Saturday, May 2, 2015

How to integrate OAM with Oracle Mobile Authenticator (OMA)

Integrate OAM 11g R2 PS2 and Oracle Mobile Authenticator

Assumptions:

-- Oracle Access Manager 11g R2 PS2 installed and configured
-- Oracle HTTP Server (OHS) installed
-- OAM WebGate for OHS 11g installed and configured

Click here to watch the testing demo video.

Steps:

-- Enable Mobile and Social Service in the OAM Admin Console (if not already enabled)

-- Configure OAuth for OMA (Oracle Mobile Authenticator)

-- Edit "TOTPModule" Authentication Module settings in OAM Admin Console

-- Configure the "TOTPPlugin" parameters under "Plug-ins" as shown in the screenshots below

-- Create a new OTP Authentication Scheme. In the screenshot below I duplicated the existing "LDAPScheme" to create the new OTP Authentication Scheme.

-- Update the Application Domain

Oracle Mobile Authenticator Configuration with Oracle Access Manager

-- Download and Install "Oracle Mobile Authenticator" App from "Google Play" or "Apple Store"
-- Create an HTML page with the content below and place it on any web server that is reachable from the mobile device on which OMA is installed

Sample

<html>
    <head>
        <title>Oracle Mobile Authenticator</title>
    </head>
    <body>
        <a href="oraclemobileauthenticator://settings?LoginURL::=http://<<HOSTNAME>>:14100/ms_oauth/resources/userprofile/secretkey">Click Here</a>
    </body>
</html>

-- Open the HTML page in the mobile device browser. It will switch to "Oracle Mobile Authenticator" and prompt you to update the settings. Click "Accept".

-- Click "OK".

-- Now click on "Sign In" 

-- Enter valid OAM credentials and click on "Submit".

-- If everything is correct and the credentials are valid, the one-time password account is configured as shown in the screenshot below.

Note: Multiple user accounts can be configured in the same Oracle Mobile Authenticator.

Sample Screenshot:

Testing:

-- Access an OAM-protected resource

-- Enter valid credentials and click "Login"

-- Get the One-Time Password from Oracle Mobile Authenticator for the account associated with the login ID "sivapokuri"

-- Enter the One-Time Password obtained from Oracle Mobile Authenticator and click "Login"

-- The welcome page is displayed.

Hope this will be useful!!

-- Siva Pokuri.

19 comments:

  1. Hi Siva,

    It is good that you are sharing knowledge and information with others via blogs.
    I will really appreciate on this.
    Please post if any new integrated applications like as below with scenarios not as routine

    OAM with JD Edwards
    OAM with Siebel CRM
    OAM with Security Tokens
    OAM with Sharepoint applications
    OAM with Oracle Retail products Integrations

  4. Hi Siva,

    What are valid OAM credentials? Does it mean the user should be able to log in to the OAM console?
    In our case, we have OUD configured. When we try to add an account, should the user be present in OUD, in the embedded WebLogic LDAP, or in both?

    Please help us out.

    Thanks,
    Pooja

    Replies
    1. I used the WebLogic embedded LDAP in this use case.

      User should be present in OAM user store.

      -- Siva Pokuri.

  5. Hi Siva,

    I have now configured it with the embedded LDAP. When I try to add an account in OMA, I get the error below.

    [2016-05-05T03:09:59.086-04:00] [oam_server1] [ERROR] [] [oracle.idaas.oauth.resourceserver] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000763,0] [APP: oam_server#11.1.2.0.0] Undefined HTTP METHOD in Resource Server : GET
    [2016-05-05T03:09:59.099-04:00] [oam_server1] [ERROR] [IDAAS-67011] [oracle.idaas.oauth.token] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000765,0] [APP: oam_server#11.1.2.0.0] Failed in authorization

    Kindly help me find which part of the configuration is wrong.

    Replies
    1. I am also getting the IDAAS-67011 error. Were you able to find a resolution?

    2. I got this error when I tried Basic Authentication flow with OMA app. After changing basicauth.allowed to true as given in http://2.bp.blogspot.com/-WE0kR16MCRA/VUUEx1w5I8I/AAAAAAAADm4/f-0ilQ5X0_M/s1600/14.jpg, it started working. By default, it is set to false so that OAuth is used instead of Basic Auth. OMA app can be configured to use OAuth flow as well.

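The two diagnostic lines quoted in the comment above are in Oracle Diagnostic Logging (ODL) format, where the leading bracketed fields carry the timestamp, server, level, message id and component, and the `tid` field itself contains nested brackets. The following Python is an added example (not part of the original post, and not an Oracle tool) that parses such lines with a nesting-aware splitter and flags ERROR records from the `oracle.idaas.oauth.*` components, which is the quickest way to surface the "Failed in authorization" / IDAAS-67011 condition in a large `oam_server1-diagnostic.log`. The first two sample lines are copied from the comment; the third is a constructed benign record (its ecid is a placeholder) included only for contrast.

```python
# Added example: parse ODL lines from the OAM diagnostic log and flag OAuth
# authorization failures. Sample input: the two ERROR lines quoted in the
# comment above plus one constructed NOTIFICATION line (placeholder ecid).
SAMPLE_LOG = """\
[2016-05-05T03:09:59.086-04:00] [oam_server1] [ERROR] [] [oracle.idaas.oauth.resourceserver] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000763,0] [APP: oam_server#11.1.2.0.0] Undefined HTTP METHOD in Resource Server : GET
[2016-05-05T03:09:59.099-04:00] [oam_server1] [ERROR] [IDAAS-67011] [oracle.idaas.oauth.token] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000765,0] [APP: oam_server#11.1.2.0.0] Failed in authorization
[2016-05-05T03:10:02.000-04:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000000000000000:00000000:000000000000:-8000-0000000000000001,0] [APP: oam_server#11.1.2.0.0] constructed benign record for contrast
"""


def _split_bracket_fields(line):
    """Return the leading [..] fields (nesting-aware) and the trailing free-text message."""
    fields = []
    i, n = 0, len(line)
    while i < n and line[i] == "[":
        depth, j = 0, i
        while j < n:
            if line[j] == "[":
                depth += 1
            elif line[j] == "]":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        fields.append(line[i + 1:j])
        i = j + 1
        while i < n and line[i] == " ":
            i += 1
    return fields, line[i:].strip()


def parse_odl_line(line):
    """Parse one ODL record into a dict; return None for non-record lines (stack traces etc.)."""
    fields, message = _split_bracket_fields(line.strip())
    if len(fields) < 5:
        return None
    record = {
        "timestamp": fields[0],
        "server": fields[1],
        "level": fields[2],
        "message_id": fields[3],   # empty for records without an id, e.g. the first sample line
        "component": fields[4],
        "message": message,
    }
    for extra in fields[5:]:       # "tid: ...", "userId: ...", "ecid: ...", "APP: ..."
        key, _, value = extra.partition(":")
        record[key.strip()] = value.strip()
    return record


def find_oauth_failures(log_text):
    """Return (timestamp, message_id, component, message) for ERROR records of the OAuth components."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_odl_line(raw)
        if rec and rec["level"] == "ERROR" and rec["component"].startswith("oracle.idaas.oauth"):
            hits.append((rec["timestamp"], rec["message_id"], rec["component"], rec["message"]))
    return hits


if __name__ == "__main__":
    for hit in find_oauth_failures(SAMPLE_LOG):
        print(" | ".join(hit))
```

Run it against a real log with `find_oauth_failures(open(path).read())`; a burst of IDAAS-67011 records from `oracle.idaas.oauth.token` around an OMA enrollment attempt is the signature of the mismatch between the flow OMA is using (Basic versus OAuth) and what the OAuth service is configured to accept, as the reply in this thread describes.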
  6. Hi Siva,
    Can we implement this 2-factor authentication on Oracle CRM On Demand?
    If so, do we need to buy the license separately for Oracle Access Manager, or is it provided by Oracle?

    Replies
    1. One-time PIN (OTP) is part of the OAM stack (I don't think you need a separate license). And yes, you can integrate with Oracle CRM.

      On the licensing I would suggest to double check with your account manager from Oracle.

      -- Siva Pokuri.

  7. I am looking for a way to generate Oracle Mobile Authenticator OTP on Linux. Oracle Mobile Authenticator is based on Google Authenticator. So I figured I should be able to use JAuth (Java based Google Authenticator Token generator app). But it seems like I am not able to initialize JAuth using the Secret generated by the Oracle Access Manager for the OTP. Any thoughts?

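The OTP step in the Testing section above and the question in this comment both come down to RFC 6238 TOTP: a shared secret, a 30-second time step, HMAC-SHA1 and dynamic truncation to six digits. The following Python is an added example, not part of the original post and not Oracle's implementation; it generates codes from a base32 secret and shows the server-side check a verifier like the OAM TOTP module has to perform (a small drift window plus replay rejection). The secret used is the published RFC 6238 test key, not one issued by OAM; that the OAM-issued secret is base32-encoded, as in Google Authenticator, is an assumption, so if a real key fails to decode, check the encoding the secretkey endpoint actually returns before concluding the algorithm differs.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" in base32): a published test
# value, NOT a secret issued by OAM. Assumption: OAM's secretkey endpoint returns
# a base32 key like Google Authenticator; replace this with your own enrolled key.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32):
    """Decode a base32 secret, tolerating lowercase, spaces and missing '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, digest=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_code(secret_b32, timestamp=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); current time if none given."""
    now = int(time.time()) if timestamp is None else int(timestamp)
    return hotp(decode_base32_secret(secret_b32), now // step, digits)


class TotpVerifier:
    """Server-side check: accept +/- `window` steps of clock drift, reject replayed codes."""

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.key = decode_base32_secret(secret_b32)
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time-step counter already accepted for this account

    def verify(self, candidate, timestamp=None):
        now = int(time.time()) if timestamp is None else int(timestamp)
        base = now // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue  # a code at or before the last accepted step is a replay
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, candidate):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("current code for the RFC test secret:", totp_code(RFC6238_SECRET_B32))
```

Two things the example makes visible for the OAM setup: the phone and the OAM server must agree on time to within the drift window or every code is rejected, and the base32 secret fetched from the `/ms_oauth/resources/userprofile/secretkey` URL in the sample page is the whole credential, so that enrollment endpoint should only ever be reached over TLS rather than the plain `http://` shown in the sample.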
  8. Hi Siva,

    Facing a similar problem as below. Any inputs?

    I have now configured it with the embedded LDAP. When I try to add an account in OMA, I get the error below.

    [2016-05-05T03:09:59.086-04:00] [oam_server1] [ERROR] [] [oracle.idaas.oauth.resourceserver] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000763,0] [APP: oam_server#11.1.2.0.0] Undefined HTTP METHOD in Resource Server : GET
    [2016-05-05T03:09:59.099-04:00] [oam_server1] [ERROR] [IDAAS-67011] [oracle.idaas.oauth.token] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000765,0] [APP: oam_server#11.1.2.0.0] Failed in authorization

    Kindly help me find which part of the configuration is wrong.

  9. Hello Siva, I went through the exercise and could generate the key with OUD users, but when I try to authenticate with the TOTP the screen just stays put and does not let me in. The OAM log shows me this:

    [2016-10-18T17:21:41.298-05:00] [oam_server1] [NOTIFICATION] [LIBOVD-20043] [oracle.ods.virtualization.accesslog] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000LVPsg_t3n3WjLxuHOA1O1ddp00000y,0] [APP: oam_server#11.1.2.0.0] conn=1 op=33 SRCH base=cn=Aurelia,cn=Users,dc=sat,dc=gob,dc=mx scope=base filter=objectclass=inetorgperson requestedAttributes=[uid, mail, sn, cn, description, orclguid, givenname, telephonenumber, objectclass, displayname] sizelimit=0 timelimit=0 typesOnly=false
    [2016-10-18T17:21:41.304-05:00] [oam_server1] [NOTIFICATION] [LIBOVD-20044] [oracle.ods.virtualization.accesslog] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000LVPsg_t3n3WjLxuHOA1O1ddp00000y,0] [APP: oam_server#11.1.2.0.0] conn=1 op=33 RESULT err=0 tag=0 nentries=1 etime=6 dbtime=0 mem=659,506,416/1,037,959,168
    [2016-10-18T17:21:41.307-05:00] [oam_server1] [NOTIFICATION] [LIBOVD-20043] [oracle.ods.virtualization.accesslog] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000LVPsg_t3n3WjLxuHOA1O1ddp00000y,0] [APP: oam_server#11.1.2.0.0] conn=1 op=34 SRCH base=cn=Users,dc=sat,dc=gob,dc=mx scope=sub filter=(&(objectclass=inetorgperson)(uid=yeya)) requestedAttributes=[uid, mail, sn, cn, description, orclguid, givenname, telephonenumber, objectclass, displayname] sizelimit=0 timelimit=0 typesOnly=false
    [2016-10-18T17:21:41.339-05:00] [oam_server1] [NOTIFICATION] [LIBOVD-20044] [oracle.ods.virtualization.accesslog] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000LVPsg_t3n3WjLxuHOA1O1ddp00000y,0] [APP: oam_server#11.1.2.0.0] conn=1 op=34 RESULT err=0 tag=0 nentries=1 etime=32 dbtime=0 mem=658,631,856/1,037,959,168

  10. Hi Siva,
    Can we implement 2FA (OTP + OMA) in OAM PS3?

  11. Hi Siva

    Can we implement this using Oracle Access Manager, or do we need Oracle Adaptive Access Manager?

    Regards
    Ashraf TP

  12. Is it possible to read the Mobile Authenticator OTP from OAM using a REST call?

    We are using challenge choice in OAAM, where the VOICE and SMS choices use custom REST calls to our custom generic service for multiple providers. I have added a Mobile Authenticator option to the Challenge Choice, which bypasses authentication in OAAM and uses the OAM Mobile Authenticator page, but if a user wants to select another challenge choice, it takes them back to the login page. If I had the page in OAAM and made the proper calls for validation, it would work as needed.
