In my organization we are doing this quite a bit. What we are doing in our applications is checking to see what groups a user is a member of. If they are not a member of a particular group they don't get access to that application.
So a user can attempt to log in to any application, and as long as they have a valid account they get authenticated. If the application then discovers that they are not in a necessary group, the authorization fails and they get a message saying they are unauthorized.
The ways to implement this will vary wildly across the technologies you may be using. In a Java web application you would just have to set up your security roles in the web.xml.
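The pattern described in this reply, as an added example that is not the poster's code or Oracle's: a servlet filter that leaves authentication to the OAM agent and enforces group membership in the application. It assumes the agent forwards the authenticated user as the `OAM_REMOTE_USER` header and the user's groups as an `OAM_GROUPS` header populated by an OAM policy response; both header names, the `requiredGroups` init-param and the `GroupAuthorizationFilter` class are assumptions for illustration.

```java
// Hypothetical servlet filter for a Java web application behind an OAM agent (WebGate).
// Assumes the agent has already authenticated the user and passes identity and group
// membership as request headers set via OAM policy responses; header names are assumed.
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class GroupAuthorizationFilter implements Filter {
    // The application must be reachable only through the agent; otherwise a client could
    // set these headers itself. Strip them from untrusted traffic at the proxy/agent.
    static final String USER_HEADER = "OAM_REMOTE_USER";   // assumed agent header
    static final String GROUPS_HEADER = "OAM_GROUPS";      // assumed policy-response header
    private Set<String> requiredGroups = Collections.emptySet();

    public void init(FilterConfig config) {
        // Comma-separated <init-param> "requiredGroups", e.g. app-users,app-admins
        String param = config.getInitParameter("requiredGroups");
        if (param != null && !param.trim().isEmpty()) {
            requiredGroups = new HashSet<>(Arrays.asList(param.trim().split("\\s*,\\s*")));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Authentication is OAM's job: no asserted user means the agent did not run.
        String user = request.getHeader(USER_HEADER);
        if (user == null || user.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorization is the application's job: require membership in a listed group.
        if (!isAuthorized(request.getHeader(GROUPS_HEADER), requiredGroups)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Fails closed: true only if some agent-supplied group matches a required group. */
    static boolean isAuthorized(String groupsHeader, Set<String> required) {
        if (groupsHeader == null || required.isEmpty()) return false;
        for (String g : groupsHeader.split("[,;]")) {
            if (required.contains(g.trim())) return true;
        }
        return false;
    }

    public void destroy() {}
}
```

Register it in web.xml with a `<filter>` element carrying the `requiredGroups` init-param and a `<filter-mapping>` covering the protected URL patterns; the OAM policy for those URLs then only needs an authentication rule, not an authorization rule.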
Thanks for the quick response. My question is "For SSO, how can I do only authentication at the OAM level but authorization at the application level?"
That is, how to avoid authorization at the OAM level, and how does session management work for SSO if we are avoiding authorization at the OAM level, so the Agent does not have information on the session, if I am not wrong.
User session lifecycle settings are part of the OAM Common Settings.
The following parameters are available in the OAM Common Settings: Session Lifetime, Max no. of sessions per user, Idle Timeout.
The following is from the docs about Session Lifetime:
"The amount of time, in minutes, that a user's authentication session remains valid. When the lifetime is reached, the session expires.
Default = 480 minutes
A value of 0 disables this timeout setting. Any value between -2147483648 and 2147483647 is allowed."
This is for 11gR1 but should be true for R2 as well. If not, someone can comment. This session lifetime is based on the user authentication, so this would satisfy your requirement for controlling session lifetime via user authentication.
Hope this helps. If your requirement is different let us know.