
Oracle Workflow Administrator's Guide
Release 2.6.3.5

Part Number B12160-02

Step 4 Synchronizing Workflow Directory Services with Oracle Internet Directory

If you are using the standalone version of Oracle Workflow, you can synchronize the user information in your Workflow directory service with Oracle Internet Directory (OID) using Lightweight Directory Access Protocol (LDAP). This integration is recommended because it enables you to manage and publish user information in a central location which various systems can reference.

Synchronization with OID enables Oracle Workflow to do the following:

Attention: To implement single sign-on integration, you must install Oracle Workflow with Oracle Application Server, and you must use a version of the Oracle Database that is certified with your version of Oracle Application Server.

For more information about leveraging the Oracle Identity Management infrastructure, see: Oracle Workflow Security.

Context: You need to perform this step only once.

Oracle Internet Directory

Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of the Oracle Database.

LDAP is a standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. LDAP was conceived as an internet-ready, lightweight implementation of the International Standardization Organization (ISO) X.500 standard for directory services. It requires a minimal amount of networking software on the client side, which makes it particularly attractive for internet-based, thin client applications.

The advantages of OID include:

Oracle Application Server Single Sign-On uses Oracle Internet Directory to store user entries. It maps the users of any partner application to user entries in OID, and authenticates them by using LDAP mechanisms.

See Also

Oracle Internet Directory Administrator's Guide

Oracle Application Server Single Sign-On

Oracle Application Server Single Sign-On is a component of Oracle Application Server that provides a framework for secure single sign-on, allowing users to log in to multiple Web-based applications by entering a user name and password only once.

Attention: To implement single sign-on integration for Oracle Workflow, you must install Oracle Workflow with Oracle Application Server, and you must use a version of the Oracle Database that is certified with your version of Oracle Application Server.

Oracle Application Server Single Sign-On provides the following benefits:

The core of the Oracle Application Server Single Sign-On technology is the Login Server. The Login Server authenticates users and passes their identities to the partner applications that are integrated with it.

Partner applications support a single sign-on mechanism that enables them to accept a user's username and password as validated by the Login Server. A partner application delegates its authentication to the Login Server. If a partner application is registered with the Login Server, users can log into it using the single sign-on mechanism.

With mod_osso, an Oracle module that enables single sign-on, Oracle HTTP Server becomes a partner application of the Login Server. Oracle Workflow uses Oracle HTTP Server as its Web server. If you implement Oracle Internet Directory/Single Sign-On integration, Oracle Workflow participates in single sign-on by using mod_osso to authenticate access to its secured web pages.

When a user first tries to access a secured Workflow web page, the Workflow security package WFA_SEC checks the CGI environment variable REMOTE_USER for user information. If the user is not already logged in to Oracle Workflow or another Oracle Application Server Single Sign-On participating application, the user will be prompted to log in before the page appears.

Note: The WFA_SEC package must be loaded as a post-install step if you choose to implement Oracle Internet Directory/Single Sign-On integration. For more information, see your installation documentation.

To set the variable REMOTE_USER, Oracle HTTP Server internally calls mod_osso. Acting as an Oracle Application Server Single Sign-On partner application, mod_osso transparently redirects the user to the Login Server to obtain authentication credentials if no application cookie is present.

The Login Server performs the following steps:

Oracle HTTP Server with mod_osso then performs the following steps:

If, during the same session, the user again seeks access to the same or to a different partner application, the Login Server does not prompt the user for a username and password. Instead, the Login Server obtains the information from the login cookie that is already on the client browser. The login cookie provides the Login Server with the user's identity and indicates that authentication has already been performed. If there is no login cookie, the Login Server presents the user with a login page.

To guard against eavesdropping, the Login Server can send the login cookie to the client browser over an encrypted SSL channel.

The login cookie expires with the session, either at the end of a time interval specified by the administrator, or when the user exits the browser. The login cookie is never written to disk.

Note: To log out of a partner application and log in as another user, the user must also log out of the Login Server session. Otherwise, the authentication request returns the partner application to the logged in state of the previous user.

See Also

Oracle Application Server Single Sign-On Administrator's Guide

Oracle Identity Management Application Developer's Guide

Oracle Internet Directory Synchronization

Oracle Workflow provides APIs to synchronize the user information in your Workflow directory service with OID. These APIs are defined in a PL/SQL package called WF_LDAP. See: Workflow LDAP APIs, Oracle Workflow API Reference.

Note: OID integration includes only individual users, not user groups. Workflow roles are not maintained through OID.

To Synchronize Workflow Directory Services with OID

Note: If you choose to integrate with OID during installation, Workflow directory service views that support this integration are automatically implemented for you. See: Integrating Oracle Workflow Directory Services with Oracle Internet Directory.

Attention: To implement single sign-on integration, you must install Oracle Workflow with Oracle Application Server, and you must use a version of the Oracle Database that is certified with your version of Oracle Application Server.

-- Anonymous PL/SQL block: schedule the WF_LDAP synchronization job
declare
begin
  -- Interval arguments as documented under Workflow LDAP APIs,
  -- Oracle Workflow API Reference
  wf_ldap.schedule_changes(0,0,10);
end;
/

Note: You must terminate the running of any WF_LDAP APIs before changing your LDAP setup, such as by migrating to a different LDAP server.
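One way to carry out that shutdown before changing the LDAP setup, as an added example that is not from the Oracle documentation: it assumes, as the "Managing Job Queues" reference suggests, that WF_LDAP.Schedule_Changes registers its work as a DBMS_JOB entry whose WHAT text names the WF_LDAP package, and it is run in SQL*Plus as the Workflow schema owner that scheduled the job.

```sql
-- Added example (not Oracle's code): remove any queued WF_LDAP
-- synchronization job before migrating to a different LDAP server.
-- Assumption: the job is a DBMS_JOB entry whose WHAT text names WF_LDAP.
set serveroutput on
declare
  l_removed pls_integer := 0;
begin
  for j in (select job, what, broken, next_date
              from user_jobs
             where upper(what) like '%WF_LDAP%')
  loop
    -- Report each job before removing it so the change is auditable
    dbms_output.put_line('Removing job ' || j.job ||
                         ' (next run ' ||
                         to_char(j.next_date, 'YYYY-MM-DD HH24:MI') ||
                         ', broken=' || j.broken || '): ' || j.what);
    dbms_job.remove(j.job);
    l_removed := l_removed + 1;
  end loop;
  commit;  -- DBMS_JOB changes take effect only when committed
  dbms_output.put_line(l_removed || ' WF_LDAP job(s) removed.');
end;
/
```

DBMS_JOB.REMOVE prevents future runs but does not interrupt a run already in progress, so wait for any executing synchronization to finish before changing the LDAP configuration.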

Attention: If you implement OID integration, you must maintain your users only through OID. You must not create ad hoc users in the WF_LOCAL_ROLES table, because you risk discrepancies in your user information and unpredictable results if you use any tool other than OID to maintain users after integrating with OID. Consequently, if you implement OID integration, you must not use the CreateAdHocUser( ), SetAdHocUserStatus( ), SetAdHocUserExpiration( ), or SetAdHocUserAttr( ) APIs in the WF_DIRECTORY package.

You can still use ad hoc roles, however, since Workflow roles are not maintained through OID.

See Also

Setting Global User Preferences

Workflow LDAP APIs, Oracle Workflow API Reference

User Entry Has Changed Event, Oracle Workflow Developer's Guide

Managing Job Queues, Oracle Administrator's Guide

Workflow Directory Service APIs, Oracle Workflow API Reference





Copyright © 2003, 2004, Oracle. All rights reserved.