OAM 11g Custom Authentication Plugins: Collecting additional credentials

Introduction

One of the things that OAM 11g provides out of the box is LDAP-based user authentication, based on collecting a username and password from a login form. I've seen a lot of questions from the field relating to how to handle more complex, multi-step or multi-factor authentication scenarios and, while this post is certainly not intended to be exhaustive regarding this topic, I will go through a fairly common scenario on which most multi-factor authentication processes will depend: returning the user to the login page to collect additional credentials. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series with links to each of the separate posts is available.

Main Article

The scenario below was built and tested against the base GA release of OAM 11g R2. The approaches used, though, have been available since OAM 11g R1 PS1, provided the appropriate Bundle Patch is applied.

The problem we're trying to solve

Let's start by describing the requirement here. A user attempts to access an OAM protected resource. As usual, the WebGate protecting the resource redirects the user to the OAM Server for authentication, which uses the defined Authentication Policy for the resource to select a form-based Authentication Scheme.
This scheme starts by displaying a typical username/password login form, in order to authenticate the user against the LDAP directory. The OAM Server then redirects the user to a second login page, which collects an additional credential such as a one-time PIN or token value. Once the additional credential is validated, the authentication process completes and the OAM session is created. We are going to implement this flow by using a custom authentication plugin within OAM 11g. By tying this custom plugin together with some of the standard plugins in a new Authentication Module, we can avoid having to rewrite existing functionality, yet can be sure that our custom step cannot be bypassed. At this point, there is some required reading, so be sure you've had a look at what the product documentation has to say about authentication plugins, as I won't repeat any of that material. Also have a look at the API Reference, which you'll need to refer back to as you go.

The custom authentication plugin

Let's start by looking at the plugin itself, then we'll talk about how to configure the Authentication Module and Scheme that uses the plugin. Our plugin will look for one specific credential from the user. If it finds the credential, it performs basic validation of that credential and returns success (bear in mind that the purpose of this exercise is not to talk about credential validation). If it does not find the credential, it pauses the authentication flow and redirects the user to a login page in order to collect that credential. If you think about it, this already implies that there will be at least two trips through our plugin during any authentication process. Here is the main process method of the plugin I've created, called FurtherCredentialPlugin. I'll explain what it does below. The line numbers are referenced in the explanation that follows; the classes used come from the OAM 11g plugin SDK packages oracle.security.am.plugin and oracle.security.am.plugin.authn.

     1  ExecutionStatus process(AuthenticationContext authenticationContext) throws AuthenticationException {
     2      ExecutionStatus status = ExecutionStatus.SUCCESS;
     3      String credentialName = "OTPin";                       // must match the login form field name
     4      String loginPageURL = "http://oam.../getFurtherCredentials.jsp";  // host and path truncated in this copy of the post
     5      CredentialParam param = authenticationContext.getCredential().getParam(credentialName);
     6      if (param == null) {
     7          UserContextData otpContext = new UserContextData(credentialName, "One Time PIN", new CredentialMetaData(PluginConstants.PASSWORD));
     8          UserContextData urlContext = new UserContextData(loginPageURL, new CredentialMetaData("URL"));
     9          UserActionContext actionContext = new UserActionContext();
    10          actionContext.getContextData().add(otpContext);       // declare what to collect
    11          actionContext.getContextData().add(urlContext);       // declare where to collect it
    12          UserActionMetaData userAction = UserActionMetaData.REDIRECT_GET;
    13          UserAction action = new UserAction(actionContext, userAction);
    14          authenticationContext.setAction(action);
    15          status = ExecutionStatus.PAUSE;                       // suspend the flow until the credential comes back
    16      } else {
    17          if (param.getValue().toString().equals("LetMeIn")) {   // illustration only, not real validation
    18              status = ExecutionStatus.SUCCESS;
    19          } else {
    20              status = ExecutionStatus.FAILURE;
    21          }
    22      }
    23      return status;
    24  }

We start off by defining the name of the credential we want to retrieve (line 3). I've called mine OTPin. We then define the URL of the login page we want to use to collect this credential (line 4), and it is this URL that the user will be redirected to if the credential is not found in the authentication context. In my case it is getFurtherCredentials.jsp, a JSP page that I've deployed to the OAM Server. We'll look at that a bit later. We then attempt to retrieve the OTPin credential from the AuthenticationContext (line 5) and store it in a variable called param. Our assumption is that the first time we run through this plugin, the credential will not be present, since we have not attempted to collect it from the standard login page. Remember that by the time the user hits this plugin, they have already been through the standard LDAP authentication plugins (see below), which will evaluate the username and password as sent by the default login page.
Thus, at this stage, we expect that param will be null and we will execute the block of code from lines 7 to 15. That block of code is essentially responsible for telling OAM where to go next as well as what to collect. It does that by creating a UserAction object (line 13), passing it to the AuthenticationContext by calling the setAction method (line 14), and then returning the PAUSE ExecutionStatus (line 15). If we look at the constructor called in line 13, we see that it takes two parameters to build the UserAction, the first being an instance of UserActionContext, the second an instance of UserActionMetaData. UserActionMetaData is quite easy to understand: there we simply use a constant to control how the user is sent to the login page. We've opted here for REDIRECT_GET, which is the simplest, but other options are FORWARD and REDIRECT_POST. UserActionContext is a composite object and we add two separate UserContextData instances to it (lines 10 and 11). The first, created in line 7, defines the credential we need to collect, named OTPin. The second (line 8) sets the login page URL. Having set both of those, OAM knows where to go and what you are expecting to collect, so the user will then be redirected to the specified page. Assuming the user successfully submits the required credential, the second trip through the plugin will successfully retrieve it (line 5) and thus will skip the above block and instead execute lines 17 to 21. This simply does very basic validation of the credential. If the value passed is LetMeIn, then authentication succeeds; if not, it fails. Obviously in your real-world example you will do proper validation: this is just an illustration. Note that it is mandatory to define the credential you want to collect (line 7) before redirecting to the login page. You need to ensure that the credential name (the first parameter passed to the UserContextData constructor) corresponds with the name of the login form field that will collect this value.
If you have not defined the credential first, then even if the credential value is passed correctly from the login page, it will not be available to the plugin in the AuthenticationContext credentials map. Note also that UserAction is the correct API class to use here and is the only published (hence supported) implementation of the ExecutionAction interface. There have been previous code samples that use other implementations such as CredentialCollectionAction or RedirectAction, but these classes are not publicly exposed or documented and as such should not be used.

The form that collects the credentials

Having looked at the plugin in detail, let's move on to the login page, or rather the form on the login page, and see that there's really not anything too special about it. Here's some of what I have inside getFurtherCredentials.jsp:

    <!-- the form's action attribute did not survive in this copy of the post;
         /oam/server/auth_cred_submit is the standard OAM 11g credential-submit endpoint -->
    <form action="/oam/server/auth_cred_submit" method="post" name="loginData">
      <p>Enter One Time PIN</p>
      <!-- the field name must equal the credential name declared by the plugin (OTPin) -->
      <input id="OTPin" name="OTPin" type="password"/>
      <input type="button" onclick="formLogin()" value="Login"/>
      <!-- the request id ties the submitted credential back to the paused authentication flow -->
      <input name="<%=GenericConstants.REQUEST_ID%>" type="hidden" value="<%=reqId%>"/>
    </form>

There really isn't anything special about the above; it's pretty much the standard way you would construct a custom login form in OAM 11g.
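The following is an added example, not code from the post or from Oracle: a complete plugin class built around the same two-trip logic as the process method above, showing how it sits inside the OAM 11g plugin SDK's AbstractAuthenticationPlugIn and tightening the two points the post leaves open. The login page URL is read from plugin configuration in initialize() rather than hard-coded, so a missing setting fails plugin initialisation instead of silently redirecting nowhere; and the PIN check is length-bounded and uses a constant-time comparison. The SDK class and method names (AbstractAuthenticationPlugIn, PluginConfig.getParameter, MonitoringData, the abstract methods overridden at the bottom) are assumed from the OAM 11g R2 plugin SDK as I know it; the configuration parameter name loginPageURL and the expectedPin() lookup are hypothetical placeholders for your own OTP source.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// OAM 11g plugin SDK (assumed package layout: core types and authn types)
import oracle.security.am.plugin.*;
import oracle.security.am.plugin.authn.*;

/**
 * Trip 1: the OTPin credential is absent, so declare it, point OAM at the collection
 * page and PAUSE. Trip 2: the credential is present, so validate it and SUCCEED or FAIL.
 */
public class FurtherCredentialPlugin extends AbstractAuthenticationPlugIn {

    // Must equal the name of the login form field that collects the value.
    private static final String CREDENTIAL_NAME = "OTPin";
    // Hypothetical plugin configuration parameter holding the collection page URL.
    private static final String PARAM_LOGIN_PAGE_URL = "loginPageURL";
    // Reject absurdly long submissions before doing any comparison work.
    private static final int MAX_PIN_LENGTH = 16;

    private String loginPageURL;

    @Override
    public ExecutionStatus initialize(PluginConfig config) {
        super.initialize(config);
        Object url = config.getParameter(PARAM_LOGIN_PAGE_URL);
        if (url == null || url.toString().trim().isEmpty()) {
            // A misconfigured step must fail to initialise, never become a silent bypass.
            return ExecutionStatus.FAILURE;
        }
        loginPageURL = url.toString().trim();
        return ExecutionStatus.SUCCESS;
    }

    @Override
    public ExecutionStatus process(AuthenticationContext context) throws AuthenticationException {
        CredentialParam param = context.getCredential().getParam(CREDENTIAL_NAME);
        if (param == null) {
            return requestCredential(context);          // first trip
        }
        return validate(param) ? ExecutionStatus.SUCCESS : ExecutionStatus.FAILURE;  // second trip
    }

    // Declare the credential BEFORE redirecting; otherwise the submitted value never
    // reaches the AuthenticationContext credentials map on the second trip.
    private ExecutionStatus requestCredential(AuthenticationContext context) {
        UserContextData otpContext = new UserContextData(CREDENTIAL_NAME, "One Time PIN",
                new CredentialMetaData(PluginConstants.PASSWORD));
        UserContextData urlContext = new UserContextData(loginPageURL, new CredentialMetaData("URL"));
        UserActionContext actionContext = new UserActionContext();
        actionContext.getContextData().add(otpContext);
        actionContext.getContextData().add(urlContext);
        context.setAction(new UserAction(actionContext, UserActionMetaData.REDIRECT_GET));
        return ExecutionStatus.PAUSE;
    }

    private boolean validate(CredentialParam param) {
        Object value = param.getValue();
        if (value == null) {
            return false;
        }
        String submitted = value.toString();
        if (submitted.isEmpty() || submitted.length() > MAX_PIN_LENGTH) {
            return false;
        }
        return constantTimeEquals(submitted, expectedPin());
    }

    // Hypothetical stand-in for a lookup against your OTP or token service; the fixed
    // value mirrors the post's illustration only.
    private String expectedPin() {
        return "LetMeIn";
    }

    // MessageDigest.isEqual compares equal-length inputs without early exit on mismatch.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    @Override public String getDescription() { return "Collects and validates a one-time PIN"; }
    @Override public Map<String, MonitoringData> getMonitoringData() { return null; }
    @Override public boolean getMonitoringStatus() { return false; }
    @Override public String getPluginName() { return "FurtherCredentialPlugin"; }
    @Override public int getRevision() { return 1; }
    @Override public void setMonitoringStatus(boolean status) { }
}
```

Placed after the standard LDAP plugins in the Authentication Module, this class cannot be skipped: every flow either returns PAUSE with a declared credential and redirect, or returns a verdict on a credential that was actually submitted.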