|Oracle® Identity Federation Administrator's Guide
This appendix describes common problems that you may encounter when configuring and using Oracle Identity Federation, and explains how to solve them.
This section describes common problems and solutions arranged in these topical groups:
This section describes general issues and workarounds. It includes the following topics:
This issue concerns a scenario where Oracle Identity Federation is used as a service provider, OracleAS Single Sign-On is the user data store and an OracleAS Single Sign-On session is created for a federated user using SAML 1.x or WS-Federation. When that session expires, the service provider's Oracle Identity Federation server tries to reauthenticate the session using SAML 2.0. If SAML 2.0 is not enabled on the service and identity providers, the reauthentication will fail, typically with a 500 Internal Server Error.
This problem can be avoided by configuring OracleAS Single Sign-On. Open the
ORACLE_HOME/sso/conf/policy.properties file and protect all the partner applications with the default SSO server authentication plugin; configure the SASSO authentication plugin to have a higher security level than the OracleAS Single Sign-On server plugin.
With this configuration, when a user authenticated by SAML 1.x or WS-Federation protocol accesses a resource protected by OracleAS Single Sign-On, and the session times out, the user will be redirected to theOracleAS Single Sign-On server for local authentication instead of seeing an error from Oracle Identity Federation or an incorrect IdP.
The attribute sharing feature cannot be used with Microsoft Internet Information Servers (IIS) with Oracle Access Manager WebGate agents installed. For this feature an authentication plugin sets an HTTP header with the SubjectDN from the client's X.509 certificate, and an authorization plugin retrieves the header to initiate a SAML attribute query. However, because of the way the IIS WebGate performs SSL client certificate authentication, the SubjectDN header cannot be retrieved by the authorization plugin. In this case the following error is reported at the user's browser:
Oracle Access Manager Operation Error Access to the URL <targetURL> has been denied for user <OblixAnonymous user DN>.
Also, the following error messages are written to the
SubjectDN header ObNullString
SubjectDN is missing. Assume local user and return Continue
There is no workaround for this problem, other than to use a different web server such as the Oracle HTTP Server or the Sun One Web Server.
When Oracle Identity Federation is used as an identity provider with the Oracle Access Manager user data store, a user initiating additional SAML 1.x or WS-Federation single sign-ons might experience a redirection loop at the browser.
This occurs if the Oracle Access Manager AccessGate configured for Oracle Identity Federation has an Idle Session Timeout less than the Maximum user session time. In this case, if the user waits for the idle session timeout to elapse and then initiates another SSO, the redirection loop will occur.
This can be avoided by setting the Oracle Identity Federation AccessGate's Idle Session Timeout equal to or greater than the Maximum user session timeout (which is the default setting).
The following issue is observed during a Japanese-language installation session:
Start Oracle Universal Installer.
Choose the "Oracle Identity Federation 10g" installation option.
Proceed to the "Select Installation Method" page.
The text describing the first radio button ("Basic"), is truncated.
If Oracle Identity Federation is used as an identity provider with an RDBMS user data store, a configured SAML 1.x assertion profile with a non-existent user attribute will cause all single sign-ons (SSOs) using the SAML 1.x and WS-Federation profiles to fail, even if they do not use the invalid profile.
When a user logs into an Oracle Identity Federation identity provider with the RDBMS user data store, Oracle Identity Federation attempts to retrieve all user attributes in all configured assertion profiles. If any of the attributes are invalid, the SSO will fail.
The user will receive a
500 Internal Server Error. If debug logging is enabled, the
federation.log file will show the following error:
RDBMSBridge.authenticate(): ERROR - SQL Exception thrown by JDBC: java.sql.SQLException: ORA-00904: "<attribute name>": invalid identifier
The workaround is to correct the invalid user attribute in the offending assertion profile, or delete the offending assertion profile.
