Tuesday, October 18, 2016

Multi factor authentication with OAM alone !! [Part-1]

                  In this post, We are going to look the Adaptive authentication service that was introduced in the latest version of OAM Patch Set-3. Earlier to OAM 11gR2 PS3 version, multi factor authentication/step-up authentication for an application can be configured with the help of Oracle Adaptive Access manager which is separate component from Oracle Access Management suite or by going through approach of customizing the authentication flow. But you no longer need to install OAAM or go through customization effort to achieve the requirement of multi factor authentication. In OAM PS3, Adaptive authentication service provides this second factor authentication possibilities in various ways as mentioned below.
  • One Time Pin(OTP) through Email/SMS/Mobile authenticator
  • Access request notification from mobile authenticator 
However you will have to make use of Oracle adaptive access manager(OAAM) for various other features like Risk analysis, Fraud prevention, KBA and many others. In today's post, we are going to cover the implementation steps for enabling OTP through email.   
  • OAM BP07
  • RHEL6/OL6
  • OUD
  • OHS with OAM Webgate 11.1.2
  • SOA
  • OAM installed and configured
  • Sample html page deployed on OHS is protected by OAM through OOB LDAPScheme
  • OUD is configured as authentication store for OAM
  • SOA User Messaging Server(UMS) configured with email provider
  • Login to OAM console and navigate to Configuration
  • Click on Available services
  • Click on Enable and make sure Adaptive Authentication Service is enabled
  • Go to Application security and navigate to Authentication modules  
  • Search for the 'AdaptiveAuthenticationModule' as shown

  •  Click on 'AdaptiveAuthenticationModule' and go to steps. Select the 'SecondFactorOTP' stepname
  • Make sure you update the following fields with relevant value
    • EmailMsgSubject : This would be subject of OTP email that user receives
    • EmailField: LDAP attribute name from which email value is retrieved('mail' in case OUD)
    • Email_Enabled: Set to true for enabling OTP through email communication
    • UmsClientUrl: URL of SOA UMS service which sends email to the user
    • UmsAvailable: Set to true
    • IdentityStoreRef: Name of UserIdentityStore configured in OAM as authentication repository. 
  •  Click on Save to update the configuration and then click on Apply
To be continued in Part-2...