This post covers an issue hit by one of our trainees during the EBS-OAM Integration Training, on an EBS R12.2 environment integrated with OAM/OID for Single Sign-On (SSO).
Issue:
After integrating OAM with OID and changing OAM's System Store to OID, the trainee could not log in to the OAM Console with a user from OID. The OAM server diagnostic log (under $DOMAIN_HOME/servers/<OAM_Server>/logs/*diagnostic*.log) showed the error below:
<Error> <oracle.oam.user.identity.provider> <OAMSSA-20142> <Authentication Failure for user oamadmin, user not found in idstore UserIdentityStore1 with exception oracle.igf.ids.EntityNotFoundException: Entity not found for the search filter (&(objectclass=person)(uid=oamadmin)).>
Root Cause:
Before we come to fix, lets understand what this issue is. If you look at oam-config.xml (Under <DOMAIN_HOME>/config/fmwconfig), idStore UserIdentityStore1 is pointing to embedded LDAP Server
Note: OAM can have multiple Identity Store but Identity Store designeated as System Store (IsSystem=True) is used to login to OAMConsole
<Setting Name="UserIdentityStore" Type="htf:map">
    <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=Admin</Setting>
    <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">ou=groups,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
    <Setting Name="Type" Type="xsd:string">LDAP</Setting>
    <Setting Name="IsSystem" Type="xsd:boolean">false</Setting>
    <Setting Name="IsPrimary" Type="xsd:boolean">false</Setting>
    <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
    <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}F8E3A9FAD9D662F753D842979423ED3D</Setting>
    <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
    <Setting Name="USER_SEARCH_BASE" Type="xsd:string">ou=people,ou=myrealm,dc=base_domain</Setting>
    <Setting Name="ENABLE_PASSWORD_POLICY" Type="xsd:boolean">false</Setting>
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
    <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
</Setting>
Now the question is: "Why does the login go to the embedded LDAP server even though, in oam-config.xml, the System Store (IsSystem=true) points to OID?"
<Setting Name="LDAP" Type="htf:map">
    <Setting Name="3FD25D70107FDEF319" Type="htf:map">
        <Setting Name="SECURITY_PRINCIPAL" Type="xsd:string">cn=orcladmin</Setting>
        <Setting Name="GROUP_SEARCH_BASE" Type="xsd:string">cn=Groups,dc=hussain,dc=net</Setting>
        <Setting Name="ConnectionRetryCount" Type="xsd:integer">3</Setting>
        <Setting Name="USER_NAME_ATTRIBUTE" Type="xsd:string">uid</Setting>
        <Setting Name="Type" Type="xsd:string">OID</Setting>
        <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
        <Setting Name="GroupCacheEnabled" Type="xsd:boolean">false</Setting>
        <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
        <Setting Name="ConnectionWaitTimeout" Type="xsd:integer">120</Setting>
        <Setting Name="Name" Type="xsd:string">OID1</Setting>
        <Setting Name="SECURITY_CREDENTIAL" Type="xsd:string">{AES}488ED2E6384ACFB3027B13355AEC1A4E</Setting>
        <Setting Name="NATIVE" Type="xsd:boolean">false</Setting>
        <Setting Name="SearchTimeLimit" Type="xsd:integer">0</Setting>
        <Setting Name="MIN_CONNECTIONS" Type="xsd:integer">10</Setting>
        <Setting Name="LDAP_PROVIDER" Type="xsd:string">OID</Setting>
        <Setting Name="USER_SEARCH_BASE" Type="xsd:string">cn=Users,dc=hussain,dc=net</Setting>
        <Setting Name="ENABLE_PASSWORD_POLICY" Type="xsd:boolean">false</Setting>
        <Setting Name="LDAP_URL" Type="xsd:string">ldap://oid01.hussain.net:3060</Setting>
        <Setting Name="ReferralPolicy" Type="xsd:string">follow</Setting>
        <Setting Name="MAX_CONNECTIONS" Type="xsd:integer">50</Setting>
        <Setting Name="GroupCacheTTL" Type="xsd:integer">0</Setting>
        <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
        <Setting Name="GroupCacheSize" Type="xsd:integer">10000</Setting>
The answer is that your WebLogic config file ($DOMAIN_HOME/config/config.xml) still has IAMSuiteAgent in place. You need to remove IAMSuiteAgent from the OAM WebLogic Domain's Authentication Providers:
<sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:oam-servlet-authentication-filter-ia-providerType">
    <sec:name>IAMSuiteAgent</sec:name>
</sec:authentication-provider>
Because of this provider, SSO comes into the picture for OAMConsole: OAMConsole is protected by the LDAP authentication (ATN) scheme, and that scheme's LDAP module points to the embedded LDAP server (not to OID), so the System Store setting never gets a say.
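To make this root cause easy to verify on any domain, here is an added example script (not from the original post and not Oracle's code) that parses oam-config.xml and the WebLogic config.xml and reports which identity store carries IsSystem=true, whether any store still points at EMBEDDED_LDAP, and whether IAMSuiteAgent is still registered as an authentication provider. It assumes the Setting/htf:map layout shown in the excerpts above and the sec:authentication-provider/sec:name layout of config.xml; the two embedded sample documents are constructed from the post's excerpts, with placeholder credentials.

```python
import xml.etree.ElementTree as ET

# Constructed sample oam-config.xml excerpt, modelled on the two stores shown in
# the post. Nesting the stores under <Setting Name="LDAP"> is an assumption.
OAM_CONFIG_SAMPLE = """<Configuration>
  <Setting Name="UserIdentityStore" Type="htf:map">
    <Setting Name="LDAP" Type="htf:map">
      <Setting Name="UserIdentityStore1" Type="htf:map">
        <Setting Name="Name" Type="xsd:string">UserIdentityStore1</Setting>
        <Setting Name="Type" Type="xsd:string">LDAP</Setting>
        <Setting Name="IsSystem" Type="xsd:boolean">false</Setting>
        <Setting Name="IsPrimary" Type="xsd:boolean">false</Setting>
        <Setting Name="LDAP_PROVIDER" Type="xsd:string">EMBEDDED_LDAP</Setting>
        <Setting Name="LDAP_URL" Type="xsd:string">ldap://ldap-host:7001</Setting>
      </Setting>
      <Setting Name="3FD25D70107FDEF319" Type="htf:map">
        <Setting Name="Name" Type="xsd:string">OID1</Setting>
        <Setting Name="Type" Type="xsd:string">OID</Setting>
        <Setting Name="IsSystem" Type="xsd:boolean">true</Setting>
        <Setting Name="IsPrimary" Type="xsd:boolean">true</Setting>
        <Setting Name="LDAP_PROVIDER" Type="xsd:string">OID</Setting>
        <Setting Name="LDAP_URL" Type="xsd:string">ldap://oid01.hussain.net:3060</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""

# Constructed sample WebLogic config.xml excerpt with IAMSuiteAgent still present.
WLS_CONFIG_SAMPLE = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
        xmlns:sec="http://xmlns.oracle.com/weblogic/security"
        xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <security-configuration>
    <realm>
      <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension"
          xsi:type="ext:oam-servlet-authentication-filter-ia-providerType">
        <sec:name>IAMSuiteAgent</sec:name>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <sec:name>DefaultAuthenticator</sec:name>
      </sec:authentication-provider>
    </realm>
  </security-configuration>
</domain>
"""


def _local(tag):
    """Strip the namespace URI that ElementTree prefixes to a tag."""
    return tag.rsplit('}', 1)[-1]


def identity_stores(oam_config_xml):
    """Return one dict per identity store found in oam-config.xml.

    A store is any htf:map <Setting> whose direct children include an IsSystem
    entry, so the nesting depth of the file does not matter.
    """
    root = ET.fromstring(oam_config_xml)
    stores = []
    for elem in root.iter():
        if _local(elem.tag) != 'Setting' or elem.get('Type') != 'htf:map':
            continue
        fields = {c.get('Name'): (c.text or '').strip()
                  for c in elem
                  if _local(c.tag) == 'Setting' and c.get('Type') != 'htf:map'}
        if 'IsSystem' not in fields:
            continue
        stores.append({
            'name': fields.get('Name', elem.get('Name')),
            'provider': fields.get('LDAP_PROVIDER'),
            'url': fields.get('LDAP_URL'),
            'is_system': fields['IsSystem'].lower() == 'true',
            'is_primary': fields.get('IsPrimary', '').lower() == 'true',
        })
    return stores


def system_store(stores):
    """Return the store flagged IsSystem=true (the one OAMConsole should use), or None."""
    return next((s for s in stores if s['is_system']), None)


def weblogic_auth_providers(config_xml):
    """Return the authentication provider names declared in WebLogic's config.xml."""
    root = ET.fromstring(config_xml)
    return [(child.text or '').strip()
            for elem in root.iter() if _local(elem.tag) == 'authentication-provider'
            for child in elem if _local(child.tag) == 'name']


def diagnose(oam_config_xml, config_xml):
    """Return human-readable findings about where an OAMConsole login is resolved."""
    stores = identity_stores(oam_config_xml)
    sys_store = system_store(stores)
    findings = []
    if sys_store is None:
        findings.append('no identity store has IsSystem=true')
    elif sys_store['provider'] == 'EMBEDDED_LDAP':
        findings.append(f"system store {sys_store['name']} is the embedded LDAP server")
    if 'IAMSuiteAgent' in weblogic_auth_providers(config_xml):
        embedded = [s['name'] for s in stores if s['provider'] == 'EMBEDDED_LDAP']
        msg = ('IAMSuiteAgent is registered: OAMConsole login goes through OAM SSO, '
               'so the LDAP authentication module, not the System Store, picks the store')
        if embedded:
            msg += f" (stores still on embedded LDAP: {', '.join(embedded)})"
        findings.append(msg)
    return findings


if __name__ == '__main__':
    for line in diagnose(OAM_CONFIG_SAMPLE, WLS_CONFIG_SAMPLE) or ['no issue found']:
        print(line)
```

Run it against the real files by reading $DOMAIN_HOME/config/fmwconfig/oam-config.xml and $DOMAIN_HOME/config/config.xml into the two arguments of diagnose(); an empty result means the System Store is the only thing deciding where OAMConsole logins go.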
Fix:
You have two options to fix it:
1. Remove IAMSuiteAgent from the OAM WebLogic Domain with the steps below and restart the services.
Access the OAM console (http://<hostname>:<oam_port>/console) and click Security Realms.
Click myrealm and select the Providers tab.
Click Lock & Edit, select IAMSuiteAgent and click Delete.
Click Yes to delete IAMSuiteAgent, then restart the services and try again.
or
2. Change the LDAP ATN (authentication) module in OAM from the Embedded LDAP server to the OID server.