SP-Initiated SSO Using OAM 11gR2PS2 DCC WebGate Fails With HTTP-500 Internal Server Error
(Doc ID 1902235.1)
Last updated on AUGUST 20, 2020
Applies to:Oracle Access Manager - Version 184.108.40.206.0 and later
Information in this document applies to any platform.
Oracle Access Manager 11g Release 2 PatchSet 2 (11gR2PS2 - 220.127.116.11) Identity Federation Services has been configured. OAM is acting as Service Provider (SP) with a 3rd party Identity Provider (IdP).
SP-initiated SSO triggered by accessing an OAM-protected resource protected by FederationScheme is working with the OAM Embedded Credential Collector (ECC).
Access to the ECC protected resource triggers redirect to the IdP for login. After IdP credentials are submitted, the OAM-protected page is displayed.
When the WebGate Detached Credential Collector (DCC) is configured, SP-initiated SSO fails. First the DCC WebGate prompts for login - which should not happen for OAM SP-initiated SSO because OAM is SP and should not perform the login - then the IdP generates an Internal Server Error (HTTP-500).
The HTTP header trace shows that the SAML Authentication Request sent to the IdP by OAM is malformed. The POST request to the IdP has the SAMLRequest as URL query parameter and OAM_REQ as Post Data.
A properly formed POSTed authentication request will have the SAMLRequest and RelayState parameters sent as Post Data, and OAM_REQ will not be sent as it is not relevant to the IdP.
The resource and DCC WebGates are separate, the DCC WebGate does not protect applications.
Steps to reproduce
1. Configure OAM 18.104.22.168 with Oracle HTTP Server (OHS) 11g WebGate 22.214.171.124.
2. Configure the WebGate for DCC and configure the protected resource to use a DCC authentication scheme.
3. Configure the DCC authentication scheme to use the FederationPlugin authentication module.
3. Access the protected resource in a new browser session.
4. The DCC login page will be displayed
5. Submit OAM credentials: HTTP-500 Internal Server Error is returned by the IdP.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document