Oracle® Application Server Single Sign-On Administrator's Guide
10g Release 2 (10.1.2)
This chapter examines those aspects of OracleAS Single Sign-On that are dependent upon Oracle Internet Directory. The directory is the repository for all single sign-on user accounts and passwords—administrative and nonadministrative. All user and group management functions are handled by the directory.
Note:Oracle Internet Directory can be configured to authenticate to third-party repositories. To learn more, see Oracle Identity Management Integration Guide.
The chapter contains the following topics:
Use the following tools to manage single sign-on users:
Oracle Delegated Administration Services is a self-service application that enables administrators to manage users and groups. For example, you can create and delete users and change passwords.
You can access Oracle Delegated Administration Services with a URL of this form:
host is the name of the computer on which the Oracle Delegated Administration Services server is located, and
port is the port number of the server. In a typical infrastructure installation, Oracle Delegated Administration Services and OracleAS Single Sign-On have the same host name.
Oracle Directory Manager is a Java-based tool for managing most functions in Oracle Internet Directory. Use it to configure password policies.
You can use command-line tools like
ldapmodify in place of Oracle Delegated Administration Services and Oracle Directory Manager. These tools operate on text files. They take arguments that use the Lightweight Directory Interchange format.
The single sign-on user password is stored in Oracle Internet Directory as an attribute of the user's entry. Users can change their passwords in the single sign-on UI only when their passwords are about the expire. They may use Oracle Delegated Administration Services for this purpose at any time. The directory administrator can use Oracle Directory Manager to adjust password expiry behavior to suit enterprise needs.
This section covers the following topics:
Oracle Directory Manager has fields that enable you to specify the minimum number of characters that a password requires. To learn what the defaults are, see the chapter about password policies in Oracle Internet Directory Administrator's Guide.
Using either Oracle Directory Manager or LDAP command-line tools, you can configure password life and can specify when users are prompted to change their passwords. You can also configure a grace login period for users. This is a period after which users' passwords have expired. If they neglect to change their passwords within this period, they must have an administrator reset them.
Users who try to log in when their passwords have expired or are about to expire experience the following server behavior:
Users are shown an error message on the login page. They have the option of cancelling the page or changing their passwords. In either case, authentication proceeds in the same manner as it does when the change password page is not thrown.
If a grace login period has been configured in the directory, users are presented the change password page after their passwords have expired. They have the option of cancelling the page or changing their passwords. In either case, the authentication sequence is the same as it is for users with valid passwords.
This feature prompts users to change their password after it has been reset by an administrator. You enable force change password by setting the
pwdMustChange attribute in the directory entry
default_identity_management_realm. You can use the command-line tool
ldapmodify for this purpose. The value
TRUE enables this feature.
FALSE disables it. See the chapter about password policies in Oracle Internet Directory Administrator's Guide to learn how to run the tool.
An account lockout occurs when users submit the incorrect user name and password combination more times than is permitted by Oracle Internet Directory. Once they are locked out, they are unable to access the single sign-on server from any number of workstations. By default, lockout occurs after 10 login attempts. Once this limit has been reached, even a valid user name and password combination fails to log a user in.
Because single sign-on user accounts are managed in the directory, the directory administrator determines account lockout policies. Oracle Directory Manager has fields for enabling and disabling lockout and for specifying lockout duration.
The default lockout duration is one day.
To learn how to unlock users, see the chapter about password policies in Oracle Internet Directory Administrator's Guide.
To learn how to configure password policies, see the chapter about these policies in Oracle Internet Directory Administrator's Guide.
OracleAS Single Sign-On, like other components in the OracleAS complement, has its own "container" within the directory information tree (DIT). This container is found within the Oracle Context, an entry that serves as the root for all Oracle-specific data. In the simplified DIT shown in Figure 3-1, both the root Oracle Context and the realm-specific Oracle Context are expanded. The root Oracle Context is the repository for sitewide information—that is, information that applies to all identity management realms and products. Structurally, realm-specific Oracle Contexts are mirror images of the root context, but the information they contain pertains only to a particular realm. These realms store configuration information unique to specific users and other network entities. To learn more about realms, see Chapter 10, "Enabling Support for Application Service Providers".
In Figure 3-1, the single sign-on container is identified by the entry
cn=SSO. It contains a single entry,
orclApplicationCommonName=orasso_sso. This is the entry for the single sign-on server. In the illustration, the entry has been expanded to show the object classes and attributes that define the entry. For example, the
orclapplicationcommonname attribute gives the default name of the single sign-on server,
orasso. Note, too, that the single sign-on server has its own password, which, along with
orclapplicationcommonname, the directory server uses to authenticate the single sign-on server when the latter performs user searches.
Common is a repository for information common to all OracleAS products. For instance, it contains attributes that enable products to identify the realm search base, or node, and the realm nickname. Realm-specific
Common containers—not shown here—contain attributes that enable products to locate users within a realm subtree. In addition to expanding the
SSO container, the illustration expands entries for an OracleAS user who is also an administrator.
ssooconf.sql script enables you to change the following settings in the directory:
directory host name
password for single sign-on server
SSL connections to the directory
Note:You can change the host name and port number only if the new instance of Oracle Internet Directory is a replicated instance.
To change directory settings for the single sign-on server:
Navigate to the script at
Log in to
SQL*Plus as the schema
orasso. To obtain the schema password, see Appendix B.
Note:You can run the script only as
ssooconf.sql by issuing the following command:
This prompt appears:
Enter value for new_oid_host
Enter a value for the directory host name; then press Return or Enter. If, on the other hand, you do not want to change the directory host name, simply press Return or Enter to move to the next prompt.
Repeat step 4 for each of the remaining three prompts, which are
Enter value for new_oid_port,
Enter value for new_ssoserver_password, and
Enter value for new_ldapusessl. The last requires that you enter either
Y (enable) or
Note:An SSL connection between the single sign-on server and the directory exists by default.
To apply the changes, press Return or Enter one last time.
The script displays updated settings for the single sign-on server along with the old ones.
If you run the script and then decide not to make changes, press Return or Enter to retain existing values.
The single sign-on server caches metadata about the Oracle Internet Directory DIT. This metadata includes the user search base, user nickname attribute, and realm-related metadata. In the event that the directory DIT changes, the cache for the single sign-on server must be refreshed. This is effected by running the
Navigate to the script at
Log in to the single sign-on schema:
SQL> connect orasso/orasso_password
See Appendix B to obtain the
orasso schema password.
Note:This script cannot be run as
Run the script:
Restart the single sign-on server.
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
These are just a few of the DIT changes that require that the script be run:
The default realm name or realm DN changes or both change
A new default realm is created
To learn how realm information is changed in Oracle Internet Directory, see Oracle Internet Directory Administrator's Guide.