Enabling unsolicited login in OAM 11gR2


What Is Unsolicited Login?

Unsolicited login is the functionality where users can access some parts or features of an application anonymously, while other parts or features require them to log in (authenticate) before use.

An Unsolicited Login Scenario For OAM

Let's assume there is an application ABC that we access via www.abc.com. By default, any user accessing the ABC application is shown the homepage. The homepage has a login button; when the user clicks it, they are redirected to the login page, which displays a login form with a username field, a password field and a submit button. When the user clicks submit, the credentials are posted and authenticated by OAM.

Steps To Implement Unsolicited Login

  1. Shut down all the servers of the OAM domain.
  2. Navigate to OAM_DOMAIN/config/fmwconfig/ (where OAM_DOMAIN is the WebLogic domain folder of the OAM domain in which the AdminServer is present).
  3. Take a backup of oam-config.xml, then open oam-config.xml and search for the following entry:

<Setting Name="Version" Type="xsd:integer">

Increase the version number by one, e.g.:

<Setting Name="Version" Type="xsd:integer">101</Setting>

  4. Search for the following entry:

<Setting Name="DirectAuthenticationServiceDescriptor" Type="htf:map">

Set its ServiceStatus to True, as below:

<Setting Name="DirectAuthenticationServiceDescriptor" Type="htf:map">
<Setting Name="ServiceStatus" Type="xsd:boolean">True</Setting>
</Setting>
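As an added illustration (not part of the original post and not an Oracle tool), the Python script below applies the two oam-config.xml edits from the steps above to a constructed minimal fragment of the file, bumping Version and setting ServiceStatus, then reads the flag back to verify the change. The element layout and namespace handling are assumptions about the real file, so try it on a backup copy first.

```python
import xml.etree.ElementTree as ET

# Constructed minimal stand-in for oam-config.xml (the real file is much
# larger and may carry an XML namespace; the lookup below tolerates both).
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="Version" Type="xsd:integer">100</Setting>
  <Setting Name="DirectAuthenticationServiceDescriptor" Type="htf:map">
    <Setting Name="ServiceStatus" Type="xsd:boolean">false</Setting>
  </Setting>
</Configuration>"""


def _settings(root, name):
    """Yield every <Setting Name=...> element below root, ignoring any namespace."""
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Setting" and elem.get("Name") == name:
            yield elem


def enable_unsolicited_login(xml_text):
    """Return (new_xml, new_version): Version bumped by one, ServiceStatus set to True.

    Raises ValueError instead of silently writing a half-edited file when one of
    the expected settings is missing.
    """
    root = ET.fromstring(xml_text)

    version = next(_settings(root, "Version"), None)
    if version is None:
        raise ValueError("Version setting not found")
    new_version = int(version.text) + 1
    version.text = str(new_version)

    descriptor = next(_settings(root, "DirectAuthenticationServiceDescriptor"), None)
    if descriptor is None:
        raise ValueError("DirectAuthenticationServiceDescriptor not found")
    status = next(_settings(descriptor, "ServiceStatus"), None)
    if status is None:
        raise ValueError("ServiceStatus not found under the descriptor")
    status.text = "True"

    return ET.tostring(root, encoding="unicode"), new_version


def service_status(xml_text):
    """Read back the ServiceStatus flag so the edit can be verified."""
    root = ET.fromstring(xml_text)
    descriptor = next(_settings(root, "DirectAuthenticationServiceDescriptor"))
    return next(_settings(descriptor, "ServiceStatus")).text
```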

How To Ensure That Unsolicited Login Is Enabled In OAM

Restart the servers of the OAM domain so that the AdminServer pushes the updated oam-config.xml to all servers in a distributed environment. Then change the application's login page so that it posts the login information to this OAM endpoint:

https://oam_host:oam_port/oam/server/authentication

The information we need to post to the endpoint is:
  a) username
  b) password
  c) successurl

If authentication succeeds, the user is redirected to the successurl passed to the endpoint; otherwise OAM shows an error page stating that an incorrect username or password was specified.

How Does Authentication Happen?

Once the information is posted to the endpoint, the /oamDirectAuthentication resource comes into play and the user is authenticated according to the authentication policy for that resource.

/oamDirectAuthentication is a virtual resource defined in the system that represents the physical endpoint for unsolicited login; it is present under the IAMSuite application domain of OAM.

Troubleshooting

After following the steps above, I got the following error when trying to authenticate a user with an unsolicited POST:

“System error. Please re-try your action. If you continue to get this error, please contact the Administrator.”

The Problem

After enabling TRACE32 logs, it turned out that during unsolicited login OAM checks whether the successurl passed to the endpoint is a protected resource; if it is not protected, the above error is returned.

The Solution

The successurl passed to the endpoint must be a resource protected by OAM.