Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management
11g Release 2 (11.1.2)

Part Number E27239-03
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

D Reviewing Bundled, Generated, and Migrated Artifacts

This appendix provides a look at sample artifacts that are either bundled with Access Manager, or generated during agent registration. This appendix includes the following sections:

D.1 Bundled 10g IAMSuiteAgent Artifacts

This section provides the following topics:

D.1.1 Pre-Registered 10g IAMSuiteAgent

This 10g OAM Agent, and the companion Application Domain, described in Chapter 17, are available with 11.1.1.5. Oracle strongly recommends that you do not alter these definitions.

Note:

The original IDMDomainAgent is not available with this patch set. It remains as an artifact after you apply the patch set. However, all content is removed.

The IAMSuiteAgent provides single sign-on functionality for the IDM Administration Console. The IAMSuiteAgent is installed and pre-configured as part of the OAM Server installation and configuration.

The IAMSuiteAgent is a domain-wide agent:

  • Once deployed, the IAMSuiteAgent is installed on every server in the domain

  • Unless disabled, every request coming into the WebLogic Application Server is evaluated and processed by the IAMSuiteAgent

  • Configuration details are located under the 10g Webgates node (Policy Configuration tab) in the Oracle Access Management Console

Certain IAMSuiteAgent configuration elements are available in the WebLogic Administration Console (in the Security Provider section) and others in the Oracle Access Management Console.

D.1.2 IAMSuiteAgent Security Provider Settings, WebLogic Administration Console

In the Security Provider section of the WebLogic Administration Console are five bootstrap configuration parameters.

While Oracle recommends that you retain these without making changes, there are circumstances where you might need to change one of the following parameters:

  • Primary Access Server: You can replace this value with information for your actual OAM Server. The default value (localhost:5575) can be replaced with information for your actual OAM Server if more than one host is part of the IDM Domain. The IAM Suite Agent and companion Application Domain (IAMSuite) replaces the 11.1.1.3.0 IDM Domain Agent and its companion Application Domain.Agent Password: By default there is no password. However, you can add one here if you want to establish a password for the IAMSuiteAgent connection to the OAM Server through the NetPoint (now Oracle) Access Protocol (NAP or OAP).

Figure D-1 illustrates the default Security Provider settings for the IAMSuiteAgent.

Figure D-1 IAMSuiteAgent Settings in the WebLogic Administration Console

IAMSuiteAgent Configuration, WebLogic Console
Description of "Figure D-1 IAMSuiteAgent Settings in the WebLogic Administration Console"

D.1.3 IAMSuiteAgent Registration

The IAMSuiteAgent registration page provides details about the agent, like all other OAM agent registration pages.

  • Security Mode: Open is the only security mode available for the IAMSuiteAgent. This cannot be changed.

  • Preferred Host: IAMSuiteAgent is the pre-configured host required by this agent

Note:

The Access Client Password here must match the Agent Password in the WebLogic Administration Console. If you changed the Agent Password, you must also change the Access Client Password.

Figure D-2 shows the IAMSuiteAgent page. Notice the User Defined Parameter, which informs behavior to fall back to the container policy in the WebLogic Server and provides a redirect URL for logout.

Figure D-2 IAMSuiteAgent Registration

IAMSuiteAgent Characteristics
Description of "Figure D-2 IAMSuiteAgent Registration"

You can replace this agent with a 10g Webgate, as described in Chapter 22, "Registering and Managing 10g Webgates with Access Manager 11g".

Table D-1 outlines the differences between IAMSuiteAgent and 11g and 10g Webgates.

Table D-1 Comparing IAMSuiteAgent with 11g and 10g Webgates

Element 11g Webgate 10g Webgate IAMSuiteAgent

Primary Cookie Domain

N/A

x

x

Token Validity Period

x

N/A

N/A

Preferred Host

x

x

x

Logout URL

x

x

x

Logout Callback URL

x

N/A

N/A

Logout Redirect URL

x

N/A

N/A

Logout Target URL

x

N/A

N/A

Cache Pragma Header

Cache Control Header

x

x

x

x

x

x

User Defined Parameters

proxySSLHeaderVar=IS_SSL
URLInUTF8Format=true
client_request_retry_attempts=1
inactiveReconfigPeriod=10
proxySSLHeaderVar=IS_SSL
URLInUTF8Format=true

client_request_retry_attempts=1
inactiveReconfigPeriod=10
fallbackToContainerPolicy=true
logoutRedirectUrl=http://hostname.domain.com:14100/oam/server/logout
protectWebXmlSecuredPagesOnly=true

Deny on Not Protected

x

x

x


D.1.4 Resources Protected by IAMSuiteAgent

Figure D-3 illustrates the resources protected by the IAMSuiteAgent, including the exact Authentication and Authorization policies. Oracle recommends that you do not make any additions or changes. The WebLogic Administration Console (/console) is protected.

