
Oracle Adaptive Access Manager

Oracle Adaptive Access Manager is responsible for:

- Running real-time risk analysis rules before and after authentication
- Navigating the user through login, challenge, registration, and self-service flows

Oracle Identity Manager

Oracle Identity Manager is responsible for:

- Provisioning users (to add, modify, or delete users)
- Managing passwords (to reset or change passwords)

Oracle Access Manager

Oracle Access Manager is responsible for:

- Authenticating and authorizing users
- Providing advanced status flags such as Reset Password, Password Expired, User Locked, and others

Oracle Unified Directory


Oracle Unified Directory is a J2SE application offering lightweight deployment. OUD, together with DIP (Directory Integration Platform) and OVD (Oracle Virtual Directory), is the industry's first and only Java-based unified directory solution. OUD is integrated with Oracle Fusion Middleware. OUD can be used as the identity store for Fusion Middleware, Fusion Middleware applications, and Fusion Applications.

OAM OAAM flow

1. The OAM WebGate server is in charge of protecting the URLs and redirecting users who are not authenticated so that they can be authenticated.
2. OAAM collects the username and password for authentication. So when the OAM WebGate finds that the user is not authenticated and is trying to access the protected URL, it redirects the user to the OAAM Server login page.
3. The credentials are split into two different pages: a username page and a password page. OAAM allows the user to enter his username. If he is a registered user, and based on his registration status, OAAM presents the password page with his personalized image and caption. The login page can be customized to include the username and password on the same page.
4. The OAAM Server runs the pre-authentication rules and lets the user enter his password.
5. Since the OAAM Server has the user's username and he has entered his password, the OAAM Server makes a NAP API call to the OAM Server for authentication.
6. Once the OAM Server returns the status, which indicates whether the user has entered his username and password correctly, the OAAM Server determines whether the authentication was successful or not.
7. If the authentication was successful, the OAAM Server redirects the user to the OAM WebGate.
8. The OAM WebGate server redirects the user to his original URL.
9. The OAM WebGate allows the user to access the protected URL.
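The flow above, as an added toy model that is not Oracle code: the OAM WebGate redirect, the OAAM username and password pages, the pre-authentication rule, and the NAP call to the OAM Server are reduced to plain Python functions. The user records, the personalized image/caption values, the failed-login threshold used as the risk rule, and the dictionary lookup standing in for the NAP API are all constructed assumptions.

```python
# Added example (not Oracle code): a toy model of the OAM WebGate -> OAAM -> OAM
# login flow. All names, user records and the pre-auth rule are constructed for
# illustration; the real NAP API call is replaced by a dictionary lookup.
from dataclasses import dataclass, field

# Constructed sample data: registered users carry a personalized image/caption
# that OAAM shows on the password page so the user can recognise the genuine site.
USERS = {"alice": {"password": "s3cret", "image": "boat.png", "caption": "blue harbour"}}
MAX_FAILURES = 3  # constructed pre-authentication risk rule threshold


@dataclass
class OaamServer:
    failures: dict = field(default_factory=dict)   # per-user failed-login counter

    def username_page(self, username: str) -> dict:
        """Step 3: accept the username; registered users get their image and caption."""
        user = USERS.get(username)
        if user is None:
            return {"registered": False}
        return {"registered": True, "image": user["image"], "caption": user["caption"]}

    def pre_auth_rules(self, username: str) -> bool:
        """Step 4: real-time risk rule evaluated before the password is sent to OAM."""
        return self.failures.get(username, 0) < MAX_FAILURES

    def nap_authenticate(self, username: str, password: str) -> bool:
        """Step 5: stands in for the NAP API call to the OAM Server (constructed)."""
        user = USERS.get(username)
        return user is not None and user["password"] == password

    def login(self, username: str, password: str, original_url: str) -> dict:
        """Steps 3-9: returns the next redirect the user should receive."""
        if not self.pre_auth_rules(username):
            # Blocked by the risk rule: the password never reaches the OAM Server.
            return {"status": "blocked", "redirect": "/oaam/blocked"}
        if not self.nap_authenticate(username, password):
            self.failures[username] = self.failures.get(username, 0) + 1
            return {"status": "failed", "redirect": "/oaam/login"}
        self.failures.pop(username, None)
        # Steps 7-9: back to the WebGate, which sends the user to the original URL.
        return {"status": "ok", "redirect": original_url}


def webgate_request(url: str, authenticated: bool) -> str:
    """Steps 1-2: the WebGate redirects unauthenticated users to the OAAM login page."""
    return url if authenticated else "/oaam/login?resource=" + url
```

The ordering is the point: a user blocked by the pre-authentication rule is turned away before any NAP call, so repeated bad passwords stop being checked against OAM at all.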

Oracle Access Manager (OAM) is an access management product acquired from Oblix in 2005.

Oblix COREid (6, 7) and OAM 10g are written in C++, whereas OAM 11g is a J2EE application deployed on Oracle WebLogic Server (10.3.3+).

There are two main OAM components in OAM 10g: the Access System (Access Server, WebGate and Policy Manager) and the Identity System (Identity Server and WebPass). In OAM 11g there is NO Identity System component; identity-related functions are moved to Oracle Identity Manager (OIM) 11g. (OIM is a user provisioning and reconciliation product acquired from Thor, originally Xellerate.)

Naming changes from 10g to 11g:
a) Access Server in 10g is now called OAM Server in 11g.
b) Policy Manager in 10g is now called OAM Administration Console in 11g.
c) AccessGate and WebGate in 10g are now called OAM Agents in 11g.
d) Directory Profiles in 10g are now called User-Identity Store in 11g.

In OAM 10g configurations are stored in LDAP servers, whereas in OAM 11g configurations are stored in an XML file under the WebLogic domain: $DOMAIN_HOME/config/fmwconfig/oamconfig.xml

The OAM Server (Access Server in 10g) in OAM 11g is deployed on a WebLogic Managed Server (oam_server1, default port 14100). In OAM 11g, the OAM Administration Console (Policy Manager in 10g) is deployed on the WebLogic Admin Server (default port 7001). The URL for the OAM Administration Console is http://server:7001/oamconsole (default username/password created during domain creation in WebLogic). The OAM 11g User Interface (UI) is based on Application Development Framework (ADF).

Three types of Web Agents are supported in OAM 11g:
a) AccessGate/WebGate from 11g
b) AccessGate/WebGate from 10g (for backward compatibility)
c) mod_osso for Oracle 10g Single Sign-On integration

Installing and Configuring Oracle Single Sign-on

a) OIM: Oracle Identity Manager
b) OAM: Oracle Access Manager
c) OAAM: Oracle Adaptive Access Manager

High Level Steps:
1. Download software: Database, RCU, WebLogic, SOA, Identity & Access Management
2. Install Database 11g or 10g (not covered in this install series)
3. Load schema using RCU 11.1.1.2 (depends on the version)
4. Install WebLogic 10.3.5
5. Install Oracle SOA 11.1.1.2.0 (required only for OIM)
6. Upgrade Oracle SOA to 11.1.1.3.0 (required only for OIM; depends on the version)
7. Install Oracle IDAM 11g R1 PS2 (11.1.1.3)
8. Create WebLogic domain using config.sh
9. Configure applications OIM, OAM, OAAM, OAPM & OIM

Integrating OAM and OAAM
1. OAM can be integrated with OAAM using:
   a) Basic, using the authentication scheme OAAMBasic (for OAM 11.1.1.3.0); works only with 10g WebGate and OSSO Agent, or
   b) Advanced, using the authentication scheme OAAMAdvanced (for 11.1.1.3.0); works with 10g WebGate, or
   c) Advanced with TAP, using the authentication scheme TAP (for 11.1.1.5); works with 10g and 11g WebGates, where TAP is Trusted Authentication Protocol.
2. Advanced with TAP is the recommended option to integrate OAM with OAAM.
3. With OAM-OIM-OAAM integration you additionally get password management flows using OAAM (via KBA).
4. KBA stands for Knowledge Based Authentication (functionality provided by OAAM), and with OIM-OAAM integration KBA is used as:
   a) second-factor authentication for change password
   b) first authentication for forgot password
5. When you integrate OAM, OIM, and OAAM using advanced integration, this is what happens when a user tries to access OIM screens (or a resource protected by the TAP scheme):
   a) OAM checks that the URL is protected by the TAP scheme and, as the user is not authenticated yet, the user is redirected to the OAAM login page.
