Discussion on Blog: Single Sign On with External ID implemented in Ruby

Hello,
please use this Topic to discuss questions regarding the Blog <a href="/people/gregor.wolf3/blog/2006/09/30/single-sign-on-with-external-id-implemented-in-ruby">Single Sign On with External ID implemented in Ruby</a>.
Regards
Gregor

Hi Gregor:
As per your request, I am reposting my question in this forum..
Your excellent blog Single Sign on with External ID Implemented in Ruby shows how you can generate a sso cookie with the external ID mapping with the X.509 certficate.
In my scenario, the user has already logged into R/3 via SAPGUI (so no need for SNC here) and run an iView on the Portal - if I map an external ID in the table  VUSREXTID (type NT)  for each of my users then can I call the rfc SUSR_CHECK_LOGON_DATA by passing Auth_method = E and Auth_data = External ID and will this rfc return a SSO cookie?
Thanks
Venkat

Similar Messages

  • How to pass credentials/saml token access sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication

    How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication 
    Identity provider here is Oracle identity provider 
    harika kakkireni

    Hi,
    The following materials for your reference:
    Consuming List.asmx on a claims based sharepoint site
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
    Sharepoint Claims based authentication and Single Sign on
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
    Sharepoint Claim Based Authentication Web Service issuehttp://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
    Best Regards
    Dennis Guo
    TechNet Community Support

  • How to integrate single sign on with third party system

    we are in the process of implementing istore application. we already have home grown isupport application to contact support personnal for any issues. Now we are wondering how do we integrate oracle applications single sign on with our third pary system. Is there any recommendation provided by oracle to achieve the same.

    We too are in the process of implementing iStore with SSO features.
    And if you believe me it seems to me as nightmare.
    In our scenerio we are intgrating this SSO with Third party access control too (AD and Siteminder). I would request you to please respond me on the following mail id , so we can share our experince which will help us in our implementation
    [email protected]
    regards and thanks in advance
    Vikas Deep

  • Setting up BusinessObjects Enterprise 3.1 for Single Sign On with Xcelsius

    Hi all
    Does anyone have any documentation and/or whitepapers that documents the setting up BusinessObjects Enterprise 3.1 for Single Sign On with Xcelsius Dashboards (xcelsius accessing BusinessObjects universe data through QAAWS and Live Office..
    Thank you for your help.
    Kind regards,
    Dean

    Based on the replies in this thread I'm guessing that there is someone out there that has gotten SSO to work with Xcelsius? If so could you please post the details of how that was achieved?
    When we purchased Xcelsius we were under the impression that it supported SSO but have never been able to get it to work and finally had SAP tell us that Xcelsius did not support SSO.
    Our understanding is that in order to bypass a login for Xcelsius you have to use QaaWS as the datasource and hardcode an enterprise id and password.
    LiveOffice supports SSO but not when it's used as a datasource within Xcelsius.

  • How enabled Single Sign-On with a System SAP WAS ABAP (Run application BSP)

    Hi.
    I need to run any application BSP from a System SAP WAS ABAP, without entering SAP user and password. Using the windows authentication and without SAP Enterprise Portal.
    What authentication methods I have to apply for enabled Single Sign-On with a System SAP WAS ABAP?.
    And How can I enabled this method?.
    Best regards.
    Luis Gomez.

    Hi Ticiano,
    SAP WebAS ABAP supports a number of authenticaiton mechanisms. See
    [http://help.sap.com/saphelp_nw04s/helpdata/en/02/d4d53aa8a9324de10000000a114084/frameset.htm]
    A number of these authentication mechanisms can be combined with Windows authentication (e.g. SNC, client certificates, ...).
    The decision what mechanism fits best depends on critieria like
    - SAP server platform
    - security requirements
    - extensibility (should same authentication mechanism be used for future SAP environments, which will be E-SOA based)
    - authentication from outside company domain
    - Use of SAP security library (SAPcryptolib)
    You may want to look at the SAP Software Solution Partner Catalog, if you look for certified SSO solution vendors for SAP.
    Best regards,
    Peter

  • How to single sign on with  webApplication with Basic Authenticated in IIS

    Dear Sir,
    Our server is EP6 SP14, we will link iview with BW URL which using basic authen in IIS. . Please kindly advise howto single sign on with  webApplication with Basic Authenticated in IIS
    Thank you and best regards,
    Vimol

    Are you sure the BW is using IIS? Most recent versions are using ABAP style authentication. What version are you running?
    You may want to investigate IISProxy - it's no longer supported, but it might help you out. It basically takes an SSO cookie and allows IIS to "know" who the user is.
    Cheers

  • Integrate Single Sign-On with Oracle E-Business Suite Release 12.

