List of Figures

• 1-1 Oracle Access Manager 11g Components and Services
• 1-2 Oracle Access Manager 11g Component Distribution
• 1-3 Oracle STS Architecture
• 1-4 Oracle STS Token Support
• 1-5 Token Translation at a Centralized Authority
• 1-6 Translating Tokens Behind a Firewall
• 1-7 Web Services SSO
• 3-1 Oracle Access Manager 11g Log In Page
• 3-2 Sign Out Link, Upper-right Corner
• 3-3 Oracle Access Manager Console Welcome Page
• 3-4 Sample Navigation Trees with Menu and Tool Bars
• 3-5 Menu and Tool Bar Above Common Configuration Navigation Tree
• 3-6 View Menu
• 3-7 Actions Menu
• 3-8 Tabs of Open Pages, and Page Controls
• 3-9 System Configuration Tab (Collapsed and Fully Expanded)
• 3-10 Policy Configuration, Shared Components, Collapsed Application Domains
• 4-1 Common Configuration Nodes in Navigation Tree
• 4-2 Available Services Page
• 4-3 Common Settings Page (Collapsed View)
• 4-4 Common Coherence Settings
• 4-5 OCSP/CDP Settings for Global Certificate Validation
• 4-6 Certificate Revocation List Dialog Box
• 5-1 Completed Registration for the Default Store
• 5-2 Completed Registration for System Store
• 5-3 Fresh Default Store and System Store Options
• 5-4 Default Store Designation
• 5-5 Common Settings Page: Default and System Identity Stores
• 5-6 System Store Registration with Access System Administrators Section
• 5-7 Add System Administrator Roles
• 6-1 OAM Server Registration Page with Proxy Tab Displayed
• 6-2 Coherence Page and Values for an Individual OAM Server
• 7-1 Session Data and the Role of Oracle Coherence
• 7-2 Session Details: Common Settings Page
• 7-3 Common Configuration: Session Management Page
• 8-1 Access Manager Settings
• 8-2 Access Manager Settings: Load Balancer
• 8-3 Access Manager Settings: SSO
• 8-4 Common Policy Evaluation Caches
• 8-5 Pre-configured Kerberos Authentication Module
• 8-6 Pre-Configured LDAP Authentication Module
• 8-7 Pre-Configured X509 Authentication Module
• 8-8 Custom Authentication Modules Node and General Subtab
• 8-9 Adding a Step and Associating a Plug-in
• 8-10 Custom Authentication Module Steps Subtab and Details Section
• 8-11 Custom Authentication Module Steps Orchestration Subtab
• 8-12 KerberosPlugin
• 8-13 Default KerberosPlugin Steps and Details
• 8-14 Default KerberosPlugin Steps and Orchestration
• 8-15 LDAPPlugin
• 8-16 Default LDAPPlugin Steps and Details
• 8-17 Default Orchestration of Steps for LDAPplugin
• 8-18 X509Plugin
• 8-19 X509Plugin Default Steps and Details
• 8-20 Default Orchestration for X509Plugin Steps
• 9-1 IAMSuiteAgent Configuration in the WebLogic Administration Console
• 9-2 IAMSuiteAgent Characteristics
• 9-3 Resources Protected by the IAMSuiteAgent
• 9-4 Create OAM 11g Webgate Page
• 9-5 Create OAM 10g Webgate Page
• 9-6 Confirmation Window and Expanded 11g Webgate Page with Defaults
• 9-7 Expanded OAM 10g Webgate Registration Page
• 9-8 Webgate Search Controls and Create Agent Buttons
• 9-9 Create OSSO Agent Page
• 9-10 OSSO Agent Page and Confirmation Window
• 10-1 Key Generation
• 10-2 OSSOUpdateAgentRequest.xml
• 10-3 OAM11GUpdateAgentRequest.xml
• 10-4 OAMUpdateAgentRequest.xml
• 10-5 CreatePolicyRequest.xml
• 10-6 UpdatePolicyRequest.xml
• 10-7 Remote Management Elements for Application Domains
• 11-1 Oracle Access Manager 11g Policy Model and Shared Components
• 11-2 SSO Log-in Processing with OAM Agents
• 11-3 SSO Login Processing with OSSO Agents
• 12-1 Policy Components: Relationship to an Application Domain
• 12-2 Default wl_authen Resource Type Definition
• 12-3 TokenServiceRP
• 12-4 Host Identifier Page
• 12-5 Default LDAPScheme Page
• 13-1 Application-Specific Components of the OAM Policy Model
• 13-2 New Application Domain Generated During Agent Registration
• 13-3 Default Resource Definition in a Generated Application Domain
• 13-4 Default Authentication Policy for Protected Resources
• 13-5 Default Authorization Policy for Protecting Resources
• 13-6 Fresh Application Domains General Page
• 13-7 Application Domains Navigation Tree
• 13-8 Resources Page in an Application Domain
• 13-9 Searching for Resource Definitions within an Application Domain
• 13-10 Search Results Table for Resource Definitions in an Application Domain
• 13-11 Authentication Policy: IAM Suite Application Domain
• 13-12 Authorization Policy Page: IAM Suite Application Domain
• 13-13 Authorization Policy Response in the Console
• 13-14 Simple Response Samples
• 13-15 Sample Complex Responses
• 13-16 Authorization Policy Page, General Details
• 13-17 Add Constraint Window
• 13-18 Constraint Containers on the Authorization Policy Page
• 13-19 Identity Class Constraint Details: Selected User and Groups Table
• 13-20 Identity Class Add User Population Entries Window
• 13-21 Selected User and Groups Window
• 13-22 IP4Range Class Constraints
• 13-23 Temporal Constraint Class Details Page
• 13-24 OAM Admin Console Policy, Scheme, and Resources
• 13-25 Protected HigherLevel Policy, LDAP Scheme, and Resources
• 13-26 Protected LowerLevel Policy, Autentication Scheme, and Resources
• 13-27 Public Policy, Anonymous Scheme, and Resources
• 13-28 IAM Suite Authorization Policy
• 13-29 IAM Suite Token Issuance Policy and Resource URLs
• 14-1 OAM Agent (PEP) and OAM Server (PDP) Inter-operability
• 14-2 User Interactions with the Access Tester
• 14-3 Access Tester Console
• 14-4 Server Connection Panel in the Access Tester
• 14-5 Protected Resource URI Panel in the Access Tester
• 14-6 Access Tester User Identity Panel
• 14-7 Test Case Workflow
• 16-1 Typical Token Ecosystem
• 16-2 Identity Propagation with the OAM Token
• 16-3 Process Flow During Identity Propagation
• 16-4 Identity Propagation Deployment
• 16-5 Identity Propagation Processing
• 16-6 Required v1.0 WebLogic Server Identity Assertion Providers
• 16-7 IAP-OSTS Details
• 16-8 LDAP Provider: IAP-DSEE
• 16-9 Default Identity Store Defined in Oracle Access Manager
• 16-10 Token Issuance Policy for Identity Propagation
• 16-11 Authentication Policy for Identity Assertion by Webgate
• 16-12 /wssuser Endpoint for Identity Assertion
• 16-13 Default Identity Store Defined in Oracle Access Manager
• 16-14 Token Issuance Policy for Identity Propagation
• 16-15 /wss11user Endpoint for Identity Assertion
• 17-1 Default Endpoints, Policies, and Validation Templates
• 17-2 WS-Security 1.0 and 1.1 Policies
• 17-3 Oracle Access Manager with Oracle Security Token Service Enabled
• 17-4 Security Token Service Settings Page
• 19-1 Validation Templates Search Controls
• 19-2 Issuance Template Search Controls
• 19-3 Issuance Template: General Details and Defaults
• 19-4 Issuance Properties: Username Token Type
• 19-5 Issuance Properties: SAML Token Types
• 19-6 Security Details: SAML Tokens
• 19-7 New Validation Template page: General Page Defaults
• 19-8 New Validation Template: General Authentication Details
• 19-9 Token Mapping: SAML2 WS-Security Validation Template
• 19-10 Token Mapping, username-wstrust-validation-template
