SampleKBATracker Sample Application Details

3-14 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager

This application requires the integration of the OAAM .NET APIs found in the SDK package oaam_native_dot_net.zip. The content of the archive needs to be extracted to the root directory of the web application.

1. LoginPage.aspx

■ Collects the username using a simple HTML form
■ Saves the login in the session
■ Redirects the user to LoginJumpPage.aspx to collect the flash fingerprint of the user's device

2. LoginJumpPage.aspx

■ Loads the user from ARM (Adaptive Risk Manager) by calling AppUtil.InitUser (AppUtil is included in the SDK package). If the user is not found, a new user record will be created
■ Returns HTML to load the flash object bharosa_webflashbharosa.swf in the browser. The flash object calls CookieManager.aspx (included in the SDK package) with the flash fingerprint details. CookieManager.aspx records the fingerprint in ARM and in return sets a flash cookie on the user's device
■ After a brief wait to allow time to get the flash cookie from ARM, redirects the browser to LoginHandlerPage.aspx

3. LoginHandlerPage.aspx

■ Records the user login attempt with ARM by calling AppUtil.InitTracker
■ Redirects the user to PasswordPage.aspx to collect the password using the OAAM authenticator

4. PasswordPage.aspx

On Load:

a. Sets the session authentication status to Pending in ARM
b. Runs pre-authentication rules by calling AppUtil.RunPreAuthRules
c. If the pre-authentication rules return block, blocks the user login after updating ARM with this information
d. If the pre-authentication rules return allow, runs another set of rules to determine the authenticator to use for this user, by calling AppUtil.RunAuthentiPadRules
e. Creates the appropriate authenticator by calling AppUtil.CreateAuthentiPad and renders the authenticator into HTML by using AppUtil.getAuthentiPadHTML. The authenticator HTML fetches the authenticator image by calling GetImage.aspx (included in the SDK package)
f. Stores the authenticator object in the session for later use during image generation and password decode

On PostBack:

a. Decodes the password using the authenticator object stored in the session
b. Validates the login and password information
c. Updates ARM with the password validation status (success/wrong user/wrong password/disabled user, etc.) by calling AppUtil.UpdateAuthStatus
d. If the password validation fails, the user will be redirected to LoginPage.aspx with an appropriate error message
e. If password validation succeeds, runs post-authentication rules by calling AppUtil.RunPostAuthRules
f. The user will be taken through different flows, as shown below, depending upon the action from the post-authentication rules result:

Post-Authentication Action    Target URL
Block                         LoginPage.aspx
Allow                         Success.aspx
ChallengeUser                 ChallengeUser.aspx
RegisterQuestions             RegisterQuestionsPage.aspx
RegisterUser                  PersonalizationPage.aspx
RegisterUserOptional          PersonalizationPage.aspx

Integrating Native .NET Applications 3-15

5. PersonalizationPage.aspx

■ Introduces the user to device personalization, explaining the steps that would follow to create a new Security Profile for the user
■ If the post-authentication rule returns RegistrationOptional, the user is allowed to skip the registration process by clicking the Skip button to proceed to the Success.aspx page directly
■ If registration is not optional, the user must register by clicking Continue to proceed to the RegisterImagePhrase.aspx page

6. RegisterImagePhrase.aspx

■ Allows the user to customize the randomly generated background image, caption and the type of security device used during authentication
■ A new background image and caption is assigned by calling AppUtil.AssignNewImageAndCaption
■ The user-selected security device is assigned by calling AppUtil.SetAuthMode

7. RegisterQuestionsPage.aspx

■ Displays sets of questions from which the user can choose and register the correct answer for each
■ The sets of questions are fetched by calling proxy.getSignOnQuestions

8. ChallengeUser.aspx

■ Challenges the user by displaying a question-pad with one of the questions already registered by the user
■ The answer is validated by calling proxy.authenticateQuestion and the result is updated in ARM by calling AppUtil.UpdateAuthStatus
■ If the answer is wrong, a call to AppUtil.RunChallengeUserRules is made; based on its result, the user will either be allowed to re-enter the answer or be redirected to the block page after the block status is updated in ARM
■ The number of attempts that a user gets to answer a question correctly is set by the rule administrator for ARM
■ On answering the question correctly, the user is forwarded to the Success.aspx page

9. Success Page

■ Displays a "Successfully logged in" message with a link for logout

10. Logout Page

■ Logs out the user session and redirects to the login page
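The redirects described in steps 4, 5 and 8 can be written down as a small decision model and used as a test oracle when exercising the sample application. This is an added example, not code from the SDK or the sample application: the function names and the `<blocked>` marker are hypothetical, and the handling of an action that is missing from the table is an assumption.

```python
# Added example: model of the redirects described in steps 4, 5 and 8 above.
LOGIN, SUCCESS, BLOCKED = "LoginPage.aspx", "Success.aspx", "<blocked>"

# Post-authentication action -> target URL, as listed in the table on this page.
POST_AUTH_TARGETS = {
    "Block": LOGIN,
    "Allow": SUCCESS,
    "ChallengeUser": "ChallengeUser.aspx",
    "RegisterQuestions": "RegisterQuestionsPage.aspx",
    "RegisterUser": "PersonalizationPage.aspx",
    "RegisterUserOptional": "PersonalizationPage.aspx",
}

def password_page_target(pre_auth, password_status, post_auth):
    """Where PasswordPage.aspx should send the browser (step 4)."""
    if pre_auth != "allow":            # On Load c: only an explicit allow continues
        return BLOCKED
    if password_status != "success":   # PostBack d: back to login with an error
        return LOGIN
    # PostBack f: an action missing from the table is treated as Block here
    # (assumption; the page does not say what the sample does in that case).
    return POST_AUTH_TARGETS.get(post_auth, LOGIN)

def personalization_target(post_auth, clicked_skip):
    """Step 5: Skip is honoured only when registration is optional."""
    if clicked_skip and post_auth == "RegisterUserOptional":
        return SUCCESS
    return "RegisterImagePhrase.aspx"

def challenge_target(answer_results, max_attempts):
    """Step 8: outcome after a sequence of answer checks (True = correct).

    max_attempts stands in for the decision the challenge rules return;
    the real limit is set by the rule administrator.
    """
    for attempt, correct in enumerate(answer_results, start=1):
        if correct:
            return SUCCESS
        if attempt >= max_attempts:
            return BLOCKED
    return "ChallengeUser.aspx"        # attempts remain: ask again

if __name__ == "__main__":
    print(password_page_target("allow", "success", "RegisterUserOptional"))
    print(personalization_target("RegisterUser", clicked_skip=True))
    print(challenge_target([False, False, False], max_attempts=3))
```

The model keeps the skip decision on the server side: a Skip request is honoured only when the stored post-authentication action allows it, whatever the browser submits.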

3.5.3 Setting Up the Environment

Source code for each application is placed in a directory of its own. Visual Studio solution files for each of these applications can be found in the root directory. The four applications can either be run using Visual Studio 2005 or be deployed on Microsoft IIS 6.0 on Windows Server 2003. The solution file SampleWebApps can be used to load and view all applications together using Visual Studio. Instructions to set up the environment to successfully run the sample applications are provided in this section. After all of the following have been applied, you should be able to run these sample applications and see how they integrate with OAAM 11g in different scenarios.

3.5.3.1 Modifying the web.config File

Ensure that the SOAP URL used to access the OAAM server is set correctly in the web.config file of the application, as per your deployment configuration. An example is shown as follows:

    <appSettings>
      <add key="BharosaSOAPURL" value="http://localhost:14300/oaam_server/services"/>
    </appSettings>

3.5.3.2 Setting Properties for Images

For sample applications integrating with OAAM 11g, set bharosa.image.dirlist in bharosa_app.properties to the path where the oaam_images folder can be found. The oaam_images folder is located at:

{ORACLE_HOME}oaamdistoaam_dist_finaloracle.oaam.oaam_images

The folder name can be changed, but then the path must be modified accordingly. For example, if all the files obtained from the path above are stored in a folder named oaam_images and this folder is put under the root directory of the web application, the path should be:

{Application_HOME}oaam_images

Make sure lookup.properties, which lists all the properties files that need to be read, is contained in the bharosa_properties folder. It can be obtained from:

{ORACLE_HOME}oaamappsoaam_nativeoverridesconfbharosa_properties

Find and comment out the bharosa.authentipad.image.url property.
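The settings from sections 3.5.3.1 and 3.5.3.2 can be checked before the application is started. The script below is an added example, not part of the SDK or the sample applications: the function names and sample inputs are constructed, it assumes bharosa.authentipad.image.url lives in the same properties text that is passed in, and it reads only simple key=value lines.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def check_web_config(xml_text):
    """Problems with the BharosaSOAPURL appSetting (section 3.5.3.1)."""
    # rsplit("}") strips an xmlns prefix, which some web.config files carry.
    urls = [el.get("value", "") for el in ET.fromstring(xml_text).iter()
            if el.tag.rsplit("}", 1)[-1] == "add"
            and el.get("key") == "BharosaSOAPURL"]
    if len(urls) != 1:
        return ["expected one BharosaSOAPURL entry, found %d" % len(urls)]
    url = urlparse(urls[0])
    if url.scheme not in ("http", "https") or not url.hostname:
        return ["BharosaSOAPURL is not an absolute URL: %r" % urls[0]]
    if url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1", "::1"):
        return ["BharosaSOAPURL sends SOAP calls to %s in cleartext" % url.hostname]
    return []

def active_properties(text):
    """key=value pairs, skipping blank lines and # or ! comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_app_properties(text):
    """Problems with the image settings (section 3.5.3.2)."""
    props, problems = active_properties(text), []
    if not props.get("bharosa.image.dirlist"):
        problems.append("bharosa.image.dirlist is not set")
    if "bharosa.authentipad.image.url" in props:
        problems.append("bharosa.authentipad.image.url must be commented out")
    return problems

# Constructed sample inputs (not taken from a real deployment).
WEB_CONFIG = """<configuration><appSettings>
  <add key="BharosaSOAPURL" value="http://localhost:14300/oaam_server/services"/>
</appSettings></configuration>"""
APP_PROPERTIES = """bharosa.image.dirlist=C:/inetpub/sample/oaam_images
#bharosa.authentipad.image.url=placeholder
"""

if __name__ == "__main__":
    for problem in check_web_config(WEB_CONFIG) + check_app_properties(APP_PROPERTIES):
        print("FAIL:", problem)
```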

3.5.3.3 Running the Application

Developers who have access to Microsoft Visual Studio 2005 to test the web applications can simply build the solution after making all the above changes and click Debug > Start Debugging in Visual Studio 2005. For deployment of these applications, here are some tips to follow:

■ System: Windows Server 2003
■ The application server should be installed using Control Panel > Add or Remove Programs > Add/Remove Windows Components. IIS and ASP.NET should be enabled
■ Create a new website using IIS Manager by running inetmgr in a command window
■ Make sure the ASP.NET version is set to v2.0 through the ASP.NET tab in the website's Properties
■ Make sure that ASP.NET v2.0 is set to allowed in IIS Manager. If there is no ASP.NET v2.0 extension, add a new web service extension manually. Go to C:\WINDOWS\Microsoft.NET\Framework; there should be a folder named v2.0.50727 or similar if ASP.NET v2.0 is installed. Add v2.0.50727\aspnet_isapi.dll as a new web service extension
■ If you come across a problem accessing C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files when opening web application pages, go to IIS Manager > Local Computer > Application Pools, open Properties > Identity, and select Local System to the right of the Predefined option

3.5.4 Example: Enable Transaction Logging and Rule Processing

The following pages demonstrate how to enable transaction logging and rule processing in OARM using the ASP.NET sample applications.

Prerequisites:

■ Transaction definitions in Sample_Transaction_Defs.zip need to be available in OARM. Use Admin Transactions Import Transactions to import the transaction definitions.
■ Transaction models defined in models.zip should be available in OARM
■ The following properties must exist in bharosa_app.properties at the OARM and the .NET client side:

    tracker.transaction.status.enum=Enum for transaction status
    tracker.transaction.status.enum.success=0
    tracker.transaction.status.enum.success.name=Success
    tracker.transaction.status.enum.success.description=Success
    tracker.transaction.status.enum.block=1
    tracker.transaction.status.enum.block.name=Block
    tracker.transaction.status.enum.block.description=Block
    tracker.transaction.status.enum.reject=2
    tracker.transaction.status.enum.reject.name=Reject
    tracker.transaction.status.enum.reject.description=Reject
    tracker.transaction.status.enum.pending=3
    tracker.transaction.status.enum.pending.name=Pending
    tracker.transaction.status.enum.pending.description=Pending
    profile.type.enum.pretransaction=70