OAM 11g R2 Mobile Lab
Task 1 - Enabling M&S to access OAAM via Weblogic setting
Task 2 - Install Mobile Client Simulator Tool
Task 3 - Enable Mobile and Social interfaces in the Access Management Suite
Task 4 - Create Mobile Application entries
Task 5 - Configure Applications for Single Sign-On, and enable OAAM security handler
Task 6 - Register a user in OAAM
Task 7 - Using the Mobile Client Simulator Tool
Task 1 - Enabling M&S to access OAAM via Weblogic setting
Go to the weblogic console -> Services -> Data Sources
Double Click OAAM_SERVER_DS
Go to Targets and make sure that OAAM_SERVER_DS is targeted to both oaam_server_server1 and oam_server1 (the Mobile and Social server runs on oam_server1 and needs this data source to reach OAAM)
Task 2 - Install Mobile Client Simulator Tool
Deploy OICClientTester.war to the WebLogic Server (oam_server1)
Task 3 - Enable Mobile and Social interfaces in the Access Management Suite
OAM Console -> System Configuration -> Available Services -> Mobile and Social -> Enable
Task 4 - Create Mobile Application entries
Go to System Configuration -> Mobile and Social ->
Expand Mobile Services -> Service Domains -> Mobile Service Domain
Highlight Application Profiles -> Create (* icon)
Application Profile Configuration
Name : OICSSOApp
Description : Application responsible for mobile single sign on
Jail Breaking Detection : check
Mobile Configuration : check
Attributes Section
Mobile.clientRegHandle.baseSecret : password
Click Create
Create a new Application Profile
Application Profile Configuration
Name : BusinessApp1
Description :
Jail Breaking Detection : check
Mobile Configuration : check
Attributes Section
Mobile.clientRegHandle.baseSecret : password
Create a new Application Profile
Application Profile Configuration
Name : BusinessApp2
Description :
Jail Breaking Detection : check
Mobile Configuration : check
Attributes Section
Mobile.clientRegHandle.baseSecret : password
Task 5 - Configure Applications for Single Sign-On, and enable OAAM security handler
The next step is to assign each application's participation in SSO
Go to Mobile and Social -> Mobile Services -> Service Domains -> MobileServiceDomain
Name : MobileServiceDomain
Type : Mobile Application (check) Desktop Application (uncheck)
Credentials for Registering an Application : User Password (uncheck) User Token (check)
Authentication Scheme : Mobile Service Authentication
Security Handler Plugin Name : blank
Application Profiles
Search and Select all 3 : BusinessApp1, BusinessApp2, OICSSOApp
OICSSOApp participates in SSO as an SSO agent (meaning it is responsible for storing tokens and credentials, delivering device attributes, and communicating via REST to the mobile and social server)
Set the OICSSOApp to "As an SSO Agent"
Set each of the Business applications to "As an SSO Client"
In the same screen :-
OICSSOApp -> As an SSO Agent -> Agent Priority (1)
BusinessApp1 -> As an SSO Client -> Agent Priority (blank)
BusinessApp2 -> As an SSO Client -> Agent Priority (blank)
Now change the "Security Handler Plugin Name" to OAAMSecurityHandlerPlugin
Security Handler Plugin Name : OAAMSecurityHandlerPlugin
Task 6 - Register a user in OAAM
Ready for test
Try to access OHS 1 http://oam.example.com:7777
OAAM Login Page
Continue with the registration process after the password
Once completed the user is enrolled in OAAM
Task 7 - Using the Mobile Client Simulator Tool
Access Mobile Tool /mobiletool
Select an Operation : App Profile
Service Domain : MobileServiceDomain
Service URI : http://host:14100/oic_rest/rest
Service Name : AppProfiles
App Profile Id : OICSSOApp
clientSDKVersion : 11.1.2.0.0
Service Domain Type : Mobile
OSType : iPhone OS
OSVersion : 4.0
Click Test Service
Next Step is Application Registration.
When registering the designated single sign-on application, the registration acts as a device registration, and the registration handle obtained must be presented for subsequent Business Application registrations and Authentication requests.
Select an Operation : Register
Service Domain : MobileServiceDomain
Service URI : http://host:14100/oic_rest/rest
Service Name : mobileoamauthentication
Service Category Name : register
Mobile Service App Type : Security App (check) Business App (uncheck)
App Profile Id : OICSSOApp
HTTP Body : Request Payload Information
X-Idaas_Rest-New_Token-Type-To-Create : CLIENTREGHANDLE
X-Idaas_Rest-Subject-Type : USERCREDENTIAL
X-Idaas_Rest-Subject-Username : Username
X-Idaas_Rest-Subject-Password : Password
Click Test Service
Several fields in the Handles section will appear
You will get a 401, Response = "Challenge Action is triggered", along with a KBA question
Go to Handles
Click "Copy OAAM Session"
Click "Copy OAAM Device"
Click "multiStepAuthnSessionHandle"
In the answerStr field, type in the answer to the question presented
Click Test Service again
You will get a 200 ok
Also now you have a Client Registration Handle for the OICSSOApp security application
This handle will be required for subsequent operations
Now register a business application
We are using a dedicated SSO application, but the same functionality could be built into the business application itself
Change the "Mobile Service App Type" from "Security App" to "Business App"
App Profile Id : BusinessApp1
Ensure the "SSO Agent App ID" : OICSSOApp
Click "Copy SSO AGENT ID & CRH" to insert the Client Registration Handle for OICSSOApp obtained in the previous step
Test Service
You will get HTTP Response 200 and obtain a new ClientRegHandle for BusinessApp1
This handle is used by the business app each time it makes a request from the mobile and social server (routed through the OICSecurityApp)
Now we will test Authenticate and obtain an OAM User Token
Select an Operation : Authenticate
Service Domain : MobileServiceDomain
Service URI : http://host:14100/oic_rest/rest
Service Name : mobileoamauthentication
Service Category Name : authenticate
Service Domain Type : Mobile (check) , Desktop (uncheck)
Token Type : Client Token (uncheck) , User Token (check)
SSO Agent App ID : OICSSOApp
SSO Agent CRH : Click "COPY SSO AGENT ID & CRH"
HTTP Body : Request Payload Information
X-Idaas_Rest-New_Token-Type-To-Create : USERTOKEN
X-Idaas_Rest-Subject-Username : Username
X-Idaas_Rest-Subject-Password : Password
Click Test Service
You will receive an HTTP Response of 200
You will also see that a USERTOKEN of type OAM_11G was obtained
Finally we Test "Access"
Select an Operation : Access
Service Domain : MobileServiceDomain
Service URI : http://host:14100/oic_rest/rest
Service Name : mobileoamauthentication
Service Category Name : access
Service Domain Type : Mobile (check) , Desktop (uncheck)
SSO Agent App ID : OICSSOApp
SSO Agent CRH : Click "COPY SSO AGENT ID & CRH"
HTTP Body : Request Payload Information
X-Idaas_Rest-New_Token-Type-To-Create : USERTOKEN
X-Idaas_Rest-Subject-Username : Username
X-Idaas_Rest-Subject-Password : Password
X-Idaas-Rest-Subject-Value = the UserToken (UT) obtained in the Authenticate step; scroll down and click "COPY UT" to paste this long value
X-Idaas-Rest-Application-Resource = http://oam.example.com:7777/welcome-index.html
X-Idaas-Rest-Application-Context (Blank if OAM Token Provider) : blank
You will receive the 200 OK response
The token should be "ACCESSTOKEN" and the provider type "OAM_11G"
The access token is provided; this is the token that the app developer would receive and present as part of the request for an OAM-protected resource.
The webgate would see that the token is valid, and will not redirect for authentication, instead passing the request through to the protected resource.
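The Task 7 sequence (security-app registration with the OAAM KBA challenge, business-app registration through the SSO agent's handle, Authenticate for an OAM_11G USERTOKEN, then Access for an ACCESSTOKEN) is shown below as an added example, not code from the lab or from Oracle's Mobile and Social SDK. The client sends the lab's field names as a JSON-style dictionary to the lab's Service URI; the in-memory SimulatedServer, the user store ("alice"/"Secret1"), the KBA question and answer ("blue"), the response keys (ClientRegHandle, TokenType, ProviderType, TokenValue), the "App Profile Id" / "SSO Agent App ID" / "SSO Agent CRH" payload keys, and the use of ACCESSTOKEN in the Access request are all constructed assumptions, not the product's wire format. What it demonstrates is the handle chaining the lab describes: nothing past the first step succeeds without the agent's Client Registration Handle, and the KBA step must be answered before that handle is issued.

```python
import secrets

BASE_URI = "http://host:14100/oic_rest/rest"   # Service URI from the lab
SERVICE = "mobileoamauthentication"              # Service Name from the lab
CHALLENGE = "Challenge Action is triggered"      # 401 response text from the lab
TOKEN = "X-Idaas_Rest-New_Token-Type-To-Create"  # field names as the lab's tool shows them
USER, PASS = "X-Idaas_Rest-Subject-Username", "X-Idaas_Rest-Subject-Password"


class SimulatedServer:
    """Constructed stand-in for the Mobile and Social server (not the product). It mimics only
    what the lab shows: a KBA challenge on the security app's registration, handle chaining,
    and OAM_11G user/access tokens. Response keys are assumptions."""

    def __init__(self, users, kba_answer):
        self.users, self.kba_answer = users, kba_answer   # constructed user store and answer
        self.pending = {}       # multiStepAuthnSessionHandle -> app profile id awaiting KBA
        self.crhs = {}          # ClientRegHandle -> app profile id it was issued to
        self.user_tokens = {}   # USERTOKEN value -> username

    def __call__(self, url, body):
        return getattr(self, url.rsplit("/", 1)[-1])(body)   # dispatch on Service Category

    def _agent_ok(self, body):
        # The presented handle must exist and belong to the named SSO agent app
        return self.crhs.get(body.get("SSO Agent CRH")) == body.get("SSO Agent App ID")

    def _creds_ok(self, body):
        user = body.get(USER)
        return user in self.users and self.users[user] == body.get(PASS)

    def register(self, body):
        app = body["App Profile Id"]
        if body.get(TOKEN) != "CLIENTREGHANDLE":
            return 400, {"Response": "unsupported token type"}
        if "SSO Agent CRH" in body:                     # business app, routed via the agent
            if not self._agent_ok(body):
                return 401, {"Response": "invalid SSO agent handle"}
        elif "multiStepAuthnSessionHandle" in body:    # step 2: KBA answer for the security app
            pending = self.pending.pop(body["multiStepAuthnSessionHandle"], None)
            if pending != app or body.get("answerStr") != self.kba_answer:
                return 401, {"Response": "challenge failed"}
        else:                                          # step 1: security app credentials
            if not self._creds_ok(body):
                return 401, {"Response": "invalid credentials"}
            session = secrets.token_hex(8)
            self.pending[session] = app
            return 401, {"Response": CHALLENGE, "question": "Favourite colour?",
                         "multiStepAuthnSessionHandle": session}
        crh = secrets.token_hex(16)
        self.crhs[crh] = app
        return 200, {"ClientRegHandle": crh}

    def authenticate(self, body):
        if not (self._agent_ok(body) and self._creds_ok(body)):
            return 401, {"Response": "authentication failed"}
        token = secrets.token_hex(16)
        self.user_tokens[token] = body[USER]
        return 200, {"TokenType": "USERTOKEN", "ProviderType": "OAM_11G", "TokenValue": token}

    def access(self, body):
        if not self._agent_ok(body) or body.get("X-Idaas-Rest-Subject-Value") not in self.user_tokens:
            return 401, {"Response": "invalid user token"}
        return 200, {"TokenType": "ACCESSTOKEN", "ProviderType": "OAM_11G",
                     "TokenValue": secrets.token_hex(16)}


class MobileClient:
    """Client side of the exchange, in the order the lab's simulator tool runs it."""

    def __init__(self, transport, agent_app="OICSSOApp"):
        self.transport, self.agent_app, self.agent_crh = transport, agent_app, None

    def _post(self, category, body, via_agent=True):
        if via_agent:   # the lab's "COPY SSO AGENT ID & CRH" button
            body.update({"SSO Agent App ID": self.agent_app, "SSO Agent CRH": self.agent_crh})
        return self.transport(f"{BASE_URI}/{SERVICE}/{category}", body)

    @staticmethod
    def _expect_ok(status, resp):
        if status != 200:
            raise PermissionError(resp["Response"])
        return resp

    def register_agent(self, username, password, answer_kba):
        body = {"App Profile Id": self.agent_app, TOKEN: "CLIENTREGHANDLE",
                "X-Idaas_Rest-Subject-Type": "USERCREDENTIAL", USER: username, PASS: password}
        status, resp = self._post("register", body, via_agent=False)
        if status == 401 and resp.get("Response") == CHALLENGE:
            # OAAM challenge: resend with the session handle and the KBA answer
            body["multiStepAuthnSessionHandle"] = resp["multiStepAuthnSessionHandle"]
            body["answerStr"] = answer_kba(resp["question"])
            status, resp = self._post("register", body, via_agent=False)
        self.agent_crh = self._expect_ok(status, resp)["ClientRegHandle"]
        return self.agent_crh

    def register_client(self, app_id):
        body = {"App Profile Id": app_id, TOKEN: "CLIENTREGHANDLE"}
        return self._expect_ok(*self._post("register", body))["ClientRegHandle"]

    def authenticate(self, username, password):
        body = {TOKEN: "USERTOKEN", USER: username, PASS: password}
        return self._expect_ok(*self._post("authenticate", body))

    def access(self, user_token, resource):
        body = {TOKEN: "ACCESSTOKEN", "X-Idaas-Rest-Subject-Value": user_token,
                "X-Idaas-Rest-Application-Resource": resource}
        return self._expect_ok(*self._post("access", body))


def run_lab_flow(server=None):
    """Task 7 end to end: agent register (with KBA), client register, authenticate, access."""
    server = server or SimulatedServer({"alice": "Secret1"}, "blue")   # constructed values
    client = MobileClient(server)
    out = {"agent_crh": client.register_agent("alice", "Secret1", lambda question: "blue")}
    out["app_crh"] = client.register_client("BusinessApp1")
    out["user"] = client.authenticate("alice", "Secret1")
    out["access"] = client.access(out["user"]["TokenValue"],
                                  "http://oam.example.com:7777/welcome-index.html")
    return out
```

Running `run_lab_flow()` returns the two handles and both tokens; calling `register_client` on a fresh `MobileClient` before `register_agent`, or answering the KBA question wrongly, raises `PermissionError`, which mirrors the 401s the simulator tool shows when the handle or answer is missing.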