11.10 Configuring Factor Verification
OAA allows you to configure factor verification. Factor verification allows users to verify a factor in the Self-Service Portal after the factor has been added. This allows a user to check the factor is working before it is used in a user challenge. By default, factor verification is disabled.
Topics
The following topics describe how to configure factor verification:
11.10.1 Creating a Verification Integration Agent
To enable factor verification, you must create a verification integration agent.
You can create integration agents using either REST APIs or the OAA Administration UI console. For details about creating integration agents using REST APIs, see REST API for Administration in Oracle Advanced Authentication.
To create a verification integration agent:
- Log in to the OAA Administration console https://<AdminUrl>. You are redirected to the OAM login page as the console is protected by OAM OAuth. Specify your credentials and log in.
- Under Quick Actions select Create Other Integration Agent.
- In the Create Integration Agent window, specify the following:
  - Name: Enter a name for your integration agent, for example VerificationFlowAgent.
    Note:
    The property oaa.default.spui.pref.runtime.verification.agentId is set to VerificationFlowAgent by default. If you choose to give your agent a different name then you must configure the property to match. See Configuring Properties for Factor Verification.
  - Description: Add a description for the integration agent.
  - Integration Agent Type: API is selected by default.
- Click Save.
11.10.2 Creating an Assurance Level for the Verification Integration Agent
Create an assurance level for the verification integration agent.
You can create assurance levels using either REST APIs or the OAA Administration UI console. For details about creating integration agents using REST APIs, see REST API for Administration in Oracle Advanced Authentication.
To create an assurance level for the verification integration agent:
- In the Integration Agents window, select the verification integration agent for which you need to create the assurance level.
- Under the Assurance Levels tab, click Create.
- Specify the required details:
  - Name: Specify the name for this assurance level, for example FactorVerificationAL.
    Note:
    The property oaa.default.spui.pref.runtime.verification.assuranceLevel is set to FactorVerificationAL by default. If you choose to give your assurance level a different name then you must configure the property to match. See Configuring Properties for Factor Verification.
  - Description: Provide the description for the assurance level.
- Click Create.
- Click the Assurance Level created.
- Under Uses select the factors for which you want to configure factor verification.
  Note:
  Factor verification is only supported for Oracle Mobile Authenticator, OMA Push Notification Challenge, Email Challenge, Yubico OTP Challenge, and SMS Challenge.
- Click Save.
Next steps: Configuring Properties for Factor Verification.
11.10.3 Configuring Properties for Factor Verification
To enable factor verification you must set configuration properties.
The following table lists the OAA properties that you must configure to enable factor verification.
Table 11-4 Factor Verification Properties
Property Name | Description | Default Value |
---|---|---|
oaa.default.spui.pref.runtime.verification.enabled | This property determines if factor verification is enabled or disabled. To enable factor verification set this value to true. | false |
oaa.default.spui.pref.runtime.verification.agentId | The name of the verification integration agent. If you create a verification agent with a name other than the default VerificationFlowAgent, you must set this property to the name of the agent created. | VerificationFlowAgent |
oaa.default.spui.pref.runtime.verification.assuranceLevel | The name of the assurance level for the verification agent. If you create an assurance level with a name other than the default FactorVerificationAL, you must set this property to the name of the assurance level created. | FactorVerificationAL |
Use the <PolicyUrl>/policy/config/property/v1 REST API to configure properties.
Note:
In this case remove /oaa-policy from the <PolicyUrl>, for example use https://<host>:<port>/policy/config/property/v1 not https://<host>:<port>/oaa-policy/policy/config/property/v1.
For details about finding the PolicyUrl and authenticating, see OAA Admin API.
For details about the Configuration Properties REST Endpoint, see Configuration Properties REST Endpoints.
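An added example (not from the Oracle documentation): a Python helper that derives the endpoint from the PolicyUrl as the note above describes, lists the Table 11-4 properties that differ from their defaults, and checks read-back values against the agent and assurance level names created earlier. The host name, the name/value JSON shape of the request body, and exact-match comparison of names are assumptions; confirm the body format in Configuration Properties REST Endpoints before sending a request.

```python
import json
from urllib.parse import urlsplit, urlunsplit

PREFIX = "oaa.default.spui.pref.runtime.verification."
ENDPOINT = "/policy/config/property/v1"
# Default values as listed in Table 11-4.
DEFAULTS = {
    PREFIX + "enabled": "false",
    PREFIX + "agentId": "VerificationFlowAgent",
    PREFIX + "assuranceLevel": "FactorVerificationAL",
}

def property_endpoint(policy_url):
    """Build the endpoint URL, dropping /oaa-policy from the PolicyUrl."""
    parts = urlsplit(policy_url.rstrip("/"))
    base = parts.path.split("/oaa-policy")[0]
    if base.endswith(ENDPOINT):  # caller already appended the endpoint path
        base = base[: -len(ENDPOINT)]
    return urlunsplit((parts.scheme, parts.netloc, base + ENDPOINT, "", ""))

def verification_properties(agent_name, assurance_level):
    """Return only the properties whose required value differs from the default."""
    wanted = {
        PREFIX + "enabled": "true",
        PREFIX + "agentId": agent_name,
        PREFIX + "assuranceLevel": assurance_level,
    }
    # Assumed body shape: a list of {"name": ..., "value": ...} objects.
    return [{"name": k, "value": v} for k, v in wanted.items() if DEFAULTS[k] != v]

def audit(current, agent_name, assurance_level):
    """Compare values read back from OAA with the names created in the console."""
    effective = {**DEFAULTS, **current}  # unset properties fall back to defaults
    problems = []
    if effective[PREFIX + "enabled"].lower() != "true":
        problems.append("verification is not enabled")
    if effective[PREFIX + "agentId"] != agent_name:
        problems.append("agentId does not match the integration agent name")
    if effective[PREFIX + "assuranceLevel"] != assurance_level:
        problems.append("assuranceLevel does not match the assurance level name")
    return problems

if __name__ == "__main__":
    # Constructed sample values: hypothetical host and a non-default agent name.
    print(property_endpoint("https://oaa.example.com/oaa-policy"))
    print(json.dumps(verification_properties("MyVerifyAgent", "FactorVerificationAL"), indent=2))
    print(audit({PREFIX + "enabled": "true"}, "MyVerifyAgent", "FactorVerificationAL"))
```

The last call reports the agentId mismatch: a renamed agent with the property left at its default.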
Next steps: Testing Factor Verification.
11.10.4 Testing Factor Verification
To test factor verification:
- Access the Self-Service Portal by launching a browser and accessing https://<SpuiURL>. The user logs in to the console using their username and password set in the OAM OAuth identity store.
- Under Authentication Factors select Add Authentication Factor and select an authentication factor. In this example Email Challenge is selected.
- In the Setup Security Code via Email page, enter a Friendly Name and Email address. As factor verification is enabled, two new options are shown: Verify Now and Verify Later.
  If you select Verify Now you will be asked to enter the verification code. In this example the verification code will be sent to the email address. Enter the verification code from the email and select Verify and Save. If verification is successful you will be returned to the Authentication Factors screen and the authentication factor will show as Enabled.
  Note:
  If Verify Later is selected, the factor added will not be presented in a user challenge until it is verified.
  If Verify Later is selected, the factor is saved as Unverified. It can be verified by selecting Verify from the factor drop down menu on the Authentication Factors screen. Once the factor is verified it will show as Enabled.
  Note:
  Any factors added prior to enabling factor verification will show either Enabled or Disabled and will not need to go through verification.
Important Note for Upgrades
If you are upgrading from a previous release where factor verification wasn't supported, all previously registered factors for a user will automatically be verified after upgrade. This is true for all previously enabled and disabled factors for a user. Any new factors registered for the user after upgrade will use factor verification.