Fusion Apps User Authentication

  1. User requests resource https://fusion.appsdbatraining.com/homePage
  2. The DNS server resolves the host name fusion.appsdbatraining.com to the public virtual IP of the load balancer; the browser opens an HTTPS connection to that IP on port 443
  3. The load balancer accepts the connection on that IP and port and load balances it across the two available Fusion Applications Web Servers (OHS – Oracle HTTP Server).
    1. FA Web Host 1 – fawebhost01-i.appsdbatraining.com:10614 (10.nnn.nn.nnn)
    2. FA Web Host 2 – fawebhost02-i.appsdbatraining.com:10616 (10.nnn.nn.nnn)
  4. The webgate plug-in running on the FA Web Host(s) intercepts the resource request and asks Access Manager (OAM) whether the requested resource is protected. The webgate talks to one of the two available Access Manager servers over OAP (Oracle Access Protocol), a direct TCP connection from the webgate to an OAM managed server (port 5575 below); this lets the webgate hold the browser's HTTP request open while it consults Access Manager. OAP traffic does not pass through the load balancer, so each webgate must be able to reach both OAM hosts directly
    1. OAM Server 1 – oamhost01-i.appsdbatraining.com:5575 (10.nnn.nn.nnn)
    2. OAM Server 2 – oamhost02-i.appsdbatraining.com:5575 (10.nnn.nn.nnn)
  5. Access Manager (OAM) evaluates its configured policies to decide whether the requested resource, /homePage on the host identifier fusion.appsdbatraining.com:443, is protected. In this configuration the resource is protected
  6. Access Manager (OAM) checks whether the request carries a valid OAM SSO session cookie. On the first logon attempt no valid OAM cookie exists
  7. Access Manager (OAM) logs the decision and returns it to the webgate plug-in (Resource Protected=Yes, Valid Cookie=No)
  8. The webgate plug-in sets a cookie to track the originally requested resource https://fusion.appsdbatraining.com/homePage
  9. The webgate is configured to use a DCC (Detached Credential Collector): the login page is served by the webgate plug-in running on one of the two available IDM (Identity Management) web servers rather than by the OAM server itself. The webgate instructs the browser to redirect to the DCC login page. The obrareq.cgi query string carries the webgate host (wh), the requested URL (wu) and the host, path and query to return to after login (rh, ru, rq), with ru and rq percent-encoded a second time so the original query string survives the redirect: http://sso.appsdbatraining.com:7778/oam/server/obrareq.cgi?wh%3Dfusion.appsdbatraining.com%3A443%20wu%3D%2FhomePage%2FadfAuthentication%3F_afrLoop%3D463312116418076%26_afrWindowMode%3D0%26_adf.authenticate%3Dtrue%20wo%3D1%20rh%3Dhttps%3A%2F%2Ffusion.appsdbatraining.com%20ru%3D%252FhomePage%252FadfAuthentication%20rq%3D_afrLoop%253D463312116418076%2526_afrWindowMode%253D0%2526_adf.authenticate%253Dtrue%20lang%3Den
  10. The browser follows the re-direct request
  11. The DNS server resolves the host name sso.appsdbatraining.com to the load balancer virtual IP; the browser connects to it over HTTP on port 7778
  12. The load balancer device monitors incoming IP & Port and load balances between one of two available IDM (Identity Management) Web Servers (OHS – Oracle HTTP Server)
    1. IDM Web Host 1 – webhost01-i.appsdbatraining.com:7778 (10.nnn.nn.nn)
    2. IDM Web Host 2 – webhost02-i.appsdbatraining.com:7778 (10.nnn.nn.nn)
  13. The DCC (login page) is rendered by the webgate plug-in on the IDM Web Server(s)
  14. The user enters his/her credentials and hits the logon button. Note that the DCC URL in step 9 is plain http on port 7778, so as written the credential POST is not protected by TLS on the path from the browser to the load balancer; a production deployment fronts the DCC with https
  15. The DNS server resolves the host name sso.appsdbatraining.com to the load balancer virtual IP; the browser connects to it over HTTP on port 7778
  16. The load balancer accepts the connection on that IP and port and load balances it across the two available IDM (Identity Management) Web Servers (OHS – Oracle HTTP Server). Session persistence (stickiness) is enabled on the load balancer, so the credential POST lands on the same IDM web host that served the login page
    1. IDM Web Host 1 – webhost01-i.appsdbatraining.com:7778 (10.nnn.nn.nn)
    2. IDM Web Host 2 – webhost02-i.appsdbatraining.com:7778 (10.nnn.nn.nn)
  17. The DCC webgate plug-in forwards the credentials over OAP to one of the two available Access Manager (OAM) servers. As in step 4, this hop does not pass through the load balancer.
    1. OAM Server 1 – oamhost01-i.appsdbatraining.com:5575 (10.nnn.nn.nnn)
    2. OAM Server 2 – oamhost02-i.appsdbatraining.com:5575 (10.nnn.nn.nnn)
  18. Access Manager (OAM) authenticates the user credentials against the designated identity store, which it reaches through OVD (Oracle Virtual Directory). For this lookup OAM is configured with the load-balanced LDAP URL ldap://idstore-i.appsdbatraining.com:6051. Note that this is plain ldap://, not ldaps://, so the bind between OAM and OVD is not encrypted on the wire unless the network between them is otherwise protected
  19. The internal DNS or the /etc/hosts file specific to the Fusion Applications instance resolves the host name idstore-i.appsdbatraining.com to the internal load balancer IP (10.nnn.nn.nnn)
  20. The load balancer accepts the connection on that IP and port and load balances it across the two OVD Servers (Oracle Virtual Directory). Session persistence (stickiness) is enabled on the load balancer.
    1. OVD Host 1 – ovdhost01-i.appsdbatraining.com:6051 (10.nnn.nn.nn)
    2. OVD Host 2 – ovdhost02-i.appsdbatraining.com:6051 (10.nnn.nn.nn)
  21. OVD presents the OIM identity store as a virtual directory; OAM looks up the user there and authenticates the credentials with an LDAP bind as that user
  22. Access Manager (OAM) creates the SSO session and sets its OAM session cookie (OAM_ID) for the OAM server domain
  23. The webgate plug-in on the IDM Web Host(s) sets the webgate authentication cookie
    1. IDM Web Host 1 – webhost01-i.appsdbatraining.com:7778 (10.nnn.nn.nn)
    2. IDM Web Host 2 – webhost02-i.appsdbatraining.com:7778 (10.nnn.nn.nn)
  24. The webgate plug-in redirects the browser back to the originally requested host, appending an encrypted string that carries the authentication result; only the webgate/OAM pair can decrypt it, so the browser cannot forge it
  25. The browser follows the redirect to https://fusion.appsdbatraining.com/homePage/adfAuthentication?_afrLoop=463312116418076&_afrWindowMode=0&_adf.authenticate=true (the rh, ru and rq parameters from step 9 reassembled)
  26. The DNS server resolves the host (fusion.appsdbatraining.com) IP Address (10.nnn.nn.nn)
  27. The load balancer accepts the connection on that IP and port and load balances it across the two available Fusion Applications Web Servers (OHS – Oracle HTTP Server). Session persistence (stickiness) is enabled on the load balancer
    1. FA Web Host 1 – fawebhost01-i.appsdbatraining.com:10614 (10.nnn.nn.nnn)
    2. FA Web Host 2 – fawebhost02-i.appsdbatraining.com:10616 (10.nnn.nn.nnn)
  28. The webgate plug-in running on the FA Web Host(s) again intercepts the resource request and asks Access Manager (OAM) whether the requested resource is protected, over the same direct OAP connection as in step 4, which does not pass through the load balancer
    1. OAM Server 1 – oamhost01-i.appsdbatraining.com:5575 (10.nnn.nn.nnn)
    2. OAM Server 2 – oamhost02-i.appsdbatraining.com:5575 (10.nnn.nn.nnn)
  29. Access Manager (OAM) evaluates its configured policies to decide whether /homePage on the host identifier fusion.appsdbatraining.com:443 is protected. In this configuration the resource is protected
  30. Access Manager (OAM) checks for an existing valid cookie. The user was authenticated during the previous steps, so the OAM session cookie now exists and is valid
  31. Access Manager (OAM) logs and returns the request to the webgate plug-in (Resource Protected=Yes, Valid Cookie=Yes)
  32. The webgate plug-in reads previously set cookie to track the original requested resource https://fusion.appsdbatraining.com/homePage and allows access to the requested resource
  33. The user is permitted to access the resource from the browser
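The obrareq.cgi redirect in step 9 and the post-login URL in step 25 are the two ends of the same round trip, so they are a good place to check your understanding of the flow. The script below, an added example and not the author's code, parses the step 9 redirect exactly as shown on this page, rebuilds the step 25 URL from the rh/ru/rq parameters, and applies the check a practitioner would want: the return host must be one of the protected hosts the webgate fronts and must use https, so that a tampered rh cannot turn the DCC into an open redirect. The allowlist and the function names are assumptions for illustration; the URL is taken from step 9.

```python
"""Parse an OAM 11g WebGate obrareq.cgi redirect and validate its return host.

Added example, not the original author's code. The URL is the redirect from
step 9 of the flow; the host allowlist is an assumption for illustration.
"""
from urllib.parse import urlsplit, unquote

# Redirect issued by the resource WebGate (step 9 of the flow).
OBRAREQ_URL = (
    "http://sso.appsdbatraining.com:7778/oam/server/obrareq.cgi?"
    "wh%3Dfusion.appsdbatraining.com%3A443%20wu%3D%2FhomePage%2FadfAuthentication"
    "%3F_afrLoop%3D463312116418076%26_afrWindowMode%3D0%26_adf.authenticate%3Dtrue"
    "%20wo%3D1%20rh%3Dhttps%3A%2F%2Ffusion.appsdbatraining.com"
    "%20ru%3D%252FhomePage%252FadfAuthentication"
    "%20rq%3D_afrLoop%253D463312116418076%2526_afrWindowMode%253D0%2526_adf.authenticate%253Dtrue"
    "%20lang%3Den"
)

# Hosts the DCC may send an authenticated browser back to.
# Assumed allowlist: the protected host identifier from step 5.
ALLOWED_RETURN_HOSTS = {"fusion.appsdbatraining.com"}

# Parameters that are percent-encoded a second time inside the query.
DOUBLE_ENCODED = {"ru", "rq"}


def parse_obrareq(url):
    """Return the wh/wu/wo/rh/ru/rq/lang parameters as a dict.

    The whole query is one percent-encoded string; after one decode it is a
    space-separated list of key=value pairs, and ru/rq carry one more layer
    of encoding so the original query string survives the redirect intact.
    """
    query = urlsplit(url).query
    params = {}
    for token in unquote(query).split(" "):
        if "=" not in token:
            raise ValueError("malformed obrareq token: %r" % token)
        key, value = token.split("=", 1)
        params[key] = unquote(value) if key in DOUBLE_ENCODED else value
    return params


def reconstruct_target(params):
    """Rebuild the URL the browser is sent to after authentication (step 25)."""
    target = params["rh"] + params["ru"]
    if params.get("rq"):
        target += "?" + params["rq"]
    return target


def is_allowed_return_host(params, allowed=ALLOWED_RETURN_HOSTS):
    """Check rh (return host) and wh (WebGate host) against the allowlist.

    rh arrives in the browser-visible URL, so treat it as attacker-controlled:
    both the return host and the WebGate host must name a protected host,
    and the return must be https, or the DCC becomes an open redirect.
    """
    rh = urlsplit(params["rh"])
    wh_host = params["wh"].split(":", 1)[0]
    return rh.scheme == "https" and rh.hostname in allowed and wh_host in allowed


if __name__ == "__main__":
    p = parse_obrareq(OBRAREQ_URL)
    print(reconstruct_target(p))
    print("return host allowed:", is_allowed_return_host(p))
```

Run it as is and the reconstructed URL is character-for-character the one in step 25; change rh to another host, or to http://, and the allowlist check fails, which is the behaviour you want the DCC side to enforce rather than the browser.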

Nagulu Polagani

"We are all apprentices in a craft where no one ever becomes a master."