This appendix provides a look at sample artifacts that are either bundled with Access Manager, or generated during agent registration. This appendix includes the following sections:
This section provides the following topics:
This 10g OAM Agent and its companion Application Domain, described in Chapter 18, are available with 11.1.1.5. Oracle strongly recommends that you do not alter these definitions.

Note:

The original IDMDomainAgent is not available with this patch set. It remains as an artifact after you apply the patch set, but all of its content is removed.

The IAMSuiteAgent provides single sign-on functionality for the IDM Administration Console. It is installed and pre-configured as part of the OAM Server installation and configuration.
The IAMSuiteAgent is a domain-wide agent:
Once deployed, the IAMSuiteAgent is installed on every server in the domain
Unless disabled, every request coming into the WebLogic Application Server is evaluated and processed by the IAMSuiteAgent
Configuration details are located under the 10g Webgates node (Policy Configuration tab) in the Oracle Access Management Console
Certain IAMSuiteAgent configuration elements are available in the WebLogic Administration Console (in the Security Provider section) and others in the Oracle Access Management Console.
In the Security Provider section of the WebLogic Administration Console are five bootstrap configuration parameters. While Oracle recommends that you retain these without making changes, there are circumstances where you might need to change one of the following:

Primary Access Server: The default value (localhost:5575) only works when the OAM Server runs on the same host as the agent. Replace it with the host and OAP port of your actual OAM Server if more than one host is part of the IDM Domain.

Agent Password: By default there is no password. You can set one here to establish a password for the IAMSuiteAgent connection to the OAM Server over the NetPoint (now Oracle) Access Protocol (NAP or OAP). The same password must then be set on the agent registration page in the Oracle Access Management Console (Access Client Password).

The IAMSuiteAgent and its companion Application Domain (IAMSuite) replace the 11.1.1.3.0 IDM Domain Agent and its companion Application Domain.
Figure D-1 illustrates the default Security Provider settings for the IAMSuiteAgent.
Figure D-1 IAMSuiteAgent Settings in the WebLogic Administration Console
The IAMSuiteAgent registration page provides details about the agent, like all other OAM agent registration pages.
Security Mode: Open is the only security mode available for the IAMSuiteAgent and cannot be changed. In Open mode the OAP traffic between the agent and the OAM Server is not encrypted, so the Agent Password is the only protection on that connection; keep it on a trusted network segment.
Preferred Host: IAMSuiteAgent is the pre-configured host required by this agent
Note:

The Access Client Password here must match the Agent Password in the WebLogic Administration Console. If you changed the Agent Password, you must also change the Access Client Password.

Figure D-2 shows the IAMSuiteAgent page. Notice the User Defined Parameters, which tell the agent to fall back to the container policy in the WebLogic Server and provide a redirect URL for logout.
You can replace this agent with a 10g Webgate, as described in Chapter 23, "Registering and Managing 10g Webgates with Access Manager 11g".
Table D-1 outlines the differences between IAMSuiteAgent and 11g and 10g Webgates.
Table D-1 Comparing IAMSuiteAgent with 11g and 10g Webgates
Element | 11g Webgate | 10g Webgate | IAMSuiteAgent |
---|---|---|---|
Primary Cookie Domain | N/A | x | x |
Token Validity Period | x | N/A | N/A |
Preferred Host | x | x | x |
Logout URL | x | x | x |
Logout Callback URL | x | N/A | N/A |
Logout Redirect URL | x | N/A | N/A |
Logout Target URL | x | N/A | N/A |
Cache Pragma Header | x | x | x |
Cache Control Header | x | x | x |
User Defined Parameters | proxySSLHeaderVar=IS_SSL, URLInUTF8Format=true, client_request_retry_attempts=1, inactiveReconfigPeriod=10 | proxySSLHeaderVar=IS_SSL, URLInUTF8Format=true, client_request_retry_attempts=1, inactiveReconfigPeriod=10 | fallbackToContainerPolicy=true, logoutRedirectUrl=http://hostname.domain.com:14100/oam/server/logout, protectWebXmlSecuredPagesOnly=true |
Deny on Not Protected | x | x | x |
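The IAMSuiteAgent is configured in two places (the Security Provider settings in the WebLogic Administration Console and the registration page in the Oracle Access Management Console), and the appendix states several invariants between them: the two passwords must match, the security mode must be Open, the preferred host must be IAMSuiteAgent, localhost:5575 is only valid for a single-host domain, and the User Defined Parameters should carry the values listed in Table D-1. The following script, an added example rather than Oracle code, parses the User Defined Parameters string and checks those invariants. The dictionary field names, host names, the password and the sample values are constructed assumptions; the checked values come from the appendix.

```python
"""Consistency checks for the IAMSuiteAgent's two-sided configuration.

Added example, not Oracle code. Field names and sample data are assumptions.
"""
from urllib.parse import urlsplit

DEFAULT_PRIMARY_ACCESS_SERVER = "localhost:5575"  # default shown in the appendix
REQUIRED_SECURITY_MODE = "Open"                   # only mode the agent supports
REQUIRED_PREFERRED_HOST = "IAMSuiteAgent"
DEFAULT_LOGOUT_PATH = "/oam/server/logout"        # path of the Table D-1 logoutRedirectUrl
EXPECTED_USER_PARAMS = {                          # IAMSuiteAgent column of Table D-1
    "fallbackToContainerPolicy": "true",
    "protectWebXmlSecuredPagesOnly": "true",
}


def parse_user_defined_params(text):
    """Parse whitespace-separated key=value tokens into a dict.

    Split on the first '=' only, so a URL value with a query string survives.
    """
    params = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed user-defined parameter: {token!r}")
        params[key] = value
    return params


def check_iamsuite_agent(weblogic, console, domain_hosts):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    # Access Client Password (OAM console) must equal Agent Password (WebLogic).
    if weblogic["agent_password"] != console["access_client_password"]:
        findings.append("Agent Password (WebLogic) != Access Client Password (OAM console)")
    elif weblogic["agent_password"] == "":
        findings.append("no Agent Password set (the default); set one on both sides")
    if console["security_mode"] != REQUIRED_SECURITY_MODE:
        findings.append(f"security mode {console['security_mode']!r}; only Open is supported")
    if console["preferred_host"] != REQUIRED_PREFERRED_HOST:
        findings.append(f"preferred host {console['preferred_host']!r}; expected IAMSuiteAgent")
    # localhost:5575 only reaches an OAM Server on the same machine.
    if weblogic["primary_access_server"] == DEFAULT_PRIMARY_ACCESS_SERVER and len(domain_hosts) > 1:
        findings.append("Primary Access Server is still localhost:5575 in a multi-host domain")
    params = parse_user_defined_params(console["user_defined_parameters"])
    for key, expected in EXPECTED_USER_PARAMS.items():
        if params.get(key) != expected:
            findings.append(f"user-defined parameter {key}={params.get(key)!r}; expected {expected!r}")
    url = params.get("logoutRedirectUrl")
    if url is None:
        findings.append("logoutRedirectUrl missing from user-defined parameters")
    else:
        parts = urlsplit(url)
        if parts.path != DEFAULT_LOGOUT_PATH:
            findings.append(f"logoutRedirectUrl path {parts.path!r}; expected {DEFAULT_LOGOUT_PATH!r}")
        if parts.hostname not in domain_hosts:
            findings.append(f"logoutRedirectUrl host {parts.hostname!r} is not an OAM Server of this domain")
    return findings


# Constructed sample values standing in for the two consoles (assumptions).
SAMPLE_WEBLOGIC = {"primary_access_server": "oam1.example.com:5575", "agent_password": "s3cret"}
SAMPLE_CONSOLE = {
    "access_client_password": "s3cret",
    "security_mode": "Open",
    "preferred_host": "IAMSuiteAgent",
    "user_defined_parameters": (
        "fallbackToContainerPolicy=true "
        "logoutRedirectUrl=http://oam1.example.com:14100/oam/server/logout "
        "protectWebXmlSecuredPagesOnly=true"
    ),
}
SAMPLE_HOSTS = ["oam1.example.com", "oam2.example.com"]


def run_example():
    """Check the consistent sample, then the same sample after only the WebLogic password changed."""
    consistent = check_iamsuite_agent(SAMPLE_WEBLOGIC, SAMPLE_CONSOLE, SAMPLE_HOSTS)
    drifted = check_iamsuite_agent(dict(SAMPLE_WEBLOGIC, agent_password="changed"), SAMPLE_CONSOLE, SAMPLE_HOSTS)
    return consistent, drifted


if __name__ == "__main__":
    for label, findings in zip(("consistent", "drifted"), run_example()):
        print(label + ":", findings or "no findings")
```

Run it after any change to the Security Provider settings or the agent registration page; the drifted case reproduces the mismatch the Note above warns about, which otherwise only shows up as a failed agent connection to the OAM Server.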
Figure D-3 illustrates the resources protected by the IAMSuiteAgent, including the exact Authentication and Authorization policies. Oracle recommends that you do not make any additions or changes. The WebLogic Administration Console (/console) is protected.
Figure D-3 Resources Protected by the IAMSuiteAgent
The following figures present the Authentication Policies in the IAM Suite Application Domain:
Figure D-4, "IAMSuite Authentication Policy: OAM Admin Console Policy"
Figure D-5, "Protected HigherLevel Policy: Authentication, LDAP Scheme"
Figure D-6, "Protected LowerLevel Policy: Authentication, OIMScheme"
Figure D-7, "Public Policy: Authentication, AnonymousScheme"
Figure D-4 IAMSuite Authentication Policy: OAM Admin Console Policy
Figure D-5 Protected HigherLevel Policy: Authentication, LDAP Scheme
Figure D-6 Protected LowerLevel Policy: Authentication, OIMScheme
Figure D-7 Public Policy: Authentication, AnonymousScheme
IAM Suite Authorization Policy
Figure D-8 presents the Authorization Policy in the IAM Suite Application Domain. By default, no explicit conditions or responses are defined. However, you can add any that are appropriate for your environment.
Figure D-8 IAM Suite Authorization Policy
IAM Suite Token Issuance Policy
Figure D-9 presents the IAM Suite Token Issuance Policy in the IAM Suite Application Domain. By default, no explicit conditions are defined. However, you can define any that are needed in your environment.
Figure D-9 IAM Suite Token Issuance Policy and Resource URLs
This section shows the custom authentication module, host identifier, Application Domain, and policies generated during OpenSSO Agent provisioning.
Generated Authentication Policy: OpenSSOAgent Application Domain
Generated Authorization Policy: OpenSSOAgent Application Domain
Figure D-10 shows the OpenSSOAgent Custom Authentication Module: OpenSSOAgentAuthPlugin.