22.11 Configuring Challenge Parameters for Encrypted Cookies

OAM provides challenge parameters that you can use within any authentication scheme to control the flags (Secure, httponly, max-age) that Webgates set on the encrypted cookies.

22.11.1 Challenge Parameters for Encrypted Cookies

In addition to the OAM Server cookie (OAM_ID), Access Manager implements single sign-on through an encrypted cookie set by the Webgate:

  • 11g Webgate: one cookie per agent, OAMAuthnCookie_<host:port>_<random number>, set by the Webgate using the authentication token it receives from the OAM Server after successful authentication.

    Note: A valid OAMAuthnCookie is required for a session.

  • 10g Webgate: one ObSSOCookie shared by all 10g Webgates.

Access Manager provides the ssoCookie challenge parameter that you can use within any authentication scheme to control how Webgates set the flags of the encrypted cookie. For example:

  • Securing Encrypted Cookie: Ensures that the encrypted cookie is sent only over an SSL connection and prevents the encrypted cookie from being sent back to a non-secure Web server.

  • Persisting Encrypted Cookie: Allows the user to remain logged in for a set period rather than only for a single browser session. Persistent cookie functionality works with Internet Explorer and Mozilla browsers.

Note:

The value of the challenge parameter is not case sensitive. The syntax is the same regardless of your Webgate release. A single value is specified after the equal sign (=):

ssoCookie=value

Multiple values must be separated by a semicolon (;). For example:

ssoCookie=value1;value2;...

  • For detached credential collector-enabled Webgates, set these parameters directly in the agent registration page (Table 15-2).

  • For non-DCC agents (Resource Webgates), these parameters are configured through Authentication Scheme challenge parameters (Table 22-30).

Table 22-30 describes specific challenge parameters that control how Webgates set encrypted cookie flags for single sign-on.

Table 22-30 Challenge Parameters for 10g/11g Encrypted Cookies

Parameter: ssoCookie=
  Controls the flags of the SSO cookie OAMAuthnCookie (ObSSOCookie for 10g Webgates).

Parameter: miscCookies=
  Controls the flags of all other Access Manager encrypted cookies.

Value: Secure
  Syntax:  ssoCookie=Secure
           miscCookies=Secure
  Ensures that the encrypted cookie is sent only when the resource is accessed through HTTPS; the browser never returns it to a plain-HTTP server. The flag has an effect only when the browser reaches the server over HTTPS.

Value: disableSecure
  Syntax:  ssoCookie=disableSecure
           miscCookies=disableSecure
  Explicitly disables the Secure flag, so the browser also sends the encrypted cookie over plain HTTP connections to the same host.

Value: httponly
  Syntax:  ssoCookie=httponly
           miscCookies=httponly
  Enabled by default for the 11g Webgate SSO cookie (OAMAuthnCookie) and the miscellaneous cookies. The browser withholds an HttpOnly cookie from client-side script.

Value: disablehttponly
  Syntax:  ssoCookie=disablehttponly
           miscCookies=disablehttponly
  Explicitly disables httponly, making the encrypted cookies readable by client-side scripts (and therefore by any script injected into a protected application).

Value: max-age=time-in-seconds
  Syntax:  ssoCookie=max-age=time-in-seconds
  Creates a persistent cookie rather than one that lasts for a single browser session, and sets the interval, in seconds, after which the cookie expires. The session then survives browser restarts until that interval elapses.

  For example, to set the cookie to expire in 30 days (2592000 seconds):

  max-age=2592000

22.11.2 Configuring Challenge Parameters for Security of Encrypted Cookies

The challenge parameter is not case sensitive.

  1. Create an authentication scheme.
  2. In the Challenge Parameter field, enter your specification for the desired encrypted cookies (Table 22-30).
  3. Confirm that the OAM Servers and clients (OAM Agents) are communicating securely across the Oracle Access Protocol channel, as described in Securing Communication.

22.11.3 Setting Challenge Parameters for Persistence of Encrypted Cookies

The challenge parameter is not case sensitive.

  1. Define an authentication scheme.
  2. In the challenge parameter for this scheme, add the following (Table 22-30):

    Webgate: ssoCookie=max-age=time-in-seconds
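The challenge-parameter syntax of Table 22-30 and the confirmation step of the two procedures above, worked as an added Python example (not code from Oracle Access Manager or its documentation): parse_challenge_param models the ssoCookie and miscCookies values, case-insensitively, and audit_response checks the Set-Cookie headers a Webgate returns against what the parameters ask for. The sample response headers, the JSESSIONID cookie, the rule that other OAM-prefixed cookies fall under miscCookies, and the treatment of conflicting values (Secure with disableSecure) as a configuration error are assumptions of the example, not behaviour the page documents.

```python
"""Model OAM ssoCookie / miscCookies challenge parameters and audit the cookies a Webgate sets.

Added example; not code from the OAM product or its documentation. Cookie names other than
OAMAuthnCookie_* and ObSSOCookie, and the sample response headers, are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CookieFlags:
    """Flags requested by one challenge parameter. None means 'not specified'."""
    secure: Optional[bool] = None
    httponly: Optional[bool] = None
    max_age: Optional[int] = None   # seconds; None = session cookie


def parse_challenge_param(spec: str) -> CookieFlags:
    """Parse 'ssoCookie=value1;value2;...' or 'miscCookies=...' (values are not case sensitive).

    Conflicting values raise ValueError: the page does not say how Webgate resolves them, so
    treating them as a configuration error is an assumption of this example. max-age is
    accepted for ssoCookie only, the only form Table 22-30 documents.
    """
    name, sep, values = spec.partition("=")
    param = name.strip().lower()
    if not sep or param not in ("ssocookie", "misccookies"):
        raise ValueError(f"unrecognised challenge parameter: {spec!r}")
    flags = CookieFlags()
    for raw in values.split(";"):
        value = raw.strip().lower()
        if not value:
            continue                      # tolerate a trailing ';'
        if value in ("secure", "disablesecure"):
            want = value == "secure"
            if flags.secure is not None and flags.secure != want:
                raise ValueError(f"conflicting Secure values in {spec!r}")
            flags.secure = want
        elif value in ("httponly", "disablehttponly"):
            want = value == "httponly"
            if flags.httponly is not None and flags.httponly != want:
                raise ValueError(f"conflicting httponly values in {spec!r}")
            flags.httponly = want
        elif value.startswith("max-age=") and param == "ssocookie":
            seconds = value[len("max-age="):]
            if not seconds.isdigit() or int(seconds) == 0:
                raise ValueError(f"max-age must be a positive number of seconds: {raw.strip()!r}")
            flags.max_age = int(seconds)
        else:
            raise ValueError(f"unsupported value {raw.strip()!r} for {name.strip()}")
    return flags


def cookie_class(name: str) -> Optional[str]:
    """'sso' for the SSO cookies named in 22.11.1, 'misc' for other OAM-prefixed cookies, else None.

    Assumption of this example: every other Access Manager cookie name starts with 'OAM'.
    """
    if name.startswith("OAMAuthnCookie_") or name == "ObSSOCookie":
        return "sso"
    if name.startswith("OAM"):
        return "misc"
    return None


def audit_set_cookie(header_value: str, expected: CookieFlags) -> List[str]:
    """Compare one Set-Cookie value against the requested flags; return a list of findings."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for attr in parts[1:]:                # parts[0] is name=value
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if expected.secure and "secure" not in attrs:
        findings.append("Secure missing: browser will also send the cookie over plain HTTP")
    if expected.secure is False and "secure" in attrs:
        findings.append("Secure present although disableSecure was requested")
    if expected.httponly and "httponly" not in attrs:
        findings.append("HttpOnly missing: cookie is readable by client-side script")
    if expected.max_age is not None:
        got = attrs.get("max-age")
        if got is None:
            findings.append("Max-Age missing: cookie is a session cookie, not persistent")
        elif got != str(expected.max_age):
            findings.append(f"Max-Age is {got}, expected {expected.max_age}")
    elif "max-age" in attrs or "expires" in attrs:
        findings.append("persistent cookie although no max-age was requested")
    return findings


def audit_response(headers: List[str], sso: CookieFlags, misc: CookieFlags) -> Dict[str, List[str]]:
    """Audit every Access Manager Set-Cookie header in a response; keys are cookie names."""
    report: Dict[str, List[str]] = {}
    for line in headers:
        hname, _, hval = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        hval = hval.strip()
        cookie_name = hval.split("=", 1)[0].strip()
        kind = cookie_class(cookie_name)
        if kind is None:
            continue                      # not an Access Manager cookie
        report[cookie_name] = audit_set_cookie(hval, sso if kind == "sso" else misc)
    return report


# Constructed sample: the kind of redirect a Webgate returns after login. Not a real capture.
SAMPLE_HEADERS = [
    "HTTP/1.1 302 Found",
    "Location: https://app.example.com/protected/",
    "Set-Cookie: OAMAuthnCookie_app.example.com:443_123456=<encrypted-token>; path=/; Secure; HttpOnly",
    "Set-Cookie: ObSSOCookie=<encrypted-token>; path=/; domain=.example.com; HttpOnly",
    "Set-Cookie: JSESSIONID=abc123; path=/",
]

if __name__ == "__main__":
    sso = parse_challenge_param("ssoCookie=Secure;httponly;max-age=2592000")   # 30 days
    misc = parse_challenge_param("miscCookies=Secure;httponly")
    for cookie, findings in audit_response(SAMPLE_HEADERS, sso, misc).items():
        print(cookie, "OK" if not findings else findings)
```

Run against a real login redirect, feed the response headers (for example from a browser's network panel or a curl -i capture) into audit_response in place of SAMPLE_HEADERS; an empty findings list for each OAM cookie confirms that the challenge parameters took effect, which is the check step 3 of 22.11.2 leaves to you.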