This chapter describes changes and updates to this book. See the following sections for details.
This list of enhancements has been developed for this Oracle Access Management 220.127.116.11.0 release. Where applicable, links to the documentation are included.
The Oracle Access Manager OAuth 2.0 Service provides a standards-compliant OAuth 2.0 authorization server with support for both 3-legged and 2-legged OAuth flows, and enables the OAuth 2.0 Client and the OAuth 2.0 Resource Server roles. It also supports mobile OAuth 2.0 clients (such as native applications on mobile devices) and includes built-in support for mobile application registration and device identification during the OAM OAuth 2.0 mobile flow, ensuring trusted access from mobile devices and built-in server-side single sign-on. It is ideally suited for enterprise scenarios that require higher levels of security during an OAuth flow and that benefit from the built-in OAM integrations provided by the OAM OAuth 2.0 service.
Policy Management Enhancements include:
Right click menu items available for all search result tables
Duplicate Resources, Authentication Policies, Authorization Policies and Token Issuance Policies, and create new objects from the duplicate (Copy of)
Search for the Host Identifier from the Resource page
New Administrator tab in the Application Domain edit screen
New Advance Rules tab (with Pre-Authentication and Post-Authentication sub tabs) in Authentication Policy
For Granular Timeout and cookie-based session management, see Maintaining Access Manager Sessions
SHA2 encryption for all WebGate servers
Configuring Persistent Login (Remember Me)
Support added for Internet Protocol version 6 (IPv6)
The following list outlines the enhancements available with Oracle Access Management 18.104.22.168.0.
Newly certified integrations described in:
Chapter 53: Outlook Web Application (OWA) 2010
Chapter 54: Microsoft Forefront Threat Management Gateway (TMG) 2010
Chapter 55: SAP Enterprise Portal v6.0 and v7.0
Authentication POST Data preservation and restoration is explained in: "Configuring Authentication POST Data Handling".
Long URL handling is explained in "Long URL Handling During Authentication".
Step up authentication is described in "Creating and Managing Step-Up Authentication".
Language selection on Login page is described in "Choosing a User Login Language".
Configurable Webgate Request Context Cookie Expiry Time is explained in:
Oracle Access Management 22.214.171.124.0 provides new functions and enhancements outlined in the following topics.
The following information has been added or updated:
Chapter 1: Added "System Requirements and Certification".
Chapter 2: Removed (redundant); subsequent chapter numbers have changed.
Chapter 3: Moved password policy, refocused for ECC, into Chapter 16 with other authentication details.
Chapter 6: Added descriptions of loggers to:
Chapter 12: Re-focused for 11g OAM Agents (Webgates and Access Clients).
Combined console and remote registration for 11g OAM Agents.
Moved "Configuring 11g WebGates and Authentication Policy for DCC" to chapter 16.
Chapter 16: Relocated authentication details with other shared policy components:
Refocused and moved from chapter 3: "Managing Global Password Policy"
Moved "Configuring 11g WebGates and Authentication Policy for DCC" from chapter 3.
Chapter 20: Relocated OpenSSO Agent registration and management details here.
Chapter 20: Relocated OSSO Agent registration and management details here.
Chapter 22: Expanded 10g OAM Agent details to include console and remote registration updates, and logout with Access Manager.
Appendix A: Relocated to relevant logout configuration details.
This book has been updated to address reported issues. Global updates include cosmetic changes and updated screens.
See Also: The following topics are new or updated in this release.
Table 20-17, "Fresh OSSO Installation: Protected Policy Response (Header)" for details about obtaining subscriber DN information from Oracle Internet Directory.
Section 31.3.1, "Creating Remote Identity Provider Partners" for details about defining OpenID 2.0 IdP partners for federation.
Several previously separate access products of the Oracle Identity Management portfolio are combined into one product: Oracle Access Management.
The Access Tester can validate the connections in the pool and send cache flush (SYNC_INFO) requests over a connection that is already established, instead of using an out-of-band connection for cache flush requests.
Authorization conditions enable you to implement dynamic security policies; this resulted in changes to the Policy Configuration interface in the Oracle Access Management Console:
Authorization Conditions: The earlier Constraint class is renamed as a Condition Type. Conditions contain no Allow or Deny specification; instead, new Rules specify Allow or Deny access options.
A new condition type: Attribute.
See Also: "About Attribute Conditions"
The Implied Constraints option in policies is replaced: you now create particular condition types by instantiating them and selecting rules.
Standard Authentication Modules (LDAP, Kerberos, and X509) are targeted for deprecation in future releases. Oracle strongly recommends using native or custom Plug-ins rather than standard Authentication Modules.
See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management if you want to create custom authentication plug-ins.
Detached credential collection is an additional capability of the 11g Webgate (OAM Agent). It is required for secure dynamic multi-factor/multi-step authentication. You can enable the 11g Webgate to act as a DCC, or continue using the embedded credential collector (ECC) in the OAM Server.
Multi-factor authentication requires a custom authentication plug-in to transmit information to the back-end authentication scheme several times during the login process. All information collected by the plug-in and saved in the context will be available to the plug-in through the authentication process. Context data can also be used to set cookies or headers in the user's login page.
