Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in Oracle Access Management?
Guide Changes: 11g Release 2 Patch Set 1 (11.1.2.1)
Guide Changes: 11g Release 2 (11.1.2) November 2012 Library Refresh
New Features in 11g Release 2 (11.1.2)
New Features in 11g Release 1 (11.1.1)
Product and Component Name Changes
Part I Introduction
1
Developing with Oracle Access Management Components
1.1
About Oracle Access Management
1.2
About Access Manager
1.3
About Mobile and Social
1.4
About Identity Federation
1.5
About Security Token Service
1.6
System Requirements and Certification
Part II Developing with Access Manager
2
Developing Access Clients
2.1
About Developing Access Clients
2.1.1
About the Access SDK and APIs
2.1.2
About Installing Access SDK
2.1.3
About Custom Access Clients
2.1.3.1
When to Create a Custom Access Client
2.1.3.2
Access Client Architecture
2.1.4
About Access Client Request Processing
2.2
Developing Access Clients
2.2.1
Structure of an Access Client
2.2.2
Typical Access Client Execution Flow
2.2.3
Sample Code: Simple Access Client
2.2.4
Annotated Sample Code: Simple Access Client
2.2.5
Sample Code: Java Login Servlet
2.2.6
Annotated Sample Code: Java Login Servlet
2.2.7
Sample Code: Additional Methods
2.2.8
Annotated Sample Code: Additional Methods
2.2.9
Sample Code: Certificate-Based Authentication in Java
2.3
Messages, Exceptions, and Logging
2.3.1
Messages
2.3.2
Exceptions
2.3.3
Logging
2.4
Building an Access Client Program
2.4.1
Setting the Development Environment
2.4.2
Compiling a New Access Client Program
2.5
Configuring and Deploying Access Clients
2.5.1
Task Overview: Configuring and Deploying a Custom Access Client
2.5.2
Configuration Requirements
2.5.3
Generating the Required Configuration Files
2.5.4
SSL Certificate and Key Files
2.5.4.1
Simple Transport Security Mode
2.5.4.2
Cert Transport Security Mode
2.6
Compatibility: 11g versus 10g Access SDK and APIs
2.6.1
Compatibility of the 11g Access SDK
2.6.2
Compatibility of 10g JNI ASDK and 11g Access SDK
2.6.3
Deprecated: 10g JNI ASDK
2.7
Migrating Earlier Applications or Converting Your Code
2.7.1
Modifying Your Development and Runtime Environment
2.7.2
Migrating Your Application
2.7.2.1
Configuration Specific to Migration
2.7.3
Converting Your Code
2.7.3.1
Understanding Differences Between 10g JNI ASDK and 11g Access SDK
2.7.3.2
Converting Code
2.8
Best Practices
2.8.1
Avoiding Problems with Access Clients
2.8.1.1
Thread Safe Code
2.8.2
Identifying and Resolving Access Client Problems
2.8.3
Resolving Environment Problems
2.8.3.1
Java EE Containers
2.8.3.2
Oracle WebLogic Server
2.8.3.3
Other Application Servers
2.8.4
Tuning for High Load Environment
3
Developing Custom Authentication Plug-ins
3.1
Introduction to Authentication Plug-ins
3.1.1
About the Custom Plug-in Life Cycle
3.1.2
About Planning, the Authentication Model, and Plug-ins
3.2
Introduction to Multi-Step Authentication Framework
3.2.1
About the Multi-Step Framework
3.2.2
Process Overview: Multi-Step Authentication
3.2.3
About the PAUSE State
3.2.4
About Information Collected
3.2.4.1
UserContextData
3.2.4.2
UserActionContext
3.2.4.3
UserAction
3.2.4.4
UserActionMetaData
3.3
Introduction to Plug-in Interfaces
3.3.1
About the Plug-in Interfaces
3.3.1.1
GenericPluginService
3.3.1.2
AuthnPluginService
3.3.2
About Plug-in Hierarchies
3.4
Sample Code: Custom Database User Authentication Plug-in
3.4.1
Sample Code: Database User Authentication Plug-in
3.4.2
Sample Plug-in Configuration Metadata Requirements
3.4.3
Sample Manifest File for the Plug-in
3.4.4
Plug-in JAR File Structure
3.5
Developing an Authentication Plug-in
3.5.1
About Writing a Custom Authentication Plug-in
3.5.2
Writing a Custom Authentication Plug-in
3.5.3
Error Codes in an Authentication Plug-In
3.5.4
JAR Files Required for Compiling a Custom Authentication Plug-in
4
Developing Custom Pages
4.1
Introduction to Custom Pages
4.1.1
About Developing Custom Pages
4.1.2
About Authentication and Custom Pages
4.2
Developing Custom Login Pages
4.2.1
Creating a Form-Based Login Page
4.2.1.1
Returning OAM_REQ Token
4.2.1.2
Returning the End Point
4.2.2
Page Redirection Process
4.3
Developing Custom Error Pages
4.3.1
Process Overview: Creating a Custom Error Page
4.3.2
Standard Error Codes
4.3.3
Default Page Locations
4.3.4
Security Level Configuration
4.3.5
Password Policy Validation Error Codes
4.3.6
Secondary Error Message Propagation
4.3.7
Retrieving Error Codes
4.3.7.1
Code Samples
4.3.7.2
Retrieving Password Policy Error Codes
4.3.7.3
Password Policy Rules
4.3.8
Error Data Sources Summary
4.4
Developing Using the Detached Credential Collector
4.4.1
Detached Credential Collector Considerations
4.4.2
Process Overview: Creating a Form-Based Login Page Using DCC
4.5
Deploying the Custom Login Page
4.6
Programmatic Authentication
4.6.1
Using mod_osso Agent
4.6.1.1
OSSO 10g
4.6.1.2
11g OAM Server
4.6.1.3
Process Overview: Developing Programmatic Clients
4.6.2
Using Unsolicited Post
4.7
Setting Custom OSSO Cookies After Authentication
5
Managing Policy Objects
5.1
Introduction to Policy Administration API
5.1.1
Access Manager Policy Model
5.1.2
Security Model
5.1.3
Resource URLs
5.1.4
URL Resources and Supported HTTP Methods
5.1.5
Error Handling
5.2
Compatibility
5.3
Managing Policy Objects
5.3.1
HTTP Methods
5.3.2
Media Types
5.3.3
Resources Summary
5.4
Examples
5.4.1
Retrieve Application Domains
5.4.2
Create a New Application Domain
5.4.3
Get All Authentication Schemes
5.4.4
Create a New Authentication Scheme
5.4.5
Get a Particular Authentication Scheme
5.4.6
Get All Resources in an Application Domain
5.4.7
Create a Resource in an Application Domain
5.4.8
Get All Policies in an Application Domain
5.5
Client Tooling
6
Developing an Application to Manage Impersonation
6.1
About Impersonation
6.1.1
Impersonation Concepts and Terminology
6.1.2
Impersonation Grant Syntax
6.1.3
Impersonation Trigger Invocation Using the SSO Service
6.1.4
Triggering Impersonation Without API Abstraction
6.1.5
Impersonator Identity Communication During Impersonation Sessions
6.2
Configuring Impersonation Support
6.2.1
Configuring Impersonation Using oam-config.xml
6.2.2
Configuring Impersonation Using idmConfigTool
6.2.3
Configuring the Authentication Scheme
6.3
Testing SSO Login and Impersonation
Part III Developing with Mobile and Social
7
Developing Applications Using the Mobile and Social Client SDKs
7.1
Before you Begin
7.2
Introduction to Developing Mobile Services Applications
7.2.1
Building Applications With User Profile Services
7.3
Introduction to Developing Internet Identity Services Applications
8
Developing Mobile Services Applications with the Java Client SDK
8.1
Overview
8.2
Invoking Authentication Services With the Java Client SDK
8.2.1
Getting Started
8.2.2
Create a Client Token
8.2.3
Create a User Token
8.2.4
Create an Access Token
8.2.5
Validate a Client Token
8.2.6
Validate a User Token
8.2.7
Perform a User Lookup Using the User Token
8.2.8
Delete the Client Token
8.3
Invoking User Profile Services with the Java Client SDK
8.3.1
Working with People
8.3.1.1
Getting set up
8.3.1.2
Creating a User
8.3.1.3
Reading a User
8.3.1.4
Updating a User
8.3.1.5
Deleting a User
8.3.1.6
Searching for a User
8.3.1.7
Retrieving User Attributes and Validating the Results
8.3.2
Working With Groups
8.3.2.1
Getting set up
8.3.2.2
Creating a Group
8.3.2.3
Reading a Group
8.3.2.4
Updating a Group
8.3.2.5
Deleting a Group
8.3.2.6
Searching a Group
8.3.2.7
Searching Groups With Paging Support
8.3.2.8
Adding a User to a Group
8.3.2.9
Getting Group Membership Info
8.3.2.10
Searching for a Member Within a Group
8.3.2.11
Removing a Member From a Group
8.3.2.12
Assigning Group Ownership
8.3.2.13
Getting Group Ownership Info
8.3.2.14
Searching for the Owner of a Group
8.3.2.15
Removing a Group Owner
8.3.2.16
Adding a Group (or a User) to a Group Using addMemberOf
8.3.2.17
Getting the Membership of a Group Using getMemberOf
8.3.2.18
