Table of Contents
- List of Examples
- List of Figures
- List of Tables
- Title and Copyright Information
- Preface
- What's New in This Guide?
- Updates in October 2024 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Updates in April 2021 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Updates in April 2024 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Updates in October 2023 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Updates in October 2022 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Updates in October 2021 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Updates in January 2021 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Updates in October 2020 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Updates in July 2020 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Updates in April 2020 Documentation Refresh for 12c Release 2 (12.2.1.4.0)
- Features of Oracle Access Management 12c Release 2 (12.2.1.4.0)
- Part I Introduction to Oracle Access Management
- 1 Introducing Oracle Access Management
- 2 Getting Started with Oracle Access Management
- 2.1 Starting and Stopping Servers in Your Deployment
- 2.2 About Oracle Access Management Administrators
- 2.3 Oracle Access Management Console and the Policy Manager Console
- 2.4 Understanding the Oracle Access Management Console
- 2.5 About Logging Into the Oracle Access Management Console
- 2.6 Using the Oracle Access Management Console
- 2.7 Command-Line Tools for Configuration
- 2.8 Logging, Auditing, Reporting, and Monitoring Performance
- 2.9 Configuring Oracle Access Management Login Options
- Part II Managing Common and System Configurations
- 3 Managing Common Services and Certificate Validation
- 4 Delegating Administration
- 5 Managing Data Sources
- 5.1 Data Sources for Oracle Access Management
- 5.2 Registering and Managing User Identity Stores
- 5.2.1 Understanding User Identity Stores
- 5.2.2 About using the System Store for User Identities
- 5.2.3 About Using Multiple Identity Stores
- 5.2.4 User Identity Store Settings
- 5.2.5 Registering a New User Identity Store
- 5.2.6 Viewing or Editing a User Identity Store Registration
- 5.2.7 Deleting a User Identity Store Registration
- 5.3 Managing the Identity Directory Service User Identity Stores
- 5.3.1 Identity Directory Services
- 5.3.2 Creating an Identity Directory Service Profile
- 5.3.3 Editing or Deleting an Identity Directory Service Profile
- 5.3.4 Creating a Form-fill Application Identity Directory Service Profile
- 5.3.5 Understanding the Pre-Configured Identity Directory Service Profile
- 5.3.6 Creating an Identity Directory Service Repository
- 5.3.7 Editing an Identity Directory Service Repository
- 5.4 Managing Administrator Roles
- 5.5 Managing the Policy and Session Database
- 5.6 Introduction to Oracle Access Management Keystores
- 5.7 Integrating a Supported LDAP Directory with Oracle Access Manager
- 6 Managing Server Registration
- Part III Logging, Auditing, Reporting and Monitoring Performance
- 7 Logging Component Event Messages
- 8 Auditing Administrative and Run-time Events
- 8.1 Introduction to Oracle Fusion Middleware Auditing
- 8.2 Oracle Access Management Auditing
- 8.2.1 Understanding Oracle Access Management Auditing
- 8.2.2 About Oracle Access Management Auditing Configuration
- 8.2.3 About Audit Record Storage
- 8.2.4 About Audit Reports and Oracle Business Intelligence Publisher
- 8.2.5 Oracle BI Enterprise Edition (Oracle BI EE)
- 8.2.6 About the Audit Log and Data
- 8.3 Access Manager Events You Can Audit
- 8.4 Identity Federation Events You Can Audit
- 8.5 Setting Up Auditing for Oracle Access Management
- 8.6 Validating Auditing and Reports
- 9 Logging WebGate Event Messages
- 9.1 Understanding Logging for WebGate Instances
- 9.2 About Log Configuration File Paths and Contents
- 9.3 About Directing Log Output to a File or the System File
- 9.4 Structure and Parameters of the WebGate Log Configuration File
- 9.4.1 Structure of WebGate Log Configuration XML File Header
- 9.4.2 Structure of WebGate Initial Compound List
- 9.4.3 Parameters in the WebGate Simple List and Logging Threshold
- 9.4.4 Parameters in the WebGate Second Compound List and Log Handlers
- 9.4.5 Parameters in the WebGate List for Per-Module Logging
- 9.4.6 Parameters in the WebGate Filter List
- 9.4.7 WebGate XML Element Order
- 9.5 Activating and Suppressing Logging Levels
