Friday, June 12, 2015

OAAM policy risk evaluation in OAM policies(OAM 11g Identity Context)

OAAM policy risk evaluation in OAM policies


Steps

Login to OAAM Admin Console


Search for DAP token version property and change to v2.1 


Update OAAM TAP Token version from v2.0 to v2.1 in oam-config.xml file. 

Note: Since I have integrated OAM + OAAM already I changed OAM DAP token version in oam-config.xml file from "v2.0" to "v2.1". Else you can provide version v2.1 directly while executing ThirdParty TAP registration command(while OAM + OAAM integration)








Create a group for to hold all the restricted IP Addresses as shown in the screen shot below.


Add IP Address to the group






Create new OAAM Policy as post authentication




Create rule and condition to determine if user login in from restricted IP Address or not.





Select IP Address Group created initially from the drop down 


Click on Results Tab and enter score as "1"



Click on "Group Linking" and select "All Users"




Login to OAM Admin Console and click on "Application Domain".


Select the "ohs_webgate". This is the OHS webgate I have already created and used OAAM TAP Authentication Schema to protect resource.


Click on "Authentication Policies"


Click on "Protected Resource Policy"


Click on "Responses"


Add response as shown in the screen shot below.

This "session_risk_level" is the session attribute that passes as part of DAP token from OAAM to OAM after policy evaluation created in the above steps. 




Click on "Authorization Policies"


Click on "Protected Resource Policy"


Click on "Conditions"


Click on "+" sign


Enter the condition details as shown in the screen shot below.




Add Condition Details as shown in the screen shot below.

This is the "session_risk_level" session attribute returned from OAAM and the attribute value that gets "1"




Click on "Rules" tab and add new rule in the "Deny Rule" list and click "Apply".



Now test the protected application from two different machines!!!

-- Siva Pokuri.

No comments:

Post a Comment