Tuesday, October 10, 2017

How to allow multiple login attributes in OAM/OAAM integrated environment


The requirement is to allow users to choose at login time from 2 different attributes from LDAP (e.g. uid and email address). 

Oracle solution:

Ref: How to allow multiple login attributes in OAM/OAAM integration using a custom TAP module (Doc ID 2190079.1)

For login user enters username and password on the OAAM page used when integrated with OAM (oaam_server/oamLoginPage.jsp).

Doing so, however, will imply that OAAM will have to keep two security profiles corresponding to each login attribute. When user is authenticated using a different attribute for the first time he will be seen as a new user (OAAM will create a new user record with login_id set to the new attribute value in the VCRYPT_USERS database table) so the registration process will take place again.

This will affect as well any pattern, behavior data which OAAM registers for that user (which will actually be seen by OAAM as 2 users now) so it's not recommended in case one wants to have highly accurate login and pattern data for each user.

Custom solution:

Since there is a limitation when OAAM is part of solution as mentioned in Oracle solution. Below custom solution will prevent creating duplicate OAAM security profiles for same user who login with either username or email address and no custom TAP modules need to be created in OAM.

By customizing OAAM login flow using OAAM extensions it can be achieved.

High level steps below.

  1. Copy struts config file action mapping for /login.do from oaam_server.ear to OAAM extensions WAR file struts XML file.
  2. Change the "/login.do" action mapping "success" redirect to custom action(Example: /validateUser.do)
  3. Write an action class extending struts action with below logic.
    1. Get user entered email address/username entered in OAAM login page screen from OAAM session.
    2. Write custom logic(JNDI code) to get user login attribute(uid) from user store in custom action class
    3. Update UIOSessionData instance with user login attribute(uid) retrieved from user store
    4. Recreate VcryptAuthUser with login username(uid attribute retrieved from user store) if user has already OAAM security profile already created.
    5. Send action forward to "/loginJump.do" to continue login process with username(uid attribute) even though user entered email address.
  4. Build custom action class into a custom jar file and deploy in OAAM extensions war under /WEB-INF/lib folder
Siva Pokuri.

No comments:

Post a Comment