OIM-OAM-OAAM integration using TAP – Request Flow you must understand !!

This post cover key points and request flow that you must understand when integrating three Oracle Identity Management product OIM, OAM, and OAAM

a) OIM – Oracle Identity Manager
b) OAM – Oracle Access Manager
c) OAAM – Oracle Adaptive Access Manager

For an overview of features available by integrating OIM, OAM, and OAAM click here

1. OAM can be integrated with OAAM using

a) Basic – using authentication scheme as OAAMBasic (for OAM 11.1.1.3.0) – works only with 10g webgate and OSSO Agent
or
b) Advanced – using authentication scheme as OAAMAdvanced (for 11.1.1.3.0) – works with 10g WebGate
or
c) Advanced with TAP – using authentication scheme as TAP (for 11.1.1.5)- works with 10g and 11g WebGates

where TAP is Trusted Authentication Protocol.

More on various integration options between OAM & OAAM click here

2. Advanced with TAP is recommended option to integrate OAM with OAAM

3. With OAM-OIM-OAAM integration you additionally get password management flows using OAAM (via KBA).

4. KBA stands for Knowledge Based Authentication (functionality provided by OAAM) and with OIM-OAAM integration, KBA is used as
a) Second factor authentication for change password
b) First authentication for forgot password

5. When you integrate OAM , OIM, and OAAM using advanced integration, this is what happens when user try to access OIM screens (or resource protected by TAP Scheme)

a) OAM checks URL is protected by TAP Scheme and as user is not authenticated yet so user is redirected to OAAM login page

(This is because URL is protected by TAP scheme and TAP authentication scheme redirects user to OAAM server for login)

 

b) OAM (based on challenge URL defined in TAP scheme) forwards request to OAAM Server

c) OAAM server presents user with username page where user submits his username

d) OAAM records (fingerprints) user device and runs pre-authentication rules before showing password page to user

Note: Device fingerprint is mechanism where where OAAM recognises what device user logs in with like Desktop, Laptop, PDA, Cell Phone, web bases device, etc

e) Virtual Authenticator Device (VAD) rules are run during Authentication Pad checkpoint and decides which Virtual Authenticator device to display for password page

f) At this stage
— i) For registered user in OAAM, Password page with personalised TestPad/KeyPad is displayed


— ii) a- For unregistered users (in OAAM) password page with generic TextPad is displayed follow section for first time logon

 

ii b) -: For unregistered users login for first time, system presents user to reset password on first logon. System also presents user with option to set challenge question (KBA), image on virtual device , phrase on virtual device.

g) OAAM collects username/passwordand then sends NAP API call for Authentication to OAM

h) OAM makes a ldap call to OID (identity store configured with OAM). More on OAM identity store configuration (steps mentioned here are manual integration) here and here

Note: Oracle Internet Directory (OID) is LDAP compliant store from Oracle to store enterprise users.

i) After successful authentication OAM issues TAP token to OAAM

j) OAAM then executes post authentication rules

 

based on rule/risk could present user with second authentication (KBA or OTP)

Note: Knowledge Based Authentication (KBA) and One Time Password (OTP) are features available in OAAM. OTP by default is disabled in OAAM

k) OAAM then sets the OAM cookie and redirects user to resource requested in step a)

 

 

Related

Share This Post with Your Friends over Social Media!

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

20 comments
Nash says October 11, 2012

Hi Atul,

I have integrated OAM and OAAM 11gR2 but I do not see an option for change password at 1st time login. Point ii b) that you have mentioned above. Do we need to do anything extra to have that implemented ?

Reply
» OAAM Login image missing on AuthentiPad (TextPad) Login Screen oaam_images : setDomainEnv.sh Online Apps DBA: One Stop Shop for Apps DBA’s says October 11, 2012

[…] When you integrate OIM/OAM/OAAM (using Advanced Integration via TAP) more information here , username/password is collected by Oracle Adaptive Access Manager (OAAM) and then OAAM passes […]

Reply
Nash says October 12, 2012

I meant to say that for unregistered users login for first time, I do not get an option to reset the password. I just get a imageless textpad for password (which is expected), then takes me to the Registration Page for Images and phrases and from there to the application.

I do not get an option to reset the password.

