Configuring OTP through Email using OAM Adaptive Authentication Service
This post explains the steps for configuring OTP through Email using the OAM Adaptive Authentication Service. The Adaptive Authentication Service uses the SOA User Messaging Service (UMS) to send the notification, so you need a SOA server with UMS configured before enabling this feature.
An overview of the Adaptive Authentication Service feature in Oracle Access Manager 11g R2 PS3 is explained here.
The Adaptive Authentication Service has to be licensed and explicitly enabled in order to use it. Once the proper product license is procured, you can enable the Adaptive Authentication Service using the Oracle Access Management Console.
Enable Oracle Adaptive Service
The Adaptive Authentication Service can be enabled from the Available Services link on the Configuration launch tab of the Oracle Access Management Console.
Note: The Adaptive Authentication Service has to be licensed separately to use the second factor authentication feature.
To enable the Adaptive Authentication Service, follow these steps:
- Log in to the OAM Admin Console and click on the Configuration tab
- Navigate to Configuration -> Available Services
- Enable the Adaptive Authentication Service.
Follow these steps to configure the Email related settings in the Adaptive Authentication Plugin:
- Log in to the OAM Admin Console and click on the Application Security tab.
- Click on Authentication Plug-ins under Plug-ins
- Search for AdaptiveAuthenticationPlugin
- Click on the AdaptiveAuthenticationPlugin
- The configuration details of AdaptiveAuthenticationPlugin will be displayed.
For OTP through Email, the following configuration parameters are used. Update the parameters and save the configuration changes.
SFATypes - The second factor authentication methods that are enabled. For sending OTP through Email, make sure that Email is in the list; set it to Email alone if you are not using other SFA types.
Email_Enabled - Make sure that the Email_Enabled attribute is set to true.
IdentityStoreRef - Enter the user identity store where the user details are stored and the user is authenticated in the first level authentication.
After the first level authentication, the Adaptive Authentication plug-in searches this store for the user's Email attribute (and the attributes required for the other SFA types). If the identity store reference is not correct, an error page is displayed after the first level authentication.
UMSAvailable - Set the value to true.
UmsClientUrl - Enter the URL of the UMS client.
Note: If this attribute is not present, follow this link to fix the issue.
The Adaptive Authentication Service uses the Oracle SOA User Messaging Service to send the Email notification.
You need to configure the SOA UMS service with the Email server details for this. See this link for the steps to configure the SOA User Messaging Service for Email notification.
EmailField - Enter the name of the Email address attribute in the user identity store. The Adaptive Authentication plug-in fetches the value of this field to send the Email notification.
PinLength - The length of the OTP pin sent via Email.
PinChars - The characters used to generate the OTP. If you want only digits in the OTP, give only "0123456789".
EmailMsgSubject - The subject of the OTP notification Email.
EmailMsgFrom - The From address of the notification Email.
EmailMsgFromName - The From name of the notification Email.
Click on Save.
Next, validate the same settings in the authentication module:
- Click on the Application Security tab
- Navigate to Application Security -> Plug-ins -> Authentication Modules
- Search for AdaptiveAuthenticationModule
- Click on AdaptiveAuthenticationModule
- Click on the Steps tab and validate the configuration details entered above; update any Email related parameter that is missing.
- Validate IdentityStoreRef, UMSAvailable, UmsClientUrl, EmailField, Email_Enabled etc. and update the values if required.
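PinLength and PinChars together decide how large the OTP space is, and a short, digits-only code is only acceptable when it is generated with a CSPRNG, expires quickly, is single use and cannot be guessed with unlimited attempts. The following is an added illustration written for this post, not the Adaptive Authentication plug-in's own code, and OAM's internal generation and verification logic is not shown on the page; the PIN_LENGTH and PIN_CHARS values, the 300 second expiry and the three-attempt limit are constructed sample values. It goes beyond the two parameters above to show the surrounding controls that make such a code safe.

```python
import hmac
import math
import secrets
import time

# Constructed sample values mirroring the two plug-in parameters discussed above.
# They are illustrative only; OAM's own defaults are not shown on the page.
PIN_LENGTH = 6
PIN_CHARS = "0123456789"


def otp_keyspace_bits(pin_length, pin_chars):
    """Bits of entropy in an OTP of pin_length symbols drawn uniformly from pin_chars.

    Duplicate characters are collapsed: "00123456789" still has only ten symbols.
    """
    alphabet_size = len(set(pin_chars))
    if pin_length <= 0 or alphabet_size < 2:
        raise ValueError("need a positive length and at least two distinct characters")
    return pin_length * math.log2(alphabet_size)


def generate_otp(pin_length=PIN_LENGTH, pin_chars=PIN_CHARS):
    """Draw an OTP with the CSPRNG in `secrets`; `random.choice` is not suitable here."""
    alphabet = sorted(set(pin_chars))
    if pin_length <= 0 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(pin_length))


class OtpStore:
    """Holds issued OTPs per user with an expiry and a bounded number of attempts.

    The keyspace of a 6-digit code is small (about 20 bits), so the code must be
    single use, short lived and protected against repeated guessing.
    """

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}          # user -> (otp, expires_at, attempts_left)

    def issue(self, user, pin_length=PIN_LENGTH, pin_chars=PIN_CHARS):
        otp = generate_otp(pin_length, pin_chars)
        self._pending[user] = (otp, self.clock() + self.ttl, self.max_attempts)
        return otp                  # returned only so the caller can e-mail it

    def verify(self, user, candidate):
        """True exactly once for the right code inside the window; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        otp, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        # Constant-time comparison so a timing side channel does not leak matching prefixes.
        if hmac.compare_digest(otp.encode(), candidate.encode()):
            del self._pending[user]  # single use: a replayed code is rejected
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self._pending[user]  # burned: the user must request a fresh code
        else:
            self._pending[user] = (otp, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    print("6 digits: %.1f bits" % otp_keyspace_bits(6, "0123456789"))
    print("8 mixed characters: %.1f bits" % otp_keyspace_bits(8, "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"))
    store = OtpStore()
    code = store.issue("alice")
    print("issued", code, "verify:", store.verify("alice", code), "replay:", store.verify("alice", code))
```

Widening PinChars beyond digits raises the entropy per position, but the expiry and attempt limit do far more for a code that is only six characters long.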
Configure Credentials for UMS
The Adaptive Authentication Service uses the Oracle SOA User Messaging Service (UMS) to send Email notifications. The OAM server needs the UMS credentials to send the notifications. Follow these steps to update the UMS credentials for the OAM server:
- Log in to the OAM EM console
- Expand WebLogic Domain, then right click on <Domain_Name> and navigate to Security -> Credentials
- In the Credentials page, click on OAM_CONFIG and then click on Create Key
- Enter the UMS key credentials and save. Make sure that OAM_CONFIG is selected in Select Map and Type is set to Password.
- Click on OK to save the configuration
Note: You can also create the umsKey using WLST scripts:
- For this, navigate to <MiddleWare_HOME>/common/bin
- Connect to the WebLogic server using connect() and enter the WebLogic Admin server details
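The WLST route in the note above, written out as an added example for this post (it is not a script from the page or from Oracle). The map name OAM_CONFIG and key name umsKey come from the steps above; the admin server host and port, the WebLogic admin user name and password, and the UMS user name and password are placeholders you must replace. createCred and listCred are the standard OPSS credential store commands available in WLST.

```jython
# Added example: create the UMS credential for OAM with WLST instead of the EM console.
# Run it with <MiddleWare_HOME>/common/bin/wlst.sh <this_script>.py
# All angle-bracket values are placeholders (assumptions), not values from the page.

# Connect to the Admin Server; the credential store commands are only available online.
connect('<weblogic_admin_user>', '<weblogic_admin_password>', 't3://<admin_host>:<admin_port>')

# Store the UMS user name and password under map OAM_CONFIG and key umsKey.
# This is the same credential the console creates with Type set to Password.
createCred(map='OAM_CONFIG', key='umsKey',
           user='<ums_user>', password='<ums_password>',
           desc='UMS credential for the OAM Adaptive Authentication Service')

# Read the entry back to confirm it was stored against the expected map and key
# before restarting or testing the OAM server.
listCred(map='OAM_CONFIG', key='umsKey')

disconnect()
exit()
```

Keep the script out of version control or pass the passwords in from a protected properties file, since the credential values appear in clear text here; the credential store itself holds them encrypted once createCred has run.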
Protecting the resource with AdaptiveAuthenticationScheme
The AdaptiveAuthenticationScheme is used for the second factor authentication. To view the configuration details of AdaptiveAuthenticationScheme:
- Click on the Application Security tab, navigate to Access Manager -> Authentication Schemes and search for AdaptiveAuthenticationScheme
- Click on AdaptiveAuthenticationScheme to view the details
Follow these steps to enable second factor authentication for a protected resource.
1. Create a test Authentication Policy and add the resource you want to protect. Configure the Authentication Scheme and other details for the first level authentication.
2. Click on the Advanced Rules -> Post-Authentication tab in the created Authentication Policy and click on Add
3. Enter the details as shown below,
Click Add to save.
Click on Apply to save the Authentication Policy.
Testing OTP through Email
1. Access your protected resource, enter the username/password for the first level authentication and submit.
2. The below screen will be displayed.
3. Select One Time Password through Email and select your email address.
4. You will receive an Email with the OTP.
5. In the next page, enter the OTP received by Email and click on Login.
6. The protected page will be displayed.