OIF Production issue

I would like to share my experience with a strange issue that I encountered in our OIF production environment. We are using OIF in cluster mode. OIF uses OVD as the user store, which talks to AD underneath.

OIF also uses a DB for the federation and configuration data stores. We act as the Identity Provider, with the email address as the mapping mechanism between the two partners.

A user called JDoe (example) exists in AD. His NT ID was changed due to some requirements, so he was supposed to get a new NT ID generated by AD, and likewise a new email address. The new NT ID and email address were generated and can be seen through OVD too. The partner's data store was also updated with the new email address in their system.

When the user tries to perform federation, the assertion generated at the IdP (our end) is not validated by the partner. The SAML assertion contains the Name ID element below, whose value is the OLD email address.

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">

However, some additional attributes are passed along with the assertion, and the email address is one of them. Interestingly, the new email address is seen in the attributes list.
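The symptom above (a Name ID in emailAddress format that disagrees with the email attribute in the same assertion) is easy to spot mechanically at either end of the federation. The following is an added example, not code from the original post or from OIF: a small Python check that parses a SAML 2.0 assertion, extracts the Subject Name ID and the email attribute, and reports a mismatch. The assertion text, the issuer URL, the attribute name "mail" and the example addresses are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (not a real OIF capture): the Name ID still
# carries the stale address while the attribute statement carries the new one,
# which is exactly the situation described in the post.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/fed/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe.old@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe.new@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="cn">
      <saml:AttributeValue>John Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _normalize_email(value):
    """Email addresses compare case-insensitively for our purposes."""
    return value.strip().lower() if value else None


def extract_identity(assertion_xml, email_attr="mail"):
    """Return the Name ID, its Format, and the named email attribute value."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    email_value = None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == email_attr:
            val = attr.find("saml:AttributeValue", SAML_NS)
            email_value = val.text if val is not None else None
            break
    return {
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "email_attribute": email_value.strip() if email_value else None,
    }


def check_name_id_consistency(assertion_xml, email_attr="mail"):
    """Flag an assertion whose email-format Name ID disagrees with its email attribute.

    Returns the extracted identity plus a 'mismatch' field:
      True  - Name ID is email format and differs from the email attribute
      False - Name ID is email format and matches the email attribute
      None  - check not applicable (Name ID not email format, or no email attribute)
    """
    ident = extract_identity(assertion_xml, email_attr)
    if ident["name_id_format"] != EMAIL_FORMAT or ident["email_attribute"] is None:
        ident["mismatch"] = None
        ident["reason"] = "check not applicable"
        return ident
    same = _normalize_email(ident["name_id"]) == _normalize_email(ident["email_attribute"])
    ident["mismatch"] = not same
    ident["reason"] = (
        "Name ID matches email attribute" if same
        else "Name ID differs from email attribute; federation record may be stale"
    )
    return ident


if __name__ == "__main__":
    result = check_name_id_consistency(SAMPLE_ASSERTION)
    print(f"NameID={result['name_id']} mail={result['email_attribute']} -> {result['reason']}")
```

Running the check at the IdP on outgoing assertions (or at the partner on incoming ones) turns the silent validation failure described here into a logged, attributable event, so the stale federation record can be found before the user reports the problem. The comparison is case-insensitive, which is the usual treatment of email addresses; change it if your partner agreement compares them byte for byte.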

We tried restarting the servers, refreshing the AD/OVD caches, etc., but no luck.

Finally I deleted the SAML assertion record generated for that user in the OIF EM console, at Oracle Identity Federation -> Administration -> Identities. The user tried federation again and it worked. This time the Name ID in the assertion has the new email address value.

This could be related to a timeout parameter of the federation data store, but the issue is not seen for any other user. We can't even reproduce it.


About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com
