Oracle® Identity and Access Management Introduction 10g (10.1.4.0.1) Part Number B31291-01
Oracle Application Server (OracleAS) Single Sign-On enables you to use a single user name, password, and optionally a realm ID to log in to all features of OracleAS as well as to other Web applications.
Oracle components delegate the login function to the OracleAS Single Sign-On server. When a user first logs into an Oracle component, the component redirects the login to the OracleAS Single Sign-On server. The OracleAS Single Sign-On server authenticates the user by verifying the credentials entered by the user against those stored in Oracle Internet Directory. After authenticating the user, and throughout the rest of the session, the OracleAS Single Sign-On server grants the user access to all the components the user both seeks and is authorized to use.
See Also: Oracle Application Server Single Sign-On Administrator's Guide for information about OracleAS Single Sign-On.
OracleAS Single Sign-On provides the following benefits:
Reduced administrative costs—The single sign-on server eliminates the need to support multiple accounts and passwords.
Convenient login—Users do not have to maintain a separate user name and password for each application that they access.
Increased security—When a password is required only once, users are less likely to use simple, easily exposed passwords or to write these passwords down.
Oracle Application Server Single Sign-On provides the following features:
Federated Authentication—You can implement federated authentication using Oracle Application Server Single Sign-On and Oracle Identity Federation. Federated single sign-on permits users to access information on different corporate Web sites while authenticating to only one of those sites. You can configure either Oracle Application Server Single Sign-On or Oracle Identity Federation to be the authentication mechanism for users who want to access resources that are protected by either product.
Identity Management Grid Control Plug-in—As of Oracle Application Server 10g (10.1.4.0.1), you can manage Oracle Directory Integration Platform with Identity Management Grid Control Plug-in, which uses the features of Oracle Enterprise Manager 10g Grid Control.
See Also: The "Identity Management Grid Control Plug-in" chapter in Oracle Identity Management Infrastructure Administrator's Guide.
Global User Inactivity Timeout—The global user inactivity timeout is a feature that enables applications to force you to reauthenticate if you have been idle for a preconfigured amount of time. This timeout is a useful feature for sensitive applications that require a shorter user inactivity timeout than the single sign-out session timeout.
Wireless Option—You can use mobile, or wireless, devices such as personal digital assistants, cellular phones, and voice recognition systems to access OracleAS applications. If you select the wireless option when installing OracleAS, Portal-to-Go, the gateway for mobile devices, is registered with the single sign-on server automatically.
See Also: for more information about Oracle Application Server Wireless.
Single Sign-Off—You can terminate a single sign-on session and log out of all active partner applications simultaneously. Clicking Logout in a partner application takes you to the single sign-off page, where logout occurs.
Changing Passwords—When your password is about to expire, Oracle Application Server Single Sign-On presents the change password screen. To change or reset a password under other circumstances, a nonadministrative user can use Oracle Delegated Administration Services.
OracleAS Single Sign-On interacts with several components. They include:
Single Sign-On Server—The single sign-on server consists of program logic that enables users to log in securely to single sign-on applications such as expense reports, mail, and benefits. The single sign-on server program logic resides in the Oracle Application Server database, Oracle HTTP Server, and OC4J server.
Partner Application—an Oracle Application Server application or non-Oracle application that delegates the authentication function to the OracleAS Single Sign-On server. This type of application spares users from reauthenticating by accepting headers from an authentication module named mod_osso. Examples of partner applications include OracleAS Portal, OracleAS Discoverer, and Oracle Delegated Administration Services.
External Application—a non-Oracle application that displays an HTML login form that asks for an application user name and password. At the first login, a user can select the Remember My Login Information For This Application check box. On subsequent logins, the server uses the single sign-on user name to locate and retrieve the application user name and password and to log the user in without requiring the user to authenticate.
mod_osso—an Oracle HTTP Server module that provides authentication to OracleAS applications. Mod_osso works only with the Oracle HTTP listener. You can use OracleAS SSO Plug-in to protect applications that work with third-party listeners such as Sun One and IIS.
See Also: Oracle Identity Management Application Developer's Guide for more information about mod_osso.
Oracle Internet Directory—the repository for all single sign-on user accounts and passwords, both administrative and nonadministrative. The single sign-on server authenticates users against their entries in the directory. At the same time, it retrieves user attributes from the directory that enable applications to validate users.
Nonadministrative users first gain access to the single sign-on server by entering the URL of a partner application such as OracleAS Portal. Entering such a URL invokes the single sign-on login screen. Once they have entered the correct user name and password, users gain access to other partner applications and to external applications without having to provide credentials again.
Administrative users can access the administration home page for single sign-on by typing a URL of this form:
http://host:port/sso
where host is the computer where the single sign-on server is located and port is the port number of the server. If the server is enabled for SSL, https must be substituted for http. If the port number is 80 or 443 (SSL), it may be omitted from the URL. These numbers are the defaults.
Figure 8-1 shows what happens when the user requests the URL of a partner application that is protected by mod_osso. This illustration shows the single sign-on server and the partner application server residing on separate computers, one placed above the other. To the left of the partner application server is the browser. Attached to the single sign-on server is a box that represents Oracle Internet Directory. Arrows show the browser requesting an application, being redirected to the single sign-on server, and, finally, being redirected back to the partner application.
The user tries to access a partner application.
The user is redirected to the single sign-on server. The server challenges the user for credentials. After verifying the credentials in Oracle Internet Directory, the server sets the SSO session cookie and passes an authentication token to the partner application.
The application serves up the requested content.
Requesting access to a partner application initiates the partner application login process. The following occurs if you are accessing a new partner application after having already logged in to the Single Sign-On server:
The user tries to access a partner application.
The user is redirected to the single sign-on server. The server does not challenge the user for authentication credentials. The SSO session cookie is used to validate the user identity.
The server passes an authentication token to the partner application.
The application serves the requested content.
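The following is an added example, not Oracle's code, that models the two partner-application sequences above (first login with a credential challenge, then a second partner application served from the existing SSO session cookie without a challenge). The page does not describe the format of the SSO session cookie or of the authentication token, so the example assumes an opaque random cookie and an HMAC-signed "user|partner|timestamp" token that the partner application (playing the mod_osso role) checks for signature, partner name and age. The Directory class stands in for Oracle Internet Directory, and all user names and passwords are constructed sample data.

```python
"""Simplified model of the mod_osso partner-application login flow (added example)."""
import hashlib
import hmac
import secrets
import time


class Directory:
    """Stands in for Oracle Internet Directory: stores salted password hashes only."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password):
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, self._hash(password, salt))

    def verify(self, name, password):
        rec = self._users.get(name)
        if rec is None:
            return False
        return hmac.compare_digest(self._hash(password, rec[0]), rec[1])


class SSOServer:
    """Single sign-on server: challenges once, then reuses the SSO session cookie."""

    def __init__(self, directory, secret):
        self.directory = directory
        self.secret = secret          # assumption: key shared with the partner-side check
        self.sessions = {}            # SSO cookie value -> user name

    def sign(self, payload):
        return hmac.new(self.secret, payload.encode(), "sha256").hexdigest()

    def login(self, sso_cookie, partner, credentials=None):
        """Step 2 of the flow. Returns ("challenge", None, None) when the user must
        authenticate, or ("token", token, cookie) with a fresh or existing cookie."""
        user = self.sessions.get(sso_cookie)
        if user is None:
            if credentials is None or not self.directory.verify(*credentials):
                return ("challenge", None, None)
            user = credentials[0]
            sso_cookie = secrets.token_urlsafe(32)   # new session after successful login
            self.sessions[sso_cookie] = user
        payload = f"{user}|{partner}|{int(time.time())}"
        return ("token", payload + "." + self.sign(payload), sso_cookie)


class PartnerApp:
    """Partner application: delegates authentication and accepts only tokens
    signed by the SSO server, bound to its own name, and recent (mod_osso role)."""

    def __init__(self, name, sso, max_age=300):
        self.name, self.sso, self.max_age = name, sso, max_age

    def accept_token(self, token):
        payload, _, sig = token.rpartition(".")
        if not hmac.compare_digest(sig, self.sso.sign(payload)):
            return None
        user, partner, ts = payload.split("|")
        if partner != self.name or time.time() - int(ts) > self.max_age:
            return None
        return user


class Browser:
    """Holds the SSO session cookie and walks the redirect app -> SSO server -> app."""

    def __init__(self):
        self.sso_cookie = None

    def visit(self, app, credentials=None):
        status, token, cookie = app.sso.login(self.sso_cookie, app.name, credentials)
        if status == "challenge":
            return "login screen"
        self.sso_cookie = cookie
        user = app.accept_token(token)
        return f"content for {user}" if user else "rejected"


if __name__ == "__main__":
    directory = Directory()
    directory.add_user("alice", "correct horse battery")      # constructed sample user
    sso = SSOServer(directory, b"constructed-demo-secret")
    portal, discoverer = PartnerApp("portal", sso), PartnerApp("discoverer", sso)
    browser = Browser()
    print(browser.visit(portal))                                   # login screen
    print(browser.visit(portal, ("alice", "correct horse battery")))  # content for alice
    print(browser.visit(discoverer))                               # content for alice, no challenge
```

Two points the model makes visible: the partner application never sees the directory password, only a token it can verify, and a token issued for one partner application is rejected by another because the partner name is part of the signed payload.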
External applications are available through OracleAS Portal, a single sign-on partner application.
This section contains these topics:
Accessing the External Applications Portlet in OracleAS Portal
Authenticating to an External Application for the First Time
Authenticating to an External Application After the First Time
To gain access to an external application, you select the External Applications portlet on the OracleAS Portal home page; then, from the list of external applications that appears, you select an application.
Selecting an application in the External Applications portlet initiates the external application login procedure. The following occurs if you are accessing the application for the first time:
The external application login procedure checks the single sign-on password store for your credentials. If it finds no credentials, the single sign-on server prompts you for them.
You enter your user name and password. You can save these credentials in the password store by selecting the Remember My Login Information check box on the application login screen.
If you elect to save your credentials in the password store, the server uses these credentials to construct a login form to submit to the login processing routine of the application. This routine has been preconfigured by the administrator and is associated with the requested application.
The server sends the form to the client browser, with a directive to post it immediately to the external application.
The client posts the form to the external application and logs you in.
If you decline to save your credentials in the password store, you must enter a user name and password each time that you log in.
If you saved your credentials when accessing an external application for the first time, the single sign-on server retrieves your credentials for you during subsequent logins. The process works like this:
You click one of the links in the External Applications portlet of OracleAS Portal.
The external application login procedure checks the password store for your credentials.
The single sign-on server finds your credentials and uses them to construct a login form to submit to the login processing routine of the application. This routine has been preconfigured by the administrator and is associated with the requested application.
The server sends the form to the client browser, with a directive to post it immediately to the external application.
The client posts the form to the external application and logs you in.
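The following added example, not Oracle's code, covers both external-application sequences above: the first-time login (prompt, optional save in the password store) and the subsequent login (credentials retrieved from the store). It builds the login form that the server sends to the browser with a directive to post it immediately. The page does not describe how an administrator's preconfigured login processing routine is stored, so the application registration (login URL, field names, extra fields) and the password-store layout are assumptions; the application name, URL, user names and passwords are constructed sample data. The requirement that the login URL use https is an added safeguard, since the browser posts the stored password to that URL.

```python
"""Auto-posting login form for an external application (added example)."""
import html

# Constructed: per-application login processing routine registered by the administrator.
EXTERNAL_APPS = {
    "legacy-mail": {
        "login_url": "https://mail.example.test/login.cgi",   # constructed URL
        "user_field": "uid",
        "password_field": "pw",
        "extra_fields": {"action": "login"},
    },
}


class PasswordStore:
    """Keyed by (single sign-on user, application id).  A real store must encrypt
    the application passwords at rest; this in-memory dict is for illustration."""

    def __init__(self):
        self._store = {}

    def save(self, sso_user, app_id, app_user, app_password):
        self._store[(sso_user, app_id)] = (app_user, app_password)

    def lookup(self, sso_user, app_id):
        return self._store.get((sso_user, app_id))


def build_auto_post_form(app, app_user, app_password):
    """Return an HTML page whose form posts the application credentials on load."""
    if not app["login_url"].startswith("https://"):
        raise ValueError("refusing to post credentials over a non-TLS login URL")
    fields = {app["user_field"]: app_user, app["password_field"]: app_password}
    fields.update(app["extra_fields"])
    # Every value is HTML-escaped so a password containing quotes or angle brackets
    # cannot break out of the hidden input.
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for n, v in fields.items()
    )
    action = html.escape(app["login_url"], quote=True)
    return (
        "<html><body onload=\"document.forms[0].submit()\">\n"
        f'  <form method="post" action="{action}">\n{inputs}\n'
        '    <noscript><input type="submit" value="Continue"></noscript>\n'
        "  </form>\n</body></html>"
    )


def external_app_login(store, sso_user, app_id, entered=None, remember=False):
    """Walk the external-application login procedure.

    entered:  (app_user, app_password) typed on the application login screen, or None
    remember: True when the Remember My Login Information check box was selected
    Returns ("prompt", None) when credentials are needed, else ("post", html_form).
    """
    app = EXTERNAL_APPS[app_id]
    creds = store.lookup(sso_user, app_id)
    if creds is None:
        if entered is None:
            return ("prompt", None)          # no stored credentials: ask the user
        if remember:
            store.save(sso_user, app_id, *entered)
        creds = entered                      # used once even if not saved
    return ("post", build_auto_post_form(app, *creds))


if __name__ == "__main__":
    store = PasswordStore()
    print(external_app_login(store, "alice", "legacy-mail"))            # ('prompt', None)
    status, form = external_app_login(store, "alice", "legacy-mail",
                                      entered=("al", "s3cret"), remember=True)
    print(status)                                                       # post
    print(external_app_login(store, "alice", "legacy-mail")[0])         # post, no prompt
```

Declining to save keeps the store empty, so the next call for that user and application returns the prompt again, which is the behaviour the text describes for users who do not select the check box.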
Unlike partner applications, external applications do not cede logout control to the single sign-on server. It is the user's responsibility to log out of each of these applications.