
Friday, September 26, 2014

Oracle Fusion Middleware : 11.1.1.x / 11gR1 Support

Your 11gR1 (11.1.1.x) customer does not wish to upgrade to 11gR2 (11.1.2.x) or to 12c (12.1.x), perhaps because the new features do not interest them or because they are not ready for the cloud yet.

Well, what about support for 11gR1? Quite apart from new features, this can be a major reason to upgrade!

11.1.1.x Premier support ends June 2015
As per http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf page 36

Note that there are three kinds of support: Premier Support, Extended Support and Sustaining Support (together they make up Oracle's Lifetime Support Policy).
Extended Support may not cover integrations with new third-party products, and Sustaining Support does not include new fixes!

Typically Premier Support runs for 5 years from the product's general availability, Extended Support for 2 more years and Sustaining Support thereafter.

Monday, September 22, 2014

Oracle Security : Getting Started

Oracle Identity Management (IDM) is a vast collection of products with confusing terminology, and it can be difficult to know where to start. I hope the links below help.

Concepts
Oracle IDM Basics - (Keep clicking to navigate through entire topics)
A few simple Tutorials from Oracle to get started
Oracle IDM Home Page (Source to Datasheets, Whitepapers, Customer Use Cases and various Data)

Installs

Issues/Continuous learning of tricky use cases & finer concepts
Oracle IDM A-Team Blogs (Learn tricks of the trade)

Mapping of use cases with products

Collated IDM 11gR2 Blog Dashboard

Monday, September 1, 2014

UCM / Webcenter Content : Configuring an Admin User for UCM which resides in OID

UseCase :
  • The default install of WebCenter Content/UCM leaves weblogic, which resides in the embedded LDAP, as the default Content Admin.
  • In our WebCenter implementations we end up using a variety of LDAPs.
  • This post details how to change the UCM admin user to a user residing in OID, which is easier to manage and the recommended approach instead of using weblogic.


Advantages : 
  • The same approach can be extended to any LDAP, such as AD, OUD or ODSEE.
  • It also lets you log in to the UCM console through an OHS URL or virtual IP that has the LDAP configured as its identity store, instead of having to log in via the managed server port.

Configuration Steps :

1. Create a new user called ucmadmin in OID with object classes similar to those present for orcladmin.

2.Create a new group called ucmadmingroup in OID with object classes top and groupOfUniqueNames.

3.Assign ucmadmin as a member of the ucmadmingroup.

4.Make sure the users and groups mentioned here reside in the DN hierarchy defined in the OID Authenticator(e.g. cn=Users,dc=oracle,dc=com)

5. You also need to create a credential map that grants ucmadmingroup the administrator privileges in UCM. In UCM, we map the OID group ucmadmingroup to the UCM internal roles and to all account privileges. Every user who belongs to ucmadmingroup is then automatically granted the UCM admin roles.
- Log in to Content Server as weblogic (http://<host>:16200/cs) and configure the credential map:
  Administration -> Credential Maps, create a new map (e.g. called "MyOIDMap")
- Add the following mappings (source group on the left, UCM role or account on the right):
ucmadmingroup, admin
ucmadmingroup, guest
ucmadmingroup, sysmanager
ucmadmingroup, refineryadmin
ucmadmingroup, rmaadmin
ucmadmingroup, pcmadmin
ucmadmingroup, ermadmin
ucmadmingroup, @#all

6. Edit provider.hda and add the credential map "MyOIDMap" as ProviderCredentialsMap. The file is at
 <UCM-Domain>/ucm/cs/data/providers/jpsuserprovider/provider.hda
  Here is an example:
<?hda version="11gR1-11.1.1.6.0-idcprod1-111219T111403" jcharset="UTF8" encoding="utf-8"?>
Properties LocalData
DefaultNetworkAccounts=#none
DefaultNetworkRoles=guest
PasswordScope=jpsuserprovider
ProviderClass=idc.provider.jps.JpsUserProvider
ProviderDescription=csJpsUserProviderDescription
ProviderName=JpsUserProvider
ProviderType=jpsuser
SourcePath=jpsuser
ProviderCredentialsMap=MyOIDMap
blDateFormat=M/d{/yy}{ h:mm[:ss]{ a}}!mAM,PM!tAmerica/Los_Angeles
pDescription=csJpsUserProviderDescription
end

7.Restart the UCM Managed Server.
 

8. Repeat the steps on the other machine if it is a clustered environment.

9. After that, if you log in to Content Server as ucmadmin, the ucmadmin profile should look similar to the following:
 
 In the ucmadmin profile you should see "#all" in the Accounts field. Otherwise, when users access documents in Spaces, it will fail with the following error:
  User 'ucmadmin' does not have sufficient privileges to access the content account.
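The LDAP and file-system side of the steps above can be scripted. The following is an added example and not part of the original post: it prints the LDIF for steps 1-3, checks the step 4 rule that the entries sit under the OID Authenticator's user base, and makes the step 6 edit to provider.hda idempotently. The base DN cn=Users,dc=oracle,dc=com, the map name MyOIDMap, the ldapadd invocation and the user object classes are assumptions; compare them with your own orcladmin entry before loading anything.

```sh
#!/bin/sh
# Added example, not code from the original post: scripts the LDAP side of
# steps 1-4 and the provider.hda edit of step 6. The base DN, map name and
# the user object classes are assumptions; match them to your OID realm.

BASE_DN="cn=Users,dc=oracle,dc=com"   # assumed: user base DN from the OID Authenticator
MAP_NAME="MyOIDMap"                    # assumed: credential map name chosen in step 5

# Steps 1-3: LDIF for the ucmadmin user and the ucmadmingroup group.
# The user object classes are those a standard OID realm user such as
# orcladmin carries (assumption: check your own orcladmin entry first).
# Load with the OID ldapadd, e.g.
#   $ORACLE_HOME/bin/ldapadd -h oidhost -p 3060 -D cn=orcladmin -q -f ucmadmin.ldif
gen_ucm_admin_ldif() {
  base="$1"
  cat <<EOF
dn: cn=ucmadmin,$base
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: orclUser
objectclass: orclUserV2
cn: ucmadmin
sn: ucmadmin
uid: ucmadmin
userPassword: CHANGE_ME_BEFORE_LOADING

dn: cn=ucmadmingroup,$base
objectclass: top
objectclass: groupOfUniqueNames
cn: ucmadmingroup
uniquemember: cn=ucmadmin,$base
EOF
}

# Step 4: does a DN sit under the base DN the OID Authenticator searches?
# DNs are compared case-insensitively with spaces around commas ignored.
# An entry outside this subtree is never returned by the authenticator,
# so the credential map would silently not apply to it.
dn_under_base() {
  dn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g')
  base=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g')
  case "$dn" in
    *",$base") return 0 ;;
    *)          return 1 ;;
  esac
}

# Step 6: set ProviderCredentialsMap inside the LocalData block of
# provider.hda. The block is "Properties LocalData", key=value lines, "end".
# An existing key is replaced; otherwise the line is added before "end".
# The original file is kept as provider.hda.bak.
set_provider_credentials_map() {
  hda="$1"; map="$2"; tmp="$hda.tmp.$$"
  awk -v map="$map" '
    $0 == "Properties LocalData" { inblock = 1 }
    inblock && /^ProviderCredentialsMap=/ { print "ProviderCredentialsMap=" map; seen = 1; next }
    inblock && $0 == "end" { if (!seen) print "ProviderCredentialsMap=" map; inblock = 0 }
    { print }
  ' "$hda" > "$tmp" && cp -p "$hda" "$hda.bak" && mv "$tmp" "$hda"
}

# Read one key from the LocalData block (used to verify the edit).
get_hda_key() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Demo on a constructed copy of provider.hda. The BOM at the start of the
# real file does not matter: awk only matches whole later lines.
demo() {
  d=$(mktemp -d)
  printf 'Properties LocalData\nProviderClass=idc.provider.jps.JpsUserProvider\nProviderName=JpsUserProvider\nend\n' > "$d/provider.hda"
  set_provider_credentials_map "$d/provider.hda" "$MAP_NAME"
  echo "ProviderCredentialsMap is now: $(get_hda_key "$d/provider.hda" ProviderCredentialsMap)"
  dn_under_base "cn=ucmadmin,$BASE_DN" "$BASE_DN" && echo "cn=ucmadmin,$BASE_DN is under $BASE_DN"
  rm -rf "$d"
}
demo
```

Step 5 (the credential map) is still done in the Content Server UI; the script only verifies that the map name you typed there is what provider.hda now points to. Restart the managed server afterwards. Also keep in mind that with @#all mapped, anyone who can add members to ucmadmingroup in OID effectively controls every account in UCM, so restrict write access to that group as tightly as you restrict the weblogic account itself.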

Monday, August 25, 2014

OID 11.1.1.7 - Unlocking superuser orcladmin account

We weren't able to login to WebCenter Portal which uses OID as the Authentication store today.
On investigation we found out that the superuser orcladmin account was itself locked.

Note -
1. There are 2 orcladmin accounts: the superuser account, cn=orcladmin, and the realm administrator cn=orcladmin, for example cn=orcladmin,cn=users,dc=oracle,dc=com.

2. The superuser account is hard coded and is not seen in the Oracle Directory Manager (ODM), nor the Oracle Directory Services Manager (ODSM) in 11g.


The following commands*, run from a shell, fixed this issue:


export ORACLE_HOME=/u01/app/oracle/middleware/Oracle_IDM1/
export ORACLE_INSTANCE=/u01/app/oracle/admin/OID_Domain/oid_inst_2/
cd /u01/app/oracle/middleware/Oracle_IDM1/ldap/bin
# find the connect string in /u01/app/oracle/admin/OID_Domain/oid_inst1/config/tnsnames.ora
./oidpasswd connect=OIDDB unlock_su_acct=true
OID DB user password: <ODS schema password>

*This is just a representation of what i had to do in my environment to fix this.

After this, log in to ODSM, go to the Data Browser tab and change the password for cn=orcladmin,cn=Users,dc=<companyName>,dc=com, which in all probability has expired as well.



Atul Kumar's post here also helps with similar issues.

To change password policies have a look at this Oracle Doc

Saturday, August 23, 2014

OAM 11gR2/WebLogic : The importance of parameters in mod_wl_ohs.conf (web server plug-ins)

The configuration of various parameters in the web server plug-in plays a major part in ensuring that Single Sign-On works correctly with OAM.

Oracle Documentation -
http://docs.oracle.com/cd/E23943_01/web.1111/e14395/plugin_params.htm

This post is intended to share my experiences with certain parameters and the repercussions if you don't include them :)

WLProxyPassThrough
WLProxySSL works great if the web server itself is doing the SSL work. But if SSL is terminated by a load balancer, the request reaches OHS over HTTP and mod_wl removes any incoming WL-Proxy-SSL header, so WebLogic Server never sees it and request.isSecure() always returns false. If you add this directive and set it to ON, the plug-in will not remove an incoming WL-Proxy-SSL header, which lets WebLogic Server know that the original request was initiated over SSL. The load balancer must send WL-Proxy-SSL only when the inbound traffic to it was SSL (HTTPS), and it must strip any WL-Proxy-SSL (or WL-Proxy-Client-IP) header supplied by the client: with pass-through enabled the plug-in forwards those headers as-is, so a client that can reach OHS directly could otherwise spoof them.

Error Scenario

Once I added this parameter under the <IfModule weblogic_module> tag and set it to ON, the issue no longer recurred.




WLCookieName
If you change the name of the WebLogic Server session cookie in the WebLogic Server Web application, you need to change the WLCookieName parameter in the plug-in to the same value. The name of the WebLogic session cookie is set in the WebLogic-specific deployment descriptor, in the <session-descriptor> element.

Error Scenario :
The WebCenter Portal application I was implementing SSO for using OAM had, for some reason, changed the WebLogic session cookie name to a value other than JSESSIONID.
This caused no issues until I configured a "WebLogic Cluster" value (instead of "WebLogic Host") in the OHS layer pointing to the WebCenter managed servers. Once I did so, the WebCenter Portal page would not load; instead it flickered with constantly changing _adf.ctrl-state values.
This was resolved once I added WLCookieName <cookieName> under the context root tag for the WebCenter Portal app in mod_wl_ohs.conf.

This post is also relevant in this regard.
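As an added example (not taken from the original post) here is a mod_wl_ohs.conf fragment showing both parameters in their fixed form, with the broken settings described above left in comments. Host names, ports, the context root and the cookie name are assumptions; substitute your own.

```apache
# Added example, not from the original post. Host names, ports, the context
# root and the cookie name are assumed values.

<IfModule weblogic_module>
    # Broken: SSL is terminated on the load balancer and OHS receives plain
    # HTTP. Without WLProxyPassThrough the plug-in strips the load balancer's
    # WL-Proxy-SSL header, WebLogic sees request.isSecure() == false and
    # builds http:// redirects, so the OAM login round trip never settles.
    #
    # Fixed: keep the header the load balancer sets. Only do this when the
    # load balancer is the sole path into OHS and it sets WL-Proxy-SSL only
    # for HTTPS clients and drops any client-supplied WL-Proxy-* headers.
    WLProxyPassThrough ON
</IfModule>

# WebCenter Portal, fronted as a cluster rather than a single WebLogicHost.
<Location /webcenter>
    SetHandler weblogic-handler
    WebLogicCluster wcp1.example.com:8888,wcp2.example.com:8888

    # Broken: the application renamed its session cookie in weblogic.xml
    # (<session-descriptor><cookie-name>WCPSESSIONID</cookie-name>) but the
    # plug-in still looks for JSESSIONID, so with WebLogicCluster it cannot
    # find the primary server and the page loops on _adf.ctrl-state.
    #
    # Fixed: tell the plug-in the real cookie name.
    WLCookieName WCPSESSIONID
</Location>
```

The cookie name must match the one in the application's weblogic.xml exactly; if the application is later repackaged with the default name, drop the WLCookieName line again rather than leaving a stale value in place.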

Oracle IDM 11gR2 : Integrating with MS Active Directory 2003

The latest versions of OIM and OAM 11gR2 (11.1.2.x) do not support LDAP sync or OIM-OAM integration with Active Directory (AD) 2003, as per the 11gR2 certification matrix.
We had a use case that required federation with OAM 11gR2 somehow, with AD 2003 as the identity store.

Option 1 : Using OVD
We noticed that the latest version of OVD, 11.1.1.7, supports AD 2003 as per the 11gR1 FMW certification matrix. So potentially we could hook OAM to OVD as the identity store and still connect to Active Directory 2003, which is not directly supported!
Extending this idea, we could provision to OVD from OIM, which would ultimately create the relevant user accounts in Active Directory 2003.
Oracle confirmed this in SR # 3-9503114871 (you may not be able to view it directly, but you can refer to it in another SR if need be).

Option 2 : Using OID and DIP
Standup OID(11.1.1.7 is the latest as of today) and sync existing users from AD 2003 using a DIP process.

Option 3 : Use IDM 11gR1
Least preferred, since it is never a good idea to go back to an older release when the newer release has so much to offer and IDM 12c is in the pipeline. If none of the above can be made to work for whatever reason, AD 2003 is definitely supported with both OIM and OAM 11gR1 (11.1.1.x).

Monday, August 11, 2014

OAM 11gR2 : 500 Internal Server Error after registering new 11g Webgate

I got the error in the subject after I had registered a new WebGate, done the other necessary configuration and tried to access a WebCenter Portal page I was trying to protect.

The error in oblog.log said:


Request Failed for : /index.html, Resp Code : [500]
OBWebGate_AuthnAndAuthz: Cannot get message for ObAccessException_NO_AGENT_KEY


Oracle Support had a similar issue for Fusion Apps, which did not really help -
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1534423.1

Finally, after using the OAM Tester, a colleague suggested editing and re-copying the WebGate-related files for that WebGate from the output directory of the OAM_Domain to <OHS_Instance>/config/OHS/ohs1/webgate/config.

Hope this helps someone facing a similar issue.
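The re-copy step can be scripted so that it is repeatable on every OHS node and leaves the previous files behind for comparison. This is an added example, not the original post's or Oracle's code: the directory layout is the one the post names, the agent name WCP_WG is an assumption, and the artifact file names are those OAM writes for an 11g WebGate (ObAccessClient.xml and cwallet.sso, plus password.xml and the aaa_* PEM files for SIMPLE/CERT mode).

```sh
#!/bin/sh
# Added example, not from the original post or from Oracle. Re-copies the
# artifacts OAM wrote for an 11g WebGate into the OHS WebGate config
# directory, keeping the old files for comparison. Directory layout is the
# one named in the post; the agent name used below is an assumption.

# Always present under <OAM_Domain>/output/<AgentName>/ for an 11g WebGate.
# cwallet.sso carries the agent key, which is what NO_AGENT_KEY complains about.
WEBGATE_ARTIFACTS="ObAccessClient.xml cwallet.sso"
# Present only for SIMPLE/CERT mode agents; copied when they exist.
OPTIONAL_ARTIFACTS="password.xml aaa_key.pem aaa_cert.pem"

# Return 1 (and name the file) if a mandatory artifact is missing or empty.
check_artifacts() {
  src="$1"
  for f in $WEBGATE_ARTIFACTS; do
    [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
  done
  return 0
}

# Copy artifacts from src to dst. Existing files in dst are moved aside with a
# timestamp suffix, never overwritten in place.
copy_webgate_artifacts() {
  src="$1"; dst="$2"
  check_artifacts "$src" || return 1
  mkdir -p "$dst"
  stamp=$(date +%Y%m%d%H%M%S)
  for f in $WEBGATE_ARTIFACTS $OPTIONAL_ARTIFACTS; do
    [ -f "$src/$f" ] || continue
    if [ -f "$dst/$f" ]; then
      mv "$dst/$f" "$dst/$f.$stamp.bak"
    fi
    cp -p "$src/$f" "$dst/$f"
    chmod 600 "$dst/$f"   # wallet and password file are secrets; keep them private
  done
  return 0
}

# Does the copied ObAccessClient.xml mention the agent you registered?
# A plain substring match is used; the agent id appears in that file.
artifact_agent_matches() {
  grep -q -- "$2" "$1/ObAccessClient.xml"
}

# Usage on an OHS node (assumed paths and agent name):
#   copy_webgate_artifacts "$OAM_DOMAIN/output/WCP_WG" \
#       "$OHS_INSTANCE/config/OHS/ohs1/webgate/config" \
#   && artifact_agent_matches "$OHS_INSTANCE/config/OHS/ohs1/webgate/config" WCP_WG \
#   && echo "artifacts in place; restart OHS"
```

Run it once per OHS instance and restart OHS afterwards. If the agent name check fails, the output directory you copied from belongs to a different registration than the one the OHS host is supposed to use, which is exactly the mismatch that produces the NO_AGENT_KEY error.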

Debugging SSO issues using OAM Tester

The OAM Tester is a great desktop-based tool for testing issues while accessing resources protected by OAM. It gives you basic logs and categorizes exactly what fails (authentication, authorization, etc.).

This is a quick way to ensure that everything works at the OAM layer without having to look at the logs and/or tools like Firebug, HttpAnalyzer or Fiddler.

The port for the server connection is 5575, the OAP port of the Access Manager server. The rest should be self-explanatory.

Copy the following files from <ORACLE_IAM_HOME>/oam/server/tester & launch oamtest to get to this dialog.
Links from Oracle documentation -

Thanks to my colleague Shivram Sundaram to help find this thus quickly resolving multiple issues.

Note - I was on the 11gR2 version of OAM.

Tuesday, July 15, 2014

ADF / Webcenter : POJO Data Control caches values even when container taskflow is refreshed [UI Aware Data Model - I]


Oracle says ADF BC, EJBs, web services, POJOs, etc. are supported as the Business Services layer in ADF.

The Data Control layer, which is the Model layer, can be generated from each of the above (it is generated automatically for ADF BC).






Use Case -
I had a task flow that contained a jsff as its default view activity. The view in turn pulled data from a web service proxy (a POJO for all practical purposes) via a POJO Data Control. We had a requirement to refresh the task flow when the value of a selectOneChoice outside the region changed.

Issue -
Though the task flow refreshed, the page still showed the same data in the ADF Table (based on the POJO Data Control), which was surprising!

Concern
Since as per the documentation -
http://docs.oracle.com/cd/E21764_01/web.1111/b31974/taskflows_regions.htm#CHDEIFBB
Example 17-8 says :
You do not need to refresh an ADF region to refresh the data controls inside the ADF region. During the ADF lifecycle, the refresh events telling the iterators to update will be propagated to the binding container of the current page of the ADF region.


Solution -
We had to re-execute the iterator's query to get this to work, either as a method call before the view is loaded or by overriding the refreshRegion() method of the RegionController class.

Explanation - 
The real reason this is expected behaviour is the way ADF works with ADF BC as the business services layer, and the UI-aware data model described in the Oracle documentation. Other, non-ADF BC business service implementations do not support this pattern, so we need to refresh iterators programmatically or clear caches etc. to reflect the most recent data when using POJO or web service Data Controls.

"When you use ADF Business Components in combination with the ADF Model layer and ADF Faces UI components, the data model is "UI aware" because your UI components will automatically update to reflect any changes to the row sets of these business objects
Thus, the UI-aware data model represents a solution that works across application technology layers to ensure that the UI and data model remain synchronized."

Here is the forum thread for reference.

Conclusion
Though many people who have worked on open source platforms and are used to having a handle on the code aren't fans of ADF BC, it simplifies development by providing really cool features like the UI-aware data model. I will try to outline more of this in another post.


Saturday, July 12, 2014

ADF/Webcenter : High Availability/Failover Configuration

We need to add the following parameters to our config files to enable High Availability in ADF /Webcenter applications.


Specifically ensure the weblogic-application.xml file has the following:
<session-descriptor>
<cookie-path>/appname</cookie-path>
<persistent-store-type>REPLICATED_IF_CLUSTERED</persistent-store-type>
</session-descriptor>

And the adf-config.xml file has the following:
<adf-controller-config xmlns="http://xmlns.oracle.com/adf/controller/config">
<adf-scope-ha-support>true</adf-scope-ha-support>
</adf-controller-config>



Some other factors you should consider at a code level.

ADF : Refactoring/Modularizing your AMImpl code

A lot of our ADF applications use a single Application Module (AM henceforth) to house most of the business logic. This results in a huge AMImpl.java which keeps growing and eventually becomes difficult to maintain with multiple developers working on it.

With this file being the heart and soul of the application, it would not hurt to refactor the business logic within it into separate standalone Java classes, split along some functional or logical boundary.

This is easily achieved by calling these standalone Java classes from the AMImpl.java and passing the AM instance to them, so that the required operation can be carried out independently and in context. The AMImpl.java then only houses skeleton methods that call the standalone class methods.

Example
Code in <yourAMName>Impl.java
    // Called from the UI via a method call activity in a task flow
    public void scheduleJobViaAM() {
        Scheduler scheduler = new Scheduler(); // could be made static based on need
        scheduler.scheduleJobsViaQuartz(this);
    }

Code in the standalone Java class
    import oracle.jbo.server.ApplicationModuleImpl;

    public class Scheduler {
        // Accepts an instance of the superclass of our AMImpl.java
        public void scheduleJobsViaQuartz(ApplicationModuleImpl am) {
            // Cast the AM to its concrete Impl class to get access to its methods and VO instances
            OrgAMImpl orgAM = (OrgAMImpl) am;
            // Call an AM method to do the processing with its VO instances;
            // alternatively that code could live here, since we hold the AM instance
            orgAM.commitSalaryForEmployee(100);
        }
    }

Finally we have more readable, manageable code, which goes a long way towards a timely delivered project with minimum issues!

ADF/WebCenter : Things to keep in mind while integrating Google Analytics

Download this article here to configure Google Analytics with ADF (pretty much the same as integrating GA with JSP). This will help you see page views by location, browser, etc.

A few issues I faced that might help you -


2) Enabling IP address on IWLS -

3) Use Universal Analytics or Basic Classic Analytics (without additional settings), as clearly mentioned here -

Friday, July 11, 2014

ADF : Lifecycle of a POJO Data Control

Though ADF BC is the Oracle-recommended Business Services layer, for many use cases we end up using POJOs and exposing them in the UI via POJO Data Controls,
e.g. consuming web services via a WS proxy, or calling third-party or IDM APIs.

I would like to point out that it is highly recommended that you generate Data Controls from the POJO and consume them in the UI, rather than getting a handle to the POJO directly in the UI and bypassing the binding layer. That way you can leverage cool features like sorting and filtering out of the box, and results are not cached the way they are when the table is bound to a pageFlowScope bean.
I have seen even ignorant, so-called 'Sr Solution Architects' use the wrong approach, face weird issues and blame it on ADF!

This post is intended to share the insights I received from Oracle PMs and others on the popular ADF Enterprise Methodology Group (EMG) on the below use case.


A POJO in the model layer with a constructor and a few public methods that return a list or the like, finally exposed as a Data Control to an ADF UI.
When will the POJO Data Control and the POJO be initialized, and in what memory scope will they be kept if they need to be accessed in various places on the same page, or on different pages in the same or different task flows?

See   the ADF EMG post & Frank's reply on the forum post for more details  and precise answers on the above.

Tuesday, July 8, 2014

Oracle Access Manager(OAM) & Oracle Internet Directory(OID)'s restricted use license with WebCenter Portal

Restricted use of Oracle Access Manager (OAM) and Oracle Internet Directory (OID) is allowed under WebCenter Suite Plus licensing, one of the most common licenses held by customers implementing a WebCenter Portal.
Thus OAM and OID can be used to provide Single Sign-On (SSO) between WebCenter, UCM/Content and IPM without the client having to buy additional licenses, albeit with a few technical limitations.
In addition, out-of-the-box features like Impersonation can be leveraged easily.
On the whole this should help customers leverage Single Sign-On using OAM and use Oracle's LDAP, OID, when implementing a WebCenter Portal.

Source :
"Oracle Access Manager(OAM) for enabling Single-Sign On (SSO) between WebCenter Portal components. Use of Oracle Access Manager to a) enable SSO for any custom services or functions or third party applications;
b) Direct Oracle Access Manager SDK calls; or c) Third party directory integration, is not allowed.
Oracle Internet Directory(OID) - The use of OID is restricted to storing credentials and policies specific to WebCenter Portal and its delivered components."

Limitations :
1) OAM and OID, along with the web tier, need to be installed on the same VMs as WebCenter Portal when used under this license.
This makes it slightly different from Oracle's recommended deployment architecture for OAM.

Monday, July 7, 2014

What is Oracle Mobile Application Framework (MAF) ?

Oracle Mobile Application Framework (MAF) was launched on June 30, 2014.

It is Oracle's latest mobile platform for developing hybrid mobile applications (which run on the device and are built using web technologies and Java/ADF) that can be deployed to the iOS and Android platforms.

It is basically an extension of ADF Mobile with a few additional features -

  • Ability to develop using multiple IDEs such as Eclipse (OEPE*) besides JDeveloper.
  • Additional AMX* components (80 in total now) to develop mobile applications and provide a rich look and feel.
  • Newly supported ADF DVT* components like Sunburst and Timeline. [Demos]
  • Support for Apache Cordova plugins.
  • Support for OAuth and web SSO for security.
  • Complete integration with Oracle Mobile Security Suite (OMSS), which is part of Oracle IDM.
  • Available from JDeveloper 12.1.3 onwards.
  • Migration of existing ADF Mobile applications is easy: just open the application in the new JDeveloper!
  • Licensing for Oracle MAF is now separate (per user per app, or unlimited users per app).
  • Higher reusability using Feature Archives (FARs) and custom components.
  • Support for HTML5 and JavaScript development.

Architecture ( Source : Oracle )



Resources

Glossary
*  DVT - Data Visualization Components (Graphs/Charts etc)
*  OEPE - Oracle Enterprise Pack for Eclipse
*  AMX - ADF Mobile XML

Saturday, July 5, 2014

Allowing unauthenticated access to Webcenter Content/UCM public documents via OAM SSO

Recently we had a requirement at a client that public documents in UCM be accessible via the SSO URL (using the OHS port) without the user being challenged for credentials.

Sounds pretty straightforward, right? After all, using the Content Server's default managed server port of 16200, those documents don't prompt for user credentials anyway.
Well, it wasn't that simple! It took us (myself, Sachin Saxena et al.) a few days to figure this out exactly, and now we have Oracle's stamp on it as well!
The following are examples of documents that needed to be publicly accessible:
1) http://<host>:7778/cs/idcplg?idcService=GET_FILE&dID=1445&dDocName=DEV_COMPLOGO_31364&allowInterrupt=1
(Accessing the public document 'DEV_COMPLOGO_31364', which has the Public security group, via IdcService)
2) http://<host>:7778/cs/groups/public/documents/digitalmedia/b2dv/xzmx/~edisp/dev_complogo_31364.jpg
(This has a definite URL pattern of /cs/groups/public)
3) This general service/document search page also needs to open without authentication:
http://<host>:7778/cs/idcplg?IdcService=GET_DOC_PAGE

**Oracle Access Manager (OAM) protects URLs and definite URL parameters; it cannot go inside an end-user application and check the security assigned to a resource to decide whether to challenge for credentials.
(In this case, for example, it cannot check the authorization/security group of the file DEV_COMPLOGO_31364 behind the IdcService URL)**

Hence we have only three options here -
1) Mark the URL pattern /cs/groups/public as unprotected in the OAM application domain, so the user is not challenged when using pattern 2 above.
2) Create a mapping folder pattern in UCM, like a pretty URL, to access even WebDAV content.
3) Configure the IdcService URL pattern as public in OAM (something like http://oamserver.com/cs/idcplg as the URL with query parameter IdcService=GET_FILE). But by exposing that, people can still construct the URL of a private document if they know its dID and bypass OAM, as the pattern is public. Once they reach UCM, however, UCM security denies access because they are not authenticated or lack the required permissions. [Courtesy: Shidharth Mishra]

References
1)Oracle SR [Closed]            2) Forums

Tuesday, July 1, 2014

Database Security - Enterprise User Security (EUS)

About Enterprise User Security (EUS)
  • Enterprise User Security (EUS) is a way of integrating Oracle Database with an LDAP-compliant directory server such as Oracle Internet Directory (OID) or Microsoft AD,
    so that database users, passwords and roles can be centrally managed in the LDAP directory server.
  • Belongs to the Database Security category of the IdM stack.
Advantages 
  • Offers low cost and centralized authentication.
  • Increases security and compliance.
  • No data migration needed; clients continue to use existing directories.
Architecture
  • Oracle Virtual Directory (OVD) has an EUS adapter and EUS plug-ins out of the box.
  • The LDAP directory (OID, AD, Novell eDirectory or Sun DSEE) needs to be set up for EUS.
  • The Oracle database(s) need to be EUS-enabled using the NETCA and DBCA utilities.
  • The database(s) can then be logged into using centralized EUS users.
  • Kerberos authentication can be enabled for native authentication from SQL clients like SQL*Plus and SQL Developer.
Useful Resources 
  1. EUS DataSheet with Architecture
  2. Enterprise User Security Guide
  3. Integrating Enterprise Security with AD
  4. Oracle Whitepaper
  5. Atul Kumar’s Blog
  6. How To Configure EUS with OVD 11.1.1.6 and Active Directory - AD (Doc ID 1449132.1)
  7. Expected Issues - How To Avoid Extending The Active Directory Schema With extendAD For OVD-OID-AD-EUS 11g Integration? (Doc ID 1159337.1)

Monday, June 9, 2014

Impersonation feature for WebCenter Spaces 11.1.1.8 with Oracle Access Manager (OAM) 11gR2

What is Impersonation ? 
WebCenter Portal Impersonation lets a WebCenter Portal administrator or system administrator assign impersonation rights to a group of users ("impersonators"), such as support representatives or application administrators, so that they can impersonate another Portal user and perform operations as that user ("impersonatees"). This may be useful in the following instances:
  • A customer support representative may want to perform actions as another user in order to understand the issues being faced by that user
  • An administrator may want to perform operations on behalf of a user
  • A company executive may need to delegate someone to act on his or her behalf while away. (Source : Oracle Documentation)





Pre-requisites
1) WebCenter Spaces 11.1.1.8 +
2) Oracle Access Manager(OAM) 11.1.2 (11gR2+)
3) Setup is needed in OAM, in the WebCenter Spaces application using EM, and in Oracle Internet Directory (OID) for the users (OID 11.1.1.7+)

Key Advantages -
1) The feature just needs to be configured as mentioned above. The effort is markedly less than implementing this feature in a custom manner using ADF/web technologies.
2) Once configured along with OAM, the feature can be monitored from OAM.
3) Out-of-the-box UIs are available and supported by Oracle, so the solution is standardized.
4) Being a very common use case, the feature can be used to sell OAM, and the security team has the expertise to implement it within a couple of weeks.

Note 
  • After weeks of ado, I have got this up and running in our environments for WebCenter Spaces 11.1.1.8, Oracle's new way of developing WebCenter Portal applications.
  • But for a custom Portal application in 11.1.1.8, although the security task flows for Impersonation are available in JDeveloper, Impersonation is not currently supported (Doc ID 1606526.1). I have an ER open with Oracle [BUG 18882638 - ENABLE IMPERSONATION FOR WEBCENTER CUSTOM FRAMEWORK APS].

Walkthrough of this new and exciting feature via screenshots - 
1) Screen in WC Spaces / custom Portal security task flow to select impersonators. (Validation that rejects users who have not been set up as impersonators is available out of the box.)




2) Search Impersonators screen .
Only those users who have been granted Impersonator access in OID can be searched here.






3) Selected impersonator, who can be given access rights for a time duration.




4) Once the Switch User link is clicked (as in the second image above) after logging in with the impersonator's credentials, the impersonator is asked to enter their own credentials, as shown below.

5) Once logged in, the impersonation session is in progress. Remember, the impersonatee's credentials were not used at all!
Click on Stop Impersonation to return to the impersonator's home page.
6) Cool feature! Monitor the impersonation session as an admin in the OAM Console, as below

Reference