Oracle® Application Server Single Sign-On Administrator's Guide 10g (10.1.4.0.1) Part Number B15988-01
This chapter explains how to implement federated authentication using Oracle Application Server Single Sign-On and Oracle Identity Federation. Federated single sign-on permits users to access information on different corporate Web sites while authenticating to only one of those sites. You can configure either Oracle Application Server Single Sign-On or Oracle Identity Federation to be the authentication mechanism for users who want to access resources that are protected by either product.
The chapter contains the following topics:
Note: This chapter only describes how to configure single sign-on to Oracle Identity Federation from the standpoint of the Oracle Application Server Single Sign-On product. To complete the configuration, you also need to modify settings in the Oracle Identity Federation product. See the Oracle Secure Federation Services Administration Guide for details.
Users need a simple way to move back and forth between content that is provided on different corporate Web sites. Corporate Web sites need a way to authenticate and authorize users who are entering from different domains that use different security products. The Oracle Identity Federation product addresses these problems. When a user tries to access a protected resource on a remote Web site, the Oracle Identity Federation product at the user's site transfers information about the user to the remote site for use in authorizing the user's request. For example:
Users from an airline can access technical documentation in an airplane vendor's documentation database.
Customers of a wireless company can access a bill-paying application that is outsourced from the vendor to a third-party supplier.
Employees of an organization can access a 401(k) application through an internal HR portal that connects to the benefits provider.
Users might access a link on their own company's Web site to request access to content on a partner's Web site. The first time users request access, they are authenticated on their own site with user profile information stored in their home site's user data repository. The user's home (or Identity Provider) domain forwards the user's access request to the destination (a Service Provider) site along with the credentials that the destination site needs to authorize the user's request.
Using the integration between OracleAS Single Sign-On and Oracle Identity Federation, the following is possible:
When a user attempts to access a protected resource, the provider of the resource can send the query to Oracle Identity Federation, which can forward the query to OracleAS Single Sign-On.
Once the user is authenticated by OracleAS Single Sign-On, he or she can access resources at the destination.
When a user attempts to access a resource protected by OracleAS Single Sign-On, the request can be forwarded to Oracle Identity Federation, which can locate an appropriate Identity Provider to perform authentication.
Once a user has been authenticated by the Identity Provider, he or she can access resources protected by OracleAS Single Sign-On.
For more information on Oracle Identity Federation, see the Oracle Secure Federation Services Administration Guide, available from the Oracle Documentation page on the Oracle Technology Network. The URL is as follows:
http://www.oracle.com/technology/documentation
After completing configuration of federated single sign-on as described in this chapter, users perform a one-time authentication to both the Service Provider and the Identity Provider.
After this one-time authentication, the user only provides credentials to the Identity Provider. After authenticating, the user is able to access protected resources at the Service Provider.
When OracleAS Single Sign-On and Oracle Identity Federation perform the role of Service Provider, OracleAS Single Sign-On delegates user authentication to Oracle Identity Federation. In this scenario, you configure federated single sign-on so that Oracle Identity Federation is the intermediary that identifies an Identity Provider when users try to access resources that are protected by OracleAS Single Sign-On.
By default, the MediumHighSecurity authentication level is used for single sign-on between OracleAS Single Sign-On and Oracle Identity Federation. If you change this authentication level, Oracle recommends that you set the level to, or above, the default authentication level for OracleAS Single Sign-On. If you use a lower level, users will be challenged when they attempt to access any protected application that uses a higher security level.
The following task overview summarizes the steps for this configuration. Detailed procedures are provided after the task overview.
Note: You must stop the OracleAS Single Sign-On server before modifying the policy.properties file and restart it when you are done.
Task overview: Delegating authentication to an Oracle Identity Federation instance
Stop the OracleAS Single Sign-On server.
Configure Oracle Identity Federation as the authentication mechanism in the policy.properties file.
Add applications that are protected by Oracle Identity Federation to the list of protected applications in the policy.properties file.
Restart the Oracle Application Server Single Sign-On server.
Configure Oracle Identity Federation to authenticate users who try to access the applications added to the policy.properties file.
See the Oracle Secure Federation Services Administration Guide for details.
To stop the Oracle Application Server Single Sign-On Server
From the Oracle Enterprise Manager 10g Application Server Control Console, click the instance of the application server that you want to stop.
From the details page for the application server, select OC4J_SECURITY.
If you also want to stop Oracle HTTP Server, click the HTTP Server link on the details page for the application server.
Click Stop.
A confirmation page appears.
Click Yes on the confirmation page.
To delegate authentication to an Oracle Identity Federation instance
Open the following file in a text editor:
OSSO_install_dir/sso/conf/policy.properties
Where OSSO_install_dir is the directory where Oracle Application Server Single Sign-On was installed.
Uncomment and edit the following lines:
SASSOAuthnUrl—Uncomment this line and change the host name and port to reflect the login URL for Oracle Identity Federation.
SASSOLogoutUrl—Uncomment this line and change the host name and port to reflect the logout URL for Oracle Identity Federation.
Note that the colon character (":") must be escaped by a backslash character ("\"), for example:
SASSOAuthnUrl = http\://osfs_host.domain\:port/sso/authn
SASSOLogoutUrl = http\://osfs_host.domain\:port/sso/jsp/sasso_logout_success.jsp
Uncomment the following line to set the security level for Oracle Identity Federation:
SASSOAuthLevel = MediumHighSecurity
In the policy.properties file, uncomment the plug-in and audit level for the MediumHighSecurity authentication level:
# MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SASSOAuth
Locate the keystore file (the file name is "keystore") from the installation directory of the server hosting Oracle Identity Federation:
Oracle_Identity_Federation_installdir/sso/conf
Copy the keystore to the location specified in the SASSOConfigFile parameter in the policy.properties file. This location is the relative path from the local home directory for the OracleAS Single Sign-On server. For example:
SASSOConfigFile = /sso/conf/keystore
See the Oracle Secure Federation Services Administration Guide for details on generating the keystore.
From the Oracle Enterprise Manager 10g Application Server Control Console, click the instance of Oracle Enterprise Manager 10g that you want to modify.
Restart the Oracle HTTP Server and OC4J_SECURITY.
To add applications to be protected by the Oracle Identity Federation policies
Stop the server, as described in "To stop the Oracle Application Server Single Sign-On Server".
Edit the policy.properties file in the following location:
install_dir/sso/conf/policy.properties
Where install_dir is the directory where Oracle Application Server Single Sign-On is installed.
In the Protected URL section of the policy.properties file, set the host and port for one or more applications that you want to be protected, for example:
host\:port = MediumHighSecurity
Where host\:port is the host and port of the application to be protected. The host and port are configured during or after installation. See the mid-tier documentation for details. MediumHighSecurity is the security level configured for single sign-on with Oracle Identity Federation. (See Chapter 6, "Multilevel Authentication" for details on authentication levels.)
From the Oracle Enterprise Manager 10g Application Server Control Console, click the instance of application server that you want to start.
Restart the Oracle HTTP Server and OC4J_SECURITY.
Note: To complete the configuration, you also need to modify settings in the Oracle Identity Federation product. See the Oracle Secure Federation Services Administration Guide for details.
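The two procedures above (and the Identity Provider procedure later in this chapter) all come down to the same policy.properties edits: the SASSO URLs with escaped colons, an uncommented authentication plug-in for the chosen level, a federation level at or above the default, and Protected URL entries that reference a defined level. The following Python script is an added example, not part of this guide or of the OracleAS Single Sign-On product: it parses a constructed sample of the edited file with Java .properties escaping rules and reports the mistakes a reviewer would look for before restarting OC4J_SECURITY. Host names, ports, the numeric level values and the DefaultAuthLevel key are assumptions modelled on the multilevel-authentication chapter, not values from a real installation.

```python
import re
from typing import Dict, List

# Constructed sample of a policy.properties after the edits on this page. Host names,
# ports, the numeric level values and DefaultAuthLevel are assumed placeholders.
SAMPLE_POLICY = r"""
MediumSecurity = 40
MediumHighSecurity = 50
DefaultAuthLevel = MediumSecurity
SASSOAuthnUrl = http\://osfs_host.domain\:7777/sso/authn
SASSOLogoutUrl = http\://osfs_host.domain\:7777/sso/jsp/sasso_logout_success.jsp
SASSOAuthLevel = MediumHighSecurity
SASSOConfigFile = /sso/conf/keystore
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SASSOAuth
# Protected URL section
app1.example.com\:7778 = MediumHighSecurity
app2.example.com\:7778 = MediumSecurity
"""

# Constructed counter-example: unescaped colons in the login URL, plug-in still
# commented out, federation level below the default, undefined level on an app.
BROKEN_POLICY = r"""
MediumSecurity = 40
MediumHighSecurity = 50
DefaultAuthLevel = MediumHighSecurity
SASSOAuthnUrl = http://osfs_host.domain:7777/sso/authn
SASSOLogoutUrl = http\://osfs_host.domain\:7777/sso/jsp/sasso_logout_success.jsp
SASSOAuthLevel = MediumSecurity
SASSOConfigFile = /sso/conf/keystore
# MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SASSOAuth
app1.example.com\:7778 = HighSecurity
"""

PROTECTED_KEY = re.compile(r"[^\s:]+:\d+")  # host:port, after unescaping
URL_SUFFIXES = {"SASSOAuthnUrl": "/sso/authn",
                "SASSOLogoutUrl": "/sso/jsp/sasso_logout_success.jsp"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comment lines are skipped, the first
    unescaped '=', ':' or whitespace ends the key, and backslash escapes are resolved
    (so '\:' becomes ':'). Line continuations are not handled; the entries on this
    page fit on one line."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # a commented-out entry is simply absent from the result
        key, i = [], 0
        while i < len(line):
            c = line[i]
            if c == "\\" and i + 1 < len(line):
                key.append(line[i + 1])
                i += 2
                continue
            if c in "=: \t":
                break
            key.append(c)
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props["".join(key)] = re.sub(r"\\(.)", r"\1", rest)
    return props


def protected_apps(props: Dict[str, str]) -> Dict[str, str]:
    """Entries from the Protected URL section, keyed by host:port."""
    return {k: v for k, v in props.items() if PROTECTED_KEY.fullmatch(k)}


def check_federation_config(text: str) -> List[str]:
    """Return the problems found; an empty list means the edits look complete."""
    props, issues = parse_properties(text), []
    for key in ("SASSOAuthnUrl", "SASSOLogoutUrl", "SASSOAuthLevel", "SASSOConfigFile"):
        if key not in props:
            issues.append(f"{key} is missing or still commented out")
    for key, suffix in URL_SUFFIXES.items():
        if key in props and not props[key].endswith(suffix):
            issues.append(f"{key} does not end with {suffix}")
    # Raw-line check: the guide requires ':' inside the URL values to be written '\:'.
    for raw in text.splitlines():
        name, sep, rhs = raw.strip().partition("=")
        if sep and name.strip() in URL_SUFFIXES and re.search(r"(?<!\\):", rhs):
            issues.append(f"unescaped ':' in {name.strip()}")
    levels = {k: int(v) for k, v in props.items() if v.isdigit()}
    level, default = props.get("SASSOAuthLevel"), props.get("DefaultAuthLevel")
    if level:
        if f"{level}_AuthPlugin" not in props:
            issues.append(f"{level}_AuthPlugin is still commented out")
        if level in levels and default in levels and levels[level] < levels[default]:
            issues.append("SASSOAuthLevel is below DefaultAuthLevel; users will be "
                          "re-challenged by applications at the default level")
    for app, app_level in protected_apps(props).items():
        if app_level not in levels:
            issues.append(f"{app} uses undefined level {app_level}")
    return issues


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_POLICY), ("broken", BROKEN_POLICY)):
        print(name, check_federation_config(text) or "OK")
```

Run it against a copy of your own file by passing the file contents to check_federation_config; the level-comparison check is the one that catches the situation described above, where a federation level lower than the default causes users to be challenged again at applications that use the higher level.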
When OracleAS Single Sign-On and Oracle Identity Federation perform the role of Identity Provider, Oracle Identity Federation delegates user authentication to OracleAS Single Sign-On. In this scenario, you configure federated single sign-on so that Oracle Identity Federation forwards user requests for resources to OracleAS Single Sign-On. In this case, OracleAS Single Sign-On becomes the authentication mechanism.
By default, the MediumHighSecurity authentication level is used for single sign-on between OracleAS Single Sign-On and Oracle Identity Federation. (See Chapter 6, "Multilevel Authentication" for details.) If you change this authentication level, Oracle recommends that you set the level to, or above, the default authentication level for OracleAS Single Sign-On. If you use a lower level, users will be challenged when they attempt to access any protected application that uses a higher security level.
Note: To complete the configuration, you also need to modify settings in the Oracle Identity Federation product. See the Oracle Secure Federation Services Administration Guide for details.
To configure federated authentication using OracleAS Single Sign-On as the authentication mechanism:
Go to the Oracle Enterprise Manager 10g Application Server Control Console.
Click the instance of the application server that you want to stop.
To prepare for stopping OC4J_SECURITY, from the details page for the application server, select OC4J_SECURITY.
To prepare for stopping Oracle HTTP Server, click the HTTP Server link on the details page for the application server.
Click Stop.
A confirmation page appears.
Click Yes on the confirmation page.
Open the following file in a text editor:
OSSO_install_dir/sso/conf/policy.properties
Where OSSO_install_dir is the directory where Oracle Application Server Single Sign-On was installed.
Uncomment and edit the following lines:
SASSOAuthnUrl—Uncomment this line and change the host name and port to reflect the login URL for Oracle Identity Federation.
SASSOLogoutUrl—Uncomment this line and change the host name and port to reflect the logout URL for Oracle Identity Federation.
Note that the colon character (":") must be escaped by a backslash character ("\"), for example:
SASSOAuthnUrl = http\://osfs_host.domain\:port/sso/authn
SASSOLogoutUrl = http\://osfs_host.domain\:port/sso/jsp/sasso_logout_success.jsp
Locate the keystore file (the file name is "keystore") from the installation directory of the server hosting Oracle Identity Federation:
Oracle_Identity_Federation_install_dir/sso/conf
Copy the keystore to the location specified in the SASSOConfigFile parameter in the policy.properties file. This location is the relative path from the local home directory for the OracleAS Single Sign-On server. For example:
SASSOConfigFile = /sso/conf/keystore
See the Oracle Secure Federation Services Administration Guide for details on generating the keystore.
Restart OC4J_SECURITY and the Oracle HTTP Server.
On a Web portal page, you may want to configure links to resources that each require a different authentication mechanism. The integration between Oracle Identity Federation and OracleAS Single Sign-On enables you to configure a link on a Web page that is protected by OracleAS Single Sign-On to do the following:
Require OracleAS Single Sign-On to find an instance of Oracle Identity Federation when a user clicks the link.
Direct Oracle Identity Federation to request authentication from a specific Identity Provider.
Note: See the Oracle Secure Federation Services Administration Guide for details on configuring Identity Providers.
To configure a federated authentication link on a Web portal page:
Set up a resource to be protected by OracleAS Single Sign-On.
In the HTML code for the portal page, provide the following link:
<a href="http(s)://<rest-of-URL>?providerid=xxx">
Where:
http(s) is the protocol (http or https) to be used.
<rest-of-URL> is the URL to the path to the protected resource.
providerid is the keyword that signals to OracleAS Single Sign-On that Oracle Identity Federation must be queried for the Identity Provider.
xxx is the Identity Provider ID configured in Oracle Identity Federation.