Oracle9iAS Single Sign-On
Administrator's Guide
Release 3.0.9 Part Number A88732-01
This chapter describes how to administer Oracle9iAS Single Sign-On user accounts and passwords.
This chapter contains the following topics:
Rules for specifying usernames are as follows:
Rules for specifying passwords are as follows:
In order to log in to Oracle9iAS Portal and access non-public information and features, a user must have both an Oracle9iAS Single Sign-On user account and an Oracle9iAS Portal user account.
You only have to create a user's Oracle9iAS Single Sign-On user account, because an Oracle9iAS Portal account is automatically created when you first edit a user's Oracle9iAS Portal settings, or when the user first logs in to Oracle9iAS Portal using the Oracle9iAS Single Sign-On account.
To create an Oracle9iAS Single Sign-On user account:
The Create User page is used to create an Oracle9iAS Single Sign-On user account for a new user.
Table 3-1 describes the fields on the Create User page.
Field | Description
---|---
User Details |
User Name | Enter a username for the account. See Also: "Usernames and Passwords" for rules for specifying usernames.
Password | Enter a password for the account. The user uses this password to confirm that the user is authorized to log in using the account. See Also: "Usernames and Passwords" for rules for specifying passwords. You can establish restrictions on what can be used as a password; for example, you can require passwords to contain a minimum number of characters or to include at least one numeric character. See Also: "Configuring the Login Server" in Chapter 2, "Administrative Basics", for information about establishing password restrictions. You should advise new users to change their password the first time they log in.
Confirm Password | Enter the password again to confirm that you entered it correctly in the Password field.
E-mail Address | Enter the user's e-mail address.
Account Activation and Termination |
Activate Account On | Enter the date when the user can start using the account. Use the format specified to the right of the field.
Terminate Account On | Enter the date when the user will no longer be able to use the account. Use the format specified to the right of the field. Note: If you want the account to be available indefinitely, leave this field blank.
Login Server Privileges |
Login Server Privilege Level | Select which privileges to grant the user on the Login Server. End User: no administrative privileges. Full Administrator: Login Server administrator privileges.
Perform the following steps to create an Oracle9iAS Single Sign-On user account.
By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.
The Create User page displays.
See Also:
"Editing User Accounts" for information about editing Oracle9iAS Single Sign-On user accounts
"Deleting User Accounts" for information about deleting Oracle9iAS Single Sign-On user accounts
The Edit User page is used to specify the properties of Oracle9iAS Single Sign-On user accounts, such as passwords, account termination dates, and Login Server privileges.
Table 3-2 describes the fields in the Edit User page.
Field | Description
---|---
User Details |
User Name | See Also: "Usernames and Passwords" for information about specifying usernames.
Administrator's Password | Enter your password to confirm that you have the authority to reset user account passwords. Note: You only need to enter your password if you are resetting a user's password.
Password | Enter a new password for the account. The user uses this password to confirm that he or she is authorized to log in using the account. See Also: "Usernames and Passwords" for information about specifying passwords.
Confirm Password | Enter the new password again to confirm that you entered it correctly in the Password field.
E-mail Address | Enter the user's e-mail address.
Account Activation and Termination |
Activate Account On | Edit the date when the user can start using the account. Use the format specified to the right of the field.
Terminate Account On | Edit the date when the user will no longer be able to use the account. Use the format specified to the right of the field. Note: If you want the account to be available indefinitely, leave this field blank.
Login Server Privileges |
Login Server Privilege Level | Select which privileges to grant the user on the Login Server. End User: the user has no administrative privileges on the Login Server. Full Administrator: the user is a Login Server administrator and has full administrative privileges on the Login Server.
Perform the following steps to edit an Oracle9iAS Single Sign-On user account.
By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.
The Edit User page displays.
See Also:
This section describes how to delete Oracle9iAS Single Sign-On user accounts.
When you delete a user's Oracle9iAS Single Sign-On account, the user can no longer log in to applications through Oracle9iAS Portal. The user can still log in to external applications but must use the username and password for that particular external application.
Deleting an Oracle9iAS Portal user account does not delete the corresponding Oracle9iAS Single Sign-On user account. The user can therefore still log in to other applications using the Oracle9iAS Single Sign-On user account. Also, if the user attempts to log in to Oracle9iAS Portal using the Oracle9iAS Single Sign-On user account, a new Oracle9iAS Portal user account is automatically created. To prevent a user from logging in to Oracle9iAS Portal, ensure that the user is not an authorized Oracle9iAS Single Sign-On user.
To delete a user account:
See Also:
"Creating User Accounts" for information about creating Oracle9iAS Single Sign-On user accounts
"Editing User Accounts" for information about editing Oracle9iAS Single Sign-On user accounts
Oracle9iAS Portal online documentation for information about deleting Oracle9iAS Portal user accounts
Perform the following steps to delete an Oracle9iAS Single Sign-On user account using Oracle9iAS Portal:
By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.
You can export Oracle9iAS Single Sign-On user accounts from a source Login Server to a target Login Server using the following scripts provided with Oracle9iAS Portal:
Before you can import applications or content areas into an instance of Oracle9iAS Portal, you must first import the Oracle9iAS Single Sign-On user accounts used by those applications and content areas to the Login Server used by that instance of Oracle9iAS Portal.
Perform the following steps to export Oracle9iAS Single Sign-On user accounts.
In the src/wwu directory of the directory in which Oracle9iAS Portal is installed, enter the following:
ssoexp.csh -s sso_schema [-p sso_password] [-d dump_file_name] [-c connect_string]
For Windows NT systems, enter the following:
ssoexp.cmd -s sso_schema [-p sso_password] [-d dump_file_name] [-c connect_string]
where:
Example:
ssoexp.csh -s portal30_sso -p portal30_sso -d export_sso.dmp -c orcl
A dump file with the filename you specified is created that contains all of the required data for the Oracle9iAS Single Sign-On user accounts in the source Login Server.
You can now use the dump file to import Oracle9iAS Single Sign-On user accounts into the target Login Server.
Perform the following steps to import Oracle9iAS Single Sign-On user accounts.
ssoimp.csh -s sso_schema [-p sso_password] [-o from_sso_schema] [-d dump_file_name] [-m merge_mode] [-u db_user_mode] [-c connect_string]
For Windows NT systems, enter the following:
ssoimp.cmd -s sso_schema [-p sso_password] [-o from_sso_schema] [-d dump_file_name] [-m merge_mode] [-u db_user_mode] [-c connect_string]
where:
Example:
ssoimp.csh -s newportal30_sso -p newportal30_sso -o portal30_sso -d export_sso.dmp -m reuse -u public_user -c orcl
The passwords of all the Oracle9iAS Single Sign-On user accounts imported into the target Login Server are reset to the username of the account. You should advise users to change their passwords as soon as possible after the import.
For security purposes, the Login Server administrator specifies password expiration dates. Passwords must also be reset immediately if they are compromised or forgotten.
Changing a password in the Login Server affects access to all of the Oracle9iAS Single Sign-On applications, not just Oracle9iAS Portal. If a user's password is not changed before its expiration date, the user cannot log in until the Login Server administrator resets it for the user.
To administer passwords:
This section contains the following topics:
The Change Password page is used to change passwords.
Table 3-3 describes the fields in the Change Password page.
Field | Description
---|---
User Name | Displays the username.
Old Password | Enter the password that you currently use to log in.
New Password | See Also: "Usernames and Passwords" for information about specifying passwords.
Confirm New Password | Enter the new password again to confirm that you entered it correctly in the New Password field.
Perform the following steps to change the Login Server administrator password.
The Edit Account Information page displays.
The Change Password page displays.
The next time you log in, use the new password.
Perform the following steps to reset a user's password.
By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.
You should advise new users to change their password the first time they log in.
See Also:
"Configuring the Login Server" in Chapter 2, "Administrative Basics", for information about establishing restrictions on passwords
Sometimes users forget their passwords and must have them reset. The Login Server offers a feature that resets a user's password to a random value and then notifies the user of the new password.
This feature can present a security risk, because the user is not authenticated when requesting a reset password for a particular user account. For this reason, the password reset feature is not enabled by default and must be installed.
Perform the following steps to install the password reset feature.
sqlplus portal30_sso/portal30_sso
@ssoreset
The ssoreset script creates the WWSSO_APP_ACCOUNT package in the Login Server schema and grants execute privileges on the WWSSO_APP_ACCOUNT package to PUBLIC. WWSSO_APP_ACCOUNT contains a single procedure, reset_password, that resets a password to a random value. The reset_password procedure calls the WWSSO_ALERT.password_reset_notification procedure.
The WWSSO_ALERT.password_reset_notification procedure informs the user of the new password. If you do not enable the password reset feature, the WWSSO_ALERT.password_reset_notification procedure does not inform the user of the change.
The WWSSO_ALERT package specification is as follows:
```sql
CREATE OR REPLACE PACKAGE wwsso_alert IS
  /* General failure exception. This will be used
   * by the UI to alert the user that the notification
   * failed */
  NOTIFICATION_FAILURE EXCEPTION;

  PROCEDURE password_reset_notification (
    p_user     VARCHAR2,
    p_password VARCHAR2,
    p_email    VARCHAR2 DEFAULT NULL
  );
END wwsso_alert;
```
See Also:
"WWSSO_ALERT Package Body Example" for an example of a package body that sends the newly assigned password through e-mail.
You can create a page that calls the reset_password procedure to allow users to reset their passwords.
The following is an example of how to design a page for resetting a user's password.
```html
<HTML>
<HEAD>
<TITLE>Reset password</TITLE>
</HEAD>
<BODY>
<H1>Reset password</H1>
<!-- The form submits the username to the RESET_PASSWORD procedure through the PL/SQL gateway (DAD) -->
<FORM ACTION="http://server.domain[:port]/pls/dad/schema.WWSSO_APP_ACCOUNT.RESET_PASSWORD">
<B>User Name: </B>
<INPUT TYPE="TEXT" NAME="p_user">
<BR><BR>
<!-- Pages the procedure redirects to on success and on error -->
<INPUT TYPE="HIDDEN" NAME="p_back_url" VALUE="http://server.domain[:port]/pls/dad/schema.home">
<INPUT TYPE="HIDDEN" NAME="p_error_url" VALUE="http://server.domain[:port]/pls/dad/schema.error">
<INPUT TYPE="SUBMIT" VALUE="Reset Password">
</FORM>
</BODY>
</HTML>
```
The following is an example of how you might implement the WWSSO_ALERT package body for informing a user of the new password after resetting it.
```sql
set define ON
set verify OFF

CREATE OR REPLACE PACKAGE BODY wwsso_alert IS

  -- Sends a single message through the SMTP server named by the
  -- &smtp_server substitution variable.
  PROCEDURE send_mail (
    p_sender    IN VARCHAR2,
    p_recipient IN VARCHAR2,
    p_message   IN VARCHAR2
  ) IS
    mailhost  VARCHAR2(80) := '&smtp_server';
    mail_conn utl_smtp.connection;
  BEGIN
    mail_conn := utl_smtp.open_connection(mailhost, 25);
    utl_smtp.helo(mail_conn, mailhost);
    utl_smtp.mail(mail_conn, p_sender);
    utl_smtp.rcpt(mail_conn, p_recipient);
    utl_smtp.data(mail_conn, p_message);
    utl_smtp.quit(mail_conn);
  END;

  -- Called by WWSSO_APP_ACCOUNT.reset_password; e-mails the new password
  -- to the user and reports any delivery problem as NOTIFICATION_FAILURE.
  PROCEDURE password_reset_notification (
    p_user     VARCHAR2,
    p_password VARCHAR2,
    p_email    VARCHAR2 DEFAULT NULL
  ) IS
  BEGIN
    send_mail (
      p_sender    => '&password_administrator',
      p_recipient => p_email,
      p_message   => p_user || ': Your new password is ' || p_password
    );
  EXCEPTION
    WHEN OTHERS THEN
      RAISE NOTIFICATION_FAILURE;
  END;

END wwsso_alert;
/
show errors PACKAGE BODY wwsso_alert
```
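Because reset_password can be invoked without authenticating the requester, an administrator will want a record of every reset the Login Server performs. The following added example (not from the Oracle documentation) is an alternative WWSSO_ALERT package body that writes each notification attempt to a constructed audit table before e-mailing, and refuses to notify when no address was supplied; the table sso_reset_audit, the SMTP host and the sender address are assumptions.

```sql
-- Added example, not Oracle's code. Audit table and addresses are placeholders.
CREATE TABLE sso_reset_audit (
  reset_time DATE          DEFAULT SYSDATE NOT NULL,
  user_name  VARCHAR2(256) NOT NULL,
  recipient  VARCHAR2(256),
  delivered  CHAR(1)       NOT NULL
);
CREATE OR REPLACE PACKAGE BODY wwsso_alert IS
  -- Writes the audit row in its own transaction so it survives even when the
  -- caller rolls back after NOTIFICATION_FAILURE.
  PROCEDURE audit_reset (p_user VARCHAR2, p_email VARCHAR2, p_delivered CHAR) IS
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    INSERT INTO sso_reset_audit (user_name, recipient, delivered)
    VALUES (p_user, p_email, p_delivered);
    COMMIT;
  END;
  PROCEDURE send_mail (p_sender VARCHAR2, p_recipient VARCHAR2, p_message VARCHAR2) IS
    mailhost  VARCHAR2(80) := 'smtp.example.com';  -- placeholder SMTP relay
    mail_conn utl_smtp.connection;
  BEGIN
    mail_conn := utl_smtp.open_connection(mailhost, 25);
    utl_smtp.helo(mail_conn, mailhost);
    utl_smtp.mail(mail_conn, p_sender);
    utl_smtp.rcpt(mail_conn, p_recipient);
    utl_smtp.data(mail_conn, p_message);
    utl_smtp.quit(mail_conn);
  END;
  PROCEDURE password_reset_notification (
    p_user VARCHAR2, p_password VARCHAR2, p_email VARCHAR2 DEFAULT NULL) IS
  BEGIN
    -- p_email defaults to NULL: with no address there is nobody to notify, so
    -- record the attempt and fail instead of opening an SMTP session.
    IF p_email IS NULL THEN
      audit_reset(p_user, NULL, 'N');
      RAISE NOTIFICATION_FAILURE;
    END IF;
    send_mail(p_sender    => 'sso-admin@example.com',   -- placeholder sender
              p_recipient => p_email,
              p_message   => p_user || ': your new password is ' || p_password);
    audit_reset(p_user, p_email, 'Y');
  EXCEPTION
    WHEN NOTIFICATION_FAILURE THEN RAISE;
    WHEN OTHERS THEN
      audit_reset(p_user, p_email, 'N');
      RAISE NOTIFICATION_FAILURE;
  END;
END wwsso_alert;
/
```

Reviewing sso_reset_audit for many rows against one user_name in a short interval, or for rows with delivered = 'N', gives the administrator the visibility that the unauthenticated reset page itself does not provide.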
Copyright © 2001 Oracle Corporation. All Rights Reserved.