14.1 Introduction to Policy Enforcement Agents

An agent is a software plug-in that can be installed on a Web server (such as Oracle HTTP Server) where the application resides. To secure access to protected resources, a Web server, Application Server, or third-party application must be associated with an agent that is registered with Access Manager. To spare users from re-authenticating when accessing multiple resources, the application delegates the authentication function to the single sign-on (SSO) provider: Access Manager.

During agent registration, the application can be automatically registered and basic policies automatically generated. Alternatively, you can turn off automatic policy generation during Agent registration and manually create policies.

After registration, the Agent acts as a filter for HTTP/HTTPS requests, communicating between the OAM Server and its services. The Agent intercepts requests for resources protected by Access Manager and works with Access Manager to fulfill access requirements. The following sections introduce the types of agents.

• Agent Types and Runtime Processing for OAM Agents

• About 11g WebGate Configured as a Detached Credential Collector

• About 11g WebGate Functionality for Mobile and Social

• About the Pre-Registered 10g WebGate IAMSuiteAgent

14.1.1 Agent Types and Runtime Processing for OAM Agents

With Access Manager 11.1.2, each Agent acts as a filter for requests.

Your deployment can include the agent types described in Table 14-1, in any combination.

Table 14-1 Agent Types

Agent Type	Description
OAM Agents Note: Unless explicitly stated, the terms Webgate and Access Client are used interchangeably.	OAM Agents must be installed independently, following Oracle Access Management installation. After registering the agent with Access Manager, the agent communicates directly with registered OAM Servers and Access Manager services. OAM Agents communicate with Access Manager using the OAM Proxy to "sanitize" the request and respond identically for all agents. The following OAM Agents types are available: Webgate: An out of an box Web server access client that intercepts HTTP requests for Web resources and forwards these to the OAM Server. WebGates for various Web servers are shipped with Access Manager. 11g WebGates (Registering and Managing 10g WebGates with Access Manager 11g) provide: Oracle Universal Installer for platform Host-based cookie Individual WebGate OAMAuthnCookie_<host:port> Resource to Authorization Policy Authorization Result Webgate Authorization Caching Diagnostic page to tune parameters Capability to act as a detached credential collector See Also: "About 11g WebGate Functionality for Mobile and Social" "About 11g WebGate Configured as a Detached Credential Collector" Tuning Performance 10g WebGates provide: InstallShield and One installer per platform Domain-based cookie ObSSOCookie (one for all 10g WebGates) Web server configuration See Also: 10g Pre-registered IAMSuiteAgent in this table and Registering and Managing 10g WebGates with Access Manager 11g Custom, Programmatic Access Clients: Access Manager provides a pure Java software developer kit (SDK). Use this SDK to create custom Access Clients and extensions for Access Manager authentication and authorization functionality (and custom tokens). An Access Client processes requests for Web and non-Web resources (non-HTTP) from users or applications. See details in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management.
IAMSuiteAgent a Pre-registered OAM 10g Agent	This pre-registered 10g agent provides single sign-on functionality for the IAM suite of consoles. The IAM Suite Agent includes a companion Application Domain (IAMSuite) and basic policies that should not be modified. See Also: About the Pre-Registered 10g WebGate IAMSuiteAgent
Legacy OSSO Agents	mod_osso is part of the OracleAS 10g single sign-on (OSSO) solution that authenticates users at a central OSSO Server. The mod_osso module is an Oracle HTTP Server module that provides authentication to OracleAS applications. After registration with Access Manager, OSSO 10g Agents communicate directly with Access Manager 11g services through an OSSO proxy. The OSSO proxy supports existing OSSO agents when upgrading to Access Manager. The OSSO proxy handles requests from OSSO Agents and translates the OSSO protocol into a protocol for Access Manager 11g authentication services. Access Manager gives mod_osso the redirect URL for the user based on the authentication scheme associated with the OAM policy defined for the resource See Also: Registering and Managing Legacy OSSO Agents as well as the following topics:
Legacy OpenSSO Agents	Java Agents are deployed J2EE containers to work with the OpenSSO server. Web Agents can be deployed on any Web or Servlet container. Each OpenSSO Agent is a filter that is plugged into the container (Oracle WebLogic Server, JBoss, Apache, and so on) that hosts applications. Access Manager provides an OpenSSO Proxy to handle requests for resources protected by OpenSSO Agents: Scope can be Host- or Domain-based OpenSSO Agent key stored locally (Agent bootstrap file, Agent host) See Also: Registering and Managing Legacy OpenSSO Agents.

Table 14-2 introduces Access Manager features that support agent registration, configuration, management, and single-sign on. Links to topics providing more information are included.

