25.14 Adding and Managing Policy Responses for SSO

Policies and responses enable single sign-on and can override other directives.

Before starting activities in this section, be sure to review the "Introduction to Policy Responses for SSO".

Unless explicitly stated, information in this section applies equally to authentication and authorization responses.

25.14.1 Adding a Policy Response for SSO

Users with valid Administrator credentials can add a policy response for authentication or authorization to the Protected Resource Policy.

For example, you can collect the DN of the realm that is created when Oracle Internet Directory is installed. Optionally, you can also configure the global user ID of the subscriber in Oracle Internet Directory or a subscriber name rather than the default company as shown in Table 25-31.

Table 25-31 Fresh OSSO Installation: Protected Policy Response (Header)

| Response Parameter | Collect Realm DN when OID is Installed | Configure GUID of Subscriber in OID to Different Company | Configure GUID of Subscriber in OID to Default Company |
|---|---|---|---|
| Name | osso-subscriber-dn (lowercase) | osso-subscriber (optional) | osso-subscriber-guid (optional) |
| Type | Header | Header | Header |
| Value | dc=country,dc=example,dc=com | dc=country_or_region,dc=com ,dc=default_company,dc=com | Go to the subscriber DN (in Oracle Internet Directory, for example) and find the value (of orclguid for the DN, for example). |

Prerequisites

Analyze desired conditions before crafting authorization responses to ensure the appropriate actions are taken by the response. You need an Application Domain with an existing authentication or authorization policy.

To add a policy response

  1. Locate the desired domain as described in "Searching for an Authorization Policy".
  2. In the individual policy page, click the Responses tab, then click the Add button and:
    • In the Name field, enter a unique name for this response.

    • From the Type list, choose a response type (Session, Header, or Cookie).

    • In the Value field, enter a value for this response. For example: $namespace1.var1

    • Repeat as needed.

  3. Click Apply, then close the Confirmation window.
  4. Close the page when you finish.
  5. Verify the Responses based on your definitions.

25.14.2 Viewing, Editing, or Deleting a Policy Response for SSO

Users with valid Administrator credentials can view or edit a policy response for authentication or authorization.

Prerequisites

You must have an Application Domain with an existing authentication or authorization policy.

To view, modify, or delete a policy response

  1. Locate the desired domain as described in "Searching for an Existing Application Domain".
  2. Click the Authentication (or Authorization) Policies tab, then click the desired policy name.
  3. On the individual policy page, click the Responses tab and proceed as needed:
    • Add: See "Adding a Policy Response for SSO"

    • Edit: Click the desired Response Name, Type, or Value, edit as needed, and click Apply.

    • Delete: Click the desired response, then click the Delete button for the Response table.

  4. Close the Confirmation window.
  5. Close the page when you finish.
  6. Verify Responses based on your definitions for:
    • Header

    • Session

    • Cookie: Use a browser plug-in tool or turn on the browser "show cookies" settings.

    • Assertion Claim
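
One way to carry out the "Verify Responses" step for Header and Cookie responses, as an added example that is not part of the Oracle documentation: it compares the response definitions with the request headers a protected application actually received. The function name `verify_responses`, the `app-pref` and `dept` rows, and all sample values are constructed for illustration, and the code assumes a Session response is not carried in the request.

```python
from http.cookies import SimpleCookie

# Definitions as entered on the Responses tab. The osso-* names come from
# Table 25-31; the Cookie and Session rows and all values are constructed.
EXPECTED = [
    {"name": "osso-subscriber-dn", "type": "Header", "value": "dc=country,dc=example,dc=com"},
    {"name": "osso-subscriber-guid", "type": "Header", "value": "$namespace1.var1"},
    {"name": "app-pref", "type": "Cookie", "value": "en"},
    {"name": "dept", "type": "Session", "value": "$namespace1.var1"},
]

def verify_responses(expected, raw_headers):
    """Map each defined response name to a status for one captured request."""
    headers, cookies = {}, SimpleCookie()
    for name, value in raw_headers:
        key = name.lower()                  # HTTP header names are case-insensitive
        headers.setdefault(key, []).append(value)
        if key == "cookie":
            cookies.load(value)
    report = {}
    for resp in expected:
        name, rtype, want = resp["name"], resp["type"], resp["value"]
        if rtype == "Session":
            report[name] = "not-in-request"  # assumption: verify via the session instead
            continue
        if rtype == "Cookie":
            got = [cookies[name].value] if name in cookies else []
        else:
            got = headers.get(name.lower(), [])
        if not got:
            report[name] = "missing"
        elif len(got) > 1:
            report[name] = "duplicate"       # ambiguous: which copy does the app read?
        elif not got[0].strip():
            report[name] = "empty"
        elif want.startswith("$"):
            report[name] = "ok"              # expression value: only presence is checkable
        else:
            report[name] = "ok" if got[0] == want else "mismatch"
    return report

# Constructed capture of the headers a protected application received.
SAMPLE = [
    ("Host", "app.example.com"),
    ("OSSO-SUBSCRIBER-DN", "dc=country,dc=example,dc=com"),
    ("osso-subscriber-guid", ""),
    ("Cookie", "app-pref=fr; other=1"),
]

if __name__ == "__main__":
    print(verify_responses(EXPECTED, SAMPLE))
```

A "duplicate" or "empty" status on a header the application uses for identity is worth investigating before relying on that response.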