Oracle Access Manager (OAM) Integration with Oracle Identity Manager (OIM) SSO User Full/Incremental Reconciliation Job Reconciling into OIM Wrong Date Format (Doc ID 2531828.1)

Last updated on AUGUST 11, 2021

Applies to:

Identity Manager - Version 12.2.1.3.180711 and later
Information in this document applies to any platform.

Symptoms

In an OAM/OIM 12c integrated environment, a user is created with a start date and end date.

For example, using the following JSON payload, we create a user ${USRLOGIN} with a start date and end date:

{
  "requestDataMap": [
    {
      "name": "First Name",
      "value": "${FIRSTNAME}"
    },
    {
      "name": "Middle Name",
      "value": "${MIDDLENAME}"
    },
    {
      "name": "Last Name",
      "value": "${LASTNAME}"
    },
    {
      "name": "Email",
      "value": "${EMAIL}"
    },
    {
      "name": "Start Date",
      "value": "2019-03-02T00:00:00Z"
    },
    {
      "name": "End Date",
      "value": "2020-03-02T00:00:00Z"
    },
    {
      "name": "act_key",
      "value": 1
    },
    {
      "name": "Role",
      "value": "EMP"
    }
  ],
  "challengeQuestions": [
    {
      "name": "Who was your fifth grade teacher?",
      "value": "answer 1"
    },
    {
      "name": "Where were you New Year's 2000?",
      "value": "answer 2"
    },
    {
      "name": "What is the name of a city where you got lost?",
      "value": "answer3"
    }
  ],
  "userCredentials": [
    {
      "name": "User Login",
      "value": "${USRLOGIN}"
    },
    {
      "name": "usr_password",
      "value": "${PASSWORD}"
    },
    {
      "name": "Confirm Password",
      "value": "${PASSWORD}"
    },
    {
      "name": "Postal Code",
      "value": "REPLACE_WITH_ZIP_CODE"
    },
    {
      "name": "Home Phone",
      "value": "0000000000"
    },
    {
      "name": "Mobile",
      "value": "0000000000"
    },
    {
      "name": "Postal Address",
      "value": "My postal address"
    },
    {
      "name": "Home Postal Address",
      "value": "My home postal address"
    },
    {
      "name": "PO Box",
      "value": "My PO Box"
    },
    {
      "name": "Street",
      "value": "My Street"
    },
    {
      "name": "State",
      "value": "2_LETTER_STATE_ABBREVIATION"
    },
    {
      "name": "Postal Code",
      "value": "REPLACE_WITH_ZIP_CODE"
    },
    {
      "name": "Country",
      "value": "2_LETTER_COUNTRY_ABBREVIATION"
    }
  ]
}

 

This creates a user in the OIM USR table with a start date and end date in the correct format (note that the dates provided in the payload are Zulu-based):

 

alter session set nls_date_format='YYYY-MM-DD HH24:MI:SS';
select usr_login, usr_start_date, usr_end_date from usr where usr_login = '${USRLOGIN}';

usr_login    | usr_start_date      | usr_end_date
-------------------------------------------------------
${USR_LOGIN} | 2019-03-01 16:00:00 | 2020-03-01 16:00:00

 

If we look at the user in LDAP, we will see the dates in the correct format too.

So far everything is as expected.

If we now run SSO User Full Reconciliation or SSO User Incremental Reconciliation (if a change took place in the user entry), we will notice the following error in the logs:

[2019-04-17T08:42:24.253-06:00] [SERVERNAME] [ERROR] [] [ORACLE.IAM.CONNECTORS.ICFCOMMON.PROV.ICPROVISIONINGMANAGER] [tid: [ACTIVE].ExecuteThread: TID for queue: 'weblogic.kernel.Default
(self-tuning)'] [userId: oiminternal] [ecid: ECID] [APP: oim] [partition-name: DOMAIN] [tenant-name: GLOBAL]
oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : doUpdate : Error while updating user[[
org.identityconnectors.framework.common.exceptions.ConnectorException: Cannot modify attributes, Error Occurred : [LDAP: error code 21 - When attempting to modify entry ${USERDN} to replace the set of values for
attribute orclActiveStartDate, value "2019-03-02" was found to be invalid according to the associated syntax: The provided value "2019-03-02" is too short to be a valid generalized time value]
at org.identityconnectors.ldap.modify.LdapUpdate.modifyAttributes(LdapUpdate.java:492)
at org.identityconnectors.ldap.modify.LdapUpdate.modifyAttributes(LdapUpdate.java:468)
at org.identityconnectors.ldap.modify.LdapUpdate.update(LdapUpdate.java:212)
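
The directory rejects "2019-03-02" because it has no time or zone component, which generalized time requires. As an added example (not part of the Oracle note), this Python sketch extracts the rejected attribute and value from such a log message and converts the payload's Zulu timestamp to generalized time; the function names and sample line are constructed here, and the pattern assumes the directory follows RFC 4517 syntax.

```python
import re
from datetime import datetime, timezone

# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction](Z|+hh[mm]|-hh[mm])
GENERALIZED_TIME = re.compile(
    r"^\d{4}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])([01]\d|2[0-3])"
    r"([0-5]\d([0-5]\d|60)?)?([.,]\d+)?(Z|[+-]([01]\d|2[0-3])([0-5]\d)?)$"
)

# Matches the directory server message shown in the log above.
REJECTED = re.compile(
    r'attribute (?P<attr>\w+), value "(?P<value>[^"]*)" was found to be invalid'
)


def is_generalized_time(value: str) -> bool:
    """True if value is syntactically valid LDAP generalized time."""
    return GENERALIZED_TIME.match(value) is not None


def to_generalized_time(iso_value: str) -> str:
    """Convert an ISO 8601 timestamp (as in the payload) to UTC generalized time."""
    parsed = datetime.fromisoformat(iso_value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        # A date-only or zone-less value is ambiguous; do not guess a zone.
        raise ValueError(f"no time zone in {iso_value!r}")
    return parsed.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def rejected_values(log_text: str):
    """Return (attribute, value) pairs that fail generalized time syntax."""
    return [(m["attr"], m["value"]) for m in REJECTED.finditer(log_text)
            if not is_generalized_time(m["value"])]


# Constructed sample: the message text from the log above, joined on one line.
SAMPLE = ('[LDAP: error code 21 - When attempting to modify entry ${USERDN} to '
          'replace the set of values for attribute orclActiveStartDate, value '
          '"2019-03-02" was found to be invalid according to the associated syntax')

if __name__ == "__main__":
    for attr, value in rejected_values(SAMPLE):
        print(f"{attr}: {value!r} is not generalized time")
    print(to_generalized_time("2019-03-02T00:00:00Z"))
```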

We also notice that the start date and end date were modified in the USR table, losing their timestamp and timezone:

select usr_login, usr_start_date, usr_end_date from usr where usr_login = '${USRLOGIN}';

usr_login    | usr_start_date      | usr_end_date
-------------------------------------------------------
${USR_LOGIN} | 2019-03-01 16:00:00 | 2020-03-01 16:00:00

 

In this particular scenario, when the start date was reconciled, it also led to the following issue when trying to modify a user's attribute, because the start date after the conversion was future-dated by one day.

 

 

 

Cause
