Duo's plug-in for Oracle Access Manager supports Oracle Access Manager 11g and later. The plugin supports FORM and COOKIE RequestCacheType configurations.
Before you install Duo for OAM, determine the Redirect URL to which the Duo plugin should redirect after successful two-factor authentication, which is usually the embedded credential endpoint for your OAM instance. An example URL for the ECC basic authentication flow would be https://<<oam-server-host>>:<<port>>/oam/server/auth_cred_submit. The redirect URL must use https and specify the server by hostname, not by IP address, with a maximum length of 1024 characters.
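A pre-flight check for the three Redirect URL rules stated above (https scheme, hostname rather than IP address, at most 1024 characters). This is an added example, not code shipped by Duo or Oracle; the host names and port in the sample values are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_LEN = 1024  # maximum Redirect URL length stated above


def check_redirect_url(url):
    """Return a list of problems; an empty list means the URL meets the stated rules."""
    problems = []
    if len(url) > MAX_LEN:
        problems.append(f"length {len(url)} exceeds {MAX_LEN} characters")
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        return problems + [f"cannot parse URL: {exc}"]
    if parts.scheme != "https":
        problems.append(f"scheme is '{parts.scheme or 'missing'}', must be https")
    if not host:
        problems.append("no host in URL")
    else:
        try:
            ipaddress.ip_address(host)  # succeeds for IPv4 and IPv6 literals
            problems.append(f"host '{host}' is an IP address, use the server hostname")
        except ValueError:
            pass  # not an IP literal, so treated as a hostname
    return problems


# Constructed sample values; the host names and port are placeholders.
SAMPLES = [
    "https://oam.example.com:14101/oam/server/auth_cred_submit",
    "http://oam.example.com:14101/oam/server/auth_cred_submit",
    "https://192.0.2.10:14101/oam/server/auth_cred_submit",
    "https://[2001:db8::10]:14101/oam/server/auth_cred_submit",
    "https://oam.example.com/oam/server/auth_cred_submit?" + "x" * 1024,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:60], "->", check_redirect_url(sample) or "OK")
```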
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
If you already have a previous version of the Duo OAM plugin installed, you must remove it before installing the v2 Universal plugin. See the steps in the Update the Duo Plugin section for more information.
Previously, the Client ID was called the "Integration key" and the Client secret was called the "Secret key".
The security of your Duo application is tied to the security of your client secret. Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
The new Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.
Migration to Universal Prompt for your Oracle Access Manager application is a three-step process:
Before you activate the Universal Prompt for your application, it's a good idea to read the Universal Prompt Update Guide for more information about the update process and the new login experience for users.
When you install the latest version of Duo for OAM you're ready to use the Universal Prompt. If you're configuring Oracle Access Manager now, proceed with the installation instructions in this document.
The "Universal Prompt" area of the application details page shows that this application is "New Prompt Ready", with these activation control options:
Duo for OAM needs a software update installed to support the Universal Prompt. The "Universal Prompt" section of your existing Oracle Access Manager application reflects this status as "App Update Ready". To update the Duo for OAM application to a newer version, follow the update directions below.
Once a user authenticates to Duo for OAM via the updated Duo plugin, the "Universal Prompt" section of the Oracle Access Manager application page reflects this status as "New Prompt Ready", with these activation control options:
In addition, the "Integration key" and "Secret key" property labels for the application update to "Client ID" and "Client secret" respectively. The values for these properties remain the same.
Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications.
Enable the Universal Prompt experience by selecting Show new Universal Prompt, and then scrolling to the bottom of the page to click Save.
Once you activate the Universal Prompt, the application's Universal Prompt status shows "Update Complete" here and on the Universal Prompt Update Progress report.
Should you ever want to roll back to the traditional prompt, you can return to this setting and change it back to Show traditional prompt.
Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.
Sign into your Oracle Access Manager administrative console on your OAM server and click Application Security in the top right-hand corner.
On the launch pad page click Authentication Plug-ins located under "Plug-ins".
On the "Plug-ins" page click Import Plug-in....
Browse to and select the DuoUniversalPlugin.jar file you downloaded earlier. Click Import to import the Duo JAR file.
Click the refresh button on the "Plug-ins" page to reload the plug-ins.
Scroll through the listed plug-ins and select DuoUniversalPlugin. It will show an "Activation Status" of Uploaded.
Fill out the Client ID, Client Secret, API hostname, Redirect URL, and Fail mode fields located under "Plug-in Details: DuoUniversalPlugin":
|Client ID|Your Client ID or Integration key from the OAM application in the Duo Admin Panel.|
|Client Secret|Your Client secret or Secret key from the OAM application in the Duo Admin Panel.|
|API hostname|Your API hostname from the OAM application in the Duo Admin Panel.|
|Redirect URL|The embedded credential endpoint URL for your OAM instance (example:|
|Fail mode|Either safe or secure:|
||Optional. If you'd like to use a different user identity store from the default system store, enter the name of the store here. Enter the store name exactly as shown in the "OAM ID Stores" table on the "User Identity Stores" configuration page.|
When all the fields have been populated click Save.
Once you've successfully saved the settings click the Distribute Selected button at the top of "Plug-ins" section. Click the refresh button to refresh the plug-ins page. The "Activation Status" will change to Distributed.
With the "DuoUniversalPlugin" selected click Activate Selected. Wait a moment for the page to reload and then click the refresh button. It will show an "Activation Status" of Activated.
Once the Duo plug-in has been uploaded and activated, add Duo to an existing authentication module and tell the plug-in how to respond during logins.
While logged into the administrative console for Oracle Access Manager click Application Security in the top right-hand corner of the screen.
On the launch pad page click Authentication Modules located under "Plug-ins".
On the "Authentication Modules" page click on the authentication module to which you want to add Duo as an authentication step.
Click on the "Steps" tab. Click the + button to open the "Add new step" wizard.
Type Duo Universal for Step Name.
Leave the Description field blank.
Select DuoUniversalPlugin from the drop-down for Plug-in Name and click OK to add the new Duo step.
Click on the "Steps Orchestration" tab. You should see Duo Universal as the last step in the list.
For the step immediately preceding Duo, change the On Success selection to Duo Universal using the drop-down. This means that if that step succeeds, the next step should invoke Duo authentication.
For the "Duo Universal" step, set On Success to success using the drop-down.
Set both the On Failure and On Error for the "Duo Universal" step to failure using the drop-down.
Click the Apply button. The page reloads confirming the module update.
You can repeat these steps to add Duo Universal 2FA to other authentication modules.
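The orchestration rules above (the preceding step's On Success points to Duo Universal; Duo Universal's On Success is success, On Failure and On Error are failure) can be audited as a graph: no route should reach success without running the Duo step. This is an added example, not part of the Duo plugin or OAM; the dictionary layout is an assumption made here for illustration, not an OAM export format, and "identify-user" and "check-password" are hypothetical step names.

```python
DUO_STEP = "Duo Universal"            # step name from the procedure above
TERMINALS = {"success", "failure"}    # terminal outcomes used in the procedure
OUTCOMES = ("on_success", "on_failure", "on_error")

def find_bypass(steps, initial):
    """Return a path that reaches 'success' without running DUO_STEP, or None."""
    stack, seen = [(initial, [initial])], set()
    while stack:
        step, path = stack.pop()
        if step == DUO_STEP or step in seen:
            continue  # paths through Duo are fine; visit each step once
        seen.add(step)
        for outcome in OUTCOMES:
            target = steps[step][outcome]
            if target == "success":
                return path + [f"{outcome} -> success"]
            if target not in TERMINALS and target in steps:
                stack.append((target, path + [target]))
    return None

def audit_module(steps, initial):
    """Check the Duo step's outcomes and that no route to success skips it."""
    if DUO_STEP not in steps:
        return [f"module has no '{DUO_STEP}' step"]
    expected = {"on_success": "success", "on_failure": "failure", "on_error": "failure"}
    findings = [
        f"{DUO_STEP} {outcome} is '{steps[DUO_STEP][outcome]}', expected '{want}'"
        for outcome, want in expected.items()
        if steps[DUO_STEP][outcome] != want
    ]
    bypass = find_bypass(steps, initial)
    if bypass:
        findings.append("success reachable without Duo: " + " / ".join(bypass))
    return findings

def step_cfg(ok, fail="failure", err="failure"):
    return {"on_success": ok, "on_failure": fail, "on_error": err}

# Constructed modules; the two non-Duo step names are hypothetical.
GOOD = {"identify-user": step_cfg("check-password"),
        "check-password": step_cfg(DUO_STEP),
        DUO_STEP: step_cfg("success")}
# Duo step added, but the preceding step still points straight at success.
MISSED = {**GOOD, "check-password": step_cfg("success")}

if __name__ == "__main__":
    for name, module in (("GOOD", GOOD), ("MISSED", MISSED)):
        print(name, audit_module(module, "identify-user") or "OK")
```

The MISSED module models the most likely mistake in this procedure: the Duo step exists, but the step before it was never re-pointed, so primary authentication alone still ends in success.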
Oracle Access Manager must be restarted before the Duo plug-in can be used. There are two different methods for restarting Oracle Access Manager.
Restart Oracle Access Manager through the WebLogic console.
Sign into your WebLogic administrative console on your OAM server.
On the WebLogic administrative console click Environment in the left-hand side menu.
Click Servers on the "Summary of Environment" page.
On the "Summary of Servers" page click the Control tab.
Locate your Oracle Access Manager server and click the checkbox next to it. Click the Shutdown button and choose between the shutdown options.
Once the server is completely shut down click Start.
Restart Oracle Access Manager through scripts.
While signed into the Oracle Access Manager server locally with a terminal open or through SSH, navigate to the bin directory of your Oracle Access Manager server.
Shut down the Oracle Access Manager server by running the command below. Replace MANAGED_SERVER_NAME with the name of your Oracle Access Manager server; in this example it is oam_server. Replace ADMIN_SERVER_URL with the URL of your Oracle Access Manager console; an example would be https://oam.yourcompany.com:7001.
./stopManagedWebLogic.sh MANAGED_SERVER_NAME ADMIN_SERVER_URL
Once the server has shut down, run the following command to start up the server using the same values from the last step.
./startManagedWebLogic.sh MANAGED_SERVER_NAME ADMIN_SERVER_URL
Note: If you are running WebLogic and Oracle Access Manager on Windows instead of Linux replace
Once your Oracle Access Manager server has been successfully restarted, log into an Application Domain protected with Duo. Enter your primary directory logon information, approve Duo two-factor authentication, and get redirected to your site after authenticating.
*Universal Prompt experience shown.
Congratulations! Oracle Access Manager is now protected with Duo two-factor authentication.
Duo for Oracle Access Manager logs are saved within the normal Oracle Access Manager log files located at $ORACLE_HOME/user_projects/domains/your_domain_name/servers/your_oam_server/logs/.
There is no direct update path from v1 of the Duo OAM plugin to v2. If you need to update from v1 to v2, you should completely remove the existing v1 plugin and configuration from your OAM server, and then download the v2 plugin JAR and follow the rest of the installation steps.
To remove the v1 Duo plugin from OAM: