How Does Session Count work with Impersonation Feature of Oracle Access Manager
(Doc ID 2315739.1)
Last updated on JUNE 08, 2021
Applies to:Oracle Access Manager - Version 220.127.116.11.170117 and later
Information in this document applies to any platform.
When the session count in OAM settings set to 1, this enables special mode "If a user who already has a session authenticates using another device (thereby creating a new session), then their existing session is deleted. No error is
reported and no warning is given". This works fine for normal sessions.
But when a user logs in, impersonates another user and doesn't logout the "special mode" is expected to be working the same way the session is created and gets deleted when the user closes the browser without doing a logout, but in case of impersonator user is presented the error "max sessions exceeded". This is expected behavior.
0. Make sure in OAM configuration Maximum Number of Sessions per User is set
1. Make sure user1 (impersonator) can impersonate user2 (impersonatee)
2. log in as user 1
3. start the impersonation of user2 with (in our case by url:
https://<OAM Host>:<OAM Server Port>/oam/server/impersonate/start?userid=user2&success_url=https://<Webgate Host>:<Web server port>/cgi-bin/printenv&failure_url=https://<Web-Server Host>:<web-server port>4443/failure.html)
4. Provide the password of user2
5. You can now see by http headers you are user2
6. Close the browser (do not logout)
7. Open a new browser and try to login as user1
8. An error is presented -> max sessions exceeded.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document