Searching a Group Using searchMemberOf
8.3.2.19
Removing a Group (or a User) from a Group Using deleteMemberOf
8.3.2.20
Assigning Group Ownership Using addOwnerOf
8.3.2.21
Getting Group Ownership Info Using getOwnerOf
8.3.2.22
Searching for the Owner of a Group Using searchOwnerOf
8.3.2.23
Removing a Group (or a User) from a Group Using deleteOwnerOf
8.3.3
Working With Organizations
8.3.3.1
Getting set up
8.3.3.2
Creating Helper Utilities
8.3.3.3
Verifying a Manager
8.3.3.4
Verifying Direct Reports
8.3.3.5
Retrieve All Reports Using Scope=All Feature
8.3.3.6
Retrieve the Manager Chain Using Scope=toTop Feature
8.3.3.7
Retrieve Report Details Using Pre-Fetch Feature
8.3.3.8
Retrieve Manager Data using the Pre-Fetch feature
8.3.3.9
Deleting a Report From the Manager
8.3.4
Searching With Paging Support
8.4
Invoking Authorization Services With the Java Client SDK
9
Developing Mobile Services Applications with the iOS Client SDK
9.1
Getting Started With the iOS Client SDK
9.1.1
Getting Started Using the iOS Client SDK With XCode
9.2
Invoking Authentication Services With the iOS Client SDK
9.3
Initialization Properties
9.4
About Offline Authentication
9.5
Invoking Relying Party Authentication
9.6
Invoking User Profile Services With the iOS Client SDK
9.6.1
Working With People
9.6.2
Working With Groups
9.6.3
Working With Organizations
9.7
Invoking the Mobile Single Sign-on Agent App
9.7.1
Invoking the Mobile Single Sign-on Agent App From a Web Browser
9.8
Invoking REST Web Services
9.8.1
Understanding the OMRESTRequest API Flow
9.9
Using the iOS SDK to Create a Custom Mobile Single Sign-on Agent App
9.10
Using the Cryptography Module
9.11
Using the Credential Store Service (KeyChain)
10
Developing Mobile Services Applications with the Android Client SDK
10.1
Getting Started With the Android Client SDK
10.1.1
Developing and Packaging Android Applications
10.2
Invoking Authentication Services With the Android Client SDK
10.3
Alternate Approach to Initializing the Android Client SDK
10.4
About Offline Authentication
10.5
Invoking Relying Party Authentication Using the Android Client SDK
10.6
Invoking the Mobile Single Sign-on Agent App
10.6.1
Invoking the Mobile Single Sign-on Agent App From Another Application (SSO Client)
10.6.2
Invoking the Mobile Single Sign-on Agent App Using a Mobile Browser
10.7
Invoking User Profile Services With the Android Client SDK User Role Module
10.8
Invoking REST Web Services
10.9
Creating a Custom Mobile Single Sign-on Agent App Using the Android Client SDK
10.10
Login View and KBA View Customization
10.11
Using the Cryptography APIs
10.12
Invoking the CredentialStoreService With the Android Client SDK Secure Storage Module
10.13
Error Codes
11
Developing Applications Using the Internet Identity Services Client SDK
11.1
Before you Begin
11.2
Introduction to Developing Internet Identity Services Applications
11.2.1
About the Internet Identity Services Client SDK
11.3
Getting the List of Identity Providers for an Application
11.4
Integrating Internet Identity Services With a Web Application Running on a Server
11.4.1
Defining the Web Application on the Mobile and Social Server
11.4.2
Integrating the Internet Identity Services Login Page With the Web Application
11.4.2.1
Adding the Pre-built Internet Identity Services Login Page
11.4.2.2
Building a Custom Login Page
11.4.3
Handling User Registration
11.4.3.1
Using a Custom User Registration Page
11.4.3.2
Using the Mobile and Social Built-in User Registration Page
11.4.4
Handling the Final Return Response
11.4.4.1
Secured Attribute Exchange (SAE) Token Response Attributes
11.5
Integrating With an Access Manager Protected Web Application
11.6
Integrating Internet Identity Services With a Mobile Application
11.6.1
Defining the Mobile Application on the Mobile and Social Server
12
Extending the Capabilities of the Mobile and Social Server
12.1
Create a new Authentication Services Provider for Mobile Services
12.1.1
Developing the Custom Authentication Service Provider
