The following components are needed for the integration:
For the latest support information, see the Oracle Technology Network (OTN). You must register with OTN to view this information.
The certification matrix provides platform and version support for this integration, which includes RSA Authentication Manager v7.x and the SecurID Authentication API:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
The following RSA components are required for integrating Access Manager and SecurID Authentication.
Residing somewhere in your network are records of users, agents, tokens, and users' PINs. Portions of these records might reside in the Authentication Manager or in LDAP directories.
During authentication, Authentication Manager compares these records to the information it receives when a user attempts to access the network. If the records and tokencode or passcode match, the user is granted access.
An RSA SecurID token is either a hardware device or software-based security token that generates and displays a random number that enables users to securely access protected resources.
The random number is called a tokencode. Before a user can authenticate with a token, the token must be recognized by Authentication Manager. RSA, or your vendor, ships a token seed file that you must import into the data store. Seeds listed in this file are assigned to tokens for generating the tokencode when an authentication request is received from an Authentication Manager agent.
During the SecurID authentication process, users must submit their username and passcode using an HTML form. The RSA Authentication Manager authenticates the identity of each user through a server that is registered with the Authentication Manager as a client (RSA Authentication Agent). One Access Server (known as the Oracle SecurID Access Server to distinguish it from other Access Servers) must be registered and set up as a client/Agent.
The RSA Authentication Manager compares the tokencode it has generated with the tokencode the user has entered. Tokencodes change at a specified interval, typically 60 seconds. Time synchronization ensures that the tokencode displayed on a user's token is the same code the Authentication Manager software has generated for that moment. Authentication is successful when the tokencodes match. Two-factor authentication provides stronger legal evidence of who performed the task. When properly configured, the Authentication Manager tracks all login requests and operations to reliably identify the user who is responsible for each logged action.
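The comparison described above, modelled in Python as an added example (not code from Oracle or RSA): the Authentication Manager side regenerates the tokencode for the current 60-second interval from the user's token seed, prepends the user's PIN, and compares the result with the submitted passcode, tolerating one interval of clock skew. HMAC-SHA256 stands in for RSA's proprietary tokencode algorithm, and the seed, PIN and user name are constructed values.

```python
import hashlib
import hmac

TOKEN_INTERVAL = 60  # seconds; the interval at which tokencodes change (typically 60 s)
TOKENCODE_DIGITS = 6

# Constructed token seed records, standing in for the seed file imported into the
# Authentication Manager data store (hypothetical serial number and seed value).
TOKEN_SEEDS = {
    "000123456789": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}

# Constructed user records: the token assigned to each user and the user's PIN.
USERS = {
    "jdoe": {"token": "000123456789", "pin": "4821"},
}


def tokencode(seed: bytes, t: int) -> str:
    """Tokencode for the interval containing Unix time t.

    HMAC-SHA256 over the interval number is an assumption made for
    illustration; it is not RSA's proprietary SecurID algorithm.
    """
    interval = (t // TOKEN_INTERVAL).to_bytes(8, "big")
    mac = hmac.new(seed, interval, hashlib.sha256).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10 ** TOKENCODE_DIGITS).zfill(TOKENCODE_DIGITS)


def verify_passcode(username: str, passcode: str, now: int, drift_intervals: int = 1) -> bool:
    """Check a submitted passcode (PIN followed by tokencode) for a user.

    The server regenerates the expected passcode for the current interval and,
    to tolerate small clock skew between token and server, for the adjacent
    intervals. Larger skew fails, which is why correct system time matters.
    """
    user = USERS.get(username)
    if user is None or not passcode.isascii():
        return False
    seed = TOKEN_SEEDS[user["token"]]
    for offset in range(-drift_intervals, drift_intervals + 1):
        expected = user["pin"] + tokencode(seed, now + offset * TOKEN_INTERVAL)
        # Compare the whole passcode in constant time so neither the PIN nor
        # the tokencode leaks through timing differences.
        if hmac.compare_digest(expected, passcode):
            return True
    return False
```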
Every OAM Server must be registered as an RSA Authentication Agent host on the Authentication Manager, according to the following guidelines:
Only one designated OAM SecurID Server can complete SecurID authentication. However, every OAM Server must be registered as an RSA Authentication Agent Host on the Authentication Manager.
Enable the OAM SecurID Server to be recognized as an Authentication Manager client.
Port 5500 (UDP) should be available for the Authentication Manager to communicate with authentication agents (the OAM SecurID Server). This service receives authentication requests from the Oracle SecurID Server and sends replies. For more details, refer to your RSA Authentication Manager documentation.
Manage authentication requests from the client to the Authentication Manager.
Enforce two-factor authentication and block unauthorized access.
Provide automatic load balancing by detecting replica Authentication Manager response times and routing authentication requests accordingly.
Ensure that the system time on the client is correct to prevent the server and client from being out of sync.
Failover is not supported for Access Manager.
The SecurID Authentication Manager must be installed on a supported platform.
The system time must be correct to prevent the server and client from being out of sync.
The SecurID tokens or key fobs must be provisioned with the Authentication Manager by providing it with the token seed records.
Each user name must be mappable through an LDAP filter to a Distinguished Name in the directory.
An Authentication Manager slave and/or replicated Authentication Manager can provide failover if the primary Authentication Manager is down.
$ORACLE_HOME/oam/server/tools/customLoginHtml
See Also:
Developing Custom Login Pages in the Oracle Fusion Middleware Developer's Guide for Oracle Access Management