36 comments
Please send me info on using multiple IdPs for a single SP using the OAM OIFAuth scheme.
I posted this on OTN and you said that if I need it now, I should add it to your comments.
@ Sunil,
Is an SP- or IdP-initiated SSO request with 1 IdP (default) working for you (using the OIF Scheme)?
If yes, then add the second IdP to the SP and then make an SP-initiated call with providerId as IdP2 and returnURL as a URL protected by the OIF scheme.
For example:
http://oif_sp_host/fed/sp/initiatesso?providerid=http://IdP_2/fed/idp&returnurl=http://ur_to_return
This URL will initiate SSO on the SP using the second IdP. After authentication from IdP2, the request is returned to http://ur_to_return, where ur_to_return is protected by OAM with the OIF authentication scheme.
Here OAM is already integrated with the OIF SP integration module.
There are a few bugs if you are on OAM 11.1.1.5 BP02, but I'll try to cover them in my post tomorrow.
Let me know if this is not clear to you.
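One way an application can generate that SP-initiated SSO link safely, as an added example that is not part of the original post or of Oracle's code: it percent-encodes the two query parameters and only accepts a providerid registered with the SP and a returnurl whose host sits behind OAM, so the link cannot be repurposed as a redirect to an arbitrary site. The hosts IdP_1, apps.example.internal and both allowlists are assumed sample values.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample values (hypothetical; oif_sp_host and IdP_2 follow the thread's naming).
SP_BASE = "http://oif_sp_host"
KNOWN_IDPS = {"http://IdP_1/fed/idp", "http://IdP_2/fed/idp"}   # IdPs registered with the SP
PROTECTED_HOSTS = {"apps.example.internal"}                      # hosts behind OAM + OIF scheme


def build_sp_initiated_sso_url(sp_base, provider_id, return_url,
                               known_idps=KNOWN_IDPS, protected_hosts=PROTECTED_HOSTS):
    """Return the OIF SP-initiated SSO URL: <sp>/fed/sp/initiatesso?providerid=..&returnurl=..

    providerid must be one of the IdPs registered with the SP, and returnurl must be an
    absolute http(s) URL on a host behind OAM (the resource protected by the OIF
    authentication scheme). Anything else is rejected before a link is produced.
    """
    if provider_id not in known_idps:
        raise ValueError(f"unknown IdP providerid: {provider_id!r}")
    ret = urlsplit(return_url)
    if ret.scheme not in ("http", "https") or not ret.hostname:
        raise ValueError(f"returnurl must be an absolute http(s) URL: {return_url!r}")
    if ret.hostname.lower() not in {h.lower() for h in protected_hosts}:
        raise ValueError(f"returnurl host {ret.hostname!r} is not an OAM-protected host")
    base = urlsplit(sp_base)
    # urlencode percent-encodes ':' and '/' so the embedded URLs survive as single values.
    query = urlencode({"providerid": provider_id, "returnurl": return_url})
    return urlunsplit((base.scheme, base.netloc, "/fed/sp/initiatesso", query, ""))


if __name__ == "__main__":
    print(build_sp_initiated_sso_url(SP_BASE, "http://IdP_2/fed/idp",
                                     "https://apps.example.internal/app/home"))
```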
Yes, my default is working. However, there is an issue with OSSO with OAM. There is a bug there and Oracle have confirmed it as a bug. My SR is with Oracle dev and it's been open since December, and they are still working on a fix for it.
So in my IdP-initiated SSO, I have this URL:
I currently have two OIF servers set up, one is IdP and the other is SP.
I use this URL for IdP-initiated SSO.
So, here the provider is the SP which has a "default SSO IdP Provider" associated with it.
When an IdP accesses a resource protected by OAM and is using the OIFAuthN scheme, OAM will forward to OIF (SP) and OIF (SP) will call its default IdP provider to authenticate.
So, looking at your URL, you have
http://oif_sp_host/fed/sp/initiatesso?providerid=http://IdP_2/fed/idp&returnurl=http://ur_to_return
This is different from mine. I have IdP as the first part of URL and you have SP. The provider in your URL is IdP and mine is SP. The third part is the protected resource to return to. That resource is protected by an OSSO agent in my case.
Why do I have my URL different? I was told to do it this way by Oracle. I think you are doing an SP-initiated SSO whereas I am trying to make IdP-initiated SSO work.
i.e. multiple IdPs will want access to my protected app and I am acting as an SP.
Is that the case?
@ Sunil,
You said: There is a bug there and Oracle have confirmed it as a bug. My SR is with oracle dev
AK: Yes, I had this bug in OAM 11.1.1.5 BP02 and the fix is to get a new oam_server.ear from Oracle Support and deploy it (this new oam_server.ear works for me). Or wait for OAM BP03, which is due at the end of May.
On your OIF setup,
You have two OIFs, one acting as IdP and the second as SP (which is not the same as having multiple IdPs). In my case I have three OIFs, one acting as SP (this is integrated with OAM using the SP integration module OSSO) and another two as IdPs (IdP1 and IdP2).
If you have just one IdP then set that IdP as the default IdP in the SP and then you don't have to provide the provider Id. Why do you think you have multiple IdPs (or am I missing something here)?
___
Why do I have my URL different. I was told to do it this way by oracle. I think you are doing a SP initiated SSO whereas I am trying to make IdP initiated SSO to work ?
I am doing an SP-initiated call and you are doing an IdP-initiated call, and for that reason the URLs are different. It does not matter if this is SP-initiated or IdP-initiated; both should create a session in OAM.
There is another bug for SP- or IdP-initiated calls in OAM 11.1.1.5 BP02 and the fix is to:
___
1. Login to OAM Console
2. Expand Application Domain -> IAM Suite
3. Click the Authentication Policies node, then click the Create button in the toolbar
4. Fill in the fresh Authentication Policy page:
a) Name: TAP Response Protected Policy
b) Description: TAP Response Protected Authentication Policy for OAMAgent
c) Authentication Scheme: TAPResponseOnlyScheme
5. Open the Resources node
6. Click the New Resource button in the upper-right corner of the Search page
7. On the Resource Definition page enter the following details:
a) Type: HTTP
b) Description: TAP Resource to be asserted against
c) Host Identifier: IAMSuiteAgent
d) Resource URL: /oamTAPResponseAssertResource
e) Protection Level: Protected
f) Authentication Policy: TAP Response Protected Policy
g) Authorization Policy: Protected Resource Policy
Click Apply
______
The TAP workaround is the result of me filing a bug and Oracle gave that as a workaround. And, yes, that does fix IdP-initiated SSO but this workaround breaks SP-initiated SSO for me. It now loops!
Oracle have reproduced this and called it a bug also and are working on a fix.
@ Sunil,
Good, thanks. Yes, I had the looping issue too and that is another bug. Ask support for Bug # 13812000.
I think we are working on similar implementations. Are you using OES and OEG too?
Let's chat sometime on the phone.
What you are saying is that there is a new ear file for OAM that I can apply? I already have BP02 applied and this ear is in addition to BP02?
I've asked Oracle many times but they never mentioned this ear file. Did you get it from support?
@ Sunil,
Yes, the problem with OAM BP02 integration with OIF (where OAM has delegated authentication to the OIF SP, which in turn delegates to the IdP) is that after the SAML assertion by the IdP the request comes to the SP (creates a session in OIF SP) and while creating the session in OAM the request redirects in a loop between OAM, SP and IdP. If this is what you are hitting then this is a bug and the temporary workaround is to get a new oam_server.ear from support (undeploy the existing oam_server.ear from WebLogic, which comes as part of OAM BP02, and deploy the new ear file). Ask product support to look for bug # 13812000
I think we are hit by Bug 13812000
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.controller.MasterController] [APP: oam_server] [SRC_METHOD: processEvent] MasterController: Flow Controller: oracle.security.am.engines.enginecontroller.SSOEngineController@2620e750, Event: oracle.security.am.controller.events.credcollect.DAPAssertCredentialsEvent@2270f5ea, Event Handler: CredCollectEngineController
[2012-05-15T06:58:58.087-07:00] [oam_server1] [NOTIFICATION:16] [OAM-02086] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [APP: oam_server] ssoFlowController: processing Event:CRED_CHECK_REQUEST_CREDS.
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.credcollect.CredCollectEngineController] [APP: oam_server] [SRC_METHOD: processEvent] ENTRY
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE] [OAM-02078] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.credcollect.CredCollectEngineController] [APP: oam_server] [SRC_METHOD: processEvent] Processing Event CRED_CHECK_REQUEST_CREDS
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.credcollect.CredCollectEngineController] [APP: oam_server] [SRC_METHOD: handleCheckRequestCredentialsEvent] Event execution status: fail
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.credcollect.CredCollectEngineController] [APP: oam_server] [SRC_METHOD: processEvent] RETURN oracle.security.am.controller.events.credcollect.CheckRequestCredentialsEvent@7861a781
[2012-05-15T06:58:58.087-07:00] [oam_server1] [NOTIFICATION:16] [OAM-02099] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [APP: oam_server] ssoFlowController: Event processing finished :CRED_CHECK_REQUEST_CREDS with status fail.
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.audit] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.common.audit.config.AuditConfigStore] [APP: oam_server] [SRC_METHOD: loadConfiguration] ENTRY
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.audit] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.common.audit.config.AuditConfigStore] [APP: oam_server] [SRC_METHOD: loadConfiguration] Returning t
Yes, I logged that bug, and patch p13834510_111152_Generic.zip fixes it.
I got a hotfix from Oracle and that fixed my issue with OAM/OIF.
That hotfix is going to be in BP03, due out at the end of May.
@ kjj1983
Thanks Sunil.
My 2 cents: after applying patch 13834510, undeploy the oam_server application and redeploy oam-server.ear from the one which comes as part of the patch. After the patch this file gets copied to the $ORACLE_HOME/oam/server/apps directory.
@Atul/Sunil –
Thanks for the patch info. After applying the patch the loop issue is gone, but now the issue is the below:
[2012-05-15T23:34:45.378-07:00] [oam_server1] [ERROR] [OAMSSA-20040] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Could not modify user attribute for user : cn, attribute : null, value : {2} .
[2012-05-15T23:34:45.378-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [SRC_CLASS: UserProviderImpl] [APP: oam_server] [SRC_METHOD: getUsersByAttribute] RETURN
[2012-05-15T23:34:45.379-07:00] [oam_server1] [ERROR] [OAMSSA-12126] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Cannot assert the username from DAP token.
[2012-05-15T23:34:45.381-07:00] [oam_server1] [TRACE] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [SRC_CLASS: oracle.security.am.engine.authn.internal.executor.AuthenticationSchemeExecutor] [APP: oam_server] [SRC_METHOD: execute] User is authenticated with Authentication scheme level = 2
[2012-05-15T23:34:45.382-07:00] [oam_server1] [NOTIFICATION:16] [OAMSSA-12130] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Result of Authentication Scheme Execution: false.
[2012-05-15T23:34:45.382-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [SRC_CLASS: oracle.security.am.engine.authn.internal.controller.AuthenticationEngineControllerImpl] [APP: oam_server] [SRC_METHOD: validateUser] Authenticated User Name: null
I am doing transient federation.
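An added example, not from the thread or from Oracle, that triages OAM diagnostic (ODL) output like the lines quoted above: it parses the bracketed fields (including the nested tid field, which a naive split breaks on), groups records by ecid so one SSO request can be followed end to end, and reports the ERROR lines and the known failure messages. The sample lines are the ones quoted above with quotes straightened; the failure patterns are assumed from those lines.

```python
import re
from collections import defaultdict

# Constructed sample: four ODL lines from the OAM log quoted in the thread (quotes straightened).
SAMPLE_LOG = """\
[2012-05-15T23:34:45.378-07:00] [oam_server1] [ERROR] [OAMSSA-20040] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Could not modify user attribute for user : cn, attribute : null, value : {2} .
[2012-05-15T23:34:45.379-07:00] [oam_server1] [ERROR] [OAMSSA-12126] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Cannot assert the username from DAP token.
[2012-05-15T23:34:45.382-07:00] [oam_server1] [NOTIFICATION:16] [OAMSSA-12130] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Result of Authentication Scheme Execution: false.
[2012-05-15T23:34:45.382-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [SRC_CLASS: oracle.security.am.engine.authn.internal.controller.AuthenticationEngineControllerImpl] [APP: oam_server] [SRC_METHOD: validateUser] Authenticated User Name: null
"""
POSITIONAL = ("timestamp", "server", "level", "msg_id", "component")
# Messages that mark a failed OIF->OAM assertion even when the line is not at ERROR level (assumed).
FAILURE_PATTERNS = (
    re.compile(r"Cannot assert the username from DAP token"),
    re.compile(r"Result of Authentication Scheme Execution: false"),
    re.compile(r"Authenticated User Name: null"),
    re.compile(r"Event processing finished :\S+ with status fail"),
)

def _split_bracket_fields(line):
    """Split the leading run of '[...]' fields (nesting-aware) from the trailing message."""
    fields, i, n = [], 0, len(line)
    while i < n and line[i] == "[":
        depth = 0
        for j in range(i, n):
            depth += (line[j] == "[") - (line[j] == "]")
            if depth == 0:
                break
        else:
            break  # unbalanced bracket: leave the rest as the message
        fields.append(line[i + 1:j])
        i = j + 1
        while i < n and line[i] == " ":
            i += 1
    return fields, line[i:].strip()

def parse_odl_line(line):
    """Parse one ODL line into a dict; None if it lacks the five positional fields."""
    fields, message = _split_bracket_fields(line.rstrip("\n"))
    if len(fields) < len(POSITIONAL):
        return None
    rec = dict(zip(POSITIONAL, fields))
    for field in fields[len(POSITIONAL):]:  # "tid: ...", "ecid: ...", "APP: ..." etc.
        key, sep, val = field.partition(":")
        if sep:
            rec[key.strip()] = val.strip()
    rec["message"] = message
    rec["severity"] = rec["level"].split(":")[0]  # "NOTIFICATION:16" -> "NOTIFICATION"
    return rec

def triage(log_text):
    """Group records by ecid (one SSO request) and list the failure indicators seen in each."""
    by_ecid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_odl_line(line)
        if rec is not None:
            by_ecid[rec.get("ecid", "")].append(rec)
    report = {}
    for ecid, recs in by_ecid.items():
        hits = [f'{r["msg_id"] or r["severity"]}: {r["message"]}' for r in recs
                if r["severity"] == "ERROR" or any(p.search(r["message"]) for p in FAILURE_PATTERNS)]
        if hits:
            report[ecid] = hits
    return report
```

Running triage over a real oam_server diagnostic log shows, per ecid, whether the failure is the DAP-token assertion (username null) rather than the redirect loop.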
@kjj1983
What is your email address?
You have to create an AuthN scheme, resource and authN policy for TAP. I can send you the info to your email.
@ narendra,
I don't think OIF 10g is available to download on the Oracle website (or OTN). Please raise a Service Request via My Oracle Support (earlier Metalink) and the support team should be able to ship you the OIF media.
Hi Atul,
I followed the step-by-step installation for Oracle Identity and Access Management, but at the end I don't find OIF. I don't know which step I missed during the installation from Part (I) to Part (VI) of your online help:
http://onlineappsdba.com/index.php/2010/08/23/part-vi-configure-identity-manager-oim-oracleidm-11g-step-by-step-installation-of-oam-oim-oaam-oapm-oin/
I installed the following components on Red Hat Enterprise Linux Server release 5.8 (64-bit):
-Oracle 11g database 11.2.0.1.0
-RCU utility 11.1.1.5
-Weblogic Server 10.3.6
-SOA Suite 11.1.1.5.0
-Oracle Identity & Access Management 11.1.1.5
I thought Oracle Identity & Access Management 11.1.1.5 should include OIF, but at the very end I couldn't find OIF when I logged in to Oracle Enterprise Manager using http://localhost:7001/em. I don't see OIF under "Identity and Access".
Please let me know which step I am missing or if I have installed the wrong versions. Please advise me of a workaround so that I don't have to start the Oracle installation from the beginning.
Thanks,
-Arshad
@arshadiqbal1,
In 11gR1, OIF is part of OID/OVD, so install that. In 11gR2, OIF is part of Identity & Access Management.
Thanks Atul for the quick reply,
(1) Can I install Identity Management 11gR1 (11.1.1.6.0), which includes OIF? Does this require some additional software? As I see "Patch Scripts" under required software. Will this be compatible with the existing installed components?
(2) Also, if I want to install 11.1.1.5.0 OID, can you please point me to the download link for Oracle Internet Directory (OID) 11.1.1.5.0?
Thanks,
-Arshad
@ arshadiqbal1,
Install OID/OIF 11.1.1.6 under a different middleware home (than OAM/OIM). Use 10.3.6 WebLogic and it should work.
Atul
Please explain what you mean by a different Middleware home; if I use the already installed WebLogic Server 10.3.6 then it will be the same Middleware directory. Forgive me if I am missing a key point here.
My current middleware directory is:
/home/oracle/Oracle/Middleware/
[oracle@localhost Middleware]$ ls -l
total 236
-rw-rw---- 1 oracle oinstall 219 Nov 12 12:30 domain-registry.xml
drwxr-xr-x 2 oracle oinstall 4096 Nov 12 14:48 logs
drwxr-xr-x 7 oracle oinstall 36864 Nov 1 10:37 modules
-rw-r--r-- 1 oracle oinstall 852 Nov 1 10:37 ocm.rsp
drwxr-x--- 32 oracle oinstall 4096 Nov 1 12:02 oracle_common
drwxr-x--- 29 oracle oinstall 4096 Nov 12 14:26 Oracle_IDM1
drwxr-x--- 27 oracle oinstall 4096 Nov 1 12:02 Oracle_SOA1
-rw-r--r-- 1 oracle oinstall 108888 Nov 1 10:38 registry.dat
-rw-r--r-- 1 oracle oinstall 1775 Nov 1 10:38 registry.xml
drwxr-x--- 4 oracle oinstall 4096 Nov 12 12:29 user_projects
drwxr-xr-x 8 oracle oinstall 4096 Nov 1 10:37 utils
drwxr-xr-x 9 oracle oinstall 4096 Nov 2 14:45 wlserver_10.3
Thanks,
-Arshad
@ Arshad,
Your middleware home for OIM/OAM is /home/oracle/Oracle/Middleware
Though Oracle says you can install OIM/OAM and OID/OIF in the same middleware home, I always faced issues with Enterprise Manager, and I usually install OIM/OAM in one middleware home and OID/OIF in a second middleware home.
Install another WebLogic under /home/oracle/Oracle/Middleware2 so this will create a second middleware home. Install OID/OIF in this second middleware home (/home/oracle/Oracle/Middleware2).
Thanks Atul for your prompt help.
One more question: when I install WebLogic Server 10.3.6 again in a different Middleware home, do I have to install the Oracle Fusion Middleware 11g SOA Suite 11.1.1.5.0 again? Or don't I need that component?
Could you please specify the correct steps in order for me, knowing that the Oracle database and RCU are already installed.
Thanks again,
-Arshad
Hi Atul,
I am going to install Oracle Identity Management 11.1.1.6.0, I have already installed Weblogic server 10.3.6 & Oracle SOA Suite 11g (11.1.1.6.0).
Can I install OID/OIF 11.1.1.6.0 directly?
I am confused with your post in the beginning of this page under “OIF Installation Key Points”:
” You must first install 11.1.1.2 and then patch it to 11.1.1.6.”
Thanks,
-Arshad
@ arshadiqbal1,
a) SOA is not required for OID/OIF, but there is no harm if it exists in the same MW_HOME where you are going to install OID/OIF.
b) Yes, you can install OID/OIF 11.1.1.6 directly. This is a full version.
” You must first install 11.1.1.2 and then patch it to 11.1.1.6.”
This is wrong, and thanks for pointing this out. You can install 11.1.1.6 directly as this is a full version.
Hello Atul,
In our current environment we have OIF integrated with OAM in authentication mode. OIF is acting as the identity provider to different external applications. We want to protect the applications using two different authentication schemes – Form based and Kerberos. However, in OAM when we protect /fed/user/authnoam we can use only one authentication scheme – either Kerberos or form based. We have used virtual hosts configuration in Apache server too. (It did not work.)
Can you please let me know how we can protect applications with multiple authentication schemes from OAM.
Hi Atul,
We want to integrate R12 with other applications using SAML 2.0.
How can we use OIF integrated into R12 to act as SSO using SAML? Or do we need to install OAM/OID/SSO to get this to work?
Any suggestions? Any notes?
Thanks in advance.
Hi Atul
We have a third-party SAML based identity provider used for authentication.
1. User logs in to the URL of the SAML based identity server
2. User provides credentials inside the URL for authentication.
3. Once authenticated, the URL provides links to connect to applications
4. If we click a particular application then it should connect to the application without providing further login details.
Oracle Enterprise Manager 12c is our linked application we need to configure with the third-party SAML based identity provider.
1. Do we need Oracle Access Manager or OID for this configuration?
2. Is only Oracle Identity Federation enough?
3. Is there any Oracle document to perform this configuration?
Any suggestions
Thanks in Advance
Pratap
@ Pratap,
From Oracle's point of view, I don't think OEM 12c can talk directly to OIF configured as Service Provider with a SAML based identity provider. Check with the OEM team if this is supported.
Else follow this
1. Integrate OEM 12c with OAM and see it works with OAM first
2. Integrate OAM with OIF
3. Integrate OIF (in SP mode) with SAML provider (in IdP mode)
4. Test this integration
@Atul,
Can you please let me know if it's possible to do federation with any console application (thick client)?
In my case: I have to federate with a thick client application. The application is installed on each user's desktop, and after launching the application the user has to enter his credentials (application specific) to access it.
Please suggest.
Hi,
I was reading your article -> http://onlineappsdba.com/index.php/2012/04/26/oracle-identity-federation-oif-11-1-1-6-installation-configuration/ . As part of this article, you were supposed to publish another paper "configuring OIF SP/IdP, OIF with OAM and protecting a resource using multiple IdP". Did you publish this? If so, could you please let me know the link? If not, could you please let me know a link for configuring multiple IdPs with OIF as SP?
Thanks
Hi, I was following the OIF installation steps which you posted. I would like to go through the post for configuring OIF as Identity Provider (IdP) or Service Provider (SP), so please provide the URL or mail to rprudhvi9.idm@gmail.com
Hi Atul
We have a third-party SAML based identity provider used for authentication.
1. User logs in to the URL of the SAML based identity server
2. User provides credentials inside the URL for authentication.
3. Once authenticated, the URL provides links to connect to applications
4. If we click a particular application then it should connect to the application without providing further login details.
We have OAM in the current setup which handles SSO.
Can we use OIF to communicate using SAML?
Do you have any docs which can guide us in this regard?
Any suggestions
Thanks in Advance