Tuesday, May 27, 2014

Sun Identity Manager to Oracle Identity Manager Migration

This post is a work in progress ....

In this post I will talk about the migration from Sun Identity Manager to Oracle Identity Manager Environment.

The target OIM version I am considering is 11g R2 PS2 (11.1.2.2.0), which is the most recent as of this writing.

To start off, let's consider a feature-by-feature comparison of the two products.

Let us first look at everything that needs to be migrated if we want to move from Sun IdM to Oracle IdM.

Data - Users, Orgs, Roles, Audit Data, Operational Data, Passwords, Challenge Questions & Answers
Configuration - Resources, Connectors, Workflows, Forms, UI, Password Policies, Access Policies, XPRESS Code


Here is a diagram of the Sun Identity Manager component architecture (image not reproduced here).

And here is a diagram of the OIM component architecture (image not reproduced here).

I will break down the different development artifacts and how to go about each of them during the migration.

  1. UI - SIM uses JSP as its view technology, which made it easy to build complicated UIs however the developer saw fit. OIM uses ADF, a far more complex way of meeting UI requirements.
  2. Approval Workflow - SIM used XPRESS-based workflows in which UI could be embedded directly, so any flow could be achieved by coding for it. OIM has several different components (SOA composites, notifications, escalation reminders, etc.), but some things, such as forms, cannot be inserted wherever we like in order to present a customized look and feel. There are a lot of out-of-the-box components that will have to be used when these workflows are migrated to OIM.
  3. Forms - In SIM, forms are a way to present data to the end user using HTML components. Many triggers can be attached to them to create JavaScript-like effects.
  4. Access Policies - There is no direct equivalent in SIM of an Access Policy in OIM, though resources can be assigned directly to roles to get role-based access.
  5. Rules - Role membership rules are missing in SIM, though similar equivalents can be developed.
  6. Roles - In SIM there are various categories of roles, but essentially they achieve the same goal. SIM roles can be mapped directly to OIM roles.
  7. Resources vs. Application Entities - In SIM a resource modeled a physical system together with its connection details, and the provisioning and reconciliation operations were performed against it. Approval and provisioning workflows worked on top of these. In OIM an application instance, which consists of a Resource Object (RO) plus an IT Resource (ITR), represents both, and the same effect is achieved within the application instance.
  8. Connectors - SIM connectors, though Java-based, were built with the SIM framework in mind: CRUD events were triggered based on a standardized naming convention. In OIM, connector operations are mapped individually; which class method is triggered for each CRUD operation is configured, regardless of any strict naming convention. The connector classes are ordinary Java classes with a 1-to-1 mapping of an event to a method. SIM connector classes implement and extend certain top-level classes so that methods are triggered automatically based on the event type. SIM connectors cannot be used when migrating to OIM; the new out-of-the-box OIM connectors need to be used instead.
  9. Data Access - In SIM, the user's data on the target end systems is fetched in real time, but in OIM the data used for display is whatever was last stored in the process forms during a provisioning or reconciliation operation.
  10. Support for attestation - Present in OIM, not in SIM.
  11. Deferred Task Scanner - A SIM feature that allowed any kind of workflow to be triggered at a later date, one time or on a regular basis. To achieve something similar we have to create a scheduled job and task in OIM.
  12. Views - SIM offered views of all standard entities (user, org, roles, etc.) that could be checked out, with their data accessed in forms, emails or any business workflow. OIM offers an API to do something similar.
  13. APIs - Most programming activities in SIM are done via XPRESS code, but in OIM we have to make use of the standard Java API to accomplish these.
  14. Reports - SIM offered out-of-the-box reports within the product itself, and customized reports could be developed without requiring any additional product. OIM 11g uses BI Publisher to view all out-of-the-box reports or to develop custom ones.
  15. Approval Engine - In SIM the approval engine is within the product itself, but OIM 11g requires a SOA Server as its approval engine.
  16. Sandbox - There is no equivalent in SIM of the OIM 11g Sandbox feature for UI changes.
  17. Connector packaging - All the connectors to end systems were self-contained within SIM and did not require any additional download, unlike OIM, where the connector needs to be downloaded separately and installed.

Monday, May 19, 2014

OAM 11g R2 PS2 (11.1.2.2) Cannot Open The Federation Settings Page, MBean Operation Access Denied

After I changed my system store to OUD via oamconsole and configured that as the security provider in the security realms in the WebLogic console, I was receiving the below error message.

Cannot Open The Federation Settings Page, MBean Operation Access Denied

This was blocking access to any federation settings.

The fix for it:


1. Log in to the WebLogic Administration Server Console.
2. In the left pane of the console, click Security Realms.
3. On the Summary of Security Realms page, click myrealm under the Realms table.
4. On the Settings page for myrealm, click the Roles & Policies tab.
5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles.
6. Click the View Role Conditions link next to the Admin role.
7. On the Edit Global Roles page, under Role Conditions, click Add Conditions.
8. On the Choose a Predicate page, select Group from the predicates list and click Next.
9. On the Edit Arguments page, enter the admin group defined in the OUD store (the one specified while setting OUD as the system store in oamconsole) in the Group Argument field and click Add.
10. Click Finish to return to the Edit Global Roles page.
11. The Role Conditions now show the OUD admin group as an entry.
12. Click Save to finish adding the Admin role to the OUD admin group.


Screenshot below (image not reproduced here).

OIM 11g R2 PS2 List of all Metadata Files

In this post I will provide the list of all metadata files present in the OIM MDS and the WLST command to export them.
Exporting all files is especially handy when you are troubleshooting issues with event handlers or want to understand where all the settings related to certain features are located.

Please create the folder given as toLocation below before proceeding.


C:\>cd Oracle\Middleware\Oracle_IDM1\common\bin

C:\Oracle\Middleware\Oracle_IDM1\common\bin>wlst.cmd

wls:/offline> connect()
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :
Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

wls:/base_domain/serverConfig> exportMetadata(application='OIMMetadata', server='oim_server1', toLocation='C:/Oracle/Middleware/Oracle_IDM1/exportAllMetaData')
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)

Executing operation: exportMetadata.

Operation "exportMetadata" completed. Summary of "exportMetadata" operation is:
List of documents successfully transferred:

/adf/META-INF/connections.xml
/custom/metadata/LDAP User/LDAPAccountSchema.xml
/custom/metadata/MyDisconnectedApp/MyDisconnectedApp.xml
/db/DBAT Connector Lookup Reconciliation.xml
/db/DBAT Trusted User
/db/FLATFILEGTC_GTC
/db/FLATFILEGTC_GTC.xml
/db/GTC/ProviderDefinitions/CSVReconFormat.xml
/db/GTC/ProviderDefinitions/Concatenation.xml
/db/GTC/ProviderDefinitions/DBProvisioningFormat.xml
/db/GTC/ProviderDefinitions/DBProvisioningTransport.xml
/db/GTC/ProviderDefinitions/DBReconFormat.xml
/db/GTC/ProviderDefinitions/DBReconTransport.xml
/db/GTC/ProviderDefinitions/IsBlankOrNullValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsByteValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsDoubleValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsFloatValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsInRangeValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsIntValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsLongValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsShortValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsValidDateValidatorProvider.xml
/db/GTC/ProviderDefinitions/MatchRegexpValidatorProvider.xml
/db/GTC/ProviderDefinitions/MaxLengthValidatorProvider.xml
/db/GTC/ProviderDefinitions/MinLengthValidatorProvider.xml
/db/GTC/ProviderDefinitions/OnetoOne.xml
/db/GTC/ProviderDefinitions/SPMLProvisioningFormat.xml
/db/GTC/ProviderDefinitions/SharedDriveReconTransport.xml
/db/GTC/ProviderDefinitions/Translation.xml
/db/GTC/ProviderDefinitions/ValidateDateFormat.xml
/db/GTC/ProviderDefinitions/WSProvisioningTransport.xml
/db/GTC/Schema/Providers-def.xsd
/db/GTC/Schema/pstc_spmlv2_core.xsd
/db/HR APPLICATION TABLES_GTC
/db/HR APPLICATION TABLES_GTC.xml
/db/LDAP Connector Lookup Reconciliation.xml
/db/LDAP Connector Search Delete Reconciliation.xml
/db/LDAP Connector Search Incremental Reconciliation.xml
/db/LDAP Connector Sync Reconciliation.xml
/db/LDAP Group
/db/LDAP Organisation Unit
/db/LDAP Role
/db/LDAP Trusted User
/db/LDAP User
/db/MyDisconnectedApp
/db/RAMLS_FLATFILEGTC_GTC.xml
/db/RA_DBATTRUSTEDUSER4753023.xml
/db/RA_FLATFILEGTC_GTC.xml
/db/RA_HRAPPLICATIONTA5D0970E2.xml
/db/RA_LDAPGROUPAD314A6.xml
/db/RA_LDAPORGANISATIO9223D0D1.xml
/db/RA_LDAPROLE9503816F.xml
/db/RA_LDAPTRUSTEDUSERC570B56D.xml
/db/RA_LDAPUSER9504ECC4.xml
/db/RA_LDAP_GRP.xml
/db/RA_LDAP_ROL.xml
/db/RA_MYDISCONNECTEDAPP.xml
/db/RA_XELLERATEUSER37B8BD73.xml
/db/RA_XELLERATE_ORG.xml
/db/Xellerate Organization
/db/Xellerate User
/db/form-metadata/FormMetaData.xml
/db/identity/entity-definition/OIMOrgDataProvider.xml
/db/identity/entity-definition/OIMPendingRoleGrantRelationProvider.xml
/db/identity/entity-definition/OIMRoleCategoryDataProvider.xml
/db/identity/entity-definition/OIMRoleDataProvider.xml
/db/identity/entity-definition/OIMRoleGrantRelationProvider.xml
/db/identity/entity-definition/OIMRoleRelationshipRelationProvider.xml
/db/identity/entity-definition/OrgUserRelationProvider.xml
/db/identity/entity-definition/Organization.xml
/db/identity/entity-definition/OrganizationUserRelationship.xml
/db/identity/entity-definition/PendingRoleUserMembership.xml
/db/identity/entity-definition/Role.xml
/db/identity/entity-definition/RoleCategory.xml
/db/identity/entity-definition/RoleRoleRelationship.xml
/db/identity/entity-definition/RoleUserMembership.xml
/db/identity/entity-definition/UserDataProvider.xml
/db/oim-config.xml
/db/task.xml
/file/RECON_ROLE_OLDSTATE.xml
/file/RECON_USER_OLDSTATE.xml
/file/User.xml
/file/async-messaging.xml
/file/recon/profile.xsd
/metadata/UpgradeMetadata.xml
/metadata/iam-features-OIMMigration/EventHandlers.xml
/metadata/iam-features-Scheduler/EventHandlers.xml
/metadata/iam-features-accesspolicy/event-definition/EventHandlers.xml
/metadata/iam-features-accesspolicy/model-data/AccessPolicyBasedApplicationInstanceProvisioning.xml
/metadata/iam-features-accesspolicy/model-data/AccessPolicyBasedProvisioning.xml
/metadata/iam-features-asyncwsclient/EventHandlers.xml
/metadata/iam-features-asyncwsclient/plugin.xml
/metadata/iam-features-autoroles/event-definition/EventHandlers.xml
/metadata/iam-features-callbacks/CallbackConfiguration.xjb
/metadata/iam-features-callbacks/CallbackConfiguration.xsd
/metadata/iam-features-catalog/CatalogableEntities.xml
/metadata/iam-features-catalog/EventHandlers.xml
/metadata/iam-features-certification/event-definition/EventHandlers.xml
/metadata/iam-features-configservice/event-definition/EventHandlers.xml
/metadata/iam-features-configservice/plugin.xml
/metadata/iam-features-identity/IdentityNotificationEvent.xml
/metadata/iam-features-identity/event-definition/EventHandlers.xml
/metadata/iam-features-identity/plugin.xml
/metadata/iam-features-ldap-sync/LDAPContainer.xml
/metadata/iam-features-ldap-sync/LDAPDataProvider.xml
/metadata/iam-features-ldap-sync/LDAPRelationshipProvider.xml
/metadata/iam-features-ldap-sync/LDAPRepository.xml
/metadata/iam-features-ldap-sync/LDAPRole.xml
/metadata/iam-features-ldap-sync/LDAPRoleMembership.xml
/metadata/iam-features-ldap-sync/LDAPUser.xml
/metadata/iam-features-ldap-sync/LDAPUserMembership.xml
/metadata/iam-features-ldap-sync/OVDInstance.xml
/metadata/iam-features-ldap-sync/ReconScheduleTasks.xml
/metadata/iam-features-ldap-sync/plugin.xml
/metadata/iam-features-notification/EventHandlers.xml
/metadata/iam-features-notification/NotificationEvent.xsd
/metadata/iam-features-notification/NotificationProviders.xml
/metadata/iam-features-oimupgrade/UpgradeMetadata.xml
/metadata/iam-features-oimupgrade/mds-metadata-mergeclass-map.xml
/metadata/iam-features-oimupgrade/mds-transfer-config.xml
/metadata/iam-features-passwordmgmt/event-definition/EventHandlers.xml
/metadata/iam-features-passwordmgmt/notification/ResetPasswordEvent.xml
/metadata/iam-features-provisioning/event-definition/EventHandlers.xml
/metadata/iam-features-provisioning/model-data/DisableAccountRequest.xml
/metadata/iam-features-provisioning/model-data/EnableAccountRequest.xml
/metadata/iam-features-provisioning/model-data/ModifyAccountRequest.xml
/metadata/iam-features-provisioning/model-data/ModifyEntitlement.xml
/metadata/iam-features-provisioning/model-data/ProvisionApplicationInstance.xml
/metadata/iam-features-provisioning/model-data/ProvisionEntitlement.xml
/metadata/iam-features-provisioning/model-data/RevokeAccountRequest.xml
/metadata/iam-features-provisioning/model-data/RevokeEntitlement.xml
/metadata/iam-features-push-identity-toldap/ScheduleTasks.xml
/metadata/iam-features-reconciliation/entity-definition/OperationalDB.xml
/metadata/iam-features-reconciliation/entity-definition/RDBMSChildDataProvider.xml
/metadata/iam-features-reconciliation/entity-definition/RDBMSDataProvider.xml
/metadata/iam-features-reconciliation/entity-definition/RDBMSRepository.xml
/metadata/iam-features-reconciliation/entity-definition/RECON_TABLES.xml
/metadata/iam-features-reconciliation/event-definition/EventHandlers.xml
/metadata/iam-features-reconciliation/plugin.xml
/metadata/iam-features-request/ApprovalCategory.xml
/metadata/iam-features-request/event-definition/EventHandlers.xml
/metadata/iam-features-request/notification/BulkRequestCreationEvent.xml
/metadata/iam-features-request/notification/CreateUserEvent.xml
/metadata/iam-features-request/notification/RequestCreationEvent.xml
/metadata/iam-features-request/notification/RequestStatusChangeEvent.xml
/metadata/iam-features-request/plugin.xml
/metadata/iam-features-requestactions/common/metadata/event-definition/EventHandlers.xml
/metadata/iam-features-requestactions/event-definition/EventHandlers.xml
/metadata/iam-features-requestactions/model-data/AssignRolesDataset.xml
/metadata/iam-features-requestactions/model-data/AssignRolesRequest.xml
/metadata/iam-features-requestactions/model-data/CreateRoleDataSet.xml
/metadata/iam-features-requestactions/model-data/CreateRoleRequestModel.xml
/metadata/iam-features-requestactions/model-data/CreateUserDataSet.xml
/metadata/iam-features-requestactions/model-data/CreateUserRequestModel.xml
/metadata/iam-features-requestactions/model-data/DeleteRoleDataSet.xml
/metadata/iam-features-requestactions/model-data/DeleteRoleRequestModel.xml
/metadata/iam-features-requestactions/model-data/DeleteUserDataset.xml
/metadata/iam-features-requestactions/model-data/DeleteUserRequest.xml
/metadata/iam-features-requestactions/model-data/DeprovisionResourceRequest.xml
/metadata/iam-features-requestactions/model-data/DisableProvisionedResourceRequest.xml
/metadata/iam-features-requestactions/model-data/DisableUserDataset.xml
/metadata/iam-features-requestactions/model-data/DisableUserRequest.xml
/metadata/iam-features-requestactions/model-data/EnableProvisionedResourceRequest.xml
/metadata/iam-features-requestactions/model-data/EnableUserDataset.xml
/metadata/iam-features-requestactions/model-data/EnableUserRequest.xml
/metadata/iam-features-requestactions/model-data/HeterogeneousRequest.xml
/metadata/iam-features-requestactions/model-data/ModifyResourceRequest.xml
/metadata/iam-features-requestactions/model-data/ModifyRoleDataSet.xml
/metadata/iam-features-requestactions/model-data/ModifyRoleRequestModel.xml
/metadata/iam-features-requestactions/model-data/ModifyUserDataset.xml
/metadata/iam-features-requestactions/model-data/ModifyUserRequestModel.xml
/metadata/iam-features-requestactions/model-data/ProvisionEntitlementsDataset.xml
/metadata/iam-features-requestactions/model-data/ProvisionResourceRequest.xml
/metadata/iam-features-requestactions/model-data/RemoveRolesDataset.xml
/metadata/iam-features-requestactions/model-data/RemoveRolesRequest.xml
/metadata/iam-features-requestactions/model-data/ResourceCommonDataset.xml
/metadata/iam-features-requestactions/model-data/RevokeEntitlementsDataset.xml
/metadata/iam-features-requestactions/model-data/SelfCreateUserDataset.xml
/metadata/iam-features-requestactions/model-data/SelfCreateUserRequest.xml
/metadata/iam-features-requestactions/plugin.xml
/metadata/iam-features-requestprofile/event-definition/EventHandlers.xml
/metadata/iam-features-rolesod/EventHandlers.xml
/metadata/iam-features-selfservice/event-definition/EventHandlers.xml
/metadata/iam-features-selfservice/notification/AddProxyUser.xml
/metadata/iam-features-selfservice/notification/CreateNewSelfUser.xml
/metadata/iam-features-selfservice/notification/ForgottenUsername.xml
/metadata/iam-features-sil/db/Registration.xml
/metadata/iam-features-sil/db/Registration.xsd
/metadata/iam-features-sil/db/SILConfig.xml
/metadata/iam-features-sod/EventHandlers.xml
/metadata/iam-features-system-configuration/EventHandlers.xml
/metadata/iam-features-system-configuration/plugin.xml
/metadata/iam-features-tasklist/plugin.xml
/metadata/iam-features-templatefeature/EventHandlers.xml
/metadata/iam-features-transUI/EventHandlers.xml
/metadata/iam-features-transUI/common/metadata/EventHandlers.xml
/metadata/iam-features-transUI/plugin.xml
/metadata/mds-metadata-mergeclass-map.xml
/metadata/mds-transfer-config.xml
/oracle/rules/oracle/iam/certification/rules/EventListenerBase.rules
/oracle/rules/oracle/iam/certification/rules/EventListenerCustom.rules

201 documents successfully transferred.
wls:/base_domain/serverConfig>
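Once the export above has run, the useful next step when troubleshooting an event handler is to read every EventHandlers.xml in one pass and see, per entity, operation and stage, which handlers fire and in what order. The script below is an added example, not the blog's own code. It assumes the exported documents follow the OIM kernel orchestration-handlers schema (action-handler, validation-handler and similar elements carrying class, entity-type, operation, stage and order attributes) and that exportMetadata wrote them under toLocation with the relative paths it printed; the two sample documents embedded in it are constructed, and their class names and the /metadata/custom path are made up.

```python
"""Index the EventHandlers.xml documents from an OIM MDS export.

Added example, not the blog's own code. Assumes the documents follow the
OIM kernel orchestration-handlers schema (<action-handler>, <validation-
handler>, ... with class, entity-type, operation, stage and order attributes).
"""
import os
import xml.etree.ElementTree as ET
from collections import defaultdict

# Handler elements that matter when a user operation misbehaves (assumption:
# other element types in the schema are ignored here)
HANDLER_TAGS = ("validation-handler", "action-handler", "failed-handler",
                "change-failed", "out-of-band-handler", "finalization-handler")

def order_key(order):
    """OIM accepts FIRST, LAST or an integer for a handler's order."""
    if order == "FIRST":
        return float("-inf")
    if order in (None, "LAST"):
        return float("inf")
    return int(order)

def parse_event_handlers(xml_text, source):
    """Return one dict per handler declared in a single EventHandlers.xml."""
    handlers = []
    for elem in ET.fromstring(xml_text):
        kind = elem.tag.split("}")[-1]          # drop the {namespace} prefix
        if kind not in HANDLER_TAGS:
            continue
        handlers.append({
            "kind": kind, "name": elem.get("name"), "class": elem.get("class"),
            "entity": elem.get("entity-type"), "operation": elem.get("operation"),
            "stage": elem.get("stage", "-"),     # validation handlers have no stage
            "order": elem.get("order"), "source": source,
        })
    return handlers

def index_handlers(documents):
    """{mds_path: xml_text} -> {(entity, operation, stage): handlers sorted as OIM runs them}."""
    index = defaultdict(list)
    for path, xml_text in documents.items():
        for h in parse_event_handlers(xml_text, path):
            index[(h["entity"], h["operation"], h["stage"])].append(h)
    for handlers in index.values():
        handlers.sort(key=lambda h: order_key(h["order"]))
    return dict(index)

def find_order_collisions(index):
    """Handlers sharing entity/operation/stage and order have no defined
    relative ordering; return them for review as (key, order, names)."""
    collisions = []
    for key, handlers in index.items():
        by_order = defaultdict(list)
        for h in handlers:
            by_order[h["order"]].append(h["name"])
        collisions += [(key, o, sorted(n)) for o, n in by_order.items() if len(n) > 1]
    return collisions

def load_export(export_dir):
    """Collect every EventHandlers.xml below an exportMetadata toLocation."""
    docs = {}
    for dirpath, _, files in os.walk(export_dir):
        if "EventHandlers.xml" in files:
            full = os.path.join(dirpath, "EventHandlers.xml")
            with open(full, encoding="utf-8") as fh:
                docs["/" + os.path.relpath(full, export_dir).replace(os.sep, "/")] = fh.read()
    return docs

# Constructed sample documents shaped like the EventHandlers.xml files in the
# export listing above; the class names and the /custom path are made up.
SAMPLE_DOCS = {
    "/metadata/iam-features-identity/event-definition/EventHandlers.xml": """<?xml version='1.0' encoding='utf-8'?>
<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel">
  <validation-handler class="com.example.ValidateUser" entity-type="User" operation="CREATE" name="ValidateUser" order="FIRST"/>
  <action-handler class="com.example.PostCreateA" entity-type="User" operation="CREATE" name="PostCreateA" stage="postprocess" order="1000" sync="TRUE"/>
</eventhandlers>""",
    "/metadata/custom/EventHandlers.xml": """<?xml version='1.0' encoding='utf-8'?>
<eventhandlers xmlns="http://www.oracle.com/schema/oim/platform/kernel">
  <action-handler class="com.example.PostCreateB" entity-type="User" operation="CREATE" name="PostCreateB" stage="postprocess" order="1000" sync="TRUE"/>
  <action-handler class="com.example.PreCreate" entity-type="User" operation="CREATE" name="PreCreate" stage="preprocess" order="LAST" sync="TRUE"/>
</eventhandlers>""",
}

if __name__ == "__main__":
    idx = index_handlers(SAMPLE_DOCS)   # replace with load_export(r"C:/.../exportAllMetaData")
    for key, handlers in sorted(idx.items()):
        print(key, [(h["order"], h["name"], h["source"]) for h in handlers])
    for key, order, names in find_order_collisions(idx):
        print("order collision on", key, "at", order, ":", ", ".join(names))
```

Point load_export at the toLocation folder to run it against a real export. The collision report is the part worth reading first: two handlers on the same entity, operation and stage with the same order value is exactly the situation that produces "works on one server, not on the other" behaviour, and the source path tells you which MDS document to fix.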

OIM 11g - Add Child Data to Child Tables

In this post I will share some sample code to add child data to child tables.
The sample code below is helpful in scenarios like the following:

Child Form Auto Prepopulate Doesn't Work (Doc ID 1672861.1)

Currently, custom pre-populate adapters are not supported on child forms in OIM.

As a workaround you can use an adapter to add a record to the child form on success of the "Create User" task. This will update the child form as expected.

Let me explain what I am doing in the code below.

This code adds a DSEE group to a child table based on the roles to which a user belongs.

pKey - Process Instance Key
tcdp - OIM database reference, available via adapter variable mapping
lookupName - lookup that holds the User Role to DSEE Group mappings
userKey - USR Key
childTableColumName - Child Table Column Name



package com.dubey.deepak.oim.dsee.provisioning;

import Thor.API.Operations.tcFormInstanceOperationsIntf;
import Thor.API.Operations.tcLookupOperationsIntf;
import Thor.API.Operations.tcUserOperationsIntf;
import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import com.thortech.xl.dataaccess.tcDataProvider;
import java.util.HashMap;
import java.util.Map;

public class AddChildData {

    public AddChildData() {
    }

    /**
     * Adds one child-table row per DSEE group mapped to the user's roles.
     *
     * @param pKey                process instance key of the account being provisioned
     * @param tcdp                OIM database reference (adapter variable mapping)
     * @param lookupName          lookup holding the User Role -> DSEE Group mappings
     * @param userKey             USR key of the user
     * @param childTableColumName child table column that receives the group name
     * @return "true" if at least one child row was added, otherwise "false"
     */
    public String AddProcessChildData(long pKey, tcDataProvider tcdp,
            String lookupName, long userKey, String childTableColumName)
            throws Exception {
        String result = "false";
        try {
            // Obtain the OIM utility interfaces once, not inside the loops
            tcUserOperationsIntf userOp = (tcUserOperationsIntf) tcUtilityFactory
                    .getUtility(tcdp, "Thor.API.Operations.tcUserOperationsIntf");
            tcLookupOperationsIntf lookupOp = (tcLookupOperationsIntf) tcUtilityFactory
                    .getUtility(tcdp, "Thor.API.Operations.tcLookupOperationsIntf");
            tcFormInstanceOperationsIntf formOp = (tcFormInstanceOperationsIntf) tcUtilityFactory
                    .getUtility(tcdp, "Thor.API.Operations.tcFormInstanceOperationsIntf");

            // Role -> group mappings from the lookup (read once)
            tcResultSet lookupRes = lookupOp.getLookupValues(lookupName);
            // Child table key, resolved on the first matching role
            long childKey = -1;

            // Roles (groups) the user is a member of
            tcResultSet groupResults = userOp.getGroups(userKey);
            for (int i = 0; i < groupResults.getRowCount(); i++) {
                groupResults.goToRow(i);
                String roleName = groupResults.getStringValue("Groups.Group Name");
                System.out.println("roleName--->" + roleName);
                for (int j = 0; j < lookupRes.getRowCount(); j++) {
                    lookupRes.goToRow(j);
                    String codeKey = lookupRes.getStringValue(
                            "Lookup Definition.Lookup Code Information.Code Key").trim();
                    if (!codeKey.equalsIgnoreCase(roleName)) {
                        continue;
                    }
                    String groupName = lookupRes.getStringValue(
                            "Lookup Definition.Lookup Code Information.Decode").trim();
                    System.out.println("groupName----->" + groupName);
                    if (childKey < 0) {
                        // Child form definition of the process form for this instance
                        tcResultSet childFormDef = formOp.getChildFormDefinition(
                                formOp.getProcessFormDefinitionKey(pKey),
                                formOp.getProcessFormVersion(pKey));
                        childKey = childFormDef
                                .getLongValue("Structure Utility.Child Tables.Child Key");
                    }
                    // Add one child row holding the mapped group name
                    Map<String, String> attrChildData = new HashMap<String, String>();
                    attrChildData.put(childTableColumName, groupName);
                    formOp.addProcessFormChildData(childKey, pKey, attrChildData);
                    result = "true";
                }
            }
        } catch (Exception e) {
            System.out.println("exception ---->" + e.getMessage());
            e.printStackTrace();
        }
        return result;
    }
}
 
 
This can be hooked to a dependent task as follows:

Create a task and add a dependent task on it which will trigger this (screenshot not reproduced here).


Monday, May 12, 2014

OIM 11g R2 PS2 (11.1.2.2.0) : Email Notification Services

In this post I will cover some of the notification services available within OIM 11g R2 PS2 and how to use them.

First, let's see where these services are located.

Log in to the WebLogic EM console.
Go to base_domain -> Identity and Access -> OIM -> right-click oim(11.1.2.0.0) (screenshot not reproduced here).

Then go to System MBean Browser -> Application Defined MBeans -> oracle.iam, Server: oim_server_name, Application: oim, IAMAppRuntimeMBean, and select UMSEmailNotificationProviderMBean.

Default service used by OIM: UMSEmailNotificationProviderMBean (screenshot not reproduced here)

If your SOA server is down you will receive the error message below in the console (screenshot not reproduced here).

Using SMTP for Notification:

There is another, simpler provider for pure mail notification, EmailNotificationProviderMBean, which is disabled by default.

It can be used by OIM by disabling the UMSNotificationProvider, and it does not depend on the SOA server being up and running (screenshot not reproduced here).

Using SOA Composite for Notification: SOAEmailNotificationProviderMBean

This is also disabled by default.
It is used within the SOA server by SOA composites.


OIM 11g R2 PS2 (11.1.2.2.0) : Database Application Tables Installation Issue-Resolution

I was installing the Database Application Tables connector on OIM 11g R2 PS2 and it was throwing the error below (screenshot not reproduced here).

As the error message says, it is expecting a Start Date attribute defined on the Organization entity.
So I created an attribute Start Date on Organization. To do so, you will have to create a sandbox, make the change to Organization, and then activate the sandbox (screenshots not reproduced here).


But the above did not help, and the connector installation showed a new attribute requirement (screenshot not reproduced here).


So I checked the connector XML file DBAT-ConnectorConfig.xml and found that the Order for flag is incorrectly set in the out-of-the-box connector package (screenshot not reproduced here).


Retry the connector install.


Sunday, May 11, 2014

OAM 11g R2 PS2 (11.1.2.2.0) Federation Setup

In this post I will cover the federation setup within the latest version of Oracle Access Manager.

Beginning with the 11g Release 2 (11.1.2), the Oracle Access Management Access Manager server (OAM Server) has been integrated with an Oracle Access Management Identity Federation server. All configuration for the Identity Federation server is performed using the Oracle Access Management Console.


Benefits of using the new Identity Federation 11g Release 2 (11.1.2.2) server integrated with Access Manager include:
  • Eliminating the need to install and maintain separate servers.
  • Simplifying post-install configuration of the federation features, particularly when accessing those features through the Oracle Access Management Console.
  • Improving the scalability of the two services working together.
  • Providing enhanced diagnostics and troubleshooting.

Enable Identity Federation within the Available Services (screenshot not reproduced here).


Go to Configuration->Federation Settings

Click Export SAML 2.0 Metadata (screenshot not reproduced here).

Go to Service Provider Administration -> click Create Identity Provider Partner.

Create an IdP partner with the exported metadata file (screenshot not reproduced here).


Click "Create Authentication Scheme and Module".
This creates an authentication scheme configured to be used with the IdP above.

Similarly, go to Identity Provider Administration -> click Create Service Provider Partner (screenshot not reproduced here).


Referral Auth Scheme (screenshot not reproduced here)

Referral Auth Module (screenshot not reproduced here)

Use the Authentication Scheme in the Authentication Policy of the Application Domain.

Go to App Domain -> Domain Name -> Authentication Policies -> Protected Resource Policy -> Change Authentication Scheme -> IdP1FederationScheme (screenshot not reproduced here)

Now we are ready to test.

Access the protected resource.

You will be redirected to the identity provider's SAML credential collector page (screenshot not reproduced here).

SAML GET Request (screenshot not reproduced here)

After successful login:

SAML POST Response (screenshot not reproduced here)
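Before a partner's metadata file is imported on either side of this setup, it is worth checking what it actually commits you to: when it expires, whether it is signed, which algorithms it advertises and where its endpoints point. The script below is an added example, not the blog's or Oracle's code. It assumes metadata in the urn:oasis:names:tc:SAML:2.0:metadata format that OAM exports (one such file is reproduced at the end of this post) and flags the legacy algorithms that file also lists, rsa-sha1 for the signature, sha1 for the digest and rsa-1_5 for key transport. The embedded sample document is constructed; its entity ID, hostname, certificate and signature values are placeholders.

```python
"""Audit a SAML 2.0 metadata document before trusting a federation partner.

Added example, not the blog's or Oracle's code. Assumes the OASIS SAML 2.0
metadata format as exported by OAM; reports entity ID, expiry, signature,
legacy algorithms advertised and the declared endpoints.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"

# Algorithm URIs that current SAML deployment profiles treat as legacy
LEGACY_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA with SHA-1 signature",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1 digest",
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "RSA PKCS#1 v1.5 key transport",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "3DES-CBC data encryption",
}

def audit_metadata(xml_text, now=None):
    """now: UTC timestamp 'YYYY-MM-DDTHH:MM:SSZ'; defaults to the current time."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    now_dt = (datetime.strptime(now, SAML_TIME) if now
              else datetime.now(timezone.utc).replace(tzinfo=None))
    valid_until = root.get("validUntil")
    expired = datetime.strptime(valid_until, SAML_TIME) <= now_dt if valid_until else None
    sig = root.find("dsig:Signature/dsig:SignedInfo/dsig:SignatureMethod", NS)
    advertised = {el.get("Algorithm") for el in root.iter() if el.get("Algorithm")}
    endpoints, signing_certs = [], 0
    for role in root:                              # IDPSSODescriptor / SPSSODescriptor
        role_name = role.tag.split("}")[-1]
        if not role_name.endswith("SSODescriptor"):
            continue
        for child in role:
            name = child.tag.split("}")[-1]
            if name == "KeyDescriptor":
                if child.get("use", "signing") == "signing":   # no 'use' means both
                    signing_certs += len(child.findall(".//dsig:X509Certificate", NS))
            elif child.get("Location"):               # SingleLogoutService, SingleSignOnService, ...
                endpoints.append((role_name, name, child.get("Binding"), child.get("Location")))
    return {
        "entity_id": root.get("entityID"), "valid_until": valid_until, "expired": expired,
        "signed": sig is not None,
        "signature_algorithm": sig.get("Algorithm") if sig is not None else None,
        "legacy_algorithms": sorted(LEGACY_ALGORITHMS[a] for a in advertised if a in LEGACY_ALGORITHMS),
        "signing_certs": signing_certs, "endpoints": endpoints,
    }

def findings(result):
    """Turn an audit result into review findings; an empty list means nothing to flag."""
    out = []
    if result["expired"]:
        out.append("metadata expired on %s" % result["valid_until"])
    if not result["signed"]:
        out.append("metadata is not signed; verify it out of band")
    if result["signing_certs"] == 0:
        out.append("no signing certificate published")
    out += ["legacy algorithm advertised: %s" % a for a in result["legacy_algorithms"]]
    out += ["%s %s is not HTTPS: %s" % (r, s, loc)
            for r, s, _, loc in result["endpoints"] if not loc.startswith("https://")]
    return out

# Constructed sample shaped like the OAM export at the end of this post;
# entity ID, host, certificate and signature values are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" ID="id-constructed-1" entityID="https://idp.example.test/oam/fed" validUntil="2014-06-03T17:32:57Z">
  <dsig:Signature><dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference URI="#id-constructed-1"><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>PLACEHOLDER=</dsig:DigestValue></dsig:Reference>
  </dsig:SignedInfo><dsig:SignatureValue>PLACEHOLDER</dsig:SignatureValue></dsig:Signature>
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIB-PLACEHOLDER</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>MIIB-PLACEHOLDER</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/oamfed/idp/samlv20"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/oamfed/idp/samlv20"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    result = audit_metadata(SAMPLE_METADATA)    # or open(path).read() for a real export
    print(result["entity_id"], "valid until", result["valid_until"])
    for line in findings(result):
        print(" -", line)
```

The script does not verify the XML signature itself; that needs the partner's certificate and a canonicalization-aware library, and is the job of the federation server at import time. What it gives you is the pre-import review: an expired validUntil means the partner will stop being trusted on that date whatever else is configured, and the legacy algorithm list tells you what the partner will still accept once the trust is in place.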






Referral IdP and SP metadata file "https___Deepak-PC.mydomain.com_14101_oam_fed.xml":
It contains metadata for both the IdP and the SP.


<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:ns7="urn:oasis:names:tc:SAML:profiles:v1metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="id-0G95cJmk6LYZcGQEqYuHtrUHzJkKkXQCRCfamW-3" cacheDuration="P30DT0H0M0S" entityID="https://Deepak-PC.mydomain.com:14101/oam/fed" validUntil="2014-06-03T17:32:57Z">
   <dsig:Signature>
      <dsig:SignedInfo>
         <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <dsig:Reference URI="#id-0G95cJmk6LYZcGQEqYuHtrUHzJkKkXQCRCfamW-3">
            <dsig:Transforms>
               <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>xLWmnQkPI7hMhUFE784zWsj3Bo0=</dsig:DigestValue>
         </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>bKOcap2cBPpRAQs8YuBF0q4VTHgiXWZQP3ZOgACVc7eqxjOg08dHSAXSp1hrLuHUoCkmDRAJOi09uorb+YNvdtqAWUV+WUcjfm0Ge6jJaqJIrf6ADmzKY01ueGVelN2qS7SSviyug3uPmiDENYdCDIvM1UbPloaDpVPEiiq+O3g=</dsig:SignatureValue>
      <dsig:KeyInfo>
         <dsig:X509Data>
            <dsig:X509Certificate>MIIB+DCCAWGgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAhMR8wHQYDVQQDExZEZWVwYWstUEMubXlkb21haW4uY29tMB4XDTE0MDQxOTE0MTE1MFoXDTI0MDQxNjE0MTE1MFowITEfMB0GA1UEAxMWRGVlcGFrLVBDLm15ZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv26VHEabPL0pg/18fASQ9lgkE7d7WGDBeTmqcPcMh+/lAv/j0ISZLA1SPk25Z9q03AyrnY49darO3zA8gQt5gymP5G+tr66SCtZc4IZFj7r6e1YlrLXivpTttROMAOxtZQRJVHQl9sT3dApeL2wxNaYxEPcqWiYvoU45jsfSfx0CAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBResQZp6WGrudaKwj2qoq2LCgJA7DANBgkqhkiG9w0BAQQFAAOBgQCDfN+jRHA+4F5SmVG1Gw7lLAGzzMweCgcxz/o0r8KBGdDSZTssI/m7isLuumaSCS98G22Hfr4Qadh+pcHwlaNFOcip4WwII9ag22afaqqXphRKFPUYFxrHCTFGzTOFMNXI3tyPZ6e1L2QCjeM2SHl8omDciSipdID7DmyqW4N2gQ==</dsig:X509Certificate>
         </dsig:X509Data>
      </dsig:KeyInfo>
   </dsig:Signature>
   <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>MIIB+DCCAWGgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAhMR8wHQYDVQQDExZEZWVwYWstUEMubXlkb21haW4uY29tMB4XDTE0MDQxOTE0MTE1MFoXDTI0MDQxNjE0MTE1MFowITEfMB0GA1UEAxMWRGVlcGFrLVBDLm15ZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv26VHEabPL0pg/18fASQ9lgkE7d7WGDBeTmqcPcMh+/lAv/j0ISZLA1SPk25Z9q03AyrnY49darO3zA8gQt5gymP5G+tr66SCtZc4IZFj7r6e1YlrLXivpTttROMAOxtZQRJVHQl9sT3dApeL2wxNaYxEPcqWiYvoU45jsfSfx0CAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBResQZp6WGrudaKwj2qoq2LCgJA7DANBgkqhkiG9w0BAQQFAAOBgQCDfN+jRHA+4F5SmVG1Gw7lLAGzzMweCgcxz/o0r8KBGdDSZTssI/m7isLuumaSCS98G22Hfr4Qadh+pcHwlaNFOcip4WwII9ag22afaqqXphRKFPUYFxrHCTFGzTOFMNXI3tyPZ6e1L2QCjeM2SHl8omDciSipdID7DmyqW4N2gQ==</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
         <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>MIIB+DCCAWGgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAhMR8wHQYDVQQDExZEZWVwYWstUEMubXlkb21haW4uY29tMB4XDTE0MDQxOTE0MTE1MFoXDTI0MDQxNjE0MTE1MFowITEfMB0GA1UEAxMWRGVlcGFrLVBDLm15ZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv26VHEabPL0pg/18fASQ9lgkE7d7WGDBeTmqcPcMh+/lAv/j0ISZLA1SPk25Z9q03AyrnY49darO3zA8gQt5gymP5G+tr66SCtZc4IZFj7r6e1YlrLXivpTttROMAOxtZQRJVHQl9sT3dApeL2wxNaYxEPcqWiYvoU45jsfSfx0CAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBResQZp6WGrudaKwj2qoq2LCgJA7DANBgkqhkiG9w0BAQQFAAOBgQCDfN+jRHA+4F5SmVG1Gw7lLAGzzMweCgcxz/o0r8KBGdDSZTssI/m7isLuumaSCS98G22Hfr4Qadh+pcHwlaNFOcip4WwII9ag22afaqqXphRKFPUYFxrHCTFGzTOFMNXI3tyPZ6e1L2QCjeM2SHl8omDciSipdID7DmyqW4N2gQ==</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      </md:KeyDescriptor>
      <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://Deepak-PC.mydomain.com:14101/oamfed/idp/soap" index="1" isDefault="true" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://Deepak-PC.mydomain.com:14101/oamfed/idp/samlv20" ResponseLocation="https://Deepak-PC.mydomain.com:14101/oamfed/idp/samlv20" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://Deepak-PC.mydomain.com:14101/oamfed/idp/samlv20" ResponseLocation="https://Deepak-PC.mydomain.com:14101/oamfed/idp/samlv20" />
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://Deepak-PC.mydomain.com:14101/oamfed/idp/samlv20" />
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://Deepak-PC.mydomain.com:14101/oamfed/idp/soap" />
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://Deepak-PC.mydomain.com:14101/oamfed/idp/samlv20" />
   </md:IDPSSODescriptor>
   <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <dsig:KeyInfo>
            <dsig:X509Data>
               <dsig:X509Certificate>MIIB+DCCAWGgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAhMR8wHQYDVQQDExZEZWVwYWstUEMubXlkb21haW4uY29tMB4XDTE0MDQxOTE0MTE1MFoXDTI0MDQxNjE0MTE1MFowITEfMB0GA1UEAxMWRGVlcGFrLVBDLm15ZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv26VHEabPL0pg/18fASQ9lgkE7d7WGDBeTmqcPcMh+/lAv/j0ISZLA1SPk25Z9q03AyrnY49darO3zA8gQt5gymP5G+tr66SCtZc4IZFj7r6e1YlrLXivpTttROMAOxtZQRJVHQl9sT3dApeL2wxNaYxEPcqWiYvoU45jsfSfx0CAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBResQZp6WGrudaKwj2qoq2LCgJA7DANBgkqhkiG9w0BAQQFAAOBgQCDfN+jRHA+4F5SmVG1Gw7lLAGzzMweCgcxz/o0r8KBGdDSZTssI/m7isLuumaSCS98G22Hfr4Qadh+pcHwlaNFOcip4WwII9ag22afaqqXphRKFPUYFxrHCTFGzTOFMNXI3tyPZ6e1L2QCjeM2SHl8omDciSipdID7DmyqW4N2gQ==</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
         <dsig:KeyInfo>
            <dsig:X509Data>
               <dsig:X509Certificate>MIIB+DCCAWGgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAhMR8wHQYDVQQDExZEZWVwYWstUEMubXlkb21haW4uY29tMB4XDTE0MDQxOTE0MTE1MFoXDTI0MDQxNjE0MTE1MFowITEfMB0GA1UEAxMWRGVlcGFrLVBDLm15ZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv26VHEabPL0pg/18fASQ9lgkE7d7WGDBeTmqcPcMh+/lAv/j0ISZLA1SPk25Z9q03AyrnY49darO3zA8gQt5gymP5G+tr66SCtZc4IZFj7r6e1YlrLXivpTttROMAOxtZQRJVHQl9sT3dApeL2wxNaYxEPcqWiYvoU45jsfSfx0CAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBResQZp6WGrudaKwj2qoq2LCgJA7DANBgkqhkiG9w0BAQQFAAOBgQCDfN+jRHA+4F5SmVG1Gw7lLAGzzMweCgcxz/o0r8KBGdDSZTssI/m7isLuumaSCS98G22Hfr4Qadh+pcHwlaNFOcip4WwII9ag22afaqqXphRKFPUYFxrHCTFGzTOFMNXI3tyPZ6e1L2QCjeM2SHl8omDciSipdID7DmyqW4N2gQ==</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      </md:KeyDescriptor>
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://Deepak-PC.mydomain.com:14101/oamfed/aa/soap" />
      <md:AttributeProfile>urn:oasis:names:tc:SAML:2.0:profiles:attribute:basic</md:AttributeProfile>
   </md:AttributeAuthorityDescriptor>
   <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>MIIB+DCCAWGgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAhMR8wHQYDVQQDExZEZWVwYWstUEMubXlkb21haW4uY29tMB4XDTE0MDQxOTE0MTE1MFoXDTI0MDQxNjE0MTE1MFowITEfMB0GA1UEAxMWRGVlcGFrLVBDLm15ZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv26VHEabPL0pg/18fASQ9lgkE7d7WGDBeTmqcPcMh+/lAv/j0ISZLA1SPk25Z9q03AyrnY49darO3zA8gQt5gymP5G+tr66SCtZc4IZFj7r6e1YlrLXivpTttROMAOxtZQRJVHQl9sT3dApeL2wxNaYxEPcqWiYvoU45jsfSfx0CAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBResQZp6WGrudaKwj2qoq2LCgJA7DANBgkqhkiG9w0BAQQFAAOBgQCDfN+jRHA+4F5SmVG1Gw7lLAGzzMweCgcxz/o0r8KBGdDSZTssI/m7isLuumaSCS98G22Hfr4Qadh+pcHwlaNFOcip4WwII9ag22afaqqXphRKFPUYFxrHCTFGzTOFMNXI3tyPZ6e1L2QCjeM2SHl8omDciSipdID7DmyqW4N2gQ==</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
         <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>MIIB+DCCAWGgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAhMR8wHQYDVQQDExZEZWVwYWstUEMubXlkb21haW4uY29tMB4XDTE0MDQxOTE0MTE1MFoXDTI0MDQxNjE0MTE1MFowITEfMB0GA1UEAxMWRGVlcGFrLVBDLm15ZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv26VHEabPL0pg/18fASQ9lgkE7d7WGDBeTmqcPcMh+/lAv/j0ISZLA1SPk25Z9q03AyrnY49darO3zA8gQt5gymP5G+tr66SCtZc4IZFj7r6e1YlrLXivpTttROMAOxtZQRJVHQl9sT3dApeL2wxNaYxEPcqWiYvoU45jsfSfx0CAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBResQZp6WGrudaKwj2qoq2LCgJA7DANBgkqhkiG9w0BAQQFAAOBgQCDfN+jRHA+4F5SmVG1Gw7lLAGzzMweCgcxz/o0r8KBGdDSZTssI/m7isLuumaSCS98G22Hfr4Qadh+pcHwlaNFOcip4WwII9ag22afaqqXphRKFPUYFxrHCTFGzTOFMNXI3tyPZ6e1L2QCjeM2SHl8omDciSipdID7DmyqW4N2gQ==</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://Deepak-PC.mydomain.com:14101/oamfed/sp/samlv20" ResponseLocation="https://Deepak-PC.mydomain.com:14101/oamfed/sp/samlv20" />
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://Deepak-PC.mydomain.com:14101/oamfed/sp/samlv20" ResponseLocation="https://Deepak-PC.mydomain.com:14101/oamfed/sp/samlv20" />
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://Deepak-PC.mydomain.com:14101/oam/server/fed/sp/sso" index="0" isDefault="true" />
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://Deepak-PC.mydomain.com:14101/oam/server/fed/sp/sso" index="1" />
   </md:SPSSODescriptor>
   <md:RoleDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>MIIB+DCCAWGgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAhMR8wHQYDVQQDExZEZWVwYWstUEMubXlkb21haW4uY29tMB4XDTE0MDQxOTE0MTE1MFoXDTI0MDQxNjE0MTE1MFowITEfMB0GA1UEAxMWRGVlcGFrLVBDLm15ZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv26VHEabPL0pg/18fASQ9lgkE7d7WGDBeTmqcPcMh+/lAv/j0ISZLA1SPk25Z9q03AyrnY49darO3zA8gQt5gymP5G+tr66SCtZc4IZFj7r6e1YlrLXivpTttROMAOxtZQRJVHQl9sT3dApeL2wxNaYxEPcqWiYvoU45jsfSfx0CAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBResQZp6WGrudaKwj2qoq2LCgJA7DANBgkqhkiG9w0BAQQFAAOBgQCDfN+jRHA+4F5SmVG1Gw7lLAGzzMweCgcxz/o0r8KBGdDSZTssI/m7isLuumaSCS98G22Hfr4Qadh+pcHwlaNFOcip4WwII9ag22afaqqXphRKFPUYFxrHCTFGzTOFMNXI3tyPZ6e1L2QCjeM2SHl8omDciSipdID7DmyqW4N2gQ==</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
         <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>MIIB+DCCAWGgAwIBAgIBCjANBgkqhkiG9w0BAQQFADAhMR8wHQYDVQQDExZEZWVwYWstUEMubXlkb21haW4uY29tMB4XDTE0MDQxOTE0MTE1MFoXDTI0MDQxNjE0MTE1MFowITEfMB0GA1UEAxMWRGVlcGFrLVBDLm15ZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAv26VHEabPL0pg/18fASQ9lgkE7d7WGDBeTmqcPcMh+/lAv/j0ISZLA1SPk25Z9q03AyrnY49darO3zA8gQt5gymP5G+tr66SCtZc4IZFj7r6e1YlrLXivpTttROMAOxtZQRJVHQl9sT3dApeL2wxNaYxEPcqWiYvoU45jsfSfx0CAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBResQZp6WGrudaKwj2qoq2LCgJA7DANBgkqhkiG9w0BAQQFAAOBgQCDfN+jRHA+4F5SmVG1Gw7lLAGzzMweCgcxz/o0r8KBGdDSZTssI/m7isLuumaSCS98G22Hfr4Qadh+pcHwlaNFOcip4WwII9ag22afaqqXphRKFPUYFxrHCTFGzTOFMNXI3tyPZ6e1L2QCjeM2SHl8omDciSipdID7DmyqW4N2gQ==</dsig:X509Certificate>
               <dsig:X509IssuerSerial>
                  <dsig:X509IssuerName>CN=Deepak-PC.mydomain.com</dsig:X509IssuerName>
                  <dsig:X509SerialNumber>10</dsig:X509SerialNumber>
               </dsig:X509IssuerSerial>
               <dsig:X509SubjectName>CN=Deepak-PC.mydomain.com</dsig:X509SubjectName>
            </dsig:X509Data>
         </dsig:KeyInfo>
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
         <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      </md:KeyDescriptor>
   </md:RoleDescriptor>
</md:EntityDescriptor>