Oracle Access Manager Request Flow:
- The user tries to access an application (resource) protected by Oracle Access Manager 11gR1 using his web browser.
- The Oracle Access Manager agent intercepts the request and tries to ascertain if the user has an authenticated session. Since this is the user’s first access, the user is redirected to the Oracle Access Manager 11gR1 Access Server for authentication.
- Access Server’s credential collector component displays a Login Form as defined in authentication scheme. The user submits his credentials to the Access Server.
- OAM validates the user’s credentials against user directory and generates a security token. The user is redirected to the resource he tried to access in Step 1.
- The Oracle Access Manager agent intercepts the request and extracts the security token (cookie).
- The Oracle Access Manager agent then makes a back channel call to the Access Server (OAP over TCP) to validate the session and authorize the request.
- Oracle Access Manager authenticates the user from the LDAP repository.
- Access server verifies the user’s permissions against the configured policy for the web resource.
- Access server responds to the WebGate request indicating that access is allowed.
- The Oracle Access Manager agent allows the request to go through.
- The user is now able to access the web resource he tried to access in Step 1.
- User agents: These include web browsers, Java applications, and Web services applications. The user agents access the Access Server and the administration and configuration tools using HTTP.
- Protected resources: A protected resource is an application or web page to which access is restricted. Access to protected resources is controlled by WebGates or Custom Agents.
- Administration and configuration tools: Oracle Access Manager can be administered and configured by the Oracle Access Manager console, the Oracle Enterprise Manager Fusion Middleware Control and the Oracle Enterprise Manager Grid Control, and the WebLogic Scripting Tool (WLST).