Oracle® Application Server Single Sign-On Administrator's Guide 10g (10.1.4.0.1)
Part Number B15988-01
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
  Audience
  Documentation Accessibility
  Related Documents
  Conventions
What's New in OracleAS Single Sign-On?
  Federated Authentication
  Configuring Custom (Deployment-Specific) Pages
  Changes to the Syntax for Invoking OracleAS Single Sign-On
  Changing the Single Sign-On Administration Group
  Globalization Support
  Elimination of the Database Access Descriptor (DAD)
  Protecting URLs in the Absence of a Load Balancer
  Information on Authentication Levels
  Login Page Error Codes
  Authentication URL
  Configuring Single Sign-On Server for Multiple Realms
  Configuring SSL for Partner Applications
  Debug Log Files
  URLs to Protected Resources Fail to Return the Resource
  Secure Transmission of mod_osso Cookies
  Obsolete Error Messages
1 About OracleAS Single Sign-On
  1.1 Key Components in the Single Sign-On System
    1.1.1 Single Sign-On Server
    1.1.2 Partner Applications
    1.1.3 External Applications
    1.1.4 mod_osso
    1.1.5 Oracle Internet Directory
    1.1.6 Oracle Identity Management Infrastructure
  1.2 Single Sign-On Processes
    1.2.1 Accessing the Single Sign-On Server
    1.2.2 Accessing a Partner Application
      1.2.2.1 Authenticating to a Partner Application After the First Time
      1.2.2.2 Logging Out of a Partner Application
    1.2.3 Accessing an External Application
      1.2.3.1 Accessing the External Applications Portlet in OracleAS Portal
      1.2.3.2 Authenticating to an External Application for the First Time
      1.2.3.3 Authenticating to an External Application After the First Time
      1.2.3.4 Logging Out of an External Application
    1.2.4 Limitations on URLs to Access Applications
    1.2.5 Single Sign-Off
    1.2.6 Changing Passwords
    1.2.7 Global User Inactivity Timeout
    1.2.8 Signing On Using the Wireless Option
2 Basic Administration
  2.1 The Single Sign-On Administrator's Role
  2.2 Granting Administrative Privileges
  2.3 Changing the Single Sign-On Administration Group
  2.4 policy.properties
  2.5 Stopping and Starting Single Sign-On Components
    2.5.1 Using the Application Server Control Console
    2.5.2 Using the Command Line
      2.5.2.1 Stopping and Starting the Oracle HTTP Server
      2.5.2.2 Stopping and Starting the OC4J_SECURITY Instance
      2.5.2.3 Stopping and Starting the Single Sign-On Middle Tier
      2.5.2.4 Stopping and Starting All Components
      2.5.2.5 Stopping and Starting the Database
  2.6 Troubleshooting an Inaccessible Server
  2.7 Setting Browser Preferences for OracleAS Single Sign-On
  2.8 Accessing the Administration Pages
  2.9 Using the Edit Single Sign-On Server Page to Configure the Server
  2.10 Configuring Globalization Support
  2.11 Configuring the Global User Inactivity Timeout
  2.12 Obtaining the Sample Files
3 Directory-Enabled Single Sign-On
  3.1 Managing Users in Oracle Internet Directory
  3.2 Password Policies
    3.2.1 Password Rules
    3.2.2 Configuring Password Life
    3.2.3 Change Password Page Behavior
      3.2.3.1 Password Has Expired
      3.2.3.2 Password Is About to Expire
      3.2.3.3 Grace Login Is in Force
      3.2.3.4 Force Change Password
    3.2.4 Configuring Account Lockout
    3.2.5 Unlocking Users
    3.2.6 Configuring Password Policies
  3.3 Directory Tree for OracleAS Single Sign-On
  3.4 Changing Single Sign-On Server Settings for Directory Access
  3.5 Updating the Single Sign-On Server with Directory Changes
4 Configuring and Administering Partner Applications
  4.1 Registering a Partner Application: What It Means
  4.2 Registering mod_osso
    4.2.1 Syntax and Parameters for ssoreg
    4.2.2 Command Example
    4.2.3 Restarting the Oracle HTTP Server
  4.3 Deploying Multiple Partner Applications with a Load Balancer
    4.3.1 Usage Scenario
    4.3.2 Configuration Steps
      4.3.2.1 Installing the Partner Applications
      4.3.2.2 Configuring the Oracle HTTP Servers on the Partner Application Middle Tiers
      4.3.2.3 Configuring the HTTP Load Balancer
      4.3.2.4 Reregistering mod_osso on the Partner Application Middle Tiers
  4.4 Configuring mod_osso with Virtual Hosts (SSL and non-SSL)
5 Configuring and Administering External Applications
  5.1 Using the Interface to Deploy and Manage External Applications
    5.1.1 Adding an External Application
    5.1.2 Editing an External Application
    5.1.3 Storing External Application Credentials in the Single Sign-On Database
  5.2 Proxy Authentication for Basic Authentication Applications
    5.2.1 Configuring the Oracle HTTP Server as a Proxy for Basic Authentication
    5.2.2 Configuration Requirements
    5.2.3 Configuration Steps
6 Multilevel Authentication
  6.1 What Is Multilevel Authentication?
  6.2 How Multilevel Authentication Works
  6.3 Components of a Multilevel System
    6.3.1 Authentication Levels
    6.3.2 Authentication Plugins
  6.4 Configuring Multilevel Authentication
    6.4.1 Usage Scenario
    6.4.2 Configuration Steps
7 Enabling SSL
  7.1 Enable SSL on the Single Sign-On Middle Tier
  7.2 Reconfigure the Identity Management Infrastructure Database
    7.2.1 Change Single Sign-On URLs
    7.2.2 Update targets.xml
    7.2.3 Configure Oracle Enterprise Manager Security
  7.3 Protect Single Sign-On URLs
    7.3.1 Protecting URLs in the Absence of a Load Balancing Router
    7.3.2 Protecting URLs in the Presence of a Load Balancing Router
  7.4 Restart the Oracle HTTP Server and the Single Sign-On Middle Tier
  7.5 Caveats About Configuring SSL
  7.6 Reregister Partner Applications
  7.7 Secure Transmission of mod_osso Cookies
8 Signing On with Digital Certificates
  8.1 How Certificate-Enabled Authentication Works
  8.2 System Requirements
  8.3 Configuring the Single Sign-On System for Certificates
    8.3.1 Oracle HTTP Server
      8.3.1.1 Setting SSL Parameters
      8.3.1.2 Choosing a Certificate Authority
    8.3.2 Single Sign-On Server
      8.3.2.1 Configure policy.properties with the Default Authentication Plugin
      8.3.2.2 Modify the Configuration File for the Authentication Plugin (Optional)
      8.3.2.3 Customize the User Name Mapping Module (Optional)
      8.3.2.4 Restart the Single Sign-On Middle Tier
    8.3.3 Oracle Internet Directory
  8.4 Maintaining a Certificate Revocation List
9 Advanced Deployment Options
  9.1 Deployment Scenarios
    9.1.1 One Single Sign-On Middle Tier, One Oracle Internet Directory
    9.1.2 Multiple Single Sign-On Middle Tiers, One Oracle Internet Directory
      9.1.2.1 To Cluster or Not to Cluster
      9.1.2.2 Usage Scenario
      9.1.2.3 Configuration Steps
    9.1.3 Multiple Single Sign-On Middle Tiers, Replicated Oracle Internet Directory
    9.1.4 Multiple, Geographically Distributed Single Sign-On Instances
      9.1.4.1 Usage Scenario
      9.1.4.2 Configuration Steps
    9.1.5 Other High Availability Deployments
      9.1.5.1 OracleAS Cold Failover Cluster (Infrastructure)
      9.1.5.2 Disaster Recovery
      9.1.5.3 Backup and Recovery
  9.2 Replicating the Identity Management Database
    9.2.1 The Replication Mechanism
    9.2.2 Configuring the Identity Management Database for Replication
    9.2.3 Adding a Node to a Replication Group
