Preventing disabled users from logging in to an application protected by Oracle Access Manager

Hi All,

I am working in an 11g environment involving the products OIM/OAM/OID/OVD. User management happens through OIM (for example, disabling a user). An application is protected by OAM and uses the OVD Authentication Module; the OVD Authentication Module uses OID in the backend. OIM talks to OID through the OID connector.

Now the question is how to prevent users disabled in OID from logging in to an application protected by OAM 11g. The answer is that NO EXTRA configuration is required: it happens by default through the orclisenabled attribute.

So when a user is disabled through the OIM console, the user's orclisenabled attribute in OID is set to DISABLED (the default value is ENABLED). There is no attribute in the OAM authentication scheme to specify which types of users are allowed to authenticate against OAM 11g; this is unlike OAM 10g, where attribute values or authentication constraints could be specified in the credential_mapping plugin.

The disabled user will also appear in the OVD console by default (with the orclisenabled attribute). When the disabled user tries to access an OAM-protected application, OAM presents the custom form login page (in our case) and, after correct credentials are entered, redirects to the login page once again.

NOTE: The orclisenabled attribute must hold the proper value to prevent authentication. For example, if it holds a value such as FALSE, the user will be able to log in without any issues.
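Because only the exact value DISABLED is honoured, an audit of the directory export is worth running after any manual or scripted disable. The following is an added example (not code from the post or from Oracle): it parses a constructed LDIF export, flags users whose orclisenabled holds a value OAM will not treat as disabled (such as FALSE), and builds the ldapmodify record that corrects it. It assumes a case-sensitive comparison and treats a missing attribute as ENABLED, since that is OID's default.

```python
import re

# Constructed sample LDIF export (not from a real directory); only the
# attributes relevant to the check are shown.
SAMPLE_LDIF = """\
dn: cn=alice,cn=Users,dc=example,dc=com
orclisenabled: ENABLED

dn: cn=bob,cn=Users,dc=example,dc=com
orclisenabled: DISABLED

dn: cn=carol,cn=Users,dc=example,dc=com
orclisenabled: FALSE

dn: cn=dave,cn=Users,dc=example,dc=com
cn: dave
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from plain LDIF; folded lines are
    joined, base64 ('::') values are kept undecoded."""
    entries = []
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.lstrip(": ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def audit(ldif_text):
    """Map each DN to 'enabled', 'disabled' or 'ineffective'.
    OAM 11g blocks a user only when orclisenabled is exactly DISABLED (assumed
    case-sensitive here); any other value, e.g. FALSE, still allows login."""
    result = {}
    for dn, attrs in parse_ldif(ldif_text):
        value = attrs.get("orclisenabled", ["ENABLED"])[0]  # missing = OID default
        result[dn] = {"DISABLED": "disabled", "ENABLED": "enabled"}.get(value, "ineffective")
    return result

def remediation_ldif(dn):
    """ldapmodify change record that sets the value OAM actually honours."""
    return f"dn: {dn}\nchangetype: modify\nreplace: orclisenabled\norclisenabled: DISABLED\n"
```

Feed the output of an ldapsearch export in place of SAMPLE_LDIF and apply the generated change records with ldapmodify for every DN reported as ineffective.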

About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com

7 comments
Naveen Agarwal says March 28, 2012

Hi,

I want training on Oracle IDM (admin, not development).

Please suggest where I can get this course.

Atul Kumar says March 28, 2012

@Naveen,
Focus Thread is starting OAM Administration Training. Check

http://focusthread.com/training/oracle-access-manager-administrator-training

tcraffa says May 15, 2012

I am not using OIM, so I am manually setting orclisenabled to DISABLED when I want to disable a user. The problem is that when logging in to OAM, the wrong error code is returned. Instead of getting OAM-5 for a disabled account, I am getting OAM-2 which is an authentication failure. Is there a setting somewhere that is suppressing the correct error code?

Mahendra says May 16, 2012

That is as expected. The OAM user session class does not have an error code or message showing that the user is disabled, and hence you will see "login failed".

The available error codes can be seen from BaseUserSession class as shown below.

UserSession.ERR_WRONG_PASSWORD
UserSession.ERR_USER_LOCKED_OUT
UserSession.ERR_PASSWORD_EXPIRED
and so on.

getStatus of UserSession will return only a few error codes.

    Kiran says August 16, 2016

    Hi Mahendra,

    I need your help on displaying the OAM-5 error response on the login page when a user is disabled. How can we achieve this in OAM 11g? Could you please let me know the steps.

    Thanks,
    Kiran

Siju says February 7, 2013

Hi,

I am using OID, which is associated with OAM. Can you help me with adding the orclisenabled attribute to a user?

Mahendra says February 7, 2013

Siju,

The orclisenabled attribute will be available for all users in OID. Please check it in an LDAP browser.

-Mahendra
