Oracle® Access Manager Integration Guide
10g (10.1.4.0.1)

Part Number B25347-01

4 Integrating with Oracle Application Servers

This chapter describes integrating with OracleAS Single Sign-On for authentication and authorization purposes. When integrating Oracle Access Manager's authorization functionality, either Oracle Access Manager or OracleAS Single Sign-On can act as the authentication engine.

This integration enables you to provide identity management functionality across Web-based applications that run on Oracle Application Servers, for example, Oracle E-Business Suite, Oracle Forms, Portals, and other Access System-protected resources.

This chapter covers the following topics:


Note:

This chapter does not describe configuration of the Oracle Virtual Directory Server. See the Oracle Access Manager Installation Guide for details.

4.1 Integration Overview and Environment Preparation

This section discusses the following topics:

4.1.1 Supported Authentication Schemes for the Oracle Application Servers

Oracle Access Manager provides authentication and single sign-on for OracleAS 10g. This enables you to use a single user name and password (and optionally a realm ID) to log in to all features of the Oracle Application Servers and other Web applications. The integration uses the following authentication schemes:

  • Form based

  • Basic

  • Custom

  • Integrated Windows Authentication

  • Microsoft .Net Passport

4.1.2 OracleAS 10g Infrastructure

OracleAS 10g applications provide a similar infrastructure and a security framework for single sign-on for Oracle and other partner applications. The integration of Oracle Access Manager single sign-on with OracleAS 10g involves the following components.

OracleAS Single Sign-On Server: This enables Oracle applications to accept authentication from other applications. You can enable single sign-on between Access System-protected applications and applications protected within the OracleAS 10g single sign-on framework. You can use a single user name and password and optionally a realm ID to log in to all features of the Oracle Application server and other Web applications.

Oracle HTTP Server: This is the Web server interface for OracleAS 10g. Oracle HTTP Server is the integration point between Oracle Access Manager and OracleAS 10g. During the installation, a WebGate is installed as a module on Oracle HTTP Server. You must use the 10g (10.1.4.0.1) WebGate for Oracle HTTP Server.

Oracle Internet Directory (OID): The LDAP directory that serves as a user repository for OracleAS 10g applications. The OID can be synchronized with other connected directories.

4.1.3 Integration Architecture

Figure 4-1 illustrates the integration between Oracle Access Manager and Oracle Application Servers.

Figure 4-1 Oracle Access Manager and Oracle Application Server Integration Architecture


Process overview: Integration of Oracle Access Manager with Oracle Application Server

  1. When a user attempts to access an Oracle Access Manager-protected application or Web resource, a WebGate intercepts the request.

  2. WebGate requests the security policy from the Access Server to determine if the resource is protected.

  3. When the resource is protected, WebGate prompts the user to authenticate.

  4. The credentials entered by the user are validated against the directory for authentication.

  5. When authentication is successful, an encrypted Oracle Access Manager single sign-on cookie is set on the user's browser.

  6. After successful authentication, the Access System determines if the user is authorized by applying policies that have been configured for the resource.

  7. Upon successful authorization, the Access System executes the actions that have been defined in the security policy and sets an HTTP header variable that maps to the OracleAS 10g user ID.

  8. The OracleAS Single Sign-On Server recognizes the Oracle Access Manager HeaderVar, authenticates the user, and sets the Oracle single sign-on Cookie.


Note:

The OID must be synchronized with the Oracle Access Manager directory to ensure that user data is up-to-date. OID performs the synchronization.

4.1.4 Supported Versions and Platforms

To see the supported versions and platforms for this integration, refer to Metalink as follows.

To view information on Metalink

  1. Go to the following URL:

    http://metalink.oracle.com

  2. Click the Certify tab.

  3. Click View Certifications by Product.

  4. Select the Application Server option and click Submit.

  5. Choose Oracle Application Server and click Submit.

4.1.5 Preparing Your Environment

The following task overview lists the steps required to prepare your environment for configuring single sign-on.

Task overview: Preparing your Environment

  1. Install OracleAS 10g.

  2. Install the Oracle Infrastructure.

    OracleAS Infrastructure 10g includes:

    • Oracle Application Server Metadata Repository

    • OracleAS Single Sign-On Server

    • Oracle Internet Directory (a Lightweight Directory Access Protocol (LDAP) directory)


    Note:

    The servers where the Oracle infrastructure and Oracle Access Manager are installed must have fully qualified domain names, for example, hostname.domain.net.

  3. Install and set up Oracle Access Manager components.

    See the Oracle Access Manager Installation Guide for details. Install the following:

    • Identity Server

    • WebPass

    • Access Server (includes Policy Manager)

  4. On the Oracle HTTP Server, install a WebGate for use with OracleAS 10g.

    See the Oracle Access Manager Installation Guide for details.

    Update the Web server configuration file:

    • Automatic Web Server Updates: Click Yes to automatically update your Web server configuration file (Oracle HTTP Server httpd.conf) during WebGate installation, as described in the Oracle Access Manager Installation Guide.

    • Manual Web Server Updates: Use one of the following methods:

      Either: Locate the Oracle HTTP Server httpd.conf file after WebGate installation, add the WebGate entry at the end of the file, then run the following command on an infrastructure terminal:

      opmnctl restartproc process-type=HTTP_Server

      Or: Use the Oracle Enterprise Manager Console to:

      Launch the Oracle Enterprise Manager.

      Select the Oracle Application Server hosting the Oracle Infrastructure.

      Select the HTTP Server hosting the WebGate.

      Navigate to Advanced Server Properties.

      From the list of configured files, select httpd.conf for update.

      Include the WebGate entry at the end of the file.

  5. Restart the Oracle HTTP Server after the Web Server configuration file update.

  6. Configure OracleAS Single Sign-On for external authentication.

  7. Configure the Web browser to allow cookies.

  8. Proceed to "Single Sign-On with OracleAS 10g".

4.2 Single Sign-On with OracleAS 10g

When integrating Oracle Access Manager with OracleAS 10g Application Server, each OracleAS application's configuration is provided separately. This integration requires configuring OracleAS 10g for external authentication and configuring Oracle Access Manager logout.

You complete the following procedures to set up OracleAS 10g for the integration:

Task overview: Integrating Oracle Access Manager with OracleAS 10g

  1. Set up your machines, as described in "Preparing Your Environment".

  2. Set up the OracleAS.

  3. Set up Oracle Access Manager, as described in "Configuring Oracle Access Manager for Integration with OracleAS 10g".

  4. Test the integration, as described in "Testing the Integration with OracleAS".

4.2.1 Enabling Single-Sign On

Enabling single sign-on for the integration between Oracle Access Manager and OracleAS 10g includes creating a Java class and editing the policy.properties file, as discussed in the following paragraphs.

4.2.1.1 Creating the Java Class for Integration

The first step in enabling single sign-on for the integration involves coding a Java class, which will look for the Header variable from Oracle Access Manager.


Note:

This example assumes you have installed and set up the Identity System and Access System, created a policy domain in the Access System, defined an authorization action that sets a Header Variable with the ID of the user, and configured global logout. See "Protecting the Single-Sign On Login URL" and "Implementing Global Logout from OracleAS Single Sign-On and Access Server" for details.

To code a Java class to look for an Oracle Access Manager HeaderVar

  1. In the Access System, create rules to protect the following URIs:

    /sso/auth/

    /pls/orasso/orasso.wwsso_app_admin.ls_login

    See "Protecting the Single-Sign On Login URL" for details.

  2. Create a Java file for your package.

    For help, copy the source code from "SSOOblixAuth.java" in the Sample Files section. Create the file in the following location:

    ORACLE_HOME/sso/lib

    Save the file as SSOOblixAuth.java. Before it is compiled, this package directive must be added to it:

    package oblix.security.ssoplugin;

  3. Compile the file, including ORACLE_HOME/sso/lib/ipastoolkit.jar in the class path. The sample file SSOOblixAuth.java is compiled this way:

    ORACLE_HOME/jdk/bin/javac -classpath ORACLE_HOME/sso/lib/ipastoolkit.jar:ORACLE_HOME/lib/servlet.jar -d ORACLE_HOME/sso/plugin SSOOblixAuth.java

    Note that the colon separator (":") is appropriate for Linux. On Windows, use a semicolon (";") as the separator.

    This command creates SSOOblixAuth.class and places it in the directory ORACLE_HOME/sso/plugin/oblix/security/ssoplugin.

  4. Next you need to register the Java class for integration by editing the policy.properties file in the following location:

    OracleAS_install_dir/sso/conf

    Where OracleAS_install_dir is the directory where OracleAS Single Sign-On infrastructure is installed.

  5. In the OracleAS Single Sign-On policy.properties file, replace the simple authentication plug-in with the plug-in that you created in the previous steps. In this file, navigate to the line that sets MediumSecurity_AuthPlugin:

    MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth

    Comment out the existing line and add a new line to register your Java class, as follows:

    MediumSecurity_AuthPlugin = oblix.security.ssoplugin.SSOOblixAuth

    When editing policy.properties, take care not to insert blank space at the end of a line.

  6. Save the file.

  7. Restart the single sign-on middle tier, and restart the OC4J instance OC4J_SECURITY, for your changes to take effect:

    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server

    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY

  8. Test the integrated system.
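The policy.properties edit in steps 4 to 7 is easy to get subtly wrong: the default line left active, the key set twice, or the trailing blank that step 5 warns about. The following Python check is an added example, not part of Oracle's documentation or product; the two property-file fragments it checks are constructed for the demonstration.

```python
"""Check an OracleAS Single Sign-On policy.properties edit for the plug-in
registration described in the procedure above.  Added example, not Oracle
code; the two property-file fragments are constructed for the demonstration."""

KEY = "MediumSecurity_AuthPlugin"
OLD_PLUGIN = "oracle.security.sso.server.auth.SSOServerAuth"  # default plug-in
NEW_PLUGIN = "oblix.security.ssoplugin.SSOOblixAuth"           # class built in step 3


def check_policy_properties(text):
    """Return a list of findings; an empty list means the edit looks correct.

    Checks: exactly one active (uncommented) MediumSecurity_AuthPlugin line,
    registering SSOOblixAuth; the default SSOServerAuth line only as a comment;
    and no trailing whitespace anywhere (Java property values keep trailing
    blanks, so a class name with a blank appended would not be found).
    """
    findings = []
    active = []  # (line number, value) of every uncommented KEY line
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            findings.append(f"line {lineno}: trailing whitespace")
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == KEY:
            active.append((lineno, value.strip()))
    if not active:
        findings.append(f"no active {KEY} line; the plug-in is not registered")
    elif len(active) > 1:
        where = ", ".join(str(n) for n, _ in active)
        findings.append(f"{KEY} appears {len(active)} times (lines {where})")
    for lineno, value in active:
        if value == OLD_PLUGIN:
            findings.append(f"line {lineno}: default {OLD_PLUGIN} still active; comment it out")
        elif value != NEW_PLUGIN:
            findings.append(f"line {lineno}: unexpected plug-in class {value!r}")
    return findings


# Constructed fragment: the edit done as the procedure describes.
GOOD_PROPS = """\
# Authentication plug-in for the medium security level
#MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth
MediumSecurity_AuthPlugin = oblix.security.ssoplugin.SSOOblixAuth
"""

# Constructed fragment: default line left active, new line ends in a blank.
BAD_PROPS = (
    "MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth\n"
    "MediumSecurity_AuthPlugin = oblix.security.ssoplugin.SSOOblixAuth" + " \n"
)

if __name__ == "__main__":
    for name, props in (("good", GOOD_PROPS), ("bad", BAD_PROPS)):
        print(name, check_policy_properties(props) or "OK")
```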

4.2.2 Integrating the Delegated Administration Service

The Delegated Administration Service (DAS) is part of the Oracle Identity Management, an integrated infrastructure that includes the following components:

  • Oracle Internet Directory—An LDAP V3-compliant directory service

  • Delegated Administration Service (DAS)—The Oracle Internet Directory component that provides trusted proxy-based administration of directory information by users and application administrators.

  • Oracle Directory Integration Service—A component of the Oracle Internet Directory that permits synchronization between the Oracle Internet Directory and other directories and user repositories.

  • Provisioning Integration Service—The Oracle Internet Directory component that provides automatic provisioning of services, as described in Oracle documentation.

The DAS is installed by default when you install the OracleAS 10g Infrastructure, and should integrate automatically. No additional steps are needed for a user to access DAS when Oracle Access Manager is integrated with single sign-on.

The DAS link is:

http://infra-machine-name:port/oiddas


Note:

If you experience errors using the Create/Edit user and Create/Edit groups portlets, move the DAS from the Infrastructure to the middle tier. For details, see "Integrating the Portal".

4.2.3 Integrating the Portal

The Oracle Application Server Portal enables you to build, deploy, and maintain self-service, integrated Enterprise Information Portals (EIPs). A customized portal page can present information from different providers and can include both enterprise search and directory lookup fields.

A portal page consists of multiple portlets. Each portlet is a region of the portal page that provides dynamic access to a Web-based resource.

When Oracle Access Manager single sign-on is integrated with OracleAS 10g, users should be able to access the portal as follows:

http://midtier_home:port/pls/portal


Note:

The Create/Edit user and Create/Edit groups portlets call the DAS from the portal. If you experience errors using Create/Edit user and Create/Edit groups portlets, you need to move the DAS to the middle tier from the Infrastructure.

4.2.4 Enabling Single-Sign On for Forms

The Oracle Application Server Forms Services is a middle-tier application framework that you use to deploy complex transactional forms applications to the internet.

When you integrate Oracle Access Manager with OracleAS 10g, you need to enable single sign-on for forms. Once single sign-on is enabled for forms, Oracle Access Manager handles authentication and you should not be challenged to enter the schema user ID and password either by the single sign-on login page or by the forms.

To enable single sign-on for forms

  1. Locate the forms90.conf file located in the following directory:

    midtier_home/forms90/server

  2. At the end of the forms90.conf file add the following lines.

    <IfModule mod_osso.c>
       <Location /forms90/f90servlet>
          require valid-user
          AuthType Basic
       </Location>
    </IfModule>
    
    
  3. Restart OC4J_BI_FORMS and the forms server for your changes to take effect.

    Next you create a Resource Access Descriptor (RAD) for the OID users. A RAD can be created at a global level so all users can use the same RAD to access the resource. Alternatively, the RAD can be created for each user.

  4. Create a Resource Access Descriptor (RAD) for the OID users to map the LDAP user to the Database schema.

    The next step can be done at the global level in the formsweb.cfg file (the default configuration), or at the application level to make individual applications single sign-on enabled.

  5. Set the ssoMode to true to make the application single sign-on enabled using the Enterprise Manager to update the formsweb.cfg file.

    For example, to make an individual application single sign-on enabled:

    [myApp]
    form=myFmxs
    ssoMode=true
    
    

    For more information, see chapter 6 in the Oracle Application Server Forms Services Deployment Guide 10g (9.0.4) for Windows and Unix, Part No. B10470-02.

  6. Test this implementation by navigating to the following URL:

    http://midtier_home:port/forms90/f90servlet?config=default
    

4.2.5 Integrating Reports Services

The Oracle Application Server Reports Services allow you to deploy reports to the OracleAS 10g, as described in your Oracle documentation.

Reports are single sign-on-enabled out of the box and should work without further steps when you integrate Oracle Access Manager with OracleAS 10g.

To access the protected reports page

  1. Point your browser to the following URL:

    http://machine:port/reports/rwservlet/showenv

  2. Log in when challenged by WebGate.

  3. Confirm that once authenticated you can view the Environment settings for Oracle Reports (a single sign-on-protected page).

For more information, see chapter 10 of the Oracle Application Server Reports Services Publishing Reports to the Web 10g (9.0.4), Part No B13673-01.

4.2.6 Synchronizing the OID and Oracle Access Manager LDAP Directory

The next step in the configuration of OracleAS 10g for integration with Oracle Access Manager is to use the Oracle synchronization tool to synchronize user information between the Oracle OID and the LDAP directory server used by Oracle Access Manager.

For details about this synchronization tool and process, see your Oracle OID documentation.


Note:

To test the integration without synchronizing the directories, you need to create an Oracle administrator (orcladmin) within Oracle Access Manager for login purposes.

4.2.7 Implementing Global Logout from OracleAS Single Sign-On and Access Server

By default, the WebGate logs a user out when it receives a URL containing "logout." See the section on logout from a single domain single sign-on session in the Oracle Access Manager Access Administration Guide for details. As a result, the default single sign-on logout page does not work with OracleAS Single Sign-On. The discussion "Logout.jsp" provides the sample file that you need in order to configure logout.

To implement global logout from OracleAS Single Sign-On

  1. Edit the following parameters in ORACLE_HOME/sso/conf/policy.properties. Substitute the paths to your logout page for the value shown in the following example:

    #Deployment login page link
    loginPageUrl = /sso/pages/login.jsp
    logoutPageUrl = /sso/pages/logout.jsp
    
    
  2. Restart the single sign-on server:

    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    
    
  3. In the Access System, go to the page where you configure the single sign-on logout URL.

    From the Access System Console, click System Configuration, then click Server Settings, then click Configure SSO Logout URL.

  4. On this page, configure the single sign-on logout URL to invoke the OracleAS Single Sign-On logout URL.

    Add a logout URL similar to the following:

    http://host:port/sso/logout

    Where host is the computer where the OracleAS Single Sign-On server is installed and port is the listen port for the server. When the user clicks the Logout link in Oracle Access Manager, the logout URL removes session cookies and redirects users to a logout page. See the appendix on configuring logout in the Oracle Access Manager Access Administration Guide for details.

  5. Go to the page where you configure the WebGate logout URL from the Access System Console by clicking Access System Configuration, then click AccessGate Configuration, then select a WebGate.

  6. On the page that shows the WebGate details, click Modify, then provide a new logout URL similar to the following:

    /access/oblix/lang/en-us/style2/oblixlogo.gif

    The URL can be any gif file or Web page. This page is embedded in logout.jsp. See "Logout.jsp" for details.

  7. Repeat the previous two steps for every WebGate-protected cookie domain.

  8. Add a page that you want to display after the user is logged out.

  9. Confirm that you can perform a global logout both from the OracleAS Single Sign-On Server and from the Access Server.

4.2.8 Configuring Oracle Access Manager for Integration with OracleAS 10g

After installing Oracle Access Manager and installing a WebGate on the OracleAS HTTP Server, you need to create Oracle Access Manager access control policies to protect OracleAS resources.

Task overview: Setting up Oracle Access Manager for integration with OracleAS 10g

  1. Install and set up the Identity System and Access System, as outlined in "Preparing Your Environment".

  2. Navigate to the Identity System Console and create an Oracle Administrator (orcladmin) user to match the orcladmin user who already exists in the Oracle OID, as described in the Oracle Access Manager Identity and Common Administration Guide.

  3. Complete "Protecting the Single-Sign On Login URL".

4.2.9 Protecting the Single-Sign On Login URL

You need to protect the following single sign-on login URL so that the WebGate challenges the user whenever the OracleAS Single Sign-On 10g is accessed:

/sso/auth/

The following activities are required to protect the single sign-on login URLs, or any other resources, using the Access System.

Each step in the following task list is a full procedure. For complete details, see the related chapters in this guide.

Task overview: Protecting resources with Oracle Access Manager

  1. Define an authentication scheme using the Access System Console.

    For example:

    Access System Console, Access System Configuration, Authentication Management, Add
    
    
  2. Create a policy domain using the Policy Manager.

    For example:

    Policy Manager, Create Policy Domain
    
    
  3. Add a resource to your policy domain using the Policy Manager.

    For example:

    Policy Manager, Create Policy Domain, Resources
    
    
  4. Define rules for your policy domain using the Policy Manager.

    For example:

    Policy Manager, Create Policy Domain, Default Rules
    
    
  5. Define an Authorization action that sets a Header Variable with the ID of the user.

    For example:

    Policy Manager, Create Policy Domain, Default Rules, Authorization Expressions, Actions
    
    

    Authorization Success

    Return

    Type: HeaderVar

    Name: XXX_REMOTE_USER

    Return Attribute: loginAttribute

    where XXX is any prefix (used because "REMOTE_USER" is often an internal header for HTTP servers) and where loginAttribute is the attribute configured as the Login semantic type in the Identity System. This name must map to the login name of the user stored in the OracleAS single sign-on repository. Some people have used the "EMPLID" attribute, which passes the Employee ID of the logged-in user.

    Upon successful authorization, the value of loginAttribute is passed on to the OracleAS 10g server.


    Note:

    To use a HeaderVar that is different from XXX_REMOTE_USER, you need to replace XXX_REMOTE_USER with the desired variable in two locations: Access System Console, Authorization Rule, Actions, and in the OracleAS Java class. See "Creating the Java Class for Integration" for details.

  6. In the Authorization rule, allow access to Anyone.

    For example:

    Policy Manager, Create Policy Domain, Authorization Rules, Name, Allow Access, Any one
    
    
  7. Enable the Authorization rule.

    For example:

    Policy Manager, Create Policy Domain, Authorization Rules, Name,
    
    
  8. Enable the Policy Domain.

    For example:

    Policy Manager, My Policy Domains, Name, Modify, Enabled 
    
    

    The single sign-on configuration is now complete.

  9. Test your policy domain, as described in the section on using Access Tester in the Oracle Access Manager Access Administration Guide.

4.3 Authorization Support for Applications Protected by OracleAS Single Sign-On

By default, the WebGate component of Oracle Access Manager intercepts all URLs, and the Access System authenticates the users who invoked the URLs. However, if you want to use OracleAS Single Sign-On to provide the authentication functionality for application login, you can configure the OHS Web server to pass authentication requests to mod_osso. This enables OracleAS Single Sign-On to continue to authenticate the user. Additionally, you can configure OracleAS Single Sign-On to pass the user's information to Oracle Access Manager for authorization.

This section describes how to implement Access System-based authorization for OracleAS Single Sign-On-protected HTTP resources.

The rest of this section discusses the following topics:

4.3.1 About Authorization of OracleAS Single Sign-On-Protected Applications

In this type of integration, it is assumed that you have configured user authentication for various applications using OracleAS Single Sign-On. See the Oracle Application Server Single Sign-On Administrator's Guide for details.

After OracleAS Single Sign-On authenticates a user, Oracle Access Manager applies an external authentication scheme that looks for a REMOTE_USER header variable and maps it to an Oracle Access Manager user. If Oracle Access Manager can authenticate the user, the Access System performs user authorization. During authorization, the WebGate checks for the REMOTE_USER header variable. If it is set, the WebGate performs authorization according to policies that are defined in the Access System.

4.3.2 Configuring Authorization Support for OracleAS Single Sign-On-Protected Resources

This section assumes that you have installed OracleAS Single Sign-On, configured the middle tier applications to use OracleAS Single Sign-On authentication, and installed the WebGate on the middle-tier OHS. See the information on configuring the middle tier in the Oracle Application Server Single Sign-On Administrator's Guide and the section on "Preparing Your Environment" in this chapter for details.

The following procedure describes configuring OracleAS Single Sign-On authentication with Oracle Access Manager authorization.

To configure authentication using OracleAS Single Sign-On and authorization using Oracle Access Manager

  1. On the computer that hosts the OHS Web server, comment out the following lines in the WebGate section of the file ORACLE_HOME/Apache/Apache/conf/httpd.conf:

    <LocationMatch "/*">
    AuthType Oblix
    require valid-user
    </LocationMatch>
    
    
  2. On Linux, locate the WebGate-specific section in the httpd.conf file.

    This section is enclosed by the following lines:

    #*** BEGIN WebGate Specific **** 
    #*** END WebGate Specific ****
    
    

    Move this section before the line that contains the include statement for mod_osso.conf.

  3. Restart the Web server for this WebGate.

  4. Protect your resources on the middle-tier OHS with OracleAS Single Sign-On using static pattern rules.

    See the Oracle Identity Management Application Developer's Guide for details. This is required to use OracleAS Single Sign-On authentication features, for example, Windows Native Authentication.
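As an added example (not Oracle code), the following Python check verifies the two httpd.conf edits from steps 1 and 2 of the procedure above: the catch-all <LocationMatch "/*"> block with AuthType Oblix is commented out, and the WebGate-specific section precedes the include of mod_osso.conf. The httpd.conf fragments and the include path are constructed placeholders; the real path in your ORACLE_HOME may differ.

```python
"""Check the two httpd.conf edits from steps 1 and 2 of the procedure above.
Added example, not Oracle code; the httpd.conf fragments are constructed and
the mod_osso.conf include path is a placeholder."""

import re

BEGIN_MARK = "BEGIN WebGate Specific"  # section markers quoted in step 2
END_MARK = "END WebGate Specific"


def check_httpd_conf(text):
    """Return a list of findings; an empty list means both edits are in place."""
    lines = text.splitlines()
    findings = []
    begin = next((i for i, l in enumerate(lines) if BEGIN_MARK in l), None)
    end = next((i for i, l in enumerate(lines) if END_MARK in l), None)
    osso = next((i for i, l in enumerate(lines)
                 if re.match(r"\s*include\b.*mod_osso\.conf", l, re.I)), None)
    if begin is None or end is None or end < begin:
        return ["WebGate-specific section markers not found"]
    # Step 2: the WebGate section must come before mod_osso.conf is included.
    if osso is None:
        findings.append("no include of mod_osso.conf found")
    elif osso < begin:
        findings.append("WebGate section must precede the include of mod_osso.conf")
    # Step 1: the catch-all <LocationMatch "/*"> block that applies AuthType
    # Oblix to every URL must be commented out, so that mod_osso, not the
    # WebGate, handles authentication.  Only uncommented lines count.
    in_block = False
    for idx in range(begin, end + 1):
        line = lines[idx].strip()
        if line.startswith("#"):
            continue
        if re.match(r'<LocationMatch\s+"/\*"\s*>', line, re.I):
            in_block = True
        elif line.lower().startswith("</locationmatch"):
            in_block = False
        elif in_block and re.match(r"AuthType\s+Oblix\b", line, re.I):
            findings.append(f"line {idx + 1}: AuthType Oblix for all URLs is still active")
    return findings


# Constructed fragment: state right after WebGate installation (both edits missing).
BEFORE_CONF = """\
# constructed httpd.conf fragment, include path is a placeholder
include "ORACLE_HOME/Apache/Apache/conf/mod_osso.conf"
#*** BEGIN WebGate Specific ****
<LocationMatch "/*">
AuthType Oblix
require valid-user
</LocationMatch>
#*** END WebGate Specific ****
"""

# Constructed fragment: after the edits in steps 1 and 2.
AFTER_CONF = """\
# constructed httpd.conf fragment, include path is a placeholder
#*** BEGIN WebGate Specific ****
#<LocationMatch "/*">
#AuthType Oblix
#require valid-user
#</LocationMatch>
#*** END WebGate Specific ****
include "ORACLE_HOME/Apache/Apache/conf/mod_osso.conf"
"""

if __name__ == "__main__":
    for name, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(name, check_httpd_conf(conf) or "OK")
```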

To define an external authentication scheme in Oracle Access Manager

  1. From the Oracle Access Manager landing page, click Access System Console, click Authentication Management, and click Add.

  2. Define an authentication scheme similar to the following on the General tab for the authentication scheme:

    Name: External auth scheme

    Challenge Method: Ext

    Challenge Parameter: creds:REMOTE_USER

  3. On the Plug-ins tab for the authentication scheme, add a credential mapping plug-in that uses the REMOTE_USER header variable, for example:

    obMappingBase="dc=us,dc=mycompany,dc=com",obMappingFilter="(&(&(objectclass=inetorgperson)(uid=%REMOTE_USER%))(|(!(obuseraccountcontrol=*))(obuseraccountcontrol=ACTIVATED)))"
    
    

    When implementing this plug-in, substitute values for obMappingBase and the person object class that are appropriate for your environment.
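The credential mapping above substitutes the REMOTE_USER header value into obMappingFilter. The following Python example (added here, not Oracle code) resolves this page's filter for a sample user and escapes the value per RFC 4515 before substitution, so that a value containing filter metacharacters cannot change the number of assertions in the search; how the Access Server itself performs the substitution is not described on this page, and the user values are constructed.

```python
"""Resolve the credential mapping filter above for a REMOTE_USER value.
Added example, not Oracle code; how the Access Server itself substitutes
%REMOTE_USER% is not described on this page.  The user values are constructed."""

import re

# obMappingFilter exactly as given in the procedure above.
MAPPING_FILTER = (
    "(&(&(objectclass=inetorgperson)(uid=%REMOTE_USER%))"
    "(|(!(obuseraccountcontrol=*))(obuseraccountcontrol=ACTIVATED)))"
)

# RFC 4515 escapes for the characters that have a meaning inside a filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value so that it can only ever be matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def resolve_filter(remote_user, template=MAPPING_FILTER):
    """Substitute the escaped REMOTE_USER value into the template.

    An empty header value is rejected: an empty uid assertion is not a usable
    lookup, and failing early makes a missing header visible."""
    if not remote_user:
        raise ValueError("REMOTE_USER header is empty")
    return template.replace("%REMOTE_USER%", escape_filter_value(remote_user))


def assertion_count(filter_text):
    """Number of attribute=value assertions in a filter, i.e. parenthesised
    items not starting with &, | or !.  The template has four; substituting
    a user value must not change that count."""
    return len(re.findall(r"\((?![&|!])[^()]*\)", filter_text))


if __name__ == "__main__":
    for user in ("jdoe", "j)(x*"):
        resolved = resolve_filter(user)
        print(assertion_count(resolved), resolved)
```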

To define the policies to protect the middle-tier application URLs

  1. From the landing page for Oracle Access Manager, click Policy Manager.

  2. Click Create Policy Domain.

  3. Define policies to protect any middle-tier application URL.

    Configure the policies using the external authentication scheme that you configured in the previous procedure. See the Oracle Access Manager Access Administration Guide for details.

  4. If a WebPass and Policy Manager are installed on the same Web server as the WebGate, configure OracleAS Single Sign-On to authenticate users who try to access the Identity and Access Systems.

    Add two static URL patterns to the OracleAS Single Sign-On httpd.conf file:

    <LocationMatch "/identity/oblix">
      AuthType Basic
      require valid-user
    </LocationMatch>
     
    <LocationMatch "/access/oblix">
      AuthType Basic
      require valid-user
    </LocationMatch>
    
    

    These rules enable OracleAS Single Sign-On to perform authentication for the Identity System and Policy Manager.

  5. Also, if a WebPass and Policy Manager are installed on the same Web server as the WebGate, ensure that the external authentication scheme that you configured in the previous procedure is protecting the Identity and Access domains.

    See the Oracle Access Manager Access Administration Guide for details.

To configure logout for the integration

  1. See"Implementing Global Logout from OracleAS Single Sign-On and Access Server" for details.

4.4 Testing the Integration with OracleAS

After you set up OracleAS and Oracle Access Manager for integration, test to ensure that the integration is successful.

To test Oracle Access Manager single sign-on for OracleAS

  1. Enter the following URL in the browser:

    http://machinename:port/sso/

    where machinename is the machine where the OracleAS Server is installed and port is the port number on which it listens.

    You should be presented with a login page. After you have successfully authenticated, the OracleAS Web resource page appears.

  2. You can try to access various applications as the same user.

    If Oracle Access Manager single sign-on is successful, you will be allowed access to the page without being challenged for authentication.

  3. You can also try to test different authorization rules in the Access System.

    For example, if there are time conditions set for login, you may try logging in at different times.

  4. When you are ready to log out, click the Logout link.

    If Oracle Access Manager single sign-on is successful, you will be logged out of all Oracle Access Manager-protected resources.

4.5 OracleAS 10g Files

The following two sample files can be customized to meet your requirements:

4.5.1 SSOOblixAuth.java

package oblix.security.ssoplugin;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import oracle.security.sso.ias904.toolkit.IPASAuthInterface;
import oracle.security.sso.ias904.toolkit.IPASAuthException;
import oracle.security.sso.ias904.toolkit.IPASUserInfo;
import oracle.security.sso.ias904.toolkit.IPASInsufficientCredException;
import java.net.URL;
import java.util.*;

public class SSOOblixAuth implements IPASAuthInterface
{
    // Name of the header variable set by the Access System authorization action.
    // Must match the HeaderVar name configured in the Policy Manager.
    private static final String OBLIX_USER_HEADER = "XXX_REMOTE_USER";
    private static final String CLASS_NAME = "SSOOblixAuth";

    public SSOOblixAuth()
    {
        System.out.println("Inside SSOOblixAuth constructor.....");
    }

    // Called by the OracleAS Single Sign-On server: read the user ID that the
    // WebGate placed in the header and hand it back as the authenticated user.
    public IPASUserInfo authenticate(HttpServletRequest request)
        throws IPASAuthException, IPASInsufficientCredException
    {
        String oblixUserName = null;

        try
        {
            System.out.println(".............Getting Header Variable............");
            oblixUserName = request.getHeader(OBLIX_USER_HEADER);
            System.out.println("The Header name............." + oblixUserName);
        }
        catch (Exception e)
        {
            throw new IPASInsufficientCredException("No Oblix Header");
        }

        // A missing or empty header means the Access System did not
        // authorize this request, so there is no user to sign on.
        if (oblixUserName == null || oblixUserName.trim().length() == 0)
            throw new IPASInsufficientCredException("No Oblix Header");

        IPASUserInfo authUser = new IPASUserInfo(oblixUserName);
        System.out.println("The IPASUserInfo Class............" + authUser);
        return authUser;
    }

    // The single sign-on login page is not needed because the WebGate has
    // already authenticated the user; return the request URL as a fallback.
    public URL getUserCredentialPage(HttpServletRequest request, String msg)
    {
        System.out.println("Inside Get User Credential Page ..........Should not come here......");

        URL errorURL = null;
        try
        {
            errorURL = new URL(request.getRequestURL().toString());
        }
        catch (Exception ee)
        {
        }
        return errorURL;
    }
}

4.5.2 Logout.jsp

You can use the following sample file as discussed in "Implementing Global Logout from OracleAS Single Sign-On and Access Server".

<!-- Copyright (c) 1999, 2003, Oracle. All rights reserved. -->
<%@page autoFlush="true" session="false"%>
<%
// Declare English Message Strings
String msg1 = "Single Sign-Off";
String msg2 = "Application Name";
String msg3 = "Logout Status";
String msg4 = "ERROR: The return URL value not found.";
String msg5 = "ERROR: Logout URL for partner applications not found.";
// Get the user language preference
String userLocaleParam = null;
java.util.Locale myLocale = null;
// Get the user locale preference sent by the SSO server
try
{
userLocaleParam = request.getParameterValues("locale")[0];
}
catch(Exception e)
{
userLocaleParam = null;
}
if( (userLocaleParam == null) || userLocaleParam.equals("") )
{
myLocale = request.getLocale();
}
else
{
if(userLocaleParam.indexOf("-") > 0 )
{
// SSO server sent the language and territory value (e.g. en-us)
myLocale = new java.util.Locale(userLocaleParam.substring(0, 2), userLocaleParam.substring(3, 5));
}
else
{
// SSO server sent only the language value (e.g. en)
myLocale = new java.util.Locale(userLocaleParam, "");
}
}
// The following two lines will be used only for the Multilingual support with
// proper resource bundle class supplied
// java.util.ResourceBundle myMsgBundle
// = java.util.ResourceBundle.getBundle("MyMsgBundleClassName", myLocale);
// Get the message string in the appropriate language using the message key.
// Use this string to display the message in this page.
// String mesg = myMsgBundle.getString("mesg_key");
%>
<html>
<body bgcolor="#FFFFFF">
<h1><%=msg1%></h1>
<%
String done_url = null;
int i = 0;
// Get the return URL value
try
{
done_url = request.getParameterValues("p_done_url")[0];
}
catch(Exception e)
{
done_url = "";
}
// Get the application name and logout URL for each partner application
try
{
%>
<b> <%=msg2%> &nbsp; <%=msg3%> </b>
<br>
<%-- Substitute an actual host, domain, and port for myhost.us.mydomain.com:7777
     that points to the WebGate. --%>
<img src="http://myhost.us.mydomain.com:7777/access/oblix/lang/en-us/style2/oblixlogo.gif">
<%
for(;;)
{
i++;
String app_name = request.getParameterValues("p_app_name"+i)[0];
String url_name = request.getParameterValues("p_app_logout_url"+i)[0];
%>
<%=app_name%>
&nbsp;
<img src="<%=url_name%>">
<br>
<%
}
}
catch(Exception e)
{
// done_url is set to "" above when p_done_url is absent, so test for both
if(done_url == null || done_url.equals(""))
{
%>
<%=msg4%> <br>
<%
}
if(i>1)
{
%>
<br> <a href="<%=done_url%>">Return</a>
<%
}
else
{
%>
<%=msg5%><br>
<%
}
}
%>
</body>
</html>
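The indexed-parameter contract that Logout.jsp iterates over, as an added example in Python rather than code from the Oracle sample: the parameter names p_done_url, p_app_nameN and p_app_logout_urlN come from the JSP above, the query strings are constructed for the demonstration, and the allowed_schemes filter is an added assumption (the JSP itself does not filter the logout URLs before placing them in img tags).

```python
"""Model of the single sign-off parameters consumed by Logout.jsp.

Added example, not Oracle's code. Parameter names are taken from the sample
JSP; the inputs used in the tests are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# The two error messages the JSP prints (msg4 and msg5).
MSG_NO_RETURN_URL = "ERROR: The return URL value not found."
MSG_NO_PARTNER_URLS = "ERROR: Logout URL for partner applications not found."


def parse_logout_request(query_string):
    """Return (done_url, partners, errors) for a single sign-off request.

    Mirrors the JSP loop: partner applications are read as
    p_app_name1/p_app_logout_url1, p_app_name2/p_app_logout_url2, ...
    and the loop stops at the first index where either parameter is absent.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    done_url = params.get("p_done_url", [""])[0]

    partners = []
    i = 1
    while True:
        names = params.get("p_app_name%d" % i)
        urls = params.get("p_app_logout_url%d" % i)
        if not names or not urls:
            break
        partners.append((names[0], urls[0]))
        i += 1

    errors = []
    if done_url == "":
        errors.append(MSG_NO_RETURN_URL)
    if not partners:
        errors.append(MSG_NO_PARTNER_URLS)
    return done_url, partners, errors


def filter_logout_urls(partners, allowed_schemes=("http", "https")):
    """Added assumption: only fetch absolute http(s) logout URLs.

    Returns (accepted, rejected) lists of (app_name, url) pairs so the page
    can log what it refused instead of silently embedding it.
    """
    accepted, rejected = [], []
    for app_name, url in partners:
        parts = urlsplit(url)
        if parts.scheme in allowed_schemes and parts.netloc:
            accepted.append((app_name, url))
        else:
            rejected.append((app_name, url))
    return accepted, rejected
```

The first function reproduces the JSP's control flow, including the stop condition of the for(;;) loop; the second is the kind of allow-list a deployment would add in front of the img tags so that only partner logout URLs on http or https are requested.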

4.6 Troubleshooting the OracleAS 10g Integration

The following are troubleshooting tips for the Oracle 10g integration.

Problem: With a form-based authentication scheme, while accessing OIDDAS, Forms applications, or externally deployed J2EE applications, the OracleAS Single Sign-On login page is displayed after the Oracle Access Manager form login page.

Solution: This happens if mod_osso uses a POST-based redirection method instead of GET to call the single sign-on server. The redirection method is determined by the value of the OssoRedirectByForm directive. To use the GET method, this directive must be set to false. In Oracle 10g Application Server this value is false by default.

To verify that this directive is set to false

  1. Verify the value of the OssoRedirectByForm directive.

  2. Launch the Oracle Enterprise Manager.

  3. Select the Oracle Application Server instance where the Oracle Infrastructure is installed.

  4. Select the HTTP Server where WebGate is installed and navigate to Advanced Server Properties.

  5. From the list of configured files, select the mod_osso.conf file.

  6. Check whether OssoRedirectByForm is set to true.

    By default the value is false.

  7. If the default directive value is not used, set it to false as shown in the following example:

    <IfModule mod_osso.c>
    OssoIpCheck off
    OssoIdleTimeout off
    OssoConfigFile /private1/iasinst/install_set1/904infra/Apache/Apache/conf/osso/osso.conf
    OssoRedirectByForm off
    </IfModule>

    
  8. Click Apply.

  9. Restart the OracleAS HTTP Server.
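A scripted version of the OssoRedirectByForm check in the steps above, as an added example that is not part of the Oracle documentation: it reads a mod_osso.conf fragment (constructed here, with a placeholder path in place of a real OssoConfigFile value) and reports the effective directive value. Treating an absent directive as the default false follows the text above; accepting both on/off and true/false spellings, and letting the last occurrence win, are assumptions about how the directive may be written.

```python
"""Verify the OssoRedirectByForm directive in a mod_osso.conf fragment.

Added example, not Oracle's code. The directive names come from the
troubleshooting entry above; the fragment below is constructed and the
OssoConfigFile path is a placeholder.
"""

# Constructed fragment in the shape shown in the troubleshooting steps,
# deliberately carrying the setting that causes the symptom.
SAMPLE_MOD_OSSO_CONF = """\
<IfModule mod_osso.c>
    OssoIpCheck off
    OssoIdleTimeout off
    OssoConfigFile /path/to/osso.conf
    OssoRedirectByForm on
</IfModule>
"""

# Assumption: both Apache-style on/off and the true/false spelling used in
# the prose are accepted for this directive.
_TRUE_VALUES = {"on", "true", "yes", "1"}
_FALSE_VALUES = {"off", "false", "no", "0"}


def directive_values(conf_text, directive):
    """Return every value set for a directive, in file order.

    Comment lines are ignored and the directive name is matched
    case-insensitively, as httpd does.
    """
    values = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == directive.lower():
            values.append(parts[1].strip() if len(parts) > 1 else "")
    return values


def redirect_by_form_enabled(conf_text):
    """Effective OssoRedirectByForm value for the fragment.

    An absent directive means the default, which the text above states is
    false. When the directive appears more than once the last one is taken
    (assumption: later directives override earlier ones in the same context).
    """
    values = directive_values(conf_text, "OssoRedirectByForm")
    if not values:
        return False
    last = values[-1].lower()
    if last in _TRUE_VALUES:
        return True
    if last in _FALSE_VALUES:
        return False
    raise ValueError("unrecognised OssoRedirectByForm value: %r" % values[-1])


def check_mod_osso(conf_text):
    """Return a (status, message) pair suitable for a configuration audit."""
    if redirect_by_form_enabled(conf_text):
        return ("FAIL",
                "OssoRedirectByForm is enabled: mod_osso redirects to the SSO "
                "server with POST and the OracleAS login page can appear after "
                "the Oracle Access Manager form. Set it to off.")
    return ("OK", "OssoRedirectByForm is off; mod_osso redirects with GET.")


if __name__ == "__main__":
    print(check_mod_osso(SAMPLE_MOD_OSSO_CONF))
```

Run it against the mod_osso.conf of the HTTP server where WebGate is installed (the file selected in step 5) before and after applying the change in step 7; the FAIL/OK pair is the same decision the manual steps make.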

Problem: How do I find ORASSO and Portal schema passwords?

Solution: Complete the following procedure.

To find these database schema passwords

  1. Log in to Oracle Directory Manager as the superuser orcladmin.

  2. Expand the tree on the left-hand side, as follows:

    Cn= OracleContext

    Cn=Products

    Cn=IAS

    Cn=IAS Infrastructure Databases

    OrclReferenceName=<global database name>

    OrclResourceName=ORASSO

  3. Click the ORASSO entry and look for the value of the orclpasswordattribute attribute (the password for the ORASSO schema).


    Note:

    Similarly, you can click OrclResourceName=PORTAL for the Portal schema password.

Problem: How do I check the single sign-on logs?

Solution: You can view the single sign-on logs from Enterprise Manager (EM).

  1. Log in to EM.

  2. Click the Logs link at the bottom of the page.

    A search screen appears.

  3. From the Available Components list, select Single Sign-on:orasso and move it to Selected Components.

  4. Perform the search to view the single sign-on logs.

Problem: How do I create a default RAD?

Solution: Complete the following steps to create a default RAD:

To create a default RAD

  1. In the OIDDAS console, go to Configuration, then Preference, as usual.

  2. Scroll to the bottom of the page to display Resource Access Information.

  3. Click Create to create a new resource file.

  4. Enter a Resource Name:

    For example, for a default configuration you can use:

    default
    

    Note:

    The resource name created here must match the configuration name in the formsweb.cfg file.

  5. Click Next, fill in the user ID and password and the connect string for the database, and click Submit.

    The user ID is a valid database user, and Database is the database used. For example, if the schema is "scott" and the database is "asdb", the test entries are:

    Username: scott

    Password: tiger

    Database: asdb

Problem: How do I create a user-specific RAD?

Solution: Complete the following steps to create a user-specific RAD:

To create a user-specific RAD

  1. Access the OIDDAS console, as usual.

  2. Select the Directory tab found at the top right hand corner of the page.

  3. Click Create to create a new user.

  4. Select a user name, for example, ssotest with a password of ssotest1.

    You can choose to add all other details.

  5. Scroll to the bottom of the page to Resource Access Information.

  6. Click Create to create a new resource file.

  7. Enter a Resource Name, for example, ssotest_db.

  8. Click Next, fill in the user ID, password, and connect string for the database, then click Submit.

The user ID here is a valid database user. For testing purposes, the default Scott schema can be used. Database is the database used; the default value is asdb. For example, the test entries could be:

Username: scott

Password: tiger

Database: asdb