    9.2.4 Deleting a Node from a Replication Group
  9.3 Deploying OracleAS Single Sign-On with a Proxy Server
    9.3.1 Turn Off IP Checking
    9.3.2 Enable the Proxy Server
  9.4 Setting Up Directory Synchronization for User Nickname Changes
10 Enabling Support for Application Service Providers
  10.1 Application Service Providers: Deciding to Deploy Multiple Realms
  10.2 Setting Up and Enabling Multiple Realms
  10.3 How the Single Sign-On Server Enables Authentication to Multiple Realms
    10.3.1 Locating Realms in Oracle Internet Directory
    10.3.2 Validating Realm-Affiliated Users to Partner Applications
  10.4 Configuring the Single Sign-On Server for Multiple Realms
  10.5 Granting Administrative Privileges for Multiple Realms
11 Monitoring the Single Sign-On Server
  11.1 Setting the Database Monitoring Password
  11.2 Accessing the Monitoring Pages
  11.3 Interpreting and Using the Home Page on the Standalone Console
  11.4 Interpreting and Using the Details of Login Failures Page
  11.5 Updating the Port Property for the Single Sign-On Monitoring Target
  11.6 Using the OracleAS Web Cache Instance to Monitor the Server
  11.7 Monitoring a Single Sign-On Server Enabled for SSL
12 Creating Deployment-Specific Pages
  12.1 How the Single Sign-On Server Uses Deployment-Specific Pages
  12.2 How to Write Deployment-Specific Pages
    12.2.1 Login Page Parameters
    12.2.2 Forgot My Password
    12.2.3 Change Password Page Parameters
    12.2.4 Single Sign-Off Page Parameters
    12.2.5 External Application Login Page Parameters
  12.3 Page Error Codes
    12.3.1 Login Page Error Codes
    12.3.2 Post-Login Messages
    12.3.3 Change Password Page Error Codes
    12.3.4 Change External Application Login Page Error Codes
  12.4 Adding Globalization Support
    12.4.1 Deciding What Language to Display the Page In
      12.4.1.1 Use the Accept-Language Header to Determine the Page
      12.4.1.2 Use Page Logic to Determine the Language
    12.4.2 Rendering the Page
  12.5 Guidelines for Deployment-Specific Pages
  12.6 Installing Deployment-Specific Pages
    12.6.1 Using policy.properties to Install Login, Single Sign-Off, and Change Password Pages
    12.6.2 Using policy.properties to Install Wireless Login and Change Password Pages
    12.6.3 Using policy.properties to Install External Application Login Pages
  12.7 Examples of Deployment-Specific Pages
    12.7.1 Using Custom Classes
13 Integrating with Oracle Identity Federation
  13.1 How Federated Single Sign-On Works
    13.1.1 Federated Single Sign-On From the User's Perspective
  13.2 Configuring the Oracle Stack as the Service Provider
  13.3 Configuring the Oracle Stack as the Identity Provider
  13.4 Adding Federated Authentication URLs to a Web Portal
14 Integrating with Third-Party Access Management Systems
  14.1 How Third-Party Access Management Works
    14.1.1 Scenario 1: The User Has Not Yet Authenticated to the Third-Party Server
    14.1.2 Scenario 2: The User Has Already Authenticated to the Third-Party Server
  14.2 Synchronizing the Third-Party Repository with Oracle Internet Directory
  14.3 Third-Party Integration Modules
    14.3.1 Using Vendor-Supplied Packages
    14.3.2 Building Your Own Package
      14.3.2.1 Guidelines for Using the Interfaces
      14.3.2.2 The Classes and Interfaces
      14.3.2.3 Configuration Steps
    14.3.3 Logging Out of the Integrated System
  14.4 Integrating with Windows Native Authentication
  14.5 Integration Case Study: SSOAcme
    14.5.1 Sample Integration Package
    14.5.2 Migrating the Release 9.0.2 Sample Implementation to Release 10.1.3
      14.5.2.1 New Authentication Interface
