This chapter describes the Mobile Security Access Server (MSAS) predefined security and management policies. For more information about attaching policies, see "Attaching and Detaching Policies and Assertions" in Administering Mobile Security Access Server.
Note:
Oracle recommends that you do not edit the predefined assertion templates so that you will always have a known set of valid templates. You can, however, create a new assertion template from a predefined assertion template, or configure the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates" in Administering Mobile Security Access Server.
This section describes the predefined security policies that are provided with your MSAS installation and which are listed on the Access Policies page in the MSAS Console.
The tables in the following sections distinguish how the MSAS security policies are documented in this release:
MSAS Security Policies – summarizes new MSAS security policies that are documented in this reference.
Note: Some policies are marked as internal because they are not available for attachment to URLs in applications.
Security Policies Supported by MSAS – summarizes additional security policies that are supported by MSAS, but which are documented in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Security Policies Reserved for Future Use – summarizes security policies that appear in the MSAS Console, but which are reserved for future use with MSAS.
Table 1-1 summarizes the predefined MSAS security policies listed on the Access Policies page in the MSAS Console, and which are documented in this reference.
Table 1-1 Predefined MSAS Security Policies
Policy Name | Description |
---|---|
Performs user authorization based on the policy defined in Oracle Entitlements Server (OES) and provides fine-grained authorization on any operation on a web service. |
|
Internal policy that provides SKEK encryption and SKEK decryption. |
|
Injects a JWT User Token in the HTTP header when accessing back-end resources. |
|
Injects an OAM access token in the authorization header when accessing OAM protected resources. |
|
Injects an OAuth access token in the authorization header when accessing OAuth protected resources. |
|
Creates a SPNEGO token and sends it to the service in the HTTP header. |
|
Internal policy that performs HTML form based authentication. This policy can be attached to web applications (URLs). |
|
Internal policy that enables the Kerberos password authentication. |
|
Verifies whether the web resource is protected by OAM and, if it is, authenticates using OAM and establishes the Subject before allowing access to the actual web resource. |
|
Internal policy that performs OAuth2 confidential client authentication and creates OAuth and OAM tokens. This policy is attached only on internal authentication endpoints. |
|
Internal policy that performs OAuth2 mobile client authentication and creates OAuth and OAM tokens. This policy is attached only on internal authentication endpoints. |
|
Performs NTLM (NT LAN Manager) authentication with NTLM protected applications. It requires a KINIT or PKINIT-based HTTP session token. This policy can be attached to SOAP/REST services and also to web applications. |
|
Internal policy that enables the Kerberos PKI authentication. |
|
Internal policy that issues a session token with the authenticated user ID. |
|
Verifies the session token including the timestamp and signature, decrypts the encrypted data and asserts the identity using the user ID from the session token. The request is rejected if the verification fails. |
|
Internal policy that enables the Time Limited Password authentication. |
|
Internal policy that injects a custom HTTP Header with the BMAX (MSAS) URL. This is required by MSM to know the MSAS URL. |
|
Internal policy that injects a custom HTTP header with the client certificate received over two-way SSL. |
|
An exactly-one policy for creating a SPNEGO, NTLM, or Bearer assertion based on a back-end service policy. |
Table 1-2 summarizes additional access policies that are supported by Mobile Security Access Server. For detailed descriptions, however, see "Predefined Policies" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Table 1-2 Predefined Security Policies Supported by MSAS
Policy Name | Description |
---|---|
oracle/http_basic_auth_over_ssl_client_policy | Includes credentials in the HTTP header for outbound client requests and verifies that the transport protocol is HTTPS. |
oracle/http_basic_auth_over_ssl_service_policy | Uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. |
oracle/http_jwt_token_client_policy | Includes a JSON Web Token (JWT) token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy. |
oracle/http_jwt_token_over_ssl_client_policy | Includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declaratively through the policy. You can specify the audience restriction condition for this policy. |
oracle/http_jwt_token_over_ssl_service_policy | Authenticates users using the username provided in the JWT token in the HTTP header. This policy also verifies that the transport protocol is HTTPS. Requests over a non-HTTPS transport protocol are refused. |
oracle/http_jwt_token_service_policy | Authenticates users using the username provided in the JWT token in the HTTP header. |
oracle/http_saml20_token_bearer_client_policy | Includes a SAML Bearer V2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. This policy can be enforced on any HTTP-based client endpoint. |
oracle/http_saml20_token_bearer_over_ssl_client_policy | Includes a SAML Bearer v2.0 token in the HTTP header. The SAML token with confirmation method Bearer is created automatically. The policy verifies that the transport protocol provides SSL message protection. This policy can be attached to any HTTP-based client endpoint. |
oracle/http_saml20_token_bearer_over_ssl_service_policy | Authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module. The policy verifies that the transport protocol provides SSL message protection. This policy can be enforced on any HTTP-based endpoint. |
oracle/http_saml20_token_bearer_service_policy | Authenticates users using credentials provided in the SAML v2.0 token with confirmation method Bearer in the HTTP header. The credentials in the SAML token are authenticated against a SAML v2.0 login module. This policy can be enforced on any HTTP-based endpoint. |
oracle/wss_http_token_client_policy | Includes credentials in the HTTP header for outbound client requests. This policy can be enforced on any HTTP-based client. |
oracle/wss_http_token_service_policy | Uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. This policy can be enforced on any HTTP-based endpoint. |
Table 1-3 summarizes the predefined MSAS policies that are listed in the Access Policies page, but which are reserved for future use.
