Oracle® Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager
11g Release 1 (11.1.1)
Part Number E15480-08
Oracle Adaptive Access Manager provides a variety of mechanisms for integrating with custom applications and custom development.
The Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager provides information to help developers integrate and customize Oracle Adaptive Access Manager, migrate 10g native applications, and manage configuration changes in integrated deployments of Oracle Adaptive Access Manager.
Information in this book is grouped into the following main parts to help developers quickly locate information:
Part I - Native integration
Part II - Universal Installation Option Proxy
Part III - Customization and extensions
Part IV - Oracle Adaptive Access Manager, Oracle Access Manager, and Oracle Identity Manager integration
Part V - Migration and lifecycle management
Part VI - Custom development
Part VII - Troubleshooting tips/FAQ
Detailed information about Oracle Adaptive Access Manager integration with Oracle Identity Manager and Oracle Access Manager is not covered in this guide. Refer to the Oracle Fusion Middleware Integration Guide for Oracle Access Manager for in-depth conceptual and procedural information.
Applications can integrate natively with Oracle Adaptive Access Manager using APIs. Oracle Adaptive Access Manager provides APIs to fingerprint devices, collect authentication and transaction logs, run security and business rules, challenge the user to provide correct answers to pre-registered questions, and generate authentication pads such as KeyPad, TextPad, or QuestionPad.
Part I contains information about APIs used to integrate Oracle Adaptive Access Manager.
Native Integration Guidelines
An introduction to integrating a client application with Oracle Adaptive Access Manager is presented in Chapter 2, "Natively Integrating with Oracle Adaptive Access Manager." In native integration, the application invokes Oracle Adaptive Access Manager directly and the application itself manages the authentication and challenge flows.
A Web application can communicate with Oracle Adaptive Access Manager using the OAAM Native Client API or through Web Services.
For information on these integrations, see Chapter 3, "Integrating Native .NET Applications," and Chapter 4, "Integrating Native Java Applications."
The native integrations include APIs that are wrappers of the SOAP API published by OAAM and written in the client's native application language.
The In-Proc integration is an option available only for integrations that use the Java language. In this integration, there are no SOAP calls to OAAM; instead, the API implementation runs within the client application itself.
For information on the In-Proc integration, see Chapter 4, "Integrating Native Java Applications."
Oracle Adaptive Access Manager's Native OTP API offers a way to add another factor to a traditional user name/password authentication scheme.
For information on OTP integration, see Chapter 5, "Native API for OTP Challenge."
Oracle Adaptive Access Manager's Universal Installation Option (UIO) reverse proxy deployment option offers login risk-based multifactor authentication to Web applications without requiring any change to the application code.
Part II contains configuration instructions and guidelines for the reverse proxy deployment option in the following chapter:
Part III provides instructions and reference material for customizing and extending the following features of Oracle Adaptive Access Manager:
Customizing Oracle Adaptive Access Manager
Oracle Adaptive Access Manager can be customized by adding custom jars and files to the Oracle Adaptive Access Manager Extensions Shared Library.
For information on using the extensions shared library for customization of Oracle Adaptive Access Manager, see Chapter 7, "OAAM Extensions and Shared Library to Customize OAAM."
Customizing the OAAM Server
The user interface provided by the OAAM Server Web application can be easily customized to achieve the look and feel of the customer applications. You can configure OAAM Server to support one or more Web application authentication and user registration flows.
For information on the customization of OAAM Server, see Chapter 8, "Customizing the OAAM Server."
Customizing User Flow
OAAM supports the customization of user flow. For information, refer to Chapter 9, "Customizing User Flow and Layout."
Virtual Authentication Devices
Oracle Adaptive Access Manager includes unique functionality to protect end users while they interact with a protected web application. The virtual authentication devices harden the process of entering and transmitting authentication credentials and provide end users with verification that they are authenticating on the valid application.
Each virtual authentication device (VAD) has its own unique set of security features that make it much more than a mere image on a web page.
For information on the customization of virtual authentication devices, see Chapter 10, "Using Virtual Authentication Devices."
Oracle Adaptive Access Manager 11g provides the framework to support One Time Password (OTP) authentication with Oracle User Messaging Service (UMS) as a method of delivery out of the box.
For instructions to configure OTP to leverage UMS as a method of delivery, refer to Chapter 11, "Implementing OTP Anywhere."
Oracle Adaptive Access Manager provides Configurable Actions, a feature which allows users to create new supplementary actions that are triggered based on the result action and/or based on the risk scoring after a checkpoint execution.
Chapter 12, "Configurable Actions" describes how to integrate a Configurable Action with the Oracle Adaptive Access Manager software.
Device registration is a feature that allows a user to flag the computer he is using as a safe device. Instructions to enable the feature are provided in Chapter 13, "Device Registration."
For most typical deployments, the out-of-the-box device identification satisfies client requirements. Out-of-the-box device identification uses data from the browser and the OAAM flash movie. The following are the typical scenarios in which you could consider extending device identification:
The OAAM flash movie cannot be used to obtain client details because the client-side browser does not support Flash (for example: iPhone, iPad, and so on)
There is a need to extract stronger device identification data from the client using a non-Flash plug-in that can run inside the browser
For information on how to extend device identification in a typical deployment, refer to Chapter 14, "Extending Device Identification."
Oracle Adaptive Access Manager uses device fingerprinting along with many other types of data to determine the risk associated with a specific access request. Outlines of calls needed to perform the flash fingerprinting are presented in Chapter 15, "Flash Fingerprinting."
Benefits of the Oracle Access Manager-Oracle Adaptive Access Manager-Oracle Identity Manager integration are presented in Chapter 16, "Access and Password Management Integration."
Because Oracle Adaptive Access Manager is deployed in integration with other applications, migration or configuration changes in those applications might require changes in Oracle Adaptive Access Manager.
For the steps involved in migrating an existing natively integrated 10.1.4.5 application that is currently using SOAP authentication to 11g, refer to Chapter 17, "Migrating Native Applications to OAAM 11g."
For examples for handling lifecycle configuration changes, refer to Chapter 18, "Handling Lifecycle Management Changes."
Custom development instructions are in the following chapters:
Chapter 23, "FAQ/Troubleshooting" provides troubleshooting tips and answers to frequently asked questions.