WNA Fallback to FORM Based Authentication Step By Step Process
Problem Statement: How to configure a custom login page instead of the WNA fallback popup
Product Components: OAM (11.1.2.3), Active Directory
Note: Advanced Rules are part of the Adaptive Authentication Service, for which a license is required. If you want to follow the process below you must have the license for the “Adaptive Authentication Service”, as per the Oracle License Detail document.
Detailed Problem Statement: If you have a requirement to change the challenge method from WNA to FORM-based and use a custom login page, instead of the default popup, for authentication, you will have to apply the settings below.
How does it work:
- Initially the WNA scheme is used to run Kerberos authentication.
- When the Kerberos token cannot be identified, instead of the popup we can use our own custom login page or the Oracle default login page by making the following changes.
- We have to create a customized page, save it on the OAM server and make changes in the oam-config.xml file.
- The user needs to click the login button on the customized page (which invokes the optOut() JavaScript function and redirects to your respective Application Domain) to trigger the WNA fallback to FORM-based authentication.
- The scheme is then switched here: Application Domain -> Scheme Name/Application Domain Name -> Advanced Rules -> enter conditions -> change scheme.
- Once the configuration below is done, OAM will fall back from WNA to FORM authentication when validation of the SPNEGO token fails. This use case is supported only when the KerberosTokenAuthenticator plugin is used.
For more details refer to the OAM documentation, which describes how the fallback works.
Steps to perform the above functionality:
- Shut down the Access (OAM) WebLogic managed server and the Admin Server.
- Open the oam-config.xml file (Middleware_Home/OAM_Domain/config/fmwconfig/).
- Increase the Version setting of the file by 1, e.g.:
<Setting Name="Version" Type="xsd:integer">5020</Setting>
- Search for the keyword “WNAO” in oam-config.xml. You will find:
<Setting Name="WNAOptions" Type="htf:map">
  <Setting Name="HandleNTLMResponse" Type="xsd:string">BASIC</Setting>
</Setting>
Change the above setting to:
<Setting Name="WNAOptions" Type="htf:map">
  <Setting Name="HandleNTLMResponse" Type="xsd:string">FORM</Setting>
  <Setting Name="IsOptOutPersistent" Type="xsd:boolean">false</Setting>
  <Setting Name="CustomOptOutPage" Type="xsd:string"><PATH OF HTML FILE></Setting>
</Setting>
For the CustomOptOutPage setting you have to place an HTML file at that path. The content of the file is shown at the end of this post.
Note: If you have a clustered environment, use a shared path to store the file and mention the same path with the file name in oam-config.xml as shown above.
- Now search for “KerberosTokenAuthenticator” in oam-config.xml. Under <Setting Name="initParameters" Type="htf:list"> you will see a numbered list of entries (<Setting Name="1" Type="htf:map">, <Setting Name="2" Type="htf:map"> and so on). Add the block below before the closing tag of initParameters, using the last number plus one as its Name (e.g. 4):
<Setting Name="<last no + 1>" Type="htf:map">
  <Setting Name="name" Type="xsd:string">KEY_FORM_FALLBACK_ENABLED</Setting>
  <Setting Name="type" Type="xsd:string">string</Setting>
  <Setting Name="value" Type="xsd:string"></Setting>
  <Setting Name="length" Type="xsd:integer">256</Setting>
  <Setting Name="globalUIOverride" Type="xsd:boolean">false</Setting>
  <Setting Name="instanceOverride" Type="xsd:boolean">false</Setting>
  <Setting Name="mandatory" Type="xsd:boolean">false</Setting>
</Setting>
This setting is what makes the fallback scenario work.
- Save oam-config.xml and start the servers.
- In the OAM console navigate to Configuration -> Available Services and enable the Adaptive Authentication Service.
- In the OAM console go to Authentication Modules and search for the module you have specified in the scheme. On the Steps tab add a new step “stepKTA2” and attach the “KerberosTokenAuthenticator” plugin. Set the value of the KEY_FORM_FALLBACK_ENABLED parameter added above to “True”; the remaining values can be taken from your existing, working stepKTA.
- Re-align your step orchestration to use “stepKTA2” instead of “stepKTA”, otherwise the fallback will not work. You may use an additional custom plugin here if you have such a requirement.
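The oam-config.xml edits from the steps above (bump the version, switch WNAOptions to FORM with an opt-out page, and append the KEY_FORM_FALLBACK_ENABLED entry at the next free index under initParameters) can be applied and checked by a small script rather than by hand, which avoids the two mistakes that silently break the fallback: a version that was not incremented and a duplicated or wrongly numbered init parameter. The script below is an added example and is not part of the original post or of Oracle's tooling; it runs against a constructed, minimal stand-in for oam-config.xml whose existing parameter names (SAMPLE_PARAM_A and so on) are made up. It assumes the Setting/Name/Type layout quoted in the post and that the file carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for oam-config.xml (not a real file). The
# Setting/Name/Type layout follows the fragments quoted in the post; the
# three existing parameter names are made up for the sample.
SAMPLE_OAM_CONFIG = """<Configuration>
  <Setting Name="Version" Type="xsd:integer">5019</Setting>
  <Setting Name="WNAOptions" Type="htf:map">
    <Setting Name="HandleNTLMResponse" Type="xsd:string">BASIC</Setting>
  </Setting>
  <Setting Name="KerberosTokenAuthenticator" Type="htf:map">
    <Setting Name="initParameters" Type="htf:list">
      <Setting Name="1" Type="htf:map">
        <Setting Name="name" Type="xsd:string">SAMPLE_PARAM_A</Setting>
      </Setting>
      <Setting Name="2" Type="htf:map">
        <Setting Name="name" Type="xsd:string">SAMPLE_PARAM_B</Setting>
      </Setting>
      <Setting Name="3" Type="htf:map">
        <Setting Name="name" Type="xsd:string">SAMPLE_PARAM_C</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>"""

# The KEY_FORM_FALLBACK_ENABLED entry exactly as the post gives it.
FALLBACK_PARAM = (
    ("name", "xsd:string", "KEY_FORM_FALLBACK_ENABLED"),
    ("type", "xsd:string", "string"),
    ("value", "xsd:string", ""),
    ("length", "xsd:integer", "256"),
    ("globalUIOverride", "xsd:boolean", "false"),
    ("instanceOverride", "xsd:boolean", "false"),
    ("mandatory", "xsd:boolean", "false"),
)


def _settings(parent):
    """Direct <Setting> children of an element."""
    return [c for c in parent if c.tag == "Setting"]


def _child(parent, name):
    """Direct child <Setting Name="name"> of parent, or KeyError."""
    for s in _settings(parent):
        if s.get("Name") == name:
            return s
    raise KeyError(name)


def _find(root, name):
    """First <Setting Name="name"> anywhere in the tree, or KeyError."""
    for el in root.iter("Setting"):
        if el.get("Name") == name:
            return el
    raise KeyError(name)


def _set_or_add(parent, name, typ, text):
    """Update an existing child setting, or append it if absent."""
    try:
        _child(parent, name).text = text
    except KeyError:
        ET.SubElement(parent, "Setting", Name=name, Type=typ).text = text


def apply_wna_fallback(xml_text, opt_out_page):
    """Apply the post's three oam-config.xml edits and return
    (new_xml_text, summary). Safe to run on an already edited file: the
    init parameter is added only once, while the version is bumped on every
    run because every edit of the file requires that."""
    root = ET.fromstring(xml_text)

    version = _find(root, "Version")
    version.text = str(int(version.text) + 1)

    wna = _find(root, "WNAOptions")
    _set_or_add(wna, "HandleNTLMResponse", "xsd:string", "FORM")
    _set_or_add(wna, "IsOptOutPersistent", "xsd:boolean", "false")
    _set_or_add(wna, "CustomOptOutPage", "xsd:string", opt_out_page)

    params = _child(_find(root, "KerberosTokenAuthenticator"), "initParameters")
    entries = _settings(params)
    existing = [e for e in entries
                if _child(e, "name").text == "KEY_FORM_FALLBACK_ENABLED"]
    if existing:
        index = int(existing[0].get("Name"))
    else:
        # "<last no + 1>": numeric Name of the last entry plus one.
        index = max(int(e.get("Name")) for e in entries) + 1
        entry = ET.SubElement(params, "Setting", Name=str(index), Type="htf:map")
        for name, typ, text in FALLBACK_PARAM:
            ET.SubElement(entry, "Setting", Name=name, Type=typ).text = text

    summary = {
        "version": int(version.text),
        "handle_ntlm": _child(wna, "HandleNTLMResponse").text,
        "opt_out_page": _child(wna, "CustomOptOutPage").text,
        "fallback_index": index,
    }
    return ET.tostring(root, encoding="unicode"), summary


if __name__ == "__main__":
    new_xml, info = apply_wna_fallback(SAMPLE_OAM_CONFIG, "/shared/oam/optout.html")
    print(info)
    print(new_xml)
```

On a real file, take a backup first and diff the result against it before starting the servers; ElementTree drops the XML declaration and would need the file's namespace handled if one is present, so treat the output as something to review, not to copy blindly.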
In case of Webgate:
- Go to your respective Application Domain and change the Advanced Rules. Add the condition you want to use.
- There are multiple conditions you may use here (the OAM documentation lists the available conditions), or you can use the default condition:
str(request.requestMap['Cookie']).lower().find('oam_wna_opt_out=true') >= 0
- Select the different FORM-based scheme to which you want the fallback to redirect.
- You can also use multiple rules here, as per your conditions.
In case of Federation:
- You will have to use WLST to specify the scheme for your application, as below:
  - Run MW_HOME/Oracle_IDM1/common/bin/wlst.sh
  - Connect to the domain with the username, password and URL
  - domainRuntime()
  - setSPPartnerDefaultScheme(partner="<application name which you have used while configuring the application>", authnScheme="<SchemeName>")
- Go to Application Domain -> IAMSuite -> Authentication Policies and search for the scheme name you specified above.
- Go to Advanced Rules and add the condition you want to use.
- There are multiple conditions you may use here (the OAM documentation lists the available conditions), or you can use the default condition:
str(request.requestMap['Cookie']).lower().find('oam_wna_opt_out=true') >= 0
- Select the different FORM-based scheme to which you want the fallback to redirect.
- You can also use multiple rules here, as per your conditions.
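The default condition used in both the Webgate and the Federation case above is a Jython expression that OAM evaluates against its own request object; it is worth seeing exactly which requests it fires on before relying on it, because it is a plain substring search over the whole Cookie header. The block below is an added example, not part of the original post or of OAM: it evaluates the post's condition verbatim over constructed request headers, using a plain dict as a stand-in for request.requestMap (the assumption that a missing Cookie header yields None is mine, to mirror a Java Map returning null), and sets a stricter cookie-parsing check beside it that only fires when a cookie actually named oam_wna_opt_out carries the value true.

```python
from http.cookies import SimpleCookie, CookieError

# The Advanced Rules condition quoted in the post, verbatim.
RULE = ("str(request.requestMap['Cookie']).lower()"
        ".find('oam_wna_opt_out=true') >= 0")


class _Request:
    """Stand-in for the object OAM exposes to the rule as `request`.
    requestMap is modelled as a plain dict of header name -> value; a
    missing Cookie header yields None (an assumption, mirroring a Java Map
    that returns null for an absent key)."""

    def __init__(self, headers):
        self.requestMap = dict(headers)
        self.requestMap.setdefault("Cookie", None)


def rule_matches(headers):
    """Evaluate the post's condition, as written, over constructed headers."""
    return bool(eval(RULE, {"__builtins__": {"str": str}},
                     {"request": _Request(headers)}))


def opt_out_cookie_set(headers):
    """Stricter equivalent: parse the Cookie header and require a cookie
    whose *name* is oam_wna_opt_out and whose value is true, so the check
    cannot fire merely because the string appears inside another cookie's
    value. Name and value are compared case-insensitively, like the rule."""
    raw = headers.get("Cookie")
    if not raw:
        return False
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except CookieError:
        return False
    return any(name.lower() == "oam_wna_opt_out" and morsel.value.lower() == "true"
               for name, morsel in jar.items())


# Constructed request headers used to exercise both checks.
SAMPLES = {
    "opted out":          {"Cookie": "JSESSIONID=abc123; oam_wna_opt_out=true"},
    "no opt-out cookie":  {"Cookie": "JSESSIONID=abc123"},
    "no Cookie header":   {},
    "upper case":         {"Cookie": "OAM_WNA_OPT_OUT=TRUE"},
    "inside other value": {"Cookie": "tracker=oam_wna_opt_out=true"},
}


def compare(samples=SAMPLES):
    """Return {label: (rule_result, strict_result)} for each sample."""
    return {label: (rule_matches(h), opt_out_cookie_set(h))
            for label, h in samples.items()}


if __name__ == "__main__":
    for label, (loose, strict) in compare().items():
        print(f"{label:20s} rule={loose!s:5s} strict={strict}")
```

The two checks agree on every sample except the last one, where the opt-out string sits inside an unrelated cookie's value: the post's substring rule selects the FORM scheme there, the parsed check does not. Whether that matters depends on what other cookies reach OAM on your domain; if it does, the stricter logic can be expressed in the rule itself, since Advanced Rules accept arbitrary Jython expressions.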
Content of the HTML file which is specified in oam-config.xml:
<!DOCTYPE html>
<html>
<body>
<h1>Do not click Back or Refresh button. Click on Button to go to SSO Page!</h1>
<button onclick="optOut()">Click Here To Go To SSO Page</button>
</body>
</html>
Your HTML page will look like below:
Clicking the button invokes optOut(), which triggers the scheme you specified in the Advanced Rules when its conditions are met.
Note: After the user clicks through from this page, if you want to display your own custom login page instead of the OAM default credential collector page, specify that page's URL in the scheme you used in the Advanced Rules.
Hi Soham,
It's really helpful and we got our solution for the same.
Thanks for the update.

Reply: Thank you... Good to hear it helped :)

This was an information worth sharing. Great help Soham 👍

Reply: Thank you... Good to hear it helped :)

Really Nice Work Man !! Thanks for sharing.

Reply: Thank you... Good to hear it helped :)