Because SAML 1.0 does not fully specify how the XML Signature standard is to be used, Oracle Identity Federation cannot - within the context of a SAML response - correctly generate a signed SAML 1.0 assertion, nor verify a received signed SAML 1.0 assertion. Consequently, signatures on SAML 1.0 assertions used for the Artifact and POST SSO profiles are incorrect. If a user attempts to perform a single sign-on (SSO) using a SAML 1.x assertion profile with assertion singing enabled, and SAML 1.1 is not enabled for MyDomain or the destination domain, the service provider/destination site may not be able to verify the signature on the SSO assertion, causing the SSO to fail. If the destination site uses Oracle Identity Federation, the
federation.log file will show:
RECEIVER: ERROR: An invalid SAML Response was received: XML SIGNER: ERROR: Invalid signature or altered contents
The workaround is to use the SAML 1.1 protocol instead of SAML 1.0. (In fact, one of the reasons for the SAML 1.1 revision was to allow better use of XML Signatures.)
Note:Signed assertions are not required, nor are they commonly used, for the SAML 1.x SSO profiles.
By default, JDBC does not encrypt network connections between Oracle Identity Federationand the Oracle9i Database Server. Sites can optionally use Oracle Advanced Security to encrypt these connections.
In configuring Oracle Identity Federation to use Oracle Internet Directory or other LDAP servers to authenticate users, a site may choose whether to use SSL to connect to the LDAP server. If you do not use SSL, unencrypted passwords may be sent over network connections between Oracle Identity Federation and the LDAP server.
You may be unable to access the Oracle Identity Federation administration console in this situation:
The command-line configuration assistant is executed to change the RDBMS database used for the transient data store. The command format is as follows:
java -jar install.jar -transient rdbms <parameters>
After the command is executed, the Oracle Identity Federation administration console is not accessible, and the federation logs or the OPMN logs show errors like the following:
This issue is seen when switching the Oracle Identity Federation transient store from one database to another, using a different username/password combination, or when using the same database but with different credentials.
This problem arises because Oracle Identity Federation is already set up for RDBMS transient data store, but when the command-line configuration assistant is executed, the database password does not get reset; this results in the invalid username/password error when trying to perform any Oracle Identity Federation operations.
Use these steps to work around the problem:
Log on to the Oracle Enterprise Manager 10g Grid Control Console.
Navigate to OC4J_FED - > Administration - > Security.
In the Users list, click the jazn.com/oif_db entry.
Enter the correct password to access the RDBMS.
Apply, and restart the OC4J_FED instance.
When an Oracle Identity Federation IdP is configured to send signed both Response messages and Assertions, only the Assertions are signed.
This affects SSO and attribute sharing profiles for the Liberty 1.x and SAML 2.0 protocols. This does not affect profiles where a Response message does not contain an Assertion.
In the Japanese locale, assertions using the SAML 1.x POST method fail with this error:
ERROR: The SAML Response was not signed by the expected authority (RVE013)
The problem is due to the translated strings for OU and ST in the Signing Certificate Subject DN and the Signing Certificate Issuer DN.
As a workaround to this problem, the OU and ST values need to be replaced with the equivalent English strings. You can obtain the English value of the strings from the Issuer and Subject DN in the MyDomain configuration.
ERROR - RESPONDER: ERROR Unknown requester <domain name>
This problem is due to the use of the colon character, which is invalid in this context.
When specifying the requester ID for each domain, make sure that the string does not contain a ":" character.
When invoking the Oracle Identity Federation logout URL, the sign-off operation is performed, but the server does not display a result page; instead, it displays the last page visited by the browser, and the operation appears to have aborted even though logout was successful.
The logout service takes a
returnurl parameter, which is required for correct operation. This problem occurs if no
returnurl parameter is specified when invoking the Oracle Identity Federation logout URL. To avoid the problem, specify the
returnurl parameter to point to the result page.
The IdP has two load-balanced Oracle Identity Federation instances.
A SAML 1.x SSO request of this type is issued:
You log in with valid user credentials.
