• Find us:
    +1-669-900-5138   |   +44-203-372-5553
  • Free Newsletter

    Get Latest Updates

  • Make Training Enquiry


  • Categories

  • Archive

  • OAM integration with OIF : Authentication Engine or Service Provider

    Posted by "" in "oam, oif" on 2012-04-03

    Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedInEmail this to someone

    OIF is a federation product from Oracle which can act as both Identity Provider (IdP) or Service Provider (SP). More on Federation basics IdP/SP here

    • OIF come with authentication engine (LDAP, OAM, OSSO, Database, InfoCard, JAAS… ) and is used when OIF acts as Identity Provider
    • OIF also comes with Service Provider Integration Modules ( OSSO, OAM, Custom SP Engine…)

    OAM is a web Single Sign-On product from Oracle and also comes with its own authentication engine and can be integrated with OID for authentication (For OAM integration with OID click here and for OAM integration with OID click here ).

    • OAM and OIF can be implemented on their own alone or integrated with each other.

    OAM can be integrated with OIF in one of two mode

    1. OAM acting as authentication Engine with OIF: In this OAM-OIF integration, unauthenticated users are redirected to OAM for authentication. OAM authenticates user against its configured LDAP server and creates session in both OAM and OIF. In this mode OIF delegates authentication to OAM and OAM acts as Authentication Provider. To configure this type of integration follow steps here or here

    2. OIF acting as authentication Engine (IdP) with OAM: In this integration, unauthenticated users are redirected to Identity Provider of OIF for authentication. OIF (acting as IdP) authenticates user against its configured authentication engine and creates session in both OIF and OAM. In this mode OIF acts as Identity Provider for OAM. To configure this type of integration follow steps here or here

    Note : In this type of OAM-OIF integration where OIF acts as authentication engine for OAM, steps are slightly different between OIF and OIF (OIF uses OAM 11g SP Module where as OIF uses OSSO SP Module)


    More on OAM 11g in my Book at Amazon or Packt Publication

    Related Posts for Access Manager

    1. Integration Steps – 10g AS with OAM (COREid)
    2. OAS – OAM (Access Manager / Oblix COREid) Integration Architecture
    3. Oblix COREid and Oracle Identity Management
    4. Installing Oracle Access Manager (Oblix COREid / Netpoint)
    5. Oracle Access Manager (Oblix COREid) Upgrade
    6. Access Manager: WebGate Request Flow
    7. Introduction to Oracle Access manager : Identity and Access System – WebPass , Webgate, Policy Manager
    8. Certified Directory Server (AD, OID, Tivoli, Novell, Sun or OVD) and their version with Oracle Access Manager
    9. Install Oracle Access Manager (OAM) Identity Server, WebPass, Policy Manager, Access Server, WebGate
    10. Multi-Language or multi-lingual Support/Documentation for Oracle Access Manager (OAM)
    11. OAM Policy Manager Setup Issue “Error in setting Policy Domain Root” : OAM with AD and Dynamic Auxiliary Class
    12. OAM Installation Part II – Indentity Server Installation
    13. OAMCFGTOOL : OAM Configuration Tool for Fusion Middleware 11g (SOA/WebCenter) Integration with OAM
    14. Oracle Access Manager Installation Part III : Install WebPass
    15. OAM : Access Server Service Missing when installing Access Manager with ADSI for AD on Windows
    16. OAM : Create User Identity – You do not have sufficient rights : Create User Workflow
    17. Password Policy in Oracle Access Manager #OAM
    18. Changes in Oracle Access Manager 11g R1 (
    19. Agents in OAM 11g (WebGate 10g/11g, OSSO/mod_osso, AccessGate IDM Domain agent) aka PEP (Policy Enforcement Points)
    20. How to install Patches in Oracle Access Manager 10g : Bundle Patch / BPXX
    21. Session Management in #OAM 11g : SME , Idle Timeout, Session Lifetime
    22. Part IX : Install OAM Agent – 11g WebGate with OAM 11g
    23. How to integrate OAM 11g with OID 11g for User/Identity Store
    24. How to install Bundle Patch (BP) on OAM – BP02 (10368022) OAM
    25. Error starting OAM on IBM AIX : AMInitServlet : failed to preload on startup oam java. lang. Exception InInitializer Error
    26. OAMCFG-60024 The LDAP operation failed. OAMCFG-60014 Oracle Access Manager is not configured with this directory
    27. How to Edit (create, delete, modify) Identity Store of OAM 11g from command line (WLST) – editUserIdentityStoreConfig
    28. OAM WebGate Registration RREG – Resource URL format is not valid
    29. Blank Screen on OAM 10g Identity Server Console : /identity/oblix
    30. Oracle 10g/11g webgate software download location
    31. How to find Webgate 10g/11g Version and Patches Applied
    32. OAM integration with OIF : Authentication Engine or Service Provider
    33. OAM 11g integration with Microsoft Windows Active Directory (WNA, IWA, Kerberos) for Zero Sign-On
    34. OAM 11g : How to change Security Mode (OPEN, SIMPLE, CERT) – WebGate to Access Server Communication
    35. Forgot Password link on OAM Login Page
    36. OIM-OAM-OAAM integration – Account Lockout in OAM obLoginTryCount , oblockouttime, MaxRetryLimit
    37. How to identify which LDAP (OID/AD/OVD) server OAM 11g connects to and as what user ?
    38. OAM 10g WebGate installation failed with Sorry Invalid User or Invalid Group
    39. Beware if you are running OAM in SIMPLE mode with 10g WebGate : Oracle AccessGate API is not initialized
    40. Troubleshooting : 11g WebGate with OHS 11g integrated with OAM 11g : OBWebGate_AuthnAndAuthz: Oracle AccessGate API is not initialized
    41. Deploying OAM in high availability across data centres in Active Active cluster : New Feature in OAM 11gR2 PS2
    42. New OAMConsole in OAM 11gR2 PS2 : Enabling Federation, STS, Mobile & Social in Oracle Access Management Suite

    13 Responses to “OAM integration with OIF : Authentication Engine or Service Provider”

    1. vishuenc says:

      I have following doubts …
      1. how do we check the ObSSOCookie is set or not in fiddler or any vendor trace.

      2. Sometimes when user trying to access SSO url then he redirects to some other URL…How do we resolve that configurations issues?

      3. For example, if both companies have Federations servers then how they will share/AutH user’s identity?

      4. For example, If Company ‘A’ uses federation services from Company ‘B’ then how user’s identities are managed?

    2. Atul Kumar says:

      @ vishuenc,

      Q1. how do we check the ObSSOCookie is set or not in fiddler or any vendor trace.

      A1: You can check cookie in HTTP Header using browser plug-in like IEHTTPHeader (for IE) or HTTPHeader (for firefox). What is fiddler ?

      Q2. Sometimes when user trying to access SSO url then he redirects to some other URL…How do we resolve that configurations issues?

      A2: Enable debug on oracle.security handler of OIF (ODL). Debug is enabled using EM. You then check OIF logs and HTTPHeader trace to find root cause of issue.

      Q3. For example, if both companies have Federations servers then how they will share/AutH user’s identity?
      A3: Federation on one company will act SP and other compnay will act as IdP . For resource requested by SP , SP will contact IdP for user authentication. After authentication, IdP will assert user to SP which (depending on configuration) will map it to user at its own end and provide access to resource. I’ll cover few use case of IdP/SP on this blog later.

      Q4. For example, If Company ‘A’ uses federation services from Company ‘B’ then how user’s identities are managed?
      A5: There are multiple ways in which federation can be done (mapped, linked, transient…) check my post http://onlineappsdba.com/index.php/2012/04/01/oracle-identity-federation-oif-for-beginners-idp-sp/

      For mapped or linked federation each side will manage users. These user are linked based on IdP and SP setting. I am going to cover how this mapping is done in OIF in my upcomig posts.

