Cookie less SSO with OAM

The cookieless single sign-on session support with OAM can be provided by placing the Oracle WebCache between user’s browser and web server as depicted in above figure.
End-user can either use separate WebCache instances for each backend web server, or use the common WebCache instance which will be shared by multiple backend web servers.
The Web Cache component provides cookie management, using the SSL session Id as key. The SSL sessions are mandatory for this solution, and they are established between the user’s browser and the OHS servers.
The Single Domain single sign-on flow will be very similar to the cookie-based solution.  The main difference will be when the Oracle Access Manager WebGate sets a cookie, the cookie will be cached in the Web Cache instance, keyed using the SSL session ID.  When the user accesses the servers again later on, Web Cache retrieves the relevant cookies tied to this SSL session ID, and makes them available to the downstream servers and applications.
Note that in this solution, the cookies are never made available to the end-user’s browser.  Assuming the Web Cache instances are protected by a firewall, then the cookies never need to go outside the protection of the firewall.
During logout, Oracle Access Manager WebGate will clean up their respective cookies by setting the obssocookie to “loggedoutcontinue”The Web Cache, when received such requests, removes the cookies from its cookie cache.

Architecture

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment: