Monday, March 31, 2014

OAM Identity and AJAX - A 'Light Services' Approach

You just can't turn around without hitting your head on some 'AJAX' these days. And, as it turns out, there are some pretty good reasons (here and here) for it. Assuming that you agree that there are real benefits associated with this new web tactic, let's take some time to look at what we can achieve by applying it to the OAM Identity System.

At Nulli, we've said it before and we'll say it again: there was some seriously good thinking going on at Oblix back in the day. While Microsoft was inventing the XMLHttpRequest, the folks at Oblix were discussing the bold option of using (the very new) XSLT 1.0 to deliver an HTML user interface derived from the XML output of the Identity Server: a way to bring the directory service to the web in two short hops.

Now, chances are, if you are an Oblix / OAM customer that has made good use of the Identity System, you grimaced as you read 'XSLT'. And, in all fairness, it is true to say that the architectural decisions that Oblix made did have the result of pushing customers into technologies (namely XSL development) that they may not have chosen for themselves.

OIM Pre-populate Not Working

My colleague added a GTC resource to a user today but none of the pre-populate values got set.  Clicking the pre-populate button did not set the values either. Upon further inspection there were no pre-populate definitions set for the form.

We reverted to an older project and imported only the form definitions.  Once this was successful we tried adding the GTC resource to another user.  It still did not auto pre-populate the values but the pre-populate button itself worked.

We fired up the Design Console, went to Process Management > Process Definition and searched for the form. We checked the Auto Pre-populate check box on the process definition and saved it. When we retested adding the GTC resource to another user, it worked this time.

OIM Server in Admin Mode

Starting the OIM server never gets it to Running mode; it only starts in Admin mode. The logs contain an error indicating there was a problem creating a connection pool.

<Dec 31, 2012 11:00:14 AM MDT> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "xxxxxxxxx": ORA-01034: ORACLE not availableORA-27101: shared memory realm does not exist

The xxxxxxxxx in the error matches the name of one of the data sources exactly. Upon closer inspection the Data Source did not belong. It was applied to the OIM cluster, and that is why OIM started in admin mode. Removing the offending Data Source from WebLogic and restarting the OIM managed server rectified the problem.

The origin of the Data Source is unknown; it was likely created erroneously.
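The triage above (find the BEA-001129 line, pull out the pool name, check which cluster that data source is targeted at) is easy to script. The following is an added example, not code from the original post: it parses a constructed WebLogic server-log excerpt in the same `<timestamp> <severity> <subsystem> <message id> <message>` layout as the line quoted above, extracts the failing pool and the ORA codes (which the log fuses together, as in the quoted line), and reports which failed pools are targeted at a given cluster. The data-source-to-target map and the names `oim_cluster`, `soa_cluster` and `exampleGoodDS` are assumptions for illustration; in practice that map comes from the domain configuration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed WebLogic server-log excerpt. Only the BEA-001129 line is modelled on
# the one quoted in the post; the pool name "xxxxxxxxx" stays the page's placeholder.
SAMPLE_LOG = """\
<Dec 31, 2012 11:00:12 AM MDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
<Dec 31, 2012 11:00:14 AM MDT> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "xxxxxxxxx": ORA-01034: ORACLE not availableORA-27101: shared memory realm does not exist>
<Dec 31, 2012 11:00:20 AM MDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
"""

# Constructed data-source-to-target map (assumed names); a real check would read
# this from the domain configuration rather than hard-code it.
DATASOURCE_TARGETS = {
    "xxxxxxxxx": ["oim_cluster"],
    "exampleGoodDS": ["soa_cluster"],
}

LOG_LINE = re.compile(
    r'^<(?P<timestamp>[^>]*)> <(?P<severity>[^>]*)> <(?P<subsystem>[^>]*)> '
    r'<(?P<msg_id>BEA-\d+)> <(?P<message>.*)>$'
)
POOL_NAME = re.compile(r'creating connection for pool "(?P<pool>[^"]+)"')
ORA_CODE = re.compile(r'ORA-\d{5}')   # also finds codes fused together, as in the log


@dataclass
class LogEntry:
    timestamp: str
    severity: str
    subsystem: str
    msg_id: str
    message: str
    pool: Optional[str] = None
    ora_codes: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one <ts> <severity> <subsystem> <id> <message> line; None if it is not one."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = LogEntry(**m.groupdict())
    pm = POOL_NAME.search(entry.message)
    if pm:
        entry.pool = pm.group("pool")
    entry.ora_codes = ORA_CODE.findall(entry.message)
    return entry


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def failed_pools(text: str) -> List[str]:
    """Connection pools WebLogic could not open (BEA-001129), in first-seen order."""
    seen: List[str] = []
    for e in parse_log(text):
        if e.msg_id == "BEA-001129" and e.pool and e.pool not in seen:
            seen.append(e.pool)
    return seen


def reached_admin_mode(text: str) -> bool:
    """True if the server reported a state change to ADMIN."""
    return any(e.msg_id == "BEA-000365" and e.message.endswith("ADMIN")
               for e in parse_log(text))


def pools_blocking_cluster(text: str, targets: dict, cluster: str) -> List[str]:
    """Failed pools whose data source is targeted at `cluster`: the ones to fix
    (or remove, as in the post) before that cluster's servers will reach RUNNING."""
    return [p for p in failed_pools(text) if cluster in targets.get(p, [])]


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        if entry.msg_id == "BEA-001129":
            print(f"{entry.timestamp}: pool {entry.pool!r} failed with {', '.join(entry.ora_codes)}")
    print("admin mode reached:", reached_admin_mode(SAMPLE_LOG))
    print("blocking oim_cluster:", pools_blocking_cluster(SAMPLE_LOG, DATASOURCE_TARGETS, "oim_cluster"))
```

Run it against the managed server's log instead of `SAMPLE_LOG` and a data-source map dumped from the domain; a pool that shows up for the OIM cluster but is not one OIM itself needs is the candidate to remove.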

Tuesday, November 19, 2013

OIM EventHandler Export WLST

I was just trying to export some EventHandlers prior to applying an Oracle bundle patch and encountered the following error:

WLSTException: MDS-01160: Expecting absolute document reference. Reference " /metadata/iam-features-OIMMigration/EventHandlers.xml" is a relative reference to the document.MDS-91009: Operation "exportMetadata" failure. Use dumpStack() to view the full stacktrace. 

The reference in the error looked pretty absolute to me, but upon further inspection of the metadata_files property there was a space after the comma. I removed all of the spaces from the line and re-ran weblogicExportMetadata.sh, and voilà, no more error.
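A pre-flight check catches this before the export runs. The following is an added example, not code from the original post or from Oracle's tooling: it parses a constructed `weblogicExportMetadata.properties`-style file, splits the `metadata_files` value on commas without trimming, and flags any entry that carries surrounding whitespace (the space after the comma turns `/path` into ` /path`, which MDS reads as a relative reference and rejects with MDS-01160, exactly as above) or that does not start with `/`. Only the `metadata_files` key is named in the post; the other keys and the second document path are assumed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed weblogicExportMetadata.properties-style content. Only the metadata_files
# key is named in the post; the other keys are assumed for illustration. Note the
# space after the comma: that is the defect the post describes.
SAMPLE_PROPERTIES = """\
# constructed example, not a real export configuration
wls_servername=oim_server1
application_name=OIMMetadata
metadata_to_loc=/tmp/mds_export
metadata_files=/metadata/iam-features-OIMMigration/EventHandlers.xml, /metadata/EXAMPLE/Other.xml
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser that keeps values verbatim so stray whitespace stays visible."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        props[key.strip()] = value
    return props


def find_bad_refs(value: str) -> List[Tuple[str, str]]:
    """Entries MDS would reject, as (entry, reason) pairs.

    A space after the comma makes the next entry ' /path' rather than '/path'; MDS
    treats that as a relative reference and fails with MDS-01160, as in the post."""
    problems: List[Tuple[str, str]] = []
    for entry in value.split(","):
        if entry != entry.strip():
            problems.append((entry, "surrounding whitespace"))
        elif not entry.startswith("/"):
            problems.append((entry, "not an absolute reference"))
    return problems


def normalize_refs(value: str) -> str:
    """Rewrite the list with whitespace stripped and empty entries dropped."""
    return ",".join(e.strip() for e in value.split(",") if e.strip())


def check_export_properties(text: str) -> dict:
    """Report the offending entries and the corrected metadata_files value."""
    props = parse_properties(text)
    value = props.get("metadata_files", "")
    return {"problems": find_bad_refs(value), "fixed": normalize_refs(value)}


if __name__ == "__main__":
    result = check_export_properties(SAMPLE_PROPERTIES)
    for entry, reason in result["problems"]:
        print(f"bad entry {entry!r}: {reason}")
    print("metadata_files=" + result["fixed"])
```

Feed it the real properties file before calling weblogicExportMetadata.sh; the `fixed` value is what the line should be rewritten to.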

Monday, July 29, 2013

Nulli Gives Back to the Community – Floods Can’t Dampen Our Spirit!

On June 21, 2013, Southern Alberta was hit with devastating floods – the impacts both financially and emotionally will be felt for years.  Despite being a relatively small team, the flooding has impacted all of us at Nulli.  Some of our colleagues were temporarily evacuated from their homes, seeking shelter with colleagues, friends or neighbours until the dangers had passed.  Others had to stay evacuated until waters subsided, power was restored and cleaning out of contaminated belongings could be completed.  Yet others have family and friends who have had their homes and possessions completely destroyed and live day-to-day while they wait on flood policy and recovery decisions to determine their next steps for getting themselves into a home.

Flooded Neighbourhood - Sunnyside

The magnitude of the destruction is overwhelming and it is hard to comprehend the amount of resources that will be required to rebuild.  For many, the decision to rebuild or move out of flood prone areas will be uncertain for weeks to come as government guidelines and other factors come to fruition.

During these challenging times, Nulli has encouraged employees to give of their time wherever they can and to take time away from work to do so.  Our team has definitely been helping out in a multitude of ways.  Bringing their sweat labour, shovels, pumps, generators, fans, pressure washers, wrecking bars and bottomless energy, the Nulli team has placed their hearts on the line for anyone in need of a hand.  Everyone wants to help and everyone wants to make a difference.  When speaking of the volunteer support being offered by the Nulli team, a colleague recently stated, “I’m proud to be a part of Nulli, we have demonstrated our commitment to each other and to the community that we share so well”.

Nulli Team in High River

This has been a significant learning experience for all of us whether we have been impacted directly or indirectly; some of us have learned how to help while others have learned how to accept help.  The experience has been enormously rewarding on both a personal and community scale.  It’s been humbling to witness the wonderful things that people are capable of when faced with adversity and to support them in the process.

Nulli honours its commitment to community and its values, and lives up to its namesake of truly being ‘Second to None’.

Friday, June 14, 2013

Nulli - Keeping IAM Simple Stupid - ForgeRock Open Identity Summit

Nulli showcased our views on IM KISS - "Keep IAM Simple Stupid" - in a demo at the ForgeRock Open Identity Summit.   Presenting identity management in a visible and open format with nothing to hide is a key principle of the open community that Nulli and ForgeRock support.   The demo highlighted a rapidly deployed suite of the ForgeRock Open Identity Stack running on 4 Raspberry Pi computers.   So for a few hundred dollars Nulli was able to demonstrate the use of OAuth2 credentials from Google, Amazon and Facebook for accessing protected apps, provisioning accounts using the OpenIDM workflow engine and providing directory failover using OpenDJ.   All of this neatly packaged in a picture frame illustrating the process flow and server interaction.

ForgeRock Open Identity Stack running on Raspberry Pi

Truly lightweight, elegant and effective.   Want to learn more about our POC showcased in the IAM world?   Give me a shout at dsmall@nulli.com.  

Many thanks to Ludo Poitou for the encouragement and congratulations to Rob who made it all happen.

Monday, August 15, 2011

PeopleTools 8.51 SSO using Oracle Access Manager 11g (11.1.1.3)

For many years, OAM has provided a well documented SSO solution for PeopleSoft using typical header variable integration. However, PeopleBooks for PeopleTools 8.51 has become so, shall we say, refined, that it's now harder to achieve success with such time-tested integration steps.

My hard-fought, but successful integration attempt rested on 3 key things:
  1. Turning on Allow Public Access in the PeopleSoft PIA Web Profile - still required.

    I realize this was done in previous Tools versions, but I don't find it as clearly documented by Oracle for Tools 8.51. The Web Profile screen shot is gone and they no longer refer to the checkbox "Allow Public Access"; they simply say you have to set up the "public access user ID". So you have to make a small inference as to what to configure.


  2. Using "cmd=start", and not cmd=login, e.g. http://myhost:8080/psp/mypsoftdb/?cmd=start.

    cmd=login just gave me the PeopleSoft login page after authenticating through OAM, rather than the user's home page in PeopleSoft. Again, this was documented more clearly in the past, but not for the latest Tools versions. An experienced colleague, as well as an OAM 10g/PeopleTools 8.50 example from Metalink, pointed me to using cmd=start.


  3. Lowercasing header variable names when using Signon PeopleCode to retrieve them from the session, e.g. &userID = %Request.GetHeader("ps_sso_uid");

    This was the most important nuance. Although PeopleSoft conveniently provides Signon PeopleCode for this integration out-of-the-box, it does not hint that the header variable name containing the OPRID might need to be lowercased.

    The header var "PS_SSO_UID" is delivered in Signon PeopleCode, as the variable that PeopleSoft expects OAM to provide. I could dump the headers from the request object to prove that Signon PeopleCode could indeed see that header variable, but somehow it still could not read the value it contained. A colleague mentioned that another one of our customers integrated a home-grown app with OAM and had the same problem...until they tried lowercasing the header! Replacing "PS_SSO_UID" with "ps_sso_uid" did the trick. OAM 11g-PeopleTools 8.51 SSO --- done!

My Environment:
- Apache 2.2 on Solaris, as reverse proxy for a PeopleTools 8.51 PIA instance
- Webgate 10.1.4.3 for Apache
- OAM 11.1.1.3

It could be that you don't need to lowercase your PS_SSO_UID header var name in your environment. Or maybe this will change in future patches of OAM 11g. But, if you figure you did everything else correctly, then give this a try! I hope it helps.

Update 06-Jan-2012:
I have been asked if any official PS-OAM integration docs or white-papers exist. Sorry, I have not found any silver bullet document yet. What I use is a combination of the following docs:
- PeopleTools 8.51 Security Admin
- Oracle Access Manager 11g Policy Management
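The third point above came down to finding out under which exact name the SSO header reaches the application tier. The following is an added example, not code from the original post, from PeopleSoft or from Oracle: a small Python diagnostic that, given the headers as delivered (a constructed set here, standing in for what Apache/WebGate forwards), looks the expected header up case-insensitively and reports whether it is missing, empty, present under the expected spelling, or present only under a different case (the situation described in the post, where a lookup for "PS_SSO_UID" found nothing and "ps_sso_uid" worked). The `HeaderDumpHandler` is a stand-in backend you can point the reverse proxy at instead of the PIA to see the forwarded headers; the port, the OPRID value and the header names other than PS_SSO_UID are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

EXPECTED_HEADER = "PS_SSO_UID"   # the name delivered in Signon PeopleCode, per the post

# Constructed request headers standing in for what the reverse proxy hands to the PIA.
SAMPLE_HEADERS = {
    "Host": "myhost:8080",
    "ps_sso_uid": "JSMITH",        # constructed OPRID value
    "User-Agent": "constructed/1.0",
}


def find_header(headers: Dict[str, str], name: str) -> Tuple[Optional[str], Optional[str]]:
    """Case-insensitive lookup returning (name as delivered, value), or (None, None)."""
    for delivered, value in headers.items():
        if delivered.lower() == name.lower():
            return delivered, value
    return None, None


def diagnose_sso_header(headers: Dict[str, str], expected: str = EXPECTED_HEADER) -> dict:
    """Report whether the SSO header reached this hop and under which spelling.

    'case-mismatch' is the situation from the post: the header is present, but a
    case-sensitive lookup for the expected spelling would not find it."""
    delivered, value = find_header(headers, expected)
    if delivered is None:
        return {"status": "missing", "lookup_name": None, "value": None}
    if not value.strip():
        return {"status": "empty", "lookup_name": delivered, "value": value}
    status = "ok" if delivered == expected else "case-mismatch"
    return {"status": status, "lookup_name": delivered, "value": value}


class HeaderDumpHandler(BaseHTTPRequestHandler):
    """Debug backend (constructed helper, not part of PeopleSoft): put it behind the
    proxy in place of the PIA to see exactly which header names and values arrive."""

    def do_GET(self):
        headers = {k: v for k, v in self.headers.items()}
        report = diagnose_sso_header(headers)
        body = "\n".join(f"{k}: {v}" for k, v in headers.items())
        body += f"\n\nSSO header check: {report}\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))


if __name__ == "__main__":
    print(diagnose_sso_header(SAMPLE_HEADERS))
    # Loopback only: the reverse proxy on the same host forwards to it (port assumed).
    HTTPServer(("127.0.0.1", 8081), HeaderDumpHandler).serve_forever()
```

With `SAMPLE_HEADERS` the report is `case-mismatch` with `lookup_name` `ps_sso_uid`, which is the spelling the Signon PeopleCode lookup has to use; a `missing` result points at the proxy or WebGate configuration rather than at PeopleCode.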