Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in Oracle Access Management?
Guide Changes: 11g Release 2 Patch Set 3 (11.1.2.3.0)
New Features in 11g Release 2 (11.1.2)
Product and Component Name Changes
Part I Introduction
1 Developing with Oracle Access Management Components
1.1 About Access Manager
1.2 About Mobile and Social
1.3 About Identity Federation
1.4 About Security Token Service
1.5 System Requirements and Certification
Part II Developing with Access Manager
2 Developing Access Clients
2.1 About Developing Access Clients
2.1.1 About the Access SDK and APIs
2.1.2 About Custom Access Clients
2.1.2.1 When to Create a Custom Access Client
2.1.2.2 Access Client Architecture
2.1.3 About Access Client Request Processing
2.2 Installing Access SDK
2.3 Developing Access Clients
2.3.1 Structure of an Access Client
2.3.2 Typical Access Client Execution Flow
2.3.3 Sample Code: Simple Access Client
2.3.4 Annotated Sample Code: Simple Access Client
2.3.5 Sample Code: Java Login Servlet
2.3.6 Annotated Sample Code: Java Login Servlet
2.3.7 Sample Code: Additional Methods
2.3.8 Annotated Sample Code: Additional Methods
2.3.9 Sample Code: Certificate-Based Authentication in Java
2.3.10 Sample Code: OAM_ID Cookie Creation Using ASDK
2.4 Generating Access SDK Logs
2.5 Building an Access Client Program
2.5.1 Setting the Development Environment
2.5.2 Compiling a New Access Client Program
2.6 Configuring and Deploying Access Clients
2.6.1 Configuration Requirements
2.6.2 Generating the Required Configuration Files
2.6.3 SSL Certificate and Key File Requirements
2.6.3.1 Simple Transport Security Mode
2.6.3.2 Cert Transport Security Mode
2.7 Compatibility: 11g versus 10g Access SDK and APIs
2.7.1 Compatibility of the 11g Access SDK
2.7.2 Compatibility of 10g JNI ASDK and 11g Access SDK
2.7.3 Deprecated: 10g JNI ASDK
2.8 Migrating or Converting 10g Applications
2.8.1 Migrating Your 10g ASDK Component To Work with 11g
2.8.1.1 Migrating the 10g ASDK Component in Simple Mode
2.8.1.2 Migrating the 10g ASDK Component in Cert Mode
2.8.2 Converting Your 10g Code
2.8.2.1 Initializing and Uninitializing Access SDK
2.8.2.2 Performing Access Operations
2.9 Best Practices
2.9.1 Avoiding Problems with Custom Access Clients
2.9.2 Identifying and Resolving Access Client Problems
2.9.3 Resolving Environment Problems
2.9.3.1 Java EE Containers
2.9.3.2 Oracle WebLogic Server
2.9.3.3 Other Application Servers
2.9.4 Tuning for High Load Environment
3 Developing Custom Authentication Plug-ins
3.1 Introduction to Authentication Plug-ins
3.1.1 About the Custom Plug-in Life Cycle
3.1.2 About Planning, the Authentication Model, and Plug-ins
3.1.2.1 About the Decision Engine Approach Process
3.1.2.2 About the Hard-Coded Approach Process
3.2 Introduction to Multi-Step Authentication Framework
3.2.1 About the Multi-Step Framework
3.2.2 Process Overview: Multi-Step Authentication
3.2.3 About the PAUSE State
3.2.4 About Information Collected
3.2.4.1 UserContextData
3.2.4.2 UserActionContext
3.2.4.3 UserAction
3.2.4.4 UserActionMetaData
3.3 Introduction to Plug-in Interfaces
3.3.1 About the Plug-in Interfaces
3.3.1.1 GenericPluginService
3.3.1.2 AuthnPluginService
3.3.2 About Plug-in Hierarchies
3.4 Sample Code: Custom Database User Authentication Plug-in
3.4.1 Sample Code: Database User Authentication Plug-in
3.4.2 Sample Plug-in Configuration Metadata Requirements
3.4.3 Sample Manifest File for the Plug-in
3.4.4 Plug-in JAR File Structure
3.5 Developing an Authentication Plug-in
3.5.1 About Writing a Custom Authentication Plug-in
3.5.2 Writing a Custom Authentication Plug-in
3.5.3 Error Codes in an Authentication Plug-In
3.5.4 JAR Files Required for Compiling a Custom Authentication Plug-in
4 Developing Custom Pages
4.1 Introducing the Custom Pages Framework
4.1.1 Returning the OAM_REQ Token
4.1.2 Returning the End Point
4.2 Authenticating with Custom Pages
4.2.1 Using mod_osso Agent
4.2.1.1 OSSO 10g
4.2.1.2 11g OAM Server
4.2.1.3 Process Overview: Developing Programmatic Clients
4.2.2 Using Unsolicited Post
4.2.3 Using Unsolicited Login With DCC WebGates
4.2.4 Setting Custom OSSO Cookies After Authentication
4.3 Understanding Custom Login Pages
4.3.1 Creating a Form-Based Login Page
4.3.2 Page Redirection Process
4.4 Understanding Custom Error Pages
4.4.1 Enabling Error Page Customization
4.4.2 Standard Error Codes
4.4.3 Security Level Configuration
4.4.4 Secondary Error Message Propagation
4.4.5 Sample Code: Retrieving Error Codes
4.4.6 Error Data Sources Summary
4.5 Understanding Custom Password Pages
4.5.1 Customizing the Password Page WAR
4.5.2 Using the Request Cache
4.5.3 Specifying the Password Service URL
4.5.4 Sample Code: Retrieving Warning Messages
4.5.5 Sample Code: Retrieving Password Policy Error Codes
4.5.6 Sample Code: Obtaining Password Policy Rules
4.6 Using the Credential Collectors with Custom Pages
4.6.1 About the Detached Credential Collector with Custom Pages
4.6.2 Creating a Form-Based Login Page Using DCC
4.6.3 About Custom Login and Error Pages for DCC Tunneling
4.7 Specifying the Custom Error and Logout Page Deployment Paths
5 Managing Policy Objects
5.1 About the Policy Administration API
5.1.1 Access Manager Policy Model
5.1.2 Security Model
5.1.3 Resource URLs
5.1.4 URL Resources and Supported HTTP Methods
5.1.5 Error Handling
5.2 Compatibility
5.3 Managing Policy Objects
5.3.1 HTTP Methods
5.3.2 Media Types
5.3.3 Resources Summary
5.4 Client Tooling
5.5 cURL Command Examples
Retrieve Application Domains cURL Command
Create a New Application Domain cURL Command
Retrieve All Authentication Schemes cURL Command
Create an Authentication Scheme cURL Command
Retrieve a Specific Authentication Scheme cURL Command
Retrieve All Resources in an Application Domain cURL Command
Create a Resource in an Application Domain cURL Command
Retrieve All Policies in an Application Domain cURL Command
6 Developing an Application to Manage Impersonation
6.1 About Impersonation
6.1.1 Impersonation Concepts and Terminology
6.1.2 Impersonation Grant Syntax
6.1.3 Impersonation Trigger Invocation Using the SSO Service
6.1.4 Triggering Impersonation Without API Abstraction
6.1.5 Impersonator Identity Communication During Impersonation Sessions
6.2 Configuring Impersonation Support
6.2.1 Configuring Impersonation Using oam-config.xml
6.2.2 Configuring Impersonation Using idmConfigTool
6.2.3 Configuring the Authentication Scheme
6.3 Testing SSO Login and Impersonation
Part III Developing with Mobile and Social
7 Developing Applications Using the Mobile and Social Client SDKs
7.1 Before you Begin
7.2 Introduction to Developing Mobile and Social Services Applications
7.3 Introduction to Building Applications With User Profile Services
7.4 Introduction to Developing Internet Identity Services Applications
8 Developing Mobile and Social Services Applications with the Java Client SDK
8.1 Before You Begin
8.2 Invoking Authentication Services With the Java Client SDK
8.2.1 Import the Java Client SDK Classes
8.2.2 Initialize Objects and Define Endpoints
8.2.3 Create a Client Token
8.2.4 Create a User Token
8.2.5 Create an Access Token
8.2.6 Validate a Client Token
8.2.7 Validate a User Token
8.2.8 Perform a User Lookup Using the User Token
8.2.9 Delete the Client Token
8.3 Invoking User Profile Services with the Java Client SDK
8.3.1 Working with People
8.3.1.1 Importing Java Classes and Declaring People
8.3.1.2 Creating a User
8.3.1.3 Reading a User
8.3.1.4 Updating a User
8.3.1.5 Deleting a User
8.3.1.6 Searching for a User
8.3.1.7 Retrieving User Attributes and Validating the Results
8.3.2 Working With Groups
8.3.2.1 Importing Java Classes and Declaring Groups
8.3.2.2 Creating a Group
8.3.2.3 Reading a Group
8.3.2.4 Updating a Group
8.3.2.5 Deleting a Group
8.3.2.6 Searching a Group
8.3.2.7 Searching Groups With Paging Support
8.3.2.8 Adding a User to a Group
8.3.2.9 Getting Group Membership Info
8.3.2.10 Searching for a Member Within a Group
8.3.2.11 Removing a Member From a Group
8.3.2.12 Assigning Group Ownership
8.3.2.13 Getting Group Ownership Info
8.3.2.14 Searching for the Owner of a Group
8.3.2.15 Removing a Group Owner
8.3.2.16 Adding a Group (or a User) to a Group Using addMemberOf
8.3.2.17 Getting the Membership of a Group Using getMemberOf
8.3.2.18 Searching a Group Using searchMemberOf
8.3.2.19 Removing a Group (or a User) from a Group Using deleteMemberOf
8.3.2.20 Assigning Group Ownership Using addOwnerOf
8.3.2.21 Getting Group Ownership Info Using getOwnerOf
8.3.2.22 Searching for the Owner of a Group Using searchOwnerOf
8.3.2.23 Removing a Group (or a User) from a Group Using deleteOwnerOf
8.3.3 Working With Organizations
8.3.3.1 Importing Java Classes and Declaring Groups
8.3.3.2 Creating User Data with a Helper Utility
8.3.3.3 Establishing Manager and Reports Relationships with a Helper Utility
8.3.3.4 Creating Users at Different Hierarchies with a Data Preparation Utility
8.3.3.5 Verifying a Manager
8.3.3.6 Verifying Direct Reports
8.3.3.7 Retrieve All Reports Using Scope=All Feature
8.3.3.8 Retrieve the Manager Chain Using Scope=toTop Feature
8.3.3.9 Retrieve Report Details Using Pre-Fetch Feature
8.3.3.10 Retrieve Manager Data using the Pre-Fetch feature
8.3.3.11 Deleting a Report From the Manager
8.3.4 Searching With Paging Support
8.4 Invoking Authorization Services With the Java Client SDK
9 Developing Mobile and Social Services Applications with the iOS Client SDK
9.1 Getting Started With the iOS Client SDK
9.1.1 Getting Started Using the iOS Client SDK With Xcode
9.2 Invoking Authentication Services With the iOS Client SDK
9.2.1 Initializing the Required Objects
9.2.2 Setting Up the Service
9.2.3 Completing the Authentication Process
9.2.4 Logging a User Out
9.3 Setting Up URL-Based Configuration
9.4 About Initialization Properties for M&S Authentication
9.5 About Offline Authentication
9.6 Invoking Social Identity Authentication
9.7 Invoking User Profile Services With the iOS Client SDK
9.7.1 Working With People
9.7.2 Working With Groups
9.7.3 Working With Organizations
9.7.4 Using the Asynchronous API
9.8 Invoking the Mobile Single Sign-on Agent App
9.8.1 Invoking the Mobile Single Sign-on Agent App From a Web Browser
9.9 Authenticating Using Client Certificate
9.9.1 Importing a Client Certificate
9.9.1.1 importClientCertificateFromFile:presenter:delegate:
9.9.1.2 importClientCertificateFromFile:password:error:
9.9.2 Performing Standalone Authentication
9.9.3 Performing Mixed Mode Authentication
9.10 Understanding and Using OAuth2.0 for iOS SDK
9.10.1 OAM Mobile and Social (M&S) OAuth
9.10.1.1 Authentication
9.10.2 Standard Flows (Generic Implementation)
9.10.2.1 Authentication Scopes
9.10.3 New APIs
9.10.4 Using the External Browser
9.10.5 Accessing Protected Resources
9.10.5.1 Initializing the SDK for Identity Domain Header Injection
9.10.5.2 Initializing the SDK for Client Token
9.10.5.3 Initializing the SDK for User Token
9.10.6 Credential Collection
9.11 Invoking REST Web Services
9.11.1 Understanding the OMRESTRequest API Flow
9.12 Using the iOS SDK to Create a Custom Mobile Single Sign-on Agent App
9.13 Login and KBA View Customization
9.13.1 Implementing Native View Customization
9.13.2 Implementing Progress View Customization
9.14 Using the Cryptography Module
9.14.1 Hashing
9.14.2 Symmetric Key Encryption/Decryption
9.14.3 Asymmetric Key Cryptography
9.15 Using the Auto Login and the Remember Credentials Features
9.15.1 Enabling the Auto Login and Remember Credentials Feature
9.15.2 Handling User Preferences
9.15.3 Clearing Credentials and Preferences from Mobile Devices
9.15.4 Creating a Custom Login Screen
9.16 Using the Credential Store Service (KeyChain)
9.16.1 Adding a User Name and Password
9.16.2 Adding a User Name, Password and Tenant Name
9.16.3 Deleting a Credential
9.16.4 Updating a User Name and Password
9.16.5 Updating a User Name, Password and Tenant Name
9.16.6 Getting a User Name and Password
9.16.7 Storing a Property in KeyChainItem
9.16.8 Storing Multiple Properties in KeyChainItem
9.16.9 Deleting a Property in KeyChainItem
9.16.10 Getting a Property
10 Developing Mobile and Social Services Applications with the Android Client SDK
10.1 Getting Started With the Android Client SDK
10.1.1 Developing and Packaging Android Applications
10.2 Invoking Authentication Services With the Android Client SDK
10.3 URL-Based Initialization
10.4 Initialization Properties
10.5 About Offline Authentication
10.6 Invoking Social Identity Authentication Using the Android Client SDK
10.7 Invoking the Mobile Single Sign-on Agent App
10.7.1 Invoking the Mobile Single Sign-on Agent App from Another Application (SSO Client)
10.7.2 Invoking the Mobile Single Sign-on Agent App Using a Mobile Browser
10.8 Invoking User Profile Services With the Android Client SDK User Role Module
10.9 Authenticating Using Client Certificate
10.9.1 Importing Certificates
10.9.1.1 Importing Server Certificates
10.9.1.2 Importing Client Identity Certificates
10.9.2 Performing Operations on Imported Certificates
10.9.2.1 Server Certificates
10.9.2.2 Client Certificates
10.10 Developing OAuth and Mobile OAuth Services Applications With the Android Client SDK
10.10.1 Understanding OAuth2.0 for Android
10.10.2 Oracle Access Manager Mobile and Social (M&S) OAuth
10.10.2.1 Authentication
10.10.3 Standard Flows (Generic Implementation)
10.10.3.1 Authentication
10.10.4 New APIs
10.10.5 Getting the Tokens From SDK
10.10.6 Using the External Browser
10.10.7 Accessing Protected Resources
10.10.8 Credential Collection
10.11 Invoking REST Web Services
10.12 Creating a Custom Mobile Single Sign-on Agent App Using the Android Client SDK
10.13 Login View and KBA View Customization
10.14 Using the Cryptography APIs
10.15 Using the Auto Login and the Remember Credentials Features
10.16 Invoking the CredentialStoreService With the Android Client SDK Secure Storage Module
10.17 Error Codes
11 Developing Applications Using the Social Identity Client SDK
11.1 Before you Begin
11.2 Introduction to Developing Social Identity Applications
11.2.1 About the Social Identity Client SDK
11.3 Getting the List of Identity Providers for an Application
11.4 Integrating Social Identity With a Web Application Running on a Server
11.4.1 Defining the Web Application on the Mobile and Social Server
11.4.2 Integrating the Social Identity Login Page With the Web Application
11.4.2.1 Adding the Pre-built Social Identity Login Page
11.4.2.2 Building a Custom Login Page
11.4.3 Handling User Registration
11.4.3.1 Using a Custom User Registration Page
11.4.3.2 Using the Mobile and Social Built-in User Registration Page
11.4.4 Handling the Final Return Response
11.4.4.1 Secured Attribute Exchange (SAE) Token Response Attributes
11.5 Integrating With an Access Manager Protected Web Application
11.6 Integrating Social Identity With a Mobile Application
11.6.1 Defining the Mobile Application on the Mobile and Social Server
12 Extending the Capabilities of the Mobile and Social Server
12.1 Create a new Authentication Services Provider for Mobile and Social Services
12.1.1 Developing the Custom Authentication Service Provider
12.1.1.1 Implementing the TokenService Interface
12.1.1.2 Extending the MobileCompositeTokenServiceProvider
12.1.2 Building the Custom Authentication Service Provider
12.1.2.1 To Build the Custom Authentication Service Provider
12.1.3 Deploying the Custom Authentication Service Provider
12.1.3.1 To Deploy the Custom Authentication Service Provider
12.2 Create a new Identity Service Provider for Internet Identity Services
12.2.1 Developing the Custom Identity Service Provider
12.2.2 Building the Custom Identity Service Provider
12.2.2.1 To Build the Custom Identity Service Provider
12.2.3 Deploying the Custom Identity Service Provider
12.2.3.1 To Deploy the Custom Identity Service Provider
13 Customizing Oracle Mobile Authenticator
13.1 Understanding the Oracle Mobile Authenticator
13.2 Customizing Oracle Mobile Authenticator on iOS
13.2.1 Using Xcode
13.2.2 Customizing Oracle Mobile Authenticator
13.2.2.1 Changing the Application Art
13.2.2.2 Modifying the Application Name and Text
13.2.2.3 Toggling Online and Offline Mode
13.2.2.4 Changing the Application Version
13.2.2.5 Signing the Application
13.3 Customizing Oracle Mobile Authenticator on Android
13.3.1 Using apktool
13.3.2 Customizing Options
13.3.2.1 Changing Application Icons
13.3.2.2 Modifying the Application Name and Text
13.3.2.3 Toggling Online and Offline Mode
13.3.2.4 Modifying the Version and Code Number
13.3.2.5 Signing the Application
14 Using the Mobile and Social REST API
Request and Response Header Attribute Name Reference
X-IDAAS-REST-VERSION
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-IDAAS-SERVICEDOMAIN
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-IDAAS-REST-AUTHORIZATION
Where to use This Attribute
Attribute Type
Sample cURL Commands
Comments
AUTHORIZATION
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-Idaas-Rest-Subject-Type
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-Idaas-Rest-Subject-Value
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Subject
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Subject-CREDENTIAL
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-Idaas-Rest-Subject-Username
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Subject-Password
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-New-Token-Type-To-Create
Where to use This Attribute
Attribute Type
Sample cURL Command
Comments
X-Idaas-Rest-Application-Context
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Application-Resource
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-User-Principal
Where to use This Attribute
Attribute Type
Sample cURL Command
X-Idaas-Rest-Provider-Type
Where to use This Attribute
Attribute Type
Sample cURL Command
Mobile and Social REST Security Filter Reference
Authorize With UIDPASSWORD
cURL Command
Expected Output
Comments
Authorize With HTTP Basic
cURL Command
Expected Output
Comments
Authorize With an Access Manager Token
cURL Command
Expected Output
Comments
Mobile and Social Services REST Reference: Authentication and Authorization
Authentication for a Client Token
cURL Command
Expected Output
Comments
Authentication for a User Token
cURL Command
Expected Output
Comments
Authentication for an Access Token
cURL Command
Expected Output
Comments
Authentication for Multiple Tokens
cURL Command
Expected Output
Comments
Get or Validate a (Client) Token
cURL Command
Expected Output
Comments
Delete a Token
cURL Command
Expected Output
Comments
Authorization
cURL Command
Expected Output
Comments
Create a JWT User Token
cURL Command
Expected Output
Create a JWT User Token, OAM User Token, and OAM Master Token
cURL Command
Expected Output
Exchanging a JWT Token for OAM Tokens
cURL Command
Expected Output
Testing the JWT-OAM + PIN Token Service Provider (Mobile Case)
Testing the JWT-OAM + PIN Token Service Provider (Desktop Case)
Create an OAM Access Token Using an OAM User Token
cURL Command
Expected Output
Validate a JWT USER TOKEN
cURL Command
Expected Output
Validate an OAM USER TOKEN
cURL Command
Expected Output
Delete an OAM USER TOKEN
cURL Command
Expected Output
Mobile and Social Services REST Reference: Commands for Mobile Single Sign-on Tokens
Create a Client Registration Handle for a Mobile Single Sign-on Agent App
cURL Command
Expected Output
Comments
Create a Client Registration Handle for a Mobile Single Sign-on Client App (User Name Scenario)
cURL Command
Expected Output
Comments
Create a Client Registration Handle for a Mobile Single Sign-on Client App (User Token Scenario)
cURL Command
Expected Output
Comments
Create a Request for a User Token
cURL Command
Expected Output
Comments
Create a Request for an Access Token
cURL Command
Expected Output
Comments
The Single Sign-on Agent Request to Create an Access Token for its own use
cURL Command
Expected Output
Comments
Verify a Client Reg Handle
cURL Command
Expected Output
Comments
Mobile and Social Services REST Reference: Commands for User Profile Services
Basic User Operations
Create a User
Read a User
Update a User
Delete a User
Basic Group Operations