12.1.1.1
Implementing the TokenService Interface
12.1.1.2
Extending the MobileCompositeTokenServiceProvider
12.1.2
Building the Custom Authentication Service Provider
12.1.2.1
To Build the Custom Authentication Service Provider
12.1.3
Deploying the Custom Authentication Service Provider
12.1.3.1
To Deploy the Custom Authentication Service Provider
12.2
Create a new Identity Service Provider for Internet Identity Services
12.2.1
Developing the Custom Identity Service Provider
12.2.2
Building the Custom Identity Service Provider
12.2.2.1
To Build the Custom Identity Service Provider
12.2.3
Deploying the Custom Identity Service Provider
12.2.3.1
To Deploy the Custom Identity Service Provider
13
Using the Mobile and Social REST API
Request and Response Header Attribute Name Reference
X-IDAAS-REST-VERSION
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-IDAAS-SERVICEDOMAIN
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-IDAAS-REST-AUTHORIZATION
Where to use This Attribute
Attribute Type
Sample cURL Commands
Comments
AUTHORIZATION
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-Idaas-Rest-Subject-Type
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-Idaas-Rest-Subject-Value
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Subject
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Subject-Username
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Subject-Password
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-New-Token-Type-To-Create
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-Idaas-Rest-Application-Context
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Application-Resource
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-User-Principal
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Provider-Type
Where to use This Attribute
Attribute Type
Sample cURL Command
Mobile and Social REST Security Filter Reference
Authorize With UIDPASSWORD
cURL Command
Expected Output
Comments
Authorize With HTTP Basic
cURL Command
Expected Output
Comments
Authorize With an Access Manager Token
cURL Command
Expected Output
Comments
Mobile Services REST Reference: Authentication and Authorization
Authentication for a Client Token
cURL Command
Expected Output
Comments
Authentication for a User Token
cURL Command
Expected Output
Comments
Authentication for an Access Token
cURL Command
Expected Output
Comments
Authentication for Multiple Tokens
cURL Command
Expected Output
Comments
Get or Validate a (Client) Token
cURL Command
Expected Output
Comments
Delete a Token
cURL Command
Expected Output
Comments
Authorization
cURL Command
Expected Output
Comments
Create a JWT User Token
cURL Command
Expected Output
Create a JWT User Token, OAM User Token, and OAM Master Token
cURL Command
Expected Output
Exchanging a JWT Token for OAM Tokens
cURL Command
Expected Output
Create an OAM Access Token Using an OAM User Token
cURL Command
Expected Output
Validate a JWT USER TOKEN
cURL Command
Expected Output
Validate an OAM USER TOKEN
cURL Command
Expected Output
Delete an OAM USER TOKEN
cURL Command
Expected Output
Mobile Services REST Reference: Commands for Mobile Single Sign-on Tokens
Create a Client Registration Handle for a Mobile Single Sign-on Agent App
cURL Command
Expected Output
Comments
Create a Client Registration Handle for a Mobile Single Sign-on Client App (User Name Scenario)
cURL Command
Expected Output
Comments
Create a Client Registration Handle for a Mobile Single Sign-on Client App (User Token Scenario)
cURL Command
Expected Output
Comments
Create a Request for a User Token
cURL Command
Expected Output
Comments
Create a Request for an Access Token
cURL Command
Expected Output
Comments
The Single Sign-on Agent Request to Create an Access Token for its own use
cURL Command
Expected Output
Comments
Verify a Client Reg Handle
cURL Command
Expected Output
Comments
Mobile Services REST Reference: Commands for User Profile Services
Basic User Operations
