1 Introduction to Oracle Identity and Access Management Suite Components Integration

This chapter explains integration concepts for the Oracle Identity and Access Management suite.

The chapter contains these topics:

1.1 Prerequisites to Integrating Oracle Identity Management Suite Components

Before using these procedures to integrate Identity Management components, you must install and deploy the components.

These prerequisites are explained in the following sections:

For details about installing Identity Management components, see About the Oracle Identity and Access Management Installation in Installing and Configuring Oracle Identity and Access Management.

1.1.1 Understanding the Installation Roadmap

You will take (or may already have taken) one of these paths in your IdM deployment:

  • Installation, followed by component integration, and ending with scale-out (HA)

  • Installation, followed by scale-out, and ending with integration

With scale-out, you may already have performed some of the integration procedures described here; notes in the relevant sections can help you determine whether a procedure is needed.

Using the Standard Installation Topology as a Starting Point in the Installing and Configuring Oracle Identity and Access Management contains background on the deployment procedure and describes the installation topology, prerequisites, and the installation and configuration workflow.

Oracle Identity Governance High Availability Concepts and Oracle Access Manager High Availability Concepts chapters in the Installing and Configuring Oracle Identity and Access Management explains the high availability solutions in Oracle Fusion Middleware, as well as the topologies and architecture of the various high availability options.

1.1.2 Understanding Deployment Topologies

Before starting this integration, you must also understand the identity management topology and the environment in which the components will work together.

To learn more about the topology supported in this document, see Understanding Oracle Identity Management Integration Topologies.

1.1.3 Understanding the Identity Store

Oracle Identity Governance provides the ability to integrate an LDAP-based identity store into Oracle Identity Governance architecture. You can connect and manage an LDAP-based identity store directly from Oracle Identity Governance. Using this feature, you can use advanced user management capabilities of Oracle Identity Governance, including request-based creation and management of identities, to manage the identities within the corporate identity store.

In this deployment architecture, user identity information is stored in Oracle Identity Governance database to support the relational functionality necessary for Oracle Identity Governance to function, as well as in the LDAP store. All data is kept in sync transparently without the need for provisioning actions and setting up policies and rules. Identity operations started within Oracle Identity Governance, such as user creation or modification, are run on both the stores in a manner that maintains transactional integrity. In addition, any changes in the LDAP store made outside of Oracle Identity Governance are pulled into Oracle Identity Governance and made available as a part of the identity context.

1.1.4 Understanding Integration Between LDAP Identity Store and Oracle Identity Governance

Oracle Identity Governance users and roles are stored in the Oracle Identity Governance database. However, when a user, role, or role membership change takes place in Oracle Identity Governance, this information is propagated to the LDAP identity store. If a user, role, or role membership change takes place in LDAP directly, then these changes are synchronized into Oracle Identity Governance. The synchronization involves:

  • Changes made in Oracle Identity Governance: User creation, modification, deletion, changes in enabled/disabled state and locked/unlocked states, and password changes are synchronized to LDAP.

  • Role creation, modification, and deletion actions update the LDAP groups, including membership changes.

  • Initial load of users, roles, and role memberships are synchronized.

  • Direct changes to user profile in LDAP are reconciled to Oracle Identity Governance. However, a change to a user password made in LDAP is not reconciled to Oracle Identity Governance.

  • Direct changes to roles and role memberships in LDAP are reconciled to Oracle Identity Governance.

When changes are made in the user and role data, the actual operation is performed with the help of the kernel handlers. These handlers go through an orchestration lifecycle of various stages, such as validation, preprocessing, action, and postprocessing.

Synchronization between Oracle Identity Governance and LDAP is performed by an LDAP connector library.

Figure 1-1 shows the communication between Oracle Identity Governance and LDAP.

