
Tuesday, October 10, 2017

How to allow multiple login attributes in OAM/OAAM integrated environment

Requirement:

The requirement is to let users choose, at login time, between two different LDAP attributes (for example uid and email address).

Oracle solution:

Ref: How to allow multiple login attributes in OAM/OAAM integration using a custom TAP module (Doc ID 2190079.1)

To log in, the user enters a username and password on the OAAM login page used in the OAM integration (oaam_server/oamLoginPage.jsp).

Doing so, however, implies that OAAM has to keep two security profiles, one per login attribute. When a user authenticates with the other attribute for the first time, OAAM sees a new user (it creates a new user record in the VCRYPT_USERS database table with login_id set to the new attribute value), so the registration process takes place again.

This also affects any pattern and behavior data OAAM records for that user (who is now seen by OAAM as two users), so it is not recommended where highly accurate login and pattern data per user is required.

Custom solution:

Because of this limitation when OAAM is part of the solution, the custom solution below prevents duplicate OAAM security profiles for the same user logging in with either username or email address, and no custom TAP module needs to be created in OAM.

This is achieved by customizing the OAAM login flow using OAAM extensions.

High level steps:

  1. Copy the struts config action mapping for /login.do from oaam_server.ear into the struts XML file of the OAAM extensions WAR.
  2. Change the "success" forward of the "/login.do" action mapping to a custom action (example: /validateUser.do).
  3. Write an action class extending the struts Action with the following logic:
    1. Get the email address/username the user entered on the OAAM login page from the OAAM session.
    2. Use custom logic (JNDI code) in the action class to look up the user's login attribute (uid) in the user store.
    3. Update the UIOSessionData instance with the login attribute (uid) retrieved from the user store.
    4. Recreate the VcryptAuthUser with the login username (the uid retrieved from the user store) if the user already has an OAAM security profile.
    5. Forward to "/loginJump.do" to continue the login process with the username (uid attribute) even though the user entered an email address.
  4. Build the custom action class into a jar file and deploy it in the OAAM extensions WAR under /WEB-INF/lib.
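As an added example (not code from this post), a hypothetical LoginIdResolver helper for step 3.2: it resolves whatever was typed on the OAAM login page (uid or mail) to the uid held in the user store, so a single OAAM profile is used. The LDAP URL, bind account and base DN are assumed values, and the form input is escaped before it goes into the search filter.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Hypothetical helper: maps the entered login id (uid or mail) to the canonical uid. */
public class LoginIdResolver {

    private final String providerUrl;    // assumed, e.g. ldap://ldap.example.com:389
    private final String bindDn;         // service account used only for the lookup
    private final String bindPassword;
    private final String userBaseDn;     // assumed, e.g. ou=people,dc=example,dc=com

    public LoginIdResolver(String providerUrl, String bindDn, String bindPassword, String userBaseDn) {
        this.providerUrl = providerUrl;
        this.bindDn = bindDn;
        this.bindPassword = bindPassword;
        this.userBaseDn = userBaseDn;
    }

    /** RFC 4515 escaping: the value comes straight from the login form. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Match on mail when the input looks like an address, otherwise on uid. */
    static String buildFilter(String enteredId) {
        String attr = enteredId.contains("@") ? "mail" : "uid";
        return "(&(objectClass=person)(" + attr + "=" + escapeFilterValue(enteredId) + "))";
    }

    /** Returns the uid, or null when no entry or more than one entry matches. */
    public String resolveUid(String enteredId) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"uid"});

        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results =
                ctx.search(userBaseDn, buildFilter(enteredId), controls);
            if (!results.hasMore()) return null;          // unknown user: let login fail normally
            SearchResult first = results.next();
            if (results.hasMore()) return null;           // ambiguous mail value: refuse to guess
            Attribute uid = first.getAttributes().get("uid");
            return uid == null ? null : (String) uid.get();
        } finally {
            ctx.close();
        }
    }
}
```

A null result should leave the entered value untouched so the normal OAAM failure handling applies; only a non-null uid is written into UIOSessionData in step 3.3.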
Thanks
Siva Pokuri.



Tuesday, March 14, 2017

TIPS: Change Database Hostname After OAM security store configured

Change Database Hostname After OAM security store is configured

Issue: 

The database hostname needs to be changed after the OAM security store has been configured.

Changes: 
  1. Log in to the WebLogic console and modify the connection pools below.
    1. Navigate to "Services > Datasources > oamDS > Connection Pool" and modify the connection details.
    2. Navigate to "Services > Datasources > opss-DBDS > Connection Pool" and modify the connection details.
    3. If the WebLogic console is not accessible, modify the two files "oam-db-jdbc.xml" and "opss-jdbc.xml" under <MW_HOME>/user_projects/domains/base_domain/config/jdbc instead.
  2. Log in to the server and navigate to the location below.
    1. <MW_HOME>/user_projects/domains/base_domain/config/fmwconfig/
    2. Modify the jps-config-jse.xml, jps-config-migration.xml and jps-config.xml files.
    3. Modify the "jdbc.url" property and update it with the new hostname.
  3. Restart the Admin server and the managed server.
  4. Repeat step 2 on all your cluster nodes.
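Added example, not from this post: a hypothetical JdbcHostCheck that pulls the host out of every jdbc.url it finds in the datasource descriptors and jps-config files, so a file missed in step 1 or 2 is reported before the restart in step 3. The XML fragments are constructed to mimic the two file formats and the hostnames are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Hypothetical checker: which DB host does each config file still point at? */
public class JdbcHostCheck {

    // host of jdbc:oracle:thin:@host:port/service, @host:port:sid or @//host:port/service
    private static final Pattern HOST = Pattern.compile("jdbc:oracle:thin:@(?://)?([^:/]+)");

    // <url> in the WebLogic JDBC descriptors, jdbc.url property in the jps-config files
    private static final String[] XPATHS = {
        "//*[local-name()='url']",
        "//*[local-name()='property'][@name='jdbc.url']/@value"
    };

    static String hostOf(String jdbcUrl) {
        Matcher m = HOST.matcher(jdbcUrl.trim());
        return m.find() ? m.group(1) : "<unparsed>";
    }

    /** All hosts referenced in one file's XML. */
    static Set<String> hostsIn(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        Set<String> hosts = new LinkedHashSet<>();
        for (String expr : XPATHS) {
            NodeList nodes = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
            for (int i = 0; i < nodes.getLength(); i++) {
                hosts.add(hostOf(nodes.item(i).getTextContent()));
            }
        }
        return hosts;
    }

    /** Files (by name) that still reference a host other than the expected one. */
    static Map<String, Set<String>> stale(Map<String, String> files, String expected) throws Exception {
        Map<String, Set<String>> bad = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : files.entrySet()) {
            Set<String> hosts = hostsIn(e.getValue());
            hosts.remove(expected);
            if (!hosts.isEmpty()) bad.put(e.getKey(), hosts);
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Constructed fragments: the datasource was updated, jps-config.xml was forgotten
        Map<String, String> files = new LinkedHashMap<>();
        files.put("config/jdbc/oam-db-jdbc.xml",
            "<jdbc-data-source><jdbc-driver-params>"
          + "<url>jdbc:oracle:thin:@newdb.example.com:1521/oamdb</url>"
          + "</jdbc-driver-params></jdbc-data-source>");
        files.put("config/fmwconfig/jps-config.xml",
            "<jpsConfig><serviceInstances><serviceInstance name=\"policystore.db\">"
          + "<property name=\"jdbc.url\" value=\"jdbc:oracle:thin:@olddb.example.com:1521/oamdb\"/>"
          + "</serviceInstance></serviceInstances></jpsConfig>");
        Map<String, Set<String>> bad = stale(files, "newdb.example.com");
        if (bad.isEmpty()) System.out.println("all files point at the new host");
        bad.forEach((name, hosts) -> System.out.println("STALE " + name + " -> " + hosts));
    }
}
```

Run it against the real files on every cluster node (step 4); an "<unparsed>" entry means a URL in a shape the regex does not recognise and deserves a manual look.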

Expected error if the jps-config-jse.xml, jps-config-migration.xml and jps-config.xml files are not modified:


Info: Data source is: opss-DBDS
[EL Severe]: 2017-03-14 20:39:37.575--ServerSession(1547285287)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
Error Code: 17002
Mar 14, 2017 8:39:37 PM oracle.security.jps.internal.common.config.AbstractSecurityStore getSecurityStoreVersion
WARNING: Unable to get the Version from Store returning the default. Reason: java.net.ConnectException: Connection refused.
[EL Severe]: 2017-03-14 20:39:37.978--ServerSession(1619843188)--Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.1.v20111018-r10243): org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
Error Code: 17002
Mar 14, 2017 8:39:37 PM oracle.security.jps.internal.credstore.ldap.LdapCredentialStore init
WARNING: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreConnectivityException: JPS-00027: There was an internal error: java.net.ConnectException: Connection refused
JPS-01055: Could not create credential store instance. Reason oracle.security.jps.service.policystore.PolicyStoreConnectivityException: JPS-00027: There was an internal error: java.net.ConnectException: Connection refused
Error: Diagnostics data was not saved to the credential store.
Error: Validate operation has failed.
Need to do the security configuration first!


Thanks
Kiran Pokuri

Tuesday, March 8, 2016

Oracle Access Manager(OAM) 11g R2 PS3 Google OAuth Social Authentication demo video


Hi All,

I got a chance to do a quick POC on OAM social authentication with Google. Below is the demo video for the same. I will try to post brief steps soon.

Reference Oracle support doc: How to Protect a Resource With the Google Social Identity Provider (Doc ID 2106718.1)

-- Siva Pokuri.

Thursday, January 21, 2016

How to configure and test OAM Access SDK 10g + OAM 11g with .NET


Access SDK 10g Installation & Configuration with OAM 11g R2 PS2 

Purpose

  1. Install and configure ASDK 10g with OAM 11g R2 PS2 and test SSO using the .NET ASDK APIs.

Environment

  1. OS: Windows 2008 Server SP2 (64-bit)
  2. DOT Net Framework: 4.0
  3. OAM: 11g R2 PS2 (11.1.2.2.0) running on OEL 5.9
  4. Access SDK: 10g (10.1.4.3.0+BP10, BP13+IP09 (Patch Number 18110352))

Installation
  • Download & install the Access SDK
  • Install the ASDK using Oracle_Access_Manager10_1_4_3_0_Win64_AccessServerSDK.exe from oam_int_win_v17_cd1.zip
    URL: http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html

  • Access Gate Registration 


  • Download and apply patch “18110352” from Oracle Support, which is BP13-IP09 (the latest version of the ASDK for Win64).
  • Patch Output:

C:\Users\Administrator\Downloads\p18110352_10143_MSWIN-x86-64\AccessSDK\Oracle_Access_Manager10_1_4_3_0_BP13-IP09_Patch_win64_AccessServerSDK_binary_parameter>patchinst.exe
Please enter Installation directory:
C:\NetPoint\AccessServerSDK
--- Oracle Access Manager System install ---
Upgrading Access Server SDK from release 10.1.4.3.0 BP 10 to release 10.1.4.3.0.13-IP09 BP 13-IP09.
Unloading files to C:\NetPoint\AccessServerSDK/unload-Oracle-10143013-IP09BP13-IP09-2564.
unloading 'include/obaccess_api_c.h'
unloading 'include/obaccess_api_mgd.h'
unloading 'oblix/config/np1014_sdk.txt'
unloading 'oblix/lib/access_api_mgd.lib'
unloading 'oblix/lib/access_flush.dll'
unloading 'oblix/lib/jobaccess.jar'
unloading 'oblix/lib/obaccess.dll'
unloading 'oblix/lib/obaccess.lib'
unloading 'oblix/lib/obaccess_api_mgd.dll'
unloading 'oblix/lib/obnlsrtl.dll'
unloading 'oblix/lib/obxmlengine.dll'
unloading 'oblix/tools/configureAccessGate/configureAccessGate.exe'
unloading 'oblix/tools/migration_tools/obmigratefiles.exe'
unloading 'oblix/tools/migration_tools/obmigratenp.exe'
unloading 'oblix/tools/migration_tools/obpdiff.exe'
Backing up old files to C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter.
backing up 'include/obaccess_api_c.h'
backing up 'include/obaccess_api_mgd.h'
backing up 'oblix/config/np1014_sdk.txt'
backing up 'oblix/lib/access_api_mgd.lib'
backing up 'oblix/lib/access_flush.dll'
backing up 'oblix/lib/jobaccess.jar'
backing up 'oblix/lib/obaccess.dll'
backing up 'oblix/lib/obaccess.lib'
backing up 'oblix/lib/obaccess_api_mgd.dll'
backing up 'oblix/lib/obnlsrtl.dll'
backing up 'oblix/lib/obxmlengine.dll'
backing up 'oblix/tools/configureAccessGate/configureAccessGate.exe'
backing up 'oblix/tools/migration_tools/obmigratefiles.exe'
backing up 'oblix/tools/migration_tools/obmigratenp.exe'
backing up 'oblix/tools/migration_tools/obpdiff.exe'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/include: File exists
backing up 'include/obaccess_api_c.h'
backing up 'include/obaccess_api_mgd.h'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix: File exists
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/config: File exists
backing up 'oblix/config/np1014_sdk.txt'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/lib: File exists
backing up 'oblix/lib/access_api_mgd.lib'
backing up 'oblix/lib/access_flush.dll'
backing up 'oblix/lib/jobaccess.jar'
backing up 'oblix/lib/obaccess.dll'
backing up 'oblix/lib/obaccess.lib'
backing up 'oblix/lib/obaccess_api_mgd.dll'
backing up 'oblix/lib/obnlsrtl.dll'
backing up 'oblix/lib/obxmlengine.dll'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/tools: File exists
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/tools/configureAccessGate: File exists
backing up 'oblix/tools/configureAccessGate/configureAccessGate.exe'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/tools/migration_tools: File exists
backing up 'oblix/tools/migration_tools/obmigratefiles.exe'
backing up 'oblix/tools/migration_tools/obmigratenp.exe'
backing up 'oblix/tools/migration_tools/obpdiff.exe'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/include: File exists
backing up 'include/obaccess_api_c.h'
backing up 'include/obaccess_api_mgd.h'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix: File exists
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/config: File exists
backing up 'oblix/config/np1014_sdk.txt'
C:\NetPoint\AccessServerSDK/oblix/config/np1014_sdk.txt: Permission denied
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/lib: File exists
backing up 'oblix/lib/access_api_mgd.lib'
backing up 'oblix/lib/access_flush.dll'
backing up 'oblix/lib/jobaccess.jar'
backing up 'oblix/lib/obaccess.dll'
backing up 'oblix/lib/obaccess.lib'
backing up 'oblix/lib/obaccess_api_mgd.dll'
backing up 'oblix/lib/obnlsrtl.dll'
backing up 'oblix/lib/obxmlengine.dll'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/tools: File exists
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/tools/configureAccessGate: File exists
backing up 'oblix/tools/configureAccessGate/configureAccessGate.exe'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/tools/migration_tools: File exists
backing up 'oblix/tools/migration_tools/obmigratefiles.exe'
backing up 'oblix/tools/migration_tools/obmigratenp.exe'
backing up 'oblix/tools/migration_tools/obpdiff.exe'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/include: File exists
backing up 'include/obaccess_api_c.h'
backing up 'include/obaccess_api_mgd.h'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix: File exists
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/config: File exists
backing up 'oblix/config/np1014_sdk.txt'
C:\NetPoint\AccessServerSDK/oblix/config/np1014_sdk.txt: Permission denied
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/lib: File exists
backing up 'oblix/lib/access_api_mgd.lib'
backing up 'oblix/lib/access_flush.dll'
backing up 'oblix/lib/jobaccess.jar'
backing up 'oblix/lib/obaccess.dll'
backing up 'oblix/lib/obaccess.lib'
backing up 'oblix/lib/obaccess_api_mgd.dll'
backing up 'oblix/lib/obnlsrtl.dll'
backing up 'oblix/lib/obxmlengine.dll'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/tools: File exists
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/tools/configureAccessGate: File exists
backing up 'oblix/tools/configureAccessGate/configureAccessGate.exe'
C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-binary_parameter/oblix/tools/migration_tools: File exists
backing up 'oblix/tools/migration_tools/obmigratefiles.exe'
backing up 'oblix/tools/migration_tools/obmigratenp.exe'
backing up 'oblix/tools/migration_tools/obpdiff.exe'
Copying files from 'C:\NetPoint\AccessServerSDK/unload-Oracle-10143013-IP09BP13-IP09-2564' to 'C:\NetPoint\AccessServerSDK'.
Copy command using is: 'xcopy /S /Y /R /K /F "C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564" "C:\NetPoint\AccessServerSDK"'.
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\include\obaccess_api_c.h -> C:\NetPoint\AccessServerSDK\include\obaccess_api_c.h
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\include\obaccess_api_mgd.h -> C:\NetPoint\AccessServerSDK\include\obaccess_api_mgd.h
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\config\np1014_sdk.txt -> C:\NetPoint\AccessServerSDK\oblix\config\np1014_sdk.txt
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\lib\access_api_mgd.lib -> C:\NetPoint\AccessServerSDK\oblix\lib\access_api_mgd.lib
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\lib\access_flush.dll -> C:\NetPoint\AccessServerSDK\oblix\lib\access_flush.dll
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\lib\jobaccess.jar -> C:\NetPoint\AccessServerSDK\oblix\lib\jobaccess.jar
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\lib\obaccess.dll -> C:\NetPoint\AccessServerSDK\oblix\lib\obaccess.dll
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\lib\obaccess.lib -> C:\NetPoint\AccessServerSDK\oblix\lib\obaccess.lib
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\lib\obaccess_api_mgd.dll -> C:\NetPoint\AccessServerSDK\oblix\lib\obaccess_api_mgd.dll
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\lib\obnlsrtl.dll -> C:\NetPoint\AccessServerSDK\oblix\lib\obnlsrtl.dll
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\lib\obxmlengine.dll -> C:\NetPoint\AccessServerSDK\oblix\lib\obxmlengine.dll
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\tools\configureAccessGate\configureAccessGate.exe -> C:\NetPoint\AccessServerSDK\oblix\tools\configureAccessGate\configureAccessGate.exe
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\tools\migration_tools\obmigratefiles.exe -> C:\NetPoint\AccessServerSDK\oblix\tools\migration_tools\obmigratefiles.exe
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\tools\migration_tools\obmigratenp.exe -> C:\NetPoint\AccessServerSDK\oblix\tools\migration_tools\obmigratenp.exe
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2564\oblix\tools\migration_tools\obpdiff.exe -> C:\NetPoint\AccessServerSDK\oblix\tools\migration_tools\obpdiff.exe
15 File(s) copied
Error: could not execute the tool 'C:\NetPoint\AccessServerSDK\oblix\tools\migration_tools\obmigrateparamsg.exe' successfully
Starting default Language message patch process ...
--- Oracle Access Manager System install ---
Upgrading Access Server SDK from release 10.1.4.3.0 BP 10 to release 10.1.4.3.0.13-IP09 BP 13-IP09.
Unloading files to C:\NetPoint\AccessServerSDK/unload-Oracle-10143013-IP09BP13-IP09-2668.
unloading 'oblix/lib/jobaccess.jar'
Backing up old files to C:\NetPoint\AccessServerSDK/backup-Oracle-101430BP10-message_en-us.
backing up 'oblix/lib/jobaccess.jar'
backing up 'oblix/lib/jobaccess.jar'
backing up 'oblix/lib/jobaccess.jar'
backing up 'oblix/lib/jobaccess.jar'
Copying files from 'C:\NetPoint\AccessServerSDK/unload-Oracle-10143013-IP09BP13-IP09-2668' to 'C:\NetPoint\AccessServerSDK'.
Copy command using is: 'xcopy /S /Y /R /K /F "C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2668" "C:\NetPoint\AccessServerSDK"'.
C:\NetPoint\AccessServerSDK\unload-Oracle-10143013-IP09BP13-IP09-2668\oblix\lib\jobaccess.jar -> C:\NetPoint\AccessServerSDK\oblix\lib\jobaccess.jar
1 File(s) copied
Error: could not execute the tool 'C:\NetPoint\AccessServerSDK\oblix\tools\migration_tools\obmigrateparamsg.exe' successfully
Patch complete
Successfully applied default Language message patch!
Patch complete

Note: Ignore the "could not execute the tool ... obmigrateparamsg.exe successfully" error in the patch log above; the patch still completes.


  • Check Installed windows updates from control panel

  • Make sure the Visual C++ redistributable packages for 2005 and 2008 (64-bit) are installed.


  • Sample Application code Access_API_Test.cs 


using System;
using System.Reflection;
using System.Collections;
using Oblix.Access.Server;
using Oblix.Access.Common;

class Access_API_Test
{
    public static void Main(string[] args)
    {
        // Resource protected by OAM, in the host:port/path form registered in the policy
        String resourceString = "//pokuri.demo.com:7777/";
        Console.WriteLine("Initialize the configuration directory!");
        try
        {
            // Access SDK install directory (holds the AccessGate configuration)
            String config = "C:/NetPoint/AccessServerSDK";
            ObConfigMgd.initialize(config);
        }
        catch (ObAccessExceptionMgd ex)
        {
            Console.WriteLine("Initialization Exception caught: " + ex.String);
        }

        ObDictionary parameters = new ObDictionary();
        ObResourceRequestMgd resource = new ObResourceRequestMgd("http", resourceString, "GET", parameters);
        if (resource.IsProtected == true)
        {
            Console.WriteLine("Resource " + resourceString + " is protected ...");
            try
            {
                ObAuthenticationSchemeMgd authnScheme = new ObAuthenticationSchemeMgd(resource);
                if (authnScheme.IsForm)
                {
                    Console.WriteLine("Authentication is basic");
                    // Test credentials for the demo user (use a throwaway account)
                    ObDictionary credentials = new ObDictionary();
                    credentials.Add("userid", "user.1");
                    credentials.Add("password", "Abcd123");
                    // Authenticate against the Access Server and inspect the session status
                    ObUserSessionMgd user = new ObUserSessionMgd(resource, credentials);
                    ObUserStatusMgd status = user.Status;
                    if (!status.IsLoggedIn)
                    {
                        Console.WriteLine("User is not logged in");
                    }
                    user.Location = "127.0.0.1";
                    Console.WriteLine("User: " + user.UserIdentity + " is logged in...");
                    Console.WriteLine("User location is: " + user.Location);
                    // Authorization check for the same resource
                    if (user.IsAuthorized(resource))
                    {
                        Console.WriteLine("User is authorized");
                    }
                    else
                    {
                        Console.WriteLine("User is not authorized");
                    }
                }
                else
                {
                    Console.WriteLine("Authentication is not basic");
                }
            }
            catch (ObAccessExceptionMgd ex)
            {
                Console.WriteLine("Access Exception caught: " + ex.String);
            }
        }
        else
        {
            Console.WriteLine("Resource is NOT protected ... ");
        }
    }
}



  • Environment Variables:
    set CLASSPATH=%CLASSPATH%;.;C:\NetPoint\AccessServerSDK\oblix\lib
    set PATH=%PATH%;.;C:\NetPoint\AccessServerSDK\oblix\lib
    set OBACCESS_INSTALL_DIR=C:\AccessSDK64\NetPoint\AccessServerSDK

  • Add obaccess_api_mgd.dll to the Global Assembly Cache with the command below (-i installs an assembly; -l only lists the cache contents).
    C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\NETFX 4.0 Tools\x64>gacutil.exe -i C:\NetPoint\AccessServerSDK\oblix\lib\obaccess_api_mgd.dll
    Note: If gacutil.exe is not available in that folder, download and install the .NET SDK for 64-bit OS.
  • Compile the C# code using the command below. The “access_api_test.exe” file will be generated.
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /reference:C:\NetPoint\AccessServerSDK\oblix\lib\obaccess_api_mgd.dll /out:C:\NetPoint\access_api_test.exe C:\NetPoint\access_api_test.cs


  • Run the code C:\NetPoint>access_api_test.exe

If everything is in order, the program runs and reports whether the user is authenticated and authorized for the protected URL.


Useful Link & Commands
  • http://oracle.developer-works.com/article/4628709/OAM+Access+SDK
  • http://msdn.microsoft.com/en-us/library/ms379563(v=vs.80).aspx
  • http://docs.oracle.com/cd/E11857_01/em.111/e18155/mgmt_console/policy_templates/configuring_oracle_amclient_machines.htm
  • Trace Error commands
    C:\Windows\System32>sxstrace.exe Parse -logFile:C:\Test.log -outfile:C:\test2.txt
    C:\Windows\System32>sxstrace.exe Trace -logFile:C:\Test.log
  • How to: View the Contents of the Global Assembly Cache
    C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\NETFX 4.0 Tools\x64>gacutil.exe -l 

Hope this will be useful to someone out there.

-- Siva Pokuri.


Friday, September 25, 2015

How to integrate OBIEE with OAM

OBIEE Integration with Oracle Access Manager



Demo:

Quick Demo is HERE

Prerequisites

1. Install and Configure Oracle Access Manager. Steps here
2. Install and configure OBIEE. Steps here.
3. Install and configure LDAP. Steps here
4. Install Webserver/Webgate and register webgate with Oracle Access Manager. 

Integration Steps:

1. Configure a reverse proxy for the OBIEE applications. In my case I am using OHS as the proxy server and I have an OHS webgate on top of it.

   
2. Create required OBIEE Groups in LDAP.


3. Login to Weblogic admin console and navigate to Security realm > my realm > providers.
    Create two new providers (LDAP provider and OAM Asserter) as per the below screen shot 

4. Reorder the providers as per the screen shot below, then restart the WebLogic Admin server and managed servers.


5. Login to the http://<hostname>:<port>/em. 
6. Navigate to Weblogic domain> bifoundation_domain> Security> Security provider configuration.
7. Scroll down to Single sign on provider and click on Configure.
8. Configure as per below screen shot.


9. Login to http://<hostname>:<port>/analytics.
10. Navigate to Administration> Manage BI Publisher> Security Configuration.
11. In Authentication section do the changes as per the below screen shot.


12. Login to http://<hostname>:<port>/em
13. Click on coreapplication under Business Intelligence.
14. Perform the changes as per the screen shot below, click on Apply, then click on Activate Changes.


15. Login to workspace http://<hostname>:<port>/workspace.
16. Go to Navigate> Administer> Workspace Settings> Server Settings.
17. Modify Log off URL and select Yes in Enable Single Sign on as per the below screen shot.


18. Restart Weblogic Admin server and Managed Servers.
19. Now try to access the application with proxy URL. User will get OAM login page for Authentication.

http://dev.kiran.com:7777/analytics


Hope this is helpful. 

Thanks
Kiran Pokuri

Friday, June 12, 2015

OAAM policy risk evaluation in OAM policies(OAM 11g Identity Context)

OAAM policy risk evaluation in OAM policies


Steps

Login to OAAM Admin Console


Search for the DAP token version property and change it to v2.1.


Update the OAAM TAP token version from v2.0 to v2.1 in the oam-config.xml file.

Note: Since I have already integrated OAM + OAAM, I changed the OAM DAP token version in the oam-config.xml file from "v2.0" to "v2.1". Otherwise you can provide version v2.1 directly while executing the ThirdParty TAP registration command (during the OAM + OAAM integration).

Create a group to hold all the restricted IP addresses, as shown in the screen shot below.


Add IP Address to the group


Create new OAAM Policy as post authentication




Create a rule and condition to determine whether the user is logging in from a restricted IP address.





Select IP Address Group created initially from the drop down 


Click on Results Tab and enter score as "1"



Click on "Group Linking" and select "All Users"




Login to OAM Admin Console and click on "Application Domain".


Select the "ohs_webgate". This is the OHS webgate I have already created and used the OAAM TAP Authentication Scheme to protect the resource.


Click on "Authentication Policies"


Click on "Protected Resource Policy"


Click on "Responses"


Add response as shown in the screen shot below.

This "session_risk_level" is the session attribute that OAAM passes to OAM in the DAP token after evaluating the policy created in the steps above.




Click on "Authorization Policies"


Click on "Protected Resource Policy"


Click on "Conditions"


Click on "+" sign


Enter the condition details as shown in the screen shot below.




Add Condition Details as shown in the screen shot below.

This is the "session_risk_level" session attribute returned from OAAM; the condition matches when its value is "1".




Click on "Rules" tab and add new rule in the "Deny Rule" list and click "Apply".



Now test the protected application from two different machines!!!

-- Siva Pokuri.