Thursday, November 9, 2017

OIF 11g: Federation Fails With time sync issue between SP and IDP

Issue:

The clocks of the OIF 11g partners are out of sync.
This causes the federation to fail with the error message: "AuthnResponse failed validation due to an invalid condition related to time".

Available solutions to fix the issue:

Solution 1: Make sure that the clocks of all OIF partners are in sync.

Solution 2: Since a complete time sync across all OIF partners can be challenging to accomplish and verify, there is an enhancement request for exactly this case:
ER 16906719 - FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMLY IN SYNC - CLOCKS SKEW NEEDED

It has been implemented and allows setting a clock drift delta for the time in the SAML Assertion Conditions->NotBefore.

The ER (Enhancement Request) bug is implemented only in 11.1.2.2.0 (11gR2 PS2).
So, OAM/OIF Federation 11.1.2.2.0 has been enhanced to support setting an outgoing clock drift adjustment, using the WLST command updatePartnerProperty with the "senderserverclockdrift" property.

The relevant documentation of the WLST command for the 11.1.2.2.0 release is available at: http://docs.oracle.com/cd/E40329_01/web.1112/e28155/custom_infra_security.htm#CHDEECBH

PS: Oracle Support strongly recommends that customers move to the newer release versions of the products they use, in order to benefit from the new features as well as from the fixes for known bugs.


Solution 3: If you cannot move to or plan an upgrade to OIF 11gR2 PS2 for now, but still need this ER fix, a One-Off patch backporting the ER (Enhancement Request) bug 16906719 on top of OIF 11gR1 11.1.1.6.0 has been completed.

Patch 16906719 is available from My Oracle Support:

--> Patch 16906719: FEDERATION FAILS WHEN IDP AND SP ARE NOT TIMELY IN SYNC - CLOCKS SKEW NEEDED (Patch)

p16906719_111160_Generic.zip   59.2 KB

So, if you use exactly the OIF 11gR1 11.1.1.6.0 release and would like this fix, please download Patch 16906719 and review the patch README file included in the zip for the patch installation steps.

Please test this in your test environment before moving it to the Production environment.

With patch 16906719, OIF 11gR1 11.1.1.6.0 is enhanced with the backport of this bug to support setting an outgoing clock drift adjustment, using the WLST commands below to configure OIF 11.1.1.6.0:

- setConfigProperty("serverconfig", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
for the OIF global setting; replace VALUE_IN_SECONDS with the value in seconds

- setFederationProperty("PROVIDER_ID", "senderserverclockdrift", "VALUE_IN_SECONDS", "long")
for a per-partner setting; replace VALUE_IN_SECONDS with the value in seconds and PROVIDER_ID with the partner's ProviderID

Test case:
- set up Fed SSO for SAML2.0
- configure IdP using the WLST commands listed above
- at SP, go to test sp sso
- perform Fed SSO with IdP
- in the result, see the SAML assertion
- look for Conditions->NotBefore

Without the fix it equals the IssueInstant (in the Assertion).

With the fix it equals the IssueInstant (in the Assertion) minus senderserverclockdrift.
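To make the test case above concrete, here is an added example (my own code, not part of the original post or of any Oracle product) that parses a constructed SAML 2.0 assertion, computes IssueInstant minus Conditions->NotBefore (which is the senderserverclockdrift value the IdP applied, or 0 without the fix), and performs the SP-side Conditions check with an optional local skew tolerance. The assertion content, the partner URLs and the 120-second drift are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample assertion (not output captured from a real OIF partner).
# It is shaped like one issued with senderserverclockdrift=120: NotBefore is
# 120 seconds earlier than IssueInstant.
PATCHED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2017-11-09T10:00:00Z">
  <saml:Issuer>https://idp.example.com/oif</saml:Issuer>
  <saml:Conditions NotBefore="2017-11-09T09:58:00Z" NotOnOrAfter="2017-11-09T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/oif</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# The same assertion as an unpatched IdP would issue it: NotBefore == IssueInstant.
UNPATCHED_ASSERTION = PATCHED_ASSERTION.replace(
    'NotBefore="2017-11-09T09:58:00Z"', 'NotBefore="2017-11-09T10:00:00Z"')


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def assertion_times(assertion_xml):
    """Extract IssueInstant and the Conditions time window from an assertion."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find(SAML_NS + "Conditions")
    return {
        "issue_instant": parse_saml_time(root.get("IssueInstant")),
        "not_before": parse_saml_time(conditions.get("NotBefore")),
        "not_on_or_after": parse_saml_time(conditions.get("NotOnOrAfter")),
    }


def sender_clock_drift_seconds(assertion_xml):
    """IssueInstant minus NotBefore, i.e. the drift the IdP applied (0 without the fix)."""
    t = assertion_times(assertion_xml)
    return int((t["issue_instant"] - t["not_before"]).total_seconds())


def conditions_valid(assertion_xml, sp_now, allowed_skew_seconds=0):
    """SP-side Conditions check with an optional local tolerance for clock skew.

    sp_now is the SP's own clock reading. Returns (ok, reason).
    """
    t = assertion_times(assertion_xml)
    skew = timedelta(seconds=allowed_skew_seconds)
    if sp_now + skew < t["not_before"]:
        return False, "invalid condition: NotBefore is in the future"
    if sp_now - skew >= t["not_on_or_after"]:
        return False, "invalid condition: NotOnOrAfter has passed"
    return True, "ok"


if __name__ == "__main__":
    # Scenario: the SP clock runs 90 seconds behind the IdP clock.
    sp_now = parse_saml_time("2017-11-09T09:58:30Z")
    for label, xml in (("unpatched", UNPATCHED_ASSERTION), ("patched", PATCHED_ASSERTION)):
        print(label, "drift =", sender_clock_drift_seconds(xml),
              "valid =", conditions_valid(xml, sp_now))
```

With the SP 90 seconds behind the IdP, the unpatched assertion fails the NotBefore check while the patched one (IdP-side drift of 120 s) passes; the allowed_skew_seconds parameter shows the equivalent tolerance applied on the SP side instead.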

PS: This patch is only applicable to OIF 11gR1 11.1.1.6.0, and you may need to double-check for patch conflicts (if you have other OIF 11gR1 patches running on the same environment).

Solution 4: If you use any other OIF 11gR1 11.1.1.x release (other than OIF 11.1.1.6.0), there is currently no patch for this available for OIF 11.1.1.x, so you would need to check with the OIF product support team for any further specific request.
Still, the best and recommended solution is to move to the newer OAM/OIF 11gR2 PS2 11.1.2.2.0 version or any later version.


Thanks
Siva Pokuri

Tuesday, October 10, 2017

How to allow multiple login attributes in OAM/OAAM integrated environment

Requirement:

The requirement is to allow users to log in with either of two different LDAP attributes (e.g. uid and email address).

Oracle solution:

Ref: How to allow multiple login attributes in OAM/OAAM integration using a custom TAP module (Doc ID 2190079.1)

For login, the user enters username and password on the OAAM page used when integrated with OAM (oaam_server/oamLoginPage.jsp).

Doing so, however, implies that OAAM will have to keep two security profiles, one per login attribute. When a user is authenticated with a different attribute for the first time, he will be seen as a new user (OAAM creates a new user record with login_id set to the new attribute value in the VCRYPT_USERS database table), so the registration process takes place again.

This also affects any pattern and behavior data which OAAM registers for that user (who is now seen by OAAM as two users), so it is not recommended if one wants highly accurate login and pattern data for each user.

Custom solution:

Since there is a limitation when OAAM is part of the solution, as described in the Oracle solution above, the custom solution below prevents creating duplicate OAAM security profiles for the same user logging in with either username or email address, and no custom TAP module needs to be created in OAM.

This can be achieved by customizing the OAAM login flow using OAAM extensions.

High level steps:

  1. Copy the struts config action mapping for /login.do from oaam_server.ear to the struts XML file in the OAAM extensions WAR file.
  2. Change the "success" redirect of the "/login.do" action mapping to a custom action (example: /validateUser.do).
  3. Write an action class extending the struts action with the logic below:
    1. Get the email address/username the user entered on the OAAM login page from the OAAM session.
    2. Write custom logic (JNDI code) in the custom action class to get the user's login attribute (uid) from the user store.
    3. Update the UIOSessionData instance with the user login attribute (uid) retrieved from the user store.
    4. Recreate VcryptAuthUser with the login username (the uid attribute retrieved from the user store) if the user already has an OAAM security profile.
    5. Send the action forward to "/loginJump.do" to continue the login process with the username (uid attribute) even though the user entered an email address.
  4. Build the custom action class into a custom jar file and deploy it in the OAAM extensions WAR under the /WEB-INF/lib folder.
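Steps 3.1 to 3.3 above boil down to one rule: whatever the user typed (uid or email) must be resolved to exactly one canonical uid before OAAM looks up the security profile. Here is an added example of that resolution logic (my own code, not part of the original post or of OAAM), written in Python rather than as the Java struts action class. The JNDI DirContext.search call is replaced by an in-memory stand-in over a constructed directory, the uid/mail attribute names and the example entries are assumptions, and the filter value is escaped per RFC 4515 so that a typed login value cannot alter the search filter.

```python
import re

# Constructed in-memory stand-in for the LDAP user store (not a real directory).
CONSTRUCTED_DIRECTORY = [
    {"uid": "jdoe", "mail": "john.doe@example.com"},
    {"uid": "asmith", "mail": "anne.smith@example.com"},
    {"uid": "shared", "mail": "helpdesk@example.com"},
    {"uid": "shared2", "mail": "helpdesk@example.com"},  # duplicate mail: ambiguous login value
]


def escape_ldap_filter_value(value):
    """Escape a user-typed value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_ldap_filter_value(value):
    """Inverse of escape_ldap_filter_value (used only by the in-memory stand-in)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_login_filter(login_value):
    """Filter that matches the typed value against either login attribute."""
    v = escape_ldap_filter_value(login_value)
    return "(|(uid=%s)(mail=%s))" % (v, v)


def in_memory_search(directory):
    """Return a search(filter) callable standing in for DirContext.search.

    It understands only the filter shape produced by build_login_filter and
    compares values case-insensitively, as a typical directory would.
    """
    def search(filter_str):
        prefix, middle = "(|(uid=", ")(mail="
        if not filter_str.startswith(prefix) or middle not in filter_str:
            raise ValueError("unsupported filter shape")
        typed = unescape_ldap_filter_value(
            filter_str[len(prefix):filter_str.index(middle)]).lower()
        return [e for e in directory
                if e["uid"].lower() == typed or e["mail"].lower() == typed]
    return search


def resolve_login_to_uid(login_value, search):
    """Map whatever the user typed (uid or mail) to the canonical uid.

    Exactly one directory entry must match; no match or an ambiguous match
    fails closed with None, so no profile is ever created under a wrong key.
    """
    entries = search(build_login_filter(login_value))
    if len(entries) != 1:
        return None
    return entries[0]["uid"]


if __name__ == "__main__":
    search = in_memory_search(CONSTRUCTED_DIRECTORY)
    for typed in ("john.doe@example.com", "JDOE", "helpdesk@example.com", "*"):
        print(typed, "->", resolve_login_to_uid(typed, search))
```

In the real action class, the value returned by resolve_login_to_uid is what goes into UIOSessionData and VcryptAuthUser, so the OAAM profile is always keyed by uid regardless of what the user entered.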
Thanks
Siva Pokuri.



Tuesday, September 5, 2017

OUD (Oracle Unified Directory) 12c PS3 (12.2.1.3.0) is released!

Download link: http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html



Oracle Note on OUD 12c installation and configuration:

OUD 12c: How to Download and Install OUD 12c in Standalone Mode (with No Domain Configuration) (Doc ID 2298379.1)

Wednesday, August 23, 2017

Oracle Mobile Authenticator (OMA) Offline secret key generation curl command


Curl command to generate the secret key used for account registration in the Oracle Mobile Authenticator (OMA) app:

curl --user <<USERID>>:<<PASSWORD>> --data "" http://<<HOST_NAME>>:14100/ms_oauth/resources/userprofile/secretkey


Click Here for Oracle Mobile Authenticator integration with OAM.

Thanks
Siva Pokuri.

OIF 11g "Authentication request is expired" error message


Issue

When the IDP and SP system times are not in sync you may see the "Authentication request is expired" error message in the OIF log, and a SAML message with "RequestDenied" status.

Error Message:

[2017-08-23T10:05:11.877-04:00] [oam_server1] [ERROR] [FED-15063] [oracle.security.fed.eventhandler.fed.profiles.utils.CheckUtils] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 8eeddbe1def2bc04:-43c8fb68:15df144d399:-8000-000000000106474c,0] [APP: oam_server#11.1.2.0.0] Authentication request is expired.

Cause

The error message above appears when the system times of the Identity Provider (OIF) and Service Provider servers are not in sync.

Resolution

Make sure the system times of both the Service Provider and Identity Provider machines are in sync.

Thanks
Siva Pokuri.

Tuesday, July 25, 2017

OAAM Tips: Enable Secure and HTTPonly to all OAAM cookies

There are two properties that control the Secure and HttpOnly flags of OAAM cookies:

  1. The "oaam.cookies.secure" property can be "true" or "false". By default the value is "false". If all OAAM cookies need to be Secure, set this property to "true".
  2. The "oaam.cookies.httponly" property is "true" by default.
It is always good practice to have both set to true: Secure prevents the browser from sending the cookies over plain HTTP in clear text, and HttpOnly keeps them out of reach of client-side script.
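To verify that the two properties actually took effect, here is an added example (my own code, not part of the original post or of OAAM) that audits Set-Cookie header values and reports, per cookie, which of the Secure and HttpOnly flags is missing. The cookie names and header values are constructed samples, not captured from a real OAAM server.

```python
# Constructed Set-Cookie header values as a browser or proxy would see them
# (cookie names are made up for the example, not real OAAM cookie names).
SAMPLE_SET_COOKIE_HEADERS = [
    "oaam.session=abc123; Path=/oaam_server; Secure; HttpOnly",
    "oaam.device=dev42; Path=/oaam_server; HttpOnly",
    "oaam.flow=xyz; Path=/oaam_server",
]

# Flags expected on every OAAM cookie once oaam.cookies.secure and
# oaam.cookies.httponly are both "true".
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def missing_flags(header_value):
    """Return (cookie name, list of required flags absent from this cookie)."""
    name, attrs = parse_set_cookie(header_value)
    return name, [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def audit_cookies(header_values):
    """Map cookie name -> missing flags, listing only cookies that miss something."""
    findings = {}
    for header_value in header_values:
        name, missing = missing_flags(header_value)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print("%s is missing: %s" % (name, ", ".join(missing)))
```

In practice you would feed audit_cookies the Set-Cookie values from an HTTPS response of the OAAM server (for example every header named Set-Cookie from http.client's response.getheaders()); an empty result means both properties are effective.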

Thanks
Siva Pokuri.



Tuesday, March 14, 2017

TIPS: Change Database Hostname After OAM security store configured

Issue: 

The database hostname needs to be changed after the OAM security store has been configured.

Changes: 
  1. Login to the WebLogic console and modify the connection pools below:
    1. Navigate to "Services > Datasources > oamDS > Connection Pool" and modify the connection details.
    2. Navigate to "Services > Datasources > opss-DBDS > Connection Pool" and modify the connection details.
    3. If the WebLogic console is not accessible, modify the two files "oam-db-jdbc.xml and opss-jdbc.xml" under <MW_HOME>/user_projects/domains/base_domain/config/jdbc.
  2. Login to the server and navigate to the location below:
    1. <MW_HOME>/user_projects/domains/base_domain/config/fmwconfig/
    2. Modify the jps-config-jse.xml, jps-config-migration.xml and jps-config.xml files.
    3. Modify the "jdbc.url" property and update it with the new hostname.
  3. Restart the Admin server and the managed servers.
  4. Repeat step 2 on all your cluster nodes.
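Step 2 is easy to get partially wrong on a multi-node cluster, and the error below is what a missed file produces. Here is an added example (my own code, not part of the original post or of Oracle's tooling) that lists the hostnames used by every "jdbc.url" property in the three jps-config files, rewrites only the host part of URLs that still point at the old host, and verifies that none remain. The XML fragment, the hostnames and the service name are constructed samples; the FMWCONFIG_FILES names are the three files the steps above name.

```python
import os
import re

# Constructed fragment in the shape of jps-config.xml properties
# (not taken from a real domain's file).
SAMPLE_JPS_CONFIG = """<serviceInstance name="policystore.db" provider="policystore.provider">
  <property name="jdbc.url" value="jdbc:oracle:thin:@olddbhost.example.com:1521/oamdb"/>
  <property name="jdbc.driver" value="oracle.jdbc.OracleDriver"/>
</serviceInstance>
<serviceInstance name="credstore.db" provider="credstore.provider">
  <property name="jdbc.url" value="jdbc:oracle:thin:@//olddbhost.example.com:1521/oamdb"/>
</serviceInstance>"""

# The three files under fmwconfig that the steps above say to modify.
FMWCONFIG_FILES = ("jps-config.xml", "jps-config-jse.xml", "jps-config-migration.xml")

# Matches a jdbc.url property in thin-driver form, with or without the "//"
# prefix: group 1 = everything up to the host, group 2 = host, group 3 = ":port".
JDBC_URL_PROPERTY = re.compile(
    r'(name="jdbc\.url"\s+value="jdbc:oracle:thin:@(?://)?)([^:/"]+)(:\d+)')


def jdbc_hosts(xml_text):
    """Every hostname currently used by a jdbc.url property in the file text."""
    return [m.group(2) for m in JDBC_URL_PROPERTY.finditer(xml_text)]


def replace_jdbc_host(xml_text, old_host, new_host):
    """Rewrite the host of jdbc.url entries that point at old_host.

    Only the host part changes; driver, port and service name stay as they are.
    Returns (new_text, number_of_entries_changed).
    """
    changed = 0

    def substitute(m):
        nonlocal changed
        if m.group(2).lower() != old_host.lower():
            return m.group(0)
        changed += 1
        return m.group(1) + new_host + m.group(3)

    return JDBC_URL_PROPERTY.sub(substitute, xml_text), changed


def no_stale_host(xml_text, old_host):
    """True when no jdbc.url in the file still references old_host."""
    return all(h.lower() != old_host.lower() for h in jdbc_hosts(xml_text))


def update_fmwconfig(fmwconfig_dir, old_host, new_host, dry_run=True):
    """Apply replace_jdbc_host to the three files; returns {filename: entries changed}.

    With dry_run=True nothing is written, which is the mode to run first on each node.
    """
    report = {}
    for fname in FMWCONFIG_FILES:
        path = os.path.join(fmwconfig_dir, fname)
        with open(path, encoding="utf-8") as f:
            text = f.read()
        new_text, count = replace_jdbc_host(text, old_host, new_host)
        report[fname] = count
        if count and not dry_run:
            with open(path, "w", encoding="utf-8") as f:
                f.write(new_text)
    return report


if __name__ == "__main__":
    print("hosts before:", jdbc_hosts(SAMPLE_JPS_CONFIG))
    updated, count = replace_jdbc_host(SAMPLE_JPS_CONFIG, "olddbhost.example.com", "newdbhost.example.com")
    print("entries changed:", count, "stale host left:", not no_stale_host(updated, "olddbhost.example.com"))
```

Run update_fmwconfig with dry_run=True against <MW_HOME>/user_projects/domains/base_domain/config/fmwconfig on each cluster node first; a file reporting 0 changes while others report more is exactly the inconsistency that leads to the "Connection refused" errors below.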

Expected error if the jps-config-jse.xml, jps-config-migration.xml and jps-config.xml files are not modified:


Info: Data source is: opss-DBDS
[EL Severe]: 2017-03-14 20:39:37.575--ServerSession(1547285287)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
Error Code: 17002
Mar 14, 2017 8:39:37 PM oracle.security.jps.internal.common.config.AbstractSecurityStore getSecurityStoreVersion
WARNING: Unable to get the Version from Store returning the default. Reason: java.net.ConnectException: Connection refused.
[EL Severe]: 2017-03-14 20:39:37.978--ServerSession(1619843188)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
Error Code: 17002
Mar 14, 2017 8:39:37 PM oracle.security.jps.internal.credstore.ldap.LdapCredentialStore init
WARNING: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreConnectivityException: JPS-00027: There was an internal error: java.net.ConnectException: Connection refused
JPS-01055: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreConnectivityException: JPS-00027: There was an internal error: java.net.ConnectException: Connection refused
Error: Diagnostics data was not saved to the credential store.
Error: Validate operation has failed.
Need to do the security configuration first!


Thanks
Kiran Pokuri

Wednesday, January 18, 2017

Update: Oracle IDM Suite BP 11.1.2.3.170117 (Patch 25038775) with OAM login page bookmark fix

Oracle released a new bundle patch yesterday for the Oracle IDM 11g R2 PS3 release.

It looks like Oracle Access Manager introduced a feature: "Ability to access login form from favourites (Bookmarks)".

I just noticed it and thought I'd share. I will have to give it a try. If you are already running on PS3, give it a try and share your experience.


Hope it helps someone out there.

-- Siva Pokuri.