Second htmldb as partner application in sso

Hello ,
I have 2 databases (say A and B) running each their own htmldb instance.
I have 1 sso server where already 1 htmldb partner application is defined of DB A.
Now i want to define the second instance of the htmldb on DB B also as partner application on my sso server.
In the installation guide, i read the following for value of app_name when running regapp.sql
'You must use HTML_DB as the app_name', but i already have one defined of DB A. Can I use another name or should i use the same name ? Or is it impossible to define 2 htmldb partner applications on 1 SSO.
Grtz,
Chris.

When defining my app_name with the regapp.sql, i have used
HTML_DB_TEST:servername:443 as listener_token.
As i already have a HTML_DB:servername:443.
I also used HTML_DB_TEST in the definition of the partner application.
Now I'm getting : Expecting p_company or wwv_flow_company cookie to contain security group id of application owner. when trying to run my application.
Could this be related, and if so, how can i define a second htmldb application as a partner application in sso ?
Chris.

Similar Messages

HTMLDB as Partner Application to TWO OID instances - Authentication Schemes

For reasons I won't go into here, we have TWO Oracle OID/SSO instances running - independently.
I am interested in having HTMLDB / APEX applications capable of authenticate against either one. (one at a time, but on the same engine installation)
We have done the PARTNER APPLICATION registration which works well against one of the OID instances. Records have been entered into the WWSEC_ENABLER_CONFIG_INFO$ table and everything works as expected.
What option do I have to register the HTMLDB engine with a SECOND OID/SSO as a partner application and then allow the developers the ability to choose which authentication scheme applies?
What I have observed is that the package given (custom_auth_sso) has built in
g_partner_app_name varchar2(2000) := 'HTML_DB';
Is it possible to duplicate that type of functionality, or is there something deeper ingrained into the engine that I do not understand?
Regards,
Tim

Scott,
I am working under a model similar to your case number two.
Application 1 uses OID A
Application 2 uses OID B
I am going under the assumption that if there were two records in the config_info$ table, that I would need some type of ability to inform the WWV_FLOW_CUSTOM_AUTH_SSO package to switch between them.
I guess what I am missing is the mechanics. I am trying to avoid having to re-write the WWV_FLOW_CUSTOM_AUTH_SSO package by hand. Besides the package body being compiled, I do not know how that authentication scheme is called by HTMLDB/APEX. I have been using the Oracle Application Server Single Sign-On (HTML DB Engine as Partner App) scheme. This leaves most of the Authentication scheme pretty blank with the exception of the Session Not Valid URL ( populated with PORTAL_SSO-) and the logout URL. Magically it works though.
If I had TWO schemes registered in the config_info$, how would I indicate which scheme to use?
Do I have the capability of working with what has already been provided, or am I destined to writing a custom scheme because of the decision which needs to be made?
Many thanks
--Tim

Partner Application in SSO logout does'nt synchronize

Hi All,
I've setup two separate application on different workspace and different server as partner Application. I've follow the instruction from http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
. And everything working fine, but the "logout" seen doesn't work correctly.
Example: I'm login to Application "A" from single sign on homepage, after enter username and password, it direct me to Application "A". After that, i've click on Application "B" which also located on single sign on homepage and direct me to application "B" (that's correct). When I clicked on the "logout" link in Application "A" it work fine, but the other Application (B) doesn't log me out. I can do the normal work on Application "B" even the Application "A" already logout.

Hi Scott,
Thank you for your reply. I've read the two link above and I don't figure out how to resolve my problem yet. From the link: Logout URL for 9iAS SSO Partner App
you said:
Steve - Here's a logout URL that unsets the app's session cookie first, then goes to Single Sign-off, then back to a public page in the app:
https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGECan set the authentication schema logout URL of application "A" something like: unsets app's session cookies first, then goes to Single Sing-off, then goes to Application "B" sign-off, and then back to a public page in the app. That way will be logout the Application "A", logout the Single Sign-On, and logout the Application "B" when i click on the "logout" link from Application "A". Am I correct?
The other question is how can i get the SSO cookie. I've used the owa_cookie.get('cookie_name') function, but it doesn't work for SSO.
Thanks,
Kevin

