OAM – OIF integration : Login Fails when value for attribute cn is different than uid in LDAP Store

I recently integrated OAM with OIF where OAM is configured as OIF SP Integration Module. In this integration OAM resource is protected by authentication scheme OIFScheme and OAM’s authentication is delegated to OIF. More on Federation basics here

  • A user can have multiple attributes defined, such as firstname, lastname, cn, uid, mail.

OIF by default sends the attribute (uid, cn or email) defined as the User Name Attribute on the OIF OSSO SP Integration Module screen to OAM. In my case this is set to uid.

My OIF-OAM integration works fine for users whose value for attribute cn is the same as their value for attribute uid. The integration fails (error below) for users whose cn value is different from the value stored in attribute uid.
The errors appear in the OAM Server diagnostic logs at $DOMAIN_HOME/servers/<oam_server1>/logs/:

_____

<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20086> <Locate user via a specific attribute failed for attr cn and value oidiuseruid>
<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.engine.authn> <OAMSSA-12126> <Cannot assert the username from DAP token.>
<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20086> <Locate user via a specific attribute failed for attr cn and value oiduseruid>
<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.engine.authn> <OAMSSA-12126> <Cannot assert the username from DAP token.>
<Mar 3, 2012 12:07:35 PM BST> <Error> <oracle.oam.user.identity.provider> <OAMSSA-20086> <Locate user via a specific attribute failed for attr cn and value oiduseruid>

____

For this user the value of attribute uid is oiduseruid and the value of attribute cn is oidusercn.

Root Cause : OIF is sending the value (oiduseruid) stored in attribute uid (because of the User Name Attribute set in the OIF OSSO SP Integration Module), whereas OAM is trying to match it against the value (oidusercn) stored in attribute cn.

Bug: OAM hard-codes the attribute to match against in the configuration file $DOMAIN_HOME/config/fmwconfig/oam-config.xml

____
<Setting Name="DAPModules" Type="htf:map">
<Setting Name="7DASE52D" Type="htf:map">
<Setting Name="name" Type="xsd:string">DAP</Setting>
<Setting Name="MatchLDAPAttribute" Type="xsd:string">cn</Setting>
******
</Setting>
____

Fix : Shut down the WebLogic Admin Server and the Managed Server where the OAM server is deployed. Update the value of setting MatchLDAPAttribute under DAPModules from cn to uid (the same attribute defined in the OIF OSSO Integration Module).
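To make the root cause concrete, here is an added Python example (not code from the post, from Oracle, or from any OAM component) that reads MatchLDAPAttribute out of an oam-config.xml fragment and simulates OAM's lookup of the username OIF asserts. The XML excerpt is constructed from the fragment quoted above, the surrounding structure of the real file is an assumption, and the directory entries are constructed test data modelled on the user in the post. The same check can be pointed at a real oam-config.xml to confirm that the OAM match attribute agrees with the OIF User Name Attribute before users start failing.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on the oam-config.xml fragment in the post.
# The module id "7DASE52D" and the attribute names come from the post; the
# surrounding structure is an assumption for this example.
OAM_CONFIG_XML = """<Setting Name="DAPModules" Type="htf:map">
  <Setting Name="7DASE52D" Type="htf:map">
    <Setting Name="name" Type="xsd:string">DAP</Setting>
    <Setting Name="MatchLDAPAttribute" Type="xsd:string">cn</Setting>
  </Setting>
</Setting>
"""

# Constructed LDAP entries: the first reproduces the failing user from the
# post (uid and cn differ); the second has cn equal to uid and logs in fine.
DIRECTORY = [
    {"dn": "cn=oidusercn,cn=Users,dc=example,dc=com",
     "uid": "oiduseruid", "cn": "oidusercn", "mail": "oiduser@example.com"},
    {"dn": "cn=jdoe,cn=Users,dc=example,dc=com",
     "uid": "jdoe", "cn": "jdoe", "mail": "jdoe@example.com"},
]


def match_ldap_attribute(config_xml):
    """Return the MatchLDAPAttribute configured under DAPModules, or None."""
    root = ET.fromstring(config_xml)
    for setting in root.iter("Setting"):          # root.iter includes root itself
        if setting.get("Name") == "DAPModules":
            for module in setting.findall("Setting"):
                attr = module.find("Setting[@Name='MatchLDAPAttribute']")
                if attr is not None and attr.text:
                    return attr.text.strip()
    return None


def config_mismatch(config_xml, oif_username_attribute):
    """True when OAM matches on a different attribute than OIF sends."""
    return match_ldap_attribute(config_xml) != oif_username_attribute


def locate_user(directory, match_attr, asserted_value):
    """Mimic OAM's lookup: exactly one entry whose match_attr equals the asserted value."""
    hits = [e for e in directory if e.get(match_attr) == asserted_value]
    return hits[0]["dn"] if len(hits) == 1 else None


def check_federation_login(config_xml, oif_username_attribute, directory, user):
    """Simulate one login: OIF asserts user[oif_username_attribute], OAM looks
    it up by MatchLDAPAttribute. Returns (success, detail)."""
    oam_attr = match_ldap_attribute(config_xml)
    asserted = user[oif_username_attribute]
    dn = locate_user(directory, oam_attr, asserted)
    if dn is None:
        return False, (f"locate user failed for attr {oam_attr} and value {asserted}: "
                       f"OIF sends {oif_username_attribute}, OAM matches on {oam_attr}")
    return True, dn


def fixed_config(config_xml, new_attr):
    """Apply the post's fix to the fragment: rewrite MatchLDAPAttribute."""
    root = ET.fromstring(config_xml)
    for setting in root.iter("Setting"):
        if setting.get("Name") == "MatchLDAPAttribute":
            setting.text = new_attr
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    oif_attr = "uid"   # User Name Attribute on the OIF OSSO SP Integration Module
    print("config mismatch:", config_mismatch(OAM_CONFIG_XML, oif_attr))
    for user in DIRECTORY:
        print(user["uid"], check_federation_login(OAM_CONFIG_XML, oif_attr, DIRECTORY, user))
    repaired = fixed_config(OAM_CONFIG_XML, oif_attr)
    for user in DIRECTORY:
        print(user["uid"], check_federation_login(repaired, oif_attr, DIRECTORY, user))
```

Run as-is, the user whose cn equals uid logs in while the post's user fails with a message shaped like OAMSSA-20086; after MatchLDAPAttribute is rewritten to uid both succeed, and config_mismatch returns False.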

If you are hitting any OIF integration issue or are confused about OIF integration with Facebook, Google, or OpenID, post your doubt/issue in the comments section.


About the Author Masroof Ahmad
