OAM Authentication Fails with Multiple User Matches from OVD

Recently we encountered an issue at a client where we were seeing intermittent failures for some users when they tried to authenticate via OAM.

In the logs, we saw errors indicating that authentication failed because multiple users had the same UID (the attribute OAM was using to find users in the identity store).

As it turns out, the identity store was an Oracle Virtual Directory instance with multiple adapters pointing to several different backend data stores. In the case of these authentication failures, there were matching users in several backend data stores with the same UID, meaning OAM could not authenticate.

The solution was to apply the UniqueEntry plugin to OVD so OAM will only get a single user DN match. Remember, this is a global plugin so it should not be applied at the adapter level.

Configure the UniqueEntry Plugin

In ODSM, log in to your OVD instance and navigate to Advanced -> Global Plugins. Click the Create Plug-in button, then click Select and choose UniqueEntryPlugin from the Class list. Specify a name for the plugin (any name will do). Add a parameter called uniqueattribute and set its value to the attribute you want to use as the unique key; in our case, it was uid. Finally, click OK.

[Screenshot: plug-in creation]

The obvious question here is this: who wins? In other words, if there exists a JSMITH in three different backend data sources in OVD, which one will the UniqueEntry plugin return? The answer lies in the Adapter Priority feature.

Setting Adapter Priorities

To configure Adapter Priorities, navigate to the Adapter tab, and then choose an Adapter from the list on the left. Click on the Routing tab, and enter a number in the box as seen below.

[Screenshot: adapter priority setting]

Remember that the lower the value you specify, the higher the priority. For example, if the employee directory adapter has a priority of 10 and the customer directory adapter has a priority of 20, the employee directory is searched first, followed by the customer directory.
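To make the "who wins" rule concrete, here is an added Python model (not code from this post, Oracle, or OVD) of the two behaviours described above: without the plugin, a uid search returns one match per adapter, which OAM rejects; with a global UniqueEntry plugin, only the entry from the adapter with the lowest priority number survives. Adapter names, DNs and priorities are constructed sample data, and `find_collisions` is a hypothetical audit helper showing which uid values are duplicated across adapters.

```python
# Constructed sample data: the same uid exists in three backend stores.
EMP = "cn=jsmith,ou=employees,dc=example,dc=com"
CUST = "cn=jsmith,ou=customers,dc=example,dc=com"
PART = "cn=jsmith,ou=partners,dc=example,dc=com"

# Each adapter: name, routing priority (lower number = searched first), entries.
ADAPTERS = [
    {"name": "customers", "priority": 20, "entries": [
        {"dn": CUST, "uid": "jsmith"},
        {"dn": "cn=ajones,ou=customers,dc=example,dc=com", "uid": "ajones"}]},
    {"name": "employees", "priority": 10, "entries": [
        {"dn": EMP, "uid": "jsmith"}]},
    {"name": "partners", "priority": 30, "entries": [
        {"dn": PART, "uid": "jsmith"}]},
]

def by_priority(adapters):
    """Order adapters the way OVD routing does: lowest priority value first."""
    return sorted(adapters, key=lambda a: a["priority"])

def raw_search(adapters, attr, value):
    """No plugin: every adapter's match is returned, in priority order."""
    return [e["dn"] for a in by_priority(adapters)
            for e in a["entries"] if e.get(attr) == value]

def unique_entry_search(adapters, attr, value, uniqueattribute="uid"):
    """Global UniqueEntry plugin: keep the first entry seen per uniqueattribute value."""
    seen, out = set(), []
    for a in by_priority(adapters):
        for e in a["entries"]:
            if e.get(attr) != value or e.get(uniqueattribute) in seen:
                continue
            seen.add(e.get(uniqueattribute))
            out.append(e["dn"])
    return out

def oam_user_lookup(dns):
    """OAM's rule as the post describes it: exactly one DN, or authentication fails."""
    if len(dns) != 1:
        raise LookupError(f"expected exactly one user, got {len(dns)}: {dns}")
    return dns[0]

def find_collisions(adapters, uniqueattribute="uid"):
    """Hypothetical audit: uniqueattribute values present in more than one adapter."""
    owners = {}
    for a in adapters:
        for e in a["entries"]:
            owners.setdefault(e.get(uniqueattribute), set()).add(a["name"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}
```

Running `find_collisions` against your own directory data before enabling the plugin tells you which accounts are currently failing and which adapter will win for each of them.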

For more information about the UniqueEntry Plugin, refer to the documentation.

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.