Thursday, August 31, 2017

Tuesday, May 9, 2017

OIM: Sample code to Publish roles to Organizations

                   This post covers a sample OIM code that publishes the roles to specific organization provided through inputs. 

Our example code performs the following operations
  • Publish APP_USER to new Organization "Google" and set "include sub-orgs" flag to False.
  • Publish APP_USER to existing Organization "Microsoft" and set "include sub-orgs" flag to True.
  • Remove APP_USER from existing Organization "Yahoo" 
Initial role configuration in OIM before update: 

  • OIM
  • OEL/RHEL 6

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;

import oracle.iam.identity.exception.NoSuchRoleException;
import oracle.iam.identity.exception.RoleLookupException;
import oracle.iam.identity.exception.SearchKeyNotUniqueException;
import oracle.iam.identity.orgmgmt.api.OrganizationManager;
import oracle.iam.identity.orgmgmt.vo.Organization;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.authopss.api.PolicyConstants;
import oracle.iam.platform.authopss.vo.EntityPublication;
import oracle.iam.platform.authz.exception.AccessDeniedException;
import oracle.iam.platformservice.api.EntityPublicationService;

public class UpdateOIMRoleOrgAssociation {

       public static void main(String[] args) {

              try {
                     String roleKey = "";
                     String roleName = "APP_USER";

                     // Connect to OIM
                     Hashtable<Object, Object> env = new Hashtable<Object, Object>();

                     env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://oimenv:14100");

                     System.setProperty("OIMConnect.AppServerType", "wls");
                     System.setProperty("APPSERVER_TYPE", "wls");

                     OIMClient oimClient = new OIMClient(env);
                     oimClient.login("xelsysadm", "Welcome123!");

                     // Update Role Manager
                     RoleManager roleManager = oimClient.getService(RoleManager.class);

                     // Update Organization Manager
                     OrganizationManager orgManager = oimClient

                     // Update EntityPublicationService
                     EntityPublicationService entityPubService = oimClient

                     // Get role Key information
                     try {
                           roleKey = roleManager.getDetails("Role Name", roleName, null)
                                         .getAttribute("Role Key").toString();

                           System.out.println("=====>Retrieved role Key ::" + roleKey);

                     } catch (SearchKeyNotUniqueException | NoSuchRoleException
                                  | RoleLookupException | AccessDeniedException e1) {
                           // TODO Auto-generated catch block

                     // To modify/delete existing publication, it must first be fetched
                     List<EntityPublication> entityPubsAssigned = entityPubService
                                                roleKey, null);

                     // Initializing additions
                     System.out.println("----- Initializing updates/removes -----");
                     List<EntityPublication> entityPubsAddList = new ArrayList<EntityPublication>();
                     List<EntityPublication> entityPubsUpdateList = new ArrayList<EntityPublication>();
                     List<EntityPublication> entityPubsDeleteList = new ArrayList<EntityPublication>();

                     // Get Organization keys
                     Organization org1 = orgManager.getDetails("Google", null, true);
                     Organization org2 = orgManager.getDetails("Yahoo", null, true);
                     Organization org3 = orgManager.getDetails("Microsoft", null, true);
                     System.out.println("Google" + " Key ::" + org1.getEntityId());

                     // Add a new entity publication to the list
                     entityPubsAddList.add(new EntityPublication(roleKey,
                                  PolicyConstants.Resources.ROLE, Long.valueOf(org1
                                                .getEntityId()), false));

                     // Update existing entity publication
                     // Loop through Entity Pub result
                     for (EntityPublication entityPub : entityPubsAssigned) {
                           // Add to update list if Org name matches
                           if (entityPub.getScopeName().equalsIgnoreCase("Microsoft")) {

                     // Delete existing entity publication
                     for (EntityPublication entityPub : entityPubsAssigned) {
                           // Add to update list if Org name matches
                           if (entityPub.getScopeName().equalsIgnoreCase("Yahoo")) {

                     // Add all the entityPublication Lists to a Map
                     Map<String, List<EntityPublication>> entityPubsMap = new HashMap<String, List<EntityPublication>>();
                     entityPubsMap.put("ADD", entityPubsAddList);
                     entityPubsMap.put("UPDATE", entityPubsUpdateList);
                     entityPubsMap.put("DELETE", entityPubsDeleteList);

                     //Now update the role
                     Role newRole = new Role(roleKey);
              } catch (Exception e) {


After updating through code, APP_USER role will be updated as shown below:


Monday, April 17, 2017

OAM: Enable White Listing mode

                       We are going to cover about the commands that can be used to enable White listing of URLs in OAM and enable it on OAM Protected applications. This white listing of URLs helps to avoid re-directions to external sites/URLs that are not registered with OAM.

