23.4 Overview of the SSO Login Process with OSSO Agents (mod_osso) and ECC

SSO login processing with registered OSSSO Agents (mod_osso) is similar to login processing with WebGates. However, mod_osso provides only authentication using Access Manager 11g authentication policies.


mod_osso does not support authorization either on its own or using Access Manager 11g policies.

Figure 23-4 illustrates the login processing with mod_osso and Access Manager 11g.

Figure 23-4 SSO Login Processing with OSSO Agents and ECC

Description of Figure 23-4 follows
Description of "Figure 23-4 SSO Login Processing with OSSO Agents and ECC"

Process overview: SSO Log-in Processing with OSSO Agents and ECC

  1. The user requests a resource.

  2. mod_osso forwards the request to Access Manager for policy evaluation.

  3. Access Manager:

    • Checks for the existence of an SSO cookie.

    • Checks policies to determine if the resource protected and if so, how?

  4. OAM Server logs and returns decisions.

  5. mod_osso responds as follows:

    1. Unprotected Resource: Resource is served to the user.

    2. Protected Resource:

      Request is redirected to the credential collector.

      The login form is served based on the authentication policy.

      Authentication processing begins

  6. User sends credentials.

  7. ECC verifies credentials.

  8. Access Manager starts the session, passes an authentication token to the application, and creates the following cookies:

    • One per partner: OHS_host_port

    • One for the OAM Server: OAM_ID

    • Global Inactivity Out: A domain-level cookie GITO, described in mod_osso Cookies.

  9. Access Manager logs Success or Failure.

  10. Credential collector redirects to mod_osso, which transmits the simple header values that applications can use to authorize the user.

  11. Resource is served upon authentication success and the OHS-host-port cookie is set.