The request flow when a user requests access is as follows:
- The user requests access to a protected resource over HTTP or HTTPS.
- The WebGate intercepts the request.
- The WebGate forwards the request to the Oracle Access Manager server over Oracle Access Protocol to determine if the resource is protected, how, and whether the user is authenticated (if not, there is a challenge).
- The Oracle Access Manager server checks the directory server for credentials such as a user ID and password, sends the information back to WebGate over Oracle Access Protocol, and generates an encrypted cookie to authenticate the user.
- Following authentication, the WebGate prompts the Oracle Access Manager server over Oracle Access Protocol and the Oracle Access Manager server looks up the appropriate security policies, compares them to the user’s identity, and determines the user’s level of authorization.
- If the access policy is valid, the user is allowed to access the desired content and/or applications.
- If the policy is false, the user is denied access and redirected to another URL determined by the organization’s administrator.