
Oracle Access Management Suite Plus 11g R2 PS3 Bootcamp

Lab 10

Oracle Access Management - Access Manager 11g R2 PS3
OAM Authentication Plug-in

The following servers need to be running before you start this lab (start them if they are not
running; refer to Lab 0 for details on starting and stopping servers):

- OUD Server (startOUD.sh)
- Admin Server (startAdmin.sh)
- OAM Server (startOAM.sh)

You may have to start/stop/restart additional servers as per instructions in this lab.

All passwords used during this Lab are Oracle123 unless otherwise specified

Disclaimer : The Virtual Machine (or hosted) Image and other software are provided for use only
during the workshop. Please note that you are responsible for deleting them from your
computers before you leave. If you would like to try out any of the Oracle products, you may
download them from the Oracle Technology Network
(http://www.oracle.com/technology/index.html) or the Oracle E-Delivery Web Site
(http://edelivery.oracle.com)

Oracle Access Management Access Manager 11g R2 PS3


Lab 10 - 1 | P a g e

Contents

Lab Introduction (page 3)
Exercise 1 – Plug-in Development (page 3)
Exercise 2 – Deploying the Plug-In (page 5)
Exercise 3 – Create Authentication Module (page 10)
Exercise 4 – Deploy the Custom Login Page WAR (page 14)
Exercise 5 – Create an ECC Authentication Scheme (page 15)
Exercise 6 – Testing the Plug-in using ECC webgate (page 18)
Exercise 7 – Configuring the Sample WAR for DCC Authentication Scheme (page 20)
Exercise 8 – Create an Authentication Scheme for DCC Webgate (page 24)
Exercise 9 – Update the Authentication Policy (page 28)
Exercise 10 – Test the DCC Webgate (page 31)


Lab Introduction
In this lab we will go through how to develop and deploy the OAM authentication plug-in. We
will use the custom authentication plug-in with both ECC and DCC webgates.
This lab is based on the sample code found on OTN at
http://www.oracle.com/technetwork/indexes/samplecode/id-mgmt-1884959.html

Note: You need to complete Lab 1 before proceeding with this lab.

Exercise 1 – Plug-in Development


Introduction – Two plugins have been developed to demonstrate the MFA use cases and
authentication, including error code and secondary error message propagation.

MFASamplePlugin

This plugin demonstrates the MFA use cases. On the login page, if either the username or the
password is not submitted, this plugin returns a PAUSE status and forwards or redirects back for
credential collection.

This also shows how error/client plugin responses can be sent to the error/login page.

Plugin Configuration Parameters:

actiontype: This plugin configuration parameter indicates how the plugin directs the browser to
the login page to collect credentials, that is, whether the plugin performs a forward or a
redirect to the login page.

Possible values: FORWARD, REDIRECT_GET, REDIRECT_POST

FORWARD: The plugin assumes that in the case of ECC, the sample login WAR is deployed within
the same container as the OAM managed server and hence the plugin forwards to the login
page. The MFASamplePlugin uses UserAction to forward to the login page.

REDIRECT_GET: Plugin assumes that in the case of DCC, the sample login WAR is deployed in
an external container and hence the plugin redirects to the login page. The MFASamplePlugin
uses UserAction to redirect (with a GET operation) to the login page.

REDIRECT_POST: Plugin assumes that in the case of DCC, the sample login WAR is deployed
in an external container and hence the plugin redirects (with a POST operation) to the login
page.

Note: The same UserAction class is used to forward or redirect to the login page. The
actiontype Parameter is used to determine the action (forward vs. redirect).

loginPageURL: This plugin parameter is the URL to redirect/forward to in order to collect
credentials. In case of actiontype=REDIRECT_GET or REDIRECT_POST, this URL value should be a
fully qualified URL. In case of actiontype=FORWARD, this should be a relative URL.
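The forward-versus-redirect decision and the PAUSE behaviour described above, as an added Python model written for this page (it is not the OAM plug-in SDK and not Oracle's sample code; the function names and the ALLOWED_LOGIN_HOSTS allowlist are this example's own assumptions). It checks that loginPageURL has the shape the chosen actiontype requires, and returns PAUSE with the matching user action when form_username or form_password is missing:

```python
from urllib.parse import urlsplit

# Added illustration of the MFASamplePlugin behaviour described above. It is a
# plain-Python model, not the OAM plug-in SDK and not Oracle's sample code; the
# function names and ALLOWED_LOGIN_HOSTS are this example's own assumptions.
VALID_ACTION_TYPES = ("FORWARD", "REDIRECT_GET", "REDIRECT_POST")

# Assumption: hosts on which the login WAR may legitimately be deployed. In the
# lab both the OAM managed server and the Admin Server run on this host.
ALLOWED_LOGIN_HOSTS = {"identity.oracleads.com"}


def validate_plugin_config(actiontype, login_page_url):
    """Return a list of configuration problems (an empty list means OK).

    FORWARD needs a relative URL (the WAR lives in the OAM server's container);
    REDIRECT_GET and REDIRECT_POST need a fully qualified URL. For the redirect
    cases the host is also checked against ALLOWED_LOGIN_HOSTS, so a mistyped
    loginPageURL cannot send users and their credentials to an unknown host.
    """
    problems = []
    if actiontype not in VALID_ACTION_TYPES:
        problems.append(f"unknown actiontype {actiontype!r}")
        return problems
    parts = urlsplit(login_page_url)
    if actiontype == "FORWARD":
        if parts.scheme or parts.netloc or not login_page_url.startswith("/"):
            problems.append("FORWARD requires a relative URL such as /pages/MFALogin.jsp")
    else:
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"{actiontype} requires a fully qualified http(s) URL")
        elif parts.hostname not in ALLOWED_LOGIN_HOSTS:
            problems.append(f"login page host {parts.hostname!r} is not an allowed login host")
    return problems


def mfa_step(actiontype, login_page_url, submitted):
    """Model one execution of the MFA step for a request.

    submitted: the request parameters as a dict. If form_username or
    form_password is missing, the step returns PAUSE plus the user action that
    sends the browser to the login page (forward, or redirect with GET/POST).
    If both are present it returns SUCCESS so orchestration moves on to the
    AuthStep (SampleAuthPlugin), which does the actual credential check.
    """
    problems = validate_plugin_config(actiontype, login_page_url)
    if problems:
        return {"status": "FAILURE", "reason": "; ".join(problems)}
    missing = [p for p in ("form_username", "form_password") if not submitted.get(p)]
    if missing:
        action, method = {
            "FORWARD": ("forward", None),
            "REDIRECT_GET": ("redirect", "GET"),
            "REDIRECT_POST": ("redirect", "POST"),
        }[actiontype]
        return {"status": "PAUSE", "action": action, "method": method,
                "target": login_page_url, "missing": missing}
    return {"status": "SUCCESS", "username": submitted["form_username"]}


if __name__ == "__main__":
    ecc = mfa_step("FORWARD", "/pages/MFALogin.jsp", {})
    dcc = mfa_step("REDIRECT_GET",
                   "http://identity.oracleads.com:7001/SampleLoginWAR/pages/MFALogin.jsp",
                   {"form_username": "JKRAUSE", "form_password": "<password>"})
    print(ecc["status"], ecc["action"], ecc["target"])
    print(dcc["status"], dcc["username"])
```

Running the file shows the two paths the lab exercises: the ECC configuration (FORWARD to a relative page) pausing for credentials, and the DCC configuration (REDIRECT_GET to the WAR on the Admin Server) succeeding once both fields are present. The host check is the practical caveat: a fully qualified loginPageURL is a redirect target, so a typo in that parameter would send the browser, and the credentials it then posts, somewhere other than your login application.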

SampleAuthPlugin

This plugin demonstrates the authentication use case. It also shows examples of how primary
error codes and secondary error messages can be sent to the login/error page. This plugin uses
the username and password that were collected by the MFAPlugin. This plugin also demonstrates
how tokens, query string parameters, headers, etc. can be read from the request.

Plugin Development in JDeveloper


For the plugin development, four JARs are required from OAM. The following JARs can be obtained
from $ORACLE_HOME/Oracle_IDM1/oam/server/lib/plugin and need to be copied into the “lib”
folder under each of the JDeveloper project folders.

felix.jar
identity-provider.jar
oam-plugin.jar
utilities.jar

Note: You can open the project in JDeveloper by loading SamplePlugin.jws which is supplied as
part of the sample.

Summary – This section discussed the plug-in development and the functionality of the supplied
sample. The sample is located in /app/dummydata/Lab10. The sample is also available on OTN
using the link mentioned in the introduction section of this lab.


Exercise 2 – Deploying the Plug-In


Introduction – In this section we will import the already developed plug-ins and distribute them
to the OAM server.

Steps

1. Access the OAM console http://identity.oracleads.com:7001/oamconsole and login as
DCRANE/Oracle123

2. Click on Authentication Plug-ins under Plug-ins

3. Click on Import Plug-in

4. Click on Browse


5. Select the MFASamplePlugin.jar located at
/app/dummydata/Lab10/OAM_R2_Plugin_Sample/MFASamplePlugin/deploy. Click Open
to open the plugin.

6. Click on Import to import the plug-in

7. Now let’s import the second plug-in. Click on Import Plug-in again

8. Browse and select SampleAuthPlugin.jar located at
/app/dummydata/Lab10/OAM_R2_Plugin_Sample/SampleAuthPlugin/deploy. Click Open.

9. Click Import to import the plug-in

10. Now we need to Activate and Distribute the plug-in. Search for MFA in the search box.

11. Highlight the MFASamplePlugin and click on Distribute Selected

12. Now click on Refresh. You should see the status as Distributed

Note: If you don’t see the plug-in, scroll down to the end, refresh again and drag the scroll bar
again to see the imported plug-ins.

13. Scroll down and notice the parameter Action Type and Login Page. We will be deploying the
custom WAR for login page later.


14. Now highlight the plug-in again and click on Activate Selected.

15. Click on Refresh again and make sure that the status is Activated

16. Now we need to distribute and activate the second plug-in. Search for Sample

17. Select the plug-in and click on Distribute Selected


18. Click on Refresh. The status should now be Distributed. Select the plug-in again and click on
Activate Selected

19. Refresh again and make sure that the status is Activated

Summary – In this section we have imported the custom authentication plug-ins, distributed
them and activated them.

Exercise 3 – Create Authentication Module


Introduction – We will now create an authentication module and use the two plug-ins we
deployed earlier.

Steps

1. In the OAM Console navigate back to Launch Pad and select Authentication Modules under
Plug-ins

2. Click on Create Custom Authentication Module

3. Provide the name as MFAAuthModule. Click Apply to create the module


4. Now let’s add the plug-ins. Click on the Steps tab, then on +

5. Specify the name as MFAStep and select MFASamplePlugin. Click OK

6. Click on + again to add second plug-in.

7. Specify the name as AuthStep and select SampleAuthPlugin. Click OK

8. You should see the plug-ins as shown. Click on Steps Orchestration tab

9. Specify the Initial Step as MFAStep. The success result of MFA Step should be AuthStep.
Also update the other status as shown.

Click on Apply to save the change


10. You should see a confirmation

Summary – In this section we have configured an authentication module used for performing
authentication later in this lab.

Exercise 4 – Deploy the Custom Login Page WAR

Introduction – Next let’s deploy the custom login page WAR file. For this sample we need to
deploy the WAR to the OAM managed server.

Steps

1. Access the WLS console http://identity.oracleads.com:7001/console and login as
weblogic/Oracle123

2. Click on Deployments -> Install

3. Select the SampleLoginWAR.war located in the
/app/dummydata/Lab10/OAM_R2_Plugin_Sample/SampleLoginWAR/deploy directory.
Click Next


4. Click Next

5. Select oam_server as the target. Click Next

6. Click Finish to deploy the WAR.

7. You should see the confirmation

Summary – In this section we have deployed the custom login page application (WAR)

Exercise 5 – Create an ECC Authentication Scheme

Introduction – Now we will create an authentication scheme for use with the ECC webgate. This
authentication scheme will use the authentication module we created earlier.

Steps

1. Login to the OAM console http://identity.oracleads.com:7001/oamconsole as
DCRANE/Oracle123

2. Click on Authentication Schemes under Access Manager

3. Click on Create to create a new scheme

4. Provide the following parameters

Name: ECCMFAAuthScheme
Auth Level : 2
Challenge Method : Form
Authentication Module: MFAAuthModule
Challenge URL : /pages/MFALogin.jsp
Challenge Redirect URL : /oam/server
Context Type : customWAR
Context Value : /SampleLoginWAR
Challenge Parameters: initial_command=NONE

Now click on Apply to create the Authentication Scheme.

Note: The challenge parameter is needed so that the auth scheme can indicate which credentials
need to be collected. In this example, the MFASamplePlugin looks for the “form_username” and
“form_password” parameters. Normally, for FORM based mechanisms, the framework expects
"username" and "password" to be submitted from the login page.

In case the auth scheme needs different form fields to be collected from the login page, it needs
to set this challenge parameter, so that instead of going directly to the login page, control
first comes to the plugin. The plugin can decide the names of the parameters it wants to collect
from the login page and forward or redirect to the page accordingly.

22. Make sure that you see the confirmation message

23. Now let’s associate this authentication scheme with an Authentication Policy. Navigate back
to the Launch Pad and click on Application Domains under Access Manager


24. Search for domains and click on webgate_1 to open it. We are using the ECC webgate for
this sample.

25. Navigate to the Authentication Policies tab and open the Protected Resource Policy.

26. Change the Authentication Scheme to ECCMFAAuthScheme. Click Apply to save the change.

Summary – In this section we have configured the authentication scheme and updated the
resources to use the newly created authentication scheme.

Exercise 6 – Testing the Plug-in using ECC webgate

Introduction – Now that we have configured all the components required to test the plug-in,
let’s test the configuration.

Steps

1. Start the OHS server using ./startOHS.sh

2. Access the protected page http://identity.oracleads.com:7777

3. You should see a challenge page. Notice the custom login page text CUSTOM LOGIN WELCOME


4. Enter the credentials JKRAUSE/Oracle123 and click Login

Note: If you have completed Lab 1, you might have changed the password of user
JKRAUSE. You can reset the password to Oracle123 using an LDAP browser, or use the
updated password.

5. You should be able to see the page

6. In the terminal from which the OAM server was started, scroll back; you can see the messages
from the plug-in


Summary – In this section we have tested the plug-in using the ECC web gate.

Exercise 7 – Configuring the Sample WAR for DCC Authentication Scheme

Introduction – In the last use case we used the ECC webgate for our sample custom login
application. In the next use case we will use a DCC webgate. For a DCC webgate it is assumed that
the custom login page is hosted in a separate container. Also, in web.xml the value of the
parameter “serverPostURL” should be modified to the fully qualified URL of the DCC OHS, i.e.
“http://DCC-OHShost:port/oam/server/auth_cred_submit”. So we need to update the sample
WAR file and redeploy it to the Admin Server. (In a production deployment you would deploy it
to a separate container altogether.)

The “SampleLogin” WAR file consists of the MFALogin.jsp and MFAError.jsp pages.

- web.xml entry - a parameter called “serverPostURL” has been added in the web.xml file.
This indicates the server URL that the login application posts the data to. Possible values for
this attribute differ for ECC and DCC mode.

- ECC mode - “/oam/server/auth_cred_submit”. This is the OAM server endpoint the login
app posts the data to.

- DCC mode - “http://DCC-OHShost:port/oam/server/auth_cred_submit”. The credentials are
submitted to the DCC endpoint, which then communicates them to the OAM server.

Steps

1. Open a terminal and navigate to
/app/dummydata/Lab10/OAM_R2_Plugin_Sample/SampleLoginWAR/deploy
2. Unzip the WAR file SampleLoginWAR.war
unzip SampleLoginWAR.war
3. Navigate to WEB-INF
cd WEB-INF
4. Open the web.xml file
gedit web.xml
5. Change the serverPostURL to
http://identity.oracleads.com:7778/oam/server/auth_cred_submit

Note: we are providing the host and port of the DCC webgate.

6. Save and close the file.
7. Now navigate back to
/app/dummydata/Lab10/OAM_R2_Plugin_Sample/SampleLoginWAR/deploy
8. Remove the current WAR file
rm SampleLoginWAR.war
9. Create a new WAR file
jar -cvf SampleLoginWAR.war *
10. Now let’s deploy the new WAR file to the Admin Server. Login to the WLS console
http://identity.oracleads.com:7001/console as weblogic/Oracle123
11. Locate the already deployed WAR file and click on Stop -> Force Stop Now


12. Click again on SampleLoginWAR and click Delete to delete the deployment

13. Now click on the Install button to install the WAR again

14. Pick the SampleLoginWAR and click Next


15. Choose the default. Click Next

16. Choose Admin Server as the target. Click Next

17. Click Finish to complete the install.

18. Now let’s update the OHS server with a mod_weblogic entry so that the DCC OHS can route the
requests to OAM. In a terminal navigate to
/app/Middleware/Oracle_WT1/instances/instance2/config/OHS/ohs1/moduleconf
19. Create a file oam.conf
touch oam.conf
20. Open the file using gedit and add the following. Save and close the file
gedit oam.conf

<Location /oam>
SetHandler weblogic-handler
WebLogicCluster identity.oracleads.com:14100
</Location>

<Location /mybank>
SetHandler weblogic-handler
WebLogicCluster identity.oracleads.com:14100
</Location>
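Steps 1 to 9 above edit serverPostURL by hand. The following added Python script, written for this page and not part of Oracle's sample, does the same rewrite on a copy of the WAR and refuses a value that does not fit the chosen mode: ECC must post to the relative OAM endpoint and DCC to a fully qualified URL on the DCC OHS ending in the same path. It assumes serverPostURL is a <context-param> in web.xml (the lab only says the parameter is in web.xml), and it replaces the sample WAR with a constructed minimal one so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Added example, not part of the lab or Oracle's sample. Assumption: web.xml
# carries serverPostURL as a <context-param>; adjust set_server_post_url and
# read_server_post_url if the real sample uses an <init-param> instead.
JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"
POST_PATH = "/oam/server/auth_cred_submit"


def check_server_post_url(value, mode):
    """ECC mode expects the relative OAM endpoint; DCC mode expects the fully
    qualified DCC-OHS URL whose path is that same endpoint."""
    parts = urlsplit(value)
    if mode == "ECC":
        return value == POST_PATH
    if mode == "DCC":
        return (parts.scheme in ("http", "https") and bool(parts.netloc)
                and parts.path == POST_PATH)
    raise ValueError(f"unknown mode {mode!r}")


def _context_params(root):
    """Yield (param-name text, param-value element) for each context-param."""
    for cp in root.iter():
        if not cp.tag.endswith("context-param"):
            continue
        name = next((c for c in cp if c.tag.endswith("param-name")), None)
        val = next((c for c in cp if c.tag.endswith("param-value")), None)
        if name is not None and val is not None:
            yield (name.text or "").strip(), val


def set_server_post_url(web_xml_bytes, new_value):
    """Return web.xml bytes with serverPostURL replaced by new_value."""
    ET.register_namespace("", JAVAEE_NS)  # keep the default namespace unprefixed
    root = ET.fromstring(web_xml_bytes)
    for name, val in _context_params(root):
        if name == "serverPostURL":
            val.text = new_value
            return ET.tostring(root, encoding="utf-8", xml_declaration=True)
    raise KeyError("serverPostURL context-param not found in web.xml")


def read_server_post_url(war_bytes):
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        root = ET.fromstring(z.read("WEB-INF/web.xml"))
    for name, val in _context_params(root):
        if name == "serverPostURL":
            return (val.text or "").strip()
    return None


def war_entries(war_bytes):
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return sorted(z.namelist())


def repackage_war(war_bytes, new_value, mode):
    """Rewrite WEB-INF/web.xml inside a WAR and return the new WAR bytes, after
    checking that new_value fits the chosen mode (ECC or DCC). Every other
    entry is copied unchanged."""
    if not check_server_post_url(new_value, mode):
        raise ValueError(f"{new_value!r} is not a valid serverPostURL for {mode} mode")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "WEB-INF/web.xml":
                data = set_server_post_url(data, new_value)
            dst.writestr(info.filename, data)
    return out.getvalue()


# Constructed stand-in for SampleLoginWAR.war: a minimal WAR carrying the ECC value.
SAMPLE_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>serverPostURL</param-name>
    <param-value>/oam/server/auth_cred_submit</param-value>
  </context-param>
</web-app>
"""


def build_sample_war():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", SAMPLE_WEB_XML)
        z.writestr("pages/MFALogin.jsp", b"<%-- constructed placeholder login page --%>")
    return buf.getvalue()


# The DCC webgate OHS host and port used in this lab.
DCC_URL = "http://identity.oracleads.com:7778/oam/server/auth_cred_submit"

if __name__ == "__main__":
    new_war = repackage_war(build_sample_war(), DCC_URL, "DCC")
    print(read_server_post_url(new_war), war_entries(new_war))
```

To apply it to the real file, pass the bytes of SampleLoginWAR.war to repackage_war and write the result back before redeploying; the mode check is what catches the kind of slip that is otherwise only noticed when the login POST goes to a non-existent endpoint.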

Summary – In this section we have updated the WAR file for use with the DCC webgate and we
have also updated the moduleconf in OHS so that it can direct the requests to OAM.

Exercise 8 – Create an Authentication Scheme for DCC Webgate

Introduction – Let’s create a new authentication scheme for the DCC webgate.

Steps

1. Login to the OAM Console http://identity.oracleads.com:7001/oamconsole as
DCRANE/Oracle123

2. Click on Authentication Schemes

3. Click on Create

4. Create the authentication scheme with the following

Name: DCCMFAAuthScheme
Auth Level : 2
Challenge Method : Form
Authentication Module: MFAAuthModule
Challenge URL : http://identity.oracleads.com:7001/SampleLoginWAR/pages/MFALogin.jsp
Challenge Redirect URL : http://identity.oracleads.com:7778
Context Type : external
Challenge Parameters: extracreds=cookie:DCCTestCookie
creds=form_username form_password


Click Apply to save the change.

Note: The “creds” parameter indicates the mandatory parameters that the DCC needs to collect
from the login page. When the login page posts to the DCC URL, the DCC checks whether the
mandatory parameters are available and then passes them to the server.

The “extracreds” parameter specifies all the optional parameters that the DCC needs to set. This
cookie name is given since the SampleAuthPlugin looks for a cookie “DCCTestCookie”.
The DCC checks whether this cookie is set and, if so, makes it available to the plugin. This is not
a mandatory parameter, and is used only because the plugin reads this cookie.

5. Next we need to update the parameters of Authentication Module MFAAuthModule for DCC
webgate.

Navigate back to Launch Pad and click on Authentication Modules


6. Search for MFA and open it

7. Click on the tab Steps


8. Update the following
LoginPageURL : http://identity.oracleads.com:7001/SampleLoginWAR/pages/MFALogin.jsp
Action type: REDIRECT_GET

Click on Save to save the changes.

9. Click on Apply. You should get confirmation of update
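How the challenge parameters of the two schemes shape credential collection, as an added Python model written for this page (not DCC or OAM code; the function names are this example's own, while the parameter names come from the ECCMFAAuthScheme and DCCMFAAuthScheme definitions). It covers the ECC note from Exercise 5 (initial_command=NONE hands control to the plug-in first) and the DCC note above (creds are mandatory, extracreds optional):

```python
# Added illustration of how challenge parameters drive credential collection.
# Plain-Python model written for this page, not DCC or OAM code; function names
# are this example's own, parameter names follow the lab's two schemes.


def parse_challenge_params(text):
    """Parse 'key=value' challenge parameters, one per line, as entered in the
    authentication scheme. A later duplicate key overwrites an earlier one."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def first_hop(params):
    """ECC: with initial_command=NONE control goes to the plug-in first, which
    then forwards or redirects to the login page; otherwise the framework
    sends the browser straight to the login page."""
    return "plugin" if params.get("initial_command") == "NONE" else "login_page"


def required_creds(params):
    """creds: whitespace-separated mandatory form fields."""
    return params.get("creds", "").split()


def extra_creds(params):
    """extracreds: whitespace-separated optional 'source:name' entries,
    e.g. cookie:DCCTestCookie -> ('cookie', 'DCCTestCookie')."""
    entries = []
    for item in params.get("extracreds", "").split():
        source, _, name = item.partition(":")
        entries.append((source, name))
    return entries


def dcc_collect(params, form, cookies):
    """Model the DCC check on a login-page POST.

    Returns (ok, payload). If any mandatory field is absent or empty the DCC
    does not call the server: ok is False and payload lists what is missing.
    Otherwise payload holds the mandatory fields plus any optional cookie that
    was actually present; an absent optional cookie is simply omitted.
    """
    mandatory = required_creds(params)
    missing = [name for name in mandatory if not form.get(name)]
    if missing:
        return False, {"missing": missing}
    payload = {name: form[name] for name in mandatory}
    for source, name in extra_creds(params):
        if source == "cookie" and name in cookies:
            payload["cookie:" + name] = cookies[name]
    return True, payload


# Constructed inputs mirroring the lab's two schemes.
ECC_PARAMS = parse_challenge_params("initial_command=NONE")
DCC_PARAMS = parse_challenge_params(
    "extracreds=cookie:DCCTestCookie\ncreds=form_username form_password")

if __name__ == "__main__":
    print(first_hop(ECC_PARAMS))
    print(dcc_collect(DCC_PARAMS, {"form_username": "JKRAUSE"}, {}))
    print(dcc_collect(DCC_PARAMS,
                      {"form_username": "JKRAUSE", "form_password": "<password>"},
                      {"DCCTestCookie": "constructed-value"}))
```

The second call shows the behaviour that matters when debugging a DCC login that never reaches the plug-in: a missing mandatory field is rejected at the DCC, so the OAM server log will show nothing for that attempt. The third shows that the optional cookie rides along only when the browser actually sent it, which is why Exercise 10 can demonstrate its propagation after a successful login.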


Summary – In this section we have created the DCC authentication scheme and updated the
parameters of the MFAAuthModule plug-in for the DCC webgate.

Exercise 9 – Update the Authentication Policy


Introduction – Now we will update the authentication policy to use the DCC authentication
scheme, and we will also exclude the OAM URLs.

Steps

1. Navigate back to Launch Pad and click on Application Domains

2. Search and open the domain webgate_2


3. Open the Protected Resource Policy under Authentication Policies


4. Update the following.

Authentication Scheme to DCCMFAAuthScheme
Failure URL to http://identity.oracleads.com:7001/SampleLoginWAR/pages/MFAError.jsp

Click Apply

Note: When an authentication error occurs, the user is redirected to the error page defined in
the sample WAR file.

5. Now we need to define OAM Server resources as excluded resources. Click on the Resources
tab and click on Create


6. Define /oamsso/ as an excluded resource as shown

Note: We are using the DCC webgate, which is installed on port 7778. The host identifier is
webgate_2

7. Follow the same procedure and define the following resources as excluded resources.

/oamsso/.../*
/oamsso-bin/login.pl
/favicon.ico
/SampleLoginWAR/.../*

Note: If any of these resources is already defined, skip it in the list above. Some of them
may have been defined in Lab 1.
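The excluded resources above exist so that the login application and the OAM SSO paths on the DCC webgate host are served without an authentication challenge; otherwise every redirect to the login page would itself be challenged. The following added Python check, written for this page and not OAM code, classifies constructed request paths against the lab's list. It uses a simplified reading of OAM resource patterns that is this example's assumption: a trailing /.../* matches the directory and everything beneath it, and otherwise path segments must match exactly, with * standing for one segment.

```python
from urllib.parse import urlsplit

# Added check over the lab's excluded-resource list for the DCC webgate (host
# identifier webgate_2). This page's own illustration, not OAM code. Assumed
# pattern reading: a trailing "/.../*" matches the directory and everything
# beneath it; otherwise segments compare exactly, "*" matching one segment.
EXCLUDED_RESOURCES = [
    "/oamsso/.../*",
    "/oamsso-bin/login.pl",
    "/favicon.ico",
    "/SampleLoginWAR/.../*",
]


def pattern_matches(pattern, path):
    if pattern.endswith("/.../*"):
        prefix = pattern[: -len("/.../*")]
        # "/oamsso/.../*" must not match "/oamsso-extra/...": require the "/"
        return path == prefix or path.startswith(prefix + "/")
    pattern_segs = pattern.strip("/").split("/")
    path_segs = path.strip("/").split("/")
    return len(pattern_segs) == len(path_segs) and all(
        p == "*" or p == s for p, s in zip(pattern_segs, path_segs))


def is_excluded(url, patterns=EXCLUDED_RESOURCES):
    # Only the path takes part in matching; query strings are ignored.
    path = urlsplit(url).path
    return any(pattern_matches(p, path) for p in patterns)


def classify(urls, patterns=EXCLUDED_RESOURCES):
    """Map each URL to 'excluded' (served without an authentication challenge)
    or 'protected' (subject to the Protected Resource Policy)."""
    return {u: ("excluded" if is_excluded(u, patterns) else "protected") for u in urls}


# Constructed request paths as the DCC webgate on port 7778 would see them.
SAMPLE_REQUESTS = [
    "/mybank/testheaders.jsp",
    "/SampleLoginWAR/pages/MFALogin.jsp",
    "/SampleLoginWAR/pages/MFAError.jsp?x=constructed",
    "/oamsso/logout.html",
    "/oamsso-bin/login.pl",
    "/oamsso-bin/other.pl",
    "/favicon.ico",
    "/oamsso-extra/index.html",
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_REQUESTS).items():
        print(f"{verdict:9} {url}")
```

The two "protected" verdicts for paths that merely look like the excluded ones (/oamsso-bin/other.pl and /oamsso-extra/index.html) are the point: an exclusion is a path-shaped hole in the policy, so it should be exactly as wide as the login flow needs and no wider.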

Summary – In this section we have updated the authentication policy to use the newly created
authentication scheme and we have also defined the resources that need to be excluded.

Exercise 10 – Test the DCC Webgate


Introduction – Now let’s test the DCC webgate, which invokes the sample WAR file we have deployed.

Steps

1. Stop the OHS running on 7777 by using Desktop/Stop_Scripts/stopOHS.sh

2. Start the DCC webgate OHS using startDCCOHS.sh

3. Now open a browser and access the mybank application
http://identity.oracleads.com:7778/mybank/testheaders.jsp

4. You should see the login page coming from the login application deployed on the Admin Server
(7001). Login as JKRAUSE/Oracle123


5. It should take you to the successful snoop page. Scroll down and observe that the cookie set
as part of the authentication scheme (under Challenge Parameters:
extracreds=cookie:DCCTestCookie) is propagated to this page after successful login

6. Close the browser.

7. Now let’s test the error propagation on the login page. The plug-in logic is written in such a
way that if the user who is logging in has a mobile phone number of fewer than 5 digits, the login
page will show the error. Use an LDAP browser and update the JKRAUSE user with a mobile
number such as 1234


8. Now open the browser and access the app
http://identity.oracleads.com:7778/mybank/testheaders.jsp. Try to login as
JKRAUSE/Oracle123
9. You should see the error in the page propagated by the plug-in

10. Update the mobile number to 5 or more digits and you should be able to login.

Summary – In this section we have tested the DCC webgate with the custom login page. We have
also seen the custom error getting propagated to the login page through the plug-in.