Reply
» OIM 11g Challenge Questions – Everything you must know Online Apps DBA: One Stop Shop for Apps DBA’s says October 16, 2012

[…] 7. You can integrate OIM with OAAM for challenge questions so that OAAM is used as setting/validation of Challenge Questions . More on OIM-OAAM integration here and on request flow for OIM-OAM-OAAM integration here […]

Reply
Nash says October 17, 2012

Thanks Atul but it doesnt solve my query. I have OIM-OAM and OAAM integrated. I create a user in OIM and provide him access to app1. The user logs into app1 and gets a OAAM login page. he enters his uid, gets a generic blank textpad. he enters his password. He gets an option to register questions as he is a new user and once done its redirected back to the app page. I do not get an option to change the password at first login instead of haveing the pwd policy in OID enabled with the attribute “Reset Password upon Next Login” enabled

Reply
harpreet says October 17, 2012

Hi Atul,
Thanks for the blog. It is really helpful.
I need one help on OIM-OAM-OAAM integration.
I am done with integration, Now i want to reset the security question in OAAM.
I have configured urls for Reset question in OIM and oaam as in document.
But when i try to hit the link http://host:port/oaam_server/oimResetChallengeQuestions.jsp
I will redirected to OAAM TAP scheme login Page
After Succeful authentication, I can See OAAM authentication page (not TAP scheme) instead of Reset challenge question page

Reply
    Atul Kumar says October 18, 2012

    @ Harpreet,
    Let me clear on reset password – Do you mean
    a) Forgot password (user has not logged in yet)
    or
    b) Change Password (user has logged in to system OIM and would like to change password)

    Which one would you like to do ?

    Reply
Atul Kumar says October 18, 2012

@ Nash,
Change password on next logon – when integareted with OIM-OAM is controlled by OAM . There is an attribute ob****** that says that user must change password on next login.

Please confirm if OIM is also configured and user is created via OIM .

If yes then share verison of OIM.

Reply
harpreet says October 18, 2012

@atul
I am doing Reset challenge question.
I know the direct URL of reset security question:
http://host:port/oaam_server/oimResetChallengeQuestions.jsp
but It does not work directly.
I know it works fine from OIM delegation admin page.
I wanted help on if there are any webservices that can be utilized. as i want to make this happen from my portal not from OIM console

Reply
    Atul Kumar says October 18, 2012

    @ Harpreet,
    Yes, this may not work from external portal. Check with Oracle Support and see what is this URL doing when accessed from with in OIM portal.

    Reply
Nash says October 19, 2012

Thanks Atul,

Yes I have OIM,OAM and OAAM all 11g R2 integrated with OID 11.1.1.6

Reply
Deepika says November 21, 2012

Hi Atul,
Here you are using all components of same version i.e. 11gR2, but can OIM 11gR1 be integrated with OAM 11gR2 ?

Reply
    Atul Kumar says November 21, 2012

    @ Deepika,
    What components from 11gR1 and which component fro 11gR2 you wish to integarte ?

    Reply
Deepika says November 22, 2012

Hi Atul,
Things are bit changed now.
The current scenario is that we have already installed OIM 11gR1 in our environment, and we need to install OAM 11gR2 in same environment.
So I want to know that is there any necessity to upgrade OIM to R2 or can we install OAM in a different weblogic domain( I hope installing in different domain will not give any OIM-OAM version conflict issue)?

Reply
Atul Kumar says November 22, 2012

@ Deepika,
This is one of those difficult ones to answer, I am not sure what is Oracle’s standpoint on this (If you ask for production they might say NO this is not supported)

This solution (OIM 11gR1 and OAM11gr2) technically should work but suggestion would be to do end to end testing .

Why don’t you install OAM 11gR1 only what is business justification for OAM 11gR2 when OIM is 11G R1 .

Ideal world is to upgrade OIM to 11gR2 and integrate with OAM 11gR2

Atul Kumar

Reply
OIM-OAM-OAAM integration using TAP says April 8, 2013

[…] can find Atul’s post here. Filed Under: Identity Management jQuery(document).ready(function(){ […]

Reply
Pratima says April 12, 2013

Does advanced with TAP OAAM-OAM integration work in simple mode. We have a working integrationw ith 11g webgates in open mode but after changing the mode to simple, we keep getting ssl handshake error.

Reply
Pratima says April 12, 2013

Another question that I have, Is it possible to use the forgot password/change password feature when only OAM-OAAM are integrated. We dont use OIM and when we try to type in the new password in the forgot password flow, ldap call is not made to update the password in ldap.

Is it possible to use forgot password without OIM?

Reply
Pratima says April 22, 2013

Hi Atul,

Any response to the above questions? Have you implemented this before?

Reply
Sherif Arafa says October 1, 2017

Can I use the multifactor authantication of OAAM with the partners (federated resources) in Identity Provider Administration tab in OAM ? as Personalized Image&message or Challenge Questions

Reply
Add Your Reply

[index]
[index]
[523.251,1046.50]
[523.251,1046.50]
[523.251,1046.50]
[523.251,1046.50]
[i]
[i]
[index]
[index]
[523.251,1046.50]
[523.251,1046.50]