How Oracle Universal Authenticator Works

The following shows a typical scenario on how Oracle Universal Authenticator works for device authentication.

  1. After starting or unlocking the Microsoft Windows device, the user is prompted to sign in to Windows using Oracle Universal Authenticator (OUA). The user enters their Oracle Access Management (OAM) username and password. If this is the first time the user has logged into this device with OUA, they will also be prompted to enter their Windows credentials.

    Note:

    Entering Windows credentials is not required for subsequent logins. It is for first time device registration only.
  2. The user credentials are passed to the Oracle Universal Authenticator microservice (DRSS). DRSS validates the user’s Oracle Access Management (OAM) credentials, and logs the user into OAM. If this is the first time this user has logged on from this device, the device is registered.
  3. The user will be asked to authenticate with a second factor. If the user has multiple authentication methods configured, they can select any option available. Multi-Factor Authentication (MFA) options include:
    • TOTP (Time-based One Time Passcode) with a Mobile Authenticator application
    • Push Notifications with Oracle Mobile Authenticator
    • One Time Passcode (OTP) with SMS, Email, and Yubico YubiKey
  4. If the credentials and second factor are successfully verified by Oracle Universal Authenticator, the end user is successfully logged into Windows.
  5. The end user accesses an on-premises or cloud-based application that is protected using OAM. As the user is already authenticated using Oracle Universal Authenticator, the end user gains access seamlessly without the need to enter any further credentials.

    Note:

    If the application is protected further using Oracle Advanced Authentication with MFA, users must provide an additional factor for access.
  6. For any subsequent Windows logins, as the device is registered, the end user will only need to enter their Oracle Access Management credentials and any additional second factor credentials. Windows credentials are no longer required. After successful verification of OAM credentials and second factor, the user is automatically logged into Windows using the end user's Windows credentials.

    Note:

    An end user can log in without entering their OAM password, using only a second factor, if the end user attempts to log in again within a specified time window. This is called passwordless login. See Configuring Passwordless Login using Configurable Challenges.
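The decisions described in steps 1 to 6 above, modelled as an added illustrative example. This is not Oracle's code and it does not talk to DRSS or OAM; the class name, the constructed OAM user directory, the 300-second passwordless window and the device/user bookkeeping are all assumptions made for the model.

```python
import time
from dataclasses import dataclass, field

# Assumed value for the "specified time window" of passwordless login.
PASSWORDLESS_WINDOW_SECONDS = 300


@dataclass
class DeviceLoginModel:
    """Constructed model of the OUA device-login decision flow (not Oracle's code)."""
    oam_users: dict                                    # constructed directory: username -> OAM password
    registered: set = field(default_factory=set)       # (device_id, username) pairs already registered
    last_full_login: dict = field(default_factory=dict)  # (device_id, username) -> time of last password login

    def login(self, device_id, username, password, second_factor_ok,
              windows_creds=None, now=None):
        now = time.time() if now is None else now
        key = (device_id, username)

        # Step 2 / passwordless note: with no password, the user must have completed a
        # full OAM login from this device inside the window; otherwise the password is required.
        if password is None:
            last = self.last_full_login.get(key)
            if last is None or now - last > PASSWORDLESS_WINDOW_SECONDS:
                return "denied: password required"
        elif self.oam_users.get(username) != password:
            return "denied: bad OAM credentials"

        # Step 3: a second factor is always required (TOTP, push, OTP, etc. are out of scope here).
        if not second_factor_ok:
            return "denied: second factor failed"

        # Steps 1-2: first login from this device needs Windows credentials to register it.
        # The model only checks they were supplied; Windows itself would validate them.
        if key not in self.registered:
            if windows_creds is None:
                return "denied: windows credentials required for device registration"
            self.registered.add(key)

        # Step 6: a successful password login (re)opens the passwordless window.
        if password is not None:
            self.last_full_login[key] = now
        return "ok"
```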

For more information on the above use cases, see Use Cases.