Interception Process Configuring the UIO Proxy

Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

Table 6–17 (Cont.) OAAM Server Interface URL / Condition / Action

URL: login.do
Condition: Phase-1 only: On receiving the request.
Action: Set the userid header to the userid entered by the user. Set the Login-Status header to one of the following: success, wrong_password, invalid_user, user_disabled, system_error. Set the OAAM ServerPhase header to one. A ? is accepted in a URL specified in a target action; in a target action URL you would have the ? and any parameters after it. Setting Login-Status to:
■ success will update the session status for the user in OAAM to success and run post-authentication rules.
■ wrong_password, invalid_user, user_disabled or system_error will update the session status in OAAM to the status passed, and the user will be taken to the login page with the appropriate error messaging.

URL: updateLoginStatus.do
Condition: Phase-2 only: After validating the credentials entered by the user.
Action: Redirect to this URL to update the status in Oracle Adaptive Access Manager and run the appropriate risk rules.

URL: updateLoginStatus.do
Condition: Phase-2 only: On receiving the request.
Action: Set the Login-Status header to one of the following: success, wrong_password, invalid_user, user_disabled, system_error. Setting Login-Status to:
■ success will update the session status for the user in Oracle Adaptive Access Manager to success and run post-authentication rules.
■ wrong_password, invalid_user, user_disabled or system_error will update the session status in Oracle Adaptive Access Manager to the status passed, and the user will be taken to the login page with the appropriate error messaging.

URL: updateLoginStatus.do, challengeUser.do, registerQuestions.do, userPreferencesDone.do
Condition: Response header Rules-Result has the value allow.
Action: The Oracle Adaptive Access Manager rules evaluated to permit the login. The proxy can permit access to the protected application URLs after this point.

URL: registerQuestions.do
Condition: Response header Rules-Result has the value block.
Action: Either the application did not accept the login credentials or the Oracle Adaptive Access Manager rules evaluated to block the login. The proxy should log off the session in the application, if the login was successful. Then a Login Blocked message should be sent to the browser.

URL: changePassword.do
Condition: Response contains the headers password, newpassword and confirmpassword.
Action: Save the passwords from the response headers and post them to the application.

URL: loginFail.do
Condition: To display an error message in the OAAM Server page, for example a login blocked message.
Action: Redirect to this URL with the appropriate action query parameter, for example loginFail.do?action=block. In most cases control is not given to the proxy via a response header in a block situation. Instead, the user is taken to the following URL with the query parameter action set to the error code block, which presents the user with the OAAM Server login page and a message stating the reason they are there: error.do?action=block. Alternatively, the same result can be obtained with the following URLs: loginFail.do?action=block, loginPage.jsp?action=block.

URL: logout.do
Condition: On completion of the application session logout.
Action: Redirect to this URL to log out the OAAM Server session.

URL: logout.do
Condition: On receiving the response.
Action: Redirect to the application logout URL to log off the application session, if it is not already logged off.

URL: resetPassword.do
Condition: Response contains the headers newpassword and confirmpassword.
Action: Save the passwords from the response headers and post them to the application.

URL: getUserInput.do
Condition: Response contains the header BH_UserInput.
Action: Save the user input and take the appropriate action, such as posting it to the application.

URL: changeUserId.do
Condition: On receiving the request.
Action: Add the newUserId header.

URL: changeUserId.do
Condition: On receiving the response.
Action: Redirect to the appropriate application page or send back the saved application response.

URL: updateForgotPasswordStatus.do
Condition: Phase-2 only: After validating the forgot-password credentials entered by the user.
Action: Redirect to this URL to update the status in Oracle Adaptive Access Manager and run the appropriate risk rules.

URL: updateForgotPasswordStatus.do
Condition: Phase-2 only: On receiving the request.
Action: Set the BH_FP-Status header to one of the following: success, wrong_password, invalid_user, user_disabled, system_error.
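The table above is a decision table: on each OAAM Server URL the proxy either adds headers to the request it forwards (the Phase-1 login.do and Phase-2 status URLs) or reads headers from the response (Rules-Result, the password headers, BH_UserInput) and acts on them. The following Python module is an added illustration written for this page, not UIO Proxy code or an Oracle API; it encodes the table's conditions and actions so a reviewer can check that a given exchange leads to the intended proxy behaviour. The header and URL names are taken from the table as printed (including the "OAAM ServerPhase" header, whose exact name should be confirmed in the proxy configuration); the action labels, the ProxyAction type and the /app/logout placeholder are assumptions of this example.

```python
"""Proxy-side decision logic modelled on Table 6-17 (added illustration, not UIO Proxy code).

The real UIO Proxy is driven by its interception configuration; this module only
encodes the table's conditions and actions as plain Python so that a given
OAAM Server exchange can be checked against the behaviour the table prescribes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Status vocabulary the table allows for Login-Status and BH_FP-Status.
LOGIN_STATUSES = frozenset(
    {"success", "wrong_password", "invalid_user", "user_disabled", "system_error"}
)

# Responses whose Rules-Result header tells the proxy whether to open the application.
RULES_RESULT_URLS = frozenset(
    {"updateLoginStatus.do", "challengeUser.do", "registerQuestions.do", "userPreferencesDone.do"}
)

# Where a blocked user is sent (the table's error.do form; loginFail.do and
# loginPage.jsp with the same action parameter give the same result).
BLOCK_REDIRECT = "error.do?action=block"


@dataclass
class ProxyAction:
    kind: str                                            # label for what the proxy does next (assumed names)
    redirect: Optional[str] = None                       # URL the browser is sent to, if any
    data: Dict[str, str] = field(default_factory=dict)   # values saved from response headers


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def status_headers_for(url: str, status: str, userid: Optional[str] = None) -> Dict[str, str]:
    """Headers the proxy adds to a status-reporting request it sends to OAAM Server.

    login.do (Phase 1) carries userid, Login-Status and the phase header;
    updateLoginStatus.do (Phase 2) carries Login-Status;
    updateForgotPasswordStatus.do (Phase 2) carries BH_FP-Status.
    Any status outside the table's vocabulary is rejected rather than forwarded.
    """
    if status not in LOGIN_STATUSES:
        raise ValueError(f"status must be one of {sorted(LOGIN_STATUSES)}, got {status!r}")
    if url == "login.do":
        if userid is None:
            raise ValueError("Phase-1 login.do requires the userid entered by the user")
        # Header name as printed in the table; confirm the exact name in the proxy configuration.
        return {"userid": userid, "Login-Status": status, "OAAM ServerPhase": "one"}
    if url == "updateLoginStatus.do":
        return {"Login-Status": status}
    if url == "updateForgotPasswordStatus.do":
        return {"BH_FP-Status": status}
    raise ValueError(f"{url} is not a status-reporting URL in Table 6-17")


def on_oaam_response(url: str, headers: Dict[str, str], *,
                     app_login_succeeded: bool = False,
                     app_logout_url: str = "/app/logout") -> ProxyAction:
    """Map an OAAM Server response to the proxy action the table prescribes.

    app_logout_url is a placeholder for the protected application's own logout URL.
    """
    if url in RULES_RESULT_URLS:
        result = _header(headers, "Rules-Result")
        if result == "allow":
            return ProxyAction("permit_protected_urls")
        if result == "block":
            # Log off the application session only if the application had accepted the login.
            kind = "logoff_application_then_block" if app_login_succeeded else "block"
            return ProxyAction(kind, redirect=BLOCK_REDIRECT)
    if url == "changePassword.do":
        wanted = ("password", "newpassword", "confirmpassword")
        if all(_header(headers, h) is not None for h in wanted):
            return ProxyAction("post_password_change", data={h: _header(headers, h) for h in wanted})
    if url == "resetPassword.do":
        wanted = ("newpassword", "confirmpassword")
        if all(_header(headers, h) is not None for h in wanted):
            return ProxyAction("post_password_reset", data={h: _header(headers, h) for h in wanted})
    if url == "getUserInput.do":
        user_input = _header(headers, "BH_UserInput")
        if user_input is not None:
            return ProxyAction("post_user_input", data={"BH_UserInput": user_input})
    if url == "logout.do":
        return ProxyAction("logoff_application", redirect=app_logout_url)
    if url == "changeUserId.do":
        return ProxyAction("resume_application")
    # No row of the table matched: hand the response to the browser unchanged.
    return ProxyAction("pass_through")
```

The two points worth keeping when adapting this: the status vocabulary is closed, so anything the application reports outside it should fail loudly instead of reaching OAAM as a malformed header, and a Rules-Result of block must lead to the application session being torn down when the application had already accepted the credentials, otherwise the risk decision is not actually enforced.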