the same rule applied to various resources but setting a different header variable; in this case you will need to put them in the Expression.

    Kind regards
    Colin

  • OAM - WNA - Urgent

    I am able to run kinit without the keytab file:
    :/oam/Oracle/Middleware/wna> kinit HTTP/<SPN>@<AD_Domain>
    Password for HTTP/<SPN>@<AD_Domain>:
    :/oam/Oracle/Middleware/wna>

    But I get the following error when running kinit with the keytab file:
    :/oam/Oracle/Middleware/wna> kinit -V -k -t /oam/Oracle/Middleware/wna/oam.keytab HTTP/<SPN>@<AD_Domain>
    kinit(v5): Key table entry not found while getting initial credentials
    :/oam/Oracle/Middleware/wna>

    Please let me know if anyone has faced this problem in the past.

    Use NT-RC4-HMAC while generating the keytab file and add RC4-HMAC in the krb5.conf file.

    Please let me know if you face any issues.

  • URGENT: Connect to an LDAP identity store over SSL in OAM 11g

    Hi, I'm creating a user identity store in OAM 11g (11.1.1.5). My requirement is to create the user identity store with SSL enabled. The SSL port number is correct, but when I test the connection through 'Test Connection' it throws the error "unable to connect to the user identity store".

    Could someone tell me how to create the user identity store over SSL?

    Thank you
    Kumar

    Which LDAP are you using? If it's OpenLDAP:
    http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.HTML#4.0
    Then generate the certificate first. See the link above, and then import it using keytool.

    If the certificate has already been generated, you can open https:/// in the browser and get the certificate from the browser itself. Copy and import the certificate.

    Kind regards
    GP

  • Urgent! OAM 10.1.4.0.1 to 10.1.4.2.0 upgrade

    Hi all

    Is it OK to upgrade OAM to 10.1.4.2.0 without stopping the OAM components and web server?


    Thanks in advance.

    Siva NAKI.

    Hi Siva,

    Do not stop the OAM components - you should be able to just stop, perform the upgrade to the hotfix and restart everything, with everything working OK. There is not a lot of functional difference between 10.1.4.0.1 and 10.1.4.2 (but a lot of fixes to make the upgrade worthwhile), so the system should behave the same as before the upgrade. However, as with any upgrade, you should try it in a test system first just to make sure nothing is broken.

    If you perform the upgrade, a recent Bundle Patch (BP) must be applied at the same time (the upgrade path is 10.1.4.0.1 -> 10.1.4.2 -> 10.1.4.2BPxx - you can't do it as a single upgrade).

    Kind regards
    Colin

  • Managing roles using the OIM/OAM/OID solution

    Dear members

    I am confused while providing a solution involving OAM and OID.

    We have a WebCenter Portal system where the authentication solution is implemented using OAM 11g. We expect role-based authentication with the help of OID/OIM.

    By role-based authentication, I mean essentially that users have roles and we find the users in these roles. So they will go through the SSO system and their landing page will be the same, but the controls and links will be displayed according to their role.

    We do not use Oracle Role Manager, so we manage it using OID.

    Is there a possible solution? Please help me, it's urgent.

    Thanks in advance.


    Regards

    Arun Kumar Singh

    Hi Arun,

    In OAM, you can define authorization policies that allow or deny access to resources based on an attribute value (of the logged-in user). For example, you might allow access to the URL /admin only to users who have the value 'Administrator' in an attribute. Another approach is simply to set the attribute as a header variable (this is also defined in an OAM authorization policy) so that it is passed to the receiving application, which can then query the attribute value and take appropriate action.

    In these cases, OAM is only using the attribute values or sending them to another application. To manage the values (set them properly for users/applications etc.) you would use a tool like OIM to ensure that they are properly set.

    Kind regards

    Colin

  • Headers question with OAM 11gR2 PS3

    Hello

    We are migrating from OAM 11gR2 to OAM 11gR2 PS3 and from Windows to Linux. We installed the new PS3 configuration and migrated all the OAM configuration details. We have user-profile authorization policies for applications protected by OAM.

    But while testing SSO with the applications, I found the issues below:

    1. If any attribute is null in LDAP for the user, R2 returns NOT_FOUND. But PS3 displays the headers as null. The application team has logic based on NOT_FOUND only. It's a lot of app changes to check the attribute value for null instead of NOT_FOUND. Is there a workaround for this?

    2. We have multi-valued attributes for users in LDAP. In R2, these multi-valued attribute values are separated by a colon (:), but in PS3 they are separated by a comma. I read doc ID 1935703.1 in Metalink, but it allows the comma separator to be changed. How can this be changed to the colon?

    Appreciate your inputs.

    1. That is a very simple coding change. Any decent programmer should be able to do this fairly easily.

    2. Just follow the instructions and where it says ',' replace it with ':'.

  • How to pass headers to a child request that is protected by OAM

    Hello

    I have integrated Oracle WebCenter Portal (WCP) with OAM 11gR2. I'm passing headers to WCP via the authorization policy. We have a child application developed in Java that is available within an iFrame in WCP. Since this Java application is accessed within the iFrame, it cannot retrieve the headers that I'm passing to WCP. How can I pass headers from OAM to this Java iFrame application? Do I have to create a new application domain and add headers to the new authorization policy?

    Appreciate your inputs.

    It was due to incorrect authentication rules. It now works as expected.
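For the kinit keytab error discussed in the OAM WNA thread above ("Key table entry not found" when kinit is run with -k -t): an added example, not code from the thread, that parses the text `klist -kte` prints for a keytab and reports whether the HTTP service principal is present and which encryption types its keys use, so a mismatch with the enctypes listed in krb5.conf can be spotted before touching the configuration. The klist output below is constructed and the SPN/realm are placeholders; RC4-HMAC is deprecated, so where the domain allows it, agreeing on an AES type is preferable to the RC4 workaround.

```python
"""Diagnose 'Key table entry not found' from kinit -k -t with a keytab.

Added example, not from the thread. Parses the text `klist -kte` prints for a
keytab (constructed sample; SPN and realm are placeholders) and checks that the
service principal has a key in an encryption type the client may use.
"""
import re

# Constructed `klist -kte` output for a keytab holding AES keys only.
SAMPLE_KLIST = """\
Keytab name: FILE:/oam/Oracle/Middleware/wna/oam.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2012 10:00:00 HTTP/sso.example.invalid@EXAMPLE.INVALID (aes256-cts-hmac-sha1-96)
   3 01/01/2012 10:00:00 HTTP/sso.example.invalid@EXAMPLE.INVALID (aes128-cts-hmac-sha1-96)
"""

ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
# krb5.conf accepts short aliases; map them to the names klist prints.
ALIASES = {"rc4-hmac": "arcfour-hmac", "aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}

def normalize(enctype):
    name = enctype.lower()
    return ALIASES.get(name, name)

def keytab_entries(klist_text):
    """Return (kvno, principal, enctype) tuples from klist -kte output."""
    entries = []
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), normalize(m.group(3))))
    return entries

def diagnose(klist_text, principal, permitted_enctypes):
    """Explain why kinit -k -t would fail for principal, or report 'ok'.

    permitted_enctypes mirrors the enctype list in krb5.conf; the thread's
    fix (RC4 key in the keytab plus RC4-HMAC in krb5.conf) makes the two match.
    """
    keys = [e for e in keytab_entries(klist_text) if e[1] == principal]
    if not keys:
        return "principal %s is not in the keytab" % principal
    present = {e[2] for e in keys}
    usable = present & {normalize(t) for t in permitted_enctypes}
    if not usable:
        return ("principal present but no key in a permitted enctype: keytab has %s, "
                "krb5.conf permits %s" % (sorted(present), sorted(permitted_enctypes)))
    return "ok: usable enctypes %s, kvno %s" % (sorted(usable), sorted({e[0] for e in keys}))

if __name__ == "__main__":
    spn = "HTTP/sso.example.invalid@EXAMPLE.INVALID"
    print(diagnose(SAMPLE_KLIST, spn, ["rc4-hmac"]))     # mismatch: only AES keys
    print(diagnose(SAMPLE_KLIST, spn, ["aes256-cts"]))   # ok
```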
