I was involved in implementing the OAM 11g integration with IPM for one of our customers. Most of the steps are covered in the documentation, but it can be hard to troubleshoot if you miss one of them, so I decided to write up some of the issues you might face while implementing the OAM-IPM integration.
Summary
The user is not able to log in to IPM, but:
- the users/groups are visible in the WebLogic Server
- the same user can log in to other applications such as WebCenter and UCM.
Possible Causes
1. Check the Authenticator Order and Control Flags in WebLogic Server
- OAMIdentityAsserter must be at the top of the provider list - Control Flag: Required
- LDAPAuthenticator (the directory where the IPM users reside) MUST be the first authenticator, i.e. directly after the identity asserter - Control Flag: Sufficient
- DefaultAuthenticator (the default WLS embedded LDAP authenticator) - Control Flag: Sufficient
By default, the WebCenter Content server (formerly UCM, Universal Content Management) JpsProvider calls the User/Role API to fetch the list of roles a user is a member of. The User/Role API gets the list of roles only from the first authentication provider and ignores the other authentication providers.
The WebLogic JPS configuration can be changed so that the User/Role API queries all the configured authentication providers. This is done by adding a property named virtualize and setting it to true.
See the Oracle Support document for details: How to Configure 11g WCC so that it Works Correctly Against Multiple Authentication Providers (Doc ID 1359171.1)
2. Check Mapping of GUID attribute in LDAP and authenticator configuration in WLS
Check that the GUID attribute is mapped correctly in the LDAP authenticators, and that the correct GUID attribute name is given in the WLS authenticator configuration.
In this case the IPM users come from Active Directory (AD). There were multiple identity sources involved, so I implemented an OVD-AD adapter using the adapter template "OAM/AD Adapter with Mapper".
IPM users can log in to the application only if the GUID attribute is mapped correctly in the adapter configuration. The steps to map the GUID attribute differ between LDAP directories.
Steps to map the GUID attribute in the OVD-AD adapter:
- Connect to the OVD server via ODSM > Adapters tab, and select the AD adapter.
- Click on the Plug-in tab of the AD adapter.
- Click on the Create Plugin button and add a new plugin with the following parameters:
Name: UserManagement
Class: com.octetstring.vde.chain.plugins.usermanagement.UserManagement
(Note: Select the above class from the list of values available.)
Under the "Parameters" section, add the following two parameters, as shown:
Name              Value
----------------- --------------------------
mapAttribute      orclguid=objectguid
directoryType     ActiveDirectory
----------------- --------------------------
- Click the Apply button so that the plug-in is saved to the adapter.
- Go to the Data Browser tab, highlight "Client View" and click the Refresh icon under Data Tree.
- Navigate/expand down into your AD adapter's namespace in "Client View" and check whether you can see a value for the orclguid attribute.
- From the command line, run ldapsearch directly against the backend OVD and check that it returns a value for the orclguid attribute, for example:
dn: cn=username,ou=Employees,ou=People,o=org
orclGUID: 6f014b9ce3724bcb91be04d6c9db4baf
- Verify that the Active Directory entries appear with the same orclguid value in both places. If not, try restarting the OVD server and the WebLogic Admin Server and Managed Servers (for ODSM).
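As an added example (not part of the original post, and not Oracle's own tooling), here are two small POSIX shell checks for the two configuration points discussed above: one scans ldapsearch LDIF output and flags any entry without a well-formed orclguid, which is what you would see if the mapAttribute plug-in parameter were missing, and one checks a jps-config.xml excerpt for the virtualize=true property mentioned under cause 1. The LDIF, the jps-config.xml excerpt, and the ldapsearch host, port and bind DN in the comment are all constructed; the serviceInstance name idstore.ldap is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for the two
# configuration points discussed in the text. All sample data is constructed.

# Constructed LDIF standing in for the output of an ldapsearch against OVD,
# e.g. (host, port, bind DN and search base are hypothetical):
#   ldapsearch -h ovdhost -p 6501 -D "cn=orcladmin" -w "$PASS" \
#       -b "ou=People,o=org" "(objectclass=person)" orclguid
# The second entry deliberately lacks orclguid, as it would if the
# mapAttribute plug-in parameter were missing from the adapter.
SAMPLE_LDIF='dn: cn=username,ou=Employees,ou=People,o=org
orclGUID: 6f014b9ce3724bcb91be04d6c9db4baf

dn: cn=nomap,ou=Employees,ou=People,o=org
cn: nomap'

# check_orclguid LDIF
# Returns 0 when every entry carries an orclguid of 32 hex digits (the form
# seen in the post's ldapsearch output), 1 otherwise, and prints the DNs that
# lack one. The attribute name is matched case-insensitively.
check_orclguid() {
    printf '%s\n\n' "$1" | awk '
        BEGIN { bad = 0 }
        /^dn: / { dn = substr($0, 5); have = 0; next }
        tolower($1) == "orclguid:" {
            if (length($2) == 32 && $2 ~ /^[0-9a-fA-F]+$/) have = 1
            next
        }
        /^$/ && dn != "" {
            if (!have) { print "missing or malformed orclguid: " dn; bad++ }
            dn = ""
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed excerpts of the jps-config.xml identity-store instance, before
# and after adding the property the post refers to (instance name assumed).
JPS_BEFORE='<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.type" value="OVD"/>
</serviceInstance>'

JPS_AFTER='<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.type" value="OVD"/>
  <property name="virtualize" value="true"/>
</serviceInstance>'

# has_virtualize XML
# Returns 0 when the excerpt contains <property name="virtualize" value="true"/>.
has_virtualize() {
    printf '%s\n' "$1" |
        grep -Eq '<property[[:space:]]+name="virtualize"[[:space:]]+value="true"'
}

# Stand-alone run: report both checks against the constructed data.
main() {
    if check_orclguid "$SAMPLE_LDIF"; then
        echo "orclguid: all entries OK"
    else
        echo "orclguid: fix the OVD adapter mapping for the entries listed above"
    fi
    if has_virtualize "$JPS_AFTER"; then
        echo "virtualize=true present in jps-config.xml excerpt"
    else
        echo "virtualize=true missing from jps-config.xml excerpt"
    fi
}
main
```

In practice you would pipe the real ldapsearch output into check_orclguid and point has_virtualize at the domain's jps-config.xml; both functions only return an exit status, so they drop straight into a post-configuration checklist script.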
After mapping the GUID attribute, the next step is to validate the WLS authenticator configuration.
Log in to the WLS console and navigate to Home > Summary of Security Realms > myrealm > Providers.
Click on the OVD authenticator on the Providers tab and then click on the Provider Specific tab.
Check the GUID attribute at the bottom of the page:
The GUID attribute must be the same as the one you defined in the OVD adapter mapping (orclguid in the mapping above).