30 comments
[…] this article, I will explain the case 1 and the other article explains case […]
Hello.
I have a question: how do I configure an external site login, such as the login page of a portal?
Thanks
Wilparra,
If I understood correctly, you want to have the login page at a remote location for your portal?
If so, this post would answer that question.
mahendra.
Hi Mahendra,
Do we need to provide the complete url like
http://apachesvr_hostname:80/login.html
in the Challenge Redirect parameter?
Thanks
Joe
Thanks for your responses.
I configured my external login page, and I configured the form settings to point to OAM, but OAM does not authenticate.
I configured it with the normal mechanism.
Joe,
The Challenge Redirect parameter has to be created to specify where the form login resides. Hence, the value is required to be specified like this: http://form_page_hostname:port
Mahendra
wilparra,
Please elaborate on what you mean by the normal mechanism.
When you have protected an application using the Form login scheme, is it showing the login page when you access the URL?
If not, please configure it properly.
What is the exact behavior you are seeing?
Mahendra
Hello:
I configured the Form Login Scheme, and I placed the login page in the web server (the same one as the WebGate). I do not speak English, so I will explain in Spanish.
Excuse me (…)
________
There was a requirement that the login page be controlled by a WebCenter on WebLogic. I tried the configuration for sending credentials via the POST method in the way suggested for the webgates, to the correct URL, which I configured in the form's action, but when trying to log in on this page it was not possible to obtain an effective authentication. The form-based authentication configuration and the redirect page on Oracle Access Manager work correctly; what does not work is passing the credentials from the custom page. The configuration I finally left in place was form-based, but with a page hosted on the same web server on which I configured the WebGate and the reverse proxies.
Mahendra,
When I provide Challenge Redirect parameter in the format http://form_page_hostname:port, the login page is not rendered. I can confirm that the request is being redirected to the webserver hosting the login page as I can see the entries in the access logs in the web server. But it goes into a loop causing the log file to grow indefinitely. Not sure what’s happening. Please advise.
Thanks
Bino
Without the Challenge Redirect parameter, the login page on a separate server works just fine.
Joe,
If you are using OAM above 10.1.4.0.1, then you will need to protect the form action. The behavior of the form page looping seems to be a known issue. Please let me know the OAM version you are using. Please be cautious with the order of plugins configured in the Form authentication scheme: Credential_mapping should be first and validate_password should be next.
Hi Mahendra,
OAM version is 10.1.4.3
I tried changing the order of plugins but the looping issue remains. Could you tell more on protecting form action? What authentication scheme do we need to use for the same?
Regards
Joe
Mahendra, to add – the form action “/dummy” has already been protected using anonymous authentication rules. Any other configuration that I have left out?
Regards
Joe
Joe,
Do you have the form page residing on a different machine from the OAM Access Server? The form action URL should be protected using the Anonymous scheme. Please check whether this policy domain is enabled or not.
The WebServer on which the form login page is residing should have webgate installed.
-Mahendra.
Hi Mahendra,
Yes, the form page is residing on a different machine from the OAM Access Server (is this a problem?) and the WebGate has been installed on that machine.
Form action URL has been protected using Anonymous scheme and the policy is enabled.
Regards
Joe
Joe,
Please check if there is a time difference between those two machines. This could be the cause of the behavior you are seeing. What do the Access Server & WebGate logs say? You can also use the IE HTTP Headers tool to verify whether the ObSSOCookie is getting created and then set to loggedoutcontinue again. If you see this behavior in IE HTTP Headers, then it could be due to the time difference.
Mahendra.
Mahendra,
I have checked – there is no time difference between the two machines.
Yes, the ObSSOCookie is created and set to loggedoutcontinue.
As before, Mozilla says the request cannot be completed due to Redirect Loop.
regards
Joe
Hi,
We have a separate web application that should be integrated with IDM for SSO. The IDM team has an OID where the users and roles for our web application URL are configured in the policy admin. Our web application has a Tomcat web server that is integrated with Tomcat. A user already logs in to the portal. When he hits our webapp URL, the username is passed in the URL and the ObSSOCookie is set. We have to validate this ObSSOCookie to authenticate the user. How can we route the user to our webapp defined in our web.xml? Please explain the flow.
Hi Mahendra,
When we access the protected URL (http://localhost:port/testapplication) in the browser, it is redirecting to http://localhost:port/login.html. Can we hide the URL redirecting to login.html in the browser? People are adding http://localhost:port/login.html to their favourites, and next time they access the saved URL instead of the protected URL, resulting in it stopping at dummy.
Madhu,
I feel this is something at the browser level. Even if we proxy Login.html to a protected resource in the HTTP Server, it is not the right approach. I understand your scenario, but I cannot find a way to hide it. The only solution is to educate people not to add the login page as a favorite.
Hope this helps.
Thanks,
Mahendra
I found that you can test the login (i.e., verify the credentials) and bypass the login form by entering the protected URL with the login and password in the query string in the browser address bar.
http://server/protected/page.html?login=jsmith&password=MyPwd
How can I bypass that? I don't want it to be accessed using the credentials, as it will breach the secure identity of the user. Is there a way I can avoid this? I remember a setting you could do in the authentication scheme challenge parameter to use domain:MyDomain instead of creds:username password, but will it affect the login? Please help!
Thanks,
To be precise, I want to prevent the protected URL from being accessed using query string parameters. Can I mention the query string parameters directly in the policy console, and will it stop the use of those parameters in the URL? Why do we mention query string parameters in that policy configuration form anyway?
Thanks for the inputs.
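As an added example that is not from the thread or from OAM itself, here is a small Python check over web server access logs covering two symptoms raised above: the redirect loop between a protected resource and the login page (Bino's and Joe's comments), and credentials arriving in the query string of a protected URL (the comment just above). The log format, client addresses, paths and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/OHS combined-log style (invented hosts, clients, times).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /protected/page.html HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /login.html HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /protected/page.html HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /login.html HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /protected/page.html HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /login.html HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2020:10:05:00 +0000] "GET /protected/page.html?login=jsmith&password=MyPwd HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:05:30 +0000] "GET /login.html HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2020:10:05:31 +0000] "POST /dummy HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2020:10:05:31 +0000] "GET /protected/page.html HTTP/1.1" 200 512
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')  # client, method, path, status
CRED_PARAMS = {"login", "password", "userid", "passwd"}  # query parameter names to flag

def parse(log):
    """Yield (client, method, path, status); lines that do not match the format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def credential_leaks(log):
    """(client, path) pairs whose query string carries a credential-like parameter.
    Only the path is reported, so the finding itself never repeats the secret value."""
    hits = []
    for client, _method, path, _status in parse(log):
        url = urlsplit(path)
        if CRED_PARAMS & {k.lower() for k in parse_qs(url.query)}:
            hits.append((client, url.path))
    return hits

def redirect_loops(log, login_path="/login.html", threshold=3):
    """Clients bounced to the login page `threshold` or more times with no 2xx response
    in between: the growing-access-log symptom described in the thread."""
    streak = defaultdict(int)
    looping = set()
    for client, _method, path, status in parse(log):
        if 200 <= status < 300:
            streak[client] = 0  # a real page was served, so the chain of redirects ended
        elif status in (301, 302, 303, 307) and urlsplit(path).path == login_path:
            streak[client] += 1
            if streak[client] >= threshold:
                looping.add(client)
    return sorted(looping)
```

Run both checks over a real access log file read into a string; a non-empty result from either is worth raising with the team that owns the WebGate and policy configuration.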
Hi Mahendra,
I have configured OAM and OIM set up as part of the SSO configuration. I am struggling with form-based authentication.
As part of form-based authentication, I performed the following activities:
1. I have built a small Struts application with login.jsp, success.jsp and error.jsp
2. Configured login.jsp at the authentication scheme with the challenge URL, and
3. Expecting to authenticate the username & password with OID.
4. Once it is successful it should redirect to successful.jsp, else redirect to error.jsp; all of these are configured at the authentication scheme.
5. Registered this authentication module with Application domains -> Authorization policies.
ISSUE: Currently it is not authenticating with the username and password. In the case of valid or invalid credentials it is redirecting to success.jsp.
As part of response I am not getting SSO cookies.
Only “OAMAuthnCookie” and I am expecting ‘OAM_ID’.
Please REPLY
============================================
Please see the HTTP headers below for more details
Header = Accept & Value =image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Header = Accept-Language & Value =en-us
Header = User-Agent & Value =Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Header = Content-Type & Value =application/x-www-form-urlencoded
Header = Accept-Encoding & Value =gzip, deflate
Header = Host & Value =172.00.000.000:7021
Header = Content-Length & Value =49
Header = Connection & Value =Keep-Alive
Header = Cache-Control & Value =no-cache
Header = Cookie & Value =http%3A%2F%2F172.00.000.000%3A7001%2Fsuite%2Fmasterapp%2Ftheme=%7B%22state%22%3A%7B%22id%22%3A%22s%3Aappian%22%2C%20%22file%22%3A%22s%3Ahttp%3A%2F%2F172.00.000.000%3A7001%2Fsuite%2Fmasterapp%2F..%2FappBuilder%2Fcss%2Fgxt-appian.css%22%7D%7D; OAMAuthnCookie_172.00.000.000:7777=loggedoutcontinue; OAMRequestContext_172.00.000.000:7777_337754=3wTHDPLdoDlp9+xCt+guSw==; JSESSIONID=GtXTP2CLh18s7f2LXPQpTlJ7Xx6kTNhpDWGJvppkMQyHTjYJDPhC!1941440109
Hello Mahendra,
I have DCC configured in http://localhost:7777 (an OHS Server is running there). I created a sample HTML page and placed it in the htdocs of the OHS server. Could you please explain how to configure the authentication scheme?
Venkat,
You would need to define a host identifier in the OAM console. I presume the WebGate is already installed and working.
Create a policy domain with resource as / and assign form based auth scheme to test it.
Hi,
How do I bypass SSO at the Apache level while using the OAM WebGate plugin?
Hi,
How do I bypass SSO at the Apache level while using the OAM WebGate plugin? Please help.
Hi,
We have configured SSO for one of the Nagios Apache applications. This application provides runtime monitoring information for the servers. Below are the steps that we followed:
1) Installed the Apache WebGate on the Apache server
2) There is an existing OAM setup integrated with OID for user storage.
3) Created the SSO WebGate on the OAM server to connect to Apache
4) Accessed the Apache application with the Apache host and port number with the context root as below.
http://apachehost:80/apace
This is redirecting to the OAM login pages.
Entered the user ID and password, which are stored in OID, and successfully logged in to the Apache application.
Issue: After getting past the login page, the user is not able to see the monitoring information on the page.
Can anyone suggest whether anything needs to be modified in the Apache configuration for the user to get the runtime information?