Table 1-3 Predefined Security Policies that Are Reserved for Future Use
Policy Name | Description |
---|---|
oracle/binding_authorization_denyall_policy | Reserved for future use. |
oracle/binding_authorization_permitall_policy | Reserved for future use. |
oracle/binding_oes_masking_policy | Reserved for future use. |
oracle/binding_permission_authorization_policy | Reserved for future use. |
oracle/component_authorization_denyall_policy | Reserved for future use. |
oracle/component_authorization_permitall_policy | Reserved for future use. |
oracle/component_oes_authorization_policy | Reserved for future use. |
oracle/component_permission_authorization_policy | Reserved for future use. |
oracle/http_jwt_token_identity_switch_client_policy | Reserved for future use. |
oracle/http_oam_token_service_policy | Reserved for future use. |
oracle/http_oauth2_token_client_policy | Reserved for future use. |
oracle/http_oauth2_token_identity_switch_opc_oauth2_over_ssl_client_policy | Reserved for future use. |
oracle/http_oauth2_token_identity_switch_over_ssl_client_policy | Reserved for future use. |
oracle/http_oauth2_token_opc_oauth2_client_policy | Reserved for future use. |
oracle/http_oauth2_token_opc_oauth2_over_ssl_client_policy | Reserved for future use. |
oracle/http_oauth2_token_over_ssl_client_policy | Reserved for future use. |
Reserved for future use. |
|
oracle/multi_token_over_ssl_rest_service_policy | Reserved for future use. |
oracle/multi_token_rest_service_policy | Reserved for future use. |
oracle/no_authentication_client_policy | Reserved for future use. |
oracle/no_authentication_service_policy | Reserved for future use. |
oracle/no_authorization_component_policy | Reserved for future use. |
oracle/no_authorization_service_policy | Reserved for future use. |
oracle/no_messageprotection_client_policy | Reserved for future use. |
oracle/no_messageprotection_service_policy | Reserved for future use. |
oracle/oauth2_config_client_policy | Reserved for future use. |
oracle/pii_security_policy | Reserved for future use. |
oracle/sts_trust_config_client_policy | Reserved for future use. |
oracle/sts_trust_config_service_policy | Reserved for future use. |
oracle/whitelist_authorization_policy | Reserved for future use. |
oracle/wss10_message_protection_client_policy | Reserved for future use. |
oracle/wss10_message_protection_client_policy | Reserved for future use. |
oracle/wss10_saml20_token_client_policy | Reserved for future use. |
oracle/wss10_saml20_token_service_policy | Reserved for future use. |
oracle/wss10_saml20_token_with_message_protection_client_policy | Reserved for future use. |
oracle/wss10_saml20_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss10_saml_hok_with_message_protection_client_policy | Reserved for future use. |
oracle/wss10_saml_hok_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss10_saml_token_client_policy | Reserved for future use. |
oracle/wss10_saml_token_service_policy | Reserved for future use. |
oracle/wss10_saml_token_with_message_integrity_client_policy | Reserved for future use. |
oracle/wss10_saml_token_with_message_integrity_service_policy | Reserved for future use. |
oracle/wss10_saml_token_with_message_protection_client_policy | Reserved for future use. |
oracle/wss10_saml_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy | Reserved for future use. |
oracle/wss10_saml_token_with_message_protection_ski_basic256_service_policy | Reserved for future use. |
oracle/wss10_username_id_propagation_with_msg_protection_client_policy | Reserved for future use. |
oracle/wss10_username_id_propagation_with_msg_protection_service_policy | Reserved for future use. |
oracle/wss10_username_token_with_message_protection_client_policy | Reserved for future use. |
oracle/wss10_username_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss10_username_token_with_message_protection_ski_basic256_client_policy | Reserved for future use. |
oracle/wss10_username_token_with_message_protection_ski_basic256_service_policy | Reserved for future use. |
oracle/wss10_x509_token_with_message_protection_client_policy | Reserved for future use. |
oracle/wss10_x509_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss11_kerberos_token_client_policy | Reserved for future use. |
oracle/wss11_kerberos_token_service_policy | Reserved for future use. |
oracle/wss11_kerberos_token_with_message_protection_basic128_client_policy | Reserved for future use. |
oracle/wss11_kerberos_token_with_message_protection_basic128__service_policy | Reserved for future use. |
oracle/wss11_kerberos_token_with_message_protection_client_policy | Reserved for future use. |
oracle/wss11_kerberos_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss11_message_protection_client_policy | Reserved for future use. |
oracle/wss11_message_protection_client_policy | Reserved for future use. |
oracle/wss11_saml20_token_with_message_protection_client_policy | Reserved for future use. |
