38 Configuring Mobile Services

Mobile and Social provides a graphical user interface for configuring Mobile Services. This chapter describes how to use the Oracle Access Management Console to configure Mobile Services and contains the following topics.

Note:

Mobile Services can also be configured from the command line using WLST. For more information about the Mobile and Social WLST commands, see the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

38.1 Navigating the Mobile Services Graphical User Interface

The Mobile Services graphical user interface (GUI) can be displayed after an administrator has successfully authenticated and received access to the Oracle Access Management Console. The Console is divided into the following parts:

  • The home area occupies the larger window on the right side of the GUI when the Console is first displayed. This page will list most of the Mobile Services configuration objects and is organized to step you through the configuration process in a logical order. The configuration objects in the home area occupy panels that can be expanded and collapsed by clicking the arrow button in the top left corner of the panel.

  • The navigation pane occupies the left portion of the GUI. This pane provides a hierarchical view of the Mobile and Social configuration objects. In most cases you can use either the home area or the navigation pane to create, edit, and delete configuration objects. (You must use the navigation pane to open the Jail-Breaking Detection Policy Configuration object, however.) Use the controls in the navigation pane to create, view, edit, and delete configuration objects.

    The navigation pane allows you to view the configuration objects in either a relationship view or a category view. Relationship view shows the configuration objects in a hierarchical order starting with Service Domains at the top. Use relationship view to view objects in several ways:

    • View the relationship between Service Profiles and Application Profiles and the Service Domains under which they fall.

    • View the relationship between Service Providers and the Service Profiles that are connected to them.

    • View Security Handler Plug-ins.

    • View the Jail-Breaking Detection Policy.

    Category view lists the configuration objects by object type using a flat structure that makes it easy to browse. Use the buttons in the menu bar at the top of the tree-view pane to toggle between the two views.

Follow this procedure to access the Mobile Services configuration page.

  1. Log in to the Oracle Access Management Console.

  2. Click the System Configuration tab at the top of the Console.

  3. Click Mobile and Social on the left side of the page.

  4. Click Mobile Services.

    The Welcome to Mobile and Social - Mobile Services page loads in the home area.

38.2 Understanding Mobile Services Configuration

The Welcome to Mobile and Social - Mobile Services configuration page displays in the home area and is divided into separate panels that can be viewed or hidden during administration. These panels define how client apps and the Mobile and Social server communicate as well as how the Mobile and Social server and the back-end Identity services (that the client apps consume) communicate. The following sections contain more information on the Mobile Services panels.

Note:

Mobile and Social includes pre-configured objects to support typical deployment scenarios. These objects are designed to help you get Mobile and Social up and running with only minor modifications required. Each section lists the pre-configured objects available after installation.

38.2.1 Understanding Service Providers

A Service Provider is defined for each back-end service that you are making available to client applications. By configuring the back-end service as a Service Provider, the Mobile and Social server knows how to communciate with it. You can configure a back-end service as one of the following Service Provider types.

  • Authentication Service Provider - Interfaces with an Identity Provider so that the back-end service can authenticate users, mobile devices, client applications, and access permissions, and issue authentication tokens accordingly. Mobile and Social supports Access Manager and JSON Web Tokens (JWT) with their own Service Provider and Service Profile configuration objects. Further, mobile client authentication and non-mobile client authentication is managed separately so each token type has a separate mobile and non-mobile Service Provider and Service Profile. The following pre-configured Authentication Service Providers are available for typical deployments.

    • OAMAuthentication - Oracle Access Manager Authentication Token Service Provider (available only if Access Manager and Mobile and Social are installed together)

    • MobileOAMAuthentication - Mobile Oracle Access Manager Authentication Token Service Provider (available only if Access Manager and Mobile and Social are installed together)

    • JWTAuthentication - JSON Web Token Authentication Service Provider

    • MobileJWTAuthentication - Mobile JSON Web Token Authentication Service Provider

    • InternetIdentityAuthentication -The Internet Identity JSON Web Token Authentication Service Provider provides pre-configured support for apps using Mobile Services to accept an authentication result from the Mobile and Social Internet Identity Services (as described in Section 37.5, "Understanding Internet Identity Services").

    See Section 38.3.1, "Defining, Modifying or Deleting an Authentication Service Provider" for instructions on how to create a custom Authentication Service Provider.

  • Authorization Service Provider - Interfaces with a back-end Identity Provider that makes authorization (access) decisions. The pre-configured OAMAuthorization Authorization Service Provider (available only if Access Manager and Mobile and Social are installed together) is provided for typical deployments. See Section 38.3.2, "Defining, Modifying or Deleting an Authorization Service Provider" for instructions on how to create a custom Authorization Service Provider.

  • User Profile Service Provider - Interfaces with a directory server to lookup and update User Profile records. The pre-configured User Profile Service Provider is provided for typical deployments. See Section 38.3.3, "Defining, Modifying or Deleting a User Profile Service Provider" for instructions on how to create a custom User Profile Service Provider.

38.2.2 Understanding Service Profiles

After defining a Service Provider, you configure one or more Service Profiles for it. A Service Profile is a logical envelope that defines a Service Endpoint URL for a Service Provider on the Mobile and Social server. You can create multiple Service Profiles for a Service Provider to define different token capabilities and service endpoints. Each Service Provider instance requires at least one corresponding Service Profile. Mobile and Social includes a pre-configured Service Profile for each pre-configured Service Provider configuration object documented in Section 38.2.1, "Understanding Service Providers."

38.2.3 Understanding Security Handler Plug-ins

A Security Handler Plug-in enhances security by consulting additional logic for trust and risk analysis. (Such additional logic may deny certain risky operations.) The Security Handler Plug-in applies the logic during Authentication Service operations, including client application registration. Using a Security Handler Plug-in is optional. The Security Handler Plug-ins provided with this version of the software are optimized for mobile applications. If used, only apply it to mobile-related Service Domains, its authentication services and client applications. Do not use a Security Handler Plug-in with a non-mobile application.

Mobile and Social invokes the Security Handler Plug-in during sensitive security operations (such as authentication) as well as during operations that involve token acquisition. Mobile and Social includes the following preconfigured Security Handler Plug-ins:

  • The OAAMSecurityHandlerPlugin enables the sophisticated device registration and risk-based strong authentication logic available in Oracle Adaptive Access Manager.

  • The Default Security Handler Plug-in offers more limited device registration logic.

38.2.4 Understanding Application Profiles

An Application Profile describes the configuration and security properties of the client application that will consume services provided by the Service Provider. An Application Profile is required either when mobile applications are used, or when a non-mobile application is used with a service that does not have secured application protection. Attributes defined include an Application Profile name, a short description of the application, a list of name-value attribute pairs, and its mobile configuration settings. (Mobile configuration settings include options such as the maximum duration in minutes that the Profile can be cached, the number of allowable authentication retries, and whether offline authentication is allowed.) You can also choose which mobile device attributes (such as phonecarriername, phonenumber, osversion, and so on) are required for the application. A single Application Profile can be assigned to multiple Service Domains.

38.2.5 Understanding Service Domains

A Service Domain is a logical grouping the serves to associate a Service Profile with an Application Profile and (optionally) a Security Hander Plug-in. A Service Domain specifies how applications are allowed to access services in Mobile and Social. Typically an organization should have one Service Domain for managing mobile apps, and a separate Service Domain for managing non-mobile apps. When creating a Service Domain you:

  • Decide whether the Service Domain is for managing mobile applications or desktop applications.

  • Choose an authentication scheme and, optionally, a Security Handler Plug-in for the Service Domain.

  • Add one or more Mobile SSO Agents and configure which agents have priority over the others.

  • Add one or more applications to the Service Domain and configure which can use a Mobile SSO Agent.

  • Choose at least one Service Profile for the Service Domain.

  • Configure security settings to protect the Service Domain services.

Mobile and Social includes the following pre-configured Service Domains:

  • The Default (Service Domain) is pre-configured for non-mobile applications.

  • The Mobile Service Domain is pre-configured for mobile applications.

Use one of these Service Domains as a template to create your own, or modify them to suit the needs of your organization. Only mobile authentication Service Profiles can be added to a mobile Service Domain.

38.3 Defining Service Providers

A Service Provider is defined for each back-end service that is available to client applications. This configures how the Mobile and Social server will interface with the defined back-end Service Provider. Depending on the services that you are providing, you may only need to configure one or two of the available Service Provider options. For example, if you are only providing authentication services, you do not need to define the User Profile Service Provider or Authorization Service Provider. This section includes the following procedures:

38.3.1 Defining, Modifying or Deleting an Authentication Service Provider

An Authentication Service Provider allows Mobile and Social to authenticate users, client applications, and access permissions using a back-end Authentication Service by way of a token exchange. Upon successful authentication and verification, a token may be returned to the client application. The following authentication types are supported.

  • When installed with Access Manager, Mobile and Social supports JSON Web Tokens (JWT) and Access Manager tokens.

  • When installed without Access Manager, only JSON Web Token (JWT) is supported.

The following sections contain more information regarding Authentication Service Providers.

38.3.1.1 Creating an Authentication Service Provider

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click Create in the Service Providers panel in the home area and choose Create Authentication Service Provider.

    The Authentication Service Provider Configuration page displays.

  3. Enter values for the Authentication Service Provider properties.

    • Name - Type a unique name for this Authentication Service Provider.

    • Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future.

    • Service Provider Java Class - Type the name of the Java class that implements this Authentication Service Provider.

  4. Add or delete Authentication Service Provider Attributes and their values based on either Table 38-1 (OAMAuthentication and the MobileOAMAuthentication Service Provider types) or Table 38-3 (JWTAuthentication and the MobileJWTAuthentication Service Provider types).

    Note:

    If you created a custom Authentication Service Provider, use the Attributes panel to further configure it. For the JWTAuthentication and MobileJWTAuthentication Service Providers, custom attributes are not used.

    • Table 38-1 and Table 38-2 are specific to a Mobile and Social integration with Access Manager. The values in Table 38-1 apply to both the OAMAuthentication and the MobileOAMAuthentication Service Provider types. The values in Table 38-2 configure the Webgate Agent.

      Table 38-1 Access Manager Authentication Service Provider Default Attributes

      Name Value Notes

      OAM_VERSION

      OAM_11G

      Either OAM_11G or OAM_10G, depending on the Oracle Access Manager version in use.

      DEBUG_VALUE

      0

       

      TRANSPORT_SECURITY

      OPEN

      Specify the method for encrypting messages between this AccessGate and the Access Servers. The encryption methods need to match. Valid values include:

      • OPEN

      • SIMPLE

      • CERT

      OAM_SERVER_1

      localhost:5575

      Specify the host name and port number of the primary Oracle Access Management server.

      OAM_SERVER_1_MAX_CONN

      4

      Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_SERVER_1. The default value is 4.

