OAM : Custom Login Page Times out after 15 mins (Prior to User Login)

Product Versions : 
OAM 11.1.2.2.0, OHS 11.1.1.7 , Webgate for OHS - 11.1.2.2, Weblogic Server 10.3.6
Single Sign On implemented with WebCenter Custom Portal & WebCenter Content 11.1.1.8
A custom login page was used instead of the OOTB Login Page provided by Oracle.

Issue Summary : 

If User stays idle on custom login page (without having logged in) for  more than 15 mins and then tries to login, he is redirected to a blue screen/error page which says 'System error, please contact your administrator'

Error Logs -

Error occurred while handling the request.

Supplemental Detail     java.lang.RuntimeException:   Authentication request Timed out. Eapsed time in min: 79560 at oracle.security.am.controller.BaseRequest.updateObjectWithCachedMap(BaseRequest.java:482)

  

Note - 
If the user logs in to the application before 15 mins, the SSO enabled application honours the timeout values:

Webgate level 'Max Session Time' = 60 mins

OAM Console - Common Settings 'Idle Timeout' = 65 mins

The user has connected to the custom authentication page but not logged in yet. So there is no user session yet. The user just idles for a while and then attempts to login and gets the error - The 'Idle Timeout' is only applicable to logged-in sessions. The timeout we are hitting is the 'Request Time Out' which is somehow hardcoded by Oracle to 15 mins.

Solution :
This is a pretty weird Oracle Bug ! Workaround is as follows :

Add a meta tag such as following one behind <head> in the custom login page.
    <meta http-equiv="refresh" content="890; URL=http://host.example.com/public/public.html">
The Http mechanism for a meta tag is described on:  http://www.w3schools.com/tags/att_meta_http_equiv.asp

The time value of 890 seconds comes from :
The idle time of 15 minutes set by OAM minus 10 seconds, that is:
         => (15*60=900)  minus (tolerance time of 10 second)
If the user stays now for 890 seconds on the custom login page, the browser will bring him back to a public page as defined with URL  (http://host.example.com/public/public.html).

References : Doc Id 1908294.1

OAM 11.1.2.2 (11gR2) - System error after submitting credentials from Custom Login Page

Scenario : Standard Custom Login Page doing form post to /oam/server/auth_cred_submit with username/pwd and 'request_id' in cookie.

Issue - Sporadic redirection to an error page with 'System Error has occurred' message with details -

[oam_server1] [TRACE] [] [oracle.oam.binding] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 004sto37QpzDoYX5HvH7if00063I00002b,0:2] [SRC_CLASS: oracle.security.am.pbl.protocol.plugin.oam.AMFailureResponseHandler] [APP: oam_server#11.1.2.0.0] [SRC_METHOD: processResponse] [URI: /oam/server/auth_cred_submit] OAM-02073[[

oracle.security.am.common.utilities.exception.AmRuntimeException: OAM-02073
at oracle.security.am.engines.enginecontroller.AuthzEngineController.checkProtected(AuthzEngineController.java:438)
at oracle.security.am.engines.enginecontroller.AuthzEngineController.processEvent(AuthzEngineController.java:177)
at oracle.security.am.controller.MasterController.processEvent(MasterController.java:570)
at oracle.security.am.controller.MasterController.processRequest(MasterController.java:759)

Solution - 

As per Support Document Id 1578776.1-

"Verify that the custom login page is submitting the credentials to /oam/server/auth_cred_submit with the correct OAM Server Host and Port.The OAM_SERVER_HOST.DOMAIN and SSLPORT values should match those configured in the OAM Console -> System Configuration -> Access Manager Settings page for Load Balancing OAM Server Host and OAM Server Port.”

In  my case, the form post URL was pointing to https://<host>/oam/server/auth_cred_submit.

Once I had it changed to https://<host>:443/oam/server/auth_cred_submit, (adding missing port) this issue got resolved.

Please check the above support document for some other causes for this issue.

