Thursday, March 20, 2014

Oracle Access Management SSO

Single Sign-On (SSO) allows users to log in once and gain access to all systems protected by the same SSO solution without being prompted to log in again.

OAM SSO login request flow

Applications protected by OAM SSO can use one of the following three agents as a policy enforcement point (PEP): OAM 11g WebGate, OAM 10g WebGate, or the OSSO Agent. The login request flow for applications protected by OSSO differs slightly from that of applications protected by a 10g/11g WebGate: OSSO uses only authentication policies, whereas 10g/11g WebGate uses both authentication and authorization policies.

SSO login request flow with OAM 11g agents (WebGate)

1. The user requests a resource on the web server that is protected by WebGate.
2. WebGate forwards the request to the OAM server.
3. OAM checks:
   - whether the SSO cookie is present in the request
   - the authentication policy, to determine whether the resource is protected and how
4. OAM logs the decision and returns it to WebGate.
5. WebGate responds as follows:
   - If the resource is protected, the user is presented with the login form defined by the authentication policy (go to step 6).
   - If the resource is unprotected, the resource is served to the user.
6. The user submits their credentials.
7. The OAM server verifies the credentials:
   - If the credentials are correct, OAM starts the session and creates the SSO cookies (go to step 8).
   - If the credentials are incorrect, the login form is presented to the user again (back to step 6).
8. The credential collector redirects to WebGate and the authorization process begins.
9. WebGate asks OAM to look up the authorization policy, compare it with the user's identity, and determine whether the user is authorized to access the resource.
10. The OAM server checks the session, evaluates the policies, and caches the result.
11. OAM logs the authorization decision and returns it to WebGate.
12. WebGate responds as follows:
   - If the user is authorized, the resource is served to them.
   - If the user is not authorized, they are redirected to the URL given in the Failure URL field of the authorization policy.
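The twelve steps above, as an added example that is not Oracle's code or the code of this post: a small Python model in which a WebGate (the PEP) consults an OAM server for the authentication decision, the credential check, and the cached authorization decision. Everything is constructed and in-memory. The policy fields (protected, login_form, allowed_users, failure_url), the sample users and resources, and the choice of OAM_ID as the name of the SSO session cookie are assumptions made for the example; there is no real HTTP or LDAP involved.

```python
"""Toy model of the OAM 11g WebGate login and authorization flow (constructed example)."""
from dataclasses import dataclass, field
import secrets

# Assumption for the example: OAM_ID is used as the SSO session cookie name.
SSO_COOKIE = "OAM_ID"


@dataclass
class AuthnPolicy:
    protected: bool             # step 3: is the resource protected at all?
    login_form: str = "/login"  # where the credential collector lives (assumed path)


@dataclass
class AuthzPolicy:
    allowed_users: set            # step 9: identities allowed to reach the resource
    failure_url: str = "/denied"  # step 12: the policy's Failure URL


@dataclass
class OAMServer:
    """OAM server side: policies, sessions, result cache and decision log (steps 3-4, 7, 10-11)."""
    authn: dict   # resource path -> AuthnPolicy
    authz: dict   # resource path -> AuthzPolicy
    users: dict   # constructed credential store: user -> password
    sessions: dict = field(default_factory=dict)  # session id -> user (step 7 creates these)
    cache: dict = field(default_factory=dict)     # (session id, resource) -> bool (step 10)
    log: list = field(default_factory=list)       # steps 4 and 11: every decision is logged

    def check_authn(self, resource, cookies):
        # Unknown resources are treated as protected (default deny).
        policy = self.authn.get(resource, AuthnPolicy(protected=True))
        has_session = cookies.get(SSO_COOKIE) in self.sessions
        self.log.append(("authn", resource, policy.protected, has_session))
        return policy, has_session

    def verify_credentials(self, user, password):
        if self.users.get(user) == password:
            sid = secrets.token_hex(16)          # start the session, mint the SSO cookie value
            self.sessions[sid] = user
            self.log.append(("login-ok", user))
            return sid
        self.log.append(("login-fail", user))
        return None

    def authz_policy(self, resource):
        return self.authz.get(resource, AuthzPolicy(allowed_users=set()))

    def check_authz(self, resource, sid):
        key = (sid, resource)
        if key not in self.cache:                # evaluate once per session+resource, then cache
            user = self.sessions.get(sid)
            self.cache[key] = user in self.authz_policy(resource).allowed_users
        self.log.append(("authz", resource, self.cache[key]))
        return self.cache[key]


class WebGate:
    """The PEP in front of the web server (steps 1-2, 5, 8-9, 12)."""

    def __init__(self, oam):
        self.oam = oam

    def request(self, resource, cookies=None):
        """Return the WebGate decision for a browser request carrying the given cookies."""
        cookies = cookies or {}
        policy, has_session = self.oam.check_authn(resource, cookies)
        if not policy.protected:
            return ("serve", resource)                   # step 5: unprotected
        if not has_session:
            return ("login-form", policy.login_form)     # step 5: no valid SSO cookie
        return self._authorize(resource, cookies[SSO_COOKIE])

    def login(self, resource, user, password):
        """Step 6/7: submit credentials; returns (decision, cookies the browser should now hold)."""
        sid = self.oam.verify_credentials(user, password)
        if sid is None:
            return ("login-form", self.oam.authn[resource].login_form), {}
        # Step 8: the collector redirects back to WebGate with the new session cookie.
        return self._authorize(resource, sid), {SSO_COOKIE: sid}

    def _authorize(self, resource, sid):
        if self.oam.check_authz(resource, sid):          # steps 9-11
            return ("serve", resource)
        return ("redirect", self.oam.authz_policy(resource).failure_url)


def build_demo():
    """Constructed policies and users for the example."""
    oam = OAMServer(
        authn={"/public": AuthnPolicy(False), "/app": AuthnPolicy(True), "/admin": AuthnPolicy(True)},
        authz={"/app": AuthzPolicy({"alice", "bob"}), "/admin": AuthzPolicy({"alice"}, "/admin-denied")},
        users={"alice": "correct horse", "bob": "hunter2"},
    )
    return WebGate(oam), oam


if __name__ == "__main__":
    wg, oam = build_demo()
    print(wg.request("/app"))                                  # login form: no SSO cookie yet
    decision, cookies = wg.login("/app", "bob", "hunter2")     # authenticated, then authorized
    print(decision, wg.request("/admin", cookies))             # same session, authz fails
    for entry in oam.log:
        print(entry)
```

Running it shows the two separate decisions the flow makes: the authentication check decides whether a login form is needed at all, and only after a session exists does the authorization policy decide between serving the resource and redirecting to the Failure URL. A cookie value that does not map to a known session is treated exactly like a missing cookie, which is the property a defender wants from step 3.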

OAM SSO cookies
A cookie is a piece of text stored by the user's web browser. Cookies are used to maintain data related to the user during navigation and across multiple visits. OAM maintains various cookies that can be set or cleared during user login. The cookies set or cleared by OAM are OAM_ID, OAMAuthn, ObSSO, OAM_REQ, OAMRequestContext, OHS-, and GITO.

For any queries please email me, samiora@gmail.com.