Wednesday, September 21, 2016

OIF: Relay State parameter in Federation

In this post, we cover the configuration of the 'Relay State' parameter for SP partners. Before we go into the configuration, let us understand the purpose of the 'Relay State' parameter. Essentially, this parameter automates the redirection of a user to a specific target page URL as soon as authentication against the IDP completes successfully and the SAML assertion is posted to the SP. This way you can avoid adding a 'returnurl' parameter to your SSO URL when redirecting to the Service Provider application.

In our example, we are trying this on the Salesforce application by redirecting to a ContentDocument-specific URL. We have configured Salesforce as the Service Provider and OAM 11.1.2.3 as the IDP. You can refer to my earlier posts given below for more information on the SSO configuration.
Environment:
  • OAM 11.1.2.3 BP07
  • RHEL6
  • Salesforce
Steps:
  • This assumes you have already configured Federated SSO to a service provider application (for example, Salesforce) with OAM as IDP and Salesforce as SP.
  • Log in to the OAM server.
  • Change directory to <Oracle_IDM1_Home>/common/bin
  • Execute the following commands:
    • ./wlst.sh
    • connect('weblogic', 'password123', 't3://localhost:7001')
    • domainRuntime()
    • updatePartnerProperty(partnerName="salesforce",partnerType="SP",propName="providerrelaystate",propValue="https://mydomain.lightning.force.com/one/one.app#/sObject/ContentDocument/home",type="string")
  • On successful execution, you will receive the message as shown above.
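Because the relay state is a post-login redirect target that every federated user will be sent to, it is worth checking the value before pushing it with updatePartnerProperty. The helper below is an added example, not code from the original post or from Oracle: it rejects anything that is not an https URL on an allow-listed SP host and anything over the 80-byte RelayState cap from the SAML 2.0 Bindings specification, then builds the exact keyword arguments the page's WLST command takes. ALLOWED_SP_HOSTS is a hypothetical allow-list seeded with the Salesforce host from this page, and update_fn is whatever callable applies the property (inside wlst.sh that would be the WLST built-in updatePartnerProperty; the syntax is kept Python 2/3 compatible so the file loads under WLST's Jython as well as CPython).

```python
# Added example (not from the original post): validate a Relay State URL before
# applying it as the OIF SP partner property "providerrelaystate".
try:
    from urllib.parse import urlparse      # Python 3
except ImportError:
    from urlparse import urlparse          # Python 2 / WLST Jython

# SAML 2.0 Bindings limit RelayState to 80 bytes.
MAX_RELAY_STATE_BYTES = 80

# Hypothetical allow-list of SP hosts a user may be redirected to after login;
# seeded with the Salesforce host used on this page.
ALLOWED_SP_HOSTS = ['mydomain.lightning.force.com']

# The relay state URL from the page's WLST command.
PAGE_RELAY_STATE = 'https://mydomain.lightning.force.com/one/one.app#/sObject/ContentDocument/home'


def validate_relay_state(url, allowed_hosts):
    """Return url if it is an acceptable post-login target, else raise ValueError."""
    if len(url.encode('utf-8')) > MAX_RELAY_STATE_BYTES:
        raise ValueError('relay state longer than %d bytes' % MAX_RELAY_STATE_BYTES)
    parts = urlparse(url)
    scheme, netloc = parts[0], parts[1]
    if scheme != 'https':
        raise ValueError('relay state must use https, got %r' % scheme)
    # Strip userinfo and port so only the host name is compared.
    host = netloc.split('@')[-1].split(':')[0].lower()
    if host not in [h.lower() for h in allowed_hosts]:
        raise ValueError('host %r is not an allowed SP host' % host)
    return url


def is_safe_relay_state(url, allowed_hosts):
    """Boolean form of validate_relay_state for quick checks."""
    try:
        validate_relay_state(url, allowed_hosts)
        return True
    except ValueError:
        return False


def relay_state_property(partner_name, url, allowed_hosts):
    """Build the keyword arguments for OAM's updatePartnerProperty WLST command."""
    return {
        'partnerName': partner_name,
        'partnerType': 'SP',
        'propName': 'providerrelaystate',
        'propValue': validate_relay_state(url, allowed_hosts),
        'type': 'string',
    }


def apply_relay_state(partner_name, url, allowed_hosts, update_fn):
    """Validate the URL, then hand the property to update_fn.

    Inside wlst.sh (after connect() and domainRuntime()) pass the WLST
    built-in updatePartnerProperty as update_fn; the returned dict is what
    was applied.
    """
    props = relay_state_property(partner_name, url, allowed_hosts)
    update_fn(**props)
    return props
```

Inside WLST the call is apply_relay_state('salesforce', PAGE_RELAY_STATE, ALLOWED_SP_HOSTS, updatePartnerProperty); keeping the validation separate from the WLST call means the same check can run in a plain Python review step before anyone touches the domain.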
Validation:
  • You can log in to Salesforce using either the IDP-initiated or the SP-initiated URL. After authentication, you will be automatically redirected to the URL configured as the 'Relay State' URL, as shown below.

You can also refer to the various other partner properties that can be set through the WLST command line. These are well documented in the Oracle docs. Please refer here.

Thank you for visiting.

Wednesday, September 14, 2016

oracle.security.idaas.rest.provider.cruds.ResourceNameNotFoundException: Failed to get an user from principal for UID

Receiving "oracle.security.idaas.rest.provider.cruds.ResourceNameNotFoundException" in the OAM logs during user search operations with the IDS Profile service, and hence unable to find the user profile in the identity store.

Environment:
  • OAM 11.1.2.3 BP07
  • OUD 11.1.2.3
  • RHEL6/OEL6
Error:

<Aug 29, 2016 10:03:59 PM EDT> <Warning> <oracle.idaas.oauth.resourceserver> <BEA-000000> <Resource is not found :: Resource Name "/ms_oauth/resources/userprofile/me/testuser1" >
<Aug 29, 2016 10:03:59 PM EDT> <Error> <oracle.security.idaas.rest.provider.cruds.ids.IDSUtil> <BEA-000000> <Failed to get an user from principal for UID : testuser1
oracle.security.idaas.rest.provider.cruds.ResourceNameNotFoundException: Failed to get an user from principal for UID : testuser1
    at oracle.security.idaas.rest.provider.cruds.ids.IDSUtil.getUserFromUID(IDSUtil.java:748)
    at oracle.security.idaas.rest.provider.cruds.ids.IDSUtil.getAuthPrincipal(IDSUtil.java:234)
    at oracle.security.idaas.rest.provider.cruds.ids.IDSPersonService.readPerson(IDSPersonService.java:282)
    at oracle.security.idaas.oauth.resourceserver.jaxrs.userprofile.UserProviderFacade.getUser(UserProviderFacade.java:115)
    at oracle.security.idaas.oauth.resourceserver.jaxrs.userprofile.Me.getMyProfile(Me.java:133)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

................
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: oracle.igf.ids.EntityNotFoundException: Entity not found for the search filter (&(objectclass=top)(CN=testuser1)).
    at oracle.igf.ids.arisid.ArisIdServiceManager.findEntity(ArisIdServiceManager.java:1709)
    at oracle.igf.ids.UserManager.searchUser(UserManager.java:169)
    at oracle.security.idaas.rest.provider.cruds.ids.IDSUtil.getUserFromUID(IDSUtil.java:744)
    at oracle.security.idaas.rest.provider.cruds.ids.IDSUtil.getAuthPrincipal(IDSUtil.java:234)
    at oracle.security.idaas.rest.provider.cruds.ids.IDSPersonService.readPerson(IDSPersonService.java:282)
    at oracle.security.idaas.oauth.resourceserver.jaxrs.userprofile.UserProviderFacade.getUser(UserProviderFacade.java:115)
    at oracle.security.idaas.oauth.resourceserver.jaxrs.userprofile.Me.getMyProfile(Me.java:133)
........................................

    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: oracle.igf.ids.arisid.ArisIdNoSuchSubjectException: Entity not found for the search filter (&(objectclass=top)(CN=testuser1)).
    at com.oracle.ovd.arisid.OvdIdsStackProvider.doFind(OvdIdsStackProvider.java:1287)
    at com.oracle.ovd.arisid.ArisIdStackProvider.doFind(ArisIdStackProvider.java:175)
    at org.openliberty.arisid.Interaction.doFind(Interaction.java:1022)
    at oracle.igf.ids.arisid.ArisIdServiceManager.findEntity(ArisIdServiceManager.java:1616)
    at oracle.igf.ids.UserManager.searchUser(UserManager.java:169)
    at oracle.security.idaas.rest.provider.cruds.ids.IDSUtil.getUserFromUID(IDSUtil.java:744)

Cause:

This might be due to an incorrect search filter configuration in the IDS profile that is enabled in the OAuth service provider configuration. In my scenario, CN was configured as the RDN attribute. Follow the steps mentioned in the solution and correct the configuration.
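As an added example that is not part of the original post, the Python helper below pulls the principal UID and the IDS search filter out of log lines like the two above and reports which attribute the IDS profile is keying the user lookup on, so the RDN mismatch is visible without reading the whole stack trace. The sample log text is constructed from this page's lines; expected_login_attr is an assumption you supply (the attribute your directory actually identifies users by, for example uid for a typical OUD user entry).

```python
# Added example (not from the original post): triage the OAM diagnostic log for
# the IDS "Entity not found" failure and name the attribute the profile searched on.
import re

# Constructed sample: the two relevant lines from the log on this page.
SAMPLE_LOG = """\
<Aug 29, 2016 10:03:59 PM EDT> <Error> <oracle.security.idaas.rest.provider.cruds.ids.IDSUtil> <BEA-000000> <Failed to get an user from principal for UID : testuser1
Caused By: oracle.igf.ids.EntityNotFoundException: Entity not found for the search filter (&(objectclass=top)(CN=testuser1)).
"""

UID_RE = re.compile(r'Failed to get an user from principal for UID : (\S+)')
FILTER_RE = re.compile(r'Entity not found for the search filter (\(.*\))\.')
# Simple equality terms such as (CN=testuser1); nested AND/OR wrappers are skipped.
TERM_RE = re.compile(r'\(([A-Za-z][\w;-]*)=([^()]*)\)')


def filter_terms(ldap_filter):
    """Return [(attr, value), ...] for the equality terms of an LDAP filter string."""
    return TERM_RE.findall(ldap_filter)


def diagnose_ids_lookup(log_text, expected_login_attr):
    """Explain a failed IDS user lookup from OAM log text.

    Returns None when the log does not contain the failure; otherwise a dict with
    the UID that was looked up, the LDAP filter IDS built, the attribute that
    carried the UID (the profile's RDN/login attribute) and whether it differs
    from expected_login_attr.
    """
    uid_match = UID_RE.search(log_text)
    filter_match = FILTER_RE.search(log_text)
    if not uid_match or not filter_match:
        return None
    uid = uid_match.group(1)
    ldap_filter = filter_match.group(1)
    rdn_attrs = [attr for attr, value in filter_terms(ldap_filter) if value == uid]
    rdn_attr = rdn_attrs[0] if rdn_attrs else None
    mismatch = rdn_attr is not None and rdn_attr.lower() != expected_login_attr.lower()
    hint = None
    if mismatch:
        hint = ('IDS profile searches on %s but users are keyed by %s; correct the '
                'RDN/login attribute under User Identity Stores -> IDS Profiles -> Entities'
                % (rdn_attr, expected_login_attr))
    return {
        'uid': uid,
        'filter': ldap_filter,
        'rdn_attr': rdn_attr,
        'mismatch': mismatch,
        'hint': hint,
    }
```

Run it over the full diagnostic log rather than the excerpt; the filter that IDS actually sent is the fastest way to see which attribute the profile's Entities configuration maps the login name to.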

Solution:

Make sure the following two services in the OAuth default domain point to the correct IDS profile (in my case, OUDIDSProfile), where your user data is stored.
  • OAuthDomain -> Resources Servers -> UserProfileServices -> Identity Store name -> OUDIDSProfile
  • OAuthDomain -> Service Profiles -> User Store -> OUDIDSProfile

Also verify that the attribute configuration in the IDS Profile settings reflects the correct LDAP attributes.
  • Navigate to Configuration -> User Identity Stores -> IDS Profiles -> OUDIDSProfile -> Entities. Correct your RDN/login attribute settings as shown below.

After making the required corrections according to your LDAP store's IDS Profile settings, OAM should be able to search the user from your directory store.

Thank you for visiting.