OIM 11g Error: IAM-3050021:The user with the key null does not exist.:null
After only seeing 2 results in google, with no answers. I decided to consume up my Saturday night to resolve this issue
When successfully entering the username into the identity url with the correct password, I would end up getting an IAM-3050021:The user with the key null does not exist error. I did notice the stack trace differed to the other remaining 2 results so this may (or may not) resolve your Error 500--Internal Server Error when accessing OIM
The stack error is as follows:
javax.servlet.ServletException: oracle.iam.identity.exception.UserManagerException: oracle.iam.platform.authopss.exception.AccessDeniedException: java.lang.RuntimeException: LoggedIn userKey 'null' OR the passed user key 'null' is coming as NULL.
at oracle.iam.platform.servletfilter.PwdMgmtNavigationFilter.redirectBasedOnRoles(PwdMgmtNavigationFilter.java:192)
at oracle.iam.platform.servletfilter.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:147)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.bpel.services.workflow.client.worklist.util.WorkflowFilter.doFilter(WorkflowFilter.java:175)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.bpel.services.workflow.client.worklist.util.DisableUrlSessionFilter.doFilter(DisableUrlSessionFilter.java:70)
...
Caused by: oracle.iam.identity.exception.UserManagerException: oracle.iam.platform.authopss.exception.AccessDeniedException: java.lang.RuntimeException: LoggedIn userKey 'null' OR the passed user key 'null' is coming as NULL.
at oracle.iam.platform.servletfilter.PwdMgmtNavigationFilter.getLoginFlowDetailsForUser(PwdMgmtNavigationFilter.java:324)
at oracle.iam.platform.servletfilter.PwdMgmtNavigationFilter.redirectBasedOnRoles(PwdMgmtNavigationFilter.java:190)
... 29 more
Caused by: oracle.iam.platform.authopss.exception.AccessDeniedException: java.lang.RuntimeException: LoggedIn userKey 'null' OR the passed user key 'null' is coming as NULL.
at oracle.iam.platform.authopss.impl.AuthorizationServiceImpl.hasAccess(AuthorizationServiceImpl.java:153)
at sun.reflect.GeneratedMethodAccessor1234.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
SOLUTION
I noticed that within the stack trace, the last method to be called was 'redirectBasedOnRoles'. Knowing that I recently configured the HOW TO: Configure OIM 11g AD/LDAP Authentication from Weblogic, turns out that the group assigned to the users were not getting assigned within weblogic under the users within the 'user and group' section.
To immediately resolve this, I deleted the AD provider within WLS that I created a few days ago. To resolve this issue moving forward, I re-created the Authentication Provider and ensured that the AD user has the associated oimusers group membership
Then I used a LDAP query to ensure the group in question was getting transferred over. Once you restarted WLS admin, you would be able to see the group within the 'user and group' tab with the group having a parent group of 'oimusers' also.
I was then able to log into OIM using the account
About the author
Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles
Comments
Other Posts
February 6, 2020
Created by: Daniel Redfern
AS I was migrating my environment into an S3 environment, I wanted to leverage off the SES services that AWS provide, more specifically, to leverage the off the SMTP functionality by sending an email via PHP
Read More...
AS I was migrating my environment into an S3 environment, I wanted to leverage off the SES services that AWS provide, more specifically, to leverage the off the SMTP functionality by sending an email via PHP
Read More...
February 24, 2019
Created by: Daniel Redfern
The WeMos D1 is a ESP8266 WiFi based board is an extension to the current out-of-the-box library that comes with the Arduino installation. Because of this, you need to import in the libraries as well as acknowledging the specific board. This process is highly confusion with a number of different individuals talking about a number of different ways to integrate.
Read More...
The WeMos D1 is a ESP8266 WiFi based board is an extension to the current out-of-the-box library that comes with the Arduino installation. Because of this, you need to import in the libraries as well as acknowledging the specific board. This process is highly confusion with a number of different individuals talking about a number of different ways to integrate.
Read More...
August 7, 2018
Created by: Daniel Redfern
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...
June 15, 2018
Created by: Daniel Redfern
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...
November 8, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
November 8, 2017
Created by: Daniel Redfern
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
September 17, 2017
Created by: Daniel Redfern
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...
September 17, 2017
Created by: Daniel Redfern
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...
September 17, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...
September 12, 2017
Created by: Daniel Redfern
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...
Tags
Recent Posts
Monthly Activity
Group by date