2 Integrating Oracle Identity Governance and Oracle Access Manager Using LDAP Connectors
Integrate Oracle Identity Governance (OIG) and Oracle Access Manager (OAM) using LDAP Connectors. You can run an automated integration script to complete OIG-OAM integration or perform configuration operations individually. The script utilizes user-supplied values from property files to perform various configurations.
Note:
The exact details in this chapter may differ depending on your specific deployment. Adapt information as required for your environment. The integration instructions assume Identity Governance components have been configured on separate Oracle WebLogic domains, as discussed in About the Basic Integration Topology. For prerequisite and detailed information on how the components were installed and configured in this example integration, see Preparing to Install and Configure Oracle Identity and Access Management in Fusion Middleware Installing and Configuring Oracle Identity and Access Management.
If you are deploying Oracle Identity Governance components in an enterprise integration topology, as discussed in About the Basic Integration Topology, see Understanding an Enterprise Deployment in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity and Access Management for implementation procedures.
This chapter contains these sections:
- Overview of Oracle Identity Governance and Access Manager Integration
- Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Governance
- Configuring Oracle Identity Governance and Oracle Access Manager Integration
- Validating the Access Manager and Oracle Identity Governance Integration
- Troubleshooting Common Problems in Access Manager and OIM Integration
2.1 Overview of Oracle Identity Governance and Oracle Access Manager Integration
This integration scenario enables you to manage identities with Oracle Identity Governance and control access to resources with Oracle Access Manager. Oracle Identity Governance is a user provisioning and administration solution that automates user account management, whereas Access Manager provides a centralized and automated single sign-on (SSO) solution.
This section contains the following topics:
- About Integrating Oracle Identity Governance with Oracle Access Manager
- About Oracle Identity Governance and Oracle Access Manager Single-Node Integration Topology
- Prerequisites to Integrating Oracle Identity Governance and Oracle Access Manager
- Roadmap to Integrating Oracle Identity Governance and Oracle Access Manager
2.1.1 About Integrating Oracle Identity Governance with Oracle Access Manager
In the Oracle Access Manager (OAM) and Oracle Identity Governance (OIG) integration, users have the capability to:
- Create and reset the password without assistance for expired and forgotten passwords
- Recover passwords using challenge questions and answers
- Set up challenge questions and answers
- Perform self-service registration
- Perform self-service profile management
- Access multiple applications securely with one authentication step
2.1.2 About Oracle Identity Governance and Oracle Access Manager Single-Node Integration Topology
You must configure IdM components, Access Manager and Oracle Identity Governance, in separate WebLogic Server domains (split domain topology), as discussed in About the Basic Integration Topology, and separate Oracle Middleware homes. Otherwise, attempts to patch or upgrade one product may be blocked by a version dependency on a component shared with another. When you install Oracle Identity Governance components in a single WebLogic Server domain, there is a risk that the component (libraries, jars, utilities, and custom plug-ins) you are installing into the domain might not be compatible with other components, thereby resulting in problems across your entire domain.
Access Manager uses a database for policy data and a directory server for identity data. This integration scenario assumes a single directory server. The directory server must also be installed in a separate domain and a separate Middleware home as well.
Note:
The instructions in this chapter assume that you will use Oracle Unified Directory as the identity store.
2.1.3 Prerequisites to Integrating Oracle Identity Governance and Oracle Access Manager
Ensure the required environment is set and made available for the integration.
In the following sections it is assumed that the required components, as listed in Table 2-1, have already been installed, including any dependencies, and the environment is configured prior to the integration. See Understanding Oracle Identity Management Integration Topologies.
Note:
- Use 12.2.1.3.0 binaries for OAM and OIG.
- If you have OAM 11g or OIG 11g installed and not integrated, upgrade them to 12.2.1.3.0 before you begin the integration process.
- If you are upgrading from OIG 11.1.2.3 to OIG 12.2.1.3.1 with LDAP Synchronization enabled, continue to use LDAP Synchronization in 12.2.1.3.1 as well.
- Apply the OIG 12.2.1.3.1 patch before starting the integration process.
Table 2-1 Required Components for Integration Scenario
Component | Information |
---|---|
Oracle HTTP Server with OAM WebGate | Oracle HTTP Server with OAM WebGate is installed. |
Oracle SOA Suite | Oracle Identity Governance requires Oracle SOA Suite 12.2.1.3.0, which is exclusive to Oracle Identity and Access Management. SOA Suite is a prerequisite for Oracle Identity Governance and must be installed in the same domain as Oracle Identity Governance. If you use SOA Suite for other purposes, a separate install must be set up for running your own services, composites, BPEL processes, and so on. See Installing the Oracle Identity and Access Management Software in Installing and Configuring Oracle Identity and Access Management. |
Oracle Unified Directory | Oracle Unified Directory is installed. |
Access Manager | Access Manager is already installed. See Configuring Oracle Access Management in Installing and Configuring Oracle Identity and Access Management. |
Oracle Identity Governance | Oracle Identity Governance 12.2.1.3.0 is already installed and the 12.2.1.3.1 patch is applied. See Installing and Configuring Oracle Identity and Access Management and Configuring Oracle Identity Governance in Installing and Configuring Oracle Identity and Access Management. |
Environmental Variables | Set the environmental variables required for OIG-OAM integration. See Set Up Environment Variables for OIG-OAM Integration. |
2.1.4 Roadmap to Integrating Oracle Identity Governance and Oracle Access Manager
Table 2-2 lists the high-level tasks for integrating Access Manager and Oracle Identity Governance with Oracle Unified Directory.
Depending on your installation path, you may already have performed some of the integration procedures listed in this table. For details on the installation roadmap, see Understanding the Installation Roadmap.
Table 2-2 Integration Flow for Access Manager and Oracle Identity Governance
No. | Task | Information |
---|---|---|
1 | Verify that all required components have been installed and configured prior to integration. | See Prerequisites to Integrating Oracle Identity Governance and Oracle Access Manager |
2 | Configure the WebGate on the Oracle HTTP Server (OHS) to point to the 11g OAM Server. | See Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Governance |
3 | Integrate Access Manager and Oracle Identity Governance. | See Configuring Oracle Identity Governance and Oracle Access Manager Integration |
4 | Stop the Oracle WebLogic Server managed servers for Access Manager and Oracle Identity Governance. | See Starting and Stopping Admin Server in Administering Oracle Fusion Middleware |
5 | Test the integration. | See Validating the Access Manager and Oracle Identity Governance Integration |
2.2 Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Governance
The Oracle HTTP Server (OHS) profile must be edited so that the OHS server points to the OIG server that is being protected by Access Manager.
The oim_template.conf profile template file is located at $ORACLE_HOME/idm/server/ssointg/templates/oim_template.conf.
Note:
WebGate installation and configuration are required.
The Oracle HTTP Server with 12c WebGate must be installed.
Edit the oim_template.conf file to include the following lines:
<Location /provisioning-callback>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /CertificationCallbackService>
  SetHandler weblogic-handler
  WLCookieName JSESSIONID
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /FacadeWebApp>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /iam/governance/configmgmt>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /iam/governance/scim/v1>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /iam/governance/token/api/v1>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /OIGUI>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /iam/governance/applicationmanagement>
  SetHandler weblogic-handler
  WLCookieName oimjsessionid
  WebLogicHost %OIM_HOST%
  WebLogicPort %OIM_PORT%
  WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
See Also:
- Installing and Configuring Oracle HTTP Server 11g WebGate for OAM in Installing WebGates for Oracle Access Manager.
- Restarting Oracle HTTP Server Instances in Administering Oracle HTTP Server.
2.3 Configuring Oracle Identity Governance and Oracle Access Manager Integration
2.3.1 Prerequisites for the Connector-based Integration
Verifying the Environment
- Check that your operating system is up-to-date with all necessary patches applied.
- Mount the binaries you will be using. The applicable Oracle software includes:
  - Oracle Database 12c (12.2.x.x)
  - JRF 12.2.1.3.0
  - Oracle Fusion Middleware Identity and Access Management 12c (12.2.1.3.0)
  - Oracle Unified Directory (12.2.1.3.0) / Oracle Internet Directory (12.2.1.3.0)
  - Oracle WebLogic Server 12c (12.2.1.3.0)
  Note:
  - Use 12.2.1.3.0 binaries for OAM and OIG.
  - If you have OAM 11g or OIG 11g installed and not integrated, upgrade them to 12.2.1.3.0 before you begin the integration process.
  - Apply the OIG 12.2.1.3.1 patch before starting the integration process.
- Verify that the Oracle Database is connected and accessible.
- Verify that the directory of your choice (OUD/OID/AD) is up and running.
- Verify that Oracle Access Manager is up and running.
- Verify that Oracle Identity Governance is up and running.
- Verify that the environment variables are set. See Set Up Environment Variables for OIG-OAM Integration.
- Ensure that Oracle Access Manager and Oracle Identity Governance are installed on separate domains.
Note:
The automated integration script, OIGOAMIntegration.sh, works with OIG and OAM on separate hosts and domains. It is not required to have OIG and OAM on the same domain.
Updating Datasource Related to OIG Meta Data Store (MDS) Configuration
- From the WLS Console, navigate to Services, Data Sources, and then to mds-oim.
- Click the Connection Pool tab.
- Update the following property values in the MDS-OIM connection pool:
  - Initial Capacity to 50
  - Maximum Capacity to 150
  - Minimum Capacity to 50
- Click Save.
- Update the value for Inactive Connection Timeout as follows:
  - From the WLS Console, navigate to Services, Data Sources, and then to the Configuration tab.
  - Select the data source mds-oim.
  - Click Connection Pool under the Configuration tab.
  - Click the Advanced link at the bottom of the page and set the Inactive Connection Timeout value to 10.
  - Click Save.
- Restart the OIG server.
Downloading the Connector
- Download the Connector bundle from the artifactory: Download Connector Bundle
  - For OID or OUD, download the Connector bundle corresponding to Oracle Internet Directory.
  - For AD, download the Connector bundle corresponding to Microsoft Active Directory User Management.
  Note:
  For all directory types, the required Connector version for OIG-OAM integration is 12.2.1.3.0.
- Unzip the Connector bundle to the desired connector path under $ORACLE_HOME/idm/server/ConnectorDefaultDirectory. For example: $ORACLE_HOME/idm/server/ConnectorDefaultDirectory
- For AD, install the Active Directory User Management Connector on both OIG and the Connector server.
- In case of integration with OID or OUD, update the connector version and bundle version in the template XML files.
  - Remove the existing auth-template, pre-config and target-template xml files available out-of-box in LDAP Connector version 12.2.1.3.0. For example, if the LDAP connector bundle is extracted to /u01/oracle/products/identity/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0, move the following files located at /u01/oracle/products/identity/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0/xml/:
    - Move ODSEE-OUD-LDAPV3-pre-config.xml to ODSEE-OUD-LDAPV3-pre-config.xml_bak
    - Move ODSEE-OUD-LDAPV3-target-template.xml to ODSEE-OUD-LDAPV3-target-template.xml_bak
    - Move ODSEE-OUD-LDAPV3-auth-template.xml to ODSEE-OUD-LDAPV3-auth-template.xml_bak
    - Move OID-pre-config.xml to OID-pre-config.xml_bak
    - Move OID-target-template.xml to OID-target-template.xml_bak
    - Move OID-auth-template.xml to OID-auth-template.xml_bak
  - Update the Connector and bundle versions in the target template as follows:
    <connectorVersion>12.2.1.3.0</connectorVersion>
    <advanceConfig name="Bundle Version" value="12.3.0" required="false"/>
    Note:
    - If the directory type is OUD, update ${ORACLE_HOME}/idm/server/ssointg/connector/oud/oud-oam-target-template.xml
    - If the directory type is OID, update ${ORACLE_HOME}/idm/server/ssointg/connector/oid/OID-OAM-Target-Template.xml
  - Update the Connector and bundle versions in the authoritative template as follows:
    <connectorVersion>12.2.1.3.0</connectorVersion>
    <advanceConfig name="Bundle Version" value="12.3.0" required="false"/>
    Note:
    - If the directory type is OUD, update ${ORACLE_HOME}/idm/server/ssointg/connector/oud/OUD-OAM-auth-template.xml
    - If the directory type is OID, update ${ORACLE_HOME}/idm/server/ssointg/connector/oid/OID-OAM-auth-template.xml
  - Update the bundle version in the pre-config template as follows:
    <LookupValue id="LKV2341" repo-type="RDBMS">
      <LKV_COUNTRY>US</LKV_COUNTRY>
      <LKV_DECODED>12.3.0</LKV_DECODED>
      <LKV_DISABLED>0</LKV_DISABLED>
      <LKV_ENCODED>Bundle Version</LKV_ENCODED>
      <LKV_LANGUAGE>en</LKV_LANGUAGE>
      <LKV_UPDATE>1334606670000</LKV_UPDATE>
    </LookupValue>
    Note:
    - If the directory type is OUD, update ${ORACLE_HOME}/idm/server/ssointg/connector/oud/OUD-OAM-pre-config.xml
    - If the directory type is OID, update ${ORACLE_HOME}/idm/server/ssointg/connector/oid/OID-OAM-pre-config.xml
    In case of OID, update the maxSize to 100 for the OrclGuid attribute definition in OID-OAM-pre-config.xml:
    <AttributeDefinition repo-type="API" name="OrclGuid" subtype="User Metadata">
      ...
      <maxSize>100</maxSize>
      ...
    </AttributeDefinition>
    In case of OUD, update the maxSize to 100 for the NsuniqueID attribute definition in OUD-OAM-pre-config.xml:
    <AttributeDefinition repo-type="API" name="NsuniqueID" subtype="User Metadata">
      ...
      <maxSize>100</maxSize>
      ...
    </AttributeDefinition>
Important:
Post OIG-OAM integration, if the LDAP Connector bundle or the Active Directory Connector bundle is used for creating target application instances for other IT resources, then the pre-config.xml corresponding to the directory type must be manually imported from the Sysadmin UI before proceeding to create the application instance.
- For OID:
  XML name: OID-pre-config.xml
  Location (example): $ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0/xml/OID-pre-config.xml
- For OUD/ODSEE/LDAPV3:
  XML name: ODSEE-OUD-LDAPV3-pre-config.xml
  Location (example): $ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0/xml/ODSEE-OUD-LDAPV3-pre-config.xml
- For AD:
  XML name: ad-pre-config.xml
  Location (example): $ORACLE_HOME/idm/server/ConnectorDefaultDirectory/activedirectory-12.2.1.3.0/xml//ad-pre-config.xml
For importing pre-config.xml, see Importing Connector XML File.
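The three template edits above (connectorVersion, the Bundle Version in the target, authoritative and pre-config templates, and the GUID attribute's maxSize) can be applied and verified from a script rather than by hand. This is an added example, not part of Oracle's documentation or the connector: the <template> root and the old values in the embedded sample XML are constructed, and only the element names the procedure itself shows are used.

```python
"""Apply the OIG-OAM connector template edits and report every change made.
Added example, not Oracle's code. The sample XML is constructed and keeps only
the elements the procedure names, not the full structure of Oracle's templates."""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

CONNECTOR_VERSION = "12.2.1.3.0"
BUNDLE_VERSION = "12.3.0"
GUID_MAX_SIZE = "100"
# Directory type -> attribute definition whose maxSize the pre-config must widen
GUID_ATTRIBUTE = {"OID": "OrclGuid", "OUD": "NsuniqueID"}

Change = Tuple[str, str]  # (old value, new value)


def update_template(xml_text: str, directory_type: str) -> Tuple[str, Dict[str, Change]]:
    """Return the rewritten XML and a map of element path -> (old, new) per edit.
    Works for target, authoritative and pre-config templates alike: elements a
    given file does not contain are skipped, so the map shows what was touched."""
    root = ET.fromstring(xml_text)
    changes: Dict[str, Change] = {}

    for node in root.iter("connectorVersion"):
        changes["connectorVersion"] = (node.text or "", CONNECTOR_VERSION)
        node.text = CONNECTOR_VERSION

    # target/auth templates carry the bundle version as an advanceConfig attribute
    for node in root.iter("advanceConfig"):
        if node.get("name") == "Bundle Version":
            changes["advanceConfig[Bundle Version]"] = (node.get("value", ""), BUNDLE_VERSION)
            node.set("value", BUNDLE_VERSION)

    # pre-config carries it as a LookupValue whose LKV_ENCODED is "Bundle Version"
    for lkv in root.iter("LookupValue"):
        encoded, decoded = lkv.find("LKV_ENCODED"), lkv.find("LKV_DECODED")
        if encoded is not None and encoded.text == "Bundle Version" and decoded is not None:
            changes["LookupValue[Bundle Version]/LKV_DECODED"] = (decoded.text or "", BUNDLE_VERSION)
            decoded.text = BUNDLE_VERSION

    # pre-config: the directory GUID attribute must accept 100 characters
    attr = GUID_ATTRIBUTE[directory_type.upper()]
    for definition in root.iter("AttributeDefinition"):
        if definition.get("name") == attr:
            max_size = definition.find("maxSize")
            if max_size is not None:
                changes[f"AttributeDefinition[{attr}]/maxSize"] = (max_size.text or "", GUID_MAX_SIZE)
                max_size.text = GUID_MAX_SIZE

    return ET.tostring(root, encoding="unicode"), changes


# Constructed samples: an older target template and an older OUD pre-config excerpt
TARGET_TEMPLATE_SAMPLE = """<template>
  <connectorVersion>11.1.1.5.0</connectorVersion>
  <advanceConfig name="Bundle Version" value="11.1.1.5.0" required="false"/>
</template>"""

PRECONFIG_SAMPLE = """<template>
  <LookupValue id="LKV2341" repo-type="RDBMS">
    <LKV_COUNTRY>US</LKV_COUNTRY>
    <LKV_DECODED>11.1.1.5.0</LKV_DECODED>
    <LKV_DISABLED>0</LKV_DISABLED>
    <LKV_ENCODED>Bundle Version</LKV_ENCODED>
    <LKV_LANGUAGE>en</LKV_LANGUAGE>
  </LookupValue>
  <AttributeDefinition repo-type="API" name="NsuniqueID" subtype="User Metadata">
    <maxSize>30</maxSize>
  </AttributeDefinition>
</template>"""

if __name__ == "__main__":
    # usage: python update_template.py <template.xml> OUD|OID   (rewrites the file in place)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            new_xml, made = update_template(fh.read(), sys.argv[2])
        with open(sys.argv[1], "w") as fh:
            fh.write(new_xml)
    else:
        new_xml, made = update_template(PRECONFIG_SAMPLE, "OUD")
    for path, (old, new) in made.items():
        print(f"{path}: {old} -> {new}")
```

ElementTree drops XML comments and the XML declaration when it re-serialises, so diff the rewritten file against the .xml_bak copy before importing it.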
Assigning Lockout Threshold in Directory and Oracle Access Manager
The value for the maximum number of authentication failures that a user is allowed to attempt before the user's account gets locked should be the same in the LDAP directory and Oracle Access Manager.
See Also:
- OAM: Accessing Password Policy Configuration Page in Oracle® Fusion Middleware Administering Oracle Access Management.
- OID: Managing Password Policies in Oracle® Fusion Middleware Administering Oracle Internet Directory.
- OUD: Managing Password Policies in Oracle® Fusion Middleware Administering Oracle Unified Directory.
2.3.2 One-step Procedure for OIG-OAM Integration Using Automated Script
A single driver script, OIGOAMIntegration.sh, simplifies the process of a connector-based integration and helps configure the OIG-OAM integrated environment.
Run OIGOAMIntegration.sh, located at $ORACLE_HOME/idm/server/ssointg/bin/, to perform the following configuration operations sequentially in a single execution and configure the OIG-OAM integrated environment:
- Preparing IDStore
- Configuring OAM
- Adding required object classes for existing users in the LDAP directory
- Populating OHS Rules
- Configuring WLS Authentication Providers
- Configuring LDAP Connector
- Updating LDAP Container Rules
- Configuring OIG SSO Integration
- Enabling OAM Notifications
Tip:
You can run these configuration operations individually in a sequence where any particular step, in the event of failure, can be rerun.
Note:
Executing the script for configuring the connector seeds only the default LDAP container rules into MDS. You can use custom container rules and manually upload them to MDS.
Note:
The automated script, OIGOAMIntegration.sh, works with OIG and OAM on separate hosts and domains. It is not required to have OIG and OAM on the same domain.
Updating Properties File before Executing Automated Integration Script
The properties file, ssointg-config.properties, located at $ORACLE_HOME/idm/server/ssointg/config/, contains the properties required to perform each of the configuration operations required to accomplish OIG and OAM integration. The automated script for integration, OIGOAMIntegration.sh, refers to property fields in the ssointg-config.properties file and executes integration operations.
For a single-step execution of the automated integration script, OIGOAMIntegration.sh, ensure that the following properties are set to the default value, true:
generateIndividualConfigFiles=true
prepareIDStore=true
configOAM=true
addMissingObjectClasses=true
populateOHSRules=true
configureWLSAuthnProviders=true
configureLDAPConnector=true
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=true
configureSSOIntegration=true
enableOAMSessionDeletion=true
Important:
- Set addMissingObjectClasses=false if you have existing users in the LDAP directory. See Adding Missing Object Classes.
- Ensure all the properties in the ssointg-config.properties file are updated before executing the OIGOAMIntegration.sh script.
- When prompted, the passwords entered for the xelsysadm user and the weblogic user must match the respective passwords existing for these users.
- If the IDStore is not prepared already, set prepareIDStore=true in the ssointg-config.properties file.
- If OAM is not configured already, set configOAM=true in the ssointg-config.properties file.
Following is a sample ssointg-config.properties file:
## The following section controls the various operations that OIGOAMIntegration performs
## You can set the flag to false to disable/enable operations for incremental installation
## Each operation uses it's own properties file, with values synchronized from ssointg-config.properties
## If generateIndividualConfigFiles is true, then values from ssointg-config.properties will be
## used to generate each operation's config file.
## If generateIndividualConfigFiles is false, then each config file will not be re-generated
## and can be edited for incremental operations
generateIndividualConfigFiles=true
prepareIDStore=true
configOAM=true
addMissingObjectClasses=true
populateOHSRules=true
configureWLSAuthnProviders=true
configureLDAPConnector=true
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=true
configureSSOIntegration=true
enableOAMSessionDeletion=true
##-----------------------------------------------------------##
## DIRTYPE values can be [OID | OUD | AD]
IDSTORE_DIRECTORYTYPE
IDSTORE_HOST
IDSTORE_PORT
## Specify the IDStore admin credentials below.
IDSTORE_BINDDN
IDSTORE_BINDDN_PWD
IDSTORE_USERNAMEATTRIBUTE
IDSTORE_LOGINATTRIBUTE
IDSTORE_SEARCHBASE
IDSTORE_USERSEARCHBASE
IDSTORE_USERSEARCHBASE_DESCRIPTION
IDSTORE_GROUPSEARCHBASE
IDSTORE_GROUPSEARCHBASE_DESCRIPTION
IDSTORE_SYSTEMIDBASE
IDSTORE_READONLYUSER
IDSTORE_READWRITEUSER
IDSTORE_SUPERUSER
IDSTORE_OAMSOFTWAREUSER
IDSTORE_OAMADMINUSER
IDSTORE_OAMADMINUSER_PWD
IDSTORE_OIMADMINUSER
IDSTORE_OIMADMINUSER_PWD
IDSTORE_OIMADMINGROUP
IDSTORE_WLSADMINUSER
IDSTORE_WLSADMINUSER_PWD
IDSTORE_WLSADMINGROUP
IDSTORE_OAAMADMINUSER
IDSTORE_XELSYSADMINUSER_PWD
## The domain for the email - e.g. user@company.com
IDSTORE_EMAIL_DOMAIN
POLICYSTORE_SHARES_IDSTORE
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN
## If you are using OUD as the identity store
#IDSTORE_ADMIN_PORT
#IDSTORE_KEYSTORE_FILE
## The value of the IDSTORE_KEYSTORE_PASSWORD parameter is the content of the /u01/config/instances/oud1/OUD/config/admin-keystore.pin
#IDSTORE_KEYSTORE_PASSWORD
PRIMARY_OAM_SERVERS
WEBGATE_TYPE
ACCESS_GATE_ID
ACCESS_GATE_PWD
OAM11G_IDM_DOMAIN_OHS_HOST
OAM11G_IDM_DOMAIN_OHS_PORT
OAM11G_OIM_OHS_URL
OAM11G_IDM_DOMAIN_LOGOUT_URLS
OAM11G_OAM_SERVER_TRANSFER_MODE
OAM11G_WG_DENY_ON_NOT_PROTECTED
OAM11G_SERVER_LOGIN_ATTRIBUTE
OAM11G_SSO_ONLY_FLAG
OAM11G_OIM_INTEGRATION_REQ
OAM11G_IMPERSONATION_FLAG
OAM11G_SERVER_LBR_HOST
OAM11G_SERVER_LBR_PORT
OAM11G_SERVER_LBR_PROTOCOL
OAM11G_IDSTORE_NAME
OAM_TRANSFER_MODE
## Required if OAM_TRANSFER_MODE is not OPEN
#SSO_KEYSTORE_JKS_PASSWORD
#SSO_GLOBAL_PASSPHRASE
COOKIE_DOMAIN
COOKIE_EXPIRY_INTERVAL
SPLIT_DOMAIN
OIM_HOST
OIM_PORT
OAM_HOST
OAM_PORT
OIM_WLSHOST
OIM_WLSPORT
OIM_WLSADMIN
OIM_WLSADMIN_PWD
WLS_OIM_SYSADMIN_USER
WLS_OIM_SYSADMIN_USER_PWD
## Specify the IDStore admin credentials below.
IDSTORE_OIMADMINUSERDN
## For ActiveDirectory use the values of "yes" or "no". i.e. IS_LDAP_SECURE
IS_LDAP_SECURE
SSO_TARGET_APPINSTANCE_NAME
## Path to expanded connector bundle: e.g. for OID and OUD
CONNECTOR_MEDIA_PATH
## Path for AD bundle
## [ActiveDirectory]
# The following attributes need to be initialized only if Active Directory is the target server
# CONNECTOR_MEDIA_PATH
# AD_DIRECTORY_ADMIN_NAME
# AD_DIRECTORY_ADMIN_PWD
# AD_DOMAIN_NAME
## Active Directory Connector Server details
# AD_CONNECTORSERVER_HOST
# AD_CONNECTORSERVER_KEY
# AD_CONNECTORSERVER_PORT
# AD_CONNECTORSERVER_TIMEOUT
## Set to yes if SSL is enabled
# AD_CONNECTORSERVER_USESSL
NAP_VERSION
ACCESS_SERVER_HOST
ACCESS_SERVER_PORT
OAM_SERVER_VERSION
SSO_ENABLED_FLAG
SSO_INTEGRATION_MODE
OIM_LOGINATTRIBUTE
OAM11G_WLS_ADMIN_HOST
OAM11G_WLS_ADMIN_PORT
OAM11G_WLS_ADMIN_USER
OAM11G_WLS_ADMIN_PASSWD
## Required in SSL mode
#OIM_TRUST_LOC
#OIM_TRUST_PWD
#OIM_TRUST_TYPE
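Because the script takes every operation's inputs from ssointg-config.properties, a pre-flight check of that file catches unset or inconsistent values before OIGOAMIntegration.sh touches OAM or the directory. The following checker is an added example, not Oracle's code: the required-property sets are an assumption derived from the uncommented entries and the "## Required ..." comments in the sample file above, and the embedded sample properties are constructed.

```python
"""Pre-flight check of ssointg-config.properties before running OIGOAMIntegration.sh.
Added example, not Oracle's code: the required-property sets are an assumption
taken from the uncommented entries and '## Required ...' comments in the sample file."""
import sys
from typing import Dict, List

# Operation flags that a single-step run expects to be true
OPERATION_FLAGS = [
    "generateIndividualConfigFiles", "prepareIDStore", "configOAM",
    "addMissingObjectClasses", "populateOHSRules", "configureWLSAuthnProviders",
    "configureLDAPConnector", "updateContainerRules", "configureSSOIntegration",
    "enableOAMSessionDeletion",
]
# Assumed minimum set that must carry a value for every directory type
ALWAYS_REQUIRED = [
    "IDSTORE_DIRECTORYTYPE", "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_BINDDN_PWD", "IDSTORE_SEARCHBASE", "OIM_HOST", "OIM_PORT",
    "OAM_HOST", "OAM_PORT", "OAM_TRANSFER_MODE", "CONNECTOR_MEDIA_PATH",
]
# Conditional groups, following the comments in the sample properties file
OUD_ONLY = ["IDSTORE_ADMIN_PORT", "IDSTORE_KEYSTORE_FILE", "IDSTORE_KEYSTORE_PASSWORD"]
AD_ONLY = ["AD_DIRECTORY_ADMIN_NAME", "AD_DIRECTORY_ADMIN_PWD", "AD_DOMAIN_NAME",
           "AD_CONNECTORSERVER_HOST", "AD_CONNECTORSERVER_KEY", "AD_CONNECTORSERVER_PORT"]
NON_OPEN_TRANSFER = ["SSO_KEYSTORE_JKS_PASSWORD", "SSO_GLOBAL_PASSPHRASE"]
LDAP_SSL = ["OIM_TRUST_LOC", "OIM_TRUST_PWD", "OIM_TRUST_TYPE"]


def parse_properties(text: str) -> Dict[str, str]:
    """Java-style key=value lines; '#' and '!' lines are comments. A bare key
    with no '=' (as in Oracle's sample file) maps to '' so it reads as unset."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # first '=' only: DN values contain '='
        props[key.strip()] = value.strip() if sep else ""
    return props


def check_properties(props: Dict[str, str], existing_ldap_users: bool = False) -> List[str]:
    """Return the list of findings; an empty list means the file passes these checks."""
    findings: List[str] = []

    def require(keys: List[str], reason: str) -> None:
        for key in keys:
            if not props.get(key):
                findings.append(f"{key} must be set ({reason})")

    for flag in OPERATION_FLAGS:
        if props.get(flag, "").lower() != "true":
            findings.append(f"{flag} is not true; a single-step run expects every operation flag true")
    require(ALWAYS_REQUIRED, "required for every directory type")
    dirtype = props.get("IDSTORE_DIRECTORYTYPE", "").upper()
    if dirtype not in ("OID", "OUD", "AD"):
        findings.append("IDSTORE_DIRECTORYTYPE must be one of OID, OUD, AD")
    if dirtype == "OUD":
        require(OUD_ONLY, "OUD identity store")
    if dirtype == "AD":
        require(AD_ONLY, "Active Directory target")
    if props.get("OAM_TRANSFER_MODE", "").upper() != "OPEN":
        require(NON_OPEN_TRANSFER, "OAM_TRANSFER_MODE is not OPEN")
    if props.get("IS_LDAP_SECURE", "").lower() in ("yes", "true"):
        require(LDAP_SSL, "IS_LDAP_SECURE is enabled")
    if existing_ldap_users and props.get("addMissingObjectClasses", "").lower() == "true":
        findings.append("addMissingObjectClasses should be false when the LDAP directory already holds users")
    return findings


# Constructed sample (not a real deployment): OUD store, non-OPEN transfer mode,
# with the keystore password and SSO secrets deliberately left commented out.
SAMPLE_PROPERTIES = "\n".join(f"{flag}=true" for flag in OPERATION_FLAGS) + """
IDSTORE_DIRECTORYTYPE=OUD
IDSTORE_HOST=idstore.example.com
IDSTORE_PORT=1389
IDSTORE_BINDDN=cn=oudadmin
IDSTORE_BINDDN_PWD=constructed-sample-password
IDSTORE_SEARCHBASE=dc=example,dc=com
IDSTORE_ADMIN_PORT=4444
IDSTORE_KEYSTORE_FILE=/u01/config/instances/oud1/OUD/config/admin-keystore
#IDSTORE_KEYSTORE_PASSWORD
OIM_HOST=oimhost.example.com
OIM_PORT=14000
OAM_HOST=oamhost.example.com
OAM_PORT=14100
OAM_TRANSFER_MODE=SIMPLE
#SSO_KEYSTORE_JKS_PASSWORD
#SSO_GLOBAL_PASSPHRASE
CONNECTOR_MEDIA_PATH=/u01/oracle/products/identity/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0
IS_LDAP_SECURE=no
"""

if __name__ == "__main__":
    # usage: python check_ssointg.py [path/to/ssointg-config.properties]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for finding in check_properties(parse_properties(text)):
        print("FINDING:", finding)
```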
The following table provides descriptions of the parameters in the ssointg-config.properties properties file example. This file is used to integrate Oracle Identity Governance and Oracle Access Manager.
Table 2-3 Parameters in ssointg-config.properties file
Property | Description | Sample Value |
---|---|---|
ACCESS_GATE_ID |
Name to be assigned to the WebGate. This is the value specified during OAM configuration. |
Webgate_IDM |
ACCESS_GATE_PWD |
Enter the Password for Access Gate ID. |
<password> |
ACCESS_SERVER_HOST |
Enter the Access Manager OAP host. |
oamaccesshost.example.com |
ACCESS_SERVER_PORT |
Enter the Access Manager OAP port. |
5557 |
AD_CONNECTORSERVER_HOST |
Enter the host name or IP address of the computer hosting the connector server. |
192.168.99.100 |
AD_CONNECTORSERVER_KEY |
Enter the key for the connector server. |
<connectorserverkey> |
AD_CONNECTORSERVER_PORT |
Enter the number of the port at which the connector server is listening. |
8759 |
AD_CONNECTORSERVER_TIMEOUT |
Enter an integer value that specifies the number of milliseconds after which the connection between the connector server and the Oracle Identity Governance times out. A value of 0 means that the connection never times out. |
0 |
AD_CONNECTORSERVER_USESSL |
Enter For Active Directory, the value should be yes or no. The default value is Note: It is recommended that you configure SSL to secure communication with the connector server. |
true (or false) |
AD_DIRECTORY_ADMIN_NAME |
The Admin user who can perform read and write operations on ActiveDirectory. |
oimLDAP@example.com |
AD_DIRECTORY_ADMIN_NAME_PWD |
Enter the password for Active Directory Admin. |
<password> |
AD_DOMAIN_NAME |
Enter the domain name configured in Microsoft Active Directory. |
example.com |
CONNECTOR_MEDIA_PATH |
Enter the location of the Connector bundle downloaded and unzipped. Oracle Identity Governance would use this location to pick the Connector bundle to be installed. |
OID/OUD = /u01/oracle/products/identity/idm/server/ConnectorDefaultDirectory/OID-11.1.1.7.0 AD = /u01/oracle/products/identity/idm/server/ConnectorDefaultDirectory/activedirectory-12.2.1.3.0 |
COOKIE_DOMAIN |
Enter the domain in which the WebGate functions. |
.example.com |
COOKIE_EXPIRY_INTERVAL |
Enter the Cookie expiration period. |
120 |
IDSTORE_ADMIN_PORT |
Enter the Administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, you ignore this parameter. |
4444 |
IDSTORE_BINDDN |
An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory. |
OID = cn=orcladmin OUD = cn=oudadmin AD = CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com |
IDSTORE_BINDDN_PWD |
Enter the Password for administrative user in Oracle Internet Directory or Oracle Unified Directory. |
<password> |
IDSTORE_DIRECTORYTYPE |
Enter the identity store directory type. Valid options are OID, OUD, and AD. |
OID |
IDSTORE_EMAIL_DOMAIN |
Enter the domain used for e-mail For example, |
company.com |
IDSTORE_GROUPSEARCHBASE |
Enter the location in the directory where groups are stored. |
cn=groups,dc=example,dc=com |
IDSTORE_GROUPSEARCHBASE_DESCRIPTION |
Enter the description for the directory group search base. |
Default group container |
IDSTORE_HOST |
Enter the identity store host name. |
idstore.example.com |
IDSTORE_KEYSTORE_FILE |
Enter the location of the Oracle Unified Directory If you are not using Oracle Unified Directory, you can ignore this parameter. This file must be located on the same host that the |
/u01/config/instances/oud1/OUD/config/admin-keystore |
IDSTORE_KEYSTORE_PASSWORD |
Enter the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file |
<password> |
IDSTORE_LOGINATTRIBUTE |
Enter the login attribute of the identity store that contains the user's login name. |
uid |
IDSTORE_OAAMADMINUSER |
Enter the user you want to create as your Oracle Access Management Administrator. This user is created by the tool. |
oaamAdminUser |
IDSTORE_OAMADMINUSER |
Enter the user you use to access your Oracle Access Management Console. |
oamAdmin |
IDSTORE_OAMADMINUSER_PWD |
Enter the password for the user you use to access your Oracle Access Management Console. |
<password> |
IDSTORE_OAMSOFTWAREUSER |
Enter the user you use to interact with the LDAP server. |
oamLDAP |
IDSTORE_OIMADMINGROUP |
Enter the group you want to create to hold your Oracle Identity Governance administrative users. |
OIMAdministrators |
IDSTORE_OIMADMINUSER |
Enter the user that Oracle Identity Governance uses to connect to the identity store. |
oimLDAP |
IDSTORE_OIMADMINUSER_PWD |
Enter the Password for the user that Oracle Identity Governance uses to connect to the identity store. |
<password> |
IDSTORE_OIMADMINUSERDN |
Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users and are kept separate from enterprise users stored in the main user container. For example, the Oracle Identity Governance reconciliation user which is also used for the bind DN user in Oracle Virtual Directory adapters. |
cn=oimLDAP,systemids,dc=example,dc=com |
IDSTORE_PORT |
Enter the identity store port. |
3060 |
IDSTORE_READONLYUSER |
Enter the user with read-only permissions to the identity store. |
IDROUser |
IDSTORE_READWRITEUSER |
Enter the user with read-write permissions to the identity store. |
IDRWUser |
IDSTORE_SEARCHBASE |
Enter the location in the directory where users and groups are stored. |
dc=example,dc=com |
IDSTORE_SUPERUSER |
Enter the Oracle Fusion Applications superuser in the identity store. |
weblogic_fa |
IDSTORE_SYSTEMIDBASE | Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters. | cn=systemids,dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE | Enter the username attribute used to set and search for users in the identity store. | cn
IDSTORE_USERSEARCHBASE | Enter the container under which Access Manager searches for users. | cn=users,dc=example,dc=com
IDSTORE_USERSEARCHBASE_DESCRIPTION | Enter the description for the directory user search base. | Default user container
IDSTORE_WLSADMINGROUP | Enter the identity store administrator group for Oracle WebLogic Server. | wlsadmingroup
IDSTORE_WLSADMINUSER | Enter the identity store administrator for Oracle WebLogic Server. | weblogic
IDSTORE_WLSADMINUSER_PWD | Enter the password for the identity store administrator for Oracle WebLogic Server. | <password>
IDSTORE_XELSYSADMINUSER_PWD | Enter the password of the system administrator for Oracle Identity Governance. It must match the value set in Oracle Identity Governance. | <password>
IS_LDAP_SECURE | Indicates whether SSL is used for LDAP communication. Use yes or no for Active Directory. | FALSE
NAP_VERSION | Enter the NAP protocol version (4 indicates 11g and later). | 4
OAM_HOST | Enter the URL for the OAM server. | oamhost.example.com
OAM_PORT | Enter the port for the OAM server. | 14100
OAM_SERVER_VERSION | Only OAM 11g is supported. OAM 10g is not supported in 12c integration. | 11g
OAM_TRANSFER_MODE | Enter the security mode in which the access servers function. Supported values are OPEN and SIMPLE. | Open
OAM11G_IDM_DOMAIN_LOGOUT_URLS | Set to the various logout URLs. | /console/jsp/common/logout.jsp, /em/targetauth/emaslogout.jsp
OAM11G_IDM_DOMAIN_OHS_HOST | Enter the load balancer that is in front of Oracle HTTP Server (OHS) in a high-availability configuration. | sso.example.com
OAM11G_IDM_DOMAIN_OHS_PORT | Enter the load balancer port. | 443
OAM11G_IDSTORE_NAME | Enter the name of the IDStore configured in OAM. This is set as the default/System ID Store in OAM. | OAMIDStore
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN | Account to administer role security in the identity store. | OAMAdministrators
OAM11G_IMPERSONATION_FLAG | Enables or disables the impersonation feature in the OAM server. | TRUE
OAM11G_OAM_SERVER_TRANSFER_MODE | Enter the security mode in which the access servers function. Supported values are OPEN and SIMPLE. | Open
OAM11G_OIM_INTEGRATION_REQ | Specifies whether to integrate with Oracle Identity Governance or to configure Access Manager in stand-alone mode. Set to true for integration. | TRUE
OAM11G_OIM_OHS_URL | Enter the URL of the load balancer or Oracle HTTP Server (OHS) fronting the OIM server. | https://sso.example.com:443/
OAM11G_SERVER_LBR_HOST | Enter the OAM server fronting your site. This parameter, together with OAM11G_SERVER_LBR_PORT and OAM11G_SERVER_LBR_PROTOCOL, is used to construct your login URL. | sso.example.com
OAM11G_SERVER_LBR_PORT | Enter the load balancer port. | 443
OAM11G_SERVER_LBR_PROTOCOL | Enter the protocol to use when directing requests to the load balancer. | https
OAM11G_SERVER_LOGIN_ATTRIBUTE | Setting this to uid ensures that the username is validated against the uid attribute in LDAP when the user logs in. | uid
OAM11G_SSO_ONLY_FLAG | Set this to configure Access Manager 11g in authentication-only mode or in normal mode, which supports both authentication and authorization. The default value is true. | TRUE
OAM11G_WG_DENY_ON_NOT_PROTECTED | Set the deny-on-not-protected flag for a 10g WebGate. Valid values are true and false. | FALSE
OAM11G_WLS_ADMIN_HOST | Enter the host of the Administration Server in the OAM domain. | oamadminhost.example.com
OAM11G_WLS_ADMIN_PASSWD | Enter the password for the WebLogic admin user in the OAM domain. | <password>
OAM11G_WLS_ADMIN_PORT | Enter the port of the Administration Server in the OAM domain. | 7001
OAM11G_WLS_ADMIN_USER | Enter the WebLogic administrator user in the OAM domain. | weblogic
OIM_HOST | Enter the host name of the OIG managed server. | oimhost.example.com
OIM_LOGINATTRIBUTE | Enter the login attribute of the identity store that contains the user's login name. The user uses this attribute to log in. For example, User Login. | User Login
OIM_PORT | Enter the port of the OIG server. | 14000
OIM_SERVER_NAME | Enter the OIG server name. | oim_server1
OIM_TRUST_LOC | Enter the location of the OIG trust store. | ORACLE_HOME/wlserver/server/lib/DemoTrust.jks
OIM_TRUST_PWD | Enter the password to access the trust store. | <password>
OIM_TRUST_TYPE | Enter the type of the trust store. | JKS
OIM_WLSADMIN | Enter the WebLogic administrator user in the OIM domain. | weblogic
OIM_WLSADMIN_PWD | Enter the password for the WebLogic admin user in the OIM domain. | <password>
OIM_WLSHOST | Enter the OIG Administration Server host name. | oimadminhost.example.com
OIM_WLSPORT | Enter the OIG Administration Server port. | 7001
POLICYSTORE_SHARES_IDSTORE | Set this to true if your policy and identity stores are in the same directory; otherwise, set it to false. | TRUE
PRIMARY_OAM_SERVERS | Enter a comma-separated list of your Access Manager servers and the proxy ports they use. | oamhost1.example.com:5575, oamhost2.example.com:5575
SPLIT_DOMAIN | Set to true; this is required to suppress the double authentication of the Oracle Access Management Console. | TRUE
SSO_ENABLED_FLAG | Set it to | TRUE
SSO_GLOBAL_PASSPHRASE | The random global passphrase for | <password>
SSO_INTEGRATION_MODE | Enter the integration mode with OAM. In Challenge Question Response (CQR) mode, OIG handles the password policy and password operations. In One Time Password (OTP) mode, all password operations are handled by OAM itself, and there is no password change or reset in OIG. | CQR
SSO_KEYSTORE_JKS_PASSWORD | Enter the password for the keystore; it is required for SIMPLE mode communication with OAM. | <password>
SSO_TARGET_APPINSTANCE_NAME | Enter the target application instance name used for provisioning accounts to the target LDAP. | SSOTarget
WEBGATE_TYPE | Enter the WebGate agent type you want to create. 10g is no longer supported in 12c. | ohsWebgate11g
WLS_OIM_SYSADMIN_USER | Enter the system administrator user used to connect to OIG while configuring SSO. This user must have the system administrator role. | xelsysadm
WLS_OIM_SYSADMIN_USER_PWD | Enter the password for the OIG system administrator user. | <password>
WLSADMIN | Enter the WebLogic Server administrative user account you use to log in to the WebLogic Server Administration Console in the OIG domain. | weblogic
WLSHOST | Enter the Administration Server host name in the OAM domain. | oamadminhost.example.com
WLSPORT | Enter the Administration Server port in the OAM domain. | 7001
Executing the Automated Script for Integration
After verifying all the values in the ssointg-config.properties properties file, execute the automated script for integration, OIGOAMIntegration.sh, to complete the OIG-OAM integration process.
-
Run the automated script for OIG-OAM integration as follows:
cd $ORACLE_HOME/idm/server/ssointg/bin/
./OIGOAMIntegration.sh -all
Note:
In the case of Active Directory, grant ACLs manually after executing the OIGOAMIntegration.sh -prepareIDStore command. See Granting ACLs Manually for Active Directory.
You have successfully executed the automated script for integration.
Restarting Servers
After executing the automated script to complete the OIG-OAM integration process, restart all the servers.
-
Copy the oim.conf file from ORACLE_HOME/server/ssointg/templates/oim.conf to OHS_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf.
-
Restart the OHS server.
-
Restart the OIG and OAM domains.
You have successfully executed the automated script and completed the OIG-OAM integration process.
Proceed with validation of your integration setup. See Validating OIG-OAM Integration.
2.3.3 Step-by-step Procedure for OIG-OAM Integration Using Automated Script
OIGOAMIntegration.sh supports individual execution of the OIG-OAM configuration operations. The properties file, ssointg-config.properties, located at $ORACLE_HOME/idm/server/ssointg/config/, specifies which individual step is to be executed.
-
Ensure that you have installed all the components listed in Prerequisites.
OIGOAMIntegration.sh, the top-level automated integration script, performs the configuration operations required for OIG-OAM integration; the operations are the operation parameters listed in the properties file shown in this section.
ssointg-config.properties, located at $ORACLE_HOME/idm/server/ssointg/config/, provides the required configuration information for OIG and OAM integration. The configuration operations executed by the automated integration script are controlled by the ssointg-config.properties file.
Note:
The value for generateIndividualConfigFiles is set to false for all the configuration operations.
Before running the OIGOAMIntegration.sh script, ensure that the value of the parameter for the specific operation is set to true and the values for the other operations are set to false.
generateIndividualConfigFiles=false
prepareIDStore=true
configOAM=true
populateOHSRules=true
configureWLSAuthnProviders=true
configureLDAPConnector=true
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=true
configureSSOIntegration=true
enableOAMSessionDeletion=true
Note:
Alternatively, you can specify each option as a command line argument to OIGOAMIntegration.sh instead of setting the relevant parameters in the ssointg-config.properties file to true or false. You can set only one operation parameter to true at a time and then execute the automated integration script. For example: OIGOAMIntegration.sh -configureLDAPConnector
Important:
Specifying the option as a command line argument overrides the values set in the ssointg-config.properties file.
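The following pre-flight check is an added example, not part of the Oracle documentation or of OIGOAMIntegration.sh itself: it reads an ssointg-config.properties file and enforces the rule stated above that generateIndividualConfigFiles is false and exactly one operation parameter is true before a single-step run. The sample properties files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation or of OIGOAMIntegration.sh:
# a pre-flight check for ssointg-config.properties that enforces the rule above
# (generateIndividualConfigFiles=false and exactly one operation parameter true)
# before the script is run for a single step.

# Operation parameters named in the properties file on this page.
SSOINTG_OPERATIONS="prepareIDStore configOAM addMissingObjectClasses populateOHSRules \
configureWLSAuthnProviders configureLDAPConnector updateContainerRules \
configureSSOIntegration enableOAMSessionDeletion"

# prop_value FILE KEY: print the value of KEY (last assignment wins), skipping
# '#' comment lines and surrounding whitespace; prints nothing if KEY is absent.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# enabled_operations FILE: print, one per line, the operation parameters set to
# true (case-insensitive). Each name doubles as the -<operation> command line
# argument accepted by OIGOAMIntegration.sh.
enabled_operations() {
    for op in $SSOINTG_OPERATIONS; do
        v=$(prop_value "$1" "$op" | tr '[:upper:]' '[:lower:]')
        [ "$v" = "true" ] && echo "$op"
    done
    return 0
}

# count_enabled FILE: number of operation parameters set to true.
count_enabled() {
    enabled_operations "$1" | wc -l | tr -d '[:space:]'
}

# check_properties FILE: return 0 when FILE is valid for a single-step run,
# 1 otherwise, reporting each problem on stderr.
check_properties() {
    f=$1
    status=0
    gen=$(prop_value "$f" generateIndividualConfigFiles | tr '[:upper:]' '[:lower:]')
    if [ "$gen" != "false" ]; then
        echo "generateIndividualConfigFiles must be false (found '${gen:-unset}')" >&2
        status=1
    fi
    n=$(count_enabled "$f")
    if [ "$n" -ne 1 ]; then
        echo "exactly one operation parameter must be true, found $n" >&2
        status=1
    fi
    return $status
}

# Constructed sample files (not from a real deployment) in a scratch directory.
SSOINTG_TMP=$(mktemp -d)
cat > "$SSOINTG_TMP/single-step.properties" <<'EOF'
generateIndividualConfigFiles=false
prepareIDStore=false
configOAM=false
addMissingObjectClasses=false
populateOHSRules=false
configureWLSAuthnProviders=false
configureLDAPConnector=true
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=false
configureSSOIntegration=false
enableOAMSessionDeletion=false
EOF
cat > "$SSOINTG_TMP/two-steps.properties" <<'EOF'
generateIndividualConfigFiles=true
prepareIDStore=TRUE
configOAM=true
EOF

if check_properties "$SSOINTG_TMP/single-step.properties"; then
    echo "single-step.properties OK: equivalent to OIGOAMIntegration.sh -$(enabled_operations "$SSOINTG_TMP/single-step.properties")"
fi
check_properties "$SSOINTG_TMP/two-steps.properties" || echo "two-steps.properties rejected, as intended"
```

Because a command line option overrides the file, running the check only tells you what the file alone would do; pass no option when you rely on it.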
2.3.3.1 Preparing IDStore Using Automated Script
Prepare the IDStore using the automated script for OIG-OAM integration, OIGOAMIntegration.sh.
Configure the identity store and policy store by creating the groups and setting ACIs on the various containers. Add the necessary users and associate the users with groups in the identity store. This step is similar to running the IDMConfigTool command idmConfigTool.sh -prepareIDStore -mode=ALL. See prepareIDStore Command.
-
Locate the properties file, ssointg-config.properties, available at $ORACLE_HOME/idm/server/ssointg/config/, and set the prepareIDStore value to true.
generateIndividualConfigFiles=false
prepareIDStore=true
configOAM=false
addMissingObjectClasses=false
populateOHSRules=false
configureWLSAuthnProviders=false
configureLDAPConnector=false
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=false
configureSSOIntegration=false
enableOAMSessionDeletion=false
-
Update the prepareIDStore.all.config file and, when prompted, enter the passwords for the xelsysadm user and the weblogic user.
Note:
The passwords entered for the xelsysadm user and the weblogic user must match the respective existing passwords for these users.
## DIRTYPE values can be [OID | OUD | AD]
IDSTORE_DIRECTORYTYPE
IDSTORE_HOST
IDSTORE_PORT
IDSTORE_BINDDN
IDSTORE_BINDDN_PWD
IDSTORE_USERNAMEATTRIBUTE
IDSTORE_LOGINATTRIBUTE
IDSTORE_SEARCHBASE
IDSTORE_USERSEARCHBASE
IDSTORE_GROUPSEARCHBASE
IDSTORE_SYSTEMIDBASE
IDSTORE_READONLYUSER
IDSTORE_READWRITEUSER
IDSTORE_SUPERUSER
IDSTORE_OAMSOFTWAREUSER
IDSTORE_OAMADMINUSER
IDSTORE_OAMADMINUSER_PWD
IDSTORE_OIMADMINUSER
IDSTORE_OIMADMINUSER_PWD
IDSTORE_OIMADMINGROUP
IDSTORE_WLSADMINUSER
IDSTORE_WLSADMINUSER_PWD
IDSTORE_WLSADMINGROUP
IDSTORE_OAAMADMINUSER
IDSTORE_XELSYSADMINUSER_PWD
POLICYSTORE_SHARES_IDSTORE
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN
## If you are using OUD as the identity store, then the additional properties are:
#IDSTORE_ADMIN_PORT
#IDSTORE_KEYSTORE_FILE
## The value of the IDSTORE_KEYSTORE_PASSWORD parameter is the content of the /u01/config/instances/oud1/OUD/config/admin-keystore.pin
#IDSTORE_KEYSTORE_PASSWORD
The following table describes the parameters related to preparing the IDStore in the prepareIDStore.all.config file example.
Table 2-4 Parameters in prepareIDStore.all.config file
Property | Description | Sample Value
IDSTORE_ADMIN_PORT | Enter the administration port of your Oracle Unified Directory instance. If you are not using Oracle Unified Directory, ignore this parameter. | 4444
IDSTORE_BINDDN | An administrative user in Oracle Internet Directory, Oracle Unified Directory, or Active Directory. | OID = cn=orcladmin; OUD = cn=oudadmin; AD = CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com
IDSTORE_BINDDN_PWD | Enter the password for the administrative user in Oracle Internet Directory or Oracle Unified Directory. | <password>
IDSTORE_DIRECTORYTYPE | Enter the identity store directory type. Valid options are OID, OUD, and AD. | OID
IDSTORE_GROUPSEARCHBASE | Enter the location in the directory where groups are stored. | cn=groups,dc=example,dc=com
IDSTORE_HOST | Enter the identity store host name. | idstore.example.com
IDSTORE_KEYSTORE_FILE | Enter the location of the Oracle Unified Directory keystore file. It is used to enable communication with Oracle Unified Directory over the Oracle Unified Directory administration port. It is called admin-keystore and is located in OUD_ORACLE_INSTANCE/OUD/config. If you are not using Oracle Unified Directory, you can ignore this parameter. This file must be located on the same host that the idmConfigTool command is running on; the command uses this file to authenticate itself with OUD. | /u01/config/instances/oud1/OUD/config/admin-keystore
IDSTORE_KEYSTORE_PASSWORD | Enter the encrypted password of the Oracle Unified Directory keystore. This value can be found in the file OUD_ORACLE_INSTANCE/OUD/config/admin-keystore.pin. If you are not using Oracle Unified Directory, you can ignore this parameter. | <password>
IDSTORE_LOGINATTRIBUTE | Enter the login attribute of the identity store that contains the user's login name. | uid
IDSTORE_OAAMADMINUSER | Enter the user you want to create as your Oracle Access Management administrator. This user is created by the tool. | oaamAdminUser
IDSTORE_OAMADMINUSER | Enter the user you use to access your Oracle Access Management Console. | oamAdmin
IDSTORE_OAMADMINUSER_PWD | Enter the password for the user you use to access your Oracle Access Management Console. | <password>
IDSTORE_OAMSOFTWAREUSER | Enter the user you use to interact with the LDAP server. | oamLDAP
IDSTORE_OIMADMINGROUP | Enter the group you want to create to hold your Oracle Identity Governance administrative users. | OIMAdministrators
IDSTORE_OIMADMINUSER | Enter the user that Oracle Identity Governance uses to connect to the identity store. | oimLDAP
IDSTORE_OIMADMINUSER_PWD | Enter the password for the user that Oracle Identity Governance uses to connect to the identity store. | <password>
IDSTORE_PORT | Enter the identity store port. | 3060
IDSTORE_READONLYUSER | Enter the user with read-only permissions to the identity store. | IDROUser
IDSTORE_READWRITEUSER | Enter the user with read-write permissions to the identity store. | IDRWUser
IDSTORE_SEARCHBASE | Enter the location in the directory where users and groups are stored. | dc=example,dc=com
IDSTORE_SUPERUSER | Enter the Oracle Fusion Applications superuser in the identity store. | weblogic_fa
IDSTORE_SYSTEMIDBASE | Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters. | cn=systemids,dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE | Enter the username attribute used to set and search for users in the identity store. | cn
IDSTORE_USERSEARCHBASE | Enter the container under which Access Manager searches for users. | cn=users,dc=example,dc=com
IDSTORE_WLSADMINGROUP | Enter the identity store administrator group for Oracle WebLogic Server. | wlsadmingroup
IDSTORE_WLSADMINUSER | Enter the identity store administrator for Oracle WebLogic Server. | weblogic
IDSTORE_WLSADMINUSER_PWD | Enter the password for the identity store administrator for Oracle WebLogic Server. | <password>
IDSTORE_XELSYSADMINUSER_PWD | Enter the password of the system administrator for Oracle Identity Governance. It must match the value set in Oracle Identity Governance. | <password>
POLICYSTORE_SHARES_IDSTORE | Set this to true if your policy and identity stores are in the same directory; otherwise, set it to false. | TRUE
-
Run the automated script for OIG-OAM integration to seed the directory with users, roles, and ob schema extensions.
OIGOAMIntegration.sh -prepareIDStore
Note:
In the case of Active Directory, grant ACLs manually after executing the OIGOAMIntegration.sh -prepareIDStore command. See Granting ACLs Manually for Active Directory.
You have successfully executed the automated script for preparing the IDStore.
Granting ACLs Manually for Active Directory
For Active Directory, after running OIGOAMIntegration.sh -prepareIDStore, perform the following on the AD server machine:
-
Add ACLs.
dsacls /G cn=orclFAUserReadPrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GR
dsacls /G cn=orclFAUserWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
dsacls /G cn=orclFAGroupReadPrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GR
dsacls /G cn=orclFAGroupWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
dsacls /G cn=orclFAOAMUserWritePrivilegeGroup,<IDSTORE_GROUPSEARCHBASE>:GW
-
Reset the user passwords.
dsmod user "CN=weblogic_idm,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=xelsysadm,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=oamadmin,<IDSTORE_USERSEARCHBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=OblixAnonymous,DC=interop,DC=us,DC=oracle,DC=com" -pwd <password> -mustchpwd no
dsmod user "CN=oamLDAP,<IDSTORE_SYSTEMIDBASE>" -pwd <password> -mustchpwd no
dsmod user "CN=oimLDAP,<IDSTORE_SYSTEMIDBASE>" -pwd <password> -mustchpwd no
-
Enable the user accounts.
dsmod user "CN=weblogic_idm,<IDSTORE_USERSEARCHBASE>" -disabled no
dsmod user "CN=xelsysadm,<IDSTORE_USERSEARCHBASE>" -disabled no
dsmod user "CN=oamadmin,<IDSTORE_USERSEARCHBASE>" -disabled no
dsmod user "CN=OblixAnonymous,DC=interop,DC=us,DC=oracle,DC=com" -disabled no
dsmod user "CN=oamLDAP,<IDSTORE_SYSTEMIDBASE>" -disabled no
dsmod user "CN=oimLDAP,<IDSTORE_SYSTEMIDBASE>" -disabled no
2.3.3.2 Configuring OAM Using Automated Script
Configure Oracle Access Manager using the automated script for OIG-OAM integration, OIGOAMIntegration.sh.
This step is similar to running the IDMConfigTool command idmConfigTool.sh -configOAM. See configOAM Command.
-
Locate the properties file, ssointg-config.properties, available at $ORACLE_HOME/idm/server/ssointg/config/, and set the configOAM value to true.
generateIndividualConfigFiles=false
prepareIDStore=false
configOAM=true
addMissingObjectClasses=false
populateOHSRules=false
configureWLSAuthnProviders=false
configureLDAPConnector=false
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=false
configureSSOIntegration=false
enableOAMSessionDeletion=false
-
Update the configOAM.config file.
WLSHOST
WLSPORT
WLSADMIN
IDSTORE_HOST
IDSTORE_PORT
IDSTORE_BINDDN
IDSTORE_USERNAMEATTRIBUTE
IDSTORE_LOGINATTRIBUTE
IDSTORE_SEARCHBASE
IDSTORE_USERSEARCHBASE
IDSTORE_GROUPSEARCHBASE
IDSTORE_OAMSOFTWAREUSER
IDSTORE_OAMADMINUSER
PRIMARY_OAM_SERVERS
WEBGATE_TYPE
ACCESS_GATE_ID
OAM11G_IDM_DOMAIN_OHS_HOST
OAM11G_IDM_DOMAIN_OHS_PROTOCOL
OAM11G_OAM_SERVER_TRANSFER_MODE
OAM11G_IDM_DOMAIN_LOGOUT_URLS
OAM11G_WG_DENY_ON_NOT_PROTECTED
OAM11G_SERVER_LOGIN_ATTRIBUTE
OAM_TRANSFER_MODE
COOKIE_DOMAIN
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN
OAM11G_SSO_ONLY_FLAG
OAM11G_OIM_INTEGRATION_REQ
OAM11G_IMPERSONATION_FLAG
OAM11G_SERVER_LBR_HOST
OAM11G_SERVER_LBR_PORT
OAM11G_SERVER_LBR_PROTOCOL
COOKIE_EXPIRY_INTERVAL
OAM11G_OIM_OHS_URL
SPLIT_DOMAIN
OAM11G_IDSTORE_NAME
IDSTORE_SYSTEMIDBASE
The following table describes the parameters related to configuring OAM in the configOAM.config properties file example.
Table 2-5 Parameters in configOAM.config file
Property | Description | Sample Value
ACCESS_GATE_ID | Name to be assigned to the WebGate. This is the value specified during OAM configuration. | Webgate_IDM
COOKIE_DOMAIN | Enter the domain in which the WebGate functions. | .example.com
COOKIE_EXPIRY_INTERVAL | Enter the cookie expiration period. | 120
IDSTORE_BINDDN | An administrative user in Oracle Internet Directory, Oracle Unified Directory, or Active Directory. | OID = cn=orcladmin; OUD = cn=oudadmin; AD = CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com
IDSTORE_GROUPSEARCHBASE | Enter the location in the directory where groups are stored. | cn=groups,dc=example,dc=com
IDSTORE_HOST | Enter the identity store host name. | idstore.example.com
IDSTORE_LOGINATTRIBUTE | Enter the login attribute of the identity store that contains the user's login name. | uid
IDSTORE_OAMADMINUSER | Enter the user you use to access your Oracle Access Management Console. | oamAdmin
IDSTORE_OAMSOFTWAREUSER | Enter the user you use to interact with the LDAP server. | oamLDAP
IDSTORE_PORT | Enter the identity store port. | 3060
IDSTORE_SEARCHBASE | Enter the location in the directory where users and groups are stored. | dc=example,dc=com
IDSTORE_SYSTEMIDBASE | Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters. | cn=systemids,dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE | Enter the username attribute used to set and search for users in the identity store. | cn
IDSTORE_USERSEARCHBASE | Enter the container under which Access Manager searches for users. | cn=users,dc=example,dc=com
OAM_TRANSFER_MODE | Enter the security mode in which the access servers function. Supported values are OPEN and SIMPLE. | Open
OAM11G_IDM_DOMAIN_LOGOUT_URLS | Set to the various logout URLs. | /console/jsp/common/logout.jsp, /em/targetauth/emaslogout.jsp
OAM11G_IDM_DOMAIN_OHS_HOST | Enter the load balancer that is in front of Oracle HTTP Server (OHS) in a high-availability configuration. | sso.example.com
OAM11G_IDM_DOMAIN_OHS_PORT | Enter the load balancer port. | 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL | Enter the protocol to use when directing requests to the load balancer. |
OAM11G_IDSTORE_NAME | Enter the name of the IDStore configured in OAM. This is set as the default/System ID Store in OAM. | OAMIDStore
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN | Account to administer role security in the identity store. | OAMAdministrators
OAM11G_IMPERSONATION_FLAG | Enables or disables the impersonation feature in the OAM server. | TRUE
OAM11G_OAM_SERVER_TRANSFER_MODE | Enter the security mode in which the access servers function. Supported values are OPEN and SIMPLE. | Open
OAM11G_OIM_INTEGRATION_REQ | Specifies whether to integrate with Oracle Identity Governance or to configure Access Manager in stand-alone mode. Set to true for integration. | TRUE
OAM11G_OIM_OHS_URL | Enter the URL of the load balancer or Oracle HTTP Server (OHS) fronting the OIM server. | https://sso.example.com:443/
OAM11G_SERVER_LBR_HOST | Enter the OAM server fronting your site. The following parameters are used to construct your login URL: OAM11G_SERVER_LBR_HOST, OAM11G_SERVER_LBR_PORT, and OAM11G_SERVER_LBR_PROTOCOL. | sso.example.com
OAM11G_SERVER_LBR_PORT | Enter the load balancer port. | 443
OAM11G_SERVER_LBR_PROTOCOL | Enter the protocol to use when directing requests to the load balancer. | https
OAM11G_SERVER_LOGIN_ATTRIBUTE | Setting this to uid ensures that the username is validated against the uid attribute in LDAP when the user logs in. | uid
OAM11G_SSO_ONLY_FLAG | Set this to configure Access Manager 11g in authentication-only mode or in normal mode, which supports both authentication and authorization. The default value is true. | TRUE
OAM11G_WG_DENY_ON_NOT_PROTECTED | Set the deny-on-not-protected flag for a 10g WebGate. Valid values are true and false. | FALSE
PRIMARY_OAM_SERVERS | Enter a comma-separated list of your Access Manager servers and the proxy ports they use. | oamhost1.example.com:5575, oamhost2.example.com:5575
SPLIT_DOMAIN | Set to true; this is required to suppress the double authentication of the Oracle Access Management Console. | TRUE
WEBGATE_TYPE | Enter the WebGate agent type you want to create. 10g is no longer supported in 12c. | ohsWebgate11g
WLSADMIN | Enter the WebLogic Server administrative user account you use to log in to the WebLogic Server Administration Console in the OIG domain. | weblogic
WLSHOST | Enter the Administration Server host name in the OAM domain. | oamadminhost.example.com
WLSPORT | Enter the Administration Server port in the OAM domain. | 7001
-
Run the automated script for OIG-OAM integration to configure OAM.
OIGOAMIntegration.sh -configOAM
You have successfully executed the automated script for configuring Oracle Access Manager.
2.3.3.3 Populating OHS Rules Using Automated Script
Populate OHS rules using the automated script for OIG-OAM integration, OIGOAMIntegration.sh.
This step is equivalent to manually updating the oim.conf file. See Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Governance.
To populate OHS rules:
-
Locate the properties file, ssointg-config.properties, available at $ORACLE_HOME/idm/server/ssointg/config/, and set the populateOHSRules value to true.
generateIndividualConfigFiles=false
prepareIDStore=false
configOAM=false
addMissingObjectClasses=false
populateOHSRules=true
configureWLSAuthnProviders=false
configureLDAPConnector=false
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=false
configureSSOIntegration=false
enableOAMSessionDeletion=false
-
Update the populateOHSRedirectIdmConf.config file.
OIM_HOST
OIM_PORT
OAM_HOST
OAM_PORT
The following table describes the parameters in the populateOHSRedirectIdmConf.config file.
Table 2-6 Parameters in populateOHSRedirectIdmConf.config file
Property | Description | Sample Value
OAM_HOST | Enter the URL for the OAM server. | oamhost.example.com
OAM_PORT | Enter the port for the OAM server. | 14100
OIM_HOST | Enter the host name of the OIG managed server. | oimhost.example.com
OIM_PORT | Enter the port of the OIG server. | 14000
-
Run the automated script for OIG-OAM integration to populate the OHS rules.
OIGOAMIntegration.sh -populateOHSRules
You have successfully executed the automated script for populating OHS rules.
Note:
Alternatively, you can populate the OHS rules manually by following the instructions in Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Governance.
2.3.3.4 Configuring WLS Authentication Providers Using Automated Script
Configure WLS Authentication Providers using the automated script for OIG-OAM integration, OIGOAMIntegration.sh.
Configure SSO logout for OIM. The security providers in the OIM domain should be configured so that both SSO login and OIM client-based login work correctly.
For example, reorder the authenticators as follows for OID:
-
OAMIDAsserter
-
OIMSignatureAuthenticator
-
OIDAuthenticator
-
DefaultAuthenticator
-
DefaultIdentityAsserter
-
All other existing authenticators
To configure WLS Authentication Providers using the automated script:
-
Locate the properties file, ssointg-config.properties, available at $ORACLE_HOME/idm/server/ssointg/config/, and set the configureWLSAuthnProviders value to true.
generateIndividualConfigFiles=false
prepareIDStore=false
configOAM=false
addMissingObjectClasses=false
populateOHSRules=false
configureWLSAuthnProviders=true
configureLDAPConnector=false
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=false
configureSSOIntegration=false
enableOAMSessionDeletion=false
-
Update the configureWLSAuthnProviders.config file.
OIM_WLSHOST
OIM_WLSPORT
OIM_WLSADMIN
OIM_WLSADMIN_PWD
## DIRTYPE values can be [OID | OUD | AD]
IDSTORE_DIRECTORYTYPE
IDSTORE_HOST
IDSTORE_PORT
IDSTORE_BINDDN
IDSTORE_BINDDN_PWD
IDSTORE_USERSEARCHBASE
IDSTORE_GROUPSEARCHBASE
The following table describes the parameters related to configuring WLS Authentication Providers.
Table 2-7 Parameters in configureWLSAuthnProviders.config file
Property | Description | Sample Value
IDSTORE_BINDDN | An administrative user in Oracle Internet Directory, Oracle Unified Directory, or Active Directory. | OID = cn=orcladmin; OUD = cn=oudadmin; AD = CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com
IDSTORE_BINDDN_PWD | Enter the password for the administrative user in Oracle Internet Directory or Oracle Unified Directory. | <password>
IDSTORE_DIRECTORYTYPE | Enter the identity store directory type. Valid options are OID, OUD, and AD. | OID
IDSTORE_GROUPSEARCHBASE | Enter the location in the directory where groups are stored. | cn=groups,dc=example,dc=com
IDSTORE_HOST | Enter the identity store host name. | idstore.example.com
IDSTORE_PORT | Enter the identity store port. | 3060
IDSTORE_USERSEARCHBASE | Enter the container under which Access Manager searches for users. | cn=users,dc=example,dc=com
OIM_WLSADMIN | Enter the WebLogic administrator user in the OIM domain. | weblogic
OIM_WLSADMIN_PWD | Enter the password for the WebLogic admin user in the OIM domain. | <password>
OIM_WLSHOST | Enter the OIG Administration Server host name. | oimadminhost.example.com
OIM_WLSPORT | Enter the OIG Administration Server port. | 7001
-
Run the automated script for OIG-OAM integration to configure WLS Authentication Providers.
OIGOAMIntegration.sh -configureWLSAuthnProviders
You have successfully executed the automated script for configuring WLS Authentication Providers.
2.3.3.5 Configuring LDAP Connector Using Automated Script
Configure the LDAP Connector using the automated script for integration, OIGOAMIntegration.sh.
This step performs the following operations:
-
Copying the Application On-boarding LDAP templates into the downloaded Connector bundle.
-
Obtaining application names and other property values, such as the LDAP host and port, from the configuration file.
-
Creating Application objects (the target application and the authoritative application) from the unmarshalled LDAP templates.
-
Executing the create API method through the Application Manager to create the Application Instances from the Application objects.
-
Updating the IT Resource instance with the following values obtained from the configuration file:
  -
  baseContexts
  -
  principal
  -
  credentials
  -
  host and port
  -
  SSL (true or false)
-
Setting the SSO.DefaultCommonNamePolicyImpl system property.
-
Setting the following properties in SSOIntegrationMXBean with values obtained from the configuration file:
  -
  targetAppInstanceName
  -
  targetITResourceNameForGroup
  -
  directorytype
-
Updating the scheduled jobs with the SSO trusted and target parameters.
-
Updating container rules by invoking the SSOIntegrationMXBean addContainerRules operation with the following values obtained from the configuration file:
  -
  Directory type
  -
  User search base
  -
  User search base description
  -
  Group search base
  -
  Group search base description
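The check below is an added example, not part of the Oracle documentation or of OIGOAMIntegration.sh: it reads the configureLDAPConnector.config properties that feed the IT Resource update listed above (principal, credentials, host and port, SSL) and validates them before the script is run, including the yes/no versus true/false convention for IS_LDAP_SECURE and the shape of the bind DN. It assumes, which the page does not state, that baseContexts comes from IDSTORE_SEARCHBASE; the output field names are illustrative and the sample config files are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation or of OIGOAMIntegration.sh:
# derives the IT Resource values that the configureLDAPConnector step takes from
# configureLDAPConnector.config and checks them before the script runs.
# Assumptions not stated on the page: baseContexts is taken from IDSTORE_SEARCHBASE,
# and the output field names (host, port, ssl, ...) are illustrative labels only.

# prop_value FILE KEY: value of KEY in a properties file; empty if unset or commented.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# valid_dn DN: return 0 when every comma-separated RDN has the form attr=value,
# which catches a DN such as cn=oimLDAP,systemids,dc=example,dc=com that is missing
# the cn= of the system IDs container. Escaped commas and multi-valued RDNs are
# not handled by this simplified check.
valid_dn() {
    [ -n "$1" ] || return 1
    if printf '%s\n' "$1" | tr ',' '\n' | grep -Evq '^[A-Za-z][A-Za-z0-9-]*=.+$'; then
        return 1
    fi
    return 0
}

# ldap_ssl_flag DIRTYPE VALUE: normalise IS_LDAP_SECURE to true/false for the IT
# Resource. The config file uses yes/no for Active Directory and true/false for
# OID/OUD; any other combination is rejected (return 1) rather than guessed.
ldap_ssl_flag() {
    v=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$1:$v" in
        AD:yes) echo true ;;
        AD:no) echo false ;;
        OID:true|OUD:true) echo true ;;
        OID:false|OUD:false) echo false ;;
        *) echo "IS_LDAP_SECURE='$2' is not valid for directory type '$1'" >&2; return 1 ;;
    esac
}

# it_resource_params CONFIG: print name=value lines for the IT Resource, or return 1
# if a required value is missing or malformed. The bind password is never printed;
# a placeholder stands in for the credentials field.
it_resource_params() {
    f=$1
    dirtype=$(prop_value "$f" IDSTORE_DIRECTORYTYPE)
    host=$(prop_value "$f" IDSTORE_HOST)
    port=$(prop_value "$f" IDSTORE_PORT)
    principal=$(prop_value "$f" IDSTORE_OIMADMINUSERDN)
    base=$(prop_value "$f" IDSTORE_SEARCHBASE)
    for name in dirtype host port principal base; do
        eval "val=\$$name"
        if [ -z "$val" ]; then
            echo "missing value for $name in $f" >&2
            return 1
        fi
    done
    if ! valid_dn "$principal"; then
        echo "IDSTORE_OIMADMINUSERDN '$principal' is not a valid DN" >&2
        return 1
    fi
    case "$port" in
        *[!0-9]*) echo "IDSTORE_PORT '$port' is not numeric" >&2; return 1 ;;
    esac
    ssl=$(ldap_ssl_flag "$dirtype" "$(prop_value "$f" IS_LDAP_SECURE)") || return 1
    printf 'baseContexts=%s\nprincipal=%s\ncredentials=%s\nhost=%s\nport=%s\nssl=%s\n' \
        "$base" "$principal" "<IDSTORE_OIMADMINUSER_PWD>" "$host" "$port" "$ssl"
}

# Constructed sample config files (values modelled on the table on this page).
LDAPCONN_TMP=$(mktemp -d)
cat > "$LDAPCONN_TMP/oid.config" <<'EOF'
IDSTORE_DIRECTORYTYPE=OID
IDSTORE_HOST=idstore.example.com
IDSTORE_PORT=3060
IDSTORE_OIMADMINUSERDN=cn=oimLDAP,cn=systemids,dc=example,dc=com
IDSTORE_OIMADMINUSER_PWD=<password>
IDSTORE_SEARCHBASE=dc=example,dc=com
IS_LDAP_SECURE=FALSE
EOF
cat > "$LDAPCONN_TMP/ad-bad.config" <<'EOF'
IDSTORE_DIRECTORYTYPE=AD
IDSTORE_HOST=ad.example.com
IDSTORE_PORT=636
IDSTORE_OIMADMINUSERDN=cn=oimLDAP,systemids,dc=example,dc=com
IDSTORE_SEARCHBASE=dc=example,dc=com
## wrong for AD: the config file expects yes/no here
IS_LDAP_SECURE=true
EOF

it_resource_params "$LDAPCONN_TMP/oid.config" || echo "oid.config rejected"
it_resource_params "$LDAPCONN_TMP/ad-bad.config" || echo "ad-bad.config rejected (bad DN)"
```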
Note:
Executing the script for configuring the connector seeds only the default LDAP container rules into MDS. You can use custom container rules and upload them manually to MDS.
To configure the LDAP Connector:
- Locate the properties file,
ssointg-config.properties
, available at$ORACLE_HOME/idm/server/ssointg/config/
and set theconfigureLDAPConnector
value totrue
.generateIndividualConfigFiles=false prepareIDStore=false configOAM=false addMissingObjectClasses=false populateOHSRules=false configureWLSAuthnProviders=false configureLDAPConnector=true ## configureLDAPConnector takes care of updating container rules ## Additional option is provided in case rules need to be updated again updateContainerRules=false configureSSOIntegration=false enableOAMSessionDeletion=false
-
Update the
configureLDAPConnector.config
file.IDSTORE_DIRECTORYTYPE OIM_HOST OIM_PORT OIM_SERVER_NAME WLS_OIM_SYSADMIN_USER WLS_OIM_SYSADMIN_USER_PWD OIM_WLSHOST OIM_WLSPORT OIM_WLSADMIN OIM_WLSADMIN_PWD IDSTORE_HOST IDSTORE_PORT IDSTORE_OIMADMINUSERDN IDSTORE_OIMADMINUSER_PWD IDSTORE_SEARCHBASE IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE IDSTORE_USERSEARCHBASE_DESCRIPTION IDSTORE_GROUPSEARCHBASE_DESCRIPTION ## For ActiveDirectory use the values of "yes" or "no". i.e. IS_LDAP_SECURE IS_LDAP_SECURE SSO_TARGET_APPINSTANCE_NAME ## Path to expanded connector bundle: e.g. for OID and OUD CONNECTOR_MEDIA_PATH ## Path for AD bundle # CONNECTOR_MEDIA_PATH ## [ActiveDirectory] # The following attributes need to be initialized only if Active Directory is the target server # IDSTORE_ADADMINUSERDN # IDSTORE_ADADMINUSER_PWD # AD_DOMAIN_NAME # AOB_TEMPLATE_FILE_PREFIX ## Active Directory Connector Server details # AD_CONNECTORSERVER_HOST # AD_CONNECTORSERVER_KEY # AD_CONNECTORSERVER_PORT # AD_CONNECTORSERVER_TIMEOUT ## Set to yes if SSL is enabled # AD_CONNECTORSERVER_USESSL
The following table describes the parameters in the configureLDAPConnector.config file example.
Table 2-8 Parameters in configureLDAPConnector.config file
Property | Description | Sample Value |
---|---|---|
AD_CONNECTORSERVER_HOST | Enter the host name or IP address of the computer hosting the connector server. | 192.168.99.100 |
AD_CONNECTORSERVER_KEY | Enter the key for the connector server. | <connectorserverkey> |
AD_CONNECTORSERVER_PORT | Enter the number of the port on which the connector server is listening. | 8759 |
AD_CONNECTORSERVER_TIMEOUT | Enter an integer value that specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Governance times out. A value of 0 means that the connection never times out. | 0 |
AD_CONNECTORSERVER_USESSL | Enter true to specify that you will configure SSL between Oracle Identity Governance or Oracle Unified Directory and the Connector Server. Otherwise, enter false. For Active Directory, the value should be yes or no. The default value is false. Note: It is recommended that you configure SSL to secure communication with the connector server. | true (or false) |
AD_DOMAIN_NAME | Enter the domain name configured in Microsoft Active Directory. | example.com |
CONNECTOR_MEDIA_PATH | Enter the location of the downloaded and unzipped Connector bundle. Oracle Identity Governance uses this location to pick up the Connector bundle to be installed. | OID/OUD = /u01/oracle/products/identity/idm/server/ConnectorDefaultDirectory/OID-11.1.1.7.0; AD = /u01/oracle/products/identity/idm/server/ConnectorDefaultDirectory/activedirectory-12.2.1.3.0 |
IDSTORE_DIRECTORYTYPE | Enter the identity store directory type. Valid options are OID, OUD, and AD. | OID |
IDSTORE_GROUPSEARCHBASE_DESCRIPTION | Enter the description for the directory group search base. | Default group container |
IDSTORE_HOST | Enter the identity store host name. | idstore.example.com |
IDSTORE_OIMADMINUSER_PWD | Enter the password for the user that Oracle Identity Governance uses to connect to the identity store. | <password> |
IDSTORE_OIMADMINUSERDN | Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters. | cn=oimLDAP,systemids,dc=example,dc=com |
IDSTORE_PORT | Enter the identity store port. | 3060 |
IDSTORE_SEARCHBASE | Enter the location in the directory where users and groups are stored. | dc=example,dc=com |
IDSTORE_USERSEARCHBASE | Enter the container under which Access Manager searches for users. | cn=users,dc=example,dc=com |
IDSTORE_USERSEARCHBASE_DESCRIPTION | Enter the description for the directory user search base. | Default user container |
IS_LDAP_SECURE | Indicates whether SSL is used for LDAP communication. Use yes or no for Active Directory. | FALSE |
OIM_HOST | Enter the host name of the OIG managed server. | oimhost.example.com |
OIM_PORT | Enter the port of the OIG server. | 14000 |
OIM_SERVER_NAME | Enter the OIG server name. | oim_server1 |
OIM_WLSADMIN | Enter the WebLogic administrator user in the OIM domain. | weblogic |
OIM_WLSADMIN_PWD | Enter the password for the WebLogic admin user in the OIM domain. | <password> |
OIM_WLSHOST | Enter the OIG admin server host name. | oimadminhost.example.com |
OIM_WLSPORT | Enter the OIG admin server port. | 7001 |
SSO_TARGET_APPINSTANCE_NAME | Enter the target application instance name used for provisioning accounts to the target LDAP. | SSOTarget |
WLS_OIM_SYSADMIN_USER | Enter the system admin user used to connect to OIG while configuring SSO. This user must have the system admin role. | xelsysadm |
WLS_OIM_SYSADMIN_USER_PWD | Enter the password for the OIG system administrator user. | <password> |
- Run the automated script for OIG-OAM integration to configure the LDAP Connector.
OIGOAMIntegration.sh -configureLDAPConnector
You have successfully executed the automated script for configuring LDAP Connector.
Note:
Alternatively, you can perform manual configuration of the LDAP Connector. See Configuring LDAP Connector Manually.
2.3.3.6 Configuring SSO Integration Using Automated Script
Configure SSO Integration using the automated script for integration, OIGOAMIntegration.sh. Run OIGOAMIntegration.sh to register OIM as a TAP partner for OAM, add the resource policies for OIG-OAM communication, and update the SSOIntegrationMXBean values in MDS.
To configure SSO integration:
- Locate the properties file, ssointg-config.properties, available at $ORACLE_HOME/idm/server/ssointg/config/, and set the configureSSOIntegration value to true.
generateIndividualConfigFiles=false
prepareIDStore=false
configOAM=false
addMissingObjectClasses=false
populateOHSRules=false
configureWLSAuthnProviders=false
configureLDAPConnector=false
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=false
configureSSOIntegration=true
enableOAMSessionDeletion=false
- Update the configureSSOIntegration.config file.
NAP_VERSION
COOKIE_EXPIRY_INTERVAL
OAM_HOST
OAM_PORT
ACCESS_SERVER_HOST
ACCESS_SERVER_PORT
OAM_SERVER_VERSION
WEBGATE_TYPE
ACCESS_GATE_ID _IDM
SSO_ACCESS_GATE_PASSWORD
COOKIE_DOMAIN
OAM_TRANSFER_MODE
SSO_ENABLED_FLAG
SSO_INTEGRATION_MODE
OIM_LOGINATTRIBUTE
## Parameters required for TAP registration
OAM11G_WLS_ADMIN_HOST
OAM11G_WLS_ADMIN_PORT
OAM11G_WLS_ADMIN_USER
OAM11G_WLS_ADMIN_PASSWD
## Required if OAM_TRANSFER_MODE is not OPEN
#SSO_KEYSTORE_JKS_PASSWORD
#SSO_GLOBAL_PASSPHRASE
OIM_WLSHOST
OIM_WLSPORT
IDSTORE_OAMADMINUSER
IDSTORE_OAMADMINUSER_PWD
## Required in SSL mode
#OIM_TRUST_LOC
#OIM_TRUST_PWD
#OIM_TRUST_TYPE
The following table describes the parameters related to configuring SSO Integration in the configureSSOIntegration.config file example.
Table 2-9 Parameters in configureSSOIntegration.config file
Property | Description | Sample Value |
---|---|---|
ACCESS_GATE_ID | Name to be assigned to the WebGate. This is the value specified during OAM configuration. | Webgate_IDM |
ACCESS_SERVER_HOST | Enter the Access Manager OAP host. | oamaccesshost.example.com |
ACCESS_SERVER_PORT | Enter the Access Manager OAP port. | 5557 |
COOKIE_DOMAIN | Enter the domain in which the WebGate functions. | .example.com |
COOKIE_EXPIRY_INTERVAL | Enter the cookie expiration period. | 120 |
IDSTORE_OAMADMINUSER | Enter the user you use to access your Oracle Access Management Console. | oamAdmin |
IDSTORE_OAMADMINUSER_PWD | Enter the password for the user you use to access your Oracle Access Management Console. | <password> |
NAP_VERSION | Enter the NAP protocol version (4 indicates 11g or later). | 4 |
OAM_HOST | Enter the URL of the OAM server. | oamhost.example.com |
OAM_PORT | Enter the port of the OAM server. | 14100 |
OAM_SERVER_VERSION | Only OAM 11g is supported. OAM 10g is not supported in 12c integration. | 11g |
OAM_TRANSFER_MODE | Enter the security mode in which the access servers function. Supported values are OPEN and SIMPLE. | Open |
OAM11G_WLS_ADMIN_HOST | Enter the host of the Admin server in the OAM domain. | oamadminhost.example.com |
OAM11G_WLS_ADMIN_PASSWD | Enter the password for the WebLogic admin user in the OAM domain. | <password> |
OAM11G_WLS_ADMIN_PORT | Enter the port of the Admin server in the OAM domain. | 7001 |
OAM11G_WLS_ADMIN_USER | Enter the WebLogic administrator user in the OAM domain. | weblogic |
OIM_LOGINATTRIBUTE | Enter the login attribute of the identity store that contains the user's login name. The user logs in with this attribute. For example, User Login. | User Login |
OIM_TRUST_LOC | Enter the location of the OIG trust store. | ORACLE_HOME/wlserver/server/lib/DemoTrust.jks |
OIM_TRUST_PWD | Enter the password to access the trust store. | <password> |
OIM_TRUST_TYPE | Enter the type of the trust store. The default is JKS. | JKS |
OIM_WLSHOST | Enter the OIG admin server host name. | oimadminhost.example.com |
OIM_WLSPORT | Enter the OIG admin server port. | 7001 |
SSO_ENABLED_FLAG | Set it to TRUE if OIG-OAM integration is enabled, and to False otherwise. | TRUE |
SSO_GLOBAL_PASSPHRASE | The random global passphrase for SIMPLE security mode communication with Access Manager. By default, Access Manager is configured to use the OPEN security mode. If you want to use the installation default of OPEN mode, you can skip this property. | <password> |
SSO_INTEGRATION_MODE | Enter the integration mode with OAM. In Challenge Question Response (CQR) mode, OIG handles the password policy and password operations. In One Time Password (OTP) mode, all password operations are handled by OAM itself and there is no password change or reset in OIG. | CQR |
SSO_KEYSTORE_JKS_PASSWORD | Enter the password for the keystore, required for SIMPLE mode communication with OAM. | <password> |
WEBGATE_TYPE | Enter the WebGate agent type you want to create. 10g is no longer supported in 12c. | ohsWebgate11g |
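Tables 2-8 and 2-9 above carry several settings that decide whether the integration's LDAP, OAP and connector-server traffic is encrypted, and both files hold passwords in clear text while the script runs. The following is an added example (not part of the Oracle documentation or of OIGOAMIntegration.sh) that parses a file in the KEY=VALUE layout shown on this page and reports the weak settings a reviewer would look for. The property names are those of the two tables; the sample file and its values are constructed.

```python
"""Audit an OIGOAMIntegration .config file for settings that weaken the
integration's transport security or leave secrets on disk.

Added example, not part of the Oracle documentation or of
OIGOAMIntegration.sh. It assumes the KEY=VALUE / bare KEY / '#'-comment
layout shown for configureLDAPConnector.config and
configureSSOIntegration.config; property names are those of Tables 2-8
and 2-9, and the sample file below is constructed.
"""

TRUTHY = {"yes", "true"}
SECRET_SUFFIXES = ("_PWD", "_PASSWD", "_PASSWORD", "_PASSPHRASE")

# Constructed sample: a partially filled-in config as an administrator might leave it.
SAMPLE_CONFIG = """\
## For ActiveDirectory use the values of "yes" or "no". i.e. IS_LDAP_SECURE
IDSTORE_DIRECTORYTYPE=OID
IDSTORE_HOST=idstore.example.com
IDSTORE_PORT=3060
IS_LDAP_SECURE=FALSE
IDSTORE_OIMADMINUSER_PWD=sample-not-a-real-password
OAM_TRANSFER_MODE=OPEN
AD_CONNECTORSERVER_TIMEOUT=0
# AD_CONNECTORSERVER_USESSL
SSO_ENABLED_FLAG=TRUE
OIM_WLSADMIN_PWD
"""


def parse_config(text):
    """Map each active (non-comment) property to its value, or None if left bare."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        props[key.strip()] = value.strip() if sep else None
    return props


def audit_config(text):
    """Return (severity, property, message) findings for the config text."""
    props = parse_config(text)

    def get(key):
        # Unset keys and bare keys both read as the empty string.
        return props.get(key) or ""

    findings = []
    if "IS_LDAP_SECURE" in props and get("IS_LDAP_SECURE").lower() not in TRUTHY:
        findings.append(("high", "IS_LDAP_SECURE",
                         "LDAP traffic to the identity store is not protected by SSL/TLS"))
    if get("OAM_TRANSFER_MODE").upper() == "OPEN":
        findings.append(("high", "OAM_TRANSFER_MODE",
                         "OAP channel to the access servers runs in OPEN mode; "
                         "SIMPLE mode with SSO_GLOBAL_PASSPHRASE encrypts it"))
    if (get("IDSTORE_DIRECTORYTYPE").upper() == "AD"
            and get("AD_CONNECTORSERVER_USESSL").lower() not in TRUTHY):
        findings.append(("high", "AD_CONNECTORSERVER_USESSL",
                         "connector server traffic for Active Directory is not protected by SSL"))
    if get("AD_CONNECTORSERVER_TIMEOUT") == "0":
        findings.append(("low", "AD_CONNECTORSERVER_TIMEOUT",
                         "connection to the connector server never times out"))
    for key, value in props.items():
        if key.endswith(SECRET_SUFFIXES) and value:
            findings.append(("medium", key,
                             "clear-text secret left in the config file; "
                             "clear it once the script has run"))
    return findings


if __name__ == "__main__":
    for severity, prop, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {prop}: {message}")
```

Bare keys (a property name with no `=`) are treated as unset, matching the templates above, so a password that was never filled in is not reported while one that was filled in and left behind is.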
-
Run the automated script for OIG-OAM integration to configure SSO Integration.
OIGOAMIntegration.sh -configureSSOIntegration
You have successfully executed the automated script for configuring SSO Integration.
2.3.3.7 Enabling OAM Notifications Using Automated Script
Enable OAM notifications using the automated script for OIG-OAM integration, OIGOAMIntegration.sh.
Event handlers are required to terminate user sessions. OAM notification handlers are not loaded by default. Run OIGOAMIntegration.sh -enableOAMSessionDeletion to import the OAM notification handlers and register the OIG System Administrator to use the OAM REST APIs.
To enable OAM notification:
- Locate the properties file, ssointg-config.properties, available at $ORACLE_HOME/idm/server/ssointg/config/, and set the enableOAMSessionDeletion value to true.
generateIndividualConfigFiles=false
prepareIDStore=false
configOAM=false
addMissingObjectClasses=false
populateOHSRules=false
configureWLSAuthnProviders=false
configureLDAPConnector=false
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=false
configureSSOIntegration=false
enableOAMSessionDeletion=true
- Update the enableOAMSessionDeletion.config file.
OIM_SERVER_NAME
OIM_WLSHOST
OIM_WLSPORT
OIM_WLSADMIN
OIM_WLSADMIN_PWD
IDSTORE_DIRECTORYTYPE
IDSTORE_HOST
IDSTORE_PORT
## Specify the IDStore admin credentials below
IDSTORE_BINDDN
IDSTORE_BINDDN_PWD
IDSTORE_USERSEARCHBASE
IDSTORE_GROUPSEARCHBASE
IDSTORE_SYSTEMIDBASE
IDSTORE_OAMADMINUSER
IDSTORE_OAMSOFTWAREUSER
The following table describes the parameters related to enabling OAM Notifications in the enableOAMSessionDeletion.config file example.
Table 2-10 Parameters in enableOAMSessionDeletion.config file
Property | Description | Sample Value |
---|---|---|
IDSTORE_BINDDN | An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory. | OID = cn=orcladmin; OUD = cn=oudadmin; AD = CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com |
IDSTORE_BINDDN_PWD | Enter the password for the administrative user in Oracle Internet Directory or Oracle Unified Directory. | <password> |
IDSTORE_DIRECTORYTYPE | Enter the identity store directory type. Valid options are OID, OUD, and AD. | OID |
IDSTORE_GROUPSEARCHBASE | Enter the location in the directory where groups are stored. | cn=groups,dc=example,dc=com |
IDSTORE_HOST | Enter the identity store host name. | idstore.example.com |
IDSTORE_OAMADMINUSER | Enter the user you use to access your Oracle Access Management Console. | oamAdmin |
IDSTORE_OAMSOFTWAREUSER | Enter the user you use to interact with the LDAP server. | oamLDAP |
IDSTORE_PORT | Enter the identity store port. | 3060 |
IDSTORE_SYSTEMIDBASE | Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters. | cn=systemids,dc=example,dc=com |
IDSTORE_USERSEARCHBASE | Enter the container under which Access Manager searches for users. | cn=users,dc=example,dc=com |
OIM_SERVER_NAME | Enter the OIG server name. | oim_server1 |
OIM_WLSADMIN | Enter the WebLogic administrator user in the OIM domain. | weblogic |
OIM_WLSADMIN_PWD | Enter the password for the WebLogic admin user in the OIM domain. | <password> |
OIM_WLSHOST | Enter the OIG admin server host name. | oimadminhost.example.com |
OIM_WLSPORT | Enter the OIG admin server port. | 7001 |
-
Run the automated script for OIG-OAM integration to enable OAM notifications.
OIGOAMIntegration.sh -enableOAMSessionDeletion
You have successfully executed the automated script to enable OAM notifications.
2.3.3.8 Adding Missing Object Classes Using Automated Script
Add the missing object classes using the automated script for OIG-OAM integration, OIGOAMIntegration.sh.
- Set addMissingObjectClasses=true in the ssointg-config.properties file.
generateIndividualConfigFiles=false
prepareIDStore=false
configOAM=false
addMissingObjectClasses=true
populateOHSRules=false
configureWLSAuthnProviders=false
configureLDAPConnector=false
## configureLDAPConnector takes care of updating container rules
## Additional option is provided in case rules need to be updated again
updateContainerRules=false
configureSSOIntegration=false
enableOAMSessionDeletion=false
- Update prepareIDStore.all.config with values for IDSTORE_HOST, IDSTORE_PORT, IDSTORE_BINDDN, IDSTORE_BINDDN_PWD, and IDSTORE_USERSEARCHBASE.
- Run the automated script for OIG-OAM integration to add the missing object classes.
OIGOAMIntegration.sh -addMissingObjectClasses
Note:
The time this step takes depends on the number of users in the LDAP directory. It is estimated to take 10 minutes per 10000 users in the LDAP directory.
2.3.3.9 Restarting Servers
After executing the automated script to complete the OIG-OAM integration process, restart all the servers.
- Copy the oim.conf file from ORACLE_HOME/server/ssointg/templates/oim.conf to OHS_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf.
- Restart the OHS server.
- Restart the OIG and OAM domains.
You have successfully executed the automated script and completed the OIG-OAM Integration process.
Proceed with validation of your integration setup. See Validating OIG-OAM integration.
2.4 Validating the Access Manager and Oracle Identity Governance Integration
Performing the following sanity checks (validating the integrated environment) can help you avoid some common issues that could be encountered during runtime.
In this release, Oracle Identity Governance is integrated with Access Manager when the idmconfig command is run with the configOIM option. After Oracle Identity Governance is integrated with Oracle Access Manager, the following configuration settings and files are updated:
- The SSOConfig section in the oim-config.xml file, stored in the OIG Metadata store.
- The realm security providers in OIM_DOMAIN_HOME/config.xml.
- The OIG domain credential store in OIM_DOMAIN_HOME/config/fmwconfig/cwallet.sso.
- The orchestration event handlers required for SSO integration in Eventhandler.xml, stored in the OIG Metadata store.
- The SSO logout configuration in OIM_DOMAIN_HOME/config/fmwconfig/jps-config.xml.
See Also:
-
Validating the Oracle Identity Manager SSO Configuration Settings
-
Validating the Oracle Identity Governance Security Provider Configuration
-
Validating the Access Manager Security Provider Configuration
-
Validating the Oracle Identity Governance Domain Credential Store
-
Validating the Oracle Identity Governance Event Handlers Configured for SSO
-
Validating the Oracle Identity Governance SSO Logout Configuration
-
Functionally Testing the Access Manager and Oracle Identity Governance Integration
2.4.1 Validating the Oracle Identity Governance SSO Configuration Settings
This procedure explains how to validate the SSOConfig settings in oim-config.xml:
See Also:
Getting Started Using the Fusion Middleware Control MBean Browsers in Administering Oracle Fusion Middleware.
2.4.2 Validating the Oracle Identity Governance Security Provider Configuration
This procedure explains how to validate the Oracle Identity Governance Security Provider configuration.
2.4.3 Validating the Access Manager Security Provider Configuration
This procedure explains how to validate the Access Manager Security Provider configuration.
2.4.4 Validating the Oracle Identity Governance Domain Credential Store
All passwords and credentials used during communication between Oracle Identity Governance and Access Manager are stored in the domain credential store.
To validate the passwords and credentials used to communicate:
2.4.5 Validating the Oracle Identity Governance Event Handlers Configured for SSO
EventHandlers.xml file, located at /db/ssointg/EventHandlers.xml.
See Also:
-
Getting Started Using the Fusion Middleware Control MBean Browsers in Administering Oracle Fusion Middleware.
-
Deploying and Undeploying Customizations in Developing and Customizing Applications for Oracle Identity Governance.
To confirm all event handlers are configured correctly, export the EventHandlers.xml file using Oracle Enterprise Manager Fusion Middleware Control:
2.4.6 Validating the Oracle Identity Governance SSO Logout Configuration
Oracle Identity Governance logout is configured to use single logout after the integration is complete. After a user logs out from Oracle Identity Governance, they are logged out from all the Access Manager protected applications as well.
To verify the configuration of single logout, do the following:
2.4.7 Functionally Testing the Access Manager and Oracle Identity Governance Integration
The final task is to verify the Access Manager and Oracle Identity Governance integration.
Perform the steps shown in the following table in sequence.
Table 2-11 Verifying Access Manager and Oracle Identity Governance Integration
Step | Description | Expected Result |
---|---|---|
1 | Log in to the Oracle Access Management Console as the http://admin_server_host:admin_server_port/oamconsole | Provides access to the administration console. |
2 | Access the Oracle Identity Governance administration page with the URL: where hostname:port can be for either Oracle Identity Management or OHS, depending on whether a Domain Agent or WebGate is used. | The Oracle Access Management login page from the Access Manager managed server should display. Verify that the links for the "Forgot Password", "Self Register" and "Track Registration" features appear on the login page. Verify that each link works. For more information about these features, see About Password Management Scenarios. |
3 | Log in as | The Oracle Identity Governance Admin Page should be accessible. |
4 | Create a new user using Oracle Identity Self Service. Close the browser and try accessing the OIG Identity Page. When prompted for login, provide valid credentials for the newly created user. | You should be redirected to Oracle Identity Governance and be required to reset the password. After resetting the password and setting the challenge question, the user should be automatically logged into the application. Auto-login should work. |
5 | Close the browser and access Oracle Identity Self Service. | The Oracle Access Management login page from the Access Manager managed server should display. Verify that the links for the "Forgot Password", "Self Register" and "Track Registration" features appear on the login page. Verify that each link works. For more information about these features, see About Password Management Scenarios. |
6 | Verify that the lock/disable feature works by opening a browser and logging in as a test user. In another browser session, log in as an administrator, then lock the test user account. | The user must be redirected back to the login page when accessing any of the links. |
7 | Verify that the SSO logout feature works by logging in to Oracle Identity Self Service as a test user or system administrator. | Upon logout from the page, you are redirected to the SSO logout page. |
2.4.8 Validating Integration Configuration
Validate that the oam-config.xml file in the OAM domain under DOMAIN_HOME/config/fmwconfig contains the IDStore provided during OAM configuration, say OAMIDStore. The XML node SessionRuntime>UserStore should not contain UserIdentityStore1, but OAMIDStore.
- Validate that the following scheduled jobs exist:
  - SSO Group Create And Update Full Reconciliation
  - SSO Group Create And Update Incremental Reconciliation
  - SSO Group Delete Full Reconciliation
  - SSO Group Delete Incremental Reconciliation
  - SSO Group Hierarchy Sync Full Reconciliation
  - SSO Group Hierarchy Sync Incremental Reconciliation
  - SSO Group Membership Full Reconciliation
  - SSO Group Membership Incremental Reconciliation
  - SSO Post Enable Provision Role Hierarchy to LDAP
  - SSO Post Enable Provision Roles to LDAP
  - SSO Post Enable Provision Users to LDAP
  - SSO User Incremental Reconciliation
- Validate that the IT Resources are updated or created appropriately.
  - Navigate to Provisioning Configuration > ITResource.
  - Search for IT resource type OID Connector.
  - Verify that IT Resources such as SSOTargetApp and SSOTrusted-for-SSOTargetApp have correct parameter values.
- Verify that the /db/LDAPContainerRules.xml file contains the expected values.
- Verify that the log at $ORACLE_HOME/idm/server/ssointg/logs/oig-oam-integration_*.log contains:
[2017-12-22 02:25:13] Seeding OIM Resource Policies into OAM
[2017-12-22 02:25:13] Loading xml... /scratch/userid/devtools/Middleware///idm/server/ssointg/templates/Resources.xml
[2017-12-22 02:25:14] Loading xml... /scratch/userid/devtools/Middleware///idm/server/ssointg/templates/AuthnPolicies.xml
[2017-12-22 02:25:14] Loading xml... /scratch/userid/devtools/Middleware///idm/server/ssointg/templates/AuthzPolicies.xml
[2017-12-22 02:25:14] Getting Application Domains...
[2017-12-22 02:25:14] WebResourceClient::getAppDomainResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/appdomain
[2017-12-22 02:25:15] Authenticating using {oamAdmin:******}
[2017-12-22 02:25:15] Getting Resources from domain 'IAM Suite'
[2017-12-22 02:25:15] WebResourceClient::getResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/resource
[2017-12-22 02:25:16] Getting Resources from domain 'Fusion Apps Integration'
[2017-12-22 02:25:16] WebResourceClient::getResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/resource
[2017-12-22 02:25:16] Getting Authentication Policies from domain 'IAM Suite'
[2017-12-22 02:25:16] WebResourceClient::getAuthenticationPolicyResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authnpolicy
[2017-12-22 02:25:16] Getting Authorization Policies from domain 'IAM Suite'
[2017-12-22 02:25:16] WebResourceClient::getAuthorizationPolicyResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authzpolicy
[2017-12-22 02:25:16] Resources Seeded!!
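Reading the oig-oam-integration log by eye is error-prone, and the same log is worth checking for two things beyond "did it finish": whether the policy-admin REST calls went over plain http://, and whether the line that records the OAM admin authentication ever contains an unmasked secret. The following is an added example (not part of the Oracle documentation or of OIGOAMIntegration.sh) that checks an excerpt for the seeding sequence shown above and for those two conditions. It assumes the '[YYYY-MM-DD HH:MM:SS] message' line format seen in the listing; the excerpt is constructed from those lines.

```python
"""Check an oig-oam-integration_*.log excerpt for the policy-seeding sequence
the validation step expects, for admin REST calls made over plain http://,
and for a credential that was logged unmasked.

Added example, not part of the Oracle documentation or of
OIGOAMIntegration.sh. It assumes the '[YYYY-MM-DD HH:MM:SS] message' line
format shown in the listing; the excerpt below is constructed.
"""
import re

LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")
AUTH_RE = re.compile(r"Authenticating using \{([^:}]+):([^}]*)\}")

# Markers that must appear, in this order, for a completed seeding run.
EXPECTED_SEQUENCE = [
    "Seeding OIM Resource Policies into OAM",
    "Resources.xml",
    "AuthnPolicies.xml",
    "AuthzPolicies.xml",
    "Getting Application Domains...",
    "Resources Seeded!!",
]

# Constructed excerpt modelled on the lines quoted in the validation step.
SAMPLE_LOG = """\
[2017-12-22 02:25:13] Seeding OIM Resource Policies into OAM
[2017-12-22 02:25:13] Loading xml... /scratch/userid/devtools/Middleware///idm/server/ssointg/templates/Resources.xml
[2017-12-22 02:25:14] Loading xml... /scratch/userid/devtools/Middleware///idm/server/ssointg/templates/AuthnPolicies.xml
[2017-12-22 02:25:14] Loading xml... /scratch/userid/devtools/Middleware///idm/server/ssointg/templates/AuthzPolicies.xml
[2017-12-22 02:25:14] Getting Application Domains...
[2017-12-22 02:25:14] WebResourceClient::getAppDomainResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/appdomain
[2017-12-22 02:25:15] Authenticating using {oamAdmin:******}
[2017-12-22 02:25:15] Getting Resources from domain 'IAM Suite'
[2017-12-22 02:25:15] WebResourceClient::getResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/resource
[2017-12-22 02:25:16] Getting Authentication Policies from domain 'IAM Suite'
[2017-12-22 02:25:16] Getting Authorization Policies from domain 'IAM Suite'
[2017-12-22 02:25:16] Resources Seeded!!
"""


def parse_log(text):
    """Return [(timestamp, message)] for every well-formed log line."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def check_seeding_log(text):
    """Summarise the run: completion, missing steps, http:// endpoints, leaked secrets."""
    messages = [msg for _, msg in parse_log(text)]

    missing, pos = [], 0
    for marker in EXPECTED_SEQUENCE:
        # Each marker must occur after the previous one, so search from `pos` onward.
        hit = next((i for i in range(pos, len(messages)) if marker in messages[i]), None)
        if hit is None:
            missing.append(marker)
        else:
            pos = hit + 1

    # Policy-admin calls carrying the OAM admin credential over clear-text HTTP.
    http_endpoints = [url for msg in messages for url in re.findall(r"http://\S+", msg)]

    # The script masks the password as '******'; anything else is a leak into the log.
    unmasked = []
    for msg in messages:
        match = AUTH_RE.search(msg)
        if match and match.group(2).strip("*"):
            unmasked.append(match.group(1))

    return {
        "seeded": "Resources Seeded!!" in messages,
        "missing_steps": missing,
        "http_endpoints": http_endpoints,
        "unmasked_credentials": unmasked,
    }


if __name__ == "__main__":
    print(check_seeding_log(SAMPLE_LOG))
```

A run that stops before "Resources Seeded!!" shows up as `seeded: False` with the unreached markers listed under `missing_steps`, which is usually quicker to act on than scanning the full log for the last line written.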
2.5 Troubleshooting Common Problems in Access Manager and OIG Integration
These sections describe common problems you might encounter in an Oracle Identity Governance and Access Manager integrated environment and explain how to solve them.
-
Troubleshooting Single Sign-On Issues in an Access Manager and OIG Integrated Environment
-
Troubleshooting Auto-Login Issues in an Access Manager and OIG Integrated Environment
-
Troubleshooting Miscellaneous Issues in an Access Manager and OIG Integrated Environment
In addition to this section, review the Error Messages for information about the error messages you may encounter.
For information about additional troubleshooting resources, see Using My Oracle Support for Additional Troubleshooting Information.
2.5.1 Troubleshooting Single Sign-On Issues in an Access Manager and OIG Integrated Environment
This section describes common problems and solutions relating to single sign-on in the integrated environment. Using single sign-on, a user can access Oracle Identity Governance resources after being successfully authenticated by Access Manager. When accessing any Oracle Identity Governance resource protected by Access Manager, the user is challenged for their credentials by Access Manager using the Oracle Access Management Console login page.
This section discusses the following single sign-on issues:
2.5.1.1 Diagnosing Single Sign-On Issues By Capturing HTTP Headers
Checking the HTTP headers may provide diagnostic information about login issues. You can collect information from the HTTP headers for troubleshooting by enabling HTTP tracing in the web browser, logging in to Access Manager as a new user, and examining the headers for useful information.
2.5.1.2 Access Manager Redirection to OIG Login Page
After accessing an Oracle Identity Governance resource using OHS (for example, http://OHS_HOST:OHS_PORT/identity), the user is redirected to the Oracle Identity Governance login page instead of the Oracle Access Management Console login page.
Cause
The Access Manager WebGate is not deployed or configured properly.
Solution
Confirm that the httpd.conf file contains the following entry at the end:
include "<ORACLE_WEBTIER_INST_HOME>/config/OHS/ohs1/webgate.conf"
where webgate.conf contains the 11g WebGate configuration.
If this entry is not found, review the 11g WebGate configuration steps to verify none were missed. For more information, see Installing and Configuring Oracle HTTP Server 11g WebGate for OAM in the Installing WebGates for Oracle Access Manager and Configuring Access Manager Settings in the Administering Oracle Access Management.
2.5.1.3 Access Manager Failure to Authenticate User
User login fails with the following error:
An incorrect Username or Password was specified.
Cause
Access Manager is responsible for user authentication but authentication has failed. The identity store configuration may be wrong.
Solution
Check that the identity store is configured correctly in the Oracle Access Management Console.
To resolve this problem:
- Login to Oracle Access Management Console.
- Navigate to Configuration >User Identity Stores > OAMIDStore.
- Verify the Default Store and System Store configuration.
- Click Test Connection to verify the connection.
2.5.1.4 Troubleshooting Oracle Access Management Console Login Operation Errors
User is not directed to the Oracle Access Management Console to login and the following error message appears:
Oracle Access Manager Operation Error.
Cause 1
The OAM Server is not running.
Solution 1
Start the OAM Server.
Cause 2
The WebGate is not correctly deployed on OHS and is not configured correctly for the 11g Agent located on the OAM Server.
An error message displays, for example: The AccessGate is unable to contact any Access Servers.
The issue may be with the SSO Agent.
See Understanding Credential Collection and Login in Administering Oracle Access Management.
Solution 2
To resolve this problem:
2.5.1.5 Troubleshooting Authenticated User Redirection to OIG Login
User authenticated using the Oracle Access Management Console but is redirected to the Oracle Identity Governance login page to enter credentials.
Cause 1
The security providers for the OIG domain are not configured correctly in Oracle WebLogic Server.
Solution 1
Verify the WebLogic security providers are configured correctly for the OIG domain security realm. Check the LDAP Authenticator setting. For more information, see Validating the Oracle Identity Governance Security Provider Configuration.
Cause 2
OAMIDAsserter is not configured correctly in Oracle WebLogic Server.
Solution 2
To resolve this problem:
2.5.1.6 User Redirected to OIG During OIG Forgot Password, Self-Registration, or Track Registration Flows
Access Manager relies upon Oracle Identity Governance for password management. If the user logs in for the first time or if the user password is expired, Access Manager redirects the user to the Oracle Identity Governance First Login page.
From the Access Manager login screen, user should be able to navigate to the Oracle Identity Governance Forgot Password, the Self-Registration or Track Registration flows.
Cause
If any deviation or error occurs when performing these flows, the configuration in oam-config.xml (OAM_DOMAIN_HOME/config/fmwconfig) is incorrect.
Solution
Verify that the contents of oam-config.xml resemble the following example. Specifically, verify that Host and Port correspond to the OHS (or any supported web server) configured to front-end Oracle Identity Governance resources.
<Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="IdentityServiceConfiguration" Type="htf:map">
    <Setting Name="IdentityServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.OracleIdentityServiceProvider</Setting>
    <Setting Name="AnonymousAuthLevel" Type="xsd:integer">0</Setting>
    <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
      <Setting Name="AccountLockedURL" Type="xsd:string">/identity/faces/accountlocked</Setting>
      <Setting Name="ChallengeSetupNotDoneURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="DateFormatPattern" Type="xsd:string">yyyy-MM-dd'T'HH:mm:ss'Z'</Setting>
      <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="PasswordExpiredURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="LockoutAttempts" Type="xsd:integer">5</Setting>
      <Setting Name="LockoutDurationSeconds" Type="xsd:long">31536000</Setting>
    </Setting>
  </Setting>
  <Setting Name="RegistrationServiceConfiguration" Type="htf:map">
    <Setting Name="RegistrationServiceProvider" Type="xsd:string">oracle.security.am.engines.idm.provider.DefaultRegistrationServiceProvider</Setting>
    <Setting Name="RegistrationServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="RegistrationServiceProviderConfiguration" Type="htf:map">
      <Setting Name="ForgotPasswordURL" Type="xsd:string">/identity/faces/forgotpassword</Setting>
      <Setting Name="NewUserRegistrationURL" Type="xsd:string">/identity/faces/register</Setting>
      <Setting Name="RegistrationManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
      <Setting Name="TrackUserRegistrationURL" Type="xsd:string">/identity/faces/trackregistration</Setting>
    </Setting>
  </Setting>
  <Setting Name="ServerConfiguration" Type="htf:map">
    <Setting Name="OIM-SERVER-1" Type="htf:map">
      <Setting Name="Host" Type="xsd:string">myhost1.example.com</Setting>
      <Setting Name="Port" Type="xsd:integer">7777</Setting>
      <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
    </Setting>
  </Setting>
</Setting>
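The point of the check above is that the server named by IdentityManagementServer (and by RegistrationManagementServer) must resolve, under ServerConfiguration, to the host and port of the web server that front-ends OIG. The following is an added example (not from the Oracle documentation) that parses the IdentityManagement section with the standard library and reports any mismatch. It assumes the Setting/Name/Type nesting shown in the snippet; the expected host and port are whatever OHS endpoint front-ends OIG in your environment, and the sample below is an abridged, constructed copy of the snippet.

```python
"""Check the IdentityManagement section of oam-config.xml against the OHS
front end that should serve the OIG password-management pages.

Added example, not from the Oracle documentation. It assumes the
<Setting Name=... Type=...> nesting shown in the snippet above. The
expected host/port are assumptions supplied by the caller; the sample is a
constructed, abridged copy of that snippet.
"""
import xml.etree.ElementTree as ET

SAMPLE_OAM_CONFIG = """\
<Setting Name="IdentityManagement" Type="htf:map">
  <Setting Name="IdentityServiceConfiguration" Type="htf:map">
    <Setting Name="IdentityServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="IdentityServiceProviderConfiguration" Type="htf:map">
      <Setting Name="ForcedPasswordChangeURL" Type="xsd:string">/identity/faces/firstlogin</Setting>
      <Setting Name="IdentityManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
    </Setting>
  </Setting>
  <Setting Name="RegistrationServiceConfiguration" Type="htf:map">
    <Setting Name="RegistrationServiceEnabled" Type="xsd:boolean">true</Setting>
    <Setting Name="RegistrationServiceProviderConfiguration" Type="htf:map">
      <Setting Name="ForgotPasswordURL" Type="xsd:string">/identity/faces/forgotpassword</Setting>
      <Setting Name="RegistrationManagementServer" Type="xsd:string">OIM-SERVER-1</Setting>
    </Setting>
  </Setting>
  <Setting Name="ServerConfiguration" Type="htf:map">
    <Setting Name="OIM-SERVER-1" Type="htf:map">
      <Setting Name="Host" Type="xsd:string">myhost1.example.com</Setting>
      <Setting Name="Port" Type="xsd:integer">7777</Setting>
      <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
    </Setting>
  </Setting>
</Setting>
"""


def child(parent, name):
    """Direct child <Setting> of `parent` whose Name attribute equals `name`, else None."""
    if parent is None:
        return None
    for node in parent.findall("Setting"):
        if node.get("Name") == name:
            return node
    return None


def text(node):
    """Stripped text of a node, or '' when the node is missing or empty."""
    return (node.text or "").strip() if node is not None else ""


def check_identity_management(xml_text, expected_host, expected_port):
    """Return a list of problems; an empty list means the section is consistent."""
    root = ET.fromstring(xml_text)
    problems = []

    idsvc = child(root, "IdentityServiceConfiguration")
    if text(child(idsvc, "IdentityServiceEnabled")).lower() != "true":
        problems.append("IdentityServiceEnabled is not true")
    idm_server = text(child(child(idsvc, "IdentityServiceProviderConfiguration"),
                            "IdentityManagementServer"))
    reg = child(root, "RegistrationServiceConfiguration")
    reg_server = text(child(child(reg, "RegistrationServiceProviderConfiguration"),
                            "RegistrationManagementServer"))
    if not idm_server or idm_server != reg_server:
        problems.append(f"IdentityManagementServer ({idm_server!r}) and "
                        f"RegistrationManagementServer ({reg_server!r}) differ")

    # Both references must resolve to one server entry pointing at the OIG front end.
    server = child(child(root, "ServerConfiguration"), idm_server)
    if server is None:
        problems.append(f"ServerConfiguration has no entry named {idm_server!r}")
        return problems
    host, port = text(child(server, "Host")), text(child(server, "Port"))
    if (host, port) != (expected_host, str(expected_port)):
        problems.append(f"{idm_server} points at {host}:{port}, expected the OIG "
                        f"front end at {expected_host}:{expected_port}")
    if text(child(server, "SecureMode")).lower() != "true":
        problems.append(f"{idm_server} SecureMode is not true: OAM reaches the "
                        "OIG front end over plain HTTP")
    return problems


if __name__ == "__main__":
    for problem in check_identity_management(SAMPLE_OAM_CONFIG, "myhost1.example.com", 7777):
        print(problem)
```

Run against the snippet as printed, the only finding is the SecureMode one; a wrong Host or Port adds a second line naming both the configured and the expected endpoint, which is the mismatch this troubleshooting entry is about.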
2.5.1.7 User Redirection in a Loop
A new user attempts to access Oracle Identity Management Self-Service and after successful authentication, the user is redirected in a loop. The service page does not load and the browser continues spinning or refreshing.
Cause
The OHS configuration setting WLCookieName for front-ending identity is incorrect.
Solution
Check the OHS configuration for front-ending identity and verify that the WLCookieName directive is set to oimjsessionid. If not, set this directive to oimjsessionid for each Oracle Identity Management resource Location entry. For example:
<Location /identity>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost myhost1.example.com
    WebLogicPort 8003
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
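Because the directive has to be present in every OIM Location entry, a missing or differently spelled WLCookieName in just one block is enough to reproduce the loop. The following is an added example (not from the Oracle documentation) that parses the Location blocks of an OHS configuration and lists the WebLogic-proxied ones whose WLCookieName is not oimjsessionid. It treats every block with SetHandler weblogic-handler as an OIM resource, which is an assumption that holds for oim.conf but not necessarily for a shared httpd.conf; the sample configuration is constructed.

```python
"""List OHS <Location> blocks proxied to WebLogic whose WLCookieName is not
the value the OIG front end requires.

Added example, not from the Oracle documentation. It assumes one directive
per line inside <Location ...> ... </Location> blocks, and treats every
weblogic-handler block as an OIM resource (true for oim.conf, an assumption
for a shared httpd.conf). The configuration below is constructed.
"""
import re

LOCATION_OPEN = re.compile(r"<Location\s+(\S+)\s*>", re.IGNORECASE)
LOCATION_CLOSE = re.compile(r"</Location\s*>", re.IGNORECASE)

# Constructed sample: one correct block, one with the directive missing,
# one with the WebLogic default cookie name instead of oimjsessionid.
SAMPLE_OIM_CONF = """\
<Location /identity>
    SetHandler weblogic-handler
    WLCookieName oimjsessionid
    WebLogicHost myhost1.example.com
    WebLogicPort 8003
    WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
</Location>
<Location /sysadmin>
    SetHandler weblogic-handler
    WebLogicHost myhost1.example.com
    WebLogicPort 8003
</Location>
<Location /xlWebApp>
    SetHandler weblogic-handler
    WLCookieName JSESSIONID
    WebLogicHost myhost1.example.com
    WebLogicPort 8003
</Location>
"""


def parse_locations(conf_text):
    """Return {path: {directive: value}} for each <Location> block in the text."""
    locations = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = LOCATION_OPEN.match(line)
        if opened:
            current = opened.group(1)
            locations[current] = {}
            continue
        if LOCATION_CLOSE.match(line):
            current = None
            continue
        if current is not None and line and not line.startswith("#"):
            parts = line.split(None, 1)
            locations[current][parts[0]] = parts[1] if len(parts) > 1 else ""
    return locations


def find_bad_cookie_names(conf_text, expected="oimjsessionid"):
    """Paths of WebLogic-proxied Location blocks whose WLCookieName != expected."""
    bad = []
    for path, directives in parse_locations(conf_text).items():
        if directives.get("SetHandler", "").lower() != "weblogic-handler":
            continue  # not proxied to WebLogic, so the cookie name does not apply
        if directives.get("WLCookieName") != expected:
            bad.append(path)
    return bad


if __name__ == "__main__":
    for path in find_bad_cookie_names(SAMPLE_OIM_CONF):
        print(f"{path}: WLCookieName is not oimjsessionid")
```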
2.5.1.8 Troubleshooting SSO Integration Configuration
Cause
During the Configuring SSO Integration step, the script can fail because of OAM-related issues.
Solution
- Verify that the OAM server is up.
- Ensure that the credentials used for this step are correct.
- Check in the console log whether the error is Error 401--Unauthorized.
- Restart the OAM admin and managed servers.
- Ensure that the ssointg-config.properties file reflects the following:
generateIndividualConfigFiles=false
prepareIDStore=false
configOAM=false
addMissingObjectClasses=false
populateOHSRules=false
configureWLSAuthnProviders=false
configureLDAPConnector=false
configureSSOIntegration=true
enableOAMSessionDeletion=false
updateContainerRules=false
- Run OIGOAMIntegration.sh -configureSSOIntegration.
2.5.2 Troubleshooting Auto-Login Issues in an Access Manager and OIG Integrated Environment
The auto-login feature enables user login to Oracle Identity Governance after the successful completion of the Forgot Password or Forced Change Password flows, without prompting the user to authenticate using the new password.
Communication between Oracle Identity Governance and Access Manager can be configured to use Oracle Access Protocol (OAP) or TAP channels. Debugging auto-login issues is simpler if you determine which channel is being used. Determine the channel by examining the Oracle Identity Governance SSOIntegrationMXBean (version attribute) using the System MBean Browser in Oracle Enterprise Manager Fusion Middleware Control. For more information, see "Using the System MBean Browser" in Administering Oracle Fusion Middleware.
Depending upon the Access Manager version being used, the following applies:
- If the version is 11g, the TAP channel is used during auto-login. See Troubleshooting Oracle Access Protocol (OAP) Issues.
After a password is reset in Oracle Identity Governance and in LDAP through LDAP synchronization, Oracle Identity Governance redirects the user to the Access Manager TAP endpoint URL (SSOIntegrationMXBean: TAPEndpointUrl). Access Manager then auto-logs the user in by redirecting to the requested resource.
Note:
In an 11g R2 Oracle Identity Governance and Access Manager integrated environment, the TAP protocol is configured for auto-login by default.
2.5.2.1 Troubleshooting TAP Protocol Issues
Check the OIG Server and Access Manager Server logs for any of the following error messages:
- 404 Not Found Error. For a possible solution, see 404 Not Found Error.
- System error. Please re-try your action. For a possible solution, see System Error.
2.5.2.1.1 404 Not Found Error
After resetting the password, the user is redirected to a 404 Not Found error page.
Cause
The Access Manager TAP endpoint URL (SSOIntegrationMXBean: TAPEndpointUrl) is configured incorrectly.
Solution
Verify that TAPEndpointUrl is correctly configured in the Oracle Identity Governance SSOIntegrationMXBean and is reachable from the OIG server. For example:
http://OAM_HOST:OAM_PORT/oam/server/dap/cred_submit
or, where Access Manager is front-ended by OHS:
http://OHS_HOST:OHS_PORT/oam/server/dap/cred_submit
2.5.2.1.2 System Error
After resetting the password, the user is redirected to the Access Manager TAPEndpointUrl (configured in the Oracle Identity Governance SSOIntegrationMXBean), and the following error displays in the UI:
System error. Please re-try your action. If you continue to get this error, please contact the Administrator.
Cause 1
A message similar to the following displays in the Access Manager Server logs:
<Sep 19, 2012 4:29:45 PM EST> <Warning> <oracle.oam.engine.authn> <BEA-000000> <DAP Token not received>
<Sep 19, 2012 4:29:45 PM EST> <Error> <oracle.oam.binding> <OAM-00002> <Error occurred while handling the request. java.lang.NullPointerException at oracle.security.am.engines.enginecontroller.token.DAPTokenEncIssuerImpl.issue(DAPTokenEncIssuerImpl.java:87)
Solution 1
This error can be caused by a misconfiguration of TAPResponseOnlyScheme in Access Manager. Verify that oam-config.xml (located at OAM_DOMAIN_HOME/config/fmwconfig) contains the following entry:
<Setting Name="DAPModules" Type="htf:map">
  <Setting Name="7DASE52D" Type="htf:map">
    <Setting Name="MAPPERCLASS" Type="xsd:string">oracle.security.am.engine.authn.internal.executor.DAPAttributeMapper</Setting>
    <Setting Name="MatchLDAPAttribute" Type="xsd:string">uid</Setting>
    <Setting Name="name" Type="xsd:string">DAP</Setting>
  </Setting>
</Setting>
The value of MatchLDAPAttribute must be uid. If it is not, change the value as follows:
- Log in to the Oracle Access Management Console.
- Navigate to TAPResponseOnlyScheme and add the following Challenge Parameter: MatchLDAPAttribute=uid
- Save the changes.
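The following script is an added example, not part of the Oracle documentation: it parses the DAPModules block described above out of an oam-config.xml and reports any DAP module whose MatchLDAPAttribute is not uid, so the check can be scripted across environments instead of eyeballing the file. The XML below is a constructed sample that deliberately carries the wrong value (mail); the <Configuration> wrapper element and the module id 7DASE52D are assumed for the sample only, and the namespace handling is defensive because the real file may or may not declare one.

```python
"""Verify the DAP attribute mapper (TAPResponseOnlyScheme) in an OAM oam-config.xml."""
import xml.etree.ElementTree as ET

# Constructed sample: a DAPModules block whose MatchLDAPAttribute is set wrongly.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="DAPModules" Type="htf:map">
    <Setting Name="7DASE52D" Type="htf:map">
      <Setting Name="MAPPERCLASS" Type="xsd:string">oracle.security.am.engine.authn.internal.executor.DAPAttributeMapper</Setting>
      <Setting Name="MatchLDAPAttribute" Type="xsd:string">mail</Setting>
      <Setting Name="name" Type="xsd:string">DAP</Setting>
    </Setting>
  </Setting>
</Configuration>"""


def _local(tag):
    """Strip an XML namespace prefix ('{ns}Setting' -> 'Setting') so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]


def dap_match_attributes(xml_text):
    """Return {module_id: MatchLDAPAttribute value} for every module under DAPModules.

    A module without a MatchLDAPAttribute setting maps to None."""
    root = ET.fromstring(xml_text)
    found = {}
    for node in root.iter():
        if _local(node.tag) != "Setting" or node.get("Name") != "DAPModules":
            continue
        for module in node:  # each child Setting is one DAP module keyed by its id
            if _local(module.tag) != "Setting":
                continue
            attr = None
            for setting in module:
                if _local(setting.tag) == "Setting" and setting.get("Name") == "MatchLDAPAttribute":
                    attr = (setting.text or "").strip()
            found[module.get("Name")] = attr
    return found


def check_dap_modules(xml_text, expected="uid"):
    """Return (ok, findings): ok is True only when every DAP module maps users by `expected`."""
    findings = []
    modules = dap_match_attributes(xml_text)
    if not modules:
        findings.append("no DAPModules block found; TAPResponseOnlyScheme is not configured")
    for module_id, attr in modules.items():
        if attr != expected:
            findings.append(f"module {module_id}: MatchLDAPAttribute is {attr!r}, expected {expected!r}")
    return (not findings, findings)


if __name__ == "__main__":
    import sys
    # Pass the real OAM_DOMAIN_HOME/config/fmwconfig/oam-config.xml as the first argument;
    # with no argument the constructed sample is checked and reported as misconfigured.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OAM_CONFIG
    ok, findings = check_dap_modules(text)
    print("OK" if ok else "\n".join(findings))
```

Run it against a copy of oam-config.xml rather than the live file; the fix itself is made through the Oracle Access Management Console as described above, not by editing the XML by hand.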
Cause 2
The following error displays in the Access Manager Server logs:
javax.crypto.BadPaddingException: Given final block not properly padded
This can occur if OIM_TAP_PARTNER_KEY is not present in the OIG credential map in the credential store, or if an invalid key is present.
Solution 2
Re-register Oracle Identity Governance as a TAP partner with Access Manager by rerunning the OIGOAMIntegration.sh -configureSSOIntegration option, and then restart the complete OIG domain.
Cause 3
After resetting the password, if auto-login is not successful, the OIG server logs contain the following error:
Error occured while retrieving TAP partner key from Credential store
Solution 3
To resolve the problem:
- Using Fusion Middleware Control, verify that the OIM_TAP_PARTNER_KEY generic credential is present in the OIG credential map in the credential store.
- If OIM_TAP_PARTNER_KEY is present, verify that LDAP synchronization is configured correctly and that the password has actually been reset in the LDAP provider. Check this by issuing an ldapbind command with the user and the new (reset) password.
Cause 4
After resetting the password, if auto-login is not successful, the OIG server logs contain the following error:
Error occured while retrieving DAP token from OAM due to invalid TAP partner key
The OIM_TAP_PARTNER_KEY present in the OIG credential map of the credential store is not valid.
Solution 4
Re-register Oracle Identity Governance as a TAP partner with Access Manager by rerunning the OIGOAMIntegration.sh -configureSSOIntegration option. You must then restart the complete OIG domain.
Cause 5
After resetting the password, if auto-login is not successful, the OIG server logs may show the following error:
Error occurred when decrypting the DAP token
Solution 5
Restart the OAM domain.
2.5.2.2 Troubleshooting Oracle Access Protocol (OAP) Issues
Check the OIG Server logs for any of the following types of error messages.
The resource URL is not protected.
Corrective action:
Verify that the correct host:port combination is configured in the Access Manager host identifier configuration.
- Log in to the Oracle Access Management Console:
  http://oam_adminserver_host:oam_adminserver_port/oamconsole
- In the Oracle Access Management Console, click Application Security at the top of the window.
- In the Application Security Console, click Agents in the Agents section. The Search SSO Agents page opens with the WebGates tab active.
- In the Search SSO Agents page, enter IAMSuiteAgent as the name of the Agent you want to find.
- Click Search to initiate the search.
- Click IAMSuiteAgent in the Search Results table.
- Check the host identifiers for the host:port combination in the identifier. For example: IAMSuiteAgent:/oim
- To find the host:port combination that was actually requested, check the OIG logs for "Setting web resource url". This statement appears above the "Resource not protected URL" statement. In general, the Host Identifier should contain the host:port of the OHS (web server) that is front-ending Oracle Identity Governance.
aaaClient is not initialized.
Corrective action:
Verify that the passwords seeded into the OIG domain credential store are correct. For OPEN mode, check the WebGate password. For SIMPLE mode, check that the SSO keystore password and SSO global passphrase are seeded correctly. For more information, see Validating the Oracle Identity Governance Domain Credential Store.
Failed to communicate with any of configured OAM Server.
Corrective action:
- Verify that the OAM server is up and running.
- Verify that the passwords seeded into the OIG domain credential store are correct.
- For OPEN mode, check the WebGate password.
- For SIMPLE mode, check that the SSO keystore password and SSO global passphrase are also seeded correctly.
See Validating the Oracle Identity Governance Domain Credential Store.
SSOKeystore tampered or password is incorrect.
Corrective action:
- Check that the keystore file ssoKeystore.jks is present in OIM_DOMAIN_HOME/config/fmwconfig.
- If it is present, check that the keystore password is seeded properly into the OIG domain credential store.
See Validating the Oracle Identity Governance Domain Credential Store.
Oracle Identity Governance logs do not have any information about the failure.
Corrective action:
- Enable HTTP header capture and record the headers while running through the First Login and Forgot Password flows. See Diagnosing Single Sign-On Issues By Capturing HTTP Headers.
- In the HTTP headers, look for Set-Cookie: ObSSOCookie after the POST on the First Login or Forgot Password page. Check the domain of the cookie. It must match the domain of the protected resource URL.
- If the cookie domain is different, update CookieDomain in the Oracle Identity Governance SSO configuration using Fusion Middleware Control. See Validating the Oracle Identity Governance SSO Configuration Settings.
- If the cookie domain is correct, check for clock differences between the machines that host the OIG and OAM servers.
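The following is an added example, not part of the Oracle documentation, that automates the cookie-domain check from the procedure above: it takes captured response headers from the POST on the First Login or Forgot Password page, extracts the Set-Cookie: ObSSOCookie header and tests whether its Domain attribute covers the host of the protected resource URL, using the same domain-matching rule a browser applies. The headers, URL and cookie value below are constructed samples with placeholder host names; the mismatch between .sso.example.com and oim.example.com is deliberate so the sample shows a failing check.

```python
"""Check whether the ObSSOCookie domain covers the protected resource host."""
from urllib.parse import urlsplit

# Constructed sample: a header capture of the response to the Forgot Password POST.
CAPTURED_HEADERS = """HTTP/1.1 302 Found
Location: http://oim.example.com:7777/identity/faces/home
Set-Cookie: ObSSOCookie=placeholder-token; domain=.sso.example.com; path=/; HttpOnly
Set-Cookie: JSESSIONID=placeholder; path=/; HttpOnly
Content-Length: 0
"""
PROTECTED_RESOURCE_URL = "http://oim.example.com:7777/identity"  # placeholder host


def parse_set_cookies(raw_headers):
    """Return a list of (cookie_name, {attribute: value}) for every Set-Cookie header."""
    cookies = []
    for line in raw_headers.splitlines():
        header_name, sep, value = line.partition(":")
        if not sep or header_name.strip().lower() != "set-cookie":
            continue
        pieces = [p.strip() for p in value.split(";")]
        cookie_name = pieces[0].split("=", 1)[0].strip()
        attrs = {}
        for piece in pieces[1:]:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
        cookies.append((cookie_name, attrs))
    return cookies


def obssocookie_domain(raw_headers):
    """Return the ObSSOCookie Domain attribute, '' if the cookie is host-only, or None if no cookie was set."""
    for name, attrs in parse_set_cookies(raw_headers):
        if name == "ObSSOCookie":
            return attrs.get("domain", "")
    return None


def domain_covers_host(cookie_domain, host):
    """RFC 6265 domain matching: a leading dot is ignored, and the host must equal the
    cookie domain or be a subdomain of it."""
    domain = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def check_cookie_domain(raw_headers, resource_url):
    """Return (ok, message): ok is True when the browser will send the ObSSOCookie to the resource."""
    host = urlsplit(resource_url).hostname
    domain = obssocookie_domain(raw_headers)
    if domain is None:
        return (False, "no Set-Cookie: ObSSOCookie header after the POST; check OAM and the WebGate first")
    if domain == "":
        return (False, "ObSSOCookie is host-only (no Domain attribute); it is only sent back to the host "
                       "that set it, so set CookieDomain in the OIG SSO configuration if that is not " + host)
    if domain_covers_host(domain, host):
        return (True, f"ObSSOCookie domain {domain} covers {host}")
    return (False, f"ObSSOCookie domain {domain} does not cover {host}; "
                   "update CookieDomain in the OIG SSO configuration")


if __name__ == "__main__":
    ok, message = check_cookie_domain(CAPTURED_HEADERS, PROTECTED_RESOURCE_URL)
    print("OK" if ok else "PROBLEM", "-", message)
```

Paste the captured headers into CAPTURED_HEADERS (or read them from the capture file) and set PROTECTED_RESOURCE_URL to the OIG URL that failed; a False result with a domain mismatch points at the CookieDomain setting, while a missing cookie means the failure is earlier, in OAM or the WebGate.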
2.5.3 Troubleshooting Session Termination Issues
The session termination feature terminates all active user sessions after the user status is modified by an Oracle Identity Governance administrator. The following Oracle Identity Governance operations lead to session termination: user lock, disable, or delete.
To troubleshoot session termination issues:
- Verify that the OAM REST URL http://<OAM_HOST>:<OAM_PORT>/oam/services/rest/access/api/v1/session?userId=<uid> is accessible. Here, OAM_HOST refers to SSOIntegrationMXBean: AccessServerHost and OAM_PORT refers to SSOIntegrationMXBean: OAMServerPort.
- Verify that the OAM administrator (SSOIntegrationMXBean: OAMAdminUser) is authorized to invoke the OAM REST API.
- Verify in oam-config.xml in the OAM domain that UserStore in SessionRuntime points to the IDStore created during integration.
- Verify that /db/ssointg/EventHandlers.xml is present in the Oracle Identity Governance MDS. See Validating the Oracle Identity Governance Event Handlers Configured for SSO.
2.5.4 Troubleshooting Account Self-Locking Issues
Use Case 1
Both the LDAP store and Access Manager lock out the user because of multiple failed login attempts. The user attempts to reset his or her password using the Oracle Identity Governance (OIG) Forgot Password page, but the reset operation fails.
Possible explanation: the user's locked status has not yet propagated to Oracle Identity Governance.
- Check whether the user is locked in Oracle Identity Governance:
  - Log in to the Identity Self Service application as an Oracle Identity Governance administrator.
  - Navigate to the Users section, then search for the user.
  - Check whether the Identity status is locked.
- If the status is not locked, run the LDAP User Create and Update Reconciliation scheduled job, and then confirm that the user status is locked.
Use Case 2
The user account self-locks because of multiple login attempts with invalid credentials. Later, when the user attempts to log in with the correct credentials, he or she is not able to log in. The user expects to log in first and then change the password, but login fails consistently.
Possible explanation: both the LDAP directory and Access Manager may have locked the user account. In this case the user cannot log in to Oracle Identity Governance or to any protected page. The user has to use the Forgot Password flow to reset the password.
Note that if only Access Manager locks out the user, the user can log in to Oracle Identity Governance and change the password immediately.
Use Case 3
The LDAP directory pwdMaxFailure count of three is less than the oblogintrycount value of five. The LDAP directory locks out the user because of multiple login attempts with invalid credentials (in this case, three attempts). Later, when the user tries to log in with the correct credentials on the fourth attempt, the user still cannot log in. The user expects to log in first and then change the password, but login fails consistently.
Possible explanation: the LDAP directory locked out the user, but Access Manager did not. The user cannot log in with the correct password even though the number of failed attempts is still below the oblogintrycount of five, but following the Forgot Password flow works and resets the password.
Note that when the LDAP directory locks out the user there is nothing to reconcile into OIG, because OIG does not reconcile user accounts that are locked in the LDAP store. When the LDAP store locks the user, OIG shows the user as active. Following the Forgot Password flow is the only way to reset the password.
Use Case 4
The LDAP directory pwdMaxFailure count value of seven is greater than the oblogintrycount value of five. Access Manager locks out the user because of multiple login attempts with invalid credentials. Later, when the user tries to log in with the correct credentials, the user is able to log in and is redirected to change the password, but the reset password operation fails.
Possible explanation: the user's locked status has not yet propagated to OIG.
- Check whether the user is locked in OIG:
  - Log in to the Identity Self Service application as an OIG administrator.
  - Navigate to the Users section, then search for the user.
  - Check whether the Identity status is locked.
- If the status is not locked, run the LDAP User Create and Update Reconciliation scheduled job, and then confirm that the user status is locked.
Note that use case one and this use case look similar. In use case one, both the LDAP directory and Access Manager locked the user account, whereas in this use case only Access Manager locks the user. The remedy for both use cases is the same, however.
Use Case 5
The user cannot remember his or her password and tries to reset it using the Forgot Password flow. The user provides the user login and a new password, but answers the challenge questions incorrectly. After three failed attempts, both the LDAP directory and Access Manager lock the user. The user expected to be locked out after five attempts rather than three, because the oblogintrycount value is 5.
Possible explanation: the password reset attempts in the OIG Reset/Forgot Password flow are governed by the OIG system property XL.MaxPasswordResetAttempts, whose default value is 3. Consequently, the user is locked out immediately after three attempts. OIG locks the user natively in the LDAP directory and in Access Manager.
Note that password reset attempts are different from login attempts. Login attempts are governed by Access Manager (oblogintrycount=5) and password reset attempts by OIG (XL.MaxPasswordResetAttempts=3).
Use Case 6
The LDAP directory locks the user because some process repeatedly binds as the user with an incorrect password. Access Manager does not lock out the user. When the user tries to log in with the correct credentials, he or she is not able to log in.
Possible explanation: in this use case the LDAP directory locks the user out, not Access Manager. The user cannot log in with the correct password even though the failed attempts are still below the oblogintrycount of 5, but the user can reset the password by following the Forgot Password flow.
Note that when a user is locked out only by the LDAP directory, the lock-out status is not reconciled into OIG. Consequently, the user still shows as active in OIG even though the user is locked in the LDAP directory.
Use Case 7
For Access Manager and OIG integrated environments prior to 11.1.2.1, the automatic unlocking of users does not work.
Possible explanation: for the automatic unlocking feature to work, additional patches to Oracle Access Manager, OIG and Oracle Virtual Directory are required.
Use Case 8
When the user resets his or her password, the password reset is not immediate:
- The user account self-locks because of multiple login attempts with invalid credentials.
- The user uses the Forgot Password flow to reset the password.
- The user account is still locked, and the user is not able to log in to Oracle Identity Governance.
Possible explanation: the user's locked status has not yet propagated to OIG.
- Check whether the user is locked in OIG:
  - Log in to the Identity Self Service application as an OIG administrator.
  - Navigate to the Users section, and then search for the user.
  - Check whether the Identity status is locked.
- If the status is not locked, run the LDAP User Create and Update Reconciliation scheduled job, and then confirm that the user status is locked.
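The use cases above all follow from a small set of rules, and the following added example (not part of the Oracle documentation) encodes them so you can predict the outcome for your own thresholds before a user reports it: the directory locks after pwdMaxFailure failed binds, Access Manager after oblogintrycount failed logins, only an Access Manager lock (obLockedOn) is reconciled into OIG while a directory-only lock leaves the user Active in OIG, and the Forgot Password flow locks the user in both stores after XL.MaxPasswordResetAttempts wrong challenge answers. It generalizes beyond the quoted values: any thresholds and any attempt count can be supplied. The threshold values in the demo are the ones quoted in the use cases; the remedy strings are a summary of the text, not output of any Oracle product.

```python
"""Predict which store locks an account and what OIG will show, per the OIG/OAM lockout rules."""
from dataclasses import dataclass


@dataclass
class LockOutcome:
    ldap_locked: bool              # directory reached pwdMaxFailure
    oam_locked: bool               # Access Manager reached oblogintrycount
    oig_status_after_recon: str    # what LDAP User Create and Update Reconciliation will set in OIG
    login_possible: bool           # can the user get in with the now-correct password?
    remedy: str


def _outcome(ldap_locked, oam_locked):
    # Only the Access Manager lock (obLockedOn) is reconciled into OIG; a directory-only lock is not.
    oig_status = "Locked" if oam_locked else "Active"
    if ldap_locked and oam_locked:
        # Use cases 1, 2, 5 and 8: only Forgot Password works, and it needs OIG to know about the lock.
        remedy = ("use the Forgot Password flow; if the reset fails, run LDAP User Create and Update "
                  "Reconciliation so OIG shows the user as Locked, then retry")
        login_possible = False
    elif ldap_locked:
        # Use cases 3 and 6: the directory rejects the bind, nothing is reconciled, OIG shows Active.
        remedy = "use the Forgot Password flow; it is the only way to reset the password"
        login_possible = False
    elif oam_locked:
        # Use case 4: login succeeds and the user is redirected to change the password.
        remedy = ("log in and change the password; if the reset fails, run LDAP User Create and Update "
                  "Reconciliation so OIG shows the user as Locked, then retry")
        login_possible = True
    else:
        remedy = "none; the account is not locked"
        login_possible = True
    return LockOutcome(ldap_locked, oam_locked, oig_status, login_possible, remedy)


def after_failed_logins(pwd_max_failure, oblogintrycount, failures):
    """Outcome after `failures` consecutive wrong passwords at the login page.
    A threshold of 0 means that store never locks."""
    ldap_locked = pwd_max_failure > 0 and failures >= pwd_max_failure
    oam_locked = oblogintrycount > 0 and failures >= oblogintrycount
    return _outcome(ldap_locked, oam_locked)


def after_failed_reset_attempts(max_password_reset_attempts, failures):
    """Outcome after `failures` wrong challenge answers in the OIG Forgot Password flow.
    OIG itself locks the user in the directory and in Access Manager, regardless of oblogintrycount."""
    locked = failures >= max_password_reset_attempts
    return _outcome(locked, locked)


if __name__ == "__main__":
    demos = [
        ("use case 3: pwdMaxFailure=3, oblogintrycount=5, 3 failures", after_failed_logins(3, 5, 3)),
        ("use case 4: pwdMaxFailure=7, oblogintrycount=5, 5 failures", after_failed_logins(7, 5, 5)),
        ("use case 5: XL.MaxPasswordResetAttempts=3, 3 wrong answers", after_failed_reset_attempts(3, 3)),
    ]
    for label, outcome in demos:
        print(label)
        print("  ", outcome)
```

The two inputs worth checking in a real environment are the directory's pwdMaxFailure (its password policy) and the OAM oblogintrycount, because whichever is lower decides whether the symptom is "correct password rejected, OIG says Active" or "login works but reset fails".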
2.5.5 Troubleshooting Miscellaneous Issues in an Access Manager and OIG Integrated Environment
This section provides solutions for the following miscellaneous issues:
2.5.5.1 Client Based Oracle Identity Governance Login Failure
For successful client-based login to Oracle Identity Governance:
- The client-based login user must be present in the LDAP provider.
- An LDAP Authenticator must be configured in the OIG domain security realm corresponding to the LDAP provider where the user is present. See Validating the Oracle Identity Governance Security Provider Configuration.
2.5.5.2 Logout 404 Error Occurs After Logging Out of an OIG-Protected Application
If logging out of an Oracle Identity Governance protected application throws a 404 error, verify that the logout configuration is present in jps-config.xml. See Validating the Oracle Identity Governance SSO Logout Configuration.
If needed, fix the JPS configuration by editing the jps-config.xml file located in $DOMAIN_HOME/config/fmwconfig and then restarting all the servers.
To resolve a misconfiguration in jps-config.xml:
2.5.5.3 Old Password Remains Active After Password Reset
In Active Directory environments, old passwords can remain active for up to one hour after a password reset. During this interval, both the old and new password can successfully bind to the Active Directory server. This is the expected behavior.
2.5.5.4 OIG Configuration Failure During Seeding of OIG Policies into Access Manager
As part of running configOIM, Oracle Identity Governance policies are seeded into Access Manager using the Access Management exposed REST endpoint.
An exception while seeding Oracle Identity Governance policies occurs when the user credentials used to access the Access Manager exposed endpoint do not have sufficient privileges to perform the operation.
The solution is as follows:
2.5.6 Troubleshooting Target Account Creation
Container rules are not configured in SSOIntegrationMXBean
Corrective action:
- Execute the addContainerRules operation manually against SSOIntegrationMXBean.
- Or update the appropriate configuration file and run one of the following scripts:
  $ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh -configureLDAPConnector
  $ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh -updateContainerRules
Application Instance is not created
Corrective action:
- Create the Application Instance manually. See Creating Target Application Instance.
- Or update the appropriate configuration file and run the following script:
  $ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh -configureLDAPConnector
LDAP server is not running
Corrective action: Start the LDAP server.
Directory is not seeded
Corrective action: Update the appropriate configuration file and run the following script:
$ORACLE_HOME/idm/server/ssointg/bin/OIGOAMIntegration.sh -prepareIDStore
mds-oim connection pool is unable to allocate another connection
Corrective action:
- From the WebLogic Server Administration Console, navigate to Services > Data Sources > mds-oim > Connection Pool.
- On the Connection Pool page, increase the values of Initial Capacity, Minimum Capacity, and Maximum Capacity.
- Click Save.
- On the Connection Pool page, click the Advanced link at the bottom of the page.
- On the Advanced page, set Inactive Connection Timeout to a non-zero value, for example 10.
- Click Save.
Resetting password in OUD
When the System Administrator manually locks a user in OIG, the attributes obLockedOn and pwdAccountLockedTime are set for the user in OUD. If the System Administrator then resets the user's password, pwdAccountLockedTime is cleared in OUD. This is the default behavior in OUD.
When the pwdAccountLockedTime attribute is cleared, the user status is updated to unlocked after user reconciliation in OIG. However, obLockedOn is still set in OUD, and OAM treats the user as locked.
Corrective action:
Lock (or unlock) the user from OIG rather than resetting the password. This scenario applies only to a password reset for a manually locked user. It does not apply to a password change for a self-locked user, where the user is locked because of failed password attempts.
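To find users already left in the inconsistent state described above, the following added example (not part of the Oracle documentation) scans an LDIF export of user entries for entries that carry obLockedOn but no pwdAccountLockedTime, which OUD reports as unlocked while Access Manager still treats the user as locked. The LDIF below is a constructed sample with placeholder DNs, uids and attribute values; in practice, export the real entries with an ldapsearch that requests both attributes and pass the output file to the script.

```python
"""Find OUD users whose OAM lock flag (obLockedOn) and OUD lock time (pwdAccountLockedTime) disagree."""

# Constructed sample export of three users; asmith is the inconsistent one.
SAMPLE_LDIF = """dn: uid=jdoe,cn=Users,dc=example,dc=com
uid: jdoe
obLockedOn: placeholder-lock-time
pwdAccountLockedTime: 20240101120000Z

dn: uid=asmith,cn=Users,dc=example,dc=com
uid: asmith
obLockedOn: placeholder-lock-time

dn: uid=bwong,cn=Users,dc=example,dc=com
uid: bwong
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased because LDAP attribute names are case-insensitive.
    Folded continuation lines (leading space) are joined; base64 ('::') values are kept
    undecoded, since this check only needs attribute presence."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    entries, current = [], {}
    for line in lines:
        if not line.strip():           # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_lock_mismatches(text):
    """Return the DNs of entries that carry obLockedOn but no pwdAccountLockedTime."""
    mismatched = []
    for entry in parse_ldif(text):
        if "oblockedon" in entry and "pwdaccountlockedtime" not in entry:
            mismatched.append(entry["dn"][0])
    return mismatched


if __name__ == "__main__":
    import sys
    # Pass an LDIF export as the first argument; with no argument the constructed sample is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn in find_lock_mismatches(text):
        print("locked in OAM but not in OUD:", dn)
```

A hit means Access Manager still considers the user locked while OUD does not; for a manually locked user whose password was reset, that is exactly the case above. Resolve it by unlocking (or re-locking) the user from OIG so both attributes are managed together, rather than editing obLockedOn in the directory by hand.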
2.6 Scheduled Jobs for OIG-OAM Integration
OIG offers two sets of scheduled jobs for synchronizing with LDAP: Reconciliation Jobs and SSO Post Enable Jobs.
Reconciliation Jobs
The following reconciliation jobs are provided:
- SSO User Full Reconciliation
- SSO User Incremental Reconciliation
- SSO Group Create and Update Full Reconciliation
- SSO Group Create and Update Incremental Reconciliation
- SSO Group Delete Full Reconciliation
- SSO Group Delete Incremental Reconciliation
- SSO Group Membership Full Reconciliation
- SSO Group Membership Incremental Reconciliation
- SSO Group Hierarchy Sync Full Reconciliation
- SSO Group Hierarchy Sync Incremental Reconciliation
Note:
SSO Group Hierarchy Sync Incremental Reconciliation is supported only for Oracle Internet Directory and Oracle Unified Directory.
Parameter Values for Reconciliation Jobs
Table 2-12 Parameter values for reconciliation jobs
Reconciliation job | Parameter Name | Parameter Value | Description |
---|---|---|---|
SSO User Full Reconciliation |
Resource Object Name |
SSOTarget |
Name of the target resource object against which reconciliation runs must be performed. This corresponds to the target account which has to be reconciled for the user. This value is equal to the target application instance name. |
SSO User Full Reconciliation |
IT Resource Name |
SSOTarget |
Name of the target IT resource instance that the connector must use to reconcile data.This corresponds to the target account which has to be reconciled for the user. This value is equal to the target application instance name. |
SSO User Full Reconciliation |
Object Type |
User |
This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO User Full Reconciliation |
Trusted Resource Object Name |
SSOTrusted-for-SSOTarget |
Name of the trusted resource object against which reconciliation runs must be performed. This corresponds to the target account which has to be reconciled for the user. This value is equal to the trusted application instance name (auto-generated by OIGOAMIntegrationScript.sh). |
SSO User Full Reconciliation |
Trusted IT Resource Name |
SSOTrusted-for-SSOTarget |
Name of the trusted IT resource instance that the connector must use to reconcile data.This corresponds to the target account which has to be reconciled for the user. This value is equal to the trusted application instance name (auto-generated by OIGOAMIntegrationScript.sh). |
SSO User Full Reconciliation |
Scheduled Task Name |
SSO User Full Reconciliation |
This attribute holds the name of the scheduled job. This value is fixed. |
SSO User Full Reconciliation |
Incremental Recon Attribute |
NA |
This attribute should be left empty for SSO User Full Reconciliation job |
SSO User Full Reconciliation |
Latest Token |
NA |
This attribute should be left empty for SSO User Full Reconciliation job |
SSO User Full Reconciliation |
Sync Token |
NA |
This attribute should be left empty for SSO User Full Reconciliation job |
SSO User Full Reconciliation |
Filter |
NA |
Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1') Default value: None See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance documentation for the syntax of this expression. |
SSO User Incremental Reconciliation |
Resource Object Name |
SSOTarget |
Name of the target resource object against which reconciliation runs must be performed. This corresponds to the target account which has to be reconciled for the user. This value is equal to the target application instance name. |
SSO User Incremental Reconciliation |
IT Resource Name |
SSOTarget |
Name of the target IT resource instance that the connector must use to reconcile data.This corresponds to the target account which has to be reconciled for the user. This value is equal to the target application instance name. |
SSO User Incremental Reconciliation |
Object Type |
User |
This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO User Incremental Reconciliation |
Trusted Resource Object Name |
SSOTrusted-for-SSOTarget |
Name of the trusted resource object against which reconciliation runs must be performed. This corresponds to the target account which has to be reconciled for the user. This value is equal to the trusted application instance name (auto-generated by OIGOAMIntegrationScript.sh). |
SSO User Incremental Reconciliation |
Trusted IT Resource Name |
SSOTrusted-for-SSOTarget |
Name of the trusted IT resource instance that the connector must use to reconcile data.This corresponds to the target account which has to be reconciled for the user. This value is equal to the trusted application instance name (auto-generated by OIGOAMIntegrationScript.sh). |
SSO User Incremental Reconciliation |
Scheduled Task Name |
SSO User Full Reconciliation |
This attribute holds the name of the scheduled job. This value is fixed. |
SSO User Incremental Reconciliation |
Incremental Recon Attribute |
Name of the target system attribute that holds the change number at which the last reconciliation run started. The value in this attribute is used during incremental reconciliation to determine the newest or latest record reconciled from the target system. This value is fixed. |
|
SSO User Incremental Reconciliation |
Latest Token |
This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only group whose uSNChanged value is greater than the Latest Token attribute value are reconciled. Default value: None |
|
SSO User Incremental Reconciliation |
Sync Token |
This job parameter is only present if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on rootDSE on the target system. Then, every time sync reconciliation is run, Sync Token is updated. Browse the changelog attribute of the target system to determine a value from the changelog that must be used to resume a reconciliation run. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended are fetched into Oracle Identity Governance. Or, you can also leave this field blank, which causes the entire changelog to be read. This attribute stores values in one of the following formats: If you are using a target system for which the value of the standardChangelog entry in the Configuration lookup definition is set to true, then this attribute stores values in the following format: <Integer>VALUE</Integer> Sample value: <Integer>476</Integer> If you are using a target system (for example, OUD) for which the value of the standardChangelog entry in the Configuration lookup definition is set to false, then this attribute stores values in the following format: <String>VALUE</String> Sample value: <String>dc=example,dc=com:0000013633e514427b6600000013;</String> Default value: None |
|
SSO User Incremental Reconciliation |
Filter |
Default value: None Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1') Default value: None See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance documentation for the syntax of this expression. |
|
SSO Group Create and Update Full Reconciliation |
Resource Object Name |
SSO Group |
Name of the resource object against which reconciliation runs must be performed This value is fixed. |
SSO Group Create and Update Full Reconciliation |
Object Type |
Group |
This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO Group Create and Update Full Reconciliation |
IT Resource Name |
SSO Server |
Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
SSO Group Create and Update Full Reconciliation |
Scheduled Task Name |
SSO Group Create And Update Full Reconciliation |
This attribute holds the name of the scheduled job. This value is fixed. |
SSO Group Create and Update Full Reconciliation |
Filter |
Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1') Default value: None See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance documentation for the syntax of this expression. |
|
SSO Group Create and Update Full Reconciliation |
Organization Name |
Top |
This job parameter is only present if the target directory is Active Directory. OIG Organization to which the reconciled role should be provisioned. This value is fixed. |
SSO Group Create and Update Full Reconciliation |
Organization Type |
Company |
This job parameter is only present if the target directory is Active Directory. Type of therganization to which the reconciled role is being provisioned. This attribute is used only with in connector reconciliation scope and does not have significance in OIG. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation |
Resource Object Name |
SSO Group |
Name of the resource object against which reconciliation runs must be performed This value is fixed. |
SSO Group Create and Update Incremental Reconciliation |
Object Type |
Group |
This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation |
IT Resource Name |
SSO Server |
Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation |
Scheduled Task Name |
SSO Group Create And Update Incremental Reconciliation |
This attribute holds the name of the scheduled job. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation |
Filter |
Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1') Default value: None See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance documentation for the syntax of this expression. |
|
SSO Group Create and Update Incremental Reconciliation |
Sync Token |
This job parameter is only present if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on rootDSE on the target system. Then, every time sync reconciliation is run, Sync Token is updated. Browse the changelog attribute of the target system to determine a value from the changelog that must be used to resume a reconciliation run. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended are fetched into Oracle Identity Governance. Or, you can also leave this field blank, which causes the entire changelog to be read. This attribute stores values in one of the following formats: If you are using a target system for which the value of the standardChangelog entry in the Configuration lookup definition is set to true, then this attribute stores values in the following format: <Integer>VALUE</Integer> Sample value: <Integer>476</Integer> If you are using a target system (for example, OUD) for which the value of the standardChangelog entry in the Configuration lookup definition is set to false, then this attribute stores values in the following format: <String>VALUE</String> Sample value: <String>dc=example,dc=com:0000013633e514427b6600000013;</String> Default value: None |
|
| Scheduled Job | Parameter | Default Value | Description |
| --- | --- | --- | --- |
| SSO Group Create and Update Incremental Reconciliation | Incremental Recon Attribute | uSNChanged | This parameter is present only if the target directory is Active Directory. Name of the target system attribute that holds the change number at which the last reconciliation run started. The value is used during incremental reconciliation to determine the newest record reconciled from the target system. This value is fixed. |
| SSO Group Create and Update Incremental Reconciliation | Latest Token | | Holds the value of the uSNChanged attribute of the domain controller used for reconciliation. Note: The reconciliation engine enters this value automatically; it is recommended that you do not change it. If you specify a value manually, only groups whose uSNChanged value is greater than the Latest Token value are reconciled. Default value: None |
| SSO Group Create and Update Incremental Reconciliation | Organization Name | Top | This parameter is present only if the target directory is Active Directory. OIG organization to which the reconciled role is provisioned. This value is fixed. |
| SSO Group Create and Update Incremental Reconciliation | Organization Type | Company | This parameter is present only if the target directory is Active Directory. Type of the organization to which the reconciled role is provisioned. This attribute is used only within the connector's reconciliation scope and has no significance in OIG. This value is fixed. |
| SSO Group Delete Full Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
| SSO Group Delete Full Reconciliation | Object Type | Group | This parameter holds the type of object you want to reconcile. This value is fixed. |
| SSO Group Delete Full Reconciliation | Resource Object Name | SSO Group | Name of the group resource object against which reconciliation runs must be performed. This value is fixed. |
| SSO Group Delete Full Reconciliation | Scheduled Task Name | SSO Group Delete Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
| SSO Group Delete Full Reconciliation | Delete Recon | yes | This parameter is present only in SSO Group Delete Reconciliation for Active Directory. This value is fixed. |
| SSO Group Delete Full Reconciliation | Organization Name | | This parameter is present only in SSO Group Delete Reconciliation for Active Directory. This value can be left empty. |
| SSO Group Delete Incremental Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
| SSO Group Delete Incremental Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
| SSO Group Delete Incremental Reconciliation | Resource Object Name | SSO Group | Name of the group resource object against which reconciliation runs must be performed. This value is fixed. |
| SSO Group Delete Incremental Reconciliation | Scheduled Task Name | SSO Group Delete Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
| SSO Group Delete Incremental Reconciliation | Sync Token | | This parameter is present only if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can enter the first Sync Token manually: to retrieve it, query cn=changelog on the rootDSE of the target system. Each time sync reconciliation runs, Sync Token is updated. Browse the changelog attribute of the target system to determine the changelog value from which a reconciliation run must resume. From the next reconciliation run onward, only records created or modified since the last run ended are fetched into Oracle Identity Governance. If you leave this field blank, the entire changelog is read. The value is stored in one of two formats. If the standardChangelog entry in the Configuration lookup definition is set to true for your target system, the format is <Integer>VALUE</Integer>, for example <Integer>476</Integer>. If it is set to false (for example, OUD), the format is <String>VALUE</String>, for example <String>dc=example,dc=com:0000013633e514427b6600000013;</String>. Default value: None |
| SSO Group Delete Incremental Reconciliation | Delete Recon | yes | This parameter is present only in SSO Group Delete Reconciliation for Active Directory. This value is fixed. |
| SSO Group Delete Incremental Reconciliation | Organization Name | | This parameter is present only in SSO Group Delete Reconciliation for Active Directory. This value can be left empty. |
| SSO Group Membership Full Reconciliation | Application Name | SSOTarget | Name of the target application from which you reconcile records. |
| SSO Group Membership Full Reconciliation | Object Type | User | This attribute holds the type of object you want to reconcile. This value is fixed. |
| SSO Group Membership Full Reconciliation | IT Resource Name | SSOTarget | Name of the IT resource used by the target application instance from which you reconcile records. |
| SSO Group Membership Full Reconciliation | Scheduled Task Name | SSO Group Membership Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
| SSO Group Membership Full Reconciliation | Filter | <Empty> | Expression for filtering the records that the scheduled job reconciles. Sample value: startsWith('cn','Samrole1'). Default value: None. See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance for the syntax of this expression. |
| SSO Group Membership Incremental Reconciliation | Application Name | SSOTarget | Name of the target application from which you reconcile records. |
| SSO Group Membership Incremental Reconciliation | Resource Object Name | SSO Group | Name of the group resource object against which reconciliation runs must be performed. This value is fixed. |
| SSO Group Membership Incremental Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
| SSO Group Membership Incremental Reconciliation | User IT Resource Name | SSOTarget | Name of the IT resource used by the target application instance from which you reconcile records. This is the same as the target application instance. |
| SSO Group Membership Incremental Reconciliation | User Resource Object Name | SSOTarget | Resource object name corresponding to the target application instance. This is the same as the target application instance. |
| SSO Group Membership Incremental Reconciliation | Scheduled Task Name | SSO Group Membership Incremental Reconciliation | Fixed for this job; not changeable. |
| SSO Group Membership Incremental Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
| SSO Group Membership Incremental Reconciliation | Sync Token | | This parameter is present only if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can enter the first Sync Token manually: to retrieve it, query cn=changelog on the rootDSE of the target system. Each time sync reconciliation runs, Sync Token is updated. Browse the changelog attribute of the target system to determine the changelog value from which a reconciliation run must resume. From the next reconciliation run onward, only records created or modified since the last run ended are fetched into Oracle Identity Governance. If you leave this field blank, the entire changelog is read. The value is stored in one of two formats. If the standardChangelog entry in the Configuration lookup definition is set to true for your target system, the format is <Integer>VALUE</Integer>, for example <Integer>476</Integer>. If it is set to false (for example, OUD), the format is <String>VALUE</String>, for example <String>dc=example,dc=com:0000013633e514427b6600000013;</String>. Default value: None |
| SSO Group Membership Incremental Reconciliation | Incremental Recon Attribute | uSNChanged | This parameter is present only if the target directory is Active Directory. Name of the target system attribute that holds the change number at which the last reconciliation run started. The value is used during incremental reconciliation to determine the newest record reconciled from the target system. This value is fixed. |
| SSO Group Membership Incremental Reconciliation | Latest Token | | Holds the value of the uSNChanged attribute of the domain controller used for reconciliation. Note: The reconciliation engine enters this value automatically; it is recommended that you do not change it. If you specify a value manually, only groups whose uSNChanged value is greater than the Latest Token value are reconciled. Default value: None |
| SSO Group Membership Incremental Reconciliation | Filter | | Expression for filtering the records that the scheduled job reconciles. Sample value: startsWith('cn','Samrole1'). Default value: None. See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance for the syntax of this expression. |
| SSO Group Hierarchy Full Reconciliation | Resource Object Name | SSO Group | Name of the resource object against which reconciliation runs must be performed. This value is fixed. |
| SSO Group Hierarchy Full Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
| SSO Group Hierarchy Full Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
| SSO Group Hierarchy Full Reconciliation | Scheduled Task Name | SSO Group Hierarchy Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
| SSO Group Hierarchy Full Reconciliation | Sync Token | | This value should always be empty for SSO Group Hierarchy Full Reconciliation. |
| SSO Group Hierarchy Incremental Reconciliation | Resource Object Name | SSO Group | Name of the resource object against which reconciliation runs must be performed. This value is fixed. |
| SSO Group Hierarchy Incremental Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
| SSO Group Hierarchy Incremental Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
| SSO Group Hierarchy Incremental Reconciliation | Scheduled Task Name | SSO Group Hierarchy Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
| SSO Group Hierarchy Incremental Reconciliation | Sync Token | | This parameter is present only if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can enter the first Sync Token manually: to retrieve it, query cn=changelog on the rootDSE of the target system. Each time sync reconciliation runs, Sync Token is updated. Browse the changelog attribute of the target system to determine the changelog value from which a reconciliation run must resume. From the next reconciliation run onward, only records created or modified since the last run ended are fetched into Oracle Identity Governance. If you leave this field blank, the entire changelog is read. The value is stored in one of two formats. If the standardChangelog entry in the Configuration lookup definition is set to true for your target system, the format is <Integer>VALUE</Integer>, for example <Integer>476</Integer>. If it is set to false (for example, OUD), the format is <String>VALUE</String>, for example <String>dc=example,dc=com:0000013633e514427b6600000013;</String>. Default value: None |
SSO Post Enable Jobs
OIG offers post enable jobs to seed identities and their relationships from OIG to LDAP.
The post enable jobs are intended for the following deployment scenario: OIG has already been deployed for some time and is now being integrated with OAM and LDAP. In that case, the existing users and roles in OIG, and the relationships between them, must be seeded into LDAP so that LDAP is synchronized with the data in OIG. After the OIG-OAM integration configuration has been performed, run these jobs once to seed the users, roles and their relationships to LDAP.
The following post enable jobs are offered:
- SSO Post Enable Provision Users to LDAP: For each user in OIG, this job creates a user in LDAP and provisions the SSO target application instance to the user.
- SSO Post Enable Provision Roles to LDAP: For each role in OIG, this job creates a role in LDAP and then creates a lookup, an entitlement and a catalog entry for the entitlement.
- SSO Post Enable Provision Role Membership to LDAP: For each role granted to a user, this job grants the entitlement corresponding to the role, which in turn grants the user membership in LDAP.
- SSO Post Enable Provision Role Hierarchy to LDAP: For each role-to-role relation in OIG, this job adds the relationship between the groups in LDAP.
Reconciliation Behavior
User Reconciliation
- InetOrgPerson
- orclIDXPerson
- OblixOrgPerson
- OblixPersonPwdPolicy
- OIMPersonPwdPolicy
For user reconciliation, set the value for the two mandatory attributes: sn and uid.
User Matching rule:
<matchingRule>((UPPER(USR.usr_ldap_guid)=UPPER(RA_SSOTRUSTEDFORSSAEC4C34A.RA_LDAPGUID94FE1B62)) OR (UPPER(USR.usr_login)=UPPER(RA_SSOTRUSTEDFORSSAEC4C34A.RA_USERLOGIN7C7B96D4)))</matchingRule>
Account Matching rule:
<matchingRule>((UPPER(USR.usr_login)=UPPER(RA_SSOTARGE.RA_USERLOGIN7C7B96D4)) OR (UPPER(USR.usr_ldap_guid)=UPPER(RA_SSOTARGE.RA_ORCLGUID)))</matchingRule>
Group Reconciliation
- groupOfUniqueNames, in the case of OID and OUD
- group, in the case of AD
The group reconciliation job requires that group names are unique in OIG. That is, when the job reconciles a create changelog entry for a group named 'Business Administrator' and OIG already has a role named 'Business Administrator', the Business Administrator group is not created again in OIG and the reconciled role is skipped from further processing.
Alternatively, if a group exists in OIG whose GUID matches the group being reconciled from LDAP, the reconciliation engine updates the existing group in OIG.
Group Matching Rule:
<matchingRule>(UD_SSO_GR.UD_SSO_GR_SERVER=RA_SSOGROUP4DF6ECEE.RA_ITRESOURCENAME70C9F928 and UD_SSO_GR.UD_SSO_GR_ORCLGUID=RA_SSOGROUP4DF6ECEE.RA_ORCLGUID)</matchingRule>
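To make the matching rules concrete, here is an added Python example; it is not Oracle's code and not how the engine evaluates the rules (OIG runs them as SQL against its own tables). The dictionary keys, the sample users and roles, and the entry fields are constructed for the example. The user rule mirrors the case-insensitive OR on LDAP GUID or login quoted above, the group rule mirrors the exact match on IT resource name and orclguid, and the create/skip/update decision follows the two paragraphs on unique group names.

```python
"""Evaluate the OIG user and group matching rules on constructed sample data.

Added example, not Oracle's code. Column names appear here as plain dictionary
keys; the real rules run as SQL inside the OIG database.
"""

# Constructed sample of what OIG already holds (not data from a real system).
OIG_USERS = [
    {"usr_key": 1, "usr_login": "jdoe",
     "usr_ldap_guid": "54a78a7f44e41c39e053211cf50a7639"},
    {"usr_key": 2, "usr_login": "asmith", "usr_ldap_guid": None},
]
OIG_ROLES = [
    {"ugp_key": 10, "name": "Business Administrator",
     "it_resource": "SSO Server",
     "orclguid": "5E750AB0341F16D3E053211CF50A866D"},
]


def _ieq(a, b):
    """UPPER(a)=UPPER(b) with SQL NULL semantics: a NULL never equals anything."""
    return a is not None and b is not None and a.upper() == b.upper()


def match_user(entry):
    """User / account matching rule: the reconciled entry matches an OIG user when
    its LDAP GUID OR its login equals the user's, compared case-insensitively.
    Returns the matched usr_key, or None when no user matches (a new user)."""
    for u in OIG_USERS:
        if _ieq(u["usr_ldap_guid"], entry.get("ldap_guid")) or \
           _ieq(u["usr_login"], entry.get("user_login")):
            return u["usr_key"]
    return None


def decide_group_action(entry):
    """Group rule: IT resource name AND orclguid must both match exactly (the rule
    above applies no UPPER) -> the existing role is updated.
    Otherwise, a role with the same name already exists -> the entry is skipped,
    because group names must be unique in OIG. Otherwise -> create."""
    for r in OIG_ROLES:
        if r["it_resource"] == entry["it_resource"] and r["orclguid"] == entry["orclguid"]:
            return ("update", r["ugp_key"])
    if any(r["name"] == entry["name"] for r in OIG_ROLES):
        return ("skip", None)
    return ("create", None)


if __name__ == "__main__":
    print(match_user({"ldap_guid": "54A78A7F44E41C39E053211CF50A7639", "user_login": "x"}))
    print(decide_group_action({"it_resource": "SSO Server", "orclguid": "other",
                               "name": "Business Administrator"}))
```

The second call returns a skip: a group whose GUID is unknown to OIG but whose name collides with an existing role is neither created nor updated, which is the behaviour the text warns about.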
Group Membership Reconciliation
Group membership reconciliation reconciles the current role grants for a user in LDAP. On successful reconciliation, for each role granted to the user, the entitlement corresponding to the role is assigned to the user's SSO account.
Entitlement assignment to the user during reconciliation is executed by a database trigger on the child form table that stores the membership grants for the user's account. In some circumstances the entitlement assignment trigger may not have executed, so the user may not yet hold the entitlement corresponding to the reconciled role grant. In such cases, run the 'Entitlement Assignment' job to assign the entitlements.
Group Hierarchy Reconciliation
The group hierarchy reconciliation job reconciles the current role relations from LDAP.
Reconciliation Job Errors and Remedial Actions
- Group membership reconciliation
- Group hierarchy reconciliation
Group membership reconciliation
Group membership Full reconciliation
- The reconciled user entry is looked up in OIG by its GUID. If no matching user is found, recon event creation for that user entry is skipped and an error message for the skipped entry is added to the job error messages.
- If the user entry is present but one of its parent roles, matched by role DN, does not exist in OIG, then recon event creation for that user entry is skipped and an error message for the skipped entry is added to the job error messages.
If a user entry has no missing parent roles, a recon event is created for it and added to the batch recon service. Once the reconciliation job completes, the error message is set for the Job ID.
Group membership Incremental reconciliation
Group membership incremental reconciliation behaves the same as group membership full reconciliation. In addition to reporting the error message, incremental reconciliation does not update the latest incremental token. This ensures that when the job is re-run (after remedial actions such as running the user or group reconciliation jobs), the user entries that were skipped earlier are assigned a recon event during the next error-free execution.
If you decide to bypass the user entries that encountered errors and run incremental reconciliation from the latest incremental token, check the scheduled job error message in the job UI: the latest token is printed at the end of the error message. See Example for Reconciliation Error due to Missing User or Role.
Group hierarchy reconciliation
Group Hierarchy Full reconciliation
- The reconciled role entry is looked up in OIG by its GUID. If no matching role is found, recon event creation for that role entry is skipped and an error message for the skipped entry is added to the job error messages.
- If the role entry is present but one of its child roles, matched by role DN, does not exist in OIG, then recon event creation for the parent role entry is skipped and an error message for the skipped entry is added to the job error messages.
If there are no missing parent or child roles, a recon event is created for the parent role entry and added to the batch recon service.
Once the reconciliation job completes, the error message is set for the Job ID.
Group Hierarchy Incremental reconciliation
Group hierarchy incremental reconciliation behaves the same as group hierarchy full reconciliation. In addition to reporting the error message when dataErrorDetected is true, incremental reconciliation does not update the latest incremental token. This ensures that when the job is re-run (after remedial actions), the role entries that were skipped earlier are assigned a recon event during the next error-free execution.
If you decide to bypass the role entries that encountered errors and run hierarchy incremental reconciliation from the latest incremental token, check the scheduled job error message in the job UI: the latest token is printed at the end of the error message.
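The skip, error and token behaviour described for the membership and hierarchy incremental jobs, as an added Python model. This is not Oracle's code: the OIG lookups, the changelog entries and the wording of the missing-user message are constructed for the example (the page only shows the role variants of the message), and the real job reads OIG's database through the reconciliation engine. The same structure applies to group hierarchy reconciliation with roles in place of users.

```python
"""Model of how group membership incremental reconciliation skips entries,
records errors and decides whether to advance the incremental token.

Added example, not Oracle's code. OIG contents and changelog entries are
constructed in memory.
"""
from dataclasses import dataclass, field

# Constructed view of what OIG holds (sample data, not from a real system).
OIG_USERS_BY_GUID = {"5376289A3A766EE7E053211CF50A8B24": "jdoe"}
OIG_ROLES_BY_DN = {"cn=Business Administrator,cn=Groups,dc=example,dc=com": 10}


@dataclass
class ReconResult:
    events: list = field(default_factory=list)  # recon events handed to the batch recon service
    errors: list = field(default_factory=list)  # one message per skipped entry, set on the Job ID
    data_error_detected: bool = False
    sync_token: int = 0                         # value written back to the Sync Token parameter
    latest_seen: int = 0                        # highest changelog number read in this run


def run_membership_incremental(entries, current_token):
    """entries: changelog entries, each carrying the user's GUID, the DNs of the
    roles the user is a member of, and the changelog number.
    The token advances only when no entry was skipped, so a re-run after the data
    is fixed picks the skipped entries up again."""
    result = ReconResult(sync_token=current_token, latest_seen=current_token)
    for e in entries:
        result.latest_seen = max(result.latest_seen, e["changelog_number"])
        # 1. The user is looked up by GUID; an unknown user is skipped with an error.
        if e["user_guid"] not in OIG_USERS_BY_GUID:
            # Wording assumed for this example; the page shows only the role messages.
            result.errors.append(
                f"User with GUID {e['user_guid']} does not exist in OIM. "
                "Skipping group membership incremental reconciliation for the user")
            result.data_error_detected = True
            continue
        # 2. Every parent role must exist in OIG with a matching DN; otherwise skip.
        missing = [dn for dn in e["member_of"] if dn not in OIG_ROLES_BY_DN]
        if missing:
            for dn in missing:
                result.errors.append(
                    f"Role with DN {dn} is not found in OIM - Skipping group membership "
                    f"reconciliation for the user with GUID: {e['user_guid']}")
            result.data_error_detected = True
            continue
        # 3. No missing roles: a recon event for this user goes into the batch.
        result.events.append({"user": OIG_USERS_BY_GUID[e["user_guid"]],
                              "role_keys": [OIG_ROLES_BY_DN[dn] for dn in e["member_of"]]})
    # The stored token moves forward only on an error-free run; latest_seen is what
    # the job UI prints at the end of the error message for a deliberate bypass.
    if not result.data_error_detected:
        result.sync_token = result.latest_seen
    return result


if __name__ == "__main__":
    demo = [{"user_guid": "5376289A3A766EE7E053211CF50A8B24",
             "member_of": ["cn=SYSTEM ADMINISTRATORS,cn=Groups,dc=example,dc=com"],
             "changelog_number": 4204}]
    r = run_membership_incremental(demo, 4200)
    print(r.errors, r.sync_token, r.latest_seen)
```

In the demo run the role DN is unknown, so the entry is skipped, the token stays at 4200 and the highest changelog number seen (4204) is the value an operator would copy into Sync Token only if they choose to bypass the skipped entry.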
Example for Reconciliation Error due to Missing User or Role
The scheduled job status is Failed, and the job error message reads as follows.
oracle.iam.connectors.icfcommon.exceptions.OIMException: Role with GUID 54A78A7F44E41C39E053211CF50A7639 does not exist in OIM. Skipping group membership incremental reconciliation for the role Role with GUID 5E750AB0341F16D3E053211CF50A866D does not exist in OIM. Skipping group membership incremental reconciliation for the role Role with GUID 5E750AB0342016D3E053211CF50A866D does not exist in OIM. Skipping group membership incremental reconciliation for the role Role with GUID 5E750AB0346116D3E053211CF50A866D does not exist in OIM. Skipping group membership incremental reconciliation for the role Role with GUID 5E750AB0346216D3E053211CF50A866D does not exist in OIM. Skipping group membership incremental reconciliation for the role Role with DN cn=SYSTEM ADMINISTRATORS,cn=Groups,dc=us,dc=oracle,dc=com is not found in OIM - Skipping group membership reconciliation for the user with GUID: 5376289A3A766EE7E053211CF50A8B24. Latest Token value: <Integer>4204</Integer>
Corrective Actions for Reconciliation Error
- Run the 'SSO Group Create or Update Reconciliation' job to fix the errors above, then re-run the group membership incremental reconciliation job. Similarly, run the 'SSO User Reconciliation' job if the error message reports a user that does not exist in OIG.
- Alternatively, if you prefer to ignore the errors for these roles and proceed with incremental reconciliation in future runs, set the Sync Token job parameter to the latest token value listed in the error message. For the sample message above, the Sync Token job parameter value would be: <Integer>4204</Integer>
- In the case of group membership full reconciliation or group hierarchy full reconciliation, if any reconciled user or group does not exist in OIG, the job reports a Failed status for the missing user or group in every subsequent run.
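Triage of such a job error message, as an added Python example that is not Oracle's code. It pulls the missing role GUIDs and DNs, the affected user GUIDs and the latest token out of the message text so an operator can pick between the corrective actions above, and it wraps a raw changelog value in the format the Sync Token job parameter expects for the two standardChangelog settings described in the job parameter table. The sample message is the one shown above, embedded as constructed input; the wording assumed for a missing-user message is an assumption, since the page shows only the role variants.

```python
"""Parse an OIG reconciliation job error message and prepare Sync Token values.

Added example, not Oracle's code. SAMPLE_MESSAGE is the message quoted on the
page, embedded here as test input.
"""
import re

SAMPLE_MESSAGE = (
    "oracle.iam.connectors.icfcommon.exceptions.OIMException: "
    "Role with GUID 54A78A7F44E41C39E053211CF50A7639 does not exist in OIM. "
    "Skipping group membership incremental reconciliation for the role "
    "Role with GUID 5E750AB0341F16D3E053211CF50A866D does not exist in OIM. "
    "Skipping group membership incremental reconciliation for the role "
    "Role with GUID 5E750AB0342016D3E053211CF50A866D does not exist in OIM. "
    "Skipping group membership incremental reconciliation for the role "
    "Role with GUID 5E750AB0346116D3E053211CF50A866D does not exist in OIM. "
    "Skipping group membership incremental reconciliation for the role "
    "Role with GUID 5E750AB0346216D3E053211CF50A866D does not exist in OIM. "
    "Skipping group membership incremental reconciliation for the role "
    "Role with DN cn=SYSTEM ADMINISTRATORS,cn=Groups,dc=us,dc=oracle,dc=com is not found in OIM "
    "- Skipping group membership reconciliation for the user with GUID: "
    "5376289A3A766EE7E053211CF50A8B24. Latest Token value: <Integer>4204</Integer>"
)

MISSING_ROLE_GUID = re.compile(r"Role with GUID ([0-9A-F]+) does not exist in OIM")
MISSING_ROLE_DN = re.compile(
    r"Role with DN (.+?) is not found in OIM - Skipping group membership "
    r"reconciliation for the user with GUID: ([0-9A-F]+)")
# Wording assumed for a missing user; the page shows only the role messages.
MISSING_USER_GUID = re.compile(r"User with GUID ([0-9A-F]+) does not exist in OIM")
# The token keeps whichever wrapper the job used: <Integer>...</Integer> or <String>...</String>.
LATEST_TOKEN = re.compile(r"Latest Token value: (<(Integer|String)>.*?</\2>)")


def triage(message):
    """Return the missing objects, the jobs to run first, and the token for a bypass."""
    role_guids = MISSING_ROLE_GUID.findall(message)
    dn_hits = MISSING_ROLE_DN.findall(message)          # list of (dn, user_guid)
    user_guids = MISSING_USER_GUID.findall(message)
    token = LATEST_TOKEN.search(message)
    run_first = []
    if role_guids or dn_hits:
        run_first.append("SSO Group Create or Update Reconciliation")
    if user_guids:
        run_first.append("SSO User Reconciliation")
    return {
        "missing_role_guids": role_guids,
        "missing_role_dns": [dn for dn, _ in dn_hits],
        "missing_user_guids": user_guids,
        "affected_user_guids": sorted({g for _, g in dn_hits} | set(user_guids)),
        "run_first": run_first,
        "bypass_sync_token": token.group(1) if token else None,
    }


def sync_token_value(raw, standard_changelog):
    """Wrap a raw changelog value as the Sync Token parameter stores it:
    <Integer>N</Integer> when standardChangelog is true (int() rejects a
    non-numeric value early), <String>...</String> when it is false (for example OUD)."""
    if standard_changelog:
        return f"<Integer>{int(raw)}</Integer>"
    return f"<String>{raw}</String>"


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
    print(sync_token_value("dc=example,dc=com:0000013633e514427b6600000013;", False))
```

Setting bypass_sync_token as the job's Sync Token is the second corrective action above; the skipped roles stay unreconciled until the group reconciliation job is run, so the run_first list is the safer path.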
Ensuring Identity Tables Data Synchronization With Child Form Tables
During group membership reconciliation and group hierarchy reconciliation, the reconciliation engine updates the child form table corresponding to each recon event in the reconciliation batch. When the reconciliation engine triggers post-process orchestration for each batch, the post-process handlers fetch the child form entry corresponding to each recon event in the batch and update OIG's identity relation tables.
The following jobs synchronize the identity tables with the child form tables:
- Sync Group Membership with SSO Form Table: For each user in the parent form, this job synchronizes membership child form data with the USG table. The job accepts a 'Group Membership Child Form Table' name as an input parameter, which has a default value. If the membership child form table name differs in your deployment, set this parameter accordingly.
- Sync Group Hierarchy with SSO Form Table: For each role in the parent form, this job synchronizes role relationship data with the GPG table. The child form table name for role relationships is fixed for a deployment, so this job does not take a child form table name as input.
2.7 Known Limitations and Workarounds in OIG-OAM Integration
For Oracle Identity Governance Integration Issues and Workarounds, see Integration Issues and Workarounds in Release Notes for Oracle Identity Management.