List of Figures
1-1 Oracle Access Management Overview
1-2 Access Manager 11g Components and Services
1-3 Access Manager 11g Component Distribution
1-4 Oracle STS Architecture
1-5 Oracle STS Token Support
1-6 Token Translation at a Centralized Authority
1-7 Translating Tokens Behind a Firewall
1-8 Web Services SSO
2-1 Default Oracle Access Management Console Log In Page
2-2 Sign Out Link, Oracle Access Management Console
2-3 Oracle Access Management Console Welcome Page
2-4 Navigation Trees with Menu and Tool Bars
2-5 Menu and Tool Bar Above Common Configuration Navigation Tree
2-6 View Menu
2-7 Actions Menu
2-8 Tabs of Open Pages, and Page Controls
2-9 Sample OAM Agent Search Page
3-1 Common Configuration Nodes in the System Configuration
3-2 System Configuration, Available Services Page (right)
3-3 Common Settings Page (Collapsed View)
3-4 Common Coherence Settings
3-5 OCSP/CDP Settings for Global Certificate Validation
3-6 Certificate Revocation List Dialog Box
4-1 Creating User Identity Store Registration
4-2 System Store Registration
4-3 Default and System Store Options within a Registration Page
4-4 Designated Store within a Registration Page
4-5 Common Settings Page: Default and System Identity Stores
4-6 System Store Registration with Access System Administrators Section
4-7 Add System Administrator Roles
5-1 OAM Server Registration Page with Proxy Tab Displayed
5-2 Coherence Page and Values for an Individual OAM Server
7-1 Log-Level Activation in the Default Log Configuration File
8-1 Audit to Database Architecture
8-2 Common Settings: Auditing Configuration
9-1 Server Processes Overview Page
9-2 OAM Server Metrics: Session Operations Monitoring Page
9-3 OAM Server Metrics: Server Operations Tab
9-4 OAM Server Metrics: OAM Agents Tab
9-5 OAM Agent Metrics: Monitoring Characteristics
9-6 OAM Agent Metrics: Detached Connectivity Table
9-7 OAM Agent Metrics: Detached Operations Overview Table
9-8 OAM Agent Metrics: Detached Operations Detail Table
9-9 OAM Agent Metrics: Detached Information Table
9-10 OSSO Agent Monitoring Page with Operation Details
9-11 OSSO Agent Monitoring Process Overview Table
9-12 OSSO Agent Information Table
10-1 Fusion Middleware Control (AS-Control) Deployment Architecture
10-2 OAM Farm Page in Fusion Middleware Control
10-3 Farm Navigation Tree in Fusion Middleware Control
10-4 Node Information Page in Fusion Middleware Control
10-5 Application Deployment Summary for the Selected Internal Application
10-6 Application Deployment Menu
10-7 WebLogic Server Domain Summary with Context Menu Exposed
10-8 Cluster Page
10-9 Key Metrics for Server Pages
10-10 Aggregated Access Manager Component Metrics for the Cluster
10-11 Access Manager Component Metrics for a Single OAM Server Instance
10-12 Aggregated STS Component Metrics for the Cluster
10-13 STS Component Metrics for an Individual OAM Server Instance
10-14 Performance Summary Command
10-15 Performance Summary Page with Metric Palette
10-16 Access Manager Log Levels on the Log Configuration Tab
10-17 Log Levels for Security Token Service
10-18 Log Files Configuration Page
10-19 Typical Log Messages Page in Fusion Middleware Control
10-20 System MBean Browser and Attributes Tab
10-21 Routing Topology with Context Menu
11-1 Access Manager Settings
11-2 Access Manager Settings: Load Balancer
11-3 Access Manager Settings: Server Error Mode
11-4 Access Manager Settings: SSO
11-5 Common Policy Evaluation Caches
13-1 Create OAM 11g Webgate Page
13-2 Confirmation Window and Expanded 11g Webgate Page with Defaults
13-3 Webgate Search Controls and Create ... Buttons
13-4 Key Generation
14-1 Session Data and the Role of Oracle Coherence
14-2 Session Details: Common Settings Page
14-3 Common Configuration: Session Management Page
15-1 Access Manager 11g Policy Model
15-2 Access Manager Shared Policy Components
15-3 Anatomy of Access Manager Policies
15-4 SSO Log-in with Embedded Credential Collector and OAM Agents
15-5 Example: Separate Resource Webgate and DCC Webgate Deployment
15-6 Combined DCC and Webgate Configuration
15-7 SSO Login Processing with OSSO Agents and ECC
16-1 Default HTTP Resource Type Definition
16-2 Default Resource Type wl_authen
16-3 Default Resource Type TokenServiceRP
16-4 Host Identifier Page
16-5 Native Kerberos Authentication Module
16-6 Native LDAP Authentication Module
