WATCH: Oracle Access Manager(OAM) 11g R2 PS3 Impersonation Demo

Oracle Access Manager 11g R2 PS3 Impersonation Demo

Pre-requisites:

1. OAM 11g R2 PS3 environment is up and running with OUD as user store & protected sample resource called “spokuri.html” with LDAPSchema
2. Enabled Impersonation in OAM & Extend OAM LDAP schema into OUD directory server
3. Created user “kpokuri”(Impersonatee) with “orclIDXPerson” object class in OUD
4. Created user “spokuri”(Impersonator) in OUD
5. Added an attribute “orclImpersonationGrantee” to “kpokuri” and value as “8c69d7465afc406a947669204ad88ecf|20100324163000Z|20180524172000Z”

Description: orclImpersonationGrantee attribute value has 3 parameters separated by pipe “|”.

1.     Impersonator orclguid. In this case, it’s “spokuri” user orclguid.

2.     Impersonation start date

3.     Impersonation end date

Demo Video: 

Test Case:

1. Access OAM LDAP Schema protected resource http://pokuri.demo.com:7777/spokuri.html
2. Enter impersonator credentials spokuri/<<password>>
3. Open a new tab and access http://pokuri.demo.com:14100/oam/server/impersonate/start?userid=kpokuri&success_url=http://pokuri.demo.com:7777/kpokuri.html&failure_url=http://pokuri.demo.com:7777/error.html
4. When prompted enter impersonator password again
5. Up on successful impersonation to user “kpokuri” new session will be created in OAM for user “kpokuri”.
6. Check the “kpokuri” user session in OAM admin console “session management” and notice that impersonation field will be “true”.

Hope this helps some one out there!!

-- Siva Pokuri.

Extend OAM 11g Password Policy Schema into OUD and Test Force Change password scenario

Steps:

1. Login into OUD Server
2. Navigate to /home/oracle/Oracle/Middleware_OUD/asinst_1/OUD/bin
3. Execute below command

./ldapmodify -h pokuri.demo.com -D "cn=Directory Manager" -w Abcd1234 -p 10389 -f /opt/oracle/Oracle/Middleware_OAM/Oracle_IDM1/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif –v

Note:

- OAM & OUD installed in same machine.

- “OUD_PWDPersonSchema.ldif” is the schema file which will come by default with OAM product

Success Message:

4. Login to ODSM console and validate extended schema.

5. Add “oblixorgperson” & “oblixPersonPwdPolicy” object classes to user entry

6. Login to OAM console and click on “Authentication Modules”

7. Search and click on “Password Policy Validation Module”

8. Update Steps as shown below and click on “Apply”

User Identification Step  

   KEY_IDENTITY_STORE_REF - OUD

   KEY_SEARCH_BASE_URL - ou=People,dc=demo,dc=com

User Authentication step

   KEY_IDENTITY_STORE_REF - OUD

   KEY_PROP_AUTHN_EXCEPTION - true

User Password status Step

   PLUGIN_EXECUTION_MODE - PSWDONLY

   KEY_IDENTITY_STORE_REF - OUD

   URL_ACTION - REDIRECT_POST

   NEW_USERPSWD_BEHAVIOR - FORCECHANGEPASSWORD

   POLICY_SCHEMA - OAM10G

   CHALLENGES_SUPPORTED – FALSE

   DISABLED_STATUS_SUPPORT - TRUE

     9. Now add “PasswordPolicyValidationSchema” in Application Domain

     10. Restart OAM Service

Testing

1. Add “obpasswordchangeflag” and add value as “true” which will force the user to change password as soon as user tries to access the OAM protected resource.

2. Access Protected Resource http://pokuri.demo.com:7777/ and enter user credentials

3. Enter current and new passwords

4. Password Reset Success Screen and click on “Continue” to land in application welcome page

5. Now check LDAP attribute for change password flag. It will be updated to “false”

Hope this helps some one out there!!

-- Siva Pokuri.