Oracle IAM 12c SSO integration on Windows - Fixing Common Name (CN) generation

Oracle IAM 12c SSO integration on Windows - Fixing Common Name (CN) generation

This is a story about overcoming a technical hurdle with Oracle Identity and Access Management (OIAM) 12.2.1.4. The goal was to integrate Single Sign-On (SSO) functionality on Windows servers, but there was a catch: Oracle doesn't officially support this integration automatically on the Windows platform.

The Challenge:

Everything was installed according to the guide, yet the integration between OIM (Oracle Identity Manager) and OUD (Oracle Unified Directory) wasn't working. The culprit? A missing "common name" that should have been created automatically during user creation. This meant users wouldn't be properly provisioned in OUD, hindering the entire SSO flow. The missing common name could potentially lead to a cascade of issues down the line, causing headaches for both users and administrators.

A Workaround, But Not Ideal:

A temporary solution was implemented: users created in OIM were provisioned to OUD via a connector with an access policy. However, this wasn't ideal. The workaround bypassed the standard user creation flow of OIM, which could lead to inconsistencies and unexpected behavior in the future. It was a solution that would hold the fort, but not one that would win the war.

Limited Oracle Support:

Since the configuration wasn't officially supported, seeking help from Oracle proved to be a dead end. With official documentation and support channels unavailable, the path forward required venturing outside the realm of standard procedures.

The Old-Fashioned Way: Digging In

The troubleshooting approach shifted to a more investigative mode. This meant putting aside the deployment guide and diving into the inner workings of the product itself. The focus turned to understanding what was different in this version of OIAM compared to previous iterations. Hours were spent meticulously examining the OIMServer.jar and oimclient.jar files. It was a time-consuming process, like sifting through grains of sand to find a hidden gem.

The Aha Moment:

The culprit, finally revealed, was a missing event handler from Metadata Services (MDS).  Automated scripts provided by Oracle typically import this event handler during installation. However, since these scripts weren't available for Windows environments, the handler was absent in MDS. This explained the missing "common name" creation – a critical step that the handler would normally orchestrate.

A Hard-Earned Victory:

With the missing piece identified, the path forward was clear. The solution involved manually adding the event handler to MDS. It was a moment of triumph, a victory earned through perseverance and a deep dive into the product's inner workings. Sure, a celebratory drink would have been nice, but 1 am on a Sunday called for a different kind of satisfaction – the quiet gratification of a problem solved.

The Lesson Learned:

This experience served as a valuable lesson. While official documentation and support are undeniably important, there are times when venturing outside the prescribed path is necessary. The ability to think critically, troubleshoot independently, and delve into the intricacies of the system can prove invaluable in overcoming unexpected challenges. After all, some victories are sweetest when they are hard-won.


Tags: