Oracle9iAS Single Sign-On Administrator's Guide
Release 3.0.9, Part Number A88732-01
This section explains how to customize the Login and Change Password pages to match the look and feel of your portal or product. It also describes how to configure the Login Server for LDAP authentication.
The Single Sign-On login page and Change Password page can be customized to match the look and feel of your portal or product.
Any type of Web page can be customized: PL/SQL stored procedures, CGI scripts, or Java Server Pages. Although there is no restriction on the type of page, customized pages must support certain parameters and error codes in order to function properly.
The authentication model contains logic that calls a PL/SQL stored procedure to create the Single Sign-On login page. The Login Server recognizes the user's request to bring up the login screen and makes a PL/SQL call to create the screen. The screen submits a form to the appropriate Login Server routine, which is the same as the original calling routine, and the user's credentials are processed.
The process is as follows:
1. WWSSO_APP_ADMIN.LS_LOGIN is called to authenticate the user.
2. LS_LOGIN calls WWSSO_LOGIN.DRAW_LOGIN_PAGE to display the standard login page.
3. DRAW_LOGIN_PAGE submits a form to WWSSO_APP_ADMIN.LS_LOGIN to process the credentials.
4. LS_LOGIN redirects to the application's success URL, which then redirects to the requested application page.
The customized solution provides the option of redirecting to a separate URL to create the login page, instead of making a PL/SQL call to WWSSO_LOGIN.DRAW_LOGIN_PAGE. The URL can point to a Java Server Page, a CGI script, or another type of page. The page should process the name of the routine to submit the login form to, such as WWSSO_APP_ADMIN.LS_LOGIN, and submit the form appropriately.
The flow of logic is as follows:
1. WWSSO_APP_ADMIN.LS_LOGIN is called to authenticate the user.
2. If a URL is specified in the LOGIN_URL column for displaying the login page, LS_LOGIN redirects to that URL.
3. If a URL is not specified in the LOGIN_URL column, LS_LOGIN calls WWSSO_LOGIN.DRAW_LOGIN_PAGE to draw the standard login page.
4. The login page submits a form to WWSSO_APP_ADMIN.LS_LOGIN to process the credentials.
5. LS_LOGIN redirects to the requested application page.
The Login Server uses the LOGIN_URL column of the WWSSO_LS_CONFIGURATION_INFO$ table to store the URL for the customized login page.
The URL for the Login page must accept the parameters listed in Table 5-1.
The customized login page must conform to the wwsso_app_admin.ls_login procedure in the same manner as the standard login page, passing the parameters listed in Table 5-2 to the p_submit_url routine.
The customized login page must have at least two fields: a text field with the parameter name ssousername and a password field with the parameter name password. The values are submitted to the p_submit_url routine. The login page must also submit the site2pstoretoken value as a hidden parameter.
In addition to submitting these parameters, the login page is responsible for displaying appropriate error messages, as specified by the p_error_code parameter, redirecting to p_cancel if the user clicks Cancel, and populating the ssousername text field with the given parameter value in the case of a login error.
If the customized login page requires additional fields, you can include them. Ensure that additional fields are appropriately wrapped to conform to the above convention for integration with the Login Server.
The customized login page must process the error codes listed in Table 5-3.
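The following is an added example, not code from the Oracle9iAS documentation, of how a customized login page can honour the contract described above: it takes the Login Server's p_submit_url, p_cancel, p_error_code, ssousername and site2pstoretoken parameters, posts ssousername and password plus the hidden site2pstoretoken back to p_submit_url, and redisplays the username on error. The allowlisted host, the token value and the error text are assumptions; the real error codes (Table 5-3) are not on this page, so the message is a placeholder.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist: the host(s) serving the Login Server routines. A custom
# page only ever posts credentials back to the Login Server, so p_submit_url and
# p_cancel are checked against it before they are written into the HTML.
TRUSTED_LOGIN_SERVER_HOSTS = {"sso.example.com"}


def trusted_login_server_url(url):
    """True only for an absolute http(s) URL whose host is an allowlisted Login Server."""
    parts = urlsplit(url or "")
    return parts.scheme in ("http", "https") and parts.hostname in TRUSTED_LOGIN_SERVER_HOSTS


def render_login_page(params):
    """Return the HTML of a customized login page for the request parameters.

    params holds the query parameters the Login Server redirects with:
    p_submit_url, p_cancel, p_error_code, ssousername and site2pstoretoken.
    The error text is a placeholder; a real page maps each code to a message.
    """
    submit_url = params.get("p_submit_url", "")
    cancel_url = params.get("p_cancel", "")
    if not trusted_login_server_url(submit_url):
        raise ValueError("p_submit_url does not point at the Login Server")
    if cancel_url and not trusted_login_server_url(cancel_url):
        raise ValueError("p_cancel does not point at the Login Server")
    # Every request value reflected into the page is HTML-escaped.
    token = html.escape(params.get("site2pstoretoken", ""), quote=True)
    username = html.escape(params.get("ssousername", ""), quote=True)
    error_code = html.escape(params.get("p_error_code", ""), quote=True)
    lines = [f'<form method="post" action="{html.escape(submit_url, quote=True)}">']
    if error_code:
        lines.append(f'<p class="error">Login failed (code {error_code}).</p>')
    lines.append(f'<input type="hidden" name="site2pstoretoken" value="{token}">')
    lines.append(f'<input type="text" name="ssousername" value="{username}">')
    lines.append('<input type="password" name="password" autocomplete="off">')
    lines.append('<input type="submit" value="Login">')
    if cancel_url:
        lines.append(f'<a href="{html.escape(cancel_url, quote=True)}">Cancel</a>')
    lines.append("</form>")
    return "\n".join(lines) + "\n"
```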
The Change Password page is created by the PL/SQL routine WWSSO_APP_USER_MGR.CHANGE_PASSWORD. This routine renders the screen and commits the form through an API to the database.
The process is as follows:
1. The WWSSO_APP_USER_MGR.CHANGE_PASSWORD routine is called.
2. CHANGE_PASSWORD displays the Change Password page, which displays the username and has fields for the old password, the new password, and the password confirmation. It also has OK and Cancel buttons.
3. CHANGE_PASSWORD processes the new password.
4. CHANGE_PASSWORD saves the new password and redirects to the appropriate application page.
To accommodate a customized Change Password page, the logic for the Change Password page has been modified as follows:
1. WWSSO_APP_USER_MGR.CHANGE_PASSWORD is called to display the Change Password page.
2. If a separate URL is specified for the Change Password page, CHANGE_PASSWORD redirects to that URL.
3. If no separate URL is specified, CHANGE_PASSWORD calls WWSSO_APP_USER_MGR.DRAW_CHANGE_PASSWORD_PAGE to display the standard Change Password page.
4. The Change Password page submits a form to WWSSO_APP_USER_MGR.SAVE_NEW_PASSWORD to process and save the new password.
5. SAVE_NEW_PASSWORD saves the new password and redirects to the appropriate Oracle9iAS Portal page.
The LOGIN_URL column of the WWSSO_LS_CONFIGURATION_INFO$ table stores the URL for the customized Change Password page. The CHANGE_PASSWORD routine queries the value of the LOGIN_URL column to determine how to proceed. This column contains the URLs for the Login and Change Password pages, separated by a space.
The Change Password page is also displayed immediately following a user login if the user's password has expired or will be expiring soon. If the password has expired, the Change Password page appears with the appropriate message and the following process occurs:
1. WWSSO_APP_ADMIN.LS_LOGIN calls WWSSO_APP_USER_MGR.CHANGE_PASSWORD to display the Change Password page.
2. If a separate URL is specified, CHANGE_PASSWORD redirects to that URL.
3. If a separate URL is not specified, CHANGE_PASSWORD calls WWSSO_APP_USER_MGR.DRAW_CHANGE_PASSWORD_PAGE and displays the standard Change Password page.
4. The Change Password page submits a form to WWSSO_APP_USER_MGR.SAVE_NEW_PASSWORD to process and save the new password.
5. If the password change succeeds, SAVE_NEW_PASSWORD saves the new password and returns control to WWSSO_APP_ADMIN.LS_LOGIN to perform the necessary login steps.
6. If the password change fails, SAVE_NEW_PASSWORD calls CHANGE_PASSWORD and redisplays the Change Password page. This process repeats until the user changes the password successfully.
If the user's password is about to expire, the Change Password page appears with the appropriate message and the following process occurs:
1. WWSSO_APP_ADMIN.LS_LOGIN calls WWSSO_APP_USER_MGR.CHANGE_PASSWORD to display the Change Password page.
2. If a separate URL is specified, CHANGE_PASSWORD redirects to the separate URL.
3. If no separate URL is specified, CHANGE_PASSWORD calls WWSSO_APP_USER_MGR.DRAW_CHANGE_PASSWORD_PAGE to display the standard Change Password page.
4. The Change Password page submits a form to WWSSO_APP_USER_MGR.SAVE_NEW_PASSWORD to process and save the new password.
5. If the password change succeeds, SAVE_NEW_PASSWORD saves the new password and returns control to WWSSO_APP_ADMIN.LS_LOGIN to perform the necessary login steps.
6. If the password change fails, SAVE_NEW_PASSWORD calls CHANGE_PASSWORD and redisplays the Change Password page.
7. If the user does not change the password, SAVE_NEW_PASSWORD does not save a new password but returns control to WWSSO_APP_ADMIN.LS_LOGIN to perform the login steps using the current password.
The URL for the Change Password page must accept the parameters listed in Table 5-4.
The customized Change Password page must pass the parameters listed in Table 5-5 to the p_submit_url routine.
The Change Password page must have at least three password fields with the following parameter names:
The Change Password page should submit these fields to the p_submit_url parameter.
The Change Password page should also submit the p_done_url parameter, as a hidden parameter, to the p_submit_url parameter, and should appropriately display any error messages according to the value of p_error_code.
It must also submit the following parameters, as hidden parameters, to the standard HTML login form presented to the external application from the Login Server.
The customized Change Password page must process the error codes listed in Table 5-6.
The reset password page can encounter errors, each of which generates one of the following error codes; the code is passed to the p_error_url page in the p_error_code argument.
The WWSSO_LS_CONFIGURATION_INFO$ table in the Login Server schema contains the LOGIN_URL column, which is used to enable customized Login and Change Password pages.
The LOGIN_URL column contains two values separated by a space. The first value specifies the URL for the Login page, and the second value specifies the URL for the Change Password page.
By default, the LOGIN_URL column contains the values UNUSED UNUSED, which specifies that the Login and Change Password pages use the standard Login Server pages.
Perform the following steps to install customized Single Sign-On Login and Change Password pages.
1. Log on to SQL*Plus as the Login Server schema:
sqlplus portal30_sso/portal30_sso
2. Update the LOGIN_URL column.
To replace just the Login page with the customized page, update the first value in the LOGIN_URL column, as in the following example:
UPDATE WWSSO_LS_CONFIGURATION_INFO$ SET LOGIN_URL='http://server.domain[:port]/login.jsp UNUSED';
To replace just the Change Password page with a customized page, update the second value in the LOGIN_URL column, as in the following example:
UPDATE WWSSO_LS_CONFIGURATION_INFO$ SET LOGIN_URL='UNUSED http://server.domain[:port]/change_password.jsp';
To replace both pages, update both values in the LOGIN_URL column, as in the following example:
UPDATE WWSSO_LS_CONFIGURATION_INFO$ SET LOGIN_URL='http://server.domain[:port]/login.jsp http://server.domain[:port]/change_password.jsp';
To return to the standard Login Server pages, restore the default values:
UPDATE WWSSO_LS_CONFIGURATION_INFO$ SET LOGIN_URL='UNUSED UNUSED';
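Because the single LOGIN_URL column carries both URLs separated by one space, a URL that itself contains whitespace would be read back as extra values and break the row. The following added helper (not part of the Login Server) composes and parses the two-value format, rejects such URLs, and emits the UPDATE statement shown above; the host and port in the test are constructed.

```python
from urllib.parse import urlsplit

UNUSED = "UNUSED"  # sentinel meaning "use the standard Login Server page"


def _check_url(url, what):
    """Reject URLs that cannot be stored safely in the space-delimited column."""
    if any(ch.isspace() for ch in url):
        raise ValueError(f"{what} URL must not contain whitespace: {url!r}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"{what} URL must be an absolute http(s) URL: {url!r}")
    return url


def login_url_value(login_page=None, change_password_page=None):
    """Compose '<login URL or UNUSED> <change-password URL or UNUSED>'."""
    first = _check_url(login_page, "Login page") if login_page else UNUSED
    second = (_check_url(change_password_page, "Change Password page")
              if change_password_page else UNUSED)
    return f"{first} {second}"


def parse_login_url_value(value):
    """Split a stored LOGIN_URL value into (login_url, change_password_url).

    UNUSED becomes None; anything other than exactly two values is an error,
    which is also how a corrupted row would show up when auditing the table.
    """
    parts = value.split(" ")
    if len(parts) != 2:
        raise ValueError("LOGIN_URL must hold exactly two space-separated values")
    return tuple(None if p == UNUSED else p for p in parts)


def update_statement(login_page=None, change_password_page=None):
    """Return the UPDATE statement for the column, with single quotes doubled."""
    value = login_url_value(login_page, change_password_page).replace("'", "''")
    return f"UPDATE WWSSO_LS_CONFIGURATION_INFO$ SET LOGIN_URL='{value}';"
```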
If the users for whom you are granting access to Oracle9iAS Portal and other Oracle9iAS Single Sign-On applications are already listed in an LDAP directory, you can use the LDAP directory to authenticate users, instead of creating each user again in the Login Server.
The Login Server provides the ssoldap.sql, ssooid.sql, and ssoldif.sql scripts to configure the Login Server for LDAP user authentication.
If you use LDAP for user authentication, you cannot create new Oracle9iAS Single Sign-On users through the Login Server. Instead, you create new users with the LDAP directory using tools such as Oracle Directory Manager.
You must be the administrator of the LDAP directory to configure the Login Server for LDAP user authentication.
To create an LDIF file using the ssoldif.sql script, the initialization parameter file must be set up to allow you to write files to a directory.
You can configure the Login Server for LDAP user authentication either by using the DBMS_LDAP package implemented in ssoxoid.pkb, or by using the external procedure listener implemented in ssoxldap.pkb. Oracle Corporation recommends that you use the ssoxoid.pkb package if you are using Oracle 8i Release 3 (8.1.7) or later.
To complete the configuration, you run the ssoldap.sql or ssooid.sql script and the ssoldif.sql script, and copy the information in the generated LDIF file to the LDAP server.
Perform the following steps to configure the Login Server for LDAP user authentication using the DBMS_LDAP package ssoxoid.pkb.
1. Change to the rdbms/admin directory.
2. Log on to SQL*Plus as SYS and run the catldap.sql script:
sqlplus sys/change_on_install
@catldap.sql
The catldap.sql script installs the required LDAP packages.
3. Exit SQL*Plus and change to the Oracle9iAS Portal src/sso directory.
4. Log on to SQL*Plus as the Login Server schema:
sqlplus portal30_sso/portal30_sso
5. Run the ssooid.sql script to install ssoxoid.pkb:
@ssooid
Perform the following steps to configure the Login Server for LDAP user authentication using the external procedure listener ssoxldap.pkb:
1. Copy the library file from the Oracle9iAS Portal src/sso directory to the appropriate directory on the Login Server:
On Windows NT, copy the ssoxldap.dll library file from the Oracle9iAS Portal src\sso directory to the %ORACLE_HOME%\bin directory on the Login Server machine.
On UNIX, copy the ssoxldap.so library file from the Oracle9iAS Portal src/sso directory to the $ORACLE_HOME/lib directory on the Login Server machine.
2. Log on to SQL*Plus as the Login Server schema:
sqlplus portal30_sso/portal30_sso
3. Create a library that points to the copied file:
create or replace library auth_ext as 'library_file_name';
/
commit;
where library_file_name is the full path and file name of the library file copied in Step 1.
If the Login Server is installed on a Windows NT machine, enter the following:
create or replace library auth_ext as 'c:\oracle\ora81\bin\ssoxldap.dll';
/
commit;
where c:\oracle\ora81\bin is the path to %ORACLE_HOME%\bin.
If the Login Server is installed on a UNIX machine, enter the following:
create or replace library auth_ext as '/u01/app/oracle/product/816prod/lib/ssoxldap.so';
/
commit;
where /u01/app/oracle/product/816prod/lib is the path to $ORACLE_HOME/lib.
4. Run the ssoldap.sql script to install ssoxldap.pkb:
@ssoldap
The ssooid or ssoldap script prompts you to enter configuration information. The prompts are described in Table 5-8.
To enable users to log in to Oracle9iAS Portal with default user accounts using LDAP authentication, you must migrate the Oracle9iAS Single Sign-On accounts created during Oracle9iAS Portal installation to the LDAP directory.
You should still be logged on to SQL*Plus as the Login Server schema. Run the ssoldif.sql script:
@ssoldif
This creates an LDIF file, users.ldif, which contains the Oracle9iAS Single Sign-On user accounts created during the installation of Oracle9iAS Portal. For an example of what the LDIF file might look like, see "LDIF File Example".
For example, to add the LDIF file to the Oracle Internet Directory LDAP server, you can use the following ldapadd command provided with the Oracle database:
ldapadd -h <Host> -p <Port> -D <Bind_DN> -w <Bind_Password> -f users.ldif
The Login Server is now fully configured to authenticate users with the LDAP directory.
When a user is added to the LDAP directory, Oracle9iAS Portal automatically creates a profile for the user when first logging in.
To delete a user, remove both the user's Oracle9iAS Portal profile and the user's LDAP entry. If the LDAP entry alone is removed, the user will not be able to log in to Oracle9iAS Portal, but the profile information will remain.
To remove LDAP integration with the Login Server, use SQL*Plus to run the ORACLE_HOME/portal30/admin/plsql/sso/ssolocal.sql script while logged in as the Login Server schema owner.
The following is an example of the LDIF file created by the ssoldif.sql script when configuring the Login Server for LDAP user authentication. The example shows the LDIF file that would be created if Oracle9iAS Portal was installed in a schema named portal30.
dn: cn=Login Server (portal30_sso)
cn: Login Server (portal30_sso)
description: Central Authentication Authority
objectClass: top
objectClass: applicationProcess

dn: cn=PORTAL30_SSO, cn=Login Server (portal30_sso)
sn: PORTAL30_SSO
cn: PORTAL30_SSO
userPassword: portal30_sso
objectClass: top
objectClass: person

dn: cn=PORTAL30_SSO_ADMIN, cn=Login Server (portal30_sso)
sn: PORTAL30_SSO_ADMIN
cn: PORTAL30_SSO_ADMIN
userPassword: portal30_sso_admin
objectClass: top
objectClass: person

dn: cn=PORTAL30, cn=Login Server (portal30_sso)
sn: PORTAL30
cn: PORTAL30
userPassword: portal30
objectClass: top
objectClass: person

dn: cn=PORTAL30_ADMIN, cn=Login Server (portal30_sso)
sn: PORTAL30_ADMIN
cn: PORTAL30_ADMIN
userPassword: portal30_admin
objectClass: top
objectClass: person

dn: cn=PUBLIC, cn=Login Server (portal30_sso)
sn: PUBLIC
cn: PUBLIC
userPassword: public
objectClass: top
objectClass: person
The ssoldif.sql script produces the above example by default. If you already have a set of user entries and a Directory Information Tree (DIT) organization defined in the LDAP directory, you can modify the script to produce the necessary format. You can also manually create entries in the LDAP directory of the appropriate object class so that the users portal_schema and portal_schema_ADMIN can log in.
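As the example shows, the generated file carries each installation account's userPassword in clear text, and by default that value equals the account name. The following added check (not one of the Login Server scripts) parses LDIF of this shape and lists the person entries whose password is still that installation default, so they can be changed before or right after the file is loaded into the directory; the sample LDIF is constructed in the format shown above.

```python
# Constructed sample in the shape ssoldif.sql produces; one entry has been
# given a non-default password so the check has both cases to report on.
SAMPLE_LDIF = """dn: cn=Login Server (portal30_sso)
cn: Login Server (portal30_sso)
description: Central Authentication Authority
objectClass: top
objectClass: applicationProcess

dn: cn=PORTAL30_SSO, cn=Login Server (portal30_sso)
sn: PORTAL30_SSO
cn: PORTAL30_SSO
userPassword: portal30_sso
objectClass: top
objectClass: person

dn: cn=PUBLIC, cn=Login Server (portal30_sso)
sn: PUBLIC
cn: PUBLIC
userPassword: Tr0ub4dor-3
objectClass: top
objectClass: person
"""


def parse_ldif(text):
    """Split LDIF into entries; each entry is {attribute_name_lowercase: [values]}."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#"):             # comment line
            continue
        if raw.startswith(" ") and last:    # folded continuation of previous value
            current[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def default_password_accounts(text):
    """Return the cn of each person entry whose userPassword equals its cn (case-insensitively)."""
    flagged = []
    for entry in parse_ldif(text):
        if "person" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue
        cn = entry.get("cn", [""])[0]
        if any(pw.lower() == cn.lower() for pw in entry.get("userpassword", [])):
            flagged.append(cn)
    return flagged
```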
Copyright © 2001 Oracle Corporation. All Rights Reserved.