Oracle® Application Server Single Sign-On Administrator's Guide
10g Release 2 (10.1.2)
Part No. B14078-01
Contents
List of Figures
List of Tables
Title and Copyright Information
Send Us Your Comments
Preface
Intended Audience
Documentation Accessibility
Structure
Related Documents
Conventions
1 Components and Processes: an Overview
1.1 Key Components in the Single Sign-On System
1.1.1 Single Sign-On Server
1.1.2 Partner Applications
1.1.3 External Applications
1.1.4 mod_osso
1.1.5 Oracle Internet Directory
1.1.6 Oracle Identity Management Infrastructure
1.2 Single Sign-On Processes
1.2.1 Accessing the Single Sign-On Server
1.2.2 Accessing a Partner Application
1.2.3 Accessing an External Application
1.2.3.1 Accessing the External Applications Portlet in OracleAS Portal
1.2.3.2 Authenticating to an External Application for the First Time
1.2.3.3 Authenticating to an External Application After the First Time
1.2.3.4 Logging Out of an External Application
1.2.4 Single Sign-Off
1.2.5 Changing Passwords
1.2.6 Global User Inactivity Timeout
1.2.7 Signing On Using the Wireless Option
2 Basic Administration
2.1 The Single Sign-On Administrator's Role
2.2 Granting Administrative Privileges
2.3 Changing the Single Sign-On Administration Group
2.4 policy.properties
2.5 Stopping and Starting Single Sign-On Components
2.5.1 Using the Application Server Control Console
2.5.2 Using the Command Line
2.5.2.1 Stopping and Starting the Oracle HTTP Server
2.5.2.2 Stopping and Starting the OC4J_SECURITY Instance
2.5.2.3 Stopping and Starting the Single Sign-On Middle Tier
2.5.2.4 Stopping and Starting All Components
2.6 Setting Browser Preferences for OracleAS Single Sign-On
2.7 Accessing the Administration Pages
2.8 Using the Edit SSO Server Page to Configure the Server
2.9 Configuring Globalization Support
2.10 Configuring the Global User Inactivity Timeout
2.11 Obtaining the Sample Files
3 Directory-Enabled Single Sign-On
3.1 Managing Users in Oracle Internet Directory
3.2 Password Policies
3.2.1 Password Rules
3.2.2 Configuring Password Life
3.2.3 Change Password Page Behavior
3.2.3.1 Password Has Expired
3.2.3.2 Password Is About to Expire
3.2.3.3 Grace Login Is in Force
3.2.3.4 Force Change Password
3.2.4 Configuring Account Lockout
3.2.5 Unlocking Users
3.2.6 Configuring Password Policies
3.3 Directory Tree for OracleAS Single Sign-On
3.4 Changing Single Sign-On Server Settings for Directory Access
3.5 Updating the Single Sign-On Server with Directory Changes
4 Configuring and Administering Partner Applications
4.1 Registering a Partner Application: What It Means
4.2 Registering mod_osso
4.2.1 Syntax and Parameters for ssoreg
4.2.2 Command Example
4.2.3 Restarting the Oracle HTTP Server
4.3 Deploying Multiple Partner Applications with a Load Balancer
4.3.1 Usage Scenario
4.3.2 Configuration Steps
4.3.2.1 Installing the Partner Applications
4.3.2.2 Configuring the Oracle HTTP Servers on the Partner Application Middle Tiers
4.3.2.3 Configuring the HTTP Load Balancer
4.3.2.4 Reregistering mod_osso on the Partner Application Middle Tiers
4.4 Configuring mod_osso with Virtual Hosts
5 Configuring and Administering External Applications
5.1 Using the Interface to Deploy and Manage External Applications
5.1.1 Adding an External Application
5.1.2 Editing an External Application
5.1.3 Storing External Application Credentials in the Single Sign-On Database
5.2 Proxy Authentication for Basic Authentication Applications
5.2.1 Configuring the Oracle HTTP Server as a Proxy for Basic Authentication
5.2.2 Configuration Requirements
5.2.3 Configuration Steps
6 Multilevel Authentication
6.1 What Is Multilevel Authentication?
6.2 How Multilevel Authentication Works
6.3 Components of a Multilevel System
6.3.1 Authentication Levels
6.3.2 Authentication Plugins
6.4 Configuring Multilevel Authentication
6.4.1 Usage Scenario
6.4.2 Configuration Steps
7 Signing On with Digital Certificates
7.1 How Certificate-Enabled Authentication Works
7.2 System Requirements
7.3 Configuring the Single Sign-On System for Certificates
7.3.1 Oracle HTTP Server
7.3.1.1 Setting SSL Parameters
7.3.1.2 Choosing a Certificate Authority
7.3.2 Single Sign-On Server
7.3.2.1 Configure policy.properties with the Default Authentication Plugin
7.3.2.2 Modify the Configuration File for the Authentication Plugin (Optional)
7.3.2.3 Customize the User Name Mapping Module (Optional)
7.3.2.4 Restart the Single Sign-On Middle Tier
7.3.3 Oracle Internet Directory
7.4 Maintaining a Certificate Revocation List
8 Advanced Deployment Options
8.1 Enabling SSL
8.1.1 Enable SSL on the Single Sign-On Middle Tier
8.1.2 Reconfigure the Identity Management Infrastructure Database
8.1.2.1 Change Single Sign-On URLs
8.1.2.2 Update targets.xml
8.1.3 Protect Single Sign-On URLs
8.1.4 Restart the Oracle HTTP Server and the Single Sign-On Middle Tier
8.1.5 Reregister Partner Applications
8.2 Deployment Scenarios
8.2.1 One Single Sign-On Middle Tier, One Oracle Internet Directory
