IDMWORKS Blog

New Features in OAM 11.1.2.2: Persistent Login (Remember Me)


One of the new features in OAM 11g R2 PS2 (11.1.2.2) is Persistent Login, also known as Remember Me. This means that OAM can remember a user’s session for a defined period of time, so even if they close their browser, they’ll be able to log back in again without providing credentials.

This is a common feature you see on many websites, but up until this point, in OAM 11g this feature was not available. It was possible with custom code but it was not out-of-the-box. Now with PS2, this is an out-of-the-box feature. In this blog post we will give you some pointers on configuring this new feature, with special emphasis on a few key points you won’t find in the Oracle documentation.

Configuration

The Oracle documentation does a good job of walking you through the configuration, so we won’t cover these steps specifically. At a high level, you will need to:

  • Check the “Allow Persistent Login” option on your Application Domain.
  • Run a WLST command to enable persistent login globally in OAM.
  • Create a new Authentication Scheme with an additional Challenge Parameter: enablePersistentLogin=true
  • Associate your resources with this new Authentication Scheme.
  • For your Authorization Policies, add a new session response called allowPersistentLogin with value true.

All of these steps are fairly straightforward from the doc (which can be found here). The only key point missing is that it does not explicitly spell out that you need to check “Allow Persistent Login” for your Application Domain. This is buried in the introductory paragraph and it is easy to miss, so don’t forget this important step.

With these steps complete, the feature is enabled on the default out-of-the-box login page.


Using A Custom Login Page

What the documentation doesn’t make clear is how to enable this feature with your own custom login page. Not many customers stick with the default Oracle login page, so enabling this feature with a custom login page is essential.

To enable this feature with your own custom login page, you’ll simply need to add the following HTML form field to your login form:

  • type: checkbox
  • name: PersistentLogin
  • value: true

That’s all there is to it. 
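
A quick check for a custom login page, added here as an example (Python, not code from this post or from Oracle): it confirms the page carries the checkbox described above, inside the form, with the value true. The sample page is constructed; its username and password field names are placeholders, and the form action reuses the URI visible in the log further down this page.

```python
from html.parser import HTMLParser

# Constructed sample of a custom login page. Only the PersistentLogin checkbox
# comes from the article; the other field names are placeholders and the form
# action is the URI that appears in the log quoted in the comments.
SAMPLE_PAGE = """
<form method="post" action="/oam/server/auth_cred_submit">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="PersistentLogin" value="true"> Keep me signed in
  <input type="submit" value="Login">
</form>
"""

class FormScanner(HTMLParser):
    """Collects every <input> and records whether it sits inside a <form>."""
    def __init__(self):
        super().__init__()
        self.depth = 0
        self.inputs = []  # list of (attribute dict, inside_form flag)

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.depth += 1
        elif tag == "input":
            self.inputs.append((dict(attrs), self.depth > 0))

    def handle_endtag(self, tag):
        if tag == "form" and self.depth:
            self.depth -= 1

def check_persistent_login_field(html):
    """Return a list of problems; an empty list means the field is correct."""
    scanner = FormScanner()
    scanner.feed(html)
    found = [(a, inside) for a, inside in scanner.inputs
             if a.get("name") == "PersistentLogin"]
    if not found:
        return ["no input named PersistentLogin"]
    problems = []
    for attrs, inside in found:
        if not inside:
            problems.append("field is not inside a <form>")
        if (attrs.get("type") or "").lower() != "checkbox":
            problems.append("type must be checkbox")
        if attrs.get("value") != "true":
            # A checkbox with no value attribute submits "on", not "true".
            problems.append("value must be true")
    return problems
```
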

To verify this functionality, access your OAM-protected resource, check the box, and log in. When you close your browser and try again, you will not be challenged for credentials. Take note of the new OAM_RM persistent cookie in your browser once this feature is enabled. If you remove this cookie, you will be challenged again for your credentials.

 


Comments on: “New Features in OAM 11.1.2.2: Persistent Login (Remember Me)”

  1. Hi Justin,

    I have enabled persistent login for one application domain in my enterprise.
    I am OK with that application but am facing an issue with apps in other domains.
    Here is my test case:

    1. Accessed application (example: App1), which is under an application domain with persistent login enabled
    2. Provided credentials with keep me signed in and accessed the resource
    3. Closed browser
    4. Accessed App1 again and this time I am logged in without any login page (expected)
    5. In the same browser, accessed another app (say App2), which is in another domain for which persistent is not enabled
    6. It challenged me with a login page without the keep me signed in check box (expected)
    7. I provided correct credentials, but I got invalid username and password error specified error
    8. When I access App2 in another browser with the same credentials, I logged in successfully

    Error I am seeing in diagnostic logs:

    [2015-01-19T23:52:14.129-05:00] [WLS_OAM1] [TRACE:16] [] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 0053GsnpY0RDOdJLMml3ie0000gK000MOn,0:1] [APP: oam_server#11.1.2.0.0] [URI: /oam/server/auth_cred_submit] [SRC_CLASS: oracle.security.am.engine.authn.internal.controller.AuthenticationEngineControllerImpl] [SRC_METHOD: validateUser] Authenticated User Name: VXFK73
    [2015-01-19T23:52:14.157-05:00] [WLS_OAM1] [ERROR] [OAM-02054] [oracle.oam.controller] [tid: [ACTIVE].ExecuteThread: ‘1’ for queue: ‘weblogic.kernel.Default (self-tuning)’] [userId: ] [ecid: 0053GsnpY0RDOdJLMml3ie0000gK000MOn,0:1] [APP: oam_server#11.1.2.0.0] [URI: /oam/server/auth_cred_submit] SSO session creation failed.[[
    oracle.security.am.common.utilities.exception.AmRuntimeException: LoggedIn user is different than the existing session user
    at oracle.security.am.engines.sso.adapter.MultipleUserSessionAdapterImpl.shouldUpdateOnSubjectValidationFailure(MultipleUserSessionAdapterImpl.java:252)
    at oracle.security.am.engines.sso.adapter.AbstractSessionAdapterImpl.createUpdateSession(AbstractSessionAdapterImpl.java:577)
    at oracle.security.am.engines.enginecontroller.SSOEngineController.createSession(SSOEngineController.java:3352)
    at oracle.security.am.engines.enginecontroller.SSOEngineController.processEvent(SSOEngineController.java:524)
    at oracle.security.am.controller.MasterController.processEvent(MasterController.java:596)
    at oracle.security.am.controller.MasterController.processRequest(MasterController.java:788)
    at oracle.security.am.controller.MasterController.process(MasterController.java:708)
    at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLFlowManager.java:209)
    at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:147)
    at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:107)
    at oracle.security.am.pbl.transport.http.AMServlet.handleRequest(AMServlet.java:199)
    at oracle.security.am.pbl.transport.http.AMServlet.doPost(AMServlet.java:158)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
    at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:460)
    at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
    at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
    at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.security.wls.filter.SSOSessionSynchronizationFilter.doFilter(SSOSessionSynchronizationFilter.java:292)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.security.am.agent.wls.filters.OAMServletAuthenticationFilter.doFilter(OAMServletAuthenticationFilter.java:265)
    at oracle.security.am.agent.wls.filters.OAMValidationSystemFilter.doFilter(OAMValidationSystemFilter.java:133)
    at oracle.security.wls.oamagent.OAMAgentWrapperFilter.doFilter(OAMAgentWrapperFilter.java:120)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

    I have followed the steps from the Oracle doc.
    Can you please suggest?
    Thanks

  2. Shravani,

    Thank you for your comment. At first glance, this might actually be a bug. I recommend opening an SR with Oracle to confirm.

    I’m also not totally sure if this use case is supported, where you want to SSO between two apps with only one app supporting persistent login. You may be able to work around this programmatically.

    Good luck.

    Regards,
    Justin
