I have observed a problem while using Form Based authentication for a resource protected by Oracle Access Manager. We set Actions in the Authentication Rule of the Policy Domain, but they are not set in the HTTP headers. By contrast, the authentication actions do get executed if we use Basic Over LDAP instead of the Form based scheme. The actions also work fine if we define them in Authorization Rules. Hence it is always recommended to define the actions to be executed in Authorization Rules.
After OAM authenticates the user and before the user is served the requested resource, OAM executes the Authentication Actions that are defined. In the case of Form based authentication, users are redirected to a form when they request a protected resource. When users authenticate and are redirected back to the requested resource, the ObSSOCookie will have already been set. The presence of the ObSSOCookie usually indicates that authentication actions have already been performed and should be bypassed.
The workaround for this is to include a key called ObTriggerAuthentication (OTA) in both the Form based authentication scheme and the Policy Domain.
In the Form based authentication scheme, add a new challenge parameter as shown below.
OTA:true
In the Policy Domain, go to the Authentication Actions and add a new field as shown below.
The type is cookie.
The Name is NoExecuteOTA.
The Return Value is true.
The way it works is as shown below:
The NoExecuteOTA cookie set to true along with OTA set to true in a policy domain means that the authentication actions will not be performed for the resource protected by the policy domain.
The NoExecuteOTA cookie set to false along with the OTA key set to true means that the authentication actions will be performed for the resource and the ObSSOCookie will be reset.
By default NoExecuteOTA is set to false.
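The rules above can be turned into a small troubleshooting check. This is an added example, not Oracle code or code from the original post: it models only the behaviour described here, and the header name HTTP_OAM_UID and all cookie values are constructed placeholders.

```python
def parse_cookies(cookie_header):
    """Split a raw Cookie request header into a {name: value} dict."""
    cookies = {}
    for part in (cookie_header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies

def action_state(cookie_header, ota_enabled):
    """Apply the rules described above to one request.
    ota_enabled: True when OTA:true is a challenge parameter of the scheme."""
    cookies = parse_cookies(cookie_header)
    if "ObSSOCookie" not in cookies:
        return "not-authenticated"   # user is still sent to the login form
    if not ota_enabled:
        return "bypassed"            # ObSSOCookie present, actions assumed done
    # NoExecuteOTA defaults to false when the cookie is absent.
    no_execute = cookies.get("NoExecuteOTA", "false").strip().lower() == "true"
    return "suppressed" if no_execute else "executed"

HINTS = {
    "not-authenticated": "no ObSSOCookie yet, the user has not logged in",
    "bypassed": "ObSSOCookie already set after the form login; add OTA:true",
    "suppressed": "NoExecuteOTA=true tells OAM not to run the actions",
    "executed": "actions should have run; check the action definitions",
}

def diagnose(cookie_header, ota_enabled, seen_headers, expected_headers):
    """Compare the expected state with the headers the application received."""
    seen = {h.lower() for h in seen_headers}
    missing = sorted(h for h in expected_headers if h.lower() not in seen)
    state = action_state(cookie_header, ota_enabled)
    if not missing:
        return state, "action headers present"
    return state, "missing %s: %s" % (", ".join(missing), HINTS[state])

if __name__ == "__main__":
    # Constructed sample: first request after a form login, no OTA configured.
    expected = ["HTTP_OAM_UID"]      # hypothetical header set by an action
    print(diagnose("ObSSOCookie=CONSTRUCTED", False, ["Host"], expected))
    # Same request with OTA:true in the scheme and no NoExecuteOTA cookie yet.
    print(diagnose("ObSSOCookie=CONSTRUCTED", True,
                   ["Host", "HTTP_OAM_UID"], expected))
    # Later request, after the action has set NoExecuteOTA=true.
    print(diagnose("ObSSOCookie=CONSTRUCTED; NoExecuteOTA=true", True,
                   ["Host"], expected))
```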
Useful Docs:
Metalink Note: 472353.1
I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com