6-34 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager registerQuestions.do Response header Rules-Result has value block Either the application did not accept the login credentials or the Oracle Adaptive Access Manager rules evaluated to block the login. The proxy should log off the session in the application, if login was successful. Then a Login Blocked message should be sent to the browser. changePassword.do Response contains headers password, newpassword and confirmpassword Save the passwords from the response headers and post to the application loginFail.do To display error message in OAAM Server page, like to display login blocked message Redirect to this URL with appropriate action query parameter, like loginFail.do?action=block In most cases control is not given to the proxy via a response header in a block situation. Instead, the user is taken to the following URL with a query parameter action set to the error code block. This presents the user with the OAAM Server login page with a message stating the reason they are there. error.do?action=block Alternatively it is possible to get the same result with the following URLs. loginFail.do?action=block loginPage.jsp?action=block logout.do On completion of application session logout Redirect to this URL to log out the OAAM Server session logout.do On receiving response Redirect to application logout URL to log off the application session, if it is not already off resetPassword.do Response contains headers newpassword and confirmpassword Save the passwords from the response headers and post to the application getUserInput.do Response contains headers BH_ UserInput Save the user input and take appropriate action like post to application, etc. changeUserId.do On receiving request Add newUserId header changeUserId.do On receiving response Redirect to the appropriate application page or send back the saved application response updateForgotPasswordStatus.do Phase-2 only: After validating the forgot- password-credentials entered by the user. Redirect to this URL to update the status in Oracle Adaptive Access Manager and run appropriate risk rules. updateForgotPasswordStatus.do Phase-2 only: On receiving request Set BH_FP-Status header to one of the following: success, wrong_ password, invalid_user, user_ disabled, system_error. Table 6–17 Cont. OAAM Server Interface URL Condition Action Oracle Adaptive Access Manager Proxy 6-35

6.7 Application Discovery

Two flags in the settings are used for application discovery. One flag instructs the proxy to ignore its configuration XML and act as a reverse-proxy only. The other flag instructs the proxy to capture all the HTTP traffic and print it to the logs. The first flag is used for application discovery to capture the HTTP traffic and analyze it. The second flag would be kept on during the configuration XML development phase to debug the configuration XML itself. Application discovery is the process of studying an existing Web application to author the proxy configuration to add multifactor authentication using the UIO Proxy. A few logins attempts to the application would be made via the proxy to capture the HTTP traffic in each attempt. The captured HTTP traffic would then be analyzed to author the proxy configuration. The UIO Proxy should be set up to dump all the HTTP traffic to a file. Then a few loginslogin attempts to the application should be made via the proxy. The captured HTTP traffic should then be analyzed to author the proxy configuration.

6.7.1 Application Information

For the application discovery process it is preferable to work with the Web application in the customers test environment, rather than the production application being used by users. If the test environment is not available, the live application can be used. The following information is needed from the client for the application discovery process: 1. URL to log in to the application. 2. Test user account credentials, including the data required in the forgot password scenario. It will be best to get as many test accounts as possible, preferably at least five accounts, for uninterrupted discovery and testing. Note that during the discovery process some accounts could become disabled, due to multiple invalid login attempts. updateForgotPasswordStatus.do challengeForgotPasswordUser.do Response header BH_FP-Rules-Result has value allow The Oracle Adaptive Access Manager rules evaluated to permit the forgot-password flow. The proxy can permit continuation to the forgot-password flow to reset the password or allow the user login, depending on the application. updateForgotPasswordStatus.do challengeForgotPasswordUser.do Response header BH_FP-Rules-Result has value block Either the application did not accept the forgot-password credentials or the Oracle Adaptive Access Manager rules evaluated to block the forgot-password flow. A login blocked message should be sent to the browser. Any request to OAAM Server page If the proxy needs to get a property value from OAAM Server. On receiving request BH_PropKeys request header should be set to list of property names separated by a comma. OAAM Server will return the values in multiple response headers, one for each property. The return response header names will be of format: BH_ Property-name Table 6–17 Cont. OAAM Server Interface URL Condition Action 6-36 Oracle Fusion Middleware Developers Guide for Oracle Adaptive Access Manager 3. Contact phone, email to enablereset test accounts

6.7.2 Setting Up the UIO ISA Proxy

The Microsoft ISA server should be set up to publish the Web application under discovery, for example, creating a Web site publishing rule with appropriate parameters. During the application discovery process, the application will be accessed via Microsoft ISA, which hosts the UIO ISA Proxy. Refer to the Microsoft ISA configuration document for details of setting up Microsoft ISA. The UIO ISA Proxy settings registry values under HKLM\SOFTWARE\Bharosa\Proxy key should be set as given in Table 6–18 for the proxy to capture the HTTP traffic to the specified file. This HTTP traffic captured will later be used for analysis to author the proxy configuration. It might be useful to capture the HTTP traffic for each scenario for example, successful login attempt, wrong password, wrong user name, disabled user, and other scenarios in separate files. TraceFilename setting should be updated to the desired filename before the start of the scenario. After application discovery is performed, the proxy settings should be set as given in Table 6–19 to restore the default UIO ISA Proxy behavior.

6.7.3 Setting Up the UIO Apache Proxy

For application discovery, the HTTP traffic needs to be captured through the proxy. Table 6–20 shows the settings in UIO_Settings.xml to enable this mode of operation. Table 6–18 Setting up the proxy Setting Value IgnoreUrlMappings 1 CaptureTraffic 1 TraceFilename filename TraceLevel 0x87 TraceToFile 1 Table 6–19 Proxy settings after application discovery Setting Value IgnoreUrlMappings CaptureTraffic TraceFilename filename TraceLevel 0x7 TraceToFile 1 Table 6–20 Settings for Capturing HTTP Settings Value IgnoreUrlMappings 1 CaptureTraffic 1 Oracle Adaptive Access Manager Proxy 6-37 The IgnoreUrlMappings setting is used to disable URL interception of the HTTP traffic through the proxy. The CaptureTraffic setting captures the HTTP traffic through the logger name HTTP set to log level of info. It might be useful to capture the HTTP traffic for each scenario like successful login attempt, wrong password, wrong user name, disabled user, and so on in separate files. The log file name setting should be updated to the desired filename before the start of the scenario. After application discovery is performed, the proxy settings should be set, as shown in Table 6–21 , to restore the default UIO Apache Proxy behavior.

6.7.4 Scenarios

Collect information for the following scenarios during the discovery process. You must create interceptors in the TestConfig.xml file that look for certain URLs and conditions in the HTTP traffic. The proxy listens to the HTTP traffic and when it sees a URL that matches a URL in its TestConfig.xml file, it evaluates the interceptors that have a URL match and it evaluates the conditions block in the interceptor. If they match, the UIO Proxy executes the filter block and condition block. Login 1. URL that starts the login process 2. URL that contains the login form 3. Names of the input fields like user name, password used to submit the credentials 4. URL to which the login form submits the credentials 5. Identifying successful login. The HTTP traffic dump needs to be studied carefully to derive this information. Here are few ways applications respond on successful login: a. by setting a specific cookie in the credential submit response b. by redirecting to a specific URL like account summary, Welcome page, and so on c. by responding with specific text 6. Identifying failure login with the reason for failure. This would often be derived by looking for certain text in the response to credential submit request. Logout 1. URL that starts the logout process 2. URL that completes the logout process. In most cases the logout completes on receiving the response to the logout start URL. Change password 1. URL that starts the change password process Table 6–21 Settings to restore default proxy behavior Settings Value IgnoreUrlMappings CaptureTraffic