OAM – OIF integration : Login Fails when value of attribute cn is different from uid in LDAP Store

I recently integrated OAM with OIF, with OAM configured as the OIF SP Integration Module. In this integration an OAM resource is protected by the authentication scheme OIFScheme, and OAM delegates authentication to OIF. More on Federation basics here

  • A user can have multiple attributes defined, such as firstname, lastname, cn, uid, mail...

By default OIF sends to OAM the attribute (uid, cn or mail) that is defined as the User Name Attribute on the OIF OSSO SP Integration Module screen. In my case this is set to uid.

My OIF-OAM integration works fine for users whose cn value is the same as their uid value. It fails (error below) for users whose cn value is different from the value stored in attribute uid.
In the OAM Server diagnostic logs at $DOMAIN_HOME/servers/<oam_server1>/logs/ :

_____

<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20086> <Locate user via a specific attribute failed for attr cn and value oiduseruid>
<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.engine.authn> <OAMSSA-12126> <Cannot assert the username from DAP token.>
<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20086> <Locate user via a specific attribute failed for attr cn and value oiduseruid>
<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.engine.authn> <OAMSSA-12126> <Cannot assert the username from DAP token.>
<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20086> <Locate user via a specific attribute failed for attr cn and value oiduseruid>

____

For this user the value of attribute uid is oiduseruid and the value of attribute cn is oidusercn.

Root Cause :  OIF is sending the value stored in attribute uid (oiduseruid), because of the User Name Attribute set in the OIF OSSO SP Integration Module, whereas OAM is trying to locate the user by attribute cn, whose value for this user is oidusercn. A lookup of cn=oiduseruid matches nothing, which is exactly what OAMSSA-20086 reports, and OAM then cannot assert the username from the DAP token (OAMSSA-12126). The two settings only happen to agree for users whose cn and uid values are identical, which is why the problem is invisible in a test store populated that way.

Bug: OAM hard codes the attribute it compares against in the configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml (setting MatchLDAPAttribute under DAPModules):

____
<Setting Name="DAPModules" Type="htf:map">
  <Setting Name="7DASE52D" Type="htf:map">
    <Setting Name="name" Type="xsd:string">DAP</Setting>
    <Setting Name="MatchLDAPAttribute" Type="xsd:string">cn</Setting>
    ******
</Setting>
____

Fix : Shut down the WebLogic Admin Server and the Managed Server where the OAM server is deployed (OAM reads oam-config.xml at startup, and a running server can overwrite a manual edit). Take a backup of oam-config.xml, then update the value of setting MatchLDAPAttribute under DAPModules from cn to uid (the same attribute defined as User Name Attribute in the OIF OSSO SP Integration Module) and start the servers again. Whichever attribute you pick, it must be the same on both sides and its values must be unique in the identity store: OAM locates the user by that one attribute, so a value shared by two entries would be ambiguous.
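To make the root cause and the fix concrete, here is an added example (it is not code from this post or from Oracle) that replays the OIF-to-OAM hand-off against a small in-memory identity store and checks an oam-config.xml fragment for the mismatch. Only the setting names DAPModules and MatchLDAPAttribute and the two sample values oiduseruid and oidusercn come from the post; the directory entries, the base DN dc=example,dc=com, the second user and all function names are constructed for this example.

```python
"""Added example (not code from the post or from Oracle): replay the OIF -> OAM
hand-off against a small in-memory identity store and check an oam-config.xml
fragment for the uid/cn mismatch the post describes.

Only the setting names (DAPModules, MatchLDAPAttribute) and the two sample
values (oiduseruid, oidusercn) come from the post; the directory entries,
the base DN and every function name here are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed identity-store entries: the post's problem user (cn != uid)
# and a user for whom cn == uid, which is why the bug goes unnoticed for them.
USERS = [
    {"dn": "cn=oidusercn,cn=Users,dc=example,dc=com",
     "uid": "oiduseruid", "cn": "oidusercn", "mail": "oiduser@example.com"},
    {"dn": "cn=jdoe,cn=Users,dc=example,dc=com",
     "uid": "jdoe", "cn": "jdoe", "mail": "jdoe@example.com"},
]

# Constructed oam-config.xml fragment with the DAPModules setting from the post
# (the real file is far larger; only this subtree matters here).
OAM_CONFIG = """<Setting Name="DAPModules" Type="htf:map">
  <Setting Name="7DASE52D" Type="htf:map">
    <Setting Name="name" Type="xsd:string">DAP</Setting>
    <Setting Name="MatchLDAPAttribute" Type="xsd:string">cn</Setting>
  </Setting>
</Setting>"""


def locate_user(users, attr, value):
    """Model OAM's 'locate user via a specific attribute' step: the single entry
    whose `attr` equals the asserted value, None when nothing matches.
    A non-unique attribute is an error: OAM must not guess between two users."""
    matches = [u for u in users if u.get(attr) == value]
    if len(matches) > 1:
        raise ValueError(f"attribute {attr!r} is not unique for value {value!r}")
    return matches[0] if matches else None


def match_ldap_attributes(config_xml):
    """Map each DAP module id to its MatchLDAPAttribute value."""
    root = ET.fromstring(config_xml)
    attrs = {}
    for module in root.findall("./Setting[@Type='htf:map']"):
        setting = module.find("./Setting[@Name='MatchLDAPAttribute']")
        if setting is not None:
            attrs[module.get("Name")] = (setting.text or "").strip()
    return attrs


def misaligned_modules(config_xml, oif_username_attr):
    """DAP modules whose lookup attribute differs from the attribute OIF asserts
    (the User Name Attribute on the OIF OSSO SP Integration Module screen)."""
    return sorted(m for m, a in match_ldap_attributes(config_xml).items()
                  if a != oif_username_attr)


def align_config(config_xml, oif_username_attr):
    """Return the fragment with every MatchLDAPAttribute set to the OIF attribute.
    On a real system do this with the Admin and OAM managed servers stopped."""
    root = ET.fromstring(config_xml)
    for setting in root.iter("Setting"):
        if setting.get("Name") == "MatchLDAPAttribute":
            setting.text = oif_username_attr
    return ET.tostring(root, encoding="unicode")


def simulate_login(users, config_xml, oif_username_attr, user):
    """OIF sends user[oif_username_attr] in the DAP token; each OAM DAP module
    then looks that value up via its own MatchLDAPAttribute.
    Returns {module_id: located entry or None}."""
    asserted = user[oif_username_attr]
    return {module: locate_user(users, attr, asserted)
            for module, attr in match_ldap_attributes(config_xml).items()}


if __name__ == "__main__":
    problem_user = USERS[0]
    print("misaligned modules:", misaligned_modules(OAM_CONFIG, "uid"))
    print("before fix:", simulate_login(USERS, OAM_CONFIG, "uid", problem_user))
    fixed = align_config(OAM_CONFIG, "uid")
    print("after fix:", simulate_login(USERS, fixed, "uid", problem_user))
```

Running it shows the jdoe entry resolving with either setting while the oiduseruid/oidusercn entry resolves only after MatchLDAPAttribute is changed to uid; `misaligned_modules` is the check to run against the real oam-config.xml before and after the edit. `align_config` is a demonstration only: on a live domain, stop the servers and edit the file as described above rather than rewriting it with a script.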

Hitting an OIF integration issue, or confused about OIF integration with Facebook, Google or OpenID? Post your doubt/issue in the comments section.

 

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


21 comments
kjj1983 says April 24, 2012

Hi Atul,

I am having trouble configuring OAM-OIF with Google Apps.

As per my understanding Google Apps is the idp and OIF is configured as SP.

At this point I am really not sure how to integrate it, and what the behavior should be post-integration. I have followed the steps mentioned in the Oracle docs but no luck.

Can you please share some insight on it.

Thanks

    Atul Kumar says April 24, 2012

    @ kjj1983,
    Are you

    a) using Google apps like GDocs, GTalk, Gmail ... and authenticating against OIF using the user store from your company, or
    b) using your company resource protected by OIF and authenticating using a Google username/password

    If a) Then google apps is acting as service provider and OIF(deployed in your company) as Identity provider

    If b) Then OIF (deployed in your company) is acting as service provider and google as Identity provider

    I hope this is clear now.

    You mentioned that "I have followed the steps mentioned in oracle" – which doc are you following?

kjj1983 says April 26, 2012

Hi Atul –

I have followed the blog post from Warren Strange and have configured Google as IdP. Now for the integration between OAM & OIF I followed the following:
http://docs.oracle.com/cd/E14571_01/doc.1111/e15740/oif.htm

I have done the above.

OIF 11.1.1.6 & OAM 11.1.1.5. I have done the integration using Service Provider Integration Modules Oracle Single Sign On. Not sure if this the right configuration.

And do I also need to follow the following section in 3.2.3 Deploying Oracle Identity Federation with Oracle Access Manager

http://docs.oracle.com/cd/E15523_01/oim.1111/e13400/deployment.htm#BABBFDEG

Please advise.

Thanks
Kunal Jain

    Atul Kumar says April 26, 2012

    @ Kunal Jain,

    If you want the Oracle stack to be the SP (relying party) and Google the IdP/OP (Identity Provider or OpenID Provider), then you are on the right track.

    There are few bugs in OAM-OIF integration with OAM BP02 (11.1.1.5.2), I will cover these on blog in my upcoming posts.

kjj1983 says April 26, 2012

Hi Atul –

If you can give me your email address, I can send you the document with screen shots, so that you can verify if it is correct.

Thanks
Kunal Jain
jkunal@gmail.com

kjj1983 says April 26, 2012

And also, does OID support auto federation, i.e. if the OpenID account is not present in the RP, will it automatically create one?

If a new user logs in, can the product automatically create an account?

kjj1983 says April 26, 2012

On trying to access

http://oamoifdemo.mycorp.com:7779/fedpartner/index.html (Resource protected by OIFScheme in OAM)

I am redirected to

Warning
http://oamoifdemo.mycorp.com:14100/oam/server/dap/cred_submit?osso_sassoToken=v1.0%...%3D

A page on the public Internet requests data from your private intranet. For security reasons, automatic access is blocked, but you may choose to continue.

Continue

Always continue when data is requested from this server on my private intranet

On clicking Continue – I get the following page. olab2.mycorp.com is my OIF Server.

This document you requested has moved temporarily.

It’s now at http://olab2.mycorp.com:7777/fed/user/sposso?osso_spToken=NEVGMEQyOUU0ODZERjU0QUIzRjY3Q35EQ0JDRTNDNkMwODlCNjQ3RTFEOUQwODQ0NUM2NzFEOERBMDM1OENBfjc5QTYzRDI5Q0RCNTdGQkNFNzIxQkVCOUQ4QUU2MjkwfjBENDUxNDdFOEM1RkVGRDM0OTI4NTREMTJEOENBNkUwNzcwNTY1NjEwNURGNkJERkQzRTBCN0Y2NDhGMEE5OEUzRTFGMUZDRTM5NUUyNzQ0ODU5MDYyNDlBRTU2NDM1OEU0NjVFQjY4OUY0NUFDMkFERjFFODlENjQ3NDI0REQ3NzAyQ0Y0NTZFNDYwNDJGQkZGMzYzRDhCODg5RjJBODA4MTQ3RkE1NDI2RjVGMzg1MkU1QTkyRUUyREUzOUM0NEI4OENBOUUwMEIwQzIxNTU3NzRCMTAyMzk1NkI1RUZFRDQ4NEQxRkIwMENCNzYwNzkxRUI1ODU0NjQ5MUNBNzk%3D&TapSubmitURL=http%3A%2F%2Foamoifdemo.mycorp.com%3A14100%2Foam%2Fserver%2Fdap%2Fcred_submit&authn_try_count=0&contextType=external&TAPPartnerId=OIFDAPPartner&daptoken=string&challenge_url=http%3A%2F%2Folab2.mycorp.com%3A7777%2Ffed%2Fuser%2Fsposso&request_id=-4197816456572239837&locale=en_US.

    Atul Kumar says April 26, 2012

    Don’t go for OAM test directly. First check if OIF (SP) test page is working with Google OP (IdP).

    I hope you are using OpenID 2.0.

    What is your OIF version and WebLogic version? (I can build the same environment at my end to test this setup.)

kjj1983 says April 26, 2012

OIF – Google integration is working.

So when I try to access the protected resource (OIFScheme protected), I am redirected to the Google login.

After logging in I am supposed to be redirected to the above protected page.

OAM 11.1.1.5 – WLS 10.3.5
OIF 11.1.1.6 – WLS 10.3.6

kjj1983 says April 26, 2012

Atul –

Do we also need to follow the document at http://docs.oracle.com/cd/E28389_01/oim.1111/e13400/deployment.htm#BABCAECB

3.2.4 Oracle Identity Federation/SP Authenticating to Oracle Access Manager

Atul Kumar says April 26, 2012

@ kjj1983,
NO, don't configure OIF SP authenticating to OAM. You want OIF SP to authenticate against the Google OP (OpenID Provider), which as per you is already working.

I am assuming your requirement is that users in Oracle system should be able to login using google account via Open ID federation.

kjj1983 says April 26, 2012

@Atul –

Yes the requirement is that the users in LDAP should be able to login using google via Open ID federation.

For e.g.

kunal@mycorp.com should be able to get authenticated through google and via OIF should be able to authenticate with OAM and access the protected resource.

Atul Kumar says April 26, 2012

@ kjj1983
Where is password for kunal@mycorp.com stored ?

kjj1983 says April 26, 2012

kunal@mycorp.com is a google apps account. So we already have a google apps account created.

kjj1983 says May 1, 2012

Hi Atul –

can you please help.

Following is the log error when I try to access the OIFScheme protected resource.

I am integrating this with dossia server.

<Exception: {0}
oracle.security.fed.controller.web.action.exceptions.ResponseHandlerException: OpenID XRDS document location could not be determined: {Date=Tue, 01 May 2012 06:15:10 GMT, Content-Length=2996, Content-Type=text/html;charset=windows-1252, Connection=close, Server=Apache/2.2.3 (CentOS)}
at oracle.security.fed.http.flow.profiles.sp.OpenIDV20RetrieveXRDSResponseHandler.perform(OpenIDV20RetrieveXRDSResponseHandler.java:102)
at oracle.security.fed.controller.ApplicationController.processServletRequest(ApplicationController.java:338)
at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(FederationServlet.java:142)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:526)
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:253)
at oracle.security.fed.controller.web.flow.URLContextTarget.perform(URLContextTarget.java:84)
at oracle.security.fed.controller.ApplicationController.processServletRequest(ApplicationController.java:370)
at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(FederationServlet.java:142)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)

    Atul Kumar says May 1, 2012

    @ kjj1983

    Your issue is "OpenID XRDS document location could not be determined". Please share what steps you did to configure OIF with Dossia using OpenID.

      Atul Kumar says May 1, 2012

      @ kjj1983,
      In document you shared with me, you used Discovery URL as https://dev-openid.dossia.org where did you get this information. Is this not an Endpoint URL ?

      Endpoint URL: This is the URL where the user is redirected at the OP for authentication. You used https://dev-openid.dossia.org as end point URL which looks OK to me

      however

      Discovery URL: This is the URL where the OP publishes its XRDS metadata. In your case you used https://dev-openid.dossia.org as the Discovery URL, so OIF expects XRDS metadata at this location and it can't find this XRDS metadata from Dossia.

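As an added example illustrating the Discovery URL versus Endpoint URL distinction in the reply above (this is not code from the post, the commenter or Oracle), the function below does what an OpenID 2.0 relying party such as OIF does with the body fetched from the Discovery URL: it expects an XRDS document advertising a server service and fails when it gets an HTML page back instead, which is the Content-Type text/html case the commenter's stack trace shows. The XRDS body, the HTML body, the endpoint https://op.example.org/openid/... and the function names are all constructed for this example and are not Dossia's real metadata.

```python
"""Added example (not code from the post, the commenter or Oracle): what an
OpenID 2.0 relying party such as OIF expects to fetch from the Discovery URL,
and why an HTML page there yields "OpenID XRDS document location could not be
determined".

The XRDS body, the HTML body and the https://op.example.org endpoints are
constructed for this example and are not Dossia's real metadata.
"""
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"  # OpenID 2.0 OP identifier service

# Constructed XRDS document in the shape an OP publishes at its discovery URL.
# Two server services with different priorities show the selection rule.
XRDS_OK = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.org/openid/backup</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://op.example.org/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed stand-in for what a wrong discovery URL usually returns: a login
# or landing page served as text/html, as in the commenter's stack trace.
HTML_PAGE = "<html><body><h1>Sign in</h1></body></html>"

XML_TYPES = ("application/xrds+xml", "application/xml", "text/xml")


class DiscoveryError(Exception):
    pass


def op_endpoint_from_xrds(body, content_type):
    """Return the OP endpoint URI advertised for the OpenID 2.0 server service.
    Lower `priority` wins; a Service without priority ranks last."""
    if not content_type.lower().startswith(XML_TYPES):
        raise DiscoveryError(f"discovery URL did not return XRDS (Content-Type: {content_type})")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise DiscoveryError(f"discovery URL returned malformed XML: {exc}") from exc
    if root.tag != f"{{{XRDS_NS}}}XRDS":
        raise DiscoveryError(f"root element is {root.tag}, not xrds:XRDS")
    candidates = []
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        uri = service.find(f"{{{XRD_NS}}}URI")
        if OP_SERVER_TYPE in types and uri is not None and uri.text:
            candidates.append((int(service.get("priority", 10**9)), uri.text.strip()))
    if not candidates:
        raise DiscoveryError("XRDS advertises no OpenID 2.0 server service")
    return min(candidates)[1]


def check_discovery(body, content_type):
    """(endpoint, None) when discovery succeeds, (None, reason) when it fails,
    so a configuration check can report the reason instead of raising."""
    try:
        return op_endpoint_from_xrds(body, content_type), None
    except DiscoveryError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(check_discovery(XRDS_OK, "application/xrds+xml"))
    print(check_discovery(HTML_PAGE, "text/html;charset=windows-1252"))
```

The practical check before configuring the OP in OIF is therefore to fetch the Discovery URL yourself and confirm that the response is XRDS (Content-Type application/xrds+xml, root element xrds:XRDS, a Service of type http://specs.openid.net/auth/2.0/server with a URI); the URI inside that document is the Endpoint URL, which is a different thing from the Discovery URL that serves the document.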
puneet bassi says May 15, 2012

Hi Atul,
We are trying to integrate Facebook acting as IdP and OIF 11.1.1.5 as SP. Is there any guide or document to achieve this?

MohaKumar says February 21, 2013

Hi Atul,

I am using OIF 10g and my data store is OAM 10g (integrated OAM & OIF). I have multiple directory profiles in OAM; let's say ssoroot.local is the main node and its children are SSOchilda.ssoroot.local and SSOchildb.ssoroot.local.

When I configured a SAML application and try to access the application, I am able to log in with all the users in the root node, whereas the users in the child nodes are unable to log in and get the error below. When I search the users I am able to find all of them, in the root node as well as in the child nodes.

F.Y.I..,

ERROR – javax.naming.NameNotFoundException: [LDAP: error code 32 – 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=ssoroot,DC=local'
] [Root exception is com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 – 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
ref 1: 'ssoroot.local'
]; remaining name 'CN=mohan kumar,CN=Users,DC=ssochilda,DC=ssoroot,DC=local,dc=ssoroot,dc=local']; remaining name ''
13/02/20 23:03:48: ERROR – No value in user record for Name ID Policy requested: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Please help me regarding this error.

Thanks,
Mohankumar.Koribilli
