In layman's terms, Oracle Access Manager (OAM) provides a single, secure point of entry to an enterprise's web applications, where the user's identity is verified and access to enterprise resources is managed.
OAM primarily performs three tasks:
- Providing authentication services
- Managing sessions and SSO for the Web tier
- Asserting identities to the application tier
The figure above provides a simple overview of Access Manager. The numbered steps below walk through the flow it shows.
1) Access policies are enforced at runtime by WebGates (one type of OAM agent) deployed on the web servers. These WebGates act as Policy Enforcement Points (PEPs) and front-end the protected enterprise resources.
2) WebGates intercept site traffic and verify that the user is authenticated and authorized to access the resource.
3) The first time the user tries to access a resource, if the user isn’t yet authenticated, the WebGate redirects the user to a login page.
4) The login page validates the user's credentials against a user repository, such as a corporate directory service. On successful authentication, a session is established on the Access Manager server and a session cookie (OAM_ID in OAM 11g and 12c) is set in the user's browser. That cookie, not the credentials, is what identifies the user on all subsequent requests in the session, so the session lifetime and the cookie's protection (HTTPS only, not readable by scripts) are what bound how long a stolen browser session stays usable.
5) The WebGates communicate with the Access Manager server over the Oracle Access Protocol (OAP). OAP is only a confidential channel when the agent is registered in Simple or Cert mode; an agent registered in Open mode talks to the server in the clear, so the transport mode is worth checking in any deployment.
6) Policies are created and maintained by administrators through the Oracle Access Management console, which acts as the central Policy Administration Point (PAP). The policies are stored in the Policy Store, which is an Oracle database.
7) As an authenticated user tries to access different applications and resources, the runtime Access Manager server acts as the Policy Decision Point (PDP), evaluating whether the user is authorized to access each particular resource. It then conveys that decision back to the WebGate, which enforces it.
8) Every authentication and authorization event is logged for audit purposes.
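To make the PEP/PDP split in steps 1 to 8 concrete, here is a small simulation of the round trip. It is an added illustration written for this page, not Oracle code: the user store, the policy store, the host names and the cookie name `OAM_SESSION` are constructed assumptions, a single cookie stands in for OAM's real cookies, and the WebGate calls the server in-process where a real deployment would cross the OAP channel. What it shows beyond the prose is how the WebGate never sees credentials, how a forged, expired or revoked cookie all collapse to the same redirect, and how a resource with no matching policy is denied by default.

```python
"""Toy model of the WebGate (PEP) / Access Manager (PDP) flow from steps 1-8.
Added illustration, not Oracle code. Names, users and policies are constructed."""
import fnmatch
import secrets
import time
from dataclasses import dataclass, field

SESSION_TTL = 3600      # seconds; assumption, real OAM has separate idle and max timeouts
COOKIE = "OAM_SESSION"  # assumed cookie name for this model only


@dataclass
class Request:
    host: str
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: str = ""                        # for 302 redirects
    set_cookie: dict = field(default_factory=dict)


class AccessManagerServer:
    """Runtime server: authenticates, owns sessions, decides policy (PDP), audits (step 8)."""

    def __init__(self, users, policies):
        self.users = users        # constructed stand-in for the corporate directory
        self.policies = policies  # constructed stand-in for the policy store: pattern -> allowed groups
        self.sessions = {}        # session id -> (username, expiry); the cookie carries only the id
        self.audit = []

    def authenticate(self, username, password):
        record = self.users.get(username)
        if record is None or record["password"] != password:  # a real directory does a bind instead
            self.audit.append(("AUTHN_FAIL", username))
            return None
        sid = secrets.token_urlsafe(32)  # unguessable handle; guessing it is the only way to forge a session
        self.sessions[sid] = (username, time.time() + SESSION_TTL)
        self.audit.append(("AUTHN_OK", username))
        return sid

    def validate_session(self, sid):
        """Return the user bound to a session id, or None if the id is unknown or expired."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if time.time() >= expiry:
            del self.sessions[sid]
            return None
        return user

    def logout(self, sid):
        """Server-side revocation: the browser may still hold the cookie, but it maps to nothing."""
        self.sessions.pop(sid, None)
        self.audit.append(("LOGOUT", sid))

    def is_authorized(self, user, resource):
        """PDP (step 7): first matching policy wins; a resource with no policy is denied."""
        groups = self.users[user]["groups"]
        for pattern, allowed_groups in self.policies.items():
            if fnmatch.fnmatch(resource, pattern):
                allowed = bool(groups & allowed_groups)
                self.audit.append(("AUTHZ_ALLOW" if allowed else "AUTHZ_DENY", user, resource))
                return allowed
        self.audit.append(("AUTHZ_DENY", user, resource))
        return False


class WebGate:
    """PEP on the web server (steps 1-3): intercepts every request, holds no user data."""

    def __init__(self, server, login_url):
        self.server = server  # in a real deployment this hop is OAP, not an in-process call
        self.login_url = login_url

    def handle(self, request):
        resource = f"https://{request.host}{request.path}"
        user = self.server.validate_session(request.cookies.get(COOKIE))
        if user is None:
            # missing, forged, expired and revoked cookies all look the same here: go log in
            return Response(302, location=f"{self.login_url}?resource={resource}")
        if not self.server.is_authorized(user, resource):
            return Response(403)
        return Response(200)


def login_page(server, username, password, resource):
    """Step 4: validate credentials, then send the user back to the resource with a cookie."""
    sid = server.authenticate(username, password)
    if sid is None:
        return Response(401)
    return Response(302, location=resource, set_cookie={COOKIE: sid})


def demo():
    """Run the flow against constructed users and policies; returns the observed statuses."""
    users = {"alice": {"password": "s3cret", "groups": {"finance"}},
             "bob": {"password": "hunter2", "groups": {"staff"}}}
    policies = {"https://apps.example.com/finance/*": {"finance"},
                "https://apps.example.com/portal/*": {"staff", "finance"}}
    server = AccessManagerServer(users, policies)
    gate = WebGate(server, "https://sso.example.com/login")
    host, out = "apps.example.com", {}
    out["anonymous"] = gate.handle(Request(host, "/finance/report")).status
    out["bad_password"] = login_page(server, "alice", "wrong", f"https://{host}/finance/report").status
    alice = login_page(server, "alice", "s3cret", f"https://{host}/finance/report").set_cookie
    out["alice_finance"] = gate.handle(Request(host, "/finance/report", alice)).status
    out["alice_admin"] = gate.handle(Request(host, "/admin/", alice)).status  # no policy: deny
    bob = login_page(server, "bob", "hunter2", f"https://{host}/portal/home").set_cookie
    out["bob_portal"] = gate.handle(Request(host, "/portal/home", bob)).status
    out["bob_finance"] = gate.handle(Request(host, "/finance/report", bob)).status
    out["forged"] = gate.handle(Request(host, "/portal/home", {COOKIE: "guess"})).status
    server.logout(bob[COOKIE])
    out["bob_after_logout"] = gate.handle(Request(host, "/portal/home", bob)).status
    out["audit"] = server.audit
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints 302 for the anonymous, forged and post-logout requests, 401 for the failed login, 200 for the two authorized hits and 403 for the two denials, followed by the audit trail the server accumulated. The design point to carry over to a real OAM deployment is that all security state lives on the server side: the WebGate only forwards a cookie value and enforces the answer it gets back, so revoking the server session is what actually ends access.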