      OAM_SERVER_2

      oam_server_2:5575

      Specify the host name and port number of the secondary Oracle Access Management server.

      OAM_SERVER_2_MAX_CONN

      4

      Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_SERVER_2. The default value is 4.

      IDContextEnabled

      true

      Add this attribute with a value of true to enable Identity Context, as described in "Configuring Oracle Access Management Mobile and Social".


      Table 38-2 WebGate Agent for Authentication Service Provider Default Attributes

      Name Value Notes

      WebGate ID

       

      Type the WebGate agent name that identifies the WebGate instance to which you are connecting.

      Encrypted Password

      Copy and paste the encrypted password for the WebGate ID

      Locate the OAM-Domain-Directory/output/Profile-Name/ObAccessClient.xml file and copy the encrypted password value located in the element ParamName=accessClientPasswd.


    • Table 38-3 is specific to connecting a Mobile and Social server to JWT Authentication Service Providers. The configuration values in this section apply to both the JWTAuthentication and the MobileJWTAuthentication Service Provider types.

      Table 38-3 JWT Authentication Service Provider Default Attributes

      Name Value Notes

      Identity Directory Service Name

      Select from the menu the Directory Service that should be used to verify the User.

      The JWT token service verifies the user with a directory server.

      Crypto Scheme

      RS512

      The cryptographic algorithm used to sign the contents of the JWT token. The default value is RS512. (RSA encryption using SHA-512 hash algorithm.)

      Validity Period

      3600

      The length of time in seconds that the token is considered to be valid. The default value is 3600.

      Relying Party Token

      Enabled

      Select Enabled if the Service Provider should accept security tokens from an external issuer.

      Issuer

       

      If Relying Party Token is enabled, specify the Security Token Service issuer


  5. Click Create to create the Service Provider configuration object.

38.3.1.2 Editing or Deleting an Authentication Service Provider

To edit or delete an Authentication Service Provider, select the Service Provider in the panel and click Edit or Delete on the panel's tool bar.

38.3.1.3 Understanding the Pre-Configured Authentication Service Providers

Mobile and Social provides pre-configured Authentication Service Providers for the Authentication Services listed in Table 38-4.

For each token type (Access Manager and JWT), Mobile and Social provides separate "out-of-the-box" mobile and non-mobile (or desktop) Service Provider configurations. Separate configurations are provided so that you can optimize each to best meet the needs of each access mode. Mobile devices must use a mobile Service Provider, however, non-mobile devices can use either a mobile service provider or a non-mobile service provider if correct input is provided.

Mobile Service Providers use Client Registration Handles to register mobile devices, whereas non-mobile Service Providers use Client Tokens to authenticate non-mobile devices. The Client Token capability in Mobile and Social can be disabled, but the Client Registration Handle capability cannot.

Table 38-4 Pre-configured Authentication Service Providers

Authentication Service Mobile and Social Service Provider Name Description

Access Manager

OAMAuthentication

Provides pre-configured support for users using desktop devices to authenticate using Access Manager.

This Service Provider can issue a Client Token, but it cannot register mobile devices.

The following Java class implements this Service Provider:

oracle.security.idaas.rest.provider.token.OAMSDKTokenServiceProvider

Mobile Access Manager

MobileOAMAuthentication

Provides pre-configured support for users using mobile devices to authenticate using Access Manager.

This Service Provider supports registering new devices using a Client Registration Handle when the User authenticates.

The following Java class implements this Service Provider:

oracle.security.idaas.rest.provider.token.MobileOAMTokenServiceProvider

JSON Web Token

JWTAuthentication

Provides pre-configured support for users using non-mobile applications to authenticate using the JSON Web Token format. JSON Web Token is a compact token format that is suitable for space-constrained environments such as HTTP Authorization headers.

This Service Provider can issue a Client Token, but it cannot register new devices using a Client Registration Handle.

The following Java class implements this Service Provider:

oracle.security.idaas.rest.provider.token.JWTTokenServiceProvider

Mobile JSON Web Token

MobileJWTAuthentication

Provides pre-configured support for users using mobile devices to authenticate using the Mobile JSON Web Token format.

This Service Provider supports registering new devices using a Client Registration Handle.

The following Java class implements this Service Provider:

oracle.security.idaas.rest.provider.token.MobileJWTTokenServiceProvider

Internet Identity Services Web Token

InternetIdentityAuthentication

Provides pre-configured support for apps using Mobile Services to accept an authentication result from Internet Identity Services (for example, Google, Facebook, Twitter, and so on).

This Service Provider supports registering new devices using a Client Registration Handle. After the User authenticates with the Identity Provider, this Service Provider issues a User Token to the requesting client application. The User Token allows the User to obtain a Client Registration Handle for the device.

This service uses the same Java class as the JSON Web Token service, but it is configured with two additional name-value attribute pairs.

The following Java class implements this Service Provider:

oracle.security.idaas.rest.provider.token.JWTTokenServiceProvider

38.3.2 Defining, Modifying or Deleting an Authorization Service Provider

An Authorization Service Provider allows a back-end Identity service to make authorization decisions on behalf of a connected application. This section contains the following topics on Authorization Service Providers.

38.3.2.1 Creating an Authorization Service Provider

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click Create in the Service Providers panel in the home area and choose Create Authorization Service Provider.

    The Authorization Service Provider Configuration page displays.

  3. Enter values for the Authorization Service Provider properties.

    • Name - Type a unique name for this Authorization Service Provider.

    • Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future.

    • Service Provider Java Class - Type the name of the Java class that implements this Authorization Service Provider.

  4. Add or delete Authorization Service Provider Attributes and their values based on Table 38-5.

    Table 38-5 Access Manager Authorization Service Provider Default Attributes

    Name Value Notes

    OAM_VERSION

    OAM_11G

    Either OAM_11G or OAM_10G, depending on the Oracle Access Manager version in use.

    DEBUG_VALUE

    0

     

    TRANSPORT_SECURITY

    OPEN

    Specify the method for encrypting messages between this AccessGate and the Access Servers. The encryption methods need to match. Valid values include:

    • OPEN

    • SIMPLE

    • CERT

    OAM_SERVER_1

    localhost:5575

    Specify the host name and port number of the primary Oracle Access Management server.

    OAM_SERVER_1_MAX_CONN

    4

    Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_SERVER_1. The default value is 4.

    OAM_SERVER_2

    oam_server_2:5575

    Specify the host name and port number of the secondary Oracle Access Management server.

    OAM_SERVER_2_MAX_CONN

    4

    Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_SERVER_2. The default value is 4.


  5. Configure the Webgate Agent by creating new or entering values for existing as per Table 38-6. The WebGate Agent configuration values are specific to the integration between Mobile Services and Access Manager.

    Table 38-6 WebGate Agent for Authorization Service Provider Default Attributes

    Name Value Notes

    WebGate ID

     

    Type the WebGate agent name that identifies the WebGate instance to which you are connecting.

    Encrypted Password

    Copy and paste the encrypted password for the WebGate ID

    Locate the OAM-Domain-Directory/output/Profile-Name/ObAccessClient.xml file and copy the encrypted password value located in the element ParamName=accessClientPasswd.


  6. Click Create to create the Service Provider configuration object.

38.3.2.2 Editing or Deleting an Authorization Service Provider

To edit or delete an Authorization Service Provider, select the Service Provider in the panel and click Edit or Delete on the panel's tool bar.

38.3.2.3 Understanding the Pre-Configured Authorization Service Provider

Mobile and Social provides a pre-configured Authorization Service Provider for Access Manager named the OAMAuthorization Authorization Service Provider. The oracle.security.idaas.rest.provider.authorization.OAMSDKAuthZServiceProvider Java class implements the pre-configured Authorization Service Provider.

38.3.3 Defining, Modifying or Deleting a User Profile Service Provider

A User Profile Service Provider allows an application to query and update a directory server. Many LDAP compliant directory servers are supported including:

  • Microsoft Active Directory

  • Novell eDirectory

  • Oracle Directory Server Enterprise Edition

  • Oracle Internet Directory

  • Oracle Unified Directory

  • Oracle Virtual Directory (using the Oracle Internet Directory template)

  • OpenLDAP

  • IBM Tivoli Directory Server (using the OpenLDAP template)

  • WebLogic Server Embedded LDAP

Mobile and Social also includes a pre-configured User Profile Service Provider named UserProfile. The following sections contain more information.

38.3.3.1 Creating a User Profile Service Provider

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click Create in the Service Providers panel in the home area and choose Create User Profile Service Provider.

    The User Profile Service Provider Configuration page displays.

  3. Enter values for the User Profile Service Provider properties.

    • Name - Type a unique name for this User Profile Service Provider.

    • Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future.

  4. Add or delete User Profile Service Provider Attributes and their values based on Table 38-7.

    Note:

    LDAP attribute names are generally not case sensitive but when communicating with the Oracle Identity Governance Framework (IGF), LDAP attribute names are case sensitive.

    Table 38-7 User Profile Service Provider Default Attribute Names and Values

    Name Value Notes

    accessControl

    false

    Supported values include true or false (enable/disable, respectively) depending on whether the accessControl feature is to be disabled or enabled.

    adminGroup

    cn=Administrators,ou=groups,ou=myrealm,dc=base_domain

    If accessControl is enabled, specify the distinguished name (DN) of the adminGroup to see if the User is in it.

    selfEdit

    true

    Supported values include true or false depending on if the User can edit his or her profile for the accessControl feature. This is also one of the accessControl feature's configuration properties.

    proxyAuth

    -

    Supported values include true or false depending on if the proxyAuth feature is enabled or disabled, respectively. This attribute is required only if proxyAuth is supported and the Administrator does not want to use the proxyAuth feature.

    This attribute is not included in a new installation of Mobile and Social. An Administrator can add this property.


  5. Configure the Identity Directory Service properties to associate a directory service with the User Profile Service Provider by selecting Create New or Use Existing.

    • Name - Choose an existing Identity Directory Service connection from the drop-down menu or enter a value to create a new Identity Directory Service definition.

      • If you choose either of the default Identity Directory Services (userrole or idxuserrole) you can't view or edit the configuration values in this section.

      • If you choose an Identity Directory Service connection that you or another Administrator created, you can view and edit additional properties (after the definition has been created) as documented in Section 38.3.3.2, "Editing or Deleting a User Profile Service Provider."

    • Description - (Optional) Type a short description that will help you or another Administrator identify this service in the future.

  6. Configure the Repository properties by selecting Create New or Use Existing.

    Create New defines a new Repository object (that is, a reference to an LDAP directory server) for the Identity Directory Service connection. Click Test Connection after you have defined the values in the Repository section to verify they are correct. This option is only available when defining a new Identity Directory Service connection. Use Existing allows you to choose a previously defined Repository object by selecting it from the drop down menu.

