
Sunday, 16 December 2018

How to provide two Authentication Schemes for a Protected Application in Oracle Access Manager?

My organization uses the WNA (Windows Native Authentication) authentication scheme for all applications in Oracle Access Manager.

Some users (external users, vendors) have no account in the AD domain. They do have a user login ID and password, but when they access the application URL, OAM looks for a Kerberos token, and these users have no AD account.

Solution:

1) Provide a separate URL for external / non-AD users:

We can simply provide the direct application URL.

The application team was not willing to provide two URLs for a single application.

2) Add a second authentication scheme to the same application for external or non-AD users:

i) When an external user requests the application, the WNA authentication fails.

ii) Set the authentication scheme's failure URL to the direct application URL or a form-based login URL.

iii) The user then gets the login page, provides credentials, and is able to access the application.

iv) The failure URL must be protected with a form-based authentication scheme.

v) Another option for choosing the authentication scheme is an Advanced Rule in the authentication policy, where we can define a condition; based on that condition, the matching authentication scheme is selected and served to the user.

Drop me a mail for more details: sudhirmca26@gmail.com






Error: User Account Locked or Disabled

Multiple new users were getting the error "Account is locked or disabled".

The application is integrated with WNA authentication.

We checked the user accounts in AD; the accounts were active and unlocked.

Later we found that the user login ID and the sAMAccountName were different.

If a user name is longer than 20 characters, AD does not support the long login ID, so the identity management team had changed the logic to: user first name, dot (.), first character of the user last name.

We updated the sAMAccountName of those users to match the user login name; after that, every user with a long login name (more than 20 characters) was able to access the application successfully.

Issue: the user logs in to the system with a user ID that is different from the sAMAccountName. When the user requests the application, OAM searches AD for the user login ID, which does not match any user's sAMAccountName, so it throws the error "user account is locked or disabled".
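The check below is an added example, not part of the original post: it takes a constructed export of user records and flags every user whose login ID differs from the sAMAccountName, separating the long-ID case described above (login ID over 20 characters, shortened to first name, dot, first letter of the last name) from other mismatches. The attribute names follow Active Directory; the sample records, the function names and the lower-case form of the shortened name are assumptions.

```python
"""Diagnose WNA login failures caused by a login ID / sAMAccountName mismatch.

Added example for the 'account is locked or disabled' case above; not from the
original post. SAMPLE_USERS is constructed data. Attribute names follow Active
Directory (sAMAccountName, givenName, sn); the 20-character limit is the AD
limit on sAMAccountName that the post refers to. The shortening rule (first
name, dot, first character of the last name) is the one the post describes;
its letter case is an assumption.
"""

SAM_MAX_LEN = 20  # Active Directory's limit on sAMAccountName length

# Constructed sample export of the users OAM is looking up.
SAMPLE_USERS = [
    {"loginId": "john.smith", "givenName": "John", "sn": "Smith",
     "sAMAccountName": "john.smith"},
    {"loginId": "christopher.williamson", "givenName": "Christopher",
     "sn": "Williamson", "sAMAccountName": "christopher.w"},
    {"loginId": "amy.jones", "givenName": "Amy", "sn": "Jones",
     "sAMAccountName": "ajones"},
]


def expected_short_sam(given_name, surname):
    """sAMAccountName the identity team derives for long login IDs:
    first name, a dot, then the first character of the last name."""
    return f"{given_name}.{surname[:1]}".lower()


def diagnose(users):
    """Return (loginId, reason) for every user OAM would fail to resolve.

    With WNA, OAM searches AD for the login ID it receives. If that ID is not
    equal to any sAMAccountName, the search finds no entry and OAM reports the
    account as locked or disabled even though the AD account itself is fine.
    """
    findings = []
    for u in users:
        login, sam = u["loginId"], u["sAMAccountName"]
        if login.lower() == sam.lower():
            continue  # identifiers agree: the lookup will succeed
        if len(login) > SAM_MAX_LEN:
            if sam.lower() == expected_short_sam(u["givenName"], u["sn"]):
                reason = "long-id-shortened"  # the renaming rule from the post applied
            else:
                reason = "long-id-other"
        else:
            reason = "mismatch"  # fits in 20 chars, so the difference has another cause
        findings.append((login, reason))
    return findings


if __name__ == "__main__":
    for login, reason in diagnose(SAMPLE_USERS):
        print(f"{login}: {reason}")
```

Run against a real export, the "long-id-shortened" entries are exactly the users the post describes, and "mismatch" entries point to a different provisioning problem that the same error message hides.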

Wednesday, 15 August 2018

Process to Renew SAML Certificate

Process to renew the SAML / Federation certificate:

1) Backup plan: take a backup of the files below
 i   .oamkeystore
 ii  .oamtruststore
 iii oam-config.xml

2) Generate the .oamkeystore and .oamtruststore on the OAM server:

  • To enhance security, Development has removed the WLST command that was available in previous OAM versions to obtain the .oamkeystore keystore password. Therefore you will need to reset the OAM keystore password before you start.
  • Open a terminal session on your OAM machine.
  • Go to the location /middleware/Oracle_IDM1/common/bin
  • Run ./wlst.sh
  • connect()
  • Provide the server details and credentials to connect: t3://hostIP:port, user ID and password
  • domainRuntime()
  • resetKeystorePassword()
                password : *********
        confirm password : *********
  • exit()

    Create the oamkeystore by running the command below:

  • Go to the location of the Java keytool
  • ./keytool -genkeypair -alias samlsigningcer -keyalg RSA -keysize 2048 -sigalg sha1withrsa -dname "cn=<machine name>" -validity 1000 -keystore /u01/app/middleware/user_projects/domains/domain/config/fmwconfig/.oamkeystore -storetype JCEKS

    Create the oamtruststore using the command below:
  • ./keytool -genkeypair -alias samlencryptiongcer -keyalg RSA -keysize 2048 -sigalg sha1withrsa -dname "cn=<machine name>" -validity 1000 -keystore /u01/app/middleware/user_projects/domains/domain/config/fmwconfig/.oamkeystore -storetype JCEKS
  • OAM launch pad → Federation Settings → oamkeystore → add the two new entries, select the samlsigningcer alias and the samlencryptiongcer alias, provide the password and save.
  • The SAML metadata can be found on the OAM launch pad → Federation Settings: select the encryption key and signing key and import the metadata.

    Import the certificate from the metadata and save it as a .cer file, then

    share this metadata file and certificate with your service provider.
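The script below is an added example, not Oracle's tooling or the post's own script: it wraps the renewal steps above (verified backup of the three files, the two keytool -genkeypair commands, export of each new certificate as a .cer file for the service provider). The fmwconfig path, file names and the two alias names come from the post; note that both keytool commands in the post write into .oamkeystore, the encryption alias included, and the script follows that. The backup folder layout, the function names, the -exportcert step and the SHA256withRSA default are assumptions; keytool prompts for the keystore password when it runs, so no password is placed on the command line.

```python
"""Helpers for the SAML certificate renewal steps above: back up the three
files, build the keytool commands, export the new certificates as .cer files.

Added example; not Oracle's tooling and not the post's script. Path, file
names and alias names come from the post; everything else is an assumption.
"""
import shutil
import subprocess
import tempfile
import time
from pathlib import Path

# Domain path used in the post's keytool commands.
FMWCONFIG = Path("/u01/app/middleware/user_projects/domains/domain/config/fmwconfig")
KEYSTORE = FMWCONFIG / ".oamkeystore"
BACKUP_FILES = [".oamkeystore", ".oamtruststore", "oam-config.xml"]   # step 1 of the post
ALIASES = {"signing": "samlsigningcer", "encryption": "samlencryptiongcer"}  # from the post


def backup_files(src_dir, backup_root, names=BACKUP_FILES, stamp=None):
    """Copy each file into a new timestamped folder. Returns (copied, missing);
    a missing file is reported rather than silently skipped so the backup is
    verified before the keystore is touched."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest = Path(backup_root) / f"oam-backup-{stamp}"
    dest.mkdir(parents=True, exist_ok=False)  # never overwrite an earlier backup
    copied, missing = [], []
    for name in names:
        src = Path(src_dir) / name
        if src.is_file():
            shutil.copy2(src, dest / name)  # copy2 preserves mtime and permissions
            copied.append(dest / name)
        else:
            missing.append(name)
    return copied, missing


def genkeypair_cmd(alias, machine_name, keystore=KEYSTORE,
                   sigalg="SHA256withRSA", validity_days=1000):
    """keytool -genkeypair command as in the post. The post uses sha1withrsa;
    SHA256withRSA is the default here because SHA-1 signatures are deprecated.
    Pass sigalg='sha1withrsa' to match the post exactly."""
    return ["keytool", "-genkeypair", "-alias", alias,
            "-keyalg", "RSA", "-keysize", "2048", "-sigalg", sigalg,
            "-dname", f"cn={machine_name}", "-validity", str(validity_days),
            "-keystore", str(keystore), "-storetype", "JCEKS"]


def exportcert_cmd(alias, out_file, keystore=KEYSTORE):
    """keytool -exportcert writes the public certificate of an alias to a file
    (DER-encoded by default; add -rfc for PEM). This is the .cer file the post
    says to share with the service provider."""
    return ["keytool", "-exportcert", "-alias", alias, "-file", str(out_file),
            "-keystore", str(keystore), "-storetype", "JCEKS"]


def renew(machine_name, backup_root, out_dir=FMWCONFIG):
    """Run the whole procedure: verified backup, two key pairs, two .cer exports.
    Assumed flow; keytool prompts for the keystore password at each step."""
    copied, missing = backup_files(FMWCONFIG, backup_root)
    if missing:
        raise SystemExit(f"backup incomplete, missing: {missing}")
    for alias in ALIASES.values():
        subprocess.run(genkeypair_cmd(alias, machine_name), check=True)
        subprocess.run(exportcert_cmd(alias, Path(out_dir) / f"{alias}.cer"), check=True)
    return copied


def demo():
    """Offline check of the backup step on a constructed fmwconfig directory
    that holds two of the three files, so the missing one is reported."""
    root = Path(tempfile.mkdtemp())
    src = root / "fmwconfig"
    src.mkdir()
    (src / ".oamkeystore").write_bytes(b"constructed-keystore")
    (src / "oam-config.xml").write_text("<Setting/>")
    copied, missing = backup_files(src, root / "backups", stamp="demo")
    return [p.name for p in copied], missing


if __name__ == "__main__":
    print(demo())  # (['.oamkeystore', 'oam-config.xml'], ['.oamtruststore'])
    print(" ".join(genkeypair_cmd(ALIASES["signing"], "oamhost.example.com")))
```

renew() refuses to continue when any of the three files is absent, which is the point of doing the backup first: a renewal that cannot be rolled back should not start.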

    ----------------------------------------------------------------------------------------------