Using OAM 11g 22.214.171.124 to protect resources in a custom app built upon Oracle FMW 126.96.36.199 (WebCenter, Spaces). The app works properly. Single sign-on is implemented.
Microsoft Server 2008 Active Directory is used as LDAP server that hosts users and groups for the app.
When logging in with a valid user name and an invalid password for the account, the user exceeds the allowed number of invalid logins (MaxRetry = 5).
So on five attempts we get OAM-2 coming back from the OAM server.
On the fifth attempt the user gets OAM-5 and the redirect set in OAM Policy to Failed URL kicks in, which is fine.
However the concern is that the user is not locked in the Active Directory server, so the user can still log in to the site with the correct username and password.
This is expected behaviour - the MaxRetryLimit controls the maximum number of failed attempts in a browser session, it does not lock out users. If you want to lock users out in these circumstances, you either need to integrate with OIM, or use OAM's own password policy (available in OAM 11.1.2).
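A quick way to verify the point made in this answer is to read the account's own lockout attributes from Active Directory rather than relying on the OAM error code. The following is an added example, not code from the thread or from Oracle; it evaluates AD's lockoutTime, badPwdCount, lockoutThreshold and lockoutDuration attributes offline, using constructed sample values in place of a real LDAP search.

```python
from datetime import datetime, timedelta, timezone

# AD stores lockoutTime as 100-ns intervals since 1601-01-01 UTC, and the
# domain root's lockoutDuration as a *negative* 100-ns interval.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """True if AD would still refuse a bind for this account right now.
    lockoutTime == 0 means never locked (or the lock was cleared);
    lockoutDuration == 0 means the account stays locked until an admin unlocks it."""
    if lockout_time == 0:
        return False
    if lockout_duration == 0:
        return True
    unlock_at = filetime_to_datetime(lockout_time) + timedelta(
        microseconds=(-lockout_duration) // 10)
    return now < unlock_at

def lockout_report(user_attrs: dict, domain_attrs: dict, now: datetime) -> dict:
    """user_attrs: badPwdCount/lockoutTime of the user object, as strings the
    way an LDAP search returns them; domain_attrs: lockoutThreshold and
    lockoutDuration read from the domain root. Note that badPwdCount is kept
    per domain controller and is not replicated, so query the PDC emulator
    or every DC; lockoutTime is replicated."""
    bad = int(user_attrs.get("badPwdCount", "0"))
    lt = int(user_attrs.get("lockoutTime", "0"))
    threshold = int(domain_attrs.get("lockoutThreshold", "0"))
    duration = int(domain_attrs.get("lockoutDuration", "0"))
    remaining = None if threshold == 0 else max(threshold - bad, 0)  # 0 = never lock
    return {"locked": is_locked_out(lt, duration, now),
            "bad_pwd_count": bad, "attempts_remaining": remaining}

# Constructed sample data (not from the thread): 5-attempt threshold with a
# 30-minute lockout window, one user with 3 failures and one locked at 12:00.
DOMAIN = {"lockoutThreshold": "5", "lockoutDuration": str(-30 * 60 * 10_000_000)}
NOW = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)
ALICE = {"badPwdCount": "3", "lockoutTime": "0"}
BOB = {"badPwdCount": "5", "lockoutTime": str(
    datetime_to_filetime(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)))}

if __name__ == "__main__":
    for name, attrs in (("alice", ALICE), ("bob", BOB)):
        print(name, lockout_report(attrs, DOMAIN, NOW))
```

If every account reports locked == False after OAM returns its retry-limit error, the failures never reached an AD lockout, which is exactly the situation the answer describes.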