This chapter describes issues associated with Oracle Identity Management integrations.
Oracle Identity Management consists of a number of products, which can be used either individually or collectively.
This chapter contains the following topics:
Integrating Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager
Integrating Access Manager and Oracle Adaptive Access Manager
This section contains issues related to the integration of Oracle Access Management Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager. It contains the following topics:
Section 11.1.2, "Invalid Class Exception When Password Policy Fails"
Section 11.1.4, "Forgot Password Link Is Available to Users that are not Registered"
In an Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager integrated environment, when an end user's account has been locked in OIM and LDAP after multiple incorrect passwords, and that user then provides valid credentials on the OAAM login page, access is denied and an error message similar to the following is displayed:
Sorry, the identification you entered was not recognized. Please try again.
The locked user is not redirected to an account locked page with the Forgot your password link that enables him to use the Forgot Password flow to unlock himself. To perform self unlock, the user must click the Forgot Password link in the Password input page.
In an Access Manager and Oracle Identity Manager integrated environment, the locked user is redirected to an account locked page with the Forgot your password link available to him.
In an OAAM 11g Release 1 PS2 (11.1.1.3) and OIM 11g Release 2 PS1 (11.1.2.1) integrated environment or OAAM Release 2 PS1 (11.1.2.1) and OIM Release 1 PS2 (11.1.1.3) integrated environment, when the end user enters a password that violates the default password policy in the Expired, Forgot, or Change Password flow, the following message is displayed:
An error occurred while attempting to change your password. Please try again
An invalid class exception similar to the following example is shown in error log file:
<Apr 13, 2013 5:06:09 AM CST> <Error> <oracle.oaam> <BEA-000000> <failed to changePassword(john.doe@example.com)
javax.ejb.EJBException: Problem deserializing error response; nested exception is:
    java.io.InvalidClassException: oracle.iam.identity.exception.IdentityException; local class incompatible: stream classdesc serialVersionUID = 1935467088360363654, local class serialVersionUID = -7391301560574640548; nested exception is:
    java.io.InvalidClassException: oracle.iam.identity.exception.IdentityException; local class incompatible: stream classdesc serialVersionUID = 1935467088360363654, local class serialVersionUID = -7391301560574640548
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.unwrapRemoteException(RemoteBusinessIntfProxy.java:121)
    at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:96)
    at $Proxy163.changePasswordx(Unknown Source)
    at oracle.iam.identity.usermgmt.api.UserManagerDelegate.changePassword(Unknown Source)
    ...etc
Caused By: java.io.InvalidClassException: oracle.iam.identity.exception.IdentityException; local class incompatible: stream classdesc serialVersionUID = 1935467088360363654, local class serialVersionUID = -7391301560574640548
    at java.io.ObjectStreamClass.initNonProxy(ObjectStreamClass.java:562)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1582)
    ...etc
The password-related flows work if a valid password that adheres to the defined password policy is provided. The error does not affect the flow.
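Because the release note states that this mismatch is harmless, operators reviewing OAAM error logs mainly need to tell it apart from any other deserialization failure. The following Python is an added example, not part of the Oracle documentation: it extracts the class name and the two serialVersionUID values from InvalidClassException lines and separates the documented benign mismatch from anything else. The sample log text is constructed from the entry shown above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the OAAM error-log entry quoted above (values copied from
# the page, surrounding stack frames trimmed; this is not a real capture).
SAMPLE_LOG = """<Apr 13, 2013 5:06:09 AM CST> <Error> <oracle.oaam> <BEA-000000> <failed to changePassword(john.doe@example.com)
javax.ejb.EJBException: Problem deserializing error response; nested exception is:
java.io.InvalidClassException: oracle.iam.identity.exception.IdentityException; local class incompatible: stream classdesc serialVersionUID = 1935467088360363654, local class serialVersionUID = -7391301560574640548; nested exception is:
java.io.InvalidClassException: oracle.iam.identity.exception.IdentityException; local class incompatible: stream classdesc serialVersionUID = 1935467088360363654, local class serialVersionUID = -7391301560574640548
Caused By: java.io.InvalidClassException: oracle.iam.identity.exception.IdentityException; local class incompatible: stream classdesc serialVersionUID = 1935467088360363654, local class serialVersionUID = -7391301560574640548
"""

# Message format the JDK uses for a serialVersionUID mismatch.
MISMATCH_RE = re.compile(
    r"InvalidClassException: (?P<cls>[\w.$]+); local class incompatible: "
    r"stream classdesc serialVersionUID = (?P<stream>-?\d+), "
    r"local class serialVersionUID = (?P<local>-?\d+)"
)

# The one mismatch this release note documents as not affecting the flow.
KNOWN_BENIGN = (
    "oracle.iam.identity.exception.IdentityException",
    1935467088360363654,
    -7391301560574640548,
)

Mismatch = Tuple[str, int, int]


def serial_mismatches(log_text: str) -> List[Mismatch]:
    """Return distinct (class, stream uid, local uid) triples in order of first appearance."""
    seen: List[Mismatch] = []
    for m in MISMATCH_RE.finditer(log_text):
        triple = (m.group("cls"), int(m.group("stream")), int(m.group("local")))
        if triple not in seen:
            seen.append(triple)
    return seen


def triage(log_text: str) -> Dict[str, List[Mismatch]]:
    """Split mismatches into the documented benign one and anything that needs a look."""
    found = serial_mismatches(log_text)
    return {
        "known_benign": [t for t in found if t == KNOWN_BENIGN],
        "unexpected": [t for t in found if t != KNOWN_BENIGN],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("known benign:", result["known_benign"])
    print("unexpected:  ", result["unexpected"])
```

Any triple that lands in the "unexpected" bucket points at a class-version skew that the release note does not cover, which is worth checking against the deployed OIM and OAAM patch levels.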
OAAM Server treats a user who is disabled in the identity store as an invalid user. When such a user tries to log in through the OAAM Server, the user may see a message similar to the one displayed for an invalid user, such as the following example:
Sorry, the identification you entered was not recognized. Please try again
The OAAM password page shows a link to initiate the Forgot Password flow regardless of whether the user is registered.
This section contains issues related to the integration of Oracle Access Management Access Manager and Oracle Adaptive Access Manager. It contains the following topics:
Section 11.2.2, "OAAM Redirects from HTTPS to HTTP When Accessing an SSL-Protected Resource"
Section 11.2.3, "bharosa.uio.default.is_oam_integrated Must Be Set to False"
Oracle Access Management Access Manager and Oracle Adaptive Access Manager integrations using OAAMBasic and OAAMAdvanced authentication schemes are deprecated starting with 11.1.2.2 and will be desupported in 12.1.4 and future releases. The recommendation is to use the Oracle Access Management Access Manager and Oracle Adaptive Access Manager integration using Trusted Authentication Protocol (TAP) instead of OAAMBasic and OAAMAdvanced integrations. For information about Access Manager and Oracle Adaptive Access Manager integration using TAP, see Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.
In an OAAM and Access Manager integrated environment, when accessing an SSL-protected resource, OAAM redirects to the login page URL with the http protocol but with the SSL port, resulting in an error. This occurs when the OAAM Server is fronted by Oracle HTTP Server (OHS) using an SSL port and SSL terminates at Oracle HTTP Server.
To work around this issue:
Set the following properties (otherwise OAAM will redirect incorrectly to the HTTP port):
oaam.uio.oam.cookie.redirect.hostname.attribute=rh
oaam.uio.oam.cookie.redirect.path.attribute=ru
Note: These instructions only apply to integrations where TAPScheme is not used.
Add the following to the Oracle HTTP Server configuration file that contains the reverse proxy settings (example location: WEB_ORACLE_INSTANCE/config/OHS/component_name/moduleconf/sso_vh.conf):
######################################################
## Entries Required by Oracle Adaptive Access Manager
######################################################
<Location /oaam_server>
    SetHandler weblogic-handler
    WebLogicCluster OAMHOST1.mycompany.com:14300, OAMHOST2.mycompany.com:14300
    WLProxySSL ON
    WLProxySSLPassThrough ON
</Location>
Make sure the WebLogic SSL directives are in the sso_vh.conf file.
Because the Oracle HTTP Server acts as a proxy for WebLogic, by default certain CGI environment variables are not passed through to WebLogic. These include the host and port. You must tell WebLogic that it is using a virtual site name and port so that it can generate internal URLs appropriately. To do this:
Log in to the WebLogic administration console in the IAMAccessDomain at http://IADADMIN.mycompany.com/console
Select Clusters from the home page or, alternatively, select Environment -> Clusters from the Domain structure menu.
Click Lock and Edit in the Change Center Window to enable editing.
Click the Cluster Name (oaam_cluster).
Select HTTP and enter the following values:
Frontend Host: sso.mycompany.com (IAM_LOGIN_URI)
Frontend HTTP Port: 80 (HTTP_PORT)
Frontend HTTPS Port: 443 (HTTP_SSL_PORT)
This ensures that any HTTPS URLs created from within WebLogic are directed to port 443 on the load balancer.
Click Save.
Select Clusters from the home page or, alternatively, select Environment > Clusters from the Domain structure menu.
Click the Cluster Name (oaam_admin_cluster).
Select HTTP and enter the following values:
Frontend Host: IADADMIN.mycompany.com (IAD_DOMAIN_ADMIN_LBRVHN)
Frontend HTTP Port: 80 (HTTP_PORT)
Click Save.
Click Activate Changes in the Change Center window.
In the WebLogic administration console, click base_domain in the left-hand navigation and then click the Web Applications tab.
Scroll down toward the bottom and select the WebLogic Plugin Enabled option.
Click Save.
Log in to the Oracle Access Management Administration Console and check the Access Manager host details. Make sure the host points to the load balancer and is HTTPS.
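The workaround above has two halves: the OHS Location block must carry the WebLogic SSL directives, and the cluster must be told its public host and ports so that redirect URLs use https and the load-balancer port rather than http with the SSL port. The Python below is an added example and not Oracle's code: it parses an sso_vh.conf fragment and reports missing or mis-set directives, and it models the redirect-URL construction so the broken and fixed cases can be compared. The conf fragments are constructed from the block shown above, and the WL-Proxy-SSL header name and the URL-building logic are assumptions made for the model, not behaviour documented on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlunsplit

# Directives the instructions above require in the /oaam_server Location block.
REQUIRED = {
    "SetHandler": "weblogic-handler",
    "WLProxySSL": "ON",
    "WLProxySSLPassThrough": "ON",
}

# Constructed sso_vh.conf fragments (hostnames as on the page; not real files).
CONF_OK = """
######################################################
## Entries Required by Oracle Adaptive Access Manager
######################################################
<Location /oaam_server>
    SetHandler weblogic-handler
    WebLogicCluster OAMHOST1.mycompany.com:14300, OAMHOST2.mycompany.com:14300
    WLProxySSL ON
    WLProxySSLPassThrough ON
</Location>
"""

CONF_MISSING_SSL = """
<Location /oaam_server>
    SetHandler weblogic-handler
    WebLogicCluster OAMHOST1.mycompany.com:14300, OAMHOST2.mycompany.com:14300
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)


def parse_location_blocks(conf: str) -> Dict[str, Dict[str, str]]:
    """Map each <Location path> to its directives; comments and blank lines are skipped."""
    blocks: Dict[str, Dict[str, str]] = {}
    for path, body in LOCATION_RE.findall(conf):
        directives: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()
            if line:
                name, _, value = line.partition(" ")
                directives[name] = value.strip()
        blocks[path] = directives
    return blocks


def missing_directives(conf: str, location: str = "/oaam_server") -> List[str]:
    """Report required directives that are absent or mis-set in the given Location block."""
    block = parse_location_blocks(conf).get(location)
    if block is None:
        return [f"<Location {location}> not found"]
    problems: List[str] = []
    for name, expected in REQUIRED.items():
        actual = block.get(name)
        if actual is None:
            problems.append(f"{name} missing")
        elif actual.upper() != expected.upper():
            problems.append(f"{name} is {actual!r}, expected {expected!r}")
    if not any(k in block for k in ("WebLogicCluster", "WebLogicHost")):
        problems.append("no WebLogicCluster or WebLogicHost backend defined")
    return problems


@dataclass
class Frontend:
    """The cluster's Frontend Host / HTTP Port / HTTPS Port settings (host None = unset)."""
    host: Optional[str] = None
    http_port: int = 80
    https_port: int = 443


def login_redirect_url(wl_proxy_ssl: Optional[str], request_host: str, request_port: int,
                       frontend: Frontend, path: str = "/oaam_server/login") -> str:
    """Simplified model (an assumption, not WebLogic's own logic) of how the backend builds
    an absolute redirect URL. wl_proxy_ssl stands for the WL-Proxy-SSL header the plug-in
    adds when WLProxySSL is ON; without it the backend believes the request was plain HTTP."""
    secure = (wl_proxy_ssl or "").lower() == "true"
    scheme = "https" if secure else "http"
    if frontend.host:
        host = frontend.host
        port = frontend.https_port if secure else frontend.http_port
    else:
        host, port = request_host, request_port
    default_port = 443 if secure else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return urlunsplit((scheme, netloc, path, "", ""))


if __name__ == "__main__":
    print("conf problems:", missing_directives(CONF_MISSING_SSL))
    print("broken:", login_redirect_url(None, "sso.mycompany.com", 443, Frontend()))
    print("fixed: ", login_redirect_url("true", "OAMHOST1.mycompany.com", 14300,
                                        Frontend("sso.mycompany.com")))
```

The "broken" call reproduces the symptom in the release note (an http URL on port 443); the "fixed" call shows the same request after the SSL directive and the frontend host settings are both in place.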
In an Access Manager and Oracle Adaptive Access Manager 11g Release 2 (11.1.2.3) integrated environment, the property bharosa.uio.default.is_oam_integrated must be set to false.