OAAM Second Factor Authentication – OTP via Email or SMS

Pre-Requisite: OAAM Advanced TAP Integration with OAM
https://oraidam.wordpress.com/2018/02/14/oaam-advanced-integration-with-oam-tap-integration/

Enable OTP Anywhere Registration
Set below properties to true

bharosa.uio.default.register.userinfo.enabled
bharosa.uio.default.userpreferences.userinfo.enabled

Login to OAAM admin console, go to properties
firefox_2018-02-14_13-44-27firefox_2018-02-14_13-45-11

Setting Properties in OAAM for User Messaging Service
set below properties

bharosa.uio.default.ums.integration.webservice http://identity.oracleads.com:8001/ucs/messaging/webservice

bharosa.uio.default.ums.integration.useParlayX
false

bharosa.uio.default.ums.integration.userName
workflow.admin@oracleads.com

bharosa.uio.default.ums.integration.password
Oracle123

bharosa.uio.default.ums.integration.fromAddress
workflow.admin@oracleads.commkdir oaam_extensions

bharosa.uio.default.otp.optOut.enabled
true

SMS & Email Properties

bharosa.uio.default.challenge.type.enum.ChallengeEmail.available
true

bharosa.uio.default.userinfo.inputs.enum.email.enabled
true

bharosa.uio.default.challenge.type.enum.ChallengeSMS.otp
true

bharosa.uio.default.userinfo.inputs.enum.mobile.enabled
true

bharosa.uio.default.userinfo.inputs.enum.mobile.required
true

Configuring OTP Presentation (Optional)
If you intend to change the OTP device used for challenge change to pin pad change below property

bharosa.uio.default.ChallengeEmail.authenticator.device
DevicePinPad

Restart OAAM managed server for properties to take effect.

Configure OAAM Policy for Second Factor Authentication
Go to policies, select OAAM Post authentication Security policy
firefox_2018-02-14_15-57-18
Go to Rules, Add a new rule
firefox_2018-02-14_15-58-32
firefox_2018-02-14_15-59-08
firefox_2018-02-14_15-59-29
firefox_2018-02-14_15-59-45
Now go to OAAM Challenge group.
firefox_2018-02-14_16-01-51
Change the actions as follows
firefox_2018-02-14_16-14-51
firefox_2018-02-14_16-02-20
Now go to OAAM Challenge Policy
firefox_2018-02-14_16-03-51
In as below in Trigger Combinations tab and click on apply
firefox_2018-02-14_16-04-39

Testing
Demo: https://youtu.be/uHuhgaGmpQI

Advertisements

OAAM Strong Authentication – Knowledge Based Authentication (KBA)

Pre-Requisite: OAAM Advanced TAP Integration with OAM
https://oraidam.wordpress.com/2018/02/14/oaam-advanced-integration-with-oam-tap-integration/

KBA is a secondary authentication method. It is presented after successful primary authentication (for example, a user entering a single factor credentials, such as a user name and password) to improve authentication strength.

The KBA solution consists of securing an application using a challenge/response process where users are challenged with one or more questions to proceed with their requested sign-on, transaction, service, and so on.

Log in into OAAM admin console
Go to Policies –> OAAM Post authentication Security
2018-02-14_10-27-58
Go to Rules Tab and click on +
firefox_2018-02-14_10-29-33
Enter information as below
firefox_2018-02-14_10-31-08
Add a condition
firefox_2018-02-14_10-53-00
firefox_2018-02-14_10-50-39
Click apply
Now go to OAAM Challenge Policy –> Trigger Combinations
Change the 3rd trigger as shown below and apply
firefox_2018-02-14_10-56-43

Testing
Request the protected resource
http://identity.oracleads.com:7777
firefox_2018-02-14_11-00-19
firefox_2018-02-14_11-00-49
firefox_2018-02-14_11-01-18
firefox_2018-02-14_11-01-38

OAAM Advanced Integration with OAM (TAP integration)

In this integration OAAM Server acts as a trusted partner application. The OAAM Server uses the Trusted authentication protocol (TAP) to communicate the authenticated username to OAM Server after it performs strong authentication and risk and fraud analysis. The OAM Server then redirects the user to the protected resource.

