We have moved to http://onlineAppsDBA.com; kindly check http://onlineAppsDBA.com in future.
Access Manager: WebGate Request Flow
Sunday, April 15, 2007
For the basics of Access Manager (formerly Oblix COREid, now an Oracle Identity Management component), follow these previous links:
- Access Manager Overview
- Access Manager overview II
- Installing Access Manager / COREid
WebGate is a web server plug-in that communicates between the user and the Access Server (another component of Access Manager). It accepts the user's request via the web server (Apache, Oracle HTTP or IBM Web Server) and communicates with the Access Server component of COREid/Access Manager. If the request is protected by a policy (already defined using Policy Manager), WebGate sends the user an authentication challenge based on the authentication policy defined in the Access Server for that resource. Once the user is authenticated, the authorization policy for that resource is checked and, depending on that policy, access to the resource (URL) is granted or denied.
As a typical example, assume a user requests the resource http://teachmeoracle.com/aboutme.html, where teachmeoracle.com is a web server listening on port 80 and the resource /aboutme.html is protected by a policy (already defined through the Access Server console; more on that coming in the near future). As per the policy, only "authenticated users" whose IP address is 198.16.X.X are allowed to access this resource (aboutme.html).
Assumptions:
A) You have already installed the Identity Server, WebPass and Access Server components on some servers.
B) You have installed and configured WebGate on the web server hosting the site teachmeoracle.com.
C) The resource /aboutme.html is protected by the policy mentioned above.
Here are the steps that take place:
1. The user types the URL in the browser.
2. The request hits the web server, which is configured with WebGate/AccessGate.
3. WebGate communicates with the Access Server component of Access Manager/COREid to see whether the resource is protected.
4. The Access Server replies to WebGate with the authentication and authorization policy for that resource.
5. Based on the authentication scheme, WebGate asks for the corresponding authentication challenge (LDAP username/password or any custom form authentication).
6. WebGate accepts the username/password from the user and (if the authentication is NetPoint over an LDAP server) passes them on to the Access Server, which in turn checks the username/password against the directory server (LDAP server) configured with this Access Server.
7. If authentication is successful, go to the next step; if authentication fails, go to step 9.
8. If authentication is successful, the Access Server checks whether the user is authorized to access this page. If the client making the request is within IP 198.16.X.X, access to the resource is granted. If the user is not from this IP range, access to the resource is denied.
9. If user authentication failed, access is denied, or the next process happens as defined in the authentication failure action in Policy Manager.
Other authorization policies may look like this:
A. Specific users authorized for a resource.
B. A group of users authorized for a resource.
C. Authorization based on role.
D. Authorization based on the IP address of the client.
You can also define a time window during which the resource will be available, for example Monday to Friday, 9:00 AM to 5:30 PM.
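The decision sequence in the steps above, together with the IP-range and time-window rules, can be modelled in a few lines. This is an added illustration, not Oracle Access Manager code or its API: the function names, return values, the sample user and the choice to combine the IP rule and the time window in one policy are all assumptions.

```python
import hmac
import ipaddress
from datetime import datetime, time

# Constructed policy store standing in for what Policy Manager would hold.
POLICIES = {
    "/aboutme.html": {
        "allowed_net": ipaddress.ip_network("198.16.0.0/16"),  # 198.16.X.X
        "days": range(0, 5),                                   # Monday..Friday
        "window": (time(9, 0), time(17, 30)),                  # 9:00 AM to 5:30 PM
    }
}
# Constructed directory entry standing in for the LDAP server
# (plaintext only to keep the model short).
DIRECTORY = {"alice": "correct horse"}


def authenticate(user, password):
    """Steps 5-7: check the submitted credentials against the directory."""
    stored = DIRECTORY.get(user)
    if stored is None or password is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def authorize(policy, client_ip, when):
    """Step 8: IP-range rule plus the optional time window."""
    if ipaddress.ip_address(client_ip) not in policy["allowed_net"]:
        return False
    start, end = policy["window"]
    return when.weekday() in policy["days"] and start <= when.time() <= end


def handle_request(path, client_ip, when, user=None, password=None):
    """Return the outcome a WebGate-like filter would enforce for one request."""
    policy = POLICIES.get(path)          # steps 3-4: is the resource protected?
    if policy is None:
        return "ALLOW_UNPROTECTED"
    if user is None:
        return "CHALLENGE"               # step 5: ask for credentials
    if not authenticate(user, password):
        return "DENY_AUTHN_FAILED"       # step 9
    if not authorize(policy, client_ip, when):
        return "DENY_NOT_AUTHORIZED"     # step 8: rule not satisfied
    return "ALLOW"
```

Note the ordering: authorization is only evaluated after authentication succeeds, and an unlisted path is served without any check, so a resource missing from the policy store is effectively public.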
More on Oracle-Oblix COREid / Oracle Access Manager coming soon: difference between WebGate/Access Gate; Identity Server, Web Pass, Policy Manager, Access Server.
Labels: idm
posted by Atul Kumar @ 9:03 PM
1 Comment:
Hi Atul,
Thanks for the nice explanation.
Recently I had configured the OAM WebGate with IIS 6.0. I could observe that its ISAPI filter (the DLL file is webgate.dll) always gets loaded with high priority. Please correct me if I am wrong. But again, if I configure any other ISAPI filter with the same name (webgate.dll), then requests are never served for the latter. Why is it so?
Thanks & Regards, Tanuja