Friday, July 1, 2016

OAAM 11g R2 PS3 Secondary email OTP configuration with custom challenge processor

Hello Readers,

Steps to configure a secondary email address as an OTP delivery channel:

Demo video: http://www.idmfun.com/2016/07/oaam-11g-r2-ps3-secondary-email-otp_1.html

1. Create a custom challenge processor.

2. Create a class that extends "AbstractUMSOTPChallengeProcessor" and overrides getRecipients, as shown below.

import com.bharosa.uio.processor.challenge.AbstractUMSOTPChallengeProcessor;
import com.bharosa.uio.util.UIOSessionData;
import com.bharosa.uio.util.UIOUtil;
import java.util.ArrayList;
import java.util.List;
import oracle.ucs.messaging.ws.types.Address;
import oracle.ucs.messaging.ws.types.DeliveryType;

/**
 * Challenge processor that delivers the OTP to the user's secondary email address.
 * The UMS base class takes care of sending the OTP; this subclass only decides
 * who receives it, by reading the "email2" contact field from the session.
 */
public class Email2ChallengeProcessor extends AbstractUMSOTPChallengeProcessor
{
    @Override
    protected List<Address> getRecipients(UIOSessionData sessionData)
    {
        // "email2" must match the inputname registered in oaam_custom.properties
        String toAddress = UIOUtil.getContactInfo(sessionData, "email2");
        Address recipientAddr = getAddress(toAddress, DeliveryType.EMAIL);

        List<Address> retList = new ArrayList<Address>();
        retList.add(recipientAddr);

        return retList;
    }
}

3. Build a jar file containing the above Java class and place it in the lib folder of oracle.oaam.extensions.war.

4. Add the following properties to the oaam_custom.properties file in oracle.oaam.extensions.war:

# Second Email Address Input Registration Field Properties Example
bharosa.uio.default.userinfo.inputs.enum.email2=2002
bharosa.uio.default.userinfo.inputs.enum.email2.name=Email Address 2
bharosa.uio.default.userinfo.inputs.enum.email2.description=Email Address 2
bharosa.uio.default.userinfo.inputs.enum.email2.inputname=email2
bharosa.uio.default.userinfo.inputs.enum.email2.inputtype=text
bharosa.uio.default.userinfo.inputs.enum.email2.maxlength=40
bharosa.uio.default.userinfo.inputs.enum.email2.required=true
bharosa.uio.default.userinfo.inputs.enum.email2.order=2
bharosa.uio.default.userinfo.inputs.enum.email2.enabled=true
bharosa.uio.default.userinfo.inputs.enum.email2.regex=.+@[a-zA-Z_]+?\.[a-zA-Z.]+
bharosa.uio.default.userinfo.inputs.enum.email2.errorCode=otp.invalid.email
bharosa.uio.default.userinfo.inputs.enum.email2.managerClass=com.bharosa.uio.manager.user.DefaultContactInfoManager
bharosa.uio.default.userinfo.inputs.enum.email2.verify=true
#bharosa.uio.default.userinfo.inputs.enum.email2.displaymask=.{1,2}(.*)@([a-zA-Z_]+)?\.[a-zA-Z]{2,3}

# Second Email Address Challenge OTP Field Properties Example
bharosa.uio.default.challenge.type.enum.ChallengeEmail2=2003
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.available=true
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.description=Challenge Email 2
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.displayedInfo=email2
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.enabled=true
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.htmlInputType=text
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.htmlLabel=Email Code
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.name=Email Challenge2
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.otp=true
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.otpexpirytimeMs=400000
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.processor=Email2ChallengeProcessor
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.requiredInfo=email

# Rule action for ChallengeEmail2
rule.action.enum.ChallengeEmail2=1091
rule.action.enum.ChallengeEmail2.name=Challenge Email 2
rule.action.enum.ChallengeEmail2.description=Challenge the user using Email
rule.action.enum.ChallengeEmail2.otp=true

5. Redeploy the oracle.oaam.extensions.war file on both the OAAM Admin and OAAM Server managed servers.

6. Log in to the OAAM Admin console.

7. Navigate to Groups, click on "OAAM Challenge Choice", and open the "Actions" tab.

8. Add the newly created action "Challenge Email 2".

9. Now log in to the TAP-protected application and register a new user with two OTP email addresses.

10. Test login with a user account that has registered both a primary and a secondary email address.
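The Java class and the property block above are a matched pair: the enum ids, the processor class name and the "email2" input name have to line up before the WAR is redeployed. The following checker is an added example and not part of the original post; it runs over a constructed excerpt of the property block, assumes OAAM reads the file as plain key=value pairs (no Java escape handling) and applies each input's regex as a whole-string match, and treats only "email" as a built-in input.

```python
import re
# Constructed excerpt of the post's oaam_custom.properties (the real file carries more keys).
PROPS = r"""
bharosa.uio.default.userinfo.inputs.enum.email2=2002
bharosa.uio.default.userinfo.inputs.enum.email2.regex=.+@[a-zA-Z_]+?\.[a-zA-Z.]+
bharosa.uio.default.challenge.type.enum.ChallengeEmail2=2003
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.processor=Email2ChallengeProcessor
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.displayedInfo=email2
bharosa.uio.default.challenge.type.enum.ChallengeEmail2.requiredInfo=email
"""
INPUTS = "bharosa.uio.default.userinfo.inputs.enum."
CHALLENGES = "bharosa.uio.default.challenge.type.enum."
BUILTIN_INPUTS = {"email"}  # assumed to exist out of the box; the post's requiredInfo=email relies on it

def parse_props(text):
    """Minimal key=value parser; backslashes are kept verbatim (no Java escape handling)."""
    lines = (ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in (ln.partition("=") for ln in lines)}

def enum_table(props, prefix):
    """Group 'prefix.NAME=id' and 'prefix.NAME.sub=value' into {NAME: {'id': ..., sub: ...}}."""
    table = {}
    for key, value in props.items():
        if key.startswith(prefix):
            name, _, sub = key[len(prefix):].partition(".")
            table.setdefault(name, {})[sub or "id"] = value
    return table

def lint(props):
    """Findings worth fixing before the WAR is redeployed to both managed servers."""
    findings = []
    inputs, challenges = enum_table(props, INPUTS), enum_table(props, CHALLENGES)
    for family, table in (("input", inputs), ("challenge", challenges)):
        by_id = {}  # each enum family needs distinct numeric ids (2002, 2003 in the post)
        for name, entry in table.items():
            other = by_id.setdefault(entry.get("id"), name)
            if other != name:
                findings.append(f"{family} {name}: id {entry.get('id')} already used by {other}")
    known = set(inputs) | BUILTIN_INPUTS
    for name, entry in challenges.items():
        if not entry.get("processor"):
            findings.append(f"challenge {name}: no processor class configured")
        for ref in ("displayedInfo", "requiredInfo"):
            if ref in entry and entry[ref] not in known:
                findings.append(f"challenge {name}: {ref}={entry[ref]} is not a defined input")
    return findings

def accepts(props, input_name, value):
    """Whole-string test of an input's regex (assumes OAAM applies it as a full match)."""
    return re.fullmatch(props[f"{INPUTS}{input_name}.regex"], value) is not None
```

Running the post's regex through accepts shows it takes user@example.com but rejects domains containing digits or hyphens, which is worth knowing before the field is marked required.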

-- Siva Pokuri.

22 comments:

  1. Siva,
    In step 7, you say to modify the "OAAM Challenge Choice" group. This did not work. I did follow Oracle's Doc ID 2145483.1, where they say to modify the "OAAM Challenge Email" group. This does work.

    I do have an additional question. If both email addresses are the same or one email address is null, is there a way to bypass the challenge choice page altogether? Displaying the challenge choice page would be unnecessary, since there would only be one email address.

    Replies
    1. Good catch.

      In my scenario, challenge questions are one of the options to choose from, so I used the "OAAM Challenge Choice" group. And you are correct: if you just need the choice within challenge email, then the Oracle doc is good to go with.

      And yes, it's possible to configure it and challenge via email directly if one of the challenge emails is not available. All you do is add a new challenge combination to check whether the email is available or not, and it triggers the primary email OTP directly.

      And I think OAAM should have that validation check while registering the emails. If not, you have to write a custom condition to check it.

      -- Siva Pokuri.
    2. Siva,
      Thanks for the response.

      A little background on our setup. We have made a few customizations. We currently are using Challenge Questions, but we will be turning this off once OTP is working. So, in the environment I am working in, I only have OTP Email. In the future we will be adding SMS.

      We are not reading/writing OTP information from OAAM. This information is stored in LDAP and I created a custom class to override the DefaultContactInfoManager class. Also, in registerUserInfo.jsp, we do not prompt for OTP information, only terms & conditions and device registration. We have a separate UI to handle user profile information.

      When you say add a new challenge combination, are you referring to creating a new Trigger Combination in the OAAM Challenge Policy?

      Scott

    3. How to configure Step Up authentication in OAAM? I tried to call /oaam_server/authJump.do as the challenge URL in the OAM Authentication scheme, which goes into an infinite loop while emailing the same OTP code every time. I tried the OAAM Condition Sub String Header validation, but no luck either.

    4. Did you try OAM + OAAM TAP integration?

    5. Yes, OAM + OAAM TAP Integration is done.

    6. If you have OAM + OAAM TAP integration done, you shouldn't give that "/oaam_server/authJump.do". There is a default TAP Authentication scheme available in the OAM authentication schemes; you can use it, or else you can use something similar to that authentication scheme. Check it out.

      Siva Pokuri.
    7. • Protected sample application (https://oam.example.com:7777/app/index.html) with TAP Scheme, which is working fine via OAAM authentication (OAAM will send an OTP in the event that the user is coming from a private location/device)
      • The above application has a link to a sensitive URL (https://oam.example.com:7777/apublic/sensitive.html)
      • Cloned TAPScheme as a new scheme called STAP with challenge parameters TAPPartnerId=OAAMTAPPartner, SERVER_HOST_ALIAS=HOST_ALIAS_1, MatchLDAPAttribute=uid, oam_requested_url=http://oam.example.com:7777/public/sensitive.htm, and Challenge URL: /oaam_server/authJump.do
      • Protected the Sensitive URL with the MTAP Scheme with Authentication level 3
      • When I try to access the sensitive URL after OAAM authentication, I am being prompted by OAAM for an OTP. Here is the challenge which I am facing: OAAM is sending the same OTP which was sent for the private location/device while authenticating the first time

    8. • If I choose the Challenge URL in STAP as /oaam_server/oamLoginPage.jsp, it's not prompting for the second OTP.

    9. What do you mean by second OTP?

      Please explain your scenario. If you are trying to implement the scenario I discussed in this post, you should get the option to select the primary or secondary email (which you already registered) to send the OTP to.

      -- Siva Pokuri.

    10. We need to do step-up authentication in OAAM, forcing the user to enter an OTP delivered by OAAM for a highly protected area.

      This means the user will get the first OTP at the time of login, and a second OTP in the event that he tries to access the sensitive area of the application.

    11. You need to have transaction-based OAAM policies, and I think you need to use the OAAM APIs to achieve that.

      -- Siva Pokuri.

    12. Would like to get a sample that overrides the DefaultContactInfoManager class so that we can use the email address stored in LDAP to send the OTP instead of asking the user to enter the email address again during OAAM user registration.
  2. Siva,
    Thank you for your example with the secondary email address. I was able to get it to work. One thing we did was to store the 2 email addresses in LDAP, because that is where the information is stored for users in a full OAM-OAAM-OIM-OUD integration. The only drawback I see is when only one email address is populated, the challenge choice page is displayed. I would have expected it to completely bypass this page with one challenge choice.

    I do have another question relating to SMS. We want to send the OTP SMS to a separate internal system using a REST client. From this internal system, we will send the SMS message. The reason is because our bank uses many products and we want to funnel all OTP through this system. Is it possible to override an OAAM class or create a custom driver to do this? Or, is there another way?

    Thanks,
    Scott

    Replies
    1. I think you can extend the class com.bharosa.uio.processor.challenge.AbstractOTPChallengeProcessor and implement the SMS OTP with your own REST client logic.

      Please take a look at this link: https://docs.oracle.com/cd/E23943_01/dev.1111/e15480/igotp.htm#AADEV4359

      -- Siva Pokuri.
  3. I have a question about creating a new EmailChallengeProcessor with dependencies. When I create this new jar, no matter whether I include the dependencies within the JAR or the WAR, the EmailChallengeProcessor does not see the dependencies. Is there a solution to this?

    Thanks,
    Scott

    Replies
    1. In general, we drop those dependency jar files in the Middleware lib folder; then, when you restart the services, the server will pick them up.

      -- Siva Pokuri.

    2. Siva,
      I was able to send the SMS OTP by making a REST call. In fact, I have 2 phone numbers, which can be a mixture of SMS and VOICE, and it works fine.

      I did run across something interesting. On my secondary VOICE processor, I forgot to build the processor into a JAR file and include it in the WAR file. But the class was included in the WAR. The secondary VOICE still worked.

      Do all processors need to be in their own JAR and then included in the WAR?
      Or only certain ones that go through UMS?
      Scott

    3. Not necessarily. As long as the compiled class files are in the application class path, it will work. I think it's the same case with you.

      -- Siva Pokuri
  5. How to send the OTP code to a user based on the user's OID/LDAP group membership?

  6. Why does the processor need to be in a JAR file, then included in the WAR? Can't the processor class just be included in the WAR?