OAM 10g: Webgate - Credential Mapping In Form Based Authentication Can't Search Strings Including A Backslash in the Username

(Doc ID 1300610.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 10.1.4.3.0 and later
Information in this document applies to any platform.

Symptoms


In OAM, using IWA with Form Based Authentication, when the Credential Mapping plugin is used with the parameters obMappingBase="dc=domain,dc=com" and obMappingFilter="(description=%LOGON_USER%)",
the description attribute of the OID user is in domain\username format, so the string obtained from the IWA LOGON_USER variable contains a backslash. For some users the search is successful; you will observe that Access Manager escapes the backslash with another backslash. But for other users the backslash needs to be escaped with four backslashes. For example, domain\username1 is found when it is searched as domain\\username1, but domain\username2 is not found when it is searched as domain\\username2; when the search is executed as domain\\\\username2 it succeeds. Simulating the situation with an LDAP browser, you will observe that with four backslashes it is possible to find any object whose value includes a backslash.

This situation causes the problem that many users can't log in via SSO, because they can't be authenticated through OAM.
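The symptom above comes down to how a backslash in a filter assertion value is encoded. RFC 4515 defines exactly one escape form for a filter value: a backslash followed by two hex digits, so a literal backslash is `\5c`; a doubled `\\` is not a valid RFC 4515 escape, and whether a directory accepts it is server-dependent. The following Python example is added here and is not Oracle's code; it models the obMappingFilter substitution as a plain string replacement of %LOGON_USER% (an assumption, the document does not describe OAM's internal escaping) and shows the RFC 4515 encoding next to a strict decoder that rejects the doubled form.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# A valid RFC 4515 escape is exactly: backslash, two hex digits.
_ESC_RE = re.compile(r"\\([0-9A-Fa-f]{2})")


def escape_filter_value(value: str) -> str:
    """Encode a raw attribute value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: escape every UTF-8 byte of the character as \XX.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_mapping_filter(template: str, logon_user: str) -> str:
    """Substitute %LOGON_USER% into an obMappingFilter-style template with RFC 4515 escaping.

    The placeholder handling is an assumption made for this example, not OAM's implementation.
    """
    return template.replace("%LOGON_USER%", escape_filter_value(logon_user))


def unescape_filter_value(escaped: str) -> str:
    """Decode an assertion value the way a strict RFC 4515 parser does.

    Raises ValueError on a backslash that is not followed by two hex digits,
    which is what the doubled form domain\\\\username is.
    """
    raw = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            m = _ESC_RE.match(escaped, i)
            if not m:
                raise ValueError(f"invalid escape at offset {i}: {escaped[i:i + 3]!r}")
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw.extend(escaped[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def is_strictly_valid(escaped: str) -> bool:
    """True if the escaped value parses under the strict RFC 4515 grammar."""
    try:
        unescape_filter_value(escaped)
        return True
    except ValueError:
        return False


def roundtrips(logon_user: str) -> bool:
    """Check that escaping then decoding gives back the original LOGON_USER string."""
    return unescape_filter_value(escape_filter_value(logon_user)) == logon_user


if __name__ == "__main__":
    # Constructed sample values in the domain\username form described above.
    for user in ("domain\\username1", "domain\\username2"):
        print(build_mapping_filter("(description=%LOGON_USER%)", user))
    print("doubled backslash strictly valid:", is_strictly_valid("domain\\\\username2"))
```

The filter a compliant client should send for domain\username2 is `(description=domain\5cusername2)`, and `roundtrips()` confirms the server will compare it against the raw value domain\username2. When troubleshooting, capture the actual filter the WebGate sends (directory access log or a network trace) and compare it against the hex-escaped form rather than reasoning about how many backslashes "should" be there.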

Cause
