If an OAM SSO session times out, the user is redirected to the OAM login form to re-authenticate. When passing the request to the Business Control Center, OAM inserts a new header into the HTTP request that contains the user ID of the authenticated user. Similar to the log in process, this user ID must match the Business Control Center user ID. Once the authenticated user ID is passed to the Business Control Center, the Business Control Center uses this header value to load the user’s profile and make the user active.

If the Business Control Center session times out, yet the OAM SSO is still active, the Business Control Center user will not be required to re-authenticate, but a new application session is created. Note that this may result in session information being lost.

Some parts of the Business Control Center, such as parts of the Asset Manager framework, are built in Flex. Other parts of the Business Control Center use JavaServer Page (JSP) technology. If the Business Control Center user is working in a part of the Business Control Center that was written in Flex, the user will be presented with a dialog box warning that their session is about to expire.