Register the partner application through SSO Administer Partner Application

When should I use the "Administer Partner Applications" link on the SSO Server Administration page to register the application among the following cases?
1. sign-on SDK integrated application
2. mod_osso integrated application

Were you able to resolve the issue???
Can you pls try Rerunning ssodatan/x with the correct data. The ssodatan script is located in the directory ORACLE_HOME/portal30/admin/plsql/ssodatan.
Refer following link for more info on SSODATAN , SSODATAX and DIAGNOSTICS scripts in Portal 3.0.x:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=136138.1

BC4J, Auditing, Partner Application and SSO

I am trying to figure out how to set up a BC4J-JSP app to use "database audit trail in entity objects" within a Portal/SSO environment.
Here is the situation;
Part 1:
I am able to partially get the auditing to work on a BC4J App Module in the tester by setting the appropriate history columns in the Entity Object and then setting the jbo.security.enforce property to "Test". Upon entering the tester I am challenged for a "username/password". At this point I can enter any credentials, I can then enter some data. Visually checking the database I find that the history "date" columns (date_created) are ok but the "user" columns (created_by) are not filled in.
Part 2:
Now if I set jbo.security.enforce property to "Test". I am not sure what user credential to enter here. I have looked at OID Manager for some clues for what username/password but I'm not sure if this is even in the ballpark.
Part 3:
At some point I will deploy this app as an SSO/Partner Application which will be accessed from a Portal page. Since authentication is handled by the SSO login page, I am confused about setting up the "database audit trail in entity objects" (from Part 1) as it talks about creating * another * login page. This seems contradictory so Long postings are being truncated to ~1 kB at this time.

Part 1:
When setting jbo.security.enforce property to "Test", BC4J does not throw exception if credential is invalid. You should set it to "Must" if you really want to validate the credential. The "Test" setting does perform the authentication, a warning stating authentication fail is in the diagnostic output if the username/password is invalid. The "Test" setting is just to exercise the authentication but if it fail it does not stop the rest of the application. The "user" column (created_by) does not get fill could be cause by failed authentication or if the column is marked as Refresh on Update or Refresh on Insert, or if the client app insert null or zero length string into it.
Part 2:
BC4J default authentication uses the LoginModule from Oracle9iAS JAAS (in j2ee\home\jazn.jar). This LoginModule by default configure to use the lightweight jazn-xml. You can check this by looking "<jazn provider=..." in the j2ee\home\config\jazn.xml. If you are interested in using OID, you need to change it to <jazn provider="LDAP" location="ldap://myoid.us.oracle.com:389" />, "myoid.us.oracle.com:389" should be host address and port of your OID. There are a few predefined users in the lightweight jazn-xml if you wish to test it, there are admin/Long postings are being truncated to ~1 kB at this time.

Registering a partner application with SSO SDK

Good day
Since 2 days, I am struggling for the issue of registering a Servlet application as a partner
application using the SSO Login Server.
As per the suggested note id 182701.1 in metalink , I implement the following steps :
- Step A : Create the partner Application Schemas (Succesful & the name of the shemas is : ssopartner)
- Step B : Load Packages for the partner application (Successful)
- Step C : Obtain the registration information (Successful)
- Step D : Run the regapp.sql (successful but they forgot to mention that I should load the
SSOHash.class )
- Step E : Compile and Run
I deploy the application under 9iAS in order to test it.
I add the ssosdk307.jar the the jserv.properties file.
I invoke the SSOPartnerServlet java program by entering :
http://name of the webserver/servlet/SSOPartnerServlet
I got the message "redirecting to the login server" and I got the
login page of the SSO Server.
Once I submit the user/password , I got HTTP 400: Page cannot be
displayed.
I check the mod_jserv.log file and find out the following message :
[08/04/2002 13:54:16:949] (ERROR) ajp12: Servlet Error: POST is not
supported by this URL
Could you please advise
Your prompt feedback is highly appreciated
regards

