Oracle Identity Federation (OIF) 11.1.1.6 Installation & Configuration

I recently implemented Oracle Identity Federation (OIF) as a Service Provider (SP) integrated with Oracle Access Manager (OAM) through the OAM SP Integration Module. For the basics of OIF SP/IdP click here. The OIF SP is integrated with the IdP using linked federation (the attribute employeeNumber on the IdP is linked to uid on the SP). To further complicate this integration, OIF as SP is integrated with two Identity Providers, so a resource protected in OAM (via the OIF SP module) must be accessible by authenticating at either IdP1 or IdP2.

I’ll start with the installation and configuration of Oracle Identity Federation (OIF) in this post and cover the remaining tasks (configuring OIF SP/IdP, OIF with OAM, and protecting a resource using multiple IdPs) in future posts.


OIF Installation Key Points

1. OIF software is part of the Oracle Identity Management (IDM) software (this package also contains OID and OVD).

2. The latest version of OIF (as of April 2012) is 11.1.1.6. 11.1.1.2 and 11.1.1.6 are full installers, whereas 11.1.1.3/4/5 are patch sets. For 11.1.1.3/4/5 you must first install 11.1.1.2 and then patch it to the required version (11.1.1.3/4/5). For 11.1.1.6, install 11.1.1.6 directly. [Thanks Arshad for pointing this out]

3. OIF (IDM software) requires WebLogic, so install WebLogic first (for OIF 11.1.1.6 install WebLogic 10.3.6; for OIF 11.1.1.5 install WebLogic 10.3.5).

4. During the IDM 11.1.1.2 installation, select the option Install Software - Do Not Configure. You should then apply patch set 11.1.1.3/4/5 (depending on which version you need).

For 11.1.1.6, you can select either “Install and Configure” or “Install Software - Do Not Configure” (for high availability select Install Software - Do Not Configure).

5. The OIF user/message store and configuration can be stored in a database. If you are planning to use a database to store user/message data and the configuration file, create the OIF schema in the database using the Repository Creation Utility (RCU).

6. After installing WebLogic and then the Identity Management software (OIF), start the OIF configuration from $ORACLE_HOME/bin/config.sh (here ORACLE_HOME is the directory in which you installed the IDM software).

7. Select Oracle Identity Federation from the list of components.

8. For OIF you get two configuration options, Basic or Advanced:

a) Basic – use this to configure:
User Data Store (NONE), Federation Data Store (NONE), Authentication Engine (JAAS), Session Store (MEMORY), Transient Message Data Store (MEMORY), Configuration Store (FILE)

b) Advanced – use this to configure:
User Data Store (NONE, LDAP, RDBMS)
Federation Data Store (NONE, LDAP, RDBMS, XML)
Authentication Type (JAAS or LDAP)
User Session Store (MEMORY, RDBMS)
Transient Message Data Store (MEMORY, RDBMS)
Configuration Store (FILE, RDBMS)

Note: If you select Basic you don’t need a database or an LDAP server, whereas Advanced needs both an LDAP server and a database. I am using OID as the LDAP server.

Note: These settings (Authentication Type, User Data Store, Federation/Message Store, ...) can also be changed later using Fusion Middleware Control (/em).

9. Select Advanced and then select the Authentication Type, User Store, Federation Store, User Session Store, Message Store, and Configuration Store in OIF as shown below.

10. In Specify Authentication LDAP Details enter the LDAP server details (I am using OID as the LDAP server, where innowave21 is the host on which OID is running, 3063 is the LDAP port and cn=orcladmin is the OID superuser). When OIF is configured as an IdP with LDAP as the authentication engine, uid is used as the login attribute.

Change the Base DN from dc=com to your LDAP server domain (in OID this is the Realm defined during OID configuration).

11. Specify the LDAP server details for the Federation Data store. During federation, federated data is stored under the OID container cn=Federation,dc=<your_domain> (OIF creates this container cn=Federation).

12. Specify the database details for the Transient Data Store (the OIF schema created earlier using RCU should already exist).

13. After installation, in the WebLogic Admin Console (/console) you should see a managed server (wls_oif1) like the one below.

14. Key configuration files for OIF are:

a) WebLogic domain configuration file config.xml under $DOMAIN_HOME/config/

b) OIF Circle of Trust and configuration files cot.xml and config.xml under $DOMAIN_HOME/config/fmwconfig/servers/<wls_oif1>/applications/OIF_11.1.1.2.0/configuration

For configuring OIF as an Identity Provider (IdP) or Service Provider (SP), stay tuned.

About the Author: Atul Kumar

Oracle ACE, author, speaker and founder of K21 Technologies & K21 Academy, specialising in design, implementation and training.

Sunil says May 1, 2012

Please send me info on using multiple IdPs for a single SP using the OAM OIFAuth scheme.
I posted this on OTN and you said that if I need it now, I should add it to your comments.

Atul Kumar says May 1, 2012

@ Sunil,
Is the SP- or IdP-initiated SSO request with 1 IdP (default) working for you (using the OIF scheme)?

If yes, then add the second IdP to the SP and then first make an SP-initiated call with providerId as IdP2 and returnURL as the URL protected by the OIF scheme.

For example

http://oif_sp_host/fed/sp/initiatesso?providerid=http://IdP_2/fed/idp&returnurl=http://ur_to_return

This URL will initiate SSO on the SP using the second IdP. After authentication from IdP2, the request is returned to http://ur_to_return, where ur_to_return is protected by OAM with the OIF authentication scheme.

Here OAM is already integrated with OIF SP Integration module.

There are a few bugs if you are on OAM 11.1.1.5 BP02, but I’ll try to cover them in my post tomorrow.

Let me know if this is not clear to you.

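As an added example (not part of the comment above and not Oracle's OIF code), a small Python helper that builds the SP-initiated SSO URL in the form shown above: providerid is looked up from a fixed set of IdPs in the circle of trust, both parameters are percent-encoded, and returnurl values that do not land on an allow-listed OAM-protected host are refused. The SP host, IdP provider IDs and allow-list are hypothetical, and https is assumed where the comment uses plain http.

```python
"""Build and check an OIF SP-initiated SSO URL of the form shown in the comment:
  http://oif_sp_host/fed/sp/initiatesso?providerid=<IdP>&returnurl=<protected URL>
All host names and provider IDs below are constructed for this example.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical OIF SP front end (the comment uses plain http; https assumed here)
SP_INITIATESSO = "https://oif-sp.example.com/fed/sp/initiatesso"

# providerid values of the IdPs registered in the SP's circle of trust (cot.xml).
# Selecting by alias means a caller cannot name an IdP the SP does not trust.
KNOWN_IDPS = {
    "idp1": "https://idp1.example.com/fed/idp",
    "idp2": "https://idp2.example.com/fed/idp",
}

# Hosts that an OAM-protected returnurl may point to (hypothetical allow-list).
RETURN_HOST_ALLOWLIST = {"apps.example.com"}


def return_url_allowed(return_url: str) -> bool:
    """True only for an absolute https URL on an allow-listed host.

    A returnurl that omits the scheme (host:port/path, as in the IdP-initiated
    URL later in this thread) yields no hostname from urlparse and is rejected.
    """
    parts = urlparse(return_url)
    return parts.scheme == "https" and parts.hostname in RETURN_HOST_ALLOWLIST


def build_initiatesso_url(idp_alias: str, return_url: str) -> str:
    """Return the SP-initiated SSO URL for the chosen IdP.

    Raises ValueError for an unknown IdP alias or a returnurl outside the
    allow-list, so the SP endpoint cannot be turned into an open redirector.
    """
    provider_id = KNOWN_IDPS.get(idp_alias)
    if provider_id is None:
        raise ValueError(f"unknown IdP alias: {idp_alias}")
    if not return_url_allowed(return_url):
        raise ValueError(f"returnurl not allowed: {return_url}")
    # urlencode percent-encodes ':', '/', '?', '&' inside both values, so a
    # returnurl that carries its own query string cannot split the outer one.
    query = urlencode({"providerid": provider_id, "returnurl": return_url})
    return f"{SP_INITIATESSO}?{query}"


def parse_initiatesso_url(url: str) -> dict:
    """Recover providerid and returnurl (decoded) from an initiatesso URL."""
    params = parse_qs(urlparse(url).query, strict_parsing=True)
    return {"providerid": params["providerid"][0], "returnurl": params["returnurl"][0]}


if __name__ == "__main__":
    url = build_initiatesso_url("idp2", "https://apps.example.com/app?x=1&y=2")
    print(url)
    print(parse_initiatesso_url(url))
```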
Sunil says May 1, 2012

Yes, my default is working. However, there is an issue with OSSO with OAM. There is a bug there and Oracle have confirmed it as a bug. My SR is with Oracle dev and it’s been open since December and they are still working on a fix for it.

So in my IdP initiated SSO, I have this URL:

I currently have two OIF servers setup, one is IdP and the other is SP.
I use this URL for IdP initiate SSO.

http://idp.idpdomain.com:8016/fed/idp/initiatesso?providerid=http://sp.spdomain.com:8016/fed/sp&returnurl=aspen.appdomain.com:8016/fed/user/testspsso

So, here the provider is the SP which has a “default SSO Idp Provider” associated with it.
When an Idp accesses a resource protected by OAM and is using the OIFAuthN scheme, OAM will forward to OIF (SP) and OIF(SP) will call its default IdP provider to authenticate.

So, looking at your URL, you have

http://oif_sp_host/fed/sp/initiatesso?providerid=http://IdP_2/fed/idp&returnurl=http://ur_to_return

This is different from mine. I have IdP as the first part of URL and you have SP. The provider in your URL is IdP and mine is SP. The third part is the protected resource to return to. That resource is protected by an OSSO agent in my case.

Why do I have my URL different? I was told to do it this way by Oracle. I think you are doing an SP initiated SSO whereas I am trying to make IdP initiated SSO work,
i.e. multiple IdP will want access to my protected app and I am acting as an SP.

Is that the case?

    Atul Kumar says May 1, 2012

    @ Sunil,

    You said : There is a bug there and Oracle have confirmed it as a bug. My SR is with oracle dev

    AK: Yes, I had this bug in OAM 11.1.1.5 BP 02 and the fix is to get a new oam_server.ear from Oracle Support and deploy it (this new oam_server.ear works for me). Or wait for OAM BP03, which is due at the end of May.

    On your OIF setup,
    If you have two OIFs, one acting as IdP and the second as SP (which is not the same as having multiple IdPs). In my case I have three OIFs, one acting as SP (this is integrated with OAM using the SP integration module OSSO) and another two as IdPs (IdP1 and IdP2).

    If you have just one IdP then set that IdP as the default IdP in the SP and then you don’t have to provide the provider Id. Why do you think you have multiple IdPs (or am I missing something here?)

    ___

    Why do I have my URL different. I was told to do it this way by oracle. I think you are doing a SP initiated SSO whereas I am trying to make IdP initiated SSO to work ?

    I am doing an SP initiated call and you are doing an IdP initiated call, and for that reason the URLs are different. It does not matter if this is SP initiated or IdP initiated; both should create a session in OAM.

    There is another bug for SP or IdP initiated call in OAM 11.1.1.5 BP02 and fix is to

    ___

    1. Login to OAM Console
    2. Expand Application Domain -> IAM Suite
    3. Click the Authentication Policies node, then click the Create button in the tool bar
    4. Fill in the fresh Authentication Policy page:
    a) Name: TAP Response Protected Policy
    b) Description: TAP Response Protected Authentication Policy for OAMAgent
    c) Authentication Scheme: TAPResponseOnlyScheme
    5. Open the Resources node
    6. Click the New Resource button in the upper-right corner of the Search page
    7. On the Resource Definition page enter the following details:
    a) Type: HTTP
    b) Description: TAP Resource to be asserted against
    c) Host Identifier: IAMSuiteAgent
    d) Resource URL: /oamTAPResponseAssertResource
    e) Protection Level: Protected
    f) Authentication Policy: TAP Response Protected Policy
    g) Authorization Policy: Protected Resource Policy
    Click Apply

    ______

Sunil says May 3, 2012

The TAP workaround is the result of me filing a bug and Oracle gave that as a workaround. And, yes, that does fix IdP initiated SSO but this workaround breaks SP initiated SSO for me. It now loops!
Oracle have reproduced this and called it a bug also and are working on a fix.

    Atul Kumar says May 3, 2012

    @ Sunil,
    Good, thanks. Yes, I had the looping issue too and that is another bug. Ask support for Bug # 13812000.

    I think we are working on a similar implementation. Are you using OES and OEG too?

    Let’s chat sometime on the phone.

Sunil says May 3, 2012

So what you are saying is that there is a new ear file for OAM that I can apply? I already have BP02 applied and this ear is in addition to BP02?
I’ve asked Oracle many times but they never mentioned this ear file. Did you get it from support?

    Atul Kumar says May 3, 2012

    @ Sunil,
    Yes, the problem with the OAM BP02 integration with OIF (where OAM has delegated authentication to OIF SP, which in turn delegates to the IdP) is that after the SAML assertion by the IdP the request comes to the SP (creates a session in OIF SP) and while creating the session in OAM the request redirects in a loop between OAM, SP and IdP. If this is what you are hitting then this is a bug and the temporary workaround is to get a new oam_server.ear from support (undeploy the existing oam_server.ear from WebLogic which comes as part of OAM BP02 and deploy the new ear file). Ask product support to look for bug # 13812000

kjj1983 says May 15, 2012

I think we are hit by Bug 13812000

[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.controller.MasterController] [APP: oam_server] [SRC_METHOD: processEvent] MasterController: Flow Controller: oracle.security.am.engines.enginecontroller.SSOEngineController@2620e750, Event: oracle.security.am.controller.events.credcollect.DAPAssertCredentialsEvent@2270f5ea, Event Handler: CredCollectEngineController
[2012-05-15T06:58:58.087-07:00] [oam_server1] [NOTIFICATION:16] [OAM-02086] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [APP: oam_server] ssoFlowController: processing Event:CRED_CHECK_REQUEST_CREDS.
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.credcollect.CredCollectEngineController] [APP: oam_server] [SRC_METHOD: processEvent] ENTRY
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE] [OAM-02078] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.credcollect.CredCollectEngineController] [APP: oam_server] [SRC_METHOD: processEvent] Processing Event CRED_CHECK_REQUEST_CREDS
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.credcollect.CredCollectEngineController] [APP: oam_server] [SRC_METHOD: handleCheckRequestCredentialsEvent] Event execution status: fail
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.credcollect.CredCollectEngineController] [APP: oam_server] [SRC_METHOD: processEvent] RETURN oracle.security.am.controller.events.credcollect.CheckRequestCredentialsEvent@7861a781
[2012-05-15T06:58:58.087-07:00] [oam_server1] [NOTIFICATION:16] [OAM-02099] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [APP: oam_server] ssoFlowController: Event processing finished :CRED_CHECK_REQUEST_CREDS with status fail.
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.audit] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.common.audit.config.AuditConfigStore] [APP: oam_server] [SRC_METHOD: loadConfiguration] ENTRY
[2012-05-15T06:58:58.087-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.audit] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-10c9cdc3:13750945aa0:-8000-0000000000000dfe,0] [SRC_CLASS: oracle.security.am.common.audit.config.AuditConfigStore] [APP: oam_server] [SRC_METHOD: loadConfiguration] Returning t

Sunil says May 15, 2012

Yes, I logged that bug and Patch p13834510_111152_Generic.zip fixes it.
I got a hotfix from Oracle and that fixed my issue with OAM/OIF.
That hotfix is going to be in BP03, due out at the end of May.

Atul Kumar says May 15, 2012

@ kjj1983

Thanks Sunil.

My 2 cents: after applying patch 13834510, undeploy the oam_server application and redeploy oam-server.ear from the one which comes as part of the patch. After patching, this file gets copied to the $ORACLE_HOME/oam/server/apps directory.

kjj1983 says May 16, 2012

@Atul/Sunil –

Thanks for the patch info. After applying the patch the loop issue is gone, but now the issue is the one below:

[2012-05-15T23:34:45.378-07:00] [oam_server1] [ERROR] [OAMSSA-20040] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Could not modify user attribute for user : cn, attribute : null, value : {2} .
[2012-05-15T23:34:45.378-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [SRC_CLASS: UserProviderImpl] [APP: oam_server] [SRC_METHOD: getUsersByAttribute] RETURN
[2012-05-15T23:34:45.379-07:00] [oam_server1] [ERROR] [OAMSSA-12126] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Cannot assert the username from DAP token.
[2012-05-15T23:34:45.381-07:00] [oam_server1] [TRACE] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [SRC_CLASS: oracle.security.am.engine.authn.internal.executor.AuthenticationSchemeExecutor] [APP: oam_server] [SRC_METHOD: execute] User is authenticated with Authentication scheme level = 2
[2012-05-15T23:34:45.382-07:00] [oam_server1] [NOTIFICATION:16] [OAMSSA-12130] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Result of Authentication Scheme Execution: false.
[2012-05-15T23:34:45.382-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [SRC_CLASS: oracle.security.am.engine.authn.internal.controller.AuthenticationEngineControllerImpl] [APP: oam_server] [SRC_METHOD: validateUser] Authenticated User Name: null

I am doing transient federation.

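As an added example (not from the comment above and not Oracle code), a Python parser for the OAM diagnostic (ODL) log lines pasted in this thread: it splits the bracketed fields while respecting the nested brackets inside the tid field, then groups records by ecid and reports the requests in which OAM could not assert a username from the DAP token handed over by the OIF SP (OAMSSA-12126), which is the failure shown above. The sample lines are constructed from the excerpt above (abridged, straight quotes, plus one constructed successful request).

```python
"""Parse OAM 11g diagnostic (ODL) log lines and flag failed DAP/OIF assertions.

ODL lines start with bracketed fields: [timestamp] [server] [level[:n]] [msg-id]
[component], followed by [key: value] fields and a free-text message. The tid
field nests brackets ([tid: [ACTIVE].ExecuteThread ...]), so a regex that stops
at the first ']' truncates it; this scanner tracks bracket depth instead.
"""
from collections import defaultdict

# Constructed sample, abridged from the excerpt in the comment above; the last
# line is a constructed successful request for contrast.
SAMPLE_LOG = """\
[2012-05-15T23:34:45.378-07:00] [oam_server1] [ERROR] [OAMSSA-20040] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Could not modify user attribute for user : cn, attribute : null, value : {2} .
[2012-05-15T23:34:45.379-07:00] [oam_server1] [ERROR] [OAMSSA-12126] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Cannot assert the username from DAP token.
[2012-05-15T23:34:45.382-07:00] [oam_server1] [NOTIFICATION:16] [OAMSSA-12130] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: ab97688b1af69ce1:-530892a3:137543e7400:-8000-00000000000004c1,0] [APP: oam_server] Result of Authentication Scheme Execution: false.
[2012-05-15T23:35:10.001-07:00] [oam_server1] [TRACE:16] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: jdoe] [ecid: 0000constructed-ecid-ok,0] [APP: oam_server] User is authenticated with Authentication scheme level = 2
"""

# Message ids seen in this thread that mark a failed OIF -> OAM hand-off.
FAILURE_IDS = {
    "OAMSSA-12126": "username could not be asserted from the DAP token",
    "OAMSSA-20040": "user attribute lookup failed (attribute resolved to null)",
}


def split_fields(line):
    """Return the leading bracketed fields (brackets stripped) and the message."""
    fields = []
    i, n = 0, len(line)
    while i < n and line[i] == "[":
        depth, j = 0, i
        while j < n:                       # walk to the ']' that closes this field
            if line[j] == "[":
                depth += 1
            elif line[j] == "]":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth != 0:
            raise ValueError("unbalanced brackets in: " + line)
        fields.append(line[i + 1:j])
        i = j + 1
        while i < n and line[i] == " ":    # skip the separator before the next field
            i += 1
    return fields, line[i:]


def parse_odl_line(line):
    """Turn one ODL line into a dict of named fields plus 'message'."""
    fields, message = split_fields(line.rstrip("\n"))
    if len(fields) < 5:
        raise ValueError("not an ODL record: " + line)
    rec = {
        "timestamp": fields[0],
        "server": fields[1],
        "level": fields[2].split(":")[0],  # drop the numeric suffix of TRACE:16
        "msg_id": fields[3],                # empty for most TRACE lines
        "component": fields[4],
        "message": message,
    }
    for field in fields[5:]:                # [tid: ...] [userId: ] [ecid: ...] ...
        key, _, value = field.partition(": ")
        rec[key] = value.strip()
    return rec


def failed_assertions(log_text):
    """Group records by ecid; return the ecids whose request failed, with reasons."""
    by_ecid = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("["):
            rec = parse_odl_line(line)
            by_ecid[rec.get("ecid", "")].append(rec)
    result = {}
    for ecid, recs in by_ecid.items():
        reasons = [FAILURE_IDS[r["msg_id"]] for r in recs if r["msg_id"] in FAILURE_IDS]
        scheme_failed = any(r["msg_id"] == "OAMSSA-12130"
                            and r["message"].rstrip(".").endswith("false") for r in recs)
        if reasons or scheme_failed:
            result[ecid] = reasons
    return result
```

Grouping by ecid is what lets you tie the OAMSSA-20040 attribute error to the OAMSSA-12126 assertion failure of the same request when the lines are interleaved with other threads.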
Sunil says May 16, 2012

Did you apply the TAP workaround?

kjj1983 says May 16, 2012

TAP workaround?

Sunil says May 16, 2012

@kjj1983
What is your email address?

You have to create AuthN Scheme/ Resource and authN Policy for TAP. I can send you info to your email.

kjj1983 says May 16, 2012

@Sunil

Please send it to jkunal@gmail.com

Thanks.

Sunil says June 8, 2012

I have OIF/OAM working now, with OIF having multiple IdPs. All working now.

narendra says July 12, 2012

Hi Atul,

Can you please provide a link for downloading OIF 10g.

Thanks,
Narendra

    Atul Kumar says July 13, 2012

    @ narendra,
    I don’t think OIF 10g is available to download on the Oracle website (or OTN). Please raise a Service Request via My Oracle Support (earlier Metalink) and the support team should be able to ship you the OIF media.

arshadiqbal1 says November 12, 2012

Hi Atul,

I followed the step-by-step installation for Oracle Identity and Access Management, but at the end I don’t find OIF. I don’t know which step I missed during the installation from Part (I) to Part (VI) of your online help:
http://onlineappsdba.com/index.php/2010/08/23/part-vi-configure-identity-manager-oim-oracleidm-11g-step-by-step-installation-of-oam-oim-oaam-oapm-oin/

I installed the following components on Red Hat Enterprise Linux Server release 5.8 (64-bit):
-Oracle 11g database 11.2.0.1.0
-RCU utility 11.1.1.5
-Weblogic Server 10.3.6
-SOA Suite 11.1.1.5.0
-Oracle Identity & Access Management 11.1.1.5

I thought Oracle Identity & Access Management 11.1.1.5 should include OIF but at the very end, I couldn’t find OIF when I logged in to the Oracle Enterprise Manager using http://localhost:7001/em. I don’t see OIF under “Identity and Access”.

Please let me know which step I am missing or if I have installed the wrong versions. Please advise me of a workaround so that I don’t have to start the Oracle installation from the beginning.

Thanks,
-Arshad

    Atul Kumar says November 12, 2012

    @arshadiqbal1,
    OIF in 11gR1 is part of OID/OVD, so install that. In 11gR2 OIF is part of Identity & Access Management.

arshadiqbal1 says November 12, 2012

Thanks Atul for quick reply,

(1) Can I install Identity Management 11gR1 (11.1.1.6.0), which includes OIF? Does this require some additional software? I see “Patch Scripts” under required software. Will this be compatible with the existing installed components?

(2) Also, if I want to install OID 11.1.1.5.0, can you please point me to the download link for Oracle Internet Directory (OID) 11.1.1.5.0?

Thanks,
-Arshad

Atul Kumar says November 12, 2012

@ arshadiqbal1,
Install OID/OIF 11.1.1.6 under a different middleware home (than OAM/OIM). Use WebLogic 10.3.6 and it should work.

Atul

arshadiqbal1 says November 12, 2012

Please explain what you mean by a different Middleware home; if I use the already installed WebLogic Server 10.3.6 then it will be the same Middleware directory. Forgive me if I am missing a key point here.

My current middleware directory is:

/home/oracle/Oracle/Middleware/
[oracle@localhost Middleware]$ ls -l
total 236
-rw-rw---- 1 oracle oinstall 219 Nov 12 12:30 domain-registry.xml
drwxr-xr-x 2 oracle oinstall 4096 Nov 12 14:48 logs
drwxr-xr-x 7 oracle oinstall 36864 Nov 1 10:37 modules
-rw-r--r-- 1 oracle oinstall 852 Nov 1 10:37 ocm.rsp
drwxr-x--- 32 oracle oinstall 4096 Nov 1 12:02 oracle_common
drwxr-x--- 29 oracle oinstall 4096 Nov 12 14:26 Oracle_IDM1
drwxr-x--- 27 oracle oinstall 4096 Nov 1 12:02 Oracle_SOA1
-rw-r--r-- 1 oracle oinstall 108888 Nov 1 10:38 registry.dat
-rw-r--r-- 1 oracle oinstall 1775 Nov 1 10:38 registry.xml
drwxr-x--- 4 oracle oinstall 4096 Nov 12 12:29 user_projects
drwxr-xr-x 8 oracle oinstall 4096 Nov 1 10:37 utils
drwxr-xr-x 9 oracle oinstall 4096 Nov 2 14:45 wlserver_10.3

Thanks,
-Arshad

Atul Kumar says November 12, 2012

@ Arshad,

Your middleware home for OIM/OAM is /home/oracle/Oracle/Middleware

Though Oracle says you can install OIM/OAM and OID/OIF in the same middleware home, I always faced issues with Enterprise Manager, so I usually install OIM/OAM in one middleware home and OID/OIF in a second middleware home.

Install another WebLogic under /home/oracle/Oracle/Middleware2 so this will create a second middleware home. Install OID/OIF in this second middleware home (/home/oracle/Oracle/Middleware2)

arshadiqbal1 says November 12, 2012

Thanks Atul for your prompt help.

One more question: when I install WebLogic Server 10.3.6 again in a different Middleware home, do I have to install Oracle Fusion Middleware 11g SOA Suite 11.1.1.5.0 again? Or don’t I need that component?

Could you please specify the correct steps in order for me, knowing that the Oracle database and RCU are already installed.

Thanks again,
-Arshad

arshadiqbal1 says November 13, 2012

Hi Atul,

I am going to install Oracle Identity Management 11.1.1.6.0, I have already installed Weblogic server 10.3.6 & Oracle SOA Suite 11g (11.1.1.6.0).

Can I install OID/OIF 11.1.1.6.0 directly?
I am confused with your post in the beginning of this page under “OIF Installation Key Points”:

” You must first install 11.1.1.2 and then patch it to 11.1.1.6.”

Thanks,
-Arshad

Atul Kumar says November 14, 2012

@ arshadiqbal1,

a) SOA is not required for OID/OIF, but there is no harm if it exists in the same MW_HOME where you are going to install OID/OIF

b) Yes, you can install OID/OIF 11.1.1.6 directly. This is a full version

” You must first install 11.1.1.2 and then patch it to 11.1.1.6.”
This is wrong and thanks for pointing this out. You can install 11.1.1.6 directly as this is a full version.

sampal says December 14, 2012

Hello Atul,

In our current environment we have OIF integrated with OAM in authentication mode. OIF is acting as the identity provider to different external applications. We want to protect the applications using two different authentication schemes – form based and Kerberos. However, in OAM when we protect /fed/user/authnoam we can use only one authentication scheme – either Kerberos or form based. We have used virtual host configuration in the Apache server too (it did not work).

Can you please let me know how we can protect an application with multiple authentication schemes from OAM.

kumar says January 11, 2013

Hi Atul,

We want to integrate R12 with other applications using SAML 2.0.

How can we use OIF integrated into R12 to act as SSO using SAML? Or do we need to install OAM/OID/SSO to get this to work?

Any suggestions? Any notes?

Thanks in advance.

pratapuce says September 27, 2013

Hi Atul

We have Third party SAML based identity provider used for authentication.
1. User login to URL of SAML based Identity server
2. User provides credentials inside the URL for authentication.
3. Once authenticated, the URL provides links to connect to applications
4. If we click a particular application then it should connect to application without providing further Login details.

Oracle Enterprise Manager 12c is our Linked application we need to configure with Third party SAML based identity provider.

1. Do we need Oracle Access Manager or OID for this configuration
2. Only Oracle Identity federation is enough
3. Is there any Oracle document to perform this configuration

Any suggestions

Thanks in Advance
Pratap

    Atul Kumar says September 28, 2013

    @ Pratap,
    From Oracle’s point of view, I don’t think OEM 12c can talk directly to OIF configured as a Service Provider with a SAML-based identity provider. Check with the OEM team if this is supported.

    Else follow this

    1. Integrate OEM 12c with OAM and see it works with OAM first
    2. Integrate OAM with OIF
    3. Integrate OIF (in SP mode) with SAML provider (in IdP mode)
    4. Test this integration

Rinita says September 4, 2014

@Atul,

Can you please let me know if it’s possible to do federation with a console application (thick client).

In my case: I have to federate with a thick client application. The application is installed on each user’s desktop, and after launching the application the user has to enter his credentials (application specific) to access it.

Please suggest.

deba says May 27, 2016

Hi,

I was reading your article -> http://onlineappsdba.com/index.php/2012/04/26/oracle-identity-federation-oif-11-1-1-6-installation-configuration/ . As part of this article, you were supposed to publish another paper, “configuring OIF SP/IdP, OIF with OAM and protecting a resource using multiple IdP”. Did you publish this? If so, could you please let me know the link? If not, could you please let me know a link for configuring multiple IdPs with OIF as SP?

Thanks

prudhvi says May 30, 2016

Hi, I was following the OIF installation steps which you posted. I would like to go through the post for configuring OIF as Identity Provider (IdP) or Service Provider (SP), so please provide the URL or mail it to rprudhvi9.idm@gmail.com

Ajai says February 1, 2017

Hi Atul

We have Third party SAML based identity provider used for authentication.
1. User login to URL of SAML based Identity server
2. User provides credentials inside the URL for authentication.
3. Once authenticated, the URL provides links to connect to applications
4. If we click a particular application then it should connect to application without providing further Login details.

We have OAM in the current set up which handles SSO .
Can we use OIF to communicate using SAML?
Do you have any docs which can guide us in this regard?

Any suggestions

Thanks in Advance
