Access Manager: WebGate Request Flow

For the basics of Access Manager (formerly Oblix COREid, now an Oracle Identity Management component), see these earlier posts:

Access Manager Overview
Access Manager overview II
Installing Access Manager / COREid

WebGate is a web server plug-in that sits between the user and the Access Server (another component of Access Manager). It accepts the user's request via the web server (Apache, Oracle HTTP Server or IBM Web Server) and communicates with the Access Server component of COREid/Access Manager.
If the requested resource is protected by a policy (already defined using Policy Manager), WebGate sends the user an authentication challenge based on the authentication policy defined in the Access Server for that resource. Once the user is authenticated, it then checks the authorization policy for that resource, and depending on that policy, access to the resource (URL) is granted or denied to the user.

As a typical example, assume a user requests the resource http://teachmeoracle.com/aboutme.html, where teachmeoracle.com is a web server listening on port 80 and the resource /aboutme.html is protected by a policy (already defined using the Access Server console; a post on that is coming soon). As per the policy, only “authenticated users” whose IP address is 198.16.X.X are allowed to access this resource (aboutme.html).

Assumptions:
A) You have already installed the Identity Server, WebPass and Access Server components on some servers.
B) You have configured/installed WebGate on the web server hosting the site teachmeoracle.com
C) Resource /aboutme.html is protected by policy mentioned above.

Here are the steps that will happen:
1. The user types the URL in his browser.
2. The request hits the web server, which is configured with WebGate/AccessGate.
3. WebGate communicates with the Access Server component of Access Manager/COREid to see if the resource is protected.
4. The Access Server replies to WebGate with the authentication and authorization policy for that resource.
5. Based on the authentication scheme, WebGate presents the corresponding authentication challenge (LDAP username/password or any custom form authentication).
6. WebGate accepts the username/password from the user and (if authentication is NetPoint over an LDAP server) passes them on to the Access Server, which in turn checks the username/password against the directory server (LDAP server) configured with this Access Server.
7. If authentication is successful, go to the next step; if authentication fails, go to step 9.
8. If authentication is successful, it checks whether the user is authorized to access this page. If the client making the request is within IP 198.16.X.X, access to the resource is granted. If the user is not from this IP range, access to the resource is denied.
9. If user authentication failed, access will be denied, or the next process will happen as defined in the authentication fail action in Policy Manager.
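
The decision sequence in steps 2 to 9, modelled in Python as an added example (not part of the original post and not Oracle code). The function names, the in-memory directory and policy table, and the reading of 198.16.X.X as 198.16.0.0/16 are assumptions made for the illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for illustration; none of these are Oracle APIs.
DIRECTORY = {"alice": "correct-horse"}   # plays the LDAP directory (sample data)

@dataclass
class Policy:
    auth_scheme: str                      # challenge WebGate presents
    allowed_net: ipaddress.IPv4Network    # authorization rule: client IP range

# Plays Policy Manager: resources not listed here are unprotected.
POLICIES = {
    "/aboutme.html": Policy("form", ipaddress.ip_network("198.16.0.0/16")),
}

def access_server_lookup(path):
    """Steps 3-4: return the policy for a resource, or None if unprotected."""
    return POLICIES.get(path)

def access_server_authenticate(user, password):
    """Step 6: compare the submitted password with the directory entry."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())

def webgate_handle(path, client_ip, credentials=None):
    """Return (decision, detail) for one request, following steps 2-9."""
    policy = access_server_lookup(path)
    if policy is None:
        return ("ALLOW", "resource not protected")
    if credentials is None:
        return ("CHALLENGE", policy.auth_scheme)              # step 5
    if not access_server_authenticate(*credentials):
        return ("DENY", "authentication failed")              # step 9
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return ("DENY", "unparseable client address")         # fail closed
    if addr not in policy.allowed_net:                        # step 8
        return ("DENY", "client IP outside allowed range")
    return ("ALLOW", "authenticated and authorized")
```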

Other authorization policies may be:
A. You can define specific users authorized for a resource.
B. A Group of users authorized for a resource.
C. Authorization based on Role
D. Based on IP address of client

You can also define a time window during which the resource will be available, for example Monday to Friday, 9:00 AM to 5:30 PM.

More on Oracle-Oblix COREid, Oracle Access Manager coming soon…
Difference between WebGate/Access Gate.
Identity Server, Web Pass, Policy Manager, Access Server

About the Author Masroof Ahmad

15 comments
vasavi says November 13, 2008

Hi Atul,

Can you tell me which version of Apache will support installing the webgate? Which webgate do I have to install?

Thanks in Advance

Vasavi

Reply
Atul Kumar says November 13, 2008

First identify which webgate version is compatible with your access manager and then identify which Apache versions that webgate supports. Check the certification matrix in Metalink.

WebGate Installation check

Webgate overview

Reply
molete K says November 27, 2008

Hi there, I’m a newbie on Oracle Access Manager. I have encountered an error message which says “Bad Oracle Access Manager Request”. This is after I have done form-based authentication… Can someone please help and tell me which step I missed or misconfigured…

Reply
molete K says November 27, 2008

Hi there, I’m a newbie on Oracle Access Manager. I have encountered an error message which says “Bad Oracle Access Manager Request”. This is after I have done form-based authentication… Can someone please help and tell me which step I missed or misconfigured…

Reply
Rajesh Chaware says January 13, 2009

Hi, Atul.

Can you please suggest the webgate for OAM that I should install on the web server IBM HTTP Server 6.1 on Windows 2003 Server Release-2? And please suggest the exact file name and disk which I should download from the URL that would be provided by you? I need your urgent help.

Thanks and Regards.

Rajesh

Reply
ranjithregulla says May 6, 2009

Hi,

I am in need of an httpd.conf file for the reverse proxy implementation between Apache and WebLogic. Could you please provide it to me?

Thanks
Regulla

Reply
amman says April 21, 2011

Hi there

I am having some problem with webgate redirecting requests to the client browser.

The client enters a URL,
goes to css and webserver/webgate.
The client sees a white blank page.
The client closes his session and tries again, and it works.

Reply
OAM 11g Agent Registration | sandeepb4u says May 16, 2011

[…] on Authentication Policy set for resource.  For Request flow for WebGate check my earlier post here . For overview of Agents in OAM 11g (OAM Agents & OSSO Agent) click […]

Reply
VJK says December 6, 2011

Hi All,

I am new to UCM but I really need some help from the experts

My problem is when

When attempting to open a document (e.g. pdf) in Document List task flow in a custom portal application,
the following error occurs.

oracle.adf.controller.AdfcIllegalArgumentException: oracle.adf.controller.ControllerException: ADFC-0618: View ID ‘oracle/webcenter/portalapp/pages/knowledgeCenter/knowledgeCenter.jspx’ is invalid.

Any thoughts of what I may be doing wrong?

Reply
sinraj72 says April 8, 2012

Is the “forgot password” feature available in Oracle Access Management suite? Is it under policy configuration for the authentication tab? Kindly respond.

Reply
    Atul Kumar says April 8, 2012

    @ sinraj72,
    No, the forgot password feature is not part of OAM 11g. If you want the forgot password feature in OAM 11g then you must integrate OAM 11g with OIM 11g. After integration of OAM with OIM, you will see a forgot password link on the OAM 11g logon page which will redirect users to the OIM screen. On clicking this link, users are redirected to the OIM page where they can reset their password by answering a security question (set during account creation).

    Reply
sinraj72 says April 8, 2012

Where does OAM hold the password file for users and how is it stored, i.e. clear text or encrypted, and is sharing it with other applications required or not? In case it is required, is there any mechanism to ensure that only the encrypted password is shared with the applications?

Reply
    Atul Kumar says April 8, 2012

    @ sinraj72, OAM does not store the username or password. Username and password are stored in an LDAP server like OID, AD or the embedded LDAP server. OAM simply connects to the LDAP server and compares the username/password entered by the user against the one stored in the LDAP server. Passwords in OID are stored in encrypted format.

    Reply
sinraj72 says April 9, 2012

Hi Atul,

For a very low user base of around 800, where the client is ready to maintain the User ID Lifecycle in their A/D, do we need to OIM with OAM or do we need OIP to synchronise/provision IDs into Siebel local Id Stores?
In case any clarity is required, please let me know.

Reply
sinraj72 says April 18, 2012

Hi Atul,

I would like to know whether there is any mechanism available whereby I can integrate the “Forgotten Password” feature with Oracle Access Manager 11G without using Oracle Identity Manager 11g?

A prompt reply will support me a lot

Reply