    • (Repository) Name - Enter a new unique name to create, or choose an existing one from the menu. After entering a new name, configure properties for the Identity Directory Service connection.

    • Directory Type - Select the type of directory server software hosting the Repository; for example, Microsoft Active Directory or Oracle Internet Directory. If your directory is not listed, leave this field empty. If you are not defining a new Identity Directory Service connection or creating a new repository, this field is read-only.

    • Host Information - Contains information about the host computer on which the Identity Directory Service Repository is located. Add multiple hosts if the directory server is part of a cluster. Click Add to add a new host to the table. In the Host Name column type either the IP Address or the name of the computer (or virtual computer) on which the Directory server is running. In the Port column, type the port number that the directory server is configured to use. If the hosts are part of a cluster, in the Load Distribution column type the load amount as a percentage that should be directed to each host. For multiple hosts, the amount should add up to 100%. To delete a host, select its row in the table and click Remove. If you are not defining a new Identity Directory Service connection or creating a new repository, this field is read-only.

    • Availability - Choose Failover if the cluster is configured for failover operation, or choose Load balanced if the cluster distributes the load across multiple hosts. This field is read-only if you are using an existing repository.

    • SSL - Select Enabled if the connection is configured for SSL. Otherwise clear the option box.

    • Bind DN - Type the distinguished name (DN) of the LDAP Administrator used to authenticate to the Directory server.

    • Bind Password - Type the Bind DN password used to authenticate to the Directory server.

    • Base DN - Type the base distinguished name (DN) where User and Group data is located.

  7. Configure the User properties to configure the LDAP User object in Mobile and Social User Profile services.

    Note:

    These fields are read-only if using an existing Identity Directory Service connection.

    • Object Classes - Click Add to add a custom object class that represents people in an organization as defined on your directory server.

    • Name Attribute - Type the name attribute designated for the User object on the directory server.

    • Base DN - Type the base DN (in LDAP form) for the User object on the directory server.

  8. Configure the Group properties to configure the LDAP group object in Mobile and Social User Profile services.

    • Object Classes - Click Add to add a custom object class that represents a group of people in an organization as defined on your Directory server.

    • Name Attribute - Type the name attribute designated for the Group object on the directory server.

    • Base DN - Type the base DN (in LDAP form) for the Group object on the directory server.

  9. Click Create to create the Service Provider configuration object.

38.3.3.2 Editing or Deleting a User Profile Service Provider

To edit or delete a User Profile Service Provider, select the Service Provider in the panel and click Edit or Delete on the panel's tool bar. This section describes the additional User Profile Service Provider Configuration properties for the Identity Directory Service connection as they appear when editing a User Profile Service Provider that you or another Administrator created.

  • Name - Choose an Identity Directory Service connection to associate with the User Profile Service Provider from the drop down menu.

    • If you choose either of the default Identity Directory Services (either userrole or idxuserrole) you cannot view or edit the configuration values.

    • If you choose an Identity Directory Service connection that you or another Administrator created, you can view and edit the configuration values as needed.

  • General and Repository - Use the fields under this tab to edit the Directory Service and Repository configuration values that Mobile and Social uses to connect to the Directory Service.

    • Repository Name - Choose from the menu a repository to associate with the Identity Directory Service connection. After choosing a repository, configure its properties using the following form fields.

    • Directory Type - Displays the type of Directory server software hosting the Repository, for example Microsoft Active Directory, Oracle Internet Directory, and so on. This field is read-only.

    • Host Information - Displays information about the host computer where the Identity Directory Service Repository is located. Add multiple hosts if the Directory server is part of a cluster. Click Add to add a new host to the table. In the Host Name column type either the IP Address or the name of the computer (or virtual computer) that the Directory server is running on. In the Port column, type the port number that the Directory server is configured to use. If the hosts are part of a cluster, in the Load Distribution column type the load amount as a percentage that should be directed to each host. For multiple hosts, the amount should add up to 100%. To delete a host, select its row in the table and click Remove. If you are not defining a new Identity Directory Service connection or creating a new repository, this field is read-only.

    • Availability - Choose Failover if the cluster is configured for failover operation, or choose Load balanced if the cluster distributes the load across multiple hosts. This field is read-only if you are using an existing repository.

    • SSL - Select Enabled if the connection is configured for SSL. Otherwise clear the option box.

    • Bind DN - Type the distinguished name (DN) of the LDAP Administrator used to authenticate to the Directory server.

    • Bind Password - Type the Bind DN password used to authenticate to the Directory server.

    • Base DN - Type the base distinguished name (DN) where User and Group data is located.

  • Entity Attributes - Use the fields under this tab to view or edit the attributes that Mobile and Social uses to navigate the corporate directory service schema. Click Add to add an attribute to the table or click Remove to delete an attribute.

    • Name - The attribute name.

    • Physical Attribute - The name of the corresponding physical attribute type in the underlying Repository.

    • Type - The attribute's data type.

    • Description - A brief description of the attribute.

    • Sensitive - Select to mark that the attribute contains sensitive information such as a password.

    • Read-only - Select to protect the attribute from modification.

  • Entities / User Properties - Use the fields under the User sub head to configure how Mobile and Social interacts with the User entities on the LDAP server.

    • Create Base - Specifies the base DN (the top level of the LDAP directory tree) at which Users are defined.

    • Search Base - Specifies the search base DN for Users. Only entries at or below the search base DN are considered when processing the search operation.

    • Create Object Classes - Specifies the object class under which attributes associated with a person are stored.

    • RDN Attribute - Specifies the relative distinguished name attribute, for example cn.

    • ID Attribute - Specifies the attribute that uniquely identifies the User, such as the uid attribute or the loginid attribute.

    • Filter Object Classes - Specifies the object class by which to filter.

    • Attributes Configuration - Specify the User attributes that should be available to, and searchable by, the User Profile Service Provider.

      • Used - Specifies if the attribute is used for Users in the directory service.

      • Attribute Name - Specifies the name of the attribute as defined on the Entity Attributes tab.

      • In Results - Select if the specified attribute should be returned in search results.

      • Searchable - Select if the specified attribute should be available for search operations.

      • Search Operator - Select a search operator from the menu to restrict how the specified attribute is searched.

    • Operations Configuration - Select from Create, Update, Delete, and Search to enable those operations at the User entity level. Clear the option boxes to disable them.

  • Entities / Group Properties - Use the fields under the Group sub head to configure how Mobile and Social interacts with the Group entities on the LDAP server.

    • Create Base - Specifies the base DN (the top level of the LDAP directory tree) at which Users are defined.

    • Search Base - Specifies the search base DN for Groups. Only entries at or below the search base DN are considered when processing the search operation.

    • Create Object Classes - Specifies the object class under which attributes associated with a Group are stored.

    • RDN Attribute - Specifies the relative distinguished name attribute; for example, cn.

    • ID Attribute - Specifies the LDAP attribute that uniquely identifies the Group.

    • Filter Object Classes - Specifies the object class by which to filter.

    • Attributes Configuration - Specify the Group attributes that should be available to, and searchable by, the User Profile Service Provider.

      • Used - Specifies if the attribute is used for Users in the directory service.

      • Attribute Name - Specifies the name of the attribute as defined on the Entity Attributes tab.

      • In Results - Select if the specified attribute should be returned in search results.

      • Searchable - Select if the specified attribute should be available for search operations.

      • Search Operator - Select a search operator from the menu to restrict how the specified attribute is searched.

    • Operations Configuration - Select from Create, Update, Delete, and Search to enable those operations at the Group entity level. Clear the option boxes to disable them.

  • Relationships - Use the fields under this tab to configure the relationship between attributes for this Identity Directory Service.

    • Name - The relationship name.

    • (From) Entity - Choose User to select from User attributes or choose Group to select from Group attributes in the (From) Attribute column.

    • (From) Attribute - Choose the attribute from which you are mapping.

    • Relation - Choose the menu option that describes the relationship between the specified attribute in the From column and the specified attribute in the To column.

    • (To) Entity - Choose User to select from User attributes or choose Group to select from Group attributes in the (To) Attribute column.

    • (To) Attribute - Choose the attribute to which you are mapping.

    • Recursive - Select if the relationship extends down the directory tree to include nested child entities or up the directory tree to include parent entities.

  • Relationship Configuration - Type the URI segment used to access the corresponding column in the Identity Directory Service. Use Add to add a new relationship or Remove to remove a configured relationship.

    • Access URI - Type a URI segment that will be used to access a corresponding data column in the Identity Directory service. For example, if memberOf is the Access URI, then:

      http://host:port/.../idX/memberOf
      

      would be the URI to access related entities of an entity with ID idX.

    • Identity Directory Service Relation - Choose the Directory Service relationship that is to be accessed by the Access URI segment. You can configure relationships on the Relationships tab in the Identity Directory Service configuration section provided that the Identity Directory Service is not the pre-configured UserProfile Identity Provider. (You cannot configure Identity Directory Service relationships for the UserProfile Service Provider.)

    • Entity URI Attribute - Type the JSON attribute name to be used in the URI response sent from the Mobile and Social server. For example, if person-uri is the specified entity URI attribute, the URI response would be as follows:

      { {"person-uri":uriY1, ...}, {"person-uri":uriY2, ...}, ... }
      

      where uriY1 and uriY2 are the direct URIs to access each of the related entities.

    • Scope for Requesting Recursion - Use Scope attribute values with the scope query parameter to retrieve a nested level of attributes in a relationship search. To access related entities recursively, type the value to be used. The Mobile and Social default configuration uses two scope attribute values: toTop and all. If the Scope for Requesting Recursion value is the attribute value all, then the following REST URI example is used to make the request:

      http://host:port/.../idX/reports?scope=all
      

      In this example, the URI returns the entities related to the entity with ID idX, as well as all further related entities.

38.3.3.3 Understanding the Pre-Configured User Profile Service Provider

Mobile and Social provides a pre-configured User Profile Service Provider for LDAP-compliant directory servers named UserProfile. This Service Provider allows lookup and update tasks to be performed on directory objects using Mobile and Social.

38.4 Defining Service Profiles

A Service Profile defines a Service Endpoint URL for a Service Provider on the Mobile and Social server. Each Service Provider instance requires at least one corresponding Service Profile instance. You can create multiple Service Profiles for a single Service Provider; each Service Profile will define different token capabilities and service endpoints for the Service Provider.

Note:

One Service Profile can be assigned to multiple Service Domains. In general, mobile Service Profiles should be assigned to mobile Service Domains, and non-mobile Service Profiles should be assigned to non-mobile Service Domains. See Section 38.7, "Defining Service Domains."

Create one or more Service Profiles after creating the required Service Provider(s). This section covers the following topics:

38.4.1 Defining, Modifying and Deleting an Authentication Service Profile

The following sections contain information regarding Authentication Service Profiles.

