23.1 Overview of Access Manager Credential Collection

Access Manager provides two mechanisms for credential collection during authentication processing.

  • The default Embedded Credential Collector (ECC) is installed with the Access Manager Server and can be used as-is with no additional installation or set up steps (except the global password policy configuration described in "Managing Global Password Policy").

    The mechanism that redirects the user from the Policy Enforcement Point to the Credential Collector is a proprietary front channel protocol over HTTP. This protocol currently provides a context of the request and the authentication response on the query string.

  • The OAM WebGate provides a single switch for the optional Detached Credential Collector (DCC). The DCC provides network isolation for greater security in production deployments, and is required for some forms of authentication.

For a detailed comparison of the two mechanisms for credential collection, see Understanding Authentication Methods and Credential Collectors.


Although the DCC is the recommended approach for credential collection, instructions in this book presume you are using the ECC unless explicitly stated.

Single Sign On login processing determines whether the user is a valid user and whether the session state is active or inactive (either a first time user or the user session has expired). Session management support locates, persists, and cleans up the session context and user token. Details are in the following sections.

23.1.1 Overview of the Login process with Self-Service Provisioning Applications

Provisioning does not create the session in Access Manager. When a new user uses a self-service provisioning application to create an account, he is prompted for his userID and password again when accessing an application.

The protected application is directed to Access Manager 11g, which requests the user's credentials. For example, if Oracle Identity Manager is protected by Access Manager, the user request is redirected to Access Manager from which a request to enter credentials is made.


Success and failure results are the same as described in "Overview of the Login Process with Access Manager-Protected Resources".

23.1.2 Overview of the Login Process with Access Manager-Protected Resources

The first time a user attempts to access a protected resource, she is prompted for her credentials based on the authentication scheme and authentication level for the resource. Typically a userID and password are needed.

Failure: Authentication fails if the wrong userID or password is entered. The user is not authenticated and another prompt for credentials appears.

With Oracle Access Manager 11.1.1, only the ECC in the OAM server was available. Access Manager 11.1.2 supports the ECC by default. However, Access Manager also enables you to configure an 11g WebGate to use as a detached credential collector (DCC). A DCC-enabled WebGate can be separate from (or combined with) a Resource WebGates.

Both the ECC and DCC provide an authentication flow that includes form login, error, and login retries. They provide SecurID and server affinity as well as password policy enforcement and a dynamic, multi-step, iterative, and variable (multi-step authentication) where the credentials are not supplied all at one time. A customizable authentication flow can include authentication plug-ins with contracts between the plug-in, OAM Proxy, and Credential Collector; a contract between the plug-in and login application; and between the Credential Collector and login application.

When deciding whether to use one credential collector or both, consider:

  • Co-existence: Allowing both the ECC and DCC to co-exist enables you to use authentication schemes and policies configured for either the ECC or the DCC. This enables a fallback mechanism for resources that rely on the ECC ( Oracle Access Management Console, for instance).

  • Disabling ECC: Disabling the ECC entirely prohibits access to resources that rely on the ECC mechanism ( Oracle Access Management Console, for instance).

Table 23-1 provides links to more information.

Table 23-1 Login Processing with Access Manager-Protected Resources

Login Processing Topic See

With OAM Agents and ECC

"Overview of the SSO Login Process with OAM Agents and ECC"

With OAM Agents and DCC

"Overview of the SSO Login Process with OAM Agents and DCC"

With OSSO Agents and ECC

"Overview of the SSO Login Process with OSSO Agents (mod_osso) and ECC"

With Other Agents or Mixed Agent Types

Mixed agent types are supported. Processing is the same for each agent type. For other agent types, see:

Login and Auto Login for Applications Using Oracle ADF Security

Oracle Platform Security Services (OPSS) comprise Oracle WebLogic Server's internal security framework. On the Oracle WebLogic Server, you can run a Web application that uses Oracles Application Development Framework (Oracle ADF) security, integrates with Access Manager 11g SSO, and uses OPSS SSO for user authentication.

For more information, see Integrating Oracle ADF Applications with Access Manager SSO.