Oracle® Access Manager Access Administration Guide
10g (

Part Number B25990-01


see also access control, 3.7.3
denying access to all resources by default, 3.7.3
DenyOnNotProtected flag, 3.7.3
access control
see also authentication schemes
and Windows Impersonation, B.2
for single sign-on,
increasing or decreasing, 4.8.1
removing for a group,
Access Control Lists and Entries, B.7.3
access control templates
see authentication schemes
see authorization schemes
see policy domains
Access Domain, 4.3.3
Access Manager API
effect on Policy Manager API Support Mode, 3.4.2
processing of resource requests, 3.9.1
use in authorization requests, 6.11
Access Manager SDK, 3.4.3, 3.9.1, A.1.6, E.1.6
authorization clients that use, 6.11
cache, E.1.6
effect on AccessGate configuration parameters, 3.4.2
formerly named Access Server SDK, Preface
Access Server, 1.2
Access Server service,
adding, 3.3.2, 3.3.2
associating with AccessGates, 3.6
audit log, 4.12.5
Audit to Database,
auditing parameters,
cache,,, 5.3.2, 5.10.7, 5.10.8, 6.3.2, 6.5.2
cache configuration parameters,
cache flush, 2.3.3
cache timeout,
cache, updating,,, 4.10.1, 6.3.4
about, 3.3.5
reason for configuring, 3.3.5
who configures, 2.2
command line configuration, 3.3.6
configuration parameters,,
configuration, prerequisites for, 3.2
configureAAAServer tool, 3.3.6
configuring, 2.3, 3, 3.3, 3.3
configuring to communicate with AccessGate, 3.6.2
debug file,
definition, 1.2
definition of, 3.1
deleting, 3.3.4, 3.3.4
diagnostics, 8.2.2
directory server profile for,
disassociating from an AccessGate, 3.6.4
duplicate action handling,
evaluation of policy domains, 4.5.1
how it checks policies, 4.3.2
how it processes expressions,
how it selects policy domains, 4.5.1
installing, 3.3
instance, adding, 3.3.2
managing from the command line, 3.3.6, 3.3.6
Maximum Client Session Time,
modifying, 3.3.3, 3.3.3
naming, 3.4.3
number of connections with AccessGate,
Number of Threads,
Password Policy Reload Period,
policy cache timeout,
policy evaluation order, 4.11.4
Policy Manager API Support Mode,
Policy Manager API Support Mode field,
polling between it and directory,
polling between it and WebGate,
queues, setting the number of,
re-installing Access Server service,
removing Access Server service,
requests to,
role in matching URLs with resources, 4.3.2
session token cache parameters,
silent installation, 3.3.6
SNMP Agent Registration Port,
transport security mode,
URL Prefix Reload Period,,
viewing, 3.3.3
viewing details, 3.3.1, 3.3.1
who configures, 2.2
Access Server SDK
now named Access Manager SDK, Preface
Access Server Timeout Threshold field, 3.4.2, 3.4.3
Access System
Access Server, 1.2, 1.2
authorization, 1.1
cache flush, automatic, 9.2
components, 1.2, 1.2
configuration of, 1.4
configuration, about, 1.1
configuration, prerequisites for, 2.1
Identity Server logged you in but the Access System logged you out error, E.1.3
installation overview, 1.3, 1.3
management overview, 1.5
Policy Manager, 1.2, 1.2
setup, 1.3
synchronizing clocks, 9.3.1
synchronizing components, 9.3
WebGate, 1.2, 1.2
Access Tester, 4.13
Access Tokens, B.7.1
AccessGate, 3.3.4
adding, 3.4.3
Audit to Database,
Audit to File field,
Buffer Size,
cache, 3.4.2
configuration parameters, 3.4.2
configuration, prerequisites for, 3.2
configure in the console before installing, 3.4.3
configureAccessGate tool, 3.4.4
configuring, 3.4
creating, Preface
Debug File Name,
Debug parameter,
definition, 3.1
delegating administration of, 2.2.2
deleting, 3.4.5
disassociating from an Access Server or cluster, 3.6.4
Engine Configuration Refresh Period,
installing, 3.4.3
modifying through command line, 3.4.4
out-of-box Access Client, 3.5
Policy Manager API Support Mode,
Session Token Cache field,
SNMP, enabling,
Transport Security,
transport security mode for, 3.4.4
User Cache Timeout,
user-defined parameters,
viewing, 3.4.1
viewing associated Access Server, 3.4.1
WebGate, 3.5
who manages, 2.2
AccessGate Name field, 3.4.2, 3.4.3
AccessGate Password field, 3.4.2, 3.4.3
associating with Access Servers, 3.6
actions, A.2
and header variables, 5.10.4, 7.6
and redirection, 5.10.5
authentication, 5.10
authentication actions and session cookies, A.1.4
authentication actions, setting, 5.10.7
combining from two or more rules, 6.6.6
configuring for AD, 5.10
custom authorization actions, 6.7.6
determining which ones are returned from an authorization expression, 6.6.5
duplicate action defaults, 6.7.4
duplicate actions, 6.5.1,
evaluation order, 6.6.7
for authorization expressions, 6.7.2
for authorization success or failure,, 6.2.3
for inconclusive results,
for redirection, 5.10.5
form action, A.3.1.1
form action URLs, A.3.1.1
in a policy authentication rule, 5.10.8
in authorization expression rules,
in authorization plug-ins,
in authorization rules, 6.6, 6.7.1
in disjoint domains,
passing header variables, A.1.5
passing information using actions, 5.10.3
redirection, 6.2.3
to pass information, 6.6.4
triggering after ObSSOCookie is set, Preface, 5.10.9
triggering after setting the session cookie, 5.10.9
types of actions, 5.10.1
used to define the user type, 7.7.2
Active Directory
and impersonation, B.6
authentication scheme for, 5.2.5,
configuring a trusted user for impersonation, B.3.3
configuring actions when using AD, 5.10
configuring impersonation for services, B.1
credential mapping parameter for, 5.4.9
example of changing the security level when using, 5.4.7
form-based authentication and AD, A.4.1.2
multiple searchbases using AD, 5.3.6
return attributes to set for impersonation, B.3.5
AD forest
authentication scheme for,
about, 1
Access Administrators, 2.2
configuring, 2
Delegated Access Administrator, 2.2
Delegated Access Administrator, configuring, 2.2.2
Delegated Access Administrators, configuring a group of, 2.2.3
Master Access Administrator, 2.2
Master Access Administrator, configuring, 2.2.1
Master Administrator, 2.2
policy domain administrators, 4.14
privileges for each type, 2.2
AES encryption, 7.3.2, 8.4
allow access, 6.3.3
Anonymous authentication scheme
and form-based authentication, A.1, A.2
anonymous login, 3.7.3
Master Audit Rule, 4.10
rule, 4.8
Audit Date Type field, 4.10.1
Audit Event Mapping field, 4.10.1
Audit Events field, 4.10.1
Audit File Name field,
Audit File Size field,
Audit Record Format field, 4.10.1
audit rule
definition, 4.8
Audit to Database field,,, 3.3.2
Audit to File,,, 3.3.2
AUTH_TYPE, B.5, B.6.4
authentication, Preface, 1.1
auditing, 4.12
plug-Ins, A.1.3
process overview, 3.9
rule, 4.8
actions for, 5.10
creating in the Policy Manager, 5.9.1
definition, 4.8
deleting, 5.9.3
modifying, 5.9.2
rules, in a policy, 4.11
default schemes, Preface
WebGate, role in, 3, 3.1
who configures, 4.14
authentication scheme, 5.2.3
about, 5, 5.2
about steps in, 5.6.2
actions, 5.10.8
actions, triggering, 5.10.9
Anonymous, 3.7.3
anonymous login, 3.7.3
caching, 3.4.2
chained, 5.1.2, 5.6
challenge methods, 5.3.2, 5.4.8
Basic, 5.3.2
Ext, 5.3.2
Form, 5.3.2
None, 5.3.2
X.509, 5.3.2
challenge redirects,
credential mapping, 5.4.9
default, 5.2.5
defining, 5.3
deleting, 5.3.5
deleting plug-ins, 5.5.3
disabling, 5.3.7
disabling before deleting, Preface
enabling, 5.3.7
external call for data in, A.1.6
flows, 5.2.4
flows, about, 5.8
flows, creating, 5.8.3
flows, viewing, 5.8.2
for Security Bridge, 5.12.2
form plug-ins, 5.4.8
form-based, 3.9.1,
form-based authentication,
general information, 5.2.1
modifying, 5.3.3
multiple searchbases, 5.3.6
multi-step, 5.6
persistent cookies in, Preface
plug-ins, 4.7, 5.2.2, 5.4
plug-ins, adding, 5.5
plug-ins, reusing, 5.4.5
redirecting to a challenge page, 5.3.2
redirection in, 5.3.2
rules, 4.2.3
securing the ObSSOCookie in, 5.3.11
security levels, 5.3.2, 5.4.7
single sign-on, 3.9
single-step, about, 5.6.3
steps, 5.2.3
steps, adding, 5.7.3
steps, deleting, 5.7.5
steps, viewing, 5.7.1
steps, viewing details, 5.7.2
time-based, Preface, 5.3.12
validate password, 5.4.11
viewing, 5.3.1, 5.3.4
who can create, 2.2.2
authorization, Preface, Preface, 1.1, 4.7, 6.6.5, A
about, 6.1
actions, 6.6
actions associated with authentication,
actions, about, 6.6
actions, creating for a rule, 6.7.1
actions, custom, 6.7.6
actions, duplicate, 6.7.3
actions, for an authorization rule, 6.7.1
actions, for inconclusive results,
actions, in disjoint domains,
actions, in form-based authentication, A.1.5
allow access, 6.3.3
allow conditions, 6.2.1
and Windows impersonation, B.2
auditing, 4.12
based on external data, 6.11
components, illustration of, 4.8
configuring, 6
deny access, 6.3.4
deny conditions, 6.2.1
evaluation, use of operators,
events, 6.10
expressions, 4.8, 4.8
definition, 4.8
illustration of, 4.8
expressions, about, 6.4
expressions, actions for, 6.7.2
expressions, creating, 6.1.2, 6.5.2
expressions, creating for a policy,
expressions, deleting,, 6.5.4
expressions, illustration of, 6.4.1
expressions, modifying, 6.5.3,
expressions, viewing, 6.5.1
expressions, viewing for a policy domain, 6.5.1,
external data used in, 6.11
how it is used, 4.3
in the Access System, 1.1
plug-ins, 4.7
process overview, 3.9
process, illustration of, 3.9
rules, 4, 4.3.1, 4.8, 4.8
rules and expressions, 6.1.2
rules, about, 6.2, 6.2.3
rules, compound conditions,
rules, configuring, 6.3.2
rules, deleting, 6.3.8
rules, evaluation of,
rules, general information, 6.3.6
rules, in a policy, 4.11
rules, modifying, 6.3.7
rules, replacing operators,
rules, reuse, 6.2.2
rules, viewing, 6.3.1
schemes, 4.3.1
schemes, about, 4.6
schemes, configuring, 6.9.3
schemes, deleting, 6.9.5
schemes, for custom plug-ins, 6.8
schemes, for single sign-on,
schemes, modifying, 6.9.4
schemes, plug-ins, 6.9.1
schemes, viewing, 6.9.2
single sign-on cookies, use of, 7.3
timing conditions, 6.3.5
WebGate, role in, 3, 3.1
who can configure, 2.2
who configures, 2.2.2, 4.14
authorization expression
see also authorization
authorization expressions
see expressions
authorization rule
Actions, 6.2.3
Allow Access, 6.2.3
Deny Access, 6.2.3
evaluation, 6.2.4
General Information, 6.2.3
Timing Conditions, 6.2.3
timing conditions for, 6.3.5
authorization rules
definition, 4.8
timing conditions for, 6.3.5
authorization scheme
external data, retrieving for authorization, 6.11
Authorization Success, B.6.4


