Starting single sign-on and directory service

Similar Messages

• Oracle Single Sign on and Oracle Internet Directory

  Hello Gurus,
  What is the relationship between Oracle Single Sign on and Oracle Internet Directory.
  To my understanding, OID is required to install SSO.
  If OID already exist, can we just install SSO and go on integrating it to existing OID.
  Great Thanks,
  vimal jain.
  [email protected]

  Hi Tim,
  I've been working on this and could reproduce the issue with anonymous binds. A fix will be ready in 4.2.1.
  So what I really need is the password used for login to pass to the is_member call.The P101_PASSWORD item does not save state. However, you can access the value during submit processing of the login page, for example in the post authentication function of your authentication scheme. People sometimes put code in there to query the user's groups (e.g. with apex_ldap.member_of2) and save them in an application. This item value can then be used in the authorization schemes.
  Regards,
  Christian

• Single Sign on and Protect URL step

  Hi,
  I have successfully installed Oracle Internet Directory, Identity Server, Web Pass, Policy manager, Access Server and WebGate (attached to Oracle HTTP Server from Oracle Management Infrastructure).
  My questions are:
  - How do I protect URL so the user will need to login to access certain URL?
  - How do I enable single sign on and test it?
  - What are the general steps involve to enable URL protection (so if the url is protected it will prompt for username and password) and single sign on using Oracle Internet Directory?
  Kindly help me if anyone know a solution or can point me to the right documentation. I have tried to read Oracle Access Manager - Access Administration Guide, but keep getting confused.
  Thanks.
  Regards,
  Alfonso

  Hi,
  You can follow Oracle Access Manager Integration Guide (10.1.4.0.1) B25347-01, chapter 4, to achieve this. This document will answer most of your questions.
  Regards,

• Single Sign-On and Data Visibility Rights

  Hello,
  I was wondering whether anyone has any best practices for implementing single sign on and user identification with Excelsius.
  More specifically, I need to interrogate user role, and limit certain data visibility based on that role.
  For example, a sales rep may only see certain data for their own territories, but the regional and national managers can see more.
  With the emphasis in improving enterprise integration with the new version coming up, I'm also wondering if there are any improvements included for this aspect.
  Thanks in advance.
  Derick

  Hi Derick,
  I want to make our discussion into 2 parts
  1) Sign on
  2) Viewing data based on the Heirarchy
  1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
  2) We can make the second point possible in two ways One is with providing restriction at universe level
  and the other one is through the use of flash variables.
  Using flash variables:
  The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
  I hope this is what you ar looking for....
  If so i have more points to acheive such scenario.
  Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
  Regards,
  AnjaniKumar C.A.

• Single Sign-On and session information

  I have an Oracle Portal application with many Java Web Applications. I wish to
  provide Single Sign-On to this applications. I know how to configure Single
  Sign-On and how to get the user login in Java. I want to store session
  information such as: User First and Last Name, User Social Security Number. I
  want to get this information from the database after authentication, store it
  in session and then access this information from all my applications.

  Are you familiarized with sys_context function?
  Hope this is useful help.
  BR,
  Marcos

• Unable to start Oracle BI server and Presentation Service

  I am unable to start the Bi Server and presentation service . I start stop, options in service window is coming disabled. Please can any body help on this?

  Hi,
  Please check if you have started the Oracle BI Java host service.
  Check if the OC4j is started.
  Check the event viewer logs. Also check on what account the service is starting.
  Hope this helps ...
  Thanks,
  Anita

• OBIEE 11G with Single Sign-On and Active Directory

  Hi guys,
  Release Version: Oracle Business Intelligence 11.1.1.5.0
  Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
  OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
  We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
  Our krb5login.conf:
  com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  We generate de keytab file:
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
  Password for [email protected]:XXXXXXX
  Done!
  Service key for [email protected] is saved in cgdkobi2.keytab
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
  New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
  Key tab: cgdkobi2.keytab, 1 entry found.
  [1] Service principal: [email protected]
  KVNO: 1
  Time stamp: Mar 15, 2013 10:34
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
  Current LogonId is 0:0x406163f5
  Cached Tickets: (0)
  We re-start the services and logon into analytics web and SSO doesn't work but there's not an error. It runs successfully with and Active Directoy user and password. Seems like SSO wasn't enabled, but I checked is enabled.
  Any suggestion?
  Thanks in advanced

