Oracle® Application Server Single Sign-On Administrator's Guide 10g (9.0.4) Part Number B10851-01
This chapter explains how to enable the single sign-on server to support multiple realms within one instance of the Oracle identity management infrastructure.
The chapter contains the following topics:
Application service providers are companies that install and maintain Oracle and non-Oracle applications and make them available to their customers, typically for a fee. These companies achieve economies of scale by serving multiple sets of users within the same application instance. The application service provider may, for example, use different realms, or namespaces, within one instance of the Oracle identity management infrastructure to set and store Oracle configuration information unique to different customers.
If user IDs are the only criterion for deciding whether to deploy multiple realms, and there are no ID conflicts, Oracle recommends maintaining users in a single, default realm. The application service provider may, for example, be one who has users log in with an email ID, which is unique. In situations where user IDs conflict, separate realms may be unavoidable. Note, too, that the decision to deploy multiple realms affects how Oracle 10g middle-tier components and customer applications are deployed.
Setting up multiple realms may require resources and administrative overhead beyond those of OracleAS Single Sign-On itself, because other components are involved in the process. In fact, realm configuration is a three-part process that consists of the following:
The first process is discussed in Oracle Internet Directory Administrator's Guide. The second is the subject of this chapter. The third is discussed in product-relevant documentation.
The authentication sequence for single sign-on to multiple realms is much the same as it is for single sign-on in a single, default realm. The only difference from the user's perspective is that, when the user affiliated with the first type of realm is presented the login screen (see Figure 10-1), he must enter not only his user name and password but also a new credential: the realm nickname. Note that the realm nickname is not case sensitive.
This section covers the following topics:
Once the user has entered his credentials, both his realm nickname and user name are mapped to entries in Oracle Internet Directory. More specifically, the single sign-on server uses directory metadata to find the realm's entry in the directory. Once it finds the realm's entry, the single sign-on server uses realm metadata to locate the user. Once the user's entry is found, his password, an attribute of his entry, is validated. And once his password is validated, he is authenticated.
Presented with two users, both with the same nickname but affiliated with different realms, a partner application requires some mechanism for distinguishing between these users. The application requires such a mechanism because it must be able to adapt content--an OracleAS Portal page with stock news and stock listings, for instance--to match the needs of the realm requesting it. Accordingly, OracleAS release 9.0.4 adds the realm nickname, realm DN, and realm GUID as attributes passed to mod_osso. Recall that mod_osso sets a cookie, storing the retrieved attributes as HTTP headers. When deciding what content to offer up, the application may use function calls to retrieve any one of these attributes from mod_osso headers.
For detailed information about mod_osso headers and the methods used to access them, see Appendix D in Oracle Application Server Single Sign-On Application Developer's Guide.
Figure 10-2 shows how applications running in mod_osso see HTTP headers for two users with the same nickname who are affiliated with two different realms. The application uses the headers that appear in bold face to distinguish between the two users. The host, or default realm, in this case is mycompany.com.
Configuring the single sign-on server for multiple realms involves creating an entry for each realm in the single sign-on schema. Every realm that you create in Oracle Internet Directory must have a corresponding entry in the single sign-on schema.
To configure the single sign-on server for multiple realms, complete the steps that follow. Steps 1, 2, and 5 must be completed only once because these steps enable the server for multiple realms. Steps 3 and 4 must be completed each time you add a realm.
Run the enblhstg.csh script using the syntax that follows. See Table 10-1 for an explanation of script parameters:
enblhstg.csh -mode sso -sc sso_schema_connect_string -ss orasso -sw sso_schema_password -h oid_host_name -p oid_port -d "cn=orcladmin" -w oid_bind_password
Here is an example:
enblhstg.csh -mode sso -sc webdbsvr2:1521:s901dev3 -ss orasso -sw orasso -h dlsun670.us.oracle.com -p 389 -d "cn=orcladmin" -w welcome123
Use the following syntax to execute the script:
addsub.csh -name realm_nickname -id realm_ID -mode sso -sc sso_schema_connect_string -ss sso_schema_name -sw sso_schema_password -h oid_host_name -p oid_port -d oid_bind_dn -w oid_bind_dn_password -sp sys_schema_password
Table 10-1 defines parameters for both enblhstg.csh and addsub.csh.
Parameter | Description
---|---
-mode | The value here must be sso.
-sc | The connect string for the single sign-on schema. Use the format shown in the enblhstg.csh example above.
-ss | The name of the single sign-on schema. This parameter must be orasso.
-sw | The password for the single sign-on schema. See Appendix B to learn how to obtain it.
-h | The host name for the Oracle Internet Directory server.
-p | The port number for the Oracle Internet Directory server.
-d | The bind DN for the Oracle Internet Directory server. The value of this parameter is cn=orcladmin.
-w | The password for the Oracle Internet Directory super user, cn=orcladmin.
-name | The realm nickname. This is the value that you enter into the company field on the login page.
-id | The realm ID. Choose an integer greater than 1. The value 1 is reserved for the default realm. The single sign-on server uses realm IDs internally, as an index.
-sp | The SYS schema password (sys_schema_password).
To enable the realm (company) field on the login page, uncomment the following block:

    <!-- UNCOMMENT TO ENABLE MULTIPLE REALM SUPPORT
    <tr>
      <label>
        <th id="c6"><font class="OraFieldText"><%=msgBundle.getString(ServerMsgID.COMPANY_LBL)%></font></th>
        <td headers="c6"> <INPUT TYPE="text" SIZE="30" MAXLENGTH="50" NAME="subscribername" value=""></td>
      </label>
    </tr>
    -->
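The addsub.csh step above has to be repeated for every realm, and the guide's two constraints on its arguments (the realm ID must be an integer greater than 1, and the nickname must be unique because it is matched case-insensitively at login) are easy to get wrong when many realms are added. The following wrapper is an added example, not a script from the Oracle guide or product: it validates a whole realm list before running addsub.csh for any entry, and prints a masked plan in dry-run mode. The list file format, the environment variable names (SSO_SW, OID_W, SYS_SP for the three passwords), and the host names and connect string are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not part of the Oracle guide. A POSIX sh wrapper that runs
# addsub.csh once per realm from a list file, enforcing before anything runs
# the constraints the guide states: realm IDs are integers greater than 1
# (1 is reserved for the default realm) and realm nicknames are unique,
# compared case-insensitively because the nickname is not case sensitive at
# login. Host names and the connect string below are placeholders.

SSO_SC="${SSO_SC:-ssodb.example.com:1521:ssodb}"   # placeholder connect string
SSO_SS="${SSO_SS:-orasso}"
OID_HOST="${OID_HOST:-oid.example.com}"            # placeholder OID host
OID_PORT="${OID_PORT:-389}"
OID_BIND_DN="${OID_BIND_DN:-cn=orcladmin}"
DRY_RUN="${DRY_RUN:-1}"                            # 1 prints the plan, 0 executes

# Return 0 if $1 is an integer greater than 1, otherwise 1.
valid_realm_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1 ]
}

# Validate a realm list: one "nickname realm_id" pair per line, '#' comments
# allowed. Fails on a malformed line, a bad ID, or a duplicate nickname or ID.
check_realm_list() {
    seen_names=" "; seen_ids=" "
    while read -r name id rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        [ -z "$rest" ] || { echo "realm $name: unexpected extra field '$rest'" >&2; return 1; }
        valid_realm_id "$id" || { echo "realm $name: ID '$id' must be an integer greater than 1" >&2; return 1; }
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case "$seen_names" in *" $lname "*) echo "duplicate realm nickname: $name" >&2; return 1 ;; esac
        case "$seen_ids" in *" $id "*) echo "duplicate realm ID: $id" >&2; return 1 ;; esac
        seen_names="$seen_names$lname "; seen_ids="$seen_ids$id "
    done < "$1"
}

# Print the addsub.csh command line for one realm with the three passwords
# masked, so a dry-run plan can be reviewed without exposing credentials.
addsub_cmd() {
    printf 'addsub.csh -name %s -id %s -mode sso -sc %s -ss %s -sw *** -h %s -p %s -d "%s" -w *** -sp ***\n' \
        "$1" "$2" "$SSO_SC" "$SSO_SS" "$OID_HOST" "$OID_PORT" "$OID_BIND_DN"
}

# Add every realm in the list. Nothing is executed unless the whole list
# validates; in run mode the passwords come from SSO_SW, OID_W and SYS_SP
# (assumed variable names) rather than being typed into a shell history.
add_realms() {
    check_realm_list "$1" || return 1
    while read -r name id rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        if [ "$DRY_RUN" = 1 ]; then
            addsub_cmd "$name" "$id"
        else
            addsub.csh -name "$name" -id "$id" -mode sso -sc "$SSO_SC" -ss "$SSO_SS" \
                -sw "$SSO_SW" -h "$OID_HOST" -p "$OID_PORT" -d "$OID_BIND_DN" \
                -w "$OID_W" -sp "$SYS_SP" || return 1
        fi
    done < "$1"
}

# Usage: DRY_RUN=1 sh add_realms.sh realms.txt to review, then DRY_RUN=0 to apply.
if [ $# -gt 0 ]; then add_realms "$1"; fi
```

Validating the complete list before the first addsub.csh call matters because each realm gets a row in the single sign-on schema: a duplicate nickname or a reused realm ID discovered halfway through a batch leaves the schema and Oracle Internet Directory out of step and has to be cleaned up by hand.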
Oracle Internet Directory propagates the DIT structure of the default realm across realms when it creates these realms. Note, however, that the users, groups, and privileges that exist in the DIT of the default realm are not propagated. The directory super user or realm administrator must assign, or reassign, privileges, using Oracle Directory Manager. To learn how to use the tool for this purpose, see "Granting Administrative Privileges" in Chapter 2.
Copyright © 1996, 2003 Oracle Corporation. All Rights Reserved.