Best Practices from Oracle Development's A‑Team
-
Identity Management (IdM) /
Access Management,
Identity, Access Management & Security
February 14, 2014
Oracle Access Manager - What's new in PS2
Introduction
Oracle Access Manager 11gR2 - PS2 is now out! This post will cover some of the new features in PS2.
There are six new features I will discuss:
- Dynamic Authentication
- Persistent Login (Remember Me)
- Policy Evaluation Ordering
- Delegated Administration
- Unified Administration Console
- Session Management
- Granular Idle Timeout
- Client Cookie based Session
Main Article
Dynamic Authentication
Dynamic authentication is the ability to define what authentication scheme should be presented to a user base on some condition. For example, if a user is using a specific browser, say 'FireFox', then present them with a specific scheme only for Firefox users. Here are some screen shots:
Select the 'Advance Tab'
Specify the condition and define what scheme you want.
Persistent Login (Remember Me)
Persistent Login is the ability to let users login without credentials after the first-time login. This feature is disabled by default and can be set at the application domain level. Again here are some screen shots:
Policy Evaluation Ordering
The out-of-the -box algorithm is based on the "best match" algorithm for evaluating policies. In PS2 you now have the option to specify a custom order for policies for a particular application domain. Also if you are doing a migration from 10g the policy order is maintained.
Delegated Administration
Ah our old friend is back! For those of you who remember; in older versions of OAM (10g and prior) you had the ability to select users who can administer their own application domains. In PS2, there is a new role called 'Application Domain Admin Role'. These users now have full access to application domains. Also the migration from 10g will preserve the admin configuration. This is supported via the UI as well as the REST API.
Unified Administration Console
The console screen has a new look; a new single 'Launch Pad' screen with services that are enabled based on user roles. The tree navigation has been removed.
Session Management
Granular Idle Timeout
You now have the ability to set idle session timeout's at the application domain level; this will override the global settings. In this example, the idle session timeout is set to fifteeen minutes as the global setting; whereas it is set to five minutes in the application domain.
Client Cookie based Session
Cookie based sessions are more scalable such that all session data is maintain on the client side (browser). This is designed for very large deployments where server side sessions can be more expensive; making the server stateless. This is very similar to OAM 10g; however, this will not support the following:
- Session Management, session limits
- Identity Context
- Granular Timeout
- Session attribute based on authorization policies
Additional features
This is just a short list of improvements in PS2. Other enhancements include:
- Upgrade Enhancements
- Install/Patching Automation for IDM
- Multi-Data-Center Deployment. You can read more here.
- Automated Replication
- Performance Enhancements
- SHA-2 Encryption for Webgates
- IPV6 Support
- Customized Error Pages
- Complete convergence for Federation - Service Provider(SP) & Identity Provider(IDP)
I want to thank our OAM PM, Venu Shastri for providing this list of new features.