Friday 5 September 2014

Setting up Oracle Access Portal Service

While setting up Oracle Access Portal Service I ran into some issues, and came up with the following workarounds.

Issue #1 – Configuring Web Application Templates

Although it is not very clear, the documentation states that one must use the ESSO LM Administration Console to configure web application templates and then either publish them directly to the LDAP repository, or export them from the ESSO LM Admin Console and import them through the OAM Administration Console.

Neither of these methods works! Once the application is published to LDAP and you open it from the OAM Admin Console, the application is listed, but trying to access it gives you nothing but ADF exceptions. As for the export/import method, when you try to import the file from the OAM Admin Console nothing happens, not even an ADF exception.

Given this, the way to configure applications is to use the ESSO LM Admin Console to configure a web application, then create a new application in the OAM Admin Console, replicating the application settings defined in the ESSO LM Admin Console.

Issue #2 – Oracle Traffic Director Webgate

Oracle Access Portal Service works by injecting a JavaScript resource (columbiaWeb.js) into HTML pages, which then calls methods located under /idaas.
The requests made by columbiaWeb.js to the /idaas resources came back with HTTP error 405 (Method Not Allowed). The HTTP method used to request these resources is GET, and the response included an Allow list containing every HTTP method except GET.

While investigating this issue I found that the Webgate has some hard-coded directives regarding /idaas.
I noticed this by running the command: strings /WebGate_HOME/webgate/iplanet/lib/esso_webproxy.so | grep idaas
This command yields the following output:
/idaas/am/esso/v1/userwallet/credentials?ESSO_Payload_Request=
/idaas/am/esso/v1/app/policies?ESSO_Payload_Request=
/idaas/am/esso/v1/userwallet/credentials

I tried many different approaches to solve this issue with the OTD Webgate, including commenting out the entry in the Oracle Traffic Director instance's instance-obj.conf configuration file that pointed to the /idaas resource and fetching the resource from the OAM Server by other means, but was unsuccessful.

Eventually the solution I came up with was to use Apache HTTP Server instead of Oracle Traffic Director.

I installed and configured mod_weblogic in Apache so that I could map /idaas resources to the OAM Server, then copied OTD's columbiaWeb.js to the Apache Webgate folder /Webgate_HOME/webgate/apache/oamsso/global/.

I added the following entries to Apache's configuration files, where needed, to inject columbiaWeb.js:

AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|</head>|<script type='text/javascript' id='OracleSSOProxy' essoLoggingLevel='0' src='/oamsso/columbiaWeb.js' oam_partner='Webgate_IDM_11g' essobasepath='http://oap.oam.demo' essoProxyType='DNS' essoConsoleLoggingLevel='0'></script></head>|i"

I added this entry to webgate.conf:

<LocationMatch "/idaas/*">
Satisfy any
</LocationMatch>

This last entry unprotects the /idaas resource. Not doing so results in an empty JSON response and the following entry in the OAM server log: <ESSOTokenManager object is null. Session could not created and hence use-case can not move ahead. Returning the empty response back.>
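One thing worth checking before adding that Satisfy any exception: LocationMatch treats its argument as a regular expression and tests it unanchored against the request path, so "/idaas/*" covers any path that merely contains "/idaas". The JavaScript below is an added example, not part of the original post or of any Oracle product, that models this matching over constructed sample paths and contrasts the posted pattern with one anchored to the start of the path.

```javascript
// Added example, not from the original post: models how Apache applies a
// LocationMatch pattern (regex search against the request path, unanchored),
// so "/idaas/*" means "/idaas" followed by zero or more slashes, anywhere in
// the path. All request paths below are constructed for illustration.

// Emulates LocationMatch evaluation: a regex search, not a prefix compare.
function locationMatches(pattern, path) {
  return new RegExp(pattern).test(path);
}

// Returns the request paths that fall under at least one of the given
// LocationMatch patterns, i.e. the paths a "Satisfy any" exception covers.
function pathsCoveredBy(patterns, paths) {
  return paths.filter(function (p) {
    return patterns.some(function (pat) { return locationMatches(pat, p); });
  });
}

// Constructed request paths: the two ESSO endpoints seen in the Webgate
// library, the injected script, and two unrelated application paths.
var samplePaths = [
  "/idaas/am/esso/v1/userwallet/credentials",
  "/idaas/am/esso/v1/app/policies",
  "/oamsso/columbiaWeb.js",
  "/app/idaas-report",   // constructed: merely contains "/idaas"
  "/app/secure/data"
];

// The pattern as used in webgate.conf above, versus one anchored to the
// path start so that only the real /idaas/ tree is exempted.
var coveredAsPosted = pathsCoveredBy(["/idaas/*"], samplePaths);
var coveredAnchored = pathsCoveredBy(["^/idaas/"], samplePaths);

console.log("covered by /idaas/* :", coveredAsPosted);
console.log("covered by ^/idaas/ :", coveredAnchored);
```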

Issue #3 – Dealing With Iframes

While configuring Gmail I realized that columbiaWeb.js was not handling iframes correctly, so I created a new JavaScript file based on columbiaWeb.js and, after this block:

        var validFrames = this.getFrames();
        if (validFrames[0] === null) {
            if (global.oracleESSO.globals.logger.enabled(5)) global.oracleESSO.globals.logger.debug("matchTemplates end; No valid frames.");
            return 0;
        }

I added this piece of code so that it ignores iframes:

        // Keep only the top-level window; every iframe is dropped.
        // (Builds a dense array rather than leaving holes at iframe indexes.)
        var validFramesTmp = [];
        for (var i = 0; i < validFrames.length; i++) {
            if (validFrames[i] === window) {
                validFramesTmp.push(validFrames[i]);
            }
        }
        validFrames = validFramesTmp;

I put this in a separate JavaScript file because I don't know the impact of this workaround on other configurations.

Unsolved Issues

While adding other forms to the configuration, for example a password change form, I get the following JavaScript error on every form: global.oracleESSO.templateData.templates[matchedSections[0][prop].ParentKey1] is undefined
The fields get highlighted, but no credentials are inserted. Hopefully this and other issues will be fixed in a future release.