Adaptive Authentication Service for Second Factor Authentication in OAM11gR2 PS3

This post explains the Adaptive Authentication Service feature in Oracle Access Manager 11g R2 PS3.

Overview of Adaptive Authentication Service

Oracle Access Manager 11g R2 PS3 offers the Adaptive Authentication Service for multi-factor or second factor authentication. This feature can be enabled for applications that need additional security beyond normal user name and password authentication.

The Adaptive Authentication Service provides the ability to add multiple steps to the OAM authentication process. It delivers the second factor either as a One Time Pin (OTP) or as an Access Request (push) notification.

The following options are available in the Adaptive Authentication Service for second factor authentication:

  1. OTP through SMS
  2. OTP through Email
  3. OTP from Oracle Mobile Authenticator
  4. Access Request Notification from Oracle Mobile Authenticator

After successful first level authentication, the screen below is displayed to the user. The user selects an OTP option and enters the OTP to access the protected resource.

[Screenshot: Adaptive Authentication Service second factor selection page]

OTP through SMS

After successful first level authentication, if the OTP through SMS option is selected, the user receives the OTP by SMS at the mobile number registered in the system. After entering the OTP on the login page, the user is redirected to the requested page. The mobile number attribute in the user identity store is configured in the Adaptive Authentication Service so that the user's mobile number can be fetched to send the OTP.

Note: The Adaptive plugin needs the SOA User Messaging Service (UMS) to send the notifications, so you need to install SOA and configure UMS to enable the OTP through SMS option.

[Screenshot: Adaptive Authentication Service, OTP through SMS]

OTP through Email

After successful first level authentication, if the OTP through Email option is selected, the user receives the OTP at the email address registered in the system. After entering the OTP on the login page, the user is redirected to the requested page.

The email address attribute in the user identity store is configured in the Adaptive Authentication Service so that the user's email address can be fetched to send the OTP.

Note: The Adaptive plugin needs the SOA User Messaging Service (UMS) to send the notifications, so you need to install SOA and configure UMS to enable the OTP through Email option.

[Screenshot: Adaptive Authentication Service, OTP through Email]

OTP from Oracle Mobile Authenticator

To use this option, the user needs to download the Oracle Mobile Authenticator (OMA) app to the mobile device and configure it with OAM to generate the OTP for second factor authentication. Oracle Mobile Authenticator uses Time-based One Time Password (TOTP) to authenticate users.

A unique secret key is shared between Access Manager and the user. This secret key is used to generate the OTP for authentication.

In this scenario, after successful first level authentication, the user selects OTP from OMA and enters the OTP generated in the OMA app. If the OTP is valid, the user is redirected to the requested resource.

[Screenshot: Adaptive Authentication Service, OTP from Oracle Mobile Authenticator]

Access Request Notification from Oracle Mobile Authenticator

Access Manager sends an Access Request Notification to the notification server, which then pushes it to the user's configured device.

After first level authentication, the user selects Access Request Notification, and OAM sends an access request notification to the Apple push notification server or the Google notification server, depending on the device the user configured. The notification server then pushes the notification to the user's mobile device. If the user approves the request, the user is redirected to the requested resource.

In the next posts, I will explain the steps to configure OTP through Email and Oracle Mobile Authenticator.
