Duo for Oracle Access Manager

Duo integrates with Oracle Access Manager to add two-factor authentication to your single sign-on logins, complete with inline self-service enrollment and authentication prompt.

Duo for Oracle Access Manager has been tested on Oracle Access Manager 11.1.2.3.0 running with WebLogic 10.3.6.0.

First Steps

  1. Sign up for a Duo account.

  2. Log in to the Duo Admin Panel and navigate to Applications.

  3. Click Protect an Application and locate Oracle Access Manager in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

  4. Download the DuoOAMPlugin.zip package and uncompress it.

Deploying the Duo WAR file

This step uploads the DuoLogin.war file to your WebLogic server and activates it.

  1. Sign into your WebLogic administrative console on your OAM server.

  2. On the WebLogic administrative console click Deployments in the left-hand side menu.

  3. On the "Deployments" page click the Install button.

  4. On the "Install Application Assistant" page click upload your file(s). You will be taken to a new page.

  5. Locate the DuoLogin.war file from the ZIP file you uncompressed earlier. Upload the WAR file in the Deployment Archive section. Click Next.

  6. You will be returned to the main "Install Application Assistant" page with DuoLogin.war selected as the "Current Location". Click Next.

  7. On the "Choose targeting style" page select Install this deployment as an application and click Next.

  8. On the "Select deployment targets" page check the box next to your OAM server (in our example, "oam_server") and click Next.

  9. On the "Optional Settings" page leave all settings at their default and click Next.

  10. On the "Review your choices and click Finish" page click Finish.

  11. On the "Settings for DuoLogin" page review the information. You can now log out of the WebLogic administrative console.

Enabling Adaptive Authentication Service

Before the Duo plug-in can be used, Adaptive Authentication must be enabled.

  1. Sign into your Oracle Access Manager administrative console on your OAM server.

  2. Click Configuration in the top right-hand corner of the screen.

  3. On the "Configuration" launch pad page click Available Services.

  4. On the "Available Services" page locate Adaptive Authentication Service and click Enable Service if it is not already enabled.

Deploying the Duo JAR file

  1. While logged into the administrative console for Oracle Access Manager click Application Security in the top right-hand corner of the screen.

  2. On the launch pad page click Authentication Plug-ins located under "Plug-ins".

  3. On the "Plug-ins" page click Import Plug-in....

  4. Locate the DuoPlugin.jar file from the ZIP file you uncompressed earlier. On the "Import Plug-in" screen upload the JAR file next to Plug-in File (*.jar) and click Import. The pop-up screen will disappear.

  5. Click the refresh button on the "Plug-ins" page to reload the plug-ins.

  6. Scroll through the listed plug-ins and select Duo-Plugin. It will show an "Activation Status" of Uploaded.

  7. Fill out the ikey, skey, host, and Fail mode fields located under "Plug-in Details: DuoPlugin".

    ikey        Your integration key (e.g. DIXXXXXXXXXXXXXXXXXX)
    skey        Your secret key
    host        Your API hostname (e.g. api-XXXXXXXX.duosecurity.com)
    Fail mode   Either safe or secure:

        failmode  Description
        safe      In the event that Duo's service cannot be contacted, users' authentication attempts will be permitted if primary authentication succeeds. (Default)
        secure    In the event that Duo's service cannot be contacted, all users' authentication attempts will be rejected.

    When all the fields have been populated click Save.

  8. Once you've successfully saved the settings click the Distribute Selected button at the top of "Plug-ins" section. Click the refresh button to refresh the plug-ins page. The "Activation Status" will change to Distributed.

  9. With the "DuoPlugin" selected click Activate Selected. Wait a moment for the page to reload and then click the refresh button. It will show an "Activation Status" of Activated.
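
A pre-flight check for the four values entered in step 7, as an added example that is not part of Duo's plug-in or documentation. The function names and the format patterns are assumptions inferred from the placeholders above (the 40-character skey length is also assumed), and the script never prints the secret key.

```shell
#!/bin/sh
# Added example, not Duo's code. The patterns are assumptions inferred from the
# placeholders on this page; the 40-character skey length is also an assumption.

# matches VALUE REGEX: succeeds if VALUE matches the extended regex.
matches() { printf '%s\n' "$1" | LC_ALL=C grep -Eq "$2"; }

# check_duo_fields IKEY SKEY HOST FAILMODE
# Prints one finding per line (never the secret); returns 1 on any ERROR.
check_duo_fields() {
    ikey=$1; skey=$2; host=$3; failmode=$4; rc=0

    # Values copied from the Admin Panel can pick up spaces or newlines.
    for pair in "ikey:$ikey" "skey:$skey" "host:$host" "failmode:$failmode"; do
        name=${pair%%:*}; value=${pair#*:}
        if [ "$(printf '%s' "$value" | tr -d '[:space:]')" != "$value" ]; then
            echo "ERROR $name contains whitespace"; rc=1
        fi
    done

    matches "$ikey" '^DI[A-Z0-9]{18}$' ||
        { echo "ERROR ikey is not DI followed by 18 characters"; rc=1; }

    # An skey shaped like an ikey usually means the two fields were swapped.
    if matches "$skey" '^DI[A-Z0-9]{18}$'; then
        echo "ERROR skey looks like an integration key (fields swapped?)"; rc=1
    elif ! matches "$skey" '^[A-Za-z0-9]{40}$'; then
        echo "ERROR skey is not 40 alphanumeric characters"; rc=1
    fi

    case $host in
        *://*|*/*) echo "ERROR host must be a bare hostname, no scheme or path"; rc=1 ;;
        *) matches "$host" '^api-[0-9a-f]{8}\.duosecurity\.com$' ||
               { echo "ERROR host is not api-XXXXXXXX.duosecurity.com"; rc=1; } ;;
    esac

    case $failmode in
        secure) ;;
        safe) echo "NOTE failmode=safe admits users on primary authentication alone when Duo is unreachable" ;;
        *) echo "ERROR failmode must be safe or secure"; rc=1 ;;
    esac
    return $rc
}

# Constructed values, not real credentials: ikey and skey are swapped on purpose.
check_duo_fields "0123456789abcdefghijABCDEFGHIJ0123456789" \
    "DIABCDEFGHIJ01234567" "https://api-0a1b2c3d.duosecurity.com" safe || true
```

When adapting this, read the secret key from a prompt or a protected file rather than passing it on a command line, where it would land in shell history and the process list.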

Create an Authentication Module

Once the Duo plug-in has been uploaded and activated, you have to create an authentication module to tell the plugin how to respond during logins.

  1. While logged into the administrative console for Oracle Access Manager click Application Security in the top right-hand corner of the screen.

  2. On the launch pad page click Authentication Modules located under "Plug-ins".

  3. On the "Authentication Modules" page click the Create Authentication Module button on the right-hand side and select Create Custom Authentication Module from the drop-down. You will be taken to a new page.

  4. On the "General" tab type Duo into the Name field.

  5. Leave the Description field blank.

  6. Click on the "Steps" tab. Click the + button to open the "Add new step" wizard.

  7. Type Duo 2FA for Step Name.

  8. Leave the Description field blank.

  9. Select DuoPlugin from the drop-down for Plug-in Name and click OK. You will see "Duo 2FA" appear under "Step Name".

  10. Click on the "Steps Orchestration" tab. Select Duo 2FA from the Initial Step drop-down.

  11. In the table under On Success select success from the drop-down.

  12. In the table under On Failure select failure from the drop-down.

  13. In the table under On Error select failure from the drop-down.

  14. Click the Apply button. The page will reload confirming the module has been created.

Create an Authentication Scheme

Creating a new authentication scheme will allow the Duo plug-in and DuoLogin WAR file to communicate with each other.

  1. While logged into the administrative console for Oracle Access Manager click Application Security in the top right-hand corner of the screen.

  2. On the launch pad page click Authentication Schemes located under "Access Manager".

  3. On the "Authentication Schemes" page click the Create Authentication Scheme button on the right-hand side. You will be taken to a new page.

  4. On the "Create Authentication Scheme" page type Duo into the Name field.

  5. Leave the Description field blank.

  6. Set Authentication Level to 2.

  7. Leave the Default option unchecked.

  8. Select FORM from the Challenge Method drop-down.

  9. Type /oam/server into the Challenge Redirect URL field.

  10. Select Duo from the Authentication Module drop-down.

  11. Type /pages/DuoLogin.jsp into the Challenge URL field.

  12. Select customWar from the Context Type drop-down.

  13. Type /DuoLogin into the Context Value field.

  14. Leave the Challenge Parameters field blank.

  15. Click the Apply button. The page will reload confirming the authentication scheme has been created.

Protect an Application Domain with Duo

You can now apply the Duo authentication scheme to any Application Domain you'd like to protect with Duo 2FA.

  1. While logged into the administrative console for Oracle Access Manager click Application Security in the top right-hand corner of the screen.

  2. On the launch pad page click Application Domains located under "Access Manager".

  3. On the "Search Application Domains" page select the application domain you would like to protect with Duo and click Edit. A new page will appear.

  4. On the application page click the Authentication Policies tab. Click on Protected Resource Policy and click Edit. A new page will appear.

  5. On the "Protected Resource Policy" page click the Advanced Rules tab and then click the Post-Authentication tab. Click + Add and a new screen will pop up.

  6. On the "Add Rule" pop-up type Duo 2FA into the Rule Name field.

  7. Leave the Description field blank.

  8. In the Condition field type 'true' == 'true'.

  9. Select Duo from the Switch Authentication Scheme to drop-down.

  10. Click Save. The pop-up window will close.

  11. You should now see Duo 2FA listed under "Post-Authentication". Click the Apply button at the top of the screen. You will receive a confirmation message at the top of the screen saying the policy was successfully modified.

  12. Repeat these steps on as many Application Domains as you'd like to protect with Duo 2FA.

Restart Oracle Access Manager

The Duo plug-in requires that Oracle Access Manager be restarted before the plug-in can be used. There are two methods for restarting Oracle Access Manager.

Method One

Restart Oracle Access Manager through the WebLogic console.

  1. Sign into your WebLogic administrative console on your OAM server.

  2. On the WebLogic administrative console click Environment in the left-hand side menu.

  3. Click Servers on the "Summary of Environment" page.

  4. On the "Summary of Servers" page click the Control tab.

  5. Locate your Oracle Access Manager server and click the checkbox next to it. Click the Shutdown button and choose between the shutdown options.

  6. Once the server is completely shut down click Start.

Method Two

Restart Oracle Access Manager through scripts.

  1. While signed into the Oracle Access Manager server locally with a terminal open or through SSH, navigate to the bin directory of your Oracle Access Manager server.

    Example: $ORACLE_HOME/user_projects/domains/your_domain_name/bin

  2. Shut down the Oracle Access Manager server by running the command below. Replace MANAGED_SERVER_NAME with the name of your Oracle Access Manager server (oam_server in this example) and ADMIN_SERVER_URL with the URL of your Oracle Access Manager console, for example https://oam.yourcompany.com:7001.

    ./stopManagedWebLogic.sh MANAGED_SERVER_NAME ADMIN_SERVER_URL

  3. Once the server has shut down, run the following command to start up the server using the same values from the last step.

    ./startManagedWebLogic.sh MANAGED_SERVER_NAME ADMIN_SERVER_URL

    Note: If you are running WebLogic and Oracle Access Manager on Windows instead of Linux, replace stopManagedWebLogic.sh with stopManagedWebLogic.cmd and startManagedWebLogic.sh with startManagedWebLogic.cmd.

OAM DCC Additional Steps

The Detached Credential Collector (DCC) web server needs to reach the Duo plugin web content. Specific steps for setting this up will depend on your DCC architecture.

One possible scenario, if using OHS and WebLogic, is to follow these Oracle Fusion Middleware instructions to set up OHS to proxy requests to /DuoLogin to your OAM server. Alternatively, you can deploy the Duo WAR onto the DCC server in addition to the OAM server.

The Duo plugin web content itself also needs to be excluded from OAM protection. In the relevant Application Domain(s) corresponding to your DCC WebGates, create a Resource entry for "/DuoLogin/**" with the Excluded type.

Test Duo 2FA

Once your Oracle Access Manager server has been successfully restarted, log into an Application Domain protected with Duo. Enter your primary directory logon information, approve Duo two-factor authentication, and get redirected to your site after authenticating.

Congratulations! Your Oracle Access Manager is now protected with Duo two-factor authentication.

Logging

Duo for Oracle Access Manager logs are saved within the normal Oracle Access Manager log files located at $ORACLE_HOME/user_projects/domains/your_domain_name/servers/your_oam_server/logs/.

Troubleshooting

Need some help? Take a look at our OAM Knowledge Base articles or Community discussions. For further assistance, contact Support.