Create a Group
Read a Group
Update a Group
Delete a Group
"memberOf" Relationship Operations
Create a "memberOf" Relationship
Read a "memberOf" Relationship
Delete a "memberOf" Relationship
"members" Relationship Operations
Create a "members" Relationship
Read a "members" Relationship
Delete a "members" Relationship
"manager" Relationship Operations
Create a "manager" Relationship
Read a "manager" Relationship
Delete a "manager" Relationship
"reports" Relationship Operations
Create a "reports" Relationship
Read a "reports" Relationship
Delete a "reports" Relationship
"ownerOf" Relationship Operations
Create an "OwnerOf" Relationship
Read an "OwnerOf" Relationship
Delete an "OwnerOf" Relationship
"personOwner" Relationship Operations
Create a "personOwner" Relationship
Read a "personOwner" Relationship
Delete a "personOwner" Relationship
"groupOwner" Relationship Operations
Create a "groupOwner" Relationship
Read a "groupOwner" Relationship
Delete a "groupOwner" Relationship
"groupOwnerOf" Relationship Operations
Create a "groupOwnerOf" Relationship
Read a "groupOwnerOf" Relationship
Delete a "groupOwnerOf" Relationship
"groupMemberOf" Relationship Operations
Create a "groupMemberOf" Relationship
Read a "groupMemberOf" Relationship
Delete a "groupMemberOf" Relationship
"groupMembers" Relationship Operations
Create a "groupMembers" Relationship
Read a "groupMembers" Relationship
Delete a "groupMembers" Relationship
Search User Operations
Search Users
Search Users With PageSize and PagePos
Search Users With a Search Parameter and Without a Search Filter
Search Users With a Search Filter
Search Groups
Search Relationships
The "attrsToFetch" Query Parameter Feature
Read a User With attrsToFetch
Search Groups With attrsToFetch
Search a Relationship With attrsToFetch
The "prefetch" Query Parameter Feature
Read a User With prefetch
The "scope" Query Parameter Feature
Search a Relationship With scope
Practical Examples
Mobile SSO Agent Requests Client Registration Handle (Client Token)
Mobile SSO Agent Requests Client Registration Handle on Behalf of Business App
A User Token Request
An Access Token Request
Access Manager Master Token Authentication
Device Registration Request with KBA Response
Specifying the Tenant Name in the Header
Error Messages
Part IV Developing with the OAuth Service
15 Using the OAuth Services API
Using REST in Standard 3-Legged OAuth Services Flows
Sample Request
Part One: The Front-Channel Request
Part Two: The Back-Channel Request
Using REST in Standard 2-Legged OAuth Services Flows
Sample Response
Using Client Credentials
Using the Resource Owner Credentials
Using a Refresh Token
Using a SAML Client Assertion
Using a JWT Client Assertion
Using User ID/Password Credentials and ClientID+Secret in an HTTP Basic Header
Using User ID/Password Credentials and a JWT Client Assertion
Using UserID/Password Credentials and a SAML Client Assertion
Using a SAML User Assertion Credential and ClientID+Secret in an HTTP Basic Header
Using a SAML User Assertion Credential and a SAML Client Assertion
Using a SAML User Assertion Credential and a JWT Client Assertion
Using a JWT User Assertion Credential and ClientID+Secret in an HTTP Basic Header
Using a JWT User Assertion Credential and a SAML Client Assertion
Using a JWT User Assertion Credential and a JWT Client Assertion
Getting Identity Tokens
Getting a Client Identity Token
Using Client Credentials
Using a Third-Party Generated SAML Client Assertion
Using a Third-Party Generated JWT Client Assertion
Getting a User Identity Token
Getting a User Identity Token With a User ID and Password and Varying Client Credentials
Getting a User Identity Token With a SAML User Assertion Credential and Varying Client Credentials
Getting a User Identity Token With a JWT User Assertion Credential and Varying Client Credentials
Validating an Access Token
Using the Client ID and Secret in an HTTP Basic Header
Using a Client Assertion
Performing Access Token Introspection
Using the Client ID and Secret in the HTTP Basic Header
