Oracle® Application Server Single Sign-On Administrator's Guide
10g Release 2 (10.1.2)
Part No. B14078-01

Glossary

account lockout

Occurs when a single sign-on user submits an incorrect account and password combination more times than Oracle Internet Directory permits. Failed attempts are counted against the account, from any number of workstations, so the limit cannot be evaded by spreading attempts across machines. The default lockout period is 24 hours.
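
The counting rule described above, as an added example that is not part of the Oracle documentation: failures are keyed by account rather than by client address, a correct password is still refused while the lock is in force, and the lock clears once the period has elapsed. The failure threshold and the sample attempts are assumed for illustration; the real threshold is a directory password policy.

```python
# Added example, not Oracle code: a per-account lockout counter mirroring the
# glossary's description. The 24-hour period is the glossary's default; the
# MAX_FAILURES threshold is an assumed value, and `clock` is injectable so the
# expiry can be checked without waiting a day.
import time

LOCKOUT_SECONDS = 24 * 60 * 60   # default lockout period named in the glossary
MAX_FAILURES = 5                 # assumed; the real value is a directory policy


class LockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # account -> consecutive failure count
        self._locked_until = {}   # account -> epoch seconds when the lock ends

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout period elapsed: drop the lock and the failure count.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_attempt(self, account, password_ok, workstation):
        """Return 'locked', 'ok' or 'failed' for one login attempt.

        `workstation` is accepted only to make the point explicit: it is
        deliberately not used to key the counter, so attempts from many
        machines against one account still accumulate.
        """
        if self.is_locked(account):
            return "locked"           # even a correct password is refused
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed attempts: three wrong passwords from three workstations.
    policy = LockoutPolicy(max_failures=3)
    for ws in ("ws1", "ws2", "ws3"):
        print(ws, policy.record_attempt("jsmith", False, ws))
    print("correct password while locked:",
          policy.record_attempt("jsmith", True, "ws1"))
```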

application service provider

Company that installs and maintains Web applications and makes them available to its customers, typically for a fee.

authentication level

Parameter that enables you to specify a particular authentication behavior for an application. You can link this parameter with a specific authentication plugin.

authentication plugin

An implementation of a specific authentication method. OracleAS Single Sign-On has Java plugins for password authentication, digital certificates, Windows native authentication, and third-party access management.

basic authentication

An authentication method whereby login credentials are submitted in the application URL, which is protected by HTTP basic authentication. Basic authentication only Base64-encodes the credentials rather than encrypting them, so the connection should be protected with SSL.

certificate revocation list

A list, published by a certificate authority, of the X.509 certificates it has issued and subsequently revoked before their expiration date. An application checks a presented certificate against this list to determine whether its holder gains access to the application.

dads.conf

The file on the Oracle HTTP Server that is used to configure a database access descriptor (DAD).

database access descriptor (DAD)

Database connection information for a particular OracleAS component such as the single sign-on schema.

digital certificate

In asymmetric encryption, a data structure that vouches for the identity of a public key owner. A certificate is issued by a trusted third party called a certificate authority. As such, it provides assurance that the public key may be safely used to encrypt messages to the key owner.

directory information tree (DIT)

The hierarchical collection of entries that constitute an LDAP directory.

distinguished name

A name that identifies the location of an entry in an LDAP-compliant directory. Also known as a DN. The distinguished name of the user in the example that follows consists of the user's own entry followed by its parent entries in ascending order, from left to right.

cn=jsmith,cn=users,cn=defaultsubscribers,cn=acme,cn=com
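
An added example, not part of the Oracle documentation, of how an application takes such a DN apart: it splits the string into relative distinguished names leaf first, derives the parent entry, and extracts the leaf value (the user's nickname). The splitting follows the RFC 4514 escaping rules so that a comma inside an attribute value is not mistaken for the separator. The first DN in the demo is the glossary's; the escaped variants are constructed inputs, and multi-valued RDNs (joined with "+") are not handled.

```python
# Added example, not Oracle code: an RFC 4514-style DN splitter.
# Only the "\<char>" and ASCII "\XX" hex escapes are handled; multi-valued
# RDNs ("cn=a+sn=b") are out of scope.

HEX_DIGITS = "0123456789abcdefABCDEF"


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, leaf first (left to right).

    Escape pairs are kept intact so an escaped comma inside a value does
    not terminate the RDN.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def unescape(value: str) -> str:
    """Undo backslash escapes in an attribute value (backslash-char and
    backslash-XX ASCII hex pairs)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX_DIGITS for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def rdn_parts(rdn: str) -> tuple:
    """Return (attribute type, value) for a single-valued RDN such as cn=jsmith.

    LDAP attribute types are case-insensitive, so the type is lowercased.
    """
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), unescape(value.strip())


def parent_dn(dn: str) -> str:
    """DN of the parent entry: everything after the leftmost RDN."""
    return ",".join(split_dn(dn)[1:])


def user_nickname(dn: str) -> str:
    """Value of the leaf RDN, e.g. jsmith for the glossary example."""
    return rdn_parts(split_dn(dn)[0])[1]


if __name__ == "__main__":
    example = "cn=jsmith,cn=users,cn=defaultsubscribers,cn=acme,cn=com"
    print(split_dn(example))          # leaf first: ['cn=jsmith', 'cn=users', ...]
    print(parent_dn(example))         # cn=users,cn=defaultsubscribers,cn=acme,cn=com
    print(user_nickname(example))     # jsmith
    # Constructed input: a comma inside a value must be escaped.
    print(rdn_parts("CN=Smith\\, John"))   # ('cn', 'Smith, John')
```

Walking the list returned by split_dn from left to right reproduces the "ascending order" of the glossary entry: each element names the parent of the one before it.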

external application

Applications that do not delegate authentication to the single sign-on server. Instead, they display HTML login forms that ask for application user names and passwords. At the first login, users can choose to have the single sign-on server retrieve these credentials for them. Thereafter, they are logged in to these applications transparently.

forced authentication

The act of forcing a user to reauthenticate if he or she has been idle for a preconfigured amount of time. OracleAS Single Sign-On enables you to specify a global user inactivity timeout. This feature is intended for installations that have sensitive applications.

GET

An authentication method whereby login credentials are submitted as part of the login URL, that is, in the query string. Credentials sent this way can be recorded in browser history, proxy logs, and Web server access logs.

global user inactivity timeout

An optional feature that forces single sign-on users to reauthenticate if they have been idle for a preconfigured amount of time. The global user inactivity timeout is much shorter than the single sign-on session timeout: the inactivity timer restarts with each request, whereas the session timeout is an absolute limit on the session's lifetime.
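
The two timers named in the "forced authentication" and "global user inactivity timeout" entries, as an added example that is not part of the Oracle documentation. The idle timer slides with each request and triggers re-authentication; the session lifetime is absolute and ends the session regardless of activity. Re-authenticating after an idle period restarts the idle timer without extending the session. The timeout values are assumed for illustration, and the clock is injectable so the behaviour can be exercised without waiting.

```python
# Added example, not Oracle code: idle timeout versus absolute session lifetime.
import time


class SsoSession:
    def __init__(self, user, idle_timeout, session_lifetime, clock=time.time):
        if idle_timeout >= session_lifetime:
            # The inactivity timeout is meant to be much shorter than the
            # session lifetime; a longer one could never fire.
            raise ValueError("idle_timeout must be shorter than session_lifetime")
        self.user = user
        self.idle_timeout = idle_timeout
        self.session_lifetime = session_lifetime
        self.clock = clock
        self.created = clock()
        self.last_activity = self.created
        self.active = True

    def touch(self):
        """Evaluate one request against both timers.

        Returns 'active' (and slides the idle timer), 'reauthenticate' when
        the user has been idle for idle_timeout or longer, or 'expired' when
        session_lifetime has elapsed since login regardless of activity.
        """
        now = self.clock()
        if not self.active or now - self.created >= self.session_lifetime:
            self.active = False
            return "expired"
        if now - self.last_activity >= self.idle_timeout:
            return "reauthenticate"
        self.last_activity = now
        return "active"

    def reauthenticated(self):
        """Record a successful forced re-authentication.

        Only the idle timer restarts; the original session lifetime is kept,
        so an idle user cannot extend a session indefinitely by re-logging in.
        Returns False if the session has already expired.
        """
        if self.active and self.clock() - self.created < self.session_lifetime:
            self.last_activity = self.clock()
            return True
        self.active = False
        return False


if __name__ == "__main__":
    # Constructed timeline: 60 s idle timeout inside a 600 s session.
    now = [1000.0]
    s = SsoSession("jsmith", idle_timeout=60, session_lifetime=600,
                   clock=lambda: now[0])
    for t in (1000.0, 1030.0, 1100.0):
        now[0] = t
        print(t, s.touch())
    print("after re-login:", s.reauthenticated(), s.touch())
    now[0] = 1610.0
    print(now[0], s.touch())
```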

globalization support

Multilanguage support for graphical user interfaces. OracleAS Single Sign-On supports 29 languages.

globally unique user ID

A numeric string that uniquely identifies a user. A person may change or add user names, passwords, and distinguished names, but her globally unique user ID always remains the same.

httpd.conf

The file used to configure the Oracle HTTP Server.

identity management realm

Discrete namespace, or DIT, within a single instance of the Oracle Identity Management infrastructure.

iASAdmins

The administrative group responsible for user and group management functions in OracleAS. The single sign-on administrator is a member of the group iASAdmins.

identity management infrastructure database

The database that contains OracleAS Single Sign-On and Oracle Internet Directory.

infrastructure

The OracleAS components responsible for identity management. These components are OracleAS Single Sign-On, Oracle Delegated Administration Services, and Oracle Internet Directory.

LDAP connection cache

To improve throughput, the single sign-on server caches and then reuses connections to Oracle Internet Directory.

legacy application

Older application that cannot be modified to delegate authentication to the single sign-on server. Also known as an external application.

load balancer

Hardware devices and software that balance connection requests between two or more single sign-on servers, either because of heavy load or as failover. BigIP, Alteon, or Local Director are all popular hardware devices. OracleAS Web Cache is an example of load balancing software.

middle tier

That portion of a single sign-on instance that consists of the Oracle HTTP Server and OC4J. The single sign-on middle tier is situated between the identity management infrastructure database and the client.

mod_ossl

The SSL module on the Oracle HTTP Server.

mod_osso

A module on the Oracle HTTP Server that enables applications protected by OracleAS Single Sign-On to accept HTTP headers in lieu of a user name and password once the user has logged into the single sign-on server. The values for these headers are stored in the mod_osso cookie.

mod_osso cookie

User data that the Oracle HTTP Server stores in a cookie in the user's browser. The cookie is created when a user authenticates. When the same user requests another application, the Web server uses the information in the mod_osso cookie to log the user in to the application without contacting the single sign-on server again. This feature speeds server response time.

mod_proxy

A module on the Oracle HTTP Server that makes it possible to use mod_osso to enable legacy, or external, applications.

OC4J (Oracle Containers for J2EE)

A lightweight, scalable container for Java2 Enterprise Edition.

Oracle Delegated Administration Services

A Web service of Oracle Internet Directory that performs user and group management functions.

Oracle Directory Integration and Provisioning

A feature of Oracle Internet Directory that enables an enterprise to use an external user repository to authenticate to Oracle products.

Oracle Directory Manager

A Java-based GUI for managing most functions in Oracle Internet Directory. It is used to create members of the group iASAdmins. It is also used to manage password policies.

Oracle Enterprise Manager

The GUI that monitors server load and user activity on the single sign-on server. Oracle Enterprise Manager monitors other OracleAS components as well.

Oracle HTTP Server

Software that processes Web transactions that use the Hypertext Transfer Protocol (HTTP). Oracle uses HTTP software developed by the Apache Group.

OracleAS Portal

A single sign-on partner application that provides a mechanism for integrating files, images, applications, and Web sites. The External Applications portlet provides access to external applications.

partner application

An OracleAS application or non-Oracle application that delegates the authentication function to the single sign-on server. This type of application spares you from reauthenticating by accepting mod_osso headers.

policy.properties

Multipurpose configuration file for OracleAS Single Sign-On. Contains basic parameters required by the single sign-on server. Also used to configure advanced features such as multilevel authentication.

POST

An authentication method whereby login credentials are submitted in the body of an HTTP POST request from the login form, rather than in the URL.

proxy server

A server that proxies for the real server, or host. In OracleAS Single Sign-On, proxies are used for load balancing and as an extra layer of security. See load balancer.

SSL (Secure Sockets Layer)

A widely used security protocol that uses public-key cryptography to secure communications between a client and server. The client uses the public key in the server's certificate to establish a shared secret key, after which the session traffic is protected with symmetric encryption.

single sign-on SDK

The APIs that enable partner applications for single sign-on. The SDK consists of PL/SQL and Java APIs as well as sample code that demonstrates how these APIs are implemented. Now deprecated.

single sign-on server

Program logic that enables users to log in securely to single sign-on applications such as expense reports, mail, and benefits.

single sign-off

The process by which you terminate a single sign-on session and log out of all active partner applications simultaneously. You can do this by logging out of the application that you are working in.

success URL

The URL to the routine responsible for establishing the session and session cookies for an application.

third-party access management system

Non-Oracle single sign-on system that can be modified to use OracleAS Single Sign-On to gain access to OracleAS applications.

URLC token

The code that passes authenticated user information to the partner application. The partner application uses this information to construct the session cookie.

user name mapping module

A Java module that maps a user certificate to the user's nickname. The nickname is then passed to an authentication module, which uses this nickname to retrieve the user's certificate from the directory.

virtual host

A server that proxies for the real server or servers. In the case of OracleAS Single Sign-On, virtual hosts are used for load balancing between two or more single sign-on servers. They also provide an extra layer of security.