Single Sign-On and Data Visibility Rights

Similar Messages

• Single Sign on and Protect URL step

  Hi,
  I have successfully installed Oracle Internet Directory, Identity Server, Web Pass, Policy manager, Access Server and WebGate (attached to Oracle HTTP Server from Oracle Management Infrastructure).
  My questions are:
  - How do I protect URL so the user will need to login to access certain URL?
  - How do I enable single sign on and test it?
  - What are the general steps involve to enable URL protection (so if the url is protected it will prompt for username and password) and single sign on using Oracle Internet Directory?
  Kindly help me if anyone know a solution or can point me to the right documentation. I have tried to read Oracle Access Manager - Access Administration Guide, but keep getting confused.
  Thanks.
  Regards,
  Alfonso

  Hi,
  You can follow Oracle Access Manager Integration Guide (10.1.4.0.1) B25347-01, chapter 4, to achieve this. This document will answer most of your questions.
  Regards,

• Starting single sign-on and directory service

  i am trying to install oracle 9i infrastructure on my clean win2000 box with 2.4 GHz proc and 1GB RAM.
  i am getting falilure messages for the following:
  infrastructure instance configuration assistant: failed
  oracle 9i application server randomize password: failed
  single sign on configuration assistant: failed
  infrastructure mod-osso configuration assistant: failed
  OPMN configuration assistant: failed
  log file says:
  Configuration failed for IAS
  IAS Instance creation failed
  Configuration failed for JAZN
  JAZN configuration failed: unable to establish a directory context.
  Configuration succeeded for IASProperty
  Configuration failed for IAS
  Configuration failed for JAZN
  after which single sign-on and directory service dont start. which means no connectivity :(
  can somebody please guide me about how to avoid this failure in installation or how to manually start these after installation.
  it would be a great help
  ashish

  Hi,
  we're having exactly the same problem.
  Could you tell me what the problem is with the network ?
  You say configure it properly but what do you mean ?
  It's installed on a Windows 2000 Server machine, it's own DNS.
  Thanks,
  Yuri Arts

• Oracle Single Sign on and Oracle Internet Directory

  Hello Gurus,
  What is the relationship between Oracle Single Sign on and Oracle Internet Directory.
  To my understanding, OID is required to install SSO.
  If OID already exist, can we just install SSO and go on integrating it to existing OID.
  Great Thanks,
  vimal jain.
  [email protected]

  Hi Tim,
  I've been working on this and could reproduce the issue with anonymous binds. A fix will be ready in 4.2.1.
  So what I really need is the password used for login to pass to the is_member call.The P101_PASSWORD item does not save state. However, you can access the value during submit processing of the login page, for example in the post authentication function of your authentication scheme. People sometimes put code in there to query the user's groups (e.g. with apex_ldap.member_of2) and save them in an application. This item value can then be used in the authorization schemes.
  Regards,
  Christian

• Single Sign-On and session information

  I have an Oracle Portal application with many Java Web Applications. I wish to
  provide Single Sign-On to this applications. I know how to configure Single
  Sign-On and how to get the user login in Java. I want to store session
  information such as: User First and Last Name, User Social Security Number. I
  want to get this information from the database after authentication, store it
  in session and then access this information from all my applications.

  Are you familiarized with sys_context function?
  Hope this is useful help.
  BR,
  Marcos

• How can i connect iphone to itunes.. i want to restore because my finger mistakes that click Reset all content and setting.. so iphone are empty.. all foto and data lost, right.. how can i use my iphone again..

  how can i connect iphone to itunes.. i want to restore because my finger mistakes that click Reset all content and setting.. so iphone are empty.. all foto and data lost, right.. how can i use my iphone again.

  Yes, try to restore your iPhone from iTunes or iCloud backup.
  iOS: How to back up and restore your content
  http://support.apple.com/kb/HT1766
  Tell us the result if you will try.
  <Link Edited By Host>

• Single Sign-on and PORTAL30 DAD

  What I've done:
  1) Setup up PORTAL30 DAD with Single Sign-on
  2) Created schema called JOHN with "hello world" procedure call TEST
  3) Grant execute on TEST to PORTAL30
  4) Goto http://<servername>/pls/portal30/john.test
  5) Receive "Procedure Doesn't Exist" error
  6) Change DAD from single sign-on to Basic authentication
  7) Repeat Step 4 with no problems

  Hi Derick,
  I want to make our discussion into 2 parts
  1) Sign on
  2) Viewing data based on the Heirarchy
  1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
  2) We can make the second point possible in two ways One is with providing restriction at universe level
  and the other one is through the use of flash variables.
  Using flash variables:
  The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
  I hope this is what you ar looking for....
  If so i have more points to acheive such scenario.
  Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
  Regards,
  AnjaniKumar C.A.

