OAM provides challenge parameters that you can use within any authentication scheme to control flags of the encrypted cookies.
In addition to the OAM Server cookie (OAM_ID), Access Manager implements single sign-on through an encrypted cookie:
- 11g Webgate, one per agent: OAMAuthnCookie_<host:port>_<random number>, set by Webgate using the authentication token received from the OAM Server after successful authentication.
  Note: A valid OAMAuthnCookie is required for a session.
- 10g Webgate: one ObSSOCookie for all 10g Webgates.
Access Manager provides the ssoCookie challenge parameter that you can use within any authentication scheme to control how Webgates set the flags of the encrypted cookie. For example:
- Securing Encrypted Cookie: Ensures that the encrypted cookie is sent only over an SSL connection and prevents the encrypted cookie from being sent back to a non-secure Web server.
- Persisting Encrypted Cookie: Allows the user to log in for a time period rather than a single session. Persistent cookie functionality works with Internet Explorer and Mozilla browsers.
Note: The value of the challenge parameter is not case sensitive. Syntax is the same regardless of your Webgate release. A single value is specified after the equal sign (=):
ssoCookie=value
Multiple values must be separated by a semicolon (;). For example:
ssoCookie=value1;value2;...
For detached credential collector-enabled Webgates, set these parameters directly in the agent registration page (Table 15-2).
For non-DCC agents (Resource Webgates), these parameters are configured through Authentication Scheme challenge parameters (Table 22-30).
Table 22-30 describes specific challenge parameters that control how Webgates set encrypted cookie flags for single sign-on.
Table 22-30 Challenge Parameters for 10g/11g Encrypted Cookies
11g/10g Webgate Challenge Parameter Syntax for Encrypted Cookies | Description |
---|---|
ssoCookie= | Parameter that controls flags for the SSO cookie OAMAuthnCookie. |
miscCookies= | Parameter that controls flags for all other Access Manager encrypted cookies. |
Secure | Ensures that the encrypted cookie is sent only when the resource is accessed through HTTPS. A secure cookie is required only when a browser is visiting a server using HTTPS. ssoCookie=Secure miscCookies=Secure |
disableSecure | Explicitly disables Secure cookies. ssoCookie=disableSecure miscCookies=disableSecure |
httponly | Enabled by default with 11g Webgate SSO OAMAuthnCookie and miscellaneous cookies. ssoCookie=httponly miscCookies=httponly |
disablehttponly | Explicitly disables ssoCookie=disablehttponly miscCookies=disablehttponly |
ssoCookie=max-age=time-in-seconds | Creates a persistent cookie in browsers, rather than one that lasts for a single session, and specifies the time interval in seconds when the cookie expires. For example, to set the cookie to expire in 30 days (2592000 seconds): max-age=2592000 |
The challenge parameter is not case sensitive.
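The following is an added example, not Oracle code: a small review script that parses ssoCookie/miscCookies challenge parameters using the syntax in Table 22-30 and reports settings that weaken the encrypted cookies. It assumes the parameters are supplied as text with one parameter per line; the `MAX_AGE_LIMIT` policy value and all function names are hypothetical.

```python
import re

# Flag values from Table 22-30, compared in lower case (the value is not case sensitive).
KNOWN_FLAGS = {"secure", "disablesecure", "httponly", "disablehttponly"}
COOKIE_PARAMS = ("ssocookie", "misccookies")
MAX_AGE_LIMIT = 8 * 3600  # assumption: local policy ceiling for persistent cookies, in seconds


def parse_cookie_params(text):
    """Map each cookie parameter to its flags, max-age value and unrecognized values."""
    parsed = {p: {"flags": set(), "max_age": None, "unknown": []} for p in COOKIE_PARAMS}
    for line in text.splitlines():
        name, sep, raw = line.strip().partition("=")
        # Assumption: parameter names are matched case-insensitively as well.
        if not sep or name.strip().lower() not in parsed:
            continue  # other challenge parameters are out of scope
        entry = parsed[name.strip().lower()]
        for value in (v.strip().lower() for v in raw.split(";")):
            age = re.fullmatch(r"max-age\s*=\s*(\d+)", value)
            if age:
                entry["max_age"] = int(age.group(1))
            elif value in KNOWN_FLAGS:
                entry["flags"].add(value)
            elif value:
                entry["unknown"].append(value)
    return parsed


def audit(text):
    """Return findings for cookie flags that are disabled, missing, conflicting or long-lived."""
    findings = []
    for param, entry in parse_cookie_params(text).items():
        flags = entry["flags"]
        for on, off in (("secure", "disablesecure"), ("httponly", "disablehttponly")):
            if on in flags and off in flags:
                findings.append(f"{param}: conflicting {on} and {off}")
            elif off in flags:
                findings.append(f"{param}: {on} explicitly disabled")
        if not flags & {"secure", "disablesecure"}:
            findings.append(f"{param}: secure not requested")
        if entry["max_age"] is not None and entry["max_age"] > MAX_AGE_LIMIT:
            findings.append(f"{param}: persistent cookie, max-age {entry['max_age']}s exceeds policy")
        findings += [f"{param}: unrecognized value {u!r}" for u in entry["unknown"]]
    return findings


# Constructed sample: challenge parameters as entered for one authentication scheme.
SAMPLE = "ssoCookie=Secure;max-age=2592000\nmiscCookies=disableHTTPOnly"
```

Calling `audit(SAMPLE)` reports the 30-day persistent SSO cookie and the miscellaneous cookies that have httponly disabled and Secure unset.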