I believe that this is not possible as the mod_osso realizes that the URL is below an URL that you want to protect.
The only way I see that you can do this is the following modification in the mod_osso.conf:
<Location /myApp/secure_partA>
AuthType basic
Require valid-user
</Location>
<Location /myApp/secure_partB>
AuthType basic
Require valid-user
</Location>
<Location /myApp/secure_partX>
AuthType basic
Require valid-user
</Location>
So your application /myApp/subApp will not be effected and people can just access this part. However you will have more administration in your mod_osso.conf
cu
Andreas

SSO userid for a partner application

Hi,
We have one application deployed on WebLogic Application Server this is registred as Partner application over SSO server.
On application side we have installed Oracle HTTP Server as webserver and configured mod_osso.
Now when user attempt to access any secured page SSO askes for the authentication. And on successful login user landed back to application page configured while creating Partner application.
After login we need userid of user who logged in on sso server. I have tried following and getting null.
Remote User: <%=request.getRemoteUser() %>,
     Proxy-Remote-User: <%=request.getHeader("Proxy-Remote-User") %>
     Osso-User-Dn: <%=request.getHeader("Osso-User-Dn") %>
     Osso-User-Guid: <%=request.getHeader("Osso-User-Guid") %>
     Osso-Subscriber: <%=request.getHeader("Osso-Subscriber") %>
     Osso-Subscriber-Dn: <%=request.getHeader("Osso-Subscriber-Dn") %>
     Osso-Subscriber-Guid: <%=request.getHeader("Osso-Subscriber-Guid") %>
     Accept-Language: <%=request.getHeader("Accept-Language") %>
output:
Remote User: null,
Proxy-Remote-User: null
Osso-User-Dn: null
Osso-User-Guid: null
Osso-Subscriber: null
Osso-Subscriber-Dn: null
Osso-Subscriber-Guid: null
Accept-Language: en-us,en;q=0.5
Is any one there knows, what exactly i should do?
Thanks & Regards,
Kevin Chheda

So the user has successfully authenticated and can access protected areas of the application?
Have you tried using Http headers to see values/attribute names?
Can you try this:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body>
<%@ page import = "java.util.*" %>
<h1>Headers received:</h1>
Remote user header is: <% out.println(request.getRemoteUser()); %>
<p>
<table>
<%
Enumeration headerNames = request.getHeaderNames();
while(headerNames.hasMoreElements()) {
String headerName = (String)headerNames.nextElement();
out.println("<tr><td>" + headerName);
out.println(" <td>" + request.getHeader(headerName));
%>
</table>
</body></html>

Partner application and web clipping.

Hi All,
I am trying to add an external application (say my.yahoo.com) to a webclipping and its throwing the below error in the application log.
WC-517 : SSL handshake failed with the url ...
I have checked the file ca-bundle.crt and the certificates are in place. Does anybody know how to go about debugging this problem as I am quite new to portals and at my wits end to solve it.
Also I would be greatful if anybody can suggest me the steps on adding an Apex application configured as partner application with SSO authentication to a web clipping.There seems to be little or no-documentation at all in this regard(as far as my search goes).
Thanks in advance
-Venkat

I finally got it working by VERY CAREFULLY reading the instructions in the install.txt document in the SSO SDK package. You have to set up the partner application with a new schema in the login server database, and run the regapp.sql script AFTER editing it to insert data from the Login Server Partner Application admin screen. After you register the partner app in Portal, it gives you some info (site token, listener token, encryption key, etc). You have to MANUALLY copy these and paste them into the regapp.sql script, then run the script in the partner app schema. Make sure you don't confuse capital I with numeral 1 (like I did, since Oracle so nicely uses a non-serif font where you can not tell the difference).
Also make sure you copy the exact values for these parameters into your code when you use the SSOEnabler class. The listener token was very confusing since different documents appear to disagree on whether it should include the partner app name or not. It does require the partner app name:
app-name:hostname:port
hostname and port are for the web server that is handling http requests for the login server (usually your main portal web server).
John H.