The following error results:
ERROR - LOCAL LOGIN: ERROR: No JSESSIONID cookie in a POST request.
Ensure that the URLs in MyDomain at the load-balanced provider, and in the load-balanced domain at the other provider, have the hostname and address of the load-balancer, and not the hostname and address of one of the load-balanced Oracle Identity Federation instances.
A schema violation error occurs when performing a Liberty 1.x / SAML 2.0 single sign-on operation, with the federation data store residing in an LDAP server. The
$Oracle_Home/fed/log/federation.log shows the following error message:
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - Failed to find orclfednamevalue in mandatory or optional attribute list.]
This problem is seen if the schema of the federation data store's LDAP server has not been upgraded to include the Oracle Identity Federation attributes and object classes.
Upgrade the LDAP schema either at installation time (with the Advanced Installation mode), or after installation.
Upgrade Schema at Installation
To perform the upgrade at installation time, take these steps:
Choose the Advanced Installation mode.
On the "Select Configuration Options" page, check the "Federation Data in LDAP Server" box. This indicates that the federation records will be stored in an LDAP server whose schema must be upgraded.
On the "Specify Federation Data Store" page, enter the LDAP connection information. The schema will then be upgraded as part of the installation process.
Post-Installation Schema Upgrade
To perform the upgrade post-installation, note that the Oracle Identity Federation installation includes
LDIF files that you can execute using the
ldapmodify tool to upgrade the schema of an LDAP server.
LDIF file to use depends on the type of LDAP server used:
$Oracle_Home/fed/setup/ldap/userFedSchemaOid.ldif if you use Oracle Internet Directory
$Oracle_Home/fed/setup/ldap/userFedSchemaIPlanet.ldif if you use the Sun One Directory Server
$Oracle_Home/fed/setup/ldap/userFedSchemaAD.ldif if you use Microsoft Active Directory Server. In this case, you need to edit the LDIF file to replace the string
%DOMAIN_DN% with your active directory domain suffix.
An example suffix is
ldapmodify, you can upgrade the LDAP schema with the LDIF file. For example:
ldapmodify -c -D BIND_DN_USERNAME -w PASSWORD -f $Oracle_Home/fed/setup/ldap/userFedSchemaOid.ldif -h LDAP_HOSTNAME -p LDAP_PORT -x
This section describes issues that you may encounter when Oracle Identity Federation is the service provider (SP), and Oracle Single Sign-On is configured as the identity provider (IdP) at the back end. It contains these topics:
Oracle Identity Federation is configured as a service provider.
The partner application is configured to be protected by Oracle Identity Federation.
When a user tries to access the protected resource, the Oracle Single Sign-On login page appears instead of the intended Oracle Identity Federation login page.
This problem can occur if the partner application is incorrectly configured for
mod_osso, causing the user to be prompted for local authentication.
The steps required to ensure that the partner application is correctly configured for
mod_osso are outlined here. Detailed information appears in the Oracle Application Server Single Sign-On Administrator's Guide.
Shut down Oracle HTTP Server and OC4J_SECURITY.
Edit the Oracle HTTP Server configuration file,
ORACLE_HOME/Apache/Apache/conf/httpd.conf, located in the Oracle Application Server Infrastructure directory:
Add the osso_module to the server's loaded modules using the
AddModule (Windows) and
LoadModule (Windows, Linux) directives. See the Oracle Application Server Single Sign-On Administrator's Guide for an example.
Add a virtual host to create a new partner application listener that will be protected by
mod_osso. See the Oracle Application Server Single Sign-On Administrator's Guide for details about configuring
mod_osso with virtual hosts.
ssoreg to manually configure
mod_osso and the Oracle Single Sign-On server.
Restart Oracle HTTP Server (OHS) And OC4J_SECURITY.
Additional information about integrating Oracle Identity Federation with Oracle Single Sign-On appears in the Oracle Application Server Single Sign-On Administrator's Guide.
Perform a single sign-on (SSO) operation using SAML 2.0, Liberty, or WS-Federation protocols.