      14.5.2.2 Get User Name from HTTP Header
      14.5.2.3 Error Handling if User Name Not Present
      14.5.2.4 Return User Name to Single Sign-On Server
15 Exporting and Importing Data
  15.1 What's Exported and Imported?
  15.2 Export and Import Script: Syntax and Parameters
    15.2.1 Script Syntax
    15.2.2 Script Parameters
  15.3 Exporting Data from One Server to Another
    15.3.1 Export and Import Scenarios and Script Examples
      15.3.1.1 Export Scenarios
      15.3.1.2 Import Scenarios
    15.3.2 Running the Script
  15.4 Verifying That Export and Import Succeeded
  15.5 Consolidating Multiple Servers
  15.6 Error Messages
A Troubleshooting OracleAS Single Sign-On
  A.1 Problems and Solutions for General Single Sign-On Server Errors
    A.1.1 URL Exceeds Maximum Length
    A.1.2 Internal Server Error
    A.1.3 Unexpected Error
    A.1.4 File Not Found Error
    A.1.5 Authentication Failed
    A.1.6 The User Name Submitted for Authentication Does Not Match the User Name Present in the Existing Single Sign-On Session
    A.1.7 White Page Displayed When Accessing OracleAS Single Sign-On Administration
    A.1.8 Administrator Cannot See OracleAS Single Sign-On Administration Pages
    A.1.9 The "SSO Server Administration" Link Is Missing from the OracleAS Single Sign-On Administration Page
    A.1.10 Audit Log Insertion Exception: ORA-00018: Maximum Number of Sessions Exceeded
    A.1.11 Connection Limit Exceeded
    A.1.12 Failed Login Message When System Has Been Idle
    A.1.13 Error Due to Idle LDAP or Database Connection Timeouts
    A.1.14 Login to Portal Fails
  A.2 Problems and Solutions for Certificate Authentication Errors
    A.2.1 Network Error: Connection Refused
    A.2.2 The Single Sign-On Server Fails to Prompt the User for a Certificate
    A.2.3 Certificate Authentication Fails - User Is Presented with the Login Page
    A.2.4 User's Browser Certificate Not Found
    A.2.5 Mapping Module Class Name Not Found
    A.2.6 Mapping Module Instance Creation Failed
    A.2.7 Cannot Create the Mapping Module Object
    A.2.8 Exception in Creating Mapping Module
    A.2.9 Certificate Match Failed
  A.3 Problems and Solutions for Windows Native Authentication Errors
    A.3.1 A User Cannot Access a URL After Authenticating in Windows
    A.3.2 A User Who Is Already Authenticated in Windows Cannot Authenticate in the Browser
    A.3.3 Single Sign-On Server Fails to Start with a Credential Not Found Error
    A.3.4 Single Sign-On Server Displays Internal Server Error
    A.3.5 Single Sign-On Users Unable to Authenticate to KDC
    A.3.6 Windows Login Dialog Appears When Accessing a Partner Application
  A.4 Problems and Solutions for Password Policy Errors
    A.4.1 A Disabled User Can Still Log In
    A.4.2 A Disabled User Sees "Authentication Failed" Instead of "Account Disabled" Message
    A.4.3 The User Receives a Password Expiration Message at Login
    A.4.4 Password Expiration Message Does Not Appear on Command-Line Tools
  A.5 Diagnosing OracleAS Single Sign-On Problems
    A.5.1 Viewing the Log Files
    A.5.2 Increasing the Debug Log Level
    A.5.3 Enabling the Debug Option in the Single Sign-On Database
    A.5.4 Enabling LDAP Tracing for UI Operations
  A.6 Maintenance Tasks for OracleAS Single Sign-On
    A.6.1 Managing Single Sign-On Audit Records
    A.6.2 Refreshing the LDAP Connection Cache
    A.6.3 Restarting OC4J After Modifying Oracle Internet Directory
  A.7 A Word About Non-GET Authentication
  A.8 Need More Help?
B Obtaining the Single Sign-On Schema Password
  B.1 Using the Command Line
  B.2 Using Oracle Directory Manager
C policy.properties
Glossary
Index