This post covers the key points and the request flow that you must understand when integrating the three Oracle Identity Management products OIM, OAM, and OAAM:
a) OIM – Oracle Identity Manager
b) OAM – Oracle Access Manager
c) OAAM – Oracle Adaptive Access Manager
For an overview of the features available by integrating OIM, OAM, and OAAM, click here
1. OAM can be integrated with OAAM using one of the following:
a) Basic – using authentication scheme as OAAMBasic (for OAM 11.1.1.3.0) – works only with 10g webgate and OSSO Agent
or
b) Advanced – using authentication scheme as OAAMAdvanced (for 11.1.1.3.0) – works with 10g WebGate
or
c) Advanced with TAP – using authentication scheme as TAP (for 11.1.1.5) – works with 10g and 11g WebGates
where TAP is Trusted Authentication Protocol.
For more on the various integration options between OAM and OAAM, click here
2. Advanced with TAP is the recommended option to integrate OAM with OAAM
3. With OAM-OIM-OAAM integration you additionally get password management flows using OAAM (via KBA).
4. KBA stands for Knowledge-Based Authentication (functionality provided by OAAM); with OIM-OAAM integration, KBA is used as
a) Second factor authentication for change password
b) First authentication for forgot password
5. When you integrate OAM, OIM, and OAAM using advanced integration, this is what happens when a user tries to access OIM screens (or any resource protected by the TAP scheme):
a) OAM checks that the URL is protected by the TAP scheme; as the user is not authenticated yet, the user is redirected to the OAAM login page
(This is because the URL is protected by the TAP scheme, and the TAP authentication scheme redirects the user to the OAAM server for login)
b) OAM (based on the challenge URL defined in the TAP scheme) forwards the request to the OAAM server
c) The OAAM server presents the user with the username page, where the user submits his username
d) OAAM records (fingerprints) the user's device and runs pre-authentication rules before showing the password page to the user
Note: Device fingerprinting is the mechanism by which OAAM recognises which device the user logs in with, such as a desktop, laptop, PDA, cell phone, web-based device, etc.
e) Virtual Authenticator Device (VAD) rules are run during the Authentication Pad checkpoint and decide which virtual authenticator device to display for the password page
f) At this stage:
— i) For a user already registered in OAAM, the password page with the personalised TextPad/KeyPad is displayed
— ii a) For an unregistered user (in OAAM), the password page with the generic TextPad is displayed; follow the section for first-time logon
— ii b) For an unregistered user logging in for the first time, the system prompts the user to reset the password on first logon. The system also presents the user with the option to set challenge questions (KBA), an image on the virtual device, and a phrase on the virtual device.
g) OAAM collects the username/password and then sends a NAP API call for authentication to OAM
h) OAM makes an LDAP call to OID (the identity store configured with OAM). More on OAM identity store configuration (the steps mentioned there are for manual integration) here and here
Note: Oracle Internet Directory (OID) is an LDAP-compliant store from Oracle for storing enterprise users.
i) After successful authentication, OAM issues a TAP token to OAAM
j) OAAM then executes post-authentication rules and, based on the rules/risk, could present the user with a second authentication (KBA or OTP)
Note: Knowledge-Based Authentication (KBA) and One Time Password (OTP) are features available in OAAM. OTP is disabled by default in OAAM
k) OAAM then sets the OAM cookie and redirects the user to the resource requested in step a)
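The request flow above as an added toy model (example code, not Oracle's or this blog's own): it plays both sides, OAM and OAAM, for one access attempt and returns the trace of steps taken, branching on registered versus unregistered user, a wrong password, and a device OAAM has not seen before (which triggers the post-authentication KBA step-up). The identity store contents, device attributes and the risk threshold are constructed assumptions.

```python
# Added illustration, not Oracle's code: a toy model of the OAM-OAAM TAP request
# flow (steps a to k). Store contents, devices and risk threshold are constructed.
import hashlib
import secrets

# Constructed stand-in for the OID identity store OAM queries in step h).
IDENTITY_STORE = {"alice": "Welcome1", "bob": "Summer2012"}
LAPTOP = ("Firefox/10", "Windows 7", "1280x800")   # constructed device attributes
PHONE = ("Safari Mobile", "iOS 5", "320x480")      # that OAAM fingerprints in d)


def fingerprint(device_attrs):
    """Step d): hash the visible device attributes into a stable fingerprint."""
    return hashlib.sha256("|".join(device_attrs).encode()).hexdigest()[:12]


# Constructed OAAM state: registered users -> fingerprints already seen for them.
REGISTERED = {"alice": {fingerprint(LAPTOP)}}  # bob has never logged in


def oam_authenticate(username, password):
    """Steps g) to i): the NAP call; OAM checks the store and issues a TAP token."""
    if IDENTITY_STORE.get(username) == password:
        return "TAP-" + secrets.token_hex(4)
    return None


def post_auth_risk(username, fp):
    """Step j): post-authentication rules; a never-seen device raises the risk."""
    return 0 if fp in REGISTERED.get(username, set()) else 70


def access_resource(url, username, password, device_attrs, kba_ok=True):
    """Return the ordered trace of messages for one access attempt."""
    trace = ["a) OAM: %s is TAP-protected and no session -> redirect to OAAM" % url]
    fp = fingerprint(device_attrs)
    trace.append("d) OAAM: device fingerprint %s, pre-auth rules run" % fp)
    registered = username in REGISTERED
    trace.append("f) OAAM: %s TextPad shown" % ("personalised" if registered else "generic"))
    if oam_authenticate(username, password) is None:
        trace.append("h) OAM: LDAP authentication failed -> login denied")
        return trace
    trace.append("i) OAM: TAP token issued to OAAM")
    if not registered:
        trace.append("f-ii-b) OAAM: first logon -> password reset, KBA/image/phrase registration")
        REGISTERED[username] = {fp}
    elif post_auth_risk(username, fp) >= 50:
        trace.append("j) OAAM: unknown device -> KBA challenge")
        if not kba_ok:
            trace.append("j) OAAM: KBA failed -> access denied")
            return trace
        REGISTERED[username].add(fp)
    trace.append("k) OAAM: OAM cookie set -> redirect to %s" % url)
    return trace
```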
19 users commented in "OIM-OAM-OAAM integration using TAP – Request Flow you must understand !!"
Hi Atul,
I have integrated OAM and OAAM 11gR2 but I do not see an option for change password at 1st time login. Point ii b) that you have mentioned above. Do we need to do anything extra to have that implemented?
[...] When you integrate OIM/OAM/OAAM (using Advanced Integration via TAP) more information here , username/password is collected by Oracle Adaptive Access Manager (OAAM) and then OAAM passes [...]
I meant to say that for unregistered users logging in for the first time, I do not get an option to reset the password. I just get an imageless textpad for password (which is expected), then it takes me to the Registration Page for Images and phrases and from there to the application.
I do not get an option to reset the password.
[...] 7. You can integrate OIM with OAAM for challenge questions so that OAAM is used as setting/validation of Challenge Questions . More on OIM-OAAM integration here and on request flow for OIM-OAM-OAAM integration here [...]
Thanks Atul but it doesn't solve my query. I have OIM-OAM and OAAM integrated. I create a user in OIM and provide him access to app1. The user logs into app1 and gets an OAAM login page. He enters his uid, gets a generic blank textpad. He enters his password. He gets an option to register questions as he is a new user and once done it's redirected back to the app page. I do not get an option to change the password at first login instead of having the pwd policy in OID enabled with the attribute “Reset Password upon Next Login” enabled
Hi Atul,
Thanks for the blog. It is really helpful.
I need one help on OIM-OAM-OAAM integration.
I am done with integration. Now I want to reset the security question in OAAM.
I have configured URLs for Reset question in OIM and OAAM as in the document.
But when I try to hit the link http://host:port/oaam_server/oimResetChallengeQuestions.jsp
I am redirected to the OAAM TAP scheme login page.
After successful authentication, I can see the OAAM authentication page (not TAP scheme) instead of the Reset challenge question page
@ Harpreet,
Let me be clear on reset password – do you mean
a) Forgot password (user has not logged in yet)
or
b) Change Password (user has logged in to system OIM and would like to change password)
Which one would you like to do ?
@ Nash,
Change password on next logon – when integrated with OIM-OAM, this is controlled by OAM. There is an attribute ob****** that says that the user must change password on next login.
Please confirm if OIM is also configured and the user is created via OIM.
If yes then share the version of OIM.
@atul
I am doing Reset challenge question.
I know the direct URL of reset security question:
http://host:port/oaam_server/oimResetChallengeQuestions.jsp
but it does not work directly.
I know it works fine from the OIM delegated admin page.
I wanted help on whether there are any webservices that can be utilized, as I want to make this happen from my portal, not from the OIM console
@ Harpreet,
Yes, this may not work from an external portal. Check with Oracle Support and see what this URL is doing when accessed from within the OIM portal.
Thanks Atul,
Yes, I have OIM, OAM and OAAM all 11g R2 integrated with OID 11.1.1.6
Hi Atul,
Here you are using all components of same version i.e. 11gR2, but can OIM 11gR1 be integrated with OAM 11gR2 ?
@ Deepika,
What components from 11gR1 and which component from 11gR2 do you wish to integrate?
Hi Atul,
Things have changed a bit now.
The current scenario is that we have already installed OIM 11gR1 in our environment, and we need to install OAM 11gR2 in the same environment.
So I want to know whether there is any necessity to upgrade OIM to R2, or can we install OAM in a different WebLogic domain (I hope installing in a different domain will not give any OIM-OAM version conflict issue)?
@ Deepika,
This is one of those difficult ones to answer; I am not sure what Oracle’s standpoint is on this (if you ask for production they might say NO, this is not supported).
This solution (OIM 11gR1 and OAM 11gR2) technically should work, but my suggestion would be to do end-to-end testing.
Why don’t you install OAM 11gR1 only? What is the business justification for OAM 11gR2 when OIM is 11gR1?
The ideal world is to upgrade OIM to 11gR2 and integrate with OAM 11gR2
Atul Kumar
[...] can find Atul’s post here. [...]
Does advanced with TAP OAAM-OAM integration work in simple mode? We have a working integration with 11g webgates in open mode, but after changing the mode to simple, we keep getting an SSL handshake error.
Another question that I have: is it possible to use the forgot password/change password feature when only OAM-OAAM are integrated? We don't use OIM, and when we try to type in the new password in the forgot password flow, the LDAP call is not made to update the password in LDAP.
Is it possible to use forgot password without OIM?
Hi Atul,
Any response to the above questions? Have you implemented this before?