    Hi
    How to integrate oracle Single Sign-On with Oracle E-Business Suite Release 12 , give links and ideas about this ,
    Thanks
    Edited by: user12235518 on Feb 19, 2012 10:10 PM

    How to integrate Single Sign-On with Oracle E-Business Suite Release 12 , give links and ideas about this ,Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR1 (11.1.1.5) using Oracle E-Business Suite AccessGate [ID 1309013.1]
    Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On 10gR3 (10.1.4.3) [ID 376811.1]
    Troubleshooting Oracle Application Server 10g SSO and OID with Oracle E-Business Suite Release 12 [ID 380487.1]
    Thanks,
    Hussein

  • Single Sign-On and External Applications Portlet

    I would like to know how complicated would be to call an External Application with SSO (like Hotmail), outside the External Applications Portlet.
    We have defined around 10 external applications with SSO,they worked fine.
    but due to look&feel issues, we would like to put them in a content area , like items that when the user clicks, takes them to the external application and performs the single sign-on.
    Any advice will be appreciated.
    tks!!

    Maria, I was experimenting with this last night, to answer your question, and I think a cool way of doing this would be the following:
    Create a custom attribute called "App ID" - make this a NUMBER type. This is where the external application id will be stored.
    Create a custom item type: "External Application"
    You have two options for the base type: either "URL" or "<None>". If you pick URL, then you can have the item contain the URL for fapp_process_login, but this is not advisable because it will require the administrator to type in this long URL every time a new application is added.
    If you select base type URL, you should use that URL to let the administrator provide a URL to the application's homepage, or a help page or something of that sort.
    Edit the newly created item to set the Attribute and Procedure properties.
    Add the "App ID" attribute - no default.
    On the Procedure tab, add the following procedures (called as HTTP), each with the App ID passed as "p_app_id":
    Login http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.fapp_process_login
    Edit http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.edit_fappuser
    That's it!
    Add the new custom item type to a folder, and all the administrator needs to do is set the title, and App ID for the new item.
    Excercise for the Reader
    You will notice that clicking on the Edit link will take you to the login server when you are done editing the credentials. To avoid this, pass another parameter to the edit procedure - p_done_url, and set a value for that to point to the page that you want to go to after editing credentials.

  • Single Sign-on and external applications

    Hi,
    Someone might be able to point me in the right direction about this.
    I have registered each of my applications as external applications within Oracle Portal in order to avail of single sign-on.
    This is fine to a point, but registering applications in this way still requires the user to enter a username and password once in order to login to the application the first time they use it, even though they have already logged into the Portal. As long as the user doesn't log out of the application they can close their browser and when they come back to the application they are still logged in.
    None of the applications I use are oracle partner applications.
    My problem is that I want to avoid the user having to log in to the application the first time they use it.
    Ideally they should login to Portal once and then any subsequent applications they access, they are automatically logged into them without having to enter a username and password.
    Is there a way to do this or will I have to write a custom login for each application to circumnavigate this first time using the application login issue ?
    Are there any docs that someone could point me at.
    Many thanks,

    Maria, I was experimenting with this last night, to answer your question, and I think a cool way of doing this would be the following:
    Create a custom attribute called "App ID" - make this a NUMBER type. This is where the external application id will be stored.
    Create a custom item type: "External Application"
    You have two options for the base type: either "URL" or "<None>". If you pick URL, then you can have the item contain the URL for fapp_process_login, but this is not advisable because it will require the administrator to type in this long URL every time a new application is added.
    If you select base type URL, you should use that URL to let the administrator provide a URL to the application's homepage, or a help page or something of that sort.
    Edit the newly created item to set the Attribute and Procedure properties.
    Add the "App ID" attribute - no default.
    On the Procedure tab, add the following procedures (called as HTTP), each with the App ID passed as "p_app_id":
    Login http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.fapp_process_login
    Edit http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.edit_fappuser
    That's it!
    Add the new custom item type to a folder, and all the administrator needs to do is set the title, and App ID for the new item.
    Excercise for the Reader
    You will notice that clicking on the Edit link will take you to the login server when you are done editing the credentials. To avoid this, pass another parameter to the edit procedure - p_done_url, and set a value for that to point to the page that you want to go to after editing credentials.