Pre-requisites
OAM 11.1.2.3 is installed and configured
OHS server is installed and configured
OAM Webgate agent on OHS is registered with OAM

Creating the OAAM Admin Users and OAAM Groups
Log in to weblogic console
Navigate to security realms –> myrealm –> Users and Groups –> Users
Create new user, click on new
firefox_2018-02-12_21-33-11
Enter information and click ok
firefox_2018-02-12_21-43-45
Now click on newly created user
firefox_2018-02-12_21-44-20
Go to groups tab select all OAAM groups and click save
firefox_2018-02-12_21-45-15

Import the OAAM base snapshot
Base snapshot is locate in ORACLE_HOME/oaam/init
File: oaam_base_snapshot.zip
Start OAAM Admin Server and log into OAAM admin console with new user. OAAM Admin console URL is

http://oaam_managed_server_host:oaam_admin_managed_server_port/oaam_admin
http://identity.oracleads.com:14200/oaam_admin

Go to System Snapshots and click load from file.
firefox_2018-02-12_21-48-17
Select base snapshot file and click load
firefox_2018-02-12_21-49-48
image
Click restore
chrome_2018-02-12_22-23-53
image

Validate initial configuration of OAAM
Go to

http://host:port/oaam_server
http://identity.oracleads.com:14300/oaam_server

Enter any username click continue
firefox_2018-02-12_22-26-13
Enter password as “test”and click enter
firefox_2018-02-12_21-58-36
Click continue
firefox_2018-02-12_22-13-18
Click continue
firefox_2018-02-12_22-14-15
Enter security questions and answers (KBA) and click enter
firefox_2018-02-12_22-27-31firefox_2018-02-12_22-28-14
If you are not able to validate OAAM initial configuration as in above, you must fix it before proceeding further.

Register the OAAM Server as a Partner Application to OAM
If OAAM is registered with Access Manager as a partner application, OAAM will then be able to communicate with Access Manager via the Trusted Authentication Protocol (TAP) to communicate the authenticated user name to the OAM Server after it performs strong authentication, risk, and fraud analysis, and the OAM Server owns the responsibility for redirecting to the protected resource.

If authentication is successful and the user has the appropriate profile registered, Oracle Adaptive Access Manager constructs the TAP token with the user name and sends it back to Access Manager. Access Manager asserts the token sent back. After asserting the token, Access Manager creates its cookie and continues the normal single-sign on flow in which it redirects the user to the protected resource.

Create a keystore directory

export IAM_ORACLE_HOME=/app/Middleware/Oracle_IDM1
mkdir -p $IAM_ORACLE_HOME/TAP/TapKeyStore

Run wlst.sh and connect to weblogic

cd $IAM_ORACLE_HOME/common/bin
./wlst.sh

wls:/offline> connect()
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://identity.oracleads.com:7001

Run register command
registerThirdPartyTAPPartner(partnerName = “partnerName”, keystoreLocation=
“path to keystore”, password=”keystore password”, tapTokenVersion=”v2.0″,
tapScheme=”TAPScheme”, tapRedirectUrl=”OAAM login URL”)

registerThirdPartyTAPPartner(partnerName=”OAAMTAPPartner”,keystoreLocation=”/app/Middleware/Oracle_IDM1/TAP/TapKeyStore/mykeystore.jks”,password=”Oracle123″,tapTokenVersion=”v2.0″,tapScheme=”TAPScheme”,tapRedirectUrl=”http://identity.oracleads.com:14300/oaam_server/oamLoginPage.jsp”)

image

Adding a Password to the IAMSuiteAgent Profile
This profile is used by Oracle Adaptive Access Manager when integrating with Access Manager. When the IAMSuiteAgent profile is first created, it has no password. You must set a password before the profile can be used by Oracle Adaptive Access Manager for integration.
Log into oamconsole, click on agents
firefox_2018-02-12_22-47-51
Click search, select IAMSuiteAgent, update Access Client Password and click on applyfirefox_2018-02-12_22-49-10

