
3-12 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager

   ■ Returns HTML to load the flash object bharosa_web/flash/bharosa.swf in the browser. The flash object calls CookieManager.aspx (included in the SDK package) with the flash fingerprint details. CookieManager.aspx records the fingerprint in ARM and in return sets a flash cookie on the user's device
   ■ After a brief wait to allow time to get the flash cookie from ARM, redirects the browser to LoginHandlerPage.aspx

3. LoginHandlerPage.aspx
   ■ Records the user login attempt with ARM by calling AppUtil.InitTracker
   ■ Validates the login and password information
   ■ Updates ARM with the password validation status (success / wrong user / wrong password / disabled user, etc.) by calling AppUtil.UpdateAuthStatus
   ■ If password validation succeeds, runs post-authentication rules by calling AppUtil.RunPostAuthRules
   ■ If the post-authentication rules return block, blocks the user login after updating ARM with this information
   ■ Depending upon the validation result and/or the rules result, redirects the user to either Success.aspx or to LoginPage.aspx with an appropriate error message

4. Success Page
   ■ Displays a "Successfully logged in" message with a link for logout

5. Logout Page
   ■ Logs out the user session and redirects to the login page

3.5.2.3 SampleWebAppAuthTracker

This application contains the following pages that demonstrate integration of OAAM authenticator and tracker functionalities to the sample application listed above. This application collects the password using authenticators offered by OAAM. This application requires the integration of the OAAM .NET APIs found in the SDK package oaam_native_dot_net.zip. The content of the archive needs to be extracted to the root directory of the web application.

1. LoginPage.aspx
   ■ Collects the username using a simple HTML form
   ■ Saves the login in the session
   ■ Redirects the user to LoginJumpPage.aspx to collect the flash fingerprint of the user device

2. LoginJumpPage.aspx
   ■ Loads the user from ARM (Adaptive Risk Manager) by calling AppUtil.InitUser (AppUtil is included in the SDK package). If the user is not found, a new user record will be created
   ■ Returns HTML to load the flash object bharosa_web/flash/bharosa.swf in the browser. The flash object calls CookieManager.aspx (included in the SDK package) with the flash fingerprint details. CookieManager.aspx records the fingerprint in ARM and in return sets a flash cookie on the user's device
   ■ After a brief wait to allow time to get the flash cookie from ARM, redirects the browser to LoginHandlerPage.aspx

3. LoginHandlerPage.aspx
   ■ Records the user login attempt with ARM by calling AppUtil.InitTracker
   ■ Redirects the user to PasswordPage.aspx to collect the password using the OAAM authenticator

4. PasswordPage.aspx
   On Load:
   a. Sets the session authentication status to Pending in ARM
   b. Runs pre-authentication rules by calling AppUtil.RunPreAuthRules
   c. If the pre-authentication rules return block, blocks the user login after updating ARM with this information
   d. If the pre-authentication rules return allow, runs another set of rules to determine the authenticator to use for this user, by calling AppUtil.RunAuthentiPadRules
   e. Creates the appropriate authenticator by calling AppUtil.CreateAuthentiPad and renders the authenticator into HTML by using AppUtil.getAuthentiPadHTML. The authenticator HTML fetches the authenticator image by calling GetImage.aspx (included in the SDK package)
   f. Stores the authenticator object in the session for later use during image generation and password decode
   On PostBack:
   a. Decodes the password using the authenticator object stored in the session
   b. Validates the login and password information
   c. Updates ARM with the password validation status (success / wrong user / wrong password / disabled user, etc.) by calling AppUtil.UpdateAuthStatus
   d. If password validation succeeds, runs post-authentication rules by calling AppUtil.RunPostAuthRules
   e. If the post-authentication rules return block, blocks the user login after updating ARM with this information
   f. Depending upon the validation result and/or the rules result, redirects the user to either Success.aspx or to LoginPage.aspx with an appropriate error message

5. Success Page
   ■ Displays a "Successfully logged in" message with a link for logout

6. Logout Page
   ■ Logs out the user session and redirects to the login page
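
The PostBack steps b to f of PasswordPage.aspx (the same sequence LoginHandlerPage.aspx runs in SampleWebAppTracker), sketched as an added C# example that is not code from the Oracle SDK or from this guide. IRiskTracker, LoginFlow, RecordingTracker and the "Blocked" status string are hypothetical stand-ins for the AppUtil calls, whose real signatures this page does not show.

```csharp
using System;
using System.Collections.Generic;

public enum AuthResult { Success, WrongUser, WrongPassword, DisabledUser }
public enum RuleAction { Allow, Block }

// Hypothetical stand-in for the AppUtil calls the guide names; the real
// OAAM .NET SDK signatures are not shown on this page and may differ.
public interface IRiskTracker
{
    void UpdateAuthStatus(string sessionId, string status);
    RuleAction RunPostAuthRules(string sessionId);
}

public static class LoginFlow
{
    // Returns the redirect target, following the order of the PostBack steps.
    public static string HandlePassword(IRiskTracker arm, string sessionId, AuthResult result)
    {
        // ARM is told the validation outcome on every attempt, failures included.
        arm.UpdateAuthStatus(sessionId, result.ToString());
        if (result != AuthResult.Success) return "LoginPage.aspx";
        // Post-authentication rules run only after the password validated.
        if (arm.RunPostAuthRules(sessionId) == RuleAction.Block)
        {
            // Assumption: the block is reported through the same status call.
            arm.UpdateAuthStatus(sessionId, "Blocked");
            return "LoginPage.aspx";
        }
        return "Success.aspx";
    }
}

// Constructed fake that logs calls so the ordering can be inspected offline.
public class RecordingTracker : IRiskTracker
{
    public readonly List<string> Calls = new List<string>();
    public RuleAction PostAuth = RuleAction.Allow;
    public void UpdateAuthStatus(string s, string status) { Calls.Add("UpdateAuthStatus:" + status); }
    public RuleAction RunPostAuthRules(string s) { Calls.Add("RunPostAuthRules"); return PostAuth; }
}
public static class Demo
{
    static void Show(RecordingTracker arm, AuthResult result) =>
        Console.WriteLine(LoginFlow.HandlePassword(arm, "s1", result) + " <- " + string.Join(" > ", arm.Calls));
    public static void Main()
    {
        Show(new RecordingTracker { PostAuth = RuleAction.Block }, AuthResult.Success);
        Show(new RecordingTracker(), AuthResult.WrongPassword);
    }
}
```

The recorded call list shows that a wrong password never reaches the post-authentication rules, and that a rule block is reported to the tracker before the redirect back to LoginPage.aspx.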

3.5.2.4 SampleKBATracker

This application contains the following pages that demonstrate integration of OAAM authenticator, tracker and KBA (Knowledge Based Authentication) functionalities to the sample application listed above. This application shows authentication mechanisms using password and KBA authenticators offered by OAAM.