Figure D-3 Resources Protected by the IAMSuiteAgent

IAMSuiteAgent Protected Resources
Description of "Figure D-3 Resources Protected by the IAMSuiteAgent"

D.1.5 Pre-seeded IAM Suite Application Domain and Policies

The following figures present Authentication Policies in the IAM Suite Application Domain:

Figure D-4 IAMSuite Authentication Policy: OAM Admin Console Policy

Policy, Scheme, and Resources
Description of "Figure D-4 IAMSuite Authentication Policy: OAM Admin Console Policy"

Figure D-5 Protected HigherLevel Policy: Authentication, LDAP Scheme

Protected HigherLevel Policy
Description of "Figure D-5 Protected HigherLevel Policy: Authentication, LDAP Scheme"

Figure D-6 Protected LowerLevel Policy: Authentication, OIMScheme

Protected LowerLevel Policy
Description of "Figure D-6 Protected LowerLevel Policy: Authentication, OIMScheme "

Figure D-7 Public Policy: Authentication, AnonymousSheme

Public Policy
Description of "Figure D-7 Public Policy: Authentication, AnonymousSheme"

IAM Suite Authorization Policy

Figure D-8 presents Authorization Policy in the IAM Suite Application Domain. By default, no explicit conditions or responses are defined. However, you can add any that are appropriate for your environment.

Figure D-8 IAM Suite Authorization Policy

IAM Suite Authorization Policy
Description of "Figure D-8 IAM Suite Authorization Policy"

IAM Suite Token Issuance Policy

Figure D-9 presents IAM Suite Token Issuance Policy in the IAM Suite Application Domain. By default, there are no explicit conditions defined. However, you can define any that are needed in your environment.

Figure D-9 IAM Suite Token Issuance Policy and Resource URLs

IAM Suite Token Issuance Policy
Description of "Figure D-9 IAM Suite Token Issuance Policy and Resource URLs"

D.2 Generated Artifacts: OpenSSO

This section shows the custom authentication module, host identifier, Application Domain, and policies generated during OpenSSO Agent provisioning.

D.2.1 Generated OpenSSOAgentAuthPlugin

Figure D-10 shows the OpenSSOAgent Custom Authentication Module: OpenSSOAgentAuthPlugin.

Figure D-10 Generated Authentication Module: OpenSSOAgentAuthPlugin

Surrounding text describes Figure D-10 .

D.2.2 Generated Host Identifier: OpenSSOAgent

Figure D-11 Generated Host Identifier: OpenSSOAgent

Surrounding text describes Figure D-11 .

D.2.3 Generated Application Domain: OpenSSOAgent

Figure D-12 Generated Application Domain: OpenSSOAgent

Surrounding text describes Figure D-12 .

D.2.4 Generated Resources: OpenSSOAgent

Figure D-13 Application Domain Resources: OpenSSOAgent

Surrounding text describes Figure D-13 .

D.2.5 Generated Authentication Policy: OpenSSOAgent Application Domain

Figure D-14 Generated Authentication Policy: OpenSSOAgent Application Domain

Surrounding text describes Figure D-14 .

D.2.6 Generated Authorization Policy: OpenSSOAgent Application Domain

Figure D-15 Generated Authorization Policy: OpenSSOAgent Application Domain

Surrounding text describes Figure D-15 .

D.3 Migrated Artifacts: OpenSSO

This section shows the artifacts that are migrated when you use Oracle-provided tools to analyze and migrate an OpenSSO environment to Oracle Access Management Console.

D.3.1 Migrated User Identity Store: OpenSSO

Figure D-16 Migrated User Identity Store: OpenSSO

Surrounding text describes Figure D-16 .

D.3.2 Migrated Agents: OpenSSO

Figure D-17 Migrated Agent: OpenSSO

Surrounding text describes Figure D-17 .

D.3.3 Migrated Authentication Module: OpenSSO

Figure D-18 Migrated Authentication Module: OpenSSO

Surrounding text describes Figure D-18 .

D.3.4 Migrated Host Identifier: OpenSSO

Figure D-19 Migrated Host Identifier: OpenSSO

Surrounding text describes Figure D-19 .

D.3.5 Migrated Application Domain: OpenSSO

Figure D-20 Migrated Application Domain: OpenSSO

Surrounding text describes Figure D-20 .

D.3.6 Migrated Resources: OpenSSO

Figure D-21 Migrated Resources: OpenSSO

Surrounding text describes Figure D-21 .

D.3.7 Migrated Authentication Policy: OpenSSO

Figure D-22 Migrated Authentication Policy: OpenSSO

Surrounding text describes Figure D-22 .

D.3.8 Migrated Authorization Policy: OpenSSO

Figure D-23 Migrated Authorization Policy2 Condition: OpenSSO

Surrounding text describes Figure D-23 .

Figure D-24 Migrated Authorization Policy2: IP Condition Details

Surrounding text describes Figure D-24 .