This chapter describes issues associated with Oracle Access Management.
It includes the following topics:
This section describes general issues and workarounds organized by specific Access Manager services. If you do not find a service-related topic (Access Portal, for example), there are no general issues at this time.
This topic describes general issues and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following topics.
10G & 32 BIT 11G WebGates Not Supported with SHA1/SHA2 Certificates (Cert Mode)
SSO Global Logout Fails With Resource Secured By Public Policy
Behavior Impact for Non-OIC (Oracle Identity Connect) Clients
Specify Registered/Allowed Grant Types to Request OAuth Token
IdmConfigTool Creates Weblogic Authentication Provider With Invalid Configuration
OAM 11.1.2.2 WebGate Agents Not Supported with OAM 11.1.2.3 Server
Oracle Access Management Console Only Displays 1000 Users in Search
Anonymous User Must be Defined in Integrated OAM-OAAM Environment
Names of Certain Access Manager Artifacts Will Not Be Localized
Partial String + Wild Card (*) Doesn't Work with Authorization Rules Search
No Error Message Displayed When Login Page is Tunneled for DCC
DCC Webgate Must be Configured to Tunnel when Using Federation
If the Oracle Access Management Access Manager 11.1.2.3.0 server is configured in Cert mode with a SHA1/SHA2 certificate, 10g WebGates and 32-bit 11.1.2.1.0/11.1.2.2.0 WebGates are not supported.
A login issue occurs with Active Directory when using an SSL connection. The current workaround for this is to use a non-SSL port for the ActiveDirectoryAuthenticator.
SSO global logout fails if one of the participating resources is secured by OAM public policy. When Enterprise Content Management PS7 is used with OAM R2PS2 and the OAM ID Asserter is added as the authentication provider in which the action type is defined as an OAM_IDENTITY_ASSERTION token (rather than OAM_REMOTE_USER), SSO global logout fails.
When a user is authenticated with any Authentication Scheme using the LDAPNoPasswordModule Authentication Module, an authentication level of "0" is set for the user irrespective of the authentication level defined in the Authentication Scheme.
The registered/allowed grant types must be specified when an OAuth token is requested.
By default, idmConfigTool -configOAM creates a WebLogic Authentication Provider with the following parameters:
Static Group Object Class = groupofnames
Static Member DN Attribute = member
Static Group DNs from Member DN Filter = (&(member=%M)(objectclass=groupofnames))
If your Oracle Unified Directory (OUD) uses groupofuniquenames to define groups and uniquemember to define group members, these values must be changed explicitly in the WebLogic Authentication Provider for OUD.
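The following is an added example, not part of the Oracle release notes or of any Oracle tool. It uses a small evaluator for the filter syntax these provider settings rely on to show why the default values written by idmConfigTool -configOAM resolve no group memberships against an OUD that stores groups as groupofuniquenames with uniquemember values, and why the corrected values do. The directory entries are constructed sample data, the provider dictionaries use the display names from the note above as keys, and provider_fits_directory is a hypothetical sanity check, not an Oracle or WebLogic API.

```python
"""Added example (not Oracle code): shows the effect of the WebLogic
Authentication Provider group settings on membership resolution against
an OUD-style directory. All entries below are constructed sample data."""

# Provider parameters exactly as the release note says idmConfigTool writes them.
DEFAULT_PROVIDER = {
    "Static Group Object Class": "groupofnames",
    "Static Member DN Attribute": "member",
    "Static Group DNs from Member DN Filter": "(&(member=%M)(objectclass=groupofnames))",
}

# The values the note says an OUD-backed deployment must set instead.
OUD_PROVIDER = {
    "Static Group Object Class": "groupofuniquenames",
    "Static Member DN Attribute": "uniquemember",
    "Static Group DNs from Member DN Filter": "(&(uniquemember=%M)(objectclass=groupofuniquenames))",
}

# Constructed sample directory: two OUD groups stored the way the note describes.
SAMPLE_DIRECTORY = [
    {
        "dn": "cn=OAMAdministrators,cn=Groups,dc=example,dc=com",
        "objectclass": ["top", "groupofuniquenames"],
        "uniquemember": ["uid=alice,cn=Users,dc=example,dc=com"],
    },
    {
        "dn": "cn=Auditors,cn=Groups,dc=example,dc=com",
        "objectclass": ["top", "groupofuniquenames"],
        "uniquemember": [
            "uid=alice,cn=Users,dc=example,dc=com",
            "uid=bob,cn=Users,dc=example,dc=com",
        ],
    },
]


def parse_filter(text):
    """Parse the subset of RFC 4515 filter syntax these providers use:
    (&...), (|...), (!...) and (attr=value). Returns a nested tuple."""

    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, children), i + 1
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")
        return ("=", attr.lower(), value), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry. Attribute names and values
    are compared case-insensitively, which is adequate for the DNs used here."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    children = node[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)


def groups_for_member(provider, member_dn, directory=SAMPLE_DIRECTORY):
    """Resolve a user's static groups the way the provider does: substitute
    %M in the member-DN filter with the user's DN and search for matches."""
    template = provider["Static Group DNs from Member DN Filter"]
    node = parse_filter(template.replace("%M", member_dn))
    return sorted(e["dn"] for e in directory if matches(node, e))


def provider_fits_directory(provider, directory=SAMPLE_DIRECTORY):
    """Hypothetical sanity check to run against an export of the group
    container: True when at least one group entry carries both the provider's
    group object class and its member attribute."""
    oc = provider["Static Group Object Class"].lower()
    attr = provider["Static Member DN Attribute"].lower()
    return any(
        oc in [v.lower() for v in e.get("objectclass", [])] and attr in e
        for e in directory
    )


if __name__ == "__main__":
    alice = "uid=alice,cn=Users,dc=example,dc=com"
    for name, provider in (("default", DEFAULT_PROVIDER), ("OUD", OUD_PROVIDER)):
        print(name, provider_fits_directory(provider), groups_for_member(provider, alice))
```

With the default settings alice resolves to no groups at all, so any WebLogic role or OAM policy that depends on group membership silently fails for every user; with the OUD settings her two groups are returned. The provider_fits_directory check is the quickest way to catch the mismatch before users report access problems.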
After the OAM server is upgraded to 11.1.2.3, the 11.1.1.6 orapki library is no longer available to insert certificates in OAM 11.1.2.2 WebGate agents.
WORKAROUND: After upgrading to OAM 11.1.2.3, run the following command to convert the wallet to a version compatible with components of 11.1.2.3.
orapki wallet convert [-wallet [wallet]] [-auto_login_only]
As of this 11.1.2.3.0 release, the Access SDK client only needs to have oamasdk-api.jar in the classpath. This enhancement resulted in a documentation change. See Section 5.4.2.1, "Access SDK Documentation Update."
When you search users in the identity store using the Oracle Access Management Console (Configuration -> Administration -> User search), a maximum of 1000 users is displayed even when the result contains more than 1000 users.
Anonymous must be defined as a user in the default UID when coexistence and Multi-Data Center is enabled in an integrated OAM-OAAM environment.
Because they are values and not strings that can be translated, the names of Authentication Policies, Authentication Schemes, Authentication Modules and Authentication Plugins will not be localized.
WORKAROUND: These names can be edited.
A partial string paired with a wild card (*) does not work when searching Users or Groups in Authorization Rules. No error notification is thrown when this occurs.
Normally when the Coherence server is started in SSL mode, it comes up on port 9095. This issue is encountered if Access Manager finds 9095 in use and starts Coherence on 9096. To alleviate this, make sure that port 9095 is open for the Coherence server.
For an OAM-OAAM integrated environment (using TAP and the DCC) to work, the following configurations must be done.
Set the DCC app domain "/oam/**" to unprotected.
Set "/favicon.ico" as an excluded resource.
There is no globalization support for OTP mail in SFA. Although the mail subject and content can be edited in AdaptiveAuthenticationPlugin and AdaptiveAuthenticationModule, the edit applies to all users.
If using Active Directory as your identity store, change the group objectclass to "group" rather than the default "groupofuniquenames".
The Detached Credential Collector (DCC) HTTP Reverse Proxy feature was introduced in the 11.1.2.2.0 release. This DCC HTTP Reverse Proxy capability is different from the earlier DCC for HTTP-Basic/FORM-based login; the latter does not work for the Federation SSO flows (IdP or SP mode).
This topic describes general issues and workarounds for Oracle Access Management Security Token Service. There are none currently listed.
This topic describes general issues and workarounds for Oracle Access Management Identity Federation. There are none currently listed.
This topic describes general issues and workarounds for Oracle Access Management Mobile and Social. There are none currently listed.
This topic describes general issues and workarounds for Oracle Access Management Access Portal Service. It includes the following topics.
When an Administrator unchecks the delegation option using the Oracle Access Management Console, the Application can still be delegated. The workaround is to use the classic ESSO for enabling and disabling the delegation setting.
This section describes configurations and workarounds organized around specific services. The following topics are included:
This topic describes configurations and workarounds for Oracle Access Management Access Manager (Access Manager). It includes the following.
11.1.2.3 WebGate agents can send the execution context identifier (ECID) as the value of 'ECID-context' to the OAM server and receive a response containing the identifier in return. The ECID helps with end-to-end debugging of requests sent from the WebGate to OAM and of the responses returned. To enable ECID context, set the following user-defined parameter to true in the 11g WebGate profile.
sendECIDResponse=true
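As an added example, not part of the release notes or of any Oracle tool, the script below shows the end-to-end debugging the ECID enables: WebGate-side and OAM-server-side records are joined on the ECID, and requests for which the server never echoed an ECID are listed separately. The log lines and their key=value layout are constructed for the example and do not reproduce the real WebGate or OAM server log formats.

```python
"""Added example (not Oracle code): correlate WebGate and OAM server records
by ECID. Log lines and field layout are constructed, not real OAM formats."""
import re
from collections import defaultdict

# Constructed sample records. The "ecid" field stands in for the ECID-context
# value the WebGate sends and the server echoes when sendECIDResponse=true.
WEBGATE_LOG = """\
2015-06-01T10:00:01Z webgate host=www1 ecid=0000Kx1A req="GET /portal/index.html" status=200
2015-06-01T10:00:02Z webgate host=www1 ecid=0000Kx1B req="GET /portal/report.html" status=403
2015-06-01T10:00:03Z webgate host=www1 ecid=0000Kx1C req="GET /portal/help.html" status=200
"""

OAM_LOG = """\
2015-06-01T10:00:01Z oam_server1 ecid=0000Kx1A op=isAuthorized result=ALLOW policy=PortalPolicy
2015-06-01T10:00:02Z oam_server1 ecid=0000Kx1B op=isAuthorized result=DENY policy=ReportsPolicy
"""

# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one record into a dict of its key=value fields plus the timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["timestamp"] = timestamp
    return fields


def correlate(webgate_log, oam_log):
    """Return {ecid: {"webgate": [records], "server": [records]}} covering
    every ECID seen on either side."""
    joined = defaultdict(lambda: {"webgate": [], "server": []})
    for line in webgate_log.splitlines():
        record = parse_line(line)
        joined[record["ecid"]]["webgate"].append(record)
    for line in oam_log.splitlines():
        record = parse_line(line)
        joined[record["ecid"]]["server"].append(record)
    return dict(joined)


def server_decision(joined, ecid):
    """Server-side authorization result for one WebGate request, or None when
    no server record carries that ECID."""
    records = joined.get(ecid, {}).get("server", [])
    return records[0].get("result") if records else None


def unanswered_requests(joined):
    """ECIDs the WebGate logged that no server record echoes back; these are
    the requests that cannot be followed end to end."""
    return sorted(
        ecid for ecid, sides in joined.items() if sides["webgate"] and not sides["server"]
    )


if __name__ == "__main__":
    joined = correlate(WEBGATE_LOG, OAM_LOG)
    for ecid in sorted(joined):
        request = joined[ecid]["webgate"][0]["req"]
        print(ecid, request, "->", server_decision(joined, ecid))
    print("not traceable:", unanswered_requests(joined))
```

The 403 the WebGate returned for /portal/report.html lines up with the server's DENY under ReportsPolicy through the shared ECID, while /portal/help.html has no server record and is reported as not traceable, which is what a missing or disabled sendECIDResponse setting looks like in practice.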
Using the Oracle Access Management Console, create a server entry for the oam_policy_mgr1 node if it is targeted on a different machine than the AdminServer machine. Navigate through Configuration -> server instances from the Launch Pad. The hostname and port should match that of the oam_policy_mgr1 managed server node. Use the SSL Port, if enabled. The oam_policy_mgr1 node should only be started after creation of this server entry.
There are no configurations and workarounds for Oracle Access Management Security Token Service.
This topic describes configurations and workarounds for Oracle Access Management Identity Federation. It includes the following.
After Oracle Access Management is installed and configured with Mobile and Social, the Federation Service should be enabled but is not. To enable the Federation Service:
Log in to the Oracle Access Management Console as Administrator.
Navigate through Configuration to access the Available Services.
Disable and re-enable the Mobile and Social Service.
This action will enable the Federation Service.
There are no configurations and workarounds for Oracle Access Management Mobile and Social.
This section documents issues that affect the Oracle Access Management Console. It includes the following topics:
A WebGate is available for OHS 12c; however, the Oracle Access Management Console only lists 10g and 11g options. At this time, 12c WebGates should be configured as you would an 11g WebGate.
Oracle manuals describing and showing Oracle Access Management 11.1.2 and related services, including these Release Notes, incorrectly refer to the OAM Server (the former name of the Access Manager Server). However, in the next release of Oracle 11.1.2 books, the term OAM Server will be replaced by AM Server (Access Manager Server).
This section describes documentation errata for Oracle Access Management-specific manuals. It includes the following titles:
There are no documentation errata for Administrator's Guide for Oracle Access Management.
This topic describes modifications made to the Developer's Guide for Oracle Access Management.
Due to changes in the oam-java-asdk.zip, the About Installing Access SDK section in chapter 2 of the Developer's Guide for Oracle Access Management has been modified.