  Follow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
  Also check your logs for error like the one below:
  [2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43113] Message returned from OBIS.
  [nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
  If you are getting this when you login to OBIEE :      You are not currently signed in to Oracle BI Server"
  then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
  Let us know the updates. Hope this helps. Mark if it does.!
  Thanks,
  SVS

• Active Directory, single sign-on and  SRM Users

  We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
  - My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
  - Single sign-on will not  at this point be used for our SAP ECC 6.0 system
  My questions are:
  1. If active directory is being used do we need to create actual users within the SRM system?
  2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
  Many Thanks

  Hi Claire,
  The Single Sign On work only if user exist on every systemes.
  For example :
  If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
  For Active Directory you can synchronize your user table to AD by using LDAP option.
  The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
  Finally use the SSO certificate between Portal ECC and SRM.
  Regards,
  Gilles SEBBAG
  Sap Technical Consultant.

• Single Sign-on and HTTP Server not started

  I have installed oracle9iAS on SuSE Linux Enterprise Server 8 (SLES 8) which is certified by Oracle to run oracle9iAS. Everything was working propely after installation but when I restarted the server, the listener, the iasdb instance, and the EM started properly but when I went to http://servername:1810 and clicked on start all i got them all started but the HTTP Server and the Single Sign-on. When I tried to start the HTTP Server individually i got the following error:
  oracle.sysman.emSDK.util.jdk.EMException: The opmn request has failed. From opmn: HTTP/1.1 204 No Content Content-Length: 0 Content-Type: text/html Response: 0 of 1 processes started. Check opmn log files such as ipm.log and ons.log for detailed.
  I checked the log and its showing the following:
  03/10/25 16:44:23 Connection 0,192.168.10.11,6200 message missing 'Content-Lengt
  h'
  GET /dms0/Spy?recurse=all&format=xml&operation=get&value=false&units=true&descri
  ption=true&name=%2F HTTP/1.1
  Host: linux2.future:6200
  Connection: Keep-Alive, TE
  TE: trailers, deflate, gzip, compress
  User-Agent: RPT-HTTPClient/0.3-3
  Cache-Control: no-cache
  Pragma: no-cache
  Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
  I tried to start it from command line with the command
  $dcmctl start -ct ohs
  and it returned ADMN-906025
  Anyone can help me solving this problem??

  This error Can be caused by a syntax error in your httpd.conf file, check it / correct it try reloading OHS.
  Ensure that emctl is not running when you run any dcmctl commands! If you have already run any dcmctl commands with emctl running that can cause your problem - if so to fix it solution is really to re-install.

• Single sign on and microsoft active directory

  Hi,
  I have EBS 12.1.3 on linux. I know that I can implement single sign on to login to EBS. Now the question is: can I integrate this single sign on with my existing Microsoft Active Directory? Can you send me some links or documentation?

  Self-reply:
  http://blogs.oracle.com/stevenChan/2006/05/indepth_using_thirdparty_ident.html
  Thanks

• Certificates, Keychain and Directory Services

  Starting with 10.4.3 iChat now generates X.509 certificates for all .Mac chat addresses to allow encrypted chats.
  Those certificates can also be used to sign and encrypt all e-mails for your .Mac address in Mail.app. By default both sides need to send each other a signed e-mail to they get the other's certificate onto their keychains before they can exchange encrypted e-mails.
  But Keychain.app allows you to query .Mac for any subscriber's certificate so you get a copy of the public key without the need to exchange messages first. Just turn on
  [x] Search .Mac for Certificates
  in Keychain Access' Preferences. This works just fine, you can even look at all your friends with .Mac addresses in your Address Book to see which ones already have a working certificate.
  Now the second option in Keychain Access
  [x] Search Directory Services for Certificates
  makes me curious: How do I generate and store my own certificates for all my users in Directory Services? I haven't found any documentation on that so far and would really like to use this asap.
  When I can generate all X.509 certificates for my domain and store them in Directory Services this would make life a lot easier.
  So far we used some free CA authority but users tend to forget to renew their certs when the expiration warnings come in and sooner or later half of them can no longer sign or encrypt their e-mail. When I can do the renewal myself and distribute them this way this'll be a big improvement.
  Norbert