  • ADFS single sign-on with office 365 and multiple forests

    I have 2 forests with one of them (Forest A) only running Exchange / Office 365 in hybrid mode. The other forest (Forest B) has my AD accounts for everyday user login and work. Is there a way to set up ADFS between these 2 forests in order for Forest B
    to achieve single sign-on to office 365? Today users have to login with separate office 365 accounts in order to access email and sharepoint. Short of migrating Forest A into Forest B and getting down to one forest / domain, is there anything else we can do
    to achieve single sign-on?

    Hi,
    Based on my research, we can have one ADFS farm servicing multiple forests, here are some related articles below for your references:
    Multi-forest and Multi-tenant scenarios with Office 365
    http://blogs.technet.com/b/educloud/archive/2013/08/02/multi-forest-and-multi-tenant-scenarios-with-office-365.aspx
    Hybrid Deployment Prerequisites
    http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
    SupportMultipleDomain switch, when managing SSO to Office 365
    http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx
    For more information about Office 365, I suggest you refer to Office 365 community below:
    http://community.office365.com/en-us/f/default.aspx
    Best Regards,
    Amy

  • Single Sign-on with Multiple Servlets and JSPs

    I am in the midst of attempting to logically tie together a number of our
              web applications under a single sign-on "umbrella". What we want is the
              following: for any n applications a user may have access rights for up to n
              of them. Once signed in, she has rights to visit any app to which she has
              permissions as long as her session is valid. Unfortunately, I'm having
              trouble seeing how to make this work given the documentation that I have.
              I've read thru the newsgroup in search of a solution, but I haven't seen
              anything geared toward this specific approach.
              Currently, each "application" (servlet) has a list of valid users via ACLs
              (we've implemented a RealmExtender, so we're not going via props file
              entries), and we let the browser pop-up window enforce the sign-on. This
              has worked exactly as we wish (single sign-on, etc.), for testing, but we'd
              really rather have our own form-based sign-on for production.
              To that end, we've done the following:
              1) implemented a JSP form-based sign-on (basically ripped off from the
              example provided by BEA), which does a "ServletAuthentication.weak()" check
              to confirm identity.
              2) placed the following code (essentially) within the service() method of
              our servlet superclass, which I thought would force another check. My
              intention is to disallow the user from "jumping into" an app thru a
              shortcut, and thereby bypassing security.
              HttpSession session = request.getSession(true);
              if (session.isNew()) {
              response.sendRedirect(welcomeURL);
              However, we can't get the form-based approach to mimic the functionality of
              the default browser pop-up: the sign-in doesn't seem to "follow" the user
              the way it did with the pop-up. Instead, when I come in thru our login
              page, the browser pop-up is still appearing when I click the link for an
              app for which to which I have permissions.
              Is the default browser pop-up doing something different that I should know
              about? Seems like this should be simple to do, but it's surprisingly subtle
              (or maybe I'm just clueless).
              TIA
              

    Well, if you want to hear my personal opinion:
    better stick to the cookie specification (http://wp.netscape.com/newsref/std/cookie_spec.html) and accept the constraint that cookies will only be send to domains that tail-match the domain-constraint specified in the set-cookie http response.
    Although this specification is not an official internet standard most browsers are implementing the cookie mechanism according to this specification.
    Unfortenately there's no option to specify that a cookie should be send to a list of servers and/or sub-domains.
    However one physical server can have multiple (FQDN) hostnames. So if you intend to send the cookie to a group of servers the best approach is to create a new (DNS) (sub-)domain exclusively for those servers.
    Theoretically (and also practically) it is possible to set cookies for multiple domains (by using a webservice that will set cookies on request of a caller). But that approach is dangerous:
    (1) not the server but the http client is defining the content of the cookie (= part of the http server response)
    (2) (unintended) many servers can obtain the cookie which will be send to all servers that reside in all (tail-matching sub-)domains; although most likely only one or two servers of each domain are intended recipients
    Regards, Wolfgang

  • Ask the Experts: Single Sign-On with Cisco WebEx Meetings Server, Internet Reverse Proxy, and Enterprise License Manager Solutions

