Contents

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

1 Components and Processes: an Overview

• 1.1 Key Components in the Single Sign-On System
• 1.1.1 Single Sign-On Server
• 1.1.2 Partner Applications
• 1.1.3 External Applications
• 1.1.4 mod_osso
• 1.1.5 Oracle Internet Directory
• 1.1.6 Oracle Identity Management Infrastructure
• 1.2 Single Sign-On Processes
• 1.2.1 Accessing the Single Sign-On Server
• 1.2.2 Accessing a Partner Application
• 1.2.3 Accessing an External Application
• 1.2.3.1 Accessing the External Applications Portlet in OracleAS Portal
• 1.2.3.2 Authenticating to an External Application for the First Time
• 1.2.3.3 Authenticating to an External Application After the First Time
• 1.2.3.4 Logging Out of an External Application
• 1.2.4 Single Sign-Off
• 1.2.5 Changing Passwords
• 1.2.6 Global User Inactivity Timeout
• 1.2.7 Signing On Using the Wireless Option

2 Basic Administration

• 2.1 The Single Sign-On Administrator's Role
• 2.2 Granting Administrative Privileges
• 2.3 Changing the Single Sign-On Administration Group
• 2.4 policy.properties
• 2.5 Stopping and Starting Single Sign-On Components
• 2.5.1 Using the Application Server Control Console
• 2.5.2 Using the Command Line
• 2.5.2.1 Stopping and Starting the Oracle HTTP Server
• 2.5.2.2 Stopping and Starting the OC4J_SECURITY Instance
• 2.5.2.3 Stopping and Starting the Single Sign-On Middle Tier
• 2.5.2.4 Stopping and Starting All Components
• 2.5.2.5 Stopping and Starting the Database
• 2.6 Troubleshooting an Inaccessible Server
• 2.7 Setting Browser Preferences for OracleAS Single Sign-On
• 2.8 Accessing the Administration Pages
• 2.9 Using the Edit SSO Server Page to Configure the Server
• 2.10 Configuring Globalization Support
• 2.11 Configuring the Global User Inactivity Timeout
• 2.12 Obtaining the Sample Files

3 Directory-Enabled Single Sign-On

• 3.1 Managing Users in Oracle Internet Directory
• 3.2 Password Policies
• 3.2.1 Password Rules
• 3.2.2 Configuring Password Life
• 3.2.3 Change Password Page Behavior
• 3.2.3.1 Password Has Expired
• 3.2.3.2 Password Is About to Expire
• 3.2.3.3 Grace Login Is in Force
• 3.2.3.4 Force Change Password
• 3.2.4 Configuring Account Lockout
• 3.2.5 Unlocking Users
• 3.2.6 Configuring Password Policies
• 3.3 Directory Tree for OracleAS Single Sign-On
• 3.4 Changing Single Sign-On Server Settings for Directory Access
• 3.5 Updating the Single Sign-On Server with Directory Changes

4 Configuring and Administering Partner Applications

• 4.1 Registering a Partner Application: What It Means
• 4.2 Registering mod_osso
• 4.2.1 Syntax and Parameters for ssoreg
• 4.2.2 Command Example
• 4.2.3 Restarting the Oracle HTTP Server
• 4.3 Deploying Multiple Partner Applications with a Load Balancer
• 4.3.1 Usage Scenario
• 4.3.2 Configuration Steps
• 4.3.2.1 Installing the Partner Applications
• 4.3.2.2 Configuring the Oracle HTTP Servers on the Partner Application Middle Tiers
• 4.3.2.3 Configuring the HTTP Load Balancer
• 4.3.2.4 Reregistering mod_osso on the Partner Application Middle Tiers
• 4.4 Configuring mod_osso with Virtual Hosts (SSL and non-SSL)

5 Configuring and Administering External Applications

• 5.1 Using the Interface to Deploy and Manage External Applications
• 5.1.1 Adding an External Application
• 5.1.2 Editing an External Application
• 5.1.3 Storing External Application Credentials in the Single Sign-On Database
• 5.2 Proxy Authentication for Basic Authentication Applications
• 5.2.1 Configuring the Oracle HTTP Server as a Proxy for Basic Authentication
• 5.2.2 Configuration Requirements
• 5.2.3 Configuration Steps

6 Multilevel Authentication

• 6.1 What Is Multilevel Authentication?
• 6.2 How Multilevel Authentication Works
• 6.3 Components of a Multilevel System
• 6.3.1 Authentication Levels
• 6.3.2 Authentication Plugins
• 6.4 Configuring Multilevel Authentication
• 6.4.1 Usage Scenario
• 6.4.2 Configuration Steps

7 Enabling SSL

• 7.1 Enable SSL on the Single Sign-On Middle Tier
• 7.2 Reconfigure the Identity Management Infrastructure Database
• 7.2.1 Change Single Sign-On URLs
• 7.2.2 Update targets.xml
• 7.2.3 Configure Oracle Enterprise Manager Security
• 7.3 Protect Single Sign-On URLs
• 7.3.1 Protecting URLs in the Absence of a Load Balancing Router
• 7.3.2 Protecting URLs in the Presence of a Load Balancing Router
• 7.4 Restart the Oracle HTTP Server and the Single Sign-On Middle Tier
• 7.5 Reregister Partner Applications

8 Signing On with Digital Certificates

• 8.1 How Certificate-Enabled Authentication Works
• 8.2 System Requirements
• 8.3 Configuring the Single Sign-On System for Certificates
• 8.3.1 Oracle HTTP Server
• 8.3.1.1 Setting SSL Parameters
• 8.3.1.2 Choosing a Certificate Authority
• 8.3.2 Single Sign-On Server
• 8.3.2.1 Configure policy.properties with the Default Authentication Plugin
• 8.3.2.2 Modify the Configuration File for the Authentication Plugin (Optional)
• 8.3.2.3 Customize the User Name Mapping Module (Optional)
• 8.3.2.4 Restart the Single Sign-On Middle Tier
• 8.3.3 Oracle Internet Directory
• 8.4 Maintaining a Certificate Revocation List

9 Advanced Deployment Options

• 9.1 Deployment Scenarios
• 9.1.1 One Single Sign-On Middle Tier, One Oracle Internet Directory
• 9.1.2 Multiple Single Sign-On Middle Tiers, One Oracle Internet Directory
• 9.1.2.1 To Cluster Or Not to Cluster
• 9.1.2.2 Usage Scenario
• 9.1.2.3 Configuration Steps
• 9.1.3 Multiple Single Sign-On Middle Tiers, Replicated Oracle Internet Directory
• 9.1.4 Multiple, Geographically Distributed Single Sign-On Instances
• 9.1.4.1 Usage Scenario
• 9.1.4.2 Configuration Steps
• 9.1.5 Other High Availability Deployments
• 9.1.5.1 OracleAS Cold Failover Cluster (Infrastructure)
• 9.1.5.2 Disaster Recovery
• 9.1.5.3 Backup and Recovery
• 9.2 Replicating the Identity Management Database
• 9.2.1 The Replication Mechanism
• 9.2.2 Configuring the Identity Management Database for Replication
• 9.2.3 Adding a Node to a Replication Group,
• 9.2.4 Deleting a Node from a Replication Group
• 9.3 Deploying OracleAS Single Sign-On with a Proxy Server
• 9.3.1 Turn Off IP Checking
• 9.3.2 Enable the Proxy Server
• 9.4 Setting Up Directory Synchronization for User Nickname Changes

10 Enabling Support for Application Service Providers

• 10.1 Application Service Providers: Deciding to Deploy Multiple Realms
• 10.2 Setting Up and Enabling Multiple Realms
• 10.3 How the Single Sign-On Server Enables Authentication to Multiple Realms
• 10.3.1 Locating Realms in Oracle Internet Directory
• 10.3.2 Validating Realm-Affiliated Users to Partner Applications
• 10.4 Configuring the Single Sign-On Server for Multiple Realms
• 10.5 Granting Administrative Privileges for Multiple Realms

11 Monitoring the Single Sign-On Server

• 11.1 Accessing the Monitoring Pages
• 11.2 Interpreting and Using the Home Page on the Standalone Console
• 11.3 Interpreting and Using the Details of Login Failures Page
• 11.4 Updating the Port Property for the Single Sign-On Monitoring Target
• 11.5 Using the OracleAS Web Cache Instance to Monitor the Server
• 11.6 Monitoring a Single Sign-On Server Enabled for SSL

12 Creating Deployment-Specific Pages

• 12.1 How the Single Sign-On Server Uses Deployment-Specific Pages
• 12.2 How to Write Deployment-Specific Pages
• 12.2.1 Login Page Parameters
• 12.2.2 Forgot My Password
• 12.2.3 Change Password Page Parameters
• 12.2.4 Single Sign-Off Page Parameters
• 12.3 Page Error Codes
• 12.3.1 Login Page Error Codes
• 12.3.2 Change Password Page Error Codes
• 12.4 Adding Globalization Support
• 12.4.1 Deciding What Language to Display the Page In
• 12.4.1.1 Use the Accept-Language Header to Determine the Page
• 12.4.1.2 Use Page Logic to Determine the Language
• 12.4.2 Rendering the Page
• 12.5 Guidelines for Deployment-Specific Pages
• 12.6 Installing Deployment-Specific Pages
• 12.6.1 Using policy.properties to Install Login and Change Password Pages
• 12.6.2 Using policy.properties to Install Wireless Login and Change Password Pages
• 12.6.3 Using WWSSO_LS_CONFIGURATION$ to Install the Single Sign-Off Page
• 12.7 Examples of Deployment-Specific Pages
• 12.7.1 Using Custom Classes

