Single Sign On (SSO) Server
Configuration for Oracle 10gAS Application Server
Rampant Author Ben Prusinski
What is the best way to configure and
manage Oracle 10gAS Single Sign On (SSO) with Portal? Compared
to the complex nature of OID and SSL, Single Sign On is fairly
straight forward and simple to configure and administer. This
article will provide a summary of how SSO works within 10gAS and
Portal and then some exercises to configure, administer and
monitor its operations with Oracle 10gAS (10.1.2.0.2) on Linux
How Does Single
Sign On Work?
Single Sign On (SSO) is part of the
Oracle 10gAS identity management (IdM) technology that is stored
within the Oracle 10g Application Server database repository
called the Infrastructure. The way it works is based on the
concept of web browser cookies which are authenticated by the
Oracle 10gAS server and reciprocated to partner and external
applications on the end user web browser. Partner applications
are internal web based applications such as Oracle 10g Portal,
Forms and Reports within the Oracle 10gAS application server
environment. In other words, users accessing applications within
Oracle Application Server must be authenticated by the Oracle
10gAS Single Sign On Server. External applications are third
party external web based applications that can be included in
the 10gAS environment in terms of authentication via single sign
on. Single Sign On (SSO) is based on the
mod_osso module of the
OHS (Oracle HTTP Server ie: Apache 1.3.x) within the Oracle
10gAS application server. Getting back to the difference between
partner applications and external applications in terms of how
SSO behaves is that external applications retain their usernames
and passwords without delegating responsibility for
authentication to the SSO server.
mod_osso and SSO
The mod_osso module is contained within the OHS (Oracle HTTP
Server) and transmits simple header values to Oracle 10g
Application Server applications as part of user validation and
authentication procedures. These header values include the
- user DN (distinguished name) used with OID
(Oracle Internet Directory)
The SSO server issues a
challenge to the application and once the user and application
have been authenticated, the redirect occurs back to the user
browser which sets the SSO cookie in the user's browser with the
authorization token. Now that we have given the summary on SSO
concepts, lets examine how to setup, configure and administer a
basic SSO environment with Oracle 10gAS (10.1.2.0.2) and Portal
on Linux (OEL 5.3) platform.
Configure Single Sign On Server
Single Sign On server (SSO) is composed of
the OHS module mod_osso which provides a database access
descriptor (DAD) that is stored as metadata configuration
information in the Oracle 10gAS infrastructure database. SSO
interfaces with OC4J (Oracle Container for Java) and OHS (Oracle
HTTP Server or Oracle's implementation of Apache 1.3) to provide
the mechanism for single user and password access to Portal and
other Oracle 10g Application Server applications.
Single Sign On Concepts
Single Sign On (SSO) Server provides the mechanism
for users to logon to Oracle Portal and Oracle Application
Server applications by using a single username and password
which is stored in the user's browser via a SSO cookie that has
been authenticated against the SSO server. The components of
Single Sign On (SSO) for Oracle 10gAS are the mod_osso module
based in the OHS (Oracle HTTP Server) which is Oracle's version
of the popular Apache 1.3 web server as well as metadata in the
Oracle 10gAS infrastructure database.
How to Configure Single Sign On
Server (SSO) for Oracle 10g Application Server
Our examples will user Oracle 10gAS (10.1.2.0.2) release on
Linux (OEL 5.3) platform.
Single Sign On Server provides many customization options
for both partner and external applications. Partner applications
are authenticated directly from within Oracle 10gAS while
external applications have their own username and password
authentication which are registered to the SSO server. Portal is
a partner application for example.
Next, lets examine how to
configure SSO Server settings for Oracle 10gAS. This
allows us to change settings for Single Sign On session duration
as well as an additional session
policy setting that requires
us to verify IP addresses for requests made to the SSO server.
For managing applications with Single Sign On (SSO)
Server, we can access the link to Partner and External
Applications.For example, if we wish to
modify configuration for exiting Portal applications, we can
select the edit Partner application.
We have a plethora of configuration options for our
Portal based applications for Oracle 10g Application Server with
SSO.We can configure our URL settings as well as login
timeframe details as well as application administrator account
information. Now let's examine how to add and manage external
applications with Single Sign On Server (SSO) for Oracle 10gAS.
Of particular interest to us is the login URL, username and
password field name as well as the next subheading for
Authentication Method for SSO with the external application. We
have a few options here: POST, GET or BASIC AUTHENTICATION.
Let's offer a brief explanation of these three methods below.
-POST allows data to
be posted to the Single Sign On (SSO) server and submits login
credentials within the body of the application form.
GET presents the page
request to the server and submits the login credentials in the
application part of the URL
submits the login credentials within the application's
protected by HTTP basic authentication.
How to Access SSO Server from
During installation for a
midtier application server instance with Portal, Oracle
automatically adds Portal as one of the new partner applications
for SSO. We can access SSO server from Portal. Of note is to choose the second main section that shows Edit
SSO Server Administration.
Single Sign On is simple to
configure and administer. It is easier to manage and setup than
the far more complex items within Oracle Identity Manage such
as OID and SSL which require far more steps. To monitor SSO
server components from the operating system, we can use the OPMN
(Oracle Process Monitor and Notification) facility. The command
to obtain a status check for all of the Oracle 10gAS components
is to run opmnctl status
as shown in the following example.
Here we want to make sure that OC4J_SECURITY, OID,
OC4J_Portal, and OID are in Alive status or SSO Server will not
function correctly. We will provide future discussions on Oracle
Fusion Middleware topics for Troubleshooting Oracle 10gAS,
Webcache, Performance tuning and additional topics on Identity
Management as well as coverage of the newest member of the
Oracle Application Server family: Weblogic.