- 9.6 Mandatory Log Configuration File Parameters
- 9.7 Configuring Different Threshold Levels for Different Types of Data
- 9.8 Filtering Sensitive Attributes
- 10 Understanding Oracle Access Management Reports
- 10.1 About Reports in Oracle Access Management
- 10.2 Accessing Oracle Access Management Reports
- 10.3 Supported Output Formats
- 10.4 Classification of Reports for Access Manager
- 10.5 About Creating Reports Using Third-Party Software
- 11 Monitoring Oracle Access Management Performance and Access Manager Health
- 11.1 Introduction to Performance Monitoring
- 11.2 Monitoring Server Metrics Using Oracle Access Management Console
- 11.3 OAM Proxy Metrics and Tuning
- 11.4 Monitoring Metrics Using the DMS Console
- 11.5 Monitoring the Health of an Access Manager Server
- 11.6 Monitoring Server Health with Health Check Framework
- 12 Monitoring Performance and Logs with Fusion Middleware Control
- 12.1 Introduction to Fusion Middleware Control
- 12.2 Logging In to and Out of Fusion Middleware Control
- 12.3 Displaying Menus and Pages in Fusion Middleware Control
- 12.4 Viewing Performance in Fusion Middleware Control
- 12.5 Managing Log Level Changes in Fusion Middleware Control
- 12.6 Managing Log File Configuration from Fusion Middleware Control
- 12.7 Viewing Log Messages in Fusion Middleware Control
- 12.8 Displaying MBeans in Fusion Middleware Control
- Part IV Managing Access Manager Settings and Agents
- 13 Configuring Access Manager Settings
- 13.1 Oracle Access Management Overview
- 13.2 Managing Load Balancing
- 13.3 Managing Secure Error Modes
- 13.4 Managing WebGate Traffic Load Balancer
- 13.5 Managing SSO Tokens and IP Validation
- 13.6 Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security
- 13.7 Managing Run Time Policy Evaluation Caches
- 13.8 Configuring Policy Cache Parameters
- 14 Introduction to Agents and Registration
- 15 Registering and Managing OAM Agents
- 15.1 Before Registering and Managing Agents
- 15.2 OAM Agent Registration Parameters in the Console
- 15.3 Registering an OAM Agent Using the Console
- 15.4 Bulk Updates to WebGates
- 15.5 Configuring and Managing Registered OAM Agents Using the Console
- 15.6 Remote Registration Tool, Modes, and Process
- 15.7 Remote Registration Templates: OAM Agents
- 15.8 Performing Remote Registration for OAM Agents
- 15.9 Remote Agent Update Modes and Templates
- 15.10 Updating Agents Remotely
- 15.11 Validating Remote Registration and Resource Protection
- 15.12 setAllowEmptyHostIdentifier
- 16 Maintaining Access Manager Sessions
- 16.1 Introducing Access Manager Session Management
- 16.2 Understanding Server-Side Session Management
- 16.3 Server-Side Session Enforcement Examples
- 16.4 Configuring the Server-Side Session Lifecycle
- 16.5 Managing Active Server-Side Sessions
- 16.6 Validating Server-Side Session Operations
- 16.7 Using REST APIs for CRUD Operations on a Session
- Part V Implementing Multi-Data Centers
- 17 Understanding Multi-Data Centers
- 17.1 Introducing the Multi-Data Center
- 17.2 Multi-Data Center Deployments
- 17.2.1 Session Adoption Without Re-authentication, Session Invalidation or Session Data Retrieval
- 17.2.2 Session Adoption Without Re-authentication But With Session Invalidation and Session Data Retrieval
- 17.2.3 Session Adoption Without Re-authentication and Session Invalidation But With On-demand Session Data Retrieval
- 17.2.4 Authentication and Authorization Requests Served By Different Data Centers
- 17.2.5 Logout and Session Invalidation
- 17.2.6 Stretch Cluster Deployments
- 17.3 Active-Active Multi-Data Center Topology Deployment
- 17.4 Load Balancing Between Access Management Components
- 17.5 Understanding Time Outs and Session Syncs
- 17.6 Replicating a Multi-Data Center Environment
- 17.7 Multi-Data Center Recommendations
- 18 Configuring Multi-Data Centers
- 19 Synchronizing Data In A Multi-Data Center
- 19.1 Understanding the Multi-Data Center Synchronization
- 19.2 Enabling Data Replication
- 19.3 Synchronizing Master and Clone Metadata
- 19.4 Using REST API for Replication Agreements
- 19.5 Customizing Transformation Rules
- 19.6 Disabling Automated Policy Synchronization
- 19.7 Best Practices for Replication
- 20 Setting Up the Multi-Data Center: A Sequence
- 20.1 Before You Begin
- 20.2 Setting Up a Multi-Data Center
- 20.3 Enabling Automated Policy Synchronization
- 20.4 Troubleshooting the Multi-Data Center Setup
