Oracle® Application Server Single Sign-On Administrator's Guide
10g Release 2 (10.1.2)
B14078-02
Contents

List of Figures
List of Tables
Title and Copyright Information

Preface
  Audience
  Documentation Accessibility
  Related Documents
  Conventions

1 Components and Processes: an Overview
  1.1 Key Components in the Single Sign-On System
    1.1.1 Single Sign-On Server
    1.1.2 Partner Applications
    1.1.3 External Applications
    1.1.4 mod_osso
    1.1.5 Oracle Internet Directory
    1.1.6 Oracle Identity Management Infrastructure
  1.2 Single Sign-On Processes
    1.2.1 Accessing the Single Sign-On Server
    1.2.2 Accessing a Partner Application
    1.2.3 Accessing an External Application
      1.2.3.1 Accessing the External Applications Portlet in OracleAS Portal
      1.2.3.2 Authenticating to an External Application for the First Time
      1.2.3.3 Authenticating to an External Application After the First Time
      1.2.3.4 Logging Out of an External Application
    1.2.4 Single Sign-Off
    1.2.5 Changing Passwords
    1.2.6 Global User Inactivity Timeout
    1.2.7 Signing On Using the Wireless Option

2 Basic Administration
  2.1 The Single Sign-On Administrator's Role
  2.2 Granting Administrative Privileges
  2.3 Changing the Single Sign-On Administration Group
  2.4 policy.properties
  2.5 Stopping and Starting Single Sign-On Components
    2.5.1 Using the Application Server Control Console
    2.5.2 Using the Command Line
      2.5.2.1 Stopping and Starting the Oracle HTTP Server
      2.5.2.2 Stopping and Starting the OC4J_SECURITY Instance
      2.5.2.3 Stopping and Starting the Single Sign-On Middle Tier
      2.5.2.4 Stopping and Starting All Components
      2.5.2.5 Stopping and Starting the Database
  2.6 Troubleshooting an Inaccessible Server
  2.7 Setting Browser Preferences for OracleAS Single Sign-On
  2.8 Accessing the Administration Pages
  2.9 Using the Edit SSO Server Page to Configure the Server
  2.10 Configuring Globalization Support
  2.11 Configuring the Global User Inactivity Timeout
  2.12 Obtaining the Sample Files

3 Directory-Enabled Single Sign-On
  3.1 Managing Users in Oracle Internet Directory
  3.2 Password Policies
    3.2.1 Password Rules
    3.2.2 Configuring Password Life
    3.2.3 Change Password Page Behavior
      3.2.3.1 Password Has Expired
      3.2.3.2 Password Is About to Expire
      3.2.3.3 Grace Login Is in Force
      3.2.3.4 Force Change Password
    3.2.4 Configuring Account Lockout
    3.2.5 Unlocking Users
    3.2.6 Configuring Password Policies
  3.3 Directory Tree for OracleAS Single Sign-On
  3.4 Changing Single Sign-On Server Settings for Directory Access
  3.5 Updating the Single Sign-On Server with Directory Changes

4 Configuring and Administering Partner Applications
  4.1 Registering a Partner Application: What It Means
  4.2 Registering mod_osso
    4.2.1 Syntax and Parameters for ssoreg
    4.2.2 Command Example
    4.2.3 Restarting the Oracle HTTP Server
  4.3 Deploying Multiple Partner Applications with a Load Balancer
    4.3.1 Usage Scenario
    4.3.2 Configuration Steps
      4.3.2.1 Installing the Partner Applications
      4.3.2.2 Configuring the Oracle HTTP Servers on the Partner Application Middle Tiers
      4.3.2.3 Configuring the HTTP Load Balancer
      4.3.2.4 Reregistering mod_osso on the Partner Application Middle Tiers
  4.4 Configuring mod_osso with Virtual Hosts (SSL and non-SSL)

5 Configuring and Administering External Applications
  5.1 Using the Interface to Deploy and Manage External Applications
    5.1.1 Adding an External Application
    5.1.2 Editing an External Application
    5.1.3 Storing External Application Credentials in the Single Sign-On Database
  5.2 Proxy Authentication for Basic Authentication Applications
    5.2.1 Configuring the Oracle HTTP Server as a Proxy for Basic Authentication
    5.2.2 Configuration Requirements
    5.2.3 Configuration Steps

6 Multilevel Authentication
  6.1 What Is Multilevel Authentication?
  6.2 How Multilevel Authentication Works
  6.3 Components of a Multilevel System
    6.3.1 Authentication Levels
    6.3.2 Authentication Plugins
  6.4 Configuring Multilevel Authentication
    6.4.1 Usage Scenario
    6.4.2 Configuration Steps

7 Enabling SSL
  7.1 Enable SSL on the Single Sign-On Middle Tier
  7.2 Reconfigure the Identity Management Infrastructure Database
    7.2.1 Change Single Sign-On URLs
    7.2.2 Update targets.xml
    7.2.3 Configure Oracle Enterprise Manager Security
  7.3 Protect Single Sign-On URLs
    7.3.1 Protecting URLs in the Absence of a Load Balancing Router
    7.3.2 Protecting URLs in the Presence of a Load Balancing Router
  7.4 Restart the Oracle HTTP Server and the Single Sign-On Middle Tier
  7.5 Reregister Partner Applications

