Oracle has two solutions for web-based single sign-on. One solution is to use the legacy Oracle single sign-on product which is integrated in the Oracle Application Server. Another solution is to use the Oracle Access Manager product, previously known as Oblix Access, with Identity Server. The following major components comprise the Oracle Access System:
Identity Server: Provides user management and delegated administration functionality and workflows.
Policy Manager: Provides a web-based interface where administrators can create and manage access policies. The Policy Manager communicates with the directory server to write policy data, and communicates with the Access Server over the Oracle Access Protocol (OAP) to update the Access Server when certain policy modifications are made.
Access Server: Provides centralized authentication, authorization, and auditing to enable single sign-on and secure access control across enterprise resources.
WebPass: An Oracle Access Manager web server plug-in (NSAPI filter). WebPass passes information back and forth between a web server and the Identity Server. Depending upon its configuration, the Identity Server processes a request as either an XML or HTML file.
WebGate: A web server plug-in access client analogous to the Sun OpenSSO Enterprise Policy Agent. WebGate intercepts HTTP requests for web resources and forwards them to the Access Server for authentication and authorization.
The Access Server generates a session token with a URL that contains the ObSSOCookie. When the cookie is generated, part of the cookie is used as an encrypted session token. The encrypted session token contains the following:
Distinguished name (DN) of the user
Level of the authentication scheme
IP address of the client to which the cookie was issued
Time the cookie was originally issued
Time the cookie was last updated
If the user has not been idle, the cookie is updated at a fixed interval so that the session is not logged out. The update interval is one-fourth of the idle session timeout parameter.
Unencrypted ObSSOCookie data includes the following:
Cookie expiration time
Domain in which the cookie is valid
Optional flag that determines if the cookie can only be sent over SSL
The ObSSOCookie is a secure mechanism for user authentication. When the Access System generates the cookie, an MD5 hash is taken of the session token. When the ObSSOCookie is used to authenticate a user, the MD5 hash is compared with the original cookie contents to make sure no one has tampered with the cookie. MD5 is a one-way hash, so it cannot be reversed. The Access Server performs the comparison by hashing the session token again and comparing the output with the hash of the token already present in the Oracle Access Server cookie. If the two hashes do not match, the cookie is corrupt. The system relies on the fact that if someone tampers with the session token, the hashes will not match.
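The following is an added model of the token fields, the MD5 tamper check and the refresh-interval rule described above; it is illustrative code, not Oracle's implementation. The JSON serialization, the "<hex token>.<md5>" cookie layout and the function names are assumptions, and the token part is left unencrypted here so the integrity comparison is easy to follow.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass
class SessionToken:
    # The five fields the page lists for the encrypted session token.
    user_dn: str      # distinguished name of the user
    auth_level: int   # level of the authentication scheme
    client_ip: str    # IP address of the client the cookie was issued to
    issued_at: int    # time the cookie was originally issued (epoch seconds)
    updated_at: int   # time the cookie was last updated (epoch seconds)

def serialize(token: SessionToken) -> bytes:
    # Canonical JSON so an identical token always yields an identical digest.
    # Assumed encoding for this model, not Oracle's wire format.
    return json.dumps(asdict(token), sort_keys=True).encode()

def token_digest(token: SessionToken) -> str:
    # MD5 of the session token, as the page describes.
    return hashlib.md5(serialize(token)).hexdigest()

def encode_cookie(token: SessionToken) -> str:
    # Constructed layout "<hex token>.<md5>". In the real product the token
    # part is encrypted; it is left readable here so the check is visible.
    return f"{serialize(token).hex()}.{token_digest(token)}"

def check_cookie(cookie: str) -> Optional[SessionToken]:
    # Re-hash the presented token and compare with the digest carried in the
    # cookie; a mismatch means the token was altered after it was issued.
    try:
        token_hex, presented = cookie.split(".", 1)
        token = SessionToken(**json.loads(bytes.fromhex(token_hex)))
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(token_digest(token), presented):
        return None
    return token

def needs_refresh(token: SessionToken, now: int, idle_timeout: int) -> bool:
    # Active sessions are re-stamped every 1/4 of the idle session timeout.
    return now - token.updated_at >= idle_timeout // 4

def is_idle_expired(token: SessionToken, now: int, idle_timeout: int) -> bool:
    # No refresh within the full idle timeout: the session has timed out.
    return now - token.updated_at >= idle_timeout
```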