9.2 Create User Identity Store

This page provides fields where you enter details for your store and default settings that you can edit for your environment. Click Create under OAM ID Stores to access this page.

The Create User Identity Store page is arranged in the following sections:

  • Location and Credentials

  • Users and Groups

  • Connection Details

  • Password Management

The following table describes the elements in the Create User Identity Store page:

Element Description

Store Name

Type a unique name for this registration; you can type up to 30 characters.

Store Type

Choose from the list of all supported LDAP providers.

Description

Type a short description for this Store Name.

Enable SSL

Select this box to enable SSL between the directory server and OAM Server.

Use Native ID Store Settings

Select this box to have the LDAP authentication module return the native authentication code for accounts that are locked, disabled, or flagged as password-must-change (pw_must_change) in the directory.

Prefetched Attributes

List of comma-separated user attributes.

For Example: e-mail, phone, mobile.

Note:

  • The OAM server will cache the list of user attributes in memory while it authenticates the user against the identity store. The cached values will be used to compute the Authentication policy conditions.

  • Prefetched attributes improve performance significantly by avoiding a round trip to the user identity store. The OAM Administrator must ensure that all user attributes used in Authentication and Authorization policy response headers and in Authorization conditions are defined as prefetched attributes in the user identity store profile.

Location and Credentials

The following table describes the elements in the Location and Credentials section of the Create User Identity Store page:

Element Description

Location

Provide the URL for the LDAP host, including the port number. Enter one or more LDAP URIs in host:port format; multiple URIs must be separated by a space or a new line. Oracle Access Management supports multiple LDAP URIs with failover capability: the Identity Assertion Provider fails over to the next LDAP URL in the order in which the URIs appear.

Note: The number of characters a supported URL can have is based on the browser version. Ensure that your applications do not use URIs that exceed the length that Oracle Access Management and the browser can handle.

Bind DN

Provide the user DN for the connection pool over which all other BINDs occur. Oracle recommends a non-administrator user with appropriate Read and Search privileges for the user and group base DNs.

For example: uid=amldapuser,ou=people,o=org

Password

Type a password for the Principal; it is stored encrypted.

Users and Groups

The following table describes the elements in the Users and Groups section of the Create User Identity Store page:

Element Description

Login ID Attribute

Enter the attribute that identifies the login ID (user name).

For example: uid.

User Password Attribute

Enter the attribute in the user identity store (LDAP directory) which stores the user's password. This is made configurable for added flexibility.

User Search Base

Provide the node in the directory information tree (DIT) under which user data is stored; this is the highest possible base for all user data searches.

For example: ou=people,ou=myrealm,dc=base_domain.

User Filter Object Classes

Enter the object classes to be included in search results for users, in a comma separated list of user object class names.

For example: user,person.

Group Name Attribute

Enter the attribute that identifies the group name.

Default: cn.

Group Search Base

Provide the node in the directory information tree (DIT) under which group data is stored; this is the highest possible base for all group data searches.

For example: ou=groups,ou=myrealm,dc=base_domain.

Group Filter Classes

Enter the object classes to be included in the search results for groups, in a comma-separated list of group object classes.

For Example: groups, groupOfNames.

Enable Group Membership Cache

Check this box to set the group cache value to true; leave it unchecked to set the group cache value to false.

Default: true.

Group Membership Cache Maximum Size

Enter an integer for the group cache size.

Default: 10000

Group Membership Cache Time to Live (in seconds)

Enter an integer (in seconds) for the Time to Live of group cache elements.

Default: 0
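As an added example (not OAM's own code) of how the Location, Login ID Attribute, User Filter Object Classes, Group Name Attribute and Group Filter Classes fields fit together: the Python below parses the Location value into its failover-ordered host:port list and builds the user and group lookup filters, escaping the looked-up value per RFC 4515 so a login ID cannot alter the filter structure. The filter shape is assumed for illustration; the page does not document the exact filter OAM issues.

```python
import re

# Constructed sample values mirroring the Location and Users and Groups
# fields on the Create User Identity Store page (not a real OAM config).
STORE = {
    "location": "ldap1.example.com:389\nldap2.example.com:389 ldap3.example.com:636",
    "login_id_attribute": "uid",
    "user_filter_object_classes": "user,person",
    "group_name_attribute": "cn",
    "group_filter_classes": "groups, groupOfNames",
}

_HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")

def parse_location(location):
    """Split the Location field (space- or newline-separated host:port entries)
    into a list whose order is the failover order; the first entry is primary."""
    uris = location.split()
    bad = [u for u in uris if not _HOSTPORT.match(u)]
    if bad:
        raise ValueError("not in host:port format: " + ", ".join(bad))
    return uris

def split_list(value):
    """Normalise a comma-separated field such as User Filter Object Classes."""
    return [v.strip() for v in value.split(",") if v.strip()]

def escape_filter_value(value):
    """RFC 4515 escaping, so a value typed at login cannot change the
    structure of the filter it is substituted into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _lookup_filter(attr, value, classes):
    # Assumed shape: the naming attribute must match and any configured
    # object class may match; OAM's exact filter is not documented here.
    oc = "".join("(objectClass=%s)" % c for c in classes)
    return "(&(%s=%s)(|%s))" % (attr, escape_filter_value(value), oc)

def user_search_filter(store, login_id):
    """Filter for a user lookup under User Search Base."""
    return _lookup_filter(store["login_id_attribute"], login_id,
                          split_list(store["user_filter_object_classes"]))

def group_search_filter(store, group_name):
    """Filter for a group lookup under Group Search Base."""
    return _lookup_filter(store["group_name_attribute"], group_name,
                          split_list(store["group_filter_classes"]))
```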

Connection Details

The following table describes the elements in the Connection Details section of the Create User Identity Store page:

Element Description

Minimum Pool Size

Set the smallest size for the connection pool.

Default: 10

Maximum Pool Size

Set the greatest size for the connection pool.

Default: 50

Wait Timeout (in seconds)

Set the number of seconds a connection request can wait before timing out when the pool is fully utilized.

Default: 120

Inactivity Timeout (in seconds)

Set the number of seconds a connection can remain inactive before timing out when the pool is fully utilized.

Results time limit (in seconds)

Set the time limit (in seconds) for LDAP searches and bind operations on the connection pool.

Default: 0

Retry Count

Enter an integer to set the number of times the connection is retried when there is a connection failure.

Default: 3

Referral Policy

Choose from the following options in the drop-down menu:

  • follow - Follows referrals during an LDAP search (Default).

  • ignore - Ignores referral entries during an LDAP search.

  • throw - Results in a Referral Exception, which can be caught by the component user.

Password Management

The following table describes the elements in the Password Management section of the Create User Identity Store page:

Element Description

Enable Password Management

Select to enable password policy enforcement against the attribute values. The corresponding options in the password policy must be configured as well.

Use Oblix User Schema

Select to enable the use of OBLIX schema instead of standard Oracle schema.

Global Common ID Attribute

Specify the User ID attribute name; this attribute is used as part of the password policy to check that the user ID is not part of the password.

First Name Attribute

Specify the First Name attribute; this attribute is used as part of the password policy to check that the user's first name is not part of the password.

Last Name Attribute

Specify the Last Name attribute; this attribute is used as part of the password policy to check that the user's last name is not part of the password.

Email Address Attribute

Currently not supported.
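An added illustration (not OAM's code) of the checks the Global Common ID, First Name and Last Name attributes feed: the configured attribute names are read from a user's LDAP entry and each value is tested against the candidate password. The case-insensitive substring match and the minimum value length are assumptions for this example, not documented OAM behaviour.

```python
# Constructed sample settings for the Password Management section: each
# entry maps a page field to the LDAP attribute configured for it.
PASSWORD_POLICY_ATTRS = {
    "Global Common ID Attribute": "uid",
    "First Name Attribute": "givenName",
    "Last Name Attribute": "sn",
    # "Email Address Attribute" is omitted: the page marks it unsupported.
}

def attribute_values_in_password(user_entry, password, attrs=PASSWORD_POLICY_ATTRS):
    """Return the page fields whose configured attribute value appears in the
    password. Assumed semantics (not taken from OAM): case-insensitive
    substring match, and values shorter than 3 characters are ignored so a
    two-letter surname does not reject every password containing it."""
    hits = []
    lowered = password.lower()
    for field, attr in attrs.items():
        for value in user_entry.get(attr, []):  # LDAP attributes are multi-valued
            if len(value) >= 3 and value.lower() in lowered:
                hits.append(field)
                break
    return hits

def password_allowed(user_entry, password, attrs=PASSWORD_POLICY_ATTRS):
    """This part of the policy passes only when no configured attribute hits."""
    return not attribute_values_in_password(user_entry, password, attrs)

# Constructed LDAP entry, with values as a directory would return them.
SAMPLE_USER = {"uid": ["jsmith"], "givenName": ["John"], "sn": ["Smith"]}
```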

Test Connection

Click to confirm connectivity, then close the confirmation window.

Apply

Click Apply to submit the registration.

Related Topics

Managing Data Sources in Administrator's Guide for Oracle Access Management.