38.4.1.1 Creating an Authentication Service Profile

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click Create in the Service Profiles panel in the home area and choose Create Authentication Service Profile.

    The Authentication Service Profile Configuration page displays.

  3. Enter values for the Authentication Service Profile general properties.

    Table 38-8 Authentication Service Profile Default General Properties

    Name Notes

    Name

    Type a unique name for this Authentication Service Profile.

    Description

    (Optional) Type a short description that will help you or another Administrator identify this service in the future.

    Service Type

    Shows the type of Service Profile that you are creating (either a User Profile Service, an Authentication Service, or an Authorization Service).The value is read-only.

    Service Endpoint

    Create a unique uniform resource identifier (URI) address for this service by typing a string in the box; for example, localhost:5575.

    • If creating an Authentication Service Profile, the URI Category Information section shows the URIs that will be created to create, validate, manage, and delete the Profile's client, user, and Access Tokens, as well as the "Client Registration Handle" URI that is used to register devices.

    • If creating an Authorization Service Profile, the URI Category Information section shows the authorization URI category that will be created on the Service.

    • If creating a User Profile Service Profile, the URI Category Information section shows the URI categories that will be created on the Service (one URI to manage Users, and another to manage Groups).

    Service Provider

    Choose the Service Provider on which this Service Profile should be based. The contents of this list are determined by the Service Type. A Service Provider must be defined before you can create a corresponding Service Profile.

    Service Enabled

    Select the box to enable the service; clear the box to disable.


  4. Select an option under Token Support and URI Category Information to enable support for the token type on the service, or clear the option box to disable support for the token type on the service.

    Token Support applies to Authentication Service Profiles only. The corresponding uniform resource identifier (URI) is listed alongside each token type.

    Table 38-9 Token Support and URI Category Information Default Properties

    Name Notes

    Client Registration Handle

    Required for mobile token services so that the client device can register with the Mobile and Social server. The server issues a Client Registration Handle after authenticating the user. When OAAM and its Security Handler Plug-in is used in conjunction with a mobile Authentication Service, the Plug-in can run fraud detection and risk analysis policy checks, enhancing authenticity and the trust level of a client. To add an Authentication Service Profile to a mobile Service Domain, Client Registration Handle must be enabled. Client Registration Handles are not used in non-mobile Service Domains.

    Client Token

    Select to enable Client Tokens on the Service. A Client Token is a security grant issued by the Mobile and Social server to prove that a non-mobile device or client is authenticated. The server issues a Client Token after authenticating the client based on a name and password or other credentials. Client Tokens are optional in non-mobile Service Domains. They are not used in mobile Service Domains.

    User Token

    Select to enable User Tokens on the Service. A User Token is a security grant issued by the Mobile and Social server to prove that a user is authenticated. A User Token can be used to request an Access Token.

    Access Token

    Select to enable Access Tokens on the Service. An Access Token is a security grant issued by the Mobile and Social server so that a client application can access a specific protected resource. A client application can get an Access Token by presenting a User Token, provided that the user is authorized to access the resource.


  5. Click Create to create the Service Profile configuration object.

38.4.1.2 Editing or Deleting an Authentication Service Profile

To edit or delete an Authentication Service Profile, select the Service Profile in the panel and click Edit or Delete on the panel's tool bar.

38.4.2 Defining, Modifying and Deleting an Authorization Service Profile

The following sections contain information regarding Authentication Service Profiles.

38.4.2.1 Creating an Authorization Service Profile

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click Create in the Service Profiles panel in the home area and choose Create Authorization Service Profile.

    The Authorization Service Profile Configuration page displays.

  3. Enter values for the Authorization Service Profile general properties.

    Table 38-10 Authorization Service Profile Default General Properties

    Name Notes

    Name

    Type a unique name for this Authorization Service Profile.

    Description

    (Optional) Type a short description that will help you or another Administrator identify this service in the future.

    Service Type

    Shows the type of Service Profile that you are creating (either a User Profile Service, an Authentication Service, or an Authorization Service).The value is read-only.

    Service Endpoint

    Create a unique uniform resource identifier (URI) address for this service by typing a string in the box; for example, localhost:5575.

    • If creating an Authentication Service Profile, the URI Category Information section shows the URIs that will be created to create, validate, manage, and delete the Profile's client, user, and Access Tokens, as well as the "Client Registration Handle" URI that is used to register devices.

    • If creating an Authorization Service Profile, the URI Category Information section shows the authorization URI category that will be created on the Service.

    • If creating a User Profile Service Profile, the URI Category Information section shows the URI categories that will be created on the Service (one URI to manage Users, and another to manage Groups).

    Service Provider

    Choose the Service Provider on which this Service Profile should be based. The contents of this list are determined by the Service Type. A Service Provider must be defined before you can create a corresponding Service Profile.

    Service Enabled

    Select the box to enable the service; clear the box to disable.


  4. Click Create to create the Service Profile configuration object.

38.4.2.2 Editing or Deleting an Authorization Service Profile

To edit or delete an Authorization Service Profile, select the Service Profile in the panel and click Edit or Delete on the panel's tool bar.

38.4.3 Defining, Modifying and Deleting a User Profile Service Profile

The following sections contain information regarding Authentication Service Profiles.

38.4.3.1 Creating a User Profile Service Profile

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click Create in the Service Profiles panel in the home area and choose Create User Profile Service Profile.

    The User Profile Service Profile Configuration page displays.

  3. Enter values for the User Profile Service Profile general properties.

    Table 38-11 User Profile Service Profile Default General Properties

    Name Notes

    Name

    Type a unique name for this Authorization Service Profile.

    Description

    (Optional) Type a short description that will help you or another Administrator identify this service in the future.

    Service Type

    Shows the type of Service Profile that you are creating (either a User Profile Service, an Authentication Service, or an Authorization Service).The value is read-only.

    Service Endpoint

    Create a unique uniform resource identifier (URI) address for this service by typing a string in the box; for example, localhost:5575.

    • If creating an Authentication Service Profile, the URI Category Information section shows the URIs that will be created to create, validate, manage, and delete the Profile's client, user, and Access Tokens, as well as the "Client Registration Handle" URI that is used to register devices.

    • If creating an Authorization Service Profile, the URI Category Information section shows the authorization URI category that will be created on the Service.

    • If creating a User Profile Service Profile, the URI Category Information section shows the URI categories that will be created on the Service (one URI to manage Users, and another to manage Groups).

    Service Provider

    Choose the Service Provider on which this Service Profile should be based. The contents of this list are determined by the Service Type. A Service Provider must be defined before you can create a corresponding Service Profile.

    Service Enabled

    Select the box to enable the service; clear the box to disable.


  4. Click Create to create the Service Profile configuration object.

38.4.3.2 Editing or Deleting a User Profile Service Profile

To edit or delete a User Profile Service Profile, select the Service Profile in the panel and click Edit or Delete on the panel's tool bar.

38.5 Defining Security Handler Plug-ins

A Security Handler Plug-in enhances security by consulting additional logic for trust and risk analysis. Such additional logic may deny access based on certain risky operations. Mobile authentication invokes the Security Handler Plug-in during sensitive security operations; for example, during virtually all token acquisition operations including client application registration.

Note:

Security Plug-in usage is optional. If used, it should only be applied to mobile-related Service Domains and its authentication services and client applications.

Mobile and Social includes the following pre-configured Security Handler Plug-ins.

  • OAAMSecurityHandlerPlugin enables sophisticated device and client application registration logic as well as the advanced risk and fraud analysis logic found in OAAM.

  • Default offers very limited risk analysis logic.

The following sections contain information regarding defining Security Handler Plug-ins.

38.5.1 Creating a Security Handler Plug-in

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click Create in the Security Handler Plugins panel in the home area.

    The Security Handler Plug-in Configuration page displays.

  3. Enter values for the Security Handler Plug-in general properties.

    Table 38-12 Security Handler Plug-in General Properties

    Name Notes

    Name

    Type a unique name for this Authorization Service Profile.

    Description

    (Optional) Type a short description that will help you or another Administrator identify this service in the future.

    Security Handler Class

    Choose the Java class that defines the Security Handler Plug-in that you want to use. This release of Mobile and Social supports two Security Handler Plug-ins, the DefaultSecurityHandlerPlugin and the OAAMSecurityHandlerPlugin.


  4. Enter name-value pairs for the Security Handler Plug-in Attributes.

    • For descriptions of the OaamSecurityHandlerPlugin attributes, see Section 38.9.2.6.3, "Setting Up OTP E-Mail Integration."

    • The DefaultSecurityHandlerPlugin has a single attribute setting, allowJailBrokenDevices. This specifies if jail-broken client devices should be allowed or denied access to protected resources. Set the attribute's value to false to deny access (default setting) or set it to true to allow access. The OAAMSecurityHandlerPlugin does not need to be configured for jail break enforcement. See Section 38.8.1, "Adding a New Jail Breaking Detection Policy," for more information.

  5. Click Create to create the Security Handler Plug-in configuration object.

38.5.2 Editing or Deleting a Security Handler Plug-in

To edit or delete a Security Handler Plug-in, select the definition in the panel and click Edit or Delete on the panel's tool bar.

38.5.3 Device Fingerprinting and Device Profile Attributes

When a mobile application is started, Mobile Client SDK logic in the application will attempt to detect a number of Device Profile attributes. Some Device Profile attributes are general attributes that cannot uniquely identify a device, such as OS Type, OS Version, language locale setting, network setting, and geographic location. Some attributes are hardware identifiers that can uniquely identify a device. An example of a hardware identifier is a MAC Address on a mobile device. The mobile OS type and version will dictate the kinds of Device Profile attributes that can be detected.

When a mobile application requests a token through the Mobile Client SDK, the SDK logic will send the Device Profile attributes as a part of an HTTP request. This set of Device Profile attributes enhances security by creating an audit trail for devices that assists device identification.

When the OAAM Security Plug-in is used, a particular combination of Device Profile attribute values is treated as a device finger print, known as the Digital Finger Print in the OAAM Administration Console. Each finger print is assigned a unique fingerprint number. Each OAAM session is associated with a finger print and the finger print makes it possible to log (and audit) the devices that are performing authentication and token acquisition.

38.6 Defining Application Profiles

An Application Profile defines the client application that will consume services provided by the Service Providers. A single Application Profile can be assigned to multiple Service Domains. More information can be found in the following sections.

38.6.1 Creating an Application Profile

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click Create in the Application Profiles panel in the home area.

    The Application Profiles Configuration page displays.

  3. Enter values for the Application Profile general properties.

    Table 38-13 Application Profile General Properties

    Name Notes

    Name

    The value must be a unique one that distinguishes the application from all other applications on the server. This value and the application name value embedded in the client application must match.

    Description

    (Optional) Type a short description that will help you or another Administrator identify this service in the future.


  4. Enter name-value pairs for the attributes used by the Mobile and Social server to perform server functions for this application; for example, creating a Client Registration Handle.

    • Mobile.clientRegHandle.baseSecret is a mandatory attribute used by the server as a private secret to sign each Client Registration Handle for this application.

    • userId4BasicAuth is the user ID attribute used by the server and the application to perform HTTP Basic authentication. For more information see Section 37.4.1, "Protecting the Mobile Client Registration Endpoint."

    • sharedSecret4BasicAuth is the shared secret attribute used by the server and application to perform HTTP Basic authentication.

  5. Define the Mobile Application Profile properties.

    • Jail Breaking Detection - Select the Enabled box to activate Jail Breaking Detection for this application, or clear the box to disable it. If Jail Breaking Detection is grayed out, the Jail Breaking Detection Policy is disabled in Mobile and Social. For more information, see Section 38.8, "Using the Jail Breaking Detection Policy."

    • Mobile Configuration - Select this option to expose additional mobile configuration settings on the Application Profile Configuration page.

  6. Click Create to create the Application Profile configuration object.

    See Section 38.6.2, "Editing or Deleting an Application Profile" for information on properties that can be configured only after the Application Profile is created.

38.6.2 Editing or Deleting an Application Profile

To edit or delete an Application Profile, select the definition in the panel and click Edit or Delete on the panel's tool bar. This section describes additional Application Profile properties as they appear when editing a User Profile Service Provider that you or another Administrator previously created.

  • Configuration Settings

    • Profile Cache Duration - The maximum amount of time that the Application Profile details cached on the mobile device will remain valid. If the time is elapsed when the mobile client application requests the Application Profile, the cached Profile is replaced with a freshly downloaded version. If the time is not elapsed, the cached Profile is used.

    • Authentication Retry Count - The maximum number of retries that a User is allowed if invalid credentials are provided during registration/authentication. This setting is not honored in the iOS Mobile SDK.

    • Offline Authentication - Select the Allowed box to allow users to log in and authenticate to the application locally. Clear the box to block users from authenticating locally.

    • Claim Attributes - The set of attributes that will be fetched from the device and passed to the server during registration/authentication.

    • Internet Identity Services WebView - Choose Embedded if users should be presented with the Mobile and Social login page inside the application using the embedded WebView class, or choose External if the login page should be presented in an external browser.

  • Platform Specific Settings

    • URL Scheme - Type the URL scheme that is used to invoke this mobile client application, as configured in the application itself.

    • Apple iOS Bundle ID - Type the unique Bundle ID that is configured in the mobile client application. Each iOS mobile application has a unique Bundle ID.

    • Android Package

    • Android Application Signature

  • Custom Settings / Mobile Custom Attributes - Configure attributes or properties specific to the mobile client application. Mobile Custom Attributes are returned by the server to the mobile application as part of the Application Profile

38.7 Defining Service Domains

Create a Service Domain to associate Service Profiles with Application Profiles and the corresponding configuration settings. When the Create Service Domain page is displayed, you can:

  • Choose if the Service Domain is for managing mobile applications or desktop applications.

  • Choose an authentication scheme and, optionally, a Security Handler Plug-in for the Service Domain.

  • Add one or more Mobile SSO Agents to the Service Domain and configure which agents have priority over others.

  • Add one or more applications to the Service Domain and configure which applications can use a Mobile SSO Agent.

  • Choose at least one Service Profile for the Service Domain.

  • Configure security settings to protect the Service Domain's selected services.

More information can be found in the following sections.

38.7.1 Creating a Service Domain

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click Create in the Service Domains panel in the home area.

    The Create Service Domain Configuration page displays.

  3. Enter values for the Service Domain general properties.

    Table 38-14 Service Domain General Properties

    Name Notes

    Name

    Type a unique name for this Service Domain.

    Description

    (Optional) Type a short description that will help you or another Administrator identify this service in the future.

    Type

    Choose Mobile Application or Desktop Application. A mobile application is an application that runs on a mobile operating system, such as the iOS mobile operating system from Apple. A desktop application is an application that runs on a non-mobile operating system.

    Credential for Registering an Application

    If configuring a mobile Service Domain, choose the minimum credential level required to register an application. If you choose User Password, the server will prompt the User for a user name and password every time an application is registered, even if a mobile single sign-on agent is installed on the device. If you choose User Token, the server asks the mobile SSO agent to provide the User name and password. Subsequent application registrations on that device then will use the User Token issued to the mobile SSO agent for that purpose. User Password provides added security around the application registration process. User Token makes the application registration process more convenient for the User.

    Authentication Scheme

    If configuring a mobile Service Domain, choose Mobile Service Authentication or Internet Identity Authentication. If you choose Mobile Service Authentication, the client will prompt the User for a User name and password. If you choose, Internet Identity Authentication, the client will redirect to the Mobile and Social server and the User will use Internet Identity Services to authenticate with an Identity Provider, for example Google or Facebook. This selection determines which Authentication Service Profiles you can choose on the Service Profile Selection configuration screen.

    Security Handler Plug-in Name

    Security Handler Plug-in Name - If configuring a mobile Service Domain, choose the Security Handler Plug-in to use. For information about the available Security Handler Plug-ins, see Section 38.2.3, "Understanding Security Handler Plug-ins."


  4. Use one or all of the following options to add or select Application Profiles.

    If configuring a mobile domain, only mobile apps can be selected. Similarly, if configuring a non-mobile domain, only desktop apps can be selected

    1. Click Browse Application Profiles (under Application Profile Selection) to open a Search window from which you can search for one or more previously configured Application Profiles to add to the Service Domain. Select the Profiles to add and click Select.

    2. Alternately, if you know the exact name of the Application Profile, click Add and type the name directly into the table.

    Table 38-15 Application Profile Selection Properties

    Name Notes

    Application Profile Name

    The name that uniquely identifies the client application to Mobile and Social.

    Mobile Single Sign-on (SSO) Configuration

    If configuring a mobile Service Domain, choose if each application should participate in mobile single sign-on as an SSO Agent, as an SSO Client, or not at all (None).

    • Choose None if this application does not want to participate in mobile SSO and instead wants to perform User authentication with the Mobile and Social server directly.

    • Choose As an SSO Agent if the application is a mobile single sign-on agent that can accept authentication requests from other apps. For details about creating a custom mobile SSO agent, refer to the iOS SDK information in the Developer's Guide for Oracle Access Management.

    • Choose As an SSO Client if the application is configured to work with mobile single sign-on and it delegates user authentication and user session management responsibilities to a mobile SSO agent.

    Agent Priority

    Displays the numerical ranking for applications that are configured as mobile SSO Agents. When multiple agent apps are installed on the device, the Agent application with highest priority (smallest numerical rank) acts as the Agent application for all other Agent apps. If that Agent is deleted from the device, the Agent with the next highest ranking becomes the active Agent. Click Move Up and Move Down to reorder the agents by priority..

    Description

    (Optional) Type a short description that will help you or another Administrator identify this service in the future.


  5. Click Next to select a Service Profile.

    The Service Profile page displays.

  6. Use one or both of the following options to add at least one Service Profile to the Service Domain.

    For a mobile Service Domain, you can add one Service Profile for each authentication, authorization, and User Profile Services Service Provider. For a non-mobile Service Domain, you can add multiple Service Profiles for each authentication, authorization, and User Profile Services Service Provider.

    1. Click Select to open a Search window from which you can search for a previously configured Service Profile. If configuring a mobile Domain, you can only select a mobile-compatible Authentication Service Profile. Similarly, if configuring a non-mobile domain, you can only select a desktop-compatible Authentication Service Profile. Select the Profile to assign and click Select. If you know the exact name of the Service Profile, click Add and type the name directly into the table.

    2. Click Create to create a new Service Profile.

      Table 38-16 Service Profile Selection Properties

      Name Notes

      Authentication Service

      (Optional) Displays the name of the Authentication Service Profile configured for this Service Domain and the corresponding Service Endpoint. If creating a new Service Profile, see Section 38.4.1, "Defining, Modifying and Deleting an Authentication Service Profile."

      Authorization Service

      (Optional) Displays the name of the Authorization Service Profile configured for this Service Domain and the corresponding Service Endpoint. If creating a new Service Profile, see Section 38.4.2, "Defining, Modifying and Deleting an Authorization Service Profile."

      User Profile Service

      (Optional) Displays the name of the User Profile Service Profile configured for this Service Domain and the corresponding Service Endpoint. If creating a new Service Profile, see Section 38.4.3, "Defining, Modifying and Deleting a User Profile Service Profile."


  7. Click Next to configure Service Protection (authentication).

    The Service Protection page displays.

  8. Configure authentication for the Service Profile using one of the following options.

    1. If you previously selected a User Profile Service for this Service Domain, configure the security settings to protect it.

      Table 38-17 User Profile Service Protection Properties

      Name Notes

      Authentication

      Choose from the menu the Authentication Service Profile configured for this Service Domain, with which you would like to protect this User Profile service.

      Secured Application

      Select to require the client application to authenticate, either by presenting a Client Resource Handle or a Client Token.

      Secured User

      Select to require a User to authenticate, either by presenting a User Token or an Access Token, where the access token is previously acquired with a User Token.

      Allow Read

      Select to allow users to view User Profile data.

      Allow Write

      Select to allow users to update User Profile data.


    2. If you previously selected an Authorization Service for this Service Domain, configure the security settings to protect it.

      Table 38-18 Authorization Service Protection Properties

      Name Notes

      Authentication

      Choose the Authentication Service Profile configured for this Service Domain, with which you would like to protect this Authorization service.

      Secured Application

      Select to require the client application to authenticate, either by presenting a Client Resource Handle or a Client Token.

      Secured User

      Select to require a User to authenticate, either by presenting a User Token or an Access Token, where the access token is previously acquired with a User Token.


  9. Click Next to verify your selections.

  10. Click Finish to create the Service Domain.

38.7.2 Editing or Deleting a Service Domain

To edit or delete an Service Domain, select the definition in the panel and click Edit or Delete on the panel's tool bar. This section describes additional Service Domain properties as they appear when editing a Service Domain that you or another Administrator previously created.

  • Application Profiles Tab

    • Profile Cache Duration - The maximum amount of time that the Application Profile details cached on the mobile device will remain valid. If the time is elapsed when the mobile client application requests the Application Profile, the cached Profile is replaced with a freshly downloaded version. If the time is not elapsed, the cached Profile is used.

    • Authentication Retry Count - The maximum number of retries that a User is allowed if invalid credentials are provided during registration/authentication. This setting is not honored in the iOS Mobile SDK.

    • Offline Authentication - Select the Allowed box to allow users to log in and authenticate to the application locally. Clear the box to block users from authenticating locally.