16-7 Native X509 Authentication Module
16-8 Access Manager Plug-ins for Customized Authentication Modules
16-9 Creating Custom Authentication Modules: General
16-10 Adding a Step and Associating a Plug-in
16-11 Plug-in Based Authentication Module Steps and Details
16-12 Steps Orchestration for Plug-in Based Authentication Modules
16-13 Oracle-provided Plug-in Based Authentication Modules
16-14 KerberosPlugin
16-15 Default KerberosPlugin Steps and Details
16-16 Default KerberosPlugin Steps and Orchestration
16-17 LDAPPlugin
16-18 Default LDAPPlugin Steps and Details
16-19 Default Orchestration of Steps for LDAPPlugin
16-20 X509Plugin
16-21 X509Plugin Default Steps and Details
16-22 Default Orchestration for X509Plugin Steps
16-23 Password Policy Validation Module Plug-ins
16-24 Steps Orchestration: Password Policy Validation Plug-ins
16-25 Plug-ins Page
16-26 Plugin Details: Activation Status of Selected Plug-in
16-27 Default LDAPScheme Page
16-28 Password Policy Configuration Page
16-29 Default Store with New Administrator Designated
16-30 Password Policy Validation Authentication Module with Orchestrated Plug-ins
16-31 Step Orchestration for Password Policy Validation Module
16-32 Sample ECC PasswordPolicyValidationScheme
16-33 Server Error Mode for Password Management
17-1 Application Domains Search Page
17-2 Summary Tab: Generated Application Domain
17-3 Search Results for Resources in an Application Domain
17-4 Authentication Policies Tab
17-5 Authentication Policy Page: Resources and Responses
17-6 Authorization Policies Page
17-7 Individual Authorization Policy Page
17-8 Individual Authorization Policy Resources tab
17-9 Token Issuance Policies Page
17-10 Fresh Application Domain Summary Page
17-11 Fresh Resources (Definition) Page in the Application Domain
17-12 HTTP Resources, Query String Resource URL Controls
17-13 Sample Resource Definitions Search within an Application Domain
17-14 Sample Search Results for Resource Definitions in an Application Domain
17-15 Sample Authentication Policies Page in the Application Domain
17-16 Sample Individual Authentication Policy Page
17-17 Sample Individual Authorization Policy Page
17-18 Authorization Policies Page
17-19 Authorization Policy Response in the Console
17-20 Simple Response Samples
17-21 Complex Response Sample
17-22 Individual Authorization Policy Conditions Tab
17-23 Add Condition Window
17-24 Condition Containers on the Authorization Policy Page
17-25 Add Identities Window
17-26 Identity Condition and Details
17-27 Add Search Filter Controls
17-28 Identity Conditions: Details
17-29 IP4 Range Conditions
17-30 Temporal Condition Type Details Page
17-31 Attribute Conditions Page
17-32 Add Attributes Dialog
17-33 Authorization Policy Rules Tab: Simple Mode
17-34 Rules Tab: Expression Rule Mode
18-1 OAM Agent (PEP) and OAM Server (PDP) Inter-operability
18-2 User Interactions with the Access Tester
18-3 Access Tester Console
18-4 Server Connection Panel in the Access Tester
18-5 Protected Resource URI Panel in the Access Tester
18-6 Access Tester User Identity Panel
18-7 Test Case Workflow
20-1 Typical Deployment with OpenSSO and Access Manager
20-2 New OpenSSO Agent Page
20-3 Expanded OpenSSO Web Agent Registration Page
20-4 Expanded OpenSSO J2EE Agent Registration Page
21-1 Create OSSO Agent Page
21-2 OSSO Agent Page and Confirmation Window
27-1 Available Services Page
28-1 New Identity Provider Page, Service Details Loaded from Metadata
28-2 New Identity Provider Page, Service Details Entered Manually
28-3 Searching for Identity Providers
28-4 Updating an Identity Provider
29-1 Identity Federation Service Settings Page
29-2 General Section of Federation Settings Page
29-3 Federation Proxy Settings
29-4 Keystore Settings
30-1 FederationScheme
30-2 FederationPlugin
30-3 FederationPlugin Orchestration
30-4 Setting Up the Authentication Policy with FederationScheme
30-5 OIFScheme
30-6 OIFMTLDAPPlugin
30-7 Authorization Policy Response Tab
30-8 Adding a Federation Response Attribute to an AuthZ Policy
31-1 Typical Token Ecosystem
31-2 Identity Propagation with the OAM Token
31-3 Process Flow During Identity Propagation
31-4 Identity Propagation Deployment
31-5 Identity Propagation Processing
31-6 Required v1.0 WebLogic Server Identity Assertion Providers
31-7 IAP-Security Token Service Details
31-8 LDAP Provider: IAP-DSEE
