Wednesday, November 18, 2015

Customizing Okta Accounts Page, Organization Logo and Appearance

Customizing Okta

The Settings menu allows you to customize the look and feel of your organization. Admins can customize elements such as headings, labels, and the appearance of the Okta My Applications or "home" page, as well as the look and feel of the activation email. The Settings menu also includes a Downloads option for the latest browser plug-ins and admin downloads.
The Settings menu is an option on the Administrator Dashboard.

Account Page

As an admin, you can supply contact information for your org, including organization, end-user support, billing, and technical contacts. You can also give Okta Support temporary access to your account for troubleshooting purposes, and can select the type of email notifications you want to receive. The Account page hosts all of this information.

  1. Select Settings > Account.
  2. Click the corresponding Edit link to specify the following:
    • Organization Contact: Used by Okta to communicate with your organization.
    • End User Support Contact: Enter a support phone number that will display on Okta help pages.
    • Technical Contact: Receives notices when users send a help request. The email address appears on all new user registration emails.
    • Billing Information: Used by Okta for billing purposes.
    • Give Access to Okta Support: By default this is Disabled. If you want to allow Okta Support to log in to your account as an administrator for troubleshooting purposes, click Edit, then change this option to Enabled. Access is only enabled for 8 hours, after which you will need to re-enable access for Okta Support.
    • Email Notifications: Configure which email notifications are sent to you by doing the following:
    1. From your Administrator Dashboard, select Settings > Account, and then click Edit in the Email Notifications section.
    2. For each email notification that you want to receive, select the corresponding check box.
  3. Once you have made any changes to your account settings, click Save.

Appearance Page

Admins can specify the look and feel of their end users' My Applications or "home" page. The Appearance page allows you to customize how much or how little of Okta is shown for an org.

Display Options

The elements under Display Options have a large impact on how your end users experience their My Applications home page, as well as on the admin user experience.
  1. Select Settings > Appearance.
  2. In the Display Options section, click Edit.
  3. You can specify two display options here:
    • Logo URL: If you choose to upload your org's logo (as explained in the following section), you can have the logo link to your company's website. Specify the URL you want to link to in this field.
      Note: A logo must be uploaded before the link can become active. See Organization Logo below for instructions on how to add a company logo.
    • Enable Okta Home Footer: Specify whether you want the Okta footer to appear on your end users' Home pages (True/False).
  4. Click Save.

Organization Logo

One way you can customize your end users' My Applications or "home" page is to add the company logo for your org.
  1. Prepare a logo file. The file must be in .jpg, .png, or .gif format. The maximum file size is 100kB, and the maximum dimensions are 3000 x 500px.
  2. Select Settings > Appearance.
  3. Under Organization Logo, click Upload Logo, and then browse to find the logo file you previously created.
  4. Click Upload Logo. The image appears as a thumbnail which displays when your users sign in.

Application Theme

Choose an application theme to customize the look and feel for your end users. Click on a thumbnail to choose a theme.
  1. Select Settings > Appearance.
  2. Under Application Theme, select a thumbnail. The Change Theme button appears. This is the color scheme that will appear on your end users' My Applications home page.
The selected theme appears with these colors when your end users sign in.

Tuesday, November 10, 2015

Oracle® HTTP Server: Generate the Certification Request

Generate the Certification Request

Perform the following steps to generate a certificate request:
  1. Use the commands below to generate the certification request (the bin/ path separator and the output file names were missing in the original listing):
    prompt> ORACLE_HOME/Apache/open_ssl/bin/openssl md5 * > rand.dat
    prompt> ORACLE_HOME/Apache/open_ssl/bin/openssl genrsa -rand rand.dat -des3 -out server.pem
    prompt> ORACLE_HOME/Apache/open_ssl/bin/openssl req -new -key server.pem -out server.csr -config ./openssl.cnf
    When you run the final command, a certificate request is generated. The following is an example of a certification request:
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: California
    Locality Name (eg, city) []: Redwood Shores
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Oracle
    Organizational Unit Name (eg, section) []: EITQA
    Common Name (eg, YOUR name) []:
    Email Address []:
    Enter the following "extra" attributes to be sent with your certification request. This step is optional.
    A challenge password []:
    An optional company name []:
    Be sure to take note of the following:
    • These commands create two files: server.pem and server.csr (certificate request).
    • For Common Name, include the FULL name of the HOST and DOMAIN you are running the command on, for example:
    • Remember the password you enter. This password is used every time Oracle HTTP Server is started.
  2. Send the certification request. In the CSR area, paste the certification request from the server.csr file.
  3. When you receive the certificate, paste it into a file named server.crt.
    Be sure that you get the Root Trial CA certificate by going to the URL mentioned in the certificate authority's email. Export that certificate from the browser to a file named rootcacert.crt. Only if you are getting a trial certificate do you need to install the trial CA certificate in the browser.
  4. Copy the files into the appropriate directories:
    • Certificate file server.crt into the .../Apache/Apache/conf/ssl.crt directory.
    • Private key file server.pem into the .../Apache/Apache/conf/ssl.key directory.
    • Root Trial CA file rootcacert.crt into the .../Apache/Apache/conf/ssl.crt directory.

Modify httpd.conf File to Enable SSL

Make the following changes to the httpd.conf file to enable SSL:

  1. Port changes: Be sure your entries are similar to the ones in the example below (each IfDefine block needs its closing tag):
    # This port is used when starting without SSL
    Port 7777
    # This port is used when starting with SSL
    <IfDefine SSL>
       Port 7777
       Port 7788
    </IfDefine>
    ##SSL Support
    ##When we also provide SSL we have to listen to the standard HTTP port
    ##(see above) and to the HTTPS port
    <IfDefine SSL>
       Listen 7777
       Listen 7788
    </IfDefine>
    ##SSL Virtual Host Context
  2. SSL certificate entries: To point httpd.conf at your certificate, search for SSLCertificateFile and set it to the certificate that came from the certificate authority; then set the private key, certificate chain and CA entries. This is illustrated in the following example:
    Entry for the server certificate:
    SSLCertificateFile .../Apache/Apache/conf/ssl.crt/server.crt
    Entry for the server private key:
    SSLCertificateKeyFile .../Apache/Apache/conf/ssl.key/server.pem
    Entry for the server certificate chain (the Root Trial CA certificate):
    SSLCertificateChainFile .../Apache/Apache/conf/ssl.crt/rootcacert.crt
    Entries for the Certificate Authority (CA), as below (the directory entry is SSLCACertificatePath, not a second SSLCACertificateFile):
    #Certificate Authority (CA):
    #Set the CA certificate verification path where to find CA
    #certificates for client authentication or alternatively one
    #huge file containing all of them (file must be PEM encoded).
    #Note: Inside SSLCACertificatePath you need hash symlinks
    #to point to the certificate files. Use the provided
    #Makefile to update the hash symlinks after changes.
    #SSLCACertificateFile conf/ssl.crt/ca-bundle.crt
    SSLCACertificatePath conf/ssl.crt
    SSLCACertificateFile conf/ssl.crt/rootcacert.crt
  3. Restart Oracle HTTP Server.
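As an added check that is not part of the Oracle document, the script below confirms that the files the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile entries point at actually belong together (the DES3-encrypted server.pem matches server.crt, and server.crt chains to rootcacert.crt) before the server is restarted; a mismatch here is what leaves Oracle HTTP Server failing to start or presenting the wrong certificate. It builds a constructed trial CA and key pair inline so it runs offline; the OHS_KEY_PASS variable and the ohs.example.com name are assumptions of this example, not anything OHS defines.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): confirm that the three
# files the httpd.conf entries point at belong together before restarting OHS.
# Assumes the openssl CLI and the key passphrase in OHS_KEY_PASS (a variable
# name chosen for this example; OHS itself prompts for the passphrase).
set -eu

# check_ssl_files KEY CERT CA
# Returns 0 only if KEY's modulus matches CERT's and CERT verifies against CA.
check_ssl_files() {
  key=$1; cert=$2; ca=$3
  # server.pem is DES3-encrypted (see the genrsa step), so decrypt to read it
  key_mod=$(openssl rsa -noout -modulus -in "$key" -passin env:OHS_KEY_PASS 2>/dev/null) ||
    { echo "cannot read private key $key" >&2; return 1; }
  cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) ||
    { echo "cannot read certificate $cert" >&2; return 1; }
  [ "$key_mod" = "$cert_mod" ] ||
    { echo "$key does not match $cert" >&2; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "$cert does not chain to $ca" >&2; return 1; }
  echo "ok: $cert matches $key and chains to $ca"
}

# make_demo_files DIR
# Constructs a throwaway trial CA, then runs the page's pipeline (DES3 key,
# CSR, CA-signed server.crt) plus an unrelated key, other.pem, for a negative test.
make_demo_files() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Trial CA" \
    -keyout "$d/ca.key" -out "$d/rootcacert.crt" 2>/dev/null
  openssl genrsa -des3 -passout env:OHS_KEY_PASS -out "$d/server.pem" 2048 2>/dev/null
  openssl req -new -key "$d/server.pem" -passin env:OHS_KEY_PASS \
    -subj "/CN=ohs.example.com" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/rootcacert.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
  openssl genrsa -des3 -passout env:OHS_KEY_PASS -out "$d/other.pem" 2048 2>/dev/null
}

# Stand-alone demo: the matching set passes, the unrelated key is rejected.
if [ "${OHS_DEMO:-1}" = 1 ]; then
  export OHS_KEY_PASS=constructed-passphrase
  dir=$(mktemp -d)
  make_demo_files "$dir"
  check_ssl_files "$dir/server.pem" "$dir/server.crt" "$dir/rootcacert.crt"
  check_ssl_files "$dir/other.pem" "$dir/server.crt" "$dir/rootcacert.crt" || echo "rejected as expected"
  rm -rf "$dir"
fi
```

Against a real installation, run check_ssl_files on the three paths from httpd.conf with OHS_KEY_PASS set to the passphrase chosen at the genrsa step.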

Thursday, October 29, 2015

Oracle® Identity Federation: Export SAML 2.0 Metadata

The SAML 2.0 Metadata for the IdP and SP is contained in a single XML document and can be retrieved either from the Oracle Access Management Console or by accessing either of the following URLs:


The certificates used for signature and encryption operations are published via the SAML 2.0 Metadata. The certificates can be retrieved by using a Service URL that specifies the Key ID of the key/certificate entry as defined in the Keystore Settings. 

The Provider ID and the Issuer ID of the IdP and SP profiles are identical and can be retrieved from the applicable Provider Partner profile using the Oracle Access Management Console.

Monday, October 26, 2015

Okta Universal directory. Customize user Profile

Okta Universal directory. Customize user Profile (Okta User and App User)

UD introduces profiles, representations of user accounts. In particular, UD supports two types of profiles: the Okta User profile and the App User profile. The two profile types are used to 1. store rich attributes in Okta, and 2. move rich attributes from Okta to 3rd-party apps.

Use the Profile Editor to view or modify these profiles. To access it:
  1. From the Administrative Dashboard, go to the People tab.
  2. Select Profile Editor.
  3. Select Profiles.

The Okta User Profile

The Okta user profile represents a user in Okta (an Okta account) and is comprised of two parts: base attributes and custom attributes. To view the Okta user profile:
  1. From the Administrative Dashboard, go to the People tab.
  2. Select Profile Editor.
  3. Select Profiles.
  4. Expand the OKTA section then select User.
Okta has defined 31 default base attributes for all users in an org. These base attributes are fixed and cannot be modified or removed. If you wish to add more attributes to the user profile, you can add them as custom attributes.

Adding Custom Attributes

Extend an Okta User profile by adding an attribute to the custom portion of the profile. Base attributes cannot be altered.
To add an attribute:
  1. Select User under the OKTA profile type.
  2. Click the Add Attribute button.
  3. In the window that appears, complete the following fields:
  • Display name: A human-readable label that will appear in the UI.
  • Variable name: Name of the attribute that can be referenced in mappings.
  • Description: Description of the attribute.
  • Data type: There are 8 admissible data types:
    • string: a chain of zero or more unicode characters (letters, digits, and/or punctuation marks)
    • number: floating-point decimal in Java's 64-bit Double format. For details see the Java Platform Specification.
    • boolean: stores true, false, or null data values
    • integer: whole numbers in Java's 64-bit Long format
    • date: stores only the calendar date and requires four bytes in ISO 8601 format
    • array of string: sequential collection of strings
    • array of number: sequential collection of numbers
    • array of integer: sequential collection of integers
  4. When completed, click the Add Attribute button or, if you wish to add more than one, click the Save and Add Another button.
  5. After adding the attribute, configure the following:
  • Attribute required: Select this checkbox if the attribute must be populated.
  • User permission: Choose options to hide the attribute or make it read-only or read-write.
  6. Click Save Attribute.


Sunday, October 25, 2015

Okta-Create a Security Token

  • Navigate to the Okta console.
  • Navigate to API to create a token.
  • Click the Create Token button, then enter the Token Name.
  • The token is created.
  • Click "OK, got it".

Friday, July 31, 2015

Oracle® Identity and Access Manager / SOA Workflows OWSM default-keystore.jks


Regenerate the default-keystore.jks following the steps described in the document below:

1. In an empty working folder, execute the following to generate a new keystore file:
keytool -genkey -alias xell -keyalg RSA -keysize 1024 -dname "CN=Customer, OU=Customer, O=Customer, L=City, ST=NY, C=US" -validity 3650 -keypass <password> -keystore default-keystore.jks -storepass <password> -storetype jks -provider

Please ensure that JDK_HOME\jre\bin is in your PATH environment variable.

2. Generate a certificate request:
keytool -certreq -alias xell -file xell.csr -keypass <password> -keystore default-keystore.jks -storepass <password> -storetype jks -provider

3. Export the certificate:
keytool -export -alias xell -file xlserver.cert -keypass <password> -keystore default-keystore.jks -storepass <password> -storetype jks -provider

4. Trust the certificate:
keytool -import -trustcacerts -alias xeltrusted -noprompt -keystore default-keystore.jks -file xlserver.cert -storepass <password>

5. Copy all 3 generated files (default-keystore.jks, xell.csr, xlserver.cert) into MIDDLEWARE_HOME\user_projects\domains\<OIM Domain>\config\fmwconfig

You should repeat this step for each node in a clustered environment.

6. Change the values of the CSF keys for default-keystore.jks and xell:
- Login to Enterprise Manager
  - Right-click the domain
  - Navigate to Security, and then Credential
  - Expand oim
  - Edit default-keystore.jks and xell and change the password for both keys with the values used in steps 1-4.

Note: You should NOT change the passwords for other CSF keys!

7. Restart the OIM server and check that everything is working fine.

One should do the following, saving in between:

1) Go to EM --> --> Security --> Credentials
2) Expand map
3) Change the passwords of the following keys:
  - keystore-csf-key (user=owsm, password=keystore password)
  - enc-csf-key (user=xell, password)
  - sign-csf-key (user=xell, password)
  - recipient-alias-key (user=xell, password)

Thursday, July 16, 2015

Oracle® Identity Manager and SOA Callback and ReqSvc Service Discovery

In a recent project we had to face the challenge of debugging the issues with the Callback and ReqSvc services from SOA to OIM. The URL for the services is set during install and configuration time; however, this can be changed by using the following JMX bean:

  • Using the EM console, navigate to Identity And Access
  • Right-click on oim(
  • Go to the System MBean Browser
  • Navigate to Application Defined MBeans
  • Navigate to oracle.iam
  • Navigate to server_xxxxx (server name)
  • Navigate to XML Config
  • Navigate to Discovery Config
  • On the RHS, for OimFrontEndURL and OIMExternalFacingFrontEndURL, set the URL of the desired server https://

Monday, June 1, 2015

Oracle® Identity and Access Manager: Develop a Custom SOA Composite

Create a JDeveloper application for custom SOA composite by running the helper utility:

1. Set up the environment (for Linux machines)
cd <BEAHOME>/wlserver_10.3/server/bin
2. Run the utility by executing following commands:
cd <OIMHOME>/server/workflows/new-workflow
ant -f new_project.xml
3. Enter the JDeveloper application name (AssignRoleApprovalApp) when the following prompt is displayed:

Please enter application name

4. Enter the JDeveloper project name (AssignRoleApproval) when the following prompt is displayed:

Please enter project name
5. Enter the name of the ADF binding service (AssignRoleApprovalService) for the composite when the following prompt is displayed:

Please enter the service name for the composite. This needs to be unique across applications

The following screenshot (Figure 1) shows creation of AssignRoleApprovalApp.