    • Claim Attributes - The set of attributes that will be fetched from the device and passed to the server during registration/authentication.

    • Internet Identity Services WebView - Choose Embedded if users should be presented with the Mobile and Social login page inside the application using the embedded WebView class, or choose External if the login page should be presented in an external browser.

  • Platform Specific Settings

    • URL Scheme - Type the URL scheme that is used to invoke this mobile client application, as configured in the application itself.

    • Apple iOS Bundle ID - Type the unique Bundle ID that is configured in the mobile client application. Each iOS mobile application has a unique Bundle ID.

    • Android Package

    • Android Application Signature

  • Custom Settings / Mobile Custom Attributes - Configure attributes or properties specific to the mobile client application. Mobile Custom Attributes are returned by the server to the mobile application as part of the Application Profile

38.8 Using the Jail Breaking Detection Policy

Jail breaking is the process of removing or circumventing the limitations that manufacturers impose on their mobile devices. While legal, jail breaking can present a heightened security risk to protected resources. To counter this risk, Mobile and Social provides a preconfigured Jail Breaking Detection Policy for iOS devices.

The Jail Breaking Detection Policy consists of one or more statements that instruct a client application (built using the Mobile and Social SDK for iOS) to search for files that may indicate the device is jail broken. The Mobile and Social server sends the Policy statements to the iOS client application. The client device then returns a true (jail breaking is detected) or false value back to the Mobile and Social server. This value is forwarded to the Security Handler Plug-in and, depending on the security policies of the Security Handler Plug-in in use, Mobile and Social can allow access, deny access, or wipeout any Mobile and Social specific data from the application.

  • If the Default Security Handler Plug-in is active and the policy logic says the device is jail broken, the Plug-in can ALLOW or DENY access to the client device depending on how the allowJailBrokenDevices Plug-in attribute is set.

  • If the Oaam Security Handler Plug-in is active and the policy logic says the device is jail broken, the Plug-in can ALLOW or BLOCK access to the client device depending on how the OAAM policy rules are configured. (Refer to the Administrator's Guide for Oracle Adaptive Access Manager for information on the policy rules as in, for example, the Jail broken Mobile Device rule under the "OAAM Post-Authentication Security" policy.)

    Additionally, if a device is blacklisted, lost or stolen, this Plug-in can send a WIPEOUT command that will delete any Mobile and Social specific data from the device and block the device from future requests. If the user recovers the missing device, the device can be reset in OAAM.

See Section 38.5, "Defining Security Handler Plug-ins" for more information.

Note:

OAAM's BLOCK and Mobile and Social's DENY mean the same thing.

The following sections contain more information.

38.8.1 Adding a New Jail Breaking Detection Policy

If you choose to create a new Jail Breaking Detection Policy using XML, click the Load button to overwrite the default Policy completely. A schema file is available from customer support.

Use the following procedure to create a new Jail Breaking Detection Policy with the Oracle Access Management Console.

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click JailBreaking Detection Policy in the navigation pane.

    The JailBreaking Detection Policy page displays.

  3. Click Add to configure the Conditions and Detection Logic properties for a new JailBreaking Detection Policy.

    • Jail Breaking Detection - Select Enabled to turn the Jail Breaking Detection policy on, or clear this option to turn it off for all client Application instances. If you enable the Jail Breaking Detection Policy here, you can disable it on an application by application basis. If you disable the Policy here, you can not enable or disable the feature on an application by application basis.

    • Min OS Version - The minimum iOS version to which the policy applies. If the value is 1.0, the policy will apply to iOS devices running at least version 1.0 of iOS.

    • Max OS Version - The maximum iOS version to which the policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to any iOS version higher than the value specified for Min OS Version.

    • Min Client SDK Version - The minimum Mobile and Social Client SDK version number. For example, 11.1.2.0.0.

    • Max Client SDK Version - The maximum Mobile and Social Client SDK version number. For example, 11.1.2.0.0.

    • Policy Expiration Duration - Type the length of time in seconds that the SDK on the iOS client device should wait before expiring the local copy of the policy and retrieving a newer version.

    • Auto Check Period - Type the interval of time in minutes that the iOS client device should wait before executing the Jail Breaking Detection Policy statements again.

    • Detection Location - The iOS client device uses a logical-OR operator to evaluate Policy statements. Add a Detection Location as follows:

      • File Path - Type the absolute path to the file or directory on the device for which the Detection Policy should search.

      • Action - Select Exists which instructs the Detection Policy to evaluate whether it can access a file path.

      • Success - Select if the Policy should flag the device as jail broken if the specified files or directories are found on the device. Use this option if the policy is checking for unauthorized files or directories. Clear this option if the Policy should flag the device as jail broken if the specified files or directories are not found. (Use this option if checking for required files or directories.)

38.8.2 Editing the Jail Breaking Detection Policy

In most cases you can use the Policy Statements editor on the Jail Breaking Detection Policy Configuration page to change a Jail Breaking Detection Policy.

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. Click JailBreaking Detection Policy in the navigation pane and choose one of the following options:

    • To append changes to the Jail Breaking Detection Policy, click Load in the tool bar, browse to the XML file that contains the Jail Breaking Detection Policy statements that you want to append, choose Append after existing policy statements, and click OK. A schema file is available from customer support.

    • To overwrite the Jail Breaking Detection Policy, click Load in the tool bar, browse to the XML file that contains the Jail-Breaking Detection Policy statements that you want to load, choose Overwrite existing policy statements, and click OK. A schema file is available from customer support.

    • To edit the Jail Breaking Detection Policy, select it in the Policy Statements table to display its properties, make changes (as per Section 38.8.1, "Adding a New Jail Breaking Detection Policy") and click Apply.

38.9 Configuring Mobile Services with Other Oracle Products

The following sections contain information on configuring Mobile and Social with other Oracle products.

38.9.1 Configuring Mobile Services for Access Manager

The following sections describe how to configure Mobile and Social to work with different versions of Access Manager.

Note:

During installation, the Oracle Fusion Middleware Configuration Wizard generates a domain that supports both Mobile and Social and Access Manager. For more information, see the "Configuring Mobile and Social" chapter in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

38.9.1.1 Configuring Mobile Services to Work With Access Manager in Simple and Certificate Mode

Use the following procedure to configure Mobile Services to work with Access Manager if Access Manager is configured in Simple Mode.

  1. Open the Oracle Access Management Administration Console.

  2. Select the System Configuration tab and choose Common Configuration > Server Instances > oam_server1.

  3. Click the Open button.

  4. From the Mode menu, choose Simple and click Apply.

    The system creates the webgate-ssl directory under the ~/oam-domain/output directory and generates the following files:

    • oamclient-keystore.jks

    • oamclient-truststore.jks

  5. Copy the .jks files to the ~/oam-domain/config/fmwconfig directory.

  6. Go to ~/oam-domain/output/accessgate-oic and open password.xml.

  7. Copy the passwd value from the file.

  8. In the navigation pane of the Administration Console, select the System Configuration tab.

  9. Expand Mobile and Social and choose Mobile Services > Service Providers > Authentication Service Providers > OAMAuthentication.

  10. Add the following name-value pairs to the Attributes table.

    Table 38-19 Required Attributes for Access Manager Simple Mode Configuration

    Name Value

    PASSPHRASE

    The passwd value from step 4.

    KEYSTORE

    <fully qualified path>/oam-domain/config/fmwconfig/oamclient-keystore.jks

    TRUSTSTORE

    <fully qualified path>/oam-domain/config/fmwconfig/oamclient-truststore.jks


  11. In the Attributes table, locate TRANSPORT_SECURITY and change the value from OPEN to SIMPLE or CERT and click Save.

  12. In the navigation pane of the Administration Console, under the System Configuration tab, click to expand the Access Manager section, and choose SSO Agents.

  13. Double-click OAM Agents to open it.

  14. In the Search box, type accessgate-oic in the Name field and click Search.

  15. Click accessgate-oic in the Search results to open its profile page.

  16. Change the Security setting from Open to Simple or Cert and click Apply.

  17. Restart the Oracle Access Management server.

38.9.1.2 Configuring Authentication Service Provider for Remote Oracle Access Manager Server 10g

The following procedure documents how to configure an Authentication Service Provider to work with a remote instance of the Oracle Access Manager 10g server.

  1. Log in to the 10g Console and create the WG Profile.

    The OAM 10g Access Management Service must be turned on.

  2. Navigate through the Mobile and Social Console to Mobile Services > Service Providers > Authentication Service Providers.

  3. Click New to create a new Authentication Service Provider configuration.

  4. Enter the appropriate values for the parameters.

    1. Change OAM_VERSION to OAM_10G from OAM_11G.

    2. Change WEBGATE_ID to the name you previously used to create the WG profile.

    3. Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 10G server.

    4. Add a new parameter named AuthNURL and populate it with the URL for any protected resource; for example, http://server1.domain.com/index.html.

  5. Save the Authentication Service Provider configuration.

  6. Navigate through the Mobile and Social console to Mobile Services > Service Profiles > Authentication Services > OAMAuthentication.

  7. From the Service Provider drop down menu, select the Authentication Service Provider just created; for example, 10GOAMAuthentication.

  8. Check the Client Token checkbox.

  9. Uncheck the Access Token checkbox.

  10. Save the OAMAuthentication configuration.

If Mobile and Social is configured to work with a remote instance of the Oracle Access Manager 10g server, you must also do either of the following:

  • Define a uid attribute in the directory DN entry for user records in the Oracle Access Manager UserStore.

  • Define a unique directory user entry attribute that can be used to identify the directory user entry in Mobile and Social.

Note:

Mobile and Social can dynamically obtain the unique directory user attribute name from Oracle Access Manager version 11g but the earlier 10g release requires that you specify the attribute to use when configuring Mobile and Social. If this attribute is not set, Client Token validation will fail in Mobile and Social.

The following procedure demonstrates setting the value to CN. Set the value to a unique user entry as configured on your directory server; uid or loginid may also be possible choices. Before beginning, confirm that the Oracle Access Manager DN for UserStore does not include a uid attribute for the Application Profile profileid1, and that the DN is as follows:

"CN=profileid1 profileid1, OU=Test, ..."

Complete the next steps upon confirming that both are true.

  1. Open the Application Profile Configuration page for profileid1 in Mobile and Social as documented in Section 38.6, "Defining Application Profiles."

  2. In the Attributes section, add the following name-value pair and click Apply.

    Name: userPrincipalAttrValue

    Value: CN

  3. Open the Service Provider Configuration page for your Oracle Access Manager 10g Authentication Service Provider as documented in Section 38.3.1, "Defining, Modifying or Deleting an Authentication Service Provider."

  4. In the Attributes section, add the following name-value pair and click Apply.

    Name: userPrincipalAttrName

    Value: CN

38.9.1.3 Configuring Authentication Service Provider for Remote Access Manager 11gR2 or Oracle Access Manager 11gR1 PS1

The following procedure documents how to configure an Authentication Service Provider to work with releases 11gR2 and 11gR1 PS1. The differences for the 11gR1 PS1 release console are documented in notes within each 11gR2 step.

  1. Log in to the Oracle Access Management Console and register a Webgate (OAM Agent) for Mobile and Social.

    Be sure to enable the following options.

    • Allow Management Operations

    • Allow Token Scope Operations

    • Allow Master Token Retrieval

    • Allow Credential Collector Operations

    Note:

    If using an OAM 11.1.1.5 release console, enable Allow Management Operations.

  2. Navigate through the Mobile and Social Console to Mobile Services > Service Providers > Authentication Service Providers.

  3. Click New to create a new Authentication Service Provider configuration.

  4. When using an OAM 11.1.2 release console, enter the following values.

    1. Keep the default value of OAM_VERSION as OAM_11G.

    2. Change WEBGATE_ID to the name you previously used to create the WG profile.

    3. Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 11G server.

    Note:

    If using an OAM 11.1.1.5 release console:

    1. Change the default value of OAM_VERSION to OAM_10G.

    2. Change WEBGATE_ID to the name you previously used to create the WG profile.

    3. Change OAM_SERVER_1 to the hostname:port# of the machine hosting the OAM 11.1.1.5 server.

    4. Add a new parameter named AuthNURL and populate it with the URL for any protected resource; for example, http://server1.domain.com/index.html.

  5. Save the Authentication Service Provider configuration.

  6. Navigate through the Mobile and Social Console to Mobile Services > Service Profiles > Authentication Services > OAMAuthentication.

  7. From the Service Provider drop down menu, select the Authentication Service Provider just created; for example, 10GOAMAuthentication.

  8. Check the Client Token checkbox.

  9. Uncheck the Access Token checkbox only if using OAM 11g R1 PS1.

  10. Save the OAMAuthentication configuration.

  11. Merge the CSF wallet files.

    OAM 11G generates the cwallet.sso file when the administrator creates the WG profile for Mobile and Social. To communicate with this WG profile, the administrator must merge the secret value in cwallet.sso into the Mobile and Social wallet.

    Note:

    Use the following command to display the wallet before and after the merge for verification that the merge has been successful.

    orapki wallet display -wallet wallet_location

    1. Copy cwallet.sso from OAM (~/domain-home/output) to the Mobile and Social host machine directory, /tmp/oam.

    2. Copy cwallet.sso from the Mobile and Social host machine directory (~/config/fmwconfig) to the Mobile and Social host machine directory, /tmp/oic.

    3. Download merge-creds.xml to the Mobile and Social host machine directory, /tmp.

      Example 38-1 is a sample merge-creds.xml file.

      Example 38-1 Sample merge-creds.xml

      <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
      <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" 
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
       xsi:schemaLocation=
        "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"  
       schema-major-version="11" schema-minor-version="1">
       
      <serviceProviders>
      <serviceProvider 
       class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider" 
       name="credstoressp" type="CREDENTIAL_STORE">
      <description>File-based credential provider</description>
      </serviceProvider>
      </serviceProviders>
       
      <serviceInstances>
      <!-- Source file-based credential store instance -->
      <serviceInstance location="/tmp/oam" provider="credstoressp" 
       name="credential.file.source">
      </serviceInstance>
       
      <!-- Destination file-based credential store instance -->
      <serviceInstance location="/tmp/oic" provider="credstoressp" 
       name="credential.file.destination">
      </serviceInstance>
      </serviceInstances>
       
      <jpsContexts>
      <jpsContext name="FileSourceContext">
      <serviceInstanceRef ref="credential.file.source"/>
      </jpsContext>
       
      <jpsContext name="FileDestinationContext">
      <serviceInstanceRef ref="credential.file.destination"/>
      </jpsContext>
      </jpsContexts>
      </jpsConfig>
      
    4. Set the PATH variable to include ~/oracle_common/bin:~/oracle_common/common/bin:~

    5. Initialize the WebLogic Scripting Tool by running wlst.sh on the command line.

    6. Run the migrateSecurityStore WLST command.

      Following is sample syntax for the WLST command.

      $ wlst.sh
      
      wls:/offline> connect("weblogic", "weblogic-passwd", "localhost:<port>")
      wls:/WLS_IDM/serverConfig> 
      migrateSecurityStore(type="credStore",configFile="/tmp/merge-creds.xml",
       src="FileSourceContext",dst="FileDestinationContext")
      
  12. Restart the Mobile and Social server.

38.9.2 Configuring Mobile Services for Oracle Adaptive Access Manager

To configure a Service Domain to use the Oracle Adaptive Access Manager (OAAM) device registration functionality, open the Service Domain Configuration page and choose the OAAMSecurityHandlerPlugin option from the Security Handler Plugin Name list. See Section 38.7.1, "Creating a Service Domain."

Note:

During installation, the Oracle Fusion Middleware Configuration Wizard can generate a domain that supports both Mobile and Social and Oracle Adaptive Access Manager. Mobile and Social requires at least Oracle Adaptive Access Manager version 11g Release 2. For more information, see the "Configuring Mobile and Social" chapter in the Fusion Middleware Installation Guide for Oracle Identity and Access Management.

The following sections describe how to configure the required policies, conditions, rules, and actions to complete integration between Mobile and Social and OAAM.

Note:

See the Administrator's Guide for Oracle Adaptive Access Manager for information on how to set up OAAM rule and policy ordering.

38.9.2.1 Understanding OAAM Support in Mobile and Social

Mobile and Social supports the OAAM policies listed (by OAAM checkpoint) in Table 38-20.

Table 38-20 OAAM Policies Supported By Mobile and Social

Checkpoint Supported Policies

Post-Authentication


OAAM Post-Authentication Security
OAAM User vs Themselves
OAAM User vs. All Users
OAAM Does User Have Profile
OAAM Predictive Analysis Policy

Challenge


OAAM Challenge Policy

Device Identification


OAAM Device ID Policy
OAAM System Deep Analysis Flash Policy
OAAM System Deep Analysis No Flash Policy

Mobile and Social and OAAM also use similar terminology to describe the security actions that can be taken to respond to authentication and authorization events. Table 38-21 maps the the Mobile and Social term to the OAAM term.

Table 38-21 Mapping Terms Between OAAM and Mobile and Social

OAAM Action Groups Mobile and Social Actions

OAAM Allow

ALLOW

OAAM Block

DENIED

OAAM Challenge

CHALLENGE

OAAM Black-Listed Mobile Device

WIPE_OUT

OAAM Lost Device

WIPE_OUT


38.9.2.2 Configuring the WebLogic Administration Domain

Before configuring OAAM policies, complete the steps in this section.

38.9.2.2.1 Creating an Administrator for OAAM Administration
  1. Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.

  2. In the Domain Structure tab on the left side of the page, select Security Realms.

  3. On the Summary of Security Realms page, select the realm that you are configuring; for example, myrealm.

  4. Click New and provide the required information to create a User in the security realm: Name (for example, user1), Description (optional), Provider (enter DefaultAuthenticator), Password, and Confirm Password.

  5. Click to select the new created User.

  6. Click the Groups tab.

  7. Assign to the User all groups with an OAAM prefix.

  8. Click Save.

38.9.2.2.2 Adding Oracle Access Management Server as Target of OAAM Data Source
  1. Log in to the Oracle WebLogic Administration Console for your WebLogic administration domain.

  2. In the Domain Structure tab on the left side of the page, select Services.

  3. On the Summary of Services page, select Data Sources.

  4. Open OAAM_SERVER_DS in the Data Sources table.

  5. Click the Targets tab.

  6. Select oam_server1.

  7. Click Save.

38.9.2.3 Setting up a Lost or Stolen Device Rule

Users should report lost or stolen devices to the support department so that the missing device can be added to the OAAM Lost or Stolen Device group. Then if an authentication attempt comes from the missing device, OAAM can send Mobile and Social a DENY or WIPE_OUT action to wipe out the application's data associated with the Mobile and Social server. If a User recovers a missing device, the device status can be reset in OAAM. The following procedure documents how to create a Lost or Stolen Device Rule for each device reported as missing by adding the Device ID to the OAAM Lost or Stolen Devices device group.

  1. Log in to the OAAM Administration Console.

  2. Double-click Sessions in the Navigation pane.

    The Sessions Search page displays.

  3. Search by User Name, Client Application name, Device ID or similar to find the lost or stolen device.

  4. Click the Session ID in the Search Results table.

    The Session Details page opens.

  5. Click Add to Group.

    The Add to Group pop-up window opens.

  6. In the Choose Data Type to Add section, choose Device and click Next.

  7. Select the OAAM Lost or Stolen Devices Group and click Next.

  8. Verify your selection and click Finish.

  9. Click OK.

    For information about managing the Lost Devices policy and group, see the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

38.9.2.4 Configuring Blacklisted Devices and Applications

Rules can be configured to block access to specific devices or applications. The following sections contain more information.

38.9.2.4.1 Setting up a Blacklisted Device Rule

Create a Blacklisted Device Rule for each device to which you want to block access. The following procedure documents how to create a Blacklisted Device Rule by adding the Device ID to the OAAM Black-listed Mobile Devices group.

  1. Log in to the OAAM Administration Console.

  2. Double-click Sessions in the Navigation pane.

    The Sessions Search page displays.

  3. Use the Search page to find the device to block. For example, search by a User Name, a Client Application name, a Device ID, and so on.

  4. Click the Session ID in the Search Results table.

    The Session Details page opens.

  5. Click Add to Group.

    The Add to Group pop-up window opens.

  6. In the Choose Data Type to Add section, choose Device and click Next.

  7. Select the OAAM Black-listed mobile devices Group and click Next.

  8. Verify your selection and click Finish.

  9. Click OK.

38.9.2.4.2 Setting up a Blacklisted Application Rule

The task of adding a Blacklisted Application Rule is broken into the following procedures. Follow them (in order) to add the application to the OAAM Blacklisted Mobile Devices group.

38.9.2.4.3 Creating a New Alert Group
  1. Log in to the OAAM Administration Console.

  2. Double-click Groups in the Navigation pane.

    The Groups Search page displays.

  3. Click New Group.

    The Create Group pop-up window opens.

  4. Complete the form as follows and click Create:

    • Group Name - Type OAAM Blacklisted mobile application used. (This is the name of the mobile application to be blacklisted.)

    • Group Type - Choose Alerts from the menu.

    • Cache Policy - Choose Full Cache from the menu.

    • Description - Type Session coming from a blacklisted mobile application.

  5. Click the Alerts tab.

  6. Click the Add member to this group button.

    The Add Alerts pop-up window opens.

