Friday, June 12, 2015

OAAM policy risk evaluation in OAM policies(OAM 11g Identity Context)

Steps

Log in to the OAAM Admin Console.


Search for the DAP token version property and change it to v2.1.


Update the OAAM TAP token version from v2.0 to v2.1 in the oam-config.xml file.

Note: Since I have already integrated OAM + OAAM, I changed the OAM DAP token version in the oam-config.xml file from "v2.0" to "v2.1". Otherwise you can provide version v2.1 directly while executing the ThirdParty TAP registration command (during OAM + OAAM integration).

Create a group to hold all the restricted IP addresses, as shown in the screenshot below.


Add the IP addresses to the group.

Create a new OAAM policy with the checkpoint set to Post-Authentication.

Create a rule and condition to determine whether the user is logging in from a restricted IP address.

Select the IP address group created earlier from the drop-down.


Click on the Results tab and enter the score as "1".

Click on "Group Linking" and select "All Users".

Log in to the OAM Admin Console and click on "Application Domain".


Select the "ohs_webgate". This is the OHS webgate I have already created and used the OAAM TAP Authentication Scheme to protect the resource.


Click on "Authentication Policies".


Click on "Protected Resource Policy".


Click on "Responses".


Add a response as shown in the screenshot below.

This "session_risk_level" is the session attribute that is passed as part of the DAP token from OAAM to OAM after evaluation of the policy created in the steps above.

Click on "Authorization Policies".


Click on "Protected Resource Policy".


Click on "Conditions".


Click on the "+" sign.


Enter the condition details as shown in the screenshot below.

Add the condition details as shown in the screenshot below.

The condition matches the "session_risk_level" session attribute returned from OAAM when its value is "1".

Click on the "Rules" tab, add the new rule to the "Deny Rule" list, and click "Apply".

Now test the protected application from two different machines!!!
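To make the data flow behind these screens concrete, here is a constructed Python model (added here, not Oracle's or the author's code) of the chain the steps above configure: the OAAM post-authentication rule scores a login from the restricted IP group as 1, that score reaches OAM as the session_risk_level session attribute in the DAP token, and the OAM authorization Deny Rule matches on it. The group contents, the sample client IPs and the 0 value for non-matching logins are assumptions; CIDR ranges are accepted as a generalisation of the single addresses added on the page.

```python
"""Model of the OAAM -> OAM flow from the steps above (constructed example,
not Oracle code): OAAM scores the login, OAM enforces the score."""
import ipaddress

# Constructed stand-in for the OAAM "restricted IP" group. The page adds
# single addresses; CIDR ranges are accepted here as a generalisation.
RESTRICTED_IP_GROUP = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3 range, constructed
    ipaddress.ip_network("198.51.100.7/32"),  # single host, constructed
]

RESTRICTED_IP_SCORE = 1  # the "1" entered on the rule's Results tab


def in_restricted_group(client_ip: str) -> bool:
    """OAAM rule condition: is the login source in the restricted IP group?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in RESTRICTED_IP_GROUP)


def oaam_post_auth_checkpoint(client_ip: str) -> dict:
    """Evaluate the post-authentication policy (linked to 'All Users') and
    return the session attributes OAAM hands to OAM in the DAP token.
    A non-matching login is modelled as score 0 (assumption). Values travel
    as strings, which is why the OAM condition compares against "1"."""
    score = RESTRICTED_IP_SCORE if in_restricted_group(client_ip) else 0
    return {"session_risk_level": str(score)}


def oam_authorization_decision(session_attrs: dict) -> str:
    """OAM Protected Resource Policy: the Deny Rule fires when the condition
    session_risk_level == "1" matches; otherwise the request is allowed."""
    if session_attrs.get("session_risk_level") == "1":
        return "DENY"
    return "ALLOW"


def access_decision(client_ip: str) -> str:
    """End-to-end decision for one login from the given client address."""
    return oam_authorization_decision(oaam_post_auth_checkpoint(client_ip))


if __name__ == "__main__":
    # The "two different machines" test from the last step, constructed IPs.
    for ip in ("203.0.113.25", "192.0.2.10"):
        print(ip, "->", access_decision(ip))
```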

-- Siva Pokuri.

Remove/Disable Authentication Pad's from OAAM 11g Login Pages

There are several ways to remove/disable OAAM authentication pads from login pages; one way is to modify the OAAM AuthenticationPad Policy trigger combinations as shown in the screenshot below.

-- Log in to the OAAM Admin Console.

-- Navigate to Policies, click on "OAAM AuthenticationPad Policy", and click on the "Trigger Combinations" tab.

-- Modify the trigger combinations as shown in the screenshot below and click "Apply".

-- Then try logging in and test the functionality.

Hope this helps someone out there!!

-- Siva Pokuri.