  • OAM
  • RHEL6/OEL6

      Enabling and configuring White-listing  mode is very simple and just requires the following acitivites.
  1. Enable OAM White listing Mode
  2. Adding/Removing URLs to/from the list of White listed URLs
1. Enable OAM White listing Mode:
  • Login to the server that contains installation of OAM component
  • Browse to the following directory
    • <Oracle_IDM_Home>/common/bin
  • Execute the following commands
    • ./
    • connect('weblogic','password','t3://oamhost:7001'>)
    • domainRuntime()
    • oamSetWhiteListMode(oamWhiteListMode="true")
  • This returns the success message as shown below.

2. Adding/Removing URLs to/from the list of White listed URLs :
  • Execute the below command to add a URL to the list
    • oamWhiteListURLConfig(Name="google",Value="",Operation="Update")  

  • Execute the below command to remove a URL from the list
    • oamWhiteListURLConfig(Name="google",Value="",Operation="Remove") 

  • We can validate the behaviour during the logout process of any protected application with OAM Logout URL. For example, Add a URL like "" to white list and  invoke the following Logout URL which has end_url parameter with the URL
    • http://<OHSHost:7777/oamsso/logout.html?end_URL=
  • After successful logout, above URL will redirect you back to "" as it is trusted URL.
  • You can validate by removing the same URL from the White Listed URLs list and invoke logout again. Then OAM will just log you out but will not redirect the user to ""
Thanks for visiting.

Wednesday, April 12, 2017

OAM: Storage not configured error in Session Management

               Receiving "Storage not configured" error popup in OAM console while accessing user session management information.  

  • OAM BP07
  • RHEL6/OEL6
  • OUD

OAM Console throws "Storage not configured" error due to couple of reasons. This might happen
  • If there is no single OAM managed server up and running.
  • When Admin server failed to initialize session manager with the following exception in Admin logs
<Oct 12, 2016 7:06:41 PM EDT> <Warning> <oracle.oam.admin.console.policy> <BEA-000000> <Exception in getting sessionmanager OAMSSA-02008: Cannot instantiate the persistence access implementation for class PersistedSessionCache.

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        at java.lang.reflect.Method.invoke(
        at model.SessionSearchVOImpl.executeSMESearch(
        at model.SessionSearchVOImpl.retrieveResultSet(
        at model.SessionSearchVOImpl.executeQueryForCollection(
        at oracle.jbo.server.ViewRowSetImpl.execute(
        at oracle.jbo.server.ViewRowSetImpl.executeQueryForMasters(
        at oracle.jbo.server.ViewRowSetImpl.executeQueryForMode(
        at oracle.jbo.server.ViewRowSetImpl.executeQuery(
        at oracle.jbo.server.ViewObjectImpl.executeQuery(
        at oracle.adf.model.bc4j.DCJboDataControl.executeIteratorBinding(
        at oracle.adf.model.binding.DCIteratorBinding.doExecuteQuery(


Following actions can help in the fixing the issue.
  • Make sure to start the OAM Managed server before accessing the Session Management information through OAM Admin console
  • If the above action doesn't work, Restart the OAM Admin Server(Weblogic Admin Server) again after having the OAM Managed server Up and Running.
Thank you for visiting.

Monday, March 27, 2017

OIF: Encrypt SAML Assertions

               Today we are going to learn about the configurations required to enable encrypted SAML communication between IDP and SP. In my earlier posts, I have covered about SSO configurations and couple of other scenarios in Federated SSO by taking Salesforce as example. You can refer to my earlier posts for more information.

              This post specifically covers about configuration required to enable Encryption of SAML Assertion. Assuming we already have configured SSO to Service Provider application in SP Initiated mode which is Salesforce in our example.

  • OAM
  •  Salesforce
  • RHEL6/OEL6 

  • In this post, we are going to use the Self-Signed Certificate that can be generated inside Salesforce. In real environments, we usually get these certificates signed by third party certificate authority.
  • Lets login to Salesforce application to create a Self-Signed certificate
  • Go to Setup ->  Ceritificates and Key management 
  • Click on Create Self-Signed Certificate to create new certificate if there is no existing certificate
  • Once the certificate is created, Lets configure the IDP Profile to configure the encryption settings.
  • Navigate to Setup and search for Single Sign-on settings
  • Update the following options
    • Request Signature method -> RSA-SHA1
    • Assertion Decryption Certificate -> Select the previously created self-signed certificate
  •  Save the Changes and Download the metadata file
  • If you compare this latest downloaded metadata with earlier, this will have additional information about the encryption information.
  •  Now we need to import this latest metadata into Identity Provider which is OIF
  • Login to OAM Console and Go to Federation -> Identity Provider Administration
  • Open 'Salesforce' service provider profile
  • Click on 'Load metadata' to import this new metadata configuration
  • Go to Advanced section and check the 'Encrypt Assertion' setting
  • Save the changes made to this service provide profile.
  • Ok. We are now finished with the configuration changes. Let's validate the Encryption now.
  • Access the Salesforce application using the SP initiated URL.
    • https://<mydomain>
  • This will redirect to the IDP Url to authenticate against IDP
  • Provide the login credentials and click on Submit to login
  •  Once the authentication is successful, OIF engine generates SAML Response in encrypted manner as shown below. You can view this SAML messages using the browser plugins.
  • Once the Assertion is successfully decrypted and validated by Salesforce, you will be landed into your Salesforce domain. 
Thank you for visiting.

Wednesday, March 15, 2017

DCC: 404 NOT FOUND while accesing oamfed resource urls

Receiving the  "404 NOT FOUND" error while accessing the /oam, /oamfed resources or oam based resources through DCC (Detached credential collector) Webgate enabled webserver and shows no error logs on webserver except in access logs as 404.

For ex: http://<DCCHost>:<DCCPORT>/oamfed/idp/metadata

  • OAM
  • OHS
  • OAM Webgate 11.1.2 
  • RHEL 6/OEL 6 


This is due to missing configuration in the webgate. Need to add the list tunneled URLs explicitly that need to be served by DCC Webgate.


  • Login to OAM Console and navigate to the DCC Webagte configuration
  • Add the below URLs as "TunneledUrls" in the webgate user defined parameter section and save the webgate configuration
    • /oam
    • /oamfed

  • Redeploy the newly generated webgate artifacts from <OAMDomain_Home>/output/<webgate>/  to the webgate/config/ folder in the webserver
  • Restart the webserver and try again.  

For more information regarding dcc implementations with federation, Please refer to my earlier posts on the OAM DCC configuration settings.
  Thanks for visiting

Tuesday, March 14, 2017

OUD Instances Out of Sync ??

                 In the world of replication between nodes across data centers, there are chances of having some node failures due to power outages, disk issues or for several other reasons. These issue might result in the data going out of sync between the nodes.

So how do we fix it ???

            There are several approaches that we usually take depending on the amount of data lost, data quality etc and several other factors.. Now in this post we are going to sync the data using the Manual approach assuming there is only minor loss of data which can be fixed manually...

Below are the high level steps which we are going to take in order to fix this data inconsistency.
  • Find the OUD server which is stable. In this post, referring as oud1 in the post. 
  • Find the OUD server which is out of sync with stable server. refering as oud2. 
  • Export entries from oud1 and oud2 and compare
  • Export missing entries and data from oud1
  • Import the missing entries and data into oud2
  • OUD 
  • RHEL 6 

  • Export entries from oud1 using ldapsearch
Run below ldapserach command to write entries into file. by default ldapsearch utility will be available in <oud_instance>/bin folder. Here OUD1 is the best instance and OUD2 is the instance which is out of sync.

ldapsearch -h <oud1_hostName> -p <Port> -D "cn=Directory Manager" -j <Password_File> -b "dc=base,dc=com" "objectclass=*" dn | sort > oud1_entries.txt

dn: cn=group1,ou=users,dc=base,dc=com
dn: cn=group2,ou=users,dc=base,dc=com
dn: cn=Test User1,ou=users,dc=base,dc=com
dn: cn=Test User2,ou=users,dc=base,dc=com

P.S: When you open a file it might look empty but please scroll down and verify entries are available.

  • Export entries from oud2 using ldapsearch
ldapsearch -h <oud2_hostName> -p <Port> -D "cn=Directory Manager" -j <password_file> -b "dc=base,dc=com" "objectclass=*" dn | sort > oud2_entries.txt

dn: cn=group1,ou=users,dc=base,dc=com
dn: cn=Test User1,ou=users,dc=base,dc=com

P.S: When you open a file it might look empty but please scroll down and verify entries are available.
  • Compare two files from oud1 and oud2
Use below command to diff to compare the files and write the missing entries into a file.

diff oud1_entries.txt oud2_entries.txt > missing_entries.txt

dn: cn=group2,ou=users,dc=base,dc=com
dn: cn=Test User2,ou=users,dc=base,dc=com

Use grep or other tools to remove first two lines (dn:) in missing_entries.txt and sample file should looks like below.

cn=Test User2,ou=users,dc=base,dc=com

  • Export ldif data (with attributes) from oud1 for the missing entires. 
create file and update the content with below.

cat missing_entries.txt | while read LINE
echo "Processing $LINE" <oud_instance>/bin/ldapsearch -h <oud1_hostname> -p <port> -D "cn=Directory Manager" -j <password_file> -b "$LINE" -s base "objectclass=*" dn "*" + >> export_missing_dns.ldif

Run, it should create a file with name, export_missing_dns.ldif. Open the file and make sure there format of ldif is correct before importing.

