The following topics provide an overview:
IAMSuiteAgent is a Java agent filter that is pre-registered with Access Manager 11.1.2 out of the box. This agent and the companion Application Domain are installed pre-configured with Access Manager.
The IAMSuiteAgent is a domain-wide agent:
Once Access Manager is deployed, the IAMSuiteAgent is installed on every server in the domain
Unless disabled, every request coming into the WebLogic Application Server is evaluated and processed by the IAMSuiteAgent
Certain IAMSuiteAgent configuration elements are available in the WebLogic Administration Console (in the Security Provider section) and others in the Oracle Access Management Console.
IAMSuiteAgent and related policies provide SSO protection for the IDM Administration Console, Oracle Identity Console, Oracle Access Management Console, and specific resources in the Identity Management domain.
You can replace the IAMSuiteAgent with a 10g WebGate to protect Oracle Identity Management Consoles and resources in the Identity Management domain, if you choose.
11g OAM Servers support 10g WebGates that are registered to operate with Access Manager 11.1.2.
Such WebGates may include:
Legacy 10g WebGates currently operating with Oracle Access Manager 10g.
Legacy 10g WebGates configured as the Identity Assertion Provider (IAP) for SSO (for applications using IAP WebLogic container-based security with Oracle Access Manager 10g, as described in Securing Applications with Oracle Platform Security Services).
Legacy 10g WebGates currently operating with Web Applications coded for Oracle ADF Security and the OPSS SSO Framework
You can register these agents to use Access Manager SSO using either the Oracle Access Management Console or the remote registration tool. After registration, 10g WebGates directly communicate with Access Manager through a Java-based OAM Proxy that acts as a bridge.
See Table 1-2.
The following topics outline the tasks that you must perform to set up an existing 10g WebGate to operate with Access Manager:
Task overview: Setting up a legacy 10g WebGate to operate with Access Manager:
Optional: Deploying Applications in a WebLogic Container
See Securing Applications with Oracle Platform Security Services.
You can install fresh 10g WebGates for use with Access Manager 11g. 10g WebGates are available for a number of Web server platforms.
After installation and registration, 10g WebGates directly communicate with Access Manager through a Java-based OAM proxy that acts as a bridge.
When installing fresh 10g WebGates for Access Manager, Oracle recommends that you use the latest WebGates. Oracle also recommends that you install multiple WebGates for failover and load balancing.
There are several differences between installing a 10g WebGate to operate in an 11g Access Manager deployment and installing the 10g WebGate in a 10g Oracle Access Manager deployment.
Table 30-1 outlines these differences.
Table 30-1 Installation Comparison with 10g WebGates
|10g WebGates in 11g Deployments||10g WebGates in 10g Deployments|
The following overview lists the topics that describe 10g WebGate installation and registration tasks for Access Manager 11g in detail.
You must complete all the following procedures for a successful operation with Access Manager 11g:
Registering a 10g WebGate:
Optional: Deploying Applications in a WebLogic Container.
See Securing Applications with Oracle Platform Security Services.
Logout is initiated when an application causes the invocation of the logout.html file configured for any registered 10g WebGate.
Generally speaking, during centralized logout with 10g WebGates, the SSO Engine receives a user-session-exists request. The Session Management Engine looks up the session and responds that the session exists. The SSO Engine sends a Clear Session request. The Session Management Engine clears the token and session context. The SSO Engine sends a Session Cleared response.
Clearing the user token and the session context clears the server-side state, which includes clearing the OAM_ID cookie set on the server side. When the agent is notified, the agent clears the client-side state of the application. For more information, see Configuring Centralized Logout for 10g WebGate with 11g OAM Servers.
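The logout sequence described above can be traced with a small model. This is an added example, not Oracle code: the class, method and message names are hypothetical, the token and cookie values are constructed, and the handling of a repeated logout is an assumption of the model.

```python
# Simplified model of the logout exchange; every class, method and
# message label here is hypothetical and not an Oracle API.
class SessionManagementEngine:
    def __init__(self):
        self.sessions = {}  # session id -> server-side state

    def create(self, sid, user):
        # Constructed sample values stand in for the token and OAM_ID cookie.
        self.sessions[sid] = {"user": user, "token": "tok-" + sid,
                              "OAM_ID": "oamid-" + sid}

    def exists(self, sid):
        return sid in self.sessions

    def clear(self, sid):
        # Drops the token and session context, OAM_ID included.
        self.sessions.pop(sid, None)

class Agent:
    """Stands in for a WebGate holding client-side application state."""
    def __init__(self):
        self.client_state = {}  # session id -> constructed app cookie

    def notify_logout(self, sid):
        self.client_state.pop(sid, None)

class SSOEngine:
    def __init__(self, sme, agents):
        self.sme, self.agents = sme, agents

    def logout(self, sid):
        trace = ["user-session-exists request"]
        if not self.sme.exists(sid):
            # Assumption of this model: a repeated logout stops here.
            return trace + ["session not found"]
        trace.extend(["session exists", "Clear Session request"])
        self.sme.clear(sid)              # server-side state goes first
        trace.append("Session Cleared response")
        for agent in self.agents:        # then each agent clears its side
            agent.notify_logout(sid)
        return trace

def demo():
    sme, agent = SessionManagementEngine(), Agent()
    sso = SSOEngine(sme, [agent])
    sme.create("s1", "alice"); sme.create("s2", "bob")
    agent.client_state.update({"s1": "app-cookie-1", "s2": "app-cookie-2"})
    return sso.logout("s1"), sso.logout("s1"), sme, agent
```

In the model, logging out session s1 leaves s2 intact on both the server and the agent, and a second logout of s1 finds no server-side session to clear.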