Application Information Application Discovery

Oracle Adaptive Access Manager Proxy 6-37

The IgnoreUrlMappings setting disables URL interception of the HTTP traffic passing through the proxy. The CaptureTraffic setting captures the HTTP traffic through the logger named HTTP, set to log level info. It can be useful to capture the HTTP traffic for each scenario (successful login attempt, wrong password, wrong user name, disabled user, and so on) in a separate file; update the log file name setting to the desired file name before starting each scenario. After application discovery is performed, set the proxy settings as shown in Table 6–21 to restore the default UIO Apache Proxy behavior.

Table 6–21 Settings to restore default proxy behavior

    Setting             Value
    IgnoreUrlMappings
    CaptureTraffic

6-38 Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager

6.7.4 Scenarios

Collect information for the following scenarios during the discovery process. You must create interceptors in the TestConfig.xml file that look for certain URLs and conditions in the HTTP traffic. The proxy listens to the HTTP traffic; when it sees a URL that matches a URL in its TestConfig.xml file, it evaluates the interceptors that have a URL match and, for each of those, evaluates the conditions block in the interceptor. If the conditions match, the UIO Proxy executes the filter block and condition block.

Login
1. URL that starts the login process
2. URL that contains the login form
3. Names of the input fields (for example, user name and password) used to submit the credentials
4. URL to which the login form submits the credentials
5. Identifying successful login. The HTTP traffic dump needs to be studied carefully to derive this information. Here are a few ways applications respond on successful login:
   a. by setting a specific cookie in the credential submit response
   b. by redirecting to a specific URL, such as an account summary or Welcome page
   c. by responding with specific text
6. Identifying failed login together with the reason for failure. This can often be derived by looking for certain text in the response to the credential submit request.

Logout
1. URL that starts the logout process
2. URL that completes the logout process. In most cases the logout completes on receiving the response to the logout start URL.

Change password
1. URL that starts the change password process
2. URL that contains the change password form
3. Names of the input fields (for example, password, new-password, and confirm-password) used to submit the change password request
4. URL to which the change password form submits the passwords
5. Identifying the status (success/failure) of the change password request. This can often be derived by looking for certain text in the response.

Reset password
Follows the same process as Change password.

Change LoginId
1. URL to which the login-id change is posted to the application
2. Names of the input fields (for example, new-login) used to submit the change password request.
3. Identifying the status (success/failure) of the change login-id request. On a successful change login-id request, the changeUserId.do page in OAAM Server should be called to update the login-id in the Oracle Adaptive Access Manager database.

Forgot password
Forgot-password options provided by the application must be reviewed for understanding. Most applications ask for alternate ways to identify the user (account number/PIN, SSN/PIN, question/answer, and other ways); some applications provide more than one option. Some applications let the user reset the password after successfully entering alternate credentials; others send a new password to the user by mail/email; and some require the user to call customer care. For each of the supported scenarios, the following data should be captured:
1. URL that starts the forgot-password process
2. URL that contains the forgot-password form
3. Names of the input fields and URLs to submit the forgot-password request
4. Identifying the status (success/failure) of the forgot-password request.
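The login scenario above asks the integrator to work out, from a traffic capture, which signal marks a successful login (a cookie set on the credential submit response, a redirect to a post-login page, or specific response text) and which text marks each failure reason. The following Python script is an added example, not code from the Oracle Adaptive Access Manager guide or the UIO Proxy: it applies exactly those signals to a capture so each recorded scenario (successful login, wrong password, disabled user) can be labelled before interceptor conditions are written. The URLs, cookie name and marker strings in it are constructed for the example and are not taken from BigBank or any real application.

```python
"""Classify captured HTTP responses during UIO Proxy application discovery.

Added example, not code from the Oracle Adaptive Access Manager guide. It
applies the guide's success signals (5a cookie, 5b redirect, 5c body text)
and failure-text signal (6) to a captured traffic dump. All URLs, cookie
names and marker strings are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CapturedResponse:
    """One response from a traffic capture: request URL plus response parts."""
    request_url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class LoginSignals:
    """What discovery looks for for the login scenario (constructed values)."""
    credential_submit_url: str                  # URL the login form posts to
    success_cookie: Optional[str] = None        # 5a: cookie set on success
    success_redirects: tuple = ()               # 5b: post-login URLs
    success_text: Optional[str] = None          # 5c: text present only on success
    failure_texts: dict = field(default_factory=dict)  # 6: marker text -> reason


def _cookie_names(headers):
    """Extract cookie names from one or more Set-Cookie header values."""
    raw = headers.get("Set-Cookie", "")
    values = raw if isinstance(raw, list) else [raw]
    names = set()
    for value in values:
        m = re.match(r"\s*([^=;\s]+)=", value)
        if m:
            names.add(m.group(1))
    return names


def classify_login_response(resp, signals):
    """Return (outcome, evidence) for a response to the credential-submit URL.

    outcome is 'success', 'failure' or 'unknown'; evidence names the signal
    that decided it, which is the condition the interceptor will need.
    Responses to other URLs are reported as 'not-login'.
    """
    if resp.request_url != signals.credential_submit_url:
        return ("not-login", "url does not match credential submit URL")
    # 5a: a specific cookie set in the credential submit response
    if signals.success_cookie and signals.success_cookie in _cookie_names(resp.headers):
        return ("success", f"cookie {signals.success_cookie} set")
    # 5b: redirect to a known post-login page (account summary, welcome)
    location = resp.headers.get("Location", "")
    if 300 <= resp.status < 400 and any(location.startswith(u) for u in signals.success_redirects):
        return ("success", f"redirect to {location}")
    # 5c: success text in the response body
    if signals.success_text and signals.success_text in resp.body:
        return ("success", f"body contains {signals.success_text!r}")
    # 6: failure reason derived from text in the response
    for marker, reason in signals.failure_texts.items():
        if marker in resp.body:
            return ("failure", reason)
    return ("unknown", "no configured signal matched; inspect the dump manually")


# Constructed sample capture covering the scenarios the guide asks to record.
SAMPLE_CAPTURE = [
    CapturedResponse("/app/login", 200, {}, "<form action='/app/doLogin'>"),
    CapturedResponse("/app/doLogin", 302,
                     {"Location": "/app/accountSummary", "Set-Cookie": "SESSIONID=abc; Path=/"}),
    CapturedResponse("/app/doLogin", 200, {}, "<p>Invalid password. Please try again.</p>"),
    CapturedResponse("/app/doLogin", 200, {}, "<p>Your account has been disabled.</p>"),
    CapturedResponse("/app/doLogin", 200, {}, "<p>Unexpected error</p>"),
]

SAMPLE_SIGNALS = LoginSignals(
    credential_submit_url="/app/doLogin",
    success_cookie="AUTHTOKEN",   # not set in the sample, so the redirect (5b) decides
    success_redirects=("/app/accountSummary", "/app/welcome"),
    success_text="Welcome back",
    failure_texts={"Invalid password": "wrong password",
                   "account has been disabled": "disabled user"},
)


def classify_capture(capture=SAMPLE_CAPTURE, signals=SAMPLE_SIGNALS):
    """Label every response in a capture; returns (url, outcome, evidence) tuples."""
    return [(r.request_url, *classify_login_response(r, signals)) for r in capture]


if __name__ == "__main__":
    for url, outcome, evidence in classify_capture():
        print(f"{url:20} {outcome:10} {evidence}")
```

Running the script labels the sample capture as one not-login page, one success (decided by the redirect, since the configured cookie is never set), two failures with their reasons, and one unknown response that still needs manual inspection. Checking the signals in the guide's order (cookie, redirect, text) makes it visible when an application uses more than one, which is what decides which condition the interceptor should key on.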

6.8 Samples

The proxy configuration to add multifactor authentication to the BigBank Web application is shown below. The BigBank web application is a sample application that shows a login flow. The example demonstrates the integration of the UIO Proxy into the login flow of an application.

For ISA proxy use:

    <?xml version="1.0" encoding="utf-8"?>
    <BharosaProxyConfig xmlns="http://bharosa.com"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://bharosa.com BharosaProxy.xsd">

For Apache proxy use:

    <?xml version="1.0" encoding="utf-8"?>
    <BharosaProxyConfig xmlns="http://bharosa.com">

    <RequestInterceptor id="AddAppIdToOAAMServerRequests-BigBank"