Protecting Forms applications with Single Sign-On
Oracle Forms applications are configured through a central configuration file, formsweb.cfg, located in the $DOMAIN_HOME/config/fmwconfig/servers/WLS_FORMS/applications/formsapp_14.1.2/config directory. The recommended way to manage formsweb.cfg is through Fusion Middleware Control.
The parameters in the following table, defined in the Oracle Forms Services configuration file formsweb.cfg, are the ones needed to enable Single Sign-On for individual Forms applications or for all of them.
Table -28 Parameters used to enable single Sign-On
| Parameter Name | Valid values | Default Value |
|---|---|---|
| ssoMode | true, webgate, false | false |
| ssoProxyConnect | yes, no | yes |
| ssoDynamicResourceCreate | true, false | true |
| ssoErrorUrl | String URL | |
| ssoCancelUrl | String URL | |
Note:
A detailed description of these parameters and their possible values follows. These Oracle Forms parameters are set in the User Parameter section of formsweb.cfg, which defines the behavior of all Forms applications run by the server. They can also be set in a Named Configuration, which defines the settings for a particular application only. A single sign-on parameter set in a Named Configuration section overrides the same parameter set in the User Parameter section.
To enable single sign-on for an application:
- Start Fusion Middleware Control.
- Select Web Configuration from the Forms menu.
- Select the row that lists the configuration section for your application.
- In the Section region, select sso in the Show drop down list.
- In the Section region, select the row containing ssoMode.
- In the Value field, enter webgate or TRUE.
- Click Apply to update the formsweb.cfg file.
Single sign-on is now enabled for the selected application.
To disable single sign-on for an application:
- Select Web Configuration from the Forms menu.
- Select the row that lists the configuration section for your application.
- In the Section region, select sso in the Show drop down list.
- In the Section region, select the row containing ssoMode.
- In the Value column, enter FALSE.
- Click Apply.
ssoMode
The ssoMode parameter determines whether an Oracle Forms Services application requires authentication by an authentication server. It can take the following values:
- TRUE or webgate: the application requires authentication by the OAM Server, using Webgate as the access client. Webgate must be configured manually.
- FALSE: the application does not require authentication by an authentication server.
By default, Oracle Forms applications are not configured to run in single sign-on mode. The ssoMode parameter can be set in two places in the formsweb.cfg file:
- In the default section of formsweb.cfg, with a value of true or webgate, which makes all applications served by this Oracle Forms Services instance run in single sign-on mode.
- In the named configuration of an Oracle Forms application, which enables or disables single sign-on only for that particular application, for example:
[myApp]
form=myFmx
ssoMode=true
ssoProxyConnect
The ssoProxyConnect parameter controls when Oracle Forms uses a proxy connection to the database and when it does not. It can be set in two ways:
- In the default section of formsweb.cfg, with a value of yes, which makes all applications served by this Oracle Forms Services instance use a proxy connection to the database.
- By passing the ssoProxyConnect parameter in the URL at runtime, for example:
http://<host>:<port>/?config=myapp&……&ssoProxyConnect=yes
ssoDynamicResourceCreate
The ssoDynamicResourceCreate parameter is set to true by default, which allows a user to create a Resource Access Descriptor (RAD) entry in OPSS (depending on how the identity store is configured) for the application if no such entry exists yet.
Allowing dynamic resource creation simplifies administration because an administrator no longer needs to create user RAD information in advance. The ssoDynamicResourceCreate parameter can be set as a system parameter in the formsweb.cfg file or as a parameter of a named configuration. Because the default is true, the parameter is normally used in a named configuration when a specific application should handle a missing RAD entry differently from the default.
Note that enabling an application for single sign-on with ssoDynamicResourceCreate set to false, without specifying a value for ssoErrorURL, causes Oracle Forms to show an error message if no RAD resource exists for the authenticated user and this application.
Because not all administrators want users to create resources for themselves, these parameters let administrators control resource creation in the Forms Identity Store. The default behavior directs users to an HTML form that allows them to create the resource; the administrator can change the setting and instead redirect the user to a custom URL.
To do so, set these parameters in the configuration section of the Forms application:
[myApp]
form=myFmx
ssoMode=true
ssoDynamicResourceCreate=false
For information about setting these parameters through Enterprise Manager Fusion Middleware Control, see Managing Parameters.
ssoErrorURL
The ssoErrorURL parameter allows an administrator to specify a redirection URL that handles the case where a user RAD entry is missing for a particular application. This parameter has an effect only if ssoDynamicResourceCreate is set to false, which disables dynamic resource creation. The ssoErrorURL parameter can be defined in the default section and as a parameter in a named configuration section. The URL can point to any kind of application: a static HTML file, or a custom servlet or JSP that handles the RAD creation, as in the example below.
[myApp]
form=myFmx
ssoMode=true
ssoDynamicResourceCreate=false
ssoErrorURL=http://example.com:7779/servlet/handleCustomRADcreation.jsp
…
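The override rule from the note above (a named configuration wins over the default section) and the missing-RAD warning from the ssoDynamicResourceCreate section can both be checked mechanically before a formsweb.cfg goes live. The following Python script is an added example, not part of this page or of Oracle Forms: it parses a constructed formsweb.cfg fragment with the standard-library configparser, treating [default] as the section every named configuration inherits from, and reports the effective SSO settings of each named configuration together with a finding where ssoMode is on, ssoDynamicResourceCreate is false and no ssoErrorUrl is set. It assumes that parameter names and the values true, webgate, false are compared case-insensitively (the page itself writes both TRUE and true, ssoErrorUrl and ssoErrorURL); the section names myApp, hrApp and legacyApp, the form names and the URL in the sample are constructed.

```python
"""Audit single sign-on settings in a formsweb.cfg file (added example)."""
import configparser
from dataclasses import dataclass, field

# Constructed sample, modelled on the formsweb.cfg fragments shown on this page.
SAMPLE_CFG = """\
# formsweb.cfg - constructed sample, not a real deployment
[default]
form=test.fmx
ssoMode=false
ssoProxyConnect=yes
ssoDynamicResourceCreate=true

[myApp]
form=myFmx
ssoMode=true
ssoDynamicResourceCreate=false
ssoErrorUrl=http://example.com:7779/servlet/handleCustomRADcreation.jsp

[hrApp]
form=hr.fmx
ssoMode=webgate
ssoDynamicResourceCreate=false

[legacyApp]
form=legacy.fmx
"""

SSO_ON_VALUES = {"true", "webgate"}   # ssoMode values that require OAM authentication


@dataclass
class SsoReport:
    section: str
    sso_enabled: bool
    dynamic_rad: bool
    error_url: str
    findings: list = field(default_factory=list)


def load_formsweb(text):
    """Parse formsweb.cfg text. [default] supplies values that named sections
    inherit unless they override them, which is the precedence rule on this page."""
    cp = configparser.ConfigParser(
        default_section="default",   # the global section is literally named [default]
        delimiters=("=",),           # URL values contain ':' so only '=' separates key/value
        interpolation=None,          # keep any literal '%' in values
        strict=False,                # tolerate repeated keys/sections in hand-edited files
    )
    cp.read_string(text)
    return cp


def audit_sso(text):
    """Return {section: SsoReport} for every named configuration."""
    cp = load_formsweb(text)
    reports = {}
    for section in cp.sections():
        # Fallbacks are the documented defaults when a parameter is absent everywhere.
        # Assumption: names and values are case-insensitive (configparser lowercases keys).
        mode = cp.get(section, "ssoMode", fallback="false").strip().lower()
        dynamic = cp.get(section, "ssoDynamicResourceCreate", fallback="true").strip().lower()
        error_url = cp.get(section, "ssoErrorUrl", fallback="").strip()
        enabled = mode in SSO_ON_VALUES
        report = SsoReport(section, enabled, dynamic != "false", error_url)
        if mode not in SSO_ON_VALUES | {"false"}:
            report.findings.append(f"unrecognized ssoMode value {mode!r}")
        if enabled and not report.dynamic_rad and not error_url:
            report.findings.append(
                "ssoMode on, ssoDynamicResourceCreate=false and no ssoErrorUrl: "
                "users without a RAD entry will get a Forms error message")
        reports[section] = report
    return reports


if __name__ == "__main__":
    for rep in audit_sso(SAMPLE_CFG).values():
        state = "SSO" if rep.sso_enabled else "no SSO"
        print(f"[{rep.section}] {state}, dynamic RAD={rep.dynamic_rad}, "
              f"ssoErrorUrl={rep.error_url or '-'}")
        for finding in rep.findings:
            print("   !", finding)
```

Run it against a copy of your own formsweb.cfg by replacing SAMPLE_CFG with the file's contents; in the sample, legacyApp inherits ssoMode=false from [default], myApp overrides it and supplies an error URL, and hrApp is the one that gets flagged.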
ssoCancelUrl
The ssoCancelURL parameter is used together with the dynamic RAD creation feature (ssoDynamicResourceCreate=true) and defines the URL to which the user is redirected on pressing the Cancel button in the HTML form used to dynamically create the RAD entry for the requested application.
Accessing Single Sign-on Information From Forms
Optionally, if a Forms application needs to work with the login information supplied by the authentication server, the GET_APPLICATION_PROPERTY() built-in can retrieve the following: the single sign-on user ID, the user distinguished name (dn), and the subscriber distinguished name (subscriber dn).
DECLARE
  authenticated_username  VARCHAR2(255);
  userDistinguishedName   VARCHAR2(1024);
  subscriberName          VARCHAR2(1024);
  config                  VARCHAR2(255);
BEGIN
  authenticated_username := GET_APPLICATION_PROPERTY(SSO_USERID);
  userDistinguishedName  := GET_APPLICATION_PROPERTY(SSO_USERDN);
  subscriberName         := GET_APPLICATION_PROPERTY(SSO_SUBDN);
  config                 := GET_APPLICATION_PROPERTY(CONFIG);
END;
The Forms application developer can obtain the SSO information such as single sign-on user ID, subscriber distinguished name (subscriber dn), and user distinguished name (dn) in SSO mode with either OracleAS Single Sign-On server or Oracle Access Manager when using webgate as the access client.
When Oracle Platform Security Services (OPSS) is used as the Forms Identity Store, passing SSO_USERDN or SSO_SUBDN to the GET_APPLICATION_PROPERTY built-in returns an empty string. These two parameters are valid only when running with Oracle Internet Directory as the Forms Identity Store.
Note:
config can be obtained even in non-SSO mode.