11 Oracle Identity Management Integration

This chapter describes issues associated with Oracle Identity Management integrations. It contains the following topics:

11.1 Integrating Access Manager and Oracle Adaptive Access Manager

This section contains issues related to the integration of Oracle Access Management Access Manager with Oracle Adaptive Access Manager. It contains the following topics:

11.1.1 The setupOAMTAPIntegration Script Fails with Permissions Issues

During the integration of Access Manager and Oracle Adaptive Access Manager, you must provide the WebLogic/WebSphere Admin user name and password when running the setupOAMTAPIntegration script to configure Access Manager for TAP integration. If you provide the OAAM Admin user name and password, the script fails because the OAAM Admin user does not have the permissions required to run the script.

Also, the following misleading FileNotFoundException message is displayed instead of an error stating that the user name or password is incorrect:

java.io.FileNotFoundException: .\config\jps-config.xml

If valid data is provided, the script works as expected.

11.1.2 Login to a Protected Resource May Fail in an Access Manager Release 2 PS2 and Oracle Adaptive Access Manager Release 2 TAP Integrated Environment

Login to a protected resource may fail with an invalid class exception in an Access Manager Release 2 PS2 and Oracle Adaptive Access Manager Release 2 TAP integrated environment if a user session is still active prior to the Access Manager upgrade from Release 2 to Release 2 PS2 and the pre-upgrade session information is used post-upgrade. For the integration to work properly, before shutting down or starting the servers prior to the upgrade, you must stop all existing stale pre-upgrade sessions by clicking Delete All User Sessions in the Session Management page. For more information about session management, refer to the "About the Session Management Page" section in the "Managing Sessions" chapter of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2.

11.1.3 Lock User is Unable to Unlock Self in an Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager Integrated Environment

In an Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integrated environment, when an end user has been locked in OIM and LDAP after entering multiple incorrect passwords and then provides valid credentials on the OAAM login page, the user is denied access and an error message similar to the following is displayed:

User account is disabled. Please contact customer service

The locked user is not redirected to an account locked page with the Forgot your password link that enables him to use the Forgot Password flow to unlock himself. In an Access Manager and Oracle Identity Manager integrated environment, the locked user is redirected to an account locked page with the Forgot your password link available to him.

11.1.4 Invalid Class Exception When Password Policy Fails

In an OAAM 11g Release 1 PS2 (11.1.1.3) and OIM 11g Release 2 PS1 (11.1.2.1) or OAAM Release 2 PS1 (11.1.2.1) and OIM Release 1 PS2 (11.1.1.3) integrated environment, when the end user enters a password that violates the default password policy in the Expired, Forgot, or Change Password flow, the following message is displayed:

An error occurred while attempting to change your password. Please try again

An invalid class exception similar to the following is written to the error log file:

<Apr 13, 2013 5:06:09 AM CST> <Error> <oracle.oaam> <BEA-000000> <failed to changePassword(john.doe@example.com)
javax.ejb.EJBException: Problem deserializing error response; nested exception is:
java.io.InvalidClassException: oracle.iam.identity.exception.IdentityException; local class incompatible: stream classdesc serialVersionUID = 1935467088360363654, local class serialVersionUID = -7391301560574640548; nested exception is:
java.io.InvalidClassException: oracle.iam.identity.exception.IdentityException; local class incompatible: stream classdesc serialVersionUID = 1935467088360363654, local class serialVersionUID = -7391301560574640548
        at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.unwrapRemoteException(RemoteBusinessIntfProxy.java:121)
        at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:96)
        at $Proxy163.changePasswordx(Unknown Source)
        at oracle.iam.identity.usermgmt.api.UserManagerDelegate.changePassword(Unknown Source)
        ...etc
Caused By: java.io.InvalidClassException: oracle.iam.identity.exception.IdentityException; local class incompatible: stream classdesc serialVersionUID = 1935467088360363654, local class serialVersionUID = -7391301560574640548
        at java.io.ObjectStreamClass.initNonProxy(ObjectStreamClass.java:562)
        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1582)
        ...etc

The password related flows work if a valid password that adheres to the defined password policy is provided. The error does not affect the flow.
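When triaging this issue it helps to confirm from the log that the failure really is a serialVersionUID mismatch between the OIM classes on the two sides, rather than some other deserialization error. The following is an added example (not Oracle code) that scans WebLogic log text for InvalidClassException details, undoes the line wrapping seen above, and reports each affected class once; the sample log is a constructed excerpt based on the trace in this section.

```python
import re
from dataclasses import dataclass

# Matches the InvalidClassException detail as WebLogic prints it. The text is
# often wrapped across several lines in the log, so the caller flattens
# whitespace before matching.
_MISMATCH = re.compile(
    r"java\.io\.InvalidClassException:\s*(?P<cls>[\w.$]+);\s*local class incompatible:\s*"
    r"stream classdesc serialVersionUID = (?P<stream>-?\d+),\s*"
    r"local class serialVersionUID = (?P<local>-?\d+)"
)


@dataclass(frozen=True)
class SerialMismatch:
    cls: str         # fully qualified class name that failed to deserialize
    stream_uid: int  # serialVersionUID written by the remote (sending) side
    local_uid: int   # serialVersionUID of the class loaded locally


def find_serial_mismatches(log_text: str) -> list[SerialMismatch]:
    """Return each distinct class whose serialVersionUID differs between the
    serialized stream and the local class, in order of first appearance.
    Nested and 'Caused By' repetitions of the same mismatch are collapsed."""
    flat = re.sub(r"\s+", " ", log_text)  # undo log line wrapping
    found: list[SerialMismatch] = []
    for m in _MISMATCH.finditer(flat):
        hit = SerialMismatch(m["cls"], int(m["stream"]), int(m["local"]))
        if hit.stream_uid != hit.local_uid and hit not in found:
            found.append(hit)
    return found


# Constructed sample, condensed from the log excerpt in this section.
SAMPLE_LOG = """\
<Apr 13, 2013 5:06:09 AM CST> <Error> <oracle.oaam> <BEA-000000>
<failed to changePassword(john.doe@example.com)
javax.ejb.EJBException: Problem deserializing error response; nested
exception is:
java.io.InvalidClassException:
oracle.iam.identity.exception.IdentityException; local class incompatible:
stream classdesc serialVersionUID = 1935467088360363654, local class
serialVersionUID = -7391301560574640548
Caused By: java.io.InvalidClassException:
oracle.iam.identity.exception.IdentityException; local class incompatible:
stream classdesc serialVersionUID = 1935467088360363654, local class
serialVersionUID = -7391301560574640548
"""

if __name__ == "__main__":
    for hit in find_serial_mismatches(SAMPLE_LOG):
        print(f"{hit.cls}: stream {hit.stream_uid} != local {hit.local_uid}")
```

A non-empty result confirms a class-version mismatch between the OAAM and OIM installations; an empty result on a log that still shows EJBException points at a different deserialization problem.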

11.1.5 User Unlock Exception Occurs in Change Password/Forgot Password Flow

In an Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integrated environment, during the Change Password/Forgot Password flow, a UserUnlockException error is shown even though the flow completes successfully.

11.1.6 ChangePassword.credentials.enum Not Found Error Occurs in Change Password Flow

In an Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integrated environment, during the Change Password flow, a ChangePassword.credentials.enum not found error is shown even though the flow completes successfully.

11.1.7 Access Manager and Oracle Adaptive Access Manager Integrations Using OAAMBasic and OAAMAdvanced Schemes Deprecated

Oracle Access Management Access Manager and Oracle Adaptive Access Manager integrations using OAAMBasic and OAAMAdvanced authentication schemes are deprecated starting with 11.1.2.2 and will be desupported in 12.1.4 and future releases. The recommendation is to use the Oracle Access Management Access Manager and Oracle Adaptive Access Manager integration using Trusted Authentication Protocol (TAP) instead of OAAMBasic and OAAMAdvanced integrations. For information about Access Manager and Oracle Adaptive Access Manager integration using TAP, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

11.1.8 Multiple Sessions Created Instead of Unified Session for an Access Manager - OAAM TAP Integrated Environment

In an Access Manager and OAAM integrated environment, multiple sessions were created for a particular user instead of a single unified session. As a result, the session count for the user increased until it reached the configured maximum, and over time this produced orphaned sessions. To work around this issue, set the following OAAM property:

oaam.uio.oam.authenticate.withoutsession=false

11.2 Natively Integrating Oracle Adaptive Access Manager

This section contains issues related to OAAM native integration. It contains the following topic:

11.2.1 generateOTP() API Has Been Deprecated

The generateOTP() API has been deprecated in the OAAM Java and SOAP APIs. Use the getOTPCode() API instead when writing your production code. For details on how to use the getOTPCode() API, see the Oracle Fusion Middleware Java API Reference for Oracle Adaptive Access Manager.

11.3 Documentation Errata

This section contains the following documentation errata for the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

11.3.1 Remove oaam.oim.passwordflow.unlockuser Property from the Documentation

In the Access Manager-OAAM-OIM integration, the oaam.oim.passwordflow.unlockuser property is no longer needed and should be removed from Section 3.8.2, Table 3-7 of the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

11.3.2 The oaam.uio.oam.authenticate.withoutsession Property Setting

In Section C.7.4.4, change "For Access Management 11g Release 1 (11.1.1) and earlier: oaam.uio.oam.authenticate.withoutsession = false" to "For Access Management 11g: oaam.uio.oam.authenticate.withoutsession = false." This setting applies to all 11g releases.