Thursday, January 7, 2010

Cookieless SSO with OAM











Cookieless single sign-on session support with OAM can be provided by placing Oracle Web Cache between the user's browser and the web server, as depicted in the figure above.
The end user can either use a separate Web Cache instance for each backend web server, or use a common Web Cache instance shared by multiple backend web servers.
The Web Cache component provides cookie management, using the SSL session ID as the key. SSL sessions are mandatory for this solution, and they are established between the user’s browser and the OHS servers.
The single-domain single sign-on flow is very similar to the cookie-based solution. The main difference is that when the Oracle Access Manager WebGate sets a cookie, the cookie is cached in the Web Cache instance, keyed by the SSL session ID. When the user accesses the servers again later, Web Cache retrieves the cookies tied to this SSL session ID and makes them available to the downstream servers and applications.
Note that in this solution the cookies are never made available to the end user’s browser. Assuming the Web Cache instances are protected by a firewall, the cookies never need to leave the protection of the firewall.
During logout, the Oracle Access Manager WebGates clean up their respective cookies by setting the obssocookie to “loggedoutcontinue”. When Web Cache receives such requests, it removes the cookies from its cookie cache.
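
The cookie handling described above, modelled as an added example (not Oracle Web Cache code and not part of the original post): a store keyed by SSL session ID that strips `Set-Cookie` from responses, injects the cached cookies into backend requests and purges the session when it sees the logout value. The class and method names are hypothetical, and discarding any browser-supplied `Cookie` header is an assumption.

```python
# Conceptual model only: not Oracle Web Cache code. Names are hypothetical.
from http.cookies import SimpleCookie

SSO_COOKIE = "obssocookie"          # cookie name as written in the post
LOGOUT_VALUE = "loggedoutcontinue"  # value the post says WebGate sets at logout


class SessionCookieStore:
    """Holds backend cookies server-side, keyed by the TLS/SSL session ID."""

    def __init__(self):
        self._jar = {}  # ssl_session_id -> {cookie name: value}

    def on_response(self, ssl_session_id, headers):
        """Cache Set-Cookie headers; return only the headers the browser may see."""
        forwarded, logged_out = [], False
        for name, value in headers:
            if name.lower() != "set-cookie":
                forwarded.append((name, value))
                continue
            parsed = SimpleCookie()
            parsed.load(value)
            for key, morsel in parsed.items():
                if key.lower() == SSO_COOKIE and morsel.value == LOGOUT_VALUE:
                    logged_out = True
                else:
                    self._jar.setdefault(ssl_session_id, {})[key] = morsel.value
        if logged_out:
            # Logout: drop every cookie cached for this SSL session.
            self._jar.pop(ssl_session_id, None)
        return forwarded

    def on_request(self, ssl_session_id, headers):
        """Inject the cached cookies for this SSL session into a backend request."""
        # Assumption: a Cookie header sent by the browser is discarded, so only
        # server-side state can reach the backend.
        outgoing = [(n, v) for n, v in headers if n.lower() != "cookie"]
        cached = self._jar.get(ssl_session_id)
        if cached:
            cookie = "; ".join(f"{k}={v}" for k, v in cached.items())
            outgoing.append(("Cookie", cookie))
        return outgoing
```

In this model a request arriving with a different SSL session ID finds no cached cookies, so the SSO session lasts only as long as the SSL session it is keyed to.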

4 comments:

  1. Hi Mahendra,

    Would you happen to have tested it between OAM 10g and Web Cache 11g?

    Regards,
    Yann

  2. Do you know if Post-Data preservation can be achieved on OAM 11g with
    (WebCache10g + WebGate10g + OAM11g)?

  3. Hello Anonymous,

    I am not sure if this is supported with OAM 11g. Can you please check the OAM 11g integration guide? For 10g, you can check chapter 4: http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12492.pdf

    Hope this helps.

    -Mahendra.

  4. Hi Yann,

    I presume that OAM 10g will work with Web-Cache 11g though I have not tested it personally.

    -Mahendra.