  7. In the Options to add a new element section, choose Create new Alerts.

    Complete the form as follows and click Add:

    • Alert Type - Choose Fraud from the menu.

    • Alert Level - Choose Medium from the menu.

    • Alert Message - Type Session coming from a blacklisted mobile application.

    The Add Alerts window displays a message confirming that the new element was created successfully.

38.9.2.4.4 Creating a Generic Strings Group to Store Blacklisted Application Names
  1. Double-click Groups in the Navigation pane.

    The Groups Search page displays.

  2. Click New Group.

    The Create Group pop-up window opens.

  3. Complete the form as follows and click Create:

    • Group Name - Type OAAM blacklisted mobile application.

    • Group Type - Choose Generic Strings from the menu.

    • Cache Policy - Choose Full Cache from the menu.

    • Description - Type OAAM blacklisted mobile application.

  4. Click the Generic Strings tab, then click the Add member to this group button.

  5. Type the name of the app.

    The Add Generic Strings window displays a message confirming that the new element was created successfully.

    Click OK.

38.9.2.4.5 Creating a New Blacklisted Application Rule
  1. Double-click Policies in the Navigation pane.

    The Policies Search page displays.

  2. Choose Post authentication from the Checkpoint menu, then click Search.

  3. Click OAAM Post-Authentication Security.

    The OAAM Post-Authentication Security page opens.

  4. Click the Rules tab.

  5. Click the Add Rule button.

    Complete the form as follows and click Add:

    • Rule Name - Type Check for blacklisted mobile applications.

    • Rule Status - Choose Active from the menu.

    • Rule Notes - Type Check if application is in the Oaam blacklisted mobile application group.

  6. Click the Conditions tab.

  7. Click Add Conditions.

    The Add Condition pop-up window opens.

  8. Complete the form as follows and click Search:

    • Condition Name - Type Check Current Session

    • Type - Choose In Session from the menu.

  9. In the table of results, click Session: Check Current Session using the filter conditions.

    The filter condition details display.

  10. Do the following and click Save:

    1. Under Check if select Client Application.

    2. Select in as the operator.

    3. Select Group as the Target Type.

    4. Select Generic Strings as the Group Type.

    5. Select OAAM blacklisted mobile application as the Group Name.

    In English the condition reads as "Check if the Client Application is in the "OAAM blacklisted mobile application" group."

  11. Click the Results tab.

  12. Choose OAAM Block from the Action Group menu.

  13. Choose OAAM Blacklisted application used from the Alert Group menu.

  14. Click Apply.

38.9.2.5 Understanding the OAAM Sessions for Mobile Applications

The OAAM Session is a commonly used conceptual entity in OAAM rule execution. A rule can use a session attribute as input (for example, Client App Name and OAAM Device ID) and affect the status of the session at the output (that is, changing the status to "Blocked").

When OAAM is used in a non-mobile environment such as a web browser, there is a one-to-one relationship between a user authentication session (an OAM session, for example) and the OAAM session. For example, each OAAM session contains data associated with the following fields:

  • User ID

  • Client IP Address

  • OAAM Device ID and Fingerprint

  • (Auth) Status: Success, Pending, Blocked, and so on

  • Client Application Name

In a mobile application environment, different apps running on the same device used by the same user are expected to have different OAAM sessions, even in a mobile SSO scenario. For example, assume the following apps are installed on a mobile device:

  • SSO Security Agent App

  • White Pages App

  • Expense Report App

These apps are listed together as participants of the same Service Domain and they all participate in single sign-on. A user just needs to log in once using the mobile SSO agent app. This means that there will only be a single User Authentication session (that is, a single Access Manager session) shared by multiple apps on the same device. On the other hand, if the user uses all three apps simultaneously within the same Access Manager session, each mobile application will have its own OAAM session entry and three OAAM sessions will be seen in the OAAM Admin Console.

The reason to have separate OAAM sessions for each mobile application is to allow rules to take the mobile client application into account. The same rule can block sessions from some apps, while letting sessions from other apps succeed. (The Blacklisted Application Rule in Section 38.9.2.4.2 is an example of this.) A more sophisticated rule can consider multiple factors from a session; for example an Expense Report application might rate as security sensitive while a "White Pages" (directory look-up) application might rate as less sensitive. The same Risky-IP rule may block sessions from the Expense Report application but not the White Pages app, even if the sessions come from the same medium-risky IP address.

38.9.2.6 Registering Users for OAAM Authentication

OAAM provides strong authentication features, such as Knowledge-Based Authentication and One-Time Password. One-Time Password delivers a password using e-mail or a mobile text message. These features require end users to register a security profile which may contain security questions, mobile phone numbers, and e-mail addresses.

Note:

For more information, see the Administrator's Guide for Oracle Adaptive Access Manager.

The following sections contain information on setting up these authentication processes.

38.9.2.6.1 Setting up OAAM Knowledge-Based Authentication

Mobile and Social provides support for Knowledge-Based Authentication (KBA) if OAAM is installed; KBA is the default option for Strong Authentication in OAAM. Administrators do not need to perform extra configuration for KBA to work. Users should use the OAAM Managed Server Console to record their KBA questions in their User Profile registration. For more information about KBA, see the Administrator's Guide for Oracle Adaptive Access Manager.

38.9.2.6.2 Setting up OAAM One Time Password

Mobile and Social provides One Time Password (OTP) support if OAAM is installed. OTP allows end users to authenticate themselves by entering a server generated one-time-password that might be received by either SMS or e-mail. Because the one-time-password is sent out-of-band, the risk is reduced that someone other than the valid user could obtain access to it. The following sections contain more information.

38.9.2.6.3 Setting Up OTP E-Mail Integration

Mobile and Social can send e-mail in either of the following ways.

  • Using the included SMTP client.

  • Using the Oracle User Messaging Service (UMS).

This section contains a procedure for each of these integrations. Choose either Setting Up SMTP for E-mail or Setting Up UMS for E-mail to begin.

Note:

Configure either SMTP or UMS. Do not configure both.

After configuring the SMTP or UMS attribute values, enable the Challenge Types on the OAAM server as documented in this section's third procedure, Enable "Challenge Types" on the OAAM Server for E-mail.

Setting Up SMTP for E-mail

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar.

  3. In the Attributes section provide values for the following attribute names and click Apply.

    mail.smtp.host - The SMTP server host.

    mail.smtp.port - The SMTP server port.

    mail.smtp.security.type - The SMTP security type. Either SSL or TLS.

    mail.smtp.user - The user name to log on to the SMTP server.

    mail.smtp.fromadd - The Mobile and Social "From" address, for example: mobileadmin@example.com

    mail.smtp.password - The password for the mail.smtp.user account.

    mail.smtp.truststore.location - The file name with the location of the trust store to be used to validate the server identity.

    mail.smtp.keystore.location - The file name of the key store containing the client certificate.

    mail.smtp.keystore.password - The key store password.

    mail.smtp.truststore.password - The trust store password.

  4. Complete the steps in Enable "Challenge Types" on the OAAM Server for E-mail.

Setting Up UMS for E-mail

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar.

  3. In the Attributes section provide values for the following attribute names and click Apply.

    ums.service.uri - The UMS server Web service URL, for example:

    http://<UMS Server URL>:<UMS Port>/ucs/messaging/webservice

    ums.username - The user name for the UMS server.

    ums.password - The password for the UMS server.

    ums.from.address - The Mobile and Social "From" address, for example: mobileadmin@example.com

    ums.from.name - The Mobile and Social "From" name.

    ums.email.enabled - Set to true.

  4. Complete the steps in Enable "Challenge Types" on the OAAM Server for E-mail.

Enable "Challenge Types" on the OAAM Server for E-mail

  1. Log in to the OAAM Administration Console.

  2. Choose Environment > Properties in the Navigation pane and double-click Properties.

    The Properties Search page displays.

  3. In the Search box, type bharosa.uio.default.register.userinfo.enabled in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

  4. In the Search box, type bharosa.uio.default.userinfo.inputs.enum.email.enabled in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

  5. In the Search box, type bharosa.uio.default.challenge.type.enum.ChallengeEmail.available in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

38.9.2.6.4 Setting Up OTP Integration for SMS Messages

Mobile and Social sends SMS messages using the Oracle UMS. Complete Setting Up SMS Using UMS and then Enable "Challenge Types" on the OAAM Server for SMS.

Setting Up SMS Using UMS

  1. Open the Mobile Services Home Page in the Oracle Access Management Console as described in Section 38.1, "Navigating the Mobile Services Graphical User Interface."

  2. In the Security Handler Plugins section on the right side of the screen, click OaamSecurityHandlerPlugin and click Edit in the tool bar.

  3. In the Attributes section provide values for the following attribute names and click Apply.

    ums.service.uri - The UMS server Web service URL, for example:

    http://<UMS Server URL>:<UMS Port>/ucs/messaging/webservice

    ums.username - The user name for the UMS server.

    ums.password - The password for the UMS server.

    ums.from.address - The Mobile and Social "From" address, for example: mobileadmin@example.com

    ums.from.name - The Mobile and Social "From" name.

    ums.email.enabled - Set to true.

  4. Complete the steps in the Enable "Challenge Types" on the OAAM Server for SMS.

Enable "Challenge Types" on the OAAM Server for SMS

  1. Log in to the OAAM Administration Console.

  2. Choose Environment > Properties in the Navigation pane and double-click Properties.

    The Properties Search page displays.

  3. In the Search box, type bharosa.uio.default.register.userinfo.enabled in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

  4. In the Search box, type bharosa.uio.default.challenge.type.enum.ChallengeSMS.available in the Name field and click Search.

    Click to select the record in the Search Results section, change the value to true, and click Save.

38.9.2.6.5 Changing the OAAM Challenge Policy Trigger Combination

OAAM evaluates the Challenge policy when an event triggers the Challenge action. If KBA is active for a User, the system challenges the User with questions from the OAAM Challenge Question Action Group. If the User fails the OAAM challenge questions three times, the system starts the OAAM SMS Challenge Action group.

You can reorder the Action Group using OAAM Challenge Policy trigger combinations. So other Challenge Action Groups, such as the OAAM Challenge E-Mail group or the OAAM Challenge SMS group, will take precedence over the OAAM Challenge question. The following procedure documents how to change the OAAM Challenge Policy Trigger Combination.

  1. Log in to the OAAM Administration Console.

  2. Double-click Policies in the Navigation pane.

    The Policies Search page displays.

  3. Choose Challenge from the Checkpoint menu, then click Search.

  4. Click to select OAAM Challenge Policy in the Search Results table.

  5. Click the Trigger Combinations tab.

  6. Click Reorder.

    The Reorder Trigger Combinations pop-up window opens.

  7. Use the controls to move trigger combinations to higher or lower positions.