8 Signing On with Digital Certificates
  8.1 How Certificate-Enabled Authentication Works
  8.2 System Requirements
  8.3 Configuring the Single Sign-On System for Certificates
    8.3.1 Oracle HTTP Server
      8.3.1.1 Setting SSL Parameters
      8.3.1.2 Choosing a Certificate Authority
    8.3.2 Single Sign-On Server
      8.3.2.1 Configure policy.properties with the Default Authentication Plugin
      8.3.2.2 Modify the Configuration File for the Authentication Plugin (Optional)
      8.3.2.3 Customize the User Name Mapping Module (Optional)
      8.3.2.4 Restart the Single Sign-On Middle Tier
    8.3.3 Oracle Internet Directory
  8.4 Maintaining a Certificate Revocation List

9 Advanced Deployment Options
  9.1 Deployment Scenarios
    9.1.1 One Single Sign-On Middle Tier, One Oracle Internet Directory
    9.1.2 Multiple Single Sign-On Middle Tiers, One Oracle Internet Directory
      9.1.2.1 To Cluster Or Not to Cluster
      9.1.2.2 Usage Scenario
      9.1.2.3 Configuration Steps
    9.1.3 Multiple Single Sign-On Middle Tiers, Replicated Oracle Internet Directory
    9.1.4 Multiple, Geographically Distributed Single Sign-On Instances
      9.1.4.1 Usage Scenario
      9.1.4.2 Configuration Steps
    9.1.5 Other High Availability Deployments
      9.1.5.1 OracleAS Cold Failover Cluster (Infrastructure)
      9.1.5.2 Disaster Recovery
      9.1.5.3 Backup and Recovery
  9.2 Replicating the Identity Management Database
    9.2.1 The Replication Mechanism
    9.2.2 Configuring the Identity Management Database for Replication
    9.2.3 Adding a Node to a Replication Group
    9.2.4 Deleting a Node from a Replication Group
  9.3 Deploying OracleAS Single Sign-On with a Proxy Server
    9.3.1 Turn Off IP Checking
    9.3.2 Enable the Proxy Server
  9.4 Setting Up Directory Synchronization for User Nickname Changes

10 Enabling Support for Application Service Providers
  10.1 Application Service Providers: Deciding to Deploy Multiple Realms
  10.2 Setting Up and Enabling Multiple Realms
  10.3 How the Single Sign-On Server Enables Authentication to Multiple Realms
    10.3.1 Locating Realms in Oracle Internet Directory
    10.3.2 Validating Realm-Affiliated Users to Partner Applications
  10.4 Configuring the Single Sign-On Server for Multiple Realms
  10.5 Granting Administrative Privileges for Multiple Realms

11 Monitoring the Single Sign-On Server
  11.1 Accessing the Monitoring Pages
  11.2 Interpreting and Using the Home Page on the Standalone Console
  11.3 Interpreting and Using the Details of Login Failures Page
  11.4 Updating the Port Property for the Single Sign-On Monitoring Target
  11.5 Using the OracleAS Web Cache Instance to Monitor the Server
  11.6 Monitoring a Single Sign-On Server Enabled for SSL

12 Creating Deployment-Specific Pages
  12.1 How the Single Sign-On Server Uses Deployment-Specific Pages
  12.2 How to Write Deployment-Specific Pages
    12.2.1 Login Page Parameters
    12.2.2 Forgot My Password
    12.2.3 Change Password Page Parameters
    12.2.4 Single Sign-Off Page Parameters
  12.3 Page Error Codes
    12.3.1 Login Page Error Codes
    12.3.2 Change Password Page Error Codes
  12.4 Adding Globalization Support
    12.4.1 Deciding What Language to Display the Page In
      12.4.1.1 Use the Accept-Language Header to Determine the Page
      12.4.1.2 Use Page Logic to Determine the Language
    12.4.2 Rendering the Page
  12.5 Guidelines for Deployment-Specific Pages
  12.6 Installing Deployment-Specific Pages
    12.6.1 Using policy.properties to Install Login and Change Password Pages
    12.6.2 Using policy.properties to Install Wireless Login and Change Password Pages
    12.6.3 Using WWSSO_LS_CONFIGURATION$ to Install the Single Sign-Off Page
  12.7 Examples of Deployment-Specific Pages
    12.7.1 Using Custom Classes