Register external application as partner application on OSSO

Hi All,
I am using OracleAS Single Sign-On. I want to integrate Stellent Universal Content Management(UCM) with OracleAS Single Sign-On.
Can someone please let me know how to achieve this?
Also I would like to know, how can I register external application as a partner application in OracleAS Single Sign-on?
Thanks & Regards,
Yash Shah

Hi,
Thanks for your quick response. I have gone through the document which you suggested. the document says to register through sooreg.sh script. I would like to register partner application using SSO Administration UI.
When I log in to OSSO server, I have a option of registering the partner application, there in UI I have to specify, Home URL, Success URL and Logout URL.
For me, my sso server and my application server resides on the different servers (systems). Please let me know which URLs I shoudl specify to register my partner application using UI.
I mean, I want to know what should I specify in Home URL, Success URL and Logout URL
Thanks & Regards,
Yash Shah

HTMLDB -SSO- Partner application

Hi,
I have installed a database 10g/HTMLDB 1.5 and iAS 10g on two different boxes.
Refered & successfully completed the steps from
http://www.oracle.com/technology/products/database/htmldb/howtos/sso_partner_app.html
to Configure an HTML DB Application as a Partner Application in Oracle AS Single Sign-On
(TWICE From the Scratch)
But, Getting error like
"Error Error in portal_sso_redirect: missing application registration information:
p_partner_app_name:g_listener_token:HTML_DB:indl097ba.idc.oracle.com:7777
Please register this application as described in the installation guide."
Please let me know what would be wrong in doing this.
Feel free to ask for any further specific details or parameter values.
As its @ customer's site, need to know the resolution very urgently.
Thanks in advance.
Regards,
Nagadeep.

Hi Scott,
I am doing it from scratch now.
Details are like this:
C:\SSO_SDK\ssosdk307_032101\packages\oracle\security\sso>path
PATH=D:\oracle\product\10.1.0\Db_1\BIN;D:\OraHomeOWB\bin;D:\OraHomeOWB\jre\1.4.2
\bin\client;D:\OraHomeOWB\jre\1.4.2\bin;D:\oracle\product\10.1.0\Htmldb\bin;D:\o
racle\product\10.1.0\Htmldb\jre\1.1.8\bin;D:\oracle\product\10.1.0\Htmldb\jre\1.
4.2\bin\client;D:\oracle\product\10.1.0\Htmldb\jre\1.4.2\bin;D:\oracle\product\1
0.1.0\Db_1\bin;D:\oracle\product\10.1.0\Db_1\jre\1.4.2\bin\client;D:\oracle\prod
uct\10.1.0\Db_1\jre\1.4.2\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;
C:\Program Files\Symantec\pcAnywhere\
C:\SSO_SDK\ssosdk307_032101\packages\oracle\security\sso>loadjava -user FLOWS_01
0500/welcome1@orcl SSOHash.class
C:\SSO_SDK\ssosdk307_032101\packages\oracle\security\sso>
@ the Database Schema:
SQL*Plus: Release 10.1.0.2.0 - Production on Wed May 18 20:49:33 2005
Copyright (c) 1982, 2004, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> conn flows_010500/welcome1
Connected.
SQL> @C:\SSO_SDK\ssosdk307_032101\packages\loadsdk.sql
Package created.
No errors.
Package body created.
No errors.
Type created.
Table created.
Sequence created.
Sequence created.
Table created.
No errors.
Procedure created.
No errors.
Package created.
No errors.
Package body created.
No errors.
Package created.
No errors.
Package created.
No errors.
Package body created.
No errors.
Package body created.
No errors.
Package created.
No errors.
Package body created.
No errors.
SQL>
Now, at the iAS10g registering HTMLDB application as a partner application.
Let me know whether I have to create any DAD to specify in HOME URL?
Regards,
Nagadeep.

