Configuration Properties for OAA

11.9 Configuration Properties for OAA

OAA provides REST APIs for configuring properties for challenge factors and other settings.

Use the <PolicyUrl>/policy/config/property/v1 REST API to configure properties.

Note:

In this case remove /oaa-policy from the <PolicyUrl>, for example use https://<host>:<port>/policy/config/property/v1 not https://<host>:<port>/oaa-policy/policy/config/property/v1

For details about finding the PolicyUrl and authenticating, see OAA Admin API.

For details about the Configuration Properties REST Endpoint, see Configuration Properties REST Endpoints.

Property Name	Default Value	Description
`bharosa.uio.default.all.factor.challengecounter.expiryTime`	`1800000`	Expiry time of the challenge counter lock for the factors. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries.
`bharosa.uio.default.all.factor.retry.count`	`10`	Maximum number of unsuccessful retries of the challenge for the factors. Beyond this count the challenge is locked.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.appName`	`OAA`	Name of the application.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.challengeText`	`Enter OTP sent to {0}.`	Prompt message to enter One Time Pin (OTP) on the end-user challenge page.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.fromAddress`	`oaa@oracle.com`	Email address of the email sending entity.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.fromName`	`OAA`	Name of the From email sending entity.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgIPTemplate`	`IP Address:`	Part of the email template to display message IP addres.s
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgPinTemplate`	`Please use following one time pin to login to protected resource:`	Part of the email template to display One Time Pin (OTP).
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgResourceURLTemplate`	`Resource URL Access:`	Part of the email template to display message resource URL.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgSubject`	`One Time Pin: OAA`	Subject title of the email template.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.challengeCounterExpiryTime`	`1800000`	Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries. If the value is not provided then the value for `bharosa.uio.default.all.factor.challengecounter.expiryTime` is used (default is 1800000 milliseconds) .
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.retrycount`		Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked. If the value is not provided then the value for `bharosa.uio.default.all.factor.retry.count` is used (default is 10).
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgTimeTemplate`	`Time of Access:`	Part of the email template to display message time.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.promptmessage`	`Send OTP to {0}`	Prompt message to send One Time Pin (OTP) through email used on end-user challenge page.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.promptselectmessage`	`Please select one of following addresses to receive OTP.`	Prompt message to select addresses to send One Time Pin (OTP) to user on end-user challenge page.
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.challengeText`	`Enter OTP from device {1}`	Prompt message to enter time-based One Time Pin (OTP) on end-user challenge page.
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.promptselectmessage`	`Please select one of following channels`	Prompt message to select channels to send time-based One Time Pin (OTP) to user on end-user challenge page.
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.challengeCounterExpiryTime`	`1800000`	Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries. If the value is not provided then the value for `bharosa.uio.default.all.factor.challengecounter.expiryTime` is used (default is 1800000 milliseconds).
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.retrycount`		Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked. If the value is not provided then the value specified for `bharosa.uio.default.all.factor.retry.count` is used (default is 10).
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.showSecretKeyText`	`true`	Displays a secret key in the Self-Service Portal, for use with Oracle Mobile Authenticator, Google Authenticator, or Microsoft Authenticator. If the value is set to `false`, the secret key isn't displayed.
