6 Replies Latest reply: May 18, 2013 11:11 PM by 991448

    Can I do only authentication at OAM level?

    941300
      Hi,

      For SSO, how can I do only authentication at OAM level but authorization at application level?

      That is, how do I avoid authorization at OAM level, and how will session management work for SSO? Since we are avoiding authorization at OAM level, the Agent does not have information on the session, if I am not wrong.

      Any thoughts/suggestions please.

      Edited by: IgnitedMind on May 1, 2013 12:17 AM
        • 1. Re: Can I do only authentication at OAM level?
          Aaron Cirillo
          In my organization we are doing this quite a bit. What we are doing in our applications is checking to see what groups a user is a member of. If they are not a member of a particular group they don't get access to that application.

          So a user can attempt to log in to any application, and as long as they have a valid account they get authenticated. If the application then discovers that they are not in a necessary group, the authorization fails and they get a message saying they are unauthorized.

          The ways to implement this will vary wildly across the technologies you may be using. In a Java web application you would just have to set up your security roles in the web.xml.
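Aaron's web.xml suggestion, spelled out as an added example (this is not code from the thread or from Oracle). It assumes a WebLogic deployment in which OAM WebGate has already authenticated the request and an OAM Identity Asserter has turned the OAM_REMOTE_USER header into the container principal, so the container knows who the user is and this file decides what they may reach. The role names app-users and app-admins and the URL patterns are made up for the illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.xml (added illustration, not from the thread or from Oracle).
     Assumption: OAM WebGate authenticates the user and a WebLogic OAM Identity
     Asserter maps the OAM_REMOTE_USER header to the container principal.
     OAM does "who are you"; the constraints below do "what may you reach". -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Everything under /secure/ requires membership of the app-users role.
       Pages outside the constrained patterns are still authenticated by OAM
       but carry no application-level restriction. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected application pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>app-users</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Administrative pages live under a separate prefix and need a narrower
       role, so an ordinary authenticated user gets 403, not the admin UI. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>app-admins</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- CLIENT-CERT is the auth-method WebLogic uses for perimeter
       (identity-asserter based) authentication. There is no form login in the
       application because OAM has already performed it. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <!-- Role names used above; they are bound to directory groups in weblogic.xml
       (hypothetical group names would go in security-role-assignment there). -->
  <security-role>
    <role-name>app-users</role-name>
  </security-role>
  <security-role>
    <role-name>app-admins</role-name>
  </security-role>
</web-app>
```

The roles are bound to directory groups in weblogic.xml with security-role-assignment elements, using whatever group names your directory carries. Two things to check with this pattern: identity assertion trusts the OAM_REMOTE_USER header, so the application server must not be reachable on any path that bypasses the WebGate; and the constraints are container-side, so any resource that falls outside the constrained URL patterns is authenticated by OAM but otherwise open to every logged-in user.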
          • 2. Re: Can I do only authentication at OAM level?
            941300
            Aaron,

            Thanks for the quick response. My question is "For SSO, how can I do only authentication at OAM level but authorization at application level?"

            That is, how do I avoid authorization at OAM level, and how will session management work for SSO? Since we are avoiding authorization at OAM level, the Agent does not have information on the session, if I am not wrong.
            • 3. Re: Can I do only authentication at OAM level?
              Aaron Cirillo
              All you have to do to avoid authorization in OAM is to leave your authorization policy blank. That will cause OAM not to do any authorization, but it will still do authentication.
              • 4. Re: Can I do only authentication at OAM level?
                941300
                Hi,

                Without an OAM authorization policy, how will SSO work or handle session management?
              • 5. Re: Can I do only authentication at OAM level?
                  986632
                  User session lifecycle settings are part of the OAM Common Settings.
                  The following parameters are available in the OAM Common Settings:
                  Session Lifetime, Max no. of sessions per user, Idle Timeout.

                  The following is from the docs about Session Lifetime:

                  "The amount of time, in minutes, that a user's authentication session remains valid. When the lifetime is reached, the session expires.
                  Default = 480 minutes
                  A value of 0 disables this timeout setting. Any value between -2147483648 and 2147483647 is allowed."

                  This is for 11gR1 but should be true for R2 as well. If not, then someone can comment. This session lifetime is based on the user authentication. So this would satisfy your requirement for controlling session lifetime via user authentication.
                  Hope this helps. If your requirement is different let us know.
                  • 6. Re: Can I do only authentication at OAM level?
                    991448
                    You can use a public authorization policy, and use the anonymous scheme for authorization.