OAM: Basics



What is OAM

Everyone knows that OAM is an access management tool which provides centralised control over authentication and authorization. Yes, that is the main purpose of OAM, but its stability and its flexibility to incorporate most of the security standards, together with easy debugging and auditing, make it stand out from the rest of the products available in the market. I do agree that the Oracle documentation is not that great, and if you don't know what you are looking for it will give you a hard time.

Everything that I am going to discuss in this blog series is documented in the Oracle documentation, and I have learned it through trial and error. I would suggest you go through the Oracle documentation first, as it is the official reference. The technology will change and my blog will become outdated (I will try my best to keep it updated, but it's a side project). For new folks I would suggest starting with the OAM student guide, then the Admin Guide, and once you are comfortable with OAM taking a deep dive into the Dev Guide. Most of the difficulty in configuring OAM comes from following the wrong documentation. So make sure you use the correct documentation for your particular version of OAM, because minor differences in steps and configuration will make or break things.


How it works

In layman's terms, OAM works like a receptionist in an office. When a new user arrives, OAM asks "Who are you, and whom do you want to meet?" Based on predefined rules and logic it decides whether the user is allowed to access the resource or not.

In our digital world there are a lot of notorious guys who want to sneak in silently, so OAM has an army of webgates (similar to the security guards in an office). It doesn't matter which resource you want to access: a webgate will intercept you, make a call to OAM to check whether the resource is public or protected, and take further action based on the OAM response.

P.S. I explained the same thing to my brother and he started comparing it to The Matrix. No, we are still not that technologically advanced, and no, a webgate is not like Agent Smith.

What does an OAM setup look like?




Let's say Agent Smith tries to access App1; his request is routed through a web server (OHS) proxying the resource. Webgate1, which is deployed in OHS1, will intercept the request and check with OAM whether Agent Smith is allowed to access the resource. As this is the first time for Agent Smith, OAM will ask for credentials, and once he is authenticated it evaluates the authorization policies. If all the checks succeed, OAM will redirect the request back to the webgate with permission to access the resource.

Now Agent Smith tries to access App2. Webgate2 will make a call to OAM, and OAM will check whether Agent Smith is already authenticated. As Agent Smith is already authenticated, OAM will evaluate the authorization policies, and only then will access be allowed.

Communication between the webgate and OAM happens over the Oracle Access Protocol (OAP), and the redirections happen over HTTP/S.
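To make the webgate/OAM flow above concrete, here is an added toy model (not Oracle code, and not how OAM is implemented internally) of the decisions just described: a public resource passes straight through, a protected resource without a session is redirected to OAM for credentials, and once a session exists every access still goes through authorization. The users, passwords, resource names and policies are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy store for the toy OAM: is the resource protected, and who may use it.
POLICIES = {
    "/app1": {"protected": True, "allowed_users": {"agent.smith", "neo"}},
    "/app2": {"protected": True, "allowed_users": {"neo"}},
    "/public": {"protected": False, "allowed_users": set()},
}
DEFAULT_POLICY = {"protected": True, "allowed_users": set()}  # unknown resources stay protected
CREDENTIALS = {"agent.smith": "secret1", "neo": "secret2"}     # constructed test users


@dataclass
class OAMServer:
    """Central decision point: authenticates users, keeps sessions, evaluates authorization."""
    sessions: dict = field(default_factory=dict)  # session id -> user name

    def policy(self, resource):
        return POLICIES.get(resource, DEFAULT_POLICY)

    def authenticate(self, user, password):
        """Return a new session id on success, None on bad credentials."""
        if CREDENTIALS.get(user) != password:
            return None
        sid = f"sess-{len(self.sessions) + 1}"    # sessions are never removed in this toy
        self.sessions[sid] = user
        return sid

    def authorize(self, sid, resource):
        """Authorization is evaluated on every access, even with a valid session."""
        user = self.sessions.get(sid)
        return user is not None and user in self.policy(resource)["allowed_users"]


class WebGate:
    """Intercepts each request to its web server and defers the decision to OAM."""
    def __init__(self, oam):
        self.oam = oam

    def handle(self, resource, sid=None, creds=None):
        """Return (decision, session id). creds is (user, password) posted to the login page."""
        if not self.oam.policy(resource)["protected"]:
            return "ALLOW", sid                      # public resource: no session needed
        if sid not in self.oam.sessions:             # no valid SSO session yet
            if creds is None:
                return "REDIRECT_LOGIN", None        # send the user to OAM for credentials
            sid = self.oam.authenticate(*creds)
            if sid is None:
                return "DENY", None                  # wrong credentials
        decision = "ALLOW" if self.oam.authorize(sid, resource) else "DENY"
        return decision, sid
```

Both webgates share the same OAMServer, which is what gives Agent Smith single sign-on to App2 without a second login while still letting the App2 policy deny him.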

I will cover this in more detail in my next post.

Thank you for reading.
