SSO login processing with registered OSSSO Agents (mod_osso) is similar to login processing with WebGates. However, mod_osso provides only authentication using Access Manager 11g authentication policies.
mod_osso does not support authorization either on its own or using Access Manager 11g policies.
Figure 23-4 illustrates the login processing with mod_osso and Access Manager 11g.
Figure 23-4 SSO Login Processing with OSSO Agents and ECC
Process overview: SSO Log-in Processing with OSSO Agents and ECC
The user requests a resource.
mod_osso forwards the request to Access Manager for policy evaluation.
Checks for the existence of an SSO cookie.
Checks policies to determine if the resource protected and if so, how?
OAM Server logs and returns decisions.
mod_osso responds as follows:
Unprotected Resource: Resource is served to the user.
Request is redirected to the credential collector.
The login form is served based on the authentication policy.
Authentication processing begins
User sends credentials.
ECC verifies credentials.
Access Manager starts the session, passes an authentication token to the application, and creates the following cookies:
One per partner: OHS_host_port
One for the OAM Server: OAM_ID
Global Inactivity Out: A domain-level cookie GITO, described in mod_osso Cookies.
Access Manager logs Success or Failure.
Credential collector redirects to mod_osso, which transmits the simple header values that applications can use to authorize the user.
Resource is served upon authentication success and the OHS-host-port cookie is set.