Oracle® Application Server Single Sign-On Administrator's Guide
10g (

Part Number B15988-01

3 Directory-Enabled Single Sign-On

This chapter examines those aspects of OracleAS Single Sign-On that are dependent upon Oracle Internet Directory. The directory is the repository for all single sign-on user accounts and passwords—administrative and nonadministrative. All user and group management functions are handled by the directory.


Oracle Internet Directory can be configured to authenticate to third-party repositories. To learn more, see Oracle Identity Management Integration Guide.

The chapter contains the following topics:

3.1 Managing Users in Oracle Internet Directory

Use the following tools to manage single sign-on users:

3.2 Password Policies

The single sign-on user password is stored in Oracle Internet Directory as an attribute of the user's entry. Users can change their passwords in the single sign-on UI only when their passwords are about to expire. They may use Oracle Delegated Administration Services for this purpose at any time. The directory administrator can use Oracle Directory Manager to adjust password expiry behavior to suit enterprise needs.

This section covers the following topics:

3.2.1 Password Rules

Oracle Directory Manager has fields that enable you to specify the minimum number of characters that a password requires. To learn what the defaults are, see the chapter about password policies in Oracle Internet Directory Administrator's Guide.

A password cannot contain the following characters: &, {, }, <, >, ", ', (, and ).

3.2.2 Configuring Password Life

Using either Oracle Directory Manager or LDAP command-line tools, you can configure password life and specify when users are prompted to change their passwords. You can also configure a grace login period for users. This period begins after a user's password has expired. Users who neglect to change their passwords within this period must have an administrator reset them.

3.2.3 Change Password Page Behavior

Users who try to log in when their passwords have expired or are about to expire experience the following server behavior:

Password Has Expired

Users are shown the password expiry screen. They must contact the directory administrator to have the password reset.

Password Is About to Expire

Users are shown an error message on the login page. They have the option of cancelling the page or changing their passwords. In either case, authentication proceeds in the same manner as it does when the change password page is not displayed.

Grace Login Is in Force

If a grace login period has been configured in the directory, users are presented the change password page after their passwords have expired. They have the option of cancelling the page or changing their passwords. In either case, the authentication sequence is the same as it is for users with valid passwords.

Force Change Password

This feature prompts users to change their password after it has been reset by an administrator. You enable force change password by setting the pwdMustChange attribute in the directory entry cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext,dc=default_identity_management_realm. You can use the command-line tool ldapmodify for this purpose. The value TRUE enables this feature. FALSE disables it. See the chapter about password policies in Oracle Internet Directory Administrator's Guide to learn how to run the tool.
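
The change record that ldapmodify needs for this setting, built and applied from a shell script. This is an added example, not Oracle's own code; the realm DN dc=example,dc=com is a constructed sample, and OID_HOST, OID_PORT, BIND_DN and BIND_PW are assumed environment variables.

```shell
#!/bin/sh
# Added example. The policy RDN and attribute name come from the text above;
# the realm DN, OID_HOST, OID_PORT, BIND_DN and BIND_PW are assumed inputs.
POLICY_RDN="cn=pwdpolicyentry,cn=common,cn=products,cn=OracleContext"
NL='
'

# Print an LDIF modify record that sets pwdMustChange.
#   $1 = TRUE or FALSE (any case)   $2 = DN of the identity management realm
pwdmustchange_ldif() {
    value=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$value" in
        TRUE|FALSE) ;;
        *) echo "pwdMustChange must be TRUE or FALSE, got: $1" >&2; return 2 ;;
    esac
    # An empty DN or one containing a newline would yield a malformed record
    # or let extra LDIF lines ride along with the change; refuse both.
    case "$2" in
        ""|*"$NL"*) echo "invalid realm DN" >&2; return 2 ;;
    esac
    printf 'dn: %s,%s\n' "$POLICY_RDN" "$2"
    printf 'changetype: modify\n'
    printf 'replace: pwdMustChange\n'
    printf 'pwdMustChange: %s\n' "$value"
}

# Write the record to a private temporary file and pass it to ldapmodify.
# Note that -w places the bind password in the process argument list.
apply_pwdmustchange() {
    ldif=$(mktemp) || return 1
    if ! pwdmustchange_ldif "$1" "$2" > "$ldif"; then
        rm -f "$ldif"
        return 2
    fi
    rc=0
    ldapmodify -h "$OID_HOST" -p "$OID_PORT" -D "$BIND_DN" -w "$BIND_PW" \
        -f "$ldif" || rc=$?
    rm -f "$ldif"
    return "$rc"
}

# Preview the record for the constructed sample realm; nothing is sent.
pwdmustchange_ldif TRUE "dc=example,dc=com"
```

Review the printed record before calling apply_pwdmustchange with the same arguments.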

3.2.4 Configuring Account Lockout

An account lockout occurs when users submit an incorrect user name and password combination more times than Oracle Internet Directory permits. Once locked out, they cannot access the single sign-on server from any workstation. By default, lockout occurs after 10 login attempts. Once this limit has been reached, even a valid user name and password combination fails to log a user in.

Because single sign-on user accounts are managed in the directory, the directory administrator determines account lockout policies. Oracle Directory Manager has fields for enabling and disabling lockout and for specifying lockout duration.

The default lockout duration is one day.

3.2.5 Unlocking Users

To learn how to unlock users, see the chapter about password policies in Oracle Internet Directory Administrator's Guide.

3.2.6 Configuring Password Policies

To learn how to configure password policies, see the chapter about these policies in Oracle Internet Directory Administrator's Guide.

3.3 Directory Tree for OracleAS Single Sign-On

OracleAS Single Sign-On, like other components in the OracleAS complement, has its own container in the directory information tree (DIT). This container is in the Oracle Context, an entry that serves as the root for all Oracle-specific data. In the simplified DIT shown in Figure 3-1, both the root Oracle Context and the realm-specific Oracle Context are expanded. The root Oracle Context is the repository for sitewide information—that is, information that applies to all identity management realms and products. Structurally, realm-specific Oracle Contexts are mirror images of the root context, but the information they contain pertains only to a particular realm. These realms store configuration information unique to specific users and other network entities. To learn more about realms, see Chapter 10, "Enabling Support for Application Service Providers".

In Figure 3-1, the single sign-on container is identified by the entry cn=SSO. It contains a single entry, orclApplicationCommonName=orasso_sso. This is the entry for the single sign-on server. In the illustration, the entry has been expanded to show the object classes and attributes that define the entry. For example, the orclapplicationcommonname attribute gives the default name of the single sign-on server, orasso. Note, too, that the single sign-on server has its own password, which, along with orclapplicationcommonname, the directory server uses to authenticate the single sign-on server when the latter performs user searches.

The container Common is a repository for information common to all OracleAS products. For instance, it contains attributes that enable products to identify the realm search base, or node, and the realm nickname. Realm-specific Common containers—not shown here—contain attributes that enable products to locate users within a realm subtree. In addition to expanding the SSO container, the illustration expands entries for an OracleAS user who is also an administrator.

Figure 3-1 Directory Information Tree for OracleAS Single Sign-On


3.4 Changing Single Sign-On Server Settings for Directory Access

The ssooconf.sql script enables you to change the following settings in the directory:

To change directory settings for the single sign-on server:

  1. Navigate to the script at ORACLE_HOME/sso/admin/plsql/sso.

  2. Log in to SQL*Plus as the schema orasso. To obtain the schema password, see Appendix B.


    You can run the script only as orasso.

  3. Run ssooconf.sql by issuing the following command:

    SQL> @ssooconf.sql

    This prompt appears:

    Enter value for new_oid_host

  4. Enter a value for the directory host name; then press Return or Enter. If you do not want to change the directory host name, press Return or Enter to move to the next prompt.

  5. Repeat step 4 for each of the remaining three prompts, which are Enter value for new_oid_port, Enter value for new_ssoserver_password, and Enter value for new_ldapusessl. The last requires that you enter either Y (enable) or N (disable).


    An SSL connection between the single sign-on server and the directory exists by default.

  6. To apply the changes, press Return or Enter one last time.

    The script displays updated settings for the single sign-on server along with the old ones.

If you run the script and then decide not to make changes, press Return or Enter to retain existing values.

3.5 Updating the Single Sign-On Server with Directory Changes

The single sign-on server caches metadata about the Oracle Internet Directory DIT. This metadata includes the user search base, user nickname attribute, and realm-related metadata. If the directory DIT changes, the cache for the single sign-on server must be refreshed. To refresh it, run the ssoreoid.sql script:

  1. Navigate to the script at ORACLE_HOME/sso/admin/plsql/sso.

  2. Log in to the single sign-on schema:

    SQL> connect orasso/orasso_password

    See Appendix B to obtain the orasso schema password.


    This script cannot be run as sys.

  3. Run the script:

    SQL> @ssoreoid.sql

  4. Restart the single sign-on server.

    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY

These are just a few of the DIT changes that require that the script be run:

To learn how realm information is changed in Oracle Internet Directory, see Oracle Internet Directory Administrator's Guide.