List of Figures
1-1 Oracle Access Management Overview
1-2 Access Manager 11g Components and Services
1-3 Access Manager 11g Component Distribution
1-4 Oracle STS Architecture
1-5 Oracle STS Token Support
1-6 Token Translation at a Centralized Authority
1-7 Translating Tokens Behind a Firewall
1-8 Web Services SSO
2-1 Default Oracle Access Management Console Log In Page
2-2 Sign Out Link, Oracle Access Management Console
2-3 Oracle Access Management Console Welcome Page
2-4 Navigation Trees with Menu and Tool Bars
2-5 Menu and Tool Bar Above Common Configuration Navigation Tree
2-6 View Menu
2-7 Actions Menu
2-8 Tabs of Open Pages, and Page Controls
2-9 Sample OAM Agent Search Page
3-1 Common Configuration Nodes in the System Configuration
3-2 System Configuration, Available Services Page (right)
3-3 Common Settings Page (Collapsed View)
3-4 Common Coherence Settings
3-5 OCSP/CDP Settings for Global Certificate Validation
3-6 Certificate Revocation List Dialog Box
4-1 Creating User Identity Store Registration
4-2 System Store Registration
4-3 Default and System Store Options within a Registration Page
4-4 Designated Store within a Registration Page
4-5 Common Settings Page: Default and System Identity Stores
4-6 System Store Registration with Access System Administrators Section
4-7 Add System Administrator Roles
5-1 OAM Server Registration Page with Proxy Tab Displayed
5-2 Coherence Page and Values for an Individual OAM Server
7-1 Log-Level Activation in the Default Log Configuration File
8-1 Audit to Database Architecture
8-2 Common Settings: Auditing Configuration
10-1 Server Processes Overview Page
10-2 OAM Server Metrics: Session Operations Monitoring Page
10-3 OAM Server Metrics: Server Operations Tab
10-4 OAM Server Metrics: OAM Agents Tab
10-5 OAM Agent Metrics: Monitoring Characteristics
10-6 OAM Agent Metrics: Detached Connectivity Table
10-7 OAM Agent Metrics: Detached Operations Overview Table
10-8 OAM Agent Metrics: Detached Operations Detail Table
10-9 OAM Agent Metrics: Detached Information Table
10-10 OSSO Agent Monitoring Page with Operation Details
10-11 OSSO Agent Monitoring Process Overview Table
10-12 OSSO Agent Information Table
11-1 Fusion Middleware Control (AS-Control) Deployment Architecture
11-2 OAM Farm Page in Fusion Middleware Control
11-3 Farm Navigation Tree in Fusion Middleware Control
11-4 Node Information Page in Fusion Middleware Control
11-5 Application Deployment Summary for the Selected Internal Application
11-6 Application Deployment Menu
11-7 WebLogic Server Domain Summary with Context Menu Exposed
11-8 Cluster Page
11-9 Key Metrics for Server Pages
11-10 Aggregated Access Manager Component Metrics for the Cluster
11-11 Access Manager Component Metrics for a Single OAM Server Instance
11-12 Aggregated STS Component Metrics for the Cluster
11-13 STS Component Metrics for an Individual OAM Server Instance
11-14 Performance Summary Command
11-15 Performance Summary Page with Metric Palette
11-16 Access Manager Log Levels on the Log Configuration Tab
11-17 Log Levels for Security Token Service
11-18 Log Files Configuration Page
11-19 Typical Log Messages Page in Fusion Middleware Control
11-20 System MBean Browser and Attributes Tab
11-21 Routing Topology with Context Menu
12-1 Access Manager Settings
12-2 Access Manager Settings: Load Balancer
12-3 Access Manager Settings: Server Error Mode
12-4 Access Manager Settings: SSO
12-5 Common Policy Evaluation Caches
14-1 Create OAM 11g Webgate Page
14-2 Confirmation Window and Expanded 11g Webgate Page with Defaults
14-3 Webgate Search Controls and Create ... Buttons
14-4 Key Generation
15-1 Session Data and the Role of Oracle Coherence
15-2 Session Details: Common Settings Page
15-3 Common Configuration: Session Management Page
16-1 Access Manager 11g Policy Model
16-2 Access Manager Shared Policy Components
16-3 Anatomy of Access Manager Policies
16-4 SSO Log-in with Embedded Credential Collector and OAM Agents
16-5 Example: Separate Resource Webgate and DCC Webgate Deployment
16-6 Combined DCC and Webgate Configuration
16-7 SSO Login Processing with OSSO Agents and ECC
17-1 Default HTTP Resource Type Definition
17-2 Default Resource Type wl_authen
17-3 Default Resource Type TokenServiceRP Resource Type
17-4 Host Identifier Page
17-5 Native Kerberos Authentication Module
17-6 Native LDAP Authentication Module
17-7 Native X509 Authentication Module
17-8 Access Manager Plug-ins for Customized Authentication Modules
17-9 Creating Custom Authentication Modules: General