13 Integrating with Third-Party Access Management Systems
  13.1 How Third-Party Access Management Works
    13.1.1 Scenario 1: The user has not yet authenticated to the third-party server
    13.1.2 Scenario 2: The user has already authenticated to the third-party server
  13.2 Synchronizing the Third-Party Repository with Oracle Internet Directory
  13.3 Third-Party Integration Modules
    13.3.1 Using Vendor-Supplied Packages
    13.3.2 Building Your Own Package
      13.3.2.1 Guidelines for Using the Interfaces
      13.3.2.2 The Classes and Interfaces
      13.3.2.3 Configuration Steps
    13.3.3 Logging Out of the Integrated System
  13.4 Integration Case Study: SSOAcme
    13.4.1 Sample Integration Package
    13.4.2 Migrating the Release 9.0.2 Sample Implementation to Release 10.1.2
      13.4.2.1 New Authentication Interface
      13.4.2.2 Get User Name from HTTP Header
      13.4.2.3 Error Handling if User Name Not Present
      13.4.2.4 Return User Name to Single Sign-On Server

14 Exporting and Importing Data
  14.1 What's Exported and Imported?
  14.2 Export and Import Script: Syntax and Parameters
    14.2.1 Script Syntax
    14.2.2 Script Parameters
  14.3 Exporting Data from One Server to Another
    14.3.1 Export and Import Scenarios and Script Examples
      14.3.1.1 Export Scenarios
      14.3.1.2 Import Scenarios
    14.3.2 Running the Script
  14.4 Verifying That Export and Import Succeeded
  14.5 Consolidating Multiple Servers
  14.6 Error Messages

A Troubleshooting OracleAS Single Sign-On
  A.1 Problems and Solutions for General Single Sign-On Server Errors
    A.1.1 Internal Server Error
    A.1.2 Unexpected Error
    A.1.3 File Not Found Error
    A.1.4 Authentication Failed
    A.1.5 The User Name Submitted for Authentication Does Not Match the User Name Present in the Existing Single Sign-On Session
    A.1.6 Forbidden Error When Accessing OracleAS Single Sign-On Administration
    A.1.7 White Page Displayed When Accessing OracleAS Single Sign-On Administration
    A.1.8 Administrator Cannot See OracleAS Single Sign-On Administration Pages
    A.1.9 The "SSO Server Administration" Link Is Missing from the OracleAS Single Sign-On Administration Page
    A.1.10 Audit Log Insertion Exception: ORA-00018: Maximum Number of Sessions Exceeded
    A.1.11 Connection Limit Exceeded
    A.1.12 Failed Login Message When System Has Been Idle
    A.1.13 Error Due to Idle LDAP Connection Timeouts
    A.1.14 Login to Portal Fails
  A.2 Problems and Solutions for Type 41400 Errors
    A.2.1 The site2pstoretoken Value Is Missing
    A.2.2 The site2pstoretoken Value Is Blank ("")
    A.2.3 Login Parameters Are Lost During Redirection to a Third-Party Server
    A.2.4 The site2pstoretoken Has an Incorrect Site ID
    A.2.5 The Site ID Is Obsolete
    A.2.6 A Virtual Host Is Incorrectly Configured
  A.3 Problems and Solutions for Certificate Authentication Errors
    A.3.1 Network Error: Connection Refused
    A.3.2 The Single Sign-On Server Fails to Prompt the User for a Certificate
    A.3.3 Certificate Authentication Fails - User Is Presented with the Login Page
    A.3.4 User's Browser Certificate Not Found
    A.3.5 Mapping Module Class Name Not Found
    A.3.6 Mapping Module Instance Creation Failed
    A.3.7 Cannot Create the Mapping Module Object
    A.3.8 Exception in Creating Mapping Module
    A.3.9 Certificate Match Failed
  A.4 Problems and Solutions for Windows Native Authentication Errors
    A.4.1 A User Cannot Access a URL After Authenticating in Windows
    A.4.2 A User Who Is Already Authenticated in Windows Cannot Authenticate in the Browser
    A.4.3 Single Sign-On Server Fails to Start with a Credential Not Found Error
    A.4.4 Single Sign-On Server Displays Internal Server Error
    A.4.5 Single Sign-On Users Unable to Authenticate to KDC
    A.4.6 Windows Login Dialog Appears When Accessing a Partner Application
  A.5 Problems and Solutions for Password Policy Errors
    A.5.1 A Disabled User Can Still Log In
    A.5.2 A Disabled User Sees "Authentication Failed" Instead of "Account Disabled" Message
    A.5.3 The User Receives a Password Expiration Message at Login
    A.5.4 Password Expiration Message Does Not Appear on Command-Line Tools
  A.6 Diagnosing OracleAS Single Sign-On Problems
    A.6.1 Viewing the Log Files
    A.6.2 Increasing the Debug Level
    A.6.3 Enabling the Debug Option in the Single Sign-On Database
    A.6.4 Enabling LDAP Tracing for UI Operations
  A.7 Maintenance Tasks for OracleAS Single Sign-On
    A.7.1 Managing Single Sign-On Audit Records
    A.7.2 Refreshing the LDAP Connection Cache
    A.7.3 Restarting OC4J After Modifying Oracle Internet Directory
  A.8 A Word About Non-GET Authentication
  A.9 Need More Help?

B Obtaining the Single Sign-On Schema Password
  B.1 Using the Command Line
  B.2 Using Oracle Directory Manager

C policy.properties

Glossary

Index