3 Creating Custom Authentication Plug-ins
The OAM Server uses both authentication and authorization controls to limit access to the resources that it protects. Authentication is governed by specific authentication schemes, which rely on one or more plug-ins that test the credentials provided by a user when he or she tries to access a resource. The plug-ins can be taken from the standard set provided with the OAM Server installation, or they can be custom plug-ins created by your own Java developers.
This chapter provides the following sections:
■ Section 3.1, Introduction to Authentication Plug-ins
■ Section 3.2, Introduction to Plug-in Interfaces
■ Section 3.3, Sample Code: Custom Database User Authentication Plug-in
■ Section 3.4, Developing an Authentication Plug-in
■ Section 3.5, Adding Custom Plug-ins
■ Section 3.6, Creating a Custom Authentication Module for Custom Plug-ins
■ Section 3.7, Creating Authentication Schemes with Custom Authentication Modules
■ Section 3.8, Configuring Logging for Custom Plug-ins
3.1 Introduction to Authentication Plug-ins
Oracle Access Manager 11g provides authentication modules for immediate use out-of-the-box, as well as the following:
■ Authentication plug-in interfaces and SDK tooling to build customized authentication module plug-ins that bridge the out-of-the-box features with individual requirements. The new interfaces and SDK tooling:
– Provide backward compatibility to support custom Oracle Access Manager 10g plug-ins.
– Include a deterministic method to orchestrate custom plug-ins within an authentication module.
■ A mechanism that enables quick deployment of customized authentication plug-ins into Oracle Access Manager 11g.
■ Maintenance of the complete plug-in state life cycle on the Managed Server, with the same state propagated to the AdminServer.
The creation of custom plug-ins for credential collection is supported for authentication steps you can orchestrate.
3-2 Developers Guide for Oracle Access Manager and Oracle Security Token Service
Figure 3–1 provides an overview of the tasks involved in custom plug-in deployment.
Figure 3–1 Custom Plug-in Deployment Workflow
The following overview identifies the tasks involved in custom plug-in deployment.
Task overview: Deploying a custom plug-in
1. Planning: Identify the business requirements for this plug-in and consider the authentication flow when a user requests a resource, as described in Section 3.1.2, About Planning, the Authentication Model, and Plug-ins on page 3-4.
The security architect knows how Oracle Access Manager 11g is used and knows the customer's user base. System architects can identify points of improvement in a customer's implementation.
2. Development: The developer translates what a security architect has designed into the actual plug-in, using common libraries to interface with custom authentication modules.
a. Write the plug-in.
b. Write the metadata XML for the custom module.
c. Prepare the manifest.
d. Add the following jar files to the class path: felix.jar, identitystore.jar, oam-plugin.jar, utilities.jar.
See Also: About the Plug-in Interfaces on page 3-6
3. Deployment: Oracle Access Manager administrators deploy and orchestrate multiple plug-ins to work together in an authentication module, and also test and monitor the plug-ins.
a. Adding Custom Plug-ins, which includes configuring the plug-in data source or domain, distributing, and activating the plug-in.
b. Creating a Custom Authentication Module for Custom Plug-ins, which includes adding and orchestrating steps and the outcomes OnSuccess, OnFailure, and OnError.
c. Creating Authentication Schemes with Custom Authentication Modules.
d. Configuring Logging for Custom Plug-ins.
e. Test the plug-in using the Oracle Access Manager Access Tester as described in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
f. Monitor the plug-in and provide feedback to the security or system architects to allow for any revisions to the business requirements and architecture.
3.1.1 About the Custom Plug-in Life Cycle
The life cycle of a plug-in centers around the ability to add plug-ins to the OAM Server and use them to create more features. This allows users to build features and work flows based on the standard out-of-the-box plug-ins and on user-added plug-ins that act as extension features to the server.
The following list outlines a typical plug-in life cycle:
■ Planning
■ Plug-in development time, which includes generating the plug-in metadata artifact
■ Load and life cycle of the plug-in
– Import: Upload the plug-in into Oracle Access Manager and use it without restarting servers
– Distribute: Propagate the plug-in jar from the local AdminServer file system to all managed servers in a cluster, without server downtime
– Activate: Load the plug-in implementation at run time when this plug-in is used in any authentication module flow
– Use the start-up parameters or configuration for the plug-in
– Push and pull plug-in configuration data into oam-config.xml
– Maintain the complete state life cycle on the Managed Server and propagate the same to the AdminServer
■ State of the deployed plug-in
■ Monitoring and auditing the plug-in
– Collect metrics on the time taken to execute a plug-in and the number of times the plug-in is executed
– Collect metrics on plug-in input and output
– Collect metrics on plug-in execution start time and end time
– Audit the plug-in life-cycle method code
When a new plug-in JAR is available, the deployer can import it to the AdminServer DOMAIN_HOME/oam/plugins directory using the Oracle Access Suite Import action.