Using Passwordless Authentication with OAM

This section provides an overview of passwordless authentication and its configuration in OAM.

About Passwordless Login

OAM provides passwordless authentication, which allows you to bypass the standard web-form-based authentication when using a mobile device. Passwordless authentication allows access to the protected resource without entering the username and password every time. However, the first-time login is through the standard login form.

The first time you access the protected resource, you are redirected to the standard login form. After a successful login, you can enable passwordless notification-based authentication.

The next time (and every subsequent time) you access the protected page and are required to log in, a message is displayed (instead of the standard login page) stating that a push notification has been sent to your mobile device. To authenticate, you must open the Oracle Mobile Authenticator (OMA) app on your registered mobile device and allow access. You are then redirected to the protected page.

OMA is a mobile app and must be installed on the mobile device, and registered with OAM. For more information about OMA, see Configuring the Oracle Mobile Authenticator.

OAM provides Adaptive Authentication Plugin, Passwordless Plugin, module, and scheme for configuring passwordless login. See Configuring Passwordless Login with OAM.

You can customize the following pages for the Passwordless Scheme and Second Factor Authentication (SFA) using the custom pages framework:

  • Login Page
  • Challenge Page
  • Challenge Choice Page
  • Challenge Answer Page
  • Waiting Page (Intermediate Page)

See Developing Custom Pages for details.

Configuring Passwordless Login with OAM

Passwordless authentication allows you to bypass the standard web-form-based authentication when using a mobile device. You can configure passwordless authentication using OAM.

This section provides steps to configure passwordless login:

  1. Enabling Adaptive Authentication Service
  2. Configuring the Adaptive Authentication Service Plugin to support Push Notification
  3. Setting Credentials for iOS and Android and configuring certificates for Apple push notification service and OMA.
  4. Configuring Passwordless Authentication Module and Scheme
  5. Protecting Resources with Passwordless Scheme

Enabling Adaptive Authentication Service

The Adaptive Authentication Service must be enabled for features such as passwordless login to work.

To enable the Adaptive Authentication Service:
  1. Log in to the Oracle Access Management Console:
     https://hostname:port/oamconsole/
  2. From the Welcome page, click Configuration and then click Available Services.
  3. Under Application Security, click Enable Service beside the Adaptive Authentication Service (or confirm that the green Status check mark displays).

     A Confirmation window is displayed.

  4. Click Enable Service.

Configuring Passwordless Authentication Module and Scheme

Configure the parameters for the passwordless authentication module and scheme. The passwordless authentication plugin is available as part of the OAM installation and does not need to be configured separately.

This section describes the parameters that need to be configured in the passwordless authentication module and scheme.

Passwordless Authentication Module

Passwordless authentication module provides UserIdentificationPlugin, UserAuthenticationPlugin, and PasswordlessPlugin as individual steps in the passwordless authentication process.

To configure the Passwordless authentication module in the Oracle Access Management Console:
  1. Log into the Oracle Access Management Console as System Administrator.
  2. From the Application Security Launch Pad, click Authentication Modules under Plug-ins.
  3. From the Authentication Modules tab, search for PasswordlessModule.
  4. Update Passwordless authentication module properties as follows:

Table -33 UserIdentification Step

Step detail, followed by its description:

  KEY_IDENTITY_STORE_REF
    The name of the registered Identity Store containing the module users.
    Default: The registered Default Store.

  KEY_LDAP_FILTER
    Add the LDAP filter to the KEY_LDAP_FILTER attribute. Only standard LDAP attributes can be used when defining an LDAP search filter. For example: (uid={KEY_USERNAME})

  KEY_SEARCH_BASE_URL
    Base URL for user searches. For example: dc=us,dc=example,dc=com

Table -34 UserAuthentication Step

Step detail, followed by its description:

  KEY_PROP_AUTHN_EXCEPTION
    Enable or disable the propagation of LDAP errors.

  KEY_IDENTITY_STORE_REF
    The name of the registered Identity Store containing the module users.
    Default: The registered Default Store.

  KEY_ENABLE_AUTHN_FAILOVER
    If set to false, the user's password is removed from the authentication context so that it cannot be used in subsequent plugins. If set to true, the password can be used in subsequent plugins for further user authentication.
    Default: false

  KEY_PROP_AUTHN_LEVEL
    When set to a particular value, that value is set as the OAMAuthnLevelPrincipal in the subject of the authenticated user.

Table -35 Passwordless Step

Step detail, followed by its description:

  IdentityStoreRef
    The name of the registered Identity Store containing the module users.
    Default: The registered Default Store.

  PushProxyProtocol
    Proxy protocol.

  PushProxyHost
    Name of the proxy host, if notifications are sent to the server through a proxy.

  PushProxyPort
    Proxy port, if notifications are sent to the server through a proxy.

  PushTitleMsg
    Title of the message sent to the user's OMA application on the user's device.

  PushExpiryTimeMs
    Time after which the push notification is considered expired, measured from the time the push notification is sent to the server.
    Default: 60000 (milliseconds).

  PushAPNsProdServer
    If set to true, the APNS production server is used to send notifications.
    Default: false.

  URL_ACTION
    The type of servlet action used to redirect the user to the specific password page for expiry and warning pages. Value can be one of the following:
      • REDIRECT_POST
      • REDIRECT_GET
      • FORWARD
    Default: FORWARD.

  URL_REDIRECT
    The URL to redirect to for showing the user the passwordless waiting page. This field is required for the passwordless page customizations.
    Default: /oam/pages/passwordless.jsp

  PasswordlessGroup
    Restricts the passwordless feature to the members of the specified groups. Multiple groups can be specified, separated by the configured PasswordlessGroupDelimiter (comma by default).
    Default: empty, meaning all users in the configured identity store have the passwordless feature enabled.

  PasswordlessGroupDelimiter
    The delimiter used to specify multiple groups in PasswordlessGroup.
    Default: comma (,).

  DenyDisabledLockedUsers
    When set to true, users in the disabled or locked state cannot use the passwordless feature and are always sent to password-based authentication.
    This is required for the case where a user who has been authenticating passwordlessly is disabled through the OAM password management module, so that authentication is denied for that user.
    Default: false.

  CookieMaxAge
    The maximum age of the passwordless cookie. After this time (since the last passwordless login), the user is required to log in again with the password.
    Default: 8640000 (seconds).

  CookieName
    Name of the cookie that is set for passwordless authentication.
    Default: ORA_OAM_BTHGOES

  CookieValidateBrowserFP
    Controls whether the passwordless cookie is validated against the browser's user agent string.
    Default: true.

  CookieValidateIpAddress
    Specifies whether the passwordless cookie is validated against the IP address from which it was initially set.
    Default: true.

  CookieIssuedExpiration
    Time, measured from when the cookie was issued, after which the cookie is considered expired (invalid).
    Default: 7776000000 (milliseconds).

  CookieRefreshExpiration
    Time, measured from when the cookie was last refreshed, after which the cookie is considered expired. This value is set as part of the cookie value and cannot be changed from the browser's side.
    Default: 864000000 (milliseconds).

  CookieDomain
    The domain used when constructing the passwordless cookie. This is used for extra security.
    Default: empty string.

  PushPurgeExpiredRequest
    Allows the server to purge expired push notification requests, so that storage for push notifications is not consumed by expired requests that are no longer needed.
    Default: false.

  PushPollTimeMs
    The interval the browser waits before it again sends a request to the OAM server to check whether the notification has been acted upon.

  HandleFailedCounter
    Enables the server to handle notifications that are consistently rejected, for added security. When enabled, the OAM server keeps track of rejected notifications, and if the count exceeds MaxFailureCounter, the user is forced to perform normal password-based authentication.
    Default: false.

  EnableFailedCounterOnExpiry
    Optional. Enables a failure counter for notifications that go unanswered. Once enabled, the counter tracks the number of times the notification has gone unanswered; when that number exceeds MaxFailureCounter, the user must authenticate with their actual password.
    Default: false.

  MaxFailureCounter
    Maximum number of times the notification can fail or go unanswered before password-based authentication is re-triggered.
    Default: 5.

  ForceBiometric
    Not used.

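As an added example (not OAM's own code), the following Python models how the group, account-state, cookie-validation and failure-counter settings of the Passwordless step combine to decide whether a request may stay on the passwordless path or must fall back to the login form. The class and function names, the assumed cookie contents and all sample values are assumptions for illustration; only the setting names and defaults come from the table.

```python
from dataclasses import dataclass

# Hypothetical model of the Passwordless step settings (names and defaults from
# the table above; everything else here is an assumption for illustration).
@dataclass
class PasswordlessConfig:
    PasswordlessGroup: str = ""
    PasswordlessGroupDelimiter: str = ","
    DenyDisabledLockedUsers: bool = False
    CookieValidateBrowserFP: bool = True
    CookieValidateIpAddress: bool = True
    CookieIssuedExpiration: int = 7776000000   # ms since the cookie was issued
    CookieRefreshExpiration: int = 864000000   # ms since the cookie was last refreshed
    HandleFailedCounter: bool = False
    EnableFailedCounterOnExpiry: bool = False
    MaxFailureCounter: int = 5

@dataclass
class PasswordlessCookie:
    # Assumed contents of the passwordless cookie (ORA_OAM_BTHGOES by default).
    issued_ms: int
    refreshed_ms: int
    user_agent: str
    ip: str

def allow_passwordless(cfg, cookie, user_groups, disabled_or_locked,
                       rejected, unanswered, req_user_agent, req_ip, now_ms):
    """Return (True, "ok") when the passwordless path may be used, otherwise
    (False, reason), meaning the user is sent to password-based authentication."""
    if cfg.PasswordlessGroup:  # empty means every user in the id store is eligible
        allowed = {g.strip() for g in cfg.PasswordlessGroup.split(cfg.PasswordlessGroupDelimiter)}
        if not allowed & set(user_groups):
            return False, "user not in PasswordlessGroup"
    if cfg.DenyDisabledLockedUsers and disabled_or_locked:
        return False, "account disabled or locked"
    if now_ms - cookie.issued_ms > cfg.CookieIssuedExpiration:
        return False, "cookie past CookieIssuedExpiration"
    if now_ms - cookie.refreshed_ms > cfg.CookieRefreshExpiration:
        return False, "cookie past CookieRefreshExpiration"
    if cfg.CookieValidateBrowserFP and cookie.user_agent != req_user_agent:
        return False, "user agent mismatch"
    if cfg.CookieValidateIpAddress and cookie.ip != req_ip:
        return False, "IP address mismatch"
    # Each counter is only consulted when its enabling flag is on.
    if cfg.HandleFailedCounter and rejected > cfg.MaxFailureCounter:
        return False, "MaxFailureCounter exceeded (rejected)"
    if cfg.EnableFailedCounterOnExpiry and unanswered > cfg.MaxFailureCounter:
        return False, "MaxFailureCounter exceeded (unanswered)"
    return True, "ok"
```

CookieMaxAge is enforced by the browser as the cookie's lifetime and is therefore not modelled here.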
Passwordless Authentication Scheme

Set the challenge parameters in the passwordless authentication scheme to bypass the login form.

The passwordless authentication scheme ships with all the configuration required for passwordless login to work; no additional configuration is required.

However, to customize the passwordless waiting page and the first-page-before-authentication, you must update the following parameters of the passwordless authentication scheme:

  • Challenge URL
  • Context value
  • Context Type

Ensure the initial_command is set to NONE under the challenge parameters to bypass the login form.

For details on all the parameters in the authentication scheme, see Authentication Schemes and Pages.

Protecting Resources with Passwordless Scheme

Complete the configuration for passwordless login by assigning the passwordless authentication scheme to the protected resource policy.

  1. From the Application Security Launch Pad, select Application Domains under Access Manager.
  2. Search and open the required Application Domain.
  3. Open the Authentication Policy tab and click Protected Resource Policy.
  4. Select the PasswordlessScheme from the Authentication Scheme dropdown list and click Apply.