How to integrate OAM 11g with OID 11g for User/Identity Store

  • Oracle Access Manager (OAM) is Oracle’s recommended Single Sign-On solution, for step by step installation of OAM 11g click here
  • Oracle Internet Directory (OID) is LDAP version 3 complaint directory server from Oracle. For high level steps to install OID 11.1.1.4 click here

Why should you integrate OAM with OID ?
OAM’s default user store is weblogic’s embedded ldap server which is not recommended user store for production environment. After OAM installation it is recommended to set Oracle Internet Directory as OAM’s primary identity store.

Pointing OAM’s user store to Oracle Internet directory including integration with Oracle Identity Manager is also explained in my Book “Oracle Identity and Access Manager 11g for Administrators”

Steps to configure OAM to use OID as Identity Store

1. Create a groups “Administrators” in OIDunder dc=[your_domain], cn=groups using ODSM

2. Create a user weblogicoid in OID under dc=[your_domain] , cn=users  (This user will then be used to connect to login to weblogic console) – Ensure that attribute userPassword is set for this user.

3. Add user weblogicoid in OID to group “Administrator“. Use ODSM to create user/group in OID 11g. More on ODSM here

4. Login to OAM Console ( http://server:7001/oamconsolewhere 7001 is weblogic admin server port on which OAM is deployed)

5. Click tab “System Configuration” and select User Identity Stores under Data Source

6. From Actions -> select Create
.

.

7. Enter OID server details and click on Test Connections
.

.

If you get “failed to connect to Identity Store : Invalid Role Security Admin” make sure that group Administrators is created in OID
.
8. Click Apply when connection is successful

9. Select newly create User Store from OAM Console and click on button “Set as Primary” on top right

10. Log out from OAM console and login using newly created user in OID (weblogicoid)

Note: You can also use WebLogic Scripting Tool (WLST) to manage identity store in OAM using createUserIdentityStore, deleteUserIdentityStore, displayUserIdentityStore, editUserIdentityStore

.

How to use WLST commands for OAM ?

1.set environment – DOMAIN_HOME/bin/setDomainEnv.sh
2.Start WLST – cd $ORACLE_HOME/common/bin/wlst.sh
3.Connect to WebLogic Server – connect()
4. List all OAM commands – help(‘oam’)
5.To list User Identity Store with name UserIdentityStore1 – displayUserIdentityStore( name=”UserIdentityStore1″)

.

References

If you are looking for commonly asked interview questions for Oracle Access Manager then just click below and get that in your inbox.

banner-_oam

About the Author Masroof Ahmad

Leave a Comment:

55 comments
nagendra says May 26, 2011

hi atul kumar,
i’m using Embedded LDAP as User Identity Store for OAM11g. now i changed it to OVD and sets as primary. now i can’t access the OAMconsole. i don’t have the orcladmin password. now how can i change the User Identity Store to Embedded LDAP?

Reply
Atul Kumar says May 26, 2011

@nagendra,
You have two options here

1. Create group administrators in OVD’s ldap store (like OID) and add any OVD/OID user to this group (Administrators) and login to OAMConsole using that.

2. Use editUserIdentityStoreConfig (WLST command) to edit user identity store.

Stay tuned for steps to change user Identity store from command line (i.e. WLST)

Reply
» How to Edit (create, delete, modify) Identity Store of OAM 11g from command line (WLST) - editUserIdentityStoreConfig Online Apps DBA: One Stop Shop for Apps DBA’s says May 26, 2011

[…] my earlier post here I explained How to create Identity Store for OAM 11g pointing to enterprise LDAP server like OID […]

Reply
nagendra says May 27, 2011

hi Atul Kumar…

thank you for your reply.

i resolve that issue. now i’m login to OAMconsole successfully.

now i want change my UserIdentityStore to OID…

i followed the steps as you mentioned in previous posts…

but i can’t login with user “weblogicoid”… it gives incorrect credintials…

when i login with “orcladmin”… it gives “access to administration console is restricted”…

now, what can i do….

Reply
Atul Kumar says May 27, 2011

@ nagendra

Q1: How to change the User Identity Store to Embedded LDAP from command link

A1: check
http://onlineappsdba.com/index.php/2011/05/26/how-to-edit-create-delete-modify-identity-store-of-oam-11g-from-command-line-wlst-displayuseridentitystoreconfig-edituseridentitystoreconfig-createuseridentitystoreconfig-deleteuseridentit/

Q2: when i login with “orcladmin”… it gives “access to administration console is restricted”…

A2: Create a group “Administrators” in OID and add user cn=orcladmin, cn=users, dc=yourdomain to group “Administrators”

Q3: I can’t login with user “weblogicoid”… it gives incorrect credintials

A3: Did you enter value for attribute userpassword (or I think it is userpasswd) for user weblogicoid in OID ?

Reply
nagendra says May 27, 2011

hi Atul Kumar…

i resolve that issue…

i changed UserIdentityStore to OID…

it works fine…

but it asks credintials two times…

after given the credintials 2 times it’s login successfully and accessing the OAMconsole…

why it was asking credintials 2 times?

Reply
Swathi says May 31, 2011

Hi Atul,

I have successfully configured OVD as User Identity Store for OAM 11g ,i.e Iam able to login to OAM Administrative Console with the users present in OVD by following the below steps.

1. Configured and tested successfully OVD as User Identity Store in System Configuration tab in OAM Administrative Console.
2. Set OVD as Primary.
3. Set OID (OID is backend user store for OVD) as User Identity Store for LDAP Authentication Modules (LDAP and LDAPNoPasswordAuthModule).
4. Able to login to OAM console using the testuser present in OVD.

But everytime I have to provide the credentials twice , i.e login as Single Sign On User and to login as Administer to login to OAM Console.

Can you please tell whether this is a valid behavior ?
If not could you please suggest a better approach.

Thanks & Regards,
Swathi.

Reply
Atul Kumar says May 31, 2011

@ Swathi,
Do you see same login page twice or different login page (check URL) ?

Reply
Swathi says May 31, 2011

Hi Atul,

Thanks a lot for your reply.

I’m getting different login pages when I try to login to OAM console.

The URL I’m accessing initially is htt://:7001/oamconsole

When I give the test credentials it is initially redirected to http://:7001/oamconsole/faces/pages/PolicyManager.jspx but it is again being redirected to http://:7001/oamconsole/faces/login.jspx?_afrLoop=2820051999734120&_afrWindowMode=0&_adf.ctrl-state=5ayfr5phc_4 where if I provide my credentials I’m redirected successfully to http://:7001/oamconsole/faces/pages/PolicyManager.jspx (OAM Administrator Console page).

Regards,
Swathi.

Reply
swathi says May 31, 2011

Hi Atul,

Thanks for your reply.

I’m getting different loggin pages when I try to login to OAM Console.

When I give my test credentials to URL http://:7001/oamconsole.

It is initially being redirected to http://:7001/oamconsole/faces/pages/PolicyManager.jspx
but again the page is being redirected to
http://:7001/oamconsole/faces/login.jspx?_afrLoop=2820051999734120&_afrWindowMode=0&_adf.ctrl-state=5ayfr5phc_4
where if I provide my test credentials Iam successfully being redirected to http://cmamapd1.emulex.com:7001/oamconsole/faces/pages/PolicyManager.jspx

Regards,
Swathi.

Reply
Atul Kumar says June 1, 2011

@ Swathi,
This could be because of IDMDomain Agent in oam’s weblogic security realm

More information here http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15478/webgate.htm#AIAAG5219

and here http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15478/agents.htm#AIAAG5182

You should not see double login for your applications (webcenter, UCM…) protected by OAM 11g. OAM Console is used only by Admins.

You want to fix this issue , try removing IDM Domain agent and see if that helps

Reply
» OID 11g Integration with OAM (11.1.1.5) for Identity Store Online Apps DBA: One Stop Shop for Apps DBA’s says July 11, 2011

[…] OAM 11.1.1.5 integration with OID as identity store. If you are on OAM 11.1.1.3 , please refer HERE for integration with […]

Reply
vamsi56 says July 18, 2011

There are two contexts in OAM, one is oamconsole and another is oam. If we start the oam managed server from weblogic, the oamconsole url fails to connect and if we stop the managed server, it was successfully logging in and connecting to policy configurations etc.
What is the real difference between those two contexts and why is the context oamconsole, not working when the managed server started.

Krish.

Reply
vamsi56 says July 18, 2011

one more thing is that, I have OID, but not configured to OAM.

Reply
Atul Kumar says July 18, 2011

@ vamsi56, There is default agent IDMAgent (another name in 11.1.1.5) which kicks in as soon as you start OAM managed server. I can say there is issue with in your oam managed server which protects you from loggin in to OAM while oam server start (check managed server log file)

Workaround is to remove IDMAgent from weblogic’s security realm (under providers)

Reply
nagendra says August 1, 2011

Hi Atul,

I configured OVD11g(contains AD) as user store for OAM11g. I configured SSO for OIF11g/salesforce.com and protected OIF11g/SAML.SALESFORCE.COM using OAM 11g. working fine. Now I want to perform WNA for OAM 11g.
I followed the below document http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15740/wna.htm
But while accessing the OIF11g/SAML.SALESFORCE.COM url it displays the following error…

http://studentshela.blogspot.com/2011/08/oam11goif11gsalesforcecom-wna.html

Thanks & Regards,
Nagendra

Reply
Atul Kumar says August 1, 2011

@ nagendra,
What is your OAM & OIF version (is this 11.1.1.3 or 11.1.1.5) ?

For WNA to work OAM should integrate with AD as identity store directly and not via OVD or any other virtual LDAP server.

Is AD configured as identity store in OAM ?

Reply
nagendra says August 1, 2011

Hi Atul,

Thanks for your reply.

In my machine OAM version is 11.1.1.3 and OIF version is 11.1.1.2.0.

Yes, I configured AD as User Identity Store in OAM & OIF.

Configured OAM as authentication engine in OIF and User Unique ID Header is “cn”.

Still I getting same error.

While I’m accessing the SAML.Salesforce.com url from Windows Machine, getting the error which was posted previously.

I disabled the WNA option in IE(i.e., in windows machine) then I accessed the same url, it asks the OAM credintials. I given that credintials then it directly logged into salesforce home page.

If I enabled the WNA option, it’s getting error.

Thanks & Regards,
Nagendra.

Reply
Atul Kumar says August 1, 2011

@Nagendra,
In your earlier update you mentioned that AD is configured via OVD , is this the case ?

Could you please share what are you trying to achieve here ?

Reply
Nagendra says August 2, 2011

Hi Atul Kumar,

Now, I configured directly AD as user store for OAM and OIF.

I integrated OIF with OAM using authentication mode.

Configured OAM as authentication engine in OIF and User Unique ID Header is “cn”.

I protected “/fed/user/authnoam”,”sample.html” using “kerberos scheme” and in Authorization policy responses sets the header variables such as $user.attr.mail,$user.attr.uid,$user.attr.cn .

In sample.html I provide a link “http://host-name:7777/fed/idp/initiatesso?providerid=https://saml.salesforce.com”.

Now I performed WNA. I logged into Windows machine and then accessing the sample.html, it is successfully opened without asking any credintials.

Now I click on salesforce link it displays the error which was posted earlier.

While I’m accessing “sample.html” from other machine, it throughs a login pop-up. I’m given OAM credintials then displays the sample.html page.

Then I clicked the “salesforce” link it directly displays the SALESFORCE home page.

Please suggest me how to perform WNA for SALESFORCE.COM

Thanks & Regards,
Nagendra.

Reply
Atul Kumar says August 2, 2011

@ Nagendra,
I am still not clear what you are trying to achieve here or what is business requirement ?

