Using OAM Pre Authentication Advanced Rules in OAM IdP

This article showcases how to use the OAM Authentication Advanced Rule with OAM as an IdP with the following use case:

• OAM acts as the IdP

• A specific scheme is used to challenge all the users

• The OAM Authentication Policy for that scheme is configured to have a Pre-Authentication Advanced Rule that evaluates if the browser is a desktop browser or a mobile browser

• If the user is using a desktop/laptop, then the configured Authentication Scheme is used

• Otherwise if the user is on a mobile, another scheme targeted for mobile platforms is used, which facilitates user interaction by using a mobile login page

For more information about the Pre Authentication Advanced Rules in OAM, refer to the OAM Administrator’s Guide

OAM Authentication Advanced Rules

In the 11.1.2.2.0 release of Oracle Access Manager, Advanced Rules for Authentication Policies were introduced:

• Pre Authentication Rules which allows an administrator to define a policy that evaluates when an OAM authentication operation is being performed, before the user is challenged by the Authentication Scheme. The rule can either block access

• Or instruct OAM to use a secondary Authentication Scheme to challenge the user, different than the one listed as the Authentication Scheme in the Authentication Policy

• Post Authentication rules which allows an administrator to define a policy that will be evaluated after the Authentication Scheme was executed, to block access if necessary.

The runtime data that can be evaluated by the OAM Authentication Advanced Rule is based on either the request, session or user data:

• Request data: This includes the information sent by the user’s browser as well as the protected resource being requested

• Browser data

• HTTP headers (User-Agent, Cookie…)

• Location (IP Address, Proxy address…)

• Protected resource

• Hostname

• Port

• Path

• Query String

• Session Data if the rule is a Post Authentication Rule

• User Data if the rule is a Post Authentication Rule

The OAM Administrator’s guide lists the various properties that can be used.

For example, the following Pre Authentication Rule could be used to route authentication requests for Smartphones to another OAM Authentication Scheme:

request.userAgent.lower().find('iphone') > 0 or
request.userAgent.lower().find('mobile') > 0 or
request.userAgent.lower().find('blackberry') > 0 or
request.userAgent.lower().find('android') > 0

In this next example, the Post Authentication Rule indicates to deny access for users having opened more than 2 sessions:

session.count > 2

Note: Post Authentication Rules which are evaluated as Authentication Responses after Authentication are not evaluated in a Federation SSO flow, since IdP flow does not involve any Authentication Responses. To implement some Authorization based on the user’s identity, Token Issuance Policies can be used, as discussed in this article.

Advanced Rules with IdP

Federation Authentication Policies

When configuring IdP to use a specific OAM Authentication Scheme to challenge users at runtime, an intermediary OAM Authentication Policy is created and bound to the specified OAM Authentication Scheme.

To apply Authentication Advanced Rules within an IdP flow, we need to modify those intermediary OAM Authentication Policies managed by the OAM administration modules.

Out of the box, there are four Federation Authentication Policies existing in the IAM Suite Application Domain that are used by IdP to authenticate a user at runtime:

• LocalAuthnFederationBasicScheme

• LocalAuthnFederationBasicFAScheme

• LocalAuthnFederationLDAPScheme

• LocalAuthnFederationFAAuthScheme

Description of the illustration Application_Domains.jpg

Additionally, Federation Authentication Policies is created whenever a new IdP is configured to use another Authentication Scheme to challenge users during a Federation SSO operation.

The name of the Federation Authentication Policy is based on the Authentication Scheme configured in IdP: "LocalAuthnFederation" + Name_of_the_Authentication_Scheme.

Those policies should not be modified, except to define Pre and Post Authentication Rules.

Defining an Advanced Rule for a Federation Authentication Policy

To configure an Advanced Rule for a Federation Authentication Policy, perform the following steps:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole

2. Navigate to Access Manager , Application Domains

3. Click Search and select the IAM Suite Application Domain

4. Click on the Authentication Policies tab

5. Click on the Federation Authentication Policy you wish to modify

6. Click on the Advanced Rules tab in that policy

7. Define a pre authentication policy

8. Click Apply

Federation Authentication Methods

It might be required to configure IdP to map any OAM Authentication Schemes used to challenge users to a Federation Authentication Methods, even the second Authentication Scheme that might be configured in a Pre Authentication Rule.

