Introduction
Integrating Oracle Access Manager (OAM) with Single Sign-On (SSO) using WebGate 12c provides centralized access management for web applications. However, issues like unauthorized access or unexpected login prompts can arise if configuration steps are missed. This guide walks through the troubleshooting process to resolve unauthorized access issues for applications deployed on IIS with OAM and WebGate 12c.
Step 1: Verify WebGate Installation and Configuration
1. Check WebGate Plugin and Config Files
– Confirm that the WebGate plugin is installed on the web server hosting the application.
– Locate the `webgate.conf` and `ObAccessClient.xml` files, ensuring they have valid configurations for WebGate to communicate with OAM.
2. ObAccessClient.xml
– This file holds essential details for WebGate’s connection to the OAM server, including host, port, and security configurations.
– Ensure the file is correctly placed and contains the current OAM server address and port information.
Step 2: Verify WebGate Registration in the OAM Console
1. Access the OAM Console
– Navigate to System Configuration > Agents in the OAM Console to find the WebGate agent related to your IIS-hosted application.
– Confirm the WebGate agent is registered with correct details, like host identifiers, ports, and policies.
2. Host Identifiers
– Ensure the host identifiers match the WebGate server’s URL. Incorrect host identifiers can lead to authentication problems.
3. Associate WebGate with Policies
– Confirm that the WebGate is tied to the necessary authentication and authorization policies for your application.
– In the Policy Configuration section, ensure the application’s URLs are protected by the correct authentication scheme, typically SSO.
Step 3: Verify Communication Between WebGate and OAM
1. Network and Firewall Checks
– Ensure the WebGate server can reach the OAM server. No network or firewall restrictions should block the required ports (e.g., the OAM Proxy port, 5575 by default).
2. Review Logs
– Enable debug logs on both WebGate and OAM servers to troubleshoot any communication or authentication issues.
– Inspect WebGate logs (commonly in `/var/log/Oracle_WebGate`) and OAM diagnostic logs for errors.
Step 4: Confirm OAM Cookie Management
1. OAM Session Cookies
– When users access a WebGate-protected resource, OAM should generate session cookies, such as `OAMAuthnCookie` or `OAM_ID`.
– Confirm that these cookies are created and passed between WebGate and OAM, as they’re necessary for session management.
2. Inspect Cookies in Developer Tools
– Use browser developer tools to confirm that OAM session cookies are present and valid for the application’s URLs.
Step 5: Test Access to a Protected Resource
1. Access the Application URL
– Try accessing the IIS-hosted application’s URL that WebGate protects. If prompted for a login, the login page should be managed by OAM.
– If login fails or unauthorized access persists, check the HTTP headers and logs to diagnose further.
2. Session and Redirect Validation
– After successful login, verify that the WebGate redirects users to the intended resource and that no unauthorized messages appear.
Step 6: Ensure Proper Session Token Generation
1. Session Token Creation
– OAM should issue tokens (like `OAMAuthToken`) upon successful login. Ensure these tokens are valid and are not lost or altered at any point in the authentication flow.
2. Inspect Network Traffic
– Use tools like Wireshark or Fiddler to analyze network traffic and ensure tokens and cookies are exchanged as expected.
Step 7: Check for Compatibility and Patch Updates
1. Version Compatibility
– Verify that the WebGate version is compatible with your OAM server version and that all configuration requirements are met.
2. Check for Patches
– Look for available patches that address specific WebGate and OAM integration issues. Oracle often releases patches to resolve common problems.
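As an added example, not part of the original guide, the Python helper below turns two of the checks above into code: it extracts the OAM server host and port from ObAccessClient.xml (Step 1), so they can be compared with the agent registration and firewall rules, and classifies a response from the protected IIS URL by status, Location header and OAM cookie names (Steps 4 and 5). The sample XML, its NameValPair layout and the `/oam/server/` redirect path are assumptions, not values taken from a real deployment.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample ObAccessClient.xml. The NameValPair / CompoundList layout
# is an assumption about the real file's shape, not a copy of a real agent.
SAMPLE_OBACCESSCLIENT = """<CompoundList ListName="ObAccessClient.xml">
  <SimpleList>
    <NameValPair ParamName="id" Value="IIS_WebGate"/>
    <NameValPair ParamName="state" Value="Enabled"/>
  </SimpleList>
  <CompoundList ListName="primaryServer1">
    <SimpleList>
      <NameValPair ParamName="host" Value="oam.example.internal"/>
      <NameValPair ParamName="port" Value="5575"/>
    </SimpleList>
  </CompoundList>
</CompoundList>"""

OAM_COOKIE_PREFIXES = ("OAMAuthnCookie", "OAM_ID")   # cookie names named in the guide

def oam_servers(xml_text):
    """[(host, port)] for each primaryServerN/secondaryServerN block (Step 1)."""
    servers = []
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]            # tolerate an xmlns prefix
        if name != "CompoundList" or not re.fullmatch(
                r"(primary|secondary)Server\d+", el.get("ListName", "")):
            continue
        kv = {p.get("ParamName"): p.get("Value") for p in el.iter()
              if p.tag.rsplit("}", 1)[-1] == "NameValPair"}
        servers.append((kv.get("host"), int(kv.get("port", "0"))))
    return servers

def classify_response(status, headers, cookie_jar=()):
    """Diagnose one response from the protected IIS URL (Steps 4 and 5).
    headers: response headers; Set-Cookie may be a str or a list.
    cookie_jar: cookie names the browser already holds for the app host."""
    set_cookie = headers.get("Set-Cookie", [])
    if isinstance(set_cookie, str):
        set_cookie = [set_cookie]
    names = list(cookie_jar) + [c.split("=", 1)[0].strip() for c in set_cookie]
    has_oam_cookie = any(n.startswith(OAM_COOKIE_PREFIXES) for n in names)
    location = urlparse(headers.get("Location", ""))
    if status in (301, 302, 303, 307) and location.path.startswith("/oam/server/"):
        return "redirect-to-oam-login"      # normal for a fresh, unauthenticated user
    if status in (401, 403):
        return "unauthorized"               # check policy, host identifier, agent state
    if status == 200 and has_oam_cookie:
        return "authenticated"
    if status == 200:
        return "served-without-oam-cookie"  # URL may not be under a protected policy
    return "unexpected"
```

Feed `classify_response` the status and headers captured in the browser's developer tools for the application URL; a `served-without-oam-cookie` result points at the policy or host identifier rather than at WebGate-to-OAM connectivity.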
Conclusion
Following these steps should help resolve unauthorized access and unexpected prompts when using OAM SSO with WebGate 12c for applications deployed on IIS. Proper configuration of WebGate, accurate registration in OAM, and secure cookie and token management are essential for seamless SSO integration.