
  • OAM – OIF integration : Login Fails when value for attribute cn is different than uid in LDAP Store

    Posted by "" in "oam, oif" on 2012-04-11

    I recently integrated OAM with OIF, with OAM configured to use the OIF SP Integration Module. In this integration the OAM resource is protected by the authentication scheme OIFScheme, and OAM delegates authentication to OIF. More on Federation basics here.

    • A user entry in the LDAP store can have several attributes defined, such as firstname, lastname, cn, uid and mail.

    By default OIF sends to OAM the value of the attribute (uid, cn or mail) configured as the User Name Attribute on the OIF OSSO SP Integration Module screen. In my case this is set to uid.

    My OIF-OAM integration works fine for users whose cn value is the same as their uid value. It fails (error below) for users whose cn value differs from the value stored in uid.

    In the OAM Server diagnostic logs at $DOMAIN_HOME/servers/<oam_server1>/logs/

    ____

    <Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20086> <Locate user via a specific attribute failed for attr cn and value oidiuseruid>
    <Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.engine.authn> <OAMSSA-12126> <Cannot assert the username from DAP token.>
    <Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20086> <Locate user via a specific attribute failed for attr cn and value oiduseruid>
    <Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.engine.authn> <OAMSSA-12126> <Cannot assert the username from DAP token.>
    <Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20086> <Locate user via a specific attribute failed for attr cn and value oiduseruid>

    ____

    For this user, the uid attribute is set to oiduseruid and the cn attribute is set to oidusercn.

    Root Cause: OIF sends the value stored in uid (oiduseruid), because uid is the User Name Attribute set in the OIF OSSO SP Integration Module, whereas OAM tries to match that value against the value stored in cn (oidusercn).

    Bug: OAM hard-codes the attribute used for this comparison in the configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml

    ____
    <Setting Name="DAPModules" Type="htf:map">
      <Setting Name="7DASE52D" Type="htf:map">
        <Setting Name="name" Type="xsd:string">DAP</Setting>
        <Setting Name="MatchLDAPAttribute" Type="xsd:string">cn</Setting>
        ******
      </Setting>
    ____

    Fix: Shut down the WebLogic Admin Server and the Managed Server where the OAM server is deployed. Update the value of the MatchLDAPAttribute setting under DAPModules from cn to uid (the same attribute defined as the User Name Attribute in the OIF OSSO Integration Module), then start the servers again.
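    To make the mechanism concrete, here is an added Python example (not code from the original post, and not Oracle's implementation). It parses a constructed oam-config.xml fragment modelled on the DAPModules section above, looks the username carried in the DAP token up against a constructed in-memory user store the way the log describes ("locate user via a specific attribute"), flags any DAP module whose MatchLDAPAttribute differs from the attribute OIF sends, and applies the cn-to-uid change. Only the module id 7DASE52D and the attribute names come from the post; the user entries, function names and the pre-flight check are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the DAPModules section quoted in the post.
# The module id 7DASE52D is taken from the post; everything else is illustrative.
OAM_CONFIG_XML = """<Setting Name="DAPModules" Type="htf:map">
  <Setting Name="7DASE52D" Type="htf:map">
    <Setting Name="name" Type="xsd:string">DAP</Setting>
    <Setting Name="MatchLDAPAttribute" Type="xsd:string">cn</Setting>
  </Setting>
</Setting>"""

# Constructed LDAP entries (not from a real directory). The second entry is the
# failing case from the post: uid is oiduseruid but cn is oidusercn.
USER_STORE = [
    {"dn": "cn=samecn,cn=Users,dc=example,dc=com", "uid": "samecn", "cn": "samecn"},
    {"dn": "cn=oidusercn,cn=Users,dc=example,dc=com", "uid": "oiduseruid", "cn": "oidusercn"},
]

# The attribute OIF sends, i.e. the User Name Attribute on the OSSO SP
# Integration Module screen (uid in the post).
OIF_USER_NAME_ATTRIBUTE = "uid"


def match_ldap_attributes(config_xml):
    """Return {dap_module_id: MatchLDAPAttribute} for each module in the fragment."""
    root = ET.fromstring(config_xml)
    found = {}
    for module in root.findall("Setting[@Type='htf:map']"):
        setting = module.find("Setting[@Name='MatchLDAPAttribute']")
        if setting is not None:
            found[module.get("Name")] = (setting.text or "").strip()
    return found


def locate_user(store, attr, value):
    """Mimic OAM's 'locate user via a specific attribute': exactly one entry
    whose attr equals value, else None (the OAMSSA-20086 situation)."""
    matches = [entry for entry in store if entry.get(attr) == value]
    return matches[0] if len(matches) == 1 else None


def assert_dap_username(store, config_xml, module_id, dap_username):
    """Assert the username carried in the DAP token the way the post describes:
    compare it against the configured MatchLDAPAttribute in the user store.
    Returns (True, dn) on success or (False, diagnostic) on failure."""
    attr = match_ldap_attributes(config_xml)[module_id]
    entry = locate_user(store, attr, dap_username)
    if entry is None:
        return False, f"locate user failed for attr {attr} and value {dap_username}"
    return True, entry["dn"]


def mismatched_modules(config_xml, oif_attribute):
    """Pre-flight check: DAP modules whose MatchLDAPAttribute differs from the
    attribute OIF sends. A non-empty result predicts the OAMSSA-20086 errors."""
    return {mid: attr for mid, attr in match_ldap_attributes(config_xml).items()
            if attr != oif_attribute}


def set_match_ldap_attribute(config_xml, module_id, new_attr):
    """Apply the fix from the post: rewrite MatchLDAPAttribute for one DAP module
    and return the updated XML text."""
    root = ET.fromstring(config_xml)
    module = root.find(f"Setting[@Name='{module_id}']")
    if module is None:
        raise KeyError(f"no DAP module {module_id} under DAPModules")
    setting = module.find("Setting[@Name='MatchLDAPAttribute']")
    if setting is None:
        raise KeyError(f"module {module_id} has no MatchLDAPAttribute setting")
    setting.text = new_attr
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before fix:", assert_dap_username(USER_STORE, OAM_CONFIG_XML, "7DASE52D", "oiduseruid"))
    print("mismatch:  ", mismatched_modules(OAM_CONFIG_XML, OIF_USER_NAME_ATTRIBUTE))
    fixed = set_match_ldap_attribute(OAM_CONFIG_XML, "7DASE52D", OIF_USER_NAME_ATTRIBUTE)
    print("after fix: ", assert_dap_username(USER_STORE, fixed, "7DASE52D", "oiduseruid"))
```

    The mismatch check is the part worth keeping: run it against the real oam-config.xml (with the outer Settings stripped down to the DAPModules map) whenever the User Name Attribute on the OIF side changes, so the two ends of the integration never silently disagree on which attribute identifies a user.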

    If you are hitting any OIF integration issue, or are confused about OIF integration with Facebook, Google or OpenID, post your doubt/issue in the comments section.


    21 Responses to “OAM – OIF integration : Login Fails when value for attribute cn is different than uid in LDAP Store”

    1. kjj1983 says:

      Hi Atul,

      I am having trouble configuring OAM-OIF with Google Apps.

      As per my understanding Google Apps is the idp and OIF is configured as SP.

      At this point, I am really not sure how to integrate, and what the behaviour should be after integration. I have followed the steps mentioned in the Oracle docs but no luck.

      Can you please share some insight on it.

      Thanks

      • Atul Kumar says:

        @ kjj1983,
        Are you

        a) using google apps like gdoc, gtalk, gmail …and authenticating against OIF using user store from your company or
        b) using your company resource protected by OIF and authenticating using google username/password

        If a) Then google apps is acting as service provider and OIF(deployed in your company) as Identity provider

        If b) Then OIF (deployed in your company) is acting as service provider and google as Identity provider

        I hope this is clear now.

        You mentioned that “I have followed the steps mentioned in oracle” – which doc are you following ?

    2. kjj1983 says:

      Hi Atul –

      I have followed the blog post from Warren Strange and have configured Google as IDP. Now for the integration between OAM & OIF I followed the following
      http://docs.oracle.com/cd/E14571_01/doc.1111/e15740/oif.htm

      I have done the above.

      OIF 11.1.1.6 & OAM 11.1.1.5. I have done the integration using Service Provider Integration Modules Oracle Single Sign On. Not sure if this is the right configuration.

      And do I also need to follow the following section in 3.2.3 Deploying Oracle Identity Federation with Oracle Access Manager

      http://docs.oracle.com/cd/E15523_01/oim.1111/e13400/deployment.htm#BABBFDEG

      Please advise.

      Thanks
      Kunal Jain

      • Atul Kumar says:

        @ Kunal Jain,

        If you want the Oracle stack to be the SP (relying party) and google as IdP/OP (Identity Provider or OpenID Provider) then you are on the right track.

        There are a few bugs in OAM-OIF integration with OAM BP02 (11.1.1.5.2); I will cover these on the blog in my upcoming posts.

    3. kjj1983 says:

      Hi Atul –

      If you can give me your email address, I can send you the document with screen shots, so that you can verify if it is correct.

      Thanks
      Kunal Jain
      jkunal@gmail.com

    4. kjj1983 says:

      And also, does OID support auto federation, i.e. if the OpenID account is not present in the RP, will it automatically create one?

      If a new user logs in, can the product automatically create an account?

    5. kjj1983 says:

      On trying to access

      http://oamoifdemo.mycorp.com:7779/fedpartner/index.html (Resource protected by OIFScheme in OAM)

      I am redirected to

      Warning
      http://oamoifdemo.mycorp.com:14100/oam/server/dap/cred_submit?osso_sassoToken=v1.0%…%3D

      A page on the public Internet requests data from your private intranet. For security reasons, automatic access is blocked, but you may choose to continue.

      Continue

      Always continue when data is requested from this server on my private intranet

      On clicking Continue – I get the following page. olab2.mycorp.com is my OIF Server.

      This document you requested has moved temporarily.

      It’s now at http://olab2.mycorp.com:7777/fed/user/sposso?osso_spToken=NEVGMEQyOUU0ODZERjU0QUIzRjY3Q35EQ0JDRTNDNkMwODlCNjQ3RTFEOUQwODQ0NUM2NzFEOERBMDM1OENBfjc5QTYzRDI5Q0RCNTdGQkNFNzIxQkVCOUQ4QUU2MjkwfjBENDUxNDdFOEM1RkVGRDM0OTI4NTREMTJEOENBNkUwNzcwNTY1NjEwNURGNkJERkQzRTBCN0Y2NDhGMEE5OEUzRTFGMUZDRTM5NUUyNzQ0ODU5MDYyNDlBRTU2NDM1OEU0NjVFQjY4OUY0NUFDMkFERjFFODlENjQ3NDI0REQ3NzAyQ0Y0NTZFNDYwNDJGQkZGMzYzRDhCODg5RjJBODA4MTQ3RkE1NDI2RjVGMzg1MkU1QTkyRUUyREUzOUM0NEI4OENBOUUwMEIwQzIxNTU3NzRCMTAyMzk1NkI1RUZFRDQ4NEQxRkIwMENCNzYwNzkxRUI1ODU0NjQ5MUNBNzk%3D&TapSubmitURL=http%3A%2F%2Foamoifdemo.mycorp.com%3A14100%2Foam%2Fserver%2Fdap%2Fcred_submit&authn_try_count=0&contextType=external&TAPPartnerId=OIFDAPPartner&daptoken=string&challenge_url=http%3A%2F%2Folab2.mycorp.com%3A7777%2Ffed%2Fuser%2Fsposso&request_id=-4197816456572239837&locale=en_US.

      • Atul Kumar says:

        Don’t go for OAM test directly. First check if OIF (SP) test page is working with Google OP (IdP).

        I hope you are using OpenID 2.0.

        What is your OIF version and weblogic version ? (I can build same environment at my end to test this setup)

    6. kjj1983 says:

      OIF – Google integration is working.

      So when I try to access the protected resource (OIFScheme protected), I am redirected to the google login.

      After logging in I am supposed to be redirected to the above protected page.

      OAM 11.1.1.5 – WLS 10.3.5
      OIF 11.1.1.6 – WLS 10.3.6

    7. kjj1983 says:

      Atul –

      Do we also need to follow the document at http://docs.oracle.com/cd/E28389_01/oim.1111/e13400/deployment.htm#BABCAECB

      3.2.4 Oracle Identity Federation/SP Authenticating to Oracle Access Manager

    8. Atul Kumar says:

      @ kjj1983,
      NO, don’t configure OIF SP authenticating to OAM. You want OIF SP to authenticate to the google OP (OpenID Provider), which as per you is already working.

      I am assuming your requirement is that users in Oracle system should be able to login using google account via Open ID federation.

    9. kjj1983 says:

      @Atul –

      Yes the requirement is that the users in LDAP should be able to login using google via Open ID federation.

      For e.g.

      kunal@mycorp.com should be able to get authenticated through google and via OIF should be able to authenticate with OAM and access the protected resource.

    10. Atul Kumar says:

      @ kjj1983
      Where is password for kunal@mycorp.com stored ?

    11. kjj1983 says:

      kunal@mycorp.com is a google apps account. So we already have a google apps account created.

    12. kjj1983 says:

      Hi Atul –

      Can you please help.

      Following is the log error when I try to access the OIFScheme protected resource.

      I am integrating this with dossia server.

      <Exception: {0}
      oracle.security.fed.controller.web.action.exceptions.ResponseHandlerException: OpenID XRDS document location could not be determined: {Date=Tue, 01 May 2012 06:15:10 GMT, Content-Length=2996, Content-Type=text/html;charset=windows-1252, Connection=close, Server=Apache/2.2.3 (CentOS)}
      at oracle.security.fed.http.flow.profiles.sp.OpenIDV20RetrieveXRDSResponseHandler.perform(OpenIDV20RetrieveXRDSResponseHandler.java:102)
      at oracle.security.fed.controller.ApplicationController.processServletRequest(ApplicationController.java:338)
      at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(FederationServlet.java:142)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
      at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
      at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:526)
      at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:253)
      at oracle.security.fed.controller.web.flow.URLContextTarget.perform(URLContextTarget.java:84)
      at oracle.security.fed.controller.ApplicationController.processServletRequest(ApplicationController.java:370)
      at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(FederationServlet.java:142)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
      at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
      at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
      at java.security.AccessController.doPrivileged(Native Method)
      at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
      at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
      at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
      at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
      at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
      at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
      at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
      at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)

      • Atul Kumar says:

        @ kjj1983

        Your issue is “OpenID XRDS document location could not be determined”. Please share what steps you did to configure OIF with Dossia using openID ?

        • Atul Kumar says:

          @ kjj1983,
          In the document you shared with me, you used the Discovery URL https://dev-openid.dossia.org. Where did you get this information? Is this not an Endpoint URL?

          Endpoint URL: This is the URL where the user is redirected at the OP for authentication. You used https://dev-openid.dossia.org as end point URL which looks OK to me

          however

          Discovery URL: This is the URL where the OP publishes its XRDS metadata. In your case you used https://dev-openid.dossia.org as the Discovery URL, so OIF expects XRDS metadata at this location and it can’t find any XRDS metadata there from Dossia.
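      The distinction drawn in the reply above (Discovery URL versus Endpoint URL) is what an OpenID 2.0 relying party's Yadis discovery step relies on. The following Python example is added here and is not part of the comment thread, nor OIF's code: it walks the three ways an OP can announce its XRDS document (an application/xrds+xml response, an X-XRDS-Location header, or an equivalent meta tag), reads the OP endpoint out of the XRDS, and shows that a Discovery URL which only returns an ordinary HTML page ends in the "XRDS document location could not be determined" condition. All URLs and responses are constructed for the example; the real Dossia endpoints are not contacted.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XRDS_NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"

# Constructed HTTP responses keyed by URL; this stands in for a real HTTP client.
RESPONSES = {
    # A plain login page with no XRDS pointer: the failing Discovery URL case.
    "https://op.example/": (
        {"Content-Type": "text/html;charset=windows-1252"},
        "<html><head><title>Welcome</title></head><body>login page</body></html>",
    ),
    # Pointer carried in the X-XRDS-Location response header.
    "https://op.example/discover": (
        {"Content-Type": "text/html", "X-XRDS-Location": "https://op.example/xrds"},
        "<html><head><title>Discovery</title></head><body></body></html>",
    ),
    # Pointer carried in a <meta http-equiv="X-XRDS-Location"> tag.
    "https://op.example/meta": (
        {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="X-XRDS-Location" '
        'content="https://op.example/xrds"></head><body></body></html>',
    ),
    # The XRDS document itself, listing the OP endpoint.
    "https://op.example/xrds": (
        {"Content-Type": "application/xrds+xml"},
        """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>""",
    ),
}


def fetch(url):
    """Return (lower-cased headers, body) from the constructed response table."""
    headers, body = RESPONSES[url]
    return {k.lower(): v for k, v in headers.items()}, body


class _MetaXrdsLocation(HTMLParser):
    """Collects the content of a <meta http-equiv="X-XRDS-Location"> tag, if any."""
    def __init__(self):
        super().__init__()
        self.location = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "x-xrds-location":
            self.location = a.get("content")


def xrds_location(discovery_url):
    """Yadis discovery: where is the XRDS document for this Discovery URL?
    Returns None when the response gives no pointer at all."""
    headers, body = fetch(discovery_url)
    if headers.get("content-type", "").startswith("application/xrds+xml"):
        return discovery_url            # the Discovery URL is the XRDS itself
    if "x-xrds-location" in headers:
        return headers["x-xrds-location"]
    parser = _MetaXrdsLocation()
    parser.feed(body)
    return parser.location              # may be None: nothing to go on


def op_endpoint(discovery_url):
    """Resolve the OpenID 2.0 OP endpoint from a Discovery URL, or raise ValueError."""
    location = xrds_location(discovery_url)
    if location is None:
        raise ValueError(
            f"OpenID XRDS document location could not be determined for {discovery_url}")
    _, xrds = fetch(location)
    root = ET.fromstring(xrds)
    for service in root.iter("{xri://$xrd*($v*2.0)}Service"):
        types = [t.text.strip() for t in service.findall("xrd:Type", XRDS_NS)]
        if OPENID2_SERVER in types:
            return service.find("xrd:URI", XRDS_NS).text.strip()
    raise ValueError(f"XRDS at {location} lists no OpenID 2.0 OP endpoint")


if __name__ == "__main__":
    for url in ("https://op.example/discover", "https://op.example/meta", "https://op.example/"):
        try:
            print(url, "->", op_endpoint(url))
        except ValueError as err:
            print(url, "->", err)
```

      The practical reading for an SP configuration: the Discovery URL must be something whose response leads to an XRDS document by one of these three routes, while the Endpoint URL is the value found inside that XRDS (or entered by hand when discovery is not used); entering the same login-page URL in both fields gives the parser nothing to find.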

    13. puneet bassi says:

      Hi Atul,
      We are trying to integrate facebook acting as IDP and OIF 11.1.1.5 as SP. Is there any guide or document to achieve this?

    14. MohaKumar says:

      Hi Atul,

      I am using OIF 10g and my data store is OAM 10g (integrated OAM & OIF). I have multiple directory profiles in OAM; let’s say ssoroot.local is the main node and its children are SSOchilda.ssoroot.local and SSOchildb.ssoroot.local.

      When I configured a SAML application and tried to access the application, I was able to log in with all the users in the root node, whereas the users in the child nodes are unable to log in and get the error below. Yet when I search for users I am able to find all of them, in the root node as well as in the child nodes.

      F.Y.I.,

      ERROR – javax.naming.NameNotFoundException: [LDAP: error code 32 – 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
      ‘DC=ssoroot,DC=local’
      ] [Root exception is com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 – 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
      ref 1: ‘ssoroot.local’
      ]; remaining name ‘CN=mohan kumar,CN=Users,DC=ssochilda,DC=ssoroot,DC=local,dc=ssoroot,dc=local’]; remaining name ”
      13/02/20 23:03:48: ERROR – No value in user record for Name ID Policy requested: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

      Please help me regarding this error.

      Thanks,
      Mohankumar.Koribilli