Identity Context leverages the context-aware policy management and authorization capabilities built into the Oracle Access Management platform. Identity Context secures access to resources using traditional security controls (roles and groups) as well as dynamic data established during authentication and authorization (strength, risk levels, device trust, and so on).
See Also: Chapter 48, "Using Identity Context"
Details of integrating Access Manager with third-party products have moved from the earlier Oracle Fusion Middleware Integration Guide for Oracle Access Manager to this book. The following integrations are supported:
See Also: Part I, "Integrating Access Manager with Other Products"
Access Manager authorization conditions accept a list of users, groups, and LDAP search filters as part of allowed or denied identities. LDAP search filters provide a simple way of specifying a target identity population without having to reorganize or create new groups in the identity store (directory server). This brings Access Manager 11g to parity with Oracle Access Manager 10g.
Access Manager supports personal identity verification (PIV) cards (a United States Federal smart card) by using the FASC-N and EDIPI attributes from the SubjectAltName extension to map the user during X.509 authentication. While multiple OCSP providers are not supported, you can use an OCSP Gateway or write a custom authentication plug-in that uses the OSDT OCSP APIs to validate against multiple OCSP providers.
Mobile and Social serves as an intermediary between a user seeking to access protected resources and the back-end Oracle Access Management and Oracle Identity Management services that protect those resources. The pluggable architecture of Mobile and Social services enables Administrators to add, modify, and remove Identity and Access Management services without having to update user-installed software.
Administrators can install multiple user identity stores for Access Manager. Each identity store can rely on a different LDAP provider. Each authentication module (or plug-in within an authentication step) can be configured to use a specific user identity store.
Access Manager supports Web and Java Agents deployed on Web or J2EE containers. Each OpenSSO Agent is a filter that is plugged into the container (Oracle WebLogic Server, JBoss, Apache, and so on) that hosts applications.
Access Manager provides an OpenSSO Proxy to handle requests for resources protected by OpenSSO Agents. The Oracle-provided OpenSSO Proxy facilitates single sign-on to OpenSSO Agent-protected applications by enabling communication between the agent and the OAM Server.
Access Manager enables password policy management through the Oracle Access Management Console. The global password policy applies to Access Manager users when the Password Policy Validation Module is implemented. The password policy is stored within the policy store and applies to all resources protected by Access Manager.
The Policy Model supports Query String Name and Value Parameters in a Resource Pattern Definition:
A TokenServiceRP type resource represents resources for, and is based on, the Token Service Relying Party (required for non-browser clients such as Identity Connect).
Oracle Access Management supports programmatic RESTful services.
Custom Access Clients developed using the Access Manager 11g Access Software Developer Kit support the 11g Shared Secret Key Per Agent (Webgate or Access Client) security feature. Each agent has its own secret key that is shared between the Access Client and the OAM Server to encrypt or decrypt the host-based Access-Client-specific OAMAuthnCookie. Even if one Access Client is compromised, the impact is limited to that particular Access Client; no other Access Clients are affected.
Note: There is no impact to existing 10g ASDK users. Oblix class wrappers can be modified to create Access Client instances in 10g mode transparently. However, to operate in 11g-compatible mode, the Oracle Java APIs should be used.
Access Manager 11g Pure Java ASDK provides both Oracle Java APIs (in oracle.security.am.asdk packages) and Oblix Java APIs (in com.oblix.access packages). Access Manager 11g Pure Java Access Clients:
Communicate with OAM Servers using Oracle Java APIs and either Oracle Access Protocol version 3 or version 4 (which supports the Shared Secret Key Per Webgate security feature)
Communicate with 10g Servers using Oblix Java APIs and Oracle Access Protocol version 3 only (with no support for SSKPA)
A Token Issuance Policy is required for Mobile and Social clients that perform authentication and authorization.
See Also: Part I, "Managing Oracle Access Management Mobile and Social" for details about the Mobile and Social Authentication Service
A survey of topics is provided to help tune a deployed Oracle Access Management environment to ensure optimal performance and stability.
11g Webgate works with browser clients. However, there are cases where a non-browser client, such as a Representational State Transfer (REST) client, needs to access HTTP resources and perform authentication and authorization.
Oracle Access Management introduced some product and component name changes, as shown in the following table.
| Item | In Oracle Access Management 11.1.2 | In Oracle Access Management 11.1.1 |
| --- | --- | --- |
|  | Security Token Service; Mobile and Social; Identity Context (always enabled) | Security Token Service |
| Agents | Webgate (OAM Agent); Access Client (OAM Agent) | Webgate (OAM Agent); Access Client (OAM Agent) |
| Console Names | Oracle Access Management Console | Oracle Access Manager Console |
| Administrators | Administrator or Oracle Access Management Administrator | Oracle Access Manager Administrator |
| Agent and Application Domain Registration | Oracle Access Management Console; Remote registration tool for automated Agent registration and Application Domain creation with default security policies | Oracle Access Manager Console; Remote registration tool |
| Authorization | Conditions and Rules | Constraints |