This is done by using one of the OAM WSLT commands:

• addSPPartnerProfileAuthnMethod on an SP Partner Profile

• addSPPartnerAuthnMethod on an SP Partner

Example

Configure OAM to:

• Interact with a remote SP via the SAML 2.0 protocol

• Have the LDAPScheme as the default Authentication Scheme system wide

• Have the LocalAuthnFederationLDAPScheme Authentication Policy set up with a Pre Authentication Rule to use the BasicScheme if the client is a Smartphone

• Map the LDAPScheme to the SAML 2.0 Federation Authentication Method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

• Map the BasicScheme to the SAML 2.0 Federation Authentication Method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Default Scheme for IdP

First let’s configure IdP to use a default Authentication Scheme (even though that is the default scheme out of the box):

1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh

2. Connect to the WLS Admin server: connect()

3. Navigate to the Domain Runtime branch: domainRuntime()

4. Execute the setIdPDefaultScheme() command: setIdPDefaultScheme("LDAPScheme")

5. Exit the WLST environment: exit()

The consequence is that the LocalAuthnFederationLDAPScheme OAM Authentication Policy is used to challenge users for the remote SP partner.

OAM Advanced Pre Authentication Rule

Let’s now create the Pre Authentication Rule that indicates to OAM to use the BasicScheme for Smartphone users: the rule is based on the UserAgent HTTP header:

1. Go to the OAM Administration Console: http(s)://oam-admin-host:oam-adminport/oamconsole

2. Navigate to Access Manager , Application Domains

3. Click Search and select the IAM Suite Application Domain

4. Click on the Authentication Policies tab

5. Click on the LocalAuthnFederationLDAPScheme policy

6. Click on the Advanced Rules tab in that policy

7. Create a new Pre Authentication Rule

Description of the illustration Authentication_Policy.jpg

Perform the following actions:

1. Enter the information for the pre authentication rule:

• Rule Name: MobileUsers

• Condition: request.userAgent.lower().find('iphone') > 0 or request.userAgent.lower().find('mobile') > 0 or request.userAgent.lower().find('blackberry') > 0 or request.userAgent.lower().find('android') > 0

• Deny Access: unchecked

• Switch to Authentication Scheme: BasicScheme

  

  Description of the illustration Add_Rule.jpg

1. Click Add

2. Click Apply

Description of the illustration Rules_Added_Screen.jpg

Federation Authentication Method Mappings

Finally, let’s map the schemes that is used in our deployments to SAML 2.0 Federation Authentication Methods (even though out of the box the mapping already exists for LDAPScheme and BasicScheme).

In our environment, two schemes are used:

• LDAPScheme, configured in IdP

• BasicScheme, configured in the Pre Authentication Rule

Map both schemes to urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport at the partner profile level:

1. Enter the WLST environment by executing: $IAM_ORACLE_HOME/common/bin/wlst.sh

2. Connect to the WLS Admin server: connect()

3. Navigate to the Domain Runtime branch: domainRuntime()

4. Execute the addSPPartnerProfileAuthnMethod() command: addSPPartnerProfileAuthnMethod("saml20-sppartner-","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport""LDAPScheme")addSPPartnerProfileAuthnMethod("saml20-sppartner-profile","urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport""BasicScheme")

5. Exit the WLST environment: exit()

Test

When performing Federation SSO from a desktop/laptop browser, IdP challenges with the LDAPScheme and the users the following login page:

Description of the illustration Access_Manager.jpg

While a Smartphone user for a Federation SSO operation with the same SP partner would see an HTTP Basic Authentication challenge:

Description of the illustration Authentication_Screen.jpg

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Using OAM Pre Authentication Advanced Rules in OAM IdP

F61888-01

September 2022

Copyright © 2002, Oracle and/or its affiliates.