This is an Early Access feature. To enable it, contact Okta Support.

MFA for Oracle Access Manager

The guide below outlines the setup process to install the Okta Multifactor Authentication (MFA) provider for Oracle Access Manager. With this feature, customers can use OAM as their Identity Provider (IdP) to applications and also use Okta for MFA to provide a strong method of authentication for applications. For version history see Okta Oracle Access Manager Plugin Version History

Requirements and supported versions

Note: This table lists the versions that this plugin has been tested against.

Name Version
WebLogic Server 11g (10.3.6.0)
Oracle Access Manager 11g (11.1.2.0.0)
Operating System Windows Server
Java Runtime 1.7.0_80 or later


The following MFA Factors are supported:

 

MFA Factor Password Authentication Protocol
PAP		 Extensible Authentication Protocol - Generic Token Card
EAP-GTC		 Extensible Authentication Protocol - Tunneled Transport Layer Security
EAP-TTLS
Okta Verify (TOTP and PUSH) Supported Supported Supported - as long as challenge is avoided.
For example:
MFA-only or password, MFA for TOTP.
Push can work with primary auth + MFA as the push challenge is sent out-of-band.
Voice Call Supported Supported Not supported
SMS Authentication Supported Supported Not supported
Google Authenticator Supported Supported Supported - as long as challenge is avoided.
For example MFA only or password, MFA.
Symantec VIP Supported Supported Supported
Security Question Supported Supported Not supported
Custom TOTP Authentication Supported Supported Not supported
Duo(Push, SMS and Passcode only) Supported Supported Supported (passcode, Push)
YubiKey Supported Supported Supported

RSA Token

Supported

Supported

Supported

Email

Supported

Supported

Not supported
Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

Note: Only applications which support Embedded Credential Collector (ECC) WebGates are supported.

Note: This is an early access feature, please contact Okta Support to enabled it.

Before beginning the installation, be sure the MFA Factors to use with OAM are configured in Okta. For more information see: Multifactor Authentication

Note: This step can be ignored if multifactor enrollment was previously configured.

  1. Login to your Okta org.
  2. Navigate to Security > Multifactor.
  3. Select the Factor Types tab, then select the factors you want to enable in your org.
  4. Select the Factor Enrollment tab and set up a policy to prompt for MFA (this can be scoped to users who will need to provide MFA for OAM logins).

  1. Login into your Okta org as administrator.

  2. Navigate to Applications > Applications, then click Add Application.
  3. Search for the Oracle Access Manager (OAM) MFA application, then click Add.

  4. Enter an appropriate Application Label and the Redirect URI.

    Note: The RedirectURL should be set to the page that your test application redirects to for login.

    URI Description
    Standalone The host:port combination for your OAM server.
    For example: http://oam-server.mydomain:14100
    Cluster The host:port of the enterprise load balancer in front of your OAM servers
    For example: http://oam-lb.mydomain:7777

  5. Select the Sign On tab and note the Client ID and Client Secret.

  6. Select the Assignments tab and click either Assign > Assign to People or Assign to Groups as appropriate.
    Note: The user must also be assigned to the application.

  7. Select the Settings > Customization.

    Scroll to iFrame Embedding, click Edit, and check Allow IFrame embedding.

  8. Click Done when complete

Note: During EA, please contact Okta Support for access to the download link.

Note: The downloaded plugin file must be in a location accessible from the Oracle Access Manager Console.

  1. Login to the Oracle Access Manager Console.
  2. Navigate to Authentication Plugins and select the Plug-ins tab.
  3. Click Import Plug-in and select the file downloaded in Part 3.
    Note: After upload the plug in will be in uploaded state.
  4. Select the row containing the plug in and press the Distribute Selected
    Note: Selected rows will be blue.
    After distribution the plugin will change state to distributed.
  5. Click the Activate Selected button to activate the plug in.
    In the event of an error, follow the steps described in the section Activating the Okta OAM Plugin when standard activation fails.

 

Based on the activation status, the plugin jar can be found in the following locations. Note that DOMAIN_HOME represents the location of the WebLogic Server domain in both Windows and Linux environments. An example of An example of DOMAIN_HOME on windows might be C:\Oracle\Middleware\user_projects\domains\<domainname>.