Basic authentication,
basics, 1
Buffer Size,
Buffer Size field,, 3.3.2


Access Manager SDK, E.1.6
Access Server,,, 5.3.2, 5.10.7, 5.10.8, 6.3.2, 6.3.4, 6.5.2
Access Server, flushing, 2.3.3
Access System, 9.2
AccessGate, 3.4.2
credential mapping, 5.4.9, 5.4.9
default timeout,
flushing users from, 8.3.2
form-based login errors and caching, E.1.6
header variables,,
Identity Server cache flush, 2.3.3
minimum elements in Access Server,
password, 5.4.11, 5.4.13
password policy, 2.2, 8.5
Policy Cache Timeout field,
session token,
session token cache,
timeout,, 9.3.2
timeout, default, 9.3.2
updating for Access Server,
user cache timeout,
WebGate, 3.4.2
Cache Timeout field, 3.4.2, 3.4.3
CacheControlHeader field, 3.4.2, 3.4.2, 3.4.3
CachePragmaHeader field, 3.4.2, 3.4.2, 3.4.3
Cert mode, 3.4.2, 3.4.3
cert_decode, 5.4.8
about, 5.4.12
cert_decode plug-in, 5.4.8
challenge methods
cert_decode plug-in, 5.4.8
Client Cert (X509),
credential_mapping plug-in, 5.4.8
form, 5.3.2, 5.3.2,
NT/Win2000 plug-in, 5.4.8
SecurID plug-in, 5.4.8
selection_filter plug-in, 5.4.8
validate_password plug-in, 5.4.8
challenge parameter
form, 5.12.2
challenge redirects,
Client Certificate authentication,
Access Server clusters, 3.3.5
compound condition, 6.4.1
conditions, complex, 6.4.1
about, 1
configureAAAServer tool, 3.3.6
configureAccessGate tool, 3.4.4
configureWebGate command, 3.4.4
CONNECT operation, 4.4.3
Connector for WebSphere, 7.6.1
client cookie,
encrypted session token and, 7.3
encrypting the single sign-on cookie, 2.2, 2.2.1
for single sign-on, 7.3
form-based authentication cookie,
generated during login, 3.9.2
HTTP header variable size, effect of, 5.10.2
Identity application session cookie,,
lasting over multiple sessions, 5.3.12
multi-domain SSO, 7.5
ObFormLoginCookie, 3.9.2,, A.2.1
OBPERM Cookie, 3.9.2
ObSSOCookie, 3.4.2, 3.9.2, A.1
ObTEMC Cookie, 3.9.2
ObTEMP Cookie, 3.9.2
passing actions in, 6.6.2
persistent, Preface
primary HTTP cookie domain, 3.4.2, 3.4.3
securing the ObSSOCookie, 5.3.11
sending credentials in, 7.6
single sign-on cookie,
single sign-on logout, 2.3.3
system settings cookie,
triggering actions after setting, 5.10.9
triggering actions after setting the ObSSOCookie, Preface
now named Oracle Access Manager, Preface
Credential Mapping Authentication Plug-In, A.1.3
credential mapping cache, 5.4.9, 5.4.9
credential_mapping, 5.4.8
about, 5.4.9
for form-based authentication, A.1.3
parameters, 5.4.9
sent in a URL, 7.6
custom plug-in, A.1.3


Debug field, 3.3.2, 3.4.2, 3.4.3
Debug File Name field, 3.3.2
decimal addressing, 3.7.1
DELETE operation, 4.4.3
deny access, 6.3.4
DenyOnNotProtected, 3.4.2, 3.4.3
advantages of, 3.7
allow access to all resources,
deny all access unless explicitly allowed, 3.7
setting for a WebGate, 3.4.2
Description field, 3.4.2, 3.4.3
diagnostics, 3.5.4, 8.2.2
running, 8.6
directory server
configuration, 2.3.4
Display Name field, 4.4.6
duplicate actions,
defaults for, 6.7.4
restrictions on,


EJB, 4.4.2
operations, 4.4.4
configuring user feedback email address, 2.3.2
Enabling Impersonation, B
With a Header Variable, B.3
with a User Name and Password, B.5
schemes, 7.3.2
Engine Configuration Refresh Period field,, 3.3.2
expressions, 4.3.1, 4.8, 6.1.2
about, 4.8, 6.4
associating with actions, 6.6.1, 6.7.2
complex conditions in, 6.4.1
compound conditions in, 6.4.1
contents of, 6.4.1
creating, 6.5.2
creating, overview, 6.1.2
duplicate actions, 6.7.5
duplicate actions in, 6.7.5
evaluation of, 6.4.1
evaluation of rules in,
illustration of, 6.4.1
in authorization rules, 6.2
inconclusive results in,
status codes,
testing, 4.13
viewing, 6.5.1
external data
retrieving for authorization, 6.11


Failover Threshold field, 3.4.2, 3.4.3
new, Preface
email address for, 2.3.2
File Rotation Interval field,, 3.3.2
challenge method, 5.3.2
challenge parameter, 5.12.2
form challenge method, 5.3.2,
form login
Identity System, 3.9
form-based authentication, 3.9.1,, 5.3.2, A.1
about, A, C
action challenge parameter, A.1.1
challenge parameters, A.1.1
collecting external data for, A.1.6
configuring, A.3, A.3
considerations, A.2
creating the form, A.2
credential_mapping plug-in, A.1.3
creds challenge parameter, A.1.1
custom plug-in, A.1.3
examples, A.4.1
form challenge parameter, A.1.1
header variables, A.1.5
instead of a plug-in,
multi-language form, A.4.3
ObFormLoginCookie,, A.2.1
passthrough challenge parameter, A.1.1
plug-ins, 5.4.8, A.1.3
redirection, use of, A.1.2
session cookie, A.1.4
task overview, A.1
validate_password plug-in, A.1.3


GET operation, 4.4.3
getting started, 1
Global Pass Phrase, 3.4.4
globalization, Preface, Preface,


