MFA for Oracle Access Manager

The following MFA Factors are supported:

• Okta Verify
• Voice Call
• Duo
• OnPremMFA(RSA)
• Email
• SMS Authentication
• Google Authenticator
• YubiKey
• Symantec VIP
• Security Question
• Custom TOTP Authentication

Note:Inline enrollment is not supported.

Before beginning the installation, be sure the MFA Factors to use with OAM are configured in Okta. For more information see: Multifactor Authentication

Note: This step can be ignored if multifactor enrollment was previously configured.

1. Login to your Okta orgThe Okta container that represents a real-world organization..
2. Navigate to Security > Multifactor.
3. Select the Factor Types tab, then select the factors you want to enable in your org.
   
4. Select the Factor Enrollment tab and set up a policy to prompt for MFA (this can be scoped to users who will need to provide MFA for OAM logins).

   

1. Login into your Okta org as administrator.

2. Navigate to Applications > Applications, then click Add Application.
2. Search for the Oracle Access Manager (OAM) MFA application, then click Add.

   

3. Enter an appropriate Application Label and the Redirect URI.

   

   Note: The RedirectURL should be set to the page that your test application redirects to for login.
   

   URI	Description
   Standalone	The host:port combination for your OAM server. For example: http://oam-server.mydomain:14100
   ClusterA group of computer instances (physical or virtual) within a given infrastructure used together for a single purpose.	The host:port of the enterprise load balancer in front of your OAM servers For example: http://oam-lb.mydomain:7777

4. Select the Sign On tab and note the ClientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. ID and Client Secret.

   

5. Select the Assignments tab and click either Assign > Assign to People or Assign to GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. as appropriate.
   Note: The user must also be assigned to the application.

   

6. Select the Settings > Customization.

   Scroll to iFrame Embedding, click Edit, and check Allow IFrame embedding.

   

7. Click Done when complete

1. Login to the Oracle Access Manager Console.
2. Navigate to Authentication Plugins and select the Plug-ins tab.
3. Click Import Plug-in and select the file downloaded in Part 3.
   Note: After upload the plug in will be in uploaded state.
4. Select the row containing the plug in and press the Distribute Selected
   Note: Selected rows will be blue.
   After distribution the plugin will change state to distributed.
5. Click the Activate Selected button to activate the plug in.
   In the event of an error, follow the steps described in the section Activating the Okta OAM Plugin when standard activation fails.

Based on the activation status, the plugin jar can be found in the following locations. Note that DOMAINA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https)._HOME represents the location of the WebLogic Server domain in both Windows and Linux environments. An example of An example of DOMAIN_HOME on windows might be C:\Oracle\Middleware\user_projects\domains\<domainname>.

The clientId, clientSecret and url that the plugin communicates using must be configured. To configure the plugin:

1. Navigate to Authentication Plugins and select the Plug-ins tab.
2. Select the row containing Okta OAM plugin, installed in the previous section.
3. In the Configuration Parameters section configure the clientID, clientSecret and url.
   

   Note: clientID and clientSecret are those from when the OAM application was added into your org. In addition URL should be the based on URL of your org. For example: https://<orgname>.okta.com.

4. Click Save.

1. Login to the WebLogic Server Administration Console.
2. In the Domain Structure pane expand Domain > Deployments.
3. In Change Center, click Lock & Edit.
   Note: If the WebLogic Server Console preference Automatically Acquire Lock and Activate changes is not set then you will not need to click Lock & Edit.
4. In the Deployments pane click Install.
5. Navigate to the directory where OktaWidget.war is located and choose open.
6. Target the Okta Widget web application to both the Administration server and all OAM servers.
   Ensure that copy to target location is selected.
7. Click Deploy.
8. In Change Center, click Activate Changes.

1. Login to the Oracle Access Manager Console.
2. Create an Authentication Module.
1. Click Authentication Module > Create.
2. On the General tab enter an appropriate Name and Description and click Create.
   
3. For the new authentication module select the Steps tab.
4. Create a new step which references the plugin and configure the step details as shown.
   
5. Select the Steps Orchestration tab
6. Select the previously created step as the Initial Step as shown.
   Note: Configure state success as On Success and failure for both On Failure and On Error.
   
7. Click Apply when complete.
3. Create an Authentication Scheme.
1. Click Authentication Scheme > Create.
2. Configure the scheme as shown:
   Note: Authentication Module field should be set to the module created in the previous step.
   
3. Click Apply when complete..
4. Ensure services are enabled.
1. Navigate to Configuration > Available Services.
2. Ensure Access Manager and Adaptive Authentication Service are both enabled.
   
5. Create Authentication Policy which references the new Authentication Scheme
1. Navigate to Application Domain > WebGateTest > Authentication Policies > Protected Resource Policy > Advanced Rules.
   
2. Under Advanced Rules select the Post-Authentication tab.
3. Click Add and add a rule as shown below.
   Note: All fields should be as shown, however Switch Authentication Schememust be set to the name of the scheme created
   
4. Click Apply when complete.

Enabling SSL on OAM Servers

If you wish to use HTTPS to access OAM servers, the SSL must be enabled.
To enable SSL options for OAM servers:

1. Login to the WebLogic Server Administration Console.
2. In the Domain Structure pane expand DomainName > Environment >Servers.
3. Select a server.
4. In Change Center, click Lock & Edit.
   >Note: If the WebLogic Server Console preference Automatically Acquire Lock and Activate changes is not set then you will not need to click Lock & Edit.
   
5. Select Configuration > SSL
6. Expand the Advanced section.
7. From Hostname Verification select None.
8. Check Use JSSE SSL.
9. Click Save.
10. In Change Center click Activate Changes.
11. Restart the server instance.

To manually activate the Okta OAM plugin follow the steps below:

Manually activate the plugin

1. Shutdown all running Managed WebLogic Server instances.
2. Shutdown the Administration server instance.
3. Using a text editor open the file oam-config.xml found in ${DomainHome}/{domain}/config/fmwconfig.
   For example: /appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in./oracle/product/mw/config/domains/IAMDomain/config/fmwconfig.
4. Search for <Setting Name="Version" Type="xsd:integer">202</Setting> and increase the version number by 1.
   

   Note: There may be multiple Version settings tags. The value which must be changed should be the first child of the NGAMConfiguration element. See how to correctly make manual edits to an oam config for more information.

5. Search for the Okta plugin, identified by <Setting Name"=AdaptiveAuthenticationPlugin> and change its the Status setting for the value entry to to activated.
   Note: AdaptiveAuthenticationPlugin represents the name given to the plugin when originally deployed and may differ.
   
6. Restart the administration server.