Oracle® Retail Predictive Application Server Installation Guide Release 14.1.2 E70811-01
This appendix provides a basic description of Oracle Single Sign-On (SSO) and addresses these topics:
SSO is a term for the ability to sign on to multiple Web applications with a single user ID and password. There are many implementations of SSO. Oracle currently provides three different implementations:
Oracle SSO (OSSO)
Java SSO (with the 10.1.3.1 release of OC4J)
Oracle Access Manager (OAM 11g)
Note: OAM 11g provides more comprehensive user access capabilities. For additional support information, refer to Hardware and Software Requirements.
Most, if not all, SSO technologies use a session cookie to hold encrypted data passed to each application. The SSO infrastructure has the responsibility to validate these cookies and, possibly, update this information. The user is directed to log on only if the cookie is not present or has become invalid. These session cookies are restricted to a single browser session and are never written to a file.
Another facet of SSO is how these technologies redirect a user's Web browser to various servlets. The SSO implementation determines when and where these redirects occur and what the final window shown to the user is.
Most SSO implementations are performed in an application's infrastructure and not in the application logic itself. Applications that rely on infrastructure-managed authentication (for example, a deployment descriptor specifying Basic or Form authentication) typically need little or no code change when adapted to work in an SSO environment.
The nexus of an Oracle SSO system is the Oracle Identity Management Infrastructure installation. This consists of the following components:
An Oracle Internet Directory (OID) LDAP server, used to store user, role, security, and other information. OID uses an Oracle database as the back-end storage of this information.
An Oracle HTTP Server 11g Release 1 as a front end to the Oracle WebLogic Server. The Oracle HTTP Server is included in the Oracle Web Tier Utilities 11g Release 1 (11.1.1).
An Oracle SSO Plug-in (OAM 11g WebGate) is used to authenticate the user and create the OSSO session cookie. This is available in the Oracle Fusion Middleware 11g Identity and Access Management 11g package.
User and group information may also be loaded or modified through standard LDAP Data Interchange Format (LDIF) scripts.
Additional administrative scripts for configuring the OSSO system and registering HTTP servers.
For more information on setting up SSO, refer to either the Classic Client or Fusion Client version of the Oracle Retail Predictive Application Server Administration Guide.
Additional WebLogic managed servers are needed to deploy the business applications leveraging the OSSO technology.
This section lists the terms and definitions used in Oracle SSO.
Authentication
Authentication is the process of establishing a user's identity. There are many types of authentication. The most common authentication process involves a user ID and password.
Identity Management Infrastructure
The Identity Management Infrastructure is the collection of products and services that provide Oracle SSO functionality. This includes the Oracle Internet Directory, an Oracle HTTP server, and the Oracle SSO services. The Oracle Application Server deployed with these components is typically referred to as the Infrastructure instance.
mod_wl_ohs
mod_wl_ohs operates as a module within the HTTP server that allows requests to be proxied from the Apache HTTP server to the WebLogic server.
Oracle Internet Directory
Oracle Internet Directory (OID) is an LDAP-compliant directory service. It contains user IDs, passwords, group membership, privileges, and other attributes for users who are authenticated using Oracle SSO.
Partner Application
A partner application is an application that delegates authentication to the Oracle Identity Management Infrastructure. One such partner application is the Oracle HTTP Server (OHS) supplied with the Oracle Application Server. OHS uses the OAM 11g WebGate module to configure this functionality.
All partner applications must be registered with the Oracle Access Manager.
Realm
A Realm is a collection of users and groups (roles) managed by a single password policy. This policy controls what may be used for authentication (for example, passwords, X.509 certificates, and biometric devices). A Realm also contains an authorization policy used for controlling access to applications or resources used by one or more applications.
A single OID can contain multiple Realms. This feature can be used to consolidate security for retailers with multiple banners, or to consolidate security across multiple development and test environments.
SSO is not a user ID/password mapping technology.
However, some applications can store and retrieve user IDs and passwords for non-SSO applications within an OID LDAP server. An example of this is the Oracle Forms Web Application framework, which maps OSSO user IDs to database logins on a per-application basis.
RPAS usernames are case sensitive. Therefore, when setting up an SSO environment, ensure that the case sensitivity is maintained.
Note: For additional information, refer to the chapter "Configuring Single Sign-On with Oracle Access Manager 11g" in the Oracle Fusion Middleware Application Security Guide.
Figure D-1 illustrates the SSO topology.
For Oracle SSO installation, refer to the Oracle Fusion Middleware Application Security Guide 11g Release 1 (11.1.1), Part Number E10043-09.
The section, Deploying the Oracle Access Manager 11g SSO Solution (http://docs.oracle.com/cd/E21764_01/core.1111/e10043/osso_b_oam11g.htm#BABHHABA), provides information on how to implement OAM 11g with the Authentication Provider when you have applications that are (or will be) deployed in a WebLogic container.
User Management consists of displaying, creating, updating or removing user information. There are two basic methods of performing user management: LDIF scripts and the Delegate Administration Services (DAS) application.
The DAS application is a Web-based application designed for both administrators and users. A user may update their password, change their telephone number of record, or modify other user information. Users may search for other users based on partial strings of the user's name or ID. An administrator may create new users, unlock passwords, or delete users.
The DAS application is fully customizable. Administrators may define what user attributes are required, optional or even prompted for when a new user is created.
Furthermore, the DAS application is secure. Administrators may also control what user attributes are displayed to other users. Administration is based on permission grants, so different users may have different capabilities for user management based on their roles within their organization.
Script-based user management can be used to synchronize data between multiple LDAP servers. The standard format for these scripts is the LDAP Data Interchange Format (LDIF). OID supports LDIF scripts for importing and exporting user information. LDIF scripts may also be used for bulk user load operations.
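As an added example (not from the Oracle guide), a check that can be run over an LDIF bulk-load file before it is imported into OID, tying the script-based user management above to the earlier caveat that RPAS usernames are case sensitive. It assumes RPAS usernames are carried in the LDAP uid attribute and that the directory matches uid case-insensitively while RPAS does not; the LDIF content is constructed sample data.

```python
# Added example, not from the Oracle guide. Assumptions: RPAS usernames live in
# the LDAP 'uid' attribute, OID matches 'uid' case-insensitively (standard LDAP
# caseIgnoreMatch) and RPAS compares usernames case-sensitively, so two uids that
# differ only in case are one directory identity but two RPAS users.
from collections import defaultdict

# Constructed sample LDIF; the second entry collides with the first for RPAS.
SAMPLE_LDIF = """\
dn: cn=jsmith,cn=Users,dc=example,dc=com
objectclass: inetOrgPerson
uid: jsmith

dn: cn=JSmith,cn=Users,dc=example,dc=com
objectclass: inetOrgPerson
uid: JSmith

dn: cn=ajones,cn=Users,dc=example,dc=com
objectclass: inetOrgPerson
uid: ajones
"""


def parse_ldif(text):
    """Parse the LDIF subset used in bulk loads: 'attr: value' lines, comments,
    blank-line separators and folded continuation lines (leading space).
    Returns a list of dicts mapping lowercase attribute name -> list of values."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:    # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends the current entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:  # folded line continues previous value
            cur[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries


def find_case_conflicts(entries):
    """Map folded uid -> sorted distinct spellings for uids that occur in more
    than one spelling. A non-empty result means the file should not be loaded."""
    spellings = defaultdict(set)
    for e in entries:
        for uid in e.get("uid", []):
            spellings[uid.lower()].add(uid)
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
```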
The user store for Oracle SSO resides within the Oracle Internet Directory (OID) LDAP server. Oracle Retail applications may require additional information attached to a user name for application-specific purposes, and this information may be stored in an application-specific database. Currently, there are no Oracle Retail tools for synchronizing changes in OID-stored information with application-specific user stores. Implementers should plan appropriate time and resources for this process. Oracle Retail strongly suggests that you configure any Oracle Retail application that uses LDAP for its user store to point to the same OID server used with Oracle SSO.