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.showQrcode`	`true`	Displays a QR code in the Self-Service Portal, for use with Oracle Mobile Authenticator, Google Authenticator, or Microsoft Authenticator. If the value is set to `false`, the QR code isn't displayed.
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.keyExpiryEnabled`	`false`	A boolean value that indicates whether or not secret key expiration is enabled. When enabled, the Time-based One Time Passcode (TOTP) secret key expiration time is checked during the challenge flow. If the key has expired, the challenge flow fails and the key is deleted. If the key has not expired, the challenge flow will continue as usual.
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.keyExpiryTimeMinutes`	`60`	Specifies the key's expiration time in minutes. This must be a positive whole number.
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.otpexpirytimeMs`	`300000`	Specifies the timeout in millisecond for the Time-based One Time Passcode (TOTP) generated registration URL.
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.oma.config`	`oraclemobileauthenticator://settings?ServiceName::=%deviceName%&ServiceType::=SharedSecret&SharedSecretAuthServerType::=HTTPBasicAuthentication&LoginURL::=%totpRegistrationEndpoint%/oaa/rui/totpPreferences/v1` Note: If the value of `totpRegistrationEndpoint` is not provided, then it's value is computed based on the kubernetes cluster/pod setup.
`database.cache.type.enum.factor.expiryTime`	Value must be greater than equal to `bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.otpexpirytimeMs.` If not specified default value is `600` seconds.	Specifies the cache timeout in seconds.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.challengeCounterExpiryTime`	`1800000`	Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries. If the value is not provided then the value for `bharosa.uio.default.all.factor.challengecounter.expiryTime` is used (default is 1800000 milliseconds).
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.retrycount`		Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked. If the value is not provided then the value specified for `bharosa.uio.default.all.factor.retry.count` is used (default is 10).
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.appName`	`OAA`	Name of the application.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.challengeText`	`Enter OTP sent to {0}.`	Prompt message to enter One Time Pin (OTP) on end-user challenge page.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.fromAddress`	`oaa@oracle.com`	Mobile number of the SMS sending entity.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.fromName`	`OAA`	Name of the From SMS sending entity.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgIPTemplate`	`IP Address:`	Part of the SMS template to display message IP address.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgPinTemplate`	`Please use following one time pin to login to protected resource:`	Part of the SMS template to display One Time Pin (OTP).
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgResourceURLTemplate`	`Resource URL Access:`	Part of the SMS template to display message resource URL.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgSubject`	`One Time Pin: OAA`	Subject title of the SMS template.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgTimeTemplate`	`Time of Access:`	Part of the SMS template to display message time.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.promptmessage`	`Send OTP to phone {0}`	Prompt message to send One Time Pin (OTP) through SMS used on end-user challenge page.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.promptselectmessage`	`Please select one of following numbers to receive OTP.`	Prompt message to select addresses to send One Time Pin (OTP) to user on end-user challenge page.
`bharosa.uio.default.challenge.type.enum.ChallengeTOTP.promptmessage`	`Enter OTP from registered phone`	Prompt message to send time-based One Time Pin (OTP) used on end-user challenge page.
`bharosa.uio.default.challenge.type.enum.ChallengeYubicoOTP.challengeCounterExpiryTime`	`1800000`	Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries. If the value is not provided then the value for `bharosa.uio.default.all.factor.challengecounter.expiryTime` is used (default is 1800000 milliseconds).
`bharosa.uio.default.challenge.type.enum.ChallengeYubicoOTP.retrycount`		Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked. If the value is not provided then the value specified for `bharosa.uio.default.all.factor.retry.count` is used (default is 10).
