Integrating Oracle Access Manager 11.1.2.2.0 with Oracle Mobile Authenticator

The following assumes a vanilla install of Oracle Access Manager 11.1.2.2.0, with all the default port values. No further customization has been made. The Admin Server is to be the only service running during the configuration, otherwise the changes being made will occur in real time and you will be locked out of the OAM Console.

Configure Oracle Access Manager

Enable the Mobile and Social Service

  1. Log into the OAM Admin Console. Open a web browser to http://<servername>:7001/oamconsole/ and, when presented with the Forms Credential Collector, enter the credentials for the weblogic user.
  2. From the Launch Pad tab select Available Services under the configuration panel.
  3. Enable the Mobile and Social Service by clicking the Enable button next to the Mobile and Social entry.
  4. Once enabled, close the Available Services tab to return to the Launch Pad.

Configure OAuth for Oracle Mobile Authenticator

  1. From the Launch Pad select the OAuth Service link within the Mobile and Social panel.
  2. The OAuth Identity Domains tab should now be visible.
  3. Select the Default Domain link within the OAuth Identity Domains table.
  4. The Default Domain tab should now be visible.
  5. Select the Resource Servers tab.
  6. Within the User Profile Services panel select the UserProfile link.
  7. The UserProfile tab should now be visible.
  8. Expand the Resources URIs panel at the bottom of the page.
  9. The /secretkey tab should now be visible in the Resource URIs panel.
  10. Select the /secretkey tab.
  11. Expand the Attributes panel within the /secretkey tab.
  12. Update the following attributes to these values:
    basicauth.allowed true
    keyAttributeName mobile
  13. Click the Apply button to save the changes.
  14. Once successful you should have a Confirmation saying that the changes were saved successfully.
  15. Close the following tabs: UserProfile, DefaultDomain, OAuth Identity Domains.

Create Instance of TOTPModule

  1. From the Launch Pad select the Authentication Modules link within the Access Manager panel.
  2. The Authentication Modules tab should now be visible.
  3. In the Search panel, enter TOTPModule in the Name field and click the Search Button.
  4. In the Search Results panel click on TOTPModule link.
  5. The TOTPModule tab should now be visible.
  6. In the Authentication Module panel click the Steps tab.
  7. Select the OTPAuthentication Step and update the following values in the Step Details panel.
    KEY_OTP_SECRETKEY_ATTRIBUTE mobile
    KEY_IDENTITY_STORE_REF UserIdentityStore1
  8. Click the Save button in the Step Details panel.
  9. Click the Apply button in the Authentication Module panel.
  10. Once successful you should have a Confirmation saying that the changes were saved successfully.
  11. Close the following tabs: TOTPModule, Authentication Modules.

Configure TOTP Plugin parameters

  1. From the Launch Pad select the Plug-ins link within the Access Manager panel.
  2. The Plug-ins tab should now be visible.
  3. Select the TOTPPlugin link within the Plug-ins table and update the following values in the Plug-in Details: TOTPPlugIn panel.
    KEY_OTP_SECRETKEY_ATTRIBUTE mobile
    KEY_IDENTITY_STORE_REF UserIdentityStore1
  4. Click the Save button within the Plug-in Details: TOTPPlugIn panel.
  5. There is no notification saying whether the change was successful, so click on another plugin and then back on the TOTPPlugin to check that the details have been saved.
  6. Close the Plug-ins tab.

Create OTP Authentication Scheme

  1. From the Launch Pad select the Authentication Schemes link within the Access Manager panel.
  2. The Authentication Schemes tab should now be visible.
  3. In the Search panel, enter LDAPScheme in the Name field and click the Search Button.
  4. In the Search Results panel click on LDAPScheme link.
  5. The LDAPScheme tab should now be visible.
  6. Click the Duplicate button within the Authentication Scheme panel.
  7. Another tab titled LDAPScheme should now be visible.
  8. In the second LDAPScheme tab update the following details:
    Name TOTPScheme
    Authentication Module TOTPModule
    Challenge URL /pages/getOTP.jsp
  9. In the Authentication Scheme panel click the Apply button.
  10. Once successful you should have a Confirmation saying that the changes were saved successfully.
  11. Close the following tabs: TOTPScheme, LDAPScheme, Authentication Schemes.

