OAM 10g: Webgate - Credential Mapping In Form Based Authentication Can't Search Strings Including A Backslash in the Username
Last updated on MARCH 08, 2017
Applies to: COREid Access - Version: 10.1.4.3.0
Information in this document applies to any platform.
In OAM, using IWA with form-based authentication, the Credential Mapping plugin is configured with the parameters obMappingBase="dc=domain,dc=com" and obMappingFilter="(description=%LOGON_USER%)".
The description attribute of the OID user is in domain\username format, so the string received in the LOGON_USER variable from IWA contains a backslash. For some users the search succeeds, and you will observe that Access Manager escapes the backslash with another backslash. For other users, however, the backslash has to be escaped with four backslashes. For example, domain\username1 is found when it is searched as domain\\username1, but domain\username2 is not found when it is searched as domain\\username2; when the search is executed as domain\\\\username2, it succeeds. Simulating the situation with an LDAP browser, you will observe that with four backslashes it is possible to find any object whose value includes a backslash.
As a result, many users cannot log in via SSO, because they cannot be authenticated through OAM.
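The following is an added example (not Oracle code) that shows what literal value each escaping form of the LOGON_USER string asserts in the obMappingFilter. It escapes the value per RFC 4515 and, for decoding, assumes the directory also accepts a doubled backslash as one literal backslash, as the article observes Access Manager doing; the user values are constructed.

```python
import re

# Characters RFC 4515 requires to be escaped inside an LDAP filter assertion value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def render_mapping_filter(template: str, logon_user: str) -> str:
    """Substitute %LOGON_USER% into an obMappingFilter-style template, escaped."""
    return template.replace("%LOGON_USER%", escape_filter_value(logon_user))


# A backslash followed by two hex digits (RFC 4515) or by any single other character.
_ESC = re.compile(r"\\([0-9a-fA-F]{2}|.)")


def decode_filter_value(escaped: str) -> str:
    """Recover the literal value an escaped filter string asserts.

    Assumption: besides RFC 4515 hex escapes, a backslash followed by any other
    character denotes that character literally (so "\\\\" means one backslash).
    """
    def repl(m: "re.Match[str]") -> str:
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return _ESC.sub(repl, escaped)


def filter_matches(escaped_value: str, stored_description: str) -> bool:
    """Equality match of an escaped filter value against the attribute as stored."""
    return decode_filter_value(escaped_value) == stored_description


if __name__ == "__main__":
    # Constructed values: description stored with one and with two backslashes.
    for stored in ("domain\\username1", "domain\\\\username2"):
        for form in ("domain\\\\username", "domain\\\\\\\\username", escape_filter_value(stored)):
            print(f"filter value {form!r:32} asserts {decode_filter_value(form)!r:24} "
                  f"matches stored {stored!r}: {filter_matches(form, stored)}")
```

Under the stated assumption, four backslashes assert a value containing two literal backslashes, so a search that only succeeds in that form indicates the stored description attribute differs from the single-backslash form; comparing the decoded filter value with what the LDAP browser shows for the attribute is the check to run.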