1 Introduction to Oracle Adaptive Access Manager

Oracle Adaptive Access Manager protects companies exposing Web applications and services, and their end users from online threats and insider fraud. Oracle Adaptive Access Manager provides risk-aware authentication, real-time behavior profiling, and transaction and event risk analysis.

Oracle Adaptive Access Manager contains functionality in two major areas as summarized in Table 1-1.

Table 1-1 Oracle Adaptive Access Manager Functionality

Functionality Description

Real-time or offline risk analysis

Oracle Adaptive Access Manager provides functionality to calculate the risk of an access request, an event or a transaction, and determine proper outcomes to prevent fraud and misuse. A portion of the risk evaluation is devoted to verifying a user's identity and determining if the activity is suspicious.

Functionality that supports risk analysis includes:

  • Rules Engine

  • Entities

  • Transactions

  • Patterns

  • Alerts

  • Actions

  • Configurable actions

End-user facing functionality to prevent fraud

Oracle Adaptive Access Manager protects end users from phishing, pharming, and malware. The virtual authentication devices secure credential data at the entry point; this ensures maximum protection because the credential never resides on a user's computer or anywhere on the Internet where it could be stolen. In addition, Oracle Adaptive Access Manager provides interdiction methods including risk-based authentication, blocking, and configurable actions that interdict in other systems.

Functionality that supports end-user facing security includes:

  • Virtual authentication devices

  • Knowledge-Based Authentication (KBA)

  • OTP Anywhere

  • Security policies

This chapter provides an overview of Oracle Adaptive Access Manager 11g and includes the following topics:

  • Benefits of Oracle Adaptive Access Manager

  • Oracle Adaptive Access Manager Features

  • Oracle Adaptive Access Manager User Roles

  • Oracle Adaptive Access Manager Integrations

  • Oracle Adaptive Access Manager Architecture

1.1 Benefits of Oracle Adaptive Access Manager

Oracle Adaptive Access Manager is a security solution to protect the enterprise and its end users of the Web applications and services it exposes.

Oracle Adaptive Access Manager provides:

  • Risk-aware authentication

  • Authentication security

  • Real-time and offline risk analytics

  • Flexible deployment options

  • Out-of-the-box integrations with single sign-on and identity management

1.2 Oracle Adaptive Access Manager Features

Adaptive access systems can provide the highest levels of security with context-sensitive online authentication and authorization. Thus, situations are evaluated and proactively acted upon based on various types of data.

This section outlines key components used for fraud monitoring and detection.

Dashboard
The Oracle Adaptive Access Manager Dashboard is a unified display of integrated information from multiple components in a user interface that organizes and presents data in a way that is easy to read.

The Oracle Adaptive Access Manager dashboard presents monitor-data views of key metrics. Administrators can easily see up-to-the-minute data on application activity from a security perspective. The reports that are presented help users visualize and track general trends.

Case Management

Oracle Adaptive Access Manager provides a framework and set of tools for investigators and customer service representatives.

The Case Management feature of Oracle Adaptive Access Manager is used in two ways.

  • Users of the enterprise using Oracle Adaptive Access Manager can call the enterprise asking for assistance with customer-facing features of Oracle Adaptive Access Manager such as images, phrases, or challenge questions, or any issues with their account. The CSR uses Case Management to create a case which records all the actions performed by the CSR to assist the user as well as various account activities of the user.

  • The Case Management feature is also used by Fraud Investigators to investigate potentially fraudulent activity performed on user accounts.

Knowledge-Based Authentication

Oracle Adaptive Access Manager provides out-of-the-box secondary authentication in the form of knowledge-based authentication (KBA) questions. The KBA infrastructure handles question registration, answer collection, and the challenge process. Since KBA is a secondary authentication method, it is presented only after successful primary authentication.

KBA is used to authenticate an individual based on knowledge of personal information, substantiated by a real-time interactive question and answer process.

Oracle Adaptive Access Manager's Rules Engine and organizational policies are responsible for determining if it is appropriate to use challenge questions to authenticate the customer.

Policy Management

Policies and rules can be used by organizations to monitor and manage fraud or to evaluate business elements.

The policy and rules are designed to handle patterns or practices, or specific activities that you may run across in the day-to-day operation of your business.

Using Oracle Adaptive Access Manager, you can define when the collection of rules is to be executed, the criteria used to detect various scenarios, the group to evaluate, and the appropriate actions to take when the activity is detected.

Configurable Actions

Configurable actions are actions triggered after a checkpoint executes, based on the resulting action, the risk score, or both.

Java classes and action templates for certain configurable actions are provided out-of-the-box, but you have the option to create configurable actions based on business requirements.
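The Policy Management and Configurable Actions passages above describe a checkpoint whose rules carry criteria, scores, result actions and alerts, with configurable actions fired on the result action or risk score. The following is an added toy model of that flow, not OAAM's own API: the checkpoint name, rule names, scores, thresholds and the sample access request are all constructed for illustration.

```python
# Added example, not OAAM's own API: a toy checkpoint policy with rules (criteria,
# scores, result actions, alerts) and configurable actions. All values are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional

ACTION_RANK = {"Allow": 0, "Challenge": 1, "Block": 2}  # the strongest triggered action wins

@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]   # criterion evaluated against the access request
    score: int                          # risk score contributed when the rule triggers
    action: str = "Allow"               # result action the rule requests
    alert: Optional[str] = None         # alert raised for investigators, if any

@dataclass
class ConfigurableAction:
    name: str
    min_score: Optional[int] = None     # fire when the risk score reaches this ...
    on_action: Optional[str] = None     # ... and/or when this result action is chosen

@dataclass
class Checkpoint:
    name: str
    rules: list                         # the policy evaluated at this checkpoint
    configurable_actions: list = field(default_factory=list)

    def evaluate(self, request: dict) -> dict:
        triggered = [r for r in self.rules if r.condition(request)]
        score = max((r.score for r in triggered), default=0)
        action = max((r.action for r in triggered), key=ACTION_RANK.get, default="Allow")
        fired = [c.name for c in self.configurable_actions
                 if (c.min_score is None or score >= c.min_score)
                 and (c.on_action is None or c.on_action == action)]
        return {"checkpoint": self.name, "score": score, "action": action,
                "alerts": [r.alert for r in triggered if r.alert], "configurable_actions": fired}

POST_AUTH = Checkpoint("post-auth", rules=[
    Rule("unknown_device", lambda r: not r["device_known"], 500, "Challenge"),
    Rule("impossible_travel", lambda r: r["km_moved"] > 3000 and r["hours_elapsed"] < 2, 900, "Block", "Impossible travel"),
    Rule("high_value_transfer", lambda r: r["transfer_amount"] > 10000, 700, "Challenge", "High-value transfer"),
], configurable_actions=[
    ConfigurableAction("notify_fraud_team", min_score=600),
    ConfigurableAction("open_case", on_action="Block"),
])

def evaluate_sample() -> dict:
    # Constructed request: new device, 8000 km from a login one hour earlier, small transfer.
    return POST_AUTH.evaluate({"device_known": False, "km_moved": 8000, "hours_elapsed": 1, "transfer_amount": 250})
```

The sample request trips two rules; the Block action and the 900 score each fire a configurable action, while the unrelated high-value rule stays silent.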

Transaction Definition

A transaction is any process a user performs after successfully logging in. Examples of transactions include making a purchase, paying a bill, transferring money, trading stock, and changing an address.

With each type of transaction, different types of details are involved.

Before the client-specific transaction with its corresponding entities can be captured and used for enforcing authorization rules, fraud analysis, and so on, it must be defined and mapped. Oracle Adaptive Access Manager's Transactions feature allows administrators to perform this task.

With the Transaction Definition feature, an administrator is able to create entity and data element definitions and map them to the client-specific data (source data).

Reporting
Reporting is available through Oracle Adaptive Access Manager. A limited license of Oracle Business Intelligence Publisher is included for customizable reporting capabilities.

Oracle Identity Management BI Publisher Reports uses Oracle BI Publisher to query and report on information in Oracle Identity Management product databases. With minimal setup, Oracle Identity Management BI Publisher Reports provides a common method to create, manage, and deliver Oracle Identity Management reports.

The report templates included in Oracle Identity Management BI Publisher Reports are standard Oracle BI Publisher templates—though you can customize each template to change its look and feel. If schema definitions for an Oracle Identity Management product are available, you can use that information to modify and generate your own custom reports.

1.3 Oracle Adaptive Access Manager User Roles

The audience for the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager includes:

Table 1-2 Oracle Adaptive Access Manager User Roles

Role Description

Security Investigators and Customer Service Representatives

Security investigators and customer service representatives (CSRs) use Oracle Adaptive Access Manager's case management tools to handle security and customer cases daily. They have detailed knowledge about user activity and security issues. Analysts work with security investigators and CSRs to identify the policies that require adjustment and new policies that need to be created.

Business/Security Analyst

Analysts gather intelligence from various sources to identify business and security needs and develop requirements to address them. Their sources for intelligence include investigators, industry reports, antifraud networks, compliance mandates, and company policies.

Security Administrator

Administrators plan, configure and deploy policies based on the requirements from analysts.

System Administrator

A system administrator configures environment-level properties and transactions.

Quality Assurance

Quality Assurance (QA) tests the policies to confirm that they meet requirements.

1.4 Oracle Adaptive Access Manager Integrations

This section provides a brief summary of the following integrations:

  • Native Integration

  • Reverse Proxy Integration

  • Access Management Integration

  • SAML Integration

1.4.1 Native Integration

The server portion of Oracle Adaptive Access Manager can be natively integrated with a web application. In the native integration, the application invokes the Oracle Adaptive Access Manager APIs directly to access risk and challenge flows.

The two flavors of native integration are:

  • SOAP/Web Services Integration

    The web application communicates with OAAM Admin using the Oracle Adaptive Access Manager Native Client API or through Web Services.

  • Static Linked (In Proc) Integration

    The native integration involves only local API calls and therefore no remote server risk engine calls. The integration embeds the processing engine for OAAM Admin with the application and enables it to leverage the underlying database directly for processing.

Both flavors use the same APIs, but during a checkpoint, the appropriate option can be chosen by configuring the properties.

1.4.2 Reverse Proxy Integration

The Oracle Adaptive Access Manager reverse proxy option is a proxy-based deployment of the OAAM Admin and OAAM Server that requires little or no integration with enterprise applications.

A proxy intercepts site traffic and routes it through OAAM Admin for strong authentication and fraud detection and prevention.

1.4.3 Access Management Integration

Oracle Adaptive Access Manager is integrated or used along with an access management product. This option uses both OAAM Server and OAAM Admin applications.

1.4.4 SAML Integration

In this option, the customer can use Oracle Adaptive Access Manager as an authentication service provider. Oracle Adaptive Access Manager authenticates users against LDAP or other supported authentication mechanisms, generating SAML assertions on success.

1.5 Oracle Adaptive Access Manager Architecture

Oracle Adaptive Access Manager can be installed in an n-tier deployment to allow horizontal as well as vertical scalability.

Figure 1-1 shows the relationship between the Internet, the Web/Application Server that hosts OAAM Admin and OAAM Server, and the database that stores Oracle Adaptive Access Manager's data. The Web server accepts requests from the browser and forwards all site traffic to the Oracle Adaptive Access Manager engine for processing. To store and retrieve configuration data, the processing engine of OAAM communicates with the database through the JDBC or JNDI driver. The Application Server is able to access and store data in the database at all times.

1.5.1 Architectural Scenario for Deployment

Figure 1-1 depicts an architectural scenario for deployment.

In this scenario, the Oracle Adaptive Access Manager tiers are separated for performance and scalability, with horizontal scalability for OAAM Admin and the database.

Figure 1-1 Sample deployment scenario for performance and scalability

This illustration shows a sample deployment.