For WNA – “”Configured OAM as authentication engine in OIF and User Unique ID Header is “cn”. “” looks fishy to me . AS I said above I am clear about requirement so I may be wrong.

Reply
Nagendra says August 3, 2011

Hi Atul kumar,

I want to perform SSO for SALESFORCE.COM.

If I loggoed into windows machine as “testuser” and accessing this url “http://host-name:7777/fed/idp/initiatesso?providerid=https://saml.salesforce.com” then it directly goes to salesforce.com testuser’s home page.

This is my requirement.

I installed OAM and OIF in LINUX machine.

Please suggest me how to acheive this.

Thanks & Regards,
Nagendra.

Reply
Gupta says September 20, 2011

Hi Atul,

I upgraded OAM 11.1.1.3.0 to OAM 11.1.1.5.0 and I set OID as System store for OAM but i had a doubt that is it possible to set OVD as system store for OAM 11.1.1.5.0?

If yes then please suggest me that approach…

Thanks & Regards,

Gupta katakam

Reply
bernie says October 11, 2011

Hi guys,

I’m struggling to work out how to configure OAM 11g with OID 11g to return the necessary authentication and post-authentication event codes to allow me to intercept and redirect as necessary to custom pages.

These include password nearing expiry and password expired.

When I login I don’t see these included in the HTTP response….

Thanks,

Bernie

Reply
Atul Kumar says October 11, 2011

@ bernie,
One way is to configure it via response (as header variable or cookie) in Authentication or Authorisation Policy .

Do you have my book https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book

I can give you chapter number to find this information in book.

Reply
bernie says October 11, 2011

Thanks Atul – book bought. I can configure some useful response data but does OAM 11g not return event codes like 10g and OSSO on the query string?

Thanks,

Bernie

Reply
Atul Kumar says October 11, 2011

@ bernie ,
No , as far as I know.

You need to customise login page and once you have user attribute like lastLoginDate or accountLockstatus (using response in authentication schemes) you can present different page to user.

Reply
veeru says December 23, 2011

Hi Atul,

I am trying to create identity store for OVD.I created the identity store for ovd and also repointed the identity store in the authentication scheme.But i could not authenticate the users in OVD.
Please let me know if i miss any prerequisites steps before creating the identity store for OVD.

Reply
Atul Kumar says December 23, 2011

@ Veeru,
what is ldap server behind OVD (OID , AD or something else) ?

Can you run ladpbind against OVD for this user ?

Reply
gadba says January 14, 2012

Hello Atul,
I have oam11.1.1.5.1 and oid 11.1.1.5.
I switched the embedded ldap to OID as the default as well as the system identity store.

In the oid I have created the group Administrators and added the users to: weblogic, weblogicoi, oamtester and more.
Only weblogic can sign into the oam console by one login :
http://:/oamconsole , redirected to the page having oam port 14100 with the login wizard, get in with weblogic account credential.

and for the others have to have two logins:
http://:/oamconsole , redirected to the page having oam port 14100 with the login wizard,
After keyed in the user credential, got redirected to back to the page having port 7001 with the login wizard, keyed in the user credential again and got in.

All the passwords are using in the oid’s, that confirms the oid is the oam’s identity store.

The weblogic is the seed account with the group Administrators in the WLS. Could I miss something for granting privs for the others? if so what did I miss?

I have tried a couple of “workaround”s to see if those help:
a. Have the OID prodvider created in the WLS’ security realm does not help.
b. It works if added the other users in the WLS’ security repos realm with the group Administrators. Is this a mandatroy? Seems not. correct?

Thanks a lot!

Reply
Atul Kumar says January 15, 2012

@ gadba,
For OAM 11.1.1.5 you should use http://onlineappsdba.com/index.php/2011/07/11/oid-11g-integration-with-oam-11115-for-identity-store/

Confirm what you added under “Access System Administrators”

Reply
gadba says January 18, 2012

Thanks Atul,
Yes, I have set the Administrators/group in “Access System Administrators”. And I followed the instructions you referred.
What else I need? Do I have to add the OID Authenticator to the OAMDomain’s WLS as well?

