Oracle® Application Server Single Sign-On Administrator's Guide 10g (9.0.4) Part Number B10851-01
This document explains how to configure a single sign-on system that assigns different authentication levels to different partner applications. Such a system enables the administrator to tailor authentication behavior to the security level of the application requested.
The document contains the following topics:
OracleAS Single Sign-On enables you to assign different authentication levels to the applications that it protects. You can then map these authentication levels to specific authentication plugins. You might, for example, configure a highly sensitive application to require a user certificate and a less sensitive application to require a user name and password.
Figure 6-1 illustrates how multilevel authentication works.
The following topics are key to understanding how multilevel authentication works:
Authentication levels are parameters that enable you to specify a particular authentication behavior for an application. You use the policy.properties file to configure the authentication level names and values that make up these parameters. This file is in $ORACLE_HOME/sso/conf. A copy of it appears in Appendix C.
Table 6-1 provides examples of authentication levels. You can customize these to suit your deployment requirements and can provide additional ones.
Authentication Level Names | Authentication Level Values
---|---
LowSecurity | 20
LowMediumSecurity | 30
MediumSecurity | 40
MediumHighSecurity | 50
HighSecurity | 60
The authentication level names must be unique. For example, a system that includes both NoSecurity=10 and NoSecurity=20 is unacceptable. The lower the numeric value of a level, the lower the level of security.
Users who log in at a high level such as MediumHighSecurity and then attempt to access a lower-level application are not rechallenged for credentials. Conversely, users who log in at a low-level application such as LowMediumSecurity and then attempt to access a higher-level one are challenged with the required level.
An authentication plugin is an implementation of a specific authentication method. This method collects a user's credentials and authenticates the user.
You can pair one of the authentication levels introduced in the preceding section with one of the authentication methods described in the bulleted list that follows. The authentication level that an authentication plugin maps to is deployment specific. You use policy.properties to achieve the pairing.
This is the default, standard method.
See Chapter 7 for a discussion of certificate authentication.
See Chapter 8 to learn about this type of authentication.
See Chapter 13.
Applications not configured for a specific authentication level default to password authentication and are assigned an authentication level of MediumSecurity. If you require a different authentication level, you must modify policy.properties. Use the configuration scenario that follows for guidance.
This usage scenario explains how two hypothetical partner applications are configured to use different authentication levels and plugins. It assumes these conditions:
Modify policy.properties with the following configurations.

1. Assign an authentication level to each partner application:

   pa1.mydomain.com\:7777 = HighSecurity
   pa2.mydomain.com\:7777 = MediumSecurity

2. Map each authentication level to its authentication plugin:

   HighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
   MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth

Note that the authentication plugin name is a combination of the authentication level name that you assigned in step 1 and the suffix _AuthPlugin.
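As an added illustration (not code from this guide or from Oracle), the following Python resolver applies the policy.properties conventions described in this chapter: it parses the file, checks that level values are unique, resolves the level and plugin for a partner application (falling back to the MediumSecurity default), and decides whether a session at one level must be rechallenged for a given application. It assumes standard Java .properties syntax, where ':' in a key is escaped as '\:'; the sample file is constructed from this chapter's scenario.

```python
# Added example, not Oracle's code: resolves authentication levels and
# plugins from a policy.properties-style file as described in this chapter.

# Constructed sample based on the scenario in this chapter.
SAMPLE_POLICY = r"""
# authentication level names and values
LowSecurity = 20
LowMediumSecurity = 30
MediumSecurity = 40
MediumHighSecurity = 50
HighSecurity = 60
# partner application -> level (':' in a key is escaped as '\:')
pa1.mydomain.com\:7777 = HighSecurity
pa2.mydomain.com\:7777 = MediumSecurity
# level -> plugin
HighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth
"""

DEFAULT_LEVEL = "MediumSecurity"  # level assigned to unconfigured applications

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and comments; unescape '\\:' in keys."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip().replace("\\:", ":")] = value.strip()
    return props

def has_duplicate_level_values(levels):
    """Two level names sharing one numeric value make the ordering ambiguous."""
    return len(set(levels.values())) != len(levels)

def load_policy(text):
    """Return (level name -> value, app -> level name, level name -> plugin class)."""
    props = parse_properties(text)
    levels = {k: int(v) for k, v in props.items() if v.isdigit()}
    if has_duplicate_level_values(levels):
        raise ValueError("authentication level values must be unique")
    suffix = "_AuthPlugin"
    plugins = {k[:-len(suffix)]: v for k, v in props.items() if k.endswith(suffix)}
    apps = {k: v for k, v in props.items() if v in levels}
    return levels, apps, plugins

def required_level(policy, app):
    """Level name and numeric value an application requires (default if unconfigured)."""
    levels, apps, _ = policy
    name = apps.get(app, DEFAULT_LEVEL)
    return name, levels[name]

def plugin_for(policy, app):
    """Plugin class that authenticates users for the application's level."""
    _, _, plugins = policy
    name, _ = required_level(policy, app)
    return plugins.get(name)

def needs_rechallenge(policy, session_level_name, app):
    """True when the session's level is numerically lower than the application requires."""
    levels, _, _ = policy
    _, required = required_level(policy, app)
    return levels[session_level_name] < required
```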
Copyright © 1996, 2003 Oracle Corporation. All Rights Reserved.