HI + IM = Nulli

Nulli experts share their Human Information + Identity Management knowledge

Forget Your Passwords

Have you ever forgotten a password?  Maybe it's time to finally forget our passwords for good.......

Conversion of Access Policies from OAM to OpenAM

This post introduces a tool we recently developed to aid the transition from Oracle Access Manager (OAM) to OpenAM, an access management solution by ForgeRock. Specifically, the tool converts access policies from an OAM instance and translates it to XACML, a standard based policy language supported by OpenAM.

 

OAM 11gR2 Authentication via Apache HTTP Client

Problem: We want to use an HTTP Client to authenticate against OAM 11g, so that a service account can make RESTful calls to an OAM-protected service. However, we are new to the concept of the DCC (detached credential collector), and cannot craft our HTTP Client for OAM 11g and its DCC Webgate in the same way that we could for OAM 10g.

Common REST and ForgeRock: Architecture Deployment Considerations

The following report has been prepared by Nulli - Identity Solution Architects for use by our peers, customers, partners and Identity and Access Management teams interested in learning more about deploying the ForgeRock Identity Relationship Management stack with the REST API.

How do I manage the volume of Role Request emails in OIM 11g R2?

Oracle Identity Manager - OIM 11g R2 introduced a new feature called "Catalog" that provides users of OIM the opportunity to request roles.  An user of an Organization can search or request roles using a traditional shopping cart type of process.  The process provides an option to generate emails used to notify the requesting user of the progress or stage of his/ her Role Request.  The Role Request might require multiple approvals and thus the request would generate many emails being sent at each stage of the approval process.  The Out of the Box (OOTB) Role Request workflow could have up to nine emails sent during the OIM Role Approval process.  If the Role Request is denied then the process could generate five to eight emails that would be sent to the requesting user.  This might be a useful feature for some customers but it could be a nuisance for others who would find the volume of email to be annoying and might desire to have at most two emails for either Role Approval or Role Rejection.

This post describes a way to limit the number of emails generated to two, one when the initial Role Request is made and one when a final decision (either Approve or Reject) is made.

OIM Issues after installing ORACLE IDENTITY MANAGEMENT SUITE BUNDLE PATCH 11.1.2.0.2 (BP02)

After installing Patch 14760806 also called ORACLE IDENTITY MANAGEMENT SUITE BUNDLE PATCH 11.1.2.0.2 (BP02),  to fix a few existing issues with OIM 11.1.2.0.1, we saw "access denied" issues while accessing OIM Identity Console as an "End User".   "System Administrator" users could access the console with out any issues.  The reason for this is that an OOTB Authorization plugin that allows an "End User" to access his/ her profile is not applied after applying the patch and it has to be manually deployed.  The same plugin is also responsible for allowing a user to request roles using Catalog tool.  This post describes the error messages displayed, the worked around (suggested by Oracle) and a few missing instructions in Oracle documentation for the plugin deployment.

Oracle Identity Management 11gR2 Enterprise Deployment

Oracle has just released an updated version of its Identity Management 11.1.2 Enterprise Deployment Blueprint and I must say, this is tremendous effort from Oracle to fill in some of the gaps in its documentation.  It is nice to have a single place to go to for the steps that are required for setting up OAM and OIM to work together in a clustered, highly available design.

Properties file dbimp.properties does not have correct key-value format.

While trying to create a DIP (11.1.1.2) profile for Database Import using manageSyncProfiles command from ../Oracle_IDM1/bin,  I was getting the following error.  

[oracle@somehost bin]$ ./manageSyncProfiles register -h localhost -p 7005 -D weblogic -f dbimp.properties
Properties file dbimp.properties does not have correct key-value format.

Oracle Waveset 8.1.1.6

Oracle Waveset 8.1.1 Patch 6 is available for download

Nulli Speaking at COUG - Dec 15th, 2011

Trevor Roskewich, Senior Identity Consultat at Nulli will be presenting to the Calgary Oracle User Group (COUG) at the Suncor Energy Centre at 8:00 AM on December 15, 2011.   His presentation, co-produced with Lisa Gryschuk, Senior Human Information Consultant at Nulli, addresses the critical business integration between Human Capital Management and Identity Management.

This Ain’t Your Grandma’s HCM:  Identity for the Enterprise

Aside from the wonderful grammar, this 11:15 AM session being held at Western Canada Regional User Group (WCRUG) in Vancouver, BC on November 10, 2011 will be of interest to everyone in the enterprise.

Human Capital Management (HCM), also known as Human Resources (HR), is a critical application forming the foundation of every business’ success. Knowing who your people are and what role they play along with associated cost/benefit metrics is what HCM/HR applications are best at performing.  Nulli believes this Human Information (HI) is central to the success of many applications.  High quality Human Information is a key requirement for reliable security and identity processes as well as for HCM.

PeopleTools 8.51 SSO using Oracle Access Manager 11g (11.1.1.3)

For many years, Oracle has provided a well documented OAM SSO solution for PeopleSoft using typical header variable integration. However, PeopleBooks for PeopleTools 8.51 has become so, shall we say, refined, it's now harder to acheive success with such time-tested integration steps.

Unable to open wallet error while bringing up OVD11g

OVD 11g installed on Windows 2008 workstation fails to start with the following diagnostic log error:

Good ol’  Oblix schema alive and well in OAM11g

While preparing to install OAM 11g, some of us were curious whether all the "ob..." attributes would remain intact or if they would be renamed with, for instance, an "orcl..." prefix. It struck one of my colleagues that the "ob" attributes would survive, if only to facilitate a workable upgrade path or to ease product development.

Enterprise Manager (EM) Console 11g shows OID is down

The Oracle Enterprise Manager Fusion Middleware Control 11g shows OID is down even though opmnctl shows OID is up.

ForgeRock OpenICF Community Launch - Identity Connector Framework (ICF)

ForgeRock, the open source Identity-Oriented middleware company, has joined a global community to launch a new open source project today.   The OpenICF, Identity Connector Framework (ICF) community will provide a home for the development of multi-purpose connectors used by identity providers such as ForgeRock's OpenIDM, Oracle Waveset (formerly Sun Identity Manager) and other governance and compliance software.

Oracle Specialized Gold Partner - Security and Identity

Oracle has designated Nulli as an Oracle Gold Partner in the Oracle PartnerNetwork Specialized Program. Nulli having achieved Pillar Partner - Security and Identity status is now being recognized as a Gold Specialized partner for our implementation services excellence for the Oracle Access Manager, Identity Manager, Internet Directory, Virtual Directory and the Oracle suite of identity products including the Oracle Entitlement Server.

VDE Shadow Object LDIF

If you are using the OVD Shadow Joiner feature then you will need to add the vdeShadowObject object class to the directory hosting the shadow objects. Here is a little LDIF file for just such a need...