SSO to partner application running under IIS

Hi,
We have a complete set-up for 9iAS Release2 where some applications are running. In parallell we have an application running under IIS, and would now like to enable the IIS application as a partner application to 9iAS letting the 9iAS SSO server handle the authentication.
In the documentation of Oracle Proxy Plug-in I read that this proxy plug-in can be used to proxy requests from IIS to Oracle http server (OHS) and also in this way enable SSO.
My question is if this can be done only for applications running under 9iAS but having IIS as web server, or if it is also possible like in our case to enable SSO via the proxy plug-in to applications runnind under IIS?
If this is not supported is the only available solution to use the SSO SDK in my IIS application?
Thanks and regards,
Rikard

Here's a DIY answer.
See Metalink Note 269820.1 which shows you how to use Perl to overwrite the host name in the HTTP header and remove the port number.

HOW TO SET UP PARTNER APPLICATION TO USE SSO OUTSIDE OF PORTAL

If anyone knows how Portal switches context to run as the db user mapped to the lightweight schema and how it knows the db schema password please let me know.
Should you have any queries please do not hesitate to contact me on 07775 896738.
From document Oracle Portal Security Overview on PortalStudio.oracle.com:
In Single Sign On mode (EnableSSO=Yes in the DAD), mod_plsql determines the name of the light-weight user and mapped database schema by calling
WPG_SESSION_PRIVATE.GET_LW_USER and WPG_SESSION_PRIVATE.GET_DB_USER respectively.
** These calls are done using the Portal Schema (PORTAL30) and Portal schema password **
mod_plsql then executes the procedure in the requested URL by using the N-Tier Authentication feature to connect to the database as the user returned from
WPG_SESSION_PRIVATE.GET_DB_USER. ..... Note that N-Tier Authentication requires all schemas to be used for Portal user mappings to be granted 'connect
through' privleges to the Portal schema (PORTAL30).
The WWCTX packages are also used.
So this is how it works with standard Portal
- the document states that the WPG_SESSION_PRIVATE package is only accessible to the Portal schema
- but I checked and it is also available to PORTAL30_SSO
SQL> desc WPG_SESSION_PRIVATE
PROCEDURE CREATE_SESSION
Argument Name Type In/Out Default?
P_COOKIE_NAME VARCHAR2 IN
FUNCTION GET_DB_USER RETURNS VARCHAR2
FUNCTION GET_LW_USER RETURNS VARCHAR2
PROCEDURE GET_SESSION_INFO
Argument Name Type In/Out Default?
NUM_PARAMS NUMBER OUT
PARAM_NAMES TABLE OF VARCHAR2(32000) OUT
PARAM_VALUES TABLE OF VARCHAR2(32000) OUT
PROCEDURE RESET_SESSION
Argument Name Type In/Out Default?
P_COOKIE_NAME VARCHAR2 IN
In my case only the Login Server (PORTAL30_SSO) is going to be used/installed
- the SAMPLE_SSO_PAPP application will only work if the DAD used to access is it set to use Basic authentication, i.e. the actual integration with the Login Server
is done in the sample application code calls, stored in the database
- when a DAD has enableSSO=yes it automatically accesses Portal (PORTAL30) packages to implement N-Tier authentication
I'm currently testing:
1. Configuring the SAMPLE_SSO_PAPP sample as documented with a DAD with Basic authentication
2. Amending the ssoapp procedure to set context to another (db) user on successful authentication:
wwctx_api.set_context (
p_user_name => 'SCOTT',
p_password => 'TIGER' );
3. If this works then set_context with get_lw_user instead
I have now amended the ssoapp procedure as follows to print out
1. The userid entered when the login box is presented
2. The Database user which the Portal Lightweight user is mapped to
3. The Lightweight user Portal has used for authentication
Amendments to papp.pkb:
(ssoapp procedure, declare db_user_info and lw_user_info as VARCHAR2 in declare section)
htp.p('Congratulations! It is working!<br>');
db_user_info := wwctx_api.get_db_user;
lw_user_info := wwctx_api.get_user;
htp.p('User Information:' || l_user_info || '<br>');
htp.p('DB User Information:' || db_user_info || '<br>');
htp.p('LW User Information:' || lw_user_info || '<br>');
The following shows the interesting results from my testing:
- if the user owning the sample_sso_papp package is PORTAL30_SSO then the call to wwctx_api.get_db_user succeeds
- if the user owning the sample_sso_papp package is a non-portal schema e.g. SSOAPP below the call to wwctx_api.get_db_user generates a User Defined exception
Steps to test:
Created new schema SSOAPP on the database
- edited it in Portal and checked the use this schema for Portal users checkbox
- created new Lightweight user SSO_LW in Portal, mapped it to SSOAPP schema
- created new Lightweight user SSO_SCOTT in Portal, mapped to SCOTT schema
- loadjava -user ssoapp/ssoapp@portal30 SSOHash.class
- sqlplus portal30/portal30@portal30
@provsyns ssoapp
- sqlplus ssoapp/ssoapp@portal30
@loadsdk.sql
@loadpapp.sql
Created DAD with basic authentication SAMPLE_SSO_PAPP
- username: ssoapp
- default home page: sample_sso_papp.ssoapp
Registered the Sample SSO Partner Application with the Login Server and ran regapp.sql
Commented out the calls to get_db_user in papp.pkb to avoid exception
- called http://<server>/pls/sample_sso_papp
- logged on as SSO_LW/sso_lw
- got output:
Congratulations! It is working!
User Information: SSO_LW
LW User Information: PUBLIC
So the Portal lightweight user is not returned as SSO_LW
if anyone knows why the Lightweight User in my test is returned as PUBLIC not SSO_LW
Best Regards
MIchael