    3. […] in oam, oif  Print This Post I recently integrated OAM with OIF where OAM is configured as OIF SP Integration Module. In this integration OAM resource is protected by authentication scheme OIFScheme and OAM’s […]

    4. JL says:

      Hi Atul,

      Thanks for this post and a clearer explanation of the options for integrating OAM with OIF. We have been using OAM (currently 11gR2) for awhile now, and I’m looking into extending to support federated identities (i.e., integrating OIF). We currently have OIF 11.1.2 installed as part of the IDM suite (OIF/OID/OVD) installation.

      Our use cases would be something like:

      1) A user who is currently one of our users under OAM accesses one of the resource protected by our OAM: Such users should be able to continue to authenticate against OAM, but if

      2) A user who is NOT currently one of our users under OAM accesses a resource protected by our OAM: Such users should be given the opportunity to authenticate against the IDP of one of our federated partners, and then, after authenticating against one of those IDPs, be (ideally) redirected to their original target resource and be able access the resource protected by our OAM.

      In other words, if one of our users accesses one of our protected resources, there shouldn’t be a need to involve OIF, and only our OAM ATN and ATZ should be involved. Conversely, in the other case, we would want to delegate authentication to the SP of our OIF to facilitate that user getting authenticating by “their” IDP.

      I think that your 2nd option (OIF acting as authentication Engine (IdP) with OAM) fits our case better, but it seems like with JUST that integration, ALL of our users would have to authenticate via our OIF SP to our OIF IDP, rather than authenticating directly via our own OAM.

      Is there a way to accommodate such usage scenarios with OIF and OAM out-of-the-box? Or will we need to do some customization?


    5. JL says:


      I am trying to integrate OAM with OAM using the option #2, using the OSSO SP integration module in OIF and the OIFScheme/DAP module in OAM.

      This is *almost* working, i.e., when I try to hit the OAM-protected resource (/fedtest/*), I get redirected to the IDP login page, and to the SP login page, and authenticate successfully with both, but then the ATN fails in OAM, and I get the blue OAM error page. If I set a Failure URL on the ATN policy, I can see it gets invoked, so I know that OAM thinks the ATN has failed.

      I’ve been trying to nail this problem down, but it looks like after the the IdP and SP authentications succeed, OAM is throwing a NumberFormatException when it tries to process a DAP token. I’m pretty sure that OAM is able to decrypt the DAP token, because I have logging set to TRACE:32 on OAM and can see the decrypted tap_token_body.

      The problem is that that tap_token_body has a number of fields that are coming in a null (the “Expriy Time” (Oracle’s spelling :), etc.), and that OAM code throws that NumberFormatException, and then eventually the ATN fails.

      One of the differences is that I’m using a “real” Apache, with an OAM 10g Apache webgate, rather than OHS. I don’t know if that makes a difference, but if it does, is there a way to do this integration with using Apache, rather than OHS?


    6. Gopi says:

      Hi Jim,
      I am also facing exactly the same issue (ATN fails) that you facing. Did you ever get resolved this? If you have a solution for this, please reply.

    7. JL says:

      Hi Gopi,

      I couldn’t get it working using the OSSO SP Plugin. I had enabled TRACE:32 on OAM, and the problem was occurring at the very end, when OAM was trying to extract the information from the DAP token, but from the debug, it looked like there were a number of fields in the token that were null.

      I think, but am not sure, that the problem that I was trying to use this integration with a “real” Apache+webgate, rather than an OHS+webgate.

      We’re just starting to work with OAM 11gR2/11.1.2, and I noticed that OAM 11.1.2 includes a section for configuring with identity federation. From what I saw, it allows you to configure OAM as an SP directly, rather than having to use the SP interface in OIF. So, I used OAM as an SP talking to OIF as the IdP, and the configuration was relatively simple, and works.

      So, if you have 11gR2, try that for the SP.

      11.1.2 also has several Federation modules and schemes out-of-box for after you’ve setup OAM as an SP, and they’re ok as starters, but may need to be tweaked to provide my full use case.

