Oracle Access Manager Overview

Oracle Access Manager, a component of Oracle Fusion Middleware, provides a standards-based, integrated web access management solution for enterprises. It covers:

* Authentication,
* Access policy creation and enforcement,
* Web reporting,
* Auditing,
* Delegated administration and
* Self-service and registration

Oracle Access Manager integrates with enterprise applications, web servers, directory servers and application servers, and couples identity administration with access management. Deploying it gives an organization centralized, policy-based authentication and access control across its business applications, which in turn supports business agility and regulatory compliance.

Access Manager also provides identity administration functions such as workflows and delegated administration. It lets you build secure enterprise, web and J2EE applications without implementing authentication and authorization in each one, and it lowers administrative burden, cost and complexity.

Automating access and identity management with Oracle Access Manager reduces the cost of serving very large online user populations, and centralized user data improves user management and the decisions applications make about their users. It is hot-pluggable with most platforms, which simplifies integration, and its flexible authentication schemes strengthen security.

Oracle Access Manager also improves administrative efficiency through:

* Administrative Consoles,
* Common Workflow,
* Access and Identity Management reporting framework.

Identity administration within Oracle Access Manager includes password self-service, so far fewer users need to contact the help desk, which reduces the complexity of the environment. Organizations also use Oracle Access Manager to help comply with industry and governmental regulations.

Oracle Access Manager is not a database client: you do not interact with it through SQL statements or precompiled applications. It is administered through its own consoles, protects applications through WebGates deployed on the web servers that front them, and authenticates users with their enterprise user id and password against the configured directory server.

Single Sign-on and the OBSSOCookie

The Oracle Access System implements single-domain and multi-domain single sign-on through an encrypted cookie called the ObSSOCookie. The WebGate sends the ObSSOCookie to the user's browser upon successful authentication. This cookie can then act as an authentication mechanism for other protected resources that require the same or a lower level of authentication.

When the user requests access to a resource protected by a WebGate, the request flows to the Access Server. The user is authenticated and the ObSSOCookie is set: the Access Server generates a session token, and the cookie carrying it is returned to the browser (in the multi-domain case it is conveyed through a redirect URL). Single sign-on works because the cookie is presented on subsequent requests in place of prompting the user for authentication credentials again.

When the cookie is generated, part of the cookie is used as an encrypted session token.

The encrypted session token contains the following information:
- The distinguished name (DN) of the authenticated user.
- The level of the authentication scheme that authenticated the user.
- The IP address of the client to which the cookie was issued.
- The time the cookie was originally issued.
- The time the cookie was last updated.

If the user has not been idle, the cookie is updated at a fixed interval to prevent the session from timing out. The update interval is one-fourth of the length of the idle session timeout parameter.

Unencrypted ObSSOCookie data includes:
- Cookie expiry time.
- The domain in which the cookie is valid.
- An optional flag that determines if the cookie can only be sent using SSL.

Security of the ObSSOCookie

The ObSSOCookie is designed to be tamper-evident. When the Access System generates the cookie, an MD5 hash is taken of the session token and stored alongside it inside the encrypted portion of the cookie. When the cookie is later presented, the Access Server hashes the session token again and compares the result with the hash already present in the cookie. MD5 is a one-way hash, so it cannot be reversed to recover the token; its role here is detection. If the two hashes do not match, the cookie is treated as corrupt and rejected. The scheme relies on the fact that anyone who alters the session token also invalidates the stored hash.

A caveat worth keeping in mind: MD5 on its own is an unkeyed hash, so anyone who could read and rewrite the token in the clear could simply recompute it. The tamper resistance therefore rests on the hash and token being encrypted under the shared secret that only the Access System components hold, not on MD5 alone. A design written today would use a keyed MAC such as HMAC over the encrypted token instead; MD5 is also no longer considered collision-resistant, although collision attacks are not the relevant threat to a session token.
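The lifecycle described above (issue the token, hash it and encrypt it, refresh it at one-fourth of the idle timeout, accept it for resources at the same or a lower authentication level from the same client IP, and reject a cookie whose hash no longer matches) as an added illustrative model in Python. This is example code written for this page, not Oracle's implementation: the JSON field layout, the toy HMAC-SHA256 keystream cipher standing in for the shared-secret cipher, the 12-byte nonce, the IDLE_TIMEOUT value and the SHARED_SECRET constant are all assumptions, and the real ObSSOCookie wire format differs.

```python
# Illustrative model of the ObSSOCookie scheme, added here; not Oracle's code.
# Field names, the toy cipher, the nonce length, IDLE_TIMEOUT and SHARED_SECRET
# are assumptions so the example runs offline with only the standard library.
import base64
import binascii
import hashlib
import hmac
import json
import os

IDLE_TIMEOUT = 3600                  # assumed idle session timeout, in seconds
UPDATE_INTERVAL = IDLE_TIMEOUT // 4  # cookie refreshed at one-fourth of the idle timeout
SHARED_SECRET = b"assumed-shared-secret-held-by-the-access-system"
NONCE_LEN = 12


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256(key, nonce || counter)
    keystream. Stands in for the shared-secret cipher; it is NOT OAM's algorithm."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(token: dict, key: bytes = SHARED_SECRET) -> str:
    """Hash the session token with MD5, then encrypt hash || token under the key."""
    plain = json.dumps(token, sort_keys=True).encode()
    digest = hashlib.md5(plain).digest()  # the MD5 over the session token described above
    nonce = os.urandom(NONCE_LEN)
    return base64.urlsafe_b64encode(nonce + _keystream_xor(key, nonce, digest + plain)).decode()


def issue_token(user_dn: str, auth_level: int, client_ip: str, now: int,
                key: bytes = SHARED_SECRET) -> str:
    """Build the session token carried in the cookie: DN, scheme level, client IP, times."""
    token = {"dn": user_dn, "level": auth_level, "ip": client_ip, "issued": now, "updated": now}
    return seal(token, key)


def open_token(cookie: str, key: bytes = SHARED_SECRET):
    """Decrypt, recompute the MD5 and compare. Returns the token dict, or None if the
    cookie is corrupt or was tampered with (the 'hashes do not match' case)."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except (ValueError, binascii.Error):
        return None
    nonce, body = raw[:NONCE_LEN], raw[NONCE_LEN:]
    clear = _keystream_xor(key, nonce, body)
    digest, plain = clear[:16], clear[16:]
    if not hmac.compare_digest(digest, hashlib.md5(plain).digest()):
        return None
    try:
        return json.loads(plain)
    except ValueError:
        return None


def is_idle_expired(token: dict, now: int) -> bool:
    """Idle timeout is measured from the last update, not from issue time."""
    return now - token["updated"] > IDLE_TIMEOUT


def needs_refresh(token: dict, now: int) -> bool:
    """An active user's cookie is re-issued once a quarter of the idle timeout has passed."""
    return now - token["updated"] >= UPDATE_INTERVAL


def refresh(token: dict, now: int, key: bytes = SHARED_SECRET) -> str:
    """Re-seal with a new 'updated' time; the original 'issued' time is preserved."""
    return seal({**token, "updated": now}, key)


def authorizes(token, required_level: int, client_ip: str, now: int) -> bool:
    """The cookie satisfies a resource whose scheme level is the same or lower,
    provided the client IP matches and the session has not idled out."""
    return (token is not None
            and not is_idle_expired(token, now)
            and token["level"] >= required_level
            and token["ip"] == client_ip)


def tamper(cookie: str, byte_index: int) -> str:
    """Flip one bit inside the encrypted body, as an attacker without the key might."""
    raw = bytearray(base64.urlsafe_b64decode(cookie.encode()))
    raw[NONCE_LEN + byte_index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()
```

open_token returns None both for a flipped bit anywhere in the encrypted body and for a cookie sealed under a different key, since in either case the recomputed MD5 no longer matches the stored one. Note that is_idle_expired compares against the updated time rather than the issued time, because each refresh extends the session.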

Courtesy: http://soaidm.wordpress.com/oracle-access-manager/