User Authentication
The OIPA application provides an out-of-the-box user authentication mechanism as well as the ability to implement alternative authentication models, such as Single Sign-On (SSO), through the OIPA extensions. If the system is implemented with SSO, additional measures need to be taken to properly secure the authentication infrastructure. Depending on the implementation chosen, either the authentication server should be placed within the OIPA application server and database zone, or the call to the authentication service needs to be made over a secure connection.
Out-of-the-box OIPA user authentication is performed for interactive users who access the system through web browsers, and for incoming web service calls. Interactive users are prompted on the application's login page to provide a username and password to authenticate to the server. Web services are protected with WS-Security, which requires incoming web service calls (which must be transmitted over a secure SSL connection) to carry a security header with a username and password.
Both web service and interactive user authentication are implemented through the same authentication service provided by the business logic tier of the OIPA application. The authentication service retrieves the matching user record from the OIPA database; the record contains basic user information and a secure digest of the password. The digest of the incoming password is then compared to the stored digest, and the authentication decision is made based on the result of that comparison. For certain web services, additional functional security is enforced beyond user authentication to control whether those services can be executed.
OIPA User Authentication
The encrypted password digest is created by the Rules Palette when a user is created. When a new OIPA environment is created using the Rules Palette's Web Application Utility, the process allows the encryption parameters to be configured. The settings include the particular encryption algorithm (from the list of supported algorithms below) and the number of iterations of the algorithm.
- SHA-256
- SHA-384
- SHA-512
The number of encryption iterations is a value between 1000 and 9999. A higher number of iterations makes the stored digest harder to brute-force, but also requires more computation each time a password is digested and verified. For more information, please refer to the associated version of the Rules Palette Help System that is located on the Oracle Technology Network.
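The following is an added illustration of the digest-and-compare flow described above, written for this page and not taken from OIPA or the Rules Palette. It uses the algorithms and iteration range the documentation lists; the salt prefix, the re-hash-the-previous-output construction and the record layout are assumptions, since OIPA's exact digest format is not given here.

```python
import hashlib
import hmac
import os

# Algorithms and iteration range listed in the OIPA documentation.
SUPPORTED_ALGORITHMS = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}
MIN_ITERATIONS, MAX_ITERATIONS = 1000, 9999


def iterated_digest(password: str, algorithm: str, iterations: int, salt: bytes) -> bytes:
    """Digest the salted password, then re-digest the output until `iterations` rounds are done.

    Assumed construction for illustration: salt || password on the first round,
    previous digest on every following round. Rejects unsupported algorithms and
    iteration counts outside the documented 1000-9999 range.
    """
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise ValueError(f"iterations must be between {MIN_ITERATIONS} and {MAX_ITERATIONS}")
    name = SUPPORTED_ALGORITHMS[algorithm]
    digest = hashlib.new(name, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    return digest


def create_user_record(username: str, password: str, algorithm: str, iterations: int) -> dict:
    """Model the user record the Rules Palette stores: digest and parameters, never the plaintext."""
    salt = os.urandom(16)  # assumed per-user random salt
    return {
        "username": username,
        "algorithm": algorithm,
        "iterations": iterations,
        "salt": salt,
        "digest": iterated_digest(password, algorithm, iterations, salt),
    }


def authenticate(record: dict, password: str) -> bool:
    """Recompute the digest of the presented password and compare it to the stored one.

    hmac.compare_digest runs in constant time, so a mismatch in the first byte
    takes as long as a mismatch in the last and leaks nothing about the stored value.
    """
    candidate = iterated_digest(password, record["algorithm"], record["iterations"], record["salt"])
    return hmac.compare_digest(candidate, record["digest"])
```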