Sunday, July 1, 2018

Oracle Access Management Core Services


Oracle Access Management core services provide the primary perimeter access control services for the whole Oracle Access Management platform, including web authentication, web single sign-on (SSO), and coarse-grained authorization.
Oracle Access Management core services are deployed in a layered architecture across web, application, and data tiers, as shown below.




1) Users access protected web applications by authenticating to Oracle Access Management.
2) The user request is intercepted by a filter, referred to as WebGate, which acts as the Policy Enforcement Point (PEP) and is deployed in the DMZ.
3) The WebGate communicates with Oracle Access Management’s policy server, which acts as the Policy Decision Point (PDP).
4) The administrator sets up security policies and selects authentication schemes from the administration console, which acts as the Policy Administration Point (PAP).
5) If authentication is successful, a cookie is returned to the user’s browser to enable repeated log-ins to the same application, or SSO with other web applications similarly protected by Oracle Access Management.
6) For authorization, the WebGate prompts the Access Management policy server to look up authorization policies. The Access Management policy server evaluates the user’s identity and determines the user’s level of authorization for the requested resource (coarse-grained authorization).

A few more Oracle Access Management features, in short:

Persistent log-in: OAM lets users log in without credentials after their first-time log-in, based on configurable cookie technology. This capability, known as “persistent log-in,” is enabled by the application domain’s system administrator.

Basically, this means that OAM has the option to remember a user’s session for a defined period of time, so even if the user closes the browser, they can log back in again without providing credentials.

At a high level, you need to perform the following steps to set up persistent login:

  • Check the “Allow Persistent Login” option on your Application Domain.
  • Run a WLST command to enable persistent login globally in OAM.
  • Create a new Authentication Scheme with an additional Challenge Parameter: enablePersistentLogin=true.
  • Associate your resources with this new Authentication Scheme.
  • For your Authorization Policies, add a new session response called allowPersistentLogin with the value true.
All of these steps are fairly straightforward from the doc (which can be found here). Note that persistent login only takes effect for a resource when all five pieces line up; if any one of them is missing, the user is simply challenged for credentials as usual.
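To make the "all five pieces" dependency concrete, here is an added example (my own code, not from the post or from Oracle) that audits a constructed sample configuration and reports which of the five persistent-login steps are still missing for a given resource. The dataclass and function names are my own; only enablePersistentLogin and allowPersistentLogin come from the steps above.

```python
from dataclasses import dataclass
@dataclass
class AuthnScheme:
    name: str
    challenge_params: str  # text of the scheme's Challenge Parameters box, one key=value per line
@dataclass
class AuthzPolicy:
    name: str
    resources: set           # resource URL patterns the policy covers
    session_responses: dict  # session response name -> value
@dataclass
class AppDomain:
    allow_persistent_login: bool  # the "Allow Persistent Login" checkbox on the domain
    resource_scheme: dict         # resource pattern -> authentication scheme name
    schemes: dict                 # scheme name -> AuthnScheme
    authz_policies: list

def parse_challenge_params(text):
    """Parse 'key=value' lines as typed into the Challenge Parameters box."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def persistent_login_gaps(global_enabled, domain, resource):
    """List the persistent-login steps still missing for `resource`; empty means complete."""
    gaps = []
    if not global_enabled:
        gaps.append("persistent login not enabled globally (WLST step)")
    if not domain.allow_persistent_login:
        gaps.append("'Allow Persistent Login' not checked on the application domain")
    scheme = domain.schemes.get(domain.resource_scheme.get(resource))
    if scheme is None:
        gaps.append("resource is not associated with an authentication scheme")
    elif parse_challenge_params(scheme.challenge_params).get("enablePersistentLogin", "").lower() != "true":
        gaps.append("scheme %s lacks enablePersistentLogin=true" % scheme.name)
    covering = [p for p in domain.authz_policies if resource in p.resources]
    if not covering:
        gaps.append("no authorization policy covers the resource")
    elif not all(p.session_responses.get("allowPersistentLogin", "").lower() == "true" for p in covering):
        gaps.append("a covering authorization policy lacks session response allowPersistentLogin=true")
    return gaps

# Constructed sample domain: /hr/** is fully set up, /finance/** still uses the old scheme.
PERSISTENT = AuthnScheme("PersistentLDAPScheme", "enablePersistentLogin=true")
LEGACY = AuthnScheme("LDAPScheme", "")
DOMAIN = AppDomain(True, {"/hr/**": "PersistentLDAPScheme", "/finance/**": "LDAPScheme"},
                   {s.name: s for s in (PERSISTENT, LEGACY)},
                   [AuthzPolicy("Protected Policy", {"/hr/**", "/finance/**"}, {"allowPersistentLogin": "true"})])
```

Run `persistent_login_gaps(True, DOMAIN, "/finance/**")` to see the single missing step; an empty list for `/hr/**` means that resource will honour the persistent-login cookie.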

WNA/Kerberos: Oracle Access Management supports Windows Native Authentication (WNA), whereby a client logs in to their Windows desktop, opens a browser, navigates to an Access Management protected HTTP resource, and is let in using the Kerberos service ticket without being challenged. Credentials are sent to the Access Management runtime servers for collection, regardless of where the login pages are (sample log-in pages are provided out-of-the-box). Find more details in my other blogs.

DCC (detached credential collector): Oracle Access Management extends WebGate 11g with a detached credential collector (DCC) capability, enabling the decoupling of credential collection from the server. This provides additional security (end-user HTTP sessions get terminated in the DMZ) and reduces overhead on the server, in addition to improving performance. Find more details in my other blogs.

Session Management: Oracle Access Management supports the session management life cycle (session lifetime, idle timeout, maximum number of sessions, database persistence of active sessions). Server-side session management allows for advanced session management across nodes via Oracle Coherence-based caching. Client-side session management stores the session details in the browser cookie with no information saved on the server side (stateless session), providing higher performance and a smaller footprint than server-side session management.

For the technical implementation, please refer to my other blogs.