Figure 1-1 Oracle Identity Governance and LDAP

Description of Figure 1-1 follows
Description of "Figure 1-1 Oracle Identity Governance and LDAP"
1.1.4.1 Configuring the Integration with LDAP

Configuring the integration between Oracle Identity Governance and LDAP is performed after installing Oracle Identity Governance. See Scheduled Jobs for OIG-OAM Integration.

1.1.5 Common Environment Variables

Shorthand notations are used to refer to common environment variables.

For example, the Oracle Middleware Home directory is often referred to as MW_HOME.

1.2 Understanding Oracle Identity Management Integration Topologies

Oracle Identity Management consists of a number of products, which can be used either individually or collectively.

Two basic types of topology are available in Oracle Identity Management:

  • Basic integration topology

    This topology supports integration between suite components, in an environment where each component runs on a separate node.

  • Enterprise integration topology

    This topology supports integration between suite components in an enterprise environment. Each component may run on multiple nodes.

This book is dedicated to the first type, single-node integration topology. Use the procedures described in this book when deploying Oracle Identity Management in an environment where each component runs on its own node. You can also use the procedures to understand integration tools and techniques, and to understand the effects and benefits of integrating specific identity management components.

1.2.1 About the Basic Integration Topology

Basic integration topology is where the IdM components Access Manager and Oracle Identity Governance are configured on separate Oracle WebLogic domains.

See Also:

Table 1-1 for definitions of acronyms used in this section.

Figure 1-2 Basic Integration Topology with Multiple Administration Servers



The above diagram shows a basic integration topology where the IdM components Access Manager and Oracle Identity Governance are configured on separate Oracle WebLogic domains:

Note that:

  • All IdM components, including Access Manager server (AMHOST), the Oracle Identity Governance server (OIGHOST), and Oracle Internet Directory (OID) are configured in separate WebLogic domains, and each is administered by its own administration server.

    Besides enhancing management of each component, this topology ensures you have flexibility when applying patches and upgrades. Patches for each component can be applied independently, with no version dependency on other components.

  • For simplicity, some of the OMSS topology is omitted; for example the MSAS server which resides in the DMZ is not shown in the diagram.

  • The BIP server and SOA Suite reside on the OIG domain; they are not shown in the diagram.

  • The figure shows some representative ports only.

The SOA Suite used by OIG must be installed in the same domain as OIG. However, if you use SOA Suite for other purposes, you should consider setting up a separate install of SOA Suite for running your own services, composites, and other SOA features for that purpose.

In the single-domain architecture, Oracle Access Management Access Manager, Oracle Identity Governance, and Oracle Mobile Security Access Server are configured on the same WebLogic domain. While possible, such a topology is not practical in the current context for the reasons cited above, and is not recommended for IdM integration.

See Also:

Overview of Oracle Identity Management Components Used in the Integration for an introduction to each IdM component.

1.2.1.1 About the Three Tier Architecture

This architecture can be viewed as consisting of three layers or zones:

  • The Web Tier consists of the HTTP server and handles incoming Web traffic.

  • The Application Tier contains identity management applications for managing identities and access, including Oracle Identity Management and Oracle Access Manager.

  • The Data Tier, here considered to include the directory servers, hosts LDAPs and database.

1.2.1.2 Understanding the Web Tier

The web tier is in the DMZ Public Zone. The HTTP servers are deployed in the web tier.Most Identity Management components can function without the web tier. However, the web tier is required to support enterprise level single sign-on using products such as Access Manager.

The web tier is structured as follows in the single-node topology:

  • WEBHOST has Oracle HTTP Server, WebGate (an Access Manager component), and the mod_wl_ohs plug-in module installed. The mod_wl_ohs plug-in module enables requests to be proxied from Oracle HTTP Server to a WebLogic Server running in the application tier.WebGate, an Access Manager component in Oracle HTTP Server, uses Oracle Access Protocol (OAP) to communicate with Access Manager running on OAMHOST. WebGate and Access Manager are used to perform operations such as user authentication.

1.2.1.3 Understanding the Application Tier

The application tier is the tier where Java EE applications are deployed. Products such as Oracle Identity Governance, Oracle Mobile Security Suite, Oracle Access Management Identity Federation, and Oracle Enterprise Manager Fusion Middleware Control are among key Java EE components deployed in this tier.

The Identity Management applications in the application tier interact with the directory tier as follows:

  • They leverage the directory tier for enterprise identity information.

  • They leverage the directory tier (and sometimes the database in the data tier) for application metadata.

  • Fusion Middleware Control Console provides administrative functions to the components in the application and directory tiers.

  • Oracle WebLogic Server has built-in web server support. If enabled, the HTTP listener exists in the application tier as well.

1.2.1.4 Understanding the Data Tier

The data tier is the deployment layer where all the LDAP services reside. This tier includes products such as Oracle Internet Directory (OIDHOST), Oracle Unified Directory, and Oracle Database (IDMDBHOST).

The data tier stores two types of information:

  • Identity Information: Information about users and groups resides in the identity store.

  • Oracle Platform Security Services (OPSS): Information about security policies and about configuration resides in the policy store.

Policy information resides in a centralized policy store that is located within a database. You may store identity information in Oracle Internet Directory or in another directory.

Note:

Oracle Access Manager uses Oracle Virtual Directory server or libOVD to access third-party directories.

1.2.2 About the Enterprise Integration Topology

Unlike single-node topologies, an enterprise integration topology takes into account such features as high availability, failover, and firewalls, and is beyond the scope of this document.

1.2.3 Integration Terminology

Definitions of terms that define the Oracle Fusion Middleware architecture.

Table 1-1 shows key terms and acronyms that are used to describe the architecture and topology of an Oracle Fusion Middleware environment:

Table 1-1 Oracle Fusion Middleware Integration Terminology

Term Definition

IdM Configuration Tool

A command-line tool to verify the status of identity management components and to perform certain integration tasks.

Oracle Access Protocol (OAP)

A secure channel for communication between Webgates and Access Manager servers during authorization.

Oracle Fusion Middleware home

A Middleware home consists of the Oracle WebLogic Server home, and, optionally, one or more Oracle homes.

A Middleware home can reside on a local file system or on a remote shared disk that is accessible through NFS.

Oracle HTTP Server (OHS)

Web server component for Oracle Fusion Middleware that provides a listener for Oracle WebLogic Server.

WebLogic Server home

A WebLogic Server home contains installed files necessary to host a WebLogic Server. The WebLogic Server home directory is a peer of other Oracle home directories underneath the Middleware home directory.

Oracle home

An Oracle home contains installed files necessary to host a specific product. For example, the Oracle Identity Management Oracle home contains a directory that contains binary and library files for Oracle Identity Management.

An Oracle home resides within the directory structure of the Middleware home. Each Oracle home can be associated with multiple Oracle instances or Oracle WebLogic Server domains.

Oracle instance

An Oracle instance contains one or more system components, such as Oracle Web Cache, Oracle HTTP Server, or Oracle Internet Directory. The system components in an Oracle instance must reside on the same machine. An Oracle instance directory contains files that can be updated, such as configuration files, log files, and temporary files.

An Oracle instance is a peer of an Oracle WebLogic Server domain. Both contain specific configurations outside of their Oracle homes.

The directory structure of an Oracle instance is separate from the directory structure of the Oracle home. It can reside anywhere; it need not be within the Middleware home directory.

Oracle WebLogic Server domain

A WebLogic Server domain is a logically related group of Java components. A WebLogic Server domain includes a special WebLogic Server instance called the Administration Server, which is the central point from which you configure and manage all resources in the domain. Usually, you configure a domain to include additional WebLogic Server instances called Managed Servers. You deploy Java components, such as Web applications, EJBs, and Web services, and other resources to the Managed Servers and use the Administration Server for configuration and management purposes only.

Managed Servers in a WebLogic Server domain can be grouped together into a cluster.

