Oracle Enterprise Single Sign-on Logon Manager 21014-01. How-To: Understanding the ESSO-LM Secondary Authentication API Release 11.1.1.5.0.



Similar documents
Oracle Enterprise Single Sign-on Logon Manager How-To: Configuring ESSO-LM Event Logging with Microsoft SQL Server 2005 Release

Oracle Enterprise Single Sign-on Logon Manager Best Practices: Packaging ESSO-LM for Mass Deployment Release E

Review Employee Leave Balances

Reviewing Employee History

Revenue/Expenses Balance by Fund

New Features in Primavera Contract Management 14.1

Crystal Access Guide HCM 9.1 All Sites

Oracle Enterprise Single Sign-on Logon Manager How-To: Using the Trace Controller Utility Release

Vendor Performance Summary Report

COPYRIGHT & TRADEMARKS

Oracle Enterprise Manager

Customer Order Portal Created on 9/24/ :45 PM

Approve or Reject Purchase Requistions, Contracts, and Purchase Orders

Oracle Enterprise Manager

Third Party System Management Integration Solution

P R O V I S I O N I N G O R A C L E H Y P E R I O N F I N A N C I A L M A N A G E M E N T

Bank Account Numbers for ACH Payments

Human Resources 9.1 Basic Navigation Guide

Oracle Enterprise Manager. Description. Versions Supported

Changes for Release 3.0 from Release 2.1.1

Oracle Retail MICROS Stores2 Functional Document Tax Free - Manual Receipt Number Assignment Release September 2015

Oracle VM. Paravirtual Drivers Installation Guide for Microsoft Windows for Release E May 2012

Oracle Enterprise Manager

Oracle Enterprise Manager. Description. Versions Supported

Oracle Enterprise Single Sign-on Provisioning Gateway. Administrator Guide Release E

Oracle FLEXCUBE Direct Banking Release Help Desk User Manual. Part No. E

Introduction to Virtual Datacenter

Oracle Enterprise Manager Ops Center. Introduction. Tuning Monitoring Rules and Policies 12c Release 1 ( )

Oracle Retail MICROS Stores2 Functional Document Sales - Reasons Release September 2015

Oracle Fusion Middleware. 1 Oracle Identity Management Templates

Oracle Banking Digital Experience

HYPERION SMART VIEW FOR OFFICE RELEASE NEW FEATURES CONTENTS IN BRIEF. General... 2 Essbase... 3 Planning... 4 Reporting and Analysis...

Contents Legal Notices... 2 Preface... 5 Introduction... 7 Installation Instructions... 8

About Contract Management

Crystal Reporting 9.2 LSUNO & LSUSH

New Features in Primavera P6 Professional 15.1

Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release E


Oracle Cloud. What s New for Oracle Compute Cloud Service (IaaS) Topics. July What's New for Oracle Compute Cloud Service (IaaS) Release 16.

Oracle Banking Digital Experience

Oracle WebCenter Content Service for Microsoft Exchange

Scheduler JAVA JOB Creation Oracle FLEXCUBE Investor Servicing Release [September] [2014]

New Features in Primavera P6 EPPM 16.1

Oracle Secure Payment Gateway for HIS Profit Series SQL Server Upgrade Procedures. May 2016

StorageTek Library Attach for Window Servers

Oracle Enterprise Manager. Description. Versions Supported

University of Missouri

Oracle WebLogic Server

Oracle Enterprise Manager. Description. Versions Supported

Oracle Fusion Middleware

Configuring Internet Explorer Oracle FLEXCUBE Universal Banking Release [April] [2014]

Oracle CRM On Demand Connected Mobile Sales Administration Guide. Version March 2012

Oracle Retail MICROS Stores2 Functional Document General - License Control Release September 2015

ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE 3.6 PART NO. E

Oracle Audit Vault Administrator s Guide Oracle Audit Vault Auditor s Guide Oracle Enterprise Manager Cloud Control Administrator s Guide

Oracle Cloud E

Oracle Agile Product Lifecycle Management for Process

Viewing Paycheck Information Online - LSUSH Off Campus

Agile Product Lifecycle Management for Process

Oracle Utilities Meter Data Management Business Intelligence

Oracle Enterprise Manager

Viewing Paycheck Information Online - LSU Health New Orleans - On Campus

Oracle FLEXCUBE Direct Banking Android Tab Client Installation Guide Release

Oracle Communications Network Charging and Control. Release: 4.4

Copyright

NetFlow Collection and Processing Cartridge Pack User Guide Release 6.0

Oracle Enterprise Manager. Description. Versions Supported. Prerequisites

JD Edwards EnterpriseOne Tools. 1 Understanding JD Edwards EnterpriseOne Business Intelligence Integration. 1.1 Oracle Business Intelligence

PeopleSoft Enterprise Campus Solutions 9.0 Enrollment Web Services

NEW FEATURES ORACLE ESSBASE STUDIO

Oracle Cloud E

Oracle Banking Digital Experience

Oracle Enterprise Manager. 1 Introduction to SAP Monitoring with Oracle Enterprise Manager Grid Control. 1.1 Overview

Oracle Utilities Integration for Device Operations

1 Changes in this release

Oracle Applications Release Notes Release 12 for Apple Macintosh OS X version 10.4 (Doc ID )

Oracle Application Server

Report Writer's Guide Release 14.1

Oracle JRockit JDK. Supported Configurations R27.6. April 2009

IBM WebSphere Portal Reference Guide Release 9.2

Oracle Database. How To Get Started. April g Release 2 (10.2) for or IBM z/os (OS/390) B

Downloading Oracle Configuration Manager

MSS110 Approval for Expenses Training Guide

Contents Introduction... 5 Installation Instructions... 6 Uninstall the Unifier File Transfer Utility... 8 For More Information...

How To Use The Programs Of Ancient.Org

Note : It may be possible to run Test or Development instances on 32-bit systems with less memory.

Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2

Oracle Hospitality Cruise Shipboard Property Management System 3M AT9000MKII Installation Guide Release

Oracle Java Micro Edition Software Development Kit

Oracle Enterprise Manager. Introduction to the Oracle Virtual Networking Plug-in. Requirements. Supported Versions

Introduction. Document Conventions. Administration. In This Section

Oracle Retail Point-of-Service with Mobile Point-of-Service

Oracle Enterprise Data Quality. 1 JMX Binding. 1.1 Examples. Java Management Extensions Configuration Release 11g R1 ( )

Oracle. Human Capital Management Cloud Using Workforce Reputation Management. Release 11. This guide also applies to on-premise implementations

Oracle Database. Products Available on the Oracle Database Examples Media. Oracle Database Examples. Examples Installation Guide 11g Release 2 (11.

Agile Product Lifecycle Management

Oracle Virtual Desktop Client. Release Notes for Version 3.0

How To Customize An Orgsync App On Anorus Mobile Security Suite On A Microsoft Ipad Oracle 2.5 (Ios) On A Pc Orca 2.2 (Iphone) On An Android Orca2 (Ip

Oracle Field Service Cloud SmartCollaboration Administration Panel. Release 4.5

Transcription:

Oracle Enterprise Single Sign-on Logon Manager How-To: Understanding the ESSO-LM Secondary Authentication API Release 11.1.1.5.0 21014-01 March 2011

Oracle Enterprise Single Sign-on Logon Manager How-To: Understanding the ESSO-LM Secondary Authentication API Release 11.1.1.5.0 21014-01 Copyright 2011, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065. This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. This software and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services. 2

Table of Contents Table of Contents... 3 Introduction... 4 About This Guide... 4 Prerequisites... 4 Terms and Abbreviations... 4 Accessing ESSO-LM Documentation... 4 Understanding the ESSO-LM Secondary Authentication API... 5 Overview... 5 The SecondaryAuthKey Method... 6 The FreeSecondaryAuthKey Method... 6 Example Implementation... 7 Switching Secondary Authentication Methods... 8 Switching from Built-In Secondary Authentication to External Secondary Authentication... 8 Switching from External Secondary Authentication to Built-In Secondary Authentication... 10 Switching from One External Secondary Authentication Library to Another... 10 3

Introduction About This Guide This document describes the ESSO-LM Secondary Authentication API. The API allows you programmatically supply the passphrase answer to the MSAuth (Windows Authenticator v2) authenticator. Prerequisites Readers of this document should have a thorough understanding of software development using the Microsoft.NET framework, including the Component Object Model (COM) technology, and related concepts. Terms and Abbreviations The following table describes the terms and abbreviations used throughout this guide: Term or Abbreviation Description ESSO-LM Oracle Enterprise Single Sign-on Logon Manager Agent ESSO-LM client-side software Console ESSO-LM Administrative Console WinAuth v2 Windows Authenticator Version 2 Accessing ESSO-LM Documentation We continually strive to keep ESSO-LM documentation accurate and up to date. For the latest version of this and other ESSO-LM documents, visit http://download.oracle.com/docs/cd/e21040_01/index.htm. 4

Understanding the ESSO-LM Secondary Authentication API Overview The secondary authentication API allows a third party application to programmatically supply a passphrase to the Windows Authenticator v2 (a.k.a. MSAuth) during an authentication session. This eliminates the need for interaction with the user and automates the authentication process. The API consists of the following functions: SecondaryAuthKey allocates the passphrase answer buffer, fills the buffer with the passphrase answer, and returns a pointer to the answer buffer. FreeSecondaryAuthKey clears the answer buffer once the answer is no longer needed by third party code. Note: The custom secondary authentication library must be validated and digitally signed by Oracle; otherwise, it will not be accepted by ESSO-LM. For assistance with this process, please contact Oracle Support. 5

The SecondaryAuthKey Method This method is used to obtain the user s passphrase answer (in our example, the user s AD SID) and store it in memory at a specified address for later retrieval. BOOL SecondaryAuthKey( LPBYTE* pbanswer, LPDWORD pdwsize ) BOOL fretval = FALSE; // check for invalid parameters if ( NULL!= pbanswer ) // obtain user s SID it will be used as passphrase answer CSid sid; CString strsid( sid.sid() ); // allocate the memory buffer LPBYTE pbyte = new BYTE[strSid.GetLength() + 1]; // copy the SID to the buffer ::memcpy( pbyte, strsid.getbuffer(), strsid.getlength() ); // save the address of the buffer to the passed pointer *pbanswer = pbyte; // save the size of the buffer to the passed pointer if ( NULL!= pdwsize ) *pdwsize = strsid.getlength() + 1; // set successful return code fretval = TRUE; return fretval; The FreeSecondaryAuthKey Method This method is used to clear the passphrase answer buffer after SecondaryAuthKey has been successfully called. void FreeSecondaryAuthKey( LPBYTE pbanswer ) // free the memory buffer delete[] pbanswer; 6

Example Implementation Below is an example of using the secondary authentication API to programmatically supply the passphrase answer to the authenticator. BOOL CResetDlg::SecondaryAuth( LPCTSTR pszdllpath ) BOOL fretval = FALSE; // load SecondaryAuth.dll HMODULE hsecondaryauth = LoadLibrary( pszdllpath ); If ( NULL!= hsecondaryauth ) SECONDARYAUTHKEY pfnsecondaryauthkey = (SECONDARYAUTHKEY) GetProcAddress( hsecondaryauth, "SecondaryAuthKey" ); if ( NULL!= pfnsecondaryauthkey ) LPBYTE pbbyte = NULL; DWORD dwanswersize = 0; // call SecondaryAuthKey to get the passphrase answer BOOL banswerresult = pfnsecondaryauthkey( &pbbyte, &dwanswersize ); // use the returned answer pbbyte //... // call FreeSecondaryAuthKey to let the library free the memory FREESECONDARYAUTHKEY pfnfreesecondaryauthkey = (FREESECONDARYAUTHKEY) GetProcAddress( hsecondaryauth, "FreeSecondaryAuthKey" ); if ( NULL!= pfnfreesecondaryauthkey ) pfnfreesecondaryauthkey( pbbyte ); // set successful return code fretval = TRUE; // unload SecondaryAuth.dll FreeLibrary( hsecondaryauth ); return fretval; 7

Switching Secondary Authentication Methods You have the ability to change the method used by Windows Authenticator v2 (WinAuth v2) to verify the user s identity to another method if necessary. The following scenarios are supported: WinAuth v2 built-in secondary authentication to external secondary authentication External secondary authentication to WinAuth v2 built-in secondary authentication One external secondary authentication library to another Switching from Built-In Secondary Authentication to External Secondary Authentication To configure WinAuth v2 for recovery via custom secondary authentication library, do the following: 1. Start the ESSO-LM Administrative Console. 2. In the tree in the left pane, right-click the Global Agent Settings node and select Import From Live HKLM from the context menu. 3. Under the Live settings set, navigate to Authentication Windows v2. If you have previously configured ESSO-LM to use either the user s AD SID or a secure random key as a secondary authentication method, revert back to interactive passphrase by deselecting the check box next to the Recovery Method option. (This reverts the option to its default value, User passphrase.) 4. Create a directory named identically to the GUID of your custom library in the following directory: <oracle_install_dir>\v-go SSO\AUI\Recovery\ Note: Substitute the full path of the directory in which Oracle ESSO products are installed for <oracle_install_dir>. For example, if your library s GUID is B623C4E7-A383-4194-A719-7B17D074A70F, you would create the following directory: <oracle_install_dir>\v-go SSO\AUI\Recovery\B623C4E7-A383-4194-A719-7B17D074A70F 5. Place your custom library file in the directory you created in step 4. 8

6. Add a GUID entry to ESSO-LM s secondary authentication methods list for your custom library. a. Create a key named identically to the GUID of your custom library under the following registry location: On 32-bit systems: HKEY_LOCAL_MACHINE\Software\Passlogix\AUI\MsAuth\ RecoveryMethods\ On 64-bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Passlogix\AUI\MsAuth\ RecoveryMethods\ For example, if your library s GUID is B623C4E7-A383-4194-A719-7B17D074A70F, you will create the following key on a 32-bit system: HKEY_LOCAL_MACHINE\Software\Passlogix\AUI\MsAuth\RecoveryMethods\ B623C4E7-A383-4194-A719-7B17D074A70F b. Under the key you created in step 6a, create a string value named Path and set it to the full path and file name of your custom library. In our example, you would set it to: <oracle_install_dir>\v-go SSO\AUI\Recovery\B623C4E7-A383-4194- A719-7B17D074A70F\<MyCustomLibrary.dll> Where <oracle_install_dir> is the full path of the directory in which Oracle ESSO products are installed and <MyCustomLibrary.dll> is the file name of your custom library. 7. Set ESSO-LM s recovery method to your custom secondary authentication library. If it does not already exist, create a string value named ResetMethodGUID under HKEY_LOCAL_MACHINE\Software\Passlogix\AUI\MsAuth\RecoveryMethods\ and set it to the GUID of your custom library. 8. Reinitialize the WinAuth v2 settings with the newly selected configuration: a. Launch ESSO-LM, double-click its system tray icon, and select Settings in the left-hand pane of the window that appears. b. Select the Authentication tab, then click Change. The Setup Wizard appears. c. Follow the prompts in the wizard. When prompted to select your primary logon method, make sure that Windows Logon v2 remains selected. d. Complete the remaining steps in the wizard. 9

Switching from External Secondary Authentication to Built-In Secondary Authentication To configure WinAuth v2 for recovery via one of ESSO-LM s built-in secondary authentication methods, do the following: 1. Start the ESSO-LM Administrative Console. 2. In the tree in the left pane, right-click the Global Agent Settings node and select Import From Live HKLM from the context menu. 3. Under the Live settings set, navigate to Authentication Windows v2. 4. Select the check box next to the Recovery Method option and do one of the following: To use the interactive passphrase prompt with a user-supplied passphrase for secondary authentication, select User passphrase from the drop-down list To use silent secondary authentication using the user s AD SID as the passphrase answer, select Passphrase suppression using user s SID from the drop-down list To use silent secondary authentication with a secure random key as the passphrase answer, select Passphrase suppression using secure key from the drop-down list 5. Save your changes locally or publish them to the repository, as applicable. 6. Reinitialize the WinAuth v2 settings with the newly selected configuration: a. Launch ESSO-LM, double-click its system tray icon, and select Settings in the left-hand pane of the window that appears. b. Select the Authentication tab, then click Change. The Setup Wizard appears. c. Follow the prompts in the wizard. When prompted to select your primary logon method, make sure that Windows Logon v2 remains selected. d. Complete the remaining steps in the wizard. Switching from One External Secondary Authentication Library to Another If you are currently using one external secondary authentication library and want to switch to a different external library, repeat the steps in Switching from WinAuth v2 Built-In Passphrase Support to External Secondary Authentication. 10