53.6 Configuring OAM Session Synchronization

The OAM User session synchronization feature prevents multiple OAM sessions from being created by a mobile user.

The initial OAM session is created during the 3-legged Mobile scenario when the authorization code is created (provided that the OAuth consent UI pages are protected by OAM). This session is stored in the device keystore and used for subsequent OAM token requests for as long as the session is valid.

A one-time Authorization Policy change in Oracle Access Management is required for OAM session synchronization to work. The following steps configure OAM to send Session ID values to OAuth Services. Once configured, OAM session synchronization will always be used for mobile authorization requests when using OAM protection (as opposed to Mobile and Social protection) for the authorization endpoint.


OAM Session Synchronization requires a WebGate protecting the OAuth Services consent UI pages. See Configuring a WebGate to Protect OAuth Services for details.

  1. In the Oracle Access Management console, click Application Security at the top of the window.
  2. Under Access Manager, click Application Domains.
  3. Under Search Application Domains, enter the name of the target WebGate domain (or enter a partial name and wild card, *, or leave the field blank to retrieve all domains). For example:
  4. Click Search.
  5. In the Search Results section, highlight the WebGate domain and click Edit.
  6. Click the Authorization Policies tab.
  7. In the policies table, click Protected Resource Policy to open it for editing.
  8. Click the Responses tab.
  9. Click Add.
  10. Enter the following values in the Add Response dialog:
    • Type - choose Header from the menu.

    • Name - Enter any name, for example: mysession.

    • Value - Enter: ${session.id}

    Click Add.

  11. Click Apply.