HEAD operation, 4.4.3
header variables, 7.6
actions and, 5.10.4, 6.6.2
cookies and, 6.6.3
duplicate actions and,
for impersonation, B.3
HTTP, 5.10.7
in authorization rules, 6.2.3
in single sign-on, 7.6
passing information via, 3.9.1, 5.10.1
passing on redirection, 5.10.5, 5.10.7, 5.10.7
redirection and, 5.10.4
setting credentials in, 7.6
use with cookies, 5.10.2
Web server handling of,
with WebGate behind a reverse proxy,
host identifiers, 2.2, 2.2.2, 3.1, 3.4.2, 3.4.3, 4.3.1
and SSO,
and virtual Web hosting, 3.7.1
definition, 4.3.1,
using, 3.7.1,
using vs preferred hosts, 3.7
vs DenyOnNotProtected, 3.4.2, 3.7.3
Hostname field, 3.3.2, 3.4.2, 3.4.3
configuring identifiers for, 3.7
HTTP, 4.4.2
operations, 4.4.3


Identity application
cookies generated at login, 3.9.1,
login process for, 3.9
protecting, 7.7.1
Identity Domain, 4.3.3
Identity Server
cache flush, 2.3.3
logged you in but other system logged you out error, E.1.3
Identity Server logged you in but other system logged you out error, E.1.3
Identity System
anonymous access to,
configuring, Preface
form login, 3.9
IdentityXML, Preface
protecting, process for, 3.9
SSO logout for, C.1
Idle Session Time field, 3.4.2, 3.4.3
IIS, A.3.2
IIS Lockdown tool, 3.5.4
IIS6, 3.5.4
impersonation, 3.4.2, 3.4.3, B.1
about, B.1
action in a policy domain, B.3.5
and third-party products, B.4
creating an Impersonator as a Trusted User, B.3.2
Domino, 7.8
enabling, B
enabling in the Access System, 7.9, 7.9
enabling with a header variable, B.3
enabling with user name and password, B.5
for OWA, B.6
impersonator as a trusted user, B.3.2
requirements for, B.3.1
testing, B.3.7
Windows impersonation, about, B.7
Impersonation Password field, 3.4.2, 3.4.3
Impersonation Username field, 3.4.2, 3.4.3
inconclusive results,
installation, Preface, 4.1
silent, 3.3.6, 3.3.6
introduction, 1
IP address
deny access according to IP address, 6.3.4
IP address validation, 3.5.3
IPValidation, 3.4.2, 3.5.3
configuring, 3.5.3
IPValidation field, 3.4.2, 3.4.3
IPValidationException field, 3.4.2, 3.4.3


Kerberos Protocol, B.7.5


multi-language form, A.4.3
localization, A.3.2
automatic updates, Preface, Preface
new features in this release, Preface
what's new in this release, Preface
login, 2.3.3
cookies generated during, 3.9.2
form-based, A
form-based login, configuring, A.1
on Netscape,
process, 3.7.3, 3.9, 3.9
process, scenarios for, 3.9.1
self-registration auto login, 3.4.2
logout, 2.3.3
adding logout URLs, 3.4.2
button for,
configuring, C
configuring, for WebGates, 3.4.2
custom logout pages, C.2
for an Identity System resource,
forced, 3.4.2
from a multi-domain SSO session, 7.5.3
from a single-domain SSO session, 7.4.4
how it works, C.1
issues with form-based authentication, A.2.1
logout URL, 7.4.4, C, C.1
SSO logout URL, configuring, 2.3.3
logout.html, 7.6.2
LogOutUrls field, 3.4.3
Lotus Domino, 7.8


Master Audit Rule, 4.10
Maximum Client Session Time field,, 3.3.2, 3.4.2, 3.4.3
Maximum Connections field, 3.4.2, 3.4.3
Maximum Elements in Cache field, 3.4.2, 3.4.3
Maximum Elements in Policy Cache field,, 3.3.2
Maximum Elements in Session Token Cache field,
Maximum Elements in User Cache field,, 3.3.2
Maximum User Session Time field, 3.4.2, 3.4.3
mySAP, 7.6.1


name changes, Preface
names, new, Preface
now named Oracle Access Manager, Preface
NetPoint 5.x,
NetPoint SAML Services
now named Oracle Identity Federation, Preface
network traffic,
cache timeout, 9.3.2
for Access System,
new features
logging, Preface
NT/Win2000 plug-in, 5.4.8
number of connections,
Number of Threads field,, 3.3.2


ob_date, 4.10.1
ob_datetime, 4.10.1
ob_event, 4.10.1
ob_ip, 4.10.1
ob_operation, 4.10.1
ob_reason, 4.10.1
ob_serverid, 4.10.1
ob_time, 4.10.1
ob_time_no_offset, 4.10.1
ob_url, 4.10.1
ob_userid, 4.10.1
ObFormLoginCookie, 3.9.2,, A.2.1
obMappingFilter, A.3.3
ObPERM Cookie, 3.9.2
ObPERM cookie,
ObSSOCookie, 3.4.2, 3.4.3, 3.5.3, 3.5.3, 3.9, 3.9.2,, 7.3
and redirection for SSO, 7.5.1
and single domain SSO, 7.4.1
configuring, 7.3.2
form-based authentication and, A.1
grandfathering, 7.3.2
multi-domain SSO and, 7.5
security of, 7.3.1
single sign-on and, 7.4.1
unencrypted data in, 7.3
ObTEMC Cookie, 3.9.2
ObTEMC cookie,
ObTEMP Cookie, 3.9.2
ObTEMP cookie,
Open mode, 3.4.2, 3.4.3
OPTIONS operation, 4.4.3
Oracle Access and Identity authentication scheme,
Oracle Access Manager
formerly NetPoint or COREid, Preface
protecting, 5.2.5
unprotecting, 5.2.5
Oracle HTTP Server 2,
Oracle Identity Federation, Preface
formerly SHAREid, Preface
OracleAS, 7.6.1, 7.6.1, 7.6.1, 7.6.1
OTHER operation, 4.4.3


parameter files, D
about, D
passing information in a header variable, 5.10.3
cache, 5.4.11
password policy cache, 2.2, 8.5
Password Policy Reload Period field,, 3.3.2
caching, 5.4.13
PDF files, 3.4.2
performance, 3.3.2, 3.7.3
caching passwords, 5.4.13
configure cache timeout, 9.3.2
duplicate actions, impact,
logout URLs, impact, 7.4.4
viewing policy domains, impact, 9.4
personalizing the end user's interaction, 5.10.3
about, 4.7
adding, 5.5
adding to an authentication scheme, 5.5.2
cert_decode, 5.4.8, 5.4.8
about, 5.4.12
credential_mapping, 5.4.8
about, 5.4.9
for form-based authentication, A.1.3
parameters, 5.4.9
for form-based authentication, A.1.3
custom plug-ins, creating, 4.7
custom, authorization schemes for, 6.8
custom, to use in authorization schemes, 6.8
definition, 4.7
deleting from an authentication scheme, 5.5.3
for a step, 5.6.2
for authentication
about, 5.4
Access System-provided, 5.4.1
custom, 5.4.2
for challenge methods, 5.4.8
to change security levels, 5.4.7
for authentication flows, 5.8.1
for authentication schemes, 4.6, 4.7, 5.1.2
for authorization
specifying, 6.9.1
task overview,
for authorization schemes, 4.7
optional parameters,
required parameters,
for custom authorization actions, 6.7.6
for disjoint (multiple) searchbases, 5.3.6
for UNIX, 4.7
for Windows, 4.7
form-based authentication, A.1.3
in a step, changing, 5.7.4
NT/WIN2000, 5.4.8
return codes, 5.4.3
reuse of, 5.4.4
SecurID, 5.4.8
Security Bridge, 5.12.1
selection_filter, 5.4.8, 5.4.8
validate_password, 5.4.8, 5.4.8
about, 5.4.11
for form-based authentication, A.1.3
parameters, 5.4.11
versus form-based authentication,
viewing, 5.5.1
vs using form-based authentication,
why separate into steps, 5.6.4
Windows NT/2000, 5.12.4
Plumtree Corporate Portal, 7.6.1
policy, 4
see also policy domain
adding, 4.11.2
finding, 4.9.5
policy base
about, 4.1.1
policy cache,
policy cache timeout,
Policy Cache Timeout field,,, 3.3.2
policy domain
about, 4, 4
about, 4.2
configuring, 4.14.1
delegating, 4.14, 4.14.1
task overview, 4.2.2, 4.2.3
why have multiple administrators, 4.3.6
administrators, 4.14
administrators, configuring, 4.14.1
administrators, viewing, 4.14.1
audit rules for, 4.12.1
creating, 4.12.3
audit rules for, modifying, 4.12.2
auditing access to resources, 4.10, 4.12
authentication actions for, setting, 5.10.8
authorization expressions for, deleting, 6.5.4
authorization expressions for, viewing, 6.5.1
authorization rules for, viewing, 6.3.1
components of, 4.3.1
creating, 4.9.1
creating the first one, 4.2.1
creating, overview, 4.2.3
default, Preface, 4.3.3
default domains, 4.3.3
default rules for, 5.9
defining subsets of protected resources, 4.11
delegated administration, 4.14
delegated administration, caveat, 2.2.2
delegating administration of, 4.14
deleting, 4.9.3
denying access to all resources in, 3.7.3
disabling, 4.9.4
effect of multiple policy domains and policies, 4.5.1
EJB resource, 4.4.5
enabling, 4.9.1, 4.9.1, 4.9.4
examples of, 4.3.5, 4.3.5
finding, 4.9.5, 4.9.5
granularity of domains, 4.5.1
host identifiers, 4.3.1,
HTTP resource, 4.4.5
location of policy data in the DIT, 4.1.1
managing, about, 4.2.2
master audit rule, 4.10
modifying, 4.9.2
order of evaluation, 4.3.2
overview of creating, 4.1
about, 4.3, 4.11
adding, 4.11.2
audit rules for, 4.12.3, 4.12.4
configuring, 4.11
deleting, 4.11.5
deploying, 4.11.6
finding, 4.9.5
modifying, 4.11.3
order of evaluation, 4.11.1
ordering, 4.11.4
overlapping patterns for, 4.11.1
policies within, 4.3.1
policy base, 4.1.1
Policy Manager application, 3.1
prerequisites for configuring, 4.1
protecting all resources,
RDBMS resource, 4.4.5
resource types, configuring, 4.4
resources, adding, 4.9.7
root, 4.1.2
root URL, 4.1.2
rules and expression in, 4.8
rules in policy domains, about, 4.8.1
schemes in, 4.6
servlet resource, 4.4.5
single sign-on across domains, 7.2.1
single sign-on with third-party applications, 7.2.1
single sign-on within a domain, 7.2, 7.2.1
structure, 4.3.1
testing the configuration, 4.13
top URL prefix in the DIT, 4.1.2
unprotecting all resources,
URL patterns, 4.5.3
URL patterns, about, 4.5.3
URL prefixes,, 4.5, 4.5.1
URL prefixes, illustration of, 4.5
URLs for resources, configuring, 4.5
URLs in, 4.3.1
viewing, 4.9.6
who administers, 4.3.6
who creates, 4.3.4
Policy Manager, 1.2
see also policy domain
authentication schemes created during setup, 5.2.5
authorization rules defined in, 6.3.1
capturing messages sent to, 3.3.2
changing the default landing page, 9.5.1
changing the search interface, 9.5.2
creating authentication rules in, 5.9.1
creating authorization expression rules in, 6.1.2
creating authorization rules in, 6.3.2
customizing the user interface, 9.5
debugging, 3.3.2
definition, 3.1
Identity Server logged you in but Policy Manager logged you out error, E.1.3
installation, 4.1.1
installed on same Web server as WebPass, 1.2
location of policy data, 4.1.1
policy base, 4.1.1
policy domain root, 4.1.2
Policy Manager API Support Mode,,
preconfigured policy domains, 4.3.3
purpose of, 4.9.1
setting allow access in, 6.3.3
setting deny access in, 6.3.4
setting timing conditions for authorization rules, 6.3.5
synchronizing clocks with other components, 9.3.1
use for, 4.9.1, 6.1.2
Policy Manager API, Preface
Policy Manager API Support Mode,,,,, 3.3.2,, 3.4.2, 3.4.3
Port field, 3.3.2, 3.4.2, 3.4.3
POST operation, 4.4.3
preferred host
advantage, 3.7.2
and virtual servers, 3.7.2
disadvantage, 3.7.2
vs DenyOnNotProtected, 3.7.3
vs host identifiers, 3.7,
with multi-domain single sign-on, 7.5
Preferred HTTP Host field, 3.4.2, 3.4.3
Primary HTTP Cookie Domain field, 3.4.2, 3.4.3, 3.4.3
AccessGates and WebGates
To associate an AccessGate with an Access Server, 3.6.2
To associate an AccessGate with an Access Server cluster, 3.6.2
To change the configuration polling frequency,
To change the default configuration cache timeout, 9.3.2
To check the status of a WebGate, 3.5.5
To create an AccessGate instance, 3.4.3
To delete an AccessGate, 3.4.5
To disassociate an AccessGate from an Access Server or an Access Server cluster, 3.6.4
To modify a WebGate through the command line, 3.5.2
To modify an AccessGate through the Access System Console, 3.4.4
To modify an AccessGate through the command line, 3.4.4
To view AccessGates, 3.4.1
To view AccessGates associated with a cluster, 3.6.3
To add a Master Access Administrator, 2.2.1
To create a group of Delegated Access Administrators, 2.2.3
To modify a group of delegated administrators, 2.2.4
To modify policy domain rights, 4.14.1
To view Delegated Access Administrators for a policy domain, 4.14.1
audits, logs, and reports
To add a user access privilege report, 8.7.1
To configure a server's Master Audit policy, 4.10.1
To create an audit rule for a policy domain, 4.12.1
To define an audit rule for a policy, 4.12.3
To delete the Master Audit Rule, 4.10.3
To modify an audit rule for a policy, 4.12.4
To modify an audit rule for a policy domain, 4.12.2
To modify the Master Audit Rule, 4.10.2
To add a step to an authentication scheme, 5.7.3
To add plug-ins to an authentication scheme, 5.5.2
To add, remove, or re-order plug-ins in an existing step, 5.7.4
To configure the flows of an authentication scheme, 5.8.3
To correct an authentication flow containing a cycle, 5.8.4
To create a default authentication rule for a policy domain, 5.9.1
To create an authentication rule for a policy, 5.9.4
To create an authentication scheme, 5.3.2
To define a persistent cookie in the authentication scheme, 5.3.12
To delete a policy domain's authentication rule, 5.9.3
To delete a policy's authentication rule, 5.9.6
To delete a step from an authentication scheme, 5.7.5
To delete an authentication scheme, 5.3.5, 5.3.10
To delete plug-ins from an authentication scheme, 5.5.3
To enable or disable an authentication scheme, 5.3.7
To modify a policy domain's authentication rule, 5.9.2
To modify a policy's authentication rule, 5.9.5
To modify the content of an authentication scheme, 5.3.3, 5.3.8
To view a list of authentication schemes, 5.3.1
To view the configuration for an authentication scheme, 5.3.4, 5.3.9
To view the configuration of an authentication flow, 5.8.2
To view the details for a step, 5.7.2
To view the list of plug-ins for an authentication scheme, 5.5.1
To view the steps of an authentication scheme, 5.7.1
To configure an authentication scheme for disjoint domains,
To create an action for an authorization expression, 6.7.2
To create an action for an authorization rule, 6.7.1
To create an authorization expression for a policy,
To create an authorization expression for a policy domain, 6.5.2
To create an authorization scheme, 6.9.3
To define an authorization rule, 6.3.2
To delete an authorization rule, 6.3.8
To delete an authorization scheme, 6.9.5
To delete an item,
To delete the authorization expression for a policy, 6.5.4
To delete the authorization expression for a policy domain, 6.5.4
To delete the entire content of an expression,
To display a current list of authorization rules, 6.3.1
To display the Authorization Expression page for a policy to modify the expression,
To display the page for modifying the authorization expression for a policy domain,
To implement a custom action, 6.7.6
To modify an authorization rule, 6.3.7
To modify an authorization scheme, 6.9.4
To replace one authorization rule with another,
To replace one operator with another,
To retrieve external data for an authorization request, 6.11
To set a timing condition, 6.3.5
To set Allow access, 6.3.3
To set Deny Access, 6.3.4
To set the behavior for handling duplicate actions for an expression, 6.7.5
To set the system default duplicate actions behavior for the Access Server, 6.7.4
To view an authorization expression for a policy,
To view an authorization expression for a policy domain, 6.5.1
To view configured authorization schemes, 6.9.2
To view the general information for an authorization rule, 6.3.6
form-based authentication
To configure a form-based authentication scheme, A.3.1
To include only active users in the obMappingFilter, A.3.3.1
To include only non-active users in the obMappingFilter, A.3.3.2
To retrieve external data for an authentication request, A.1.6
To set the login form encoding to UTF-8 for 10g Release 3 (10.1.4), A.4.1.2
hosts and resources
To change a resource description, 4.9.8
To define a resource type, 4.4.6
To delete a resource, 4.9.9
To deny access to all unprotected resources, 3.7.3
To view or delete existing Host Identifiers,
To add an impersonation action to your policy domain, B.3.5, B.6.4
To add the impersonation dll to your IIS configuration, B.3.6, B.6.5
To bind your trusted OWA user to your WebGate, B.6.3
To bind your trusted user to your WebGate, B.3.4
To create a trusted user account, B.3.2
To create a trusted user account for OWA, B.6.1
To create an IIS virtual site not protected by SPPS, B.3.7.1, B.3.7.1
To give appropriate rights to the trusted user, B.3.3, B.6.2
To test impersonation through a Web page, B.6.6.2
To test impersonation through a Web page that displays server variables, B.3.7.3
To test impersonation through the Event Viewer, B.3.7.2, B.6.6.1
policy domains and policies
To add a policy, 4.11.2
To add resources to a policy domain,,
To create a policy domain, 4.9.1
To create an authentication rule for a policy, 5.9.4
To create an authorization expression for a policy,
To delegate rights for a policy domain, 4.14.1
To delete a policy, 4.11.5
To delete a policy domain, 4.9.3
To delete a policy domain's authentication rule, 5.9.3
To delete a policy's authentication rule, 5.9.6
To delete the authorization expression for a policy, 6.5.4
To delete the authorization expression for a policy domain, 6.5.4
To disable a policy domain, 4.9.4
To display the Authorization Expression page for a policy to modify the expression,
To display the page for modifying the authorization expression for a policy domain,
To enable a policy domain, 4.9.4
To modify a policy, 4.11.3
To modify a policy domain, 4.9.2
To modify a policy domain's authentication rule, 5.9.2
To modify a policy's authentication rule, 5.9.5
To run Access Tester, 4.13
To search for existing policy domains or policies, 4.9.5
To set authentication actions for a policy domain, 5.10.7
To set the order of policies within a domain, 4.11.4
To turn off the display of Resource Type and URL Prefix columns, 9.4
To view policy domains and configuration information, 4.9.6
Policy Manager
To change search parameters, 9.5.2
To change the default number of search results, 9.5.2
To set Search as the default page, 9.5.1
To access the configureAAAserver tool,
To add an Access Server cluster,
To add an Access Server instance, 3.3.2
To archive sync records, 8.8
To configure the directory server, 2.3.4
To create the revoked user list, 8.3.1
To customize email, 2.3.2
To delete an Access Server, 3.3.4
To flush all redirect URLs, 8.5
To flush user information from the cache, 8.3.2
To generate a cryptographic key, 8.4
To implement synchronization, 9.3.1
To install an Access Server in silent mode, 3.3.6
To modify common parameters,
To purge sync records, 8.8
To re-configure an Access Server,
To remove an Access Server service,
To run diagnostics for Access Servers, 8.6
To set the number of queues on Solaris,
To set the number of queues on Windows 2000,
To set the number of queues on Windows NT,
To view Access Server configuration details, 3.3.1
To view certificate details, 5.4.12
To view or modify an Access Server cluster,
To view server settings, 2.3.1
single sign-on
To configure a second WebGate for single sign-on,
To configure redirection, 7.5.1
To configure single sign-on using a Lotus Domino Web server, 7.8
To configure the logout button,
To configure the ObSSOCookie, 7.3.2
To configure the SSO Logout URL, 2.3.3
To configure the WebGate,
To create a policy domain that protects the Access System applications, 7.7.1
To create a policy domain that protects the Identity System applications, 7.7.1
To secure the ObSSOCookie, 5.3.11
To configure the sample scheme to obtain external authorization data, 6.11.1
To set authentication actions for a policy, 5.10.8
Process overview
Form-based authentication from the user's perspective,
How a URL prefix is used, 4.5.1
How URL patterns are used, 4.5.3
Identity resource protected by WebGate, 3.9.1
Multi-domain single sign-on, 7.5
WebGate-to-Access Server configuration polling,
proxy, 7.4.3
PUT operation, 4.4.3


