Configuring OTP through Email using OAM Adaptive Authentication Service


This post explains the steps for configuring OTP through Email using the OAM Adaptive Authentication Service. The Adaptive Authentication Service uses the SOA User Messaging Service (UMS) to send the notification, so you need a SOA server with UMS configured before you can enable this feature.

An overview of the Adaptive Authentication Service feature in Oracle Access Manager 11g R2 PS3 is explained here.

The Adaptive Authentication Service has to be licensed and explicitly enabled in order to use it. Once the proper product license is procured you can enable the Adaptive Authentication Service using the Oracle Access Management Console.

Enable Oracle Adaptive Service
The Adaptive Authentication Service can be enabled from the Available Services link on the Configuration launch tab of the Oracle Access Management Console.

Note: The Adaptive Authentication Service has to be licensed separately in order to use the second-factor authentication feature.

To enable the Adaptive Authentication Service, follow the steps below:

  1. Log in to the OAM Admin Console and click on the Configuration tab.
  2. Navigate to Configuration -> Available Services.
  3. Enable the Adaptive Authentication Service.


Configure AdaptiveAuthenticationPlugin

Follow the steps below to configure the Email-related settings in the AdaptiveAuthenticationPlugin:

  1. Log in to the OAM Admin Console and click on the Application Security tab.


  2. Click on Authentication Plug-ins under Plug-ins.


  3. Search for AdaptiveAuthenticationPlugin.


  4. Click on the AdaptiveAuthenticationPlugin.
  5. The configuration details of the AdaptiveAuthenticationPlugin will be displayed.

For configuring OTP through Email, the following configuration parameters are used. Update the parameters and save the configuration changes.

SFATypes - The types of second-factor authentication (SFA) methods enabled. For sending OTP through Email, make sure that Email is in the list; add Email on its own if you are not using other SFA types.

Email_Enabled - Make sure that the Email_Enabled attribute is set to true.

IdentityStoreRef - Enter the user identity store where your user details are stored and where the user is authenticated in first-level authentication.

After first-level authentication, the adaptive authentication plug-in looks up the user's Email attribute (and the attributes required by the other SFA types) in this store. If the identity store reference is not correct, an error page is displayed after first-level authentication.

 


UMSAvailable - Set the value to true.

UmsClientUrl - Enter the value for UmsClientUrl.

Note: If this attribute is not present, follow this link to fix the issue.

The Adaptive Authentication Service uses Oracle SOA User Messaging Service to send the Email notification, so SOA UMS must be configured with your Email server details. Please check this link for the steps to configure SOA User Messaging Service for Email notification.

EmailField - Enter the name of the Email address attribute in the User Identity Store. The Adaptive Authentication plug-in fetches the value of this field to send the email notification.

 


PinLength - The length of the OTP pin sent via Email.

PinChars - The characters used for generating the OTP. If you want only digits in the OTP, give only "0123456789".

EmailMsgSubject - Email subject for the OTP notification.

EmailMsgFrom - From email address in the email notification.

EmailMsgFromName - From name in the email notification.
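The following is an added example, not Oracle's code and not how the plug-in is implemented internally. It models what PinLength and PinChars mean for the strength of the OTP that is emailed, and the checks a verifier on the server side needs so that the PIN is single-use, time-limited and compared in constant time. The function names, the 300-second validity window and the five-attempt limit are my assumptions; the digits-only PinChars value "0123456789" is the one suggested above.

```python
"""Model of OTP generation and verification driven by PinLength / PinChars.

Added example; the names and limits below are assumptions, not OAM settings.
"""
import hmac
import math
import secrets

# Values a practitioner might set in the plug-in. "0123456789" mirrors the
# digits-only PinChars suggested in the post.
PIN_CHARS = "0123456789"
PIN_LENGTH = 6
OTP_TTL_SECONDS = 300   # assumed validity window for an emailed OTP
MAX_ATTEMPTS = 5        # assumed limit before the challenge is invalidated


def otp_entropy_bits(pin_chars: str, pin_length: int) -> float:
    """Bits of entropy of an OTP drawn uniformly from the given alphabet.

    Six digits give just under 20 bits, which is why the attempt limit and
    the expiry in the verifier matter as much as the length itself.
    """
    alphabet = len(set(pin_chars))
    if alphabet < 2 or pin_length < 1:
        raise ValueError("PinChars needs >= 2 distinct characters and PinLength >= 1")
    return pin_length * math.log2(alphabet)


def generate_otp(pin_chars: str = PIN_CHARS, pin_length: int = PIN_LENGTH) -> str:
    """Draw every position with the CSPRNG (secrets), never the random module."""
    alphabet = "".join(sorted(set(pin_chars)))  # de-duplicate so draws stay uniform
    otp_entropy_bits(alphabet, pin_length)       # validates the parameters
    return "".join(secrets.choice(alphabet) for _ in range(pin_length))


class OtpChallenge:
    """Server-side state for one issued OTP: expiry, attempt counter, single use."""

    def __init__(self, otp: str, now: float, ttl: float = OTP_TTL_SECONDS):
        self.otp = otp
        self.expires_at = now + ttl
        self.attempts = 0
        self.consumed = False

    def verify(self, candidate: str, now: float) -> bool:
        """Return True only for the first correct, in-window submission."""
        if self.consumed or now > self.expires_at or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        # Constant-time comparison so timing does not leak matching prefixes.
        ok = hmac.compare_digest(candidate.encode(), self.otp.encode())
        if ok:
            self.consumed = True  # a replayed OTP must fail
        return ok


if __name__ == "__main__":
    print("entropy of 6 digits: %.1f bits" % otp_entropy_bits(PIN_CHARS, PIN_LENGTH))
    print("entropy of 8 alphanumerics: %.1f bits"
          % otp_entropy_bits("ABCDEFGHJKLMNPQRSTUVWXYZ23456789", 8))
    issued = generate_otp()
    challenge = OtpChallenge(issued, now=0.0)
    print("issued OTP:", issued, "accepted:", challenge.verify(issued, now=10.0))
    print("replay accepted:", challenge.verify(issued, now=11.0))
```

Raising PinLength or widening PinChars increases the entropy reported by otp_entropy_bits; the verifier's attempt limit and expiry are what keep a short numeric PIN from being guessed online.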

 


Click on Save.

Configuring AdaptiveAuthenticationModule

Click on Application Security Tab,

Navigate to Application Security -> Plug-ins -> Authentication Modules

Search for AdaptiveAuthenticationModule

Click on AdaptiveAuthenticationModule

Click on the Steps tab, validate the configuration details entered above, and update them if any Email-related parameter is missing.

Validate IdentityStoreRef, UmsAvailable, UmsClientUrl, EmailField, Email_Enabled and so on, and update the values if required.

Configure Credentials for UMS

The Adaptive Authentication Service uses Oracle SOA User Messaging Service (UMS) to send Email notifications, and the OAM server needs the UMS credentials to do so. Follow the steps below to configure the UMS credentials for the OAM server.

Log in to the OAM EM console.

Expand WebLogic Domain, right-click on <Domain_Name> and navigate to Security -> Credentials.


In the Credentials page, click on OAM_CONFIG and then click on Create Key.

Enter the UMS key credentials and save. Make sure that OAM_CONFIG is selected in Select Map and that Type is set to Password.

Click on OK to save the configurations


Note: You can also create umsKey using WLST scripts.

For this, navigate to <MiddleWare_HOME>/common/bin

Execute ./wlst.sh

Connect to the WebLogic Admin Server using connect() and enter the Admin Server details, then create the key:

createCred(map="OAM_CONFIG", key="umsKey", user="weblogic", password="welcome1")


Protecting the resource with AdaptiveAuthenticationScheme

 

The AdaptiveAuthenticationScheme is used for second-factor authentication. To view its configuration details,

click on the Application Security tab, navigate to Access Manager -> Authentication Schemes and search for AdaptiveAuthenticationScheme.


Click on AdaptiveAuthenticationScheme to view the details.

Follow the steps below to enable second-factor authentication for a protected resource.

1. Create a test Authentication Policy and add the resource you want to protect. Configure the Authentication Scheme and other details for the first-level authentication.

2. Now click on the Advanced Rules -> Post-Authentication tab in the created Authentication Policy and click on Add.

3. Enter the details as shown below:

[Screenshot: post-authentication rule details]

Click Add to save.

Click on Apply to save the Authentication Policy.

Testing OTP through Email

1. Access your protected resource, enter the username/password for first-level authentication and submit.

2. The screen below will be displayed.

[Screenshot: second-factor selection page]

3. Select One Time Password through Email and select your email address.

Click OK.

You will receive an Email with the OTP.

In the next page, enter the OTP received by Email and click on Login.

The protected page will be displayed.

1 Response

  1. Swagat Mohanty /

    Excellent note Jay. It will surely help to do the setup.
