
Monday, March 21, 2022

OAM 12c as Federation Proxy unable to forward SP request to IDP

Setup: Application --> SP <----> OAM 12c (as a federation proxy) <----> IDP (ForgeRock)

Issue: when the application sent its request to OAM, OAM did not forward it to the IDP for authentication.

Actions we took:
1. Ran the commands to enable OAM as a federation proxy.
2. Integrated OAM with the external IDP.
3. Ran the commands to forward requests coming from the application to the external IDP.
4. A user tried to log in to the application. The request reached the federation proxy (OAM) but was not forwarded to the external IDP.
5. Instead of the IDP login screen, the user landed on the OAM login screen: OAM was authenticating the user itself rather than delegating to the external IDP.

Solution: the IDP authentication scheme (IDPFederationScheme) was not mapped in the SP partner profile, so OAM handled the request with its own login instead of forwarding it. Add the mapping with WLST:

wlst> domainRuntime()
wlst> listPartnerProfileAuthnMethods("sp-partner-profile", "sp")

IDPFederationScheme will not be in the output. Map the PasswordProtectedTransport authentication method to it (the scheme name is passed as a string):

wlst> addSPPartnerProfileAuthnMethod("sp-partner-profile", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "IDPFederationScheme")
wlst> listPartnerProfileAuthnMethods("sp-partner-profile", "sp")

IDPFederationScheme should now be listed for that authentication method, and the SP's request will be forwarded to the external IDP.
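To make the failure mode concrete, the following is an added example (not Oracle's code, and not from the original post) that models the one setting the post is about: the SP partner profile's map from SAML authentication-context class to OAM authentication scheme, as listPartnerProfileAuthnMethods reports it. The AuthnRequest, the empty "before" profile and the local fallback scheme name LDAPScheme are assumptions; IDPFederationScheme and the PasswordProtectedTransport class are the ones named in the post. It shows why an unmapped method surfaces as OAM's own login page, and includes an audit function that finds the gap before a user does.

```javascript
// Added illustration, not Oracle OAM code: a model of an SP partner profile's
// authentication-method -> authentication-scheme map and of the routing decision
// that depends on it.  Everything marked "constructed" is made up for the demo.

const PPT = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';
const FEDERATION_SCHEME = 'IDPFederationScheme';   // scheme named in the post
const DEFAULT_LOCAL_SCHEME = 'LDAPScheme';         // assumption: OAM's local fallback scheme

// Constructed AuthnRequest, trimmed to what the routing decision looks at.
const SAMPLE_AUTHN_REQUEST = [
  '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"',
  '    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"',
  '    ID="_c0ffee" Version="2.0" IssueInstant="2022-03-21T10:00:00Z">',
  '  <saml:Issuer>https://app.example.com/sp</saml:Issuer>',
  '  <samlp:RequestedAuthnContext Comparison="exact">',
  '    <saml:AuthnContextClassRef>' + PPT + '</saml:AuthnContextClassRef>',
  '  </samlp:RequestedAuthnContext>',
  '</samlp:AuthnRequest>',
].join('\n');

// Pull the requested AuthnContextClassRef values out of the request.  A regex is
// enough for this fixed demo document; real code would use a namespace-aware XML parser.
function extractAuthnContextClasses(xml) {
  const re = /<(?:[\w.-]+:)?AuthnContextClassRef\b[^>]*>\s*([^<\s]+)\s*<\//g;
  const classes = [];
  let m;
  while ((m = re.exec(xml)) !== null) classes.push(m[1]);
  return classes;
}

// Decide which OAM scheme handles the request.  `profile` is the method -> scheme
// map that listPartnerProfileAuthnMethods("sp-partner-profile", "sp") prints.
// Without `strict`, an unmapped method falls back to the local scheme, which is
// exactly the symptom in the post: the user lands on OAM's own login page.
function resolveScheme(profile, authnRequestXml, opts = {}) {
  const classes = extractAuthnContextClasses(authnRequestXml);
  for (const c of classes) {
    if (Object.prototype.hasOwnProperty.call(profile, c)) return profile[c];
  }
  if (opts.strict) {
    throw new Error('no authentication scheme mapped for requested context: ' + classes.join(', '));
  }
  return DEFAULT_LOCAL_SCHEME;
}

// True when the proxy will delegate authentication to the external IdP.
function forwardsToIdp(profile, authnRequestXml) {
  return resolveScheme(profile, authnRequestXml) === FEDERATION_SCHEME;
}

// Audit: which of the methods the SP is expected to request would this proxy
// answer itself instead of forwarding?  Run it against the WLST listing before
// going live rather than learning about it from a user's screenshot.
function auditProfile(profile, expectedMethods) {
  return expectedMethods.filter((m) => profile[m] !== FEDERATION_SCHEME);
}

// Constructed profiles: before the fix the listing showed no mapping for PPT;
// after addSPPartnerProfileAuthnMethod(...) it maps PPT to IDPFederationScheme.
const PROFILE_BEFORE = {};
const PROFILE_AFTER = { [PPT]: FEDERATION_SCHEME };

console.log('before:', resolveScheme(PROFILE_BEFORE, SAMPLE_AUTHN_REQUEST),
            'forwards to IdP:', forwardsToIdp(PROFILE_BEFORE, SAMPLE_AUTHN_REQUEST));
console.log('after: ', resolveScheme(PROFILE_AFTER, SAMPLE_AUTHN_REQUEST),
            'forwards to IdP:', forwardsToIdp(PROFILE_AFTER, SAMPLE_AUTHN_REQUEST));
console.log('methods still handled locally before the fix:', auditProfile(PROFILE_BEFORE, [PPT]));
```

The `strict` option is the behaviour to prefer in a design you control: an authentication context the profile does not know should be rejected, not quietly downgraded to a local login, because the SP asked for an assurance level it expects the external IDP to supply. Whether OAM itself behaves that way is not something the post establishes; the model only reproduces the fallback the post observed.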

Saturday, February 19, 2022

Okta error Cannot disable the following factors because they are enabled in the following policies: SOFT_TOKEN or in the Default Policy policy. Please disable the factor(s) in the appropriate policies and try again.

When you try to delete an MFA factor you get the error:

Cannot disable the following factors because they are enabled in the following policies: SOFT_TOKEN in the Default Policy policy. Please disable the factor(s) in the appropriate policies and try again.

or:

Cannot disable the following factors because they are enabled in the following policies: OKTA_SOFT_TOKEN in the Default Policy policy. Please disable the factor(s) in the appropriate policies and try again.

Okta will not deactivate a factor while an enrollment policy still references it, so the policy has to be changed first.

Solution:
1. Go to Factor Enrollment.
2. Edit the policy (Default Policy, or whichever policy references the factor).
3. Set the factor to Disabled under Effective Factors and save the policy.
4. Go back to Factor Types and select Deactivate for the factor.

The MFA option is now disabled.

Sunday, February 6, 2022

Salesforce developer account error "We can't log you in because of an issue with single sign-on. Contact your Salesforce admin for help."

Scenario: we created a developer account on Salesforce and integrated it with Okta. When I tried to log in with a new user, which also exists on the Salesforce side, I got the error:

We can't log you in because of an issue with single sign-on. Contact your Salesforce admin for help.

Solutions:
1. Make sure the user you created on the Salesforce side has the right role type. If the role type is Org Proxy User, SSO will not work; change it to any other type, such as Identity, Salesforce or others.
2. Make sure SAML is enabled on the Salesforce side.
3. Replace the metadata on the Salesforce side with the Okta metadata file. Importing the file avoids the stray spaces that creep in when the certificate or URLs are pasted by hand.

Deleting a Salesforce Single Sign-On setting

Under Administration Setup - Security Controls - Single Sign-On Settings, I need to turn off Federated Single Sign-On Using SAML. However, whenever I disable the SAML Enabled checkbox and click [Save], I get the following error:

Error: Your organization or community is currently using SAML as an authentication method, so you can’t disable it.

Solution:
1. Go to "Single Sign-On Settings".
2. Click "Edit".
3. Uncheck "SAML Enabled" in the "Federated Single Sign-On Using SAML" section.
4. Click on the provider and delete it.

If you still get the error above, the provider is still selected as an authentication service for your domain, and Salesforce will not let you remove it while the login page depends on it. Remove it from the domain first:
1. In the search bar, search for "My Domain" and scroll all the way down to "Authentication Configuration".
2. Edit the section.
3. Under "Authentication Service", deselect the provider you want to remove.
4. Now go to "SAML Single Sign-On Settings" and delete the provider.

Friday, September 3, 2021

Command to create a systemd service unit for OpenIDM

From the openidm/bin directory, generate the systemd unit and write it to the system unit directory:

cd openidm/bin
./create-openidm-rc.sh --systemd | sudo tee /etc/systemd/system/openidm.service

Wednesday, September 1, 2021

ForgeRock AM: fetch the OpenID Connect discovery document via curl

curl -sS -H "Accept: application/json" "http://subscribers.example.com:18080/am/oauth2/.well-known/openid-configuration" | jq .

This returns the provider's OpenID Connect discovery document (issuer, authorization, token and JWKS endpoints, supported response types and signing algorithms), not HTTP headers. The URL above is a plain-http lab address; outside a lab, fetch it over https, because clients will trust every endpoint the document names.
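Before a client is pointed at the endpoints the discovery document lists, it is worth checking the document itself. The following is an added example, not ForgeRock code: a validator for a discovery document of the kind the curl above returns. Both documents in it are constructed; the first mirrors the plain-http lab URL on this page, the second is what the same provider should look like in production. The "same host as the issuer" rule for endpoints is a local policy choice, not a spec requirement.

```javascript
// Added example, not ForgeRock code: checks an OpenID Connect discovery document
// before a client trusts the endpoints in it.  Both documents are constructed.

const DISCOVERY_URL =
  'http://subscribers.example.com:18080/am/oauth2/.well-known/openid-configuration';

// Constructed: roughly what a lab AM would answer for the URL above (values made up).
const SAMPLE_DISCOVERY = {
  issuer: 'http://subscribers.example.com:18080/am/oauth2',
  authorization_endpoint: 'http://subscribers.example.com:18080/am/oauth2/authorize',
  token_endpoint: 'http://subscribers.example.com:18080/am/oauth2/access_token',
  jwks_uri: 'http://subscribers.example.com:18080/am/oauth2/connect/jwk_uri',
  response_types_supported: ['code', 'id_token', 'token'],
  subject_types_supported: ['public'],
  id_token_signing_alg_values_supported: ['RS256', 'HS256', 'none'],
};

// Constructed: the same provider as it should look in production.
const HARDENED_URL =
  'https://subscribers.example.com/am/oauth2/.well-known/openid-configuration';
const SAMPLE_HARDENED = {
  issuer: 'https://subscribers.example.com/am/oauth2',
  authorization_endpoint: 'https://subscribers.example.com/am/oauth2/authorize',
  token_endpoint: 'https://subscribers.example.com/am/oauth2/access_token',
  jwks_uri: 'https://subscribers.example.com/am/oauth2/connect/jwk_uri',
  response_types_supported: ['code'],
  subject_types_supported: ['public'],
  id_token_signing_alg_values_supported: ['RS256'],
};

// Metadata the OpenID Connect Discovery spec requires from a provider.
const REQUIRED_FIELDS = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri',
  'response_types_supported', 'subject_types_supported',
  'id_token_signing_alg_values_supported'];
const ENDPOINT_FIELDS = ['authorization_endpoint', 'token_endpoint', 'jwks_uri',
  'userinfo_endpoint', 'end_session_endpoint', 'introspection_endpoint',
  'revocation_endpoint'];

// Returns a list of findings (empty means the document passed).  Each finding starts
// with a stable code so a caller can grep or gate on it.
function validateDiscovery(doc, discoveryUrl) {
  const findings = [];
  for (const f of REQUIRED_FIELDS) if (!(f in doc)) findings.push('MISSING_FIELD: ' + f);
  if (typeof doc.issuer !== 'string') return findings;

  let issuer;
  try { issuer = new URL(doc.issuer); } catch (e) {
    findings.push('ISSUER_NOT_URL: ' + doc.issuer);
    return findings;
  }
  // The spec requires an https issuer with no query or fragment.
  if (issuer.protocol !== 'https:') findings.push('ISSUER_NOT_HTTPS: ' + doc.issuer);
  if (issuer.search || issuer.hash) findings.push('ISSUER_HAS_QUERY_OR_FRAGMENT: ' + doc.issuer);
  // The URL that was fetched must equal issuer + /.well-known/openid-configuration;
  // a document whose issuer points elsewhere is the setup for a provider mix-up.
  const expected = doc.issuer.replace(/\/+$/, '') + '/.well-known/openid-configuration';
  if (discoveryUrl !== expected) {
    findings.push('ISSUER_MISMATCH: fetched ' + discoveryUrl + ' but issuer implies ' + expected);
  }
  // Endpoints: https only and, as a local policy choice, on the issuer's own host.
  for (const f of ENDPOINT_FIELDS) {
    if (!(f in doc)) continue;
    let u;
    try { u = new URL(doc[f]); } catch (e) { findings.push('ENDPOINT_NOT_URL: ' + f); continue; }
    if (u.protocol !== 'https:') findings.push('ENDPOINT_NOT_HTTPS: ' + f);
    if (u.host !== issuer.host) findings.push('ENDPOINT_FOREIGN_HOST: ' + f + ' -> ' + u.host);
  }
  // A provider advertising alg "none" for ID tokens is worth a finding: a client
  // that honours it will accept unsigned ID tokens.
  const algs = doc.id_token_signing_alg_values_supported || [];
  if (algs.indexOf('none') !== -1) {
    findings.push('ALG_NONE_ADVERTISED: id_token_signing_alg_values_supported');
  }
  return findings;
}

console.log(validateDiscovery(SAMPLE_DISCOVERY, DISCOVERY_URL));   // five findings for the lab URL
console.log(validateDiscovery(SAMPLE_HARDENED, HARDENED_URL));     // []
```

Feed it the output of the curl above (`curl ... | node -e '...'` or by pasting the JSON into the script) and treat any ISSUER_* or ENDPOINT_NOT_HTTPS finding as a blocker before registering clients against that provider.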

Syncing OpenIDM with LDAP: password and dn mapping configuration steps

Map the password
1. Add a target userPassword property that maps to the source password property. When you select password from the Property List you get a warning that the source property is encrypted.
2. Select the option in the editor to create the default transformational behavior for this property. You are taken to the Transformation Script tab and the inline script is populated automatically with:
   openidm.decrypt(source);
   The business logic is: if the source password property is not null, decrypt it before sending it to the target.
3. Go to the Conditional Updates tab and view the automatically populated script:
   object.password != null
   Save your changes.
4. Verify that the target userPassword property was added to the list, that the source property is password, and that the property has both a condition and

Create a Situational Event Script
You need a situational event script to create the dn for the directory entry during provisioning (onCreate). No single attribute on the managed user object in the repository supplies the dn the LDAP directory server needs, so a script has to construct it:
1. Select the Behaviors tab while editing the mapping.
2. Expand the Situational Event Scripts section so you can see the option to add a script.
3. Select the onCreate event from the selector, if necessary, and select Add Script.
4. Leave the Type as JavaScript and select Inline Script, if necessary.
5. Enter the following in the Inline Script field, on one line:
   target.dn = 'uid=' + source.userName + ',ou=People,ou=subscribers,dc=example,dc=com';
6. Save your changes to return to the Behaviors tab, then select Save again to save the changes.
Warning: it is easy to forget to select Save again so that your settings on the Behaviors tab are updated. You will lose your changes if you move away from the page.
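The inline script in step 5 builds the dn by string concatenation, so a userName that contains a comma or other DN metacharacter would land the entry in a different branch of the tree (for instance under ou=Admins). The following is an added example, not ForgeRock code: the same onCreate logic with the uid value escaped per RFC 4514. The base dn is the one from the steps above; the `source` and `target` objects that OpenIDM binds for a situational script are constructed here, and the code sticks to ES5 so the body can be pasted into a Rhino inline script unchanged.

```javascript
// Added example, not ForgeRock code: the onCreate script from the steps above with
// the uid value escaped per RFC 4514.  `source`/`target` are the objects OpenIDM
// binds for a situational script; here they are constructed.

var PEOPLE_BASE_DN = 'ou=People,ou=subscribers,dc=example,dc=com';   // base dn from the steps

// Escape one attribute value for use in a DN (RFC 4514 section 2.4): the characters
// , + " \ < > ; are backslash-escaped, a leading '#' or space and a trailing space
// are escaped, and NUL is written as \00.
function escapeDnValue(value) {
  var s = String(value);
  s = s.replace(/[\\,+"<>;]/g, function (c) { return '\\' + c; });
  s = s.replace(/\u0000/g, '\\00');
  var leading = s.charAt(0) === '#' || s.charAt(0) === ' ';
  var trailing = s.length > 1 && s.charAt(s.length - 1) === ' ';
  if (trailing) s = s.slice(0, -1) + '\\ ';
  if (leading) s = '\\' + s;
  return s;
}

// Build the entry's dn from the managed user.  Fails loudly on a missing userName
// instead of provisioning 'uid=undefined,...'.
function buildUserDn(source) {
  if (!source || typeof source.userName !== 'string' || source.userName.length === 0) {
    throw new Error('cannot build dn: source.userName is missing');
  }
  return 'uid=' + escapeDnValue(source.userName) + ',' + PEOPLE_BASE_DN;
}

// What the Inline Script field would run, as a function.  OpenIDM executes the script
// body with `source` and `target` already in scope, so in the mapping you paste the
// escapeDnValue function followed by the single assignment below.
function onCreate(source, target) {
  target.dn = buildUserDn(source);
  return target;
}

// Constructed inputs: an ordinary user and a userName crafted to inject an extra RDN.
var ordinary = onCreate({ userName: 'bjensen' }, {});
var crafted = onCreate({ userName: 'mallory,ou=Admins' }, {});
console.log(ordinary.dn);   // uid=bjensen,ou=People,ou=subscribers,dc=example,dc=com
console.log(crafted.dn);    // uid=mallory\,ou=Admins,ou=People,ou=subscribers,dc=example,dc=com
```

Escaping only fixes the dn; the directory will still store whatever userName the managed object carries, so the managed user schema's own validation of userName (a policy restricting it to a safe character set) is the other half of the control.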