OAM is Oracle's recommended single sign-on (SSO) solution, and OIM is its recommended solution for user management (including passwords) and user/role provisioning. It is recommended to integrate OIM with OAM so that:
a) Users accessing applications via OAM (Single Sign-On, SSO) can be managed via OIM (self-service password reset, account unlock, ...)
b) Users managed by OIM (self-service password reset, account unlock, ...) can access the OIM application using SSO (OAM)
OIM/OAM 11g installation, configuration and administration are also covered in my book.
Test Case: On logon (after a forgotten-password flow or a password reset by the administrator), after typing the new password, the user should not be prompted to log on again.
Actual Result: OAM was prompting for logon again after the password reset.
Where to look for logs: If you hit an issue like this, look at the OIM server log file, i.e. $DOMAIN_HOME/servers/<oim_server>/logs/oim_server1.out
In my case the error message was:
_____
<Feb 14, 2012 4:50:10 PM GMT> <Error> <OAM Autologin Logger> <BEA-000000> <OAM client not initialized>
<Feb 14, 2012 4:50:10 PM GMT> <Error> <OAM Autologin Logger> <BEA-000000> <Could not initialize autologin provider from oim config oracle.iam.sso.exception.AutoLoginException: aaaClient not initialized properly>
<Feb 14, 2012 4:50:10 PM GMT> <Error> <OAM Autologin Logger> <BEA-000000> <Error while authentication java.lang.NullPointerException>
<Feb 14, 2012 4:50:10 PM GMT> <Error> <oracle.iam.passwordmgmt.impl> <BEA-000000> <INTERNAL ERROR: Autologin failed oracle.iam.sso.exception.AutoLoginException: Error while authentication >
javax.security.auth.login.LoginException: Error while autologin oracle.iam.sso.exception.AutoLoginException: Error while authentication
at oracle.iam.passwordmgmt.utils.PwdMgmtAutologinHelper.doAutologin(PwdMgmtAutologinHelper.java:146)
...
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Unknown Credential type to find the password for the given map : oim key : SSOAccessKey
_____
Before I jump to the fix, let us understand how autologin works in the OIM-OAM integration and what the significance of the key SSOAccessKey is.
WebGate is the Policy Enforcement Point (PEP) that fronts the resources protected by OAM. A WebGate instance can itself be secured by setting a password for it.
When you integrate Oracle Identity Manager (OIM, for user and password management) with OAM, OIM contacts OAM via the WebGate. If the WebGate is protected by a password, OIM needs that password to connect to it. OIM stores this password in the Credential Store Framework (CSF), which can be managed through Enterprise Manager (EM) or the WebLogic Scripting Tool (WLST).
idmConfigTool (the tool that integrates OIM with OAM) should have created a credential (key name and password) in map oim under key SSOAccessKey, with the WebGate password as its value. In my case this key SSOAccessKey for map oim was missing.
Fix: Use EM or WLST to create the key SSOAccessKey with its value set to the password of the WebGate used during the OIM/OAM integration, i.e. Webgate_IDM.
Steps to create key SSOAccessKey from EM
1. Log in to EM at http://weblogicHost:AdminPort/em
2. Navigate to WebLogic Domain -> <domain>
3. Right-click on <domain> -> Security -> Credentials
4. Select the credential map oim and click Create Key
5. Enter the following
– Map: oim
– Key: SSOAccessKey
– Type: Password
– UserName: SSOAccessKey
– Password: <password for webgate Webgate_IDM>
– Description: OAM webgate password for webgate ID Webgate_IDM
Click Apply
Note: No restart is required; OIM should pick up the password in key SSOAccessKey on the next autologin request.
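The same credential can be created from WLST, which the post names as the alternative to EM. What follows is an added example and not code from the original post: a WLST (Jython) script that first confirms, from the "Unknown Credential type" line in oim_server1.out quoted above, which map and key the server is asking for, then creates the oim / SSOAccessKey credential with WLST's createCred() and reads it back with listCred(). The admin URL (t3://adminhost:7001), the admin user name (weblogic) and the script file name are assumptions; the WebGate password is prompted for rather than written into the script, and the sample log text is constructed for the check.

```python
# Added example (not from the original post). Run inside the OIM domain's WLST:
#   $ORACLE_HOME/common/bin/wlst.sh ensure_sso_access_key.py t3://adminhost:7001
# createCred(), listCred(), connect() and disconnect() are WLST commands that
# only exist when the script runs under wlst.sh; admin URL/user are assumptions.
import re
import sys
import getpass

# Constructed sample of the relevant oim_server1.out lines (same wording as the
# post's log excerpt), used to show the log check below.
SAMPLE_LOG = """\
<Feb 14, 2012 4:50:10 PM GMT> <Error> <OAM Autologin Logger> <BEA-000000> <OAM client not initialized>
Unknown Credential type to find the password for the given map : oim key : SSOAccessKey
Unknown Credential type to find the password for the given map : oim key : SSOAccessKey
"""

# The CSF lookup failure names the map and key OIM could not resolve.
MISSING_CRED = re.compile(
    r"Unknown Credential type to find the password for the given map : "
    r"(?P<map>\S+) key : (?P<key>\S+)")


def missing_csf_keys(log_text):
    """Return the distinct (map, key) pairs the log reports as unresolvable,
    so the operator creates exactly the key the server asks for."""
    found = []
    for m in MISSING_CRED.finditer(log_text):
        pair = (m.group("map"), m.group("key"))
        if pair not in found:
            found.append(pair)
    return found


def webgate_credential(password, webgate_id="Webgate_IDM",
                       map_name="oim", key="SSOAccessKey"):
    """Build the createCred() arguments; mirrors the EM form fields above
    (UserName equals the key name, description records the WebGate ID)."""
    if not password:
        raise ValueError("WebGate password must not be empty")
    return {"map": map_name, "key": key, "user": key, "password": password,
            "desc": "OAM webgate password for webgate ID %s" % webgate_id}


def in_wlst():
    """True only when WLST has injected its commands into the namespace."""
    try:
        createCred
    except NameError:
        return False
    return True


def ensure_sso_access_key(cred):
    """Create the credential in CSF and echo it back with listCred().
    No OIM restart is needed; the next autologin request reads the key."""
    if not in_wlst():
        raise RuntimeError("run this script with wlst.sh, not plain Python")
    createCred(map=cred["map"], key=cred["key"], user=cred["user"],
               password=cred["password"], desc=cred["desc"])
    listCred(map=cred["map"], key=cred["key"])


def main(argv):
    admin_url = argv[1] if len(argv) > 1 else "t3://adminhost:7001"  # assumption
    admin_user = "weblogic"  # assumption
    connect(admin_user, getpass.getpass("WebLogic admin password: "), admin_url)
    try:
        ensure_sso_access_key(
            webgate_credential(getpass.getpass("Webgate_IDM password: ")))
    finally:
        disconnect()


# WLST executes the file top to bottom; under plain Python (for example when
# the file is imported) in_wlst() is False and no CSF call is attempted.
if in_wlst():
    main(sys.argv)
```

Run missing_csf_keys() over the real oim_server1.out first; if it reports a map or key other than oim / SSOAccessKey, the fix on this page does not apply and the credential name in the script must match what the log shows.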