17-10 Adding a Step and Associating a Plug-in
17-11 Plug-in Based Authentication Module Steps and Details
17-12 Steps Orchestration for Plug-in Based Authentication Modules
17-13 Oracle-provided Plug-in Based Authentication Modules
17-14 KerberosPlugin
17-15 Default KerberosPlugin Steps and Details
17-16 Default KerberosPlugin Steps and Orchestration
17-17 LDAPPlugin
17-18 Default LDAPPlugin Steps and Details
17-19 Default Orchestration of Steps for LDAPPlugin
17-20 X509Plugin
17-21 X509Plugin Default Steps and Details
17-22 Default Orchestration for X509Plugin Steps
17-23 Password Policy Validation Module Plug-ins
17-24 Steps Orchestration: Password Policy Validation Plug-ins
17-25 StandardLevelCheck-2 and SensitiveLevelCheck-6 Modules
17-26 Plug-ins Page
17-27 Plugin Details: Activation Status of Selected Plug-in
17-28 Default LDAPScheme Page
17-29 Password Policy Configuration Page
17-30 Default Store with New Administrator Designated
17-31 Password Policy Validation Authentication Module with Orchestrated Plug-ins
17-32 Step Orchestration for Password Policy Validation Module
17-33 Sample ECC PasswordPolicyValidationScheme
17-34 Sample DCC PasswordPolicyValidationScheme
17-35 Server Error Mode for Password Management
18-1 Application Domains Search Page
18-2 Summary Tab: Generated Application Domain
18-3 Search Results for Resources in an Application Domain
18-4 Authentication Policies Tab
18-5 Authentication Policy Page: Resources and Responses
18-6 Authorization Policies Page
18-7 Individual Authorization Policy Page
18-8 Individual Authorization Policy Resources Tab
18-9 Token Issuance Policies Page
18-10 Fresh Application Domain Summary Page
18-11 Fresh Resources (Definition) Page in the Application Domain
18-12 HTTP Resources, Query String Resource URL Controls
18-13 Sample Resource Definitions Search within an Application Domain
18-14 Sample Search Results for Resource Definitions in an Application Domain
18-15 Sample Authentication Policies Page in the Application Domain
18-16 Sample Individual Authentication Policy Page
18-17 Sample Individual Authorization Policy Page
18-18 Authorization Policies Page
18-19 Authorization Policy Response in the Console
18-20 Simple Response Samples
18-21 Complex Response Sample
18-22 Individual Authorization Policy Conditions Tab
18-23 Add Condition Window
18-24 Condition Containers on the Authorization Policy Page
18-25 Add Identities Window
18-26 Identity Condition and Details
18-27 Add Search Filter Controls
18-28 Identity Conditions: Details
18-29 IP4 Range Conditions
18-30 Temporal Condition Type Details Page
18-31 Attribute Conditions Page
18-32 Add Attributes Dialog
18-33 Authorization Policy Rules Tab: Simple Mode
18-34 Rules Tab: Expression Rule Mode
19-1 OAM Agent (PEP) and OAM Server (PDP) Inter-operability
19-2 User Interactions with the Access Tester
19-3 Access Tester Console
19-4 Server Connection Panel in the Access Tester
19-5 Protected Resource URI Panel in the Access Tester
19-6 Access Tester User Identity Panel
19-7 Test Case Workflow
21-1 Typical Deployment with OpenSSO and Access Manager
21-2 New OpenSSO Agent Page
21-3 Expanded OpenSSO Web Agent Registration Page
21-4 Expanded OpenSSO J2EE Agent Registration Page
22-1 Create OSSO Agent Page
22-2 OSSO Agent Page and Confirmation Window
28-1 Available Services Page
29-1 New Identity Provider Page, Service Details Loaded from Metadata
29-2 New Identity Provider Page, Service Details Entered Manually
29-3 Searching for Identity Providers
29-4 Updating an Identity Provider
30-1 Identity Federation Service Settings Page
30-2 General Section of Federation Settings Page
30-3 Federation Proxy Settings
30-4 Keystore Settings
31-1 FederationScheme
31-2 FederationPlugin
31-3 FederationPlugin Orchestration
31-4 Setting Up the Authentication Policy with FederationScheme
31-5 OIFScheme
31-6 OIFMTLDAPPlugin
31-7 Authorization Policy Response Tab
31-8 Adding a Federation Response Attribute to an AuthZ Policy
32-1 Typical Token Ecosystem
32-2 Identity Propagation with the OAM Token
32-3 Process Flow During Identity Propagation
32-4 Identity Propagation Deployment
32-5 Identity Propagation Processing
32-6 Required v1.0 WebLogic Server Identity Assertion Providers
32-7 IAP-Security Token Service Details
32-8 LDAP Provider: IAP-DSEE
32-9 Default Identity Store Defined in Access Manager
32-10 Token Issuance Policy for Identity Propagation
32-11 /wssuser Endpoint for Identity Assertion
32-12 Default Identity Store Defined for Access Manager