`bharosa.uio.default.challenge.type.enum.ChallengeFIDO2.challengeCounterExpiryTime`	`1800000`	Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries. If the value is not provided then the value for `bharosa.uio.default.all.factor.challengecounter.expiryTime` is used (default is 1800000 milliseconds).
`bharosa.uio.default.challenge.type.enum.ChallengeFIDO2.retrycount`		Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked. If the value is not provided then the value specified for `bharosa.uio.default.all.factor.retry.count` is used (default is 10).
`oracle.security.oaa.kba.challenge.number`	`1`	Number of security questions that the user will be asked to answer during the challenge flow. This should be set to a value no larger than the maximum number of active questions answered by the user during security question registration. Note: This property should be used in conjunction with the `oracle.security.oaa.kba.challenge.separator` property described in the row below.
`oracle.security.oaa.kba.challenge.separator`	`\|`	If `oracle.security.oaa.kba.challenge.number` is set to a value greater than 1, the generated challenge will contain the multiple challenges as a string, separated by the value of `oracle.security.oaa.kba.challenge.separator`. For example: `What is your name?\|What is your age?\|What is your birthplace?` . When the response to the challenge is presented to the OAA server, the response is also expected to be seperated by the same separator. By default the value is `"\|"`. If you anticipate any of the questions or answers could contain the value `"\|"` then you must change this parameter to use a seperator that is is not contained in the question or answer. To override this value set `oracle.security.oaa.kba.challenge.separator` to a character or combination of characters of your choice. Note: Changing the separator may impact in flight KBA authentications, Hence, perform updates to this configuration when the KBA service is offline.
`oaa.user.auth.question.authn.counter.enabled`	`true`	If this property is `true`, the risk counters are incremented.
`oaa.user.auth.question.next.seq`	`false`	If this property is `false`, `oaam.kba.questions.randomorder` is `true`, and `oracle.security.oaa.kba.challenge.number` is 1, the questions selected from picklist are at random. Else, the user is challenged by questions from the picklist in sequential order.
`oaam.kba.questions.randomorder`	`false`	If this property is `true`, `oaa.user.auth.question.next.seq` is `false`, and `oracle.security.oaa.kba.challenge.number` is 1, questions selected from picklist are at random. Else, the user is challenged by questions from the picklist in sequential order.
`bharosa.kba.questions.trim.answers.for.matching`	`true`	If this property is set to `true`, the answer and the matched value are trimmed before matching.
`oaa.browser.cookie.domain`		In case of an OAA-OARM install this must be set to the OAA host domain to collect the device cookie properly. For example, if the OAA is accessible on `https://oaa.example.com`, then set the value to `oaa.example.com`.
`oaa.risk.integration.postauth.cp`	`postauth`	Defines the default risk assurance level for OAA assurance level. The default value is `postauth` and should not be changed. Note: This property is related to OAA-OARM integration.
`oaa.policy.assurance.level.default.action`	`Challenge`	Defines the default action associated with the OAA assurance level. Note: This property is related to OAA-OARM integration.
`profile.type.enum.<AssuranceLevelKey>.riskcheckpoint`		Checkpoint associated with the existing assurance level. Note: This property is related to OAA-OARM integration.
`profile.type.enum.<AssuranceLevelKey>.defaultaction`		Default action associated with the existing assurance level. Acceptable values are `Allow`, `Block`, and `Challenge`. For instance: `[ { "name": "profile.type.enum.ChallengeMFA.defaultaction", "value": "<Allow/Block/Challenge>", "source": "database" } ]` Note: This property is related to OAA-OARM integration.
`rule.action.enum.<actionName>.priority`		Defines the priority of the action. It can be a integer value or string "max" to identify the highest priority. For instance: `[ { "name": "rule.action.enum.Block.priority", "value": "max", "source": "database" } ]` Note: This property is related to OAA-OARM integration.
`default.all.factor.bypassChallenge.durationInMinutes`		Specifies the duration for which the user is no longer challenged after a successful login. Note: You can set the property to a negative value to disable this feature.

