Oracle9iAS Single Sign-On Administrator's Guide
Release 3.0.9

Part Number A88732-01

2 Administrative Basics

This chapter describes the Login Server and Oracle9iAS Single Sign-On, and how you can perform various tasks using them.

This chapter contains the following topics:

User Accounts

This section contains the following topics:

Oracle9iAS Single Sign-On User Accounts

An Oracle9iAS Single Sign-On user account is used to access multiple applications, including Oracle9iAS Portal, with a single username and password. Once you have entered the Oracle9iAS Single Sign-On username and password for one application, you can access other applications without having to log in again.


Note:

The username ADMIN is reserved for a specific Login Server administrative purpose. See "Troubleshooting" in Chapter 6, "Deployment Considerations" for information about the ADMIN user. 


Login Server administrators create Oracle9iAS Single Sign-On user accounts using the Users portlet, which by default is on the Administer tab of the Oracle9iAS Portal home page.


Note:

To access the Administer tab of Oracle9iAS Portal, you must also be an Oracle9iAS Portal administrator. 


Oracle9iAS Portal User Accounts

An Oracle9iAS Portal user account establishes user details, preferences, and privileges within Oracle9iAS Portal.

Oracle9iAS Portal user accounts do not have any privileges on the database itself. However, because Oracle9iAS Portal pages are displayed by executing procedures in the database, an Oracle9iAS Portal user account must have execute privileges on those procedures. To do this, each Oracle9iAS Portal user account must be associated with an Oracle database schema that is authorized to display Oracle9iAS Portal pages.

Oracle9iAS Portal user accounts are created automatically when one of the following occurs:

Oracle9iAS Portal administrators can edit Oracle9iAS Portal user accounts using the Users portlet, which by default is on the Administer tab of the Oracle9iAS Portal home page.

See Also:

"Creating User Accounts"  

Oracle Database User Accounts

An Oracle database user account, which follows rules set by the database's schema, is used to store database objects, applications, and components, and to determine a user's database privileges. Database accounts are required because Oracle9iAS Portal and Login Server are implemented using an underlying Oracle database.

Database administrators can create Oracle database schemas using SQL commands or the Schemas portlet on the Administer Database tab of the Oracle9iAS Portal home page.

Default Oracle9iAS Portal User Accounts and Schemas

When you install Oracle9iAS Portal, several user accounts and schemas are created by default, as described in Table 2-1 and Table 2-2.


Warning:

For security reasons, change all user account passwords after initial login. By default, the password is set to the username. Change the password by logging on to the Login Server and editing the appropriate user accounts. 


Table 2-1 Users Created by Default
User  Description 

PUBLIC 

Account created for public users, for use in unauthenticated sessions. This is the account that all sessions are associated with prior to authentication.  

SCHEMA 

Account created for the Database Administrator (DBA) with the highest privileges in Oracle9iAS Portal and the Login Server. 

SCHEMA_ADMIN 

Account created for the Oracle9iAS Portal administrator. This account is similar to the SCHEMA account, however, it does not have privileges that provide access to database administration features, such as creating and managing schemas and other database objects.  

SCHEMA_SSO 

Account created for the Login Server administrator. Since the Login Server is implemented with significant reuse of Oracle9iAS Portal infrastructure code, this user account is created as a result of this reuse. 

SCHEMA_SSO_ADMIN 

Another account created for the Login Server administrator. This user has the same set of privileges as the SCHEMA_SSO user.  

Table 2-2 Database Schemas Created by Default
Schema  Description 

SCHEMA 

The schema in which Oracle9iAS Portal is installed 

SCHEMA_PUBLIC 

The schema associated with Oracle9iAS Portal users by default to execute the procedures that display Oracle9iAS Portal pages 

SCHEMA_DEMO 

The schema that contains the demo applications shipped with Oracle9iAS Portal 

SCHEMA_SSO 

The schema in which the Login Server is installed 

SCHEMA_SSO_PUBLIC 

The schema used to execute the procedures that display Login Server pages 

SCHEMA_SSO_PS 

The schema used by Oracle9iAS Portal to access the Login Server password store 

Administrator Roles

This section contains the following topics:

Oracle9iAS Portal Administrator Role

In the Oracle9iAS Portal environment, the Oracle9iAS Portal administrator role allows access to the Administer tab of the Oracle9iAS Portal home page.

If the administrator has also been granted privileges for the Login Server administrator role, the administrator can access the Login Server administration menus.

Login Server Administrator Role

The Login Server administrator role allows access to the Login Server page and its configuration settings. This allows the Login Server administrator to:

Granting Login Server Administrator Privileges

To grant Login Server administrator privileges, you must be:

To grant Login Server administrator privileges to a new Oracle9iAS Single Sign-On user account, see "Creating User Accounts" in Chapter 3, "User Management".

Perform the following steps to grant Login Server administrator privileges to an existing Oracle9iAS Single Sign-On user account.

  1. Navigate to the Oracle9iAS Portal home page.

  2. In the User portlet, select from the list provided the username of the Oracle9iAS Single Sign-On user account to which you want to grant administrator privileges.

    By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.

  3. Click Edit.

    The Edit User page displays.

  4. In the Administrator's password field, enter your password to confirm that you have the authority to change user account information.

  5. In the Login Server Privilege Level field, select Full Administrator.


    Note:

    To revoke Login Server administrator privileges, select End User. 


  6. Click OK.

    See Also:

    "Login Server Administrator Role"  

Logging In Using Oracle9iAS Single Sign-On

The Oracle9iAS Single Sign-On login page is used to log in to Oracle9iAS Portal.

After you log in, you can access all of the pages, content areas, and applications available to public users, as well as pages, content areas, and applications that have been created for administrative purposes and made available through the Oracle9iAS Portal security mechanism.


Note:

If you try to log in with an incorrect password too many times, the account becomes inaccessible for a certain period of time, depending upon the configuration. 


See Also:

"Administering Passwords" in Chapter 3, "User Management" 

Table 2-3 describes the fields in the Oracle9iAS Single Sign-On login page.

Table 2-3 Oracle9iAS Single Sign-On Login Page
Field  Description 

User Name 

Enter your username. Usernames are always case-insensitive; that is, Portal30_admin is the same as PORTAL30_ADMIN. 

Password 

Enter your password. Depending upon the installation options, passwords are either case-sensitive or case-insensitive. 

Configuring the Login Server

This section contains the following topics:

Edit Login Server Page

The Edit Login Server page is used to configure the Login Server.

Table 2-4 describes the fields in the Edit Login Server page.

Table 2-4 Edit Login Server Page
Field  Description 
Password Policy (section heading; the following fields belong to it) 

Password Life 

Enter the number of days that the user's Oracle9iAS Single Sign-On password will remain valid. This value determines when a user's password must be changed or reset. 

Number of days before password expiration to show warning 

Enter how many days before a password expiration warning message displays to users. 

Minimum Password Length 

Enter the minimum number of characters that users can specify when choosing passwords. 

Password Case Sensitivity 

Displays whether the passwords are case-sensitive. This setting is established during installation of the Login Server and cannot be modified. 

Do not allow password to be the same as user name 

Select to prevent users from choosing a password that is the same as their username, such as janedoe/janedoe. 

Do not allow new password to be the same as current password 

Select to prevent users from choosing the same password when renewing an expired password. 

Require password to contain at least one numeric digit 

Select to require users to include at least one numeric character (0-9) when choosing a password. 

Require password to contain at least one character 

Select to require users to include at least one alphabetic character (A-Z) when choosing a password. 

Account Lock Policy (section heading; the following fields belong to it) 

Number of login failures allowed from any IP address 

Enter the number of failed login attempts that can be made from any IP address before the user account is temporarily locked out. The duration of the lockout is set in the Global Lockout Duration field. See Also: "User Lockout" 

Number of login failures allowed from one IP address 

Enter the number of failed login attempts that can be made from a single IP address before login attempts from that IP address are temporarily disabled. See Also: "User Lockout" 

Global lockout duration 

Enter the number of days that users are prevented from logging into the Login Server after exceeding the number of login failures allowed from any IP address. See Also: "User Lockout" 

Lockout duration for one IP address 

Enter the number of minutes that users are prevented from logging into the Login Server after exceeding the number of login failures allowed from one IP address. See Also: "User Lockout" 

Single Sign-On session duration 

Enter the number of hours a user can be logged into the Login Server without timing out and having to log in again. 

Verify IP addresses for requests made to the Login Server 

Select to verify that the IP address of the browser is same as the IP address in the authentication request to the Login Server.  

Logout Behavior (section heading; the following fields belong to it) 

Logout closes both the Login Server application and Single Sign-On sessions 

Select to end the sessions for the Login Server application as well as the session for Oracle9iAS Single Sign-On when the user clicks the Login Server's logout link. 

Logout closes only the Login Server application session 

Select to end only the Login Server application session, keeping the Oracle9iAS Single Sign-On session active.  

Authentication Mechanism 

Displays the authentication method used by the Login Server. 

Territory Selection (section heading; the following field belongs to it) 

Enable Users to Choose Territory 

Select to allow users to specify territory, which determines localization settings such as date, currency, and decimal formats, when logging in. 
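The Password Policy fields above describe a set of rules but not how they combine. The following is an added example, not code from Oracle or from the Login Server itself: a small checker whose PasswordPolicy fields mirror the page's settings one for one. Everything else is an assumption made for the example: the policy values, the way the username comparison is done (case-insensitively, since Table 2-3 says usernames are always case-insensitive, while password comparison follows the install-time case-sensitivity setting), and that the date of the last password change is recorded per user so that Password Life and the expiration warning can be evaluated.

```python
"""Added example (not Oracle's code): evaluating the Edit Login Server
Password Policy settings against a proposed password and against the
age of the current one.  Policy values and the sample calls are
constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    password_life_days: int         # "Password Life"
    warn_days_before_expiry: int    # "Number of days before password expiration to show warning"
    minimum_length: int             # "Minimum Password Length"
    case_sensitive: bool            # "Password Case Sensitivity" (fixed at install time)
    forbid_same_as_username: bool   # "Do not allow password to be the same as user name"
    forbid_same_as_current: bool    # "Do not allow new password to be the same as current password"
    require_digit: bool             # "Require password to contain at least one numeric digit"
    require_alpha: bool             # "Require password to contain at least one character"


def _same_password(policy, a, b):
    # Passwords compare exactly only when the install made them case-sensitive.
    return a == b if policy.case_sensitive else a.lower() == b.lower()


def validate_new_password(policy, username, new_password, current_password=None):
    """Return the list of rules the proposed password violates (empty means accepted)."""
    problems = []
    if len(new_password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    # Usernames are case-insensitive (Table 2-3), so the comparison ignores case
    # regardless of the password setting; this is a conservative assumption.
    if policy.forbid_same_as_username and new_password.lower() == username.lower():
        problems.append("same as user name")
    if (policy.forbid_same_as_current and current_password is not None
            and _same_password(policy, new_password, current_password)):
        problems.append("same as current password")
    if policy.require_digit and not any(c.isdigit() for c in new_password):
        problems.append("no numeric digit")
    if policy.require_alpha and not any(c.isalpha() for c in new_password):
        problems.append("no alphabetic character")
    return problems


def password_status(policy, last_changed, today):
    """Classify the current password as 'ok', 'warn' (warning shown) or 'expired'."""
    expires_on = last_changed + timedelta(days=policy.password_life_days)
    if today >= expires_on:
        return "expired"
    if (expires_on - today).days <= policy.warn_days_before_expiry:
        return "warn"
    return "ok"


if __name__ == "__main__":
    # Constructed policy: 90-day life, warn 7 days ahead, 8+ characters, all rules on.
    policy = PasswordPolicy(90, 7, 8, True, True, True, True, True)
    print(validate_new_password(policy, "janedoe", "janedoe"))
    print(validate_new_password(policy, "janedoe", "Tr0ubador1", current_password="old1pass"))
    print(password_status(policy, date(2001, 1, 1), date(2001, 3, 30)))
```

The checker returns every violated rule rather than stopping at the first, which is what an administrator wants when deciding which settings are actually biting; the expiry check treats the warning window as the last warn_days_before_expiry days before the Password Life runs out.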

User Lockout

A user lockout occurs when the user submits an invalid username and password combination more times than is permitted by the Login Server. While the lockout is in effect, the Login Server rejects the user's login attempts even if the correct username and password combination is submitted, because the incorrect combination has already been submitted more times than the Login Server permits.

The types of user lockout are:

IP Lockout

An IP lockout occurs when a user is not permitted to access the Login Server from a single workstation because the user has submitted the incorrect password from that single workstation more times than is permitted by the Login Server.

Global Lockout

A global lockout occurs when a user is not permitted to access the Login Server from any workstation because the user has submitted an incorrect password from more than one workstation more times than is permitted by the Login Server. A global lockout remains in effect for a longer duration than an IP lockout because a global lockout is more likely to occur in response to a determined attacker.
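To make the two lockout types and the four Account Lock Policy fields concrete, here is an added simulation of the policy; it is illustrative code written for this page, not the Login Server's implementation. It assumes that failures are counted per user across all addresses (for the global limit) and per user and source IP address (for the IP limit), that a lock lasts exactly the configured duration (days for a global lockout, minutes for an IP lockout), that a successful login resets the counters, and that a locked account is refused even when the correct password is presented, as the text above describes. The policy values, user name, addresses and timestamps are constructed.

```python
"""Added example (not Oracle's code): a tracker for the Account Lock
Policy of the Edit Login Server page, distinguishing an IP lockout
(minutes, one source address) from a global lockout (days, any address).
All counting and reset rules are assumptions made for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LockPolicy:
    failures_from_any_ip: int   # "Number of login failures allowed from any IP address"
    failures_from_one_ip: int   # "Number of login failures allowed from one IP address"
    global_lockout_days: int    # "Global lockout duration" (days)
    ip_lockout_minutes: int     # "Lockout duration for one IP address" (minutes)


@dataclass
class LockoutTracker:
    policy: LockPolicy
    global_failures: dict = field(default_factory=dict)     # user -> failures from any address
    ip_failures: dict = field(default_factory=dict)         # (user, ip) -> failures from that address
    global_locked_until: dict = field(default_factory=dict)  # user -> datetime
    ip_locked_until: dict = field(default_factory=dict)      # (user, ip) -> datetime

    def lock_state(self, user, ip, now):
        """Return 'global', 'ip' or None; an expired lock simply no longer applies."""
        until = self.global_locked_until.get(user)
        if until is not None and now < until:
            return "global"
        until = self.ip_locked_until.get((user, ip))
        if until is not None and now < until:
            return "ip"
        return None

    def attempt(self, user, ip, password_correct, now):
        """Record one login attempt; return 'ok', 'rejected', 'ip-locked' or 'global-locked'."""
        state = self.lock_state(user, ip, now)
        if state == "global":
            return "global-locked"   # refused even if the password is correct
        if state == "ip":
            return "ip-locked"
        if password_correct:
            # Assumption: a successful login clears the failure counters.
            self.global_failures.pop(user, None)
            self.ip_failures.pop((user, ip), None)
            return "ok"
        g = self.global_failures[user] = self.global_failures.get(user, 0) + 1
        i = self.ip_failures[(user, ip)] = self.ip_failures.get((user, ip), 0) + 1
        # The configured numbers are the failures *allowed*; the next one locks.
        if g > self.policy.failures_from_any_ip:
            self.global_locked_until[user] = now + timedelta(days=self.policy.global_lockout_days)
            self.global_failures.pop(user, None)
            return "global-locked"
        if i > self.policy.failures_from_one_ip:
            self.ip_locked_until[(user, ip)] = now + timedelta(minutes=self.policy.ip_lockout_minutes)
            self.ip_failures.pop((user, ip), None)
            return "ip-locked"
        return "rejected"


def run_scenario(policy, user, steps):
    """steps: (ip, password_correct, minutes_after_start); returns one result per step."""
    tracker = LockoutTracker(policy)
    start = datetime(2001, 6, 1, 9, 0)   # constructed start time
    return [tracker.attempt(user, ip, ok, start + timedelta(minutes=m)) for ip, ok, m in steps]


if __name__ == "__main__":
    # Constructed policy: 3 failures per address, 5 in total, 10-minute IP lock, 1-day global lock.
    policy = LockPolicy(failures_from_any_ip=5, failures_from_one_ip=3,
                        global_lockout_days=1, ip_lockout_minutes=10)
    steps = ([("10.0.0.5", False, 0)] * 4          # fourth failure from one address: IP lockout
             + [("10.0.0.9", False, 1)] * 2        # failures continue from a second address
             + [("10.0.0.7", True, 2),             # correct password, still globally locked
                ("10.0.0.7", True, 2 * 24 * 60)])  # two days later the lock has lapsed
    for step, result in zip(steps, run_scenario(policy, "janedoe", steps)):
        print(step, "->", result)
```

Note the ordering the scenario relies on: the per-address limit is lower than the global one, so a single workstation is cut off after minutes while an attack spread over several addresses trips the day-long global lock, which is exactly the rationale the text gives for the two durations.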

Login Server Configuration Procedure

The Login Server allows users to log in to Oracle9iAS Portal and to any partner or external application using a single username and password.

Perform the following steps to configure the Login Server:

  1. Select the Administer tab on the Oracle9iAS Portal home page.

  2. In the Login Server Administration portlet, select Edit Login Server Configuration.

  3. The Edit Login Server page displays.

  4. In the Password Policy section, choose options that set the rules for selecting a valid password.

  5. In the Account Lock Policy section, choose options that set the rules for locking out users from the Login Server after unsuccessful login attempts.

  6. In the Logout Behavior section, choose whether users log out of both the Login Server and the Oracle9iAS Single Sign-On session after clicking the Logout link, or whether they log out of the Login Server only.

  7. Click OK.


Copyright © 2001 Oracle Corporation. All Rights Reserved.