OAM 10g: Webgate - Credential Mapping In Form Based Authentication Can't Search Strings Including A Backslash in the Username
(Doc ID 1300610.1)
Last updated on MARCH 25, 2019
Applies to: COREid Access - Version 10.1.4.3.0 and later
Information in this document applies to any platform.
In OAM, when Integrated Windows Authentication (IWA) is used with Form Based Authentication and the Credential Mapping plugin is configured with the parameters obMappingBase="dc=domain,dc=com" and obMappingFilter="(description=%LOGON_USER%)",
the description attribute of the OID user is held in domain\username format, so the string received from IWA in the LOGON_USER variable contains a backslash. For some users the search succeeds; in the trace you will observe that Access Manager escapes the backslash with a second backslash. For other users, however, the backslash has to be escaped with four backslashes: domain\username1 is found when it is searched as domain\\username1, but domain\username2 is not found when searched as domain\\username2 and is only found when searched as domain\\\\username2. Simulating the situation with an LDAP browser, you will observe that with four backslashes it is possible to find any object whose value includes a backslash.
As a result many users cannot log in via SSO, because they cannot be authenticated through OAM.
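The escaping involved, as an added example that is not part of the Oracle note or of the OAM product code: RFC 4515 defines the only valid escape for a backslash inside a search-filter value as `\5c` (backslash plus two hex digits), so a strict filter parser treats a bare `\\` as malformed. The model below builds the obMappingFilter from the logon name with proper escaping, decodes a filter value strictly per RFC 4515, and also decodes it under the backslash-doubling convention the note reports seeing, so the two-backslash and four-backslash searches can be compared against what the description attribute actually holds. The usernames are constructed, the lenient decoder is a hypothetical model of the doubling convention rather than OID's parser, and `matches` is a plain equality check that ignores LDAP matching rules such as case folding.

```python
import re

# Parameters as quoted in the note; usernames below are constructed samples.
OB_MAPPING_BASE = "dc=domain,dc=com"
OB_MAPPING_FILTER = "(description=%LOGON_USER%)"

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# A valid escape is a backslash followed by exactly two hex digits.
_ESCAPED_RE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_mapping_filter(logon_user: str, template: str = OB_MAPPING_FILTER) -> str:
    """Substitute the escaped IWA logon name for %LOGON_USER% in the filter template.

    Assumes (hypothetically) that the plugin performs a textual substitution.
    """
    return template.replace("%LOGON_USER%", escape_filter_value(logon_user))


def decode_strict(encoded: str) -> str:
    """Decode a filter value the way a strict RFC 4515 parser does.

    Raises ValueError on a backslash that is not followed by two hex digits,
    which is what a bare doubled backslash ("\\\\") is.
    """
    out, i = [], 0
    while i < len(encoded):
        if encoded[i] == "\\":
            m = _ESCAPED_RE.match(encoded, i)
            if not m:
                raise ValueError(f"malformed escape at offset {i}: {encoded!r}")
            out.append(chr(int(m.group(1), 16)))
            i = m.end()
        else:
            out.append(encoded[i])
            i += 1
    return "".join(out)


def decode_lenient(encoded: str) -> str:
    """Hypothetical model of the backslash-doubling convention the note reports
    in the trace: every "\\\\" becomes one "\\", everything else stays literal."""
    return encoded.replace("\\\\", "\\")


def matches(stored_value: str, filter_value: str, decode=decode_strict) -> bool:
    """Would an equality filter carrying filter_value match an attribute holding
    stored_value?  A filter value the decoder rejects matches nothing."""
    try:
        return decode(filter_value) == stored_value
    except ValueError:
        return False


if __name__ == "__main__":
    # Correct RFC 4515 form of the filter for DOMAIN\username1.
    print(build_mapping_filter("domain\\username1"))
    # Under the doubling model: the two-backslash search matches a value holding
    # one backslash, the four-backslash search only a value holding two.
    print(matches("domain\\username1", "domain\\\\username1", decode_lenient))
    print(matches("domain\\\\username2", "domain\\\\username2", decode_lenient))
    print(matches("domain\\\\username2", "domain\\\\\\\\username2", decode_lenient))
```

Under the doubling model, a search that only succeeds with four backslashes corresponds to an attribute whose raw value literally contains two backslashes; that is the first thing to verify in the LDAP browser for the affected users, since the note itself does not state the cause. Whatever the stored value turns out to be, the portable form of the filter is the `\5c` escape shown by `build_mapping_filter`.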