Configuration Properties for OUA

All the properties below, except bharosa.uio.default.challenge.type.enum.ChallengeOMAPUSH.retrycount (which uses the <PolicyUrl> endpoint), should be set using the <DRSS>/oaa-drss/oua/property/v1 REST API endpoint.

Note:

For details on the <DRSS> endpoint and the username and password, see Printing Deployment Details.

Property Name	Default Value	Description
General Parameters
`echo.elapsed.time`	`2`	This property is required to determine the count for an unreachable device. The default value '2' means that if a device does not send an echo/heartbeat for 2 hours it will be recognized as an unreachable device.
`oua.drss.lcm.heartbeatFrequency`	`1800000`	Specifies the time frequency between device heartbeat calls in milliseconds.
`oua.drss.lcm.pollingFrequency`	`43200000`	Specifies the time frequency between checking for new Oracle Universal Authenticator client software versions in milliseconds.
`oua.drss.lcm.monitoringFrequency`	`10000`	Specifies the time frequency in milliseconds used by the monitoring agent to check and restart (if required) OUADesktopHelper and OUAUpgradeAgent processes.
`oua.drss.ssoLoginUrl`		Specifies the value of the OAM endpoint. By default this value is not set and should only be set if the OAM login URL is different to the value specified for `oua.oamRuntimeEndpoint` in the `installOAA.properties`. See, Oracle Universal Authenticator Configuration. A sample value is `<http(s)>://<loginurl_host>:<Port>`.
`oua.drss.cookieParameter`	`path=/; secure; HttpOnly`	Specifies the cookie parameters for the OAM_ID cookie set by the OUA client and SSO Browser extension. This value can be changed based on your organization's security and privacy policies. For example, `secure;partitioned`. See Set-Cookie for options.
`bharosa.uio.default.challenge.type.enum.ChallengeOMAPUSH.retrycount`	`10`	Specifies the maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked. This value must be set to 50 if using OMA Push Notification Challenge with Oracle Universal Authenticator.
Password Management Parameters
`oua.drss.password.reset.forgoturl`		Specifies the URL where users can initiate the "Forgot Password" process. Through this URL, users will be guided to reset their password by answering security questions or utilizing other recovery mechanisms configured for their account. See Password Management.
`oua.drss.password.reset.url`		Defines the URL where users can reset their password. Accessing this URL allows users to verify their identity, through such actions as answering security questions, and proceed to create a new password for their account. See Password Management.
`oua.drss.password.reset.supportedBrowsers`	chrome, firefox	Outlines the browsers supported by the system. When a forgot URL or reset URL is called from within OUA, a browser is opened. Note: In this release, only Google Chrome and Mozilla Firefox are supported. If both browsers are installed, the system will prioritize using Chrome for optimal functionality. These browsers are required for the proper execution of this feature. See Password Management.
Configurable Challenges Parameters
`oua.drss.skipPrimaryAuthDurationWithLastFullAuth`	1800 seconds (30 minutes)	Specifies the time duration from the last full OAM login. If the last full OAM login is within this time duration, the user will not be prompted for their OAM password, and will be allowed to authenticate using only the second factor. Once the duration elapses, the user will be prompted to enter their full OAM credentials, followed by a second factor.
`oua.drss.skipPrimaryAuthDurationWithLastMFAOnlyAuth`	600 seconds (10 minutes)	Specifies the time duration from the last successful second factor only login time. If the user performed a second factor only login within this time duration, the user will not be prompted for their OAM password, and will be allowed to authenticate using only the second factor. When their duration elapses, the user will be prompted for their OAM credentials, followed by a second factor.
`oua.drss.skipPrimaryAuthFactorTrustLevel`	3	Specifies the trust level value for skip password rule evaluation. The trust level determines which factors are allowed to perform a passwordless login within the `oua.drss.skipPrimaryAuthDurationWithLastFullAuth` and `oua.drss.skipPrimaryAuthDurationWithLastMFAOnlyAuth` time periods. The default trust levels are as follows: Trust Level 1 = SMS Challenge Trust Level 2 = Yubico Yubikey TOTP, OMA TOTP Trust Level 3 = Email Challenge Trust Level 4 = Push Notification Challenge For example, if TrustLevel=3, then all those factor assigned level 3 or higher are allowed to perform passwordless login. Administrators can change the trust level for individual factors using the `bharosa.uio.default.challenge.type.enum.{FACTOR_KEY}.oua.trustLevel` parameters outlined in the rows below. Note: FIDO2 and Security Question challenge is not currently supported with Oracle Universal Authenticator.
`bharosa.uio.default.challenge.type.enum.ChallengeSMS.oua.trustLevel`	1	Sets the trust level for the SMS Challenge.
`bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.oua.trustLevel`	2	Sets the trust level for the OMA TOTP Challenge.
`bharosa.uio.default.challenge.type.enum.ChallengeYubicoOTP.oua.trustLevel`	2	Sets the trust level for the Yubikey Yubico OTP Challenge.
`bharosa.uio.default.challenge.type.enum.ChallengeEmail.oua.trustLevel`	3	Sets the trust level for the Email Challenge.
`bharosa.uio.default.challenge.type.enum.ChallengeOMAPUSH.oua.trustLevel`	4	Sets the trust level for the OMA Push Challenge.
`oua.drss.allowPrimaryAuthDuringMFAOnly`	true	Determines whether the user is given the option to login with their OAM password during a second factor only login.

Configuration Properties For Customizing the User Interfaces

To configure properties to customize the user interface (UI) for the OAA Administration Console, Self-Service Portal, and Runtime UI, see Customizing the OAA User Interface.

Configuration Properties For Factor Verification

To configure properties for Factor Verification, see Configuring Factor Verification.