  Matthew -
  thanks for your reply. Unfortunately this AFP548 article explains a lot about rolling your own CA, but it does not give any hints how to store the certificate data on the directory.
  Marcel Bresink, author of several excellent books about Mac OS X (Server), gave me the hint that the following keys can be stored in an LDAP domain (information from "man DirectoryServiceAttributes"):
  UserCertificate
  Attribute containing the binary of the user's certificate.
  Usually found in user records. The certificate is data which identifies a user.
  This data is attested to by a known party, and can be independently verified
  by a third party.
  UserSMIMECertificate
  Attribute containing the binary of the user's SMIME certificate.
  Usually found in user records. The certificate is data which identifies a user.
  This data is attested to by a known party, and can be independently verified
  by a third party. SMIME certificates are often used for signed or encrypted emails.
  UserPKCS12Data
  Attribute containing binary data in PKCS #12 format.
  Usually found in user records. The value can contain keys, certificates, and
  other related information and is encrypted with a passphrase.
  Perhaps someone else has already managed to fill those keys so Keychain Access on connected clients can retrieve the Certificates.
  - Norbert

• Authentication between Single Sign-On and Web based applications

  Hi everyone,
  I need to create a way in Portal 10g (10.1.2.0.2) that allow me to do the following:
  Once the user is logged on Portal (against Single Sign-On - SSO) he doesn't need to retype his username/password when he access a web based application throught the portal, in my case, an ASP application (not .NET, just ASP).
  I made a test creating a External Application in SSO and after publishing this portlet (external application) inside portal.
  It worked, BUT I was prompted to inform username/password to log on the aplication.
  So, the user end up entering his password twice.
  Does anybody know a way to acomplish this task?
  The documentation I'm researching is:
  Oracle Application Server Single Sign-On
  Administrator's Guide
  10g Release 2 (10.1.2)
  B14078-02
  Oracle Application Server Single Sign-On
  Security Guide
  10g Release 2 (10.1.2)
  B13999-03
  Thank you very much,
  Diogo Santos.

  have figured out how to secure any HTML, ASP, PHP, CFM, etc. web page again Portal / OID using the PDK toolkit.
  Using AJAX (Asynchronous JavaScript and XML) and one Oracle Stored Procedure just adding a simple Javascript call to any HTML, ASP, PHP, etc. web page can secure it via Oracle SSO (OID). Access to any secured web page will require that it to be linked from an authenticated Portal session or a page opened in an authenticated Portal session.
  This process can be easily modified to add in group security etc. This is just my starting point.
  1) Create a stored procedure
  # Make sure it has access to portal.wwctx_api.is_logged_on
  CREATE OR REPLACE PROCEDURE login_ajax_check (
  display_error IN number default NULL) AS
  BEGIN NULL;
  If portal.wwctx_api.is_logged_on = false then
  htp.prn('DENY');
  ELSE
  htp.prn('ALLOW');
  END IF;
  Exception when others then htp.p('DENY');
  END;
  2) Use this Javascript in any page you wish to secure.
  <-- Begin Paste Here -->
  <script>
  var allowgo=2
  function ajaxCallRemotePage(url)
  if (window.XMLHttpRequest)
  // Non-IE browsers
  req = new XMLHttpRequest();
  req.onreadystatechange = processStateChange;
  req.open("GET", url, false);
  req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
  req.send(null);
  else if (window.ActiveXObject)
  // IE
  req = new ActiveXObject("Msxml2.XMLHTTP");
  req.onreadystatechange = processStateChange;
  req.open("GET", url, false);
  req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
  req.send();
  else
  return; // Navigateur non compatible
  // process the return of the "ajaxCallRemotePage"
  function CheckPortal()
  ajaxCallRemotePage('[Your page calling the procedure from above]');
  function processStateChange()
  if (req.readyState == 4)
  if (req.status == 200)
  if (req.responseText.substring(0,4) == 'ALLO')
  allowgo = 0;
  else
  allowgo = 1;
  function doPage()
  if (allowgo==1)
  window.location='[Your login or error page]';
  CheckPortal();
  doPage();
  </script>
  <-- End Paste Here -->
  That's it!!! Super easy. It works great too.
  Larry Schenavar
  [email protected]

