Session Management in Oracle Access Manager

This post covers key points related to Session Manager in Oracle Access Manager (OAM) 11g. For step by step installation of OAM 11g click here

OAM – Oracle Access Manager (Web Access Management and Web SSO solution from Oracle)
SME – Session Management Engine (component of OAM)

.

Key Points for Session Management in OAM 11g

1. OAM 10g was stateless application where as in OAM 11g, user session is stateful (For list of difference between OAM 10g & 11g click here ).

2. In OAM 11g User Session Data is stateful and stored at following places
a) Local In-Memory Cache of each Managed Server on which OAM is running (oam_server1 on port 14100)
b) Distributed In-Memory Cache shared by all Managed Server on which OAM is running (For OAM 11g deployment in Cluster) using Coherence
c) Optionally in Database (under schema [prefix]_OAM created using RCU). To know more about RCU here

3. During install time (while running config.sh to create WebLogic domain), you select “Oracle Access Manager with Database Policy Store” which configures Policy Store and Session Store to database.

4. In OAM 11g (by default) Policy Data & User session data is stored in single database (details under $DOMAIN_HOME/config/jdbc/oam-db-jdbc.xml) under one schema however it is possible to configure OAM Policy Data in to one database and user session data in another database.

5. To configure User Session Data to different database check steps here
This is done by editing datasource jdbc/oamds under SmeDb in $DOMAIN_HOME/config/fmwconfig/oam-config.xml


6. Default User Session Datastore used by OAM is using oamDS JDBC datastore

.
7. There are three settings which determines User Session Lifecycle  – Session Lifetime, Idle Timeout, Maximum Number of Sessions per User

These settings can be configured via http://serverName:port/oamconsole (Where Port is Admin Server Port – default 7001) -> System Configuration -> Server Instances -> Session

a) Session Lifetime : 480 minutes – User Session will expire after this period (even active user session)
b) Idle Timeout : 15 minutes – User Session will expire for any idle session for 15 minutes
c) Maximum Number of Sessions per User : 8  # User can have multiple session in OAM 11g

.

.

8. Administrator can Manage Active User Sessions (Find & Delete) from OAM Console  http://serverName:port/oamconsole (Where Port is Admin Server Port – default 7001) -> System Configuration -> System Utilitiess -> Session Management

9. User session is stored in database (if configured) under tables : OAM_SESSION, OAM_SESSION_ATTRIBUTE

If you are looking for commonly asked interview questions for Oracle Access Manager then just click below and get that in your inbox.

banner-_oam

About the Author Masroof Ahmad

Leave a Comment:

10 comments
Mahendra says September 24, 2010

Nice one, Atul.

Reply
Pal says October 13, 2011

Nice article Atul. Quick question on this topic.
If the OAM server goes down periodically or showing access error, do you think that the session lifetime, idle timeout and number of sessions per user- parameters can be the cause. After restarting the oam server the error goes away. Any thoughts on this?

Thanks.

Reply
Deepa says November 6, 2012

Thank you Atul for your very useful blogs .. which helps immensely as a quick reference guide in configuring Oracle products.

Have a doubt about “Maximum Number of Sessions per User” setting in OAM 11g.
If I set this to “1”, will it:
A) prevent User to login more than once concurrently
OR
B) terminate the previous session & consider the latest session in case of concurrent logins

I need it to work as given in B). Is there any way I can do it?

Thanks again

Reply
Antony says July 30, 2013

I am having a requiremnt in Session Management. I am having custom login page in .net. After successful authentication user will be validated for OTP which is a JSP page whether user is single factor or 2 factor. Which is protected by OAM. Before validating OTP for user I need to write a code to verify: 1.If user session already exists or not? 2.a) If session exists, user should get a page with options of, to continue with old session or new session. I. If user clicks on old session, then user will be logged out from current session and can continue old session. II. If user clicks on new session, then user old session will be terminated and continues with new session. b) If user session not exists, then user will log into App after validating otp. Can some one please give me an idea Thanks in Advance.

Reply
Antony says July 30, 2013

Hi Atul,

We had developed OTP plug-in already. We want to use the new code before OTP validation.

Reply
Antony says July 31, 2013

I have a requirement:
If an attempt is made to initiate another session (either through another browser on the same device or on a new device) when an authenticated session is active, the integrity of the initial session must be maintained and the new attempt should be denied.

May i know if there is any solution for the requirement.

Note: Iam using OAM 11.1.1.5.3

Thanks

Reply
Antony says August 3, 2014

I have an application which is protected by OAM. Where i should enter username and password to login (page1.jsp). It is JSP page.
I have 3 portals in that application. I can access these portals directly: then i get different login JSP page(page2.jsp) to enter username and password to login to the portals.
I can login and no issues.
If i login to application and click on any portal, i should login to the portal directly without asking username and password page (page2.jsp). But iam getting login page(page.jsp) to enter username and password.

Can you pls help me how i can auto submit the username and password to login to the portals.

Thanks

Reply
Jon says March 15, 2016

Is there a script where I can use to delete the user sessions?

Reply
    Atul Kumar says March 15, 2016

    @Jon , not the script that we are aware of but you can do this from OAMConsole. Do you know path or share OAM version

    Reply
Add Your Reply