Create a User
Read a User
Update a User
Delete a User
Basic Group Operations
Create a Group
Read a Group
Update a Group
Delete a Group
"memberOf" Relationship Operations
Create a "memberOf" Relationship
Read a "memberOf" Relationship
Delete a "memberOf" Relationship
"members" Relationship Operations
Create a "members" Relationship
Read a "members" Relationship
Delete a "members" Relationship
"manager" Relationship Operations
Create a "manager" Relationship
Read a "manager" Relationship
Delete a "manager" Relationship
"reports" Relationship Operations
Create a "reports" Relationship
Read a "reports" Relationship
Delete a "reports" Relationship
"ownerOf" Relationship Operations
Create an "OwnerOf" Relationship
Read an "OwnerOf" Relationship
Delete an "OwnerOf" Relationship
"personOwner" Relationship Operations
Create a "personOwner" Relationship
Read a "personOwner" Relationship
Delete a "personOwner" Relationship
"groupOwner" Relationship Operations
Create a "groupOwner" Relationship
Read a "groupOwner" Relationship
Delete a "groupOwner" Relationship
"groupOwnerOf" Relationship Operations
Create a "groupOwnerOf" Relationship
Read a "groupOwnerOf" Relationship
Delete a "groupOwnerOf" Relationship
"groupMemberOf" Relationship Operations
Create a "groupMemberOf" Relationship
Read a "groupMemberOf" Relationship
Delete a "groupMemberOf" Relationship
"groupMembers" Relationship Operations
Create a "groupMembers" Relationship
Read a "groupMembers" Relationship
Delete a "groupMembers" Relationship
Search User Operations
Search Users
Search Users With PageSize and PagePos
Search Users With a Search Parameter and Without a Search Filter
Search Users With a Search Filter
Search Groups
Search Relationships
The "attrsToFetch" Query Parameter Feature
Read a User With attrsToFetch
Search Groups With attrsToFetch
Search a Relationship With attrsToFetch
The "prefetch" Query Parameter Feature
Read a User With prefetch
The "scope" Query Parameter Feature
Search a Relationship With scope
Practical Examples
Mobile SSO Agent Requests Client Registration Handle (Client Token)
Mobile SSO Agent Requests Client Registration Handle on Behalf of Business App
A User Token Request
An Access Token Request
Access Manager Master Token Authentication
Device Registration Request with KBA Response
Specifying the Tenant Name in the Header
Error Messages
Part IV Developing with Identity Federation
14
Developing a Custom User Provisioning Plug-in
14.1
Introduction to User Provisioning Plug-ins
14.2
Introduction to Plug-in Interfaces
14.3
Sample Code: Custom User Provisioning Plug-in
14.4
Developing a User Provisioning Plug-in
14.4.1
Process Overview: Developing a Custom Plug-in
14.4.2
Files Required for Compiling a Plug-in
Part V Developing with Security Token Service
15
Developing a Custom Token Module
15.1
Introduction to Oracle Security Token Service Custom Token Module Classes
15.2
Writing a TokenValidatorModule Class
15.2.1
About Writing a TokenValidatorModule Class
15.2.2
Writing a TokenValidatorModule Class
15.3
Writing a TokenIssuanceModule Class
15.3.1
About Writing a TokenIssuanceModule Class
15.3.2
Writing a TokenIssuanceModule Class
Part VI Appendices
A
Creating Deployment-Specific Pages
A.1
How the Single Sign-On Server Uses Deployment-Specific Pages
A.1.1
Change Password Page Behavior
A.1.1.1
Password Has Expired
A.1.1.2
Password Is About to Expire
A.1.1.3
Grace Login Is in Force
A.1.1.4
Force Change Password
A.2
How to Write Deployment-Specific Pages
A.2.1
Login Page Parameters
A.2.2
Change Password Page Parameters
A.3
Page Error Codes
A.3.1
OSSO 10g Login Page Error Codes
A.4
Adding Globalization Support
A.4.1
Deciding What Language to Display the Page In
A.4.1.1
Use the Accept-Language Header to Determine the Page
A.4.1.2
Use Page Logic to Determine the Language
A.4.2
Rendering the Page
A.5
Guidelines for Deployment-Specific Pages
A.6
Examples of Deployment-Specific Pages
A.6.1
Using Custom Classes
A.7
Adding an External Application