31-9 Default Identity Store Defined in Access Manager
31-10 Token Issuance Policy for Identity Propagation
31-11 /wssuser Endpoint for Identity Assertion
31-12 Default Identity Store Defined for Access Manager
31-13 Token Issuance Policy for Identity Propagation
31-14 /wss11user Endpoint for Identity Assertion
32-1 Default Endpoints, Policies, and Validation Templates
32-2 WS-Security 1.0 and 1.1 Policies
32-3 Available Services Panel
32-4 Security Token Service Page
34-1 Validation Templates Search Controls
34-2 Issuance Template Search Controls
34-3 Issuance Template: General Details and Defaults
34-4 Issuance Properties: Username Token Type
34-5 Issuance Properties: SAML Token Types
34-6 Security Details: SAML Tokens
34-7 New Validation Template page: General Page Defaults
34-8 New Validation Template: General Authentication Details
34-9 Token Mapping: SAML2 WS-Security Validation Template
34-10 Token Mapping, username-wstrust-validation-template
34-11 Token Mapping: x509-wss-validation-template
34-12 Endpoints Page
34-13 Token Issuance Policies and Conditions
34-14 Pre-defined Resource Type: TokenServiceRP
34-15 Search: Resource Type TokenServiceRP in Application Domain
34-16 New Custom Token Page
34-17 Custom Token Definition: email
34-18 Custom Tokens Search Page and Controls
34-19 General Details: email-wstrust-valid-temp
34-20 Token Mapping: email-wstrust-valid-temp
34-21 General Details: email-issuance-temp
34-22 Issuance Properties: email-issuance-temp
35-1 New Requester Partner Page
35-2 New Relying Party Partners Page
35-3 Defined Requester Partner
35-4 Partner Search Controls
35-5 Requester Profile: General
35-6 Requester Profile: Token and Attributes
35-7 Relying Party Profile Token and Attributes
35-8 Token and Attributes: Issuing Authority
35-9 Issuing Authority Profile: Token Mapping Tab
35-10 Search Profiles Page: Requester
37-1 First Time Device/Application Registration and Authentication Process
37-2 Mobile SSO Agent Requests Access Token from Access Manager
37-3 Mobile SSO Agent Has Valid Access Token in Credential Store
37-4 Mobile SSO Agent Does Not Have Valid Access Token in Credential Store
37-5 User Authentication Using REST
37-6 Authenticating User From Browser-based Web App on Registered Mobile Device
37-7 Authenticating a Returning User with a Local Account
37-8 Authenticating a New User with No Local Account
37-9 Authenticating a User With an OAuth Identity Provider
37-10 Authenticating a User with Access Manager
37-11 Authenticating a User Locally
41-1 End to End Identity Context Process
41-2 End To End Identity Context Process Components
41-3 Identity Context Process Flow
41-4 OAM Authentication Provider Configuration
44-1 Various Clients Deployed on JBoss Application Server
44-2 JBoss Agent Deployed with an Oracle HTTP Server Webgate
44-3 Sample Integration Topology
45-1 Setting up a Trusted User Account for Windows Impersonation
45-2 Configuring Rights for the Trusted User in Windows Impersonation
45-3 Registering the Impersonation Module
45-4 Verifying Event Viewer Settings
45-5 Impersonation Authentication
C-1 Communication Channels for OAM Servers and Webgates
D-1 IAMSuiteAgent Settings in the WebLogic Administration Console
D-2 IAMSuiteAgent Registration
D-3 Resources Protected by the IAMSuiteAgent
D-4 IAMSuite Authentication Policy: OAM Admin Console Policy
D-5 Protected HigherLevel Policy: Authentication, LDAP Scheme
D-6 Protected LowerLevel Policy: Authentication, OIMScheme
D-7 Public Policy: Authentication, AnonymousScheme
D-8 IAM Suite Authorization Policy
D-9 IAM Suite Token Issuance Policy and Resource URLs
D-10 Generated Authentication Module: OpenSSOAgentAuthPlugin
D-11 Generated Host Identifier: OpenSSOAgent
D-12 Generated Application Domain: OpenSSOAgent
D-13 Application Domain Resources: OpenSSOAgent
D-14 Generated Authentication Policy: OpenSSOAgent Application Domain
D-15 Generated Authorization Policy: OpenSSOAgent Application Domain
D-16 Migrated User Identity Store: OpenSSO
D-17 Migrated Agent: OpenSSO
D-18 Migrated Authentication Module: OpenSSO
D-19 Migrated Host Identifier: OpenSSO
D-20 Migrated Application Domain: OpenSSO
D-21 Migrated Resources: OpenSSO
D-22 Migrated Authentication Policy: OpenSSO
D-23 Migrated Authorization Policy2 Condition: OpenSSO
D-24 Migrated Authorization Policy2: IP Condition Details