Integrate OAM 11g R2 PS2 and Oracle Mobile Authenticator
Assumptions:
-- Oracle Access Manager 11g R2 PS2 installed and configured
-- Oracle HTTP Server(OHS) installed
-- OAM WebGate for OHS 11g installed and configured
Click Here to watch testing DEMO video!!!
Steps:
-- Enable Mobile and Social Service in the OAM Admin Console (if not already enabled)
-- Configure OAuth for OMA (Oracle Mobile Authenticator)
-- Edit the "TOTPModule" Authentication Module settings in the OAM Admin Console
-- Configure the "TOTPPlugin" parameters under "Plug-ins" as shown in the screenshots below
-- Create a new OTP Authentication Scheme. In the screenshot below I used the existing "LDAPScheme" and duplicated it to create the new OTP Authentication Scheme.
-- Update Application domain
Oracle Mobile Authenticator Configuration with Oracle Access Manager
-- Download and install the "Oracle Mobile Authenticator" app from "Google Play" or the "Apple App Store"
Sample HTML page containing the OMA configuration link (replace <<HOSTNAME>> with your OAM host):
<html>
<head>
<title>Oracle Mobile Authenticator</title>
</head>
<body>
<a href="oraclemobileauthenticator://settings?LoginURL::=http://<<HOSTNAME>>:14100/ms_oauth/resources/userprofile/secretkey">Click Here</a>
</body>
</html>
-- Click "OK".
-- Now click on "Sign In"
-- Enter valid OAM credentials and click on "Submit".
-- If everything is good and the credentials are valid, the One-Time Password is configured as shown in the screenshot below.
Note: Multiple user accounts can be configured in the same Oracle Mobile Authenticator.
Sample Screen Shot:
Testing:
-- Access OAM protected resource
-- Enter valid credentials and click "Login"
-- Get the One-Time Password from the Oracle Mobile Authenticator account associated with the login ID "sivapokuri"
-- Enter the One-Time Password obtained from Oracle Mobile Authenticator and click "Login"
-- The welcome page is displayed.
Hope this will be useful!!
-- Siva Pokuri.
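The arithmetic behind the "TOTPModule" step above, and behind what the authenticator app does with the secret obtained through the secretkey link, as an added example (not code from the original post or from Oracle): RFC 6238 TOTP with HMAC-SHA1, a 30 second step and 6 digits, plus the server-side check with a small skew window. It assumes the shared secret is handled as base32 text, which is what Google Authenticator-style apps expect; the page does not state the encoding OAM's secretkey endpoint returns, so that is the first thing to confirm when a third-party generator rejects the key.

```python
"""RFC 6238 TOTP generator and verifier (HMAC-SHA1, 30 s step, 6 digits).
Added example, not code from the post or from Oracle. Assumption: the shared
secret is exchanged as base32 text, as Google Authenticator-style apps expect."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def decode_base32_secret(secret: str) -> bytes:
    """Normalise a base32 secret: drop spaces, upper-case, restore '=' padding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` time steps to absorb clock skew
    between phone and server; constant-time comparison of each candidate."""
    counter = unix_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed demo key: base32 of the RFC 6238 test secret "12345678901234567890".
    demo_key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(demo_key, int(time.time())))
```

A wider window than one step makes a code valid for longer, so keep it at the smallest value that tolerates the phones' observed drift.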
Hi Siva,
It is good that you are sharing knowledge and information with others via blogs.
I really appreciate this.
Please post any new integrated applications like the ones below, with scenarios that are not routine:
OAM with JD Edwards
OAM with Siebel CRM
OAM with Security Tokens
OAM with Sharepoint applications
OAM with Oracle Retail products Integrations
Hi Siva,
What are valid OAM credentials? Does it mean the user should be able to log in to the OAM console?
In our case, we have OUD configured. When we try to add an account, should the user be present in OUD, in the embedded WebLogic LDAP, or in both?
Please help us out.
Thanks,
Pooja
I used the WebLogic embedded LDAP in this use case.
The user should be present in the OAM user store.
-- Siva Pokuri.
Hi Siva,
I have now configured it with the embedded LDAP. When I try to add an account in OMA, I am facing the error below.
[2016-05-05T03:09:59.086-04:00] [oam_server1] [ERROR] [] [oracle.idaas.oauth.resourceserver] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000763,0] [APP: oam_server#11.1.2.0.0] Undefined HTTP METHOD in Resource Server : GET
[2016-05-05T03:09:59.099-04:00] [oam_server1] [ERROR] [IDAAS-67011] [oracle.idaas.oauth.token] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000765,0] [APP: oam_server#11.1.2.0.0] Failed in authorization
Kindly help with which part of the configuration is wrong.
I am also getting the IDAAS-67011 error. Were you able to find a resolution?
I got this error when I tried the Basic Authentication flow with the OMA app. After changing basicauth.allowed to true as given in http://2.bp.blogspot.com/-WE0kR16MCRA/VUUEx1w5I8I/AAAAAAAADm4/f-0ilQ5X0_M/s1600/14.jpg, it started working. By default, it is set to false so that OAuth is used instead of Basic Auth. The OMA app can be configured to use the OAuth flow as well.
Hi Siva,
Can we implement this 2-factor authentication on Oracle CRM On Demand?
If so, do we need to buy the license separately for Oracle Access Manager, or is it provided by Oracle?
One-Time PIN (OTP) is part of the OAM stack (I don't think you need a separate license). And yes, you can integrate with Oracle CRM.
On the licensing I would suggest double-checking with your account manager from Oracle.
-- Siva Pokuri.
I am looking for a way to generate Oracle Mobile Authenticator OTPs on Linux. Oracle Mobile Authenticator is based on Google Authenticator, so I figured I should be able to use JAuth (a Java-based Google Authenticator token generator app). But it seems I am not able to initialize JAuth using the secret generated by Oracle Access Manager for the OTP. Any thoughts?
Hi Siva,
Facing a similar problem as below. Any inputs?
I have now configured it with the embedded LDAP. When I try to add an account in OMA, I am facing the error below.
[2016-05-05T03:09:59.086-04:00] [oam_server1] [ERROR] [] [oracle.idaas.oauth.resourceserver] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000763,0] [APP: oam_server#11.1.2.0.0] Undefined HTTP METHOD in Resource Server : GET
[2016-05-05T03:09:59.099-04:00] [oam_server1] [ERROR] [IDAAS-67011] [oracle.idaas.oauth.token] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: c7cdc23ed528d9c1:-4995642f:1547fa76e9f:-8000-0000000000000765,0] [APP: oam_server#11.1.2.0.0] Failed in authorization
Kindly help with which part of the configuration is wrong.
Hello Siva, I did the practice and I could generate the key with OUD users, but when I try to authenticate with the TOTP the screen just stays and does not let me go in. In the log OAM throws me this:
[2016-10-18T17:21:41.298-05:00] [oam_server1] [NOTIFICATION] [LIBOVD-20043] [oracle.ods.virtualization.accesslog] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000LVPsg_t3n3WjLxuHOA1O1ddp00000y,0] [APP: oam_server#11.1.2.0.0] conn=1 op=33 SRCH base=cn=Aurelia,cn=Users,dc=sat,dc=gob,dc=mx scope=base filter=objectclass=inetorgperson requestedAttributes=[uid, mail, sn, cn, description, orclguid, givenname, telephonenumber, objectclass, displayname] sizelimit=0 timelimit=0 typesOnly=false
[2016-10-18T17:21:41.304-05:00] [oam_server1] [NOTIFICATION] [LIBOVD-20044] [oracle.ods.virtualization.accesslog] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000LVPsg_t3n3WjLxuHOA1O1ddp00000y,0] [APP: oam_server#11.1.2.0.0] conn=1 op=33 RESULT err=0 tag=0 nentries=1 etime=6 dbtime=0 mem=659,506,416/1,037,959,168
[2016-10-18T17:21:41.307-05:00] [oam_server1] [NOTIFICATION] [LIBOVD-20043] [oracle.ods.virtualization.accesslog] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000LVPsg_t3n3WjLxuHOA1O1ddp00000y,0] [APP: oam_server#11.1.2.0.0] conn=1 op=34 SRCH base=cn=Users,dc=sat,dc=gob,dc=mx scope=sub filter=(&(objectclass=inetorgperson)(uid=yeya)) requestedAttributes=[uid, mail, sn, cn, description, orclguid, givenname, telephonenumber, objectclass, displayname] sizelimit=0 timelimit=0 typesOnly=false
[2016-10-18T17:21:41.339-05:00] [oam_server1] [NOTIFICATION] [LIBOVD-20044] [oracle.ods.virtualization.accesslog] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 0000LVPsg_t3n3WjLxuHOA1O1ddp00000y,0] [APP: oam_server#11.1.2.0.0] conn=1 op=34 RESULT err=0 tag=0 nentries=1 etime=32 dbtime=0 mem=658,631,856/1,037,959,168
Hi Siva,
Can we implement 2FA (OTP + OMA) in OAM PS3?
Yes.
Hi Siva,
Can we implement this using Oracle Access Manager, or do we need Oracle Adaptive Access Manager?
Regards
Ashraf TP
You do not need OAAM.
Is it possible to read the Mobile Authenticator OTP from OAM using a REST call?
We are using challenge choice in OAAM, where the VOICE and SMS choices use custom REST calls to our custom generic service for multiple providers. I have added a Mobile Authenticator option to the Challenge Choice, which bypasses authentication in OAAM and uses the OAM Mobile Authenticator page, but if a user wants to select another challenge choice, it takes them back to the login page. If I had the page in OAAM and made the proper calls for validation, it would work as needed.