We installed Oracle Identity Federation (OIF) 11.1.1.2 a few months ago and had to move on to some other, more pressing IDM-related issues. We finally came back to the Federation tasks at the beginning of September. The first thing I did was take an inventory of where we left off and compared to what the current released version was from Oracle. I found that we were now a version behind with both Weblogic Server (WLS) and OIF. I initially put off upgrading because we were in a hurry to integrate with one of their business partners. We were able to configure the Circle of Trust with the Relying Party (RP, aka Service Provider) with just a few issues. This particular partner is using OpenSAML as their software of choice. The only issue for us is that they didn’t (or don’t) create metadata files. This is their choice because OpenSAML has a module for doing this. The metadata files is a feature in SAML 2.0 that allows for easy (…easier) integration with your Federation partners. I was able to create one manually for them by using the sp.xml file that was created when using the OpenSSO Fedlet (that’s for another post).
So, finally on to the point of this post. The only issues that we have had with OIF 11.1.1.2 is that when trying to search for local users (we are using OVD as our User Data Store … OVD front’s two different AD instances) we have some issues with the search function and not all users can authenticate. Yes, this is actually a major problem.
I noticed via http://support.oracle.com that there are a lot of patches available for 11.1.1.2. I ended up downloading the 11.1.1.3 version from OTN (here).
(Note: I talked to my contact at Oracle Support who said that 11.1.1.4 is coming very soon)
This version requires that Weblogic be at least 10.1.3. I went back to the support site and downloaded the 10.1.3 patch from there. It’s a jar file that is run and will open up as an OUI installer. I found this site which I used as a guide. It’s pretty simple and painless. Make sure that you restart WLS after upgrading and before upgrading OIF. When the OIF upgrade is complete you should restart the managed service.
After restarting OIF I noticed in Enterprise Manager (EM) that OIF is still displaying as 11.1.1.2. I am running the Upgrade Assistant (Oracle_Home/bin/ua). On the second screen you can select “Verify Instance”. This will walk you through and verify that your OIF instance is upgraded to the correct version. In my case the status is showing as “Failed”. One thing that seems odd to me is that the port shown (on the error message) is 7499. It looks like it’s trying to access the URL to the metadata file and is trying to go on 7499. (i.e., http://hostname:7499/fed/idp/metadata). I can get to the file via 7777 and not 7499. So, I’ll need to check later as to why the Upgrade Assistant is using that port.
I just tried to re-run the 11.1.1.3 patch installer. It complained that the patch had already been applied to this Oracle_Home. So, now I am perplexed. Let’s try rebooting the box and restarting the WLS and OIF services.
Interestingly, after the reboot the OIF version is still showing as 11.1.1.2 … but my OIF LDAP Authentication Engine error is no longer occurring. So, maybe it did get patched?? I am working on confirming this … maybe the version number doesn’t get updated? … that doesn’t sound right though.
HI Brad, this is Barry Ghotra again! I finally got my OVD/OID upgraded to 11.1.1.5. Some points to share:
a) the ORACLE_HOME/bin/ua seems to work only if you had a prior 10g installation.
b) I simply did the WLS upgrade to 10.3.5 , the upgraded the OID/OVD SOFTWARE to 11.1.1.5 and then ran the PATCH SET ASSISTANT to upgrade the schema.
c) Everything got upgraded and the versions indeed showed 11.1.1.5 in schema_version_registry as well as ODSM console. But EM still showed 11.1.1.2. I saw a note about registering the components using opmnctl in another blog:
/opmnctl updatecomponentregistration -componentName oid1 -Sport 3131 -Port 3060 , but that did not do anything. It’s also mentioned in the PATCHING guide.
Opened a SR with Oracle and they are saying it’s by design…go figure!!!
Hi Brad, I noticed that you are using AD as your underlying LDAP adapters with OVD. The key question I have is what are you mapping the orclguid to in AD. Is it objectGUID or objectSID and if you are doing one of the other what does your mapping look like if you don’t mind. We are using SAML 2.0 to SSO with Salesforce PRM and Remedy Force. We had been using OID so far and all was good, but we need to add AD for internal users for Remedy Force. But experiencing some issues without the proper GUID or orclFedGUID variables. I would appreciate any help/feedback please. Thank You.
Thank You for the article as it helped me earlier as well.
One correction, the exact variable is orclFedOwnerGUID
Did you find an answer to your question?