• Single Sign on and Macintosh

  Hello,
  we realized single sign on on our mac machines. It runs great. Now i want to combine it with our SAP logon groups. There's an error that he cannot find the KDC. Where's the problem? Is it nit possible to combine groups with using snc?
  We set the followign connection string:
  SAP Prod: conn=/M/sapmachine.firma.de/S/1234/G/example_group&sncon=true&sncname=p:[email protected]&sncqop=9

  Hi Derick,
  I want to make our discussion into 2 parts
  1) Sign on
  2) Viewing data based on the Heirarchy
  1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
  2) We can make the second point possible in two ways One is with providing restriction at universe level
  and the other one is through the use of flash variables.
  Using flash variables:
  The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
  I hope this is what you ar looking for....
  If so i have more points to acheive such scenario.
  Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
  Regards,
  AnjaniKumar C.A.

• Single Sign-On and VPDs

  Hi - we're trying to implement a VPD on our company database at the moment and were wondering if a single sign-on architecture on our middle tier could be successfully tied to a VPD on the database tier. We have a number of clients, both internal and external, who will be accessing the database via the web and we need to control who sees what. Could you advise on the feasibility of this approach? Thanks

  Hi Derick,
  I want to make our discussion into 2 parts
  1) Sign on
  2) Viewing data based on the Heirarchy
  1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
  2) We can make the second point possible in two ways One is with providing restriction at universe level
  and the other one is through the use of flash variables.
  Using flash variables:
  The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
  I hope this is what you ar looking for....
  If so i have more points to acheive such scenario.
  Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
  Regards,
  AnjaniKumar C.A.

• Single Sign-on and SSL problems

  We are using WebLogic Portal and Server (version 8.1 SP3). We want to have a single sign-on when entering the portal, so that users do not need to reauthenticate each time they access an application via an applet in the portal. We also want to protect the username/password authentication and all other connection information using SSL. We have applications in multiple domains.
  When not using SSL, SSO works okay. We are challenged for username/password exactly once, whether we access the Portal, or an application directly. As soon as we enable SSL, we are challenged repeatedly, and in some cases cannot access the applications at all, as the challenge always fails.
  We suspect that there is a Session cookie problem and that something is clobering the cookie and thus breaking the session. Does anyone have any idea on what might be causing the problem?

  Hi Derick,
  I want to make our discussion into 2 parts
  1) Sign on
  2) Viewing data based on the Heirarchy
  1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
  2) We can make the second point possible in two ways One is with providing restriction at universe level
  and the other one is through the use of flash variables.
  Using flash variables:
  The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
  I hope this is what you ar looking for....
  If so i have more points to acheive such scenario.
  Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
  Regards,
  AnjaniKumar C.A.

• Single Sign On and user security with IS

  We have installed Information Steward 4.1 SP1 Patch 1 with Data Services 4.1 SP1 Patch 2 on Information Platform Services 4.0 SP 5 patch 6.  The Information Steward system is installed on it's own server.  We are connecting IS to our SAP Netweaver 7.3 system. 
  I have set up Single Sign On using Windows AD authentication.  The connection to the SAP system uses a service account. 
  Because the SAP system has our payroll information on it, we want to restrict Information Steward users based on their SAP security profiles.  We don't want to have to maintain security settings in both SAP and Information Steward. 
  Does anyone know if there's a way to set up Single Sign On so it passes the user credentials from SAP to Information Steward?  Then restrict the users on Information Steward based on their SAP security settings?
  Any advice would be appreciated!

