
IDMWORKS Blog

Enabling unsolicited login in OAM 11gR2


What Is Unsolicited Login?
Unsolicited login is the functionality where users can access some parts or features of an application anonymously, while other parts or features require them to log in (authenticate) before they can be used.

An Unsolicited Login Scenario For OAM
Let's assume there is an application ABC that we access via www.abc.com. By default, any user accessing the ABC application is shown the homepage. The homepage has a login button, and once the user clicks it they are redirected to the login page. The login page displays a login form with a username field, a password field and a submit button. After the user clicks submit, the credentials are posted and authenticated by OAM.

Steps To Implement Unsolicited Login

1. Shut down all the servers of the OAM domain.

2. Navigate to OAM_DOMAIN/config/fmwconfig/ (where OAM_DOMAIN is the WebLogic domain folder of the OAM domain in which the AdminServer is present).

3. Take a backup of oam-config.xml, then open oam-config.xml and search for the entry below:

<Setting Name="Version" Type="xsd:integer">

Increase the version by one, as below:

<Setting Name="Version" Type="xsd:integer">101</Setting>

Then search for the entry below:

<Setting Name="DirectAuthenticationServiceDescriptor" Type="htf:map">

Set its ServiceStatus to true, as below:

<Setting Name="DirectAuthenticationServiceDescriptor" Type="htf:map">

<Setting Name="ServiceStatus" Type="xsd:boolean">True</Setting>

</Setting>
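The edit in step 3 can be scripted and verified rather than done by hand. The following is an added example (not from the original post and not Oracle's own tooling): it bumps the Version setting by one, flips ServiceStatus under DirectAuthenticationServiceDescriptor to true, and offers a check that reports whether the flag is set. The miniature oam-config.xml embedded below is constructed for the example and only mirrors the nesting of the two settings the post touches; the real file is much larger.

```python
import xml.etree.ElementTree as ET

# Constructed miniature of oam-config.xml (only the two settings we care about).
SAMPLE_OAM_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Setting Name="Version" Type="xsd:integer">100</Setting>
  <Setting Name="DirectAuthenticationServiceDescriptor" Type="htf:map">
    <Setting Name="ServiceStatus" Type="xsd:boolean">false</Setting>
  </Setting>
</Configuration>
"""


def _settings(node, name):
    """Yield <Setting> elements below node (any namespace) whose Name attribute equals name."""
    for el in node.iter():
        if el.tag.rsplit("}", 1)[-1] == "Setting" and el.get("Name") == name:
            yield el


def enable_unsolicited_login(xml_text):
    """Return (new_xml_text, new_version) with Version incremented and ServiceStatus set to true.

    Raises ValueError if the expected settings are absent, so a mis-edited file is
    never written back silently.
    """
    root = ET.fromstring(xml_text)
    version_el = next(_settings(root, "Version"), None)
    if version_el is None or not (version_el.text or "").strip().isdigit():
        raise ValueError("Version setting missing or not an integer")
    new_version = int(version_el.text.strip()) + 1   # OAM only picks up a changed config if Version grows
    version_el.text = str(new_version)

    descriptor = next(_settings(root, "DirectAuthenticationServiceDescriptor"), None)
    if descriptor is None:
        raise ValueError("DirectAuthenticationServiceDescriptor not found")
    status = next(_settings(descriptor, "ServiceStatus"), None)
    if status is None:
        raise ValueError("ServiceStatus not found under DirectAuthenticationServiceDescriptor")
    status.text = "true"
    return ET.tostring(root, encoding="unicode"), new_version


def unsolicited_login_enabled(xml_text):
    """True when ServiceStatus under DirectAuthenticationServiceDescriptor reads true (case-insensitive)."""
    root = ET.fromstring(xml_text)
    descriptor = next(_settings(root, "DirectAuthenticationServiceDescriptor"), None)
    if descriptor is None:
        return False
    status = next(_settings(descriptor, "ServiceStatus"), None)
    return status is not None and (status.text or "").strip().lower() == "true"
```

Run enable_unsolicited_login on the contents of your backed-up copy and write the result to oam-config.xml only after unsolicited_login_enabled confirms the flag; the AdminServer must still be restarted for the change to propagate.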


How To Ensure That Unsolicited Login Is Enabled In OAM
Restart the servers of the OAM domain so that the AdminServer pushes the updated oam-config.xml to all servers in a distributed environment. Then change the application's login page so that it posts the login information to this OAM endpoint:

https://oam_host:oam_port/oam/server/authentication

The information we need to post to the endpoint is:
a) username
b) password
c) successurl

If authentication succeeds, the user is redirected to the successurl passed to the endpoint; otherwise OAM shows an error page stating that an incorrect username or password was specified.

How Does Authentication Happen?
Once you post the information to the endpoint, the /oamDirectAuthentication resource comes into the picture and the user is authenticated by the authentication policy attached to that resource.

/oamDirectAuthentication is a virtual resource defined in the system that represents the physical endpoint for unsolicited login; it is present under the IAMSuite application domain of OAM.

Troubleshooting
After following the steps mentioned above, I was getting the error below when trying to authenticate a user using an unsolicited POST:

"System error. Please re-try your action. If you continue to get this error, please contact the Administrator."


The Problem
After enabling TRACE32 logs, it turned out that during unsolicited login OAM checks whether the successurl passed to the endpoint is a protected resource; if it is not protected, you get the error above.

The Solution
The successurl passed to the endpoint must be protected in OAM.