  • Import the ldif into oud2 
Import the ldif into oud2 using ldapmodify

ldapmodify -J -h <oud2_hostname> -p <port> -D "cn=Directory Manager" -j <pwd_file> -f export_missing_dns.ldif

That's all. Now your instances are in sync..

Thank you for visiting.

Tuesday, February 28, 2017

SP Initiated SSO to Salesforce

                        In this post we are going to cover the configuration steps on how to enable the Service Provider(SP) initiated Federated SSO to Salesforce with OAM I have covered about Single Sign-on to Salesforce using OAM in IDP initiated mode in one of my earlier posts. This will will be continuation to those posts.
                       Once you finish the steps mentioned in earlier posts, You just have to finish the below steps to configure the SP initiated SSO to Salesforce. As described earlier, I have configured my OAM as IDP and Salesforce as SP. In this example, Request for authentication initiates from Salesforce(SP) and redirects it to OAM(IDP) which is nothing but the SP Initiated Single Sign-On.


  • End-user having accounts on IDP(OAM) and SP(salesforce) side with email as user login.
  • End-user will access salesforce URL directly.
  • End-user will be authenticated with IDP side credentials and will federate the user back to Salesforce.
  • Install and configure OAM
  • Configure Authentication store for OAM. In my lab, I have configured OUD as authentication store
  • Front-end OAM with OHS and protect with OAM

  • OAM BP07
  • RHEL6
  • Salesforce
  • OUD
  • OHS 
  • Make sure a domain created for your salesforce instance. In our example, Let is consider it as "
  • If domain is not created, created one by navigating as given below
    • Settings -> Setup -> Company Settings -> My Domain
  • Once the domain is enabled and deployed, Click on Edit to configure the Authentication provider.
  • Select the Single sign-provider  that your imported earlier as authentication provider now.
  • Save the Changes.
  • Now search for Single Sign-On Settings and open the current configured SSO Provider.
  • Configure the Identity Provider Login URL with your IDP Initiated URL. This is the same  OAM protected IDP Initiated Federation URL.
  • That's all folks. Now you finished additional configuration required for SP Initiated SSO to Salesforce.
  • Lets validate this now.
 Validation :
  • Access your Salesforce domain URL directly in the browser.
  • This should redirect you back to your configured IDP URL as shown below.
  • If you look at the above screenshot, you can see SAML Authentication request initiated from Salesforce(SP) and redirected to OAM IDP URL.
  • Enter your IDP credentials and click on Login button.
  • After successful authentication,  OAM responds back with SAML Response and posts it to Salesforce.
  • Similar to IDP initiated SSO, Salesforce will validate the SAML response message and redirect the user to home page.
  • You can view the SAML response highlighted in below screenshot.

  •  You are now landed onto Salesforce with the user you authenticated against IDP.
 Thank you for visiting.

Tuesday, February 21, 2017

Salesforce SSO with OAM PS3 ( [Part-2]

  • Click on 'Federation' and Go to 'Identity Provider administration'
  • Click on 'Create Service Provider Partner'
  • Click on 'browse' in Service information section and import the sp_metadata.xml file
  • Also provide the name and description of this partner profile
  • This will populate all the below details of service provider
    • providerid (Note: This is required while building this url for sso)
    • signing certificate and validity
  • Scroll down and update NameID format as below
    • NameID Format: Unspecified (SAML Subject NameID policy)
    • NameID value: UserID Store Attribute => mail  (OUD attribute name from which subject has to be populated)
  • Click on Save. This will finish the creation of Service provider partner profile on OAM side as shown below.
Test data setup in IDP and SP:
  • Lets create a test user profile on IDP authentication provider which is OUD in our lab.
  • Similarly create a user profile on salesforce side with same email as username.
  • Finally now let's validate the single sign-on to salesforce
  • Now build the OAM protected federation url as below and access it.
    • http://<ohs_host:ohsport>/oamfed/idp/initiatesso?providerid=<SP_partner_providerid>
  • From my environment, below is the URL
  • Provide the IDP user credentials as given below and click on submit
  •  Hurray... Now you are authenticated against IDP and seamlessly SSO'd into Salesforce
  • During this SSO, OAM will generate a SAML2.0 standards based message including user details and send it to salesforce. On the other end, salesforce will receive this message 
    • validates the sender with details configured in idp partner profile
    • identifies the user information in saml message
    • Redirects user to the home page
  • We can view SAML2.0 message flowing from IDP to SP with the help of browser extensions like 'SAML tracer' in firefox.
  •  Following is the SAML message that is generated from IDP to SP in our scenario which has various details like
    • Issuer information
    • NameID policy
    • subject value
    • validity of assertion  
    • audience
  • Purpose of all these information is very well explained in the link
  • That's all folks. In the future posts, I will post about various other features in Federated SSO using SAML2.0
Thanks for visiting..