Run Authentication Rules R6 Challenge the User S6

2-16 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager

2.2.1.14 Check Answers to Challenge C3

This stage involves validating the user's input to the challenge:

■ For KBA, calling Oracle Adaptive Access Manager Server to determine whether the answer the user has supplied matches the registered reply.

■ For OTP, validating the entered value against the OTP generated and sent to the user.

Table 2–15 lists the APIs used to validate a challenge.

Table 2–14 Challenge User APIs

Module: Server
APIs: VCryptAuth::getSecretQuestion, VCryptTracker::generateOTP

Module: Oracle Adaptive Access Manager Sample
APIs: Challenge.jsp
Description: Determines the type of challenge to use (BharosaHelper::runChallengeRules). If the challenge type returned is KBA (ChallengeQuestion), gets the user's question with VCryptAuth::getUserQuestion. If the challenge type is OTP (ChallengeSMS, ChallengeEmail, and so on), generates, stores, and sends the OTP code:
■ BharosaHelper::generateOTP
■ BharosaHelper::sendCode
Uses the authentication pad rules to determine the authentipad to display to the user. See Section 2.2.1.4, Run Virtual Authentication Device Rules R2. Submits the answer to handleChallenge.jsp, which collects the user's input and calls BharosaHelper::validateAnswer to validate the user's answer to the challenge (the same as for a question challenge).

Module: BharosaHelper
APIs: BharosaHelper::createPersonalizedAuthentiPad, BharosaHelper::createAuthentiPad, BharosaHelper::generateOTP, BharosaHelper::sendCode, BharosaHelper::getUserQuestion

Module: Client
APIs: AuthentiPad::getHTML

Natively Integrating with Oracle Adaptive Access Manager 2-17

Table 2–15 Validate Answer to a Challenge

Module: Server
APIs: VCryptAuth::authenticateQuestion, VCryptRulesEngine::processRules, VCryptTracker::updateAuthStatus
Description: For method details, see Section 4.6.1, processRules, and Section 4.5.9, updateAuthStatus.

Module: Oracle Adaptive Access Manager Sample
APIs: handleChallenge.jsp
Description: Calls BharosaHelper::validateAnswer. If that method returns BharosaEnumChallengeResult.SUCCESS, the status is updated to success and the user is allowed to move forward; otherwise, if BharosaEnumChallengeResult.WRONG_ANSWER is returned, the challenge rules are run again to determine the next step.

Module: BharosaHelper
APIs: BharosaHelper::validateAnswer
Description: If the type of challenge being validated is KBA (ChallengeQuestion), VCryptAuth::authenticateQuestion is called to validate the user's input against the registered answer for the question presented. If the type of challenge being validated is OTP (ChallengeSMS, ChallengeEmail, and so on), the user's input is compared to the value stored when the OTP code was generated. If the answer is correct, the OTP challenge counter is reset by calling BharosaHelper::resetOTPCounter. Otherwise, if the answer is incorrect, the OTP challenge counter is incremented by calling BharosaHelper::incrementOTPCounter. The method returns a BharosaEnumAuthStatus of either BharosaEnumAuthStatus.SUCCESS or BharosaEnumAuthStatus.WRONG_ANSWER.

2.2.1.15 Lock Out Page S2

The Lock Out page is the page to which the user is redirected when the post-authorization rules return Block.

2.2.1.16 Landing or Splash Page S3

This page is the page to which the user is redirected after a successful login, that is, when the post-authorization rules return Allow.

2.2.2 Integrating with Knowledge-Based Authentication

This scenario is a subset of the scenario described in Section 2.2.1, Integrating with Virtual Authentication Devices and Knowledge-Based Authentication. This scenario does not have a split login flow and does not include personalizations or virtual authentication devices. Figure 2–7 illustrates a flow of authentication that uses this solution. For details about the stages of this flow, see the following sections:

2.2.2.1 UserPassword S1

The UserPassword page is the existing page currently used by the client. It contains the text boxes for both the username and password. There are no changes required for
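The following Python is an added illustration of the validateAnswer and handleChallenge.jsp logic described in Table 2–15; it is not code from this guide or from OAAM's BharosaHelper. The class, function names and the OTP attempt threshold are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical stand-ins for the challenge types and helpers named in Table 2-15.
KBA_TYPES = {"ChallengeQuestion"}
OTP_TYPES = {"ChallengeSMS", "ChallengeEmail"}
MAX_OTP_ATTEMPTS = 3  # assumed policy threshold, not a value from the guide


@dataclass
class ChallengeSession:
    challenge_type: str
    registered_answer: Optional[str] = None  # KBA: answer stored at registration
    otp_code: Optional[str] = None           # OTP: value stored when the code was generated
    otp_counter: int = 0                     # failed OTP attempts (incrementOTPCounter)


def _normalize(answer: str) -> bytes:
    """Case- and whitespace-insensitive form for KBA answers; bytes for compare_digest."""
    return " ".join(answer.strip().lower().split()).encode("utf-8")


def validate_answer(session: ChallengeSession, user_input: str) -> str:
    """Returns 'SUCCESS' or 'WRONG_ANSWER', mirroring BharosaEnumAuthStatus."""
    if session.challenge_type in KBA_TYPES:
        expected = _normalize(session.registered_answer or "")
        ok = hmac.compare_digest(_normalize(user_input), expected)  # constant-time compare
        return "SUCCESS" if ok else "WRONG_ANSWER"
    if session.challenge_type in OTP_TYPES:
        stored = (session.otp_code or "").encode("utf-8")
        if hmac.compare_digest(user_input.strip().encode("utf-8"), stored):
            session.otp_counter = 0   # resetOTPCounter
            session.otp_code = None   # single use: a replayed code must not validate again
            return "SUCCESS"
        session.otp_counter += 1      # incrementOTPCounter
        return "WRONG_ANSWER"
    raise ValueError(f"unknown challenge type: {session.challenge_type}")


def handle_challenge(session: ChallengeSession, user_input: str) -> str:
    """Models handleChallenge.jsp: move forward on success, otherwise re-run challenge rules."""
    if validate_answer(session, user_input) == "SUCCESS":
        return "ALLOW"       # status updated to success; user proceeds to the landing page
    # Challenge rules run again; the assumed rule here is: too many OTP failures -> Block.
    if session.challenge_type in OTP_TYPES and session.otp_counter >= MAX_OTP_ATTEMPTS:
        return "BLOCK"       # user is redirected to the Lock Out page
    return "CHALLENGE"       # present the challenge again
```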