Reply
Atul Kumar says January 20, 2012

@ gabdba,
You are missin some step, Check our book at http://onlineappsdba.com/index.php/book/ (This book has step by step instruction for 11.1.1.5 too) .

We will provide support remotely if you can’t fix it using our book.

Reply
» EBS R12 integrated with SSO (OAM/OSSO) prompting for username / password again : Your Oracle E-Business Suite account has not been linked Online Apps DBA: One Stop Shop for Apps DBA’s says March 27, 2012

[…] OAM to OID for username password validation. To change OAM 11.1.1.3 identity store to OID click here  and for OAM 11.1.1.5 to OID integration steps click […]

Reply
ChuLy says August 31, 2012

Hi Kumar,

I am configuring OAM with a DSEE. There are some dffirents attribute in a OID user. Do i need configure the same attributes from OID to DSEE in cn=Groups and cn=Users.

Reply
ChuLy says August 31, 2012

Hi,

I had configure OAM and DSEE ok. But i still got a problem.I create 4 new users having objectclass relatively are:

User A: top
User B: top, person
User C: top, person, organizationalPerson,
User D: top, person, organizationalPerson, inetOrgPerson

If i configure
* User Name Attribute : cn
User Filter Object Classes: non configure.

Only user D can logging in. If I try to configure User Filter Object Classes:organizationalPerson, user C still cannot logging in. Only user D can still log in. I don’t know whether this parameter ‘User Filter Object Classes’ works property.

If i leave User Filter Object Classes to non configure, I will face a problem that exsting ~20 000 users already have user-defined object class: MegaMV. And i don’t know is it possible to add inetOrgPerson object class to this object class: MegaMV in schema.

Reply
Atul Kumar says August 31, 2012

@ ChuLy ,
What is login attribute in OAM set to ? (is this cn or uid or something else)

Is this login attribute and attribute userPassword set for all these four users (A, B, C, D) ?

Reply
ChuLy says September 1, 2012

As i descripted, login attribute = User Name Attribute: cn. And all users already have cn and userPassword value.

Reply
ChuLy says September 12, 2012

Hi

I have configured successfully. The reason is my organizationalUnit has too much users ( ~ 300 .000 users ). I change to other organizationalUnit and it’s already worked.

Reply
bernie says September 20, 2012

OAM 11g with OID but without OIM – How to force password change on first login?

Hi Atul, I was wondering if this was something that you have ever pondered? I can achieve this using an authz policy and a dynamic group that reflects the state of the pwdreset attribute in OID but I don’t really like it that much!

I also want to avoid developing a custom authentication plugin if possible.

Cheers,
Bernie

Reply
Atul Kumar says September 20, 2012

@ Bernie,
There is no option apart from OIM or custom development in 11g R1 how ever there is some password management capability in OAM 11gR2 . Did you check that ?

Reply
bernie says September 20, 2012

Thanks Atul, I’ll take a look at R2 although it’s probably not an option for the client’s initial go-live. At least I haven’t missed a trick 😉

Regards,
Bernie

Reply
» OIM-OAM-OAAM integration using TAP – Request Flow you must understand !! Online Apps DBA: One Stop Shop for Apps DBA’s says September 21, 2012

[…] with OAM). More on OAM identity store configuration (steps mentioned here are manual integration) here […]

Reply
» How to identify which LDAP (OID/AD/OVD) server OAM 11g connects to and as what user ? Online Apps DBA: One Stop Shop for Apps DBA’s says September 27, 2012

[…] can integrate OAM to external LDAP store like OID/OVD/AD using step for 11.1.1.3 click here and for 11.1.1.5 click here . You can also integrate OAM with LDAP store using idmConfigTool.sh […]

Reply
Jericho says January 17, 2013

Is it possible to login using email id in OAM protected Application. The application is using Weblogic authenticator set to uid. Do we need to set response in authn or authz

Reply
Ramesh says April 22, 2013

Hi Atul,

For OAM EBS SSO integration there is a feature to Auto Link (via a profile) the EBS username with the OID username (a linking page is shown upon first login and once valid authentication occurs at Oracle EBS, the EBS user is linked with the OID user). We have multiple applications to protect with OAM11g for SSO and the usernames for the same person are different in different applications like Peoplesoft, JDE etc. Could you please advise if there is any way to link those usernames also with the OID user?

