Wednesday, December 26, 2012

OIM 11g R2 UI Customization Tips and Tricks


OIM 11g R2 has finally given OIM developers the means to implement very sophisticated, functionally rich customizations of the out-of-the-box OIM user interface; and the best part is that all of these customizations are transparent to patching and upgrades, meaning that when the OIM installation is upgraded or patched the customizations do not have to be re-applied. Everything is stored in the metadata repository (MDS) and applied on top of the standard user interface. This article presents a few techniques for implementing customizations that go a little beyond the capabilities of Web Composer but still stay within the scope of OIM's MDS. Each technique is presented in the context of a use case addressed by a customization implemented with that technique.

On a recent post by Daniel Gralewski, there was a very nice customization for the Catalog. The purpose of such customization was to filter the resources already provisioned to a user from the results of a catalog search. In a follow up question, one of our readers asked if the search screen could be customized to add a drop down box that can be used to trigger a predefined search, like a catalog search based on role category.

So I thought that would be a nice use case to start with; here is what I envisioned, based on certain requirements from an actual customer I am helping at the present time.

Wednesday, December 19, 2012

More on Upstart

I did a couple of blog posts on Upstart - introducing it in my post Starting and stopping WebLogic automatically using Upstart and doing the same for OID.

I pointed a couple of people at those posts and they told me they wanted more. More explanation, more clarity, and more about how to use Upstart to boot the entire environment.

So in this post I'm going to show how to use Upstart to start the Oracle database, then (once the database is started) start OID and OVD, and only then start OAM and the other WebLogic services.

The first thing I did was convert my Oracle database startup from a SysV-style init script to Upstart. Colm Divilly did the heavy lifting for me and blogged his config file for Ubuntu. I took that and tweaked it for OEL.
This goes in /etc/init/oracledb.conf:

description  "Oracle Database"

# Based on blog post at

# The location of the Oracle install
env ORACLE_HOME=/home/oracle/database/product/11.2.0/dbhome_1
# The user to execute Oracle as
env ORACLE=oracle

start on runlevel [2345]
stop on runlevel [016]

expect fork

pre-start script
    logger "Starting Oracle DB"
    su - $ORACLE -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
end script

post-stop script
    logger "Stopping Oracle DB"
    su - $ORACLE -c "$ORACLE_HOME/bin/dbshut $ORACLE_HOME"
end script

Then /etc/init/oid.conf for OID, OVD and the WebLogic server where I run ODSM:

start on started oracledb
stop on stopping oracledb

# This is good for debugging purposes but it's a bad idea to leave
# this on long term.
#console output

# this starts OPMN, OID and OVD
pre-start script
    logger "pre-start for OID/OVD"
    /bin/su - oracle -c "/home/oracle/middleware/asinst_1/bin/opmnctl startall"
    logger "pre-start for OID/OVD complete"
end script

# and this stops them
post-stop script
    logger "post-stop for OID/OVD"
    /bin/su - oracle -c "/home/oracle/middleware/asinst_1/bin/opmnctl stopall"
    logger "pre-stop for OID/OVD complete"
end script

# this is the AdminServer only:
exec /bin/su - oracle -- /home/oracle/middleware/user_projects/domains/IDMDomain/bin/

The important thing there is the "start on started oracledb" stanza. What that says in English is much as you would expect - "start this once the 'oracledb' service is started". The "stop on" does the same for when the database is being stopped; which will cause Upstart to stop OID and OVD before it tries to stop the database.

Upstart works out the dependencies automatically, so there is no need to worry about init-script sequence numbers or about polling the database via sqlplus or tnsping before starting the dependent services.
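As an added example (not code from the post), here is a small Python checker that reads a set of Upstart job files modelled on the ones above, derives the boot order from the "start on started" stanzas, verifies that each dependent job also carries the matching "stop on stopping" stanza so it is stopped before its dependency, and flags jobs whose exec line never drops from root via su. The job texts, the "agent" job and all paths are constructed placeholders.

```python
"""Audit a set of Upstart job files: boot/shutdown order and privilege drop."""
import re
from collections import defaultdict, deque

# Constructed job files modelled on the configs in the post. Paths are placeholders.
JOBS = {
    "oracledb": """
env ORACLE_HOME=/PLACEHOLDER/dbhome_1
env ORACLE=oracle
start on runlevel [2345]
pre-start script
    su - $ORACLE -c "$ORACLE_HOME/bin/dbstart $ORACLE_HOME"
end script
""",
    "oid": """
start on started oracledb
stop on stopping oracledb
pre-start script
    /bin/su - oracle -c "/PLACEHOLDER/asinst_1/bin/opmnctl startall"
end script
exec /bin/su - oracle -- /PLACEHOLDER/IDMDomain/bin/start.sh
""",
    "oamserver": """
start on started oracledb
stop on stopping oracledb
exec /bin/su - oracle -- /PLACEHOLDER/IAMDomain/bin/start.sh
""",
    # Deliberately flawed constructed job: no matching 'stop on', exec runs as root.
    "agent": """
start on started oid
exec /PLACEHOLDER/bin/agent
""",
}

START_RE = re.compile(r"^\s*start on started (\S+)", re.M)
STOP_RE = re.compile(r"^\s*stop on stopping (\S+)", re.M)
ENV_RE = re.compile(r"^\s*env\s+(\w+)=(\S+)", re.M)
EXEC_RE = re.compile(r"^\s*exec\s+(.*)$", re.M)
SU_RE = re.compile(r"\bsu\s+-\s+(\S+)")


def parse_job(text):
    """Return the job's start/stop dependencies and the set of users it runs as."""
    env = dict(ENV_RE.findall(text))
    users = set()
    for m in SU_RE.finditer(text):
        user = m.group(1)
        if user.startswith("$"):            # e.g. 'su - $ORACLE', resolved via env stanzas
            user = env.get(user[1:], user)
        users.add(user)
    # An exec line that never goes through su runs as root (Upstart's default).
    if any("su " not in cmd for cmd in EXEC_RE.findall(text)):
        users.add("root")
    return {"after": START_RE.findall(text),
            "stop_before": STOP_RE.findall(text),
            "runs_as": users}


def boot_order(jobs):
    """Topological order of jobs (Kahn's algorithm); raises on unknown or cyclic deps."""
    parsed = {name: parse_job(text) for name, text in jobs.items()}
    indeg = {name: 0 for name in parsed}
    children = defaultdict(list)
    for name, job in parsed.items():
        for dep in job["after"]:
            if dep not in parsed:
                raise ValueError(f"{name}: starts on unknown job {dep}")
            children[dep].append(name)
            indeg[name] += 1
    ready = deque(sorted(n for n, d in indeg.items() if d == 0))
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for child in sorted(children[name]):
            indeg[child] -= 1
            if indeg[child] == 0:
                ready.append(child)
    if len(order) != len(parsed):
        raise ValueError("dependency cycle among: " + ", ".join(sorted(set(parsed) - set(order))))
    return order


def shutdown_order(jobs):
    """Jobs stop in reverse boot order: dependents before the jobs they depend on."""
    return list(reversed(boot_order(jobs)))


def audit(jobs):
    """Findings a reviewer would raise: missing 'stop on' stanzas and root execution."""
    findings = []
    for name, text in jobs.items():
        job = parse_job(text)
        for dep in job["after"]:
            if dep not in job["stop_before"]:
                findings.append(f"{name}: starts after {dep} but has no 'stop on stopping {dep}'")
        if "root" in job["runs_as"]:
            findings.append(f"{name}: exec runs as root (no 'su - <user>')")
    return findings


if __name__ == "__main__":
    print("boot order:    ", " -> ".join(boot_order(JOBS)))
    print("shutdown order:", " -> ".join(shutdown_order(JOBS)))
    for line in audit(JOBS):
        print("finding:", line)
```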

The Upstart config for the OAM server looks much the same:

start on started oracledb
stop on stopping oracledb

exec /bin/su - oracle -- /home/oracle/middleware/user_projects/domains/IAMDomain/bin/

Monday, December 17, 2012

OIM 11g Assets

Since the first 11g release, the OIM engineering and product management teams have been working hard on field enablement. As part of this work, they created a wonderful set of reusable OIM customization examples. These components are called 'OIM assets'.

Among these great assets, you can find examples of approval workflow, event handler, scheduled task, UI customization, and others.  They can be used as learning assets; and they can be easily modified and deployed to your OIM environment to address some common use cases. Another nice thing is that there are examples for the three major releases of OIM 11g:, and

They can be found at Oracle Technology Network on this page. Have fun!

Unsolicited login with OAM 11gR2

In a previous post Chris Johnson has discussed unsolicited login with OAM 11g.

In OAM 11gR2 this functionality is supported out of the box and with little effort you can implement Unsolicited Login.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

If you're interested in authenticating using an unsolicited POST, please read on…

Friday, December 14, 2012

My Silly (and common) Mistake with the OAM Mobile and Social SDK on iOS

I recently created an iOS application using the OAM Mobile and Social SDK for iOS and got an error in my debugger output window:

2012-12-05 19:06:38.038 PiggyBank[24799:1303] -[__NSCFString OMJSONValue]: unrecognized selector sent to instance 0xb2be000

This error appeared after the Application Profile was downloaded and I couldn't figure out what I had done wrong.

Turns out I'd forgotten one step after adding the SDK bits to the XCode project - I had forgotten to add the linker flags "-ObjC -all_load" under Build Settings.

To fix this click on the Project, then click the Target, then click the "Build Settings" tab and find the "Other Linker Flags" row. Edit it and add -ObjC -all_load to whatever's already there. Here's a screen shot:

Those flags are needed whenever a new message (method) is added to an existing class without subclassing it, which in Objective-C means a category. NSString itself has no OMJSONValue method; the M&S SDK adds one in a category and then sends OMJSONValue to NSString instances, so without those flags the linker drops the category from the static library and the call fails at runtime with the "unrecognized selector" error above.

Of course this is documented in a block marked "Important:" but I missed it and I'm guessing if you found this blog post via Google you did too!

Wednesday, December 12, 2012

Password Policy in OAM 11g R2

One of the features in the new 11G R2 (or 11.1.2) release of Oracle Access Manager that's been most eagerly anticipated is the support for password policy within the OAM product; that is, the ability for OAM itself to support a subset of password management processes without the need to use Oracle Identity Manager and LDAP Sync. In this post, I'd like to explore this functionality in a little more detail and also explore exactly which use cases are supported.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Tuesday, December 4, 2012

Starting OID 11g with Upstart

If you read my post on Upstart a while ago you know that I'm a fan of Upstart.

But I hadn't sat down to redo my old (and crummy) OID/OVD start scripts to use Upstart until this week partly because "if it ain't broke don't fix it" but partly because who the heck has time?!

This week I needed to create a new environment to put together a demo of the Mobile side of OAM Mobile and Social and thought I'd take a few minutes to fix that. It didn't take all that long.

Here's my /etc/init/oid.conf:

start on runlevel [345]

# This is good for debugging purposes but it's a bad idea to leave
# this on long term.
#console output

# this starts OPMN, OID and OVD
pre-start script
    /bin/su - oracle -c "/home/oracle/middleware/asinst_1/bin/opmnctl startall"
end script

# and this stops them
post-stop script
    /bin/su - oracle -c "/home/oracle/middleware/asinst_1/bin/opmnctl stopall"
end script

# note that I'm only starting the AdminServer here
exec /bin/su - oracle -- /home/oracle/middleware/user_projects/domains/IDMDomain/bin/

Note: Because this is a little test environment and I want to keep the memory down and don't need DIP or a bunch of other stuff, I simply moved ODSM from wls_ods1 to the Admin Server. That lets me run OID and ODSM without needing to start the wls_ods1 managed server.

Wednesday, November 28, 2012

Protecting Intranet and Extranet Applications with a Single OAM 11g Deployment

I frequently get asked how to set up a single OAM deployment to protect both intranet and extranet apps. Today I'd like to explore the issues and solutions around such a setup.

This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Wednesday, November 14, 2012

X509 Fallback to Form

OAM 11G does not provide an out-of-the-box solution for falling back to FORM authentication if an X.509 certificate is not available or if the certificate is not accepted by the user. I have seen this requirement coming from customers and found a solution after brainstorming with my colleagues (special thanks to Chris Johnson and Brian Eidelman). The solution is not very difficult, though it needs some additional configuration and coding.

It should be noted that this solution is not for the use case where the user's authentication is rejected by OAM due to an invalid certificate and the user then needs to fall back to a FORM for another authentication attempt.

Thursday, November 8, 2012

Converting SSL certificate generated by a 3rd party to an Oracle Wallet

Recently a customer asked me how to import his private key and certificate into an Oracle HTTP Server Wallet. The customer had generated a CSR outside the OHS Wallet Manager, using OpenSSL, and sent it to a CA to get his certificates issued. Unfortunately, the Wallet Manager only allows you to import certificates that were issued for a CSR generated by the Wallet itself. Despite this minor limitation, there is a workaround to get your private key, certificate and CA trusted certificate chain into an Oracle Wallet. This post explains the simple steps to achieve this, with a little help from OpenSSL.

Monday, November 5, 2012


Over the past few weeks I've been involved in several performance tuning exercises involving OAM and OVD.  I thought it would be helpful if I created a post sharing the process I use to analyse and improve performance in OVD and OAM.

Tuesday, October 30, 2012

Eating our own dog food – Oracle’s internal deployment of Oracle IDM

A good podcast was just released covering Oracle’s own internal deployment of Oracle IDM; more specifically OAM and OID.

This was a big project that involved migrating a bunch of critical, high volume applications to leverage OAM and OID. I mostly approve of what was done and how it was done. So I suggest you tune in to see and hear more about how we deploy our own software.

Oracle's plans to leverage OIM internally are also discussed.

Podcast: Oracle on Oracle – How Oracle IT uses Oracle IDM
Slidecast: How Oracle uses Identity Management

Tuesday, October 9, 2012

Maximum Availability Whitepaper for IDM 11gR2

The Enterprise Deployment Guide (EDG) is a great resource to familiarize yourself with the Oracle recommended approach to deploying highly available infrastructure using Oracle's Fusion Middleware products.

As of today, the current EDG documentation supports the R1 release.  The R2 release will be out in a few months.  

However, there is a Maximum Availability Architecture white paper that describes in detail how to configure OAM, OIM and LDAP for maximum/high availability.

The first section of this white paper is a good overview of the design topology for a robust infrastructure.  The later part gets into more detail of actually installing and configuring the system.  No matter where you are in your implementation cycle, this white paper will help you prepare for your installation/configuration.

If you are planning on integrating OAM and OIM for R2, please use the Maximum Availability white paper link below.

Identity Management 11.1.2 Enterprise Deployment Blueprint

Happy Reading!

Monday, October 8, 2012

OAM and OIM 11g Academies

As many of you know, last year we created indexes of posts on OAM and OIM 11g R2 that we call OAM 11g Academy and OIM 11g Academy.

These indexes contain the articles we’ve written that we believe provide long lasting guidance on OAM and OIM.  Posts covered in these series include articles on key aspects of OAM and OIM 11g, best practice architectural guidance, integrations, and customizations.

It is our hope that these series will prove valuable to new and experienced architects, implementers, and administrators of OAM and OIM.

Thursday, October 4, 2012

Patch Management of an Oracle Identity Management Deployment

Today I’d like to discuss a very important topic which is patch management in an Oracle IDM/IAM deployment.  Patching seems like a pretty basic topic.  It is often taken for granted.  However, experience has shown me that patching is a frequent source of confusion for many enterprise software customers including those deploying the Oracle Identity Management  stack.

So, I thought I’d address some common questions / topics related to patching so that people have a better understanding of what patches to apply to their environments and when to apply them. 

This post is a part of both the OAM 11g academy and OIM 11g academy series.

Tuesday, October 2, 2012

Detached Credential Collector Configuration - OAM 11GR2

Detached Credential Collector (DCC) was introduced in the OAM 11GR2 release, and the documentation,, explains in detail how to deploy it in various architecture scenarios.
In addition to the documentation, this blog post will help clarify the configuration steps.

Monday, October 1, 2012

OAM-OIM Integration Note for 11GR2

Recently, while integrating Oracle Access Manager (OAM) and Oracle Identity Manager (OIM) 11g Release 2, I found some issues which I want to highlight in this post.

Friday, September 28, 2012

Oracle OpenWorld 2012 is almost here

As I'm sure you're all aware OpenWorld is almost upon us. I haven't been since 2009 so I'm pretty excited to be able to go this year.

For those of you going a couple of items of interest:

There's a Meet and Greet with the Identity Management Team on Wednesday afternoon so if you're around please stop by.

My Hands On Lab (HOL10478) on Monday afternoon at the Marriott is currently fully booked but the weather looks like it's going to be amazing. If you haven't been able to get in you might want to try just showing up and see if anyone blows it off. If you're desperate to get in for some crazy reason send me an email or leave a comment here and I'll see if I can convince the room monitor to let a few extra people in.

There are a bunch of interesting sessions on the IdM track this year and unless I have booth duty or a meeting you'll probably find me sitting in the back of most of those sessions. If you see me please say hi.

See you at OpenWorld!

Virtual Directory Performance Tuning Guidelines

In its simplest possible deployment, a virtual directory has a listener, a server component and an adapter that talks to a backend target. In such a deployment, the virtual directory only plays the role of a proxy that receives a request, forwards it to the target and sends the target's response back to the client.

In such a deployment, one can still encounter performance issues if OVD isn’t tuned adequately.

Wednesday, September 26, 2012

Front-ending a SAML Service Provider with OHS

This is a follow-up to one of my previous posts titled Integrating OBIEE 11g into Weblogic’s SAML SSO, where I mention the following when configuring the Service Provider:

The Published Site URL field value is the base URL for federation services on the server. For SAML2, make sure the webcontext path is saml2. This is going to be used in the metadata file as the prefix to build the ACS (Assertion Consumer Service) endpoint necessary for allowing an Identity Provider to properly communicate with this Service Provider.

When OBIEE managed servers are in a cluster, there’s typically an HTTP load balancer in front of the servers. In such case, make sure the Published Site URL refers to the name and port of the load balancer, because they are the ones the IdP needs to know.

In this post, I assume there's an OHS (Oracle HTTP Server) proxying requests to the OBIEE analytics application, which is a fairly common production scenario. Let's take a look at the configuration changes necessary to make it work.

Tuesday, September 25, 2012

Attaching OWSM policies to JRF-based web services clients

I recently came across a question in one of our internal mailing lists where a person was under the impression that he would have to write code to propagate the identity when making a web service call using OWSM policies. My answer was something like: "depending on the type of your client you may have to write a very small piece of code to attach a policy, but you should not have to write code at all to either retrieve the executing client identity or to do the propagation itself". Fortunately, I had an unpublished article that applied 100% to his use case. And here it is now (a little bit revamped).

OWSM (Oracle Web Services Manager) is Oracle's recommended method for securing SOAP web services. It provides agents that encapsulate the necessary logic to interact with the underlying software stack on both service and client sides. Such agents have their behavior driven by policies. OWSM ships with a bunch of policies that are adequate to most common real world scenarios.

Applying policies to services and clients is usually a straightforward task and can be accomplished in different ways. This is well described in the OWSM Administrators Guide. Looking from the client perspective, the docs describe how to attach policies to SOA references, connection-based clients (typically ADF-based clients) and standard Java EE-based clients using either Enterprise Manager or wlst.

Oracle FMW components (like OWSM agents) are typically deployed on top of a thin software layer called JRF (Java Required Files), providing for the required interoperability with software stacks from different vendors.

This post is a step-by-step guide showing how to code a JRF-based client and attach OWSM policies to it at development time using Oracle JDeveloper.

Friday, September 21, 2012

OIM-OAM-OAAM integration using TAP

I was going to make a test post just to test our RSS feed.  However, Atul Kumar published a good introductory post today on OAM-OAAM-OIM integration.  So I figured that I would share that with you today and suggest it as a little light weekend reading.

You can find Atul's post here.

Wednesday, September 19, 2012

OIM 11g R2 Catalog Customization Example

This post shows how the OIM catalog can be customized using OIM UI capabilities such as managed beans and EL expressions. The post first describes the use case and the solution that addresses it; then it describes the solution details and provides links to the artifacts.

In order to have a better understanding of the customization described in this post, one should read the posts about the catalog and about the OIM UI customization.

Tuesday, September 18, 2012

OIM 11g R2 UI customization

OIM 11g R2's new user interface is probably one of the most anticipated new features of this release. The main reason for that is the great customization capability provided by the underlying technologies: Oracle ADF and Oracle WebCenter Composer.

OIM user interface customizations are easier now, and they 'survive' patch applications (there is no need to reapply them after patching). Adding new artifacts, new skins, and 'plugging' code directly into the user interface components became an easier task.

This post introduces some of the customization related concepts provided by the new OIM user interface.

Monday, September 17, 2012

Creating your first OAM 11g R2 domain

So you downloaded the Identity Management R2 release bits, spun up your little test environment and created a WebLogic domain. But the first time you sign in you get the error message "The policy store is not available; please see the log file for more details." in a pop up, like this:

The logs aren't particularly helpful:
####<Sep 13, 2012 6:19:42 PM EDT> <Error> <oracle.oam.engine.policy> <> <AdminServer> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <e3b75e49ebb52881:-4d179e40:139c1939ab6:-8000-00000000000005a3> <1347574782661> <BEA-000000> <The policy store is not available; please see the log file for more details. OAMSSA-06252: The policy store is not available; please see the log file for more details.
And in the -diagnostic log:
[2012-09-13T18:19:42.364-04:00] [AdminServer] [NOTIFICATION] [] [oracle.adfdt.model.mds.MDSApplicationService] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: weblogic] [ecid: e3b75e49ebb52881:-4d179e40:139c1939ab6:-8000-00000000000005a3,0] [APP: oam_admin#] [[
oracle.mds.exception.ReadOnlyStoreException: MDS-01273: The operation on the resource /oracle/oam/ui/adfm/DataBindings.cpx failed because source metadata store mapped to the namespace / DEFAULT is read only.
        at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(
        at oracle.mds.core.MDSSession.checkAndSetWriteStoreInUse(
        at oracle.mds.core.MDSSession.getMutableMO(
        at oracle.mds.core.MDSSession.getMutableMO(
        at oracle.mds.core.MDSSession.getMutableMO(
        at oracle.adfdt.model.mds.MDSApplicationService.findApplication(
        at oracle.adfdt.model.mds.MDSModelDesignTimeContext.initServices(
        at oracle.adfdt.model.mds.MDSModelDesignTimeContext.<init>(
        at oracle.adfdt.mds.MDSDesignTimeContext.<init>(

What did you do wrong?!

Thursday, September 13, 2012

Starting and stopping WebLogic automatically using Upstart

I've been using Unix and Linux a while. Like a while while. So long ago that the first time I installed Linux it was by floppy disk. I'm not telling you that to brag, or to imply that I'm old. I say that to give you a sense of how exciting this change is for an old hat.

In the olden days when you wanted to start a program when the machine booted there were a bunch of options. You could put it in /etc/inittab and let init handle it for you; but there were a bunch of problems with that. In recent vintages of Linux we have Sys-V (pronounced System Five) style init scripts where you'd write a shell script that took a command line option "start" or "stop" and started or stopped the service, then put that script in /etc/rc3.d with a name like S99myservice. Or better yet you'd tuck it into /etc/init.d and then symlink it to the right name in /etc/rc3.d (for example). If you were reasonably smart you'd put a "chkconfig" stanza at the top and let chkconfig do the symlinking for you. You still needed to write that script, which basically meant a bunch of copy/pasting the same thing over and over. And you needed to make sure the process ran "in the background", which led to lots of people using the "&" in really awful ways that made me feel dirty to see.

But I'm here to tell you that while that's all well and good, and you can still do that if you want, under Oracle or RedHat Linux 6 you no longer have to.

In Ubuntu, RedHat and Oracle Linux there's a new flavor of init called Upstart that all the kids are using and it's the new hotness when it comes to making programs into daemons and wiring them to start and stop at appropriate times.

After using it for a little bit I think I might be in love. It is a pleasure to use compared to the (now) old way.

Say you want to start Node Manager every time the machine boots. To do that you just create a file named /etc/init/nodemanager.conf in the /etc/init directory and put this in it:

start on runlevel [345]
exec /bin/su - oracle -- /home/oracle/Oracle/Middleware/wlserver_10.3/server/bin/
Replace oracle with whichever user you run the stuff as and adjust the path as needed for your particular environment.

Want to start the OAM Admin and Managed servers on boot?

Create a file named /etc/init/oamadminserver.conf:

start on runlevel [345]
exec /bin/su - oracle -- /home/oracle/Oracle/Middleware/user_projects/domains/OAMDomain/bin/
And /etc/init/oamserver1.conf:

start on runlevel [345]
exec /bin/su - oracle -- /home/oracle/Oracle/Middleware/user_projects/domains/OAMDomain/bin/ oam_server1

Reboot the machine and the OAM AdminServer and the Managed Server will come up automatically.

Want to start, check the status of, or stop the service? It's super simple:

[root@r2d2 init]# start oamserver1
oamserver1 start/running, process 5573
[root@r2d2 init]# status oamserver1
oamserver1 start/running, process 5573
[root@r2d2 init]# stop oamserver1
oamserver1 stop/waiting
And this is just scratching the surface of what you can do with Upstart.

You've got to try it out!

Wednesday, September 12, 2012

Oracle IAM 11g R2 docs are now available

The docs for the OAM 11g R2 release are now up and available either online at or as a download via eDelivery.

To get your very own copy from eDelivery:

  1. Go to
  2. Sign in
  3. Pick "Oracle Fusion Middleware" as the Product Pack
  4. Pick Linux x86-64 as the Platform (or pick Windows if that's your thing!)
  5. Hit Go

You should get a list that includes "Oracle Fusion Middleware Identity Management 11g R2 Media Pack":

Click that and scroll down to the bottom and you'll see the doc set:

One of the great things about the new doc set is the inclusion of ePub files. This means that if you have an iPad you can load up the doc library onto that and read the docs on the couch. Or on a plane. Or on the throne! (Just don't lend me your iPad afterwards please!)

You can pull the ePubs out of the zip directly or you can get them by opening the library's index, picking one of the docs inside and then looking in the upper right hand corner:


Tuesday, September 11, 2012

OIM 11g R2 Catalog

The Catalog is one of the most talked-about new features in OIM 11g R2. It introduces a new way to search for items and to create access requests, and it also introduces the 'shopping cart' experience.

The request process was drastically simplified with the Catalog. Whereas in OIM 11g R1 users had to go through a multi-step wizard to create a request, in OIM 11g R2 the work is done in two pages: the catalog search and the shopping cart summary.

Friday, September 7, 2012

Identity and Access Management at Oracle Open World 2012

Oracle Open World 2012 is fast approaching. This year Open World will run September 30 – October 4th.

As usual, there will be lots of great Identity and Access Management events and activities to participate in.

There is a dynamically updated document entitled Focus On: Identity Management which highlights all the Identity Management related sessions, events, and activities.

That being said, there are three events that I’d like to highlight.

1) It almost goes without saying that the highlight of Open World (yes, even more than Larry's keynote or all the cool concerts they are throwing) will be the hands-on lab run by our very own Chris Johnson on Complete Access Management. The schedule says that Chris's lab will be on Monday Oct 1, 1:45 @ Marriott Marquis. There are people who would give their right arms for a chance to interact in person with Chris on the latest trends and best practices in Access Management. So, do not miss out on this opportunity.

2) Amit Jasuja, Senior Vice President, Oracle Identity Management and Security will be giving a session entitled Trends in Identity Management. This session focuses on how the latest release of Oracle Identity Management addresses emerging identity management requirements for mobile, social, and cloud computing and reduces TCO for organizations. Amit is a great guy, a great speaker, and a visionary in IDM and middleware security in general. So, I recommend that you definitely attend this event. Amit’s session will be on Monday Oct 1, 10:45AM @ Moscone West L3, Room 3003.

3) There is another hands-on lab led by Javed Beg on Integrated Identity Governance. The schedule says that this lab will be on Thursday, Oct 4, 12:45 @ Marriott Marquis. These hands-on IDM labs should be some of the most instructive and informative events at OOW and Javed is a seasoned expert in the space. So, I encourage you to attend.

Wednesday, August 22, 2012

OIM 11g R2 & X.509 authentication

OIM 11g R2 is out! This release brings a lot of new features and also improvements to existing features.

OIM authentication providers are among the features that were improved. The improvements make it easier to integrate OIM with SSO solutions (both SSO products and custom SSO solutions).

The integration with OpenSSO is documented here. The integration with OAM is still a powerful solution for SSO and password management and it is documented here.

The improvements also bring support for X.509-based user authentication. In the previous 11g release, one would need to leverage an SSO solution like OAM to do such authentication. In R2, X.509 authentication can be configured directly in WebLogic. This post describes how to configure this authentication.

Friday, August 10, 2012

Simplifying OIM 11g (Chapter Two)


This is the second article in a series of posts with the common goal of providing customers with ideas and techniques that can be used to simplify the use of advanced features of OIM 11g. In Chapter One of this series, we described the components of a framework that would allow users at all levels to configure OIM 11g features like Provisioning and Approval Processes, Approval Routing Functions and Custom User Input Forms. In this second article I will start talking about a reference implementation of the components of the framework described in Chapter One.


The components that will be covered in this article are:
- User Input Forms for OIM user creation and resource requests
- Approval Flow Design Interface
- Approval Flow Execution Agent Service

These components make up the part of the framework that takes care of provisioning, including the specification of the approval flows that will be executed by the custom composite application described in Chapter One. That composite will serve as the approval process for the Self Assign Roles request template, which is available out of the box and does not need additional dataset configuration or importing into MDS.

Foundation Components

Before delving into the details of the higher level components, there are some elements that we need to put in place to support their implementation. So, we will start by defining the infrastructure elements needed as a foundation for the implementation:
- Database Tables:
  - Multi-valued User Profile Attributes: OIM_EXT_MV_UPATTR
  - Approval Flow Definitions: OIM_EXT_APPR_FLOW_DEF
  - Custom User Input Forms: OIM_EXT_CUSTOM_FORMS_DEF
- Web Services:
  - Approval Flow Execution Service
  - Database Persistence Services
- OIM Custom Adapters:
  - OIM Multi Valued Pre-Populate Adapters

Once these components are created (we will discuss the structure of each one of them), the higher level components can be implemented. These include the following:
- Approval Flow Design UI
- Custom User Input Form Design UI
- Custom User Input Form Rendering and Execution engine

While the goal here is to describe a reference implementation of the framework, it is just that: a high level description of the architecture, the elements that need to be built, and the responsibilities of each element/component. The audience can take these descriptions and come up with their own actual implementation. Since this is a framework, once it is built it can be reused and evolved over time to meet more specialized requirements.

Foundation Components Specification

Now I will start discussing the design and specification of the Foundation Components listed in the previous section.

Database Tables

This section describes the schema of the tables that will support the functionality of the provisioning components of the framework.
OIM_EXT_MV_UPATTR

Description: This table stores the values of multi-valued attributes of OIM user profiles. It extends the USR table so that user-defined attributes can be multi-valued.

Columns (the original table also listed the type and length of each column):
  • The login ID of the user whose profile contains the multi-value attribute.
  • The value that links the values of an attribute to the specific user profile.
  • The name of the field. This is the same value as the FIELD_ID column of table OIM_EXT_CUSTOM_FORMS_DEF described later.
  • The index of the value within the attribute's list of values. This is also part of the primary key.
  • An individual value in the sequence of values for the multi-value attribute.
  • The number of characters allowed in the field values.
  • The name of the Resource Object whose process form contains a child table that holds the values for this multi-value attribute. This field may be NULL if the multi-value attribute is not associated with any Resource Object.
  • The name of the child table where the attribute values will be stored.

OIM_EXT_APPR_FLOW_DEF

Description: This table stores the definitions of approval flows. The data these processes require is essentially the login IDs of the users that should receive requests for approval. The structure of the table supports sequential approvals, parallel approvals and escalations.

Columns (the original table also listed the type and length of each column):
  • A unique ID for the process.
  • The sequence number of the approval route within the approval flow.
  • Either a single login ID or a comma separated list of login IDs: the approvers that will receive the request in the way determined by the ROUTING_TYPE.
  • The type of routing for the request. Valid values are SEQUENTIAL or PARALLEL.
  • The time the approver has to process the request before it is escalated. The value is formatted according to the W3C notation for durations, for example P1D (escalate after one day with no response to the task). If NO-LIMIT is specified, the escalation policy is set to P365D (one year).
  • The login ID of the user the request will be escalated to.
  • Whether this approver's response terminates the approval flow immediately. Legal values are 'Yes' and 'No'.

OIM_EXT_CUSTOM_FORMS_DEF

Description: This table contains the definitions of custom user input forms that are customizable via XSL style sheets. The contents of this table will be generated through a GUI created for this purpose.

Columns (the original table also listed the type and length of each column):
  • A unique ID for the form.
  • A unique ID for a form field (FIELD_ID).
  • The HTML control that will be used to input the value of the field.
  • A flag that indicates whether the field is multi-valued or single-valued. Allowed values are 'Yes' and 'No'.

Web Services

In this section I describe the functionality provided by the two web services that are part of the framework's implementation. Let me start by explaining why web services are included in the picture. In OIM 11g, all operations associated with Approvals are carried out through Oracle's SOA Suite, and Web Services are among the components most naturally included in the SOA Composite applications that represent Approval Processes in OIM 11g. So leaving Web Services out would make no sense at all. The other reason for emphasizing this point is to discourage the use of embedded Java in SOA composites, especially when the implementation assumes that requests may sit unapproved for weeks at a time; I have come across customers that used OIM APIs in Embedded Java Tasks and experienced PermGen issues on the SOA Server.
Approval Flow Execution Web Service
This web service provides the functionality of executing approval flows. Basically all it does is return the next approver in line for a multi-approver request flow. The web service output includes the following:
  • Single Approver in turn
  • List of Approvers in a parallel flow
  • Approver for escalated request
The nextApprover value returned by this web service call is placed in the owner field of the human task for the next approval. The web service also returns the status of the approval flow to determine whether further routing must take place or the end of the approval flow has been reached. The composite will evaluate all these values to determine the appropriate flow.
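The routing decision the composite depends on, written here as an added Python simulation (not the post's web service) of the Approval Flow Execution Service driven by rows of OIM_EXT_APPR_FLOW_DEF. The routing types, the W3C duration format and the NO-LIMIT to P365D rule come from the table description above; the field names, the status values and the sample flow are assumptions.

```python
import re
from dataclasses import dataclass

NO_LIMIT_POLICY = "P365D"  # post: NO-LIMIT becomes a one-year escalation policy
DURATION_RE = re.compile(r"P(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(\d+H)?(\d+M)?(\d+S)?)?")

@dataclass(frozen=True)
class ApprovalRoute:  # one row of OIM_EXT_APPR_FLOW_DEF; field names are hypothetical
    flow_id: str
    sequence: int
    approvers: str         # single login or comma separated list of logins
    routing_type: str      # SEQUENTIAL or PARALLEL
    escalation_after: str  # W3C duration such as P1D, or NO-LIMIT
    escalate_to: str       # login the task is escalated to on timeout
    terminates_flow: str   # 'Yes' or 'No'

def parse_approvers(value: str) -> list:
    return [a.strip() for a in value.split(",") if a.strip()]

def escalation_policy(value: str) -> str:
    """Map the stored duration to the escalation policy the human task gets."""
    if value.strip().upper() == "NO-LIMIT":
        return NO_LIMIT_POLICY
    if not DURATION_RE.fullmatch(value) or value == "P" or value.endswith("T"):
        raise ValueError(f"not a W3C duration: {value!r}")
    return value

def next_approver(rows: list, flow_id: str, completed=None, decision="APPROVE") -> dict:
    """Owner(s) of the next human task plus the flow status; completed is
    (sequence, position) of the task just answered, or None at the start.
    position walks a SEQUENTIAL list one login at a time; PARALLEL is one task."""
    routes = sorted((r for r in rows if r.flow_id == flow_id), key=lambda r: r.sequence)
    if not routes:
        raise ValueError(f"unknown flow {flow_id!r}")
    idx, pos = 0, 0
    if completed is not None:
        if decision.upper() != "APPROVE":
            return {"status": "REJECTED"}  # any rejection ends the flow
        idx = next(i for i, r in enumerate(routes) if r.sequence == completed[0])
        done = routes[idx]
        if done.terminates_flow.lower() == "yes":
            return {"status": "COMPLETE"}  # this approver's answer ends the flow at once
        more = (done.routing_type == "SEQUENTIAL"
                and completed[1] + 1 < len(parse_approvers(done.approvers)))
        idx, pos = (idx, completed[1] + 1) if more else (idx + 1, 0)
    if idx >= len(routes):
        return {"status": "COMPLETE"}  # no routes left: approval flow finished
    route = routes[idx]
    logins = parse_approvers(route.approvers)
    owners = logins if route.routing_type == "PARALLEL" else [logins[pos]]
    return {"status": "ROUTE", "sequence": route.sequence, "position": pos,
            "nextApprover": owners, "escalateTo": route.escalate_to,
            "escalationAfter": escalation_policy(route.escalation_after)}

SAMPLE_FLOW = [  # constructed: a manager, then two parallel owners, then two auditors in turn
    ApprovalRoute("FLOW-1", 1, "manager1", "SEQUENTIAL", "P1D", "mgr.backup", "No"),
    ApprovalRoute("FLOW-1", 2, "sec.admin, app.owner", "PARALLEL", "NO-LIMIT", "ciso", "No"),
    ApprovalRoute("FLOW-1", 3, "auditor1,auditor2", "SEQUENTIAL", "PT12H", "audit.lead", "Yes"),
]
```

The composite would feed each returned nextApprover list into the owner field of the next human task and stop routing once the status is no longer ROUTE.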
Database Persistence Service
This web service will be generated from entities associated with the database tables described above. JPA entities will be created and a Session Bean will act as the session façade for the entity beans generated from the database tables. The persistence service will be invoked from the various GUIs used to define Approval Flows, Input Forms and other framework configuration elements.

OIM Custom Adapters

We have several options for implementing the adapters that will deal with the multi-value attributes in a user profile. In my view the easiest way to implement this is a post-insert entity adapter that does the following:
  • Extract the names of the attributes associated with the user in question by querying the OIM_EXT_MV_UPATTR table for that user's User Login Name. The reason for this search is that at a given time a user may not have all the attributes populated, so only the attributes that have been populated are processed.
  • Extract the key of each custom multi-value attribute from the user profile. The value is used to link the user profile with the OIM_EXT_MV_UPATTR extension table containing the values of each multi-value attribute of each user.
  • Extract the values of each multi-value attribute that is populated for the user in question using the key obtained above.
  • Using tcUserOperationsIntf, tcFormDefinitionOperationsIntf and tcFormInstanceOperationsIntf, populate the child tables potentially linked to each attribute. The information required to call these APIs is stored in table OIM_EXT_MV_UPATTR for each user.


In this article I intended to present a potential implementation of multi-value attribute support together with a mechanism that simplifies the request process and potentially provides a more flexible customization mechanism. In the next chapter of the series we will discuss the implementation of the configuration GUIs and the design of the customization mechanism for the input forms based on XML/XSLT transformations.

Wednesday, July 18, 2012

Achieve Faster WebLogic Authentications with Faster Group Membership Lookups

In my last post I wrote about the complicated and time-consuming process of determining all of a user's group memberships when an LDAP namespace includes nested and dynamic group memberships. I wrote about how you can simplify and speed up getting a user's group memberships through the use of a dynamic "member of" attribute, specifically the orclMemberOf attribute in OID.

Today I’d like to extend this discussion to WebLogic server authentications.

Tuesday, July 17, 2012

OIM & Connector Server

New versions of OIM connectors have been released in the past few months (version number 11.1.1.x). These new releases bring an important change to OIM connectors: they are based on the Identity Connector Framework (ICF). The documentation for the ICF is available at:

One of the things that ICF brings is the capability of deploying connectors to an 'Identity Connector Server' (but keep in mind you still need to deploy the connector to OIM as well). When using a connector server, OIM delegates the execution of the provisioning tasks to the connector server. Except for the .NET based connectors (like AD and Exchange), the connector server is an optional piece in an OIM topology and its use depends on the project requirements.

Friday, July 13, 2012

Oracle Identity Management 11g R2 Launch Webcast

The 11g R2 release of the Oracle Identity Management stack is upon us. The 11g R2 release greatly expands the capabilities of the stack, especially in the area of cloud and mobile environments. On Thursday, July 19 at 10am PST / 1pm EST there will be an interactive Oracle Identity Management 11g R2 launch webcast hosted by Oracle product development executives Hasan Rizvi and Amit Jasuja.

Register now for the interactive launch Webcast, and don’t miss this chance to have your questions answered by Oracle product experts.

Thursday, July 12, 2012

Simplifying OIM 11g Series (Chapter One)

This is the first in a series of posts dedicated to the design of tools that have the common goal of simplifying or enhancing the functionality provided by OIM 11g. As more and more customers implement OIM 11g, new challenges arise and new issues are uncovered. OIM 11g is a very powerful platform, but given the complexity of the problems OIM tries to solve, we have to admit that the product itself is sometimes not the easiest for customers to implement. The tools described in this series of articles have the purpose of facilitating the implementation of advanced capabilities of OIM, or of enhancing some of the features of OIM so that they can fulfill certain use cases that have traditionally been complex to implement (but nevertheless always possible).
In this article we will cover the design of a framework that allows business users to define provisioning processes that include approvals, sophisticated approval request routing and advanced user interface customization capabilities. A reference implementation of this framework will be presented in subsequent posts in the series.


OIM 11g defines two types of processes: Provisioning and Approval Processes. Provisioning processes are defined in OIM's Design Console, whereas Approval Processes are implemented in Oracle's SOA Suite via SOA Composites and BPEL. As you can imagine, customers now have to deal with the intricacies of BPEL and the corresponding tool set. In some cases, customers don't have the necessary skill set to customize Approval processes to fulfill complex use cases. This tends to produce less than desirable results because, if best practices are not followed properly, there is a strong chance that the end solution won't perform as expected. Because Approval processes are defined using SOA Suite artifacts, only experienced developers who understand JDeveloper will be able to implement any required customizations to the processes. Moreover, Approval Processes are the ones most closely tied to the business, so Business Users should be able to define the approval flows that make sense to their business.
So the idea here is to design a set of tools that run on top of the OIM 11g engine and allow business users to define provisioning processes and approval flows. In order to achieve this, the tool kit needs to have the following:
  • A set of components that will perform tasks required by the framework including:
    • A Pre-Populate adapter that supports multi-value attributes.
    • A SOA Composite that will execute provisioning tasks and request application roles used to provision resources (this will be explained in detail later on).
    • An XML Schema to represent provisioning process definitions in XML.
  • The GUI that Administrators and/or Business Users can use to define provisioning processes.
  • A set of hooks where developers can implement extensibility interfaces to extend the functionality of the framework and can be deployed through the interface mentioned above.

Framework Components

The first thing to be addressed is the definition of the components in the framework. The best way I know to start defining such components is to list the tasks that are part of a provisioning operation; here they are:
  • Capture User Data
  • Route Approval Requests
  • Provision Approved Resources
Capture User Data

In this case the method used to capture data is forms. Whereas OIM allows for the definition of input forms, these apply to the resource objects that are to be provisioned. OIM uses the following process to configure request based provisioning:
  • Connectors define a Data Set which could potentially be customized. A data set is an XML file that contains the definition of the fields displayed in an input form including the UI element used to capture the value for the field and other metadata that indicates to whom the field is visible, the type of value it accepts and whether it is mandatory or not.
  • The Data Set has to be imported into MDS to be usable for Request Based Provisioning. This is not done at the time the connector is installed; it is done afterwards. The reason for this is that Data Sets can be customized to fulfill particular requirements, so it would not make sense to import a dataset by default until customers are certain that the out of the box Data Set will address their needs.
  • A provisioning form is still required for entering the data for the request. This is the input form that OIM allows administrators to design and it is used for the actual resource provisioning. This form can be pre-populated with information coming from a variety of sources, including OIM’s user profile attributes. This is one of the capabilities we intend to leverage in our solution with a few tweaks.
  • If the provisioning of a resource is subject to approval, then a request template configured with the proper approval process is necessary. This is also dependent on the data sets for the resources being imported to MDS.
As made evident by the description above, OIM has a bit of a complex setup when it comes to self-service request based provisioning. Even though the complexity is sort of justified for the sake of flexibility and feature richness, it can easily get out of hand. So the approach I am going to follow to simplify this configuration is the following:
  • In order to prevent administrators from having to import datasets to MDS just to be able to request a resource object I am going to use access policies in combination with out of the box roles and a customization used to manage multi-value attributes in OIM’s User profile.
  • There are already out of the box request templates to self-request role assignment which don’t need importing a data set. So I intend to leverage those templates for my implementation.
  • A specialized composite will be written to execute my version of a provisioning process, which internally will generate requests for the roles associated with each requested resource.

Route Approval Request

As part of any provisioning process, approvals may be and are often required. An approval process that can be easily defined by business users through a provided user interface will be executed by a customized SOA Composite generated using OIM 11g’s command line tools (I call this composite OIM’s Composite).

OIM’s Composite invokes a Web Service that generates a representation of an approval routing in XML which is read by the configuration of the participants of the composite’s Human Task. This representation is generated based on the specification of the approval process defined by the business users.

In this manner Business Users don’t need to be experts in JDeveloper or even need a developer to implement approval flows because these can be defined using an intuitive user interface. These descriptors are stored on the file system so if working with a cluster of OIM Servers they need to be available on all servers, but this requires only copying the files and that’s it; no server restarts are necessary.

Provision Approved Resources

Since all we are doing is leveraging OIM's advanced capabilities for automatic provisioning, this is taken care of by the access policies and potentially a pre-populate adapter to support multi-value attributes.

The idea is to have a role associated to each Resource Object/IT Resource combination so a policy can easily be defined for the automatic provisioning of a resource object instance connected to an IT Resource target. If child forms need to be populated the custom pre-populate adapter will take that information from a special table (part of this framework) that extends the user profile of OIM to support multi value attributes.


This first article describes a framework that has the goal of simplifying the use of OIM 11g's features in customer implementations. The article only covers the design of such framework, while subsequent posts will cover a reference implementation of the components described here that customers and partners can leverage to build a tool kit targeted to make OIM 11g implementations simpler.