- 20.4.1 Unauthorized Error Displayed When the Authorization Header is Correct
- 20.4.2 Curl Command Returns Curl: (35) SSL Connect Error
- 20.4.3 APS Synchronization Failed With 401-UnAuthorized Error
- 20.4.4 Fail to Decrypt oamkeystore Data with Cipher Key from OAM Config
- 20.4.5 Modifying the Polling Interval in Clone Data Centers
- 20.4.6 Overwriting the Existing MDC Configuration or Recovering from an Inconsistent State
- 20.4.7 Changing the Security Mode of Managed Servers in Working MDC Environment
- 20.4.8 MDC Session Adoption Issues in 11g–12c OAM Setup with SIMPLE Mode Servers
- 20.4.9 Request Failed When the Input Parameters Passed are Valid
- 20.4.10 Modifying Session Control Parameters
- 20.4.11 Modifying Backward Compatibility Flag
- 20.4.12 Disabling MDC
- 20.4.13 Backup Existing Artifacts in a Data Center
- Part VI Managing Access Manager SSO, Policies, and Testing
- 21 Understanding Single Sign-On with Access Manager
- 21.1 Access Manager Single Sign-On Components
- 21.2 Access Manager Policy Model
- 21.3 Anatomy of an Application Domain and Policies
- 21.4 Policy Conditions and Rules
- 21.5 Understanding SSO Cookies
- 21.6 Configuring Single Sign-On with Access Manager
- 22 Managing Authentication and Shared Policy Components
- 22.1 Prerequisites to Managing Authentication and Shared Policy Components
- 22.2 Configuring Shared Policy Components
- 22.3 Managing Resource Types
- 22.4 Managing Host Identifiers
- 22.5 Understanding Authentication Methods and Credential Collectors
- 22.6 Managing Native Authentication Modules
- 22.7 Orchestrating Multi-Step Authentication with Plug-in Based Modules
- 22.7.1 Simple Form Versus Multi-Factor (Multi-Step) Authentication
- 22.7.2 Access Manager Plug-ins for Multi-Step Authentication Modules
- 22.7.3 Pre-populated Plug-ins for Configuring Access Manager with Multi-Step Authentication
- 22.7.4 Example: Leveraging SubjectAltName Extension Data and Integrating with Multiple OCSP Endpoints
- 22.7.5 Creating a Custom Authentication Module using Bundled Plug-ins
- 22.7.6 Steps and Plug-ins in Customized Step-up Authentication Module
- 22.7.7 Configuring Step-up Authentication
- 22.7.8 Configuring an HTTPToken Extractor Plug-in
- 22.7.9 JSON Web Token Plug-in
- 22.7.10 X.509 Authentication Using Extended Key Usage (EKU)
- 22.8 Deploying and Managing Individual Plug-ins for Authentication
- 22.9 Managing Authentication Schemes
- 22.10 Extending Authentication Schemes with Advanced Rules
- 22.11 Configuring Challenge Parameters for Encrypted Cookies
- 22.12 Configuring Authentication POST Data Handling
- 22.13 Long URL Handling During Authentication
- 22.14 Using Application Initiated Authentication
- 23 Understanding Credential Collection and Login
- 23.1 Overview of Access Manager Credential Collection
- 23.2 Overview of the SSO Login Process with OAM Agents and ECC
- 23.3 Overview of the SSO Login Process with OAM Agents and DCC
- 23.4 Configuring OAM WebGate and Authentication Policy for DCC
- 23.5 Tunneling from DCC to Access Manager Over Oracle Access Protocol
- 23.6 Configuring a DCC WebGate for X509 Authentication
- 24 Using Password Policy
- 24.1 Understanding Password Management
- 24.2 Enabling Password Management
- 24.3 Accessing Password Policy Configuration Page
- 24.4 Specifying Credential Collector URLs with Password Policy
- 24.5 Oracle-Provided Password Forms
- 24.6 Managing Global Password Policy
- 24.7 Configuring Password Policy Authentication
- 24.8 Completing Password Policy Configuration
- 24.9 Configuring the PasswordManagementPlugin
- 24.10 Multiple Password Policies
- 25 Managing Policies to Protect Resources and Enable SSO
- 25.1 Prerequisites to Managing Policies and Protecting Resources
- 25.2 Introduction to Application Domain and Policy Creation
- 25.3 Understanding Application Domain and Policy Management
- 25.4 Managing Application Domains Using the Console
- 25.5 Adding and Managing Policy Resource Definitions
- 25.5.1 Resources in an Application Domain
- 25.5.1.1 Resource Type in a Resource Definition
- 25.5.1.2 Host Identifier in a Resource Definition
- 25.5.1.3 Resource URL, Prefixes, and Patterns
- 25.5.1.4 Query String Name and Value Parameters for Resource Definitions
- 25.5.1.5 Literal Query Strings in Resource Definitions
- 25.5.1.6 Run Time Resource Evaluation
- 25.5.2 Defining Resources in an Application Domain
- 25.5.3 Searching for a Resource Definition
