My Oracle Support Banner

OIF SP-initiated SSO With 3rd Party IdP Causes OAM Error " System error. Please re-try your action......" (Includes An Explanation Of How RelayState Parameter Is Used By OIF) (Doc ID 1415943.1)

Last updated on OCTOBER 09, 2019

Applies to:

Oracle Identity Federation - Version 11.1.1.5.0 to 11.1.1.2.0 [Release 11g]
Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note.

Symptoms


After following the steps to integrate Oracle Access Manager (OAM) 11.1.1.5.0 with Oracle Identity Federation (OIF) 11.1.1.5.0 in SP mode, if a resource protected by the OAM OIF authentication scheme (OIFScheme) is accessed then after submitting credentials in the Identity Provider (IdP) login page the user sees an Oracle Access Manager page with blue background displaying message:

System error. Please re-try your action. If you continue to get this error, please contact the Administrator.



Documentation reference:

Oracle Fusion Middleware Integration Guide for Oracle Access Manager 11g Release 1 (11.1.1)
4.3 Integrate Oracle Identity Federation in SP Mode


The OAM managed server diagnostic log shows an error similar to the following:

[2011-12-29T22:10:52.980+00:00] [] [NOTIFICATION] [] [oracle.oam.engine.token] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <>] [ecid: ] [APP: ] [URI: /oam/server/dap/cred_submit] Token parsed for <OIF_USER> username
[2011-12-29T22:10:52.981+00:00] [] [ERROR] [OAM-00002] [oracle.oam.binding] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <>] [ecid: ] [APP: ] [URI: /oam/server/dap/cred_submit] Error occurred while handling the request.[[
oracle.security.am.common.utilities.exception.AmRuntimeException: java.net.MalformedURLException: no protocol: <RELAY_STATE_VALUE>

....



The HTTP Header trace from the client browser shows that after successful IdP authentication, OIF SP processes the SAMLResponse successfully and redirects to OAM resource /oam/server/dap/cred_submit when the error occurs.

Example HTTP Header trace showing last few requests before the error occurs:

POST /fed/sp/authnResponse20 HTTP/1.1
Host: <HOSTNAME>:<PORT>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 7879
RelayState=<RELAY_STATE_VALUE>&SAMLResponse=<VALUE>....<SAMLResponse value>.......<VALUE>==

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Connection: close
Date: Tue, 27 Dec 2011 22:57:25 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Location: http://<HOSTNAME>/oam/server/dap/cred_submit?osso_sassoToken=v1.0~....<token>......==
Expires: Sat, 1 Jan 2005 12:00:01 GMT
Set-Cookie: ORA_OSFS_SESSION=id--; path=/
Set-Cookie: JSESSIONID=; path=/; HttpOnly
X-ORACLE-DMS-ECID:
X-Powered-By: Servlet/2.5 JSP/2.1


GET /oam/server/dap/cred_submit?osso_sassoToken=v1.0~....<token>.....== HTTP/1.1
Host: oam.oracle.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cookie: OAMAuthnCookie_<HOSTNAME>:<PORT>=OAM_REQ=VERSION_; JSESSIONID=

HTTP/1.1 200 OK
Date: Tue, 27 Dec 2011 22:57:25 GMT
Server: Oracle-Application-Server-11g
Cache-Control: no-cache, no-cache, no-store
Pragma: no-cache, no-cache
Content-Length: 928
Expires: 0
Set-Cookie: OAM_JSESSIONID=; path=/; HttpOnly
X-ORACLE-DMS-ECID:
X-Powered-By: Servlet/2.5 JSP/2.1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding: gzip




If the OIF Test SP SSO page (/fed/user/testspsso) page is used to test SAML 2.0 SSO, the Test SP SSO application result page shows 'Authentication Successful' but the page shows:

Relay State: <RELAY_STATE_VALUE>


It does not show the OIF Service Provider Unsolicited SSO Relay State URL as expected.

Changes

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
Symptoms
Changes
Cause
Solution


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.