Oracle Access Manager (OAM) Federation Flow -After Session Timeout Re-authentication Fails "System Error"
(Doc ID 2778526.1)
Last updated on JULY 26, 2024
Applies to:
Oracle Access Manager - Version 11.1.2.3.0 and laterInformation in this document applies to any platform.
Symptoms
After idle timeout, system error is seen if a resource from different SP is accessed.
- Using multiple Identity Providers(IdP) and Service Providers (SP)
- Users are mapped to different ID stores
- DN's of the users are the same
- The issue is temporally resolved by restarting the browser, which is very disruptive and not welcomed by the users
Flow
- SSO session is initiated from the SP <SP_1>, authentication done by IdP <IDP_1> and <SP_1> is mapping user from assertion to <ID_STORE_1:USER_1> which works properly
- Using session created in step 1, now access <RESOURCE_1> protected by OAM as SP using Fed scheme of <IDP_2>. Access to <RESOURCE_1> is successful without authentication
- While still on <RESOURCE_1>, wait for idle session to occur and then refresh the page
- Authentication is required by OAM, at which point OAM redirects to <IDP_2>
- After authentication and SAML Response & Assertion sent to OAM (which tries to map the user to <ID_STORE_2:USER_1>, but with an existing session of <ID_STORE_1:USER_1>, a "System Error" is returned and "User"1" from existing session ... is different from user locally authenticated"
- From the log
- <USER_1> has identical DN in both <ID_STORE_1> and <ID_STORE_1>
Is user uniqueness based on IDStore+UserDN or only UserDN?
Changes
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
Symptoms |
Changes |
Cause |
Solution |
References |