- 25.5.4 Viewing, Editing, or Deleting a Resource Definition
- 25.6 Defining Authentication Policies for Specific Resources
- 25.7 Defining Authorization Policies for Specific Resources
- 25.8 Configuring Success and Failure URLs for Authorization Policies
- 25.9 Introduction to Authorization Policy Rules and Conditions
- 25.10 Defining Authorization Policy Conditions
- 25.11 Defining Authorization Policy Rules
- 25.12 Configuring Policy Ordering
- 25.13 Introduction to Policy Responses for SSO
- 25.13.1 Authentication and Authorization Policy Responses for SSO
- 25.13.2 About the Policy Response Language
- 25.13.3 Namespace and Variable Names for Policy Responses
- 25.13.4 About Constructing a Policy Response for SSO
- 25.13.5 About Policy Response Processing
- 25.13.6 Assertion Claims and Processing
- 25.14 Adding and Managing Policy Responses for SSO
- 25.15 Validating Authentication and Authorization in an Application Domain
- 25.16 Understanding Remote Policy and Application Domain Management
- 25.17 Managing Policies and Application Domains Remotely
- 25.18 Application and Application-types
- Using Passwordless Authentication with OAM
- 26 Validating Connectivity and Policies Using the Access Tester
- 26.1 Prerequisites to Using the Access Tester to Validate Connectivity and Policies
- 26.2 Introduction to the Access Tester for Access Manager 12c
- 26.3 Installing and Starting the Access Tester
- 26.4 Access Tester Console, Navigation, and Controls
- 26.5 Testing Connectivity and Policies from the Access Tester Console
- 26.5.1 Establishing a Connection Between the Access Tester and the OAM Server
- 26.5.2 Validating Resource Protection from the Access Tester Console
- 26.5.3 Testing User Authentication from the Access Tester Console
- 26.5.4 Testing User Authorization from the Access Tester Console
- 26.5.5 Observing Request Latency
- 26.6 Creating and Managing Test Cases and Scripts
- 26.7 Evaluating Scripts, Log File, and Statistics
- 27 Configuring Centralized Logout for Sessions Involving OAM WebGates
- 28 Supporting Authentication in Multiple Browser Tabs
- 29 Supporting Multiple Split SSO Domains Using ECC
- Part VII Managing Oracle Access Management Identity Federation
- 30 Introducing Identity Federation in Oracle Access Management
- 30.1 Integrating Identity Federation with Access Manager
- 30.2 Deploying Identity Federation with Oracle Access Management
- 30.3 Understanding How Identity Federation Works
- 30.4 Using Identity Federation
- 30.5 Initiating Federation SSO
- 30.6 Exchanging Identity Federation Data
- 30.7 Administrating Identity Federation
- 30.8 Enabling Identity Federation
- 31 Managing Identity Federation Partners
- 31.1 Understanding Federation And Partners
- 31.2 Managing Federation Partners
- 31.3 Administering Identity Federation As A Service Provider
- 31.4 Administering Identity Federation As An Identity Provider
- 31.5 Using Attribute Mapping Profiles
- 31.6 Mapping Federation Authentication Methods to Access Manager Authentication Schemes
- 31.7 Using the Attribute Sharing Plug-in for the Attribute Query Service
- 31.8 Using the Federation Proxy
- 31.9 Using WLST for Identity Federation Administration
- 31.10 Configuring OAM (IDP) for SAML Holder-of-Key (HoK) Profile with OCI Government Regions (SP)
- 32 Managing Settings for Identity Federation
- 32.1 Prerequisites for Settings in Federation Identity
- 32.2 About Federation Settings
- 32.3 Managing General Federation Settings
- 32.4 Managing Proxy Settings for Federation
- 32.5 Defining Keystore Settings for Federation
- 32.5.1 About Managing Keystore Settings for Identity Federation
- 32.5.2 Managing Identity Federation Encryption/Signing Keys
- 32.5.2.1 Task Overview: Managing Identity Federation Encryption/Signing Keys
- 32.5.2.2 Resetting the System (.oamkeystore) and Trust (amtruststore) Keystore Password
- 32.5.2.3 Adding a New Key Entry to the System Keystore (.oamkeystore)
- 32.5.2.3.1 Task Overview: Adding a New Key Entry to the System Keystore (.oamkeystore)
- 32.5.2.3.2 Adding a New Entry in the .oamkeystore
- 32.5.2.3.3 Adding a New Entry in the Identity Federation Settings
- 32.5.2.3.4 Configuring the Signing and Encryption Key
- 32.5.2.3.5 Using WLST for Key Transport Algorithm
- 32.5.2.3.6 Configuring RSA OAEP Key Transport Digest and MGF Digest
- 32.5.2.3.7 Configuring Signature Algorithm
- 32.6 Exporting Metadata
- 32.7 Masking SAML Attributes in Log Records
