Tuesday, March 13, 2018

Oracle Identity Manager(OIM) 12c New Features

                          Oracle Identity Manager(OIM) 12c New Features

In this blog we are going to see some new features introduced in Oracle Identity manager 12C.

From my search, I found there is not much major changes from UI level.

End user experience will be same for access request catalog and approval/ certification.

1. Oracle Identity Governance 12c infrastructure requires below components.
    Oracle database (, any 12c)
2. RCU (Repository Creation Utility) is in-built and can be run from /u03/oracle_common/bin.

3. OIM 12c finally support encryption of database. During creation of OIM users in database,
    RCU can encrypt database table-space.
    TDE (Transparent Data Encryption) option must be enabled in Oracle 12c database.
    TDE allow application to encrypt the table-space using secret key.
    Data is transparently decrypted for database users and applications that access this data.
    Database users and applications do not need to be aware that the data they are accessing
     is stored  in encrypted form.
    If the TDE is enabled in Oracle 12c database, RCU will automatically provide you an 
    option to make OIM table-space encrypted.

4. If you do not have DBA privilege, then you can create a script for DBA to run.
    Once DBA completed running the RCU generated scripts, you can run the
    post process configuration.
    This is very helpful where Database is managed by different administrative team.
5. OIM 12c is now having Application Onboarding capability through GUI.
    It will allow you to create and manage applications, templates, and instances of applications
    , and clone applications.
   This will faster the on-boarding process of applications into OIM.
6.Access Policy can be created and managed from the Manage tab in Identity Self Service
  In OIM12C By enabling and by setting XL.AllowRoleHierarchicalPolicyEval system property to TRUE
  You can achieve Inheriting the access granted via access policies from the parent role to child role 
7.In OIM 11gR2 PS3, single certifier was supported in the certification workflow
   From OIM 12c supports group of certifiers for Application Instance, Entitlement,
   Role and User certification.
8. In above screenshot as we can able to see OIM 12c introduces custom reviewer
    option in certification.

    It is applicable for Identity certification. Custom reviewer for certifications can 
    be specified by  defining certification rules in the 

    The advantage of above feature is, we can now assign certification request based on a rule
    defined for custom reviewer.

9. OIM 12c can Limit the entitlement-assignments, Role-assignment and Application-assignment
     to certify for each user option for creating a user certification definition.
     For example, while identity certification assigned to reviewer, only the selected roles,
     selected entitlements and selected Application instances will be visible for certification.
     In this way we can remove the birth rights for being certified.

9.We can publish multiple sandboxes in bulk and in a specified sequence using CSV file.

10.In OIM 12c, From Mange Connector you can define your new connectors from 
      all the available components.
      Below images shows, which allow you to choose components and create your 
      new connector inside OIM.
11. Below is new interface for deployment manager for import and export any new
     Development,Testing or Migration.

Feel free to drop your comments.

Friday, December 29, 2017

OIF 11g: Federation Fails With time sync issue between SP and IDP


OIF 11g partners are running out of sync in the time.  
That let's fail the federation with the error message: "AuthnResponse failed validation due to an invalid condition related to time".

Available solutions to fix the issue.

Solution 1: Solution Make sure that all the OIF partners are timely in sync.

Solution 2: But as a complete time sync accross all OIF partners could be challenging to accomplishand and verify, then there is actually this ... :

... that has been implemented, and which allows now to set a time clockdrift delta for the times on the SAML Assertion Conditions->NotBefore

The ER (Enhancement Request) bug is implemented only in (11gR2 PS2).
So, the OAM/OIF Federation has been enhanced to support setting outgoing clock drift adjustment, using WLST command updatePartnerProperty with "senderserverclockdrift" property.

The relevant documentation the WLST command as for this  release is available at : http://docs.oracle.com/cd/E40329_01/web.1112/e28155/custom_infra_security.htm#CHDEECBH

PS: Oracle Support strongly suggests and recommends the customers to move to the newer releases versions of the products as they use, and thus to benefit to the new available features as well as known bugs fixes.

Solution 3: If you cannot really move or plan to upgrade to OIF 11gR2PS2 for now, but still desperately need this ER fix, then an One-Off patch for the ER (Enhancement Request) bug 16906719  backport as on top of OIF 11gR1 has been completed.

The patch 16906719 is available from My Oracle Support as per patch 16906719


p16906719_111160_Generic.zip   59.2 KB

So, if you use the exact release of OIF 11gR1 version and still would like the fix of this, then please download 
Patch 16906719 and review the patch README file as included in the zip for patch installation.

Please test this on your testing environment, before moving it to Production environment.

As per this patch 
16906719, the OIF 11gR1 is enhanced with the backport of this bug in order to support setting outgoing clock drift adjustment, using the below WLST command to configure OIF :

- setConfigProperty("serverconfig", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
for OIF global setting, replace VALUE_IN_SECONDS by the value in seconds

- setFederationProperty("PROVIDER_ID", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
replace VALUE_IN_SECONDS by the value in seconds and PROVIDER_ID by the partner's ProviderID

Test case:
- set up Fed SSO for SAML2.0
- configure IdP using the WLST commands listed above
- at SP, go to test sp sso
- perform Fed SSO with IdP
- in the result, see the SAML assertion
- look for Conditions->NotBefore

Without fix it will be equals to IssueInstant (in Assertion)

With fix it will be equals to IssueInstant (in Assertion) minus senderserverclockdrift

PS: This patch is only applicable to OIF 11gR1 and you might need to double-check with possible patches conflict (as if you might have other existing OIF 11gR1 patches as running on the same environment).

4)* If you use any other OIF 11gR1 11.1.1.x (other than the OIF, then there is currently no other patch available on the same for OIF 11.1.1.x, and thus you would need to double check with OIF product support team on any further specific request on the same.
But still, the best option and recommended solution is to really move to newer version of OAM/OIF 11gR2PS2 and/or any later/newer version coming after it.

Siva Pokuri

Wednesday, December 27, 2017

The HTTP Filter DLL C:\oracle\product\11.1.1\as_1\webgate\iis\lib\webgate.dll failed to load. The data is the error.

The HTTP Filter DLL C:\oracle\product\11.1.1\as_1\webgate\iis\lib\webgate.dll failed to load.  The data is the error. 
Could not load all ISAPI filters for site 'examplesite'.  Therefore site startup aborted.


After installation of IIS7 webgate on Windows 2008 R2 when a protected
resource is accessed following error is displayed


The HTTP Filter DLL C:\oracle\product\11.1.1\as_1\webgate\iis\lib\webgate.dll
failed to load.The data is the error.Could not load all ISAPI filters for site 'examplesite'.  
Therefore site startup aborted.


Missing Microsoft VC++ libraries and incorrect information in webgate.ini file

To resolve above issue:
  1. Download and install Visual C++ Redistributable for Visual Studio 2012 Update 4 64bit on windows 2008 R2 machine where IIS webgate is installed.
  2. Now try to access protected resource.
  3. You should be successfully redirected to login page