56.3 Components Required for SecurID Authentication

The following components are needed for the integration:

56.3.1 Supported Versions and Platforms

For the latest support information, see the Oracle Technology Network (OTN). You must register with OTN to view this information.

The certification matrix provides platform and version support for this integration, which includes RSA Authentication Manager v7.x and the SecurID Authentication API:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

56.3.2 Required RSA Components

The following RSA components are required for integrating Access Manager and SecurID Authentication.

56.3.2.1 RSA Authentication Manager

Residing somewhere in your network are records of users, agents, tokens, and users' PINs. Portions of these records might reside in the Authentication Manager or in LDAP directories.

During authentication, Authentication Manager compares these records to the information it receives when a user attempts to access the network. If the records and tokencode or passcode match, the user is granted access.

56.3.2.2 RSA SecurID Tokens

An RSA SecurID token is either a hardware device or software-based security token that generates and displays a random number that enables users to securely access protected resources.

The random number is called a tokencode. Before a user can authenticate with a token, the token must be recognized by Authentication Manager. RSA, or your vendor, ships a token seed file that you must import into the data store. Seeds listed in this file are assigned to tokens for generating the tokencode when an authentication request is received from an Authentication Manager agent.

During the SecurID authentication process, users must submit their username and passcode using an HTML form. The RSA Authentication Manager authenticates the identity of each user through a server that is registered with the Authentication Manager as a client (RSA Authentication Agent). One Access Server (known as the Oracle SecurID Access Server to distinguish it from other Access Servers) must be registered and set up as a client/Agent.

The RSA Authentication Manager compares the tokencode it has generated with the tokencode the user has entered. Tokencodes change at a specified interval, typically 60 seconds. Time synchronization ensures that the tokencode displayed on a user's token is the same code the Authentication Manager software has generated for that moment. Authentication is successful when the tokencodes match. Two-factor authentication provides stronger legal evidence of who performed the task. When properly configured, the Authentication Manager tracks all login requests and operations to reliably identify the user who is responsible for each logged action.
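The comparison described above, as an added example that is not Oracle's or RSA's code: RSA's actual SecurID tokencode algorithm is proprietary, so this illustrative stand-in derives a 6-digit code with HMAC-SHA256 over a constructed seed and the 60-second time step. It shows what the text describes: the verifier recomputes the code for "that moment", compares it in constant time, and tolerates only a small, bounded amount of clock drift between the token and the Authentication Manager, which is why the system time on both sides must be correct. The seed value, the drift window and the HOTP-style truncation are assumptions for the example.

```python
import hashlib
import hmac
import struct

TOKEN_INTERVAL_SECONDS = 60   # tokencodes change at a fixed interval, typically 60 seconds
TOKEN_DIGITS = 6
DRIFT_WINDOW_STEPS = 1        # assumption: accept one step either side of server time

# Constructed sample seed; real seeds come from the vendor's token seed file.
SAMPLE_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")


def tokencode(seed: bytes, unix_time: int,
              interval: int = TOKEN_INTERVAL_SECONDS,
              digits: int = TOKEN_DIGITS) -> str:
    """Code displayed by the token for the time step containing `unix_time`.

    Illustrative derivation only (HMAC over the step counter with HOTP-style
    dynamic truncation, RFC 4226 section 5.3); not RSA's algorithm.
    """
    step = unix_time // interval
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_tokencode(seed: bytes, submitted: str, server_time: int,
                     window: int = DRIFT_WINDOW_STEPS) -> bool:
    """Server-side check: does `submitted` match the code the server computes
    for its current step, or a step within +/- `window` of it?

    A token whose clock has drifted further than the window produces a code
    the server never computes, so the match fails.
    """
    if len(submitted) != TOKEN_DIGITS or not submitted.isdigit():
        return False
    for delta in range(-window, window + 1):
        expected = tokencode(seed, server_time + delta * TOKEN_INTERVAL_SECONDS)
        # Constant-time comparison so the check does not leak matching digits.
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000
    code = tokencode(SAMPLE_SEED, now)
    print("token shows", code)
    print("server in sync:", verify_tokencode(SAMPLE_SEED, code, now))
    print("server 2 minutes ahead:", verify_tokencode(SAMPLE_SEED, code, now + 120))
```

The window is deliberately narrow: every extra step of tolerance multiplies the number of codes the server will accept for a given moment, so clock synchronization rather than a wide window is the intended remedy for drift.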

56.3.3 Installation and Configuration Requirements

SecurID requires affinity between the OAM Server and the RSA Authentication Manager for each user interaction. Therefore, the authentication dialog between the user and the OAM Server must be sticky (this constraint is a security feature of SecurID authentication). In a cluster environment, if a load balancer is used to route requests to multiple managed servers, ensure that stickiness is set between the load balancer and the OAM Server. The SecurID Authentication API is bundled with Access Manager and installed on all OAM Servers. The SecurID Authentication API provides the connection functionality that eliminates the need for an Authentication Agent to be installed on the OAM Server. In other words, the API is the agent.

Every OAM Server must be registered as an RSA Authentication Agent host on the Authentication Manager, in accordance with the following guidelines:

  • Only one designated OAM SecurID Server can complete SecurID authentication. However, every OAM Server must be registered as an RSA Authentication Agent Host on the Authentication Manager.

  • Enable the OAM SecurID Server to be recognized as an Authentication Manager client.

  • Port 5500 (UDP) should be available for the Authentication Manager to communicate with authentication agents (the OAM SecurID Server). This service receives authentication requests from the Oracle SecurID Server and sends replies. For more details, refer to your RSA Authentication Manager documentation.

  • Manage authentication requests from the client to the Authentication Manager.

  • Enforce two-factor authentication and block unauthorized access.

  • Provide automatic load balancing by detecting replica Authentication Manager response times and routing authentication requests accordingly.

  • Ensure that the system time on the client is correct to prevent the server and client from being out of sync.

  • Failover is not supported for Access Manager.

  • The SecurID Authentication Manager must be installed on a supported platform.

  • The system time must be correct to prevent the server and client from being out of sync.

  • The SecurID tokens or key fobs must be provisioned with the Authentication Manager by providing it with the token seed records.

  • Each user name must be mappable through an LDAP filter to a Distinguished Name in the directory.

  • An Authentication Manager slave and/or replicated Authentication Manager can provide failover if the primary Authentication Manager is down.

  • This integration requires a custom HTML login form and a properties file. Sample Oracle-provided custom HTML and custom HTML properties files can be found in:
    $ORACLE_HOME/oam/server/tools/customLoginHtml
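The guideline above that each user name must be mappable through an LDAP filter to a single Distinguished Name, as an added example that is not Oracle's code: the submitted user name is escaped per RFC 4515 before it is placed in the search filter, so a value containing `*`, `(` or `)` cannot widen the search or add clauses, and the result set is accepted only when it contains exactly one entry. The filter template, the `uid` attribute and the sample DNs are assumptions; in a deployment the filter is sent to the directory server and `resolve_dn` is applied to what it returns.

```python
from typing import Optional, Sequence

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str, attribute: str = "uid") -> str:
    """Build the filter that looks up the user's directory entry.

    `attribute` and the objectClass are assumptions for the example; the
    escaping is what keeps the user name from changing the filter's shape.
    """
    return f"(&(objectClass=person)({attribute}={escape_filter_value(username)}))"


def resolve_dn(search_results: Sequence[str]) -> Optional[str]:
    """Return the DN only when the search matched exactly one entry.

    Zero matches means the user is unknown; more than one means the user name
    is not mappable to a single DN, and neither case should proceed.
    """
    if len(search_results) != 1:
        return None
    return search_results[0]


if __name__ == "__main__":
    # Constructed sample results, standing in for the directory server's reply.
    print(user_filter("alice"))
    print(user_filter("a*"))          # wildcard is neutralised: (uid=a\2a)
    print(resolve_dn(["uid=alice,ou=People,dc=example,dc=com"]))
    print(resolve_dn(["uid=a1,ou=People,dc=example,dc=com",
                      "uid=a2,ou=People,dc=example,dc=com"]))  # None: ambiguous
```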
    

    See Also: