Oracle9iAS Single Sign-On
Administrator's Guide
Release 3.0.9 Part Number A88732-01
This chapter describes the Login Server and Oracle9iAS Single Sign-On, and how you can perform various tasks using them.
This chapter contains the following topics:
This section contains the following topics:
An Oracle9iAS Single Sign-On user account is used to access multiple applications, including Oracle9iAS Portal, with a single username and password. Once you have entered the Oracle9iAS Single Sign-On username and password for one application, you can access other applications without having to log in again.
Note: The username ADMIN is reserved for a specific Login Server administrative purpose. See "Troubleshooting" in Chapter 6, "Deployment Considerations" for information about the ADMIN user.
Login Server administrators create Oracle9iAS Single Sign-On user accounts using the Users portlet, which by default is on the Administer tab of the Oracle9iAS Portal home page.
An Oracle9iAS Portal user account establishes user details, preferences, and privileges within Oracle9iAS Portal.
Oracle9iAS Portal user accounts do not have any privileges on the database itself. However, because Oracle9iAS Portal pages are displayed by executing procedures in the database, an Oracle9iAS Portal user account must have execute privileges on those procedures. To do this, each Oracle9iAS Portal user account must be associated with an Oracle database schema that is authorized to display Oracle9iAS Portal pages.
Oracle9iAS Portal user accounts are created automatically when one of the following occurs:
Oracle9iAS Portal administrators can edit Oracle9iAS Portal user accounts using the Users portlet, which by default is on the Administer tab of the Oracle9iAS Portal home page.
An Oracle database user account (a schema) is used to store database objects, applications, and components, and determines a user's privileges in the database. Database accounts are required because Oracle9iAS Portal and the Login Server are implemented using an underlying Oracle database.
Database administrators can create Oracle database schemas using SQL commands or the Schemas portlet on the Administer Database tab of the Oracle9iAS Portal home page.
When you install Oracle9iAS Portal, several user accounts and schemas are created by default, as described in Table 2-1 and Table 2-2.
This section contains the following topics:
In the Oracle9iAS Portal environment, the Oracle9iAS Portal administrator role allows access to the Administer tab of the Oracle9iAS Portal home page.
If the administrator has also been granted privileges for the Login Server administrator role, the administrator can access the Login Server administration menus.
The Login Server administrator role allows access to the Login Server page and its configuration settings. This allows the Login Server administrator to:
To grant Login Server administrator privileges, you must be:
To grant Login Server administrator privileges to a new Oracle9iAS Single Sign-On user account, see "Creating User Accounts" in Chapter 3, "User Management".
Perform the following steps to grant Login Server administrator privileges to an existing Oracle9iAS Single Sign-On user account.
By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.
The Edit User page displays.
The Oracle9iAS Single Sign-On login page is used to log in to Oracle9iAS Portal.
After you log in, you can access all of the pages, content areas, and applications available to public users, as well as pages, content areas, and applications that have been created for administrative purposes and made available through the Oracle9iAS Portal security mechanism.
Table 2-3 describes the fields in the Oracle9iAS Single Sign-On login page.
This section contains the following topics:
The Edit Login Server page is used to configure the Login Server.
Table 2-4 describes the fields in the Edit Login Server page.
Field | Description
---|---
Password Policy |
Password Life | Enter the number of days that the user's Oracle9iAS Single Sign-On password will remain valid. This value determines when a user's password must be changed or reset.
Number of days before password expiration to show warning | Enter how many days before password expiration a warning message displays to users.
Minimum Password Length | Enter the minimum number of characters that users can specify when choosing passwords.
Password Case Sensitivity | Displays whether passwords are case-sensitive. This setting is established during installation of the Login Server and cannot be modified.
Do not allow password to be the same as user name | Select to prevent users from choosing a password that is the same as their username, such as
Do not allow new password to be the same as current password | Select to prevent users from choosing the same password when renewing an expired password.
Require password to contain at least one numeric digit | Select to require users to include at least one numeric character (0-9) when choosing a password.
Require password to contain at least one character | Select to require users to include at least one alphabetic character (A-Z) when choosing a password.
Account Lock Policy |
Number of login failures allowed from any IP address | Enter the number of failed login attempts that can be made from any IP address before the user account is temporarily locked out. The duration of the lockout is set in the Global lockout duration field. See Also: "User Lockout"
Number of login failures allowed from one IP address | Enter the number of failed login attempts that can be made from a single IP address before login attempts from that IP address are temporarily disabled. See Also: "User Lockout"
Global lockout duration | Enter the number of days that users are prevented from logging into the Login Server after exceeding the number of login failures allowed from any IP address. See Also: "User Lockout"
Lockout duration for one IP address | Enter the number of minutes that users are prevented from logging into the Login Server after exceeding the number of login failures allowed from one IP address. See Also: "User Lockout"
Single Sign-On session duration | Enter the number of hours a user can be logged into the Login Server without timing out and having to log in again.
Verify IP addresses for requests made to the Login Server | Select to verify that the IP address of the browser is the same as the IP address in the authentication request to the Login Server.
Logout Behavior |
Logout closes both the Login Server application and Single Sign-On sessions | Select to end the session for the Login Server application as well as the Oracle9iAS Single Sign-On session when the user clicks the Login Server's logout link.
Logout closes only the Login Server application session | Select to end only the Login Server application session, keeping the Oracle9iAS Single Sign-On session active.
Authentication Mechanism | Displays the authentication method used by the Login Server.
Territory Selection |
Enable Users to Choose Territory | Select to allow users to specify a territory, which determines localization settings such as date, currency, and decimal formats, when logging in.
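The Password Policy fields in Table 2-4 map onto a small set of checks that a login service applies when a user chooses a new password, plus a date comparison on each login to decide whether the password has expired or is inside the warning window. The following Python is an added example written for this guide and is not Oracle's Login Server code; the defaults in PasswordPolicy, the function names, and the sample usernames and passwords are constructed for illustration.

```python
"""Password-policy checks modelled on the Edit Login Server fields.

Added illustrative code, not Oracle's Login Server implementation.
The defaults in PasswordPolicy are constructed examples; each attribute
names the Table 2-4 field it stands in for.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    password_life_days: int = 90      # Password Life
    warning_days: int = 7             # days before expiration to show warning
    min_length: int = 8               # Minimum Password Length
    case_sensitive: bool = True       # Password Case Sensitivity (fixed at install)
    disallow_username: bool = True    # not the same as user name
    disallow_current: bool = True     # not the same as current password
    require_digit: bool = True        # at least one numeric digit
    require_alpha: bool = True        # at least one alphabetic character


def validate_new_password(policy, username, current_password, new_password):
    """Return the list of policy rules the proposed password breaks.

    An empty list means the password is acceptable. Equality checks fold
    case only when the server was installed case-insensitive; in that mode
    'SCOTT' is the same password as 'scott' and is rejected for user scott.
    """
    fold = (lambda s: s) if policy.case_sensitive else str.lower
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.disallow_username and fold(new_password) == fold(username):
        problems.append("same as username")
    if (policy.disallow_current and current_password is not None
            and fold(new_password) == fold(current_password)):
        problems.append("same as current password")
    if policy.require_digit and not any(c.isdigit() for c in new_password):
        problems.append("no numeric digit")
    if policy.require_alpha and not any(c.isalpha() for c in new_password):
        problems.append("no alphabetic character")
    return problems


def password_status(policy, last_changed_iso, today_iso):
    """Classify a password on a given day as 'ok', 'warn' or 'expired'.

    Dates are ISO strings (YYYY-MM-DD). The warning window starts
    warning_days before the expiry date computed from password_life_days.
    """
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    expires_on = last_changed + timedelta(days=policy.password_life_days)
    if today >= expires_on:
        return "expired"
    if today >= expires_on - timedelta(days=policy.warning_days):
        return "warn"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(validate_new_password(policy, "scott", "tiger1234", "scott"))
    print(password_status(policy, "2001-01-01", "2001-03-26"))
```

The checker returns every rule the candidate breaks rather than stopping at the first, which is what a user-facing change-password page needs. Note the interaction with Password Case Sensitivity: because that setting is fixed at installation, the "same as user name" and "same as current password" comparisons must fold case in exactly the way the stored credential does, or a case-insensitive server would accept a password that differs from the username only in case.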
A user lockout occurs when a user submits an invalid username and password combination more times than the Login Server permits. While the lockout is in force, the Login Server refuses the user access even if the correct username and password combination is submitted.
The types of user lockout are:
An IP lockout occurs when a user is not permitted to access the Login Server from a single workstation because the incorrect password has been submitted from that workstation more times than the Login Server permits.
A global lockout occurs when a user is not permitted to access the Login Server from any workstation because the incorrect password has been submitted from more than one workstation more times than the Login Server permits. A global lockout remains in effect for a longer duration than an IP lockout because a global lockout is more likely to indicate a determined attacker.
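The two lockout types, and the four Account Lock Policy fields that set their thresholds and durations, can be modelled with two failure counters per username: one per source IP address and one across all addresses. The Python below is an added example for this guide, not the Login Server's implementation; the thresholds, durations, username and addresses are constructed for the scenario, and time is represented as Unix seconds so it can be stepped through offline.

```python
"""Login-failure tracking with per-IP and global lockouts.

Added illustrative code, not the Login Server's own implementation.
Thresholds, durations, usernames and addresses are constructed examples;
the units follow the Edit Login Server page (global lockout in days,
per-IP lockout in minutes). Time is a Unix timestamp in seconds.
"""
from collections import defaultdict

DAY = 86400
MINUTE = 60


class LockoutTracker:
    def __init__(self, global_failures=10, global_days=1,
                 ip_failures=3, ip_minutes=5):
        self.global_failures = global_failures   # failures allowed from any IP
        self.global_lock = global_days * DAY     # global lockout duration
        self.ip_failures = ip_failures           # failures allowed from one IP
        self.ip_lock = ip_minutes * MINUTE       # lockout duration for one IP
        self._ip_fail = defaultdict(int)         # (user, ip) -> failures
        self._global_fail = defaultdict(int)     # user -> failures, all IPs
        self._ip_locked_until = {}               # (user, ip) -> expiry time
        self._global_locked_until = {}           # user -> expiry time

    def lock_state(self, user, ip, now):
        """Return 'global', 'ip' or None; lapsed locks are cleared here."""
        until = self._global_locked_until.get(user)
        if until is not None:
            if now < until:
                return "global"
            del self._global_locked_until[user]
            self._global_fail[user] = 0
        until = self._ip_locked_until.get((user, ip))
        if until is not None:
            if now < until:
                return "ip"
            del self._ip_locked_until[(user, ip)]
            self._ip_fail[(user, ip)] = 0
        return None

    def attempt(self, user, ip, password_ok, now):
        """Record one login attempt and return its outcome:
        'ok', 'bad_password', 'locked_ip' or 'locked_global'."""
        state = self.lock_state(user, ip, now)
        if state is not None:
            # The correct password does not help while a lock is in force.
            return "locked_" + state
        if password_ok:
            self._ip_fail[(user, ip)] = 0
            self._global_fail[user] = 0
            return "ok"
        self._ip_fail[(user, ip)] += 1
        self._global_fail[user] += 1
        # The global threshold is checked first because it locks every address.
        if self._global_fail[user] >= self.global_failures:
            self._global_locked_until[user] = now + self.global_lock
            return "locked_global"
        if self._ip_fail[(user, ip)] >= self.ip_failures:
            self._ip_locked_until[(user, ip)] = now + self.ip_lock
            return "locked_ip"
        return "bad_password"


def guessing_scenario():
    """Constructed scenario: guesses from three addresses against one
    account, then the legitimate user trying from a fourth address."""
    t = LockoutTracker(global_failures=5, global_days=1,
                       ip_failures=3, ip_minutes=5)
    events = [("10.0.0.5", False, 0), ("10.0.0.5", False, 1),
              ("10.0.0.6", False, 2), ("10.0.0.6", False, 3),
              ("10.0.0.7", False, 4),
              ("192.168.1.20", True, 5),          # real user, now locked out
              ("192.168.1.20", True, 4 + DAY)]    # after the global lock lapses
    return [t.attempt("scott", ip, ok, now) for ip, ok, now in events]


if __name__ == "__main__":
    print(guessing_scenario())
```

Two properties worth checking in any such implementation show up in the scenario: a correct password submitted while a lock is in force is still refused, and an IP lockout on one workstation leaves the user free to log in from another. Because the global counter is keyed on the username alone, anyone who knows a username can drive it to the threshold from a handful of addresses and lock that user out for the whole global lockout duration, so the "any IP address" threshold and its duration in days should be chosen with the cost of a deliberately induced lockout in mind, not only with the attacker's guessing rate.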
The Login Server allows users to log in to Oracle9iAS Portal and to any partner or external application using a single username and password.
To configure the Login Server, perform the following steps:
Copyright © 2001 Oracle Corporation. All Rights Reserved.