OAM 11gR2 : Single-Sign-On to an internal Portal, logging in from an external facing public Portal

A common requirement for many Portal clients -

Allow single signed on access to an Internal Portal, with the user logging in from an external portal using a custom login form (one at the top right corner of the screen).

Why is this not straight forward ?

Well, you might ask what's the big deal with this. Isn't this a standard custom login page being implemented ? Nope, a standard OAM Custom Login page posts to the /oam/server/auth_cred_submit URL endpoint alongwith request_id as a parameter which contains the details of the protected resource to which it should navigate on successful authentication. In short, the protected page was solicited by the user, and after a series of redirects it lands at the custom login page. Once the user authenticates successfully, the resource is picked up from the request_id parameter and navigated to.

In the above scenario, the user needs to navigate to a resource which was not solicited.e.g. The user requested for  www.oracle.com and after logging in needs to navigate to oracle.com/EmployeePortal.

This introduces the concept of Unsolicited Login -

Unsolicited Login is used when we want to authenticate user without any request_id or resource. The page which is navigated to, upon successful authentication is not the one which was initially solicited hence the name Unsolicited Login.

This feature has been introduced by Oracle in 11gR2 (11.1.2.x series). Prior to 11gR2, this feature would need to be custom built.

Following are the steps needed to enable this feature in OAM :
1. Enable Direct Authentication for OAM.

Navigate to OAM Domain for your installation, under config/fmwconfig/oam-config.xml, ensure that ServiceStatus under DirectAuthenticationServiceDescriptor is set to true. (DirectAuthenticationServiceDescriptor is under OAMServicesDescriptor).

It is highly recommended that, you first stop the Admin Server and OAM Cluster before you make any changes to the oam-config.xml. Further, it is sufficient to do the above changes in the oam-config.xml under the AdminServer/config/fmwconfig incrementing the Version field by 1. Once you have restarted the AdminServer and the OAM Clusters, the oam-config.xml for OAM Cluster will get automatically updated.

2. Submit the following information to the endpoint via Custom Login Form (External Public facing Portal Page) https://oam_host:oam_port/oam/server/authentication:

a.      username

b.      password

c.       successurl, for example, http://machinename.mycompany.com:7778/sample-web/headers.jsp.

Code Example

<form id="loginForm" name="loginForm" action="http://OAMHost:Port/oam/server/authentication" method="post" hidden="true" >

<input id="username" type="text" name="username" />

<input id="password" type="password" name="password" />

<input id="successurl" type="text" name="successurl" value="http://chinni-pc:7777/"/>

<input type="submit" value="submit" />

</form>

You can use the above code bit in a JSP and package it within the same Custom Login Page app archive used for the Internal Portal. This will need to be re-deployed to the Weblogic Server for the functionality to work.

 In case you would like to use it in an external Portal page which is an HTML or the like you can iframe the above code as a JSP.

Once the credentials are validated, OAM Server redirects to the success URL after setting OAM_ID cookie as part of HTTP redirect (HTTP response code 302).

Note – Internal Portal Login page or code does not need to be changed.

3. To allow direct authentication only for POST, or vice-versa:

i)        Login to Oracle Access Management administration console and navigate to Policy Configuration, then Application Domains.

ii)      Select edit default application domain IAMSuite. Navigate to Resources, then search and edit resource /oamDirectAuthentication.

iii)    Under Operations, de-select all operations that are not to be supported, except POST. For example, GET, DELETE.

iv)    Make sure that the AuthenticationPolicy for the /oamDirectAuthentication points to the same AuthenticationScheme as for the Internal Portal.

If the above is not present in your OAM environment, please create it similar to the screenshots below.

Once user logs in, user will be redirected to successurl.

4. The URL pattern of the external Public facing Portal needs to be marked as ‘Unprotected’ with a ‘PublicAuthenticationPolicy’ which uses an ‘Anonymous Scheme’.

The internal Portal would continue to be as-it-is marked ‘Protected’ with a ‘PrivateAuthenticationPolicy’ pointing to the relevant ‘LDAPScheme’.