Update IAMSuite Application Domain

  1. From the Launch Pad select the Application Domains link within the Access Manager panel.
  2. The Application Domains tab should now be visible.
  3. In the Search panel, enter IAM Suite in the Name field and click the Search Button.
  4. In the Search Results panel click on IAM Suite link.
  5. The IAM Suite tab should now be visible.
  6. In the Application Domains panel click the Authentication Policies tab.
  7. In the Authentication Policies table click on the OAM Admin Console Policy link.
  8. The IAM Suite: OAM Admin Con... tab should now be visible.
  9. Select the Advanced Rules tab within the Authentication Policy panel.
  10. The Advanced Rules tab should now be visible within the Authentication Policy panel.
  11. The Post-Authentication tab should now be visible within the Advanced Rules tab.
  12. Select the Post-Authentication tab.
  13. In the Post-Authentication panel click the + button.
  14. The Add Rule modal should now be visible; provide the following values:
    Rule Name OTP
    Condition 'true'=='true'
    If condition is true TOTPScheme
  15. Click the Add button.
  16. The Rule Name should now appear in the table.
  17. Click the Apply button within the Authentication Policy panel.
  18. Once successful you should have a Confirmation saying that the changes were saved successfully.
  19. Close the following tabs: IAM Suite: OAM Admin Con..., IAM Suite, Application Domains.

Start Oracle Access Manager Managed Instance

  1. Log into the WebLogic Admin Console. Open a web browser to http://<servername>:7001/console/ and, when presented with the Forms Credential Collector, enter the credentials for the weblogic user.
  2. In the Home Page panel under Domain Configurations, select the Servers link.
  3. The Summary of Servers panel should now be visible.
  4. Select the Control tab to bring up the list of servers available.
  5. Select the oam_server1 checkbox and click the Start button.
  6. Wait for the oam_server1 instance to start.

Configure Oracle Mobile Authenticator configuration page

In order for a user to have a One Time Pin generated, their device needs to be registered with Oracle Access Manager via the Mobile and Social OAuth service. To do this, a special link needs to be added to a web page that configures the Oracle Mobile Authenticator to add user accounts. Once the user has installed the OMA client on their device (through one of the following links, Android or iOS), they can click the special link to configure the device with their account. The format of the link is:

oraclemobileauthenticator://settings?LoginURL::=http://<servername>:14100/ms_oauth/resources/userprofile/secretkey

Create HTML Page with Link

  1. Create an HTML file called oma.html.
  2. Set its contents to:
[code lang="html" title="oma.html"]
<html>
  <head>
    <title>OMA Configuration</title>
  </head>
  <body>
    <!-- Replace <servername> with the host of the OAM managed server; 14100 is the default oam_server1 port -->
    <a href="oraclemobileauthenticator://settings?LoginURL::=http://<servername>:14100/ms_oauth/resources/userprofile/secretkey">Open Me</a>
  </body>
</html>
[/code]
  3. Upload the file to a webserver.

Configure Oracle Mobile Authenticator

  1. Install the Oracle Mobile Authenticator application via Android or iOS.
  2. Open a web browser on the device and enter the URL where oma.html was uploaded, e.g. http://<servername>:<port>/oma.html.
  3. The Oracle Mobile Authenticator will open informing that App configuration is about to be updated.
  4. The user will click the Accept button to continue
  5. Next the user will be asked to provide their credentials to log into the Oracle Access Manager.
  6. Once successful, the account will be shown with the current One Time Pin.

Access Oracle Access Manager Admin Console

Now that the One Time Pin configuration is complete, it is possible to test the service by connecting to the Oracle Access Manager Admin Console. The user should first be prompted for credentials via Forms, and then, upon successful credential validation, be prompted to supply a One Time Pin generated by the Oracle Mobile Authenticator application.

Connect to the OAM Admin Console

  1. Log into the OAM Admin Console. Open a web browser to http://<servername>:7001/oamconsole/ and, when presented with the Forms Credential Collector, enter the credentials for the weblogic user.
  2. The next screen should contain a single field, One Time Pin:.
  3. Open the Oracle Mobile Authenticator application; the One Time Pin for the weblogic user should be shown, with an indicator of when it is going to change. Try to select one that is not going to expire shortly, enter this value in the One Time Pin: field and press the Login button.
  4. If successful the Oracle Access Manager Admin Console should be presented.

Conclusion

I have tried my best to simplify the process and clean up some of the documentation mistakes that are present. For example, it took me a while to figure out that I needed to update the keyAttributeName field to reflect my attribute in LDAP, as otherwise I was getting a "secret key is already present" error message when trying to register an account with the Oracle Mobile Authenticator.

I also have not covered how to enable the TOTPPlugin with the Google Authenticator; this will be for another article. Next steps are to automate this via WLST and to add images to help guide the reader.

Any questions feel free to leave a comment and I will try my best to answer them as quickly as possible.