Table 14-2 Agent Registration and SSO Support

Oracle Provides	Description
Oracle Access Management Console	Agent Registration, Configuration, Management. See Also: "Registering an OAM Agent Using the Console"
oamreg tool	Remote Agent Registration and Management See Also: "Acquiring and Setting Up the Remote Registration Tool".
SSO Implementations	Access Manager supports numerous SSO scenarios. See Also: "Access Manager Single Sign-On Components"
Protocols that secure information exchange on the Internet	This depends on the credential collector you choose. See Also: Table 22-5
Login and Logout Forms	The location of the login and logout forms depends on the credential collector. See Also: Table 22-5 and Configuring Centralized Logout for Sessions Involving 11g WebGates
Cryptographic keys	One key is generated and used per registered mod_osso or 11g Webgate. However, one single key is generated for all 10g Webgates. See Also: Table 1-2
Keys storage	Agent side: A per agent key is stored locally in the Oracle Secret Store in a wallet file. OAM Server side: A per agent key, and server key, are stored in the credential store on the server side.

Table 14-3 provides run time processing information for OAM Agents.

See Also:

"Understanding Credential Collection and Login"

Table 14-3 Run Time Processing Overview for Access Manager

Agent Type	Description
11g WebGates 11g Access Clients	After installation and registration, 11g WebGates communicate with Access Manager using the OAM Proxy to "sanitize" the request and respond identically for all agents. Process overview, Authentication Request without OAMAuthnCookie: When a request for a resource protected by Basic authentication scheme comes without an authorization header (credentials) WebGate redirects through the front channel to either Embedded or Detached Credential Collector (depending on scheme configuration) to collect credentials. Credential Collector collects user credentials based on the challenge method defined for the authentication scheme. User is authenticated; OAM Proxy (Embedded Collector) or Detached Collector itself (DCC) communicates with the OAM Server through the back channel protocol for the token and returns a response through the front channel with a token issued by the OAM Server. WebGate validates the response, extracts the authentication token issued by the OAM Server, and sets a token in OAMAuthnCookie. WebGate is redirected to the requested resource, with the newly set OAMAuthnCookie attached. WebGate validates the OAMAuthnCookie, performs authorization through the back channel, and serves the page when authorization is successful. Process overview, Basic Authentication: When a request for a resource protected by Basic authentication scheme comes without an authorization header (credentials) WebGate responds with WWW-Authenticate header containing the realm mentioned in the authentication scheme with status code 401(authorization required). Browser client interprets the WWW-Authenticate header and collects credentials from user. Browser client performs request again with authorization header containing credentials. See Also: "About 11g WebGate Configured as a Detached Credential Collector" "About 11g WebGate Functionality for Mobile and Social"
10g Webgates 10g Access Clients	After installation and registration, 10g WebGates communicate directly with Access Manager using the OAM proxy, which acts as a bridge. See Also: IAMSuiteAgent for details about this agent and Application Domain. Registering and Managing 10g WebGates with Access Manager 11g for details about registering legacy 10g WebGates with Access Manager. Integrating Oracle ADF Applications with Access Manager SSO for details about legacy 10g WebGates currently operating with Web Applications coded for Oracle ADF Security and the OPSS SSO Framework. Securing Applications with Oracle Platform Security Services for details about legacy 10g Webgates configured as the Identity Assertion Provider (IAP) for SSO (for applications using WebLogic container-based security with Access Manager 11g (or Oracle Access Manager 10g).
OpenSSO Agents	See Also: "Runtime Processing Between OpenSSO Agents and Access Manager".
OSSO Agent (mod_osso 10g)	See: "Understanding OSSO Agents with Access Manager".

14.1.2 About 11g WebGate Configured as a Detached Credential Collector

With Oracle Access Manager 11.1.1, the Embedded Credential Collector (ECC) is the default. The ECC was and is integrated with the OAM Server.

Access Manager 11.1.2 also supports the ECC by default. However, Access Manager 11.1.2 also enables you to configure an 11g WebGate to use a detached credential collector (DCC). The DCC is considered more secure when compared to the default ECC.

An 11g WebGate configured to act as a DCC is known as an Authenticating WebGate. WebGates that protect resources are known as Resource WebGates.

See Also:

"Configuring 11g WebGate and Authentication Policy for DCC"

14.1.3 About 11g WebGate Functionality for Mobile and Social

WebGates interact with the client to perform authentication and authorization; this involves redirection to collect credentials, set the cookie to hold the session, report errors, and so on. WebGates work with browser clients, which usually have all the support required for this interaction end to end.

However, there are cases where a non-browser client making REST calls directly needs to access resources and perform authentication and authorization. This use case can be addressed with Mobile and Social.

Mobile and Social support is enabled using two user-defined parameters within the WebGate agent registration page. Mobile and Social services use a programmatic non-browser client with Access Manager. For details, see the following documentation.

• Managing Oracle Access Management Mobile and Social

• Oracle Fusion Middleware Developer's Guide for Oracle Access Management

14.1.4 About the Pre-Registered 10g WebGate IAMSuiteAgent

The 10g WebGate and the companion Application Domain provides single sign-on functionality for the IDM Administration Console. IAMSuiteAgent is installed and pre-configured for this purpose as part of the initial OAM Server installation and configuration.

Oracle strongly recommends that you do not alter IAMSuiteAgent and the companion Application Domain. However, you can replace the IAMSuiteAgent with a fresh 10g WebGate. For details, see the following sections.

• "Replacing the IAMSuiteAgent with an 11g WebGate"

• "Configuring Centralized Logout for IAMSuiteAgent"

• "Bundled 10g IAMSuiteAgent Artifacts"