      Good luck,

    8. Gopi says:

      Hi Jim,

      Thanks for your quick reply. I’m working with OAM 11gR2/11.1.2 only. I too noticed the identity federation service that coexists with OAM earlier. That time I thought we can configure it only as IdP. I am a newbie and not aware of much of these.
      My use case is pretty much simillar to yours I guess. Can you help me in solving this?

      My configuration is as follows….
      1. Machine M1 is configured with OAM
      2. Machine M2 is configured with OIF as IdP

      My use case is as follows….
      1. I want to access the protected resource of M1
      2. The user unauthenticated by OAM (i.e., who is not present in identity store of OAM) has to be redirected to OIF for authentication.

      3. From OIF the user details has to be federated to OAM so that he will be authorized at OAM and access the resource if he had permission.

      This is my use case.

      Now tell me how to do the following…
      1. How to configure the identity federation coexisting with OAM 11gR2/11.1.2 as SP?

      2. Can OAM delegate the authentication of only specific users (as I specified in step2 of my use case)? If so, how can it be done?

      Please help me in solving these… I am working on these for the last 1 week, but I’m unable to do…


    9. Gopi says:

      Working with OHS+Webgate only…

      forgot to mention this.


    10. Gopi says:

      Hi Guys….

      if anyone of you know answer for my second previous comment, please reply

    11. JL says:


      For your case 2, if you have OAM 11gR2, take a look at the MT/Multi-tenant Plugin and Scheme, e.g., FederationMTPlugin. That has steps where it attempts to check for a local user first, and then if it fails, does a federated ATN.


    12. JL says:

      Atul (or anyone),

      If you have some understanding of possible OAM-OIF integrations, I have another question.

      I’m using OAM 11gR2, and with that, I’m using OAM as an SP using the “Identity Provider” configuration under “Identity Federation”, and have it working with OIF, but only with FORM login. In that configuration, I’m using FederationScheme in the OAM, then the SP inside OAM puts up a FORM login. After submit, it redirects to OIF, sending a get with a samlv20 request.

      That’s all working fine here now, but now I need to look at how to be able to do X509 ATN.

      I kind of understand the two models of delegating, but for example, if you use OIF delegating ATN to OAM (i.e., OAM as an OIF ATN Engine), it looks like the way that works is that a user has to come to the OIF through a webgate (in order to get OAM_REMOTE_USER after ATN’ing). I got that part.

      But, if I have a resource protected by OAM policy, that means the request goes through two webgates (one in front of the OIF, and one in front of the OAM-protected resource) so I’m ending up with two ObSSOCookie cookies (FYI, working only with Apache 10g webgates), and things break when that happens. I have an SR with Oracle, but they haven’t responded in two+ days, and I’m pretty much stuck on this, so if you know how this integration is suppose to work, can you please post info?


    13. sampal says:

      Hello Atul,

      In our current environment we have OIF integrated with OAM in authentication mode. OIF is acting as the identity provider to different external applications. We want to protect the applictaions using two different authentictaion schemes – Form based and Kerberos. However in oam when we protect /fed/user/authnoam we can use only one authentication scheme – either kerberos/form based. We have used virtual hosts configuration in Apache server too. ( It didnot work )

      Can you please let me know how can we protect applictaion with multiple authentication schemes from OAM.

    Leave a Reply

  • K21 Technologies is among the most experienced Oracle Gold Partner for Identity Access Management service providers. We work with application development companies and in-house technology division to help achieve significant returns on their IT security investment. Our clientele includes some of the globally renowned corporate, which speaks of our expertise in our field.

    We have the most talented and experienced team that can swiftly deploy security solutions even in complex IT ecosystem. Our clients highly appreciate our timely implementation, interactive training, on-demand support and community resources.

    K21 Technologies
    8 Magnolia Place, Harrow,
    London, HA2 6DS

    UK: +44(0)7476444481
    USA: +1-888-414-1821

  • 2014, K21 Technologies. All rights reserved DMCA.com
  • TOP