Wednesday, August 13, 2008

How To: Setting up Oracle Access Manager for Multiple Authentication Types

David Abramowicz, a Senior Sales Consultant for Oracle in Sweden, put together a how-to for setting up OAM with multiple authentication types while still returning the user to the originally requested URL.

Thanks David!

Background

Frequently customers want their users to choose between several authentication types, but still be redirected back to the originally requested URL after authentication. This requires setting up an authentication scheme that brokers between the real authentication mechanisms, plus some redirect manipulation as described in this document.

Basically, a forms-based authentication scheme is set up whose "login form" is a list of URLs, each protected with a different authentication mechanism. After the user selects one of the URLs, that particular mechanism's authentication is executed. The user is then redirected back to the originally requested URL.


In order to set this up, you need to execute the following steps:
  • Set up new authentication mechanism: “Authentication Selection”
  • Set up redirection script on action URL of “Authentication Selection”
  • Make a list of authentication URLs for “Authentication Selection” to choose from
  • Create a policy domain for Authentication URLs

End-User Flow

1. User accesses URL protected with “Authentication Selection”
2. User gets redirected to “Authentication Selection” form URL
3. User chooses between authentication mechanisms
4. User authenticates successfully
5. User gets redirected to action URL of “Authentication Selection”
6. User gets redirected to originally requested URL


Set up new authentication mechanism: “Authentication Selection”

  • Create a “Form” authentication mechanism and call it “Authentication Selection Level 1”
  • Make sure the mechanism has passthrough:yes, so that the request actually reaches the action URL page, which needs access to the originally requested URL

It is important to ensure that users can’t actually authenticate using this mechanism itself; this is controlled by the scheme's credential_mapping plugin configuration:

Set up redirection script on action URL of “Authentication Selection”

On the action URL of “Authentication Selection”, redirect to the originally requested URL by parsing the ObFormLoginCookie:

<--code snippet for parsing obFormLoginCookie-->

<%@ page import="java.util.*" %>
<%
// Get the originally requested URL from the ObFormLoginCookie set by the
// WebGate, rebuild it and redirect the now-authenticated user there.
Cookie[] cookies = request.getCookies();
String cookieValue = null;
if (cookies != null) {
    for (int i = 0; i < cookies.length; i++) {
        if (cookies[i].getName().equalsIgnoreCase("ObFormLoginCookie")) {
            cookieValue = cookies[i].getValue();
            break;
        }
    }
}
if (cookieValue == null) {
    // No WebGate redirect cookie present: there is nothing to return to.
    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "ObFormLoginCookie not found");
    return;
}

// The cookie value is URL-encoded; decode it explicitly as UTF-8.
cookieValue = java.net.URLDecoder.decode(cookieValue, "UTF-8");

// The decoded value is a whitespace-separated list of key=value tokens:
// the requested path is the second token, the requested host the fourth.
String relativeURL = null, host = null, redirectURL = null;

StringTokenizer tokenizer = new StringTokenizer(cookieValue);
tokenizer.nextToken();
relativeURL = tokenizer.nextToken();
relativeURL = relativeURL.substring(relativeURL.indexOf("=") + 1);

tokenizer.nextToken();
host = tokenizer.nextToken();
host = host.substring(host.indexOf("=") + 1);

redirectURL = host + relativeURL;
response.sendRedirect(redirectURL);

%>

<--code snippet-->
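Note that the redirect target above is built entirely from a client-supplied cookie: nothing checks that the host in the ObFormLoginCookie is one of your own WebGate-protected hosts, so a tampered cookie could send a freshly authenticated user anywhere. Treat it like any other redirect parameter. Below is an added example (not from the original post and not Oracle code) of the same parsing done as a stand-alone Java class with a host allowlist and path checks; the allowed host names, the sample cookie values and the placeholder key names in them are constructed for illustration, and the token layout (path in the second token, host in the fourth) follows the JSP above. It needs Java 10 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;
import java.util.StringTokenizer;

/**
 * Hardened version of the redirect logic in redirect.jsp: parses the
 * ObFormLoginCookie the same way (whitespace-separated key=value tokens,
 * requested path in the second token, requested host in the fourth) but only
 * redirects to hosts this deployment actually protects.
 */
public final class SafeLoginRedirect {

    // Host names (with optional port) that WebGates in this deployment front.
    // Constructed example values; replace with the real protected hosts.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.example.com", "intranet.example.com:8443");

    /**
     * Returns the absolute URL to redirect to, or null when the cookie is
     * missing, malformed, or points outside the allowed hosts.
     */
    public static String buildRedirect(String rawCookieValue) {
        if (rawCookieValue == null || rawCookieValue.isEmpty()) {
            return null;
        }
        String decoded = URLDecoder.decode(rawCookieValue, StandardCharsets.UTF_8);
        StringTokenizer tokenizer = new StringTokenizer(decoded);
        if (tokenizer.countTokens() < 4) {
            return null; // truncated or unexpected layout
        }
        tokenizer.nextToken();
        String relativeURL = valueAfterEquals(tokenizer.nextToken());
        tokenizer.nextToken();
        String host = valueAfterEquals(tokenizer.nextToken());
        if (relativeURL == null || host == null) {
            return null;
        }

        // The path must stay site-relative. "//evil" and "/\evil" are treated as
        // scheme-relative by browsers, an embedded scheme would name a foreign
        // site outright, and CR/LF must never reach a Location header.
        if (!relativeURL.startsWith("/") || relativeURL.startsWith("//")
                || relativeURL.startsWith("/\\") || relativeURL.contains("://")
                || relativeURL.indexOf('\r') >= 0 || relativeURL.indexOf('\n') >= 0) {
            return null;
        }

        URI hostUri;
        try {
            hostUri = new URI(host);
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = hostUri.getScheme();
        String authority = hostUri.getRawAuthority();
        if (scheme == null || !(scheme.equals("http") || scheme.equals("https"))
                || authority == null || hostUri.getRawUserInfo() != null
                || !ALLOWED_HOSTS.contains(authority.toLowerCase(Locale.ROOT))) {
            return null;
        }
        // Rebuild from the validated parts instead of concatenating raw tokens.
        return scheme + "://" + authority.toLowerCase(Locale.ROOT) + relativeURL;
    }

    private static String valueAfterEquals(String token) {
        int eq = token.indexOf('=');
        return eq < 0 ? null : token.substring(eq + 1);
    }

    public static void main(String[] args) {
        // Constructed decoded cookie values; "a", "b", "ru", "rh" are placeholder
        // keys chosen to match the positional layout the JSP relies on.
        String[] samples = {
            "a=1 ru=/portal/home.jsp b=2 rh=https://www.example.com",              // accepted
            "a=1 ru=//evil.example.org/ b=2 rh=https://www.example.com",           // scheme-relative path
            "a=1 ru=/portal/home.jsp b=2 rh=https://evil.example.org",             // foreign host
            "a=1 ru=/portal/home.jsp b=2 rh=https://www.example.com@evil.example.org", // userinfo trick
            "a=1 ru=/portal/home.jsp",                                             // truncated cookie
        };
        for (String s : samples) {
            // Encode as the browser would send it, then run the real entry point.
            String encoded = URLEncoder.encode(s, StandardCharsets.UTF_8);
            System.out.println(s + "  ->  " + buildRedirect(encoded));
        }
    }
}
```

Only the first sample yields a redirect (to https://www.example.com/portal/home.jsp); every other one returns null and the JSP should then fall back to a fixed landing page rather than redirecting. Putting the check in one class keeps the policy in a single place if the same action URL is reused for the "Level 2" scheme described later.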

Make a list of authentication URLs for “Authentication Selection” to choose from
  • Create a web page listing two or more authentication mechanisms.
  • Every list item should point to a URL that, once the user has authenticated with the mechanism protecting it, redirects to the action URL of “Authentication Selection”:
    <%response.sendRedirect("redirect.jsp");%>
  • Make sure you don’t use the same action URL for “Authentication Selection” as for any of the real forms-based authentication mechanisms, as this could overwrite the ObFormLoginCookie that OAM uses for the redirection


Create a policy domain for Authentication URLs

  • Create a policy domain that protects this list.
  • The authorization rule for all URLs in the list should be “Allow all”
  • For each authentication mechanism in the URL list, create a policy for its URL
  • The authentication rule of each URL/policy must be set so that the URL is protected with the appropriate authentication mechanism


That's it! You should be all set to go. You can also set this up to work with multiple authentication levels.


Authentication Selection with Levels
  • Create another “Form” based authentication scheme as above, called “Authentication Selection Level 2”
  • Point its form URL to a new list of authentication mechanisms, all of which have authentication level 2.
