How to Configure Second Factor Authentication (OTP) Using DCC Scheme and Adaptive Authentication Scheme
Last updated on DECEMBER 18, 2017
Applies to:Oracle Access Manager - Version 126.96.36.199.3 and later
Information in this document applies to any platform.
The goal is to configure second factor authentication using Adaptive Authentication Plugin. For this to work, the Adaptive Authentication Scheme must be configured as a second, SWITCH TO scheme in an advanced rule created for the main authentication policy used to protect the resource.
For example, you first protect the resource with a regular scheme like LDAPScheme which is used to collect only username and password. Secondly, you configure from the authentication policy, Advanced Rules Tab a new Post-Authentication rule meant to switch to Adaptive Authentication Scheme. You can use a condition that always evaluates to TRUE in the rule so that second factor authentication will always be called (e.g. 'TRUE' == 'TRUE') or create conditions based on client IP address/login username etc.
This works well as long as both schemes are using ECC. The second factor authentication breaks when the main scheme uses a Detached Credential Collector. You will still be able to collect username and password but the flow will fail when redirected to second factor scheme Challenge URL.
The issue is caused by the fact that ECC and DCC authentication use different cookies and you cannot achieve single sign on between the two. The solution is to use OAP tunneling in order to simulate ECC login on the DCC Webgate.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms