OIF SP-initiated SSO With 3rd Party IdP Causes OAM Error " System error. Please re-try your action......" (Includes An Explanation Of How RelayState Parameter Is Used By OIF) (Doc ID 1415943.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Identity Federation - Version: 11.1.1.5.0 and later [Release: 11g and later]
Oracle Access Manager - Version: 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms


After following the steps to integrate Oracle Access Manager (OAM) 11.1.1.5.0 with Oracle Identity Federation (OIF) 11.1.1.5.0 in SP mode, accessing a resource protected by the OAM OIF authentication scheme (OIFScheme) fails: after the user submits credentials on the Identity Provider (IdP) login page, an Oracle Access Manager page with a blue background displays the message:

System error. Please re-try your action. If you continue to get this error, please contact the Administrator.


Documentation reference:

Oracle Fusion Middleware Integration Guide for Oracle Access Manager 11g Release 1 (11.1.1)
4.3 Integrate Oracle Identity Federation in SP Mode


The OAM managed server diagnostic log shows an error similar to the following:

[2011-12-29T22:10:52.980+00:00] [WLS_OAM1] [NOTIFICATION] [] [oracle.oam.engine.token] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004hK9ZkFmTDsX25zr5EiW00025C00071l,0:1] [APP: oam_server] [URI: /oam/server/dap/cred_submit] Token parsed for oiftest1 username
[2011-12-29T22:10:52.981+00:00] [WLS_OAM1] [ERROR] [OAM-00002] [oracle.oam.binding] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004hK9ZkFmTDsX25zr5EiW00025C00071l,0:1] [APP: oam_server] [URI: /oam/server/dap/cred_submit] Error occurred while handling the request.[[
oracle.security.am.common.utilities.exception.AmRuntimeException: java.net.MalformedURLException: no protocol: id-xSphmIWljxor7sFMWUe0jusUoKs-
at oracle.security.am.engines.enginecontroller.plugin.DAPResponseHandler.getResource(DAPResponseHandler.java:362)
at oracle.security.am.engines.enginecontroller.plugin.DAPResponseHandler.processRequest(DAPResponseHandler.java:307)
at oracle.security.am.engines.enginecontroller.CredCollectEngineController.processEvent(CredCollectEngineController.java:196)
at oracle.security.am.controller.MasterController.processEvent(MasterController.java:354)
at oracle.security.am.controller.MasterController.processRequest(MasterController.java:517)
at oracle.security.am.controller.MasterController.process(MasterController.java:457)
at oracle.security.am.pbl.PBLFlowManager.delegateToMasterController(PBLFlowManager.java:209)
at oracle.security.am.pbl.PBLFlowManager.handleBaseEvent(PBLFlowManager.java:147)
at oracle.security.am.pbl.PBLFlowManager.processRequest(PBLFlowManager.java:107)
....


The HTTP header trace from the client browser shows that, after successful IdP authentication, the OIF SP processes the SAMLResponse successfully and redirects to the OAM resource /oam/server/dap/cred_submit, which is where the error occurs.

Example HTTP Header trace showing last few requests before the error occurs:

POST /fed/sp/authnResponse20 HTTP/1.1
Host: oifsrv01.oracle.com:7499
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 7879
RelayState=id-xSphmIWljxor7sFMWUe0jusUoKs-&SAMLResponse=PFJlc3BvbnNlIHht....<SAMLResponse value>.......o8L1Jlc3BvbnNlPg%3D%3D

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Connection: close
Date: Tue, 27 Dec 2011 22:57:25 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Location: http://oam.oracle.com/oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEUyMTM2MjQ2MTZGMkUw....<token>......FhOTI1MzM5YTY1MDQ0MGVkZQ%3D%3D
Expires: Sat, 1 Jan 2005 12:00:01 GMT
Set-Cookie: ORA_OSFS_SESSION=id-uschMK-OfwNr0QrIWcM66plcIQ4-; path=/
Set-Cookie: JSESSIONID=2GLDT6NVPPMshYF9LbvlTcF445Cnv2jv4LHxPnLByfWTNHWjBp1n!-771191739; path=/; HttpOnly
X-ORACLE-DMS-ECID: 56e881fadfe1bff2:-45223d2b:134801f0d68:-8000-0000000000003427
X-Powered-By: Servlet/2.5 JSP/2.1


GET /oam/server/dap/cred_submit?osso_sassoToken=v1.0%7ENEUyMTM2MjQ2MTZGMkUwQjdGOEZBRX42MkYxQjMyQTkyQT....<token>.....5YTY1MDQ0MGVkZQ%3D%3D HTTP/1.1
Host: oam.oracle.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cookie: OAMAuthnCookie_oam.oracle.com:80=K9AK3TUwnN%2BnZp....Dz4WiG1ixqZW5xPBUGn4RLRxFnsD8rc03S%2BIUL5GONRq85SgUiJzjA7; OAM_REQ=VERSION_4~3qoQXA........ZBu5niS4EpjEMpJPgT40m0tgc0MQh9hM0gAPlC%2bhiAQM%2fbpJR; JSESSIONID=6rYgT6NJ252GT5y3MszvyYvymkhJzWzg5JGjKfrGkT7dwLDK2h2D!-771191739

HTTP/1.1 200 OK
Date: Tue, 27 Dec 2011 22:57:25 GMT
Server: Oracle-Application-Server-11g
Cache-Control: no-cache, no-cache, no-store
Pragma: no-cache, no-cache
Content-Length: 928
Expires: 0
Set-Cookie: OAM_JSESSIONID=Wh2KT6NVHLRZchtby1FMbhtz7hKVLLs1W1B4xJ1jh2YbtFyknN31!-1625350468; path=/; HttpOnly
X-ORACLE-DMS-ECID: 004hHfEZ5JBDsX25zr5EiW0006N70000B0
X-Powered-By: Servlet/2.5 JSP/2.1
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Language: en
Vary: Accept-Encoding
Content-Encoding: gzip



If the OIF Test SP SSO page (/fed/user/testspsso) is used to test SAML 2.0 SSO, the Test SP SSO application result page shows 'Authentication Successful', but it also shows:

Relay State: id-xSphmIWljxor7sFMWUe0jusUoKs-

It does not show the OIF Service Provider Unsolicited SSO Relay State URL as expected.
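
The symptoms above share one value: the RelayState posted to /fed/sp/authnResponse20 is the same string that OAM rejects with "MalformedURLException: no protocol". The following triage helper is an added example, not Oracle code; it extracts the RelayState from a captured POST body, checks whether it is an absolute http(s) URL, and correlates it with the OAM diagnostic log. The function names are hypothetical, the sample inputs are constructed by shortening the trace and log on this page, and treating "URL" as an absolute http(s) URL is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs, shortened from the trace and log on this page.
POST_BODY = "RelayState=id-xSphmIWljxor7sFMWUe0jusUoKs-&SAMLResponse=PFJlc3BvbnNl"
OAM_LOG = (
    "[ERROR] [OAM-00002] [oracle.oam.binding] [URI: /oam/server/dap/cred_submit]\n"
    "java.net.MalformedURLException: no protocol: id-xSphmIWljxor7sFMWUe0jusUoKs-\n"
)

NO_PROTOCOL = re.compile(r"MalformedURLException: no protocol: (\S+)")


def relay_state_from_body(body):
    """Return the decoded RelayState form field, or None if it is absent."""
    values = parse_qs(body, keep_blank_values=True).get("RelayState")
    return values[0] if values else None


def is_absolute_http_url(value):
    """True only for an http(s) URL that carries a host (assumed expectation)."""
    try:
        parts = urlsplit(value or "")
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def triage(body, log_text):
    """Correlate the RelayState posted to OIF with values OAM rejected as URLs."""
    relay = relay_state_from_body(body)
    rejected = NO_PROTOCOL.findall(log_text)
    return {
        "relay_state": relay,
        "relay_state_is_url": is_absolute_http_url(relay),
        "rejected_by_oam": rejected,
        "same_value": relay is not None and relay in rejected,
    }


if __name__ == "__main__":
    for key, value in triage(POST_BODY, OAM_LOG).items():
        print(f"{key}: {value}")
```

When `same_value` is true and `relay_state_is_url` is false, the capture matches the symptom described in this document.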

Cause
