7-18 Oracle Fusion Middleware Integration Guide for Oracle Access Manager
6. On the Authentication Policy page, select LDAPScheme in the Authentication Scheme field.
7. Add IAMSuiteAgent:oamTAPAuthentication as a resource.
8. Click Apply.
7.14 Troubleshooting Tips
This section provides additional troubleshooting and configuration tips for the integration of Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager.
■ Policies and Challenge Questions
■ Cookie Domain Definition
■ In the OAM and OAAM Integration TAP Could Not Modify User Attribute
■ TAP: setupOAMTapIntegration Script Does Not Provide Exit Status Message
7.14.1 Policies and Challenge Questions
You may encounter a non-working URL if policies and challenge questions are not available as expected in your Oracle Adaptive Access Manager environment. For example, the Forgot Password page fails to come up and you are redirected back to the login page.
To ensure correct operation, make sure that the default base policies and challenge questions shipped with Oracle Adaptive Access Manager have been imported into your system. For details, see Setting Up the Oracle Adaptive Access Manager Environment in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
7.14.2 Cookie Domain Definition
An incorrect value for the cookie domain in your configuration can result in login failure. For correct WebGate operation, ensure that the property oaam.uio.oam.obsso_cookie_domain is set to match the corresponding cookie domain value in Oracle Access Manager; for example, .us.oracle.com.
7.14.3 In the OAM and OAAM Integration TAP Could Not Modify User Attribute
In integration scenarios with multiple identity stores, the user identity store that is set as the Default Store is used for authentication and assertion. If you change the Default Store to point to a different store, ensure that the TAPScheme also points to the same store.
For the OAM-OAAM TAP integration, the assertion for the TAPScheme Authentication Scheme is made against the Default Store. In this case the back-end channel authentication made through the LDAP module uses a specific user identity store, for example OID. When the username is returned to Oracle Access Manager, the assertion occurs against the Default Store, not against the OID instance that was used for the authentication.
Note: For Session Impersonation, the Oracle Internet Directory
instance that is used for the user and grants must be the Default Store.
Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager 7-19
If you change the Default Store, ensure that the TAPScheme also points to the same store. Otherwise, authentication can succeed but the final redirect can fail with the following errors:
Module oracle.oam.user.identity.provider Message Principal object is not serializable; getGroups call will result in an extra LDAP call
Module oracle.oam.engine.authn Message Cannot assert the username from DAP token
Module oracle.oam.user.identity.provider Message Could not modify user attribute for user : cn, attribute : userRuleAdmin, value : {2} .
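As an added example that is not part of this guide, the following Python script applies the checks from 7.14.2 and 7.14.3 to constructed configuration values and log lines: it verifies that oaam.uio.oam.obsso_cookie_domain matches the Oracle Access Manager cookie domain and covers the OAM host, verifies that the TAPScheme store is the Default Store, and flags the error messages quoted above in a log excerpt. The host name, store names, and the log excerpt are hypothetical; only the property name and the message texts come from this section.

```python
# Constructed sample configuration values (hypothetical, not from a real deployment).
OAAM_PROPS = {"oaam.uio.oam.obsso_cookie_domain": ".us.oracle.com"}
OAM_COOKIE_DOMAIN = ".US.Oracle.com"      # same domain as OAAM, different case
OAM_LOGIN_HOST = "sso.us.oracle.com"      # hypothetical OAM server host
DEFAULT_STORE = "OID_Store"               # hypothetical identity store names
TAPSCHEME_STORE = "OUD_Store"             # deliberately mismatched for the demo
# Constructed log lines echoing the messages quoted in 7.14.3.
SAMPLE_LOG = """\
Module oracle.oam.engine.authn Message Cannot assert the username from DAP token
Module oracle.oam.user.identity.provider Message Could not modify user attribute for user : cn, attribute : userRuleAdmin, value : {2} .
Module oracle.oam.engine.authn Message Authentication succeeded
"""
STORE_MISMATCH_MESSAGES = ("Cannot assert the username from DAP token", "Could not modify user attribute for user")
def normalize_cookie_domain(d):
    """Cookie domains compare case-insensitively; a leading dot is conventional."""
    d = d.strip().lower()
    return d if d.startswith(".") else "." + d

def host_in_cookie_domain(host, domain):
    """True if a cookie scoped to `domain` would be sent to `host` (RFC 6265 domain-match)."""
    host = host.lower().rstrip(".")
    domain = normalize_cookie_domain(domain)
    return host == domain.lstrip(".") or host.endswith(domain)

def check_cookie_domain(oaam_props, oam_domain, login_host):
    """7.14.2: OAAM's obsso cookie domain must equal OAM's and must cover the OAM host."""
    oaam_domain = oaam_props.get("oaam.uio.oam.obsso_cookie_domain", "")
    problems = []
    if not oaam_domain:
        problems.append("oaam.uio.oam.obsso_cookie_domain is not set")
    elif normalize_cookie_domain(oaam_domain) != normalize_cookie_domain(oam_domain):
        problems.append(f"cookie domain mismatch: OAAM={oaam_domain!r} OAM={oam_domain!r}")
    if not host_in_cookie_domain(login_host, oam_domain):
        problems.append(f"OAM host {login_host!r} is outside cookie domain {oam_domain!r}")
    return problems

def check_tap_store(default_store, tapscheme_store):
    """7.14.3: the TAPScheme must point at the store that is the Default Store."""
    if default_store != tapscheme_store:
        return [f"TAPScheme store {tapscheme_store!r} differs from Default Store {default_store!r}"]
    return []

def scan_log(text):
    """Return log lines carrying a symptom of the Default Store mismatch from 7.14.3."""
    return [line for line in text.splitlines()
            if any(msg in line for msg in STORE_MISMATCH_MESSAGES)]

if __name__ == "__main__":
    print(check_cookie_domain(OAAM_PROPS, OAM_COOKIE_DOMAIN, OAM_LOGIN_HOST),
          check_tap_store(DEFAULT_STORE, TAPSCHEME_STORE), scan_log(SAMPLE_LOG), sep="\n")
```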
7.14.4 TAP: setupOAMTapIntegration Script Does Not Provide Exit Status Message