An Oracle WebLogic Server domain is a peer of an Oracle instance. Both contain specific configurations outside of their Oracle homes.

The directory structure of an WebLogic Server domain is separate from the directory structure of the WebLogic Server home. It can reside anywhere; it need not be within the Middleware home directory.

system component

A system component is a manageable process that is not WebLogic Server. For example: Oracle HTTP Server, WebCache, and Oracle Internet Directory. Includes the JSE component.

Java component

A Java component is a peer of a system component, but is managed by the application server container. Generally refers to a collection of applications and resources, with generally a 1:1 relationship with a domain extension template. For example: SOA and WebCenter Spaces.

Oracle Fusion Middleware farm

Oracle Enterprise Manager Fusion Middleware Control is a Web browser-based, graphical user interface that you can use to monitor and administer an Oracle Fusion Middleware farm.

An Oracle Fusion Middleware farm is a collection of components managed by Fusion Middleware Control. It can contain WebLogic Server domains, one or more Managed Servers and the Oracle Fusion Middleware system components that are installed, configured, and running in the domain.

Oracle Identity Management

The suite of identity and access management components in Oracle Fusion Middleware. See Overview of Oracle Identity Management Components Used in the Integration for details.

WebLogic Administration Server

The Administration Server is the central point from which you configure and manage all resources in the WebLogic domain.

WebLogic Managed Server

The Managed Server is an additional WebLogic Server instance to host business applications, application components, Web services, and their associated resources. Multiple managed servers can operate within the domain. Certain Managed Servers in the domain are created specifically to host Oracle Fusion Middleware components.

1.3 Overview of Oracle Identity Management Components Used in the Integration

This section provides a brief overview of Oracle Identity Management components whose integrations are described in this guide, and explains the benefits of integration.

Topics include:

1.3.1 Oracle Unified Directory

Oracle Unified Directory is a comprehensive next generation directory service. It is designed to address large deployments and to provide high performance in a demanding environment.

The Oracle Unified Directory server is an LDAPv3-compliant directory server written entirely in Java. The directory server provides full LDAPv3 compliance, high performance and space effective data storage, and ease of configuration and administration.

Several procedures in this book feature Oracle Unified Directory as the repository for the identity store.

1.3.2 Oracle Internet Directory

Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of an Oracle Database.

Oracle Internet Directory can serve as the repository for the identity store, which contains user identities leveraged by identity management components and other applications.

1.3.3 Oracle Access Management Access Manager

Oracle Access Management Access Manager provides a full range of Web perimeter security functions that include Web single sign-on; authentication and authorization; policy administration; auditing, and more. All existing access technologies in the Oracle Identity Management stack converge in Access Manager.

For details about integration with Access Manager, see:

1.3.3.1 A Note About IDMDomain Agents and Webgates

By default, the IDMDomain Agent is enabled in the Oracle HTTP Server deployment. If you migrate from IDMDomain Agent to WebGate Agent, note the following:

  • The protection policies set up for IDMDomain can be reused for WebGate if your webgate uses the IDMDomain preferredHost.

  • IDMDomain and WebGate can coexist. If the IDMDomain Agent discovers a WebGate Agent in the Oracle HTTP Server deployment, IDMDomain Agent becomes dormant.

1.3.4 Oracle Identity Governance

Oracle Identity Management is a powerful and flexible enterprise identity management system that automatically manages users' access privileges within enterprise IT resources. Oracle Identity Governance is designed from the ground up to manage user access privileges across all of a firm's resources, throughout the entire identity management lifecycle—from initial creation of access privileges to dynamically adapting to changes in business requirements.

1.3.5 Oracle Access Management Identity Federation

To enhance support for federated authentication in cloud, web services, and B2B transactions, a SAML-based federation service is being introduced in a single access management server in 11g Release 2 (11.1.2). Oracle Access Management Identity Federation is an enterprise-level, carrier-grade service for secure identity information exchange between partners. Identity Federation protects existing IT investments by integrating with a wide variety of data stores, user directories, authentication providers and applications.

In this initial release Identity Federation is limited to Service Provider mode. Identity Provider mode still requires an Oracle Identity Federation 11gR1 installation.

For details about using the Identity Federation service with Access Manager, see Integrating with Identity Federation.

1.4 Oracle Identity Management Integration Quick Links

Links to integration procedures.

Table 1-2 provides links to the integration procedures described here.

Table 1-2 Links to Integration Procedures in This Guide

Components to Integrate Link

Access Manager and Oracle Identity Governance

Integrating Oracle Identity Governance and Oracle Access Manager Using LDAP Connectors

Access Manager and Identity Federation

Integrating with Identity Federation

Multi-Directory identity store

Configuring an Identity Store with Multiple Directories

Table 1-3 lists key integration procedures that appear in other Oracle Identity Management documents:

Table 1-3 Links to Integration Procedures in Other Guides

Components to Integrate Link

Oracle Privileged Account Manager (OPAM) and Oracle Identity Governance (OIG)

Integrating with Oracle Identity Governance in Administering Oracle Privileged Account Manager

OPAM and OAM

Integrating with Oracle Access Management Access Manager in Administering Oracle Privileged Account Manager

OIG and Oracle Identity Analytics (OIA)

Integrating with Identity Analytics in Administering Oracle Identity Governance

1.5 About Password Management Scenarios

Common management scenarios supported by these deployment modes include:

1.5.1 About Access Manager Integrated with Oracle Identity Governance

Figure 1-3 shows how password management is achieved when Access Manager and Oracle Identity Governance are integrated.

Figure 1-3 Integrating Access Manager and Oracle Identity Governance for Password Management

Integration flow OAM-OAAM-OIG

The flow of interactions between the components is as follows:

  1. A user tries to access a resource protected by Access Manager.

  2. The Oracle Access Management WebGate intercepts the (unauthenticated) request.

  3. WebGate redirects the user to the Access Manager login service, which performs validation checks.

  4. If Access Manager finds any password management trigger conditions, such as password expiry, it redirects users to Oracle Identity Governance.

  5. Oracle Identity Governance interacts with the user to establish the user's identity and carry out the appropriate action, such as resetting the password.

  6. Access Manager logs the user in by means of auto-login, and redirects the user to the Access Manager-protected resource which the user was trying to access in Step 1.

1.5.2 About Self-Registration

In this scenario, the user does not have an account but tries to access an Access Manager-protected resource. An Oracle Access Management 11g WebGate intercepts the request, detects that the user is not authenticated, and redirects the user to the Oracle Access Management Credential Collector (or 10g authenticating WebGate), which shows the Access Manager Login page containing a Register New Account link.

On selecting this link, the user is securely redirected to the Oracle Identity Governance Self Registration URL. Oracle Identity Governance interacts with the user to provision his account.

The Welcome Page is an unprotected page from which the self-registration/account creation can be initiated. This page contains two links, in addition to any introductory text or branding information. The links are:

  • Register New Account - This is an unprotected URL to the corresponding application's registration wizard

  • Login - This is a protected URL which serves as the landing page to which the user is directed after successfully completing the login.

Note:

Any application protected by a single sign-on system with the self-registration requirement is expected to support a self-registration page. The options are:

  • Self-registration using the default self-registration page or a customized version of the page.

    This is the most common option and is covered here.

  • Self-registration using anonymous pages in other applications.

    If the application dictates that the user be automatically logged in at the end of the registration process, it can implement this by using the Oracle Platform Security Services APIs.

The account creation flow is as follows:

  1. The user (using his browser) accesses the application's welcome page, which contains a Register New Account link.

  2. The user clicks the Register New Account link, which takes the user to a self-registration page provided by the application.

