OAM 2FA Value-Added Module (VAM) Deployment Guide

SecureAuth www.secureauth.com +1 949-777-6959

Copyright Information

©2018. SecureAuth® is a registered trademark of SecureAuth Corporation. SecureAuth’s IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation.

For information on support for this module, contact your SecureAuth support or sales representative:

Email: [email protected]

Phone: +1.949.777.6959 or +1-866-859-1526

Website: https://www.secureauth.com/support or https://www.secureauth.com/contact


Table of Contents

Introduction ... 4

Prerequisites ... 4

VAM Deployment ... 5

Testing the Application ... 18


Introduction

This guide explains how to deploy the OAM 2FA Plug-In Value-Added Module (VAM) to connect SecureAuth IdP with Oracle Access Manager (OAM) and its supporting servers for Two-Factor Authentication (2FA).

The steps in this process are:

+ VAM Deployment

+ Testing the Application

Prerequisites

Before deploying the OAM 2FA Plug-In VAM, the following hardware and software must be in place:

+ Install and configure Oracle Server(s)

+ Make sure the latest version of Oracle Access Manager is on the Oracle server(s)

+ Install one or more SecureAuth IdP appliances with required realms


VAM Deployment

In order to use this VAM, perform the following steps:

1. From SecureAuth IdP Web Admin, create a new realm or access an existing realm in which the Authentication API will be enabled. This new SecureAuth API realm handles communications between SecureAuth IdP and OAM.

The API can be included in any realm with any Post Authentication event as long as the appropriate directory is integrated, and the necessary features are configured, based on the endpoints being used.

For more information on creating an API realm, refer to the Authentication API Guide.

2. Click to select the API tab.

3. At the ‘API Key’ section, check the ‘Enable API for this realm’ box.

4. At the API Credentials subsection, click the Generate Credentials button.

The Application ID and Application Key fields are populated with the required credential.

5. Click Select & Copy to copy the contents of these fields to a text file from which they can be copied to the required header configuration.

The application ID and key values are required in the header configuration. For more on creating and using the header, refer to the Authentication API Guide.

6. Check the ‘Enable Authentication API’ box under the ‘API Permissions’ section.

FIGURE 1. API Tab Page Example

7. Fill out the rest of this page as required.

8. Save changes to this page.

9. To include instructions for handling time-based passcodes and push notifications, perform the following substeps.


a. From the SecureAuth IdP Web Admin, click to select the Multi-Factor Methods tab.

b. Scroll down to the ‘Time-based Passcodes (OATH)’ section. A section like Figure 2 appears.

FIGURE 2. Time-Based Passcode and Mobile Login Requests Sections

c. To specify a passcode type, in the ‘Time-based Passcodes (OATH)’ section, supply values to the following fields.

Fields and Description/Recommendations

Time-based Passcodes: Select Enabled.

Passcode Length: Select a preferred length for the passcode. Default is 6 digits.

Passcode Change Interval: Enter the number of seconds this passcode is valid.

Passcode Offset: Enter the total number of minutes available for passcodes to be attempted (including passcode refresh) before lockout.

Cache Lockout Duration: Enter the number of minutes that must elapse before another passcode attempt can be made.
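As an added example (not SecureAuth IdP's own code), the following Python shows how the Passcode Length and Passcode Change Interval fields above map onto the OATH TOTP algorithm (RFC 6238) that time-based passcodes implement. It uses the RFC 6238 test seed as constructed input, and the clock-drift window in the verifier is an assumption of this example, not a setting from the guide.

```python
"""Added example: how the 'Time-based Passcodes (OATH)' settings map onto
the OATH TOTP algorithm (RFC 6238). Not SecureAuth IdP's own code."""
import hashlib
import hmac
import struct
import time

# Values mirroring the guide's fields (constructed for this example):
PASSCODE_LENGTH = 6            # "Passcode Length" (guide default: 6 digits)
PASSCODE_CHANGE_INTERVAL = 30  # "Passcode Change Interval", in seconds

# RFC 6238 test seed, a constructed input so the example runs offline.
# In a real deployment the per-user OATH seed is provisioned by the IdP.
TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = PASSCODE_LENGTH) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = PASSCODE_LENGTH,
         interval: int = PASSCODE_CHANGE_INTERVAL) -> str:
    """TOTP (RFC 6238): the counter is the number of whole intervals since the
    epoch, so the passcode changes every `interval` seconds (the guide's
    Passcode Change Interval)."""
    return hotp(seed, unix_time // interval, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                digits: int = PASSCODE_LENGTH,
                interval: int = PASSCODE_CHANGE_INTERVAL,
                drift_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `drift_steps` neighbours
    on either side to tolerate clock skew (an assumption of this example, not a
    guide setting). Compares in constant time and never stops early, so timing
    does not reveal which step matched; attempt limits and lockout (the guide's
    Passcode Offset and Cache Lockout Duration) are left to the IdP."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = unix_time // interval
    matched = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = hotp(seed, counter + delta, digits)
        matched |= hmac.compare_digest(expected.encode(), candidate.encode())
    return matched


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SEED, now)
    print(f"current {PASSCODE_LENGTH}-digit passcode: {code}")
    print("verifies:", verify_totp(TEST_SEED, code, now))
```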


d. If required, to specify parameters for push notification, scroll down to the ‘Mobile Login Requests (Push Notifications)’ section (as shown in Figure 2) and supply values to the following fields.

Fields and Description/Recommendations

Request Type: Select Passcode OTP + Accept/Decline.

Accept Method: Select User pushes “Accept” button.

Login Request Timeout: Enter the time this OTP is valid before timeout occurs.

Login Request Content:

  Company Name: Supply a name for the company/organization seeking the login request.

  Application Name: Supply a name for the application that is being requested.

Devices Allowed in User Profile:

  Max Device Count: Enter the maximum number of devices allowed to request login at the same time. -1 = no limit.

  When exceeding max count: Select an option specifying the response that results once the maximum device count has been exceeded. In this case, select Allow to replace.

  Replace in order by: When allowing a device to be replaced, select the option specifying the method used for that replacement. In this case, select Created Time.

e. Click Save to confirm changes made to this page.

If OTP or push notification is not required, skip this step and proceed to Step 10.

NOTE: Before a designated mobile device can receive and respond to a push notification, you must first download the necessary SecureAuth mobile app to that device and enroll the device as shown below:


10. Using a browser, download the SecureAuth.war and SaPlugin.jar files from the share file designated by your SecureAuth Account Manager once you have purchased the VAM.

11. Start the OAM server(s) on Windows. To do this:

a. Open Windows Services.

b. Scroll down to the OAM server names.

c. Right-click on each server in turn and start the service, if not already started.

FIGURE 3. Starting OAM Server Services

12. From the Windows prompt, open Command Prompt and enter the required location and command to start these designated Oracle database components.

Oracle Database Component and the command to enter from Command Prompt:

Node Manager:
cd C:\Oracle\Middleware\oim\wlserver_10.3\server\bin
startNodeManager.cmd

WebLogic server:
cd C:\Oracle\Middleware\oim\user_projects\domains\oam_domain\bin\
startWebLogic.cmd

OAM server:
cd C:\Oracle\Middleware\oim\user_projects\domains\oam_domain\bin
startManagedWebLogic oam_server1

Policy Manager:
cd C:\Oracle\Middleware\oim\user_projects\domains\oam_domain\bin
startManagedWebLogic oam_policy_mgr1


An example of the Command Prompt screen is shown in Figure 4.

FIGURE 4. Command Prompt Execution Example

13. Deploy SecureAuth.war on WebLogic. To do this:

a. From the command prompt, navigate to the domain directory where the WebLogic server exists.

WebLogic is the platform onto which the OAM Console is deployed.

b. Run the server startup script: either startWebLogic.cmd (for Windows) or startWebLogic.sh (for UNIX).

c. From a browser, launch the WebLogic Server Console. When prompted for the username and password, enter them.

d. Click the Lock & Edit button in the ‘Change Center’ section to set the server to edit mode.

e. Click the Deployments link in the ‘Domain Structure’ section.

f. In the Summary of Deployments section, click the Install button. The Install Application Assistant opens.

g. Click the upload your file(s) link.

h. Click the Browse button next to the Deployment Archive field. Browse to where you have the SecureAuth.war file installed, select the file, and click Open.

i. Click Next to upload the file to the Oracle WebLogic server.

j. Click the radio button next to the SecureAuth.war file, then click Next to continue the deployment.

k. Accept the default value to install the deployment as an application and click Next.

l. Accept all other default values and click Finish to start the deployment process.


A screen like Figure 5 appears.

FIGURE 5. WebLogic Install Application Assistant

14. Install SaPlugin.jar on the OAM server. To do this:

a. Open the Access Manager on the OAM server.

b. Click the Plug-ins tab.

c. Click Import Plug-in.

d. Browse to the SaPlugin.jar file and click Open.

The jar file now appears in the Plug-ins matrix as shown in Figure 6.

e. Click to select this file; the ‘Configuration Parameters’ tab page appears in the ‘Plug-in Details’ section.

f. Enter the host name as specified in SecureAuth IdP.

g. Copy the API ID and API Key you saved in Step 5 on page 5 to the ‘API ID’ and ‘API Key’ fields.

h. Enter the URL for the endpoint you specified in the SecureAuth IdP API realm in the ‘API EndPoint’ field.

i. Enter the URL for the SecureAuth IdP API realm in the ‘API Realm’ text field.

j. Specify the Fail Mode as required.

k. Save this information and exit.


An example of this screen appears in Figure 6.

FIGURE 6. OAM Plug-ins Screen Example


15. Start the Oracle HTTP Server/WebGate as shown in Figure 7.

FIGURE 7. Oracle Web Tier Instance Example

16. In a browser window, enter the URL to the Oracle Access Management Console.

17. Enter the correct user name and password.

The Access Management Console launchpad appears like Figure 8.

FIGURE 8. OAM Launchpad


18. Click to select the Available Services icon, then click the Configuration tab at the upper right, and make sure both the access manager and adaptive authentication services are enabled as shown in Figure 9.

FIGURE 9. OAM Launchpad Configuration (callout: Enable adaptive authentication)

Once launched, the Access Management console appears.

19. Add the saPlugIn to the Authentication Module. To do this:

a. From the ‘Access Manager’ section of the Access Management console, click Authentication Modules.

b. Click the Steps tab.

c. Click the + icon to add the plug-in.

d. Select the SaPlugin entry you added to WebLogic in Step 14 on page 10.


The plug-in entry appears as shown in Figure 10.

FIGURE 10. OAM Authentication Module Steps

e. Click to select the Steps Orchestration tab and make sure this plug-in is correctly orchestrated for appropriate response on success, on failure, and on error.

FIGURE 11. OAM Authentication Module Steps Orchestration


20. Designate the appropriate authentication scheme when this VAM is negotiating communication between SecureAuth IdP and OAM servers. To do this:

a. At the Access Manager menu, click to select Authentication Scheme. The Authentication Scheme page appears.

b. Supply values for each field as shown in Figure 12.

FIGURE 12. Authentication Scheme Example

The fields on this page include:

Fields and Description/Recommendations

Name: Enter a unique name for this scheme.

Description: If required, enter a description for this scheme.

Authentication Level: Select a level from the drop-down list. Recommended is 2.

Default: Uncheck this box since all values below are custom.


Challenge Method: Select FORM from the drop-down list.

Authentication Module: Select the saplug-in VAM name from the drop-down list.

Challenge URI: Enter the saplugin.jsp file name.

Context Type: Select customWar from the drop-down list.

Context Value: Enter /SecureAuth since this represents the directory where the SecureAuth IdP software resides.

21. Specify the application domain for this authentication policy. To do this:

a. At the Access Manager menu, click to select Authentication Policy.

b. Click + to add a new policy.

c. Provide a name for this new policy, a description, and select an authentication scheme as shown in Figure 13.

FIGURE 13. Authentication Policy Page

d. Select the Advanced Rules tab, then the Post-Authentication tab.

e. Click + Add to add a new rule.


The Add Rule dialog box appears like Figure 14.

FIGURE 14. Add Rule Dialog Box

f. Supply values to these fields as required.

Fields and Description/Recommendations

Rule Name: Enter a unique name for this rule.

Description: If required, enter a description for this rule.

Condition: Enter code indicating the condition under which this rule will apply.

Deny Access: Check or uncheck this box to indicate whether access should be denied if this condition occurs.

If condition is true: From the drop-down list, select the name of the policy created in this procedure.

22. Save changes you have made and exit.


Testing the Application

Once you have deployed this VAM and configured both SecureAuth IdP and OAM servers to use it, you should test it. To do this:

1. At a browser, enter the URI for OAM.

The Oracle Access Manager appears.

If this VAM is correctly configured, the first factor, username and password, for OAM appears.

2. Enter the correct username and password, then click Login.

The first screen appears prompting for the correct authentication method:


3. Click to select the authentication method.

If you select Send Text, Send Voice, or Send Email, a screen like this appears:

If you select Send Push, you are prompted to respond to the login request sent to your mobile device.

4. Perform one of these steps:

• If a passcode is sent to your device (via text, voice, or email), enter the passcode in the ‘Enter your passcode’ text box, then click Submit.

• Once you receive a push notification at your mobile device, respond to this notification.


The login screen should appear like this example: