8Administering Single Sign-On
Administering Single Sign-On
This chapter describes how to administer Oracle CRM On Demand Desktop Single Sign-On. It contains the following topics:
Overview of Single Sign-On for Oracle CRM On Demand Desktop
Oracle CRM On Demand Desktop Single Sign-On (Oracle CRM On Demand Desktop SSO) allows you to implement single sign-on for the Oracle CRM On Demand Desktop client. It supports standard Web browser functionality, such as HTTP forms, cookies, and process redirects. It provides the following capabilities:
Supports your existing Web single sign-on feature. You can customize Oracle CRM On Demand Desktop SSO so that it works in your network topology and for mobile or remote access.
Supports your custom user interface. You can use Oracle CRM On Demand Desktop SSO, which is automated and transparent to the user. You can also use it with a custom-authentication screen that you already use, or you can include it with your company branding.
Supports typical, login name and password authentication or custom authentication, which requires more than a login name and password (multifactor authentication).
Handles single sign-on, session, and network errors in a way that is transparent to the user.
This topic describes an overview of single sign-on for Oracle CRM On Demand Desktop. It includes the following information:
Types of Authentication That You Can Use with Oracle CRM On Demand Desktop SSO
This topic describes the types of authentication that you can use with Oracle CRM On Demand Desktop SSO.
Noninteractive Authentication
Noninteractive authentication is a type of authentication in Oracle CRM On Demand Desktop SSO that reuses the login name and password from the Oracle CRM On Demand Desktop Login dialog box. Oracle CRM On Demand Desktop SSO does not display a separate CRM Desktop SSO Login dialog box in the client. Noninteractive authentication includes the following functionality:
Save password. The user can set the Save Password option on the Oracle CRM On Demand Desktop Login dialog box to one of the following values:
Include a check mark. Oracle CRM On Demand Desktop SSO stores credentials in an encrypted form in the Windows Registry. It does not prompt the user for credentials the next time that the user starts Oracle CRM On Demand Desktop.
Do not include a check mark. Oracle CRM On Demand Desktop SSO stores credentials in memory but not in the Windows Registry. It prompts the user for credentials the next time the user starts Oracle CRM On Demand Desktop. It prompts the user for credentials once for each SSO session. This behavior typically occurs during the first synchronization that occurs after the user restarts Oracle CRM On Demand Desktop.
Detect session expiration. If an Oracle CRM On Demand Desktop SSO session expires, then Oracle CRM On Demand Desktop SSO reestablishes the session without involving the user. Oracle CRM On Demand Desktop SSO requires user interaction only if the user credentials are not valid.
Use only the login name and password. Noninteractive authentication does not support multifactor authentication, such as requiring code from a security token in addition to the password.
Detect invalid user password. The SSO script can detect if the user enters an invalid password and then react accordingly.
Interactive Authentication
Interactive authentication is a type of authentication in Oracle CRM On Demand Desktop SSO that displays a separate Oracle CRM On Demand Desktop SSO Login dialog box in the client. The user must enter the login credentials in this dialog box. Interactive authentication includes the following functionality:
Ignore save password. The user can set the Save Password option on the Oracle CRM On Demand Desktop Login dialog box, but Oracle CRM On Demand Desktop SSO ignores this setting.
Detect session expiration. If an Oracle CRM On Demand Desktop SSO session expires, then Oracle CRM On Demand Desktop SSO prompts the user to provide credentials and then reestablishes the session.
Multifactor authentication. Supports more than the login name and password for authentication, such as requiring a code from a security token in addition to the password. The Oracle CRM On Demand Desktop SSO Login dialog box can include more fields, images, a list of questions which, the user must answer, ActiveX controls, and other items that your implementation requires for authentication. It can support an input field for an RSA (Rivest Shamir Adleman) token, a CAPTCHA, or other information, which only the user can provide.
Supports Internet Explorer. The Oracle CRM On Demand Desktop SSO Login dialog box is an Internet Explorer ActiveX dialog box.
Interactive authentication requires Windows Internet Explorer 7 or later to be installed on the target computer.
Single Sign-On Services that Oracle CRM On Demand Desktop Supports
Oracle CRM On Demand Desktop supports SAML Web SSO (Version 1.1 and Version 2.0) with either POST or Artifact profiles. Authentication must be browser-based (for example, form-based, HTTP Basic, HTML, and so on).
Configuring Oracle CRM On Demand Desktop SSO
Oracle CRM On Demand Desktop is packaged with an SSO installation, which is embedded in the Oracle CRM On Demand Desktop EXE file. It includes the SSO scripts for the Generic SAML Connector.
By default, SSO is disabled and must be enabled. This procedure shows you how to enable SSO in the default configuration of Oracle CRM On Demand Desktop by setting the COMPANYSSOID parameter, using the Oracle CRM On Demand Desktop installer on the command line.
[HKEY_CURRENT_USER\Software\Oracle\CRM OnDemand Desktop\Connector directory in the Microsoft Windows registry.
To configure Oracle CRM On Demand Desktop SSO
On the command line, set the COMPANYSSOID parameter, using the Oracle CRM On Demand Desktop installer:
"Oracle CRM On Demand Desktop.5.0.0.x.exe" /V"COMPANYSSOID=<SSOID>"In the command, <SSOID> is the company sign-in user ID from the Oracle CRM On Demand Company Profile page.
Select Use Single Sign-On from the Oracle CRM On Demand Desktop page to enable SSO.