Oracle Access Manager – What’s new in PS2


Oracle Access Manager 11gR2 – PS2 is now out!  This post will cover some of the new features in PS2.

There are six new features I will discuss:

  • Dynamic Authentication
  • Persistent Login (Remember Me)
  • Policy Evaluation Ordering
  • Delegated Administration
  • Unified Administration Console
  • Session Management
    • Granular Idle Timeout
    • Client Cookie based Session

Main Article

Dynamic Authentication

Dynamic authentication is the ability to define which authentication scheme is presented to a user based on some condition. For example, if a user is using a specific browser, say Firefox, you can present a scheme that applies only to Firefox users. Here are some screen shots:


Select the ‘Advance Tab’



Specify the condition and define what scheme you want.


Persistent Login (Remember Me)

Persistent Login is the ability to let users log in without credentials after the first-time login. This feature is disabled by default and can be set at the application domain level. Again, here are some screen shots:











Policy Evaluation Ordering

The out-of-the-box policy evaluation uses a “best match” algorithm. In PS2 you now have the option to specify a custom order for policies for a particular application domain. Also, if you are migrating from 10g, the policy order is maintained.
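To see why the evaluation order matters, here is an added example (not OAM code and not part of the original post). It models “best match” as "the matching pattern with the most literal characters wins" and custom ordering as "first match wins"; both models, and all policy names, patterns and URLs, are assumptions constructed for illustration. It reports every URL whose governing policy changes between the two modes.

```python
from fnmatch import fnmatchcase

# Constructed policies for one application domain, in the administrator's
# custom order: (policy name, resource pattern, protection level).
POLICIES = [
    ("site-public", "/app/*", "anonymous"),
    ("admin-area", "/app/admin/*", "form-login"),
    ("admin-audit", "/app/admin/audit/*", "form-login+otp"),
]

# Constructed URL inventory to check before switching evaluation modes.
URLS = ["/app/index.html", "/app/admin/users", "/app/admin/audit/log", "/other"]

def specificity(pattern):
    """Count literal (non-wildcard) characters: a stand-in for 'best match'."""
    return sum(1 for ch in pattern if ch not in "*?")

def best_match(url, policies):
    """Most specific matching policy, regardless of list order."""
    hits = [p for p in policies if fnmatchcase(url, p[1])]
    return max(hits, key=lambda p: specificity(p[1]), default=None)

def ordered_match(url, policies):
    """First matching policy in the administrator-defined order."""
    return next((p for p in policies if fnmatchcase(url, p[1])), None)

def order_changes(urls, policies):
    """Map url -> (best-match policy, ordered policy) where the modes disagree."""
    changes = {}
    for url in urls:
        best, first = best_match(url, policies), ordered_match(url, policies)
        if best != first:
            changes[url] = (best and best[0], first and first[0])
    return changes

if __name__ == "__main__":
    # Broad policy listed first: it shadows both admin policies.
    for url, (best, first) in order_changes(URLS, POLICIES).items():
        print(f"{url}: best-match={best} ordered={first}")
    # Most specific policy first: ordered evaluation agrees with best match.
    print(order_changes(URLS, list(reversed(POLICIES))))
```

Running a comparison like this over a real URL inventory before enabling custom ordering shows which resources would fall under a broader, weaker policy.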




Delegated Administration

Ah, our old friend is back! For those of you who remember, in older versions of OAM (10g and prior) you had the ability to select users who can administer their own application domains. In PS2, there is a new role called ‘Application Domain Admin Role’. These users now have full access to application domains. Also, the migration from 10g will preserve the admin configuration. This is supported via the UI as well as the REST API.





Unified Administration Console

The console screen has a new look; a new single ‘Launch Pad’ screen with services that are enabled based on user roles.  The tree navigation has been removed.


Session Management
Granular Idle Timeout

You now have the ability to set idle session timeouts at the application domain level; this will override the global settings. In this example, the idle session timeout is set to fifteen minutes as the global setting, whereas it is set to five minutes in the application domain.





Client Cookie based Session

Cookie-based sessions are more scalable because all session data is maintained on the client side (browser). This is designed for very large deployments where server-side sessions can be more expensive; it makes the server stateless. This is very similar to OAM 10g; however, it does not support the following:

  • Session Management, session limits
  • Identity Context
  • Granular Timeout
  • Session attribute based on authorization policies
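A minimal model of a client-side session, added here as an illustration; it is not OAM's cookie format or code, and it is not from the original post. The HMAC-signed JSON payload, the key, the single global timeout and the function names are all assumptions. It shows why a stateless server can validate a session and enforce one idle timeout from the cookie alone, yet has no record with which to count or list a user's sessions.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # constructed value; use a managed secret in practice
IDLE_TIMEOUT = 15 * 60                # one global idle timeout, in seconds

def _sign(payload: bytes) -> str:
    """Authenticate the payload so the client cannot alter its own session data."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_cookie(user, now):
    """Serialize the whole session into the cookie; nothing is stored server-side."""
    body = json.dumps({"user": user, "last_seen": now}).encode()
    payload = base64.urlsafe_b64encode(body)
    return payload.decode() + "." + _sign(payload)

def validate_cookie(cookie, now):
    """Return (user, refreshed_cookie), or None if forged, malformed or idle too long."""
    payload, _, sig = cookie.rpartition(".")
    expected = _sign(payload.encode())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload))
    if now - data["last_seen"] > IDLE_TIMEOUT:
        return None
    # Activity slides the idle window by re-issuing the cookie with a new timestamp.
    return data["user"], issue_cookie(data["user"], now)

if __name__ == "__main__":
    first = issue_cookie("alice", 1000)
    second = issue_cookie("alice", 1005)   # a second login for the same user
    # Both validate independently: the server keeps no list of sessions,
    # so it cannot apply a per-user session limit.
    print(validate_cookie(first, 1600)[0], validate_cookie(second, 1600)[0])
    print(validate_cookie(first, 1000 + IDLE_TIMEOUT + 1))  # None: idle too long
```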


Additional features

This is just a short list of improvements in PS2.  Other enhancements include:

  • Upgrade Enhancements
  • Install/Patching Automation for IDM
  • Multi-Data-Center Deployment.  You can read more here.
  • Automated Replication
  • Performance Enhancements
  • SHA-2 Encryption for Webgates
  • IPV6 Support
  • Customized Error Pages
  • Complete convergence for Federation – Service Provider(SP) & Identity Provider(IDP)

I want to thank our OAM PM, Venu Shastri, for providing this list of new features.


  1. Tusar Rout says:

    Hi Vinay,

    I have installed and configured FMW- (OAM, OID, OHS, WebGate, EBS Access Gate-1.2.2) with Windows Active Directory-2003. AD Users have been propagated from AD to OID (sync profile). FMW-11g is working fine with EBS-R12.1.3, OAM + WNA (Native Authentication) is also working fine. Users are able to access EBS-R12 without asking for any password.

    EBS-R12.1.3 was integrated with Discoverer: and working fine with SSO-10g (OID/SSO) before implementing FMW-11g. After FMW-11g implementation, we are unable to access Discoverer- reports through EBS-R12 (+ OAM + WNA). I have configured OSSO agent (mod_osso) with OAM- for Discoverer-11.1.13, copied osso.conf from OAM server to Discoverer server ($INST_HOME/OHS/ohs1/osso), already put osso.conf path entry in mod_osso.conf file and bounced opmn processes @ DISCO, but no luck.

    Server: AIX-6.1 (64bit)

    I have few queries regarding DISCOVERER- and OAM-

    1> As I have configured WebGate for EBS and OAM, will it be creating any problem with mod_osso agent while dealing with DISCO- ?

    These are Oracle updates (SR), but trying to clarify the 2nd statement.

    ============== Oracle Updates (SR) ===============================
    Yes, you need to be on Discoverer version or higher in order to use OAM.

    Moreover, since you are using WebGate for EBS access, if you are accessing Discoverer through EBS, it could have issue.

    2> DISCOVERER- is supported till when (May, 2014???)

    3> mod_osso agent configuration is fine for Upgrade approach (SSO-10 to OAM-11g (FMW-11g)), but in my case it is a fresh FMW-11g implementation and I have followed the

    Oracle standard and suggested Practice with Web gate- and EBS Access gate-1.2.2. But I am stuck with DISCOVERER- reports through EBS.

    Is it feasible to use mod_osso (DISCO + OAM) and Web Gate (EBS + OAM) in a same environment (for different purpose)?

    Can you please update if anyone has done DISCO- configuration with OAM- and EBS-R12.1.3, to understand the issue with more clarity?

    Note: My client doesn’t want to touch (upgrade) DISCO- and raised concern that it is working fine with SSO-10g then why not with OAM-11g?