- 33 Managing Federation Schemes and Policies
- 33.1 Use of Identity Federation and Access Manager Together
- 33.2 Using Authentication Schemes and Modules for Identity Federation
- 33.3 Using Authentication Schemes and Modules for Oracle Identity Federation
- 33.3.1 About Scheme OIFScheme
- 33.3.2 About the OIFMTLDAPPlugin Authentication Module
- 33.3.3 Managing Authentication with Oracle Identity Federation Release 11gR1
- 33.3.3.1 Prerequisites for Authentication with Oracle Identity Federation Release 11gR1
- 33.3.3.2 Viewing or Modifying the OIFScheme Authentication Scheme
- 33.3.3.3 Prerequisites for Viewing or Modifying the OIFMTLDAPPlugin Authentication
- 33.3.3.4 Viewing or Modifying the OIFMTLDAPPlugin Authentication
- 33.3.3.5 Adding an Authentication Policy with OIFScheme
- 33.4 Managing Access Manager Policies for Use with Identity Federation
- 33.5 Testing Identity Federation Configuration
- 33.6 Using the Default Identity Provisioning Plug-in
- 33.7 Configuring the Identity Provider Discovery Service
- 33.8 Integrating OAM Identity Provider With Microsoft Office 365 Service Provider
- 33.9 Automating SAML Certificate or Key or Metadata Rotation
- 34 Identity Federation Use Cases
- 34.1 Using Test SP Application in OIF and SP
- 34.2 Using Federation Attributes for OAM Authorization and Protected Web Applications
- 34.3 Key and Certificate Management and Rollover in OIF and OSTS
- 34.3.1 Introduction to Key and Certificate Management and Rollover
- 34.3.2 Generating Keys and Certificates
- 34.3.3 Setting New Key Entries
- 34.3.4 Using New Key Entries to Update Global Settings
- 34.3.5 Managing Key Rollover per Partner
- 34.3.6 Managing OIF Key Rollover
- 34.3.7 Managing OSTS Key Rollover
- 34.4 Cryptographic Settings in Oracle Identity Federation
- 34.4.1 Hashing Algorithms
- 34.4.2 Examples on SHA-1 Signed Messages
- 34.4.3 Examples on SHA-256 Signed Messages
- 34.4.4 Configuring OIF to use SHA-1 or SHA-256 Hashing Algorithm
- 34.4.5 Signing Outgoing Messages
- 34.4.6 Signing Incoming Messages
- 34.4.7 Configuring X.509 Certificate in Outgoing Message
- 34.4.8 Managing SAML 2.0 Encryption
- 34.4.9 Encryption Algorithm
- Part VIII Managing the Adaptive Authentication Service and Oracle Mobile Authenticator
- 35 Introducing the Adaptive Authentication Service
- 35.1 About Adaptive Authentication Service
- 35.2 Working with the Adaptive Authentication Service
- 35.3 Understanding Adaptive Authentication Service and OMA Configurations
- 35.4 Configuring an Adaptive Authentication Service
- 35.4.1 Generating a Secret Key for the Oracle Mobile Authenticator
- 35.4.2 Configuring Oauth Services to enable the Secret Key API
- 35.4.3 Configuring the Adaptive Authentication Plug-in in the Oracle Access Management Console
- 35.4.4 Enabling User Lockout During the Multi Factor Authentication Flow
- 35.4.5 Limiting PIN Generation During the Second Factor Authentication
- 35.4.6 Setting Credentials for UMS, iOS, and Android
- 35.4.7 Creating a Java KeyStore for iOS Access Request (Push) Notifications
- 35.4.8 Configuring Push Notifications on Mobile Device
- 35.4.8.1 Configuring Host Name Verifier for Android Access Request (Push) Notifications
- 35.4.8.2 Modifying OAMOMAPreferences
- 35.4.8.3 Verifying Push Notification Settings
- 35.4.8.4 Creating an Authentication Policy
- 35.4.8.5 Connecting with Messaging Server
- 35.4.8.6 Migrating to service account JSON for Android Push Notifications
- 35.4.8.7 Installing the Google CA Files into the OAM Keystore
- 35.4.8.8 Creating a Webpage to Deliver the OMA Application Profile to the Mobile Device
- 35.4.8.9 Testing SFA through Push Notification
- 35.4.8.10 Troubleshooting Push Notifications
- 35.4.9 Configuring Access Manager for VPN in a Use Case
- 35.4.10 Administering a Secret Key
- 36 Configuring the Oracle Mobile Authenticator
- 36.1 Understanding Oracle Mobile Authenticator Configuration
- 36.2 Using the Oracle Mobile Authenticator App
- 36.3 Managing the Oracle Mobile Authenticator App
- 36.3.1 Switching Between Grid View and List View
- 36.3.2 Editing Accounts in the OMA App
- 36.3.3 Reordering Accounts in the OMA App
- 36.3.4 Deleting an Account in the OMA App
- 36.3.5 Enabling App Protection
- 36.3.6 Changing Your OMA App PIN
- 36.3.7 Disabling OMA App PIN Protection
- 36.3.8 Managing Notification History in the OMA App
- 36.4 Configuring the Google Authenticator App
- 36.5 OAA Error Handling Plugins