  Hi,
  You can use Windows AD or SAP Authentication and configure it with SSO. However this should be done in the BI/IPS plaftorm and not IS. See the BI admin guide (http://help.sap.com/bobip40) section "Authentication options in BI platform". Please let me know if that's what you wanted.
  thanks

• Single Sign-On and Context Propogation

  I would like to implement single sign-on to my Web Container and have
  the LoginContext propogated to the EJB Container.
  Can anyone point me to resources / documentation on this topic?
  thanks,
  tom~

  How did you solve this ? Can you point to me the right resource ?
  Thanx
  [email protected] (Thomas Hunt) wrote:
  I would like to implement single sign-on to my Web Container and have
  the LoginContext propogated to the EJB Container.
  Can anyone point me to resources / documentation on this topic?
  thanks,
  tom~

• Single sign-on and custom DBLoginModule

  Hi,
  I need help in making sso work. I have Application Server version 10.1.3.1.0, I've developed application in JDeveloper 10.1.3.3. that uses form based login and when deployed to server I can normally login/logout. Now I want to enable single sign on, so I've changed security provider of javasso to the one I'm using in my application (oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule) and started javasso, added my application to participating applications, and restarted the instance.
  When I try to access my application, login page of javasso is shown but I cannot login, always get incorrect username/password. The strange thing is that logs are empty, so i guess that dblogin module is never fired.
  Also I've changed my login method so it supports identity callback, like described in here .
  This Re: Custom Login Module and JavaSSO said that orion-application.xml of my application and javasso should be the same, I haven't figured out what should I do with javasso orion-application.xml and how sould it look like.
  this is orion-application.xml of my application
  <?xml version = '1.0' encoding = 'windows-1250'?>
  <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
  <library path="./adf"></library>
  <jazn location="./jazn-data.xml" provider="XML"/>
      <data-sources path="./data-sources.xml"/>
  <jazn-loginconfig>
       <application>
            <name>secure-web-app</name>
            <login-modules>
                 <login-module>
                      <class>oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule</class>
                      <control-flag>required</control-flag>
                      <options>
                           <option>
                                <name>data_source_name</name>
                                <value>jdbc/WMSPortalDS</value>
                           </option>
                           <option>
                                <name>debug</name>
                                <value>true</value>
                           </option>
                           <option>
                                <name>plsql_procedure</name>
                                <value>PK_SECURITY.GET_USER_AUTHENTICATION</value>
                           </option>
                           <option>
                                <name>log_level</name>
                                <value>ALL</value>
                           </option>
                      </options>
                 </login-module>
            </login-modules>
       </application>
  </jazn-loginconfig>        
  </orion-application>this is orion-application.xml of javasso
  <?xml version = '1.0' encoding = 'utf-8'?>
  <orion-application
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"
      schema-major-version="10"
      schema-minor-version="0"
      component-classification="internal">
  <security-role-mapping name="{{PUBLIC}}">
      <group name="{{PUBLIC}}" />
  </security-role-mapping>
  <jazn provider="XML">
  </jazn>
  </orion-application>Please help, this is very urgent to me, all advices and guide lines are more than welcome.
  Thanks in advance,
  Tomislav.

  To be clear maybe someone will help.
  I have a cluster topology, with one application server and 3 oc4j instances.
  I've done following steps and without success, on my test instance:
  1. Deployed application with custom DBLogin (I'm using: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule)
  2. Sucessfully login / logout -> so I guess DBLogin is working fine
  3. Stopped the java sso application
  4. Changed the javasso Security Provider to my custom DBLogin with following parameters:
  class: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule
  data_source_name - jdbc/WMSPortalDS
  log_level - ALL
  plsql_procedure - PK_SECURITY.GET_USER_AUTHENTICATION
  debug - true
  5. Added Connection Pool and Data Source in javasso Administration -> JDBC -> tested connections and it was sucessful
  6. Started javasso application
  7. Then I went to Java SSO Configuration -> Participating applications -> checked my application
  8. Restarted instance
  9. Try to login -> invalid username / password
  In enerprise manager Log files -> javasso -> there are only messages regarding starting and stopping application
  Questions:
  1. orion-application.xml for javasso -> what exactly needs to be specified inside, currently I have following:
  <?xml version="1.0"?>
  <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" component-classification="internal"
    schema-major-version="10" schema-minor-version="0" >
          <web-module id="javasso-web" path="javasso-web.war" />
          <security-role-mapping name="{{PUBLIC}}">
                  <group name="{{PUBLIC}}" />
          </security-role-mapping>
          <persistence path="persistence" />
          <jazn provider="XML">
                  <property name="custom.loginmodule.provider" value="true" />
                  <property name="role.mapping.dynamic" value="true" />
          </jazn>
          <log>
                  <file path="application.log" />
          </log>
          <data-sources path="./data-sources.xml" />
  </orion-application>2. orion-application.xml for my application
  <?xml version="1.0"?>
  <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" see-parent-data-sources="false" component-classification="external"
    schema-major-version="10" schema-minor-version="0" >
          <web-module id="Portal" path="Portal.war" />
          <persistence path="persistence" />
          <library path="./adf" />
          <jazn provider="XML" location="jazn-data.xml" default-realm="jazn.com" >
                  <property name="custom.loginmodule.provider" value="true" />
                  <property name="role.mapping.dynamic" value="true" />
                  <jazn-web-app auth-method="CUSTOM_AUTH" />
          </jazn>
          <log>
                  <file path="application.log" />
          </log>
          <data-sources path="./data-sources.xml" />
  </orion-application>3. How to get any information into logs, I cannot find out what I'm doing wrong since there's no output in logs for javasso and my application.
  Please help, I'm really stuck and I have to resolve this as soon as possible.
  Thanks in advance,
  Tomislav.

