
ATTENTION – AUDIO Options

Option 1: Voice Streaming – Computer Audio
- No need to dial in on a telephone; the Advisor Webcast can be heard through your computer speakers or an attached headset.
- Questions can be asked via the Q&A panel.

Option 2: Teleconference (Dial In)
- Requires telephone to dial in.
- Questions can be asked via the Q&A panel.
- Details:
  - Webinar ID: 854 060 727
  - US toll dial in: 1 646 558 8656
  - <2nd Country> toll dial in: +1 669 900 6833
  - International numbers available: https://oracle.zoom.us/u/aeCpOlt6dD

There will be silence until the Oracle Advisor Webcast begins


Copyright 2020, Oracle and/or affiliates. All rights reserved
Upcoming Advisor Webcast Schedule

 Check out Doc ID 740966.1 for all Webcasts.

 Select your product Oracle Fusion


Middleware

 Scan through the list of Upcoming Webcast


sessions.

 Register for the session of your interest.

 For upcoming Oracle Fusion Middleware


Advisor Webcasts & archived recordings,
see Doc ID 1456204.1

Oracle Support Advisor Webcast
OAM Native Password Policy

Robert Gollehon
FMW Support, Identity and Access Management
June 3, 2020
Proactive Resources for Tools, Training and Social Channels

Oracle Support Training and Resources: Doc ID 1959163.2

- Get Proactive Portfolio: Doc ID 432.1
- Oracle Support Essentials: Doc ID 553747.2
- My Oracle Support How To Videos: Doc ID 603505.2
- Product Support Advisor Webcasts: Doc ID 740966.1
- Oracle Support Accreditations: Doc ID 1583898.2

Learning formats covered: self-paced, session playback, live and interactive, high-level (concepts), deep-dive instruction (steps).

Social Channels. Stay informed via: My Oracle Support Community, Oracle Support Blogs, Twitter.

Learning is ongoing. Select and use learning options to meet your needs.
Safe harbor statement

The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, timing, and pricing of any features or functionality described for Oracle’s
products may change and remains at the sole discretion of Oracle Corporation.
OAM Native Password Policy Agenda

1. Introduction to OAM Password Policy Options
2. OAM 12c Password Policy
3. OAM 12c Password REST APIs
4. OAM 11g Password Policy (Reference Only)
5. References


OAM Native Password Policy Agenda

1 Introduction to OAM Password Policy Options



Introduction – OAM Password Policy Options

- OAM/OIG full integration
  - Available starting in OAM 11.1.1.5.0
- OAM 11g Native Password Policy
  - Available starting in OAM 11.1.2.0.0
  - OAM 12c maintains compatibility
- OAM 12c Native Password Policy
  - Available starting in OAM 12.2.1.3.0
- LDAP based password policy
  - Must be implemented externally to OAM using custom pages. OAM can detect a secondary error status from LDAP during login and pass it to the custom pages, but there is no additional support internal to OAM for an LDAP based policy.


Introduction – OAM/OIG Integration Password Management

- Complex setup requiring a large number of script runs
- Passwords managed via OIG
- Password expiry/lockout detection performed in OAM
- Forgot password implemented via challenge/response in OIG
- Self-registration accomplished through OIG
- Enforced in OAM for only the default (primary) user identity store
- Enforced using the out of the box LDAP authentication modules (LDAP and LDAPPlugin modules)


Introduction – OAM 11g Native Password Policy

- Relatively easy setup
- Password expiry/lockout enforced by OAM
- Password expiry/lockout toggling managed via direct LDAP manipulation
- Only one password policy can be applied across the system
- No support for Forgot Password functionality
- Password reset pages are customizable
- Enforced using the PasswordPolicyValidationModule
- Administered via the OAM Console


Introduction – OAM 12c Native Password Policy

- Relatively easy setup
- Password expiry/lockout enforced by OAM
- Password expiry/lockout toggling managed via direct LDAP manipulation or via the Password Management REST API
- Multiple password policies based on user store or group membership
- Forgot password available via the default page or via a custom page with OTP delivered using email, SMS, or Oracle Mobile Authenticator (OMA)
- Password reset pages are customizable
- Enforced using the PasswordPolicyManagementModule
- Additional policies administered using the REST API


OAM Native Password Policy Agenda

2 OAM 12c Password Policy



OAM 12c Native Password Policy

- Provides a fairly robust option for enforcing password policies during SSO login
- Only available in OAM 12.2.1.3.0 and later
- Implemented via the orclIDXIPFPerson object class
- Enforced via PasswordPolicyManagementModule (out of the box) using PasswordManagementPlugin
- Can use multiple different password policies, applied based on user identity store and group membership
- Policies are prioritized: for users matching more than one policy, the highest priority policy is applied
- If no policy matches for a user, the default policy is applied
- Allows management of account/password status via REST API
Implementing OAM 12c Native Password Policy

- Load the LDIF file corresponding to the appropriate directory type
- Configure the default password policy using the OAM console (or optionally using the REST API in 12c), as well as any additional policies using the REST API
- Select Enable Password Management on the User Identity Store screen (OAM console => Configuration => User Identity Stores) and configure any attributes for use in password validation
- Configure the Authentication Module and Scheme (defaults available out of the box)
- If desired, create a custom password change page as outlined in the OAM Developer’s Guide
- Protect resource(s) using the configured Authentication Scheme
- Configure the LDAP password policy to be less restrictive than the OAM policy
Implementing OAM 12c Native Password Policy
Loading LDIF files

- LDIF files which define the Password Policy attributes and objectclasses are provided in the $ORACLE_HOME/idm/modules/oracle.idm.ipf_12.2.2/scripts/ldap/ directory
- For the 12c policy, the *_OracleSchema.ldif files are used (the directory also contains files for the 11g policy)
- These can be loaded using an appropriate LDAP tool (ldapmodify, ldifde, LDAP browsers, etc.)
- LDIF files are provided for all supported LDAP user stores
- Make sure the Bind DN used by the OAM user store has adequate privileges to modify user attributes (including the user password)


Implementing OAM 12c Native Password Policy
Configuring Default Password Policy



Implementing OAM 12c Native Password Policy
Modify User Identity Store



Implementing OAM 12c Native Password Policy
Configuring Authentication Module



Implementing OAM 12c Native Password Policy
Configuring Authentication Module (Continued)



Implementing OAM 12c Native Password Policy
Plugin Parameters for PasswordManagementPlugin

- KEY_IDENTITY_STORE_REF – name of the user store to use for this plugin (should match the other steps; defaults to the default user store)
- NEW_USERPSWD_BEHAVIOR – determines whether new users, that is, users not already having the OAM password policy attributes set, will be forced to change password. Values: NOFORCEPASSWORDCHANGE (default) and FORCEPASSWORDCHANGE
- URL_REDIRECT – location of the password change page; the default is /oam/pages/ipf/ipfPswd.jsp (for the DCC default page, specify /oamsso-bin/login.pl)
- URL_ACTION – method used for retrieving the password change page: REDIRECT_POST (default), REDIRECT_GET, and FORWARD
- NEW_USERCHALLENGES_BEHAVIOR – not used/supported
Implementing OAM 12c Native Password Policy
Configuring Authentication Scheme



OAM 12c Native Password Policy
orclIDXIPFPerson ObjectClass Attributes

- orclloginattemptsctr – number of unsuccessful attempts since the last successful login
- orclpwdchangerequired – boolean numeric indicating whether the user must change password on next login (true indicating the password must change)
- orclaccountenabled – boolean numeric indicating whether the account is enabled
- orcluserpwdhistory – contains a list of prior passwords (when password history is enabled)
- orcluserpwdcreationdate – the date/time the current password was set (Zulu time)
- orcllastsuccessfullogindate – the date/time of the last successful login (Zulu time)
- orcllastfailedlogindate – the date/time of the last failed login attempt (Zulu time)
- orcllockouttime – the date/time the account was locked (Epoch time)
- orcluseraccountlocked – boolean numeric indicating whether the account is locked
- orcluserpwdneverexpires – boolean numeric indicating whether the user password is exempt from expiry
- orcllockedreason – reason code for the locking of the account
OAM 12c Native Password Policy
Password Policy Evaluation – Successful login

- User provides credentials
- OAM verifies that a unique user with the login attribute matching the provided username exists, obtaining the DN
- OAM attempts an LDAP bind using the DN and the provided user password
- Bind is successful. OAM resets the orclloginattemptsctr
- PasswordManagementPlugin verifies the user is not locked, is enabled, and the password hasn’t expired, and updates the orcllastsuccessfullogindate attribute
- If the password has expired, redirect to the password change page
- Otherwise, the session is created (assuming the user is not locked/disabled)


OAM 12c Native Password Policy
Password Policy Evaluation – Successful login, expired password

- If the password is expired, OAM will evaluate the password policies that apply to the user and pick the highest priority policy
- The change password page will be displayed, prompting the user for the old and new password based on the rules in the matching policy
- When a new password is submitted, the plugin verifies it adheres to the password rules (including complexity, history, etc.)
- If the password is valid, OAM updates the orcluserpwdcreationdate and the orclpwdchangerequired flag
- User is redirected to the success page


OAM 12c Native Password Policy
Password Policy Evaluation – Failed login

- User provides credentials
- OAM verifies that a unique user with the login attribute matching the provided username exists, obtaining the DN
- If the username does not exist, authentication fails at this point, obviously not updating user LDAP attributes (as the user does not exist)
- OAM attempts an LDAP bind using the DN and the provided user password
- Bind fails!
- PasswordManagementPlugin increments orclloginattemptsctr and sets orcllastfailedlogindate for the user
- If orclloginattemptsctr has reached the limit, the account is locked (setting orcllockedreason, orcllockouttime, and orcluseraccountlocked)
- User gets a meaningful error dictated by the configured error security mode

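An added example (not from the slides or from Oracle) that walks a constructed orclIDXIPFPerson entry through the successful-login, expired-password and failed-login flows the last three slides describe, in the order the slides give the steps. Assumptions: the lockout limit is the policy's maxIncorrectAttempts, orcllockedreason gets a placeholder code because the slides do not list OAM's values, and a max_password_age_days parameter stands in for the expiry period the slides do not show.

```python
import calendar
import time

# Constructed policy; the two field names are those the slides' PasswordPolicies
# REST payload uses. lockoutDuration is carried but not interpreted here.
POLICY = {"id": "5", "name": "Restrictive Policy", "maxIncorrectAttempts": 3, "lockoutDuration": 5}

# Assumption: the slides say orcllockedreason holds a reason code but do not list
# OAM's values, so a placeholder code is used.
LOCKED_REASON_PLACEHOLDER = "1"


def new_user_entry(dn):
    """Constructed LDAP entry with the orclIDXIPFPerson attributes the slides list."""
    return {
        "dn": dn,
        "orclloginattemptsctr": "0",        # failures since the last successful login
        "orclpwdchangerequired": "0",       # boolean numeric
        "orclaccountenabled": "1",
        "orcluseraccountlocked": "0",
        "orcluserpwdneverexpires": "0",
        "orcluserpwdcreationdate": "20200401120000Z",  # Zulu time
        "orcllastsuccessfullogindate": None,
        "orcllastfailedlogindate": None,
        "orcllockouttime": None,            # epoch seconds, set when locked
        "orcllockedreason": None,
    }


def zulu(epoch):
    return time.strftime("%Y%m%d%H%M%SZ", time.gmtime(epoch))


def from_zulu(value):
    return calendar.timegm(time.strptime(value, "%Y%m%d%H%M%SZ"))


def on_bind_failure(entry, policy, now):
    """Failed-login slide: bump the counter, stamp the failure, lock at the limit."""
    attempts = int(entry["orclloginattemptsctr"]) + 1
    entry["orclloginattemptsctr"] = str(attempts)
    entry["orcllastfailedlogindate"] = zulu(now)
    if attempts >= policy["maxIncorrectAttempts"]:
        entry["orcluseraccountlocked"] = "1"
        entry["orcllockouttime"] = str(int(now))
        entry["orcllockedreason"] = LOCKED_REASON_PLACEHOLDER
        return "locked"
    return "failed"


def on_bind_success(entry, now, max_password_age_days):
    """Successful-login slide. The counter is reset before the plugin's
    locked/enabled/expiry checks, exactly as the slide orders the steps, so a
    correct password on a locked account zeroes the counter but stays locked.
    max_password_age_days is an assumption standing in for the expiry period."""
    entry["orclloginattemptsctr"] = "0"
    if entry["orcluseraccountlocked"] == "1":
        return "locked"
    if entry["orclaccountenabled"] != "1":
        return "disabled"
    entry["orcllastsuccessfullogindate"] = zulu(now)
    age_days = (now - from_zulu(entry["orcluserpwdcreationdate"])) / 86400
    expired = entry["orcluserpwdneverexpires"] != "1" and age_days > max_password_age_days
    if expired or entry["orclpwdchangerequired"] == "1":
        return "change_password"        # redirect to the URL_REDIRECT page
    return "session_created"


def on_password_changed(entry, now):
    """Expired-password slide: after a valid new password OAM updates
    orcluserpwdcreationdate and clears the orclpwdchangerequired flag."""
    entry["orcluserpwdcreationdate"] = zulu(now)
    entry["orclpwdchangerequired"] = "0"
    return entry
```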


OAM Native Password Policy Agenda

3 OAM 12c Password REST APIs



OAM 12c Password REST APIs

- OAM Password Policy Management REST API
  - Used to manage password policies other than the default policy
- OAM Password Management REST API
  - Password Reset Status
  - Account Status
  - Lockout Status
  - Update Password
  - Used for OTP Password Reset
  - Used to obtain the password policies applying to specific users


OAM 12c Password REST APIs
Using Password Policy Management REST API

- Any policies other than the default policy must be created/managed using the OAM 12c Password Policy Management REST API
- The REST API supports the four standard CRUD operations (Create, Retrieve, Update, Delete)
- A Postman collection for this REST API (as well as for the Password Management REST API) is available in note 2458234.1
- Accessed on the OAM managed server host/port using the URI /oam/services/rest/access/api/v1/policy/PasswordPolicies
- Fully documented in the OAM Password Policy Management REST API Guide


OAM 12c Password REST APIs
Using Password Policy Management REST API (example)

- Sample creation of a password policy with cURL:

curl -u weblogic:<password> -X POST \
  -H 'content-type: application/json' \
  http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies \
  -d '[{"passwordPolicyInfo":{"id":"5","name":"Restrictive Policy","maxLength":40,"minLength":20,
        "startsWithAlphabet":false,"firstNameDisallowed":true,"lastNameDisallowed":true,
        "userIdDisallowed":true,"lockoutDuration":5,"maxIncorrectAttempts":3},
       "assignmentRule":{"idStoreRef":"OIDStore","priority":5,"passwordPolicyID":"5",
        "ruleType":2,"ruleValue":"RestrictedGroup"}}]'

- ruleType indicates whether this is a generic policy (1) applying to all users in the user store, or a group policy (2), applying to the group specified in the ruleValue attribute.
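As an added illustration (example code, not from the slides or from OAM) of ruleType 1 versus 2 and of the selection rule stated earlier in the deck (highest priority among matching policies, the default policy when nothing matches), the following uses constructed policy data in the same shape as the cURL payload above. It assumes a larger priority value wins, which the slides do not state, and the default policy values are constructed.

```python
RULE_TYPE_GENERIC = 1   # applies to every user in the rule's idStoreRef
RULE_TYPE_GROUP = 2     # applies to members of the group named in ruleValue

# Constructed list in the shape the slides' PasswordPolicies cURL payload uses.
POLICIES = [
    {"passwordPolicyInfo": {"id": "2", "name": "OID Policy", "minLength": 8, "maxLength": 30},
     "assignmentRule": {"idStoreRef": "OIDStore", "priority": 1, "passwordPolicyID": "2",
                        "ruleType": RULE_TYPE_GENERIC}},
    {"passwordPolicyInfo": {"id": "5", "name": "Restrictive Policy", "minLength": 20, "maxLength": 40},
     "assignmentRule": {"idStoreRef": "OIDStore", "priority": 5, "passwordPolicyID": "5",
                        "ruleType": RULE_TYPE_GROUP, "ruleValue": "RestrictedGroup"}},
]
# The default policy configured in the OAM console (constructed values).
DEFAULT_POLICY = {"id": "1", "name": "Default Policy", "minLength": 8, "maxLength": 30}


def rule_matches(rule, id_store, groups):
    """True if an assignmentRule covers a user from id_store holding the given groups."""
    if rule["idStoreRef"] != id_store:
        return False
    if rule["ruleType"] == RULE_TYPE_GENERIC:
        return True
    if rule["ruleType"] == RULE_TYPE_GROUP:
        return rule.get("ruleValue") in groups
    return False


def select_policy(policies, id_store, groups, default=DEFAULT_POLICY):
    """Pick the policy for a user: highest priority among matches, else the default.
    Assumption: a larger priority number wins; the slides do not state the direction."""
    matches = [p for p in policies if rule_matches(p["assignmentRule"], id_store, groups)]
    if not matches:
        return default
    return max(matches, key=lambda p: p["assignmentRule"]["priority"])["passwordPolicyInfo"]


def check_create_payload(payload):
    """Pre-flight checks on a create payload before POSTing it; returns problem strings."""
    problems = []
    for i, entry in enumerate(payload):
        info, rule = entry["passwordPolicyInfo"], entry["assignmentRule"]
        if rule["passwordPolicyID"] != info["id"]:
            problems.append("entry %d: passwordPolicyID must equal passwordPolicyInfo.id" % i)
        if rule["ruleType"] not in (RULE_TYPE_GENERIC, RULE_TYPE_GROUP):
            problems.append("entry %d: ruleType must be 1 (generic) or 2 (group)" % i)
        if rule["ruleType"] == RULE_TYPE_GROUP and not rule.get("ruleValue"):
            problems.append("entry %d: group rule needs the group name in ruleValue" % i)
        if info.get("minLength", 0) > info.get("maxLength", 10 ** 9):
            problems.append("entry %d: minLength exceeds maxLength" % i)
    return problems
```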



OAM 12c Password REST APIs
Using Password Policy Management REST API (Cont’d)

- Retrieval of policies
curl -u weblogic:<password> \
  http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies

- Deletion of a policy
curl -u weblogic:<password> -X DELETE \
  http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies

- Updating a policy
curl -u weblogic:<password> -X PUT -H 'content-type: application/json' \
  http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/policy/PasswordPolicies \
  -d '{"passwordPolicyInfo":{"id":"5","name":"Restrictive Policy","minLength":15},
       "assignmentRule":{"idStoreRef":"OIDStore","priority":5,"passwordPolicyID":"5",
        "ruleType":2,"ruleValue":"RestrictedGroup"}}'


OAM 12c Password REST APIs
Password Management REST API

- Only works with the 12c password policy
- Users must have the 12c password policy objectclass present in their LDAP entry
- Documented in REST API for Password Management in Oracle Access Manager
- Consists of four REST endpoints accessed via the OAM managed server
  - /oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever – used to retrieve the password policies that apply to a user
  - /oam/services/rest/access/api/v1/pswdmanagement/PasswordResetRequests – reset a user’s password (also used for OTP validated password reset)
  - /oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger – change user status (set/unset password expiry or account status)
  - /oam/services/rest/access/api/v1/pswdmanagement/PasswordValidationRequest – validate password adherence to policy


OAM 12c Password REST APIs
Password Management REST API – Policy Retriever

- Only supports GET method requests
- Sample request:

curl -u weblogic:<password> \
  http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever/user.0/OIDStore

- Response:

{"id":"2","name":"OID Policy","maxLength":30,"minLength":8,"startsWithAlphabet":false,
 "firstNameDisallowed":false,"lastNameDisallowed":false,"userIdDisallowed":false,"complexPolicy":false,
 "requiredChars":[],"disallowedChars":[],"allowedChars":[],"disallowedSubstrings":[],
 "lockoutDuration":5,"maxIncorrectAttempts":3,"chSource":0,"chDefaultQuestions":"","chAllAtOnce":true,
 "chAllowDuplicateResponses":true,"chSendMail":false,"chEnabled":false}


OAM 12c Password REST APIs
Password Management REST API – Password Reset

- Only supports POST method requests
- Sample request:

curl -u weblogic:<password> -X POST \
  http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/pswdmanagement/PasswordResetRequests/user.0/OIDStore \
  -H 'content-type: application/json' \
  -d '{"currentPassword":"OldPassword","newPassword":"NewPassword"}'

- Success response:
{"isValid":true,"messages":[]}

- Sample failure responses:
{"isValid":false,"messages":[{"displayValue":"The password change operation failed while validating old password.","placeHolderValueStrings":[""],"resourceBundleKey":"IAM-3040012"}]}
{"isValid":false,"messages":[{"displayValue":"Password must be at least 8 character(s) long.","placeHolderValueStrings":["8"],"resourceBundleKey":"IAM-3053056"}]}


OAM 12c Password REST APIs
Password Management REST API – Account Status

- Supports GET (retrieve) / PUT (update) methods
- Sample request:

curl -u weblogic:<password> -X PUT \
  http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/pswdmanagement/UserStatusChanger/user.0/OIDStore \
  -H 'content-type: application/json' \
  -d '{"disabled":true,"forcepwdchange":true,"locked":true}'

- For the success case, an HTTP 200 OK is returned with no body.
- LDAP attributes of the user after the above command:
orclaccountenabled: 0
orcllockouttime: <epoch time of command execution>
orcluseraccountlocked: 1
orclpwdchangerequired: 1


OAM 12c Password REST APIs
Password Management REST API – Validate Password

- Only supports POST method requests
- Sample request:

curl -u weblogic:<password> -X POST \
  http://oamhost.oracle.com:14100/oam/services/rest/access/api/v1/pswdmanagement/PasswordValidationRequests/user.0/OIDStore \
  -H 'content-type: application/json' \
  -d '{"password":"MyCurrentPassword"}'

- Success response:
{"isValid":true,"messages":[]}

- Failure response:
{"isValid":false,"messages":[{"displayValue":"Password must be at least 8 character(s) long.","placeHolderValueStrings":["8"],"resourceBundleKey":"IAM-3053056"}]}
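The following added example (not Oracle's code and not from the slides) re-creates locally the checks the validation endpoint performs, taking a policy in the shape the UserPasswordPolicyRetriever slide shows and returning the same isValid/messages shape. Assumptions: requiredChars means every listed character must appear, a non-empty allowedChars restricts the whole password to those characters, name and substring matches are case-insensitive, and resourceBundleKey values are omitted since only one appears on the slides.

```python
# Constructed policy in the shape the UserPasswordPolicyRetriever slide shows,
# with a few character rules filled in so every check below has work to do.
POLICY = {
    "id": "2", "name": "OID Policy", "maxLength": 30, "minLength": 8,
    "startsWithAlphabet": True, "firstNameDisallowed": True,
    "lastNameDisallowed": False, "userIdDisallowed": True,
    "requiredChars": ["@"], "disallowedChars": [" "], "allowedChars": [],
    "disallowedSubstrings": ["oracle"],
}

# Constructed user attributes the name rules are checked against.
USER = {"uid": "user.0", "givenName": "Alice", "sn": "Example"}


def validate_password(password, policy, user):
    """Return {"isValid", "messages"} in the shape the validation endpoint
    returns. Rule semantics beyond the length checks are assumptions."""
    problems = []

    def fail(text, *placeholders):
        problems.append({"displayValue": text,
                         "placeHolderValueStrings": list(placeholders)})

    if len(password) < policy["minLength"]:
        fail("Password must be at least %d character(s) long." % policy["minLength"],
             str(policy["minLength"]))
    if len(password) > policy["maxLength"]:
        fail("Password must be at most %d character(s) long." % policy["maxLength"],
             str(policy["maxLength"]))
    if policy["startsWithAlphabet"] and not password[:1].isalpha():
        fail("Password must start with an alphabetic character.")
    lowered = password.lower()
    name_rules = (("firstNameDisallowed", "givenName", "first name"),
                  ("lastNameDisallowed", "sn", "last name"),
                  ("userIdDisallowed", "uid", "user ID"))
    for flag, attr, label in name_rules:
        value = user.get(attr, "")
        if policy[flag] and value and value.lower() in lowered:
            fail("Password must not contain the user's %s." % label)
    for ch in policy["requiredChars"]:        # assumed: each listed char must appear
        if ch not in password:
            fail("Password must contain the character %s." % ch, ch)
    for ch in policy["disallowedChars"]:
        if ch in password:
            fail("Password must not contain the character %r." % ch, ch)
    if policy["allowedChars"]:                # assumed: whitelist when non-empty
        extra = "".join(sorted({c for c in password if c not in policy["allowedChars"]}))
        if extra:
            fail("Password contains characters that are not allowed: %s." % extra, extra)
    for sub in policy["disallowedSubstrings"]:
        if sub.lower() in lowered:
            fail("Password must not contain the substring %s." % sub, sub)
    return {"isValid": not problems, "messages": problems}
```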



OAM Native Password Policy Agenda

4 OAM 11g Password Policy



OAM 11g Native Password Policy

- Initially introduced as a lighter weight alternative to OIM where only password management with SSO was desired
- Still available in 12c for backward compatibility
- Implemented via the oblixorgperson and oblixpersonpwdpolicy LDAP object classes
- Enforced via the Password Policy Validation Module (out of the box) using UserPasswordPolicyPlugin
- Only applies the default password policy in 12c (in 11gR2, there was only a single policy that could be defined)
- No internal option for constraining policy application to specific users/groups


Implementing OAM 11g Native Password Policy

- Load the LDIF file corresponding to the appropriate directory type
- Configure the default password policy in the OAM console (or optionally using the REST API in 12c)
- Select Enable Password Management on the User Identity Store screen (OAM console => Configuration => User Identity Stores) and configure any attributes for use in password validation
- Configure the Authentication Module and Scheme
- If desired, create a custom password change page as outlined in the OAM Developer’s Guide
- Protect resource(s) using the configured Authentication Scheme


Implementing OAM 11g Native Password Policy
Loading LDIF files

- LDIF files which define the 11g Password Policy attributes are provided in the $ORACLE_HOME/idm/oam/server/pswdservice/ldif/ directory
- These can be loaded using an appropriate LDAP tool (ldapmodify, ldifde, LDAP browsers, etc.)
- LDIF files are provided for all supported LDAP user stores


Implementing OAM 11g Native Password Policy
Configuring Default Password Policy



Implementing OAM 11g Native Password Policy
Modify User Identity Store



OAM 11g Native Password Policy
ObjectClass Attributes

- oblogintrycount – number of unsuccessful attempts since the last successful login
- obpasswordchangeflag – Boolean indicating whether the user must change password on next login (true indicating the password must change)
- obuseraccountcontrol – indicates whether the account is enabled
- obpasswordhistory – contains a list of prior passwords (when password history is enabled)
- obpasswordcreationdate – the date/time the current password was set (Zulu time)
- oblastsuccessfullogin – the date/time of the last successful login (Zulu time)
- oblastfailedlogin – the date/time of the last failed login attempt (Zulu time)
- oblockouttime – the date/time the account was locked (Epoch time)
- obpasswordexpirydate – not actually used


OAM 11g Native Password Policy
UserPasswordPolicyPlugIn Parameters

- CHALLENGES_SUPPORTED – false (OAM native password policy does not presently support challenges, so this must always be false)
- NEW_USERPSWD_BEHAVIOR – determines whether "new" users are forced to change password; new means no existing password policy attributes
- OBJECTCLASS_EXTENSION_SUPPORTED – default FALSE; determines whether users without password policy objects will automatically have them added at first login
- PLUGIN_EXECUTION_MODE
  - PSWDONLY – default; apply password policy only
  - AUTHWITHPSWD – perform authentication and apply password policy
  - AUTHONLY – only do authentication, which is kind of pointless
- POLICY_SCHEMA – only OAM10g is supported
- URL_ACTION – the type of servlet action needed for redirecting the user to the specific password page for expiry and warning pages
- DISABLED_STATUS_SUPPORT – specifies whether the disabled status is to be supported and acted upon in this password service. Valid values are either True or False.
- KEY_IDENTITY_STORE_REF – the user store to perform the password validation against
OAM Native Password Policy Agenda

5 References



OAM Native Password Policy References

- Note 2458234.1 – OAM 12c Password Policy Implementation including Postman Collection for Password Policy Management REST API
- Note 2494596.1 – OAM 12c Custom Forgot Password Page Example (Perl)
- Note 2465058.1 – OAM 12c Default Forgot Password Page Configuration
- OAM 12c Administrator’s Guide, Password Policy chapter
- OAM 12c Password Policy Management REST API
- OAM 12c Password Management REST API
- OAM 12c Developer’s Guide – Understanding Custom Password Pages


Oracle Support Advisor Webcast Program
Locating Current Schedule & Archived Recordings

- Access Advisor Webcasts information for all Oracle products from Doc ID 740966.1
- Directly access upcoming and prior webcasts for Oracle Fusion Middleware from Doc ID 14562041.1
- Under the Prior Webcast Recording tab, access recordings and webcast slides (.pdf)
- Use the Community link to ask webcast related questions
- Recording available within 48 hours


Q&A

- To ask a question, use the Q&A panel
- Your question will be read aloud in the order received
- Questions can also be asked after the session within My Oracle Support Communities, thread: https://community.oracle.com/thread/4321401


Thank you

Robert Gollehon
Oracle Support Advisor Webcast
