1.3 About Access Manager

The following sections provide details on the features available (and not available) in Access Manager

1.3.1 Features of Access Manager

Table 1-2 provides an overview of Access Manager 11.1.2. For a list of names that have changed with 11.1.2, see "Product and Component Name Changes with 11.1.2".

Table 1-2 Features in Access Manager 11.1.2

Access Manager 11g Description

Oracle Identity Management Infrastructure

Enables secure, central management of enterprise identities

Policy Enforcement Agents

Resides with the relying parties and delegate authentication and authorization tasks to OAM Servers


Nine Administrator languages are supported.

Unless explicitly stated, the term "Webgate" refers to both an out of the box Webgate or a custom Access Client.

See Introduction to Agents and Registration for an introduction to agents.

Server-side components

OAM Server (installed on a WebLogic Managed Sever)


Oracle Access Management Console provides access to all services and configuration details.

See Getting Started with Oracle Access Management.

Protocols for information exchange on the Internet

  • Front-channel protocols exchanged between Agent and Server are HTTP and HTTPS.

  • Back-channel protocols: Authenticated clients can perform session operations using enhancements in the Oracle Access Protocol (OAP).


Provides support for legacy systems

See Also: About the Embedded Proxy Server and Backward Compatibility and the new Managing Oracle Access Management Oracle Access Portal

Cryptographic keys

Note: One key is generated and used per registered mod_osso or 11g Webgate. However, one single key is generated for all 10g Webgates.

Keys storage

  • Agent-side: A per-agent key is stored locally in the Oracle Secret Store in a wallet file

  • OAM Server-side: Per- agent keys, and server keys, are stored in the credential store on the server side

Encryption / Decryption (The process of converting encrypted data back into its original form)

Introduces client-side cryptography and ensures that cryptography is performed at both the agent and server ends:

  1. Webgate encrypts obrareq.cgi using the agent key.

    Note: obrareq.cgi is the authentication request in the form of a query string redirected from Webgate to OAM Server.

  2. OAM Server decrypts the request, authenticates, creates the session, and sets the server cookie.

  3. OAM Server also generates the authentication token for the agent (encrypted using the agent key), packs it in obrar.cgi with a session token (if using cookie-based session management), authentication token and other parameters, then encrypts obrar.cgi using the agent key.

    Note: obrar.cgi is the authentication response string redirected from the OAM Server to Webgate.

  4. Webgate decrypts obrar.cgi, extracts the authentication token, and sets a host-based cookie.

Policy Store

Database in production environments; file-based in demonstration and development environments, as described in "Managing the Policy and Session Database".


An application that delegates authentication and authorization to Access Manager and accepts headers from a registered Agent.

Note: External applications do not delegate authentication. Instead, these display HTML login forms that ask for application user names and passwords. For example, Yahoo! Mail is an external application that uses HTML login forms.

SSO Engine

Manages the session lifecycle, facilitates global logout across all relying parties in the valid session, and provides consistent service across multiple protocols. Uses Agents registered with Access Manager 11g:

  • Authentication with the default embedded credential collector occurs across the HTTP (HTTPS) channel

  • Authentication with the optional detached credential collector occurs across the Oracle Access Protocol (OAP) channel

  • Authorization occurs across the Oracle Access Protocol (OAP) channel

See: Understanding Single Sign-On with Access Manager

Session Management

Global session specifications are enabled for all Application Domains and resources. In addition, Application Domain-specific session overrides can be configured.

See Maintaining Access Manager Sessions.


Registered agents rely on Access Manager authentication, authorization, and token issuance policies to determine who gets access to protected applications (defined resources).

See: Managing Policies to Protect Resources and Enable SSO

Client IP

Maintains this client's age, and includes it in the host-based cookie: OAMAuthnCookie for 11g Webgate (or ObSSOCookie for 10g Webgate)

Response token replay prevention

Include RequestTime (the timestamp just before redirect) in obrareq.cgi and copy it to obrar.cgi (the authentication response string redirected from the OAM Server to Webgate) to prevent response token replay.

Multiple network domain support

Access Manager 11g supports cross-network-domain single sign-on out of the box.

Oracle recommends you use Oracle Federation for this situation.


Host-based authentication cookie:

  • 11g Webgate, One per agent: OAMAuthnCookie_host:port_random_number set by Webgate using the authentication token received from the OAM Server after successful authentication.

    Note: A valid OAMAuthnCookie is required for a session.

  • 11g Webgate, Transient: OAM_REQ is scoped to the OAM Server. OAM_REQ is set or cleared by the OAM Server if the Authentication request context cookie is enabled. Protected with keys known to the OAM Server only. This cookie is configured as a high availability option to store the state about the user's original request to a protected resource while his credentials are collected and authentication is performed.

  • 10g Webgate: One ObSSOCookie for all 10g Webgates.

  • One for the OAM Server: OAM_ID, which is scoped to the OAM Server. OAM_ID is generated by the OAM Server when the user is challenged for credentials and submitted to the server on every redirect to the server.

See Understanding Single Sign-On with Access Manager.

Centralized log-out

See Configuring Centralized Logout for Sessions Involving 11g WebGates.

Case Insensitive Policy Resource Matching

An optional setting is available to enable case insensitive policy resource matching. This is a global setting and both entries must be added to the oam-config.xml file under Policy Service > OAMPolicy Provider > properties:

<Setting Name = “UseCaseInsensitiveResourceMatch” Type = “xsd:boolean”>true</Setting>

<Setting Name = “USE_CASE_INSENSITIVE_RESOURCE_MATCH” Type = “xsd:boolean”>true</Setting>

1.3.2 Features Not In Access Manager

Features provided in Access Manager 10g but not included in Access Manager 11.1.2 are as follows:
  • Extensibility framework required for building custom authorization plug-in.

  • Authorization for mod_osso-protected resources.