13 Integrating with Third-Party Access Management Systems

• 13.1 How Third-Party Access Management Works
• 13.1.1 Scenario 1: The user has not yet authenticated to the third-party server
• 13.1.2 Scenario 2: The user has already authenticated to the third-party server
• 13.2 Synchronizing the Third-Party Repository with Oracle Internet Directory
• 13.3 Third-Party Integration Modules
• 13.3.1 Using Vendor-Supplied Packages
• 13.3.2 Building Your Own Package
• 13.3.2.1 Guidelines for Using the Interfaces
• 13.3.2.2 The Classes and Interfaces
• 13.3.2.3 Configuration Steps
• 13.3.3 Logging Out of the Integrated System
• 13.4 Integration Case Study: SSOAcme
• 13.4.1 Sample Integration Package
• 13.4.2 Migrating the Release 9.0.2 Sample Implementation to Release 10.1.2
• 13.4.2.1 New Authentication Interface
• 13.4.2.2 Get User Name from HTTP Header
• 13.4.2.3 Error Handling if User Name Not Present
• 13.4.2.4 Return User Name to Single Sign-On Server

14 Exporting and Importing Data

• 14.1 What's Exported and Imported?
• 14.2 Export and Import Script: Syntax and Parameters
• 14.2.1 Script Syntax
• 14.2.2 Script Parameters
• 14.3 Exporting Data from One Server to Another
• 14.3.1 Export and Import Scenarios and Script Examples
• 14.3.1.1 Export Scenarios
• 14.3.1.2 Import Scenarios
• 14.3.2 Running the Script
• 14.4 Verifying That Export and Import Succeeded
• 14.5 Consolidating Multiple Servers
• 14.6 Error Messages

A Troubleshooting OracleAS Single Sign-On

• A.1 Problems and Solutions for General Single Sign-On Server Errors
• A.1.1 Internal Server Error
• A.1.2 Unexpected Error
• A.1.3 File Not Found Error
• A.1.4 Authentication Failed
• A.1.5 The User Name Submitted for Authentication Does Not Match the User Name Present in the Existing Single Sign-On Session
• A.1.6 Forbidden Error When Accessing OracleAS Single Sign-On Administration
• A.1.7 White Page Displayed When Accessing OracleAS Single Sign-On Administration
• A.1.8 Administrator Cannot See OracleAS Single Sign-On Administration Pages
• A.1.9 The "SSO Server Administration" Link is Missing from the OracleAS Single Sign-On Administration Page
• A.1.10 Audit Log Insertion Exception: ORA-00018: Maximum Number of Sessions Exceeded
• A.1.11 Connection Limit Exceeded
• A.1.12 Failed Login Message when System has been Idle
• A.1.13 Error due to Idle LDAP Connection Timeouts
• A.1.14 Login to Portal Fails
• A.2 Problems and Solutions for Type 41400 Errors
• A.2.1 The site2pstoretoken Value Is Missing
• A.2.2 The site2pstoretoken Value Is Blank ("")
• A.2.3 Login Parameters Are Lost During Redirection to a Third-Party Server
• A.2.4 The site2pstoretoken Has an Incorrect Site ID
• A.2.5 The Site ID Is Obsolete
• A.2.6 A Virtual Host Is Incorrectly Configured
• A.3 Problems and Solutions for Certificate Authentication Errors
• A.3.1 Network Error: Connection Refused
• A.3.2 The Single Sign-On Server Fails to Prompt the User for a Certificate
• A.3.3 Certificate Authentication Fails - User Is Presented with the Login Page
• A.3.4 User's Browser Certificate Not Found
• A.3.5 Mapping Module Class Name Not Found
• A.3.6 Mapping Module Instance Creation Failed
• A.3.7 Cannot Create the Mapping Module Object
• A.3.8 Exception in Creating Mapping Module
• A.3.9 Certificate Match Failed
• A.4 Problems and Solutions for Windows Native Authentication Errors
• A.4.1 A User Cannot Access a URL After Authenticating in Windows
• A.4.2 A User Who Is Already Authenticated in Windows Cannot Authenticate in the Browser
• A.4.3 single sign-on server Fails to Start with a Credential Not Found Error
• A.4.4 Single Sign-On Server Displays Internal Server Error
• A.4.5 Single Sign-On Users Unable to Authenticate to KDC
• A.4.6 Windows Login Dialog Appears When Accessing a Partner Application
• A.5 Problems and Solutions for Password Policy Errors
• A.5.1 A Disabled User Can Still Log In
• A.5.2 A Disabled User Sees "Authentication Failed" Instead of "Account Disabled" Message
• A.5.3 The User Receives a Password Expiration Message at Login
• A.5.4 Password Expiration Message Does Not Appear on Command-Line Tools
• A.6 Diagnosing OracleAS Single Sign-On Problems
• A.6.1 Viewing the Log Files
• A.6.2 Increasing the Debug Level
• A.6.3 Enabling the Debug Option in the Single Sign-On Database
• A.6.4 Enabling LDAP Tracing for UI Operations
• A.7 Maintenance Tasks for OracleAS Single Sign-On
• A.7.1 Managing Single Sign-On Audit Records
• A.7.2 Refreshing the LDAP Connection Cache
• A.7.3 Restarting OC4J After Modifying Oracle Internet Directory
• A.8 A Word About Non-GET Authentication
• A.9 Need More Help?

B Obtaining the Single Sign-On Schema Password

• B.1 Using the Command Line
• B.2 Using Oracle Directory Manager

C policy.properties

Glossary

Index