    With Arun Kumar
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
    SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
    IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
    Example question topics include:
    SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
    Basic configuration of IdPs
    Interaction between IdPs and Cisco WMS
    Difference between the cloud client implementation and Cisco WMS
    Meeting access behavior in a split-horizon network topology with SSO
    How to enable public access to Cisco WMS
    Cisco WMS ELM operations
    Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/inoperability between them
    Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
    Remember to use the rating system to let Arun know if you have received an adequate response.
    Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Mobile Service,
    CWMS and Jabber integrations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
    In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
    then move to section: Add Cisco WebEx Meetings Server to a Profile
    Once done, move to section: Specify Conferencing Credentials in the Client side. You will see above server already listed there, just go ahead and enter your username and password (pleae make sure this user already exists on your CWMS) and accept any certificate/s if presented. Jabber Integration is done and you can start testing the same.
    Attached CWMS - AFDS integration doc.
    Please let me know if any furhter question.
    Thanks, Arun

  • Discoverer Single sign on with other applications

    Hello,
    I am using Oracle Discoverer 10g (will be using the Discoverer Plus) as a reporting tool and had some doubts around SSO, Application Server and Oracle Internet Directory.
    We have a .NET based front end application and we want to establish a Single Sign On between this and the Discoverer, so that when a user moves from the front end to Discoverer he doesnt have to go through the authentication process again. Has anybody implemented this before.. Any help will be greatly appreciated.
    Any help will be really valuable
    Thanks and regards,
    Sumit

    Hi
    No it does not mean that. It means that in order to use SSO and Discoverer you have to authenticate using the username and passwords as stored in the OID in the Infrastructure database.
    You can set up links from Portal to third party applications but not vice versa if that other application has its own authentication mechanism.
    Does this help?
    Best wishes
    Michael Armstrong-Smith
    URL: http://learndiscoverer.com
    Blog: http://learndiscoverer.blogspot.com

  • NTLM and Single Sign On with WebLogic 8.1

    Hi guys,
    I've only been using WebLogic for about 3 weeks now, I have developed a small web app using servlets and need to add "single sign-on" functionality to it. One of my colleagues advised me to use NTLM, but he doesnt have any experience in implementing it with WebLogic.
    Could anyone send me some instructions or directions? Sample code maybe? I dont have much experience with security.
    Thanks guys,
    Tommy

    Hi Tommy,
    I used to work for a security company that built an off-the-shelf product that did NTLM SSO (along with SPNEGO), so I feel that I can give you a little bit of advice here. If you want a quick solution, buy it from Quest. The product is called Vintela SSO. If you want to actual build this your self however, I have given a rough guide of how to start.
    Essentially, you will need to develop new Identity Assertion and Authentication provider MBeans. There are guides on how to do this in the WebLogic SSPI documentation.
    http://edocs.bea.com/wls/docs81/dvspisec/index.html
    The Authentication provider should be pretty trivial (just making mappings from autheticated users to roles), but the Identity Assertion provider is a whole other kettle of fish. You will need to do some serious reading on NTLM:
    http://davenport.sourceforge.net/ntlm.html#whatIsNtlm
    You will also need to pickup a copy of an NTLMSSP java library. You can get one called jCIFS from http://jcifs.samba.org/
    Your identity assertion provider needs to parse the NTLM credential from the WWWAuthenticate line in a HTTP Request from IE. You then need to validate the token using JCIFs. You then use JAAS to create a JAAS Login Principal that is passed to the new Authentication Provider which will match the authenticate user against groups. Then you slip to the normal SSPI role-mapping process from there.
    Once you have created the new providers, you need to wrap them in JMX MBeans so that WebLogic can use them.
    This is all going to be quite a big job to implement.

  • Problem Using Single Sign on with Deployed Applications

    I have deployed some appliciations to a standalone OC4J. I am using Identity Management for authentication and it works unless I check the Single Sign on box here:
    OC4J
    Administration ->
    Security Provider->
    Enable SSO Authentication
    I receive this error:
    499 Oracle SSO
    Oracle SSO
    (all my products are version 10.1.1.3)
    I guess I should run ssoreg and osso1013. I can't find the latter.
    I appreciate any comment.
    Regards,
    Farbod

    Dear John,
    from my point of view, we have to seperate the problem in two parts:
    1.) The automatic logon to the struts application via SSO.
    2.) The session sharing via some J2EE mechanism.
    For the SSO (1.) You have to logged on to the portal - with a cookie on the clientside. This cookie can be used for SSO by Your Struts application as long as You share the same session (same browserinstance). This is not difficult examples are available.
    The sessionsharing between a J2EE aap - Struts and an iView is an intersting point. I hope I can get some time to try this out. One trick which is not too clever is to store the session data serialized in a database and privide the sessionid in the url which calls the iView or Struts. Sessionsharing between iViews is no problem as long as You use the HTTPSession.
    Walter

Maybe you are looking for