Activation Status Location
Uploaded

Administration Server

  • Linux - ${DOMAIN_HOME}/oam/plugins
  • Windows -%DOMAIN_HOME%\oam\plugins
Distributed

OAM Server(s)

  • Linux - ${DOMAIN_HOME}/config/fmwconfig/oam/plugins
  • Windows - %DOMAIN_HOME%\config\fmwconfig\oam\plugins

The clientId, clientSecret and url that the plugin communicates using must be configured. To configure the plugin:

  1. Navigate to Authentication Plugins and select the Plug-ins tab.
  2. Select the row containing Okta OAM plugin, installed in the previous section.
  3. In the Configuration Parameters section configure the clientID, clientSecret and url.

    Note: clientID and clientSecret are those from when the OAM application was added into your org. In addition URL should be the based on URL of your org. For example: https://<orgname>.okta.com.

  4. Click Save.
  1. Login to the WebLogic Server Administration Console.
  2. In the Domain Structure pane expand Domain > Deployments.
  3. In Change Center, click Lock & Edit.
    Note: If the WebLogic Server Console preference Automatically Acquire Lock and Activate changes is not set then you will not need to click Lock & Edit.
  4. In the Deployments pane click Install.
  5. Navigate to the directory where OktaWidget.war is located and choose open.
  6. Target the Okta Widget web application to both the Administration server and all OAM servers.
    Ensure that copy to target location is selected.
  7. Click Deploy.
  8. In Change Center, click Activate Changes.
  1. Login to the Oracle Access Manager Console.
  2. Create an Authentication Module.
    1. Click Authentication Module > Create.
    2. On the General tab enter an appropriate Name and Description and click Create.
    3. For the new authentication module select the Steps tab.
    4. Create a new step which references the plugin and configure the step details as shown.
    5. Select the Steps Orchestration tab
    6. Select the previously created step as the Initial Step as shown.
      Note: Configure state success as On Success and failure for both On Failure and On Error.
    7. Click Apply when complete.
  3. Create an Authentication Scheme.
    1. Click Authentication Scheme > Create.
    2. Configure the scheme as shown:
      Note: Authentication Module field should be set to the module created in the previous step.
    3. Click Apply when complete..
  4. Ensure services are enabled.
    1. Navigate to Configuration > Available Services.
    2. Ensure Access Manager and Adaptive Authentication Service are both enabled.
  5. Create Authentication Policy which references the new Authentication Scheme
    1. Navigate to Application Domain > WebGateTest > Authentication Policies > Protected Resource Policy > Advanced Rules.
    2. Under Advanced Rules select the Post-Authentication tab.
    3. Click Add and add a rule as shown below.
      Note: All fields should be as shown, however Switch Authentication Schememust be set to the name of the scheme created
    4. Click Apply when complete.

Enabling SSL on OAM Servers

If you wish to use HTTPS to access OAM servers, the SSL must be enabled.
To enable SSL options for OAM servers:

  1. Login to the WebLogic Server Administration Console.
  2. In the Domain Structure pane expand DomainName > Environment >Servers.
  3. Select a server.
  4. In Change Center, click Lock & Edit.
    >Note: If the WebLogic Server Console preference Automatically Acquire Lock and Activate changes is not set then you will not need to click Lock & Edit.
  5. Select Configuration > SSL
  6. Expand the Advanced section.
  7. From Hostname Verification select None.
  8. Check Use JSSE SSL.
  9. Click Save.
  10. In Change Center click Activate Changes.
  11. Restart the server instance.

To manually activate the Okta OAM plugin follow the steps below:

Manually activate the plugin

  1. Shutdown all running Managed WebLogic Server instances.
  2. Shutdown the Administration server instance.
  3. Using a text editor open the file oam-config.xml found in ${DomainHome}/{domain}/config/fmwconfig.
    For example: /app/oracle/product/mw/config/domains/IAMDomain/config/fmwconfig.
  4. Search for <Setting Name="Version" Type="xsd:integer">202</Setting> and increase the version number by 1.

    Note: There may be multiple Version settings tags. The value which must be changed should be the first child of the NGAMConfiguration element. See how to correctly make manual edits to an oam config for more information.

  5. Search for the Okta plugin, identified by <Setting Name"=AdaptiveAuthenticationPlugin> and change its the Status setting for the value entry to to activated.
    Note: AdaptiveAuthenticationPlugin represents the name given to the plugin when originally deployed and may differ.
  6. Restart the administration server.