OAM 11g R2 Mobile Lab

Task 1 - Enabling M&S to access OAAM via Weblogic setting
Task 2 - Install Mobile Client Simulator Tool
Task 3 - Enable Mobile and Social interfaces in the Access Management Suite
Task 4 - Create Mobile Application entries
Task 5 - Configure Applications for Single Sign-On, and enable OAAM security handler
Task 6 - Register a user in OAAM 
Task 7 - Using the Mobile Client Simulator Tool

Task 1 - Enabling M&S to access OAAM via Weblogic setting

Go to the WebLogic console -> Services -> Data Sources
Double-click OAAM_SERVER_DS
Go to Targets and make sure that OAAM_SERVER_DS is deployed to both oaam_server_server1 and oam_server1

Task 2 - Install Mobile Client Simulator Tool

Deploy OICClientTester.war to the WebLogic Server (oam_server1)

Task 3 - Enable Mobile and Social interfaces in the Access Management Suite

OAM Console -> System Configuration -> Available Services -> Mobile and Social -> Enable

Task 4 - Create Mobile Application entries

Go to System Configuration -> Mobile and Social -> 
Expand Mobile Services -> Service Domains -> Mobile Service Domain 
Highlight Application Profiles -> Create (* icon)

Application Profile Configuration
Name : OICSSOApp
Description : Application responsible for mobile single sign on 
Jail Breaking Detection : check 
Mobile Configuration : check
Attributes Section 
Mobile.clientRegHandle.baseSecret : password

Click Create

Create a new Application Profile

Application Profile Configuration
Name : BusinessApp1
Description :  
Jail Breaking Detection : check 
Mobile Configuration : check
Attributes Section 
Mobile.clientRegHandle.baseSecret : password

Create a new Application Profile

Application Profile Configuration
Name : BusinessApp2
Description :  
Jail Breaking Detection : check 
Mobile Configuration : check
Attributes Section 
Mobile.clientRegHandle.baseSecret : password

Task 5 - Configure Applications for Single Sign-On, and enable OAAM security handler

The next step is to assign each application's participation in SSO.

Go to Mobile and Social -> Mobile Services -> Service Domains -> MobileServiceDomain 

Name : MobileServiceDomain
Type : Mobile Application (check) Desktop Application (uncheck)
Credentials for Registering an Application : User Password (uncheck) User Token (check)
Authentication Scheme : Mobile Service Authentication
Security Handler Plugin Name : blank
Application Profiles
Search and Select all 3 : BusinessApp1, BusinessApp2, OICSSOApp

OICSSOApp participates in SSO as an SSO agent (meaning it is responsible for storing tokens and credentials, delivering device attributes, and communicating via REST to the mobile and social server)

Set the OICSSOApp to "As an SSO Agent"
Set each of the Business applications to "As an SSO Client"

On the same screen:
OICSSOApp -> As an SSO Agent -> Agent Priority (1)
BusinessApp1 -> As an SSO Client -> Agent Priority (blank)
BusinessApp2 -> As an SSO Client -> Agent Priority (blank)

Now change the "Security Handler Plugin Name" to OAAMSecurityHandlerPlugin 

Security Handler Plugin Name : OAAMSecurityHandlerPlugin

Task 6 - Register a user in OAAM 

Now ready to test:

Try to access OHS 1 at http://oam.example.com:7777
You are presented with the OAAM login page.
After entering the password, continue with the OAAM registration process.
Once it completes, the user is enrolled in OAAM.

Task 7 - Using the Mobile Client Simulator Tool

Access Mobile Tool /mobiletool

Select an Operation : App Profile
Service Domain : MobileServiceDomain
Service URI : http://host:14100/oic_rest/rest
Service Name : AppProfiles
App Profile Id : OICSSOApp
clientSDKVersion : 11.1.2.0.0
Service Domain Type : Mobile
OSType : iPhone OS
OSVersion : 4.0

Click Test Service

The next step is application registration.
When registering the designated single sign-on application, the registration acts as a device registration, and the registration handle obtained must be presented for all subsequent business application registrations and authentication requests.

Select an Operation : Register
Service Domain : MobileServiceDomain
Service URI : http://host:14100/oic_rest/rest
Service Name : mobileoamauthentication
Service Category Name : register
Mobile Service App Type : Security App (check) Business App (uncheck)
App Profile Id : OICSSOApp
HTTP Body : Request Payload Information 
X-Idaas_Rest-New_Token-Type-To-Create : CLIENTREGHANDLE
X-Idaas_Rest-Subject-Type : USERCREDENTIAL
X-Idaas_Rest-Subject-Username : Username
X-Idaas_Rest-Subject-Password : Password

Click Test Service

Several fields will appear in the Handles section.

You will get a 401 with Response = "Challenge Action is triggered", along with a KBA question.

Go to Handles
Click "Copy OAAM Session"
Click "Copy OAAM Device"
Click "multiStepAuthnSessionHandle"
In answerStr, type the answer to the question presented

Click Test Service again
You will get a 200 OK
You now also have a Client Registration Handle for the OICSSOApp security application
This handle is required for all subsequent operations

Now register a business application
We are using a dedicated SSO application, but the same functionality could be built into the business application itself

Change the "Mobile Service App Type" from "Security App" to "Business App"
App Profile Id : BusinessApp1

Ensure the "SSO Agent App ID" : OICSSOApp
Click "Copy SSO AGENT ID & CRH" to insert the Client Registration Handle for OICSSOApp obtained in the previous step
Click Test Service

You will get HTTP Response 200 and obtain a new ClientRegHandle for BusinessApp1
This handle is used by the business app each time it makes a request from the mobile and social server (routed through the OICSecurityApp)
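The two registration calls above, as an added Python example that is not part of this lab or of Oracle's simulator tool: a client that registers the security app (handling the OAAM 401 challenge by echoing the session, device and multi-step handles with answerStr) and then registers a business app on the agent's handle, against a constructed fake server that replies the way the lab describes. The request/response field names used for the handles (oaamSession, oaamDevice, multiStepAuthnSessionHandle, answerStr, ssoAgentAppId, ssoAgentCRH, clientRegHandle) are assumptions, not the real Mobile and Social wire format.

```python
def register_apps(send, user, pw, answer_for):
    """Register OICSSOApp as SSO agent (with OAAM challenge handling), then
    BusinessApp1 as SSO client using the agent's handle. Returns both handles.
    send(category, app_id, body) -> (http_status, response_dict) is the transport."""
    body = {"X-Idaas_Rest-New_Token-Type-To-Create": "CLIENTREGHANDLE",
            "X-Idaas_Rest-Subject-Type": "USERCREDENTIAL",
            "X-Idaas_Rest-Subject-Username": user,
            "X-Idaas_Rest-Subject-Password": pw}
    status, resp = send("register", "OICSSOApp", body)
    if status == 401 and resp.get("message") == "Challenge Action is triggered":
        # OAAM wants KBA: echo its session, device and multi-step handles, add the answer.
        for k in ("oaamSession", "oaamDevice", "multiStepAuthnSessionHandle"):
            body[k] = resp[k]
        body["answerStr"] = answer_for(resp["question"])
        status, resp = send("register", "OICSSOApp", body)
    if status != 200:
        raise RuntimeError("security app registration failed: HTTP %d" % status)
    agent_crh = resp["clientRegHandle"]
    # Business app: no user credentials, only the agent id and its registration handle.
    status, resp = send("register", "BusinessApp1",
                        {"ssoAgentAppId": "OICSSOApp", "ssoAgentCRH": agent_crh})
    if status != 200:
        raise RuntimeError("business app registration failed: HTTP %d" % status)
    return {"OICSSOApp": agent_crh, "BusinessApp1": resp["clientRegHandle"]}

class FakeMobileSocialServer:
    """Constructed stand-in that replies the way the lab describes; its field
    names are assumptions, not the real Mobile and Social wire format."""
    def __init__(self, kba_answer):
        self.kba_answer, self.agent_handles = kba_answer, set()

    def send(self, category, app_id, body):
        if category != "register":
            return 404, {}
        if app_id == "OICSSOApp":               # security app: OAAM may challenge
            if body.get("X-Idaas_Rest-Subject-Type") != "USERCREDENTIAL":
                return 400, {}
            if body.get("answerStr") != self.kba_answer:
                return 401, {"message": "Challenge Action is triggered",
                             "question": "First pet's name?", "oaamSession": "S-1",
                             "oaamDevice": "D-1", "multiStepAuthnSessionHandle": "M-1"}
            self.agent_handles.add("CRH-OICSSOApp")
            return 200, {"clientRegHandle": "CRH-OICSSOApp"}
        if body.get("ssoAgentCRH") not in self.agent_handles:   # business app
            return 401, {"message": "unknown SSO agent handle"}
        return 200, {"clientRegHandle": "CRH-" + app_id}
```

A business app that presents no valid agent handle is refused, which is the property the lab's "SSO Agent CRH" field enforces.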

Now we will test Authenticate and obtain an OAM User Token 

Select an Operation : Authenticate
Service Domain : MobileServiceDomain
Service URI : http://host:14100/oic_rest/rest
Service Name : mobileoamauthentication
Service Category Name : authenticate
Service Domain Type : Mobile (check) , Desktop (uncheck)
Token Type : Client Token (uncheck) , User Token (check)
SSO Agent App ID : OICSSOApp
SSO Agent CRH : Click "COPY SSO AGENT ID & CRH"

HTTP Body : Request Payload Information 
X-Idaas_Rest-New_Token-Type-To-Create : USERTOKEN
X-Idaas_Rest-Subject-Username : Username
X-Idaas_Rest-Subject-Password : Password

Click Test Service

You will receive an HTTP 200 response,
and you will see that a USERTOKEN of type OAM_11G was obtained.

Finally, we test "Access".

Select an Operation : Access
Service Domain : MobileServiceDomain
Service URI : http://host:14100/oic_rest/rest
Service Name : mobileoamauthentication
Service Category Name : access
Service Domain Type : Mobile (check) , Desktop (uncheck)
SSO Agent App ID : OICSSOApp
SSO Agent CRH : Click "COPY SSO AGENT ID & CRH"

HTTP Body : Request Payload Information 
X-Idaas_Rest-New_Token-Type-To-Create : USERTOKEN
X-Idaas_Rest-Subject-Username : Username
X-Idaas_Rest-Subject-Password : Password

Scroll down and click "Copy UT" (UT = UserToken) to fill in the token value:

X-Idaas-Rest-Subject-Value = Long Value (inserted by "COPY UT")

X-Idaas-Rest-Application-Resource = http://oam.example.com:7777/welcome-index.html

X-Idaas-Rest-Application-Context (Blank if OAM Token Provider) : blank

You will receive a 200 OK response.

The token should be "ACCESSTOKEN" and the provider type "OAM_11G".
The access token is provided; this is the token that the app developer would receive and present as part of the request for an OAM-protected resource.
The webgate would see that the token is valid and, instead of redirecting for authentication, pass the request through to the protected resource.