• Single Sign-on and external applications

  Hi,
  Someone might be able to point me in the right direction about this.
  I have registered each of my applications as external applications within Oracle Portal in order to avail of single sign-on.
  This is fine to a point, but registering applications in this way still requires the user to enter a username and password once in order to login to the application the first time they use it, even though they have already logged into the Portal. As long as the user doesn't log out of the application they can close their browser and when they come back to the application they are still logged in.
  None of the applications I use are oracle partner applications.
  My problem is that I want to avoid the user having to log in to the application the first time they use it.
  Ideally they should login to Portal once and then any subsequent applications they access, they are automatically logged into them without having to enter a username and password.
  Is there a way to do this or will I have to write a custom login for each application to circumnavigate this first time using the application login issue ?
  Are there any docs that someone could point me at.
  Many thanks,

  Maria, I was experimenting with this last night, to answer your question, and I think a cool way of doing this would be the following:
  Create a custom attribute called "App ID" - make this a NUMBER type. This is where the external application id will be stored.
  Create a custom item type: "External Application"
  You have two options for the base type: either "URL" or "<None>". If you pick URL, then you can have the item contain the URL for fapp_process_login, but this is not advisable because it will require the administrator to type in this long URL every time a new application is added.
  If you select base type URL, you should use that URL to let the administrator provide a URL to the application's homepage, or a help page or something of that sort.
  Edit the newly created item to set the Attribute and Procedure properties.
  Add the "App ID" attribute - no default.
  On the Procedure tab, add the following procedures (called as HTTP), each with the App ID passed as "p_app_id":
  Login http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.fapp_process_login
  Edit http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.edit_fappuser
  That's it!
  Add the new custom item type to a folder, and all the administrator needs to do is set the title, and App ID for the new item.
  Excercise for the Reader
  You will notice that clicking on the Edit link will take you to the login server when you are done editing the credentials. To avoid this, pass another parameter to the edit procedure - p_done_url, and set a value for that to point to the page that you want to go to after editing credentials.

• OBIEE 11G with Single Sign-On and Active Directory

  Hi guys,
  Release Version: Oracle Business Intelligence 11.1.1.5.0
  Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
  OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
  We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
  Our krb5login.conf:
  com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  We generate de keytab file:
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
  Password for [email protected]:XXXXXXX
  Done!
  Service key for [email protected] is saved in cgdkobi2.keytab
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
  New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
  Key tab: cgdkobi2.keytab, 1 entry found.
  [1] Service principal: [email protected]
  KVNO: 1
  Time stamp: Mar 15, 2013 10:34
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
  Current LogonId is 0:0x406163f5
  Cached Tickets: (0)
  We re-start the services and logon into analytics web and SSO doesn't work but there's not an error. It runs successfully with and Active Directoy user and password. Seems like SSO wasn't enabled, but I checked is enabled.
  Any suggestion?
  Thanks in advanced

  Follow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
  Also check your logs for error like the one below:
  [2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43113] Message returned from OBIS.
  [nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
  If you are getting this when you login to OBIEE :      You are not currently signed in to Oracle BI Server"
  then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
  Let us know the updates. Hope this helps. Mark if it does.!
  Thanks,
  SVS