• Single Sign On and user security with IS

  We have installed Information Steward 4.1 SP1 Patch 1 with Data Services 4.1 SP1 Patch 2 on Information Platform Services 4.0 SP 5 patch 6.  The Information Steward system is installed on it's own server.  We are connecting IS to our SAP Netweaver 7.3 system. 
  I have set up Single Sign On using Windows AD authentication.  The connection to the SAP system uses a service account. 
  Because the SAP system has our payroll information on it, we want to restrict Information Steward users based on their SAP security profiles.  We don't want to have to maintain security settings in both SAP and Information Steward. 
  Does anyone know if there's a way to set up Single Sign On so it passes the user credentials from SAP to Information Steward?  Then restrict the users on Information Steward based on their SAP security settings?
  Any advice would be appreciated!

  Hi,
  You can use Windows AD or SAP Authentication and configure it with SSO. However this should be done in the BI/IPS plaftorm and not IS. See the BI admin guide (http://help.sap.com/bobip40) section "Authentication options in BI platform". Please let me know if that's what you wanted.
  thanks

• Single sign-on and different usernames and passwords

  Hello,
  I am building a Portal with WLPS 3.5 and WLS 6.0. I tried to get
  information about the background of single sign-on.
  I understand, that I need a Realm (i.e. LDAP Realm) to authenticate the
  user for the first login to the portal (with username and password).
  Now I would like to integrate my webmail-programm (to get emails from
  Lotus Notes via Internet) as a portlet.
  For my understanding the user has to authorizate to get access to webmail.
  Therefore I create a ACL for webmail and this ACL is assigned to my
  security Realm.
  I would like the portlet to show after login the number of mails for the
  specific user. But where are the username and password for webmail stored
  and how are they received and forwarded?
  I understand that my ACL included all users that have access to webmail
  (i.e. all users). But I only want emails for the specific user.
  Does WLS get all usernames and passwords while the first login? Do I have to
  implement a algorithmen to get the specific username and password for the
  requested resource in my portlet?
  Has anyone solved a similar problem or can tell me where I can get more
  information. I read the WebLogic Security document but I cant find a
  answer to my questions.
  Thanks
  Lydia

  Lydia,
  I'm not an expert in this area, but I can give you a start.
  As for single sign-on, there are different levels. For single sign-on across web-apps,
  the servlet spec requires this (section 12.6 of th 2.3 spec) and therefore Weblogic
  does this.
  What you are talking about is single sign-on across back-end applications through
  a web-app. BEA has partnered with Securant (just acquired by RSA) to provide this
  kind of functionality. Browse to http://www.rsasecurity.com/products/ and look
  at the ClearTrust product. BEA has also partnered with Netegrity (www.netegrity.com)
  with their SiteMinder product. Neither is included in the Weblogic license. I'm
  sure either vendor would be excited to explain how their product will solve your
  problem if you give them a call.
  As for where the username and passwords are stored, that is up to the realm. If
  you are using the default WLPS RDBMSRealm, the username and encrypted password
  are stored in the WLCS_USER table. If you are using LDAPRealm, they are stored
  in your LDAP server.
  Hope this was useful!
  PJL
  [email protected] wrote:
  Hello,
  I am using PersonalizationServer 3.5 and WLS 6.0 SP 2.
  Now I try to unterstand the functionality of Single sign-on when a user
  has different usernames and passwords for different applications.
  Can someone explain where the usernames and passwords for a user are
  stored (all in the LDAP-realm or a RDBMS-realm?) When a user access the
  application how username and passwords are mapped? Or usernames and
  passwords for all applications are the same and will be equalized?
  Precisely I would like to get access to a mail-account for a specific
  user
  (webmail from Lotus Notes).
  Thanks for any help
  Lydia

• Single sign on and TimeMachine?

  I finally sorted out a typo with my AFP server that was interferring with single sign on for clients, only to find that it appears TimeMachine still requires a username and password to do network backups. Is this true, or am I missing something? I was hoping single sign on would solve my user password issues around expiry time, but now I'm starting to fear that's not the case.
  May have to look for an easier to manage agent based solution of some sort. Any suggestions (that aren't Retrospect)?

  bump?