Configuring FIDO2 with Oracle Advanced Authentication
Introduction
This tutorial shows you how to configure FIDO2 with Oracle Advanced Authentication (OAA) as a second factor for multi-factor authentication.
In this tutorial a user accesses an application protected by an Oracle WebGate and Oracle Access Management (OAM). Once authenticated to OAM with a password, the user is challenged by OAA to authenticate with a FIDO2 device as a second factor.
Objective
In this tutorial you will perform the following tasks:
- Configure FIDO2 for the OAM Integration Agent
- Configure FIDO2 in User Preferences
- Access a Protected Application using FIDO2
Prerequisites
Before starting this tutorial you must have:
- A FIDO2-compatible device. For the purposes of this tutorial a YubiKey 5 Nano (YubiKey 5 Series) is used as the FIDO2 device.
- Completed the tutorial Integrate Oracle Access Management with Oracle Advanced Authentication.
Configure FIDO2 for the OAM Integration Agent
In this section you configure the OAM Integration Agent in OAA to use FIDO2.
- Log in to the OAA Administration console with your administrator credentials. For example, https://oaa.example.com/oaa-admin.
- From the left-hand navigation menu select Manage Integration Agents.
- Click the OAM Integration Agent. For example, OAM-MFAPartner.
- In the Assurance Levels tab click the Assurance Level. For example, OAM MFA-Level.
- Under Use the Factor(s) select FIDO2 Challenge.
- Click Save.
Configure FIDO2 in User Preferences
In this section the end user configures FIDO2 in their User Preferences.
- Access the OAA User Preferences console. For example, https://oaa.example.com/oaa/rui/.
- Log in as the end user. For example, testuser/<password>.
- Select Add Authentication Factor and from the drop-down menu select FIDO2 Challenge.
- In the Add FIDO2 Device screen enter a Friendly Name. For example, My FIDO2.
- Click Register.
- You are presented with a Security key setup page. Click OK.
- If you have not previously set a PIN on your FIDO2 device you are prompted to create one. Enter a PIN and click OK. The PIN is the device's user verification: it is prompted for again at every login, so possession of the key alone does not satisfy the factor.
- Once the PIN is entered you are asked to Touch your security key (assuming a touch-based FIDO2 device).
- If the registration with the FIDO2 device succeeds you are returned to the Authentication Factors screen, where the FIDO2 Challenge is now listed.
Access a Protected Application using FIDO2
In this section you access a protected application, log in to OAM and verify that second-factor authentication with FIDO2 works. The FIDO2 ceremony runs on the OAA challenge page, which must be served over HTTPS (WebAuthn requires a secure context) and from the same hostname the key was registered against, here oaa.example.com; the protected application itself can remain on plain HTTP as in this tutorial.
- Launch a browser and access the protected application. For example, http://oam.example.com:7777/mybank. As the application is protected, you are redirected to the OAM login page. Log in as the end user for whom FIDO2 is configured. For example, testuser/<password>.
- If the login succeeds you are redirected to the OAA challenge choice page. Click Use FIDO Key My FIDO2.
- You are directed to the FIDO2 screen, which asks for the security key PIN of the FIDO2 device. Enter the PIN and click OK.
- Assuming a touch-based FIDO2 device is used, you are asked to touch the FIDO2 device.
- If the authentication succeeds you are redirected to the protected application page. For example, /mybank.
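What a FIDO2 relying party such as OAA has to check behind the PIN and "touch" prompts above, both at registration and at login, written here as an added Python illustration and not as Oracle's code: the browser hands back clientDataJSON and authenticatorData, and the server must bind them to its own challenge, expected origin and RP ID and confirm the user-presence (touch) and user-verification (PIN) flags before the signature is worth verifying. The RP_ID and origin are assumed to be the OAA host oaa.example.com from this tutorial, the challenge bytes and sample messages are constructed for the example, and signature verification against the registered public key is the remaining step that is not shown.

```python
import base64
import hashlib
import json
import struct
from typing import Dict, Tuple

# Assumed for this tutorial's deployment: the relying party is the OAA host that
# serves the challenge page, not the OAM WebGate host.
RP_ID = "oaa.example.com"
EXPECTED_ORIGIN = "https://oaa.example.com"

# authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN (or biometric) was entered


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def parse_authenticator_data(auth_data: bytes) -> Dict[str, object]:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int,
                    require_uv: bool = True) -> Tuple[bool, str]:
    """Relying-party binding checks on a FIDO2 login assertion.

    Returns (ok, reason). The remaining step, verifying the signature over
    auth_data || sha256(client_data_json) with the credential's registered
    public key, is not shown here.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type %r" % cd.get("type")
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin %r is not %r" % (cd.get("origin"), EXPECTED_ORIGIN)

    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP_ID"
    if not ad["flags"] & FLAG_UP:
        return False, "user presence (touch) not asserted"
    if require_uv and not ad["flags"] & FLAG_UV:
        return False, "user verification (PIN) not asserted"
    # A counter that does not advance suggests a cloned authenticator
    # (a counter of 0 means the authenticator does not implement one).
    if ad["sign_count"] != 0 and ad["sign_count"] <= stored_sign_count:
        return False, "signature counter did not advance"
    return True, "ok"


# --- constructed sample messages (not captured from OAA) --------------------
def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def build_client_data(challenge: bytes, origin: str,
                      typ: str = "webauthn.get") -> bytes:
    return json.dumps({"type": typ, "challenge": b64url(challenge),
                       "origin": origin}).encode()


CHALLENGE = bytes(range(32))  # stands in for the server's random per-login challenge


def demo() -> Dict[str, Tuple[bool, str]]:
    ok_auth = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 11)
    return {
        # key touched, PIN entered, counter advanced from 10 to 11
        "good": check_assertion(build_client_data(CHALLENGE, EXPECTED_ORIGIN),
                                ok_auth, CHALLENGE, 10),
        # ceremony run from the OAM WebGate host instead of the OAA host
        "wrong_origin": check_assertion(
            build_client_data(CHALLENGE, "http://oam.example.com:7777"),
            ok_auth, CHALLENGE, 10),
        # touch only, no PIN: possession of the key is not enough
        "no_pin": check_assertion(build_client_data(CHALLENGE, EXPECTED_ORIGIN),
                                  build_auth_data(RP_ID, FLAG_UP, 11), CHALLENGE, 10),
        # counter did not move past the stored value
        "stale_counter": check_assertion(
            build_client_data(CHALLENGE, EXPECTED_ORIGIN),
            build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 10), CHALLENGE, 10),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-14s %s: %s" % (name, "PASS" if ok else "FAIL", reason))
```

The wrong_origin case is why the FIDO2 step has to complete on the OAA challenge page: a credential registered against oaa.example.com cannot produce an assertion that a page at oam.example.com:7777 could present, and the no_pin case is what the PIN prompt in the steps above buys you over a touch-only key.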
Learn More
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F55485-01
March 2022
Copyright © 2022, Oracle and/or its affiliates.