OIF SP-initiated SSO With 3rd Party IdP Causes OAM Error " System error. Please re-try your action......" (Includes An Explanation Of How RelayState Parameter Is Used By OIF)
Last updated on MARCH 08, 2017
Applies to:
Oracle Identity Federation - Version: 11.1.1.5.0Oracle Access Manager - Version: 11.1.1.5.0 and later ]
Information in this document applies to any platform.
Symptoms
After following the steps to integrate Oracle Access Manager (OAM) 11.1.1.5.0 with Oracle Identity Federation (OIF) 11.1.1.5.0 in SP mode, if a resource protected by the OAM OIF authentication scheme (OIFScheme) is accessed then after submitting credentials in the Identity Provider (IdP) login page the user sees an Oracle Access Manager page with blue background displaying message:
System error. Please re-try your action. If you continue to get this error, please contact the Administrator.Documentation reference:
Oracle Fusion Middleware Integration Guide for Oracle Access Manager 11g Release 1 (11.1.1)
4.3 Integrate Oracle Identity Federation in SP Mode
The OAM managed server diagnostic log shows an error similar to the following:
[2011-12-29T22:10:52.980+00:00] [WLS_OAM1] [NOTIFICATION] [] [oracle.oam.engine.token] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004hK9ZkFmTDsX25zr5EiW00025C00071l,0:1] [APP: oam_server] [URI: /oam/server/dap/cred_submit] Token parsed for oiftest1 username
[2011-12-29T22:10:52.981+00:00] [WLS_OAM1] [ERROR] [OAM-00002] [oracle.oam.binding] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004hK9ZkFmTDsX25zr5EiW00025C00071l,0:1] [APP: oam_server] [URI: /oam/server/dap/cred_submit] Error occurred while handling the request.[[
oracle.security.am.common.utilities.exception.AmRuntimeException: java.net.MalformedURLException: no protocol: id-xSphmIWljxor7sFMWUe0jusUoKs-
at oracle.security.am.engines.enginecontroller.plugin.DAPResponseHandler.getResource(DAPResponseHandler.java:362)
at oracle.security.am.engines.enginecontroller.plugin.DAPResponseHandler.processRequest(DAPResponseHandler.java:307)
at oracle.security.am.engines.enginecontroller.CredCollectEngineController.processEvent(CredCollectEngineController.java:196)
at oracle.security.am.controller.MasterController.processEvent(MasterController.java:354)
at oracle.security.am.controller.MasterController.processRequest(MasterController.java:517)
at oracle.security.am.controller.MasterController.process(MasterController.java:457)
at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLFlowManager.java:209)
at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:147)
at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:107)
....The HTTP Header trace from the client browser shows that after successful IdP authentication, OIF SP processes the SAMLResponse successfully and redirects to OAM resource /oam/server/dap/cred_submit when the error occurs.
Example HTTP Header trace showing last few requests before the error occurs:
POST /fed/sp/authnResponse20 HTTP/1.1
Host: oifsrv01.oracle.com:7499
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 7879
RelayState=id-xSphmIWljxor7sFMWUe0jusUoKs-&SAMLResponse=PFJlc3BvbnNlIHht....<SAMLResponse value>.......o8L1Jlc3BvbnNlPg%3D%3D
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Connection: close
Date: Tue, 27 Dec 2011 22:57:25 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Location: http://oam.oracle.com/oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEUyMTM2MjQ2MTZGMkUw....<token>......FhOTI1MzM5YTY1MDQ0MGVkZQ%3D%3D
Expires: Sat, 1 Jan 2005 12:00:01 GMT
Set-Cookie: ORA_OSFS_SESSION=id-uschMK-OfwNr0QrIWcM66plcIQ4-; path=/
Set-Cookie: JSESSIONID=2GLDT6NVPPMshYF9LbvlTcF445Cnv2jv4LHxPnLByfWTNHWjBp1n!-771191739; path=/; HttpOnly
X-ORACLE-DMS-ECID: 56e881fadfe1bff2:-45223d2b:134801f0d68:-8000-0000000000003427
X-Powered-By: Servlet/2.5 JSP/2.1
GET /oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEUyMTM2MjQ2MTZGMkUwQjdGOEZBRX42MkYxQjMyQTkyQT....<token>.....5YTY1MDQ0MGVkZQ%3D%3D HTTP/1.1
Host: oam.oracle.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cookie: OAMAuthnCookie_oam.oracle.com:80=K9AK3TUwnN%2BnZp....Dz4WiG1ixqZW5xPBUGn4RLRxFnsD8rc03S%2BIUL5GONRq85SgUiJzjA7; OAM_REQ=VERSION_4~3qoQXA........ZBu5niS4EpjEMpJPgT40m0tgc0MQh9hM0gAPlC%2bhiAQM%2fbpJR; JSESSIONID=6rYgT6NJ252GT5y3MszvyYvymkhJzWzg5JGjKfrGkT7dwLDK2h2D!-771191739
HTTP/1.1 200 OK
Date: Tue, 27 Dec 2011 22:57:25 GMT
Server: Oracle-Application-Server-11g
Cache-Control: no-cache, no-cache, no-store
Pragma: no-cache, no-cache
Content-Length: 928
Expires: 0
Set-Cookie: OAM_JSESSIONID=Wh2KT6NVHLRZchtby1FMbhtz7hKVLLs1W1B4xJ1jh2YbtFyknN31!-1625350468; path=/; HttpOnly
X-ORACLE-DMS-ECID: 004hHfEZ5JBDsX25zr5EiW0006N70000B0
X-Powered-By: Servlet/2.5 JSP/2.1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding: gzipIf the OIF Test SP SSO page (/fed/user/testspsso) page is used to test SAML 2.0 SSO, the Test SP SSO application result page shows 'Authentication Successful' but the page shows:
Relay State: id-xSphmIWljxor7sFMWUe0jusUoKs-
It does not show the OIF Service Provider Unsolicited SSO Relay State URL as expected.
Cause
Sign In with your My Oracle Support account |
|
Don't have a My Oracle Support account? Click to get started |
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms