Configuring FIDO2 with Oracle Advanced Authentication

Introduction

This tutorial shows you how to configure FIDO2 with Oracle Advanced Authentication (OAA) for the purposes of multi-factor authentication.

In this tutorial a user will access an application protected via an Oracle WebGate and Oracle Access Management (OAM). Once authenticated in OAM, the user is challenged to authenticate with a FIDO2 device as a second factor.

Objective

In this tutorial you will perform the following tasks:

  1. Configure FIDO2 for the OAM Integration Agent
  2. Configure FIDO2 in User Preferences
  3. Access a Protected Application using FIDO2

Prerequisites

Before starting this tutorial you must have:

Configure FIDO2 for the OAM Integration Agent

In this section you configure the OAM Integration Agent in OAA to use FIDO2.

  1. Log in to the OAA Administration console with your administrator credentials. For example, https://oaa.example.com/oaa-admin.

  2. From the left-hand navigation menu select Manage Integration Agents.

  3. Click the OAM Integration Agent. For example, OAM-MFAPartner.

  4. In the Assurance Levels tab click the Assurance Level. For example, OAM MFA-Level.

  5. Under Use the Factor(s) select FIDO2 Challenge.

  6. Click Save.

    Description of the illustration fido2_factor.jpg

Configure FIDO2 in User Preferences

In this section the end user configures FIDO2 in their User Preferences.

  1. Access the OAA User Preferences console. For example, https://oaa.example.com/oaa/rui/.

  2. Log in as the end user. For example, testuser/<password>.

  3. Select Add Authentication Factor and from the drop-down menu select FIDO2 Challenge.

  4. In the Add FIDO2 Device screen enter a Friendly Name. For example, My FIDO2.

  5. Click Register.

  6. You will be presented with a Security key setup page. Click OK.

    Description of the illustration add_fido2_device.jpg

  7. If you have not previously set up a PIN for your FIDO2 device, you will be prompted to create one. Enter a PIN and click OK.

    Description of the illustration create_pin.jpg

  8. Once the PIN is entered, you will be asked to Touch your security key (assuming a touch-based FIDO2 device):

    Description of the illustration touch_device.jpg

  9. If the authentication with the FIDO2 device is successful, you will be returned to the Authentication Factors screen. The FIDO2 Challenge is shown:

    Description of the illustration authentication_factors.jpg

Access a Protected Application using FIDO2

In this section you access a protected application, log in to OAM and test that second-factor authentication works with FIDO2.

  1. Launch a browser and access the protected application. For example, http://oam.example.com:7777/mybank. As this application is protected you should be redirected to the OAM login page. Log in as the end user for whom FIDO2 is configured. For example, testuser/<password>.

  2. If the login is successful, you will be redirected to the OAA challenge choice page. Click Use FIDO Key My FIDO2.

    Description of the illustration select_fido2.jpg

  3. You will be directed to the FIDO2 screen where you are asked to enter the security key PIN for the FIDO2 device. Enter the PIN and click OK:

    Description of the illustration enter_pin.jpg

  4. Assuming a touch-based FIDO2 device is used, you will be asked to touch the FIDO2 device:

    Description of the illustration touch_fido_device.jpg

  5. If the authentication is successful, you should be redirected to the protected application page. For example, /mybank.

    Description of the illustration mybank.jpg
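The PIN prompt and the touch prompt in the registration and login steps above correspond to the user-verification (UV) and user-presence (UP) flags that a FIDO2 authenticator sets in the WebAuthn authenticatorData it signs. The following is an added illustration of the relying-party checks behind those prompts; it is not OAA's code, and it assumes the RP ID is the OAA host used in this tutorial (oaa.example.com) and uses a constructed authenticatorData header rather than output from a real key.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present: the security key was touched
FLAG_UV = 0x04  # user verified: the PIN (or biometric) was checked on the key


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def check_second_factor(auth_data: bytes, rp_id: str, last_count: int, require_uv: bool = True) -> int:
    """Relying-party checks for a FIDO2 second-factor assertion.

    Returns the new signature counter to store for the credential, or raises.
    """
    fields = parse_authenticator_data(auth_data)
    if fields["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not fields["flags"] & FLAG_UP:
        raise ValueError("user presence (touch) not asserted")
    if require_uv and not fields["flags"] & FLAG_UV:
        raise ValueError("user verification (PIN) not asserted")
    # A counter that fails to advance can indicate a cloned authenticator.
    if fields["sign_count"] != 0 and fields["sign_count"] <= last_count:
        raise ValueError("signature counter did not increase")
    return fields["sign_count"]


def second_factor_ok(auth_data: bytes, rp_id: str, last_count: int) -> bool:
    """Boolean wrapper around check_second_factor for callers that only need accept/reject."""
    try:
        check_second_factor(auth_data, rp_id, last_count)
        return True
    except ValueError:
        return False


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData header (test input, not from a real key)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed sample: PIN entered and key touched for oaa.example.com, counter 42.
    good = make_auth_data("oaa.example.com", FLAG_UP | FLAG_UV, 42)
    print("new counter:", check_second_factor(good, "oaa.example.com", last_count=41))
```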