32-13 Token Issuance Policy for Identity Propagation
32-14 /wss11user Endpoint for Identity Assertion
33-1 Default Endpoints, Policies, and Validation Templates
33-2 WS-Security 1.0 and 1.1 Policies
33-3 Available Services Panel
33-4 Security Token Service Page
35-1 Validation Templates Search Controls
35-2 Issuance Template Search Controls
35-3 Issuance Template: General Details and Defaults
35-4 Issuance Properties: Username Token Type
35-5 Issuance Properties: SAML Token Types
35-6 Security Details: SAML Tokens
35-7 New Validation Template page: General Page Defaults
35-8 New Validation Template: General Authentication Details
35-9 Token Mapping: SAML2 WS-Security Validation Template
35-10 Token Mapping, username-wstrust-validation-template
35-11 Token Mapping: x509-wss-validation-template
35-12 Endpoints Page
35-13 Token Issuance Policies and Conditions
35-14 Pre-defined Resource Type: TokenServiceRP
35-15 Search: Resource Type TokenServiceRP in Application Domain
35-16 New Custom Token Page
35-17 Custom Token Definition: email
35-18 Custom Tokens Search Page and Controls
35-19 General Details: email-wstrust-valid-temp
35-20 Token Mapping: email-wstrust-valid-temp
35-21 General Details: email-issuance-temp
35-22 Issuance Properties: email-issuance-temp
36-1 New Requester Partner Page
36-2 New Relying Party Partners Page
36-3 Defined Requester Partner
36-4 Partner Search Controls
36-5 Requester Profile: General
36-6 Requester Profile: Token and Attributes
36-7 Relying Party Profile Token and Attributes
36-8 Token and Attributes: Issuing Authority
36-9 Issuing Authority Profile: Token Mapping Tab
36-10 Search Profiles Page: Requester
38-1 First Time Device/Application Registration and Authentication Process
38-2 Mobile SSO Agent Requests Access Token from Access Manager
38-3 Mobile SSO Agent Has Valid Access Token in Credential Store
38-4 Mobile SSO Agent Does Not Have Valid Access Token in Credential Store
38-5 User Authentication Using REST
38-6 Authenticating User From Browser-based Web App on Registered Mobile Device
38-7 Authenticating a Returning User with a Local Account
38-8 Authenticating a New User with No Local Account
38-9 Authenticating a User With an OAuth Identity Provider
38-10 Authenticating a User with Access Manager
38-11 Authenticating a User Locally
40-1 Internet Identity Account Linking
42-1 End to End Identity Context Process
42-2 End To End Identity Context Process Components
42-3 Identity Context Process Flow
42-4 OAM Authentication Provider Configuration
45-1 Various Clients Deployed on JBoss Application Server
45-2 JBoss Agent Deployed with an Oracle HTTP Server Webgate
45-3 Sample Integration Topology
46-1 Setting up a Trusted User Account for Windows Impersonation
46-2 Configuring Rights for the Trusted User in Windows Impersonation
46-3 Registering the Impersonation Module
46-4 Verifying Event Viewer Settings
46-5 Impersonation Authentication
47-1 Setting up a Trusted User Account for Windows Impersonation
47-2 Configuring Rights for the Trusted User in Windows Impersonation
47-3 Sample Webgate Registration Page
47-4 Impersonation Response in an Application Domain
47-5 Verifying Event Viewer Settings
47-6 Webgate Registration Page
47-7 Impersonation Authentication
C-1 Communication Channels for OAM Servers and Webgates
D-1 IAMSuiteAgent Settings in the WebLogic Administration Console
D-2 IAMSuiteAgent Registration
D-3 Resources Protected by the IAMSuiteAgent
D-4 IAMSuite Authentication Policy: OAM Admin Console Policy
D-5 Protected HigherLevel Policy: Authentication, LDAP Scheme
D-6 Protected LowerLevel Policy: Authentication, OIMScheme
D-7 Public Policy: Authentication, AnonymousScheme
D-8 IAM Suite Authorization Policy
D-9 IAM Suite Token Issuance Policy and Resource URLs
D-10 Generated Authentication Module: OpenSSOAgentAuthPlugin
D-11 Generated Host Identifier: OpenSSOAgent
D-12 Generated Application Domain: OpenSSOAgent
D-13 Application Domain Resources: OpenSSOAgent
D-14 Generated Authentication Policy: OpenSSOAgent Application Domain
D-15 Generated Authorization Policy: OpenSSOAgent Application Domain
D-16 Migrated User Identity Store: OpenSSO
D-17 Migrated Agent: OpenSSO
D-18 Migrated Authentication Module: OpenSSO
D-19 Migrated Host Identifier: OpenSSO
D-20 Migrated Application Domain: OpenSSO
D-21 Migrated Resources: OpenSSO
D-22 Migrated Authentication Policy: OpenSSO
D-23 Migrated Authorization Policy2 Condition: OpenSSO
D-24 Migrated Authorization Policy2: IP Condition Details