Using OAM Pre Authentication Advanced Rules in OAM IdP
This article showcases how to use the OAM Authentication Advanced Rule with OAM as an IdP for the following use case:
- OAM acts as the IdP
- A specific scheme is used to challenge all the users
- The OAM Authentication Policy for that scheme is configured to have a Pre-Authentication Advanced Rule that evaluates whether the browser is a desktop browser or a mobile browser
- If the user is using a desktop/laptop, then the configured Authentication Scheme is used
- Otherwise, if the user is on a mobile device, another scheme targeted at mobile platforms is used, which facilitates user interaction by using a mobile login page
For more information about the Pre Authentication Advanced Rules in OAM, refer to the OAM Administrator’s Guide.
OAM Authentication Advanced Rules
In the 11.1.2.2.0 release of Oracle Access Manager, Advanced Rules for Authentication Policies were introduced:
- Pre Authentication Rules, which allow an administrator to define a policy that is evaluated when an OAM authentication operation is being performed, before the user is challenged by the Authentication Scheme. The rule can either block access, or instruct OAM to use a secondary Authentication Scheme to challenge the user, different from the one listed as the Authentication Scheme in the Authentication Policy
- Post Authentication Rules, which allow an administrator to define a policy that is evaluated after the Authentication Scheme was executed, to block access if necessary.
The runtime data that can be evaluated by the OAM Authentication Advanced Rule is based on either the request, session or user data:
- Request data: This includes the information sent by the user’s browser as well as the protected resource being requested
  - Browser data
    - HTTP headers (User-Agent, Cookie…)
    - Location (IP Address, Proxy address…)
  - Protected resource
    - Hostname
    - Port
    - Path
    - Query String
- Session Data if the rule is a Post Authentication Rule
- User Data if the rule is a Post Authentication Rule
The OAM Administrator’s guide lists the various properties that can be used.
For example, the following Pre Authentication Rule could be used to route authentication requests for Smartphones to another OAM Authentication Scheme:
request.userAgent.lower().find('iphone') > 0 or
request.userAgent.lower().find('mobile') > 0 or
request.userAgent.lower().find('blackberry') > 0 or
request.userAgent.lower().find('android') > 0
In this next example, the Post Authentication Rule indicates to deny access for users having opened more than 2 sessions:
session.count > 2
Note: Post Authentication Rules, which are evaluated as Authentication Responses after authentication, are not evaluated in a Federation SSO flow, since the IdP flow does not involve any Authentication Responses. To implement some authorization based on the user’s identity, Token Issuance Policies can be used, as discussed in this article.
Advanced Rules with IdP
Federation Authentication Policies
When configuring IdP to use a specific OAM Authentication Scheme to challenge users at runtime, an intermediary OAM Authentication Policy is created and bound to the specified OAM Authentication Scheme.
To apply Authentication Advanced Rules within an IdP flow, we need to modify those intermediary OAM Authentication Policies managed by the OAM administration modules.
Out of the box, there are four Federation Authentication Policies in the IAM Suite Application Domain that are used by IdP to authenticate a user at runtime:
- LocalAuthnFederationBasicScheme
- LocalAuthnFederationBasicFAScheme
- LocalAuthnFederationLDAPScheme
- LocalAuthnFederationFAAuthScheme
Description of the illustration Application_Domains.jpg
Additionally, a Federation Authentication Policy is created whenever IdP is configured to use another Authentication Scheme to challenge users during a Federation SSO operation.
The name of the Federation Authentication Policy is based on the Authentication Scheme configured in IdP: "LocalAuthnFederation" + Name_of_the_Authentication_Scheme.
Those policies should not be modified, except to define Pre and Post Authentication Rules.
Defining an Advanced Rule for a Federation Authentication Policy
To configure an Advanced Rule for a Federation Authentication Policy, perform the following steps:
- Go to the OAM Administration Console:
  http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Access Manager, Application Domains
- Click Search and select the IAM Suite Application Domain
- Click on the Authentication Policies tab
- Click on the Federation Authentication Policy you wish to modify
- Click on the Advanced Rules tab in that policy
- Define a Pre Authentication Rule
- Click Apply
Federation Authentication Methods
It might be required to configure IdP to map every OAM Authentication Scheme used to challenge users to a Federation Authentication Method, including the second Authentication Scheme that might be configured in a Pre Authentication Rule.
This is done by using one of the OAM WLST commands:
- addSPPartnerProfileAuthnMethod on an SP Partner Profile
- addSPPartnerAuthnMethod on an SP Partner
Example
Configure OAM to:
- Interact with a remote SP via the SAML 2.0 protocol
- Have the LDAPScheme as the default Authentication Scheme system wide
- Have the LocalAuthnFederationLDAPScheme Authentication Policy set up with a Pre Authentication Rule to use the BasicScheme if the client is a Smartphone
- Map the LDAPScheme to the SAML 2.0 Federation Authentication Method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- Map the BasicScheme to the SAML 2.0 Federation Authentication Method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Default Scheme for IdP
First, let’s configure IdP to use a default Authentication Scheme (even though that is the default scheme out of the box):
- Enter the WLST environment by executing:
  $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
  connect()
- Navigate to the Domain Runtime branch:
  domainRuntime()
- Execute the setIdPDefaultScheme() command:
  setIdPDefaultScheme("LDAPScheme")
- Exit the WLST environment:
  exit()
The consequence is that the LocalAuthnFederationLDAPScheme OAM Authentication Policy is used to challenge users for the remote SP partner.
OAM Advanced Pre Authentication Rule
Let’s now create the Pre Authentication Rule that instructs OAM to use the BasicScheme for Smartphone users; the rule is based on the User-Agent HTTP header:
- Go to the OAM Administration Console:
  http(s)://oam-admin-host:oam-adminport/oamconsole
- Navigate to Access Manager, Application Domains
- Click Search and select the IAM Suite Application Domain
- Click on the Authentication Policies tab
- Click on the LocalAuthnFederationLDAPScheme policy
- Click on the Advanced Rules tab in that policy
- Create a new Pre Authentication Rule
Description of the illustration Authentication_Policy.jpg
Perform the following actions:
- Enter the information for the Pre Authentication Rule:
  - Rule Name: MobileUsers
  - Condition:
    request.userAgent.lower().find('iphone') > 0 or
    request.userAgent.lower().find('mobile') > 0 or
    request.userAgent.lower().find('blackberry') > 0 or
    request.userAgent.lower().find('android') > 0
  - Deny Access: unchecked
  - Switch to Authentication Scheme: BasicScheme
- Click Add
- Click Apply
Description of the illustration Rules_Added_Screen.jpg
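As an added example that is not part of the original article, the following Python script evaluates the two rule expressions quoted in this article (the Smartphone Pre Authentication Rule configured above, which also appears in the "OAM Authentication Advanced Rules" section, and the `session.count > 2` Post Authentication Rule) against constructed request and session data. OAM advanced rules are Python-like expressions over objects such as `request.userAgent` and `session.count`; the `Request`, `Session`, `PreAuthRule`, `evaluate_rule`, `select_scheme` and `route` names below are constructed for this example and are not OAM APIs, and the User-Agent strings are constructed samples. The script also shows one caveat worth knowing when writing such rules: `find()` returns 0 for a keyword at the very start of the header, and the article's `> 0` comparison does not count that as a match.

```python
"""Added example (not from the Oracle article): evaluates OAM-style advanced-rule
expressions against constructed request/session data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    """Constructed stand-in for OAM's `request` object (not the OAM API)."""
    headers: Dict[str, str] = field(default_factory=dict)
    ipAddress: str = "203.0.113.10"  # RFC 5737 documentation address, constructed

    @property
    def userAgent(self) -> str:
        # OAM exposes the User-Agent header as request.userAgent; model it the same way.
        return self.headers.get("User-Agent", "")


@dataclass
class Session:
    """Constructed stand-in for OAM's `session` object; count = open sessions for the user."""
    count: int = 1


@dataclass
class PreAuthRule:
    """The fields of a Pre Authentication Rule as configured in the console."""
    name: str
    condition: str
    deny_access: bool = False
    switch_to_scheme: Optional[str] = None


# The article's two rule expressions, verbatim.
MOBILE_CONDITION = (
    "request.userAgent.lower().find('iphone') > 0 or "
    "request.userAgent.lower().find('mobile') > 0 or "
    "request.userAgent.lower().find('blackberry') > 0 or "
    "request.userAgent.lower().find('android') > 0"
)
TOO_MANY_SESSIONS_CONDITION = "session.count > 2"


def evaluate_rule(condition: str, request: Request, session: Optional[Session] = None) -> bool:
    """Evaluate a rule expression with only `request` and `session` in scope.

    The empty __builtins__ keeps the expression from reaching anything else, while
    the str methods the article's rules rely on (lower, find) remain available.
    """
    namespace = {"__builtins__": {}, "request": request, "session": session}
    return bool(eval(condition, namespace))


def select_scheme(policy_scheme: str, rules: List[PreAuthRule], request: Request) -> Optional[str]:
    """Scheme OAM would challenge with, or None when a matching rule denies access.

    Rules are checked in order and the first one whose condition holds decides.
    """
    for rule in rules:
        if evaluate_rule(rule.condition, request):
            if rule.deny_access:
                return None
            return rule.switch_to_scheme or policy_scheme
    return policy_scheme


MOBILE_USERS = PreAuthRule("MobileUsers", MOBILE_CONDITION, switch_to_scheme="BasicScheme")

# Constructed sample User-Agent values.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/104.0"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 12; Pixel 6) Mobile Safari/537.36"
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) Mobile/15E148"
# Keyword at position 0: find() returns 0 and the article's `> 0` comparison does not
# count it as a match, so this client stays on LDAPScheme. Real browsers do not send
# such a value, but `>= 0` (or `in`) is the robust comparison.
EDGE_UA = "android-app/1.0"


def route(user_agent: str) -> Optional[str]:
    """Scheme the LocalAuthnFederationLDAPScheme policy would use for this client."""
    return select_scheme("LDAPScheme", [MOBILE_USERS], Request({"User-Agent": user_agent}))


def deny_for_sessions(count: int) -> bool:
    """Post Authentication Rule from the article: deny when the user has more than 2 sessions."""
    return evaluate_rule(TOO_MANY_SESSIONS_CONDITION, Request(), Session(count))


if __name__ == "__main__":
    for ua in (DESKTOP_UA, ANDROID_UA, IPHONE_UA, EDGE_UA):
        print(f"{ua[:45]:45} -> {route(ua)}")
    print("deny with 3 sessions:", deny_for_sessions(3))
```

Running the script prints LDAPScheme for the desktop client, BasicScheme for the Android and iPhone clients, LDAPScheme for the edge-case header, and True for the three-session check. Keep in mind that the real Post Authentication Rule is not evaluated in the IdP flow, as the note earlier in this article explains; it is included here only to show how session data enters a rule.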
Federation Authentication Method Mappings
Finally, let’s map the schemes that are used in our deployment to SAML 2.0 Federation Authentication Methods (even though out of the box the mapping already exists for LDAPScheme and BasicScheme).
In our environment, two schemes are used:
- LDAPScheme, configured in IdP
- BasicScheme, configured in the Pre Authentication Rule
Map both schemes to urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport at the partner profile level:
- Enter the WLST environment by executing:
  $IAM_ORACLE_HOME/common/bin/wlst.sh
- Connect to the WLS Admin server:
  connect()
- Navigate to the Domain Runtime branch:
  domainRuntime()
- Execute the addSPPartnerProfileAuthnMethod() command once per scheme:
  addSPPartnerProfileAuthnMethod("saml20-sppartner-profile","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","LDAPScheme")
  addSPPartnerProfileAuthnMethod("saml20-sppartner-profile","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport","BasicScheme")
- Exit the WLST environment:
  exit()
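The mapping step above is easy to get half right: the scheme configured on IdP gets mapped, but the scheme a Pre Authentication Rule switches to is forgotten, and the IdP then has no authentication method to put in the assertion for Smartphone users. As an added example that is not part of the original article, the following Python script performs that consistency check offline: it derives the Federation Authentication Policy name from the IdP scheme using the "LocalAuthnFederation" + scheme pattern from this article, collects every scheme the policy's rules can switch to, compares them with a partner profile's mappings, and prints the addSPPartnerProfileAuthnMethod() lines that would close the gap. The configuration data, and the `federation_policy_name`, `schemes_in_use`, `unmapped_schemes`, `authn_context_for` and `wlst_mapping_commands` names, are constructed for this example and are not OAM APIs; only the scheme names, the policy naming pattern, the partner profile name and the WLST command name come from the article.

```python
"""Added example (not from the Oracle article): checks that every scheme an IdP
flow can end up with has a SAML 2.0 federation authentication method mapping.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


@dataclass(frozen=True)
class PreAuthRule:
    """Fields of a Pre Authentication Rule as configured in the console (constructed model)."""
    name: str
    condition: str
    deny_access: bool = False
    switch_to_scheme: Optional[str] = None


def federation_policy_name(scheme: str) -> str:
    """Name of the intermediary policy OAM creates for a scheme used by IdP."""
    return "LocalAuthnFederation" + scheme


def schemes_in_use(idp_scheme: str, rules_by_policy: Dict[str, List[PreAuthRule]]) -> Set[str]:
    """All schemes an IdP flow can challenge with: the IdP scheme plus every
    switch-to target on its policy's rules (deny-only rules add none)."""
    schemes = {idp_scheme}
    for rule in rules_by_policy.get(federation_policy_name(idp_scheme), []):
        if rule.switch_to_scheme and not rule.deny_access:
            schemes.add(rule.switch_to_scheme)
    return schemes


def unmapped_schemes(schemes: Set[str], mappings: Dict[str, str]) -> Set[str]:
    """Schemes with no federation authentication method on the partner profile."""
    return {s for s in schemes if s not in mappings}


def authn_context_for(scheme: str, mappings: Dict[str, str]) -> str:
    """AuthnContextClassRef the IdP would assert after challenging with `scheme`."""
    try:
        return mappings[scheme]
    except KeyError:
        raise LookupError(f"{scheme} has no federation authentication method mapping") from None


def wlst_mapping_commands(profile: str, schemes: Set[str], mappings: Dict[str, str], method: str) -> List[str]:
    """WLST lines that would add the missing mappings (generated, not executed here)."""
    return [
        f'addSPPartnerProfileAuthnMethod("{profile}","{method}","{s}")'
        for s in sorted(unmapped_schemes(schemes, mappings))
    ]


# Constructed configuration mirroring the article's example deployment.
IDP_DEFAULT_SCHEME = "LDAPScheme"
RULES = {
    federation_policy_name("LDAPScheme"): [
        PreAuthRule("MobileUsers", "request.userAgent.lower().find('mobile') > 0",
                    switch_to_scheme="BasicScheme"),
    ],
}
# A partner profile where only the IdP scheme was mapped and the switched-to scheme was forgotten.
PARTIAL_MAPPINGS = {"LDAPScheme": PASSWORD_PROTECTED_TRANSPORT}
COMPLETE_MAPPINGS = {
    "LDAPScheme": PASSWORD_PROTECTED_TRANSPORT,
    "BasicScheme": PASSWORD_PROTECTED_TRANSPORT,
}


if __name__ == "__main__":
    needed = schemes_in_use(IDP_DEFAULT_SCHEME, RULES)
    print("schemes in use:", sorted(needed))
    print("missing mappings:", sorted(unmapped_schemes(needed, PARTIAL_MAPPINGS)))
    for cmd in wlst_mapping_commands("saml20-sppartner-profile", needed,
                                     PARTIAL_MAPPINGS, PASSWORD_PROTECTED_TRANSPORT):
        print(cmd)
```

With the partial mapping table the script reports BasicScheme as missing and prints the single addSPPartnerProfileAuthnMethod() line for it; with both schemes mapped it reports nothing. The same check applies to mappings made at the SP partner level with addSPPartnerAuthnMethod, with only the generated command name changing.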
Test
When performing Federation SSO from a desktop/laptop browser, IdP challenges with the LDAPScheme and the users see the following login page:
Description of the illustration Access_Manager.jpg
While a Smartphone user for a Federation SSO operation with the same SP partner would see an HTTP Basic Authentication challenge:
Description of the illustration Authentication_Screen.jpg
Using OAM Pre Authentication Advanced Rules in OAM IdP
F61888-01
September 2022
Copyright © 2002, Oracle and/or its affiliates.