• 19-11 Token Mapping: x509-wss-validation-template
• 19-12 Endpoints Page
• 19-13 IAM Suite Token Issuance Policy and Resource URLs
• 19-14 Token Issuance Policies and Constraints
• 19-15 Pre-defined Resource Type: TokenServiceRP
• 19-16 Search: Resource Type TokenServiceRP in Application Domain
• 20-1 New Requester Partner Page
• 20-2 Defined Requester Partner
• 20-3 Partner Search Controls
• 20-4 Requester Profile: General
• 20-5 Requester Profile: Token and Attributes
• 20-6 Relying Party Profile Token and Attributes
• 20-7 Token and Attributes: Issuing Authority
• 20-8 Issuing Authority Profile: Token Mapping Tab
• 20-9 Search Profiles Page: Requester
• 23-1 Log-Level Activation in the Default Log Configuration File
• 24-1 Audit to Database Architecture
• 24-2 Common Settings: Auditing Configuration
• 25-1 Server Processes Overview Page
• 25-2 Session Operations Monitoring Page
• 25-3 Server Operations Monitoring Page
• 25-4 OAM Agents Monitoring Page
• 25-5 OAM Agent Monitoring Characteristics
• 25-6 Detached OAM 10g Agent Connection Table
• 25-7 Detached OAM 10g Agent Operations Overview Table
• 25-8 Detached OAM 10g Agent Operations Detail Table
• 25-9 Detached OAM 10g Agent Information Table
• 25-10 OSSO 10g Agent Monitoring Page with Operation Details
• 25-11 OSSO 10g Agent Monitoring Process Overview Table Detached
• 25-12 OSSO 10g Agent Information Table Detached
• 26-1 Fusion Middleware Control (AS-Control) Deployment Architecture
• 26-2 Fusion Middleware Control Login Page with Help Topics
• 26-3 OAM Farm Page in Fusion Middleware Control
• 26-4 Farm Navigation Tree in Fusion Middleware Control
• 26-5 Node Information Page in Fusion Middleware Control
• 26-6 Application Deployment Summary for the Selected Internal Application
• 26-7 Application Deployment Menu
• 26-8 WebLogic Server Domain Summary with Context Menu Exposed
• 26-9 Oracle Access Manager Cluster Page
• 26-10 Key Metrics for Oracle Access Manager Server Pages
• 26-11 Aggregated Access Manager Component Metrics for the Cluster
• 26-12 Access Manager Component Metrics for a Single OAM Server Instance
• 26-13 Aggregated STS Component Metrics for the Cluster
• 26-14 STS Component Metrics for an Individual OAM Server Instance
• 26-15 Performance Summary Command
• 26-16 Performance Summary Page with Metric Palette
• 26-17 Oracle Access Manager Log Levels on the Log Configuration Tab
• 26-18 Log Levels for Oracle Security Token Service
• 26-19 Log Files Configuration Page
• 26-20 Typical Log Messages Page in Fusion Middleware Control
• 26-21 System MBean Browser and Attributes Tab
• 26-22 Routing Topology with Context Menu
• A-1 Pre-Upgrade OSSO 10g Topology
• A-2 Pre-Upgrade Sample OSSO 10g with Front-End Proxy
• A-3 Post-Upgrade OSSO 10g Topology
• A-4 mod_wl Replaces mod_oc4j on the Proxy Server
• A-5 Typical Topology Without Proxy Server
• A-6 Co-existence Processing
• A-7 Co-existence and OSSO 10g Authentication
• A-8 OSSO Agent Configuration Named for One Application
• A-9 OSSO Agent Configuration Named for the Second Application
• A-10 OSSO Agent Configuration Named for the Third Application
• A-11 Host Identifier for migratedSSOPartners
• A-12 Resources in the migratedSSOPartners Application Domain
• A-13 Authentication Policy for the Application Domain migratedSSOPartners
• B-1 Source and Target processing
• B-2 Dependency Tree for Each Application Domain
• E-1 Communication Channels for OAM Servers and Webgates
• G-1 IPv6 with OAM 11g and Challenge Redirect