On the login page, bookmark the page.
Open a new browser instance and go to the bookmarked login page. Log in with valid user credentials.
The user will receive an error and SSO will fail.
Do not bookmark the login page. Oracle Identity Federation does not support the use of bookmarked login pages.
A SAML 1.x transfer URL is issued.
After waiting for the duration of the session timeout at the SP (set in OracleAS Single Sign-On and the Oracle Identity Federation administration console), reissue the same transfer URL in the same browser instance and log in again.
An internal server error is seen, or unusual redirection behavior may be observed.
When a resource is protected by OracleAS Single Sign-On and configured to use Oracle Identity Federation authentication, the only protocols that the OracleAS Single Sign-On server can initiate for authentication are Liberty 1.x and SAML 2.0. Consider a user who is authenticated using SAML 1.x or WS-Federation protocols, and who obtains access to such a resource. When its session times out, OracleAS Single Sign-On will redirect the user to Oracle Identity Federation for authentication using Liberty 1.x or SAML 2.0, which may result in server errors if the protocols are not configured, or unexpected redirection as the user is redirected to an IdP different from the SAML 1.x or WS-Federation login.
The immediate workaround is to close the browser instance and reissue the SAML 1.x SSO request in a new browser instance.
For a permanent solution, configure OracleAS Single Sign-On so that, when a user is authenticated by SAML 1.x/WS-Fed protocols, and accesses a resource protected by OracleAS Single Sign-On, when the session times out, the user is redirected back to OracleAS Single Sign-On for local authentication:
Protect all the partner applications with the default OracleAS Single Sign-On server authentication plugin.
Configure the SASSO authentication plugin to have a higher security level than the OracleAS Single Sign-On server plugin.
The Access Server SDK specifies a certain user under whom the AccessGate runs.
Oracle Identity Federation is installed on the Linux or Solaris platform under a different user.
When you apply the AccessGate configuration page for the Oracle Access Manager user data store, you receive the error:
AccessGate configuration failed. Reason: Preparing to connect to Access
Server. Please wait. Error: Permission denied.
This error results from having different owners for the Oracle Identity Federation and Access Server SDK installations.
When Oracle Identity Federation is installed on Linux or Solaris, ensure that the AccessServerSDK files, installed at
ORACLE_HOME/fed/shareid, have the same owner and group as the Oracle Identity Federation installation.
AccessGate configuration failed. Reason: Preparing to connect to Access Server. Please wait. Client authentication failed, please verify your AccessGate ID.
The problem also occurs when the AccessGate ID contains non-ASCII Latin-1 characters (for example, "Ådmïn").
Use only ASCII characters in the AccessGate ID for the Oracle Identity Federation AccessGate.
This problem may be due to an incorrect setting for the
LD_ASSUME_KERNEL environment variable. This variable must be set to
2.4.19, because the Access Server SDK supports the Linux threading model and not the native posix thread library (NPTL).
For example, if
LD_ASSUME_KERNEL is not set, you may see this type of error in the Oracle Identity Federation
06/06/15 10:05:22: ERROR ShareIDLogger - ObRareqService: EXCEPTION during initialization: (SVX001) com.oblix.access.ObAccessException: Env variable LD_ASSUME_KERNEL not set to 2.4.19. at com.oblix.access.ObConfig.jni_initialize(Native Method) ...
An "internal server error" message may also be displayed at the user's browser.
Refer to "Integrate Oracle Identity Federation and Oracle Access Manager". Step 3 describes how to set
LD_ASSUME_KERNEL using the AccessServerSDK installer.
If your configuration involves two providers with Oracle Access Manager back-ends (IdP and SP2, for example), and both instances are using the same cookie domain, you may see an error when attempting single sign-on. The error message in the log file looks like this:
06/05/21 01:24:40: ERROR - COREID BRIDGE: ERROR The session token loggedoutcontinue is invalid: com.oblix.access.ObAccessException: Session token passed to the ObUserSession constructor is null or invalid. (NBE006)
This problem occurs when multiple Oracle Access Manager providers are using the same cookie domain.
