Oracle® Application Server Single Sign-On Administrator's Guide 10g (10.1.4.0.1) Part Number B15988-01
This document explains how to configure a single sign-on system that assigns different authentication levels to different partner applications. Such a system enables the administrator to tailor authentication behavior to the security level of the application requested.
The document contains the following topics:
OracleAS Single Sign-On enables you to assign different authentication levels to the applications that it protects. You can then map these authentication levels to specific authentication plugins. You may, for example, configure a highly sensitive application to require a user certificate and a less sensitive application to require a user name and password.
Figure 6-1 illustrates how multilevel authentication works.
Figure 6-1 Multilevel Authentication Flow
1. The user has already authenticated to Application A. He or she now goes to Application B.
2. Application B redirects the user to the single sign-on server.
3. Because Application B has a higher authentication level than Application A, the single sign-on server forces the user to authenticate again, this time with a higher credential.
Note: In release 10.1.4, authentication is at the root level of a partner application. You cannot assign authentication levels to URLs under the root.
The following topics are key to understanding how multilevel authentication works:
Authentication levels are parameters that enable you to define different authentication behaviors for different applications. There are six authentication levels defined in the ORACLE_HOME/sso/conf/policy.properties file. This file contains authentication level names and values. A copy of this file appears in Appendix C.
Table 6-1 provides examples of authentication levels. You can customize these levels and create new ones.
Table 6-1 Default Authentication Levels
Authentication Level Names | Authentication Level Values | Description |
---|---|---|
LowSecurity | 20 | The default value is used for weak authentication. |
LowMediumSecurity | 30 | This value is typically used for custom authentication modules. |
MediumSecurity | 40 | The default value for MediumSecurity indicates user name and password authentication. |
MediumHighSecurity | 50 | The default value indicates that certificate authentication is required. |
HighSecurity | 60 | This value is typically used for custom authentication modules. |
Each security level has an associated name, a Java class that contains the plug-in parameters for the security level being implemented, and a host name and port for each application protected by this security level.
The authentication level name can be any name. Names must be unique, and any change to a name must be reflected in all relevant locations in policy.properties. For example, you cannot specify both NoSecurity=10 and NoSecurity=20. The lower the numeric value of a level, the lower the level of security. Values must be positive integers. These values are used when comparing the current authentication level and checking whether a higher level of authentication is required.
The security level provides the authentication method. It is represented as a URL to the Java class that contains the plug-in parameters.
For example, if you want to enforce user name and password authentication for most partner applications, but you want certificate authentication for a particular partner, you can add the following to policy.properties (the plug-in key is the level name followed by the suffix _AuthPlugin, as in the usage scenario later in this chapter):
partner_application_host.example_company.com\:7777 = MediumHighSecurity
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
Users who log in at a higher level and then attempt to access a lower-level application are not rechallenged for credentials. Users who log in at a lower-level application and then attempt to access a higher-level one are challenged using the authentication method set at the higher level. For example, a user who has logged in with MediumSecurity can access an application that requires LowSecurity, but a user who has logged in with LowSecurity must authenticate to access an application that requires MediumSecurity.
An authentication plugin is an implementation of a specific authentication method. This method collects credentials from users and authenticates them.
You can pair one of the authentication levels introduced in the preceding section with one of the authentication methods described in the bulleted list that follows. The authentication level that an authentication plugin maps to is deployment specific. You use policy.properties to achieve the pairing.
- Password authentication. This is the default, standard method.
- Digital certificates. See Chapter 8 for a discussion of certificate authentication.
- Windows native authentication. See the chapter about integrating with Microsoft Active Directory in Oracle Identity Management Integration Guide.
If you do not configure an authentication level for an application, the DefaultAuthLevel parameter in the policy.properties file determines the default level that is used for authentication.
The default plug-in for authentication is the one that is associated with the default level. For example, if the value of DefaultAuthLevel is MediumSecurity, the application uses the plug-in that is provided in the definition of MediumSecurity in the policy.properties file.
This usage scenario explains how two hypothetical partner applications are configured to use different authentication levels and plugins. It assumes these conditions:
- Application pa1 is deployed on host pa1.mydomain.com. It listens on port 7777.
- pa1 is already registered with the single sign-on server.
- pa1 must use certificate authentication.
- Application pa2 is deployed on host pa2.mydomain.com. It listens on port 7777.
- pa2 is already registered with the single sign-on server.
- pa2 must use password authentication.
Modify policy.properties with the following configurations.
1. Choose the name of the authentication level from policy.properties. If necessary, add a new authentication level and corresponding name to the file. Assign authentication levels to the root URLs of the two partner applications:
pa1.mydomain.com\:7777 = HighSecurity
pa2.mydomain.com\:7777 = MediumSecurity
Note: Be sure to include the backslash after the domain name, before the colon that precedes the port number.
2. Assign authentication plugins to the authentication level names that you assigned in step 1:
HighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth
Note that the authentication plugin name is a combination of the authentication level name that you assigned in step 1 and the suffix _AuthPlugin.
3. Save policy.properties; then restart the single sign-on middle tier:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
4. Test the partner applications.
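Both the level-comparison rule described earlier in this chapter (a user is challenged again only when the target application's level value is higher than the level the session was established at) and the policy.properties edits in this scenario can be checked offline before the middle tier is restarted. The following Python script is an added example written for this page; it is not Oracle's code and not part of the guide. It implements a minimal reader for the Java properties syntax that policy.properties uses (a key ends at the first unescaped '=', ':' or whitespace, which is why the backslash before the port matters), validates the points this chapter states (unique names, positive integer values, a defined DefaultAuthLevel, an _AuthPlugin entry for every level a host uses, and the escaped colon), and simulates the re-authentication decision. The sample policy text is constructed from the pa1/pa2 scenario; pa3.mydomain.com is a hypothetical third host whose line deliberately omits the backslash.

```python
"""Added example (not Oracle's code): check a policy.properties fragment and
simulate the single sign-on server's authentication-level comparison."""
from typing import Dict, List, Optional, Tuple

# Constructed sample based on this page's pa1/pa2 scenario. The hypothetical pa3
# line deliberately omits the backslash before the port to show what goes wrong.
SAMPLE_POLICY = r"""
DefaultAuthLevel = MediumSecurity
NoSecurity = 10
LowSecurity = 20
LowMediumSecurity = 30
MediumSecurity = 40
MediumHighSecurity = 50
HighSecurity = 60
pa1.mydomain.com\:7777 = HighSecurity
pa2.mydomain.com\:7777 = MediumSecurity
pa3.mydomain.com:7777 = HighSecurity
HighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth
"""
PLUGIN_SUFFIX = "_AuthPlugin"

def parse_pairs(text: str) -> List[Tuple[str, str]]:
    """Minimal java.util.Properties reader: a key ends at the first unescaped
    '=', ':' or whitespace, and a backslash escapes the next character. Every
    pair is returned so that duplicate names stay visible to the validator."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i = [], 0
        while i < len(line) and line[i] not in "=: \t":
            if line[i] == "\\" and i + 1 < len(line):
                i += 1  # keep the escaped character, e.g. the ':' before a port
            key.append(line[i])
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        pairs.append(("".join(key), rest))
    return pairs

def parse_properties(text: str) -> Dict[str, str]:
    return dict(parse_pairs(text))  # last definition of a key wins, as in Java

def split_policy(props):
    """Sort entries into level values, plugin classes and host:port mappings."""
    levels, plugins, hosts = {}, {}, {}
    for key, value in props.items():
        if key == "DefaultAuthLevel":
            continue
        if key.endswith(PLUGIN_SUFFIX):
            plugins[key[: -len(PLUGIN_SUFFIX)]] = value
        elif value.lstrip("-").isdigit():
            levels[key] = int(value)
        else:
            hosts[key] = value
    return levels, plugins, hosts

def validate(text: str) -> List[str]:
    """Problems an administrator should fix before restarting the middle tier."""
    pairs = parse_pairs(text)
    names = [k for k, _ in pairs]
    problems = [f"name {k} is defined more than once"
                for k in sorted(set(names)) if names.count(k) > 1]
    props = dict(pairs)
    levels, plugins, hosts = split_policy(props)
    problems += [f"level {n} must be a positive integer, got {v}"
                 for n, v in levels.items() if v <= 0]
    default = props.get("DefaultAuthLevel")
    if default not in levels:
        problems.append(f"DefaultAuthLevel {default!r} is not a defined level")
    for host, level in hosts.items():
        if ":" not in host:
            problems.append(f"key {host!r} has no port: escape the colon as '\\:'")
        if level not in levels:
            problems.append(f"{host} maps to undefined level {level!r}")
        elif level not in plugins:
            problems.append(f"{host} uses {level}, which has no {level}{PLUGIN_SUFFIX}")
    return problems

def required_level(props: Dict[str, str], host_port: str) -> str:
    """Level for a partner application root URL, or DefaultAuthLevel if unmapped."""
    return split_policy(props)[2].get(host_port, props["DefaultAuthLevel"])

def must_reauthenticate(props, session_level: Optional[str], host_port: str) -> bool:
    """True when the server challenges again: no session yet, or the target
    application's level value is higher than the session's level value."""
    levels = split_policy(props)[0]
    if session_level is None:
        return True
    return levels[session_level] < levels[required_level(props, host_port)]

if __name__ == "__main__":
    for problem in validate(SAMPLE_POLICY):
        print("problem:", problem)
    props = parse_properties(SAMPLE_POLICY)
    print(must_reauthenticate(props, "MediumSecurity", "pa1.mydomain.com:7777"))
```

Run it with the contents of the real policy.properties substituted for SAMPLE_POLICY before issuing the opmnctl restart. The single pa3 mistake surfaces as two problems, a key with no port and a mapping to the undefined level '7777 = HighSecurity', because the properties reader treats the unescaped colon as the end of the key; an unmapped host falls back to DefaultAuthLevel, exactly as the chapter describes.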