Tuesday, October 18, 2016

Multi factor authentication with OAM alone !! [Part-2]

  • Now let's configure the 'AdaptiveAuthenticationPlugin'
  • Click on 'Application Security' and navigate to 'Authentication Plugins'

  • Search for 'AdaptiveAuthenticationPlugin' and select the plugin
 
  • Update the plugin parameters as shown. These values must match what was configured on the 'SecondFactorOTP' step of the 'AdaptiveAuthenticationModule' in Part-1 (EmailField, UmsClientUrl, IdentityStoreRef and so on).


 
  • Now click on 'Save' to update the changes, then check 'Activation State' to make sure the plugin is activated on the managed server(s).
 
Note: Activating this plugin sometimes fails with the error "Action failed due to inconsistent status of plugin in different managed servers". Refer to my other post for the fix for this issue.
  • Once the plugin is activated, let's configure the authentication policy.
  • Navigate to 'Application Security' -> 'Application Domains'.
  • Open the application domain and locate the authentication policy that protects our sample HTML file.
  • Click on 'Advanced Rules' -> 'Post Authentication' and add a new rule.


  • This is the step that sends the user to the additional authentication: the rule's condition is configured to always evaluate to true, so every user who passes the initial authentication in this policy is stepped up to the OTP factor. (In a production deployment you would normally narrow the condition so that only selected users or resources are stepped up.)
  • Add the rule as shown below and click on 'Add' to apply it.
 

  • Click on Apply to save this updated authentication policy.
 
  • The configuration is now complete; let's validate the scenario.
Validation:
  • Make sure the test user's profile in OUD has the 'mail' attribute populated with a valid email address; this is the attribute named in EmailField, and the OTP cannot be delivered without it.
  • Now access the protected URL, which in my case is
    • http://OHShost:OHSPort/test/test.html
  • Authenticate with username and password; this is the initial authentication step.
  • Once the initial authentication succeeds, you are redirected to the OTP screen, which is the additional authentication step.
  • Select 'OTP' -> your email address and click on 'OTP'. This sends an OTP code to the email address read from the identity store configured as IdentityStoreRef (UserIdentityStore1 in this setup).

  • Enter the OTP you received and click on the 'Login' button.


  • That's all. You have now authenticated through multi-factor authentication, with a One Time Pin (OTP) received through email as the second factor.
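The first precondition above (a populated, valid 'mail' attribute) is worth checking for the whole user population rather than one test account, because a user who passes the LDAP step with no usable address has nowhere for the OTP to go. The script below is an added example, not code from the original post or from Oracle: it parses the LDIF that ldapsearch prints for the people container and flags every entry whose EmailField attribute ('mail' for OUD, as configured in Part-1) is missing or malformed, handling the base64-encoded ('mail::') and folded values that a plain grep would miss. The ldapsearch host, port, bind DN and base DN in the docstring are assumptions for this environment, and the LDIF embedded in the script is constructed sample data so that it runs offline.

```python
"""Pre-flight check for the OTP-through-email flow.

Before testing the step-up, confirm that the users who will hit the policy
actually have a usable value in the attribute named by EmailField ('mail'
for OUD). This is an added example, not code from the original post. Feed it
the LDIF printed by ldapsearch, for example (host, port, bind DN and base DN
are assumptions for this environment):

    ldapsearch -h oudhost -p 1389 -D "cn=Directory Manager" -W \\
        -b "ou=People,dc=example,dc=com" "(uid=*)" mail | python check_otp_mail.py
"""
import base64
import re
import sys
from typing import Dict, List

# Constructed sample LDIF covering the cases a plain `grep mail:` gets wrong:
# an entry with no mail at all, a base64-encoded value (LDIF writes 'attr::'
# for values that are not "safe" ASCII), a value folded across two lines
# (continuation lines begin with one space), and a garbage value.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
mail: alice@example.com

dn: uid=bob,ou=People,dc=example,dc=com

dn: uid=carol,ou=People,dc=example,dc=com
mail:: Y2Fyb2xAZXhhbXBsZS5jb20=

dn: uid=dave,ou=People,dc=example,dc=com
mail: dave.with.a.very.long.local.part@
 example.com

dn: uid=erin,ou=People,dc=example,dc=com
mail: not-an-address
"""

# Loose shape check: the goal is to catch empty or garbage values before the
# OTP step fails, not to validate RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch LDIF output into a list of {attr: [values]} entries."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    # Unfold first: a newline followed by a single space continues the line.
    unfolded = re.sub(r"\r?\n ", "", text)
    for raw in unfolded.splitlines():
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if raw.startswith("#") or raw.startswith("version:"):
            continue                             # ldapsearch chatter
        name, sep, rest = raw.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):                 # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_otp_mail(ldif_text: str, email_field: str = "mail") -> Dict[str, str]:
    """Return {dn: reason} for every entry that cannot receive the OTP email.

    email_field is the attribute configured as EmailField on the
    SecondFactorOTP step. An empty result means every user is deliverable.
    """
    problems: Dict[str, str] = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        values = [v for v in entry.get(email_field.lower(), []) if v]
        if not values:
            problems[dn] = f"no '{email_field}' value; OTP email cannot be sent"
        elif not all(EMAIL_RE.match(v) for v in values):
            problems[dn] = f"malformed '{email_field}' value(s): {values}"
    return problems


if __name__ == "__main__":
    # Use piped ldapsearch output when present, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn, reason in sorted(check_otp_mail(text).items()):
        print(f"{dn}: {reason}")
```

Against the constructed sample, alice, carol (base64) and dave (folded) pass, while bob (no attribute) and erin (garbage value) are reported. Pipe real ldapsearch output into the script to run the same check over the whole people container before pointing users at the step-up policy.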


You can also refer to the following links in case of any issues.

Thank you for visiting.


Multi factor authentication with OAM alone !! [Part-1]

In this post, we are going to look at the Adaptive Authentication Service introduced in the latest version of OAM, Patch Set 3 (11gR2 PS3). Before OAM 11gR2 PS3, multi-factor or step-up authentication for an application could be configured either with Oracle Adaptive Access Manager (OAAM), a separate component of the Oracle Access Management suite, or by customizing the authentication flow. You no longer need to install OAAM or take on that customization effort to achieve multi-factor authentication: in OAM PS3 the Adaptive Authentication Service provides a second factor in the following ways.
  • One Time Pin(OTP) through Email/SMS/Mobile authenticator
  • Access request notification from mobile authenticator 
However, you will still need OAAM for other features such as risk analysis, fraud prevention, knowledge-based authentication (KBA) and many others. In today's post, we cover the implementation steps for enabling OTP through email.
Environment:
  • OAM 11.1.2.3 BP07
  • RHEL6/OL6
  • OUD 11.1.2.3
  • OHS 11.1.1.7 with OAM Webgate 11.1.2
  • SOA 11.1.1.9
Assumptions:
  • OAM 11.1.2.3 installed and configured
  • A sample HTML page deployed on OHS is protected by OAM with the out-of-the-box LDAPScheme
  • OUD is configured as authentication store for OAM
  • SOA User Messaging Server(UMS) configured with email provider
Steps:  
  • Log in to the OAM console and navigate to 'Configuration'
  • Click on 'Available Services'
  • Click on 'Enable' and make sure the Adaptive Authentication Service is enabled
 
  • Go to 'Application Security' and navigate to 'Authentication Modules'
  • Search for 'AdaptiveAuthenticationModule' as shown

  • Click on 'AdaptiveAuthenticationModule' and go to the 'Steps' tab. Select the 'SecondFactorOTP' step.
  • Update the following fields with the relevant values:
    • EmailMsgSubject: subject of the OTP email the user receives
    • EmailField: LDAP attribute from which the email address is read ('mail' in the case of OUD)
    • Email_Enabled: set to true to enable OTP delivery through email
    • UmsClientUrl: URL of the SOA UMS web service that sends the email to the user
    • UmsAvailable: set to true
    • IdentityStoreRef: name of the User Identity Store configured in OAM as the authentication repository (the store the 'mail' attribute is read from)
  
  • Click on 'Save' to update the configuration and then click on 'Apply'
  
To be continued in Part-2...