Updating the Domain Agent Definition
Log into weblogic console
Navigate to security realms –> myrealm –> Providers , select IAMSuiteAgentfirefox_2018-02-12_22-51-41
Go to provider specific tab, click on lock and edit. Update agent passwordfirefox_2018-02-12_22-55-13
click on save and Activate Changes, restart weblogic servers

Verifying TAP Partner Registration
Login to oamconsole, go to Authentication Schemes
Open TAPScheme, edit as below and click apply
firefox_2018-02-13_09-26-09
Launch Oracle Access Management tester

cd IAM_ORACLE_HOME/oam/server/tester/
java –jar oamtest.jar

validate as shown below
VirtualBox_2018-02-13_09-29-14

Set up TAP integration properties in OAAM
Make sure oaam managed server is running

mkdir -p temp/oaam_cli
cp –r OAAM_HOME/oaam/cli/. temp/oaam_cli

Edit temp/oaam_cli/conf/bharosa_properties/oaam_cli.properties below fields, rest fields keep as it is

oaam.adminserver.hostname=identity.oracleads.com
oaam.adminserver.port=7001
oaam.db.url=jdbc:oracle:thin:@identity.oracleads.com:1521:orcl
#keystore location entered in registerThirdPartyDAPPartner command
oaam.uio.oam.tap.keystoreFile=/app/Middleware/Oracle_IDM1/TAP/TapKeyStore/mykeystore.jks
#partnername entered in registerThirdPartyDAPPartner command
oaam.uio.oam.tap.partnername=OAAMTAPPartner
oaam.uio.oam.host=identity.oracleads.com
oaam.uio.oam.port=5575
oaam.uio.oam.webgate_id=IAMSuiteAgent
#communication security between OAAM and OAM
oaam.uio.oam.security.mode=1
oaam.csf.useMBeans=true

Save changes to oaam_cli.properties
Set Middleware home and Java home variables

export ORACLE_MW_HOME=/app/Middleware
export JAVA_HOME=/app/Middleware/jdk160_29

cd temp/oaam_cli/
chmod 777 setupOAMTapIntegration.sh

Run the OAAM setup integration script using the following command

./setupOAMTapIntegration.sh conf/bharosa_properties/oaam_cli.properties

Note: Enter the details on prompt. I have assigned all OAAM groups to default “”weblogic” user from weblogic console security realm. And used it as OAAM admin user

image
image
image
image
image
image

Configure Application Domain to use TAPScheme
Go to oam admin console, click on Application domains –> Application Domain –> Select Application Domain
Go to Authentication Policies and select Protected policy
firefox_2018-02-13_10-42-51Change the authentication scheme to TAPScheme and click on apply.
firefox_2018-02-13_10-43-40

now go to Application Domain –> IAM Suite –> Authentication Policies –> Select “Protected HigherLevel Policy”. Make sure /oamTAPAuthenticate is protected by LDAPSchemefirefox_2018-02-13_11-08-20

Testing
Make sure OHS, OAM and OAAM Managed servers are up and running.
Hit the TAPScheme protected resource
http://identity.oracleads.com:7777
Enter username click on continue
firefox_2018-02-13_11-11-54
Enter password click on enter
firefox_2018-02-13_11-12-30
Click continue for registrationfirefox_2018-02-14_08-23-01
Click continuefirefox_2018-02-14_08-23-38Enter security question and answers, click enterfirefox_2018-02-14_08-24-16firefox_2018-02-14_08-24-46

Demo: https://youtu.be/TIXXGWwM6oQ