ACE 4710 breaks single sign-on on IE

I haven't run into this before and I can't find anything in the documentation regarding it. (Our 2 4710s were set up prior in a routed configuration, although I personally see no reason for it.) Regardless, we have 2 servers that host 4 websites on them. We built everything on the ACE with a new VIP and matching the HTTP header. If we use Firefox/Chrome, it load balances properly and we are prompted for credentials, as those browsers don't support single sign-on. We enter our credentials and are able to get to the appropriate website on the server.
When we use IE, it fails to open the page.  A sniffer capture shows an authentication failure packet and a reset and that's it.  We built the ACE both as sticky and non-sticky but neither worked properly with IE.
Is there something else in the ACE we need to configure to get SSO to work?  Thanks in advance!
Chris
**NEW CONFIGURATION**
probe icmp PING
  description ICMP echo request probe
  interval 5
  passdetect interval 5
  passdetect count 12
  receive 4
probe tcp TCP-80
  description TCP port 80 probe
  interval 5
  passdetect interval 5
  passdetect count 12
  receive 4
  connection term forced
  open 1
rserver host corp-w-sp-lab01
  ip address 10.250.1.52
  probe PING
  inservice
rserver host corp-w-sp-lab02
  ip address 10.250.1.53
  probe PING
  inservice
serverfarm host sharepoint-test-80
  failaction purge
  predictor leastconns
  probe TCP-80
  rserver corp-w-sp-lab01 80
    inservice
  rserver corp-w-sp-lab02 80
    inservice
class-map match-any sharepoint-test-vip
  2 match virtual-address 10.250.89.10 tcp eq www
class-map type http loadbalance match-any intranet-test
  match http header Host header-value http://intranettest
class-map type http loadbalance match-any dashboards-test
  match http header Host header-value http://dashboardstest
class-map type http loadbalance match-any odpeople-test
  match http header Host header-value http://odpeopletest
class-map type http loadbalance match-any sandbox-test
  match http header Host header-value http://sandbox
policy-map type loadbalance http first-match sharepoint-test-lb
  class intranet-test
      serverfarm sharepoint-test-80
  class dashboards-test
      serverfarm sharepoint-test-80
  class odpeople-test
      serverfarm sharepoint-test-80
  class sandbox-test
      serverfarm sharepoint-test-80
  class class-default
      serverfarm sharepoint-test-80
policy-map multi-match sharepoint-test-80-pol
  class sharepoint-test-vip
    loadbalance vip inservice
    loadbalance policy sharepoint-test-lb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 92
interface vlan 88
  service-policy input sharepoint-test-80-pol
***CONFIGURATION ALREADY ON INTERFACES PRIOR TO NEW CONFIG***
interface vlan 88
  description Client_Connections
  ip address 10.250.88.51 255.255.252.0
  alias 10.250.88.50 255.255.252.0
  peer ip address 10.250.88.52 255.255.252.0
  access-group input Client
  service-policy input remote_mgmt_allow_policy
  service-policy input PM_LB_FRONTEND
  no shutdown
interface vlan 92
  description RealServer_Network
  ip address 10.250.92.51 255.255.252.0
  alias 10.250.92.50 255.255.252.0
  peer ip address 10.250.92.52 255.255.252.0
  nat-pool 1 10.250.93.1 10.250.93.1 netmask 255.255.255.255 pat
  service-policy input remote_mgmt_allow_policy
  no shutdown

Hi Chris,
Try this:
parameter-map type http sample
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue
policy-map multi-match sharepoint-test-80-pol
  class sharepoint-test-vip
    loadbalance vip inservice
    loadbalance policy sharepoint-test-lb
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options sample
    nat dynamic 1 vlan 92
Let me know if you see any difference
Cesar R
ANS Team
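
The parameter-map suggested above raises the HTTP header parse length to 65535 and sets `length-exceed continue`; integrated Windows authentication sends a Negotiate or NTLM token in the `Authorization` header, which can run to several kilobytes. The following Python script is an added example (not from the thread and not Cisco code) that measures the header section of a captured request against a parse limit. The 4096-byte baseline, the helper names and the sample requests are assumptions constructed for illustration.

```python
import base64

# Assumption for illustration: a baseline parse limit to compare against.
ASSUMED_BASELINE_LIMIT = 4096
# Value from "set header-maxparse-length 65535" in the reply above.
RAISED_LIMIT = 65535


def header_section(raw: bytes) -> bytes:
    """Return the request line plus headers, including the terminating blank line."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("no end-of-headers marker; capture is truncated")
    return raw[: end + 4]


def parse_headers(section: bytes):
    """Split a header section into (name, value) pairs, skipping the request line."""
    headers = []
    for line in section.split(b"\r\n")[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        headers.append((name.decode("latin-1").strip(), value.strip()))
    return headers


def analyse(raw: bytes, limit: int) -> dict:
    """Report header size, the auth scheme in use and whether the limit is exceeded."""
    section = header_section(raw)
    headers = parse_headers(section)
    scheme = None
    for name, value in headers:
        if name.lower() == "authorization" and value:
            scheme = value.split(b" ", 1)[0].decode("latin-1")
    largest = max(headers, key=lambda h: len(h[1])) if headers else ("", b"")
    return {
        "header_bytes": len(section),
        "auth_scheme": scheme,
        "largest_header": largest[0],
        "largest_header_bytes": len(largest[1]),
        "exceeds_limit": len(section) > limit,
    }


def build_request(host: str, authorization: str = None) -> bytes:
    """Build a constructed sample request (not taken from a real capture)."""
    lines = ["GET / HTTP/1.1", f"Host: {host}",
             "User-Agent: constructed-sample", "Accept: */*"]
    if authorization:
        lines.append(f"Authorization: {authorization}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Constructed sample 1: a browser that sends no credentials until prompted.
PROMPTED = build_request("intranettest")
# Constructed sample 2: integrated auth with a placeholder 8000-character token
# (zero bytes, base64-encoded; it stands in for a ticket and is not a real one).
PLACEHOLDER_TOKEN = base64.b64encode(bytes(6000)).decode("ascii")
INTEGRATED = build_request("intranettest", "Negotiate " + PLACEHOLDER_TOKEN)

if __name__ == "__main__":
    for label, raw in (("prompted", PROMPTED), ("integrated", INTEGRATED)):
        for limit in (ASSUMED_BASELINE_LIMIT, RAISED_LIMIT):
            print(label, limit, analyse(raw, limit))
```

Feeding it the header bytes of the failing request from the sniffer capture shows whether the request that precedes the reset is larger than the limit in effect.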

Similar Messages

  • Single Sign-on and SSL problems

    We are using WebLogic Portal and Server (version 8.1 SP3). We want to have a single sign-on when entering the portal, so that users do not need to reauthenticate each time they access an application via an applet in the portal. We also want to protect the username/password authentication and all other connection information using SSL. We have applications in multiple domains.
    When not using SSL, SSO works okay. We are challenged for username/password exactly once, whether we access the Portal, or an application directly. As soon as we enable SSL, we are challenged repeatedly, and in some cases cannot access the applications at all, as the challenge always fails.
    We suspect that there is a session cookie problem and that something is clobbering the cookie and thus breaking the session. Does anyone have any idea what might be causing the problem?

    Hi Derick,
    I want to make our discussion into 2 parts
    1) Sign on
    2) Viewing data based on the Hierarchy
    1) Before discussing the sign-on, I want to know which connectivity you are using: Live Office or QaaWS?
    2) We can make the second point possible in two ways. One is by providing a restriction at universe level
    and the other one is through the use of flash variables.
    Using flash variables:
    The main idea of using flash variables is reading the User ID from BO authentication and, based on that, fetching the hierarchy level of that user. Then we use some Excel logic to hide the data from the low-level hierarchy (here we use Dynamic Visibility for components).
    I hope this is what you are looking for....
    If so, I have more points on how to achieve such a scenario.
    Please provide your BO environment details, so that it will be easy to identify the best way to achieve it.
    Regards,
    AnjaniKumar C.A.

  • ACE 4710: Possible to allow a user to clear counters but nothing else?

    Hello all,
    Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc.  We would also like to allow this user to clear the interface error counters as well, but nothing else.  Is this possible?
    Thanks!

    Hello Brandon-
    Network-Monitor only lets you browse outputs; it is not a role that allows a user to make any changes, including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
    i.e.
    ACE# conf t
    ACE(config)# role MyRole
    ACE(config-role)# rule 1 permit modify feature ?
      AAA             AAA related commands
      access-list     ACL related commands
      connection      TCP/UDP related commands
      fault-tolerant  Fault tolerance related commands
      inspect         Appln inspection related commands
      interface       Interface related commands
      loadbalance     Loadbalancing policy and class commands
      pki             PKI related commands
      probe           Health probe related commands
      rserver         Real server related commands
      serverfarm      Serverfarm related commands
      ssl             SSL related commands
      sticky          Sticky related commands
      vip             Virtual server related commands
    You can create a permit or deny rule and, within that, create/debug/modify/monitor each feature separately.
    Domains allow you to create containers for objects.  You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
    Regards,
    Chris Higgins

  • Can't install ACE 4710 license

    Hi,
    I've tried to install the license, but it was not successful. Below are the steps I took to install the license, with the error messages. Please assist.
    CBJ6-LBDMZ2/Admin# copy tftp://10.2.18.66/ACE20090909090659371.lic disk0:
    Enter the destination filename[]? [ACE20090909090659371.lic]
    Trying to connect to tftp server......
    TFTP get operation was successful
    685 bytes copied
    CBJ6-LBDMZ2/Admin# license install disk0:ACE20090909090659371.lic
    Installing license... failed: Can't install this license with the current count

    CBJ6-LBDMZ2/Admin# show licen
    ACE20090727112500202.lic:
    SERVER this_host ANY
    VENDOR cisco
    INCREMENT ACE-AP-01-LIC cisco 1.0 permanent 1 \
            VENDOR_STRING=1 HOSTID=ANY \
            NOTICE="200907271125002021 \
            1211J5CB363" SIGN=F2E3AFA69526
    I think you have a HW appliance (code: ACE-4710-K9) with one a la carte license (ACE-AP-01-LIC).
    You bought a bundle upgrade license, and this is not compatible with your current license (a la carte license).
    To use the  ACE-4710-BUN-UP2= ( 1G Bundle to 2G Bundle Upgrade License) you need to have a bundle product like the
    ACE-4710-1F-K9.
    Check this:
    Table 1     ACE Licensing Bundles

    | License Model | Description | Upgrade Path |
    |---|---|---|
    | ACE-4710-0.5F-K9 | This license bundle includes the following items: ACE 4710 appliance; 0.5-Gbps throughput license (ACE-AP-500M-LIC); 100-Mbps compression license (ACE-AP-C-100-LIC); 100 SSL transactions per second (TPS) license (ACE-AP-SSL-100-K9); 5 virtual contexts license (ACE-AP-VIRT-5); Application acceleration license (50 connections) (ACE-AP-OPT-50-K9) | You have the option to upgrade to the 1-Gbps, 2-Gbps, or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP1=. |
    | ACE-4710-1F-K9 | This license bundle includes the following items: ACE 4710 appliance; 1-Gbps throughput license (ACE-AP-01-LIC); 500-Mbps compression license (ACE-AP-C-500-LIC); 5000 SSL TPS license (ACE-AP-SSL-05K-K9); 5 virtual contexts license (ACE-AP-VIRT-5); Application acceleration license (50 connections) (ACE-AP-OPT-50-K9) | You have the option to upgrade to the 2-Gbps or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP2=. |
    | ACE-4710-BAS-2PAK | This license bundle includes the following items: Two ACE 4710 appliances; 1-Gbps throughput license (ACE-AP-01-LIC). ACE-4710-BAS-2PAK also includes the following default options: 1000 SSL TPS; 100-Mbps compression; 5 virtual contexts; Application acceleration (50 connections) | You have the option to upgrade to the 2-Gbps or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP2=. Two upgrade licenses are required for upgrading two units of the ACE-4710-BAS-2PAK bundle. |
    | ACE-4710-2F-K9 | This license bundle includes the following items: ACE 4710 appliance; 2-Gbps throughput license (ACE-AP-02-LIC); 1-Gbps compression license (ACE-AP-C-1000-LIC); 7500 SSL TPS license (ACE-AP-SSL-07K-K9); 5 virtual contexts license (ACE-AP-VIRT-5); Application acceleration license (50 connections) (ACE-AP-OPT-50-K9) | You have the option to upgrade to the 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP3=. |
    | ACE-4710-4F-K9 | This license bundle includes the following items: ACE 4710 appliance; 4-Gbps throughput license (ACE-AP-04-LIC); 2-Gbps compression license (ACE-AP-C-2000-LIC); 7500 SSL TPS license (ACE-AP-SSL-07K-K9); 5 virtual contexts license (ACE-AP-VIRT-5); Application acceleration license (50 connections) (ACE-AP-OPT-50-K9) | This is the highest value bundle. |
    | ACE-4710-BUN-UP1 | 0.5 to 1-Gbps throughput bundle upgrade license | See the Upgrade Path outlined above. |
    | ACE-4710-BUN-UP2 | 1 to 2-Gbps throughput bundle upgrade license | See the Upgrade Path outlined above. |
    | ACE-4710-BUN-UP3 | 2 to 4-Gbps throughput bundle upgrade license | See the Upgrade Path outlined above. |

    Table 2     ACE Licensing Options

    | Feature | License Model | Description |
    |---|---|---|
    | Performance Throughput | Default | 1-Gbps throughput. |
    | Performance Throughput | ACE-AP-500M-LIC | 0.5-Gbps throughput. |
    | Performance Throughput | ACE-AP-01-LIC | 1-Gbps throughput. |
    | Performance Throughput | ACE-AP-02-LIC | 2-Gbps throughput. |
    | Performance Throughput | ACE-AP-04-LIC | 4-Gbps throughput. |
    | Performance Throughput | ACE-AP-02-UP1 | Upgrade from 1-Gbps to 2-Gbps throughput. |
    | Performance Throughput | ACE-AP-04-UP1 | Upgrade from 1-Gbps to 4-Gbps throughput. |
    | Performance Throughput | ACE-AP-04-UP2 | Upgrade from 2-Gbps to 4-Gbps throughput. |
    | Virtualization | Default | 1 admin/5 user contexts. |
    | Virtualization | ACE-AP-VIRT-020 | 1 admin/20 user contexts. |
    | SSL | Default | 100 TPS. |
    | SSL | ACE-AP-SSL-05K-K9 | 5000 TPS. |
    | SSL | ACE-AP-SSL-07K-K9 | 7500 TPS. |
    | SSL | ACE-AP-SSL-UP1-K9 | Upgrade from 5000 TPS to 7500 TPS. |
    | HTTP Compression | Default | 100-Mbps. |
    | HTTP Compression | ACE-AP-C-500-LIC | 500-Mbps. |
    | HTTP Compression | ACE-AP-C-1000-LIC | 1-Gbps. |
    | HTTP Compression | ACE-AP-C-2000-LIC | 2-Gbps. |
    | HTTP Compression | ACE-AP-C-UP1 | Upgrade from 500-Mbps to 1 Gbps. |
    | HTTP Compression | ACE-AP-C-UP2 | Upgrade from 500-Mbps to 2 Gbps. |
    | HTTP Compression | ACE-AP-C-UP3 | Upgrade from 1 Gbps to 2 Gbps. |
    | Application Acceleration Feature Pack License | ACE-AP-OPT-LIC-K9 | Application acceleration and optimization. By default, the ACE performs up to 50 concurrent connections. With the application acceleration and optimization software feature pack installed, the ACE can provide greater than 50 concurrent connections. This license increases the operating capabilities of the following features: Delta optimization; Adaptive dynamic caching; FlashForward; Dynamic Etag |

    ACE-AP-02-LIC=
    Upgrade Performance License 2 Gbps Spare

  • Implement Single Sign-On

    Hi
    What is the best way of implementing a single sign on in a clustered web based client server solution.
    Thanks,
    AA

    I am looking for a seamless login to applications using windows credentials. So ESSO which is like a password vault is not a desired solution. ESSO saves the user id/ password to applications and retrieves them whenever the application needs login. The login information saved by ESSO Logon Manager is protected by windows login credentials.
    I have tried to implement Windows Native Authentication as described in http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
    It apparently requires the policy.properties to be modified to set MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOKerbeAuth. But the current applications require that it be set to 'SSOOblixAuth', i.e
    MediumSecurity_AuthPlugin = SSOOblixAuth. Changing it to SSOKerbeAuth will break the applications on the server. Is there a work around?

  • ACE 4710 using SAML Tokens

    reposted from another forum:
    Am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenticating against Tivoli directory.
    The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and fails when comparing to the digest in the Xml Signature block.
    Is anybody else using SAML tokens?
    Has anyone else seen a similar problem?

    You are right we are using transport encryption (SSL) to protect the WSS Password.
    We then use LDAP to authenticate the username/password and create a SAML token using attributes from LDAP. The ACE Xml Gateway creates this SAML token, signs it and inserts into the SOAP header that is forwarded to our service.
    At our service we are trying to verify the signed SAML token. The error we are seeing is the Xml signature digest created by the ACE XML Gateway is wrong.
    With XML signature some Xml referenced by an ID is canonicalised, hashed (digest created) and then this digest is encrypted using the private key of some certificate.
    On receipt we repeat the process, canonicalise and hash the Xml referenced and compare our computed digest to the one created by the ACE device. This is where we get the error. We are using the standard canonicalisation and hashing algorithms (c14n and SHA1 respectively). Our code can successfully verify SAML tokens from other sources.
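
The digest check described in the post above (canonicalise the referenced XML, hash it, compare with the signed digest) can be reproduced offline to see which changes made by an intermediary survive canonicalisation and which do not. This Python script is an added example, not code from the thread or from the ACE XML Gateway: it uses the standard library's C14N 2.0 canonicaliser as a stand-in for the c14n algorithm the post mentions, with SHA-1 as in the post, and the assertion content and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+

# Constructed sample assertion (not a real token).
ORIGINAL = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '<saml:Conditions/>'
    '</saml:Assertion>'
)

# Same content, different serialisation: attribute order, quote style,
# extra space inside the start tag, explicit empty-element end tag.
REORDERED = (
    "<saml:Assertion  Version='2.0' IssueInstant='2024-01-01T00:00:00Z' "
    "ID='_a1' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' >"
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
    "<saml:Conditions></saml:Conditions>"
    "</saml:Assertion>"
)

# Pretty-printing adds whitespace text nodes, which canonicalisation keeps.
PRETTY = ORIGINAL.replace("><", ">\n  <")
# Renaming the namespace prefix changes the canonical bytes by default.
PREFIX_RENAMED = ORIGINAL.replace("xmlns:saml=", "xmlns:s=").replace("saml:", "s:")
# A changed subject must never verify.
TAMPERED = ORIGINAL.replace("alice", "admin")


def canonical(xml_text: str) -> str:
    """Canonical form of a standalone XML fragment."""
    return canonicalize(xml_text)


def digest_value(xml_text: str) -> str:
    """Base64 SHA-1 over the canonical bytes, the shape of an XML-DSig DigestValue."""
    raw = hashlib.sha1(canonical(xml_text).encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def verify(received_xml: str, signed_digest: str) -> bool:
    """Recompute the digest on receipt and compare in constant time."""
    return hmac.compare_digest(digest_value(received_xml), signed_digest)


def first_difference(sent_xml: str, received_xml: str, context: int = 20):
    """Locate the first canonical-form mismatch, or None if the forms are identical."""
    a, b = canonical(sent_xml), canonical(received_xml)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            lo = max(0, i - context)
            return i, a[lo:i + context], b[lo:i + context]
    if len(a) != len(b):
        i = min(len(a), len(b))
        return i, a[i:i + context], b[i:i + context]
    return None


if __name__ == "__main__":
    signed = digest_value(ORIGINAL)
    for label, doc in (("reordered", REORDERED), ("pretty", PRETTY),
                       ("prefix renamed", PREFIX_RENAMED), ("tampered", TAMPERED)):
        print(f"{label:15} verifies={verify(doc, signed)} "
              f"diff={first_difference(ORIGINAL, doc)}")
```

Running `first_difference` on the XML as signed and the XML as received points at the first byte where the two canonical forms diverge, which is usually quicker than comparing digests.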

  • Partner application single sign-on and Oc4j

    hello,
    I'm trying to test portal's partner application single sign-on, following the examples inside the "Oracle9 iAS Single Sign-On Application Developers Guide":
    With Tomcat as jsp engine everything works fine, but with Oc4j when I try to enter the protected jsp page i have this exception:
    oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved
         at SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java:153)
         at SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java:57)
         at /protetta.jsp._jspService(/protetta.jsp.java:37) (JSP page line 4)
    Any suggestion?
    Thanks in advance.

    I get the same problem with my partner application. It runs fine on JServer but I get the following problem on oc4j:
    oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved     
    at oracle.br.aerochain.sso.SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java, Compiled Code)     
    at oracle.br.aerochain.sso.SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java, Compiled Code)     
    at /jsp/papp.jsp._jspService(/jsp/papp.jsp.java, Compiled Code)     
    at com.orionserver[Oracle9iAS (9.0.2.0.0) Containers for J2EE].http.OrionHttpJspPage.service(OrionHttpJspPage.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.serviceJSP(HttpApplication.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.JSPServlet.service(JSPServlet.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java, Compiled Code)     
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java, Compiled Code)
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.run(HttpRequestHandler.java, Compiled Code)
    at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java, Compiled Code)
    Did anyone get a solution for this?
    TIA

  • Configuring JCo3 Connection Pool with single sign on on non SAP Java server

    Hi Everyone,
    i have configured a connection pool on JBoss as per JCo3 Documentation and is working great.
    Now I need help to configure this connection pool with single sign on so that RFc on SAP ECC systems are executed using end users credential rather than using single user name password used to configure JCo connection pool.
    On SAP Java stack I am sure its possible within Java WebDynpro    and i assume using JCA resource adapter. But what if we don't want to use SAP Java App server.
    Any help will be appreciated.
    Thanks,
    Divyakumar Jain

    Eason, hello!
    I have exactly the same problem.  Did you find a solution to this problem?  If so, please let me know!

  • How to pass credentials/saml token access sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication

    How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication 
    Identity provider here is Oracle identity provider 
    harika kakkireni

    Hi,
    The following materials for your reference:
    Consuming List.asmx on a claims based sharepoint site
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
    Sharepoint Claims based authentication and Single Sign on
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
    Sharepoint Claim Based Authentication Web Service issue
    http://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
    Best Regards
    Dennis Guo
    TechNet Community Support

  • ApEx 2.1.0.00.39 as Partner Application in Oracle AS Single Sign-On

    Hi,
    I've installed the latest Application Express 2.1.0.00.39 (oracle-xe-10.2.0.1-1.0.i386.rpm and oracle-xe-univ-10.2.0.1-1.0.i386.rpm) but, when I try to "create an authentication scheme" to configure an ApEx application to use SSO under
    Home>Application Builder>Application xxx>Shared Components>Authentication Schemes>Create Authentication Scheme
    in the second step of the procedure I don't find the choice "Oracle Application Server Single Sign-On (Application Express engine as Partner App)".
    I found only these:
    - Show Built-In Login Page and Use Open Door Credentials
    - Show Login Page and Use Application Express Account Credentials
    - Show Login Page and Use Database Account Credentials
    - Show Login Page and Use LDAP Directory Credentials
    - No Authentication (using DAD)
    even though under the help voice "V Information" the other two are described:
    Oracle Application Server Single Sign-On (Application Express engine as Partner App) delegates authentication to the Oracle Application Server Single Sign-On (SSO) Server. This Application Express site must have already been registered as a partner application with the SSO server. For more information, contact your administrator.
    Oracle Application Server Single Sign-On (My application as Partner App) delegates authentication to the SSO server. In this case, you must register an application with SSO as a partner application. See the next page for more details.
    Does Someone know how to resolve it?
    Thanks
    Emanuele

    Thanks for all your help Scott
    I've added the -PORTAL_SSO- .....
    After this I've had a new problem same to this: Re: SSO Authentication Not Working
    "get the error below and it then directs me to http://hostx/htmldb/f? and the "p=" is missing"
    But after a lot of tests I discovered where was the problem: "The apache configuration for the proxy!!"
    This is an extract from the installation doc:
    SetEnv force-proxy-request-1.0 1
    ProxyPass /htmldb http://127.0.0.1:8080/htmldb
    ProxyPassReverse /htmldb http://127.0.0.1:8080/htmldb
    ProxyPass /i http://127.0.0.1:8080/i
    ProxyPassReverse /i http://127.0.0.1:8080/i
    ProxyPass /sys http://127.0.0.1:8080/sys
    ProxyPassReverse /sys http://127.0.0.1:8080/sys
    where you replace 127.0.0.1 with the name OR ip address of your XE installation. 8080 is the default http port of your XE installation. "
    Well, I used the IP ADDRESS and in the @regapp > listener_token the NAME!!! (HTML_DB:servername.domain:80)
    I changed the IP ADDRESS with the NAME, restarted the httpd service and now all works fine.
    Emanuele

  • Single Sign on using SAML between JWS application and Web Application

    Hi,
    We have two applications one is swing based Java Web Start application and other is a normal web application. We are trying to enable single sign on between both the applications. Can SAML be used to enable single sign on? If yes, can some one let us know how to do this?
    Thanks,
    Rama

    Thanks. But it is based on two WEB applications deployed on two different weblogic domains. What I am looking for is one application which is launched using Java Web Start(JNLP) and other a web application. The Java Web Start application uses its proprietary authentication implementation and the web application used DefaultAuthenticator of weblogic. Hope this detail will help you to answer my question better. I should have given this information earlier.
    Thanks.
    Rama

  • OBIEE 11G with Single Sign-On and Active Directory

    Hi guys,
    Release Version: Oracle Business Intelligence 11.1.1.5.0
    Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
    OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
    We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
    Our krb5login.conf:
    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    keyTab=cgdkobi2.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
    };
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    keyTab=cgdkobi2.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
    };
    We generate the keytab file:
    C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
    Password for [email protected]:XXXXXXX
    Done!
    Service key for [email protected] is saved in cgdkobi2.keytab
    C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
    New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
    C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
    Key tab: cgdkobi2.keytab, 1 entry found.
    [1] Service principal: [email protected]
    KVNO: 1
    Time stamp: Mar 15, 2013 10:34
    C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
    Current LogonId is 0:0x406163f5
    Cached Tickets: (0)
    We restart the services and log on to the analytics web and SSO doesn't work, but there is no error. It runs successfully with an Active Directory user and password. It seems like SSO wasn't enabled, but I checked and it is enabled.
    Any suggestion?
    Thanks in advance

    Follow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
    Also check your logs for error like the one below:
    [2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 43113] Message returned from OBIS.
    [nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
    If you are getting this when you login to OBIEE :      You are not currently signed in to Oracle BI Server"
    then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
    Let us know the updates. Hope this helps. Mark if it does.!
    Thanks,
    SVS

  • Difference between Federated single sign on  and just Single sign on

    Can anyone please give a clear definition of what is
    1. Federated Single sign on?
    2. Just Single Sign on ?
    As a security expert if you were to Architect security what will you suggest ?
    Let's take an example landscape
    NW1(ABAP + JAVA)- system, NW-2(ABAP+JAVA)  system and EP( java only), LDAP
    I am having a hard time convincing the customer to have both CONSUMER AND PRODUCER PORTAL for Federated single sign on? is this a bad idea. Customer says just give me SSO(with just one portal acting as CONSUMER/PRODUCER).
    initial GOLIVE user load will be 700+ users.
    Edited by: Franklin Jayasim on Jul 16, 2010 7:52 PM
    Edited by: Franklin Jayasim on Jul 16, 2010 7:53 PM
    Edited by: Franklin Jayasim on Jul 16, 2010 7:57 PM
    Edited by: Franklin Jayasim on Jul 17, 2010 12:17 AM

    Hi  Denny Liao
    The project is going to have BI(NW) and ECC/SRM/HR(NW) and a separate portal (EP - Java only)
    I thought that normal SSO will help in the intranetwork, what happens if the employee(user)  needs to work from home.
    What about the external vendors suppliers etc...?

  • How to integrate Single Sign-On and JSF?

    Hi all,
    We are going to develop a web application using Oracle technologies, including ADF and JSF.
    But we'll need to secure our website using Oracle Identity Manager (Single Sign-On). I am having difficulty finding any resource explaining how to do that.
    Also, the IM (SSO) will run on an Oracle AS instance and our web app (ADF+JSF) will run on a separate OC4J instance, due to the ADF version. Is this a problem?
    Thanks

    We too are in the process of implementing iStore with SSO features.
    And if you believe me, it seems to me like a nightmare.
    In our scenario we are integrating this SSO with third-party access control too (AD and Siteminder). I would request you to please respond to me at the following mail id, so we can share our experience, which will help us in our implementation
    [email protected]
    regards and thanks in advance
    Vikas Deep

  • OAM 11g Single Sign-On and OAM 11g Cookies

    Hi all,
    I need to know following,
    Is it possible to get the username and password from the OAM 11g + IIS Webgate cookies and forward the same to the application for further authentication? Is there any way to decrypt the cookie and use the information in the application?
    Regards.

    Yes, you can get the user password, but for that you will have to write a custom plugin; otherwise it is not possible.
    Refer step number 9 in the blog Single Sign on with Oracle Access Manager: Creating a Custom Authentication Plugin
