Oracle Workflow Guide
Release 2.6.2
Part Number A95265-03 |
|
Step 4 Synchronizing Workflow Directory Services with Oracle Internet Directory
If you are using the standalone version of Oracle Workflow, and you have installed Oracle9i
Release 2 or higher or Oracle9iAS Release 2 or higher, you can synchronize the user information in your Workflow directory service with Oracle Internet Directory (OID) using Lightweight Directory Access Protocol (LDAP). This integration is recommended because it enables you to manage and publish user information in a central location which various systems can reference.
Synchronization with OID enables Oracle Workflow to do the following:
- Assign ownership of work items and send notifications to users defined in OID.
- Synchronize with other external user directories that are synchronized with OID.
- Participate in single sign-on through LDAP external authentication with Oracle Portal and Oracle9iAS Single Sign-On Server, if you have installed Oracle9iAS Release 2 or higher. With single sign-on, a user who is logged into any participating Oracle9iAS component is automatically authenticated when accessing any other participating component and does not need to log in again.
Context:
You need to perform this step only once.
Oracle Internet Directory
Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of Oracle9i
.
LDAP is a standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. LDAP was conceived as an internet-ready, lightweight implementation of the International Standardization Organization (ISO) X.500 standard for directory services. It requires a minimal amount of networking software on the client side, which makes it particularly attractive for internet-based, thin client applications.
The advantages of OID include:
- Scalability - Oracle Internet Directory exploits the strengths of Oracle9i, enabling support for terabytes of directory information. In addition, such technologies as multithreaded LDAP servers and database connection pooling allow it to support thousands of concurrent clients with subsecond search response times.
- Oracle Internet Directory also provides data management tools, such as Oracle Directory Manager and a variety of command-line tools, for manipulating large volumes of LDAP data.
- High availability - Oracle Internet Directory is designed to meet the needs of a variety of important applications. For example, it supports full, multimaster replication between directory servers: If one server in a replication community becomes unavailable, then a user can access the data from another server. Information about changes made to directory data on a server is stored in special tables on the Oracle9i database. These are replicated throughout the directory environment by Oracle9i Replication, a robust replication mechanism.
- Oracle Internet Directory also takes advantage of all the availability features of Oracle9i. Because directory information is stored securely in the Oracle9i database, it is protected by Oracle's backup capabilities. Additionally, the Oracle9i database, running with large datastores and heavy loads, can recover from system failures quickly.
- Security - Oracle Internet Directory offers comprehensive and flexible access control. An administrator can grant or restrict access to a specific directory object or to an entire directory subtree. Moreover, Oracle Internet Directory implements three levels of user authentication: anonymous, password-based, and certificate-based using Secure Socket Layer (SSL) Version 3 for authenticated access and data privacy.
- Synchronization with other directories - Oracle Internet Directory includes the Oracle Directory Integration platform that enables you to synchronize with other enterprise repositories, including third-party LDAP directories.
Oracle9iAS Single Sign-On uses Oracle Internet Directory to store user entries. It maps users for any partner application to user entries in OID entries, and authenticates them by using LDAP mechanisms.
See Also
Oracle Internet Directory Administrator's Guide
Oracle9iAS Single Sign-On
Oracle9i
AS Single Sign-On is a component of Oracle9i Application Server that provides a framework for secure single sign-on, allowing users to log in to multiple Web-based applications by entering a user name and password only once.
Oracle9iAS Single Sign-On provides the following benefits:
- Ease of administration and reduced administrative costs, because user names and passwords can be stored and maintained outside of any particular application and shared across the enterprise
- Convenient login experience, because users do not need to maintain a separate username and password for each application they access
- Increased security, because when the password is only required once, users are less likely to use simple, easy-to-remember passwords or write them down
The core of the Oracle9i
AS Single Sign-On technology is the Login Server. The Login Server authenticates users and passes their identities to the partner applications that are integrated with it.
Partner applications support a single sign-on mechanism that enables them to accept a user's username and password as validated by the Login Server. A partner application delegates its authentication to the Login Server. If a partner application is registered with the Login Server, users can log into it using the single sign-on mechanism.
With mod_osso, an Oracle module that enables single sign-on, Oracle HTTP Server becomes a partner application of the Login Server. Oracle Workflow uses Oracle HTTP Server as its Web server. If you implement Oracle Internet Directory/Single Sign-On integration, Oracle Workflow participates in single sign-on by using mod_osso to authenticate access to its secured web pages.
When a user first tries to access a secured Workflow web page, the Workflow security package WFA_SEC checks the CGI environment variable REMOTE_USER for user information. If the user is not already logged in to Oracle Workflow or another Oracle9iAS Single Sign-On participating application, the user will be prompted to log in before the page appears.
Note: The WFA_SEC package must be loaded as a post-install step if you choose to implement Oracle Internet Directory/Single Sign-On integration. For more information, see your installation documentation.
To set the variable REMOTE_USER, Oracle HTTP Server internally calls to mod_osso. Acting as an Oracle9iAS Single Sign-On partner application, mod_osso transparently redirects the user to the Login Server to obtain authentication credentials, if no application cookie is present.
The Login Server performs the following steps:
- Prompts the user for the user name and password, if no login cookie is present.
- Authenticates the user by means of the user name and password, using external repository authentication that relies on an LDAP-compliant directory, specifically Oracle Internet Directory. The Login Server binds to OID and then looks up the user credentials stored in the directory.
- Stores an encrypted login cookie on the authenticated client.