Using a Client Assertion
Revoking an Access Token
Revoking an Access Token with Client ID and Secret in an HTTP Basic Header
Revoking an Access Token with a Client Assertion
Administering a Secret Key
Creating a Secret Key
Getting a Secret Key
Deleting a Secret Key
Creating a Secret Key Using Basic Authentication
Administering the OAuth Services User Profile Service with REST
Read My Profile
Update My Profile
Create a User Profile
Read a User Profile
Update a User Profile
Delete a User Profile
Create a Group Profile
Read a Group Profile
Update a Group Profile
Delete a Group Profile
Delete a User Profile
Administering OAuth Services Consent Management Services with REST
Getting an Access Token with Client Credentials and Scope
Accessing the Consent Management Server to Grant Consent
Accessing the Consent Management Server to Retrieve Consent
Accessing the Consent Management Server to Revoke Consent
Granting the Client Permission to Access a UserProfile Resource
Getting the Access Token for a User's UserProfile Resource
Accessing a User's UserProfile Resource with the Access Token
Using REST in OAuth Services Mobile Client 3-Legged Flows
Getting an Application Profile
Requesting a Mobile Device Client Verification Code
Requesting an Authorization Code for Device Registration
Creating a Client Assertion and JWT User Assertion
Creating a Client Assertion and JWT User Assertion Using Social Authentication
Requesting a Verification Code for Mobile Client Registration
Requesting an Authorization Code for Mobile Device Registration
Creating an Access Token
Creating an Access Token Using Social Authentication
Logging Out
Using REST in OAuth Services Mobile Client 2-Legged Flows
Getting an Application Profile
Requesting a Mobile Device Client Verification Code
Registering a Mobile App and Creating Assertions
Answer the Knowledge-Based Authentication (KBA) Challenge Request
Logging Out
Logging In
Creating OAM User and Master Tokens with Valid JWT
Creating OAM Access and Master Tokens with Valid OAM User Token
Creating an OAuth Services Access Token Using an OAM Credential Grant Type
Creating an OAuth Services Access Token Using a Standard JWT User Assertion Grant
Mobile Flows When the Server-Side SSO Feature is Disabled
Register Mobile App1 Using a User Name and Password
Register Mobile App2 Using a JWT User Assertion Grant
Create an Access Token Using a Standard JWT User Assertion Grant With a JWT Client Assertion and a User Assertion
Answer the Knowledge-Based Authentication (KBA) Challenge Request
Create an Access Token Using a Refresh Token
Terminate the JWT User Assertion
Login (Create JWT User Assertion)
Create an OAM User Token and OAM Master Token using a JWT User Assertion (Token Exchange)
Create an OAM User Token and OAM Master Token Using JWT User Assertion + User PIN Credential (Token Exchange)
Create an OAM Access Token using the OAM User Token
Using Credentials, PIN and Assertions to Get Tokens
Using a Client Credential + User Name and Password Combination
Overview
How to Get a JWT User Token
How to Get a JWT Access Token
How to Get an OAM User Token and Master Token
Using a Client Credential + oracle_user_credentials Combination
Overview
How to Get a JWT User Token
How to Get a JWT Access Token
How to Get an OAM User Token and Master Token
Using JWT Assertion
Overview
How to Get a JWT User Token
How to Get a JWT Access Token
How to Get an OAM User Token and Master Token
How to Get an OAM Access Token With an OAM User Token Located in the Server-Side Key Store
Using JWT Assertion + PIN
Overview
How to Get an OAM User Token and Master Token
Using SAML2 Assertion
Overview
How to Get a JWT User Token
How to Get a JWT Access Token
How to Get an OAM User Token and Master Token
Getting OAM Tokens on Mobile Devices
How to Request a Verification Code
How to Register the Client
How to Get an OAM User Token and Master Token
How to Get an OAM Access Token
16 Customizing the OAuth Services
16.1 Introduction
16.2 Creating a Custom Client Management Plug-in
