Using Passwordless Authentication with OAM

This section provides an overview of passwordless authentication and its configuration in OAM.

About Passwordless Login

OAM provides passwordless authentication, which allows you to bypass the standard web-form-based authentication when using a mobile device. Passwordless authentication allows access to the protected resouce without the need for entering the username and password everytime. However, the first time login is through the standard login form.

During the first time while accessing the protected resource, you are redirected to the standard login form. After successful login, you can enable passwordless notification-based authentication.

The next time (and subsequently) when you access the protected page and are required to login, a message is displayed (instead of the standard login page) mentioning that a push notification is sent to your mobile device. To authenticate, you must open the Oracle Mobile Authenticator (OMA) app on your registered mobile device and allow access. You are then redirected to the protected page.

OMA is a mobile app and must be installed on the mobile device, and registered with OAM. For more information about OMA, see Configuring the Oracle Mobile Authenticator.

OAM provides Adaptive Authentication Plugin, Passwordless Plugin, module, and scheme for configuring passwordless login. See Configuring Passwordless Login with OAM.

You can customize the following pages for the Passwordless Scheme and Second Factor Authentication (SFA) using the custom pages framework:

  • Login Page
  • Challenge Page
  • Challenge Choice Page
  • Challenge Answer Page
  • Waiting Page (Intermediate Page)

See, Developing Custom Pages for details.

Configuring Passwordless Login with OAM

Passwordless authentication allows you to bypass the standard web-form-based authentication when using a mobile device. You can configure passwordless authentication using OAM.

This section provides steps to configure passwordless login:

  1. Enabling Adaptive Authentication Service
  2. Configuring the Adaptive Authentication Service Plugin to support Push Notification
  3. Setting Credentials for iOS and Android and configuring certificates for Apple push notification service and OMA.
  4. Configuring Passwordless Authentication Module and Scheme
  5. Protecting Resources with Passwordless Scheme

Enabling Adaptive Authentication Service

Adaptive Autentication Service must be enabled for the features, such as, passwordless login to work.

To enable the Adaptive Authentication Service
  1. Log in to the Oracle Access Management Console
  2. From the Welcome page, click Configuration and then click Available Services
  3. Under Application Security, click Enable Service beside the Adaptive Authentication Service (or confirm that the green Status check mark displays).

    A Confirmation window is displayed.

  4. Click Enable Service.

Configuring Passwordless Authentication Module and Scheme

Configure the parameters for the passwordless authentication module and scheme. Passwordless authentication plugin is available as part of the OAM installation and is not required to be configured seperately.

This section provides details about the parameters that needs to be configured in the passwordless authentication module and scheme.

Passwordless Authentication Module

Passwordless authentication module provides UserIdentificationPlugin, UserAuthenticationPlugin, and PasswordlessPlugin as individual steps in the passwordless authentication process.

To configure the Passwordless authentication module in the Oracle Access Management Console:
  1. Log into the Oracle Access Management Console as System Administrator.
  2. From the Application Security Launch Pad, click Authentication Modules under Plug-ins.
  3. From the Authentication Modules tab, search for PaswordlessModule.
  4. Update Passwordless authentication module properties as follows:

Table -33 UserIdentification Step

Step Details Description

The name of the registered Identity Store containing the module users.

Default: The registered Default Store.

KEY_LDAP_FILTER Add the LDAP filter to the KEY_LDAP_FILTER attribute. Only standard LDAP attributes can be used when defining an LDAP search filter. For example: (uid={KEY_USERNAME})
KEY_SEARCH_BASE_URL Base URL for user searches. For example: dc=us,dc=example,dc=com

Table -34 UserAuthentication Step

Step Details Description
KEY_PROP_AUTHN_EXCEPTION Enable or disable the propagation of LDAP errors.

The name of the registered Identity Store containing the module users.

Default: The registered Default Store.

KEY_ENABLE_AUTHN_FAILOVER If the parameter is false, the userpassword is removed from the authentication context so that it cannot be used in subsequent plugins.

If set to true, the password can be used in subsequent plugins for further user authentication.

Default: false

KEY_PROP_AUTHN_LEVEL When set to a particular value, that value is set as the OAMAuthnLevelPrincipal in the subject of the authenticated user.

Table -35 Passwordless Step

Step Details Description
IdentityStoreRef The name of the registered Identity Store containing the module users.

Default value is the registered Default Store.

PushProxyProtocol Proxy protocol.
PushProxyHost Name of the proxy host if notifications are sent to the server using a proxy.
PushProxyPort Proxy port if notifications are sent to the server using a proxy.
PushTitleMsg Title for the message sent to the user’s OMA application on user’s device.
PushExpiryTimeMs Time after which the push notification is considered expired, from the time the push notification is sent to the server.

Default value is 60000, in milliseconds.

PushAPNsProdServer If set to true, the APNS production server is used to send notifications.

Default value is false.

URL_ACTION The type of servlet action needed for redirecting the user to the specific password page for expiry and warning pages.

Value can be one of the following:


Default is FORWARD.

URL_REDIRECT The url to be redirected to, for showing the user the passwordless waiting page.

This field is required for the passwordless pages customizations.

Default value is /oam/pages/passwordless.jsp

PasswordlessGroup The passwordless feature can be restricted to certain groups of users. This field can be used to restrict only certain users to be able to use the passwordless feature.

Multiple groups can be specified separated using , (comma- the default value for the PasswordlessGroupDelimiter) or any PasswordlessGroupDelimiter as configured.

Default is empty. It means that all the users in the configured idstore have passwordless feature enabled.

PasswordlessGroupDelimiter The delimiter used to specify multiple groups for PasswordlessGroups.

Default value is comma (,).

DenyDisabledLockedUsers When this value is set to true, users who are in disabled and locked states cannot use passwordless feature.

These users will be moved to password-based authentication always.

Default value is false.

This is required when a user has been using passwordless-based authentication and is suddenly disabled using OAM password management module, because of which authentication is denied for that user.

CookieMaxAge The maximum age of the cookie related to passwordless related cookie.

After this time (since last passwordless login), the user is required to login again with the password.

Default value is 8640000, in seconds.

CookieName Name of the passwordless cookie that gets set for passwordless authentication.

Default value is ORA_OAM_BTHGOES

CookieValidateBrowserFP Controls whether the passwordless cookie is validated for the browser’s user agent string.

Default value is true.

CookieValidateIpAddress Specifies whether the passwordless cookie is validated for the ipaddress where it was initially set.

Default value is true.

CookieIssuedExpiration Time, after which, when the cookie is configured as invalid, from the time the cookie is considered expired.

Default value is 7776000000, in milliseconds.

CookieRefreshExpiration Time between, when the cookie is refreshed and then the time when cookie is considered expired.

Default value is 864000000, in milliseconds.

This value is set as part of the cookie value, and cannot be changed from the browser's side.

CookieDomain The domain, which is used while constructing the passwordless cookie. This is used for extra security.

Default value is Empty String.

PushPurgeExpiredRequest Allows the server to purge the expired push notification requests so as to maintain the storage for push notifications and not have expired requests that are not required.

Default value is false.

PushPollTimeMs The time that the browser uses to wait till it again sends a request to OAM server to check if the notification has been acted upon.
HandleFailedCounter Enables the server to handle notifications that are rejected consistently, for added security.

When enabled, the OAM server keeps track of notifications that have been rejected and if it is more than MaxFailureCounter, then the user is forced to do a normal password based authentication.

Default value is false.

EnableFailedCounterOnExpiry Optional. When the notification goes unanswered, a failure counter can be enabled.

Once enabled, the counter keeps track on number of times the notification has gone unanswered.

When it has gone unanswered more than the MaxFailureCounter, then the user needs to do a authentication using their actual password.

Default value is false.
MaxFailureCounter Maximum number of times the notification can be failed or unanswered, before which a password based authentication is re-triggered.

Default value is 5.

ForceBiometric Not Used.
Passwordless Authentication Scheme

Set the challenge parameters in the passwordless authentication scheme to bypass the login form.

The passwordless authentication scheme is available with all the necessary configurations required for the passwordless login to work. There are no additional configurations required.

However, to customize the passwordless waiting page and the first-page-before-authentication, you must update the following parameters of the passwordless authentication scheme:

  • Challenge URL
  • Context value
  • Context Type

Ensure the initial_command is set to NONE under the challenge parameters to bypass the login form.

For details on all the parameters in the authentication scheme, see Authentication Schemes and Pages

Protecting Resources with Passwordless Scheme

Complete the configuration for passwordless login by assigning the passwordless authentication scheme to the protected resource policy.

  1. From the Application Security Launch Pad, select Application Domains under Access Manager.
  2. Search and open the required Application Domain.
  3. Open the Authentication Policy tab and click Protected Resource Policy.
  4. Select the PasswordlessScheme from the Authentication Scheme dropdown list and click Apply.