How Does Session Count work with Impersonation Feature of Oracle Access Manager

(Doc ID 2315739.1)

Last updated on OCTOBER 11, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.3.170117 and later
Information in this document applies to any platform.

Goal

When the session count in the OAM settings is set to 1, a special mode is
enabled: "If a user who already has a session authenticates using another
device (thereby creating a new session), then their existing session is
deleted. No error is reported and no warning is given". This works fine for
normal sessions.

But when a user logs in, impersonates another user and does not log out, the
"special mode" is expected to work the same way, with the session being
created and then deleted when the user closes the browser without logging
out. Instead, the impersonator is presented with the error
"max sessions exceeded". This is expected behaviour.

Use Case:

0. Make sure that in the OAM configuration, Maximum Number of Sessions per User
is set to 1.
1. Make sure user1 (impersonator) can impersonate user2 (impersonatee).
2. Log in as user1.
3. Start the impersonation of user2 (in our case by URL:
https://example.oracle.com:14101/oam/server/impersonate/start?userid=user2&success_url=https://example.oracle.com:4443/cgi-bin/printenv&failure_url=https://example.oracle.com:4443/failure.html).
4. Provide the password of user2.
5. You can now see from the HTTP headers that you are user2.
6. Close the browser (do not log out).
7. Open a new browser and try to log in as user1.
8. An error is presented: max sessions exceeded.

 

Solution