16.2.1 The Default Client Management Plug-in Implementation
16.2.2 The Client Runtime Flow
16.2.3 Deployment Notes
16.2.4 Sample Code
16.3 Creating a Custom Resource Server Profile-Management Plug-in
16.3.1 The Default Resource Server Profile-Management Plug-in Implementation
16.3.2 Resource Server Usage and Validation
16.3.3 Development and Deployment Notes
16.3.4 Sample Code
16.4 Creating a Custom Token Attributes Plug-in
16.4.1 Deployment Notes
16.4.2 Sample Code
16.5 Creating a Custom Authorization and Consent Service Plug-in
16.5.1 The Default Resource Authorization and User Consent Services Implementations
Part V Developing with Identity Federation
17 Developing a Custom User Provisioning Plug-in
17.1 Introduction to User Provisioning Plug-ins
17.2 Introduction to Plug-in Interfaces
17.3 Sample Code: Custom User Provisioning Plug-in
17.4 Developing a User Provisioning Plug-in
17.4.1 Process Overview: Developing a Custom Plug-in
17.4.2 Files Required for Compiling a Plug-in
18 Using the REST API for Identity Federation
18.1 Resource URLs
18.2 URL Resources and Supported HTTP Methods
18.3 Resources Summary
18.4 cURL Command Examples
Configuring SSO Service using POST cURL Command
Retrieving SSO Service using GET cURL Command
Configuring SSO Service using PUT cURL Command
Creating an SP Partner cURL Command
Listing all SP Partners cURL Command
Retrieving SP Partner Data cURL Command
Updating SP Partner Details cURL Command
Deleting SP Partner Details cURL Command
Enabling Test SP using POST cURL Command
Retrieving Test SP Enablement using GET cURL Command
Disabling Test SP using PUT cURL Command
Configuring SSO Service using POST cURL Command using /fedrest/configuresso
Creating an SP Partner cURL Command using /fedrest/createsp
Creating an IdP Partner cURL Command using /fedrest/createidp
Connecting Federation Servers to remote REST services using /fedrest/orchestrator
19 Developing a Message Processing Plug-in
19.1 Understanding Custom SAML Elements
19.2 Extending the OIFMessageProcessingPlugin
19.3 Deploying the Message Processing Plug-in
19.4 Enabling the Message Processing Plug-in
20 Implementing Custom Authentication Actions
20.1 Understanding Custom Authentication Actions
20.1.1 Using Pre and Post Processing Custom Authentication Actions
20.1.2 Setting Up a Custom Authentication Action Plug-in
20.1.3 Understanding the Custom Action Flow
20.2 Using Pre-Processing Custom Actions
20.2.1 Passing Data to the Pre-Processing Plug-in
20.2.2 Configuring Identity Federation for the Pre-Processing Action
20.3 Example: Custom Action Pre-processing
20.4 Using Post-Processing Custom Actions
20.4.1 Passing Data to the Post-Processing Plug-in
20.4.2 Configuring Identity Federation for the Post-Processing Action
20.5 Example: Custom Action Post-Processing
Part VI Developing with Security Token Service
21 Developing a Custom Token Module
21.1 Introduction to Oracle Security Token Service Custom Token Module Classes
21.2 Writing a TokenValidatorModule Class
21.2.1 About Writing a TokenValidatorModule Class
21.2.2 Writing a TokenValidatorModule Class
21.3 Writing a TokenIssuanceModule Class
21.3.1 About Writing a TokenIssuanceModule Class
21.3.2 Writing a TokenIssuanceModule Class
Part VII Appendices
A Creating Deployment-Specific Pages
A.1 How the Single Sign-On Server Uses Deployment-Specific Pages
A.1.1 Change Password Page Behavior
A.1.1.1 Password Has Expired
A.1.1.2 Password Is About to Expire
A.1.1.3 Grace Login Is in Force
A.1.1.4 Force Change Password
A.2 How to Write Deployment-Specific Pages
A.2.1 Login Page Parameters
A.2.2 Change Password Page Parameters
A.3 Page Error Codes
A.3.1 OSSO 10g Login Page Error Codes
A.4 Adding Globalization Support
A.4.1 Deciding What Language to Display the Page In
A.4.1.1 Use the Accept-Language Header to Determine the Page
A.4.1.2 Use Page Logic to Determine the Language
A.4.2 Rendering the Page
A.5 Guidelines for Deployment-Specific Pages
A.6 Examples of Deployment-Specific Pages
A.6.1 Using Custom Classes
A.7 Adding an External Application