RC4 encryption, 7.3.2
RC6 encryption, 7.3.2
redirecting users to a specific URL, 5.10.3
redirection, 5.10.5, 6.2.3
and header variables, 5.10.1
authorization rules and, 6.2.3
configured in an action, 5.10.5
configuring, 7.5.1
for authentication success and failure, 5.10.7
in form-based login, A.1.1, A.1.2
in multi-domain SSO, 7.5.1
multi-domain SSO use of, 5.3.2
to a URL for authentication, 5.3.2
Redirection URL field, 5.10.7
report files, 3.4.2
user access privileges, 8.7
impersonation, B.3.1
adding to a policy domain, 4.9.7,
auditing of, 4.12.1
authenticating users who try to access, 5
deleting, 4.9.9
denying access by default, 3.7, 3.7.3
EJB, 4.4.2
HTTP, 3.4, 4.4.2
identified by host identifier, 3.7
identified by preferred host, 3.7
J2EE, 4.4.5
policies for, 4.5
policy domain root, 4.1.2
protecting, 2.2
protecting all resources,
protecting with policy domain, 4
protecting with WebGate, 3.1
configuring, 4.4
defining, 4.4.6
unprotecting all resources,
URL pattern for, 4.5
URL patterns, about, 4.5.3
URL prefix, about, 4.5.1
URLs for, 4.5
who can define resource types, 2.2.2
Resource Matching field, 4.4.6
Resource Name field, 4.4.6
Resource Operation field, 4.4.6
resource types
about, 4.4
C programs, 4.4.5
C++ programs, 4.4.5
CRM applications, 4.4.5
directories, 4.4.5
Enterprise Java Beans (EJBs), 4.4.5
ERP applications, 4.4.5
Java programs, 4.4.5
Java Server pages (JSPs), 4.4.5
query strings, 4.4.5
supported, 4.4.5
web applications, 4.4.5
web pages, 4.4.5
reverse proxy, 7.4.3
revoking users, 8.3.1
deny access to a role, 6.3.4
RSA SecurID, 7.6.1
deny access filters, 6.3.4
about, 4.8
illustration of, 4.8
types of, 4.8


