Thursday, May 3, 2018

Automated Policy Synchronization for Federation

Readers,

Today I would like to discuss the specifics of the Automated Policy Synchronization (APS) feature as it applies to Federation. As you may know, APS was introduced in OAM 11g to sync agents, policies and other OAM artifacts from the Master to the Clone data center in a Multi Data Center deployment.
However, the federation side of this is not documented properly from an APS perspective. When a new SAML partner is created in the Master DC (whether an IdP or an SP), its details are written to oam-config.xml along with the federation attribute profiles.
To sync the federation artifacts so that the partner application works in the Clone DC, make sure the following lines are present in the transformation rules XML:
  <changes-to-include entity-path="/config/NGAMConfiguration/DeployedComponent/Federation/IdentityProvider"/>
  <changes-to-include entity-path="/config/NGAMConfiguration/DeployedComponent/Federation/ServiceProvider"/>
  <changes-to-include entity-path="/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/STS/fedattributeprofiles"/>
  <changes-to-include entity-path="/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/STS/serverconfig"/>
If any of these artifacts is not synced to the Clone, accessing the partner application on the Clone fails with a NullPointerException in the Clone OAM logs (this note covers the Token Policy issue only). The warning below, logged when the partner application is accessed, shows the token issuance policy for the partner missing on the Clone:

[2018-04-13T12:31:28.871-04:00] [oam_server1] [WARNING] [OAMSSA-06364] [oracle.oam.engine.policy] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: d543f813b7c4a66e:75fed341:162bf95f333:-8000-000000000000257f,0] [APP: oam_server#11.1.2.0.0] No Token Issuance Policy found for "Type: TokenServiceRP Operation: ISSUE Name: null URL: GoogleApps Host: null Port: 0".
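Two checks a practitioner would want for the procedure above: one that verifies a transformation rules XML file lists all four federation entity-paths (and appends any that are missing), and one that scans Clone OAM log lines for the OAMSSA-06364 warning and reports which partners have no token issuance policy on the Clone. This is an added example, not code from the original post or from Oracle. The root element name `<transformation-rules>`, the sample rules files and the non-matching log line are constructed for illustration; only the four entity-paths and the warning text come from the post.

```python
"""Checks for APS federation sync (added example, not OAM's own tooling).

1. missing_federation_paths / add_federation_paths: verify or fix a
   transformation rules XML so all four federation entity-paths are included.
2. partners_missing_token_policy: scan Clone OAM log lines for the
   OAMSSA-06364 warning and extract the partner name from the URL field.
"""
import re
import xml.etree.ElementTree as ET

# The four entity-paths the post says the transformation rules must include.
REQUIRED_FEDERATION_PATHS = (
    "/config/NGAMConfiguration/DeployedComponent/Federation/IdentityProvider",
    "/config/NGAMConfiguration/DeployedComponent/Federation/ServiceProvider",
    "/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/STS/fedattributeprofiles",
    "/config/NGAMConfiguration/DeployedComponent/Server/NGAMServer/Profile/STS/serverconfig",
)

# Constructed sample: a rules file that covers the partners but not the STS
# profiles, i.e. the incomplete configuration the post warns about. The
# <transformation-rules> root element name is an assumption for this example.
INCOMPLETE_RULES_XML = """<transformation-rules>
  <changes-to-include entity-path="/config/NGAMConfiguration/DeployedComponent/Federation/IdentityProvider"/>
  <changes-to-include entity-path="/config/NGAMConfiguration/DeployedComponent/Federation/ServiceProvider"/>
</transformation-rules>"""


def included_entity_paths(rules_xml: str) -> set:
    """Return every entity-path listed in <changes-to-include> elements."""
    root = ET.fromstring(rules_xml)
    return {
        el.get("entity-path")
        for el in root.iter("changes-to-include")
        if el.get("entity-path")
    }


def missing_federation_paths(rules_xml: str) -> list:
    """Return the required federation entity-paths absent from the rules."""
    present = included_entity_paths(rules_xml)
    return [p for p in REQUIRED_FEDERATION_PATHS if p not in present]


def add_federation_paths(rules_xml: str) -> str:
    """Return the rules XML with a <changes-to-include> appended for each
    missing federation entity-path (existing entries are left untouched)."""
    root = ET.fromstring(rules_xml)
    for path in missing_federation_paths(rules_xml):
        ET.SubElement(root, "changes-to-include", {"entity-path": path})
    return ET.tostring(root, encoding="unicode")


# Matches the OAMSSA-06364 warning from the post and captures the fields of
# the quoted "Type: ... Port: N" message; the URL field carries the partner.
TOKEN_POLICY_RE = re.compile(
    r"\[OAMSSA-06364\].*No Token Issuance Policy found for "
    r"\"Type: (?P<type>\S+) Operation: (?P<op>\S+) Name: (?P<name>\S+) "
    r"URL: (?P<url>\S+) Host: (?P<host>\S+) Port: (?P<port>\d+)\""
)


def partners_missing_token_policy(log_lines) -> list:
    """Return distinct partner names (the URL field) hit by the warning,
    in first-seen order. Lines that do not match are ignored."""
    found = []
    for line in log_lines:
        m = TOKEN_POLICY_RE.search(line)
        if m and m.group("url") not in found:
            found.append(m.group("url"))
    return found


# Sample log: the warning quoted in the post plus one constructed,
# unrelated INFO line that must not be reported.
SAMPLE_LOG = [
    "[2018-04-13T12:31:28.871-04:00] [oam_server1] [WARNING] [OAMSSA-06364] "
    "[oracle.oam.engine.policy] [tid: [ACTIVE].ExecuteThread: '1' for queue: "
    "'weblogic.kernel.Default (self-tuning)'] [userId: ] "
    "[ecid: d543f813b7c4a66e:75fed341:162bf95f333:-8000-000000000000257f,0] "
    "[APP: oam_server#11.1.2.0.0] No Token Issuance Policy found for "
    "\"Type: TokenServiceRP Operation: ISSUE Name: null URL: GoogleApps Host: null Port: 0\".",
    "[2018-04-13T12:31:29.002-04:00] [oam_server1] [NOTIFICATION] [] "
    "[oracle.oam.engine.policy] [APP: oam_server#11.1.2.0.0] constructed filler line",
]

if __name__ == "__main__":
    print("missing from rules:", missing_federation_paths(INCOMPLETE_RULES_XML))
    print("fixed rules:\n", add_federation_paths(INCOMPLETE_RULES_XML))
    print("partners without token policy:", partners_missing_token_policy(SAMPLE_LOG))
```

Run the first check against the Master's transformation rules before creating a new partner, and the second against the Clone's oam_server diagnostic log after the first access of the partner application: a partner name in the output means its federation artifacts did not make it to the Clone.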