8.2.2 Multiple Single Sign-On Middle Tiers, One Oracle Internet Directory
8.2.2.1 Usage Scenario
8.2.2.2 Configuration Steps
8.2.3 Multiple Single Sign-On Middle Tiers, Replicated Oracle Internet Directory
8.2.4 Multiple, Geographically Distributed Single Sign-On Instances
8.2.4.1 Usage Scenario
8.2.4.2 Configuration Steps
8.2.5 Other High Availability Deployments
8.2.5.1 OracleAS Cold Failover Cluster (Infrastructure)
8.2.5.2 Disaster Recovery
8.2.5.3 Backup and Recovery
8.3 Replicating the Identity Management Database
8.3.1 The Replication Mechanism
8.3.2 Configuring the Identity Management Database for Replication
8.3.3 Adding a Node to a Replication Group
8.3.4 Deleting a Node from a Replication Group
8.4 Deploying OracleAS Single Sign-On with a Proxy Server
8.4.1 Turn Off IP Checking
8.4.2 Enable the Proxy Server
8.5 Setting Up Directory Synchronization for User Nickname Changes
9 Enabling Support for Application Service Providers
9.1 Application Service Providers: Deciding to Deploy Multiple Realms
9.2 Setting Up and Enabling Multiple Realms
9.3 How the Single Sign-On Server Enables Authentication to Multiple Realms
9.3.1 Locating Realms in Oracle Internet Directory
9.3.2 Validating Realm-Affiliated Users to Partner Applications
9.4 Configuring the Single Sign-On Server for Multiple Realms
9.5 Granting Administrative Privileges for Multiple Realms
10 Monitoring the Single Sign-On Server
10.1 Accessing the Monitoring Pages
10.2 Interpreting and Using the Home Page on the Standalone Console
10.3 Interpreting and Using the Details of Login Failures Page
10.4 Updating the Port Property for the Single Sign-On Monitoring Target
10.5 Using the OracleAS Web Cache Instance to Monitor the Server
10.6 Monitoring a Single Sign-On Server Enabled for SSL
11 Creating Deployment-Specific Pages
11.1 How the Single Sign-On Server Uses Deployment-Specific Pages
11.2 How to Write Deployment-Specific Pages
11.2.1 Login Page Parameters
11.2.2 Forgot My Password
11.2.3 Change Password Page Parameters
11.2.4 Single Sign-Off Page Parameters
11.3 Page Error Codes
11.3.1 Login Page Error Codes
11.3.2 Change Password Page Error Codes
11.4 Adding Globalization Support
11.4.1 Deciding What Language to Display the Page In
11.4.1.1 Use the Accept-Language Header to Determine the Page
11.4.1.2 Use Page Logic to Determine the Language
11.4.2 Rendering the Page
11.5 Guidelines for Deployment-Specific Pages
11.6 Installing Deployment-Specific Pages
11.6.1 Using policy.properties to Install Login and Change Password Pages
11.6.2 Using policy.properties to Install Wireless Login and Change Password Pages
11.6.3 Using WWSSO_LS_CONFIGURATION$ to Install the Single Sign-Off Page
11.7 Examples of Deployment-Specific Pages
12 Integrating with Third-Party Access Management Systems
12.1 How Third-Party Access Management Works
12.1.1 Scenario 1: The user has not yet authenticated to the third-party server
12.1.2 Scenario 2: The user has already authenticated to the third-party server
12.2 Synchronizing the Third-Party Repository with Oracle Internet Directory
12.3 Third-Party Integration Modules
12.3.1 Using Vendor-Supplied Packages
12.3.2 Building Your Own Package
12.3.2.1 Guidelines for Using the Interfaces
12.3.2.2 The Interfaces
12.3.2.3 Configuration Steps
12.3.3 Logging Out of the Integrated System
12.4 Integration Case Study: SSOAcme
12.4.1 Sample Integration Package
12.4.2 Migrating the Release 9.0.2 Sample Implementation to Release 10.1.2
12.4.2.1 New Authentication Interface
12.4.2.2 Get User Name from HTTP Header
12.4.2.3 Error Handling if User Name Not Present
12.4.2.4 Return User Name to Single Sign-On Server
13 Exporting and Importing Data
13.1 What's Exported and Imported?
13.2 Export and Import Script: Syntax and Parameters
13.2.1 Script Syntax
13.2.2 Script Parameters
13.3 Exporting Data from One Server to Another
13.3.1 Export and Import Scenarios and Script Examples
13.3.1.1 Export Scenarios
13.3.1.2 Import Scenarios
13.3.2 Running the Script
13.4 Verifying That Export and Import Succeeded
13.5 Consolidating Multiple Servers
13.6 Error Messages
A Troubleshooting
A.1 Log Files
A.2 Error Messages and Other Problems
A.2.1 Basic Error Messages and Problems
A.2.2 Certificate Authentication
A.2.2.1 Debugging Certificate Sign-On
A.2.2.2 Error Messages
A.2.3 Password Policies
A.2.4 Type 41400 Errors
A.3 Increasing the Debug Level
A.4 Enabling the Debug Option in the Single Sign-On Database
A.5 Enabling LDAP Tracing for UI Operations
A.6 Managing Single Sign-On Audit Records
A.7 Refreshing the LDAP Connection Cache
A.8 Restarting OC4J After Modifying Oracle Internet Directory
A.9 Troubleshooting Replication
A.9.1 Verifying Oracle9i Advanced Replication Configuration
A.9.2 Verifying and Rectifying Oracle9i Advanced Replication Configuration
A.10 A Word About Non-GET Authentication
A.11 Need More Help?
B Obtaining the Single Sign-On Schema Password
B.1 Using the Command Line
B.2 Using Oracle Directory Manager
C policy.properties
Glossary
Index