oracle/wss11_saml20_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss11_saml_or_username_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss11_saml_token_with_identity_switch_message_protection_client_policy | Reserved for future use. |
oracle/wss11_saml_token_with_message_protection_client_policy | Reserved for future use. |
oracle/wss11_saml_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy | Reserved for future use. |
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy | Reserved for future use. |
oracle/wss11_sts_issued_saml_with_message_protection_client_policy | Reserved for future use. |
oracle/wss11_username_token_with_message_protection_client_policy | Reserved for future use. |
oracle/wss11_username_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss11_x509_token_with_message_protection_client_policy | Reserved for future use. |
oracle/wss11_x509_token_with_message_protection_service_policy | Reserved for future use. |
oracle/wss_http_token_over_ssl_client_policy | Reserved for future use. |
oracle/wss_http_token_over_ssl_service_policy | Reserved for future use. |
oracle/wss_saml20_token_bearer_over_ssl_client_policy | Reserved for future use. |
oracle/wss_saml20_token_bearer_over_ssl_service_policy | Reserved for future use. |
oracle/wss_saml20_token_over_ssl_client_tpolicy | Reserved for future use. |
oracle/wss_saml20_token_over_ssl_service_policy | Reserved for future use. |
oracle/wss_saml_bearer_or_username_token_service_policy | Reserved for future use. |
oracle/wss_saml_or_username_token_over_ssl_service_policy | Reserved for future use. |
oracle/wss_saml_or_username_token_service_policy | Reserved for future use. |
oracle/wss_saml_token_bearer_client_policy | Reserved for future use. |
oracle/wss_saml_token_bearer_identity_switch_client_policy | Reserved for future use. |
oracle/wss_saml_token_bearer_over_ssl_client_policy | Reserved for future use. |
oracle/wss_saml_token_bearer_over_ssl_service_policy | Reserved for future use. |
oracle/wss_saml_token_over_ssl_client_policy | Reserved for future use. |
oracle/wss_saml_token_over_ssl_service_policy | Reserved for future use. |
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy | Reserved for future use. |
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy | Reserved for future use. |
oracle/wss_username_token_client_policy | Reserved for future use. |
oracle/wss_username_token_service_policy | Reserved for future use. |
oracle/wss_username_token_over_ssl_client_policy | Reserved for future use. |
oracle/wss_username_token_over_ssl_service_policy | Reserved for future use. |
Display Name: Fine-grained authorization using Oracle Entitlements Server
Category: Security
This policy performs user authorization based on the policy defined in Oracle Entitlements Server (OES) and provides fine-grained authorization on any operation on a web service. Authorization is based on attributes, current authenticated subject, and web service actions invoked by the client. This policy should follow an authentication policy where the subject is established, and can be attached to any SOAP-based or REST-based endpoint.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-5, "binding_oes_authorization_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP Action Security Policy
Category: Security
This internal policy provides SKEK encryption and SKEK decryption.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-7, "http_action_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP BMAX JWT User Token Client Policy
Category: Security
This policy injects a JWT User Token in the HTTP header when accessing back-end resources.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-8, "http_bmax_jwt_user_token_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP BMAX OAM Token Client Policy
Category: Security
This policy injects an OAM access token in the authorization header when accessing OAM protected resources.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-9, "http_bmax_oam_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP BMAX OAUTH Client Policy
Category: Security
This policy injects an OAuth access token in the authorization header when accessing OAuth protected resources.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-10, "http_bmax_oauth_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP BMAX SPNEGO Client Policy
Category: Security
This policy creates a SPNEGO token and sends it to the service in the HTTP header.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-11, "http_bmax_spnego_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP Form Based Authentication Service Policy
Category: Security
This internal policy performs HTML form based authentication. This policy can be attached to web applications (URLs).
This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-13, "http_form_based_auth_over_ssl_service_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP Kerberos Password Authentication Service Policy
Category: Security
This internal policy enables the Kerberos password authentication.
