MFA for Oracle Access Manager

This is an Early Access feature. To enable it, contact Okta Support.

The guide below outlines the setup process to install the Okta Multifactor Authentication (MFA) provider for Oracle Access Manager. With this feature, customers can use OAM as their Identity Provider (IdP) to applications and also use Okta for MFA to provide a strong method of authentication for applications. For version history see Okta Oracle Access Manager Plugin Version History

Note: If you are currently using theRSA SecurID agent (v. 1.1.0 or below) you should upgrade to the latest version of the On-Prem MFA agent at your earliest convenience. For the latest version and version history, see Okta On-Prem MFA Agent Version History.

Requirements and versions

The Okta MFA Provider for Oracle Access Manager has been tested against the following:

Name	Version
WebLogic Server	11g (10.3.6.0)
Oracle Access Manager	11g (11.1.2.0.0)
Operating System	Windows Server
Java Runtime	1.7.0_80 or later

Supported factors

The following MFA Factors are supported:

When integrating with Okta RADIUS, the maximum supported number of enrolled factors is dependent on the size of resulting challenge message. Okta recommends that no more than eight ( 8 ) factor be enrolled at one time.

MFA Factor	Password Authentication Protocol PAP	Extensible Authentication Protocol - Generic Token Card EAP-GTC	Extensible Authentication Protocol - Tunneled Transport Layer Security EAP-TTLS
Okta Verify (TOTP and PUSH)	Supported	Supported	Supported - as long as challenge is avoided. For example: MFA-only or password, MFA for TOTP. Push can work with primary auth + MFA as the push challenge is sent out-of-band.
Voice Call	Supported	Supported	Not supported
SMS Authentication	Supported	Supported	Not supported
Google Authenticator	Supported	Supported	Supported - as long as challenge is avoided. For example MFA only or password, MFA.
Symantec VIP	Supported	Supported	Supported
Security Question	Supported	Supported	Not supported
Custom TOTP Authentication	Supported	Supported	Not supported
Duo(Push, SMS and Passcode only)	Supported	Not supported	Not supported
YubiKey	Supported	Supported	Supported
RSA Token	Supported	Supported	Supported
Email	Supported	Supported	Not supported

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

Note: Only applications which support Embedded Credential Collector (ECC) WebGates are supported.

Typical workflow

Task	Description
Configure MFA factors	Within your Okta org, configure MFA factors for use with Oracle Access Manager.
Download the agent	Org admins will need to request Okta Support provide the download link for the Oracle Access Manager Plugin. For the agent version history, see Okta Oracle Access Manager Plugin Version History. Note: The downloaded plugin file must be in a location accessible from the Oracle Access Manager Console.
Install and Configure the Oracle Access Manager plugin	Install and configure the plug in for Oracle Access Manager. If required, manually activate the OAM plugin.
Deploy OktaWidget.war	Using the Oracle WebLogic Server console, deploy the Okta OktaWidget war file.
Configure Module, Scheme and Policy	Using the Oracle Access Manager console, configure module, scheme and policy to protect the OAM resources.
Enable SSL on OAM servers	[Optionallyl] Using the WebLogic Server console, enable SSL (HTTPS) on OAM servers.