OracleAS Single Sign-on

The OracleAS Single Sign-on (OSSO) solution provides SSO access to web applications using Oracle Internet Directory (OID) as the user directory. Users use a user name and password defined in an OID to log in to Oracle Enterprise Performance Management System products.

Process Flow


Illustration of the OSSO process

The OSSO process:

  1. Using an EPM System URL, for example, http://OSSO_OHS_Server_NAME:OSSO_OHS_Server_PORT/interop/index.jsp, users access an EPM System component that is defined as an OSSO protected application.

  2. Because the URL is under OSSO protection, mod_osso, deployed on Oracle HTTP Server, intercepts the request. Using mod_osso, Oracle HTTP Server checks for a valid cookie. If a valid cookie is not available in the request, Oracle HTTP Server redirects users to the OSSO Server, which challenges them for credentials and authenticates those credentials against OID.

  3. OSSO Server creates the obSSOCookie and returns control to the mod_osso module on the Oracle HTTP Server, which sets the obSSOCookie in the browser. It also redirects the request to the EPM System resource through mod_wl_ohs (Oracle WebLogic Server). Before forwarding the request to an EPM System resource, Oracle HTTP Server sets the Proxy-Remote-User header, which EPM System security uses to enable SSO.

  4. The EPM System component verifies that the user whose identity is retrieved from Proxy-Remote-User is present in OID. For this process to work, the OID that is configured with the OSSO Server should be configured as an external user directory in Oracle Hyperion Shared Services.
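
The four steps above hinge on the Proxy-Remote-User header being set only by Oracle HTTP Server. The following Python model is an added example, not Oracle code or part of the original documentation; the class, its method names, and the sample user are hypothetical, and overwriting a client-supplied copy of the header is the property to verify in a deployment rather than documented mod_osso behavior.

```python
import hmac
import secrets
from dataclasses import dataclass, field

HEADER = "Proxy-Remote-User"   # header named in step 3
COOKIE = "obSSOCookie"         # cookie named in step 3


@dataclass
class OssoModel:
    """Simplified stand-in for OSSO Server, Oracle HTTP Server and an EPM component."""
    oid_users: dict                                # constructed OID: user -> password
    sessions: dict = field(default_factory=dict)   # cookie value -> user

    def login(self, user, password):
        """Steps 2-3: OSSO Server authenticates against OID and issues the cookie."""
        stored = self.oid_users.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def ohs_handle(self, headers, cookies):
        """Steps 2-3: mod_osso checks the cookie, then sets the identity header."""
        user = self.sessions.get(cookies.get(COOKIE, ""))
        if user is None:
            return 302, "redirect to OSSO Server"
        # Discard any copy of the header sent by the client (case-insensitive),
        # so the forwarded value always comes from the validated session.
        forwarded = {k: v for k, v in headers.items()
                     if k.lower() != HEADER.lower()}
        forwarded[HEADER] = user
        return self.epm_handle(forwarded)

    def epm_handle(self, headers):
        """Step 4: the EPM component checks that the asserted user exists in OID."""
        user = headers.get(HEADER)
        if user not in self.oid_users:
            return 403, "user not found in OID"
        return 200, f"signed in as {user}"


if __name__ == "__main__":
    model = OssoModel({"jdoe": "constructed-pw"})       # constructed sample data
    print(model.ohs_handle({}, {}))                      # no cookie yet
    cookie = model.login("jdoe", "constructed-pw")
    print(model.ohs_handle({"proxy-remote-user": "admin"}, {COOKIE: cookie}))
```

In this model epm_handle accepts whatever header value reaches it, which is why the WebLogic Server ports behind mod_wl_ohs should be reachable only from Oracle HTTP Server.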

Prerequisites

  1. A fully functional Oracle Application Server Infrastructure.

    To establish an Oracle Application Server Infrastructure, install and configure Oracle Identity Management Infrastructure 10.1.4. Ensure that OSSO is enabled. Oracle Identity Management Infrastructure 10.1.4 installation includes the following components to support OSSO:

    • Oracle 10g OSSO Server.
    • An OID, which the OSSO Server uses to validate credentials. See the following guides:
      • Oracle Fusion Middleware Installation Guide for Oracle Identity Management
      • Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory
    • Oracle HTTP Server as a frontend to the OSSO Server. This installation includes mod_osso, which allows you to define partner applications for OSSO.

      Note:

      This Oracle HTTP Server instance is a part of the OSSO infrastructure; it is not directly used for configuring OSSO for EPM System components.

      During the installation process, ensure that mod_osso is registered with the OSSO Server as a partner application.

  2. A fully functional EPM System deployment.

    When you configure the web server for EPM System components, EPM System Configurator configures mod_wl_ohs.conf on the Oracle HTTP Server to proxy requests to the WebLogic Server.