21 Oracle Application Server Single Sign-On

This chapter describes issues associated with Oracle Application Server Single Sign-On (OracleAS Single Sign-On). It includes the following topic:

Section 21.1, "Configuration Issues and Workarounds"

21.1 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds for Oracle Application Server Single Sign-On. It includes the following topic:

Section 21.1.1, "Additional High Availability Configuration Instructions"

21.1.1 Additional High Availability Configuration Instructions

Additional configuration steps are required after OracleAS Infrastructure is installed with the "OracleAS Cluster (Identity Management)" option. There are two sets of instructions to follow:

The first set of instructions, in Section 21.1.1.1, "Update the mod_rewrite Entry for SSO", must be followed in all cases.
The second set of instructions, Section 21.1.1.2, "Update targets.xml", are needed in only one installation case as described in that section.

21.1.1.1 Update the mod_rewrite Entry for SSO

Take the following steps:

Back up the sso_apache.conf file:

cp ORACLE_HOME/sso/conf/sso_apache.conf   
    ORACLE_HOME/sso/conf/sso_apache.conf.BACKUP

Edit the file. Locate the mod_rewrite entry that contains the following text:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^/pls/orasso/orasso.wwsso_app_admin.ls_login$ /sso/auth [PT]
</IfModule>

Add the following line:

RewriteRule ^/pls/orasso/orasso.home$ PROTOCOL:
    //LBR_HOST:LBR_PORT/pls/orasso/orasso.home [R,L]

replacing the placeholders in italics with the following values:

Replace LBR_HOST with the full hostname for the HTTP load balancer.
Replace LBR_PORT with the SSL listening port. If SSL is enabled, enter the SSL port value. If using the default ports of 80 or 443, do not specify a port value.

Replace PROTOCOL with either HTTPS (if using the SSL port) or HTTP (if using the non-SSL port).

For example, the entry might look like this when using a nondefault SSL port:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^/pls/orasso/orasso.wwsso_app_admin.ls_login$
        /sso/auth [PT]
    RewriteRule ^/pls/orasso/orasso.home$ https:
        //lbr.mydomain.com:4443/pls/orasso/orasso.home [R,L]
</IfModule>

As another example, the entry might look like this when using a default SSL port:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^/pls/orasso/orasso.wwsso_app_admin.ls_login$ 
        /sso/auth [PT]
    RewriteRule ^/pls/orasso/orasso.home$ https:
        //lbr.mydomain.com/pls/orasso/orasso.home [R,L]
</IfModule>

Save and close the file.
Restart Oracle HTTP Server.

21.1.1.2 Update targets.xml

The following configuration steps are needed only in the installation scenario where communications between clients and the load balancer use HTTPS, and communications between the load balancer and Oracle HTTP Server also use HTTPS:

Client ---[HTTPS]---> Load Balancer ---[HTTPS]---> Oracle HTTP Server

In this case the oracle_sso_server entry in the targets.xml file, on each physical host of the cluster, must be reconfigured to monitor the local SSL port.

Note:

Keep in mind that the hostname should remain the same. Do not change the hostname.

Perform the following steps to update targets.xml on each node of the cluster:

Back up the targets.xml file:

cp ORACLE_HOME/sysman/emd/targets.xml 
    ORACLE_HOME/sysman/emd/targets.xml.BACKUP

Open the file and find the oracle_sso_server target type. Within this target entry, locate and edit the following two attributes:
- HTTPPort - the server SSL port number
- HTTPProtocol - the server protocol, which in this case is HTTPS
  
  For example, you could update the two attributes this way:
```
<Property NAME="HTTPPort" VALUE="4443"/>
<Property NAME="HTTPProtocol" VALUE="HTTPS"/>
```
Save and close the file.
Reload the OracleAS console:

ORACLE_HOME/bin/emctl reload