Tuesday, March 14, 2017

Filtering by LDAP OU in OAM Authorization Policies

To use the LDAP OU that a user belongs to in OAM Authorization Policies, the Store Name must reference an IDS Profile rather than a regular OAM ID Store.

In an Authorization Policy, add a Condition:
Type: Identity

Click Add->Search Filter

Store Name: IDSProfile-OID-Profile
Search Filter: ou:dn:=external

Click Test Filter; any users under that OU should be returned.

If you instead reference an Identity Store of type OAM ID Store, clicking Test Filter produces this error:
Failure locating user with search base: null. filter: ou:dn:=external and arguments: OIMIDStore, for idstore oracle.igf.ids.IDSException: Operations error: entity=cn=Users,dc=ovd,dc=mycompany,dc=com op=search mesg= AdditionalInfo: LDAP Error 1 : [LDAP: error code 1 - Error during search:java.lang.NullPointerException] with exception {4}
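
The filter ou:dn:=external is an LDAP extensible match with the dnAttributes flag (the :dn: part), which tells the server to also match the value against RDN components of each entry's DN, so it selects entries sitting under an ou=external container. The following script, an added example that is not code from the original post, evaluates that kind of filter against a few constructed DNs so you can see what the Search Filter will and will not pick up before testing it in OAM. It only checks DN components; a real directory would also match an entry's own ou attribute.

```python
"""Evaluate an LDAP extensible-match filter of the form ``attr:dn:=value``
against entry DNs, to show what ``ou:dn:=external`` selects.

Added example, not code from the original post. Per RFC 4511 the ``:dn:``
flag (dnAttributes) makes the match also consider attribute values that
appear as RDN components of the entry's DN, so ``ou:dn:=external`` matches
any entry located under an ``ou=external`` container. Matching is
case-insensitive here because ou uses caseIgnoreMatch.
"""
import re
from typing import List, Tuple

FILTER_RE = re.compile(r"^(?P<attr>[A-Za-z][\w-]*):dn:=(?P<value>.+)$")


def parse_dn_filter(flt: str) -> Tuple[str, str]:
    """Return (attribute, value) from a filter such as 'ou:dn:=external'.

    Raises ValueError for anything else, so a malformed filter is noticed
    instead of silently matching nothing.
    """
    m = FILTER_RE.match(flt.strip())
    if not m:
        raise ValueError(f"not an attr:dn:=value filter: {flt!r}")
    return m.group("attr").lower(), m.group("value")


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs; handles backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        typ, _, val = part.strip().partition("=")
        rdns.append((typ.strip().lower(), val.replace("\\,", ",").strip()))
    return rdns


def dn_matches(dn: str, flt: str) -> bool:
    """True if any RDN of ``dn`` equals ``attr=value`` for the parsed filter."""
    attr, value = parse_dn_filter(flt)
    return any(t == attr and v.lower() == value.lower() for t, v in split_rdns(dn))


def filter_dns(dns: List[str], flt: str) -> List[str]:
    """Return the subset of DNs the filter would select, in input order."""
    return [dn for dn in dns if dn_matches(dn, flt)]


# Constructed sample DNs (not from the post).
SAMPLE_DNS = [
    "cn=jsmith,ou=External,ou=People,dc=mycompany,dc=com",
    "cn=adoe,ou=Internal,ou=People,dc=mycompany,dc=com",
    "cn=contractor\\, bob,ou=external,dc=mycompany,dc=com",
    "cn=external,ou=Groups,dc=mycompany,dc=com",  # 'external' is a cn here, not an ou
]

if __name__ == "__main__":
    for dn in filter_dns(SAMPLE_DNS, "ou:dn:=external"):
        print(dn)
```

Running it lists the first and third sample DNs only: the fourth entry has "external" as its cn, not as an ou, so the OU filter correctly leaves it out.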

Tuesday, February 14, 2017

iPhone Restore from Backup - Beware!

I ran across this issue this weekend trying to help a friend recover their family member's iCloud password after upgrading from an iPhone 4 to an iPhone 5S.

Long story short, a change needs to be made to Apple's "Restore from Backup" process using iTunes.

According to this Apple Support article: https://support.apple.com/en-us/HT204184 there is no prompt for the iCloud/Apple ID password in the backup/restore process.

Here's the issue: what if the phone you have the backup for has an iCloud account whose password you don't know and can't recover? The process will let you restore the backup without prompting for an iCloud password. Then, on your new phone, any time you try to install a new app you will be blocked by the unknown password for the Apple ID/iCloud account. Even worse, if Find My iPhone was enabled, the new phone is now worthless to you.

Instead, Apple should prompt you for the iCloud/Apple ID password used on the phone either during backup or during restore or, at the least, give some sort of warning message regarding this limitation.

My friend's family member still has no solution to recover their password and now has a phone that is hardly usable.

If they had been aware that they didn't know their Apple ID password BEFORE restoring it to their new phone, they could've decided to set it up as a new phone with a new Apple ID/iCloud account.

Tuesday, May 20, 2014

OIM - Re-Create Reconciliation Profile on Resource Object Form

If your target recon scheduled job is failing to create recon events, search your wls_oim1-diagnostic.log file (that is, $SERVER_NAME-diagnostic.log).

If this error message is found:
DFW-99998 [org.xml.sax.SAXParseException][oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl$ProfileMarshaller.unMarshal][oim]

Open the wls_oim1.log ($SERVER_NAME.log) file and find the name of the Resource Profile that is invalid.
For example:
oracle.iam.reconciliation.exception.ReconciliationException: Invalid Profile - Exchange User

To resolve this:
  1. Login to the Design Console
  2. Expand Resource Management
  3. Double-click Resource Object. 
  4. Click the Search (binoculars) icon
  5. Click the Resource Objects Table tab which appears at the bottom. 
  6. Double-click the object matching the Error message above "Invalid Profile - [Resource Object]". 
  7. Select the Object Reconciliation tab at the top. 
  8. Finally, click the Create Reconciliation Profile button. 
  9. Re-run your target recon job (Note that if incremental is chosen you'll need to make a new change in the target system to re-test the recon).
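
Before opening the Design Console it helps to confirm both symptoms from the logs in one pass. The script below is an added example, not code from the original post: it looks for the DFW-99998 / SAXParseException marker from the diagnostic log and pulls every distinct "Invalid Profile - <name>" from the server log, so you know exactly which Resource Object needs its Reconciliation Profile re-created. The log lines it runs over are constructed samples shaped like the messages quoted above, not real OIM output.

```python
"""Scan OIM logs for the profile-unmarshalling failure described above and
report which Resource Object's Reconciliation Profile must be re-created.

Added example, not from the original post. The two markers searched for
(DFW-99998 with CoreProfileManagerImpl$ProfileMarshaller.unMarshal in the
diagnostic log, and 'Invalid Profile - <name>' in the server log) are the
messages the post quotes; the sample log lines are constructed.
"""
import re
from typing import Dict, Iterable, List

DIAG_MARKER = "DFW-99998"
DIAG_CLASS = "CoreProfileManagerImpl$ProfileMarshaller.unMarshal"
INVALID_PROFILE_RE = re.compile(
    r"ReconciliationException: Invalid Profile - (?P<profile>.+?)\s*$"
)


def diagnostic_log_indicates_bad_profile(lines: Iterable[str]) -> bool:
    """True if the diagnostic log contains the profile unmarshalling failure."""
    return any(DIAG_MARKER in ln and DIAG_CLASS in ln for ln in lines)


def invalid_profiles(lines: Iterable[str]) -> List[str]:
    """Distinct Resource Object names reported as 'Invalid Profile', in order seen."""
    seen: List[str] = []
    for ln in lines:
        m = INVALID_PROFILE_RE.search(ln)
        if m and m.group("profile") not in seen:
            seen.append(m.group("profile"))
    return seen


def diagnose(diag_lines: Iterable[str], server_lines: Iterable[str]) -> Dict[str, object]:
    """Combine both logs into one finding.

    'profile_parse_failure' says whether the diagnostic-log marker is present;
    'recreate_profile_for' lists the Resource Objects to fix in the Design
    Console (Resource Object -> Object Reconciliation -> Create Reconciliation Profile).
    """
    return {
        "profile_parse_failure": diagnostic_log_indicates_bad_profile(diag_lines),
        "recreate_profile_for": invalid_profiles(server_lines),
    }


# Constructed sample lines in the general shape of the messages quoted in the post.
SAMPLE_DIAG = [
    "[2014-05-20T09:12:01.123-05:00] [wls_oim1] [NOTIFICATION] [] "
    "[oracle.iam.scheduler.impl.quartz] Scheduled job Exchange Target Recon started",
    "[2014-05-20T09:12:03.456-05:00] [wls_oim1] [INCIDENT_ERROR] [DFW-99998] "
    "[org.xml.sax.SAXParseException]"
    "[oracle.iam.reconciliation.impl.config.CoreProfileManagerImpl$ProfileMarshaller.unMarshal][oim]",
]
SAMPLE_SERVER = [
    "####<May 20, 2014 9:12:03 AM CDT> <Error> <oracle.iam.reconciliation> <wls_oim1> "
    "oracle.iam.reconciliation.exception.ReconciliationException: Invalid Profile - Exchange User",
    "####<May 20, 2014 9:12:04 AM CDT> <Error> <oracle.iam.reconciliation> <wls_oim1> "
    "oracle.iam.reconciliation.exception.ReconciliationException: Invalid Profile - Exchange User",
    "####<May 20, 2014 9:12:05 AM CDT> <Info> <oracle.iam.scheduler> <wls_oim1> Job completed with errors",
]

if __name__ == "__main__":
    # On a real server, pass open(...).readlines() of both log files instead.
    print(diagnose(SAMPLE_DIAG, SAMPLE_SERVER))
```

Against the samples the result is a parse failure with a single profile to re-create, "Exchange User"; the duplicate error line is collapsed so each Resource Object appears once.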

Wednesday, April 3, 2013

Configuring Oracle Social Login Java App

This post provides detailed steps for creating a Java application that allows users to log in with their social credentials (Facebook, Twitter, Google, Yahoo, LinkedIn).

Prerequisites

  • OAM installed and configured to authenticate users in OID.
  • OAM and Social features enabled.
  • If using OAuth, the shared secret has been configured and your app registered with the OAuth provider.

Java App

Deploy the war

Deploy the custom war to WebLogic.
Here are some examples of important calls:
login-oic.jsp
- Create the RPClient
- Build the login links
- Save the TAP Token and TAPSubmitURL parameters in the session for retrieval in oic_submit.jsp

oic_submit.jsp
- Create the RPClient
- Get the saeToken from the request, validate it, and extract the mail value
- Extract the TAPToken and TAPSubmitURL from the session
- Create the DAPToken from tap_token
- Build a new DAPToken with the mail attribute as the userID
- Encrypt and encode the token
- Send a redirect to tapSubmitURL

Copy the OicClient.properties file

This properties file must exist outside of the war in a location accessible by the Managed Server.
For example:
/home/oracle/oic_test/OicClient.properties
rp.server.hosturl=http://iamdemo.mycompany.com:14100
rp.server.idp.service=/oic_rp/rest/identityproviders
rp.server.init.service=/oic_rp/RPInitServlet
rp.server.connection.timeout=60000
rp.server.connection.sae.sharedsecret=
rp.server.connection.sae.cryptotype=symmetric
rp.server.connection.sae.keystrength=128
rp.server.connection.sae.algorithm=AES
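
Because this file lives outside the war and is read only when the Managed Server starts, a mistake in it (most often a shared secret left blank, as in the template above) only surfaces after the restart. The checker below is an added example, not code from the original post or from Oracle: it parses the properties file and reports settings that would break the RPClient or weaken the SAE token protection. The required-key list comes from the sample file above; the specific checks (non-empty secret, AES key size, absolute host URL, integer timeout) are this example's own assumptions. The two property texts are constructed: the first mirrors the template above, the second is a corrected version with a placeholder secret.

```python
"""Sanity-check an OicClient.properties file before restarting the Managed Server.

Added example, not code from the original post or from Oracle. The list of
required keys is taken from the post's sample file; the checks themselves are
assumptions about what a working RPClient configuration needs.
"""
from typing import Dict, List
from urllib.parse import urlparse

REQUIRED_KEYS = [
    "rp.server.hosturl",
    "rp.server.idp.service",
    "rp.server.init.service",
    "rp.server.connection.timeout",
    "rp.server.connection.sae.sharedsecret",
    "rp.server.connection.sae.cryptotype",
    "rp.server.connection.sae.keystrength",
    "rp.server.connection.sae.algorithm",
]
AES_KEY_BITS = {128, 192, 256}  # key sizes Java's AES implementation accepts


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The separator is the first '=' or ':' in the line, whichever comes first.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_oic_properties(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the file looks sane."""
    findings: List[str] = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"missing key: {key}")
    if not props.get("rp.server.connection.sae.sharedsecret"):
        findings.append("sae.sharedsecret is empty; SAE tokens cannot be encrypted/validated")
    url = urlparse(props.get("rp.server.hosturl", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        findings.append("hosturl must be an absolute http(s) URL")
    elif url.scheme == "http":
        findings.append("hosturl uses plain http; prefer https for calls to the RP server")
    if props.get("rp.server.connection.sae.algorithm", "").upper() == "AES":
        try:
            bits = int(props.get("rp.server.connection.sae.keystrength", ""))
        except ValueError:
            bits = -1
        if bits not in AES_KEY_BITS:
            findings.append(f"keystrength {bits} is not a valid AES key size (128/192/256)")
    if not props.get("rp.server.connection.timeout", "").isdigit():
        findings.append("connection.timeout must be an integer number of milliseconds")
    return findings


# Constructed: the template from the post, with the shared secret left blank.
TEMPLATE_PROPS = """\
rp.server.hosturl=http://iamdemo.mycompany.com:14100
rp.server.idp.service=/oic_rp/rest/identityproviders
rp.server.init.service=/oic_rp/RPInitServlet
rp.server.connection.timeout=60000
rp.server.connection.sae.sharedsecret=
rp.server.connection.sae.cryptotype=symmetric
rp.server.connection.sae.keystrength=128
rp.server.connection.sae.algorithm=AES
"""

# Constructed: same file with https and a placeholder secret (replace before use).
HARDENED_PROPS = TEMPLATE_PROPS.replace("http://", "https://").replace(
    "sae.sharedsecret=", "sae.sharedsecret=REPLACE-WITH-SHARED-SECRET"
)

if __name__ == "__main__":
    for name, text in (("template", TEMPLATE_PROPS), ("hardened", HARDENED_PROPS)):
        print(name, check_oic_properties(parse_properties(text)) or ["ok"])
```

On the template the checker reports the blank shared secret and the plain-http host URL; on the corrected file it reports nothing. To use it on a server, read the real file path into parse_properties instead of the embedded text.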

Set up the Java Arguments

Restart the Managed Server once this change has been made.

OAM Configuration

Create Authentication Scheme

Be sure to select a unique Name and TAPPartnerId.

Create Custom Authentication Policy

Protect a resource with this policy and use the Authentication Scheme created above.

Register 3rd Party TAP Provider

Connect to the AdminServer using WLST
> $ORACLE_HOME/common/bin/wlst.sh
> connect()
>
> registerThirdPartyTAPPartner(partnerName='CustomRPPartner',keystoreLocation='/u01/app/oracle11gr2/admin/OAMDomain/TAP/TAPKeyStore/customoictapkeystore.jks',password='abcd1234',tapTokenVersion='v2.1',tapScheme='CustomOICScheme',tapRedirectUrl='http://iamdemo.mycompany.com:14300/custom-oic/login-oic.jsp')

The partnerName must match the TAPPartnerId used in the Authentication Scheme you created.
The keystoreLocation is the path of a new keystore.
The tapScheme is the Name used above when creating the Authentication Scheme.
The tapRedirectUrl must be a valid path to the login-oic.jsp page of custom-oic.war as deployed on WebLogic Server.

Create Application Profile

Create an Application Profile called CustomOIC that uses the DefaultServiceProviderInterface and has Disable Browser Popup set.

Set the Return URL to /custom-oic/oic_submit.jsp

Validation

To validate, go to http://sso.mycompany.com/custom-oic/sso.jsp (the resource you protected with the new Authentication Policy).
You should be redirected to /custom-oic/login-oic.jsp (the tapRedirectUrl used in the registerThirdPartyTAPPartner WLST command).
Click the Facebook link to log in with Facebook.
For OAM to authenticate the user, a user must exist in OID whose uid equals the mail attribute returned by Facebook.
If successful, you'll be redirected to your custom-oic/sso.jsp resource and see an OAM_REMOTE_USER HTTP parameter. The app can then use this parameter to identify the authenticated user and allow use of the app.