This issue bit me in the rear back in 2005 when I first started working with Oracle Access Manager. I was installing OAM for a 3-letter agency whose application was deployed behind a Squid-based reverse proxy. Usually proxies change the IP address that is passed to the web server. Because of this the IP address of the client won’t match the IP address that is stored as part of the cookie. Thus IP validation by the webgate will fail and cause authentication problems for your application. You can set IP Validation to “off” but Oracle recommends that in most cases you should leave this on.
IP address validation is specific to WebGates. It determines if a client’s IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on. The IPValidation parameter turns IP address validation on and off. If IPValidation is true, the IP address stored in the ObSSOCookie must match the client’s IP address, otherwise, the cookie is rejected and the user must reauthenticate. The default IPValidation setting is true.
The IPValidation parameter can cause problems with certain Web applications. For example, Web applications managed by a proxy server typically change the user’s IP address, substituting the IP address of the proxy. This prevents single sign-on using the ObSSOCookie.
The IP Validation Exceptions parameter lists IP addresses that are exceptions to this process. If IPValidation is true, the IP address can be compared to the IP Validation Exceptions list. If the address is found on the exceptions list, it does not need to match the IP address stored in the cookie. You can add as many IP addresses as needed. These addresses are the actual IP addresses of the client, not the IP addresses that are stored in the obSSOCookie. If a cookie arrives from one of the exception IP addresses, the Access System ignores the address stored in the ObSSOCookie cookie for validation. For example, the IP addresses in the IP Validation Exceptions parameter can be used when the IP address in the cookie is for a reverse proxy.
To configure single sign-on between WebGate and an access client that does not have the client IP address at authentication, the IP validation can be explicitly turned off. To do this, you set IP Validation to false. When the IP Validation parameter is set to false, the browser or client IP address is not used as a part of the ObSSOCookie. However, Oracle recommends that you keep IP validation on whenever possible.