You can resolve the issue by changing the Oracle Access Manager instances to use different cookie domains, or by using a different back-end (such as an LDAP back-end) at the IdP.
Note:Some issues listed in this section may have a system-wide impact on the Oracle Identity Federation server, while others may only impact a specific component such as a particular federation partner.
java.net.SocketException: Too many open files
This error occurs when the file descriptor limit is reached.
Increase the file descriptor limit, which is specified in the
/etc/security/limits.conf configuration file.
Note:If no file descriptor limit is defined, the server uses a default value of 1024.
In this example, the file descriptor limit is being set to a value of 16K:
soft nofile 16384
hard nofile 16384
Reboot the machine after changing the value.
When searching for information in an Active Directory environment that is configured for LDAP referrals, the referrals fail if the host being referred to is in a different domain than the Active Directory server.
When a user requests a resource, at times verification of the user's identity can fail due to an inability to validate the user's identity in the directory. This error can occur in an Active Directory environment when the user's browser runs on a non-Windows computer, or if the user's browser runs on a Windows computer that is not in the Active Directory server domain.
This problem can arise due to LDAP referral chasing. An LDAP referral occurs when a domain controller does not have the section of the directory tree where a requested object resides. The domain controller refers the client to another destination so that the client can conduct a DNS search for another domain controller. If the client is configured to chase referrals, the search can continue.
For the scenario where the user has a Windows-based computer, an issue can occur with LDAP referrals if the client's domain controller does not have a trust relationship with the Active Directory domain controller.
If you encounter this issue, add the entry for the Active Directory host's address in the following list:
On Windows XP, the list is located here:
On a Unix-based system, add this entry to the
/etc/hosts file, using the format:
AD_host_name is the host name specified in the referral, for example:
Set up Oracle SmartMarks at source and destination sites; that is, enable Oracle SmartMarks in domain entries and enter the transfer query string in the source domain at the destination site.
Issue a SAML 1.x transfer URL. For example:
Close the browser and open a new browser instance.
Attempt to access the protected resource directly:
Enter valid credentials (username and password) when redirected to the source site for authentication.
After logging in, you get a
404 error instead of access to the protected resource.
This problem may occur due to the use of an incorrect transfer query string.
Check that the transfer query string does not include the actual target after the
For example, this is an incorrect transfer query string:
And this is the correct transfer query string:
The user should clear any ObSAMLDomain cookies set in the browser.
Accessing WS-Federation protected resources directly is not supported if the SP is using an OracleAS Single Sign-On back-end. Users should not bookmark and later attempt to access the resource in this scenario.
This section contains issues related to the Oracle Identity Federation administration console.
When performing a federated single sign-on using Oracle Identity Federation, where the user authenticates using OracleAS Single Sign-On, it is not possible to access the Oracle Identity Federation administration or monitoring console; access is denied, and authentication fails.
The Oracle Identity Federation consoles are protected by the JAZN module. This problem can be caused by a role conflict between OracleAS Single Sign-On and the JAZN module.
There are two possible solutions: for an immediate resolution, access the Administration or Monitoring console in a clean browser instance. For a durable solution, configure the administration and monitoring consoles to be protected by OracleAS Single Sign-On.
Take these steps to protect the consoles using OracleAS Single Sign-On:
Log on to the Oracle Enterprise Manager 10g Application Server Control Console.
At the console, navigate to OC4J_FED - > Applications - > fed or fedmon - > General.
Select "Use JAZN LDAP User Manager" which contains the Oracle Internet Directory location.
Go to OC4J_FED - > Applications - > fed or fedmon - > Security.
Click Map Role To Principals.
Select user(s) or group(s) from the LDAP server that will have access to the console.
Restart the OC4J_FED instance.
A user attempting to access the console will now be redirected to the OracleAS Single Sign-On server for authentication.