
How Does Session Count work with Impersonation Feature of Oracle Access Manager (Doc ID 2315739.1)

Last updated on SEPTEMBER 05, 2023

Applies to:

Oracle Access Manager - Version 11.1.2.3.170117 and later
Information in this document applies to any platform.

Goal

When the session count in the OAM settings is set to 1, a special mode is enabled: "If a user who already has a session authenticates using another device (thereby creating a new session), then their existing session is deleted. No error is reported and no warning is given". This works fine for normal sessions.

However, when a user logs in, impersonates another user and does not log out, the "special mode" is expected to work the same way: the session is created and gets deleted when the user closes the browser without logging out. Instead, the impersonator is presented with the error "max sessions exceeded". This is expected behavior.

Use Case:

0. Make sure that in the OAM configuration, Maximum Number of Sessions per User is set to 1
1. Make sure user1 (impersonator) can impersonate user2 (impersonatee)
2. Log in as user1
3. Start the impersonation of user2 (in our case by URL:
https://<OAM Host>:<OAM Server Port>/oam/server/impersonate/start?userid=user2&success_url=https://<Webgate Host>:<Web server port>/cgi-bin/printenv&failure_url=https://<Web-Server Host>:<web-server port>4443/failure.html)
4. Provide the password of user2
5. You can now see from the HTTP headers that you are user2
6. Close the browser (do not log out)
7. Open a new browser and try to log in as user1
8. An error is presented -> max sessions exceeded.

Solution
