Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Access Management
11g Release 2 (11.1.2)

Part Number E27239-03
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

What's New in This Guide?

This section describes changes and updates to this book. See the following sections for details:

November 2012 Book Refresh

The following information has been added or updated:

August 2012 Book Refresh

This book has been updated to address reported issues. Global updates include cosmetic changes and updated screens.

See Also:

The following topics are new or updated in this release.

Product Enhancements in Oracle Access Management 11.1.2.0.0

Oracle Access Management 11.1.2.0.0 provides new functions and enhancements outlined in following topics:

Access Management Services

Several previously separate access products of the Oracle Identity Management portfolio are combined into one product: Oracle Access Management.

See Also:

Access Tester

The Access Tester can validate the connections in the pool and make cache flush (SYNC_INFO) requests to be sent over a connection that is already established; instead of using out-of-band connection for cache flush requests.

See Also:

Chapter 18, "Validating Connectivity and Policies Using the Access Tester"

Attribute Type Authorization Condition

Authorization conditions enable you to implement dynamic security policies and resulted in changes to the Policy Configuration interface in the Oracle Access Management Console:

Deprecation

Standard Authentication Modules (LDAP, Kerberos, and X509) are targeted for deprecation in future releases. Oracle strongly recommends using native or custom Plug-ins rather than standard Authentication Modules.

See Also:

Detached Credential Collection

Detached credential collection is an additional capability of the 11g Webgate (OAM Agent). This is required for secure dynamic multi-factor/multi-step authentication. You can easily enable the 11g Webgate to use as a DCC; or continue using the embedded credential collector (ECC) in the OAM Server.

See Also:

"Configuring 11g Webgate and Authentication Policy for DCC"

Dynamic Multi-Factor/Multi-Step Authentication

Multi-factor authentication requires a custom authentication plug-in to transmit information to the back-end authentication scheme several times during the login process. All information collected by the plug-in and saved in the context will be available to the plug-in through the authentication process. Context data can also be used to set cookies or headers in the user's login page.

See Also:

Identity Context

Identity Context leverages the context-aware policy management and authorization capabilities built into the Oracle Access Management platform. Identity Context secures access to resources using traditional security controls (roles and groups) as and dynamic data established during authentication and authorization (strength, risk levels, device trust, and so on).

See Also:

Chapter 41, "Using Identity Context"

Integration with Third Party Products

Details of integrating Access Manager with third-party products have moved from the earlier Oracle Fusion Middleware Integration Guide for Oracle Access Manager to this book. The following integrations are supported:

See Also:

Part XI, "Integrating Access Manager with Other Products"

LDAP Search Filters in Identity Conditions

Access Manager authorization conditions accept a list of users, groups, and LDAP search filters as part of allowed or denied identities. LDAP search filters provide a simple way of specifying a target identity population without having to reorganize or create new groups in the identity store (directory server). This brings to Access Manager 11g, parity with Oracle Access Manager 10g.

See Also:

"About LDAP Search Filter Support in Identity Conditions"

Leverage SubjectAltName Extension Data/Integrate with Multiple OCSP Endpoints

Access Manager support for personal identity verification (PIV) cards (a United States Federal smart card), is to use FASC-N and EDIPI attributes from the SubjectaltName extension to map the user during X.509 authentication. While multiple OCSP providers are not supported, you can use an OCSP Gateway or write a custom authentication plug-in that uses the OSDT OCSP APIs to validate against multiple OCSP providers.

See Also:

Mobile and Social

Mobile and Social serves as an intermediary between a user seeking to access protected resources, and the back-end Oracle Access Management and Oracle Identity Management services that protect those resources. Mobile and Social services' pluggable architecture enables Administrators to add, modify, and remove Identity and Access Management services without having to update user installed software.

See Also:

Part IX, "Managing Oracle Access Management Mobile and Social"

Multiple Identity Store Support

Administrators can install multiple user identity stores for Access Manager. Each identity store can rely on a different LDAP provider. Each authentication module (or plug-in within an authentication step) can be configured to use a specific user identity store.

