OIDDAS console looping while logging in

We had been trying to sort out an OIDDAS console login issue for a long time and were tired of troubleshooting, as we could not find the root cause. However, we could see the messages below being generated continuously in the OC4J logs.

<diagnostic>
sessionId=c0a80b2e30d56d2985ead25746d7955fcbb30f13c0a0
sourcePageName=oiddashome
sourcePageEventName=ssologin
destinationPageName=OSSO_4LOGIN
stamp=1301412378117
duration=0
</diagnostic>
11/03/29 20:56:18 [info] diagnostic record for the current request:
<diagnostic>
sessionId=c0a80b2e30d56d2985ead25746d7955fcbb30f13c0a0
sourcePageName=oiddashome
sourcePageEventName=ssologin
destinationPageName=OSSO_4LOGIN
stamp=1301412378633
duration=1
</diagnostic>

Did this log message give any clue about the error? Certainly NO!!!!

But the errors below were logged in the ssoServer.log file.

Tue Mar 29 20:56:12 IST 2011 [DEBUG] AJPRequestHandler-ApplicationServerThread-9 AuthUtil: Constructiong SSO cookie for partner app authentication
Tue Mar 29 20:56:12 IST 2011 [DEBUG] AJPRequestHandler-ApplicationServerThread-9 AuthUtil:  SSO Cookie received: null
Tue Mar 29 20:56:12 IST 2011 [INFO] AJPRequestHandler-ApplicationServerThread-9 AuthUtil: :parseSSOCookie  Null SSO cookie received
Tue Mar 29 20:56:12 IST 2011 [DEBUG] AJPRequestHandler-ApplicationServerThread-9 AuthUtil:  SSO cookie not found or not able to parse: oracle.security.sso.server.auth.InsufficientCredException: Null SSO cookie received
Tue Mar 29 20:56:12 IST 2011 [DEBUG] AJPRequestHandler-ApplicationServerThread-9 constructCookie site time: 20110329205612
Tue Mar 29 20:56:12 IST 2011 [DEBUG] AJPRequestHandler-ApplicationServerThread-9 Clear SSO cookie: iesuutlupy~20110329205612~192.168.59.5~ORCLADMIN~cn=orcladmin,cn=users, dc=nic,dc=co,dc=in~85733C3C36AD2035E040A8C02E0B3090~1~DEFAULT COMPANY~dc=nic,dc=co,dc=in~85733C3C35FE2035E040A8C02E0B3090~00~00~40~E17CEC7A~0.333
Tue Mar 29 20:56:12 IST 2011 [DEBUG] AJPRequestHandler-ApplicationServerThread-9 CryptoUtil: ssoCreateToken: Null key received. Using SSO server key.
Tue Mar 29 20:56:12 IST 2011 [DEBUG] AJPRequestHandler-ApplicationServerThread-9 CryptoUtil: ssoCreateToken: Null token type received. Using SSO_TOKEN_TYPE: 4D .
Tue Mar 29 20:56:12 IST 2011 [DEBUG] AJPRequestHandler-ApplicationServerThread-9 CryptoUtil: ssoCreateIntegrityToken: Secret Key valid.
Tue Mar 29 20:56:12 IST 2011 [DEBUG] AJPRequestHandler-ApplicationServerThread-9 CryptoUtil: ssoCreateIntegrityToken:

It looks a bit complex, doesn't it? But the solution was much simpler than we thought it would be. The OssoSecureCookies parameter in mod_osso.conf was set to On. I remember pretty well that it was set to Off when the environment was set up, and I am unsure how it got modified by itself.

mod_osso.conf is located in $ORACLE_HOME/Apache/Apache/conf.

The content related to this parameter in the mod_osso.conf file is shown below:

<IfModule mod_osso.c>
OssoIpCheck off
OssoIdleTimeout off
OssoSecureCookies on
OssoConfigFile osso/osso.conf
<Location /j2ee/webapp>
require valid-user
AuthType Basic
</Location>
</IfModule>

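Removing the line OssoSecureCookies on (alternatively, you can set it to off) and bouncing the HTTP_Server process did the job!!

Let us talk about the importance of the OssoSecureCookies parameter: this directive sets the Secure flag on all cookies created by mod_osso, which tells the browser to transmit those cookies only on connections secured by HTTPS. On a site served over plain HTTP the browser therefore never sends them back, so mod_osso sees no session on the next request and sends the user to the SSO login again, which is the loop. With the directive off, the mod_osso cookies travel unencrypted, so off is the right value only where the site has no HTTPS; where HTTPS is in use, leave it on.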

NOTE: We are not using SSL in our environment. OSSO is integrated with OAM, and disabling this integration also did not work.
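
A triage sketch for the symptom and cause described above, added here as an example and not taken from the original post or from any Oracle tool: it flags sessions that the OC4J diagnostic records show being sent to the same login page repeatedly, and reads the OssoSecureCookies value out of a mod_osso.conf. The function names, the thresholds and the third timestamp in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the record format quoted in the post. The first two stamps
# are the post's own; the third is made up to extend the run.
_REC = ("<diagnostic>\nsessionId=c0a80b2e30d56d2985ead25746d7955fcbb30f13c0a0\n"
        "sourcePageName=oiddashome\nsourcePageEventName=ssologin\n"
        "destinationPageName=OSSO_4LOGIN\nstamp={}\nduration=0\n</diagnostic>\n")
SAMPLE_LOG = "".join(_REC.format(s) for s in
                     (1301412378117, 1301412378633, 1301412379150))
SAMPLE_CONF = "<IfModule mod_osso.c>\nOssoIpCheck off\nOssoSecureCookies on\n</IfModule>\n"

def parse_records(text):
    """Yield each <diagnostic> block as a dict of its key=value lines."""
    for body in re.findall(r"<diagnostic>(.*?)</diagnostic>", text, re.S):
        yield dict(l.strip().split("=", 1) for l in body.splitlines() if "=" in l)

def find_login_loops(text, min_hits=3, window_ms=5000):
    """Return {sessionId: hits} for sessions bounced to the same login page
    at least min_hits times within window_ms (both thresholds are assumptions)."""
    stamps = defaultdict(list)
    for rec in parse_records(text):
        if rec.get("sourcePageEventName") == "ssologin" and "stamp" in rec:
            key = (rec.get("sessionId"), rec.get("destinationPageName"))
            stamps[key].append(int(rec["stamp"]))
    loops = {}
    for (sid, _dest), ts in stamps.items():
        ts.sort()
        best = lo = 0
        for hi in range(len(ts)):          # sliding window over sorted stamps
            while ts[hi] - ts[lo] > window_ms:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_hits:
            loops[sid] = max(best, loops.get(sid, 0))
    return loops

def osso_secure_cookies(conf_text):
    """Return the last uncommented OssoSecureCookies value, lowercased, or None."""
    value = None
    for line in conf_text.splitlines():
        m = re.match(r"\s*OssoSecureCookies\s+(\S+)", line, re.I)
        if m:
            value = m.group(1).lower()
    return value

if __name__ == "__main__":
    print(find_login_loops(SAMPLE_LOG), osso_secure_cookies(SAMPLE_CONF))
```

A looping session together with a value of on, on a host that serves the console over plain HTTP, matches the situation in this post.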

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look at my blog: http://talkidentity.blogspot.com
