53.3 Configuring OAuth Services Settings

OAuth Services has many components that must be configured before the authorization protocol can be used.

Descriptions of the OAuth Services components and how they work together can be found in Understanding the OAuth Services Components. This section includes information on configuring the OAuth Services components using the Oracle Access Management Console only. It contains the following topics:

53.3.1 Configuring Identity Domains

See Configuring OAuth Services Components in an Identity Domain for introductory information about Identity Domains. The following section describes how to use the user interface to configure an Identity Domain. It includes the following topics:

53.3.1.1 Creating an Identity Domain

You can create an Identity Domain in a single step or by using a wizard flow.

To create an Identity Domain:

  1. Access the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain.
  2. Choose one of the following:
    • To quickly create an Identity Domain with only basic information, click Create using single step (leftmost + button in the toolbar).

      The Identity Domain Configuration page opens.

      Complete the form and click Create to save your changes. You will need to provide additional configuration detail later.

    • To create an Identity Domain and configure essential Service Profile settings, click Create using wizard flow (rightmost + button in the toolbar).

      The Create OAuth Identity Domain wizard flow page opens.

      Click Back and Next to move backward and forward through the wizard flow. Click Finish to save your changes.

53.3.1.2 Editing or Deleting an OAuth Identity Domain

You can view, edit, and delete an OAuth Identity Domain.

To edit an OAuth Identity Domain:

  1. Open the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain.
    • To view or edit an Identity Domain, click its name in the table.

    • To delete an Identity Domain, select it by clicking the column to the left of the domain name and then click the delete button in the command bar.

53.3.1.3 Identity Domain Configuration Page - Summary Tab

When you view an existing identity domain or create a new one, the Identity Domain Configuration Summary tab displays form fields such as Identity Domain, Identity Domain UUID, and Allow Multiple Resource Servers.

This section describes the form fields on the Identity Domain Configuration Summary tab when viewing an existing identity domain or creating a new one.

Identity Domain - The name of the identity domain. If creating or editing an identity domain, type a unique name without spaces.

Description - (Optional) A short description to help you or another administrator identify this identity domain in the future.

Identity Domain UUID - The identification code that uniquely identifies this identity domain on the Internet. Click Generate to populate this field with a universal unique identifier code.

Allow Multiple Resource Servers - Select this option if the identity domain supports more than one resource server.

Note:

Selecting multiple resources requires that scopes are prefixed with the Resource Server name. For example, if you add PhotoService as a Resource Server, the scopes must be prefixed with PhotoService. This is done automatically while adding scopes in the Resource Server. The prefix can be changed to something different but unique.

The fields listed below appear on the Create Identity Domain page.

Service Profile

(Service Profile) Name - The name of the identity domain's service profile. Each identity domain requires at least one service profile. See Service Profiles - Identity Federation and OAuth Services for more information.

(Service Profile) Endpoint - The URL where the OAuth authorization service for this identity domain responds to authorization requests.

User Profile Service

(User Profile Service) Name - The name of the identity domain's user profile service. A user profile service is created automatically for each identity domain. See Resource Servers - Identity Federation and OAuth Services for more information.

(User Profile Service) Endpoint - The URL where the User Profile Service receives and responds to create, read, update, and delete requests.

Consent Management Service

(Consent Management Service) Name - The name of the identity domain's consent management service. Each identity domain must have a consent management service, which stores and retrieves consent records, and performs consent validation and consent revocation operations. See Plug-Ins - Identity Federation and OAuth Services for more information.

(Consent Management Service) Endpoint - The URL where the Consent Management Service receives and responds to client and resource owner service requests.

53.3.1.4 Create Identity Domain Wizard Flow Page

Review the form fields on the Create OAuth Identity Domain wizard flow page before running the wizard flow.

Refer to the following sections for details on the form fields available in the Create OAuth Identity Domain wizard flow page:

53.3.2 Configuring Service Profiles

You can configure a service profile using the user interface.

See Service Profiles - Identity Federation and OAuth Services for introductory information about Service Profiles. The following section describes how to use the user interface to configure a Service Profile. It includes the following topics:

53.3.2.1 Creating a Service Profile

You can create a service profile from the Service Profiles tab.

  1. Access the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it.
  2. Select the Service Profiles tab.
  3. Click Create to complete the wizard.

53.3.2.2 Editing or Deleting a Service Profile

You can edit or delete a service profile from the Service Profile tab.

  1. Open the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click an identity domain to open it for editing.
  2. Click the Service Profiles tab.
  3. Do the following:
    • To edit a service profile, click its name in the table.

    • To delete a service profile, select it by clicking the box to the left of the name and then click the delete button in the command bar.

53.3.2.3 Service Profile Configuration Page

Identity Domain - The name of the identity domain to which this service profile applies. (Read-only)

Name - The name of this service profile.

Description - (Optional) A short description to help you or another administrator identify this service profile in the future.

Service Enabled - Select to activate the service profile, or clear the option box to inactivate it.

Service Provider - The name of the OAuth Service Provider that corresponds with this OAuth Service Profile.

Service Endpoint - The URL where the OAuth authorization service responds to authorization requests.

User Store

User Authenticator - For user authentication, choose OAM to use the Oracle Access Management token provider, or choose IDS to use the Identity Directory Service token provider. Only choose IDS authentication if the OAM token is not used at all (for example, if only the JWT token is used). If both OAM and JWT tokens are used, choose OAM authentication to avoid duplicated authentication attempts sent by both IDS and OAM.

Identity Store Name - The name of the identity store when IDS is configured as the user authenticator.

User Profile Service

(User Profile Service) Name - The name of the identity domain's user profile service. A user profile service is created automatically for each identity domain. See User Profile Services for more information.

(User Profile Service) Endpoint - The URL where the User Profile Service receives and responds to create, read, update, and delete requests.

Consent Management Service

(Consent Management Service) Name - The name of the identity domain's consent management service. Each identity domain must have a consent management service, which stores and retrieves consent records, and performs consent validation and consent revocation operations. See Consent Management Services for more information.

(Consent Management Service) Endpoint - The URL where the Consent Management Service receives and responds to client and resource owner service requests.

Plug-Ins

Choose available plug-ins from the menus in the following categories. See Plug-Ins - Identity Federation and OAuth Services for more information.

Adaptive Access - Runs Oracle Adaptive Access Manager (OAAM) fraud detection and risk analysis policy checks, enhancing authenticity and the trust level of a user.

Mobile Security Manager - Gathers mobile device data from the Mobile Security Manager (MSM) component (part of Oracle Mobile Security Suite) and sends it, as well as the MSM compliance status, to the Adaptive Access Plug-in for stronger authentication checks and risk evaluation.

Custom Token Attributes - Defines security policy around the token service provider. See OAuth Services Access Tokens for more information.

Client - Delegates the following to an external security module: confidential client authentication, client authorization, and client profile reading.

Resource Server Profile - Delegates the following to an external security module: confidential resource server authentication, resource server authorization, and resource server profile reading.

Authorization & Consent Service - Defines security policy around interactions where authorization and user consent are granted. This plug-in can influence claims in a generated token as well.

Attributes

Add or delete service profile attributes and their values to further configure the OAuth service profile.

For JWT token generation and validation, configure the following parameters:

  • jwt.cert.alias

  • jwt.trusted.issuer.size

  • jwt.trusted.issuer.1

  • jwt.trusted.issuer.2

Table 53-1 OAuth Service Profile Configuration Attributes

Each entry lists the attribute name, the value shown in the table (if any), and notes.

jwt.cert.alias - Value: not specified. Private key alias name for the signing certificate in the keystore. The default alias is used if this attribute is not specified.

jwt.CryptoScheme - Value: RS512. The cryptographic algorithm used to sign the contents of the JWT token. The default value is RS512 (RSA encryption using the SHA-512 hash algorithm).

jwt.issuer - Value: www.oracle.example.com. The issuer of the tokens (that is, the iss claim value in the JWT token generated by OAuth Services). The default value, www.example.oracle.com, needs to be changed in the deployment.

jwt.trusted.issuer.size - Value: 2. The number of trusted issuers. The value can be any number of trusted issuers. For example, if the number is 2, the following two matching parameters need to be specified.

jwt.trusted.issuer.1 - Value: not specified. The alias name for the public key of the first trusted issuer in the key store. See jwt.trusted.issuer.size for details.

jwt.trusted.issuer.2 - Value: not specified. The alias name for the public key of the second trusted issuer in the key store. See jwt.trusted.issuer.size for details.

createdByDefault - Value: true. If set to true, the current OAuth Services profile is created automatically as part of domain creation. Otherwise, it is created manually.

clientPWDValidation - Value: false. If set to true, a client ID and secret (password) can be used as credentials to interact with OAuth Services for token validation and termination requests. If set to false, only a JWT/SAML client assertion can be used as client credentials for those requests.

tokenTenantClaimName - Value: user.tenant.name. The tenant claim name in the tokens issued by OAuth Services. By default this is set using the identity domain name.

oauthServerSelfClientId - Value: to be specified. By default this is set to the value of the jwt.issuer attribute. This attribute is used when OAuth Services generates a client assertion for itself when interacting with other services (service-to-service interactions).

oauthServerSelfCTValidityInSec - Value: to be specified, in seconds. The default value is 300 seconds. This attribute is related to oauthServerSelfClientId (that is, it is the validity period of the OAuth Services own client assertion).

msAlwaysShowLogin - Value: true or false. This attribute applies to mobile clients using the JWT SSO authentication mechanism. It is used with 2-legged flows only. (For 3-legged flows, the browser manages the session.)

  • true - The user must authenticate for each app registration. (Mobile apps are not registered using the server-side JWT user token.) OAuth Services shows a login page for the user to submit credentials.

  • false - Mobile apps are registered using the server-side JWT user token.

The default is true. If this attribute is not defined in the service profile, the server does not allow mobile apps to use the server-side user token to register without a user name and password. For more information see Understanding Server-Side SSO For Mobile OAuth Services 2-Legged Flows.

Mobile Service Settings

Supported Platforms - Choose iOS, Android, and/or Others:

  • iOS - The authorization server accepts requests from iOS clients if selected.

  • Android - The authorization server accepts requests from Android clients if selected.

  • Others - The authorization server accepts requests from clients other than iOS or Android if selected.

iOS Security Level - Choose Advanced or Standard:

  • Advanced - All client registrations and token acquisitions are done using both push notification and HTTP(S).

  • Standard - All client registrations and token acquisitions are done using HTTP(S).

Android Security Level - Choose Advanced or Standard:

  • Advanced - All client registrations and token acquisitions are done using both push notification and HTTP(S).

  • Standard - All client registrations and token acquisitions are done using HTTP(S).

Android Sender ID - Enter the GCM sender ID that is required for Android push notification.

Android API Key - Enter the API key required for Android push notification.

Consent Service Protection - Authorization requests are routed to the consent service, which requires the user to log in and give consent. Select OAM or Third-Party Access Management, JWT Authentication, or Social Authentication.

  • OAM or Third-Party Access Management - Use either Oracle Access Management or a third-party option for consent page protection.

  • JWT Authentication - Use the OAuth server itself for consent page protection. If using the OAuth server for consent page protection, the authentication flow is determined by the User Store setting.

  • Social Authentication - Use the Social Identity service for consent page protection.

Require User Consent for Client Registration - Select this option to require the user to give authorization before registering each Mobile OAuth application installation instance on a mobile device.

Enable Server-Side Single Sign-On - Determines whether the server provides single sign-on among multiple apps on the same device or whether that is the client's responsibility. Single sign-on is achieved either by storing a JWT user token or an OAM user token in the Server-Side Device Store, or by returning the user token to the client to manage. Server-side SSO applies to 2-legged Mobile OAuth flows only. If this option is selected, after registering the first app the server stores the user token and does not return it to the mobile device. If this option is not selected, the tokens are sent to the mobile device and are not stored in the Server Device Store. For more information, see Understanding Mobile OAuth Services Server-Side Single Sign-on.

Preferred Hardware IDs - Use the list to prioritize the hardware ID attributes that should be used to uniquely identify mobile devices. The first available hardware ID from the list will be used.

Mobile Client Attributes - Add or delete mobile client attributes and their values as needed if the server requires additional attributes.

Configuration Settings

Clients

Allow access to all clients - Select if all clients in the identity domain should use this service profile. Clear this option to select which clients will be able to access the service profile.

Client Table - Add to the table the clients that should be able to access the service profile. Click Browse Clients, then select the clients to add to the table. To assign a client to a different service profile, click the box to the left of the client name and click Remove.

Tokens (Token Settings)

Use this tab to configure token settings, as well as settings for custom attributes that OAuth Services should embed in access tokens.

Tokens

  • Token Name - The name of the token.

  • Expires - The length of time in minutes after which the token is no longer valid.

  • Refresh Token Enabled - Select this option to allow a refresh token to be used. A refresh token cannot be used with a client verification code or an authorization code. See About OAuth Services Tokens for more information.

  • Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid.

  • Life Cycle Enabled - Select this option if OAuth Services should cache a token and save it in the database until the token expires.

Custom Attributes

Use this section to define custom attributes that OAuth Services embeds in the access tokens. See OAuth Services Access Tokens for more information about custom attributes.

  • Static Attributes - Attribute name and value pairs where the value is fixed at the time that you define the attribute. For example, name1=value1.

  • Dynamic Attributes - User-profile specific attributes.

Resource Servers (Custom Resource Servers)

Use this tab to choose which custom resource servers clients should have access to. A custom resource server is any resource server other than the User Profile and Consent Management resource servers that are included with OAuth Services.

Allow clients access to all resource servers - Select to allow clients to access all resource servers configured in the identity domain. Clear this option to select which resource servers clients will be able to access.

Available Servers / Selected Servers - Use the arrows to move the resource servers that clients should be able to access from the Available Servers box to the Selected Servers box. (This option is only available if the Allow clients access to all resource servers option is not selected.)

System Resource Servers

Use this tab to configure if clients should have access to the user profile service and/or consent management service.

User Profile Services - Use the arrows to move the user profile server that clients should be able to access from the Available Servers box to the Selected Servers box. Services listed in the Selected Servers box are active services.

Consent Management Services - Use the arrows to move the consent management server that clients should be able to access from the Available Servers box to the Selected Servers box. Services listed in the Selected Servers box are active services.

Trusted Issuers

Use this tab to add certificate issuers who can be used to validate tokens. Click Add to add a record to the table; select a row and click Remove to delete a record from the table.

Certificate Alias - The alias name.

Trusted Issuer - The name of the trusted certificate issuer.

Certificate Thumb Print - x5t - The base64url encoded digest of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign certificates.

Key identifier - kid - The key ID value that indicates which key is used to secure certificates.
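Table 53-1 describes the signing scheme (jwt.CryptoScheme), the issuer written into the iss claim (jwt.issuer) and the key aliases of trusted issuers (jwt.trusted.issuer.N); the Tokens tab supplies the Expires value and the Trusted Issuers tab the kid that selects a key. The Go program below is an added example, not code from Oracle Access Management or from this documentation. It issues an RS512 token the way the table describes and then validates one the way a resource server or token endpoint must: exact alg match, issuer in the trusted list, kid agreeing with that issuer's alias, signature, expiry. The type and function names (Profile, Claims, Issue, Validate, NewProfile), the alias "oauthkey", the issuer URL and the in-memory key map standing in for the keystore are all this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Profile mirrors the page's jwt.CryptoScheme, jwt.issuer, jwt.trusted.issuer.N and Expires settings (example's own type).
type Profile struct {
	CryptoScheme   string                    // jwt.CryptoScheme, e.g. "RS512"
	Issuer         string                    // jwt.issuer: the iss claim this server writes
	TrustedIssuers map[string]string         // trusted issuer name -> key alias (jwt.trusted.issuer.N)
	Keys           map[string]*rsa.PublicKey // key alias -> public key (stands in for the key store)
	ExpiresMinutes int                       // Tokens tab: Expires, in minutes
}

type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodePart(s string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Issue signs a compact JWT with RS512 (RSA PKCS#1 v1.5 over SHA-512 of "header.payload"); kid names the signing key alias.
func Issue(p Profile, kid string, priv *rsa.PrivateKey, sub string, now time.Time) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS512", "kid": kid})
	c, _ := json.Marshal(Claims{Iss: p.Issuer, Sub: sub, Exp: now.Add(time.Duration(p.ExpiresMinutes) * time.Minute).Unix()})
	input := b64(h) + "." + b64(c)
	digest := sha512.Sum512([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Validate: alg must equal the configured scheme (no algorithm substitution), iss must be trusted, kid must resolve to that issuer's alias, the signature must verify, and exp must be in the future.
func Validate(p Profile, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	h, c := struct{ Alg, Kid string }{}, Claims{} // encoding/json matches "alg"/"kid" case-insensitively
	if err := errors.Join(decodePart(parts[0], &h), decodePart(parts[1], &c)); err != nil {
		return nil, err
	}
	if h.Alg != p.CryptoScheme {
		return nil, fmt.Errorf("alg %q does not match jwt.CryptoScheme %q", h.Alg, p.CryptoScheme)
	}
	alias, trusted := p.TrustedIssuers[c.Iss]
	if !trusted {
		return nil, fmt.Errorf("issuer %q is not a trusted issuer", c.Iss)
	}
	// The key comes from the trusted issuer's alias and kid must agree with it; a token cannot pick its own key.
	pub, ok := p.Keys[alias]
	if !ok || h.Kid != alias {
		return nil, fmt.Errorf("kid %q does not resolve to alias %q of issuer %q", h.Kid, alias, c.Iss)
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a malformed signature simply fails to verify
	digest := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func NewProfile(issuer string, pub *rsa.PublicKey) Profile { // constructed profile trusting one issuer under alias "oauthkey"
	return Profile{CryptoScheme: "RS512", Issuer: issuer, ExpiresMinutes: 60,
		TrustedIssuers: map[string]string{issuer: "oauthkey"}, Keys: map[string]*rsa.PublicKey{"oauthkey": pub}}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key; a deployment signs with the jwt.cert.alias key
	p := NewProfile("https://oauth.example.test", &priv.PublicKey)
	tok, _ := Issue(p, "oauthkey", priv, "alice", time.Now())
	c, err := Validate(p, tok, time.Now())
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

The order of checks matters: the algorithm is compared against the configured scheme before any key is looked up, and the key is chosen from the trusted-issuer alias rather than from whatever kid the token carries, so a token can neither downgrade the algorithm nor point verification at a key of its choosing.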

53.3.3 Configuring Clients

See Clients - Identity Federation and OAuth Services for introductory information about OAuth Services Clients. The following section describes how to use the user interface to configure a Web client and a mobile client. It includes the following topics:

53.3.3.1 Creating a Client

You can create a client using the Clients tab.

  1. Access the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it.
  2. Select the Clients tab.
  3. Click Create. The Create Client tab opens with the following options:
    • To create an OAuth Services Web (non-mobile) client, click the Create button located directly under the OAuth Web Clients heading.

      See Web Clients Configuration Page.

    • To create an OAuth Services Public client, click the Create button located directly under the OAuth Public Clients heading.

      See Public Clients Configuration Page.

    • To create an OAuth Services mobile client, click the Create button located directly under the OAuth Mobile Clients heading.

      See Mobile Clients Configuration Page.

  4. Enter the appropriate values in the form displayed under the Create Client tab.

53.3.3.2 Editing or Deleting a Client

You can edit or delete a client from the Clients tab.

  1. Open the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click an identity domain to open it for editing.
  2. Click the Clients tab.
  3. Do the following:
    • To edit a client configuration, click its name on the page.

      The client configuration page opens in a new tab.

    • To delete a client, select it by clicking the box to the left of the name and then click the delete button in the command bar.

53.3.3.3 Web Clients Configuration Page

When you view an existing Web client or create a new one, the OAuth Web Clients Configuration Page displays form fields such as Identity Domain, Client ID, and Client Secret.

The form fields on the Web Client Configuration page are as follows:

Identity Domain - The name of the identity domain in which this OAuth Web client is registered. (Read-only)

Name - The name of this OAuth client.

Description - (Optional) A short description to help you or another administrator identify this OAuth Web client in the future.

Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with resource servers and the resource owner. See OAuth Services Access Tokens for more information about custom attributes.

Client ID - The unique ID that the authorization server created for this client during registration. (Read-only).

Client Secret - A secret value known to the OAuth authorization service and the client. The authorization service checks the client secret and the client ID when it receives token endpoint requests from the client.

HTTP Redirect URIs - The client URIs that the OAuth server is allowed to redirect the user-agent to once access is granted or denied.

Privileges

Bypass User Consent - If selected, the client will not ask for the user's explicit authorization to access the user's protected resources. If this option is selected, this setting overrides the resource server setting. Clear this option if the client should be subject to the resource server setting.

Allow Access to all Scopes - If selected, the client can obtain an access token regardless of scope limitations for any resource server in the identity domain. Clear this option if the client should be subject to scope limitations.

Allowed Scopes - Lists the range of access the client has to the requested resources. To grant additional access, click Add to add a row to the table, then choose from the drop-down menu the scope to be added. To restrict access, select the scope that you want to remove by clicking the table row, then click Delete to remove the highlighted row. Click OK at the prompt to confirm that you want to remove the selected scope.

Grant Types - The OAuth 2.0 specification provides several authorization grant types for different security use-cases. Before obtaining an access token, the client must obtain an authorization grant that it can exchange with the OAuth service for an access token. Client privileges determine which clients are allowed which grant types. The following grant types are supported in OAuth Services:

  • Authorization Code - This grant type is required for 3-legged flows. The resource owner logs in using the authorization server. The token endpoint exchanges the authorization code along with client credentials for an access token.

  • Resource Owner Credentials - This grant type is used for 2-legged flows. The resource owner provides the client with his or her user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible.

  • Client Credentials - This grant type is used for 2-legged flows. The client requests an access token using only its client credentials (or another supported means of authentication). This is suitable if the client is requesting access to protected resources under its control, or those of another resource owner when previously arranged with the authorization server.

In addition to the grant types defined in the OAuth 2.0 standard, the following options are also available:

  • Refresh Token - Select this option to return a refresh token together with an access token in the token response. See About OAuth Services Tokens for more information.

  • JWT Bearer - Allows a JWT assertion to be used to request an OAuth access token.

  • SAML 2 Bearer - Allows a SAML2 assertion to be used to request an OAuth access token.

  • OAM Credentials - Used to request OAM tokens, such as a master token, an access token, or an OAuth access token.
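The Privileges fields above (Bypass User Consent, Allow Access to all Scopes, Allowed Scopes) and the per-client grant types, together with the scope-prefix rule noted under Allow Multiple Resource Servers, determine whether a given token request may proceed and whether the user must first pass through the consent service. The Go program below is an added example, not OAuth Services code: it models those settings and evaluates a request deny-by-default. The type and function names (Domain, Client, ResourceServer, Authorize, the Sample* fixtures), the "." between resource server name and scope, and the rule that the client credentials grant skips consent because no resource owner is present are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Client mirrors the Privileges fields of the client configuration pages (names are this example's own).
type Client struct {
	ID                string
	AllowAllScopes    bool            // Allow Access to all Scopes
	AllowedScopes     map[string]bool // Allowed Scopes
	GrantTypes        map[string]bool // OAuth 2.0 grant_type values, e.g. "authorization_code"
	BypassUserConsent bool            // Bypass User Consent
}

// ResourceServer carries the consent requirement that Bypass User Consent overrides.
type ResourceServer struct {
	Name            string
	RequiresConsent bool
}

// Domain mirrors Allow Multiple Resource Servers and the scope-prefix note on the page.
type Domain struct {
	MultipleResourceServers bool
	ResourceServers         map[string]ResourceServer
}

type Decision struct {
	Allowed       bool
	ConsentNeeded bool
	Reason        string
}

// resourceServerFor applies the prefix rule: with several resource servers a scope is "<ResourceServer>.<scope>"
// (the "." separator is this example's assumption); with one resource server the bare scope belongs to it.
func resourceServerFor(d Domain, scope string) (ResourceServer, bool) {
	if d.MultipleResourceServers {
		prefix, _, found := strings.Cut(scope, ".")
		if !found {
			return ResourceServer{}, false
		}
		rs, ok := d.ResourceServers[prefix]
		return rs, ok
	}
	for _, rs := range d.ResourceServers { // single resource server: exactly one entry
		return rs, true
	}
	return ResourceServer{}, false
}

// Authorize decides whether the client may obtain a token for grantType and scopes, and whether the
// request must first pass through the consent service. Every check is deny-by-default.
func Authorize(d Domain, c Client, grantType string, scopes []string) Decision {
	if !c.GrantTypes[grantType] {
		return Decision{Reason: fmt.Sprintf("grant type %q is not enabled for client %s", grantType, c.ID)}
	}
	consent := false
	for _, s := range scopes {
		rs, ok := resourceServerFor(d, s)
		if !ok {
			return Decision{Reason: fmt.Sprintf("scope %q does not name a resource server in the domain", s)}
		}
		if !c.AllowAllScopes && !c.AllowedScopes[s] {
			return Decision{Reason: fmt.Sprintf("scope %q is not in Allowed Scopes of client %s", s, c.ID)}
		}
		if rs.RequiresConsent && !c.BypassUserConsent {
			consent = true
		}
	}
	// Consent involves a resource owner; the client credentials grant has none (example's assumption).
	if grantType == "client_credentials" {
		consent = false
	}
	return Decision{Allowed: true, ConsentNeeded: consent, Reason: "ok"}
}

// Constructed fixtures: two resource servers (so scopes carry a prefix) and a web client limited to two PhotoService scopes.
func SampleDomain() Domain {
	return Domain{MultipleResourceServers: true, ResourceServers: map[string]ResourceServer{
		"PhotoService":    {Name: "PhotoService", RequiresConsent: true},
		"CalendarService": {Name: "CalendarService", RequiresConsent: false},
	}}
}

func SampleClient() Client {
	return Client{ID: "photo-web", AllowedScopes: map[string]bool{"PhotoService.read": true, "PhotoService.upload": true},
		GrantTypes: map[string]bool{"authorization_code": true, "refresh_token": true}}
}

func main() {
	d, c := SampleDomain(), SampleClient()
	fmt.Printf("%+v\n", Authorize(d, c, "authorization_code", []string{"PhotoService.read"}))
	fmt.Printf("%+v\n", Authorize(d, c, "authorization_code", []string{"CalendarService.read"}))
	fmt.Printf("%+v\n", Authorize(d, c, "client_credentials", []string{"PhotoService.read"}))
}
```

Setting Allow Access to all Scopes or Bypass User Consent on a client is equivalent to deleting the corresponding check in Authorize for that client, which is why both options deserve the same scrutiny as granting the Resource Owner Credentials grant type.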

Attributes

Add or delete custom attributes that the authorization server returns to the client along with the scope settings.

Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence.

Table 53-2 Web Client Attributes Names and Values

jwt.audience - Value: space-separated values. Used when the OAuth server generates a client assertion and a user assertion. The aud claim of those JWT tokens contains the values defined in this attribute.

53.3.3.4 Public Clients Configuration Page

When you view an existing Public client or create a new one, the Public Client Configuration page displays form fields such as Identity Domain, Client ID, and HTTP Redirect URIs.

The form fields on the Public Client Configuration page are as follows:

Identity Domain - The name of the identity domain in which this OAuth Public client is registered. (Read-only)

Name - The name of this OAuth client.

Description - (Optional) A short description to help you or another administrator identify this OAuth Public client in the future.

Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with resource servers and the resource owner. See OAuth Services Access Tokens for more information about custom attributes.

Client ID - The unique ID that the authorization server created for this client during registration. (Read-only).

HTTP Redirect URIs - The client URIs that the OAuth server is allowed to redirect the user-agent to once access is granted or denied.

Privileges

Bypass User Consent - If selected, the client will not ask for the user's explicit authorization to access the user's protected resources. If this option is selected, this setting overrides the resource server setting. Clear this option if the client should be subject to the resource server setting.

Allow Access to all Scopes - If selected, the client can obtain an access token regardless of scope limitations for any resource server in the identity domain. Clear this option if the client should be subject to scope limitations.

Allowed Scopes - Lists the range of access the client has to the requested resources. To grant additional access, click Add to add a row to the table, then choose from the drop-down menu the scope to be added. To restrict access, select the scope that you want to remove by clicking the table row, then click Delete to remove the highlighted row. Click OK at the prompt to confirm that you want to remove the selected scope.

Grant Types - The OAuth 2.0 specification provides several authorization grant types for different security use-cases. Before obtaining an access token, the client must obtain an authorization grant that it can exchange with the OAuth service for an access token. Client privileges determine which clients are allowed which grant types. The following grant types are supported in OAuth Services:

  • Authorization Code - This grant type is required for 3-legged flows. The resource owner logs in using the authorization server. The token endpoint exchanges the authorization code along with client credentials for an access token.

  • Implicit - This grant type is used for 2-legged flows. The resource owner provides the client with his or her user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible.

Attributes

Add or delete custom attributes that the authorization server returns to the client along with the scope settings.

Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence.

53.3.3.5 Mobile Clients Configuration Page

When you view an existing Mobile client or create a new one, the Mobile Client Configuration page displays form fields such as Identity Domain, Client ID, and Jailbreaking Detection.

This section describes the form fields on the Mobile Client Configuration page when viewing an existing Mobile client or creating a new one. The OAuth Web Client Configuration page is described in the previous section.

Identity Domain - The name of the identity domain in which this OAuth mobile client is registered. (Read-only)

Name - The name of this OAuth client.

Description - (Optional) A short description to help you or another administrator identify this OAuth mobile client in the future.

Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with resource servers and the resource owner. See OAuth Services Access Tokens for more information about custom attributes.

Client ID - The unique ID that the authorization server created for this client during registration. (Read-only).

Jailbreaking Detection - Select to enable jail breaking detection for mobile devices. See Jailbreak Detection Policy - OAuth Services for more information.

Mobile Redirect URIs - The client URIs that the OAuth server is allowed to redirect the user-agent to once access is granted or denied.

Privileges

Bypass User Consent - If selected, the client will not ask for the user's explicit authorization to access the user's protected resources. If this option is selected, this setting overrides the resource server setting. Clear this option if the client should be subject to the resource server setting.

Allow Access to all Scopes - If selected, the client can obtain an access token regardless of scope limitations for any resource server in the identity domain. Clear this option if the client should be subject to scope limitations.

Allowed Scopes - Lists the range of access the client has to the requested resources. To grant additional access, click Add to add a row to the table, then choose from the drop-down menu the scope to be added. To restrict access, select the scope that you want to remove by clicking the table row, then click Delete to remove the highlighted row. Click OK at the prompt to confirm that you want to remove the selected scope.

Grant Types - The OAuth 2.0 specification provides several authorization grant types for different security use-cases. Before obtaining an access token, the client must obtain an authorization grant that it can exchange with OAuth Services for an access token. Client privileges determine which clients are allowed which grant types. The following grant types are supported in OAuth Services:

  • Authorization Code - This grant type is required for 3-legged flows. The resource owner logs in using the authorization server. The token endpoint exchanges the authorization code along with client credentials for an access token.

  • Resource Owner Credentials - This grant type is used for 2-legged flows. The resource owner provides the client with his or her user name and password. This is only suitable for highly trusted client applications because the client could abuse the password, or the password could unintentionally be disclosed to an attacker. Per the OAuth 2.0 specification, the authorization server and client should minimize use of this grant type and utilize other grant types whenever possible.

  • Client Credentials - This grant type is used for 2-legged flows. The client requests an access token using only its client credentials (or another supported means of authentication). This is suitable if the client is requesting access to protected resources under its control, or those of another resource owner when previously arranged with the authorization server.

  • Refresh Token - Select this option to return a refresh token together with an access token in the token response. See About OAuth Services Tokens for more information.

  • JWT Bearer - Allows a JWT assertion to be used to request an OAuth access token.

  • SAML 2 Bearer - Allows a SAML2 assertion to be used to request an OAuth access token.

  • OAM Credentials - Used to request OAM tokens, such as a master token, an access token, or an OAuth access token.

  • Client Verification Code - Used by mobile clients to request a pre-verification code from the OAuth server, which is subsequently used in mobile client flows.
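The following Python sketch is an added example, not code from this page or from Oracle: it shows how a client's Privileges (Allowed Scopes, Allow Access to all Scopes, Bypass User Consent) and its permitted Grant Types gate a request at the token endpoint. The grant_type values for the standard grants are the RFC 6749 names and the assertion grants use the RFC 7521 names; the ClientPrivileges class, the check function and its reason strings are assumptions made for this illustration. OAM Credentials and Client Verification Code are left out because their wire format is not described here.

```python
"""Added example (not Oracle's code): token-endpoint checks driven by the
client's registered privileges and grant types."""
from dataclasses import dataclass, field

# Parameters each grant type must carry in a token request (RFC 6749 names
# for the standard grants, RFC 7521 names for the assertion grants).
REQUIRED_PARAMS = {
    "authorization_code": {"code", "redirect_uri"},
    "password": {"username", "password"},            # Resource Owner Credentials
    "client_credentials": set(),
    "refresh_token": {"refresh_token"},
    "urn:ietf:params:oauth:grant-type:jwt-bearer": {"assertion"},
    "urn:ietf:params:oauth:grant-type:saml2-bearer": {"assertion"},
}


@dataclass
class ClientPrivileges:
    """Assumed model of the client configuration fields described above."""
    client_id: str
    grant_types: set                     # grant types this client may use
    allowed_scopes: set = field(default_factory=set)
    allow_all_scopes: bool = False       # "Allow Access to all Scopes"
    bypass_user_consent: bool = False    # "Bypass User Consent"


def check_token_request(client, params):
    """Return (ok, reason) for the form parameters of a token request."""
    grant = params.get("grant_type")
    if grant not in REQUIRED_PARAMS:
        return False, "unsupported_grant_type"
    if grant not in client.grant_types:
        # The grant type exists, but this client was not granted the privilege.
        return False, "unauthorized_client"
    missing = REQUIRED_PARAMS[grant] - set(params)
    if missing:
        return False, "invalid_request: missing " + ", ".join(sorted(missing))
    requested = set(params.get("scope", "").split())
    if requested and not client.allow_all_scopes and not requested <= client.allowed_scopes:
        # Scope limitations apply unless the client may access all scopes.
        return False, "invalid_scope"
    return True, "ok"


def consent_required(client, scope_requires_consent):
    """A client with Bypass User Consent skips the consent form even when the
    resource server's scope would normally require it."""
    return scope_requires_consent and not client.bypass_user_consent
```

A client registered only for Authorization Code and Refresh Token is refused the password grant with unauthorized_client even though the server supports that grant; the scope check is skipped only for clients that were explicitly granted access to all scopes.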

Apple Push Notification

Applies to iOS devices only. The OAuth authorization server can restrict token delivery to a specific app installed on a specific mobile device by sending part of the client registration handle through HTTPS, and sending the other part through push notification using the Apple Push Notification Service (APNS). Use the following fields to configure how the OAuth server connects to APNS for this specific client app.

Connection Settings - Select Enabled to send a portion of security codes and tokens to the mobile client app using APNS. (The portions not sent using APNS are sent using HTTPS.) Clear this option if you do not want to use APNS for this mobile client app.

Minimum Connection Pool Size - Specifies the minimum number of connections in the connection pool.

Maximum Connection Pool Size - Specifies the maximum number of connections in the connection pool.

Keep Alive - The Apple Push Notification keep alive value in seconds.

Certificate for APNS Communication Setup - Choose Development to use the Apple development environment for initial development and testing of the application; choose Production to use Apple's production environment.

SSL/TLS Certificate for Development - Click Browse to navigate to the development SSL/TLS certificate issued by Apple for the Apple Push Notification Service.

Development Certificate Password - Type the development password for the Apple Push Notification certificate.

SSL/TLS Certificate for Production - Click Browse to navigate to the production SSL/TLS certificate issued by Apple for the Apple Push Notification Service.

Production Certificate Password - Type the production password for the Apple Push Notification certificate.

Google Application Settings

Applies to Android devices only. The OAuth authorization server can restrict token delivery to a specific app installed on a specific mobile device by sending part of the client registration handle through HTTPS, and sending the other part through push notification using Google Cloud Messaging (GCM) for Android. Use the following fields to configure how the OAuth server connects to the GCM service for this specific client app.

Restricted Package Name - The Google restricted package name.

Mobile Service Settings

Override the default settings - Enable Override the default settings in a Mobile Client profile to let an administrator set the security level and enable server-side single sign-on at the client level. When set, these client settings override the same settings in the OAuth Services Service Profile mobile configuration. Use this if a particular client in an identity domain needs behavior that differs from what is defined in the OAuth Services Service Profile.

Configuration Settings

Device Claim Attributes - Specifies the device attributes that the system should collect for device fingerprinting. If empty, the system collects every attribute in the SDK.

Mobile Custom Attributes - Specifies key-value pairs that should be sent to mobile applications using app profiles. (Mobile applications request app profiles that contain server-side settings, including endpoints, jailbreak detection policies, and security level details.)

Attributes

Add or delete custom attributes that the authorization server returns to the client along with the scope settings.

Avoid using the same name when adding custom attributes to the service profile configuration and the scope configuration. If you define the same attribute name in both locations, the scope-based attribute value takes precedence.

53.3.4 Configuring the Service Provider

See Service Providers - Identity Federation and OAuth Services for introductory information about Service Providers. The following section describes how to use the user interface to configure a Service Provider. It includes the following topics:

Note:

Only one Service Provider can be configured at a time.

53.3.4.1 Editing or Deleting the Service Provider

You can edit or delete a Service provider from the Service Providers tab.

  1. Access the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it for editing.
  2. Select the Service Providers tab.
  3. Do the following:
    • To edit a service provider, click its name in the table.

    • To delete a service provider, select it by clicking the box to the left of the name and then click the delete button in the command bar.

53.3.4.2 Service Provider Configuration Page

Following are the form fields on the Service Provider Configuration page:

Identity Domain - The name of the identity domain with which this Service Provider is registered. (Read-only)

Name - The name of this service provider.

Description - (Optional) A short description to help you or another administrator identify this service provider.

Service Provider Java Class - The Java class that implements this service provider.

Attributes

Use the attribute settings in Table 53-3 to configure the Service Provider connection with Access Manager.

Table 53-3 OAuth Service Provider Attributes for Access Manager

Name | Value | Notes
oam.OAM_VERSION | OAM_11G | Either OAM_11G or OAM_10G, depending on the Oracle Access Manager version in use.
oam.Webgate_ID | accessgate-oic |
oam.ENCRYPTED_PASSWORD | |
oam.DEBUG_VALUE | 0 |
oam.TRANSPORT_SECURITY | OPEN | Specify the method for encrypting messages between this AccessGate and the Access Servers. The encryption methods need to match. Valid values are OPEN, SIMPLE, and CERT. To update these settings, see Configuring Mobile and Social Services to Work With Access Manager in Simple and Certificate Mode.
oam.OAM_SERVER_1 | localhost:5575 | Specify the host name and port number of the primary Oracle Access Management server.
oam.OAM_SERVER_1_MAX_CONN | 4 | Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_SERVER_1. The default value is 4.
oam.OAM_SERVER_2 | oam_server_2:5575 | Specify the host name and port number of the secondary Oracle Access Management server.
oam.OAM_SERVER_2_MAX_CONN | 4 | Specify the maximum number of connections that this Mobile and Social instance can establish with OAM_SERVER_2. The default value is 4.
oam.AuthNURLForUID | wl_authen://sample_ldap_no_pwd_protected_res |
oam.OAM_LOCAL_MODE | true | Specifies whether Mobile and Social uses "local mode" or "remote mode" to communicate with the OAM server. If the attribute value is set to false, Mobile and Social communicates with OAM over TCP/IP. If set to true (or if this attribute is undefined), Mobile and Social uses a direct connection to communicate with OAM. Prior to version 11.1.2.3, Mobile and Social only communicated with OAM using TCP/IP (that is, remote mode); communication now defaults to local mode, which is faster. To configure Mobile and Social to communicate with OAM 10g, set the OAM_LOCAL_MODE attribute to false.
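As an added example (not code from this page or from Oracle), the following Python function checks a Service Provider attribute set against the constraints Table 53-3 states before it is saved: the permitted OAM_VERSION and TRANSPORT_SECURITY values, the OAM 10g requirement for OAM_LOCAL_MODE=false, and the host:port and connection-count formats. The attribute names and allowed values come from the table; the checks themselves, the function name and the finding texts are this example's own assumptions.

```python
"""Added example (not Oracle's code): sanity checks over the Table 53-3
Service Provider attributes. Keys and allowed values are from the table;
the rules below are this example's own."""

VALID_VERSIONS = {"OAM_11G", "OAM_10G"}
VALID_TRANSPORT = {"OPEN", "SIMPLE", "CERT"}


def lint_service_provider(attrs):
    """Return a list of findings; an empty list means the attributes look sane."""
    findings = []

    version = attrs.get("oam.OAM_VERSION")
    if version not in VALID_VERSIONS:
        findings.append("oam.OAM_VERSION must be one of " + ", ".join(sorted(VALID_VERSIONS)))

    transport = attrs.get("oam.TRANSPORT_SECURITY", "OPEN")
    if transport not in VALID_TRANSPORT:
        findings.append("oam.TRANSPORT_SECURITY must be OPEN, SIMPLE or CERT")
    elif transport == "OPEN":
        # OPEN mode carries AccessGate traffic to the Access Servers unencrypted.
        findings.append("oam.TRANSPORT_SECURITY=OPEN: AccessGate traffic to the Access Servers is not encrypted")

    if not attrs.get("oam.ENCRYPTED_PASSWORD"):
        findings.append("oam.ENCRYPTED_PASSWORD is empty")

    # An undefined OAM_LOCAL_MODE means local mode, which OAM 10g does not support.
    local_mode = attrs.get("oam.OAM_LOCAL_MODE", "true").lower()
    if version == "OAM_10G" and local_mode != "false":
        findings.append("OAM 10g requires oam.OAM_LOCAL_MODE=false (remote mode)")

    for n in ("1", "2"):
        host = attrs.get(f"oam.OAM_SERVER_{n}")
        if host and ":" not in host:
            findings.append(f"oam.OAM_SERVER_{n} should be host:port")
        try:
            max_conn = int(attrs.get(f"oam.OAM_SERVER_{n}_MAX_CONN", "4"))
        except ValueError:
            max_conn = 0
        if max_conn < 1:
            findings.append(f"oam.OAM_SERVER_{n}_MAX_CONN must be a positive integer")

    return findings
```

Run against the table's default values the function reports the OPEN transport and the empty password; after switching the transport to CERT and supplying the password it reports nothing, and setting OAM_VERSION to OAM_10G without changing OAM_LOCAL_MODE produces exactly the 10g finding.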

53.3.5 Configuring Custom Resource Servers

You can configure a Resource Server using the user interface.

See Resource Servers - Identity Federation and OAuth Services for introductory information about Resource Servers. The following section describes how to use the user interface to configure a Resource Server. It includes the following topics:

OAuth Services provides two out-of-the-box services modeled as Resource Servers and protected with an Access Token. For configuration information on the User Profile Services and Consent Management Services Resource Servers, see Configuring User Profile Services and Configuring Consent Management Services respectively.

53.3.5.1 Creating a Custom Resource Server

You can create a Custom Resource Server from the Resource Servers tab.

  1. Access the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it.
  2. Select the Resource Servers tab.
  3. To define a new resource server for use with OAuth Services, click the Create button in the Custom Resource Servers section.

    The Custom Resource Server Configuration page opens.

53.3.5.2 Editing or Deleting a Resource Server

You can edit and delete a Resource Server from the Resource Servers tab.

  1. Access the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it for editing.
  2. Click the Resource Servers tab.
  3. To open a configured custom Resource Server for editing, click its name in the Custom Resource Servers table.

    The Custom Resource Server Configuration page opens.

53.3.5.3 Custom Resource Servers Configuration Page

The tabs and form fields in the Custom Resource Servers Configuration Page are discussed here.

Identity Domain - The name of the identity domain to which this resource server applies. (Read-only)

Name - The name of this resource server (or resource service).

Description - (Optional) A short description to help you or another administrator identify this resource server in the future.

Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with clients and the resource owner. See OAuth Services Access Tokens for more information about custom attributes.

Authorization & Consent Service Plug-in - From the menu, choose an authorization plug-in for the resource server. This plug-in type defines security policy around interactions where authorization and user consent are granted. It can influence claims in a generated token as well. See Plug-Ins - Identity Federation and OAuth Services for plug-in descriptions.

Audience Claim - Identifies the audiences for which the OAuth token is intended. Each principal intended to process the OAuth token must identify itself with a value in Audience Claim.

Resource Server ID - The unique ID created for this resource server during registration. (Once the resource server configuration is saved, this field cannot be changed.)

Scopes

Click Add to add a new row to the scopes table. Click to select a row, then click Delete to remove it.

Name - Type a scope definition. Use dot notation, for example: photo.read

Description - Type a short note that describes the scope.

Require User Consent - Select to require the authorization server to display a user consent form so that the user can approve (or deny) the access request.

Offline Scope - Allows client applications to request a refresh token that can be used to obtain an access token even when the user is offline or not present. Client applications use the refresh token to get a new access token to access resources. See About OAuth Services Tokens for more information.

Token Settings

Override the default settings - Select this option if the token settings defined on the resource server configuration page should override the default token settings defined on the OAuth Services profile page.

Token Name - The name of the token.

Expires - The length of time in minutes after which the token is no longer valid.

Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid.

Custom Attributes

Use this section to define custom attributes that OAuth Services embeds in the access tokens. See OAuth Services Access Tokens for more information about custom attributes.

  • Static Attributes - Attribute name and value pairs where the value is fixed at the time that you define the attribute. For example, name1=value1.

  • Dynamic Attributes - User-profile specific attributes.
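The following Python block is an added example, not code from this page or from Oracle. It ties together three settings described above: the Audience Claim a resource server must find itself in, the Expires value in minutes from the Token Settings, and the custom attributes embedded in the access token, including the rule stated earlier in this section that a scope-based attribute value takes precedence over the same name defined on the service profile. It assumes an HS256 JWT with a shared key (the page does not say how OAuth Services signs its tokens), the standard claim names aud, exp and iat, and a constructed attrs claim for the custom attributes; the function names are this example's own.

```python
"""Added example (not Oracle's code): mint and validate an HS256 JWT access
token carrying an audience, an expiry in minutes and custom attributes.
The signing scheme and claim layout are assumptions for this illustration."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def resolve_custom_attributes(profile_attrs, scope_attrs):
    """Merge service-profile and scope attributes; on a name clash the
    scope-based value wins, as the section above states."""
    merged = dict(profile_attrs)
    merged.update(scope_attrs)
    return merged


def mint_token(key, audiences, scopes, expires_minutes, attrs, now=None):
    """Build a signed token for the given audiences (Audience Claim) that
    expires expires_minutes after issue (Expires)."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "aud": list(audiences),
        "scope": " ".join(scopes),
        "iat": now,
        "exp": now + expires_minutes * 60,
        "attrs": attrs,                      # constructed claim for custom attributes
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, key, my_resource_server_id, now=None):
    """Return the payload if the signature holds, the token has not expired
    and this resource server is among its audiences; otherwise None."""
    try:
        h, p, s = token.split(".")
        signature = _b64url_decode(s)
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                          # verify before trusting any claim
    try:
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None
    now = int(now if now is not None else time.time())
    if payload.get("exp", 0) <= now:
        return None
    aud = payload.get("aud", [])
    if my_resource_server_id not in (aud if isinstance(aud, list) else [aud]):
        return None                          # token was issued for another audience
    return payload
```

A resource server whose ID is not listed in the token's aud claim rejects it even though the signature is valid, which is the property the Audience Claim field exists to provide.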

53.3.6 Configuring User Profile Services

You can configure an instance for the User Profile Services using the console.

See User Profile Services for introductory information about the User Profile Services. The following section describes how to use the console to configure an instance for the User Profile Services.

53.3.6.1 Creating a New User Profile Service

You can create a New User Profile Service from the Resource Servers tab.

  1. Open the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it.
  2. Click the Resource Servers tab.
  3. Click the Create button in the User Profile Services section.

    The User Profile Services Configuration page opens.

53.3.6.2 Editing the User Profile Service

You can edit the User Profile Service from the Resource Servers tab.

  1. Open the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it for editing.
  2. Click the Resource Servers tab.
  3. In the User Profile Services section, click the service name to edit it.

    The User Profile Services Configuration page opens.

53.3.6.3 User Profile Services Configuration Page

You can configure the User Profile Service from the User Profile Services Configuration Page.

Use this page to configure the User Profile Service. This service supports OAuth 2.0 authorization and allows clients to interact with a back-end directory server and perform User Profile REST operations on Person, Group, and Relationship entities.

Identity Domain - The name of the identity domain to which this service profile applies. (Read-only)

Name - The name of this service profile.

Description - (Optional) A short description to help you or another administrator identify this service profile in the future.

Service Enabled - Select to enable the service, or clear the option box to disable it.

Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with clients. If enabled, the user consent form notifies the user that user-profile-specific details will be shared with the client. See OAuth Services Access Tokens for more information about custom attributes.

Audience Claim - Identifies the audiences that the OAuth token is intended for. Each principal intended to process the OAuth token must identify itself with a value in audience claim.

Resource Server ID - The unique ID that OAuth Services created for this User Profile resource server. (Read-only)

Service Endpoint - The URI where the service receives and responds to create, read, update, and delete user profile service requests. Create a unique uniform resource identifier (URI) address for this service; for example, localhost:5575

Authorization & Consent Service Plug-in - From the menu, choose an authorization plug-in for the service. This plug-in type defines security policy around interactions where authorization and user consent are granted. It can influence claims in a generated token as well. See Plug-Ins - Identity Federation and OAuth Services for plug-in descriptions.

Protected by OAuth Service Profile - From the menu, choose the OAuth service profile that protects the user profile service.

Identity Store Name - The name of the identity store that contains the user records.

Scopes

Security Protection

Configure individual permission settings for person, relationship, and group entities. Click Add to add a record to the table; select a row and click Delete to remove the record. The service uses the following default entity names:

URI - The URI segment for which the scope is defined.

  • /me - Designates operations that apply to the user logged in to the client

  • /users - Designates operations that apply to other users

  • /groups - Designates operations that apply to groups

  • /secretkey - Designates operations that apply to secret key management

Service Enabled - Select to enable the service for this scope.

Allow Read - Select to allow read operations for this scope.

Allow Write - Select to allow write operations for this scope.

Unprotected - Select this option if you do not want to limit access, or clear this option to limit access by scope.

OAuth Scope - Type a scope definition. Use dot notation, for example: UserProfile.me.write

Description - Type a short note that describes the scope.

Require User Consent - Select to require the authorization server to display a user consent form so that the user can approve (or deny) the access request.

Identity Attributes of the Selected Scope - Click an entity row in the Security Protection table to view the Attribute table for that entity. Click Add to add a record to the table; select a row and click Delete to remove the record.

Offline Scope - Allows client applications to request a refresh token that can be used to obtain an access token even when the user is offline or not present. Client applications use the refresh token to get a new access token to access resources. See About OAuth Services Tokens for more information.
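To show how the Security Protection fields above combine at request time, here is an added Python example (not code from this page or from Oracle). Each row of the table is modelled with the page's own field names (URI, Service Enabled, Allow Read, Allow Write, Unprotected, OAuth Scope); the evaluation order, the mapping of HTTP methods to read and write operations, the sample rows and the function names are assumptions made for this illustration.

```python
"""Added example (not Oracle's code): evaluate a User Profile Services
request against a Security Protection table. Row fields mirror the page;
the decision rules are this example's own assumptions."""
from dataclasses import dataclass

READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class ScopeRow:
    uri: str                       # URI segment, e.g. "/me"
    scope: str                     # OAuth Scope, e.g. "UserProfile.me.write"
    service_enabled: bool = True   # Service Enabled
    allow_read: bool = True        # Allow Read
    allow_write: bool = False      # Allow Write
    unprotected: bool = False      # Unprotected


# Constructed sample table: two scopes on /me, a read-only /users scope and a
# /groups scope that is configured but disabled.
SAMPLE_TABLE = [
    ScopeRow("/me", "UserProfile.me.read", allow_read=True, allow_write=False),
    ScopeRow("/me", "UserProfile.me.write", allow_read=True, allow_write=True),
    ScopeRow("/users", "UserProfile.users.read", allow_read=True, allow_write=False),
    ScopeRow("/groups", "UserProfile.groups.read", service_enabled=False),
]


def authorize(table, path, method, token_scopes):
    """Return (allowed, reason) for a request whose access token carries
    token_scopes. The first path segment selects the table rows."""
    segment = "/" + path.strip("/").split("/")[0]
    rows = [r for r in table if r.uri == segment]
    if not rows:
        return False, "no scope defined for " + segment
    if method in READ_METHODS:
        op = "read"
    elif method in WRITE_METHODS:
        op = "write"
    else:
        return False, "method not permitted"
    for r in rows:
        if not r.service_enabled:
            continue                       # disabled rows grant nothing
        if r.unprotected:
            return True, "unprotected"     # access is not limited by scope
        permits = r.allow_read if op == "read" else r.allow_write
        if permits and r.scope in token_scopes:
            return True, "granted by scope " + r.scope
    return False, f"no enabled scope in token permits {op} on {segment}"
```

A token holding only UserProfile.me.read can read /me (and entity paths under it such as /me/memberOf) but not write to it, a disabled row denies even a token that carries its scope, and a segment with no row at all is refused outright rather than falling through.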

Token Settings

Override the default settings - Select this option if the token settings defined on the resource server configuration page should override the default token settings defined on the OAuth Services profile page.

Token Name - The name of the token.

Expires - The length of time in minutes after which the token is no longer valid.

Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid.

Proxy Authentication

Select Proxy Authentication to allow the identity of a user using a web application (also known as a "proxy") to be passed through the application to the database server. Oracle Unified Directory (OUD) and Active Directory (AD) support proxy authentication. The Access Control option is simply to provide Proxy Authentication support for directory servers that do not have it built in. See Proxy Authentication for more details.

Attributes

Use this section to define user-profile specific (dynamic) attributes.

Table 53-4 User Profile Service Attributes

Name | Value
accessControl | false
adminGroup | cn=Administrators,ou=groups,ou=myrealm,dc=base_domain
selfEdit | true

Resource URIs

Use this section to enable or disable the /me, /users, /groups, /secretkey services, and define the service endpoint URIs and provider implementation class paths for these services.

Service Endpoint - The URI where the service receives and responds to service requests. Create a unique uniform resource identifier (URI) address for this service; for example, localhost:5575

Entities

Use the fields in this section to configure entity relationships.

  • Name - The name of the defined entity relationship.

  • Identity Directory Service Relation - Choose the directory service relationship that is to be accessed by the relationship End Point segment.

  • End Point - Type an entity relationship URI segment that will be used to access a corresponding data column in the Identity Directory service. For example, if memberOf is the End Point URI, then:

    http://<host>:<port>/.../idX/memberOf

    would be the URI to access related entities of an entity with ID idX.

  • Source Entity URI - The URI (or URL) of the source entity.

  • Destination Entity URI - The URI (or URL) of the destination entity.

  • Scope for Requesting Recursion - Use Scope attribute values with the scope query parameter to retrieve a nested level of attributes in a relationship search. To access related entities recursively, type the value to be used. The default configuration uses two scope attribute values: toTop and all. If the Scope for Requesting Recursion value is the attribute value all, then the following REST URI example is used to make the request:

    http://host:port/.../idX/reports?scope=all

    In this example, the URI returns the entities related to the entity with ID idX, as well as all further related entities.

Attributes

Use this section to define user-profile entity specific (dynamic) attributes.

53.3.7 Configuring Consent Management Services

You can configure the Consent Management Services using the user interface.

See Consent Management Services for introductory information about the Consent Management Services. The following section describes how to use the user interface to configure the Consent Management Services.

53.3.7.1 Creating a New Consent Management Service

You can create a New Consent Management Service from the Resource Servers tab.

  1. Access the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it.
  2. Click the Resource Servers tab.
  3. Click the Create button in the Consent Management Services section.

    The Consent Management Service Configuration page opens.

53.3.7.2 Editing an Existing Consent Management Service

You can edit an Existing Consent Management Service from the Resource Servers tab.

  1. Access the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it for editing.
  2. Click the Resource Servers tab.
  3. In the Consent Management Services section, click the service name to edit it.

    The Consent Management Service Configuration page opens.

53.3.7.3 Consent Management Services Configuration

The Consent Management Services handle consent storage, retrieval, revocation, and consent validation operations. You can configure the Consent Management Services.

Following are the form fields in the Consent Management Services configuration page:

Identity Domain - The name of the identity domain to which this consent management service applies. (Read-only)

Name - The name of this consent management service.

Description - (Optional) A short description to help you or another administrator identify this service in the future.

Service Enabled - Select to enable the service, or clear the option box to disable it.

Allow Token Attributes Retrieval - Select this option to allow custom attributes (both attribute names and values) to be shared with clients, resource servers, and the resource owner.

Audience Claim - Identifies the audiences that the OAuth token is intended for. Each principal intended to process the OAuth token must identify itself with a value in audience claim.

Resource Server ID - The unique ID that the authorization server created for this resource server during registration. (Read-only)

Service Endpoint - The URL where the Consent Management Service receives and responds to client and resource owner service requests.

Authorization & Consent Service Plug-in - From the menu, choose an authorization plug-in for the service. This plug-in type defines security policy around interactions where authorization and user consent are granted. It can influence claims in a generated token as well. See Plug-Ins - Identity Federation and OAuth Services for plug-in descriptions.

Protected by OAuth Service Profile - From the menu, choose the OAuth service profile that protects the consent management service.

Scopes

Security Protection

Configure individual permission settings. Click Add to add a record to the table; select a row and click Delete to remove the record. The service uses the following default entity names:

URI - The URI segment for which the scope is defined.

  • /retrieve

  • /grant

  • /revoke

Allow Read - Select to allow read operations for this scope.

Allow Write - Select to allow write operations for this scope.

Unprotected - Select this option if you do not want to limit access, or clear this option to limit access by scope.

OAuth Scope - Type a scope definition. Use dot notation, for example: UserProfile.me.write

Description - Type a short note that describes the scope.

Require User Consent - Select to require the authorization server to display a user consent form so that the user can approve (or deny) the access request.

Offline Scope - Allows client applications to request a refresh token that can be used to obtain an access token even when the user is offline or not present. Client applications use the refresh token to get a new access token to access resources. See About OAuth Services Tokens for more information.

Token Settings

Override the default settings - Select this option if the token settings defined on the resource server configuration page should override the default token settings defined on the OAuth service profile page.

Token Name - The name of the token.

Expires - The length of time in minutes after which the token is no longer valid.

Refresh Token Expires - The length of time in minutes after which the refresh token is no longer valid.

Attributes

Use this section to define custom attributes.

Resource URIs

Use this section to enable or disable the retrieve, grant, and revoke services. You can also define the service endpoint URIs and provider implementation class paths for these services.

Service Endpoint - The URI where the service receives and responds to requests. Create a unique URI address for this service.

Service Enabled - Select to enable the service, or clear the option box to disable it.

Attributes

Use this section to define consent management entity-specific (dynamic) attributes.

53.3.8 Configuring Plug-Ins

You can configure security plug-ins.

See Plug-Ins - Identity Federation and OAuth Services for plug-in descriptions.

53.3.8.1 Creating a New Plug-in

You can create a new plug-in from the Plug-ins tab.

  1. Access the Identity Domains page as described in Configuring OAuth Services Components in an Identity Domain and click the identity domain to open it.
  2. Click the Plug-ins tab.
  3. Click the Create button in one of the plug-in category sections.

    The Plug-in Configuration page opens.

53.3.8.2 Plug-in Configuration Page

You can add a plug-in to an Identity Domain or edit an existing plug-in configuration from the Plug-in Configuration Page.

Only some of the fields listed below will apply to the plug-in you are configuring.

Identity Domain - The name of the identity domain where the plug-in is located.

Name - The name of the plug-in.

Description - (Optional) A short description to help you or another administrator identify this plug-in in the future.

Implementation Class - Choose the class from the menu that implements the plug-in interface. Applies to the Mobile Client Plug-in Configuration page, the Mobile Resource Server Plug-in Configuration page, and the Mobile Authorization & Consent Service Plug-in Configuration page. See the Oracle Fusion Middleware Developer's Guide for Oracle Access Management for details.

Interface Class - Lists the interface class for this plug-in. Applies to the Mobile Client Plug-in Configuration page, the Mobile Resource Server Plug-in Configuration page, and the Mobile Authorization & Consent Service Plug-in Configuration page.

Security Handler Class - Choose the Java class that defines the Security Handler Plug-in. Applies to the Mobile Adaptive Access Plug-in Configuration page and the Mobile Custom Token Attributes Plug-in Configuration page.

Mobile Security Manager Plug-in Class - Choose the Java class that defines the Mobile Security Manager Plug-in. Applies to the Mobile Security Manager Plug-in Configuration page only.

MSM Device Inventory Attributes Precedence - When enabled, if both the Mobile Security Manager (MSM) component and the Mobile OAuth server supply a value for the same device attribute, the value supplied by the Mobile Security Manager is used. If the attribute value from the MSM component is not available, the value from the Mobile OAuth server is used instead.

MSM Attributes - Lists the attributes that the Mobile Security Manager plug-in harvests from mobile devices. The first column lists the mobile device attributes that the Mobile Security Manager component collects. The second column lists the mobile device attributes that the Mobile OAuth server collects during mobile app requests. If the same device attribute is available from both the MSM component and the server, both are listed in the same row. (For example, the MSM attribute "imei" appears in column one, and the matching server attribute "oracle:idm:claims:client:imei" appears in column two of the same row.) For a list of the device attributes that the Mobile OAuth server collects during app requests, open the OAuth Mobile Client Configuration page and locate the Device Claim Attributes list in the Configuration Settings section. To add additional attributes, click Add to add a row at the bottom of the table, and enter the attribute name. (Enter attributes sourced from Mobile Security Manager in the first column, and attributes from the Mobile OAuth server in the second column. Enter attributes one per row unless the attributes are equivalent and should be mapped to one another.)

Attributes - Use this section to define custom plug-in attributes.

53.3.9 Server Settings

Use the Server Settings Configuration page to configure general server settings for the named identity domain.

Note:

See Deployment Constraints for Mobile and Social for information about deploying Mobile and Social with a WebGate.

Identity Domain - The name of the identity domain to which the settings on this configuration page apply. (Read-only)

HTTP Proxy Settings

Configure the following settings if a proxy server is in place between the OAuth Token Service (the Push Service) and the Apple Push Notification Service (APNS) or Google Cloud Messaging (GCM) service.

Proxy URL - Choose the protocol to use to connect to the proxy server (HTTP or HTTPS), then type the proxy server host name and port number.

Proxy Authentication - Type the user name and password required to authenticate with the proxy server.

Apple Push Notification

Configure the default values that should be used for this identity domain. Use the OAuth Mobile Client Configuration page to customize these settings on an app by app basis.

Minimum Connection Pool Size - Specifies the minimum number of connections in the connection pool.

Maximum Connection Pool Size - Specifies the maximum number of connections in the connection pool.

Keep Alive - The Apple Push Notification keep alive value in seconds.

Token Life Cycle Management

Maximum Search Results - Specify the maximum number of token entry search results that should be returned on the Token Life Cycle Management page.

Attributes

Attributes - Use this section to define custom attributes.

Table 53-5 OAuth Server Settings Attributes

Name: wgAuthnUserHeader

Value: OAM_REMOTE_USER

Notes: This attribute is optional. If an OAM WebGate is front-ending or proxying requests to an OAuth server, set this attribute. The OAM WebGate sets the OAM_REMOTE_USER header to identify the authenticated user. If a deployment uses a different header name instead of OAM_REMOTE_USER, set this attribute to that header name.
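The following illustration (an added example, not Oracle's code) shows how a back end behind a WebGate would look up the header named by the wgAuthnUserHeader attribute, falling back to OAM_REMOTE_USER, and why it should honor that header only on requests that actually arrived through the WebGate. The function names and the from_trusted_webgate flag are assumptions made for the example.

```python
DEFAULT_USER_HEADER = "OAM_REMOTE_USER"


def configured_user_header(attributes):
    """Return the header name the deployment uses. The attribute is optional,
    so an absent or blank value means the documented default."""
    name = attributes.get("wgAuthnUserHeader", "").strip()
    return name or DEFAULT_USER_HEADER


def resolve_webgate_user(attributes, headers, from_trusted_webgate):
    """Return the user identified by the WebGate header, or None.

    attributes: the OAuth Server Settings attribute map (constructed sample).
    headers: request header name -> value; names are matched
    case-insensitively, as HTTP header names are.
    from_trusted_webgate: assumption for this example; True only when the
    request came over the path the WebGate proxies (for example, the proxy's
    verified address or TLS identity). Without that check any client could
    send the header itself and assert an arbitrary user name, so the header
    is ignored on other paths.
    """
    if not from_trusted_webgate:
        return None
    wanted = configured_user_header(attributes).lower()
    for name, value in headers.items():
        if name.lower() == wanted and value.strip():
            return value.strip()
    return None
```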

53.3.10 Jailbreak Detection Policy

You can configure the Jailbreak Detection Policy using the user interface.

See Jailbreak Detection Policy - OAuth Services for introductory information about the jailbreak detection policy. The following section describes how to use the user interface to configure the policy.

Jailbreak Detection - Select Enabled to turn the Jailbreaking Detection Policy on, or clear this option to turn it off for all client application instances. If you enable the Jailbreaking Detection Policy here, you can disable it on an application by application basis. If you disable the Policy here, you cannot enable or disable the feature on an application by application basis.

Policy Statements

Use the buttons in the menu to add, delete, and re-order policy statements.

Order - The sequential row number assigned to each row in the table.

Enabled - Select this option to activate the policy statement condition.

Minimum OS Version - The minimum iOS version to which the policy applies. If the value is 1.0, the policy will apply to iOS devices running at least version 1.0 of iOS.

Maximum OS Version - The maximum iOS version to which the policy applies. If the value is empty, no maximum iOS version is checked, so the policy applies to any iOS version higher than the value specified for Minimum OS Version. Once a value is set, you cannot remove it and leave this field empty.

Minimum Client SDK Version - The minimum Mobile and Social Client SDK version number. For example, 11.1.2.0.0.

Maximum Client SDK Version - The maximum Mobile and Social Client SDK version number. For example, 11.1.2.3.0.

Details - Additional details about the Jailbreak Detection Policy statement. Hover the mouse over the info icon to view the details in a pop-up.

Policy Statement Conditions

Click to select a row in the table to view or edit its values in this section. See the previous section (Policy Statements) for field descriptions.

Policy Statement Detection Logic

Policy Expiration Duration - Type the length of time in seconds that the SDK on the mobile client device should wait before expiring the local copy of the policy and retrieving a newer version.

Auto Check Period - Type the interval of time in minutes that the client device should wait before executing the Jailbreaking Detection Policy statements again.

Detection Location - The iOS client device uses a logical-OR operator to evaluate Policy statements. Add a Detection Location as follows:

  • File Path - Type the absolute path to the file or directory on the device for which the Detection Policy should search.

  • Action - Select Exists, which instructs the Detection Policy to evaluate whether it can access the file path.

  • Success - Select this option if the Policy should flag the device as jailbroken when the specified files or directories are found on the device; use it when the policy is checking for unauthorized files or directories. Clear this option if the Policy should flag the device as jailbroken when the specified files or directories are not found; use that setting when checking for required files or directories.
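To make the statement and detection-location semantics concrete, here is an added example (not Oracle's SDK code) that evaluates a policy as the preceding fields describe it: a statement applies only when Enabled and the device's iOS and Client SDK versions fall in its ranges (an empty Maximum OS Version means no upper bound), each Detection Location uses the Exists action with the Success flag deciding which outcome counts as jailbroken, and statements are combined with logical OR. It assumes the field names used below, that locations within one statement are also OR-ed, and that the device's file-system findings are supplied as a set of existing paths; the sample policy and its paths are constructed placeholders.

```python
def parse_version(text):
    """'11.1.2.3.0' -> (11, 1, 2, 3, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, minimum, maximum):
    """An empty maximum means no upper bound, as for Maximum OS Version."""
    v = parse_version(version)
    if v < parse_version(minimum):
        return False
    return not maximum or v <= parse_version(maximum)


def statement_applies(statement, device):
    """A statement counts only if Enabled and both version ranges match."""
    return (statement["enabled"]
            and in_range(device["os_version"], statement["min_os"], statement["max_os"])
            and in_range(device["sdk_version"], statement["min_sdk"], statement["max_sdk"]))


def location_flags_device(location, existing_paths):
    """Action is Exists. Success set: finding the path means jailbroken
    (unauthorized file). Success cleared: a missing path means jailbroken
    (required file)."""
    found = location["file_path"] in existing_paths
    return found if location["success"] else not found


def device_is_jailbroken(policy, device, existing_paths):
    """Logical OR over applicable statements and (assumption) over the
    detection locations within each statement."""
    if not policy["enabled"]:
        return False
    return any(
        statement_applies(s, device)
        and any(location_flags_device(loc, existing_paths) for loc in s["locations"])
        for s in policy["statements"])


# Constructed sample policy; the paths are placeholders, not real indicators.
SAMPLE_POLICY = {"enabled": True, "statements": [{
    "enabled": True, "min_os": "1.0", "max_os": "",
    "min_sdk": "11.1.2.0.0", "max_sdk": "11.1.2.3.0",
    "locations": [
        {"file_path": "/example/unauthorized-tool", "success": True},
        {"file_path": "/example/required-system-file", "success": False}]}]}
```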

53.3.11 Token Life Cycle Management

You can use the Token Life Cycle Management page to search for and revoke tokens that have been issued.

You can search for tokens using criteria such as user ID, client ID/name, client IP address, service profile, assertion token category, and token creation/expiration time. Enter your criteria and click Search. The maximum number of token entry search results returned is determined by the Maximum Search Results setting on the OAuth Server Settings page.

Search Criteria

Identity Domain - The name of the identity domain in which you are searching for tokens. (Read only)

User - Specify an LDAP UID (john.smith) or an LDAP Fully Qualified DN (cn=jane.smith,dc=example,dc=com) to search by.

Client - Specify a client ID to search for tokens by.

Client IP Address - Specify a client IP address (for example, 192.168.100.1) to search for tokens by.

Service Profile - Choose a profile from the menu, or leave this selection empty.

Assertion Token Category - Choose a category from the menu, or leave this selection empty.

Token Issued - Search for tokens by the date and time that they were issued.

Token Expiring at - Search for tokens by the date and time that they expire.

Mobile Device Claim Attributes

IMEI - Specify the unique 15-digit IMEI (International Mobile Equipment Identity) code to search by. The IMEI can be displayed on most mobile handsets by dialing *#06#.

MAC Address - Specify the unique MAC (Media Access Control) address to search by.

Phone Number - Specify a phone number to search by.