- 37 Configuring TOTP-based Multi Factor Authentication in OAM
- Part IX Managing the Oracle Access Management OAuth Service and OpenIDConnect
- 38 Understanding OAuth Services
- 39 Configuring OAuth Services in 12c
- 39.1 Set-up OAuth Services
- 39.2 Configuring OAuth Services Settings
- 39.3 Enabling User Lock Validation
- 39.4 Enabling User Password Change Validation
- 39.5 Enabling Consent Management on MDC
- 39.6 Configuring OAuth in Multi-Data Centers
- 39.7 Optional Parameters for Consent Management in Multi-Data Centers
- 39.8 Error Codes and Troubleshooting Steps for Consent Management on MDC
- 39.9 Dynamic Client Registration
- 39.10 SSO Session Linking for OAuth Tokens
- 39.11 Runtime REST APIs for OAuth 12c
- 39.12 Revoking OAuth Tokens
- 39.13 Configuring Client Authentication
- 39.14 Configuring mTLS Client Authentication
- 39.15 Proof Key for Code Exchange (PKCE) Support in OAM
- 39.16 Token Exchange Support in OAM
- 39.17 Custom Issuer Support
- 40 Understanding OpenIDConnect
- 40.1 About OpenIDConnect Tokens
- 40.2 Claims
- 40.3 Custom Claims
- 40.4 OpenIDConnect Authentication Flows in Oracle Access Manager
- 41 OIDC Client Integrations with Social Identity Providers
- 42 OAuth Just-In-Time (JIT) User Provisioning
- 42.1 Using Self-Registration for Just-in-Time User Provisioning
- 42.2 Configuring Just-In-Time User Auto-Provisioning with Password Prompt
- 42.3 Configuring Just-In-Time User Auto-Provisioning (No Password Prompt)
- Part X Using Identity Context
- 43 Using Identity Context
- 43.1 Introducing Identity Context
- 43.2 Understanding Identity Context
- 43.3 Working With the Identity Context Service
- 43.4 Identity Context API
- 43.5 Configuring the Identity Context Service Components
- 43.6 Validating Identity Context
- Part XI Using the OAM Snapshot Tool
- 44 Introduction to the OAM Snapshot Tool
- 45 Customizing the Paths for the OAM Snapshot Tool
- 46 Performing Backup and Restore and Migration of OAM System Using Snapshot Tool
- 47 Using the OAM Snapshot Tool
- 48 Troubleshooting
- Part XII Integrating Access Manager with Other Products
- 49 Integrating RSA SecurID Authentication with Access Manager
- 50 Configuring Access Manager for Windows Native Authentication
- 50.1 Introducing Access Manager with Windows Native Authentication
- 50.2 About Preparing Your Active Directory and Kerberos Topology
- 50.3 Confirming Access Manager Operations
- 50.4 Enabling the Browser to Return Kerberos Tokens
- 50.5 Integrating KerberosPlugin with Oracle Virtual Directory
- 50.6 Integrating the KerberosPlugin with Search Failover
- 50.7 Configuring Access Manager for Windows Native Authentication
- 50.7.1 Creating the Authentication Scheme for Windows Native Authentication
- 50.7.2 Configuring Policies for Windows Native Authentication
- 50.7.3 Configuring WNA for NTLM Fallback
- 50.7.4 Configuring WNA Fallback to FORM-based Authentication Scheme
- 50.7.5 Verifying the Access Manager Configuration File
- 50.8 Validating WNA with Access Manager Protected Resources
- 50.9 Configuring WNA For Use With DCC
- 50.10 Troubleshooting WNA Configuration
- 51 Integrating Microsoft SharePoint Server with Access Manager
- 51.1 What is Supported in This Release?
- 51.2 Introduction to Integrating With the SharePoint Server
- 51.3 Integration Requirements
- 51.4 Preparing for Integration With SharePoint Server
- 51.5 Integrating With Microsoft SharePoint Server
- 51.6 Setting Up Microsoft Windows Impersonation
- 51.7 Completing the SharePoint Server Integration
- 51.8 Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider
- 51.8.1 About Integrating With Microsoft SharePoint Server Configured With LDAP Membership Provider
- 51.8.2 Installing Access Manager for Microsoft SharePoint Server Configured With LDAP Membership Provider
- 51.8.3 Configuring an Authentication Scheme for Use With LDAP Membership Provider
- 51.8.4 Integrating SharePoint Server with OAM 12c using FBA
- 51.8.5 Ensuring Directory Servers are Synchronized
- 51.8.6 Testing the Integration
- 51.9 Configuring Single Sign-On for Office Documents
- 51.10 Configuring Single Sign-off for Microsoft SharePoint Server
- 51.11 Setting Up Access Manager and Windows Native Authentication
- 51.12 Synchronizing User Profiles Between Directories
- 51.13 Testing Your Integration
- 51.14 Troubleshooting
- 52 Integrating Access Manager with Outlook Web Application
- 52.1 What is New in This Release?