The above would need to be done within the appropriate ‘Application Domain’ which is used for the Portal.

In screenshot below, /ssologin/.../* represents the URL pattern for an External public facing Portal.

Oracle Documentation References

http://docs.oracle.com/cd/E27559_01/dev.1112/e27134/custpages.htm#AIDEV6382

http://fusionsecurity.blogspot.com/2012/12/unsolicited-login-with-oam-11gr2.html#more

http://fusionsecurity.blogspot.com/2012/04/unsolicited-login-with-oam-11g.html 

Screenshots from a POC on this
Below are the screenshots and summary from a POC done on OAM 11.1.2.2 with WebCenter Portal/Spaces 11.1.1.8.3 as the Success URL.

The below screenshot represents a public site with a login form. This page is not protected and is meant to represent an external portal.

Once the user enters the required credentials and clicks submit, they will be redirected to a protected resource. The protected resource shown below (WebCenter) is to reflect a protected internal portal.

Shown above, the user has successfully authenticated and has established an SSO session with Oracle Access Manager.

If the protected resource is accessed directly, a separate authentication method/form will be used to challenge the user. 

Impersonation feature for WebCenter Spaces 11.1.1.8 with Oracle Acess Mgr(OAM) 11gR2

What is Impersonation ? 

WebCenter Portal Impersonation lets a WebCenter Portal administrator or system administrator assign impersonation rights to a group of users ("impersonators"), such as support representatives or application administrators, so that they can impersonate another Portal user and perform operations as that user ("impersonatees"). This may be useful in the following instances:

• A customer support representative may want to perform actions as another user in order to understand the issues being faced by that user
• An administrator may want to perform operations on behalf of a user
• A company executive may need to delegate someone to act on his or her behalf while away. (Source : Oracle Documentation)

Pre-requisites

1) WebCenter Spaces 11.1.1.8 +

2) Oracle Access Manager(OAM) 11.1.2 (11gR2+)

3) Setups need to be done in OAM , Webcenter Spaces application using EM , and in Oracle Internet Directory(OID) for the users (OID 11.1.1.7+)

Key Advantages -

1) Feature just needs to be configured as mentioned above . Effort is markedly less than implementing this feature in a custom manner using ADF/Web Technologies.

2) Feature once configured along with OAM can be monitored using OAM.

3) Out of the box UI are available and supported by Oracle , hence the solution is standardized.

4)Feature being a very common use case can be used to sell OAM and the Security Team has expertise in implementing it within a cpl of weeks.

Note - 

• After weeks of ado , I have got this up and running in our environments for Webcenter Spaces 11.1.1.8 which is Oracle's new way of developing webcenter portal applications.

• But for a Custom Portal Application in 11.1.1.8, though Security Taskflows for Impersonation are available in Jdeveloper , Impersonation is not currently supported (Doc ID 1606526.1) but I have an ER open with Oracle [BUG 18882638 - ENABLE IMPERSONATION FOR WEBCENTER CUSTOM FRAMEWORK APS ]

Walkthrough of this new & exciting feaute via screenshots - 

1) Screen in WC Spaces / Custom Portal Security Taskflow to select impersonators. (Validations to prevent users not been setup as Impersonators available Out of the Box).

2) Search Impersonators screen .

Only those users who have been granted Impersonator access in OID can be searched here.

3)Selected Impersonator who can be given access rights for a time duration.

4) Once Switch User Link is clicked ( as in second image above) after logging in with the 
Impersonators credentials , the Impersonator is asked to enter your credentials as under.

5) Once logged in the Impersonation session is in progress. Remember - The impersonatee's credentials were not used at all !

Click on Stop Impersonation to return back 
to the Impersonator's home page.

6) Cool feature  !! Monitor the Impersonation session as an Admin in OAM Console as below

Reference - 

http://docs.oracle.com/cd/E29542_01/webcenter.1111/e27785/pers_impersonate.htm