- Transparently redirects the user to the partner application, mod_osso, by using a URL with an encrypted parameter containing the user's identity.
Oracle HTTP Server with mod_osso then performs the following steps:
- Establishes its own session management (for example, determining what, if any, access privileges to grant to the user).
- Sets a partner application cookie so that subsequent user access does not require a redirect to the Login Server.
- Presents the requested application page to the user.
If, during the same session, the user again seeks access to the same or to a different partner application, the Login Server does not prompt the user for a username and password. Instead, the Login Server obtains the information from the login cookie that is already on the client browser. The login cookie provides the Login Server with the user's identity and indicates that authentication has already been performed. If there is no login cookie, the Login Server presents the user with a login page.
To guard against eavesdropping, the Login Server can send the login cookie to the client browser over an encrypted SSL channel.
The login cookie expires with the session, either at the end of a time interval specified by the administrator, or when the user exits the browser. The login cookie is never written to disk.
Note: To log out of a partner application and log in as another user, the user must also log out of the Login Server session. Otherwise, the authentication request returns the partner application to the logged in state of the previous user.
See Also
Oracle9iAS Single Sign-On Administration Guide
Oracle9iAS Single Sign-On Application Developer's Guide
Oracle Internet Directory Synchronization
Oracle Workflow provides APIs to synchronize the user information in your Workflow directory service with OID. These APIs are defined in a PL/SQL package called WF_LDAP. See: Workflow LDAP APIs
.
Note: OID integration includes only individual users, not user groups. Workflow roles are not maintained through OID.
To Synchronize Workflow Directory Services with OID
- 1. Ensure that the following PL/SQL packages required for LDAP synchronization are loaded in your database:
- DBMS_LDAP--This package contains the functions and procedures which can be used to access data from LDAP servers.
- WFA_SEC--This package contains Workflow security functions and procedures.
- For the standalone version of Oracle Workflow, installation of these packages is completed as part of the post-installation steps after you install the Oracle Workflow server.
- 2. For single sign-on integration, ensure that the Database Access Descriptor for Oracle Workflow is protected in the mod_osso configuration file. For the standalone version of Oracle Workflow, mod_osso configuration is completed as part of the post-installation steps after you install the Oracle Workflow server.
- 3. Ensure that the following global Workflow preferences are set to the appropriate information for your OID installation. See: To Set Global User Preferences.
- LDAP Changelog Base Directory
- 6. To begin the synchronization, run the WF_LDAP.Synch_all( ) API. This function retrieves all the existing user information from OID, based on the LDAP directory information specified in the Global Workflow Preferences, and raises the oracle.apps.wf.public.user.change event. The predefined subscription to this event that you enabled loads the user information into the WF_LOCAL_USERS table.
- Because Synch_all( ) retrieves information for all users stored in OID, you should use this function only once during setup. If necessary, however, you can also run Synch_all( ) as required for recovery or cleanup.
- Use the following commands to run Synch_all( ):
declare
res boolean := FALSE;
begin
wf_log_pkg.WF_DEBUG_FLAG := TRUE;
res := wf_ldap.synch_all();
if (res) then
dbms_output.put_line('succeeded');
else
dbms_output.put_line('failed ');
end if;
end;
/
- 7. Subsequently, you must maintain the synchronization between your Workflow directory service and OID by retrieving and loading only changed OID user information. It is recommended that you update the user information every ten minutes.
- You can use either WF_LDAP.Synch_changes( ) or WF_LDAP.Schedule_changes( ) to retrieve changed user information from OID. WF_LDAP.Synch_changes( ) identifies LDAP user changes in OID, including creation, modification, and deletion, by querying the LDAP change log records. The function connects to OID based on the LDAP directory information specified in the Global Workflow Preferences. If there is a change, the function retrieves the user information from OID and raises the oracle.apps.wf.public.user.change event. The predefined subscription to this event that you enabled loads the changed user information into the WF_LOCAL_USERS table. You can use WF_LDAP.Synch_changes( ) to perform a single update.
- To continue updating user information periodically, use WF_LDAP.Schedule_changes( ). This procedure submits a database job using the DBMS_JOB utility to run WF_LDAP.Synch_changes( ) repeatedly at an interval that you specify. The default interval, which is also the recommended frequency to check for updates, is ten minutes.
- You can create a script to run WF_LDAP.Schedule_changes( ). For example, to run the API at an interval of ten minutes, create a SQL file with the following commands:
declare
begin
wf_log_pkg.WF_DEBUG_FLAG := TRUE;
wf_ldap.schedule_changes(0,0,10);
end;
/
- Then run SQL*Plus and load your new script to the database.
Note: You must terminate the running of any WF_LDAP APIs before changing your LDAP setup, such as by migrating to a different LDAP server.
Attention: If you implement OID integration, you must maintain your users only through OID. You must not create ad hoc users in the WF_LOCAL_USERS table, because you risk discrepancies in your user information and unpredictable results if you use any tool other than OID to maintain users after integrating with OID. Consequently, if you implement OID integration, you must not use the CreateAdHocUser( ), SetAdHocUserStatus( ), SetAdHocUserExpiration( ), or SetAdHocUserAttr( ) APIs in the WF_DIRECTORY package.
You can still use ad hoc roles, however, since Workflow roles are not maintained through OID.
See Also
Setting Global User Preferences
Workflow LDAP APIs
User Entry Has Changed Event
Managing Job Queues, Oracle Administrator's Guide
Workflow Directory Service APIs
|
Copyright © 1996, 2002 Oracle Corporation.
All Rights Reserved.
