25.8 Configuring Success and Failure URLs for Authorization Policies

When an Authorization Success or Failure redirect URL is set, the target URL for which the end user is seeking access should be passed along as a parameter.

The following information has relevance when configuring an Authorization policy Success or Failure URL.

  • The original resource location will be URL encoded and added as a value to the oam_res query parameter before redirecting to the success or failure URL. The following rules are relevant to building the oam_res value; during an authorization call, only the HostIdentifier is passed so building the URL with a fully qualified host and port is slightly more involved. Here are two examples.

    Using the HostIdentifier, we find the first fully qualified host:port entry and construct the URL with it. The rest of the entries are then added as query parameters to the resource URL. For example:

    HostList = [Host hostName:="adc00oyf.us.example.com", port:="7777",
                Host hostName:="11gAgent", port:=null,
                Host hostName:="adc00oyf.us.example.com", port:="80"],
    HostIdentifier = 11gAgent
    

    The resource URL built will be:

    HTTP://adc00oyf.us.example.com:7777/index.html?Host1=adc00oyf.us.example.com:80
    

    In this second example:

    HostList = [Host hostName:="adc00oyf.us.example.com", port:="7777",
                Host hostName:="11gAgent", port:=null],
    HostIdentifier = 11gAgent
    

    The resource URL built will be:

    HTTP://adc00oyf.us.example.com:7777/index.html
    
  • To send a hashed value of the resource URL for security reasons, run the displayAuthZCallBackKey() WLST command. It returns the generated AES-128 key as a Base64-encoded string. The key is shared by the OAM server and the receiving application and is stored in oam-config.xml under /DeployedComponent/Server/NGAMServer/Profile:

    <Setting Name="AuthZCallBack" Type="htf:map">
      <Setting Name="AuthZHashKey" Type="xsd:string">1E8461DFA32AD746AF28BAAAA9F327327941C14CAC216DCFA9AC17985E097A0DD603EC1DF5C6D9F5C904ED44952A5D5F</Setting>
      <Setting Name="AuthZCallBackEnabled" Type="xsd:boolean">true</Setting>
    </Setting>
    

    Note:

    See Access Manager WLST Commands for details on the displayAuthZCallBackKey() WLST command.

  • If the hash key from the previous bullet is enabled, the server also sends a hashed value of the original resource URL as the value of the oam_res_hash query parameter. For example:

    http://adc00oyf.us.example.com:7001/SampleLoginWAR/pages/MFALogin.jsp?
     oam_res=HTTP%3A%2F%2Fadc00oyf.us.example.com%3A0%2Findex.html%3FHost1
     %3D11gAgent%3Anull&oam_res_hash=45438D536865B256681D328AA1BFD47D5D4D0039
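The following Python is an added example, not Oracle's code, covering the first and third bullets above: it builds the oam_res resource URL from a HostList the way the two examples describe (interpreting "fully qualified host:port" as any entry with a non-null port, the first of which becomes the authority and the rest HostN query parameters), appends oam_res and oam_res_hash to a success URL, and shows what a receiving application should check before redirecting. The hashing scheme OAM uses for oam_res_hash is not specified in this section, so `resource_hash` uses HMAC-SHA256 with the shared key as a labelled stand-in; `SHARED_KEY` is a constructed value, not a real key; the allowed-hosts check in `parse_callback` is added practice (oam_res is an open redirect without it), not something the section states.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the AES-128 key that displayAuthZCallBackKey() returns
# (Base64) and oam-config.xml stores as AuthZHashKey. Not a real key.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def build_resource_url(host_list, path, scheme="HTTP"):
    """Build the oam_res resource URL from an agent's HostList of (host, port) pairs.

    Interpretation of the rule in the text: the first entry with a non-null port is the
    authority; later entries with a port become Host1, Host2, ... query parameters;
    entries without a port (the bare HostIdentifier) are dropped.
    """
    qualified = [(host, port) for host, port in host_list if port is not None]
    if not qualified:
        raise ValueError("HostList has no host:port entry to build the URL from")
    url = "%s://%s:%d%s" % (scheme, qualified[0][0], qualified[0][1], path)
    extras = ["Host%d=%s:%d" % (i, host, port)
              for i, (host, port) in enumerate(qualified[1:], 1)]
    if extras:
        url += ("&" if "?" in url else "?") + "&".join(extras)
    return url


def resource_hash(resource_url, key):
    """Stand-in for the value sent as oam_res_hash. The real scheme is not given in this
    section; HMAC-SHA256 keyed with the shared key is an assumption for the example."""
    return hmac.new(key, resource_url.encode("utf-8"), hashlib.sha256).hexdigest().upper()


def success_redirect(success_url, resource_url, key=None):
    """Server side: append oam_res (URL-encoded) and, when the callback key is enabled,
    oam_res_hash to the configured success or failure URL."""
    params = {"oam_res": resource_url}
    if key is not None:
        params["oam_res_hash"] = resource_hash(resource_url, key)
    return success_url + ("&" if "?" in success_url else "?") + urlencode(params)


def parse_callback(redirect_url, allowed_hosts, key=None):
    """Receiving-app side: extract oam_res, refuse targets outside allowed_hosts, and
    verify oam_res_hash against oam_res when a key is shared. Returns the resource URL."""
    query = parse_qs(urlparse(redirect_url).query)
    resource = query.get("oam_res", [None])[0]
    if resource is None:
        raise ValueError("oam_res missing")
    if urlparse(resource).hostname not in allowed_hosts:
        raise ValueError("oam_res points at a host that is not allowed")
    if key is not None:
        given = query.get("oam_res_hash", [None])[0]
        expected = resource_hash(resource, key).encode("ascii")
        if given is None or not hmac.compare_digest(given.upper().encode("utf-8"), expected):
            raise ValueError("oam_res_hash missing or does not match oam_res")
    return resource


def rejects(redirect_url, allowed_hosts, key=None):
    """True if parse_callback refuses the redirect; used to exercise the checks."""
    try:
        parse_callback(redirect_url, allowed_hosts, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The two HostLists from the text, as (host, port) pairs.
    first = [("adc00oyf.us.example.com", 7777), ("11gAgent", None), ("adc00oyf.us.example.com", 80)]
    second = [("adc00oyf.us.example.com", 7777), ("11gAgent", None)]
    print(build_resource_url(first, "/index.html"))
    res = build_resource_url(second, "/index.html")
    login = "http://adc00oyf.us.example.com:7001/SampleLoginWAR/pages/MFALogin.jsp"
    redirect = success_redirect(login, res, SHARED_KEY)
    print(redirect)
    print(parse_callback(redirect, {"adc00oyf.us.example.com"}, SHARED_KEY))
```

Running the module prints the two resource URLs from the text and a redirect of the same shape as the MFALogin.jsp example; tampering with oam_res, dropping oam_res_hash, or pointing oam_res at a host outside the allow-list makes `parse_callback` raise instead of returning a redirect target.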