OAM 2FA Value-Added Module (VAM) Deployment Guide
SecureAuth www.secureauth.com +1 949-777-6959
Copyright Information
©2018. SecureAuth® is a registered trademark of SecureAuth Corporation. SecureAuth’s IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation.
For information on support for this module, contact your SecureAuth support or sales representative: Email: [email protected]
Phone: +1.949.777.6959 or +1-866-859-1526 Website: https://www.secureauth.com/support https://www.secureauth.com/contact
Table of Contents
Introduction
  Prerequisites
VAM Deployment
Testing the Application
Introduction
This guide explains how to deploy the OAM 2FA Plug-In Value-Added Module (VAM) to connect SecureAuth IdP with Oracle Access Manager (OAM) and its supporting servers for Two-Factor Authentication (2FA).
The steps in this process are:
+ VAM Deployment
+ Testing the Application
Prerequisites
The hardware and software that must be installed before deploying the OAM 2FA Plug-In VAM includes:
+ Install and configure Oracle Server(s)
+ Make sure the latest version of Oracle Access Manager is on the Oracle server(s)
+ Install one or more SecureAuth IdP appliances with required realms
VAM Deployment
In order to use this VAM, perform the following steps:
1. From SecureAuth IdP Web Admin, create a new realm or access an existing realm in which the Authentication API will be enabled. This new SecureAuth API realm handles communications between SecureAuth IdP and OAM.
The API can be included in any realm with any Post Authentication event as long as the appropriate directory is integrated, and the necessary features are configured, based on the endpoints being used.
For more information on creating an API realm, refer to the Authentication API Guide.
2. Click to select the API tab.
3. At the ‘API Key’ section, check the ‘Enable API for this realm’ box.
4. At the API Credentials subsection, click the Generate Credentials button.
The Application ID and Application Key fields are populated with the required credential.
5. Click Select & Copy to copy the contents of these fields to a text file from which they can be copied to the required header configuration.
The application ID and key values are required in the header configuration. For more on creating and using the header, refer to the Authentication API Guide.
6. Check the ‘Enable Authentication API’ box under the ‘API Permissions’ section.
FIGURE 1. API Tab Page Example
7. Fill out the rest of this page as required.
8. Save changes to this page.
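The Application ID and Application Key generated in Step 4 are what the OAM plug-in later uses to sign every request it sends to this API realm. The Python below is an added illustration of that signing and of what the IdP side has to check; it is not SecureAuth or Oracle code. The string-to-sign layout, the header names (X-SA-Date and Authorization: Basic), the hex-decoded HMAC-SHA256 key and the path /SecureAuthAPI/api/v1/auth are assumptions drawn from my reading of the Authentication API Guide and must be confirmed against that guide; the credentials and the request body are constructed for the example.

```python
"""Signing a request to a SecureAuth IdP Authentication API realm.

Added illustration, not SecureAuth's or Oracle's code. ASSUMPTIONS to check
against the Authentication API Guide: the string-to-sign is METHOD, X-SA-Date,
Application ID and URL path joined by newlines (plus the JSON body for POST),
the HMAC-SHA256 key is the hex-decoded Application Key, and the Authorization
header is 'Basic base64(<application id>:<base64 signature>)'.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed credentials in the shape 'Generate Credentials' produces (hypothetical values).
APP_ID = "0123456789abcdef0123456789abcdef"
APP_KEY = "a1" * 32                         # 64 hex characters
API_PATH = "/SecureAuthAPI/api/v1/auth"     # hypothetical API realm path


def string_to_sign(method: str, date_hdr: str, app_id: str, path: str, body: str = "") -> str:
    parts = [method.upper(), date_hdr, app_id, path]
    if body:
        parts.append(body)
    return "\n".join(parts)


def sign(app_key_hex: str, message: str) -> str:
    key = bytes.fromhex(app_key_hex)
    mac = hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_headers(method: str, path: str, body: str, app_id: str, app_key_hex: str, when: datetime) -> dict:
    """Client side: what the plug-in does with the API ID and Key from Step 5."""
    date_hdr = format_datetime(when.astimezone(timezone.utc), usegmt=True)  # RFC 1123, 'GMT'
    sig = sign(app_key_hex, string_to_sign(method, date_hdr, app_id, path, body))
    token = base64.b64encode(f"{app_id}:{sig}".encode("ascii")).decode("ascii")
    return {"Authorization": f"Basic {token}", "X-SA-Date": date_hdr,
            "Content-Type": "application/json"}


def verify_request(method, path, body, headers, known_keys, now, max_skew=timedelta(minutes=5)) -> bool:
    """Server side: look up the key by Application ID, reject stale dates (this bounds
    replay of a captured request), recompute the MAC and compare in constant time."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return False
    try:
        app_id, _, presented = base64.b64decode(token).decode("ascii").partition(":")
        sent = parsedate_to_datetime(headers["X-SA-Date"])
    except (KeyError, TypeError, ValueError):
        return False
    if sent.tzinfo is None or app_id not in known_keys or abs(now - sent) > max_skew:
        return False
    expected = sign(known_keys[app_id], string_to_sign(method, headers["X-SA-Date"], app_id, path, body))
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    when = datetime(2018, 6, 24, 19, 17, 7, tzinfo=timezone.utc)
    body = json.dumps({"user_id": "jsmith", "type": "push_accept"})   # constructed sample body
    headers = build_headers("POST", API_PATH, body, APP_ID, APP_KEY, when)
    keys = {APP_ID: APP_KEY}
    return {
        "date": headers["X-SA-Date"],
        "ok": verify_request("POST", API_PATH, body, headers, keys, now=when),
        "tampered": verify_request("POST", API_PATH, body.replace("jsmith", "admin"), headers, keys, now=when),
        "stale": verify_request("POST", API_PATH, body, headers, keys, now=when + timedelta(hours=1)),
        "unknown_app": verify_request("POST", API_PATH, body, headers, {"other": APP_KEY}, now=when),
    }


if __name__ == "__main__":
    print(demo())   # {'date': 'Sun, 24 Jun 2018 19:17:07 GMT', 'ok': True, 'tampered': False, 'stale': False, 'unknown_app': False}
```

The date check is what limits replay of a captured signed request, and the constant-time comparison is what denies a timing oracle on the signature; both matter as much as keeping the Application Key itself out of logs and source control.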
9. To configure time-based passcodes (OATH) and push notifications for this realm, perform the following substeps.
a. From the SecureAuth IdP Web Admin, click to select Multi-Factor Methods tab.
b. Scroll down to the 'Time-based Passcodes (OATH)' section. A section like Figure 2 appears.
FIGURE 2. Time-Based Passcode and Mobile Login Requests Sections
c. To specify a passcode type, in the 'Time-based Passcodes (OATH)' section, supply values to the following fields.
Fields and description/recommendations:
Time-based Passcodes: Select Enabled.
Passcode Length: Select a preferred length for the passcode. Default is 6 digits.
Passcode Change Interval: Enter the number of seconds each passcode is valid.
Passcode Offset: Enter the total number of minutes available for passcodes to be attempted (including passcode refresh) before lockout.
Cache Lockout Duration: Enter the number of minutes that must pass before another passcode attempt is allowed.
d. If required, to specify parameters for push notification, scroll down to the ‘Mobile Login Requests (Push Notifications)’ section (as shown in Figure 2) and supply values to the following fields.
Fields and description/recommendations:
Request Type: Select Passcode OTP + Accept/Decline.
Accept Method: Select User pushes "Accept" button.
Login Request Timeout: Enter the time this OTP is valid before timeout occurs.
Login Request Content
  Company Name: Supply a name for the company/organization seeking the login request.
  Application Name: Supply a name for the application that is being requested.
Devices Allowed in User Profile
  Max Device Count: Enter the maximum number of devices allowed to request login at the same time. -1 = no limit.
  When exceeding max count: Select an option specifying the response that results once the maximum device count has been exceeded. In this case, select Allow to replace.
  Replace in order by: When allowing a device to be replaced, select the option specifying the method used for that replacement. In this case, select Created Time.
e. Click Save to confirm changes made to this page.
If OTP or push notification is not required, skip this step and proceed to Step 10.
NOTE: Before a designated mobile device can receive and respond to a push notification, you must first install the SecureAuth mobile app on that device and enroll the device in the user's profile.
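To make the 'Time-based Passcodes (OATH)' fields above concrete, here is an added Python illustration of a TOTP verifier that exposes the same knobs; it is not SecureAuth IdP's implementation. The passcode change interval is the RFC 6238 time step, the passcode length is the digit count, and an attempt window and lockout duration are modelled on 'Passcode Offset' and 'Cache Lockout Duration'. The size of the drift window, the failure threshold and the exact way the guide's fields map onto these parameters are assumptions; the seed is the RFC 6238 test vector, not a real user's secret.

```python
"""Illustrative TOTP verifier showing what the 'Time-based Passcodes (OATH)'
fields govern. Added example, not SecureAuth IdP's implementation: the mapping
of fields to parameters, the drift window and the failure threshold are assumptions."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class PasscodeVerifier:
    """
    change_interval  'Passcode Change Interval': seconds each passcode is valid (TOTP step)
    digits           'Passcode Length'
    drift_steps      adjacent steps also accepted, to tolerate clock drift (assumption)
    attempt_window   modelled on 'Passcode Offset': seconds in which failures are counted
    max_failures     failures tolerated inside that window before lockout (assumption)
    lockout          modelled on 'Cache Lockout Duration': seconds a locked user must wait
    """

    def __init__(self, secret: bytes, change_interval=30, digits=6, drift_steps=1,
                 attempt_window=5 * 60, max_failures=5, lockout=10 * 60):
        self.secret = secret
        self.change_interval = change_interval
        self.digits = digits
        self.drift_steps = drift_steps
        self.attempt_window = attempt_window
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = []          # timestamps of recent failed attempts
        self.locked_until = 0
        self.used_counters = set()  # counters already redeemed: a passcode is single-use

    def verify(self, code: str, now: int) -> str:
        """Returns 'ok', 'bad', 'replayed' or 'locked'."""
        if now < self.locked_until:
            return "locked"
        self.failures = [t for t in self.failures if now - t < self.attempt_window]
        base = now // self.change_interval
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + delta
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                if counter in self.used_counters:
                    return "replayed"      # correct, but already spent
                self.used_counters.add(counter)
                self.failures.clear()
                return "ok"
        self.failures.append(now)
        if len(self.failures) >= self.max_failures:
            self.locked_until = now + self.lockout
            self.failures.clear()
            return "locked"
        return "bad"


SECRET = b"12345678901234567890"   # RFC 6238 test-vector seed, not a real user's secret


def demo() -> list:
    v = PasscodeVerifier(SECRET, max_failures=3, lockout=600)
    good = totp(SECRET, 59)                  # counter 1 -> '287082'
    return [
        v.verify(good, 59),                  # ok
        v.verify(good, 60),                  # replayed: same counter, still in the drift window
        v.verify("000000", 100),             # bad
        v.verify("000000", 101),             # bad
        v.verify("000000", 102),             # locked: third failure inside the window
        v.verify(totp(SECRET, 150), 150),    # locked: lockout runs until 702 even for a valid code
        v.verify(totp(SECRET, 800), 800),    # ok: lockout expired, fresh counter
    ]


if __name__ == "__main__":
    print(demo())   # ['ok', 'replayed', 'bad', 'bad', 'locked', 'locked', 'ok']
```

Two behaviours are worth confirming in any deployment: a correct passcode must be single-use for as long as it remains valid (the 'replayed' result), and a locked user must stay locked for the full Cache Lockout Duration even when presenting a valid passcode.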
10. Using a browser, download the SecureAuth.war and SaPlugin.jar files from the file share designated by your SecureAuth Account Manager once you have purchased the VAM.
11. Start the OAM server(s) on Windows. To do this:
a. Open Windows Services.
b. Scroll down to the OAM server names.
c. Right-click on each server in turn and start the service, if not already started.
FIGURE 3. Starting OAM Server Services
12. From Windows, open Command Prompt and enter the location and command required to start each of these Oracle components, in this order:
Node Manager:
  cd C:\Oracle\Middleware\oim\wlserver_10.3\server\bin
  startNodeManager.cmd
WebLogic server:
  cd C:\Oracle\Middleware\oim\user_projects\domains\oam_domain\bin\
  startWebLogic.cmd
OAM server:
  cd C:\Oracle\Middleware\oim\user_projects\domains\oam_domain\bin
  startManagedWebLogic oam_server1
Policy Manager:
  cd C:\Oracle\Middleware\oim\user_projects\domains\oam_domain\bin
  startManagedWebLogic oam_policy_mgr1
An example of the Command Prompt screen is shown in Figure 4.
FIGURE 4. Command Prompt Execution Example
13. Deploy SecureAuth.war on WebLogic. To do this:
a. From the command prompt, navigate to the domain directory where the WebLogic server exists.
WebLogic is the platform onto which the OAM Console is deployed.
b. Run the server startup script: either startWebLogic.cmd (for Windows) or startWebLogic.sh (for UNIX).
c. From a browser, launch the WebLogic Server Console. When prompted for the username and password, enter them.
d. Click the Lock & Edit button in the ‘Change Center’ section to set the server to edit mode.
e. Click the Deployments link in the ‘Domain Structure’ section.
f. In the Summary of Deployments section, click the Install button. The Install Application Assistant opens.
g. Click the upload your file(s) link.
h. Click the Browse button next to the Deployment Archive field. Browse to where you have the SecureAuth.war file installed, select the file, and click Open.
i. Click Next to upload the file to the Oracle WebLogic server.
j. Click the radio button next to the SecureAuth.war file, then click Next to continue the deployment.
k. Accept the default value to install the deployment as an application and click Next.
l. Accept all other default values and click Finish to start the deployment process. Because the server is in edit mode, click Activate Changes in the 'Change Center' afterwards so the deployment takes effect.
A screen like Figure 5 appears.
FIGURE 5. WebLogic Install Application Assistant
14. Install SaPlugin.jar on the OAM server. To do this:
a. Open the Oracle Access Management Console on the OAM server.
b. Click the Plug-ins tab.
c. Click Import Plug-in.
d. Browse to the SaPlugin.jar file and click Open.
The jar file now appears in the Plug-ins matrix as shown in Figure 6.
e. Click to select this file; the 'Configuration Parameters' tab page appears in the 'Plug-in Details' section.
f. Enter the host name of the SecureAuth IdP appliance, as configured in SecureAuth IdP.
g. Copy the API ID and API Key you saved in Step 5 to the 'API ID' and 'API Key' fields.
h. In the 'API EndPoint' field, enter the URL of the endpoint you specified in the SecureAuth IdP API realm. Use an https:// URL so that the API traffic, which carries user identifiers and passcodes, is protected in transit.
i. Enter the URL for the SecureAuth IdP API realm in the 'API Realm' text field.
j. Specify the Fail Mode as required. This setting determines whether OAM allows or denies access when the plug-in cannot complete the second factor (for example, when SecureAuth IdP is unreachable); a fail-open setting admits users without 2FA in that situation, so choose it deliberately.
k. Save this information and exit.
An example of this screen appears in Figure 6.
FIGURE 6. OAM Plug-ins Screen Example
15. Start the Oracle HTTP Server/WebGate instance as shown in Figure 7.
FIGURE 7. Oracle Web Tier Instance Example
16. In a browser window, enter the URL to the Oracle Access Management Console.
17. Enter the correct user name and password.
The Access Management Console launchpad appears like Figure 8.
FIGURE 8. OAM Launchpad
18. Click to select the Available Services icon, then click the Configuration tab at the upper right, and make sure both the Access Manager and Adaptive Authentication services are enabled as shown in Figure 9.
FIGURE 9. OAM Launchpad Configuration (callout: Enable adaptive authentication)
Once launched, the Access Management console appears.
19. Add SaPlugin as a step in the Authentication Module. To do this:
a. From the 'Access Manager' section of the Access Management console, click Authentication Modules.
b. Click the Steps tab.
c. Click the + icon to add the plug-in.
d. Select the SaPlugin entry you imported in Step 14.
The plug-in entry appears as shown in Figure 10.
FIGURE 10. OAM Authentication Module Steps
e. Click to select the Steps Orchestration tab and make sure this plug-in is correctly orchestrated for the appropriate response on success, on failure, and on error. In particular, route both failure and error to a failure outcome, never to success, so that an error talking to SecureAuth IdP cannot skip the second factor.
FIGURE 11. OAM Authentication Module Steps Orchestration
20. Create the authentication scheme that OAM will use when this VAM negotiates between SecureAuth IdP and the OAM servers. To do this:
a. At the Access Manager menu, click to select Authentication Scheme. The Authentication Scheme page appears.
b. Supply values for each field as shown in Figure 12.
FIGURE 12. Authentication Scheme Example
The fields on this page include:
Fields and description/recommendations:
Name: Enter a unique name for this scheme.
Description: If required, enter a description for this scheme.
Authentication Level: Select a level from the drop-down list. Recommended is 2.
Default: Uncheck this box, since all values below are custom.
Challenge Method: Select FORM from the drop-down list.
Authentication Module: Select the SaPlugin authentication module from the drop-down list.
Challenge URI: Enter the saplugin.jsp file name.
Context Type: Select customWar from the drop-down list.
Context Value: Enter /SecureAuth, the context root of the SecureAuth.war you deployed on WebLogic in Step 13.
21. In the application domain, create an authentication policy that uses this scheme. To do this:
a. At the Access Manager menu, click to select Authentication Policy.
b. Click + to add a new policy.
c. Provide a name for this new policy and a description, and select the authentication scheme as shown in Figure 13.
FIGURE 13. Authentication Policy Page
d. Select the Advanced Rules tab, then the Post-Authentication tab.
e. Click + Add to add a new rule.
The Add Rule dialog box appears like Figure 14.
FIGURE 14. Add Rule Dialog Box
f. Supply values to these fields as required.
Fields and description/recommendations:
Rule Name: Enter a unique name for this rule.
Description: If required, enter a description for this rule.
Condition: Enter the condition expression under which this rule applies.
Deny Access: Check or uncheck this box to indicate whether access should be denied when this condition is met.
If condition is true: From the drop-down list, select the name of the policy created in this procedure.
22. Save changes you have made and exit.
Testing the Application
Once you have deployed this VAM and configured both SecureAuth IdP and the OAM servers to use it, you should test it. To do this:
1. At a browser, enter the URI for OAM.
The Oracle Access Manager appears.
If this VAM is correctly configured, the first factor, username and password, for OAM appears.
2. Enter the correct username and password, then click Login.
A screen appears prompting you to choose the second-factor authentication method.
3. Click to select the authentication method.
If you select Send Text, Send Voice, or Send Email, a passcode entry screen appears.
If you select Send Push, you are prompted to respond to the login request sent to your mobile device.
4. Perform one of these steps:
• If a passcode is sent to your device (via text, voice, or email), enter the passcode in the ‘Enter your passcode’ text box, then click Submit.
• Once you receive a push notification at your mobile device, respond to this notification.
On success, you are logged in and the protected OAM resource appears. Also confirm the negative cases: an incorrect or expired passcode and a declined push request must both end in a failed login, not in access to the resource.