- 52.2 Introduction to Integration with Outlook Web Application
- 52.3 Enabling Impersonation With a Header Variable
- 52.3.1 Requirements for Impersonation with a Header Variable
- 52.3.2 Creating an Impersonator as a Trusted User
- 52.3.3 Assigning Rights to the Trusted User
- 52.3.4 Binding the Trusted User to Your WebGate
- 52.3.5 Adding an Impersonation Response to An Application Domain
- 52.3.6 Adding an Impersonation DLL to IIS
- 52.3.7 Testing Impersonation
- 52.4 Setting Up Impersonation for Outlook Web Application (OWA)
- 52.4.1 Prerequisites to Setting Impersonation for Outlook Web Application
- 52.4.2 Creating a Trusted User Account for Outlook Web Application
- 52.4.3 Assigning Rights to the Outlook Web Application Trusted User
- 52.4.4 Binding the Trusted Outlook Web Application User to Your WebGate
- 52.4.5 Adding an Impersonation Action to an Application Domain for Outlook Web Application
- 52.4.6 Adding an Impersonation dll to IIS
- 52.4.7 Configuring IIS Security
- 52.4.8 Testing Impersonation for Outlook Web Application
- 52.5 Setting Up Access Manager WNA for Outlook Web Application
- 53 Integrating Access Manager with SAP NetWeaver Enterprise Portal
- 53.1 What is Supported in This Release?
- 53.2 Supported Versions and Platforms
- 53.3 Integration Architecture
- 53.4 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.0.x
- 53.4.1 Before You Begin Configuring OAM and NetWeaver Enterprise Portal 7.0.x
- 53.4.2 Configuring the Apache HTTP Server as a Proxy
- 53.4.3 Configuring SAP NetWeaver Enterprise Portal for External Authentication
- 53.4.4 Adjusting the Login Module Stacks for using Header Variables
- 53.4.5 Configuring Access Manager for SAP Enterprise Portal
- 53.5 Configuring Oracle Access Management and NetWeaver Enterprise Portal 7.4.x
- 53.5.1 Before You Begin Configuring OAM and NetWeaver Enterprise Portal 7.4.x
- 53.5.2 Configuring Access Manager for SAP NetWeaver Enterprise Portal 7.4.x
- 53.5.3 Configuring Apache Web Server 2.0.x or 2.2.x
- 53.5.4 Configuring SAP Enterprise Portal 7.4 for External Authentication
- 53.5.5 Adjusting the Login Module Stacks for Using Header Variables
- 53.6 Testing the Integration
- 53.7 Troubleshooting the Integration
- 54 Use Oracle Access Manager to sign on to Oracle Private Cloud Appliance
- Appendixes
- A Integrating Oracle ADF Applications with Access Manager SSO
- A.1 Introducing Oracle Platform Security Services and Oracle Application Developer Framework
- A.2 Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework
- A.3 Configuring Centralized Logout for Oracle ADF-Coded Applications
- A.4 Confirming Application-Driven Authentication During Runtime
- B Securing Communication
- B.1 Prerequisites to Setting up a Secure Communication between OAM Servers and Webgates
- B.2 Securing Communication Between OAM Servers and WebGates
- B.3 Securing Communication between OAM Servers and WebGates using OAP over REST
- B.3.1 About OAP over REST Communication
- B.3.2 Configuring Load Balancer using Oracle mod_wl_proxy on OHS
- B.3.3 Configuring Work Manager for OAP over REST
- B.3.4 Configuring HTTP and HTTPS Communication between WebGate and Access Manager
- B.3.5 Connection Tuning for OAP over REST
- B.3.6 Troubleshooting OAP over REST
- B.4 Enabling FIPS Mode on Oracle Access Management
- B.5 Configuring Cert Mode Communication for Access Manager
- B.5.1 About Cert Mode Encryption and Files
- B.5.2 Generating a Certificate Request and Private Key for OAM Server
- B.5.3 Retrieving the .OAMKeystore password stored in UDM
- B.5.4 Importing the Trusted, Signed Certificate Chain Into the Keystore
- B.5.5 Adding Certificate Details to Access Manager Settings
- B.5.6 Generating a Private Key and Certificate Request for WebGates
- B.5.7 Supporting Two-Way SSL for CERT Mode Communication
- B.5.8 Updating WebGate to Use Certificates
- B.5.9 About WebGate Usage of PFS and Approved Cipher Suites for OAP Simple/Cert Mode Communication
- B.6 Configuring Simple Mode Communication with Access Manager
- B.7 Configuring SSL in IHSWebServer
- C Setting the GCM API key within the OAM Credential Store
- D Mitigating Security Risks with Session Cookies
- E Best Practices for Oracle Access Manager (OAM) OAuth Security
- F OAA Banner Information JSP Page Template
- G Troubleshooting
- G.1 Introduction to Oracle Access Management Troubleshooting
- G.1.1 System Analysis and Problem Scenarios
- G.1.2 LDAP Server or Identity Store Issues
- G.1.3 OAM Server or Host Issues
- G.1.4 Agent-Side Configuration and Load Issues
- G.1.5 Runtime Database (Audit or Session Data) Issues
- G.1.6 Change Propagation or Activation Issues
- G.1.7 Policy Store Database Issues
- G.2 My Oracle Support for Additional Troubleshooting Information
- G.3 Administrator Lockout
- G.4 Error During Federation Configuration After Upgrade from PS1 to PS2
- G.5 Oracle Access Management Console Inconsistent State
- G.6 AdminServer Won't Start if the Wrong Java Path Given with WebLogic Server Installation
- G.7 Agent Naming Not Unique
- G.8 Application URL Requirements
- G.9 Authentication Issues
- G.10 Authorization Issues
- G.11 Cannot Access Authentication LDAP or Database
- G.12 Cannot Find Configuration
- G.13 OAM Does Not Support Whole Server Migration
- G.14 Could Not Find Partial Trigger
- G.15 Denial of Service Attacks
- G.16 Diagnosing Initialization and Performance Issues
- G.17 Disabling Windows Challenge/Response Authentication on IIS Web Servers
- G.18 Changing UserIdentityStore1 Type Can Lock Out Administrators
- G.19 IIS Web Server Issues
- G.20 Import and File Upload Limits
- G.21 jps Logger Class Instantiation Warning is Logged on Authentication
- G.22 Internationalization, Languages, and Translation
- G.23 Login Failure for a Protected Page
- G.24 OAM Metric Persistence Timer IllegalStateException: SafeCluster
- G.25 Partial Cluster Failure and Intermittent Login and Logout Failures
- G.26 RSA SecurID Issues and Logs
- G.27 Registration Issues
- G.28 Rowkey does not have any primary key attributes Error
- G.29 SELinux Issues
- G.30 Session Issues
- G.31 SSL versus Open Communication
- G.32 Start Up Issues
- G.33 Synchronizing OAM Server Clocks
- G.34 Time delay in configuration change
- G.35 Validation Errors
- G.36 Web Server Issues
- G.36.1 Server Fails on an Apache Web Server
- G.36.2 Apache v2 on HP-UX
- G.36.3 Apache v2 Bundled with Red Hat Enterprise Linux 4
- G.36.4 Apache v2 Bundled with Security-Enhanced Linux
- G.36.5 Apache v2 on UNIX with the mpm_worker_module for Webgate
- G.36.6 Domino Web Server Issues
- G.36.7 Errors, Loss of Access, and Unpredictable Behavior
- G.36.8 Known Issues for ISA Web Server
- G.36.9 Oracle HTTP Server Fails to Start with LinuxThreads
- G.36.10 Oracle HTTP Server Webgate Fails to Initialize On Linux Red Hat 4
- G.36.11 Oracle HTTP Server Web Server Configuration File Issue
- G.36.12 Issues with IIS v6 Web Servers
- G.36.13 PCLOSE Error When Starting Sun Web Server
- G.36.14 Removing and Reinstalling IIS DLLs
- G.37 Windows Native Authentication
- G.38 WLST Commands for Multi-Data Centers
- G.38.1 enableMultiDataCentreMode
- G.38.2 disableMultiDataCentreMode
- G.38.3 addPartnerForMultiDataCentre
- G.38.4 removePartnerForMultiDataCentre
- G.38.5 setMultiDataCenterType
- G.38.6 setMultiDataCenterWrite
- G.38.7 setMultiDataCentreClusterName
- G.38.8 validateMDCConfig
- G.38.9 exportAccessStore
- G.38.10 importAccessStore
- G.39 Comparing Default Parameters and Values used in MDC Configuration for 11g and 12c
- G.40 WADL Generation Does not Show Description
- G.41 Safari Browser Does not Display Options Under the Configuration Tab of the OAM Console URL
- G.42 OAM Cookies Block the Fusion Page from Loading in Visual Builder after the 3rd Party Cookies are Deprecated