Implementation of DUO and SAML in E-Business Suite 12.2

by Rackspace Technology Staff

This blog covers the steps to implement Multi-Factor Authentication (MFA) for E-Business Suite with Duo, and Security Assertion Markup Language (SAML) federation between Oracle Access Manager (OAM) and Duo. MFA authenticates a user's identity by requiring the user to present two or more pieces of evidence, or factors, before access is granted.

A SAML exchange involves two parties:

  • Identity Provider (IdP): performs the authentication and passes the user's identity and authorization level to the service provider.
  • Service Provider (SP): trusts the identity provider and authorizes the given user to access the requested resource.

SAML works through the exchange of information (assertions) between these two trusted entities.

Requirements

To begin with, users log in to the Duo portal (Duo dashboard) once. Once on the portal, a user can click the E-Business icon directly without being asked for a user ID or password again. A client might have a different portal, but in this example I am working with the Duo Central portal. None of the applications highlighted in the following snapshot require a separate login.

[Screenshot: Duo Central portal with the application icons (Implementation of DUO and SAML 1)]

After you click the Oracle EBS icon, the EBS page with the user's responsibilities is displayed.

This requirement is implemented with Security Assertion Markup Language (SAML).

Pre-requisites for implementing Duo:

A working E-Business Suite instance integrated with Oracle Access Manager, with Oracle Unified Directory as the back-end user directory. The OAM managed server should be running in SSL mode.

Steps for implementing Multi-Factor Authentication for EBS 12.2 using Duo:

  • Download DuoUniversalPlugin.jar to a local desktop from https://github.com/duosecurity/duo_universal_oam/releases/latest/download/DuoUniversalPlugin.jar
  • Log in to the OAM Console (the URL is only an example): http://localhost.domain.com:8001/oamconsole
  • Under Authentication Plug-ins, once the page has loaded, click 'Import Plug-in'.
  • Browse to the downloaded DuoUniversalPlugin.jar and click 'Import'.
  • Once uploaded, select DuoUniversalPlugin, which should show the status Uploaded, and fill in its parameters:
  • Client ID and Client Secret: values provided by the Duo admin team.
  • Redirect URL: the OAM credential-submit endpoint, https://<<oam-server-host>>:<<port>>/oam/server/auth_cred_submit
  • Fail Mode: Open. Note what this means: if the Duo service cannot be reached, the login completes on the primary LDAP factor alone. Choose Closed if an outage of Duo should block logins rather than bypass MFA.
  • User Store: OIDIdentityStore

[Screenshots: DuoUniversalPlugin parameters (DUO and SAML Picture 2 and 3)]
  • Click Save after entering the values.

DUO and SAML Picture 4
  • At the top of the plug-in list, click "Distribute Selected" and refresh until the "Activation Status" changes to Distributed.
  • Then click Activate so that the "Activation Status" changes to Activated.
  • Once the plug-in is activated, create a custom authentication module.
  • Before that, modify the UserIdentificationPlugIn and UserAuthenticationPlugIn plug-ins so that their KEY_IDENTITY_STORE_REF parameter points to OIDIdentityStore.

DUO and SAML Picture 5
  • In the Oracle Access Manager Console, click "Authentication Modules" under "Plug-ins".
  • Create a Custom Authentication Module and name it LDAP_DUO (any name will do).

[Screenshot: custom authentication module (DUO and SAML Picture 6)]

  • On the Steps tab, add the steps listed below, each with a step name and its plug-in name.

DUO and SAML Picture 7
  • On the Steps Orchestration tab, add the three steps DuoUniversal, uid and uid2. This is where you specify which step OAM runs next after each step succeeds or fails.

DUO and SAML Picture 8
  • Once the authentication module is created, change EBSAuthScheme from LDAP_EBS to LDAP_DUO by navigating to Launchpad > Authentication Schemes.
  • EBSAuthScheme is created when EBS is registered with OAM and is used for authentication by default, which is why its module has to be changed.
  • With the above steps complete, Duo multi-factor authentication is in place: after the LDAP login, the following Duo window pops up.

[Screenshots: Duo prompt after login (DUO and SAML Picture 9 and 10)]

Implementing SAML to enable single click  Authentication from Duo Central
=================================================================

The icons in the Duo portal are created by the Duo admin team; in Access Manager we perform the following steps:

Step 1: Enable the Federation Services

In the OAM console click Federation.
- Click the "Available Services" button
- Click the "Enable Service" button in the Identity Federation row
- Complete the following steps using wlst.sh

DUO and SAML Code

- Connect to the AdminServer as the WebLogic administrator user using the connect() command.

- Switch to the runtime context using the domainRuntime() command.

- Enable the Federation SP service using the command configureFederationService("sp","true")

- Optionally, enable the Federation IdP service using the command configureFederationService("idp","true")

- Enable the Federation SP Test Engine (a web page that allows testing with IdP partners without protecting a resource) using the command configureTestSPEngine("true")

Each command prints "Command was successful." when it completes.

[Screenshots: wlst.sh session (DUO and SAML Code 2, 3 and 4)]

Step 2 : Create Identity Provider

Request the Duo portal's SAML metadata as an XML file from the Duo admin team; it is imported in the steps below.

Once received, create the Identity Provider Partner as follows.

  • In the OAM console, open the "Federation" section using the buttons at the upper right corner of the page, or click the Service Provider Management link.
  • Click Create Identity Provider Partner.
  • Provide a Name for the partner and, optionally, a description.
  • Provide the Service Information by uploading the metadata file received from the Duo admin team.
  • Specify the User Identity Store used to map the federated user; in OAM we select OIDIdentityStore.
  • Specify the User Search Base under which user entries are searched.
  • Map the assertion Name ID to a User ID Store attribute: OAM takes the value of the assertion's Name ID field and searches the user store for the user whose attribute holds that value. Here the attribute is mail, so the Name ID Duo sends must be the user's e-mail address as stored in the directory.
  • Select an Attribute Mapping profile as the IdP attribute profile.
  • Click Save.
  • After saving, a new screen is displayed. Click "Create Authentication Scheme and Module" as shown in the following snapshot.

Refer to the following screenshots

DUO and SAML Picture 11
DUO and SAML Picture 12
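To make the Name ID mapping step concrete, here is an added example (not Oracle Access Manager code) of what OAM does once it has verified the assertion's signature against the certificate in the IdP metadata: it checks issuer and audience, takes the Name ID value, and searches the user store under the User Search Base for the entry whose mail attribute matches. The assertion, the directory entries, the entity IDs and the search base are all constructed placeholders; the directory is simulated with a dictionary instead of a live OUD connection.

```python
"""Map a SAML assertion's NameID to exactly one directory user.

Added example, not OAM code. It models the "Map assertion Name ID to
User ID Store attribute" setting: search the user store under the search
base for mail=<NameID>. Assertion, directory, entity IDs and base DN are
constructed; signature verification is assumed to have passed already.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholders for the IdP entityID (Duo), the SP entityID (OAM) and the User Search Base.
IDP_ENTITY_ID = "https://idp.example.com/saml2/metadata"
SP_ENTITY_ID = "https://oam.example.com:14101/oam/fed"
BASE_DN = "cn=users,dc=example,dc=com"

# Constructed assertion body (signature already checked, see docstring).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">JDoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

# Constructed stand-in for the OUD user store: DN -> attributes.
DIRECTORY = {
    "uid=jdoe,cn=users,dc=example,dc=com": {"uid": "jdoe", "mail": "jdoe@example.com"},
    "uid=asmith,cn=users,dc=example,dc=com": {"uid": "asmith", "mail": "asmith@example.com"},
    "uid=dup1,cn=users,dc=example,dc=com": {"uid": "dup1", "mail": "shared@example.com"},
    "uid=dup2,cn=users,dc=example,dc=com": {"uid": "dup2", "mail": "shared@example.com"},
    # Outside the search base: a federated login must never resolve to this entry.
    "uid=svc,cn=services,dc=example,dc=com": {"uid": "svc", "mail": "svc@example.com"},
}


def extract_name_id(assertion_xml, expected_issuer=IDP_ENTITY_ID, expected_audience=SP_ENTITY_ID):
    """Return (NameID value, NameID format) after checking issuer and audience."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        raise ValueError(f"assertion issued by {issuer!r}, expected {expected_issuer!r}")
    audiences = [(a.text or "").strip() for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion not addressed to {expected_audience!r}: {audiences}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return name_id.text.strip(), name_id.get("Format")


def ldap_escape(value):
    """RFC 4515 escaping so an IdP-supplied NameID cannot alter the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(attr, value):
    """The equality filter sent to the directory, e.g. (mail=jdoe@example.com)."""
    return f"({attr}={ldap_escape(value)})"


def search(directory, base_dn, attr, value):
    """Simulated subtree search: the exact match a directory applies for build_filter()."""
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(suffix) and attrs.get(attr, "").lower() == value.lower()]


def resolve_user(name_id, directory=DIRECTORY, base_dn=BASE_DN, attr="mail"):
    """Return (dn, None) for exactly one match, otherwise (None, reason).

    Zero matches means no local account; more than one means the attribute is
    not unique under the search base, and a federated login must not guess.
    """
    matches = search(directory, base_dn, attr, name_id)
    if len(matches) == 1:
        return matches[0], None
    return None, f"{len(matches)} entries match {build_filter(attr, name_id)} under {base_dn}"


if __name__ == "__main__":
    value, fmt = extract_name_id(SAMPLE_ASSERTION)
    print("NameID:", value, "format:", fmt, "filter:", build_filter("mail", value))
    print("resolved:", resolve_user(value))
```

The two failure paths are the ones to watch in production: a mail value shared by two entries (OAM cannot pick one), and a search base that is too narrow or too wide. The escaping in build_filter is what keeps a NameID such as `*@example.com` from turning into a wildcard search if the filter is ever built by hand, for instance in a troubleshooting script run against OUD.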

Step 3: Send OAM federation metadata to the Duo admin team

- In the OAM Console, go to Configuration > Settings > Federation.

- Click Export SAML 2.0 Metadata and send the resulting XML to the Duo admin team, who will import it into the Duo Central portal.

DUO and SAML  Picture 13

The exported XML contains the values the Duo side needs in order to trust OAM as a service provider:
1. entityID
2. Assertion Consumer Service (ACS) URL
3. Single Logout URL
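Before the two files change hands in Steps 2 and 3, it is worth pulling those values out of the XML and checking them rather than trusting the screenshots. The following is an added example (not part of this post or of Oracle/Duo tooling) that extracts the entityID, ACS URL and Single Logout URL from the metadata OAM exports, the SSO endpoint and signing certificate from the metadata the Duo admin team sends, and flags the settings that would break or weaken the federation. Both documents are constructed stand-ins with placeholder hostnames and a dummy certificate; the OAM paths and entity IDs are assumptions, not values from a real export.

```python
"""Sanity-check the SAML 2.0 metadata exchanged in Steps 2 and 3.

Added example, not part of the post or of Oracle/Duo tooling: it extracts the
entityID, ACS URL and Single Logout URL from the SP metadata OAM exports, the
SSO endpoint and signing certificate from the IdP metadata the Duo admin team
sends, and flags settings that break or weaken the federation. Both documents
are constructed stand-ins with placeholder hostnames and a dummy certificate.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for Configuration > Settings > Federation > Export SAML 2.0 Metadata.
OAM_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://oam.example.com:14101/oam/fed">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://oam.example.com:14101/oamfed/sp/samlv20"/>
    <md:AssertionConsumerService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://oam.example.com:14101/oamfed/sp/samlv20"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Dummy DER blob (a bare ASN.1 SEQUENCE) standing in for the IdP's X.509 signing certificate.
DUMMY_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

# Constructed stand-in for the IdP metadata received from the Duo admin team.
DUO_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{DUMMY_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the three values Step 3 says the Duo side needs, plus the signing policy."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    acs = next((e for e in acs_list if e.get("isDefault") == "true"), acs_list[0])
    slo = sp.find("md:SingleLogoutService", NS)
    return {"entityID": root.get("entityID"),
            "acs_url": acs.get("Location"), "acs_binding": acs.get("Binding"),
            "slo_url": None if slo is None else slo.get("Location"),
            "want_assertions_signed": sp.get("WantAssertionsSigned") == "true"}


def parse_idp_metadata(xml_text):
    """Extract what OAM needs from the IdP: entityID, SSO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' attribute means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    return {"entityID": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_federation(sp, idp):
    """Return a list of problems; an empty list means the pair is fit to exchange."""
    problems = []
    for label, url in (("SP entityID", sp["entityID"]), ("ACS URL", sp["acs_url"]),
                       ("SLO URL", sp["slo_url"]), ("IdP SSO URL", idp["sso"].get(POST))):
        if url and urlparse(url).scheme != "https":
            problems.append(f"{label} is not https: {url}")
    if sp["acs_binding"] != POST:
        problems.append(f"ACS binding is {sp['acs_binding']}, expected HTTP-POST")
    if not sp["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate")
    for cert in idp["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:   # binascii.Error is a ValueError subclass
            der = b""
        if der[:1] != b"\x30":   # a DER Certificate starts with an ASN.1 SEQUENCE
            problems.append("IdP signing certificate is not DER-encoded X.509")
    return problems


if __name__ == "__main__":
    sp, idp = parse_sp_metadata(OAM_SP_METADATA), parse_idp_metadata(DUO_IDP_METADATA)
    print("send to Duo:", {k: sp[k] for k in ("entityID", "acs_url", "slo_url")})
    print("problems:", check_federation(sp, idp) or "none")
```

The checks are the ones that matter for this setup: every endpoint must be https (the OAM managed server runs in SSL mode for a reason), the ACS must accept HTTP-POST because that is how the Duo assertion arrives, OAM must insist on signed assertions, and the IdP metadata must carry the certificate OAM will verify those signatures with. Metadata received by e-mail from the admin team is trusted input; if you ever fetch it over the network, parse it with defusedxml rather than the standard library parser.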

Step 4: Testing the federation configuration

Test the federation using the SP Test Engine enabled in Step 1:

https://<OAM_HOST_NAME>:<OAM_MANAGED_SERVER_PORT>/oamfed/user/testspsso

[Screenshot: SP Test Engine page (DUO and SAML Picture 14)]

The Partner drop-down list on that page (screen above) lists the Identity Provider Partner created in the previous steps.

Select it and click Start SSO.

You are redirected to the Duo login prompt, which shows that the federation is working; log in with the IdP credentials to complete the test.

Step 5: Configure OAM to protect resources using your federated IdP partner

- In the OAM console, navigate to Application Security > Application Domains and search for the application domain.

- The application domain is generally named after the SID, hostname and port.

- Select the domain > Authentication Policies > Protected Resource Policy and change the Authentication Scheme to <partner name>FederationScheme, the scheme created when you clicked "Create Authentication Scheme and Module" in Step 2.

DUO and SAML Picture 15

Once all of the above steps are done, E-Business Suite launches from Duo Central without prompting for a password.

Conclusion

SAML improves the login experience across several applications because a user needs to sign in only once. It also improves security because the user's credentials are sent only to the identity provider; the service providers, EBS included, never see the password and receive only a signed assertion about the authenticated user.

Explore the possibilities of Oracle EBS with Rackspace