Tuesday, November 17, 2015

WATCH: Oracle Access Manager(OAM) 11g R2 PS3 Impersonation Demo

Oracle Access Manager 11g R2 PS3 Impersonation Demo

  1. OAM 11g R2 PS3 environment is up and running with OUD as the user store and a sample resource called “spokuri.html” protected with LDAPSchema
  2. Enabled Impersonation in OAM and extended the OAM LDAP schema into the OUD directory server
  3. Created user “kpokuri” (Impersonatee) with the “orclIDXPerson” object class in OUD
  4. Created user “spokuri” (Impersonator) in OUD
  5. Added the attribute “orclImpersonationGrantee” to “kpokuri” with the value “8c69d7465afc406a947669204ad88ecf|20100324163000Z|20180524172000Z”

Description: the orclImpersonationGrantee attribute value has 3 parameters separated by a pipe “|”:

  1. Impersonator orclguid. In this case, it is the orclguid of the “spokuri” user.
  2. Impersonation start date
  3. Impersonation end date
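As an added example (not part of the post), here is a small Python check of an orclImpersonationGrantee value: it validates the three pipe-separated fields described above and reports whether a given impersonator orclguid is inside the grant's date window at a chosen time. The 32-hex-digit GUID check and the UTC generalized-time format of the two timestamps are assumptions drawn from the sample value.

```python
import re
from datetime import datetime, timezone

# The two timestamps are LDAP generalized time in UTC, e.g. 20100324163000Z
_TS_FORMAT = "%Y%m%d%H%M%SZ"
# Assumption: an orclguid is 32 hex digits, as in the value from the post
_GUID_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def _parse_ts(ts):
    return datetime.strptime(ts, _TS_FORMAT).replace(tzinfo=timezone.utc)

def parse_grant(value):
    """Split an orclImpersonationGrantee value into (guid, start, end).
    Raises ValueError on a malformed value so a bad grant is caught when it is
    written to OUD instead of failing silently at /oam/server/impersonate/start."""
    parts = value.split("|")
    if len(parts) != 3:
        raise ValueError("expected 3 pipe-separated fields, got %d" % len(parts))
    guid, start, end = parts
    if not _GUID_RE.match(guid):
        raise ValueError("impersonator orclguid must be 32 hex digits")
    start_dt, end_dt = _parse_ts(start), _parse_ts(end)
    if end_dt <= start_dt:
        raise ValueError("impersonation end date must be after the start date")
    return guid.lower(), start_dt, end_dt

def grant_error(value):
    """None if the value is well formed, otherwise the problem as text."""
    try:
        parse_grant(value)
        return None
    except ValueError as exc:
        return str(exc)

def is_grant_active(value, impersonator_guid, now_ts=None):
    """True if the grant names impersonator_guid and the check time (a
    generalized-time string, default: current UTC time) lies in its window."""
    guid, start_dt, end_dt = parse_grant(value)
    now = _parse_ts(now_ts) if now_ts else datetime.now(timezone.utc)
    return guid == impersonator_guid.lower() and start_dt <= now < end_dt

# Constructed sample: the grant value and impersonator GUID from the post
GRANT = "8c69d7465afc406a947669204ad88ecf|20100324163000Z|20180524172000Z"
SPOKURI_GUID = "8c69d7465afc406a947669204ad88ecf"

if __name__ == "__main__":
    print(is_grant_active(GRANT, SPOKURI_GUID, "20160101000000Z"))  # True
    print(is_grant_active(GRANT, SPOKURI_GUID, "20190101000000Z"))  # False (expired)
    print(grant_error("8c69d7465afc406a947669204ad88ecf|20100324163000Z"))
```

Running this against a grant before writing it to OUD rules out a malformed value or an expired window, two things worth checking before digging through the OAM diagnostic logs.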

Demo Video: 

Test Case:

  1. Access the OAM LDAP Schema-protected resource http://pokuri.demo.com:7777/spokuri.html
  2. Enter the impersonator credentials spokuri/<<password>>
  3. Open a new tab and access http://pokuri.demo.com:14100/oam/server/impersonate/start?userid=kpokuri&success_url=http://pokuri.demo.com:7777/kpokuri.html&failure_url=http://pokuri.demo.com:7777/error.html
  4. When prompted, enter the impersonator password again
  5. Upon successful impersonation of user “kpokuri”, a new session is created in OAM for user “kpokuri”.
  6. Check the “kpokuri” user session in the OAM admin console under “Session Management” and notice that the impersonation field is “true”.

Hope this helps someone out there!!

-- Siva Pokuri.


  1. Thanks, this was helpful. Do you know if there is a way to skip the requirement to enter your password when starting an impersonation session?

  2. Hi Siva.
    I tried to perform your Impersonation example, but I can't manage to perform the impersonation.
    I have OAM with an OHS 11g.
    I have test2 and test3 users in an OUD instance. The user test3 has the attribute "orclImpersonationGrantee" with the value "651aa626a3444a8999062e58c79a99d3|20170724163000Z|20180524172000Z", where "651aa626a3444a8999062e58c79a99d3" is the orclGUID of the test2 user.
    I have another WLS instance with test static pages deployed: app01.html, app02.html and apperror.html.
    app01 and app02 are protected in OAM and apperror is an excluded resource.
    I tried to access app01 (http://mydomain:7778/app01/app01.html), and OHS redirected to OAM. Then I entered the credentials of the test2 user and obtained the static page app01. At this point all is fine.
    Now I tried to access http://mydomain:14100/oam/server/impersonate/start?userid=test3&success_url=http://mydomain:7778/app02/app02.html&failure_url=http://mydomain:7778/apperror/error.html.
    Then the "impconsent.jsp" is never displayed and the request is redirected to http://mydomain:7778/apperror/error.html. In the log files no error is displayed. Can you help me?

    1. Hi David,
      Did you solve the problem? I got the same problem.


    2. Hi David,
      Did you solve the problem? I got the same error.

    3. Did you perform all the configuration steps as mentioned above?

      And please check the OAM diagnostic logs and reply with the exact error message so that I can suggest a possible reason for the issue.