New Features Introduced with Oracle Access Manager 11g

Oracle Identity Management Infrastructure
Enables secure, central management of enterprise identities.

Policy Enforcement Agents
Reside with the relying parties and delegate authentication and authorization tasks to OAM Servers.
Nine Administrator languages are supported.
Unless explicitly stated, the term "Webgate" refers to both an out-of-the-box Webgate and a custom Access Client.

Server-side components
OAM Server (installed on a WebLogic Managed Server).
Console: the Oracle Access Management Console provides access to all services and configuration details.

Protocols for information exchange on the Internet
Front channel protocols exchanged between Agent and Server: HTTP/HTTPS.
Back channel protocols: Authenticated clients can perform session operations using enhancements in the Oracle Access Protocol (OAP).

Proxy
Provides support for legacy systems: OAM Proxy supports legacy Access Manager implementations by acting as a legacy Access Server.

Cryptographic keys
One key is generated and used per registered mod_osso or 11g Webgate. However, one single key is generated for all 10g Webgates.

Keys storage
Agent side: A per-agent key is stored locally in the Oracle Secret Store in a wallet file.
OAM Server side: Per-agent keys and server keys are stored in the credential store on the server side.

Encryption / Decryption (the process of converting encrypted data back into its original form)
Introduces client-side cryptography and ensures that cryptography is performed at both the agent and server ends.

Policy Store
Database in production environments; file-based in demonstration and development environments, as described in "Managing the Policy and Session Database".

Applications
An application that delegates authentication and authorization to Access Manager and accepts headers from a registered Agent.
Note: External applications do not delegate authentication. Instead, they display HTML login forms that ask for application user names and passwords. For example, Yahoo! Mail is an external application that uses HTML login forms.

SSO Engine
Manages the session lifecycle, facilitates global logout across all relying parties in the valid session, and provides consistent service across multiple protocols.

Session Management
Global session specifications are enabled for all Application Domains and resources. In addition, Application Domain-specific session overrides can be configured.

Policies
Registered agents rely on Access Manager authentication, authorization, and token issuance policies to determine who gets access to protected applications (defined resources).

Client IP
Maintains this client IP address and includes it in the host-based cookie: OAMAuthnCookie for 11g Webgate (or ObSSOCookie for 10g Webgate).

Response token replay prevention
Include RequestTime (the timestamp taken just before the redirect) in obrareq.cgi and copy it to obrar.cgi (the authentication response string redirected from the OAM Server to Webgate) to prevent response token replay.
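To make the RequestTime binding concrete, here is an added, constructed model of the obrareq/obrar exchange (example code written for this page, not OAM's own implementation). It assumes the agent records the RequestTime it sent, the server copies it into a response protected with a per-agent key, and the agent rejects responses whose RequestTime is unknown, already used, or too old; the key, the tolerance and the token format are assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the per-agent key shared by Webgate and OAM Server (assumption).
SHARED_KEY = b"constructed-per-agent-key"
MAX_AGE = 60.0  # seconds a response may trail its request; assumed tolerance


def sign(payload: dict, key: bytes = SHARED_KEY) -> str:
    """Server side: protect the response body with an HMAC under the per-agent key."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(token: str, key: bytes = SHARED_KEY) -> dict:
    """Agent side: reject any response whose MAC does not match before trusting its fields."""
    body_hex, mac = token.split(".", 1)
    body = bytes.fromhex(body_hex)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("bad signature on obrar response")
    return json.loads(body)


class Webgate:
    """Models the agent: issues obrareq requests and validates obrar responses."""

    def __init__(self):
        self.pending = {}      # RequestTime -> protected resource awaiting a response
        self.consumed = set()  # RequestTimes already honoured (replay cache)

    def make_obrareq(self, resource: str, now: float) -> dict:
        request_time = f"{now:.6f}"  # timestamp just before the redirect
        self.pending[request_time] = resource
        return {"resource": resource, "RequestTime": request_time}

    def accept_obrar(self, token: str, now: float) -> tuple:
        resp = verify(token)
        rt = resp["RequestTime"]
        if rt not in self.pending or rt in self.consumed:
            raise PermissionError("unknown or replayed RequestTime")
        if now - float(rt) > MAX_AGE:
            raise PermissionError("stale response")
        self.consumed.add(rt)
        return resp["user"], self.pending.pop(rt)


def oam_server_authenticate(obrareq: dict, user: str) -> str:
    """Models the server: copies RequestTime from obrareq into the signed obrar response."""
    return sign({"user": user, "RequestTime": obrareq["RequestTime"]})
```

Presenting the same obrar token a second time, or one produced for a RequestTime the agent never issued, is refused even though its signature is valid.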

Multiple network domain support
Access Manager 11g supports cross-network-domain single sign-on out of the box. Oracle recommends you use Oracle Federation for this situation.

Cookies
Host-based authentication cookie:
11g Webgate, one per agent: OAMAuthnCookie_host:port_random_number, set by Webgate using the authentication token received from the OAM Server after successful authentication.
11g Webgate, transient: OAM_REQ is scoped to the OAM Server. OAM_REQ is set or cleared by the OAM Server if the Authentication request context cookie is enabled. Protected with keys known to the OAM Server only. This cookie is configured as a high availability option to store the state about the user's original request to a protected resource while his credentials are collected and authentication is performed.

Centralized log-out
The logOutUrls (10g Webgate configuration parameter) is preserved.
10g logout.html requires specific details for Access Manager 11g.
11g Webgate parameters are new:
Logout Redirect URL
Logout Callback URL
Logout Target URL
