25.3 Understanding Application Domain and Policy Management

Whether you create an Application Domain manually or you accept automatic policy generation when registering an Agent, the elements of an Application Domain are the same. All policies and Application Domains are managed using the Oracle Access Management Console.

For details, see the following topics:

25.3.1 Application Domain Pages

Regardless of the method you choose to create an Application Domain, a unique name is required to be used as an identifier. When you click Application Domains, a Search page is displayed. The Create Application Domain button in the upper-right corner enables you to start a fresh domain definition. Otherwise, enter a name (or leave the Name field blank) and click the Search button to list existing Application Domains.

Figure 25-1 shows the Application Domains Search page, its controls, and the Search Results table with its own toolbar.

Figure 25-1 Application Domains Search Page


25.3.2 Application Domain Summary Page

When you click the name of an Application Domain in the Search results, the Name, an optional description and Policy Ordering configuration are displayed on the Summary tab.

Other information is organized in the following tabs.

  • Resources

  • Authentication Policies

  • Authorization Policies

  • Token Issuance Policies

  • Administration

Figure 25-2 is a screenshot of a typical Application Domain page. In a generated Application Domain, the Name and Description are populated as shown. When you create an Application Domain manually, the Description is entered by the Administrator.

Figure 25-2 Example Application Domain Summary Page


25.3.3 Resource Container in an Application Domain

The Resources tab in the Application Domain represents the container for all resource definitions in that domain. When the Resources tab is clicked and displayed, the Search controls are available to help you find specific definitions quickly.

Figure 25-3 illustrates Search controls that you can use to refine your resource definition search. There is also a New Resource button in the upper-right corner. The Search Results table provides key information about each definition found.

Figure 25-3 Search Results for Resources in an Application Domain


The default Resource Type is HTTP; the default Resource URL is /**. With HTTP resource definitions you can also search on a query string defined for that resource. The query string can be only the Base URL and can include optional pattern-matching special characters to represent a set of URLs. In this generated domain, the Host Identifier matches the name of the HTTP agent that was registered. Basic information about the policies is also provided.

25.3.4 Authentication Policy Pages

The Authentication Policies tab provides access to defined or generated policies with no search controls needed.

When an Administrator creates an Application Domain manually, she must also manually create all policies. In a generated Application Domain, two Authentication policies are created automatically, as shown in Figure 25-5:

  • Authentication Policy: Protected Resource Policy

  • Authentication Policy: Public Resource Policy

Figure 25-4 Authentication Policies Tab


Authentication policies are local, which means that each policy applies only to the resources specified for the policy. Each resource can be protected by only a single authentication policy.

Figure 25-5 shows the Protected Resource Policy and the columns of information displayed automatically on the policy's Resources tab. The Responses tab is available.

Figure 25-5 Authentication Policy Page: Resources and Responses


Note:

Initially, all resources are protected. Success and Failure URLs and Responses must be added manually; no default values are supplied.

A description is provided during automatic generation:

"Policy set during domain creation. Add resources to this policy to protect them." 

This generated policy uses the LDAPScheme as the authentication scheme. However, the optional elements of the policy are not yet defined.

Protected Resources are identified on the Resources tab as HostIdentifier/**.

Note:

Administrators can change the authentication scheme, specify Success and Failure URLs, add other resources, and define SSO Responses.

Public Resource Policy: A second authentication policy is also generated automatically. This policy uses AnonymousScheme as the default scheme for authentication, which allows anyone access.

Initially, this Public Resource Policy does not include or serve any Resources. The Description tells Administrators what is needed:

"Policy set during domain creation. Add resources to this policy to allow anyone access."

25.3.5 Authorization Policy Pages

The Authorization Policies tab provides access to defined or generated policies with no search controls needed.

In a generated Application Domain, two Authorization policies are created automatically; however, each resource can be protected by only a single authorization policy:

  • Protected Resource Policy

  • Public Resource Policy

The Authorization Policy tab is shown in Figure 25-7. From this tab, you can select a policy to edit or create a new policy.

Figure 25-6 Authorization Policies Page


The Authorization Policy page is shown in Figure 25-7. It provides several tabs where you can define the various components of this Authorization policy. Initially, all resources are protected and access is denied. Success and Failure URLs, Conditions, Rules, and Responses must be added manually (no defaults are supplied).

Figure 25-7 Individual Authorization Policy Page


The Authorization Policy Resources tab is shown in Figure 25-8. You use this page to add (or remove) resources for this policy.

Figure 25-8 Individual Authorization Policy Resources tab


Administrators can also define Conditions, Rules, and Responses for this policy. None are generated automatically.
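
The rule that each resource can be protected by only a single authentication policy (25.3.4) and only a single authorization policy (25.3.5) can be checked over an inventory of a domain's policies. The following is an added example, not Oracle code: the dictionary layout and the /app/login, /static/** and /reports/** resources are constructed for illustration and are not an Oracle Access Management export format or API.

```python
# Added example: constructed data model, not an OAM export format or API.
from collections import defaultdict

# Constructed sample: the two generated policies of each type, plus three
# hypothetical resources an administrator added after domain generation.
DOMAIN = {
    "resources": ["/**", "/app/login", "/static/**", "/reports/**"],
    "authn_policies": {
        "Protected Resource Policy": {"scheme": "LDAPScheme",
                                      "resources": ["/**", "/app/login"]},
        "Public Resource Policy": {"scheme": "AnonymousScheme",
                                   "resources": ["/static/**", "/app/login"]},
    },
    "authz_policies": {
        "Protected Resource Policy": {"resources": ["/**"]},
        "Public Resource Policy": {"resources": ["/static/**"]},
    },
}

def assignments(policies):
    """Map each resource to the names of the policies that list it."""
    owners = defaultdict(list)
    for name, policy in policies.items():
        for resource in policy["resources"]:
            owners[resource].append(name)
    return owners

def audit(domain):
    """Return sorted (resource, finding) pairs for an administrator to review."""
    findings = []
    authn = assignments(domain["authn_policies"])
    authz = assignments(domain["authz_policies"])
    for resource in domain["resources"]:
        for kind, owners in (("authentication", authn), ("authorization", authz)):
            names = owners.get(resource, [])
            if len(names) > 1:   # violates the single-policy rule
                findings.append((resource, f"multiple {kind} policies: {sorted(names)}"))
            elif not names:      # defined in the container, listed by no policy
                findings.append((resource, f"no {kind} policy"))
        for name in authn.get(resource, []):
            if domain["authn_policies"][name]["scheme"] == "AnonymousScheme":
                findings.append((resource, f"anonymous access via {name}"))
    return sorted(findings)

if __name__ == "__main__":
    for resource, finding in audit(DOMAIN):
        print(f"{resource}: {finding}")
```
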

25.3.6 Token Issuance Policy Pages

By default, only a container for Token Issuance Policies is provided in a generated Application Domain. Any Resources, Conditions, Rules, and Responses must be added manually.

Figure 25-9 Token Issuance Policies Page


For specific information on this policy type, see: