Showing posts with label OIF.

Thursday, March 21, 2013

Resolving OIF Error "FED-15132: Unknown refID" when a JSP-based form login is used for OAM authentication

The Issue :- 
My OIF server is integrated with OAM for authentication. I used a JSP-based form login to collect credentials when a user makes an InitiateSSO call. I started seeing this error in the OIF logs. This is very much reproducible on clustered OAM and OIF servers.

FED-15132: Unknown refID
Cause: User previously accessed the Oracle Identity Federation server with a different host name than the one in the current request and cookies were not transmitted.
Action: Use the same hostname and fully qualified domain URL to access the Oracle Identity Federation

FED-15128: An internal error occurred while processing the credentials
Cause: The authentication engine did not return the required refID parameter.
Action: Check that the authentication flow correctly sent the refID parameter to the Oracle Identity Federation server


What's going on under the hood :- 
The OIF server is a J2EE application running on WebLogic Server, and WebLogic tracks its HTTP session with a JSESSIONID cookie. My custom JSP-based form login is a second J2EE application, deployed on the OAM server, and it gets a JSESSIONID of its own when the login page is invoked. To add a pinch of salt, I use the same load-balancer address (e.g. sso.abc.com) to reach several WebLogic applications. By default every one of them issues a cookie with the same name, JSESSIONID, scoped to domain=sso.abc.com and path=/, and a browser keeps only one cookie per name, domain and path, so whichever application sets it last wins. The login form's session cookie therefore overwrites OIF's, and when the login form posts the credentials and refID back, OIF cannot find the session it associated with that refID and reports the refID as unknown.

Solution :-
You may have already guessed it. Open the weblogic.xml of your custom login form WAR file and add the following inside the <weblogic-web-app> root element:

<session-descriptor>
<cookie-name>MyJSessionId</cookie-name>
</session-descriptor>


Basically, you are instructing WebLogic Server to name the session cookie of your form login MyJSessionId instead of JSESSIONID, so it no longer clashes with OIF's session cookie. (The session-descriptor also accepts a <cookie-path>, which would confine the cookie to the login application's context root, but a distinct name is the simplest fix when everything shares one hostname and path=/.) Redeploy the WAR for the change to take effect.
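The following Python script is an added example, not code from the original post, that models the browser side of this clash. It implements the RFC 6265 rule that a user agent keeps at most one cookie per (name, domain, path) tuple, replays InitiateSSO, the form login and the credential post behind one load-balancer host, and shows the refID lookup failing when both applications use JSESSIONID and succeeding once the login app uses its own cookie name. The hostname sso.abc.com is the post's example; the request path, session ids and refID value are constructed for the demonstration.

```python
"""Why two WebLogic apps behind one hostname lose each other's session.

Added example, not code from the original post.  It models a browser
cookie store the way RFC 6265 does: a user agent keeps at most one
cookie per (name, domain, path) tuple, so a later Set-Cookie with the
same tuple silently replaces the earlier one.  The request path,
session ids and refID value below are constructed for the demonstration.
"""
from http.cookies import SimpleCookie


def _path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Minimal browser cookie store keyed on (name, domain, path)."""

    def __init__(self):
        self._store = {}

    def set_cookie(self, set_cookie_value, request_host):
        """Store one Set-Cookie header value as the browser would."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        for name, morsel in parsed.items():
            domain = (morsel["domain"] or request_host).lower()
            path = morsel["path"] or "/"
            # Same (name, domain, path) => the earlier cookie is overwritten.
            self._store[(name, domain, path)] = morsel.value

    def cookies_for(self, request_host, request_path):
        """Cookies the browser would attach to a request."""
        return {
            name: value
            for (name, domain, path), value in self._store.items()
            if domain == request_host.lower() and _path_matches(request_path, path)
        }


def simulate_login(jar, login_cookie_name):
    """Replay InitiateSSO -> form login -> credentials posted back to OIF.

    OIF keeps the refID in its own HTTP session; the login app (a second
    WebLogic web app on the same load-balancer host) creates a session of
    its own.  ``login_cookie_name`` is what its weblogic.xml
    <cookie-name> is set to.
    """
    host = "sso.abc.com"          # load-balancer hostname from the post
    oif_sessions = {}             # OIF's server-side session table

    # 1. InitiateSSO: OIF creates a session that records the refID it is
    #    about to hand to the authentication engine.
    oif_sid = "oif-session-0001"                      # constructed
    oif_sessions[oif_sid] = {"refID": "ref-42"}       # constructed
    jar.set_cookie(f"JSESSIONID={oif_sid}; Path=/; HttpOnly", host)

    # 2. OIF redirects to the JSP login app, which creates its own session.
    jar.set_cookie(f"{login_cookie_name}=login-session-0001; Path=/; HttpOnly", host)

    # 3. After authentication the login app posts refID back to OIF, and
    #    OIF looks for the session that issued that refID.
    sent = jar.cookies_for(host, "/fed/user/authnengine")   # constructed path
    oif_session = oif_sessions.get(sent.get("JSESSIONID"))
    resolved = bool(oif_session and oif_session["refID"] == "ref-42")
    return {"cookies_sent": sent, "refid_resolved": resolved}


if __name__ == "__main__":
    for name in ("JSESSIONID", "MyJSessionId"):
        result = simulate_login(CookieJar(), name)
        print(f"login cookie {name:<12} -> sent {result['cookies_sent']}"
              f" refID resolved: {result['refid_resolved']}")
```

With both apps on JSESSIONID the browser sends only the login app's session id to OIF, which is exactly the "cookies were not transmitted" condition behind FED-15132; with a distinct name both cookies survive and OIF finds its session. The same model shows why a different hostname per application would also have avoided the clash, since the domain is part of the key.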

Wednesday, October 10, 2012

Quick Tips: Finding the IAM component versions

It was a little harder than I thought :( My WebLogic expert friend shared it.

For OIF and OAM :-

Assuming OIF is installed in the Oracle_IDM2 home:
$ export ORACLE_HOME=/opt/apps/Oracle/Middleware/Oracle_IDM2
$ export PATH=$PATH:/opt/apps/Oracle/Middleware/Oracle_IDM2/OPatch
$ opatch lsinventory -detail -invPtrLoc /opt/apps/Oracle/Middleware/Oracle_IDM2/oraInst.loc

For OHS :-
$ opatch lsinventory -detail -invPtrLoc /opt/apps/OHS/Oracle_WT1/oraInst.loc

For WEBGATE :-
$ opatch lsinventory -detail -invPtrLoc /opt/apps/OHS/Oracle_OAMWebGate1/oraInst.loc -jdk /opt/apps/OHS/oracle_common/jdk/

In each case -invPtrLoc points at the oraInst.loc of the home being inspected. The output lists the installed top-level products with their versions, followed by the interim patches applied to that home, which is what you need when checking a server against the current Critical Patch Update.




Monday, October 1, 2012

Changing an OIF server parameter using WLST

A quick reference on WLST usage. Here is an example of setting an OIF server parameter (userldapconnectionreadtimeout) with a WLST command.

$ export DOMAIN_HOME=..Directory/Oracle/Middleware/user_projects/domains/OIF_DOMAIN
$ . Directory/opt/apps/Oracle/Middleware/Oracle_IDM2/fed/scripts/setOIFEnv.sh
$ java weblogic.WLST
wls:/offline> setConfigProperty('datastore','userldapconnectionreadtimeout', '120','long')
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://oifServer.abc.com:7499

wls:/EPP_STAGE_SECURITY_DOMAIN/serverConfig> disconnect()

wls:/offline> exit()

setConfigProperty is made available by sourcing setOIFEnv.sh; its arguments are the property group (datastore), the property name, the new value and the value's type. The command connects to the OIF managed server's t3 port and prompts for the administrator credentials rather than taking them on the command line, so the password does not end up in the shell history.

Check for your change in :-
$ vi /opt/apps/Oracle/Middleware/user_projects/domains/EPP_STAGE_SECURITY_DOMAIN/config/fmwconfig/servers/wls_oif2/applications/OIF_11.1.1.2.0/configuration/config.xml