1.3 About Access Manager 11.1.2.3.0

The following sections provide details on the features available (and not available) in Access Manager 11.1.2.3.0.

• Features of Access Manager 11.1.2.3.0

• Features Not In Access Manager 11.1.2.3.0

1.3.1 Features of Access Manager 11.1.2.3.0

Table 1-2 provides an overview of Access Manager 11.1.2. For a list of names that have changed with 11.1.2, see "Product and Component Name Changes with 11.1.2".

Table 1-2 Features in Access Manager 11.1.2

Access Manager 11g	Description
Oracle Identity Management Infrastructure	Enables secure, central management of enterprise identities
Policy Enforcement Agents	Resides with the relying parties and delegate authentication and authorization tasks to OAM Servers 11g OAM Agents, Registering and Managing OAM 11g Agents 10g OAM Agents and the Pre-configured IAMSuiteAgent (10g OAM Agent), Registering and Managing 10g WebGates with Access Manager 11g OpenSSO Agents, Registering and Managing Legacy OpenSSO Agents 10g OSSO Agents (mod_osso), Registering and Managing Legacy OSSO Agents Notes: Nine Administrator languages are supported. Unless explicitly stated, the term "Webgate" refers to both an out of the box Webgate or a custom Access Client. See Introduction to Agents and Registration for an introduction to agents.
Server-side components	OAM Server (installed on a WebLogic Managed Sever)
Console	Oracle Access Management Console provides access to all services and configuration details. See Getting Started with Oracle Access Management.
Protocols for information exchange on the Internet	Front-channel protocols exchanged between Agent and Server are HTTP and HTTPS. Back-channel protocols: Authenticated clients can perform session operations using enhancements in the Oracle Access Protocol (OAP).
Proxy	Provides support for legacy systems OAM Proxy supports legacy Access Manager implementations by acting as a legacy Access Server. "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security" "OAM Proxy Metrics and Tuning" OSSO Proxy supports OSSO Agents by acting as the legacy OSSO Server. See Registering and Managing Legacy OSSO Agents. Oracle-provided OpenSSO Proxy handles requests for resources protected by OpenSSO Agents. See Registering and Managing Legacy OpenSSO Agents. See Also: About the Embedded Proxy Server and Backward Compatibility and the new Managing Oracle Access Management Oracle Access Portal
Cryptographic keys	Note: One key is generated and used per registered mod_osso or 11g Webgate. However, one single key is generated for all 10g Webgates. During 11g agent registration, one per-agent secret key shared is generated for encrypting and decrypting SSO cookies between 11g Webgate and OAM Server. See Registering and Managing OAM 11g Agents. During 10g agent registration, a global shared secret key is generated across all of Access Manager 11g (all Agents and OAM Servers). See Registering and Managing 10g WebGates with Access Manager 11g. During OSSO agent registration, One key per partner shared between mod_osso and OSSO server. See Registering and Managing Legacy OSSO Agents. OpenSSO Agent Host- or Domain-based key stored locally in Agent bootstrap file on the Agent host. See Registering and Managing Legacy OpenSSO Agents. During OAM Server registration, one server key is generated.
Keys storage	Agent-side: A per-agent key is stored locally in the Oracle Secret Store in a wallet file OAM Server-side: Per- agent keys, and server keys, are stored in the credential store on the server side
Encryption / Decryption (The process of converting encrypted data back into its original form)	Introduces client-side cryptography and ensures that cryptography is performed at both the agent and server ends: Webgate encrypts obrareq.cgi using the agent key. Note: obrareq.cgi is the authentication request in the form of a query string redirected from Webgate to OAM Server. OAM Server decrypts the request, authenticates, creates the session, and sets the server cookie. OAM Server also generates the authentication token for the agent (encrypted using the agent key), packs it in obrar.cgi with a session token (if using cookie-based session management), authentication token and other parameters, then encrypts obrar.cgi using the agent key. Note: obrar.cgi is the authentication response string redirected from the OAM Server to Webgate. Webgate decrypts obrar.cgi, extracts the authentication token, and sets a host-based cookie.
Policy Store	Database in production environments; file-based in demonstration and development environments, as described in "Managing the Policy and Session Database".
Applications	An application that delegates authentication and authorization to Access Manager and accepts headers from a registered Agent. Note: External applications do not delegate authentication. Instead, these display HTML login forms that ask for application user names and passwords. For example, Yahoo! Mail is an external application that uses HTML login forms.
SSO Engine	Manages the session lifecycle, facilitates global logout across all relying parties in the valid session, and provides consistent service across multiple protocols. Uses Agents registered with Access Manager 11g: Authentication with the default embedded credential collector occurs across the HTTP (HTTPS) channel Authentication with the optional detached credential collector occurs across the Oracle Access Protocol (OAP) channel Authorization occurs across the Oracle Access Protocol (OAP) channel See: Understanding Single Sign-On with Access Manager
Session Management	Global session specifications are enabled for all Application Domains and resources. In addition, Application Domain-specific session overrides can be configured. See Maintaining Access Manager Sessions.
Policies	Registered agents rely on Access Manager authentication, authorization, and token issuance policies to determine who gets access to protected applications (defined resources). See: Managing Policies to Protect Resources and Enable SSO
Client IP	Maintains this client's age, and includes it in the host-based cookie: OAMAuthnCookie for 11g Webgate (or ObSSOCookie for 10g Webgate)
Response token replay prevention	Include RequestTime (the timestamp just before redirect) in obrareq.cgi and copy it to obrar.cgi (the authentication response string redirected from the OAM Server to Webgate) to prevent response token replay.
Multiple network domain support	Access Manager 11g supports cross-network-domain single sign-on out of the box. Oracle recommends you use Oracle Federation for this situation.
Cookies	Host-based authentication cookie: 11g Webgate, One per agent: OAMAuthnCookie_host:port_random_number set by Webgate using the authentication token received from the OAM Server after successful authentication. Note: A valid OAMAuthnCookie is required for a session. 11g Webgate, Transient: OAM_REQ is scoped to the OAM Server. OAM_REQ is set or cleared by the OAM Server if the Authentication request context cookie is enabled. Protected with keys known to the OAM Server only. This cookie is configured as a high availability option to store the state about the user's original request to a protected resource while his credentials are collected and authentication is performed. 10g Webgate: One ObSSOCookie for all 10g Webgates. One for the OAM Server: OAM_ID, which is scoped to the OAM Server. OAM_ID is generated by the OAM Server when the user is challenged for credentials and submitted to the server on every redirect to the server. See Understanding Single Sign-On with Access Manager.
Centralized log-out	The logOutUrls (10g Webgate configuration parameter) is preserved. 10g logout.html requires specific details for Access Manager 11g. See Registering and Managing 10g WebGates with Access Manager 11g. 11g Webgate parameters are new: Logout Redirect URL Logout Callback URL Logout Target URL See Configuring Centralized Logout for Sessions Involving 11g WebGates.
Case Insensitive Policy Resource Matching	An optional setting is available to enable case insensitive policy resource matching. This is a global setting and both entries must be added to the oam-config.xml file under Policy Service > OAMPolicy Provider > properties: <Setting Name = “UseCaseInsensitiveResourceMatch” Type = “xsd:boolean”>true</Setting> <Setting Name = “USE_CASE_INSENSITIVE_RESOURCE_MATCH” Type = “xsd:boolean”>true</Setting>

1.3.2 Features Not In Access Manager 11.1.2.3.0

Features provided in Access Manager 10g but not included in Access Manager 11.1.2 are as follows:

• Extensibility framework required for building custom authorization plug-in.

• Authorization for mod_osso-protected resources.