  3. The user interacts with the application to self-register.

  4. On completion, the application performs an auto-login for the user.

The protected application is expected to send an SPML request to Oracle Identity Governance to create the user. After this, the application could choose to do one of the following:

  • The application may choose not to auto-login the user. The application redirects the user to the protected landing page URL. Access Manager then shows the login page and takes the user through the login flow.

  • If there is no approval associated with the request, the application can make use of the Oracle Platform Security Services (OPSS) APIs to conduct an auto-login to the specific landing page URL and respond with a redirect request with that URL (along with the SSO cookie). This takes the user directly to the landing page without bringing up the login page.

  • Auto-login cannot be done if approval is needed. The application determines which profile to use at the time of SPML request. The application needs to respond with an appropriate page indicating that the request has been submitted.

1.5.3 About Password Change

The Change Password flow enables users to change their password.

In the Change Password flow with Access Manager and Oracle Identity Governance, the user successfully logs into Access Manager but is required to immediately change the password. The user is not authorized to access protected resources until the password is changed and challenges have been set up.

On successful login, Access Manager detects if the triggering condition is in effect and redirects the user to the Oracle Identity Governance Change Password URL. Oracle Identity Governance facilitates the user password change or challenge set-up and resets the triggering condition.

On completion, Oracle Identity Governance redirects the user to the protected resource.

This situation is triggered in the following cases:

  • The Change Password upon Login flag is on. This occurs:

    • when a new user is created

    • when the administrator resets a user's password

  • The password has expired.

This flow describes the situation where a user logs in to an Access Manager-protected application for the first time, and is required to change password before proceeding.

The following describes the Change Password flow:

  1. Using a browser, the user tries to access an application URL that is protected by Access Manager.

  2. Oracle Access Management WebGate (SSO Agent) intercepts the request and redirects the user to the Access Manager Login Page.

  3. The user submits credentials, which are validated by Access Manager.

  4. Access Manager next determines if any of the First Login trigger conditions are valid. If so, Access Manager redirects the user to the Oracle Identity Governance Change Password URL.

  5. Oracle Access Management WebGate (SSO Agent) intercepts the request, determines that Oracle Identity Governance is protected by the Anonymous Authentication Policy, and allows the user request to proceed.

  6. Oracle Identity Governance interacts with the user to enable the user to change his password. On completion, Oracle Identity Governance updates the attributes that triggered the First Login flow. Oracle Identity Governance then performs a user auto-login.

  7. Oracle Identity Governance notifies Access Manager of the successful first login.

  8. Oracle Identity Governance redirects the user to the application URL the user tried to access in step 1.

1.5.4 About Forgot Password

The Forgot Password flow allows users to reset their password after successfully answering all challenge questions.

In this scenario, the user is at the Access Manager Login page and clicks the Forgot Password link. Access Manager redirects the user to the Oracle Identity Management Forgot Password URL, and passes the destination URL to which Oracle Identity Governance must redirect upon a successful password change as a query parameter (backURL).

Oracle Identity Management asks the user the challenge questions. Upon providing the correct responses, the user is allowed to specify a new password.

On completion, Oracle Identity Management redirects the user to the protected resource.

The Forgot Password flow is as follows:

  1. Using a browser, the user tries to access an application URL that is protected by Access Manager.

  2. The Oracle Access Management WebGate (SSO Agent) intercepts the request and redirects the user to the Access Manager Login Page.

  3. The user clicks on the Forgot Password link on the Access Manager Login page, which sends the user to the Oracle Identity Governance Forgot Password URL.

  4. Oracle Identity Governance interacts with the user to enable the user to reset the password. On completion, Oracle Identity Governance performs a user auto-login.

  5. Oracle Identity Governance redirects the user to the application URL to which access was attempted in step 1.

1.5.5 About Account Lock and Unlock

Access Manager keeps track of login attempts and locks the account when the count exceeds the established limit in the password policy.

After the user account is locked, Access Manager displays the Help Desk contact information and Forgot Password link, or similar for any login attempt made. The information provided about the account unlocking process will need to be customized to reflect the process that is followed by your organization.

The following describes the account locking/unlocking flow:

  1. Using a browser, a user tries to access an application URL that is protected by Access Manager.

  2. Oracle Access Management WebGate (SSO Agent) intercepts the request and redirects the user to the Access Manager login page.

  3. The user submits credentials that fail Access Manager validation. Access Manager renders the login page and asks the user to resubmit his or her credentials.

  4. The user's unsuccessful login attempts exceed the limit specified by the policy. Access Manager locks the user account and redirects the user to the Access Manager Account Lockout URL. The resulting page displays the Help Desk contact information and Forgot Password link.

  5. If the user contacts the Help Desk over the telephone and asks an administrator to unlock the account, then:

    1. The Help Desk unlocks the account using the Oracle Identity Governance administration console.

    2. Oracle Identity Governance notifies Access Manager of the account unlock event.

    3. The user attempts to access an application URL and this event triggers the normal Oracle Access Management single sign-on flow.

  6. If the user uses the Forgot Password link, the user is sent to the Oracle Identity Governance Forgot Password URL, then:

    1. Oracle Identity Governance interacts with the user to enable the user to reset the password. On completion, Oracle Identity Governance performs a user auto-login.

    2. Oracle Identity Governance redirects the user to the application URL.

    Note:

    The user would be able to self-unlock the account by going through the Oracle Identity Governance Forgot Password flow, only once the user status is locked in Oracle Identity Governance. The user locked status is synchronized from the LDAP provider to Oracle Identity Governance only when the "SSO User Incremental Reconciliation" or "SSO User Full Reconciliation" scheduled job is run.

1.5.6 About Challenge Setup

The Challenge Setup enables users to register challenge questions and answers.

When such redirection happens, Oracle Identity Management checks if the challenge questions are set. If not, it asks the user to set up challenge questions in addition to resetting the password.

Access Manager detects and redirects on password trigger conditions:

  • Password Policy is updated to increase the required number of challenges.

  • Password Policy is updated to require challenges

The following describes the flow:

Note:

The flow assumes First Login is not required.

  1. Using a browser, the user tries to access an application URL that is protected by Access Manager.

  2. Oracle Access Management WebGate (SSO agent) intercepts the request and redirects the user to the Access Manager Login Page.

  3. The user submits credentials, which are validated by Access Manager. If a password triggering condition is detected, Access Manager redirects the user to the Oracle Identity Governance change password URL.

  4. The Oracle Access Management WebGate (SSO agent) intercepts the request, determines that Oracle Identity Governance is protected by the anonymous authentication policy, and allows the user request to proceed.

  5. Oracle Identity Governance interacts with the user to set up the challenges. On completion, Oracle Identity Governance updates the attributes that triggered the set challenges flow.

  6. Oracle Identity Governance redirects the user to the application URL that the user attempted to access in Step 1.

1.6 System Requirements and Certification

Refer to the system compatibility, requirements and certification documentation for information about hardware and software requirements, platforms, databases, and other information.

The compatibility documentation describes compatibility and interoperability considerations that may arise when you install, patch, or upgrade Oracle Fusion Middleware 11g components. For details, see Understanding Interoperability and Compatibility.

The system requirements document covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches.

The certification document covers supported installation types, platforms, operating systems, databases, JDKs, directory servers, and third-party products.

For the latest requirements and certification documentation refer to the table "Oracle Fusion Middleware Certification Matrices" in the Understanding Interoperability and Compatibility.

1.7 Using My Oracle Support for Additional Troubleshooting Information

You can use My Oracle Support (formerly MetaLink) to help resolve Oracle Fusion Middleware problems.

My Oracle Support contains several useful troubleshooting resources, such as:

  • Knowledge base articles

  • Community forums and discussions

  • Patches and upgrades

  • Certification information

Note:

You can also use My Oracle Support to log a service request.

You can access My Oracle Support at https://support.oracle.com.