Oracle® Application Server Wireless Administrator's Guide
10g Release 2 (10.1.2)
B13820-02
11 Mobile Single Sign-On

This chapter describes Single Sign-On (SSO) for OracleAS Wireless.

11.1 Overview of Mobile Single Sign-On for OracleAS Wireless

Users access the OracleAS Wireless server using mobile or wireless devices, such as personal digital assistants (PDAs) and cellular phones. As in PC-based systems, the authentication mechanism is Oracle Application Server Single Sign-On. All Oracle Application Server 10g Release 2 (10.1.2.02) components use SSO for user authentication. The Oracle Internet Directory (OID) is the single point for storing all of the user-related information. The integration of Oracle products with SSO and OID provides:

  • Users authenticate only once and can access any SSO partner application.

Selecting the Wireless option when installing Oracle Application Server results in the automatic registration of the OracleAS Wireless and Voice Portal gateway for mobile devices with the SSO server. For more information see the Oracle Application Server Single Sign-On Administrator's Guide and also Appendix A, "Re-Registering the OracleAS Wireless Portal Services URL Reference in OracleAS Portal".

11.1.1 Oracle Application Server Wireless Concepts and Architecture

Wireless products communicate with Oracle Application Server using either wireless markup language (WML) or HTML. Cellular phones use WML; PDAs use HTML. Because these devices request URLs using Wireless Access Protocol (WAP) and other non-HTTP protocols, hardware gateways must be used to convert messages to (and from) HTTP.

The heart of OracleAS Wireless is the Wireless and Voice Portal. It serves as a browser for interactions between the wireless device and the SSO server and for interactions between the wireless device and Oracle applications. The Wireless and Voice Portal server performs the following functions:

  • It authenticates the user directly to the SSO server.

  • It serves private pages of its own.

  • It serves as a proxy browser for external, SSO-protected applications by passing requests to these applications, which then perform SSO authentication.

  • It converts Oracle Application Server Wireless XML to the appropriate device markup language (either WML or HTML).

In the Wireless and Voice Portal framework, external applications are partner applications that are integrated with the Oracle Application Server SSO Software Development Kit (SDK). The Wireless and Voice Portal treats these applications as public applications even if they are not. A Wireless and Voice Portal instance uses an HTTP adapter to serve as a proxy browser for such applications.

11.2 Wireless Single Sign-On

The mobile user has two SSO authentication options: authenticating directly from the Wireless and Voice Portal home page, or requesting a partner application which then performs the authentication.

This section covers the following topics:

  • Authenticating Through the Wireless and Voice Portal (Section 11.2.1)

  • Authenticating by Requesting a Partner Application (Section 11.2.2)

  • Authenticating by mod_osso (Section 11.2.3)

  • Authenticating Through Voice (Section 11.2.4)

11.2.1 Authenticating Through the Wireless and Voice Portal

The mobile user authenticates from the Wireless and Voice Portal public page either by requesting a private application or by an explicit login request (identified by the URL parameter PAlogin=true) to the SSO server.

Figure 11-1 Interactions Between Oracle Application Server Wireless and the Login Server


Figure 11-1 depicts the events from the login request to the application result returned to the user as follows:

  1. The mobile user accesses the OracleAS Wireless and Voice Portal by entering a URL of the following form:

    http://<host>:<port>/ptg/rm

    The Wireless and Voice Portal public page appears, displaying links for public and private Wireless and Voice Portal applications.

  2. The user requests a private application or selects the key icon that invokes the SSO page. (Figure 11-2 depicts the portion of this page where users enter their names.)

  3. The SSO server searches for the encrypted SSO cookie. If the cookie is present, then the server uses it to identify the user and sends the single sign-on redirect form (Step 7). This is the case when the user has already been authenticated through an external partner application (Section 11.2.2). If the cookie is not present, then the server sends the OracleAS Wireless XML login form to the Wireless and Voice Portal.

  4. Wireless and Voice Portal transforms the OracleAS Wireless XML login form to the appropriate markup language and sends the converted form to the device browser.

  5. The user submits the login form with the user name and password.

  6. The Wireless and Voice Portal forwards the login form to the SSO server.

  7. The SSO server authenticates the user. If authentication succeeds, then the server sends the Wireless and Voice Portal the SSO redirect form. If the authentication fails, then the SSO server sends a login form (Step 3).

  8. The Wireless and Voice Portal sends the user the home page or the requested URL.

Figure 11-2 The Wireless Single Sign-On Page: the User Name Field


11.2.2 Authenticating by Requesting a Partner Application

Using the mobile device, the user may also authenticate to the SSO server by requesting URLs for other partner applications. In this case, the authentication redirection agent is not the Wireless and Voice Portal, but an application integrated with the single sign-on SDK.

The first request to the OracleAS Wireless and Voice Portal (http://<server>:<port>/ptg/rm) returns the home page of the anonymous user (a guest user), or the home page of the identified virtual user.


Note:

A virtual user is a user who accesses an OracleAS Wireless site but does not register. When this occurs, OracleAS Wireless detects the user and creates a virtual user account for that user.

An anonymous user is a user who has not registered with OracleAS Wireless but tries the applications as a guest user. The User Manager can create an anonymous user guest account for each user group. All of the unregistered users share this account. They cannot, however, personalize applications.


From that point, the user can access public (unsecured) applications or can explicitly log in to the secure applications that are assigned to that user. The unauthenticated user can execute HTTP Adapter-based public applications that point to an SSO-based partner application (such as Oracle Portal). The partner application may then complete the SSO-based user authentication.

Figure 11-3 illustrates the authentication sequence:

Figure 11-3 Authenticating by Requesting a Partner Application


The authentication sequence (as depicted in Figure 11-3) is as follows:

  1. An unauthenticated user requests a partner application.

  2. The Wireless and Voice Portal sends the request to the partner application, using an HTTP adapter situated on its back end.

  3. If the URL requested is protected, then the partner application issues an HTTP redirect to the SSO server.

  4. The Wireless and Voice Portal follows the redirected URL.

  5. The SSO server looks for the encrypted SSO cookie, which is set in the Wireless and Voice Portal browser. If the cookie is present, then the server uses it to identify the user. The server then sends the SSO redirect form (Step 9). If the cookie is not present, then the server sends the mobile XML login form to Wireless and Voice Portal.

  6. The Wireless and Voice Portal converts the OracleAS Wireless XML login form to the appropriate markup language and delivers the converted form to the device browser.

  7. The user submits the login form with the user name and password.

  8. The Wireless and Voice Portal passes the login request to the SSO server.

  9. Upon successful authentication, the SSO server sends a redirect form that points to the partner application.

  10. Wireless and Voice Portal follows the redirect form. At this point, the Wireless and Voice Portal, knowing that authentication has been successful, updates the user's session.

  11. The partner application serves content in OracleAS Wireless XML.

  12. The Wireless and Voice Portal converts the OracleAS Wireless XML content to the appropriate markup language and delivers the converted content to the device browser.
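The two sequences above (Section 11.2.1, login through the portal, and Section 11.2.2, login triggered by a partner application) share one mechanism: the Wireless and Voice Portal is the browser, so the SSO cookie is set in the portal's cookie jar and the device only ever sees converted markup. The following model is an added example and not OracleAS Wireless code; the host names, cookie names, the one-time ticket handed back to the done_url target, and the LOGIN_FORM sentinel standing for the OracleAS Wireless XML login form are all invented stand-ins for the real protocol.

```python
# Constructed model of the proxy-browser SSO exchange of Sections 11.2.1 and 11.2.2; not
# OracleAS Wireless code (hosts, cookie names, ticket and LOGIN_FORM sentinel are invented).
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse
SSO_HOST, PORTAL_HOST, PARTNER_HOST = "sso.example", "portal.example", "partner.example"
LOGIN_FORM = "LOGIN_FORM"


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)   # Location / Set-Cookie

class SsoServer:
    def __init__(self, accounts):
        self.accounts = accounts   # username -> password (constructed test data)
        self.sessions, self.tickets = {}, {}   # SSO cookie -> username; one-time ticket -> username

    def get(self, path, query, cookies):                # steps 3 / 5: look for the SSO cookie
        user = self.sessions.get(cookies.get("SSO_ID"))
        return self.redirect_form(user, query) if user else Response(200, LOGIN_FORM)

    def post_login(self, form, query):                  # step 7
        if self.accounts.get(form.get("username")) != form.get("password"):
            return Response(200, LOGIN_FORM)            # failure: the login form again
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = form["username"]
        resp = self.redirect_form(form["username"], query)
        resp.headers["Set-Cookie"] = f"SSO_ID={cookie}"
        return resp

    def redirect_form(self, user, query):               # body carries the user name (model assumption)
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = user
        done = query["done_url"][0]
        return Response(302, user, {"Location": done + ("&" if "?" in done else "?") + "ticket=" + ticket})

class PartnerApp:                                       # SDK-integrated, with a session cookie of its own
    def __init__(self, sso):
        self.sso, self.sessions = sso, {}

    def get(self, path, query, cookies):
        user = self.sessions.get(cookies.get("PSESSION"))
        if user is None and "ticket" in query:          # returning from the SSO server
            user = self.sso.tickets.pop(query["ticket"][0], None)
            if user:
                cookie = secrets.token_hex(16)
                self.sessions[cookie] = user
                return Response(200, f"partner page for {user}", {"Set-Cookie": f"PSESSION={cookie}"})
        if user is None:                                # step 3: HTTP redirect to the SSO server
            done = urlencode({"done_url": f"http://{PARTNER_HOST}{path}"})
            return Response(302, "", {"Location": f"http://{SSO_HOST}/sso/login?{done}"})
        return Response(200, f"partner page for {user}")

class Portal:                                           # Wireless and Voice Portal acting as proxy browser
    def __init__(self, sso, partner, markup="WML"):
        self.hosts = {SSO_HOST: sso, PARTNER_HOST: partner, PORTAL_HOST: self}
        self.markup, self.jar, self.user, self.pending = markup, {}, None, None

    def get(self, path, query, cookies):                # the portal's own /ptg/rm page
        if "ticket" in query:
            self.user = self.hosts[SSO_HOST].tickets.pop(query["ticket"][0], None) or self.user
        if query.get("PAlogin") == ["true"]:            # explicit login: let the SSO server decide
            done = urlencode({"done_url": f"http://{PORTAL_HOST}/ptg/rm"})
            return Response(302, "", {"Location": f"http://{SSO_HOST}/sso/login?{done}"})
        return Response(200, f"home page of {self.user or 'guest'}")

    def request(self, url):
        for _ in range(10):                             # follow redirects (steps 4 and 10)
            u = urlparse(url)
            cookies = {n: v for (h, n), v in self.jar.items() if h == u.hostname}
            resp = self.hosts[u.hostname].get(u.path, parse_qs(u.query), cookies)
            self._keep_cookie(u.hostname, resp)
            if resp.status == 302:
                url = resp.headers["Location"]
            elif resp.body == LOGIN_FORM:
                self.pending = url                      # resume here once the device submits the form
                return self._markup("login form")
            else:
                return self._markup(resp.body)
        raise RuntimeError("redirect loop")

    def submit_login(self, username, password):        # steps 5-6: device form -> SSO server
        query = parse_qs(urlparse(self.pending).query)
        resp = self.hosts[SSO_HOST].post_login({"username": username, "password": password}, query)
        self._keep_cookie(SSO_HOST, resp)
        if resp.status != 302:
            return self._markup("login form")
        self.user = resp.body                           # step 10: the portal session now knows the user
        return self.request(resp.headers["Location"])

    def _keep_cookie(self, host, resp):                 # cookies stay here; the device never sees them
        if "Set-Cookie" in resp.headers:
            name, value = resp.headers["Set-Cookie"].split("=", 1)
            self.jar[(host, name)] = value

    def _markup(self, text):                            # stand-in for XML -> WML/HTML conversion
        return f"<{self.markup}>{text}</{self.markup}>"
```

Driving the model with a fresh `Portal` and requesting `http://partner.example/app` yields the login form (Section 11.2.2, steps 1 to 6); `submit_login` then completes steps 7 to 12 and leaves the SSO cookie in `portal.jar`. A later request for `/ptg/rm?PAlogin=true` on the same portal reaches the SSO server with that cookie and comes back with the redirect form and no login form, which is the Section 11.2.1, step 3 case. The `for` bound on redirects is the one defensive addition: a proxy browser that follows redirects on the device's behalf needs a ceiling so a misconfigured partner cannot keep it looping.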

11.2.3 Authenticating by mod_osso

The OracleAS Wireless Tools, which are used by developers and administrators, as well as those intended for end-users (such as the OracleAS Wireless Customization Portal), authenticate users with mod_osso, which is a module plugged into Oracle HTTP Server. All of the Web-based OracleAS Wireless applications running behind the Oracle HTTP Server are treated as a single partner application. Users can access the applications appropriate to their roles and privileges after single sign-on.

The Wireless and Voice Portal uses the value of the HTTP header OssoUser_Guid to identify the mod_osso-authenticated user.


Note:

When executing HTTP Adapter-based applications pointing to external partner applications, the mod_osso-authenticated user must be authenticated again, because for these users the SSO cookies are stored in the PC browser.
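A back-end application that identifies the user from the OssoUser_Guid header, as the Wireless and Voice Portal does, is trusting whatever sits in front of it to have set that header. The following is an added example, not Oracle code: it assumes a WSGI-style request environment in which the header arrives as HTTP_OSSOUSER_GUID, a 32-hex-digit GUID, and a list of Oracle HTTP Server addresses from which the header is accepted; all three are assumptions of the example rather than facts from this chapter.

```python
# Constructed example for Section 11.2.3: consuming the OssoUser_Guid header that mod_osso
# sets on requests it has authenticated.  Not Oracle code.  Assumptions: a WSGI-style
# environ (the header arrives as HTTP_OSSOUSER_GUID), a 32-hex-digit GUID, and that the
# application is reached only through the Oracle HTTP Server addresses listed as trusted.
import re
from ipaddress import ip_address, ip_network

GUID_RE = re.compile(r"[0-9A-Fa-f]{32}")   # assumed shape of the directory GUID


def osso_user(environ, trusted_front_ends):
    """Return the GUID of the mod_osso-authenticated user, or None when the request
    must be treated as unauthenticated.  The header is only meaningful when the
    Oracle HTTP Server in front of us set it, so it is ignored from any other peer."""
    try:
        peer = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(peer in ip_network(net) for net in trusted_front_ends):
        return None
    guid = environ.get("HTTP_OSSOUSER_GUID", "")
    return guid if GUID_RE.fullmatch(guid) else None


def app(environ, start_response, trusted_front_ends=("10.0.0.0/24",)):   # constructed address range
    """Minimal WSGI application.  With mod_osso in front, unauthenticated requests never
    reach it; the 401 is the application-side fallback for anything that arrives anyway."""
    guid = osso_user(environ, trusted_front_ends)
    if guid is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"sign on through mod_osso first"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"user {guid}".encode()]
```

The peer check is what makes the header usable as an identity: a request that bypasses the Oracle HTTP Server and reaches the application directly gets no user, however well-formed its header is.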

11.2.4 Authenticating Through Voice

Voice authentication is accomplished by OracleAS Wireless locally using the account number and the PIN of the user.


Note:

An authenticated user accessing external SSO partner applications from a voice device must re-authenticate (using username and password).

11.3 Wireless Single Sign-Off

OracleAS Wireless Server participates in SSO global logout for sign off. The following steps detail the interactions between OracleAS Wireless, the SSO Server and Partner Applications.

11.3.1 Logging Out from Oracle Application Server Wireless

The user clicks OracleAS Wireless Logout to sign off.

  1. The user sends an OracleAS Wireless Logout request (identified by the URL parameter PAlogoff=true).

  2. The Sign Off implementation of OracleAS Wireless sends an HTTP request to the SSO Sign-Off URL.

  3. The SSO server returns the OracleAS Wireless XML global logout page and a special HTTP header (X-Oracle-SSO-logout with value = true). The global logout page contains one image for each partner application that holds the user's session.

  4. OracleAS Wireless sends HTTP requests to each image link. This is done so that the user's session gets cleaned up in all the partner applications.

  5. OracleAS Wireless terminates the user's session.

  6. If the logout was requested through the OracleAS Wireless link, then the home page of the guest user is returned.

11.3.2 Logging Out from a Partner Application

The authenticated user clicks the logout link on the page returned by the SSO-based partner application. In this case, the logout link points to the SSO sign-off URL.

  1. The user clicks on the logout link which points to the SSO sign-off URL.

  2. The SSO server returns the OracleAS Wireless XML global logout page and a special HTTP header (X-Oracle-SSO-logout with value = true). The global logout page includes one image for each partner application that was active in the user's session.

  3. OracleAS Wireless sends HTTP requests to each image link to clean up the user's session in all the partner applications.

  4. OracleAS Wireless terminates the user's session.

  5. OracleAS Wireless returns the user's home page if the user logged in through the OracleAS Wireless and Voice Portal. OracleAS Wireless returns the done_URL of the global logout page if the user logged in by requesting a partner application.
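Both sign-off sequences (Sections 11.3.1 and 11.3.2) come down to the same handling of the SSO server's response: confirm the X-Oracle-SSO-logout header, request every partner image link so each partner drops its session, then end the OracleAS Wireless session and send the user on. The following is an added example and not the product's code; the logout page markup, the partner URLs and the carrying of done_URL as a hidden input are invented stand-ins, and `fetch` is a constructed replacement for the HTTP request to each image link.

```python
# Constructed model of global sign-off (Sections 11.3.1 and 11.3.2).  Illustration only,
# not OracleAS Wireless code: the logout page markup, the partner URLs and the carrying
# of done_URL as a hidden input are invented stand-ins.
from html.parser import HTMLParser


class LogoutPageParser(HTMLParser):
    """Collects every <img src> on the global logout page (one per partner application
    that holds the user's session) and the page's done_URL."""
    def __init__(self):
        super().__init__()
        self.image_links, self.done_url = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.image_links.append(a["src"])
        elif tag == "input" and a.get("name") == "done_url":
            self.done_url = a.get("value")


def is_global_logout(headers):
    """True only when the SSO server marked the response with X-Oracle-SSO-logout: true."""
    return headers.get("X-Oracle-SSO-logout", "").strip().lower() == "true"


def global_sign_off(headers, body, fetch, session, logged_in_via_portal):
    """headers/body: the response from the SSO sign-off URL.  fetch(url) performs the HTTP
    request to one partner image link and returns True on success.  session: the
    OracleAS Wireless-side user session.  Returns what was cleaned up and where the
    user is sent next (step 6 of 11.3.1 / step 5 of 11.3.2)."""
    if not is_global_logout(headers):
        # Not the global logout page: touch nothing rather than half-log the user out.
        raise ValueError("expected X-Oracle-SSO-logout: true from the SSO server")
    parser = LogoutPageParser()
    parser.feed(body)
    result = {"cleaned": [], "failed": []}
    for link in parser.image_links:                   # one request per partner application
        (result["cleaned"] if fetch(link) else result["failed"]).append(link)
    session.clear()                                   # OracleAS Wireless ends its own session
    result["next_page"] = "guest home page" if logged_in_via_portal else parser.done_url
    return result


# Constructed sample of an SSO sign-off response; the markup is invented.
SAMPLE_HEADERS = {"X-Oracle-SSO-logout": "true", "Content-Type": "text/html"}
SAMPLE_PAGE = """<html><body>
<img src="http://portal.example/ptg/logout_image" alt="">
<img src="http://partner.example/logout_image" alt="">
<input type="hidden" name="done_url" value="http://partner.example/app">
</body></html>"""


def demo(logged_in_via_portal=False):
    """Runs the sign-off against constructed partner session tables."""
    partner_sessions = {"http://portal.example/ptg/logout_image": "alice",
                        "http://partner.example/logout_image": "alice"}

    def fetch(url):                                   # stand-in for the HTTP request to an image link
        return partner_sessions.pop(url, None) is not None

    session = {"user": "alice"}
    result = global_sign_off(SAMPLE_HEADERS, SAMPLE_PAGE, fetch, session, logged_in_via_portal)
    return result, partner_sessions, session
```

The `failed` list is the part an operator wants surfaced: the local session is ended regardless, but any partner whose image link could not be fetched still holds a session for that user and should be logged so it can be followed up.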

11.3.3 Logging Out from a Web-Based Oracle Application Server Application

Since all Web-based Oracle Application Server applications are authenticated through mod_osso and are treated as a single partner application, logout from any one of them triggers global sign-off. The user cannot access any of the applications until the user signs on through mod_osso again.

11.4 The OracleAS Wireless Change Password Page

The OracleAS Wireless user can view only two SSO pages: the Login page and the Change Password page. Unlike its PC counterpart, the OracleAS Wireless Change Password page appears only when users try to log in to the SSO server with an expired password. OracleAS Wireless users have no access to the Change Password link on the SSO Administration page.