13 IdM Integration

This chapter contains release note items for Oracle Identity Management component integrations.

Topics include:

13.1 Configuration and Integration Issues and Workarounds

This section describes configuration and integration issues and their workarounds. It includes the following topics:

13.1.1 setupOAMTapIntegration.sh Fails to Run on OEL6

When the setup script setupOAMTapIntegration.sh is launched on the OEL 6 platform, it fails with the following error:

setupOAMTapIntegration.sh: line 13: source: setCliEnv.sh: file not found
-Djava.security.policy=conf/jmx.policy -classpath
oracle.oaam.integration.asa.IntegrationUtil setupOAMTapIntegration
readFromFile=conf/bharosa_properties/oaam_cli.properties
setupOAMTapIntegration.sh: line 21: -Djava.security.policy=conf/jmx.policy:
No such file or directory

The first line is the real failure: the script cannot source setCliEnv.sh, so the environment it sets up (including the Java command used on the following lines) is never defined, and the error on line 21 is the shell trying to run the bare Java arguments as a command. To resolve this problem, launch the script explicitly with bash from the CLI working directory:

bash script_filename
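The following script is an added example, not Oracle's script, that reproduces the "source: ...: file not found" failure with constructed stand-in files and shows why launching with bash fixes it. It assumes the failing host runs the script under a shell in POSIX mode (for example /bin/sh being bash in POSIX mode): in that mode bash's `source FILE` looks FILE up only in PATH and never in the current directory, so `source setCliEnv.sh` fails even though the file sits in the CLI working directory, whereas `bash script` (non-POSIX mode) falls back to the current directory. It also shows the portable alternative, sourcing the file as `. ./setCliEnv.sh`, which works in both modes.

```shell
#!/bin/sh
# Added example (not the OAAM CLI scripts): demonstrate the POSIX-mode `source`
# lookup failure and the "bash script" fix. All files created here are constructed
# stand-ins for setCliEnv.sh and setupOAMTapIntegration.sh.

# make_fixture: create a scratch CLI directory holding a stand-in setCliEnv.sh,
# a setup.sh that sources it by bare name (as setupOAMTapIntegration.sh does) and
# a setup_portable.sh that uses the POSIX-safe form ". ./setCliEnv.sh".
# Prints the directory path.
make_fixture() {
  dir=$(mktemp -d)
  printf '%s\n' 'CLI_READY=yes' > "$dir/setCliEnv.sh"
  printf '%s\n' 'source setCliEnv.sh' '[ "$CLI_READY" = yes ] || exit 2' > "$dir/setup.sh"
  printf '%s\n' '. ./setCliEnv.sh'   '[ "$CLI_READY" = yes ] || exit 2' > "$dir/setup_portable.sh"
  printf '%s' "$dir"
}

# run_with SHELL_CMD DIR SCRIPT: run DIR/SCRIPT under SHELL_CMD from inside DIR
# (so setCliEnv.sh is in the cwd, as on the real host) and print the exit status.
# $1 is deliberately unquoted so "bash --posix" splits into command and option.
run_with() {
  if ( cd "$2" && $1 "$3" >/dev/null 2>&1 ); then echo 0; else echo $?; fi
}

# Demo: the same script fails in POSIX mode and succeeds under plain bash;
# the portable form succeeds in both.
d=$(make_fixture)
echo "bash --posix setup.sh          -> exit $(run_with 'bash --posix' "$d" setup.sh)"
echo "bash setup.sh                  -> exit $(run_with bash "$d" setup.sh)"
echo "bash --posix setup_portable.sh -> exit $(run_with 'bash --posix' "$d" setup_portable.sh)"
rm -rf "$d"
```

If you cannot change how the script is launched, the same effect is obtained by editing the script to source setCliEnv.sh with an explicit path, since a name containing a slash is never looked up in PATH.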

13.1.2 Authentication Results in Two User Sessions

In an Access Manager-OAAM-OIM integrated environment, any authentication results in two user sessions being created in Oracle Access Management Access Manager (visible in Oracle Access Management Console under Session Management, and in the OAM_SESSIONS table in MDS).

One session is created by the IAMSuiteAgent (which is configured in OAAM as the Java agent as part of the OAAM-Access Manager configuration); and the other session is created by the actual WebGate within the Oracle HTTP Server (OHS) web tier.

13.1.3 Setting Up the CLI Environment in Access Manager-OAAM and Access Manager-OAAM-OIM Integrations

During the setup of Access Manager and Oracle Adaptive Access Manager, the setupOAMTapIntegration script fails with a NoClassDefFoundError. To work around this issue, when setting up the CLI environment in the Access Manager-OAAM and Access Manager-OAAM-OIM integrations, run the following command from the CLI working directory so that findjar.sh is executable:

chmod 750 findjar.sh

13.1.4 generateOTP() API Has Been Deprecated

The generateOTP() API has been deprecated in the OAAM Java and SOAP APIs. Use the getOTPCode() API instead in production code. For details on how to use the getOTPCode() API, see the Oracle Fusion Middleware Java API Reference for Oracle Adaptive Access Manager.

13.2 Documentation Errata

This section contains documentation errata and updates for the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite, Part Number E27123-01. Topics include:

13.2.1 Additional Properties for preConfigIDStore and prepareIDStore

This update applies to sections 2.4.1 preConfigIDStore Command and 2.4.2 prepareIDStore Command.

An additional property, IDSTORE_ADMIN_PORT, must be specified when using the preConfigIDStore command or the prepareIDStore command and the targeted identity store is an instance of Oracle Unified Directory (OUD). This property is required to connect to and configure the OUD identity store.

For example, you would set this property as follows in the properties file:

IDSTORE_ADMIN_PORT: 4444

Additionally, the properties IDSTORE_KEYSTORE_FILE and IDSTORE_KEYSTORE_PASSWORD must be set to establish the SSL connection to the OUD identity store. Note that the properties file then holds the keystore password in clear text, so restrict access to the file accordingly.
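As an added example (not part of the Oracle guide), the following pre-flight check verifies that a properties file destined for preConfigIDStore or prepareIDStore against OUD carries the three entries this erratum requires. It assumes the "KEY: value" line format shown above for the whole file; the host, port, path and password values in the sample are constructed and not from any real deployment.

```shell
#!/bin/sh
# Added example: pre-flight check for the OUD-specific identity-store properties.
# Assumption: idmConfigTool property files use "KEY: value" lines throughout,
# as in the IDSTORE_ADMIN_PORT example in this note. Sample values are constructed.

# write_sample_props FILE: write a constructed OUD identity-store properties file.
write_sample_props() {
  cat > "$1" <<'EOF'
IDSTORE_HOST: oud.example.com
IDSTORE_PORT: 1389
IDSTORE_ADMIN_PORT: 4444
IDSTORE_KEYSTORE_FILE: /u01/oud/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD: changeit
EOF
}

# prop FILE KEY: print the value of KEY (first match, empty if absent).
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# check_oud_props FILE: require IDSTORE_ADMIN_PORT, IDSTORE_KEYSTORE_FILE and
# IDSTORE_KEYSTORE_PASSWORD, and require the admin port to be numeric.
# Prints "OK" and returns 0, or prints "MISSING: ..." and returns 1.
check_oud_props() {
  missing=""
  for key in IDSTORE_ADMIN_PORT IDSTORE_KEYSTORE_FILE IDSTORE_KEYSTORE_PASSWORD; do
    [ -n "$(prop "$1" "$key")" ] || missing="$missing $key"
  done
  case "$(prop "$1" IDSTORE_ADMIN_PORT)" in
    *[!0-9]*) missing="$missing IDSTORE_ADMIN_PORT(not-numeric)" ;;
  esac
  if [ -z "$missing" ]; then
    echo OK
  else
    echo "MISSING:$missing"
    return 1
  fi
}

# Demo: a complete file passes; the same file without the admin port is rejected.
# The file carries the keystore password in clear text, hence the mode 600.
f=$(mktemp)
write_sample_props "$f"; chmod 600 "$f"
check_oud_props "$f"
grep -v '^IDSTORE_ADMIN_PORT' "$f" > "$f.noport"
check_oud_props "$f.noport" || echo "refusing to run prepareIDStore against OUD"
rm -f "$f" "$f.noport"
```

Run the check against the real properties file before invoking idmConfigTool; a missing IDSTORE_ADMIN_PORT otherwise only surfaces as a failed connection to the OUD administration port.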

13.2.2 Login through /oaam_server No Longer Works After OAAM and Access Manager TAPScheme Integration

This update applies to section 8.7 Troubleshooting Common Problems.

After a standard installation of both OAAM and Access Manager and then performing the OAAM and Access Manager TAPScheme integration steps, the URL /oaam_server is no longer able to authenticate any users.

When a user navigates to the URL and enters a user name, they are directed to the page where they enter the password. After submitting the password, the login fails and the following error is displayed:

Error Sorry, the identification you entered was not recognized. Please try again

There is no workaround. The URL /oaam_server is not intended for use with the OAAM and Access Manager integration using the TAP scheme. The URL is used only for testing the OAAM configuration before proceeding with the integration steps. After integration, end users should not have direct access to the OAAM Server; authentication goes through Access Manager.

13.2.3 Incorrect Setting for bharosa.uio.proxy.mode.flag Causes OAAM and Access Manager 11g Integration to Fail

This update applies to section 8.7 Troubleshooting Common Problems.

OAAM and Access Manager integration using TAP fails with the following message:

Sorry, the identification you entered was not recognized.

The integration fails when you integrate Access Manager with OAAM using TAP, also customize OAAM through the OAAM extensions shared library, and set the property bharosa.uio.proxy.mode.flag to true. When you integrate using TAP and customize using the shared library, you must set the property to false.

13.2.4 IDContext Claims in the Access Manager-OAAM TAP Integration

To use IDContext claims in the Access Manager and OAAM TAP integration, follow these steps:

  1. In <Domain-home>/config/fmw-config/oam-config.xml, search for the setting with the TAP partner name. You would have specified the TAP Partner name while registering the TAP partner for Access Manager. For example, OAAMPartner. Change the OAAM partner's TapTokenVersion from v2.0 to v2.1.

  2. Change the version setting on the OAAM side from v2.0 to v2.1 by adding/editing a property through the OAAM Admin Console. To do this, proceed as follows:

    1. Log in to the OAAM Admin Console.

    2. In the navigation tree, click Environment and double-click Properties. The Properties search page is displayed.

    3. Search for property with name oaam.uio.oam.dap_token.version and set its value to v2.1.

    4. In case the property does not exist, add a new property with the name oaam.uio.oam.dap_token.version and the value as v2.1.

  3. In the TAP Scheme of the Access Management policy, add the following challenge parameter: TAPOverrideResource=http://IAMSuiteAgent:80/oamTAPAuthenticate. To do that, proceed as follows:

    1. Log in to the Oracle Access Management Console.

    2. Click the Policy Configuration tab to the left of the screen.

    3. In the navigator tree, expand the Authentication Schemes node.

    4. Double-click TAPScheme authentication scheme.

    5. To add a parameter after the existing ones, place the cursor at the end of the Challenge Parameter field and press Enter.

    6. In the new line, add TAPOverrideResource=http://IAMSuiteAgent:80/oamTAPAuthenticate for a challenge parameter of TAPScheme.

13.2.5 OAAM Password Length Limited to 25 Characters

When a user logs in to the OAAM Server for the first time and enters a password longer than 25 characters, the user is returned to the user name page with an error that the password was invalid.

OAAM accepts passwords of at most 25 characters.

To work around this issue, update the character limit specified by the following property in the oaam_cli.properties file:

bharosa.authentipad.textpad.datafield.maxLength

For existing deployments, you can update this property value using the OAAM Administration Console or the shared library.