Friday, May 21, 2010

Some Problems Related to ESSO

How To Integrate Oracle Enterprise Single Sign-On (ESSO) Password Reset With Oracle Identity Manager (OIM)?

Applies to Oracle Identity Manager version 9.1.0.2 and Oracle Enterprise Single Sign-On Suite version 10.1.4.1 and later.

There are two ways to do this:

Approach #1: Point ESSO Password Reset to the Forgot Password page in the out-of-the-box OIM web interface. This works, but has some rough edges.

Approach #2: Build your own custom forgot password page which calls the OIM APIs. This gives a higher quality integration with ESSO Password Reset.

Approach #1 - Using the out-of-the-box forgot your password page

1. Create a status HTML page on a web server, called e.g. StatusURL.html. Use the following as the page contents:

    <HTML>
    <HEAD>
    <TITLE>CHECKSTATUS</TITLE>
    </HEAD>
    <BODY>
    GOOD SSPR STATUS
    </BODY>
    </HTML>

   Configure the StatusURL in your ESSO-PR configuration to point to the URL of this page.

2. Create a redirect HTML page on a web server, called e.g. ResetURL.html. Use the following contents:

    <html>
    <head>
    <title>Password Reset Page</title>
    <script>location.replace('http://host:port/xlWebApp/forgetPassword.do?method=displayVerifyUserId');</script>
    </head>
    <body>
    If you are not redirected, please click <a href='http://host:port/xlWebApp/forgetPassword.do?method=displayVerifyUserId'>here</a>.
    </body>
    </html>

   Replace host and port in the above with the correct host and port of the OIM server.
   Configure the ResetURL in your ESSO-PR configuration to point to the URL of this page.
The redirect page (step 2) is necessary because the OIM forgot password page http://host:port/xlWebApp/forgetPassword.do?method=displayVerifyUserId cannot be used directly as the ResetURL. ESSO-PR appends something similar to the following to the end of the ResetURL:

    ?GINA=Yes&User=Administrator&Domain=TESTDOMAIN&Lang=en-us

which makes the resulting request:

    GET /xlWebApp/forgetPassword.do?method=displayVerifyUserId?GINA=Yes&User=Administrator&Domain=TESTDOMAIN&Lang=en-us

Only the first "?" separates the path from the query string, so OIM receives a method parameter whose value is "displayVerifyUserId?GINA=Yes". OIM does not recognise that value, and the OIM web interface returns an error.

The redirect HTML page therefore strips the additional parameters passed by ESSO (which OIM does not know how to use anyway). The redirect is based on JavaScript, with an HTML link as a fallback in case the JavaScript redirect fails for any reason. Note that the User and Domain values still travel in the URL to the web server hosting ResetURL.html, where they will normally end up in its access logs, so serve that page over HTTPS and treat its logs as sensitive.

Limitations of approach #1

There are a number of rough edges in the user experience that result from this approach:

• you probably don't want the links along the side of the screen for "Create Request" / "Track Request"
• the "Cancel" button sends you to the OIM login page (instead of closing the window)
• upon successful reset there is a link to the OIM login page, rather than closing the window to show the Windows logon again
• OIM does not know how to use the User, Domain and Lang parameters passed by ESSO-PR, so it must, for example, ask for the username a second time even though it was already provided, and cannot pick the language based on the one chosen at the Windows logon

The second approach, a custom web application calling the OIM APIs, is the only way to overcome these limitations.

Approach #2 - Custom page calling OIM APIs

The particular APIs you need to use are on tcUtilityFactory:
• getChallengeValuesForUser(): retrieves the given user's secret questions
• resetForgottenPassword(): supplies the secret question answers to reset the user's password

Both take an "env" argument, which is the same hash table you normally supply when instantiating a tcUtilityFactory. You will find them documented in the directory documentation/SDK/javadocs/api/index.html of the OIM installation media.
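As an added example (not Oracle's code and not part of the original post), here is the server-side core of such a custom page in Java. It assumes the two tcUtilityFactory methods have the shape the OIM 9.1 SDK javadoc gives them: the env Hashtable first, then the login, and for resetForgottenPassword a Map of question text to answer followed by the new password. The class name, the helper names, the query-parsing helper and the way the question column is located are this example's own choices, not anything the page specifies; confirm the result-set column name against your OIM before relying on it.

```java
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;

/**
 * Server-side logic for a custom ESSO-PR reset page (added example, not Oracle's code).
 *
 * ESSO-PR opens the ResetURL with "?GINA=Yes&User=<login>&Domain=<domain>&Lang=<locale>"
 * appended. Because this page owns the ResetURL it can take the login and locale from that
 * query instead of asking again, fetch the user's challenge questions, and after the user
 * answers call resetForgottenPassword(). "env" is the same Hashtable normally passed when
 * constructing a tcUtilityFactory.
 */
public class EssoPasswordReset {

    // Query keys ESSO-PR appends, as shown in the request in this article.
    static final String USER_PARAM = "User";
    static final String DOMAIN_PARAM = "Domain";
    static final String LANG_PARAM = "Lang";

    /**
     * Parses the query string ESSO-PR appends. Splitting on '?' as well as '&' also copes
     * with the malformed "method=x?GINA=Yes&User=..." form that arises when the ResetURL
     * already carries a query (the failure behind the redirect-page workaround), instead
     * of swallowing the ESSO keys into the first parameter's value.
     */
    static Map<String, String> parseEssoQuery(String rawQuery) throws Exception {
        Map<String, String> params = new LinkedHashMap<String, String>();
        if (rawQuery == null) {
            return params;
        }
        for (String pair : rawQuery.split("[?&]")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) {
                continue; // no key: ignore
            }
            params.put(URLDecoder.decode(pair.substring(0, eq), "UTF-8"),
                       URLDecoder.decode(pair.substring(eq + 1), "UTF-8"));
        }
        return params;
    }

    /** Maps the ESSO "Lang" value (e.g. "en-us") to a Locale for rendering the page. */
    static Locale localeFromEsso(String lang) {
        if (lang == null || lang.trim().isEmpty()) {
            return Locale.getDefault();
        }
        return Locale.forLanguageTag(lang.trim()); // "en-us" -> en_US
    }

    /**
     * Returns the user's challenge questions in the order OIM returns them. The article
     * does not name the result-set column holding the question text, so it is located by
     * name (assumption: the only column whose name contains "question").
     */
    static List<String> challengeQuestions(Hashtable env, String userId) throws Exception {
        tcResultSet rs = tcUtilityFactory.getChallengeValuesForUser(env, userId);
        String questionColumn = null;
        for (String col : rs.getColumnNames()) {
            if (col.toLowerCase(Locale.ENGLISH).contains("question")) {
                questionColumn = col;
                break;
            }
        }
        if (questionColumn == null) {
            throw new IllegalStateException("no question column among "
                    + Arrays.toString(rs.getColumnNames()));
        }
        List<String> questions = new ArrayList<String>();
        for (int i = 0; i < rs.getRowCount(); i++) {
            rs.goToRow(i);
            questions.add(rs.getStringValue(questionColumn));
        }
        return questions;
    }

    /**
     * Submits the answers and the new password. quesAns maps question text to the answer
     * the user typed; OIM checks the answers and applies its password policy. Whatever
     * fails, the browser gets the same generic result: "User" and "GINA=Yes" come from the
     * URL, so any client can send them, and the page must not reveal whether a login
     * exists or which answer was wrong. The detail is logged server-side only.
     */
    static boolean resetWithAnswers(Hashtable env, String userId,
                                    Map<String, String> quesAns, String newPassword) {
        try {
            tcUtilityFactory.resetForgottenPassword(env, userId, quesAns, newPassword);
            return true;
        } catch (Exception e) {
            System.err.println("reset failed for " + userId + ": " + e.getClass().getName());
            return false;
        }
    }
}
```

Wire parseEssoQuery to the request's raw query string, render challengeQuestions in the locale from localeFromEsso, and on submit call resetWithAnswers, then close the window (or show a "you may now log on to Windows" page) instead of linking to the OIM login page. Serve the page over HTTPS, since the login and domain travel in the URL, and make sure repeated wrong answers are throttled or locked out (by OIM's settings or by the page itself): the username is known to anyone who can reach the URL, so the challenge answers are the only thing standing between a request and a reset.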