Posts

Showing posts from August, 2019

Web Services vs API

Difference between Web Service and API: both are means of communication. The difference is that web services communicate over a network (HTTP is the most common protocol used), whereas an API can use any means of communication. API is a generic term - here is a video explaining what an API is. A Web Service is a particular type of API. For example, a SOAP Web Service is a Web Service which is compliant with the W3C specification of the SOAP protocol. So we can say: all Web Services are APIs, but not all APIs are Web Services. Web Services are APIs that use the web (network) for communication.

ldapadd, ldapmodify, ldapsearch

ldapadd and ldapmodify are command line (shell accessible) ways to add or modify entries in an LDAP Directory Information Tree (DIT). Similarly, ldapsearch can be used to search for existing entries in an LDAP directory. (1) ldapadd: ldapadd can be used to add a new entry to an LDAP directory. Here is an example of how to use the ldapadd command to add a new user via the command line. (One can also add a new user via the GUI or user interface of the LDAP directory.) For this example we will add a new user, say "user3", to the LDAP directory. See the screenshot below with the complete command and syntax. The syntax of the command is: ldapadd -h localhost -p 3060 -D cn=orcladmin -w xxxx << EOF (and then press Enter to continue adding the various entries required). Below is a complete example that should enter a new user entry into the LDAP directory. Here cn=orcladmin is the administrator account which is being used to interact with the Oracle Internet Directory (OID) wi

OAM with ADFS

OAM integration with ADFS, where ADFS is the IdP and OAM is the SP. URLs are protected by WebGate/OAM. The user accesses the URL of an application protected by WebGate/OAM. Following is the flow of steps when a user accesses the URL of a protected application:

1. User logs in to Active Directory and gets a Kerberos ticket.
2. User launches their browser and points it to the application's URL.
3. The WebGate on the application server intercepts the request and looks for a valid session cookie, but the user does not have one.
4. The WebGate redirects the browser to OAM for authentication. OAM determines that the web page is protected and that the authentication method is SAML. It looks for a valid SAML token but does not find one.
5. OAM redirects the browser to ADFS to get a SAML token.
6. ADFS, through Integrated Windows Authentication, validates the user's authentication against Active Directory and, once successful, creates a SAML token and redirects the browser back to OAM.
7. OAM reads the SAML to

Difference between Direct and Request role assignment in Oracle Identity Manager OIM 11gR2

The Request and Direct role assignments are two types of operations that are defined in OIM. Here is the link to the doc. For example, if you are a User Administrator, then all operations such as create user, modify user, grant account, enable user account, and so on are direct operations. Similarly, if you have been assigned the User Viewer admin role, then operations such as create user, enable user, delete user, grant role, revoke entitlements, and so on result in a request being created. See the table below for the Request or Direct operations that are allowed based on the type of role in OIM. The Help Desk role is an interesting one: it has capabilities for both kinds of operation (Direct and Request based). For example, Change User Password can be done by the Help Desk role as a Direct operation, whereas in order to Enable a User, the Help Desk user will have to invoke a Request based operation. In other words, the Help Desk role/user cannot directly enable a user. However as you

Oracle EBS integration with OAM and OID

Oracle E-Business Suite (EBS) can be integrated with the Oracle IAM suite to provide a complete user access management solution. However, in order to use the integration with Oracle Access Manager (OAM), it is mandatory to use Oracle Internet Directory (OID). (Note: there is a newer integration of Oracle EBS with Oracle Identity Cloud Service in which there is no requirement for OAM or OID. Here is the link for this new integration.) To understand the integration of EBS with OAM/OID, see below (a) the architecture of the EBS+OAM+OID integration and (b) the flow of authentication with EBS+OAM+OID. (Note: EBS has the capability to provide authentication and access control without OAM, since EBS has its own native AccessGate which uses header variables to create user sessions. These header variables, similar to OAM_HEADER, can be sent by any other external access management solution.) Also refer here for the concepts of how single sign-on works with OAM and Oracle Fusion Middleware. Update (July 2019) : N