Oracle Access Manager (OAM) 11g R2 PS3 Impersonation Demo
Prerequisites:
- An OAM 11g R2 PS3 environment up and running, with OUD as the user store and a sample resource called “spokuri.html” protected by the LDAPScheme authentication scheme
- Impersonation enabled in OAM, and the OAM impersonation LDAP schema extension loaded into the OUD directory server
- User “kpokuri” (the impersonatee) created in OUD with the “orclIDXPerson” object class
- User “spokuri” (the impersonator) created in OUD
- The attribute “orclImpersonationGrantee” added to “kpokuri” with the value “8c69d7465afc406a947669204ad88ecf|20100324163000Z|20180524172000Z”
Description: the orclImpersonationGrantee value has three parameters separated by the pipe character “|”:
1. The impersonator's orclguid. In this case, it is the orclguid of user “spokuri”.
2. Impersonation start date (UTC, in the YYYYMMDDHHMMSSZ form shown above)
3. Impersonation end date (same format). Outside this window the grant is not valid, so check the dates first when impersonation fails.
Demo Video:
Test Case:
- Access the LDAPScheme-protected resource http://pokuri.demo.com:7777/spokuri.html
- Enter the impersonator's credentials: spokuri/<<password>>
- Open a new tab and access http://pokuri.demo.com:14100/oam/server/impersonate/start?userid=kpokuri&success_url=http://pokuri.demo.com:7777/kpokuri.html&failure_url=http://pokuri.demo.com:7777/error.html
- When prompted, enter the impersonator's password again
- Upon successful impersonation of user “kpokuri”, a new OAM session is created for user “kpokuri”.
- Check the “kpokuri” session in the OAM Admin Console under Session Management and notice that the Impersonation field is “true”.
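The two things most likely to go wrong in the steps above are a malformed or expired orclImpersonationGrantee value and a mistyped impersonate/start URL. The script below is an added example (my own helper code, not part of Oracle's product or its documentation) that checks a grant value against the three-field format described above and builds the start URL with the redirect targets URL-encoded. It assumes the orclguid is 32 hex characters, as in the sample values in this post; the GUID, timestamps and host names are constructed from the demo and are not real directory data. It only mirrors the format shown here; how OAM itself evaluates the window is not described on this page.

```python
from datetime import datetime, timezone
from typing import Optional, Union
from urllib.parse import urlencode

# Constructed sample values modelled on the demo (not real directory data).
GRANTEE_VALUE = "8c69d7465afc406a947669204ad88ecf|20100324163000Z|20180524172000Z"
IMPERSONATOR_GUID = "8c69d7465afc406a947669204ad88ecf"  # spokuri's orclguid in the demo
HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_timestamp(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ timestamps used in the attribute as UTC datetimes."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"timestamp must be YYYYMMDDHHMMSSZ, got {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_grant(value: str) -> dict:
    """Split one orclImpersonationGrantee value into its three pipe-separated parts.

    Assumption: the orclguid is 32 hex characters, as in the post's sample values.
    """
    parts = value.split("|")
    if len(parts) != 3:
        raise ValueError(f"expected 3 pipe-separated fields, got {len(parts)}")
    guid, start, end = parts
    if len(guid) != 32 or any(c not in HEX_DIGITS for c in guid):
        raise ValueError(f"impersonator orclguid is not 32 hex characters: {guid!r}")
    start_dt, end_dt = parse_timestamp(start), parse_timestamp(end)
    if end_dt <= start_dt:
        raise ValueError("impersonation end date must be after the start date")
    return {"impersonator_guid": guid.lower(), "start": start_dt, "end": end_dt}


def grant_error(value: str) -> Optional[str]:
    """Return a human-readable problem with the value, or None if it parses cleanly."""
    try:
        parse_grant(value)
    except ValueError as exc:
        return str(exc)
    return None


def is_grant_active(value: str, impersonator_guid: str,
                    now: Union[datetime, str, None] = None) -> bool:
    """True if `impersonator_guid` may impersonate the grantee at `now`.

    `now` may be a timezone-aware datetime, a YYYYMMDDHHMMSSZ string (handy for
    replaying a fixed instant), or None for the current UTC time.
    """
    grant = parse_grant(value)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_timestamp(now)
    return (grant["impersonator_guid"] == impersonator_guid.lower()
            and grant["start"] <= now <= grant["end"])


def build_impersonate_start_url(oam_server: str, userid: str,
                                success_url: str, failure_url: str) -> str:
    """Build the /oam/server/impersonate/start URL used in the test case,
    with the success/failure redirect targets properly URL-encoded."""
    query = urlencode({"userid": userid,
                       "success_url": success_url,
                       "failure_url": failure_url})
    return f"http://{oam_server}/oam/server/impersonate/start?{query}"


if __name__ == "__main__":
    # An expired window is the first thing to rule out when a grant "silently" fails.
    print("grant active on 2015-01-01:",
          is_grant_active(GRANTEE_VALUE, IMPERSONATOR_GUID, "20150101000000Z"))
    print("grant active right now:", is_grant_active(GRANTEE_VALUE, IMPERSONATOR_GUID))
    print(build_impersonate_start_url("pokuri.demo.com:14100", "kpokuri",
                                      "http://pokuri.demo.com:7777/kpokuri.html",
                                      "http://pokuri.demo.com:7777/error.html"))
```

Run it against the value you actually stored in OUD (ldapsearch the impersonatee's orclImpersonationGrantee and the impersonator's orclguid) before debugging anything in OAM itself: a swapped GUID, a window that has not started yet, or a trailing space in the value will all make the start request fall through to the failure_url without an obvious error.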
Hope this helps someone out there!!
-- Siva Pokuri.
Thanks, this was helpful. Do you know if there is a way to skip the requirement to enter your password when starting an impersonation session?
Hi Siva.
I tried to perform your impersonation example, but I can't get the impersonation to work.
I have OAM 11.1.2.3 with an OHS 11g.
I have test2 and test3 users in an OUD instance. The user test3 has the attribute "orclImpersonationGrantee" with the value "651aa626a3444a8999062e58c79a99d3|20170724163000Z|20180524172000Z", where "651aa626a3444a8999062e58c79a99d3" is the orclGUID of the test2 user.
I have another WLS instance with a test static pages deployed: app01.html, app02.html and apperror.html.
app01 and app02 are protected in OAM and apperror is an excluded resource.
I tried to access app01 (http://mydomain:7778/app01/app01.html), and OHS redirected to OAM. Then I entered the credentials of the test2 user and got the static page app01. At this point all is fine.
Now I tried to access http://mydomain:14100/oam/server/impersonate/start?userid=test3&success_url=http://mydomain:7778/app02/app02.html&failure_url=http://mydomain:7778/apperror/error.html.
Then the "impconsent.jsp" is never displayed and the request is redirected to http://mydomain:7778/apperror/error.html. No error is displayed in the log files. Can you help me?
Hello David,
I got the same issue as you have. Did you find any solution?