
15 Flash Fingerprinting

This chapter focuses on the specifics of Flash Fingerprinting within an Oracle Adaptive Access Manager native integration. All code examples included in the chapter are outlines of calls needed to perform the tasks. They should not be considered complete implementations.

15.1 Device Fingerprinting

Oracle Adaptive Access Manager captures information about the devices that a user utilizes when accessing protected applications. This information consists of many different data points gathered through a variety of means. The data collected is encoded into a unique fingerprint for the device. When a device is used for an access request, Oracle Adaptive Access Manager interrogates the device for the fingerprint and uses it, along with many other types of data, to determine the risk associated with the specific access request. Some of the technologies used to gather fingerprint data include HTTP headers, secure cookies, shared flash objects and behavior profiling.

15.2 Definitions of Variables and Parameters

Table 15–1 lists the parameters and response variable used in the interaction between the flash movie and the application.

Note: This chapter assumes that the reader is familiar with Oracle Adaptive Access Manager native integrations and APIs.

Table 15–1 Flash Movie Parameters and Response Variables

| Parameter/Response Variable | Usage |
|---|---|
| v | Used as an HTTP request parameter sent from the flash movie to the application. It contains the generated cookie string that is used a single time by the user. This value is also returned in the HTTP response to the flash movie as v=new value. |
| client | Used as an HTTP request parameter sent from the flash movie to the application. This indicates the type of client performing the fingerprinting; in this case, flash. The expected value from the flash movie is vfc. |
| fp | Used as an HTTP request parameter sent from the flash movie to the application. It contains information about the client computer accessible to the flash player. |

Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

15.3 Option 1

Option 1 is the traditional implementation, using a Jump Page to include the flash movie that is used for fingerprinting. In Option 1, the flash movie sends the user's current flash cookie value to the server and the server responds with a new value in a single transaction.

15.3.1 Option 1 Flow

Figure 15–1 shows the flow of Option 1.

Figure 15–1 Option 1

1. The user is presented with the user name page.
2. The user submits the user name.
   a. The application loads the user.
   b. The application calls VCryptTracker.updateLog with the User and HTTP Cookie information.
3. The user is taken to the jump page containing the embedded flash movie.
   a. The flash movie makes an HTTP request, triggering flash fingerprint handling.
      i. The server retrieves the HTTP request parameter v and stores it in session.
      ii. The server retrieves the HTTP request parameter client.
      iii. The server retrieves the HTTP request parameter fp.
      iv. Parse fp with VCryptServletUtil.getFlashFingerprint(client, fp).
      v. Calls VCryptTracker.updateLog with the User, HTTP Cookie, and Flash information.
      vi. The new flash cookie returned in CookieSet from updateLog is returned to the flash movie in the HTTP response: "v=" + cookieSet.getFlashCookie().
4. The user is taken to the password page after the jump page wait period.
   a. Run the Pre-Authentication Rules.
5. The user submits the password.
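The server-side handling in step 3a, sketched as an added example (not Oracle's code and not part of the original guide). Request parameters and the session are modelled as maps, and StubTracker is a hypothetical stand-in for the VCryptTracker.updateLog call, whose real signature is not reproduced here. Parsing of fp (step 3a.iv) is omitted and all request values are constructed.

```java
import java.security.SecureRandom;
import java.util.*;

public class FlashFingerprintExample {
    // Hypothetical stand-in for the VCryptTracker.updateLog step; not the OAAM signature.
    static class StubTracker {
        private final Map<String, String> issued = new HashMap<>(); // user -> current single-use value
        private final SecureRandom rng = new SecureRandom();
        boolean lastPresentedWasCurrent;

        String updateLog(String user, String flashCookie, String fingerprint) {
            // A value that was already rotated out (or never issued) does not match.
            lastPresentedWasCurrent = flashCookie != null && flashCookie.equals(issued.get(user));
            byte[] raw = new byte[16];
            rng.nextBytes(raw);
            String next = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            issued.put(user, next); // the previous value is no longer current
            return next;
        }
    }

    // Steps 3a.i to 3a.vi (without 3a.iv), returning the HTTP response body.
    static String handleFlashRequest(Map<String, String> params, Map<String, String> session,
                                     String user, StubTracker tracker) {
        String v = params.get("v");
        session.put("v", v);                       // 3a.i: keep the presented value in session
        String client = params.get("client");      // 3a.ii
        String fp = params.get("fp");              // 3a.iii
        if (!"vfc".equals(client) || fp == null) { // only the flash client type is handled here
            return "";
        }
        return "v=" + tracker.updateLog(user, v, fp); // 3a.v and 3a.vi
    }

    public static void main(String[] args) {
        StubTracker tracker = new StubTracker();
        Map<String, String> session = new HashMap<>();
        // Constructed request: first visit, the movie has no stored value yet.
        Map<String, String> first = Map.of("client", "vfc", "fp", "sample-fp");
        String r1 = handleFlashRequest(first, session, "alice", tracker);
        System.out.println(r1 + " presentedWasCurrent=" + tracker.lastPresentedWasCurrent);

        // The movie stores the returned value and presents it on the next visit.
        Map<String, String> second = Map.of("v", r1.substring(2), "client", "vfc", "fp", "sample-fp");
        String r2 = handleFlashRequest(second, session, "alice", tracker);
        System.out.println(r2 + " presentedWasCurrent=" + tracker.lastPresentedWasCurrent);

        // Presenting the same value a second time: it was rotated out, so it no longer matches.
        handleFlashRequest(second, session, "alice", tracker);
        System.out.println("reused value, presentedWasCurrent=" + tracker.lastPresentedWasCurrent);
    }
}
```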