Oracle Fusion Middleware Online Documentation Library

7-2 Oracle Fusion Middleware Integration Guide for Oracle Access Manager

Lost password management starts from the Oracle Access Manager login page but uses OAAM challenge questions and is synchronized to the user repositories through OIM.

Although other combinations are possible, integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager is the recommended option and provides these features:

■ Password entry and malware protection through personalized virtual authentication devices
■ Knowledge Based Authentication (KBA), a secondary login authentication, used for all flows including risk-based authentication at login and password resets
■ One-Time Password (OTP) challenge for secondary login authentication based on risk
■ Registration flows to support password protection and the KBA and OTP challenge functionality
■ User preference flows to support password protection and the KBA and OTP challenge functionality
■ Password management flows

Oracle Adaptive Access Manager

Oracle Adaptive Access Manager is responsible for:

■ Running real-time risk analysis rules before and after authentication
■ Navigating the user through the login, challenge, registration, and self-service flows

Oracle Identity Manager

Oracle Identity Manager is responsible for:

■ Provisioning users, that is, adding, modifying, or deleting users
■ Managing passwords, that is, resetting or changing passwords

Oracle Access Manager

Oracle Access Manager is responsible for:

■ Authenticating and authorizing users
■ Providing advanced status flags such as Reset Password, Password Expired, User Locked, and others

7.2 Process Flow

In this deployment, the process flow is as follows:

Resource Protection and Credential Collection Flow

1. The OAM WebGate server is in charge of protecting the URLs and redirecting users who are not yet authenticated so that they can be authenticated.

2. OAAM collects the username and password for authentication. When the OAM WebGate finds that an unauthenticated user is trying to access a protected URL, it redirects the user to the OAAM Server login page.

3. The credentials are collected on two different pages: a username page and a password page. OAAM first lets the user enter his username. If he is a registered user, then based on his registration status OAAM presents the password page with his personalized image and caption.

4. The OAAM Server runs the pre-authentication rules and lets the user enter his password.

5. Now that the OAAM Server has the user's username and password, it makes a NAP API call to the OAM Server for authentication.

6. The OAM Server returns a status indicating whether the username and password were entered correctly, and from that status the OAAM Server determines whether the authentication was successful.

7. If the authentication was successful, the OAAM Server redirects the user to the OAM WebGate.

8. The OAM WebGate server redirects the user to his original URL.

9. The OAM WebGate allows the user to access the protected URL.

Reset Password Flow

1. The OAAM Server communicates with the OIM server when it needs to obtain the password policy text that is shown while the user is changing his password.

2. Based on the policy, the OAAM Server enables the user to enter a password that meets the policy text requirements. Because the OAAM Server manages the flows, it is the component that presents the pages where the user enters his old and new passwords. The text is maintained by the OAM server, but it is the OAAM server that makes the calls to get that password policy text so that it is displayed when the user tries to change his password.

3. After the user finishes the task, the OAAM Server makes an API call to propagate the changes to the OAM Server. The OAM Server can persist those changes to the user directory or wherever the credentials are maintained. The OAM Server and OIM Server communicate with the same user directory, where all the user data is maintained.
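The two flows above are easier to reason about as code, in particular which component owns which decision: WebGate only protects and redirects, OAAM drives the pages and risk rules, OAM holds the credentials and the status flags, and OIM owns the password policy. The following Python model is an added illustration, not Oracle code or any Oracle API. Every class is a stand-in for the real server, the NAP call is an ordinary method call, the lockout threshold, the blocked-device rule, the policy text and the status values are this example's own assumptions, and the shared dictionary stands in for the user directory (in the product, registration data such as the personalized image lives in OAAM's own store).

```python
"""Model of the OAM / OAAM / OIM login and password-reset orchestration.

Added illustration, not Oracle code: each class stands in for the real server
and the NAP call, risk rule, policy text and status flags are simplified to
show which component decides what at each step of the flows described above."""
from dataclasses import dataclass
import re

# Status values the OAM stand-in returns (named after the flags the guide lists).
OK, BAD_CREDENTIALS, USER_LOCKED, RESET_PASSWORD = "OK", "BAD", "LOCKED", "RESET"


@dataclass
class UserRecord:
    password: str
    image: str = ""            # personalized image chosen at registration
    must_reset: bool = False   # drives the "Reset Password" status flag
    locked: bool = False       # drives the "User Locked" status flag
    failed: int = 0


class OAMServer:
    """Authenticates against the shared user directory and reports status flags."""
    LOCK_AFTER = 3             # assumed lockout threshold

    def __init__(self, directory):
        self.directory = directory

    def authenticate(self, username, password):
        user = self.directory.get(username)
        if user is None:
            return BAD_CREDENTIALS      # unknown user is reported like a bad password
        if user.locked:
            return USER_LOCKED
        if password != user.password:
            user.failed += 1
            if user.failed >= self.LOCK_AFTER:
                user.locked = True
                return USER_LOCKED
            return BAD_CREDENTIALS
        user.failed = 0
        return RESET_PASSWORD if user.must_reset else OK

    def set_password(self, username, new_password):
        # Reset flow step 3: OAM persists the change to the user directory.
        self.directory[username].password = new_password
        self.directory[username].must_reset = False


class OIMServer:
    """Owns the password policy; OAAM asks it for the text and the check."""
    POLICY_TEXT = "At least 8 characters with one upper-case letter and one digit."

    def satisfies_policy(self, candidate):
        return (len(candidate) >= 8 and re.search(r"[A-Z]", candidate) is not None
                and re.search(r"\d", candidate) is not None)


class OAAMServer:
    """Drives the pages and risk rules; never verifies the password itself."""

    def __init__(self, oam, oim, blocked_devices=()):
        self.oam, self.oim = oam, oim
        self.blocked_devices = set(blocked_devices)   # assumed pre-auth rule input

    def username_page(self, username):
        # Step 3: the password page is personalized only for a registered user.
        user = self.oam.directory.get(username)
        return {"page": "password", "image": user.image if user else ""}

    def password_page(self, username, password, device_id, return_url):
        if device_id in self.blocked_devices:                 # step 4: pre-auth rule
            return {"action": "BLOCK"}
        status = self.oam.authenticate(username, password)    # step 5: the NAP call
        if status == OK:
            return {"action": "REDIRECT", "to": return_url}   # steps 7 and 8
        return {"action": {RESET_PASSWORD: "RESET_PASSWORD",
                           USER_LOCKED: "LOCKED"}.get(status, "RETRY")}

    def reset_password(self, username, old_password, new_password):
        # Reset flow: policy comes from OIM, the change is propagated through OAM.
        if not self.oim.satisfies_policy(new_password):
            return {"ok": False, "policy": self.oim.POLICY_TEXT}
        if self.oam.authenticate(username, old_password) not in (OK, RESET_PASSWORD):
            return {"ok": False, "policy": ""}
        self.oam.set_password(username, new_password)
        return {"ok": True, "policy": ""}


def webgate(url, session, login_url="/oaam/login"):
    """Step 1: serve the URL to an authenticated session, else send to OAAM login."""
    if session.get("user"):
        return {"action": "SERVE", "url": url}
    return {"action": "REDIRECT", "to": f"{login_url}?return={url}"}


def build_demo():
    """Constructed sample deployment: two users, one blocked device."""
    directory = {"alice": UserRecord("Correct-Horse9", image="sailboat"),
                 "bob": UserRecord("Temp0rary!", must_reset=True)}
    oam = OAMServer(directory)
    return OAAMServer(oam, OIMServer(), blocked_devices={"dev-bad"}), oam
```

The point the model makes is the separation of duties: `OAAMServer.password_page` never compares a password, it only interprets the status that `OAMServer.authenticate` returns and chooses the next page, and `OAAMServer.reset_password` never decides what a valid password is, it asks the OIM stand-in and shows its policy text on rejection. Running the demo, a login from a blocked device is stopped before the NAP call, three wrong passwords for `alice` produce the locked status, and `bob` is sent to the reset page until his password has been changed through OAM.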

7.3 Prerequisites for the Integration