Here are the steps explaining what happens when a user tries to access a web-application resource protected by an Oracle Access Manager (OAM) server. I have included a few OAM components while explaining the flow. This example assumes a custom login page hosted by the application itself. The diagram gives a pictorial view of the steps explained below.
- A user tries to access an application's web resource that is protected by the OAM server. The SSO agent (WebGate) on the web server intercepts the request.
- The web server forwards the request to the OAM server.
- The OAM server checks whether the user already has a live session. If not, it evaluates the authentication policy for the requested resource.
- If the resource is defined as protected in the OAM server and requires authentication, OAM responds to the web server with the challenge redirect URL configured in the authentication scheme. The challenge redirect URL is the login page where the user enters credentials.
- The web server responds to the browser with the challenge redirect URL sent by OAM, and the browser redirects the user to this URL.
- This request from the browser is again intercepted by the web server.
- The web server forwards the request for the challenge redirect resource to the OAM server.
- The challenge redirect URL must always be configured as public (unprotected) in the OAM server; if it were protected, OAM would redirect the login page to itself and the browser would loop. So the OAM server responds to the web server with success.
- The web server requests the challenge redirect URL's HTML content from the application.
- The application responds to the web server with the HTML content.
- The web server forwards the HTML response to the browser, which then presents the login page to the user.
- The user enters the credentials and presses the submit/login button.
- The login form posts the credentials to the OAM server's credential collector URL (/oam/server/auth_cred_submit); this is the Embedded Credential Collector (ECC) mode. If a Distributed Credential Collector (DCC) is implemented through the SSO agent at the web server level, the credentials are first collected by the web server, which then acts as an additional security layer between the browser and the OAM server during login.
- The web server forwards the login request to the OAM server.
- The OAM server checks the authentication policy and sends the credentials to the user store configured in the OAM server. The user store is generally an LDAP directory such as eDirectory, OID, AD or OUD.
- The user store validates the credentials and responds to the OAM server with success or failure. On failure, the OAM server responds with an OAM error code in the HTTP headers.
- On success, the OAM server creates the user's session in its memory, then executes the authorization policy and checks whether the user satisfies the authorization rules. If so, the OAM server responds with an OAM success code in the HTTP headers; if not, the user is authenticated but access to the resource is denied.
- The web server receives the success status from the OAM server and requests the HTML content of the home page from the application.
- The application responds with the HTML content.
- The web server responds to the browser with the session cookie(s) and the HTML content.
- The browser stores the cookies and displays the application's home page to the user.
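The following is an added simulation of the whole flow above, written for this page and not taken from Oracle's code or documentation. It models the three parties the steps describe (SSO agent on the web server, OAM server with its policies and in-memory sessions, and an LDAP-like user store) so the redirect, public challenge URL, credential submit, authorization check and session cookie can be traced in working code. The class names, the cookie name OAM_SESSION, the paths /app/login and /app/home, the request_id form field and the user records are all assumptions; only the credential collector path /oam/server/auth_cred_submit comes from the article.

```python
"""Simulation of the OAM protected-resource login flow (added example).
Only CRED_SUBMIT comes from the article; everything else is an assumption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CRED_SUBMIT = "/oam/server/auth_cred_submit"   # ECC collector URL named in the article
LOGIN_PAGE = "/app/login"                      # assumed custom login page on the app
SESSION_COOKIE = "OAM_SESSION"                 # assumed cookie name


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Stand-in for the LDAP user store: salted password hashes plus group membership."""
    def __init__(self):
        self._users = {}

    def add(self, uid, password, groups):
        salt = secrets.token_bytes(16)
        self._users[uid] = (salt, _hash(password, salt), frozenset(groups))

    def authenticate(self, uid, password):
        rec = self._users.get(uid)
        if rec is None:
            _hash(password, b"dummy-salt")     # same cost for unknown users (no timing oracle)
            return False
        return hmac.compare_digest(rec[1], _hash(password, rec[0]))

    def groups(self, uid):
        return self._users[uid][2]


@dataclass
class Policy:
    protected: bool = True
    challenge_url: str = LOGIN_PAGE
    allowed_groups: frozenset = frozenset()    # empty = any authenticated user


class OamServer:
    """Stand-in for the OAM server: policies, in-memory sessions, authn/authz decisions."""
    def __init__(self, store, policies):
        self.store, self.policies, self.sessions = store, dict(policies), {}
        for res, pol in self.policies.items():
            # The challenge URL must itself be public, or the login redirect loops forever.
            target = self.policies.get(pol.challenge_url)
            if pol.protected and (target is None or target.protected):
                raise ValueError(f"challenge URL {pol.challenge_url} for {res} must be public")

    def check(self, resource, session_id):
        """Session check, then authentication and authorization policy for the resource."""
        pol = self.policies.get(resource, Policy())      # unknown resources default to protected
        if not pol.protected:
            return "allow", None
        sess = self.sessions.get(session_id) if session_id else None
        if sess is None:
            return "redirect", pol.challenge_url
        if pol.allowed_groups and not (pol.allowed_groups & sess["groups"]):
            return "deny", "authorization failed"
        return "allow", sess["uid"]

    def login(self, uid, password):
        """Validate against the user store and create an in-memory session on success."""
        if not self.store.authenticate(uid, password):
            return None, "authentication failed"
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"uid": uid, "groups": self.store.groups(uid)}
        return sid, None


class WebGate:
    """Stand-in for the SSO agent on the web server that intercepts every request."""
    def __init__(self, oam, app):
        self.oam, self.app = oam, app

    def handle(self, method, path, cookies=None, form=None):
        cookies, form = cookies or {}, form or {}
        if method == "POST" and path == CRED_SUBMIT:                 # credential submit (ECC)
            sid, err = self.oam.login(form.get("username", ""), form.get("password", ""))
            if err:
                return {"status": 401, "headers": {}, "body": err}
            dest = form.get("request_id", "/")                       # assumed: original URL in the form
            if not dest.startswith("/") or dest.startswith("//"):    # keep it on-site: no open redirect
                dest = "/"
            cookie = f"{SESSION_COOKIE}={sid}; Secure; HttpOnly; SameSite=Lax"
            return {"status": 302, "headers": {"Location": dest, "Set-Cookie": cookie}, "body": ""}
        decision, detail = self.oam.check(path, cookies.get(SESSION_COOKIE))
        if decision == "redirect":
            return {"status": 302, "headers": {"Location": f"{detail}?request_id={path}"}, "body": ""}
        if decision == "deny":
            return {"status": 403, "headers": {}, "body": detail}
        return {"status": 200, "headers": {}, "body": self.app(path)}   # fetch content from the app


def demo_app(path):
    """Constructed application: serves the custom login page and a home page."""
    pages = {LOGIN_PAGE: f'<form method="post" action="{CRED_SUBMIT}">...</form>',
             "/app/home": "<h1>Home</h1>"}
    return pages.get(path, "")


def build():
    store = UserStore()                                  # constructed user records
    store.add("alice", "correct horse", ["employees"])
    store.add("bob", "battery staple", ["contractors"])
    policies = {LOGIN_PAGE: Policy(protected=False),     # challenge URL is public
                "/app/home": Policy(allowed_groups=frozenset({"employees"}))}
    return WebGate(OamServer(store, policies), demo_app)


def run_flow(gate, uid, password):
    """Walks the article's steps and returns the HTTP status of each hop."""
    statuses = []
    r1 = gate.handle("GET", "/app/home")                           # no session: redirect to login
    statuses.append(r1["status"])
    login_url = r1["headers"]["Location"].split("?")[0]
    statuses.append(gate.handle("GET", login_url)["status"])       # public login page served
    r3 = gate.handle("POST", CRED_SUBMIT,
                     form={"username": uid, "password": password, "request_id": "/app/home"})
    statuses.append(r3["status"])                                  # authn result
    if r3["status"] != 302:
        return statuses
    sid = r3["headers"]["Set-Cookie"].split(";")[0].split("=", 1)[1]
    r4 = gate.handle("GET", r3["headers"]["Location"], cookies={SESSION_COOKIE: sid})
    statuses.append(r4["status"])                                  # authz result with session cookie
    return statuses


if __name__ == "__main__":
    g = build()
    print(run_flow(g, "alice", "correct horse"))   # [302, 200, 302, 200]
    print(run_flow(g, "alice", "wrong"))           # [302, 200, 401]
    print(run_flow(g, "bob", "battery staple"))    # [302, 200, 302, 403]
```

The constructor check in OamServer is the point practitioners most often trip over: a challenge URL that is itself protected produces an endless redirect between steps 5 and 9, so the simulation refuses such a policy set up front. The bob run shows the authenticated-but-unauthorized case from the authorization step: the session exists, but the group rule fails and the agent returns 403 rather than redirecting to login again.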
Authored By - Pankaj Kashyap
TCS Cyber Security Practice