Oracle Access Management 220.127.116.11.0 provides new functions and enhancements outlined in the following topics.
The following information has been added or updated:
Chapter 1: Added "System Requirements and Certification".
Chapter 2: Removal (redundant) has altered chapter numbers.
Chapter 3: Moved password policy, refocused for ECC, into Chapter 16 with other authentication details.
Chapter 6: Added descriptions of loggers to:
Chapter 12: Re-focused for 11g OAM Agents (WebGates and Access Clients).
Combined console and remote registration for 11g OAM Agents.
Moved Configuring 11g WebGate and Authentication Policy for DCC to chapter 20.
Chapter 16: Relocated authentication details with other shared policy components:
Combined console and remote registration for 11g OAM Agents.
Refocused and moved from chapter 3: "Managing Global Password Policy"
Moved "Configuring 11g WebGate and Authentication Policy for DCC" from chapter 3.
Chapter 20: Relocated OpenSSO Agent registration and management details here.
Chapter 20: Relocated OSSO Agent registration and management details here.
Chapter 22: Expanded 10g OAM Agent details to include console and remote registration updates, and logout with Access Manager.
Appendix A: Relocated to the relevant logout configuration details.
This book has been updated to address reported issues. Global updates include cosmetic changes and updated screens.
Several previously separate access products of the Oracle Identity Management portfolio are combined into one product: Oracle Access Management.
The Access Tester can validate the connections in the pool and send cache flush (SYNC_INFO) requests over a connection that is already established, instead of using an out-of-band connection for cache flush requests.
Authorization conditions enable you to implement dynamic security policies and have resulted in changes to the Policy Configuration interface in the Oracle Access Management Console:
Authorization Conditions: The earlier constraint class is renamed Condition Type. Conditions contain no Allow or Deny specification; instead, new Rules specify Allow or Deny access options.
A new condition type: Attribute.
The Implied Constraints option in policies is replaced; you now create particular condition types by instantiating them and selecting rules.
Standard Authentication Modules (LDAP, Kerberos, and X509) are targeted for deprecation in future releases. Oracle strongly recommends using native or custom Plug-ins rather than standard Authentication Modules.
See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management if you want to create custom authentication plug-ins.
Detached credential collection is an additional capability of the 11g WebGate (OAM Agent). It is required for secure dynamic multi-factor/multi-step authentication. You can enable the 11g WebGate to act as a DCC, or continue using the embedded credential collector (ECC) in the OAM Server.
Multi-factor authentication requires a custom authentication plug-in to transmit information to the back-end authentication scheme several times during the login process. All information collected by the plug-in and saved in the context is available to the plug-in throughout the authentication process. Context data can also be used to set cookies or headers in the user's login page.
Identity Context leverages the context-aware policy management and authorization capabilities built into the Oracle Access Management platform. Identity Context secures access to resources using traditional security controls (roles and groups) as well as dynamic data established during authentication and authorization (strength, risk levels, device trust, and so on).
Details of integrating Access Manager with third-party products have moved from the earlier to this book. The following integrations are supported:
Access Manager authorization conditions accept a list of users, groups, and LDAP search filters as part of allowed or denied identities. LDAP search filters provide a simple way of specifying a target identity population without having to reorganize or create new groups in the identity store (directory server). This brings Access Manager 11g to parity with Oracle Access Manager 10g.
Access Manager supports personal identity verification (PIV) cards (a United States Federal smart card) by using the FASC-N and EDIPI attributes from the SubjectAltName extension to map the user during X.509 authentication. While multiple OCSP providers are not supported, you can use an OCSP Gateway or write a custom authentication plug-in that uses the OSDT OCSP APIs to validate against multiple OCSP providers.
Mobile and Social serves as an intermediary between a user seeking to access protected resources and the back-end Oracle Access Management and Oracle Identity Management services that protect those resources. The pluggable architecture of Mobile and Social services enables Administrators to add, modify, and remove Identity and Access Management services without having to update user-installed software.
Administrators can install multiple user identity stores for Access Manager. Each identity store can rely on a different LDAP provider. Each authentication module (or plug-in within an authentication step) can be configured to use a specific user identity store.
Access Manager supports Web and Java Agents deployed on Web or J2EE containers. Each OpenSSO Agent is a filter that is plugged into the container (Oracle WebLogic Server, JBoss, Apache, and so on) that hosts applications.
Access Manager provides an OpenSSO Proxy to handle requests for resources protected by OpenSSO Agents. The Oracle-provided OpenSSO Proxy facilitates single sign-on to OpenSSO Agent-protected applications by enabling communication between the agent and the OAM Server.
Access Manager enables password policy management through the Oracle Access Management Console. The global password policy applies to Access Manager users when the Password Policy Validation Module is implemented. The password policy is stored within the policy store and applies to all resources protected by Access Manager.
The Policy Model supports Query String Name and Value Parameters in a Resource Pattern Definition:
A TokenServiceRP type resource represents resources for, and is based on, the Token Service Relying Party (required for non-browser clients such as Identity Connect).
supports programmatic RESTful services.
Custom Access Clients developed using the Access Manager 11g Access Software Developer Kit support the 11g Shared Secret Key Per Agent (WebGate or Access Client) security feature. Each agent has its own secret key that is shared between the Access Client and the OAM Server to encrypt or decrypt the host-based Access-Client-specific OAMAuthnCookie. Even if one Access Client is compromised, the impact is limited to that particular Access Client; no other Access Clients are affected.
There is no impact to existing 10g ASDK users. Oblix class wrappers can be modified to create Access Client instances in 10g mode transparently. However, to operate in 11g-compatible mode, the Oracle Java APIs should be used.
Access Manager 11g Pure Java ASDK provides both Oracle Java APIs (in oracle.security.am.asdk packages) and Oblix Java APIs (in com.oblix.access packages). Access Manager 11g Pure Java Access Clients:
Communicate with OAM Servers using Oracle Java APIs and either Oracle Access Protocol version 3 or version 4 (which supports the Shared Secret Key Per WebGate security feature)
Communicate with 10g Servers using Oblix Java APIs and Oracle Access Protocol version 3 only (with no support for SSKPA)
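The containment property of the Shared Secret Key Per Agent feature described above, modelled as an added example that is not Oracle's code: each agent gets its own key derived from a server-held master secret, cookies are bound to that key, and a key leaked from one agent neither reads nor forges cookies for another. The agent IDs are hypothetical, and an HMAC-authenticated cookie stands in for the OAMAuthnCookie encryption that the real product performs.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example: a master secret that only the server holds.
MASTER_SECRET = secrets.token_bytes(32)


def agent_key(master: bytes, agent_id: str) -> bytes:
    """Derive one key per registered agent (HKDF-Expand style, single
    HMAC-SHA256 block) so that one agent's key says nothing about another's."""
    info = b"OAMAuthnCookie-key:" + agent_id.encode()
    return hmac.new(master, info + b"\x01", hashlib.sha256).digest()


def mint_cookie(key: bytes, claims: dict) -> str:
    """Bind a claims payload to a specific agent key with an HMAC tag."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(key: bytes, cookie: str):
    """Return the claims if the tag matches this agent's key, else None."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def blast_radius_demo() -> dict:
    """Hypothetical agents: the key of webgate-hr is assumed compromised."""
    k_hr = agent_key(MASTER_SECRET, "webgate-hr")
    k_fin = agent_key(MASTER_SECRET, "webgate-finance")
    cookie_fin = mint_cookie(k_fin, {"sub": "alice", "agent": "webgate-finance"})
    forged = mint_cookie(k_hr, {"sub": "mallory", "agent": "webgate-finance"})
    return {
        "own_agent_ok": verify_cookie(k_fin, cookie_fin) is not None,
        "other_agent_rejected": verify_cookie(k_hr, cookie_fin) is None,
        "forged_for_other_rejected": verify_cookie(k_fin, forged) is None,
    }
```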
A Token Issuance Policy is required for Mobile and Social clients performing authentication and authorization.
See Managing Oracle Access Management Mobile and Social for details about the Mobile and Social Authentication Service.
A survey of topics is provided to help tune a deployed environment to ensure optimal performance and stability.
11g WebGate works with browser clients. However, there are cases where a non-browser (Representational State Transfer, or REST) client needs to access HTTP resources and perform authentication and authorization.