S4U2Self Extension, B.7.6
see also authentication scheme
about, 4.6
see also authorization scheme
multiple searchbases, 5.3.6
SecurID plug-in, 5.4.8
Security Bridge, 5.12.3
Security Bridge plug-in, 5.12.1
Security IDs, B.7.2
Security Provider for WebLogic SSPI, 7.6.1
Select Cluster Type field, 3.6.2
selection filter plug-in, 5.4.8
selection_filter, 5.4.8
server settings
directory servers, 2.3.4
email addresses, 2.3.2
SSO logout URL, 2.3.3
viewing, 2.3.1
see also Access Server
virtual, 3.7.2
session token cache,
Session Token Cache field, 3.3.2
shared secret, 8.4
changing, 8.4.1
configuring, 7.3.2
creating, 8.4
definition, 7.3.2
frequency of reading,
read interval,
who creates, 2.2, 2.2.1
now named Oracle Identity Federation, Preface
silent mode, 3.3.6
Simple mode, 3.4.2, 3.4.3
single sign-on, 3.9
between Identity and Access System, 7.7
configuring, 7
cookies, 7.3
definition, 7.2
issues with IP addresses, 3.5.3
logout from, 2.3.3, 7.4.4
logout from multi-domain, 7.5.3
multi-domain, 7.5
ObSSOCookie, securing, 5.3.11
passing user information, 5.10.3, 6.6.4
prerequisites, 7.1
reverse proxy, 7.4.3
security level for, 5.3.2
single domain, 7.4
single domain, setting up, 7.4.2
triggering authentication actions after signing on,
types of, 7.2.1
using older WebGates, 7.3.2
Sleep For field, 3.4.2, 3.4.3
see also Oracle Access Manager Identity and Common Administration Guide
enabling, 3.3.2, 3.3.2
SNMP Agent Registration Port,
SNMP Agent Registration Port field, 3.3.2
SNMP State field,
see single sign-on
SSO Logout URL, 7.6.2
SSO logout value
cache flush after changing, 2.3.3
State field, 3.4.2
sync records, 8.8
synch records, 8.8
System Console
Identity Server logged you in but the System Console logged you out error, E.1.3


Task overview
Administering a policy domain, 4.2.2
Associating an AccessGate with an Access Server or cluster includes, 3.6.2
configuring a custom logout page, C.2
Configuring form-based authentication, A.1
Create an AccessGate, 3.4
Creating a form for authentication, A.3, A.3
Creating a policy domain, 4.2.3
Creating authorization expressions, 6.1.2
Creating the first policy domain, 4.2.1
Defining and managing authentication schemes, 5.3
Defining authentication and authorization schemes for single sign-on,
Enabling impersonation with a header variable, B.3
Enabling single domain single sign-on, 7.4.2
Implementing multi-domain single sign-on, 7.5
Prerequisite tasks for a Master Administrator, 4.1
Providing customized authorization plug-ins,
Creating an Access Server, 3.3
Setting up impersonation for OWA, B.6
TRACE operation, 4.4.3
traffic, network,
transport security,
changing, caveat for,
configuring from the command line, 3.4.4
for AccessGates, 3.4.3
options, 3.4.2, 3.4.2
password, command line option, 3.4.4
password, configuring, 3.4.4
reconfiguring, 3.4.4
searching based on, 3.4.1
selecting the mode, 3.3.2
when to use the same mode,
Transport Security field, 3.3.2, 3.4.2, 3.4.3
troubleshooting, E, E
typical problems in Oracle Access Manager, E


containing the ObSSOCookie, 7.3
decimal addressing, 3.7.1
deny access to all URLs, 3.4.2
flushing from cache, 8.5
form action URLs, A.3.1.1
logout URLs, 3.4.2, 7.4.4, C, C.1
maximum number in cache, 3.4.2
Oracle Access Manager URLs, unprotecting, 5.2.5
pattern matching symbols, 4.5.4
patterns, how used, 4.5.3
policy domain root URL, 4.1.2
prefix, 4.1.2
prefix reload period,
prefix, how used, 4.5.1
prefixes for, 4.5
protecting Oracle Access Manager URLs, 5.2.5
redirection, 5.10.1, 5.10.3, 6.2.3
Redirection URL field, 5.10.7
SSO Logout URL, 2.3.3, 7.6.2
storing as https,
user credentials in, 7.6
WebGate diagnostic, 3.5.4
URL Prefix Reload Period field, 3.3.2
user cache timeout,,
User Cache Timeout field, 3.3.2
user-defined parameters, 3.4.2,
User-Defined Parameters field, 3.4.2, 3.4.3
access privilege reports, 8.7
authentication and authorization of, 1.2
authentication of, Preface, 1.1
authorization of, Preface, 1.1
deny access to specific user, 6.3.4
filtering inactive users, 5.4.10
flushing from the cache, 8.3.2
inactive, 5.4.10
revoking, 8.3.1


Validate Password Authentication Plug-Ins, A.1.3
validate_password, 5.4.8
about, 5.4.11
for form-based authentication, A.1.3
parameters, 5.4.11
validate_password plug-in, 5.4.8, A.1.3
virtual servers, 3.7.2
virtual Web hosting, 3.7.2


Web forms, A
Web pages
see resource, protecting
Web server hosts
configuring identifiers for, 3.7
WebGate, 1.2
see also AccessGate
Access Server Timeout Threshold, 3.4.2
cache, 3.4.2
CacheControlHeader, 3.4.2, 3.4.3
CachePragmaHeader, 3.4.2, 3.4.3
checking the status of, 3.5.5
configuration polling,
configureWebGate command, 3.4.4
configuring on IE, 3.4.3
definition, 1.2, 3.1
DenyOnNotProtected, 3.4.2
DenyOnNotProtected parameter, 3.4.3
diagnostic URL, 3.5.4
diagnostics, 3.5.4, 3.5.4
IP address validation, 3.5.3
IPValidation, 3.4.2
IPValidationException, 3.4.2
login when a resource is not protected, 3.9.1
login when a resource is protected, 3.9.1
LogOutUrls, 3.4.2, 3.4.3
managing, 3.5
modifying, 3.5.2
polling frequency,
polling frequency, changing,
status, checking, 3.5.5
synchronizing with Access Server, 3.5.1
updates in this release, Preface
user-defined parameters for, 3.4.2, 3.4.3
webgate.dll, 3.5.4
installed on same Web server as Policy Manager, 1.2
what's new in this release, Preface
attribute sharing, Preface
federated authorization, Preface
globalization, Preface
modifying authentication schemes without disabling them, Preface
persistent cookies in authentication schemes, Preface
triggering authentication actions after the ObSSOCookie is set, Preface
WebGate updates, Preface
Wildcard Extension, B.7.4
Windows 2000 plug-in, 5.12.4
Windows Impersonation, B.1
Windows NT plug-in, 5.12.4