This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-15, "http_kinit_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP OAM Access Service Policy
Category: Security
This policy verifies whether the web resource is protected by OAM and, if it is, authenticates using OAM and establishes the Subject before allowing access to the actual web resource.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-18, "http_oam_authentication_service_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP OAuth2 Confidential Client Over SSL Policy
Category: Security
This internal policy performs OAuth2 confidential client authentication and creates OAuth and OAM tokens. This policy is attached only on internal authentication endpoints.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-20, "http_oauth2_confidential_client_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP OAuth2 Mobile Client Token Over SSL Service Policy
Category: Security
This internal policy performs OAuth2 mobile client authentication and creates OAuth and OAM tokens. This policy is attached only on internal authentication endpoints.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-22, "http_oauth2_mobile_client_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP NTLM Authentication Client Policy
Category: Security
This policy performs NTLM (NT LAN Manager) authentication with NTLM protected applications. It requires a KINIT or PKINIT-based HTTP session token. This policy can be attached to SOAP/REST services and also to web applications.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-16, "http_ntlm_token_client_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP Kerberos PKI Authentication Service Policy
Category: Security
This internal policy enables the Kerberos PKI authentication.
This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-24, "http_pkinit_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP Session Token Issue Policy
Category: Security
This policy issues a session token with the authenticated user ID.
This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-26, "http_session_token_issue_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP Session Token Verify Policy
Category: Security
This policy verifies the session token including the timestamp and signature, decrypts the encrypted data and asserts the identity using the user ID from the session token. The request is rejected if the verification fails.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
oracle/http_session_token_verify_template
Note: The assert.stoken.identity property's default value is false in the http_session_token_verify_template. For authorization policy scenarios, this property must be set to true.
To configure the policy:
Override the configuration properties defined in Table 2-28, "http_session_token_verify_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: HTTP TLP Authentication Service Policy
Category: Security
This internal policy enables the Time Limited Password authentication.
This internal policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-30, "http_tlp_over_ssl_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: Inject Header with BMAX (MSAS) URL
Category: Security
This internal policy injects a custom HTTP header with the BMAX (MSAS) URL. This is required by MSM to know the MSAS URL.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-31, "inject_header_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: Inject Header with Client Certificate Policy
Category: Security
This internal policy injects a custom HTTP header with the client certificate received over two-way SSL.
This policy contains an assertion that is based on the following assertion template, which defines the settings and configuration properties for the policy:
To configure the policy:
Override the configuration properties defined in Table 2-31, "inject_header_template Configuration Properties". For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
Display Name: Multitoken Client Policy for SPNEGO, NTLM, OAM, and OAuth2
Category: Security
This policy is an exactly-one policy for enforcing one of the following authentication policies based on a back-end service policy using transport security.
SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token from the HTTP header.
NTLM over HTTP token—Performs NT LAN Manager authentication with NTLM protected applications.
BMAX OAM Client Policy for OAuth2 authentication SSO—Accesses OAM protected resources.
BMAX OAuth2 Client Policy for OAuth2 authentication SSO—Accesses OAuth2 protected resources.
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
"oracle/http_spnego_token_client_template" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
To configure the policy:
Override the configuration properties defined in one of the following sections, based on the token sent by the client. For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
"http_spnego_token_client_template Configuration Properties" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services
Table 2-16, "http_ntlm_token_client_template Configuration Properties"
Table 2-9, "http_bmax_oam_client_template Configuration Properties"
Table 2-10, "http_bmax_oauth_client_template Configuration Properties"
Display Name: Multitoken Client Policy for SPNEGO, NTLM, OAM, and OAuth2 Using Transport Security
Category: Security
Note:
This policy is reserved for future use.
This policy is an exactly-one policy for enforcing one of the following authentication policies based on a back-end service policy using transport security.
SPNEGO over HTTP security—Extracts Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token from the HTTP header.
NTLM over HTTP token—Performs NT LAN Manager authentication with NTLM protected applications.
BMAX OAM Client Policy for OAuth2 authentication SSO—Accesses OAM protected resources.
BMAX OAuth2 Client Policy for OAuth2 authentication SSO—Accesses OAuth2 protected resources.
This policy contains assertions that are based on the following assertion templates as an OR group—meaning any one of the tokens can be sent by the client:
"oracle/http_spnego_token_client_template" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
To configure the policy:
Override the configuration properties defined in one of the following sections, based on the token sent by the client. For more information, see "Configuring Policy Overrides" in Administering Mobile Security Access Server.
"http_spnego_token_client_template Configuration Properties" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services
Table 2-16, "http_ntlm_token_client_template Configuration Properties"
Table 2-9, "http_bmax_oam_client_template Configuration Properties"
Table 2-10, "http_bmax_oauth_client_template Configuration Properties"
This section describes the Oracle Mobile Security Access Server (MSAS) predefined management policies.
Note:
This section is reserved for future use.