Thanks.

Reply
bernie says April 23, 2013

Hi Ramesh,
This is a theory – I haven’t tried it in practice but you might like to try it….

As you know, the user Id is linked by configuring policy responses for the eBus accessgates to return:

USER_NAME : Header : $user.userid
USER_ORCLGUID : Header : $user.attr.orclguid

The USER_NAME variable is used as the primary key to the FND_APPS table and USER_ORCLGUID as a secondary – if this is different then the user is prompted to link manually but the USER_NAME must match.

What might work is this:

First you would need to store the mapping of the user id for each eBus app in OID – for example by using spare attributes, or creating a new objectclass. So you would now store all the mappings of eBus_app_name / eBus_app_userid in OID as part of the user entry.

Now you would define an authorization policy for each eBus accessgate where the policy response returns the id for that app and not the OID user_id – if each of your accessgates has a unique URL prefix this should be easy to do.

So for instance, if you decided to use ‘businessCategory’ as a spare attribute for your Peoplesoft user Id you would return:

USER_NAME : Header : $user.attr.businessCategory

in the policy response for that accessgate.

In this way, each accessgate will use the appropriate eBus user Id for creating the eBus session instead of the OID user Id.

As I mentioned – I haven’t tried this but if you do then please let me know if it works!

Regards,
Bernie

Reply
Viruls says July 23, 2013

Hi Atul,

I am using OAM 11gr2.

I configured OVD as user store. In which I configured a join adapter(AD-JOIN-OID) by using OID adapter(primary) and AD adapter(Bind adapter).

Now I am doing WNA with OVD as user store, I am able to access the resource (http://sso.orademo.com/test/wna.jsp)
successfully which means WNA is working fine for me(I verified the http headers).

Now I want to print a OVD user attribute as HTTP header or cookie on the resource jsp page.

Please guide me…

Thanks,
Viruls

Reply
Narendra says July 31, 2013

Hi Atul,

I created a authorization policy in which a condition of type Identity is created. I choose OVD as the store name and “test” is the entityname and entitytype is group and configured an authentication policy to a resource in a policy, but while accessing the resource i am getting authorization failed for the user who is present in the test group(Verified in OID he is assigned to this group ).

Please help me to solve the issue.

Thanks in advance.

Regards,
Narendra

Reply
kamal says March 20, 2014

Hi All,

I have installed OIM, OAM , OID and configured all components and also enabled LDAPSYNC and intgeration done for OIM-OAM. After this When i create a user through identity applicaiton it successfully get sychronized to OID but if i try to login on OIM identity application it fails.

I noticed if i login with display name then it works but with uid (uid in OID and usr_login in OIM) it fails with Invalid Sign In error.

Want to know how to change the login attribute in OIM from display name to usr_login .

Reply
    Atul Kumar says April 12, 2016

    @Kamal,
    Don’t change that , When you login I am assuming you login via OAM login screen . Ensure that login attribute in OAM-OID integration is UID and value of usr_login in OIM is same as uid in OID .

    We cover this in detail in our OAM-OID integration module VIII of OAM 11gR2 Training / Workshop at http://k21academy.com/courses/oracle-access-manager/

    Reply
Senthil says April 11, 2016

Hi Atul,
Is there a way I can connect to OAM console through WLST and create new Authentication Scheme for custom login page and associate the authentication scheme to the application domains?

Reply
Mike says January 16, 2019

Hello Atul kumar, Learnt a lot from your blog,
Mike Miller, Director, SSOgen.

Reply
Add Your Reply