http://support.mozilla.com/en-US/kb/Changing+the+e-mail+program+used+by+Firefox

SSO for partner applications

Hi All,
I have installed 10g AS Release 2 on a system. I also have Application Express(formerly HTML DB) installed on the same system. I registered one of the HTML DB applications as partner applications and have put SSO authentication for it.
When I try to login the AS looks at the OID installed on the system(which I gave during installation). I want it to look at the Oracle gmldap.oraclecorp.com server OID so that only Oracle employees login.
Can anybody tell me how to change the OID and what are the entries to be give to configure it to gmldap.oraclecorp.com server??
Thanks,
Swaroop

See Task 3 in the Section 9.4 of the Oracle Application Server Administrator's Guide:
http://download-west.oracle.com/docs/cd/B14099_17/core.1012/b13995/chginfra.htm#i1014978
See the following for information about what to specify on each page.
http://download-west.oracle.com/docs/cd/B14099_17/core.1012/b13995/reconfig.htm#i1013341

SSO requires double login for partner application

I'm having some trouble with SSO partner applications, when I login to a SSO protected application, the login works fine, but when I try to navigate to another application I'm presented with the login page again, the sso cookie seems to be working since clicking on the login button without entering the user credentials works. For example, I log in to portal and from there I navigate to a forms application that is on the same server and the same port (portal: https://apps.mydomain.com:4444/pls/portal --> forms: https://apps.mydomain.com/forms/frmservlet?config=app) I am presented with the login page and after clicking on the login button without entering any information everything works fine. This is happening for all the middle tiers that are connected to the same OID. Any ideas on what can be wrong on my configuration?

Hi Andrey,
The problem sounds really wierd.
Can you check your SSO settings for your Portal ECC system? I mean, please check the User Management/Administration properties in your System Adminstration of Portal System that points to ECC.
Regards
<i><b>Raja Sekhar</b></i>

Sso session timeout per partner application

Hello,
I was just wondering if it is possible to configure SSO session timeouts per partner application? I'm looking to log out users of a particular application after 15 minutes, but don't want this change to affect any of my other SSO enabled applications. Is this possible?
Thanks,

Hi,
I do not think so, you can not specify specail parameter for one application in SSO.
Why because SSO is one component (within your Infra) through which you logon different apps.
Another solution may be it will expensive is that you 'll need to use different infra for this specific application.
Regards,
Hamdy

Second htmldb as partner application in sso

Similar Messages

Maybe you are looking for