Tuesday, November 17, 2015

WATCH: Oracle Access Manager(OAM) 11g R2 PS3 Impersonation Demo

Oracle Access Manager 11g R2 PS3 Impersonation Demo

Pre-requisites:
  1. OAM 11g R2 PS3 environment is up and running with OUD as user store & protected sample resource called “spokuri.html” with LDAPSchema
  2. Enabled Impersonation in OAM & Extend OAM LDAP schema into OUD directory server
  3. Created user “kpokuri”(Impersonatee) with “orclIDXPerson” object class in OUD
  4. Created user “spokuri”(Impersonator) in OUD
  5. Added an attribute “orclImpersonationGrantee” to “kpokuri” and value as “8c69d7465afc406a947669204ad88ecf|20100324163000Z|20180524172000Z”

Description: orclImpersonationGrantee attribute value has 3 parameters separated by pipe “|”.

1.     Impersonator orclguid. In this case, it’s “spokuri” user orclguid.
2.     Impersonation start date
3.     Impersonation end date


Demo Video: 




Test Case:

  1. Access OAM LDAP Schema protected resource http://pokuri.demo.com:7777/spokuri.html
  2. Enter impersonator credentials spokuri/<<password>>
  3. Open a new tab and access http://pokuri.demo.com:14100/oam/server/impersonate/start?userid=kpokuri&success_url=http://pokuri.demo.com:7777/kpokuri.html&failure_url=http://pokuri.demo.com:7777/error.html
  4. When prompted enter impersonator password again
  5. Up on successful impersonation to user “kpokuri” new session will be created in OAM for user “kpokuri”.
  6. Check the “kpokuri” user session in OAM admin console “session management” and notice that impersonation field will be “true”.



Hope this helps some one out there!!

-- Siva Pokuri.
Posted by
Labels: , , , , , ,

5 comments:

  1. UnknownAugust 23, 2016 at 9:32 AM

    Thanks, this was helpful. Do you know if there is a way to skip the requirement to enter your password when starting an impersonation session?

    ReplyDelete
  2. David CorvalánAugust 7, 2017 at 2:41 PM

    Hi Siva.
    I tried to perform your Impersonation example, but I don't achieve perform the inpersonation.
    I have OAM 11.1.2.3 with an OHS 11g.
    I have a test2 and test3 users in OUD instance. The user test3 have the attribute "orclImpersonationGrantee" with the value "651aa626a3444a8999062e58c79a99d3|20170724163000Z|20180524172000Z", when "651aa626a3444a8999062e58c79a99d3" is the orclGUID from test2 user.
    I have another WLS instance with a test static pages deployed: app01.html, app02.html and apperror.html.
    app01 and app02 are protected in OAM and apperror is an excluded resource.
    I will tried access to app01 (http://mydomain:7778/app01/app01.html), and OHS redirect to OAM. Then I put credentials from test2 user and obtain the static page app01. At this point all fine.
    Now I tried to access to http://mydomain:14100/oam/server/impersonate/start?userid=test3&success_url=http://mydomain:7778/app02/app02.html&failure_url=http://mydomain:7778/apperror/error.html.
    Then, the "impconsent.jsp" is never displayed and the request was redirected to http://mydomain:7778/apperror/error.html. In logs files any error is displayed. Can you help me?

    ReplyDelete
    Replies
    1. UnknownMarch 16, 2018 at 8:19 AM

      Hi David,
      Did you solve the problem? I got the same problem.

      Thanks

      Delete
    2. UnknownMarch 16, 2018 at 8:20 AM

      Hi David,
      Did you solve the problem? I got the same error.
      Thanks

      Delete
    3. siva pokuriMarch 16, 2018 at 9:22 AM

      Did you perform all the configuration steps as mentioned above?

      And please check OAM diagnostic logs and reply with exact error message to suggest possible reason for the issue.

      Thanks

      Delete

Subscribe to: Post Comments (Atom)