56.5 Configuring Access Manager for RSA SecurID Authentication

Users with valid Oracle Access Management Administrator credentials can enable RSA SecurID authentication.


See Installation and Configuration Requirements for installation and configuration that is outside the scope of this manual) and which must be completed before you begin SecurID integration with Access Manager.

See Also:

To set up SecurID Authentication with Access Manager

  1. In your oam-config.xml, set the OAM SecurID Sever serverRequestCacheType parameter to BASIC, as follows:

    1. Stop all WebLogic servers (OAM Servers and AdminServer).

    2. Locate oam-config.xml in the following path:

    3. Change the serverRequestCacheType from COOKIE (default) to BASIC, as follows:

      <Setting Name="serverRequestCacheType" Type="xsd:string">BASIC</Setting>
    4. Start all WebLogic Servers (OAM Servers and AdminServer).

  2. Register a Web agent from the RSA Console that will be used by Access Manager, then copy the agent configuration file (sdconf.rec) as follows:

  3. Using the Oracle Access Management Console, create a custom authentication module for RSA, as follows:

    1. Click Application Security at the top of the window.

    2. Select Create Custom Authentication Module from the Create (+) drop-down menu in the Plug-ins section.

    3. Select the General tab and enter the following:

      Name: RSA_AUTH
    4. Select the Steps tab and enter a name for the Step, then choose the RSA SecurID Plugin

      Step Name: stepRSA
      Plugin Name: RSA SecurID Plugin
    5. In the stepRSA, Step Details tab, enter and Save the Step Details shown in the next screen, which should also appear in your customhtml.properties file:

    6. Steps tab: Add the User Identification Plugin: Enter a name for the Step, then choose the RSA SecurID Plugin:

      Step Name: rsa_useridentification
      Plugin Name: UserIdentificationPlugin
    7. rsa_useridentification, Step Details: Enter and Save the following details for your environment:


      KEY_IDENTITY_STORE_REF: The registered Default Store.

      KEY_SEARCH_BASE_URL: dc=us,dc=example,dc=com

  4. Orchestrate the steps as follows: stepRSA should be first (to authenticate the user with the RSA Server); designate your User Identification Plugin for the success step.

    Initial Step: stepRSA
    Name: StepRSA
    On Success: rsa_useridentification
    On Failure: failure
    On Error: failure
    Name: rsa_useridentification
    On Success: Success
    On Failure: failure
    On Error: failure


    The On Failure and On Error fields must both be set to failure.

  5. Create a new authentication scheme (RSACredScheme, for example) that uses the custom authentication module that you just created for RSA with a custom HTML login form. Sample values are shown in the following screen:


    The authentication scheme's Context Value specifies the path to your custom HTML login form. Your custom HTML properties file must share the same name as the form (with a .properties extension) in the same directory path. This example uses customhtml.html and customhtml.properties.

    Challenge parameters specify the initial RSA command for authentication (RSA_USER_PASSCODE). The is_rsa=true parameter and value must be specified for RSA.

  6. Use this scheme in the Application Domain protecting resources requiring SecurID authentication.

  7. Ensure that your custom HTML file is present in:


    The Custom HTML for RSA Login Form requires form action set to /oam/server/auth_cred_submit, as follows:

    <form id="loginData" action="/oam/server/auth_cred_submit" method="post" name="loginData">
    <div id="oam_credentials" class="input-row"> 
    <span class="ctrl"></span>
    div class="button-row">
        <span class="ctrl"> 
    <input id="login_button" type="submit" value="Login" class="formButton" 
      onclick="this.disabled=true;document.body.style.cursor = 'wait'; 
      this.className='formButton-disabled';form.submit();return false;"/>
    <div id="oam_error_messages"></div>
  8. Ensure that your customHTML.properties file is:

    • Named as your custom HTML file with a .properties extension

    • Stored in the same path as your custom HTML file

    • Confirmed; settings match the RSA SecurID plugin configuration parameters. For example:

        passcode=Mother's maiden name 
        rsa_new_pin=RSA New Pin 
        rsa_new_pin_confirm=RSA Confirm New Pin 
        Pin=RSA Pin 
        rsa_sysgen_pin=RSA Create New Pin 
        rsa_sysgen_pin_confirm=RSA System Generated Pin 
        error1=Username not specified 
  9. Restart OAM Servers.

  10. Test your configuration by accessing the appropriate protected resource and validating the various modes.

  11. See "RSA SecurID Issues and Logs" for details if you experience problems.