Oracle® Application Server Single Sign-On Administrator's Guide
10g Release 2 (10.1.2) B14078-02
OracleAS Single Sign-On enables you to use a single user name and password and, optionally, realm ID, to log in to all features of OracleAS as well as to other Web applications.
OracleAS Single Sign-On provides the following benefits:
Reduced administrative costs
The single sign-on server eliminates the need to support multiple accounts and passwords.
Convenient login
Users do not have to maintain a separate user name and password for each application that they access.
Increased security
When a password is required only once, users are less likely to use simple, easily exposed passwords or to write these passwords down.
OracleAS Single Sign-On interacts with the following components:
The single sign-on server consists of program logic in the OracleAS database, Oracle HTTP Server, and OC4J server that enables you to log in securely to applications such as expense reports, mail, and benefits. These applications take two forms: partner applications and external applications. In both cases, you gain access to several applications by authenticating only once.
OracleAS applications delegate the authentication function to the single sign-on server. For this reason, they are called partner applications. An authentication module called mod_osso enables these applications to accept authenticated user information instead of a user name and password once you have logged in to the single sign-on server.
A partner application is responsible for determining whether a user authenticated by OracleAS Single Sign-On is authorized to use the application.
Examples of partner applications include OracleAS Portal, OracleAS Discoverer, and Oracle Delegated Administration Services.
External applications do not delegate authentication to the single sign-on server. Instead, they display HTML login forms that ask for application user names and passwords. Each external application may require a unique user name and password. Yahoo! Mail is an example of an external application that uses HTML login forms.
You can configure the single sign-on server to provide user names and passwords to external applications on users' behalf once they have logged in to the single sign-on server. Users have the option of storing application credentials in the single sign-on database. The server uses the single sign-on user name to locate and retrieve application names and passwords and to log the user in. To save these credentials, the user selects the Remember My Login Information For This Application check box when first logging in.
mod_osso is an Oracle HTTP Server module that provides authentication to OracleAS applications. It replaces the single sign-on SDK, used in earlier releases of OracleAS Single Sign-On to integrate partner applications. Located on the application server, mod_osso simplifies the authentication process by serving as the sole partner application to the single sign-on server. In this way, mod_osso renders authentication transparent to OracleAS applications. The administrator for these applications is spared the burden of integrating them with an SDK.
After authenticating a user, mod_osso transmits the simple header values that applications may use to authorize the user:
User name
User GUID
Language and territory
To learn more about the attributes that the single sign-on server passes to mod_osso, see the chapter about mod_osso in Oracle Identity Management Application Developer's Guide. This chapter explains how to develop applications for single sign-on.
mod_osso works only with the Oracle HTTP listener. You can use OracleAS SSO Plug-in to protect applications that work with third-party listeners such as Sun One and IIS. To learn how to use OracleAS SSO Plug-in, see the appendix about this tool in Oracle HTTP Server Administrator's Guide.
Oracle Internet Directory is the repository for all single sign-on user accounts and passwords—administrative and nonadministrative. The single sign-on server authenticates users against their entries in the directory. At the same time, it retrieves user attributes from the directory that enable applications to validate users.
OracleAS Single Sign-On is just one link in an integrated infrastructure that also includes Oracle Internet Directory, Oracle Directory Integration and Provisioning, Oracle Delegated Administration Services, and OracleAS Certificate Authority. Working together, these components, called the Oracle Identity Management infrastructure, manage the security life cycle of users and other network entities in an efficient, cost-effective way.
To learn more about the benefits of Oracle Identity Management, see Oracle Identity Management Concepts and Deployment Planning Guide.
Nonadministrative users first gain access to the single sign-on server by entering the URL of a partner application such as OracleAS Portal. Entering such a URL invokes the single sign-on login screen. Once they have entered the correct user name and password, users gain access to other partner applications and to external applications without having to provide credentials again.
Administrative users can access the administration home page for single sign-on by typing a URL of this form:
http://host:port/pls/orasso
where host is the computer where the single sign-on server is located, port is the port number of the server, and orasso is the database access descriptor for the single sign-on schema. If the server is enabled for SSL, https must be substituted for http. If the port number is 80 or 443 (SSL), it may be omitted from the URL. These numbers are the defaults.
Figure 1-1 shows what happens when the user requests the URL of a partner application that is protected by mod_osso.
Users try to access a partner application.
Users are redirected to the single sign-on server. The server challenges them for their credentials. After verifying these credentials in Oracle Internet Directory, the server passes these credentials on to the partner application.
The application serves up the requested content.
External applications are available through OracleAS Portal, a single sign-on partner application.
This section contains these topics:
Accessing the External Applications Portlet in OracleAS Portal
Authenticating to an External Application for the First Time
Authenticating to an External Application After the First Time
To gain access to an external application, you select the External Applications portlet on the OracleAS Portal home page; then, from the list of external applications that appears, you select an application.
Selecting an application in the External Applications portlet initiates the external application login procedure. The following occurs if you are accessing the application for the first time:
The external application login procedure checks the single sign-on password store for your credentials. If it finds no credentials, the single sign-on server prompts you for them.
You enter your user name and password. You can save these credentials in the password store by selecting the Remember My Login Information check box on the application login screen.
If you elect to save your credentials in the password store, the server uses these credentials to construct a login form to submit to the login processing routine of the application. This routine has been preconfigured by the administrator and is associated with the requested application.
The server sends the form to the client browser, with a directive to post it immediately to the external application.
The client posts the form to the external application and logs you in.
If you decline to save your credentials in the password store, you must enter a user name and password each time that you log in.
If you saved your credentials when accessing an external application for the first time, the single sign-on server retrieves your credentials for you during subsequent logins. The process works like this:
You click one of the links in the External Applications portlet of OracleAS Portal.
The external application login procedure checks the password store for your credentials.
The single sign-on server finds your credentials and uses them to construct a login form to submit to the login processing routine of the application. This routine has been preconfigured by the administrator and is associated with the requested application.
The server sends the form to the client browser, with a directive to post it immediately to the external application.
The client posts the form to the external application and logs you in.
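The first-time and subsequent external application logins described above, modelled as an added Python example (not Oracle's code): a constructed password store keyed by single sign-on user and application, a constructed application registration standing in for the login processing routine the administrator preconfigures, and the form the server sends to the browser with a directive to post it immediately. The application name, URL, field names and the escaping are assumptions.

```python
import html

# Constructed external application registration, standing in for what an administrator
# preconfigures: the login processing URL and the form field names it expects. Not Oracle's schema.
EXTERNAL_APPS = {
    "webmail": {"login_url": "https://mail.example.com/login", "user_field": "login",
                "password_field": "passwd", "extra_fields": {"action": "signin"}},
}

class PasswordStore:
    """Stands in for the single sign-on password store: credentials per (single sign-on user, app)."""
    def __init__(self):
        self._creds = {}

    def get(self, sso_user, app):
        return self._creds.get((sso_user, app))

    def save(self, sso_user, app, app_user, app_password):
        self._creds[(sso_user, app)] = (app_user, app_password)

def build_login_form(app, app_user, app_password):
    """Construct the login form the server returns to the browser, with a directive to post it
    immediately. Every value is HTML-escaped: stored credentials are data, never markup."""
    cfg = EXTERNAL_APPS[app]
    fields = dict(cfg["extra_fields"])
    fields[cfg["user_field"]] = app_user
    fields[cfg["password_field"]] = app_password
    inputs = "\n".join('  <input type="hidden" name="%s" value="%s">'
                       % (html.escape(n), html.escape(v)) for n, v in fields.items())
    return ('<form id="extlogin" method="post" action="%s">\n%s\n</form>\n'
            '<script>document.getElementById("extlogin").submit();</script>'
            % (html.escape(cfg["login_url"]), inputs))

def external_app_login(store, sso_user, app, entered=None, remember=False):
    """Run the external application login procedure for one portlet click.
    Returns ("prompt", None) when the user must enter credentials, else ("post", form_html)."""
    creds = store.get(sso_user, app)
    if creds is None:
        if entered is None:
            return "prompt", None            # first time, nothing stored: ask for credentials
        if remember:                         # Remember My Login Information was selected
            store.save(sso_user, app, *entered)
        creds = entered                      # declined to save: used for this login only
    return "post", build_login_form(app, *creds)
```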
You can terminate a single sign-on session and log out of all active partner applications simultaneously by logging out of whatever application you are working in. Clicking Logout in a partner application takes you to the single sign-off page, where logout occurs.
If you signed off successfully, each of the applications listed on the single sign-off page has a check mark next to the application name. A broken image next to an application name denotes an unsuccessful logout.
Once all of the application names activated in a session have a check mark, you can click Return to go to the application from which you initiated logout.
The change password screen appears only when your password is about to expire and you fall within a grace login period. If the password is still valid, you can click Cancel on this screen and proceed with the login.
To change or reset a password under other circumstances, the nonadministrative user must go to Oracle Delegated Administration Services, a service of Oracle Internet Directory that performs user and group management functions.
The Oracle Delegated Administration Services home page is found at a URL of the following form:
http://host:port/oiddas/
where host is the name of the computer where Oracle Delegated Administration Services is located, and port is the port number of this server. Oracle Delegated Administration Services and OracleAS Single Sign-On generally have the same host name. If the Oracle HTTP Server hosting Oracle Delegated Administration Services and OracleAS Single Sign-On is enabled for SSL, https must be substituted for http. The port number may be omitted if it is 80 or 443 (SSL) because these numbers are the defaults.
Note: Unlike single sign-on user names, single sign-on passwords are case sensitive and must conform to the Oracle Internet Directory realms that users belong to.
The global user inactivity timeout is a feature that enables applications to force you to reauthenticate if you have been idle for a preconfigured amount of time. This timeout is a useful feature for sensitive applications that require a shorter user inactivity timeout than the single sign-out session timeout.
When you exceed the global user inactivity timeout limit and try to access the application, the application sends the single sign-on server an authentication request as usual. The server, ascertaining that you have exceeded the timeout limit, prompts you to log in. If you have not exceeded the limit, the server uses the session cookie to authenticate you.
Note: You may have a valid single sign-on session, but if you have exceeded the global timeout limit, the server prompts you for credentials.
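Added Python model (not Oracle's code) of the partner application flow shown in Figure 1-1 together with the global user inactivity timeout described above: a single sign-on server that verifies credentials against a constructed directory, issues a session cookie, and hands the partner application the user name, GUID and language/territory values that mod_osso would pass on as headers, or a challenge when the session is missing, expired, or idle beyond the inactivity limit. The timeout values, directory entries and key names are assumptions.

```python
import secrets
import time

# Assumed timeout values for this constructed model, not Oracle defaults.
SESSION_TIMEOUT = 8 * 3600        # single sign-on session lifetime, seconds
GLOBAL_INACTIVITY_TIMEOUT = 900   # global user inactivity timeout, seconds

# Constructed directory entries standing in for Oracle Internet Directory.
DIRECTORY = {"jdoe": {"password": "correct horse", "guid": "A1B2C3",
                      "language": "en", "territory": "US"}}

class SsoServer:
    """Simplified single sign-on server: a session store keyed by cookie value."""
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so timeouts can be simulated
        self.sessions = {}      # cookie -> {"user", "created", "last_active"}

    def login(self, user, password):
        """Challenge step: verify credentials against the directory, issue a session cookie."""
        entry = DIRECTORY.get(user)
        if entry is None or not secrets.compare_digest(entry["password"], password):
            return None
        cookie, t = secrets.token_urlsafe(16), self.now()
        self.sessions[cookie] = {"user": user, "created": t, "last_active": t}
        return cookie

    def authenticate(self, cookie):
        """Partner-application request: return the values mod_osso passes on as headers,
        or a challenge telling the application to send the user to the login screen."""
        s, t = self.sessions.get(cookie), self.now()
        if s is None or t - s["created"] > SESSION_TIMEOUT:
            return {"challenge": "login"}            # no valid single sign-on session
        if t - s["last_active"] > GLOBAL_INACTIVITY_TIMEOUT:
            return {"challenge": "reauthenticate"}   # session valid, but user idle too long
        s["last_active"] = t
        e = DIRECTORY[s["user"]]
        return {"user_name": s["user"], "user_guid": e["guid"],
                "language": e["language"], "territory": e["territory"]}

def partner_app_request(server, cookie, allowed_users):
    """Partner application: authentication is delegated; authorization stays local."""
    r = server.authenticate(cookie)
    if "challenge" in r:
        return 302, "redirect to single sign-on server: " + r["challenge"]
    if r["user_name"] not in allowed_users:
        return 403, "authenticated as %s but not authorized" % r["user_name"]
    return 200, "content for %s (guid %s)" % (r["user_name"], r["user_guid"])
```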
You can use mobile, or wireless, devices such as personal digital assistants, cellular phones, and voice recognition systems to access OracleAS applications. As in PC-based systems, the authentication mechanism is OracleAS Single Sign-On. You can select the wireless option when installing OracleAS. If you do, Portal-to-Go, the gateway for mobile devices, is registered with the single sign-on server automatically.
To learn more about OracleAS Wireless, see Oracle Application Server Wireless Administrator's Guide and Oracle Application Server Wireless Developer's Guide.