See Also:

OpenSSO Support

Access Manager supports Web and Java Agents deployed on Web or J2EE containers. Each OpenSSO Agent is a filter that is plugged into the container (Oracle WebLogic Server, JBoss, Apache, and so on) that hosts applications.

Access Manager provides an OpenSSO Proxy to handle requests for resources protected by OpenSSO Agents. The Oracle-provided OpenSSO Proxy facilitates single sign-on to OpenSSO Agent-protected applications by enabling communication between the agent and the OAM Server.

See Also:

Password Policy Management

Access Manager enables password policy management through the Oracle Access Management Console. The global password policy applies to Access Manager users when the Password Policy Validation Module is implemented. The password policy is stored within the policy store and applies to all resources protected by Access Manager.

See Also:

Query String Name and Value Parameters in a Resource Definition Pattern

The Policy Model supports Query String Name and Value Parameters in a Resource Pattern Definition:

See Also:

Resource Type TokenServiceRP for Non-Browser Client-enabled Webgate

A TokenServiceRP type resource represents resources for, and is based on, the Token Service Relying Party (required for non-browser clients such as Identity Connect).

See Also:

"Managing TokenServiceRP Type Resources in Application Domains"

RESTful Services

Oracle Access Management supports programmatic RESTful services.

See Also:

Oracle Fusion Middleware Developer's Guide for Oracle Access Management

Shared Secret Key: Access Client and Software Developer Kit Enhancement

Custom Access Clients developed using the Access Manager 11g Access Software Developer Kit support the 11g Shared Secret Key Per Agent (Webgate or Access Client) security feature. Each agent has its own secret key that is shared between the Access Client and the OAM Server to encrypt or decrypt the host-based Access-Client-specific OAMAuthnCookie. Even if one Access Client is compromised, the impact is limited to that particular Access Client; no other Access Clients are affected.

Note:

There is no impact to existing 10g ASDK users. Oblix class wrappers can be modified to create Access Client instances with 10g mode transparently. However, to operate in 11g compatible mode, Oracle java APIs should be used.

Access Manager 11g Pure Java ASDK provides both Oracle Java APIs (in oracle.security.am.asdk packages) and Oblix Java APIs (in com.oblix.access packages). Access Manager 11g Pure Java Access Clients:

See Also:

Oracle Fusion Middleware Developer's Guide for Oracle Access Management

Token Issuance Policy for Mobile and Social

A Token Issuance Policy is required for clients for Mobile and Social performing authentication and authorization.

See Also:

Part IX, "Managing Oracle Access Management Mobile and Social" for details about Mobile and Social Authentication Service

Tuning Performance

A survey of topics is provided to help tune a deployed Oracle Access Management environment to ensure optimal performance and stability.

See Also:

Oracle Fusion Middleware Performance and Tuning Guide

User-Defined Parameters: 11g Webgate

11g Webgate works with browser clients. However, there are cases where a non-browser (Representational State Transfer (REST) client needs to access HTTP resources and perform authentication and authorization.

See Also:

Product and Component Name Changes with 11.1.2

Oracle Access Management provided some product and component name changes, as shown in the following table.

Item In Oracle Access Management 11.1.2 In Oracle Access Management 11.1.1

Services

Access Manager

Identity Federation

Security Token Service

Mobile and Social

Identity Context (always enabled)

Access Manager

N/A

Security Token Service

N/A

Agents

Webgate (OAM Agent)

Access Client (OAM Agent)

OSSO Agent

OpenSSO Agent

Webgate (OAM Agent)

Access Client (OAM Agent)

OSSO Agent

N/A

Console Names

Oracle Access Management Console

Oracle Access Manager Console

Administrators

Administrator or Oracle Access Management Administrator

Oracle Access Manager Administrator

Agent and Application Domain Registration

Policy Creation

Oracle Access Management Console

Remote registration tool for automated Agent registration, Application Domain creation with default security policies.

Oracle Access Manager Console

Remote registration tool

Authorization

Conditions and Rules

Constraints