ALUI 6.5 on Weblogic 10 - Single Sign-On Options

Similar Messages

• Weblogic Single Sign On on Active Directory doesn't work

  Hello!
  Please help me to work out what my mistake is.
  I configured Weblogic for SSO on Active Directory using article, described on support.oracle.com.
  My krb5.ini file is
  [libdefaults]
  default_realm = DOMAIN.RU
  default_tkt_enctypes=des-cbc-crc
  default_tgs_enctypes=des-cbc-crc
  udp_preference_limit = 1
  [realms]
  DOMAIN.RU= {
  kdc=192.168.1.1
  admin_server = DC.DOMAIN.RU
  default_domain = DOMAIN.RU
  [domain_realm]
  .DOMAIN.RU= DOMAIN.RU
  DOMAIN.RU= DOMAIN.RU
  When I try to launch check by running kinit command I get following error
  C:\Users\testuser>kinit -k -t "C:\Oracle\Middleware\user_projects\domains\base_d
  main\test.keytab" HTTP/[email protected] -J-Dsun.security.krb5
  debug=true
  KinitOptions cache name is C:\Users\testuser\krb5cc_testuserPrincipal is HTTP/[email protected]
  Kinit using keytab
  Kinit keytab file name: C:\Oracle\Middleware\user_projects\domains\base_domin\test.keytab
  KeyTabInputStream, readName(): DOMAIN.RU
  KeyTabInputStream, readName(): HTTP
  KeyTabInputStream, readName(): test01.domain.ru
  KeyTab: load() entry length: 66; type: 1Added key: 1version: 5
  Ordering keys wrt default_tkt_enctypes list
  Config name: C:\Windows\krb5.ini
  default etypes for default_tkt_enctypes: 1.
  0: EncryptionKey: keyType=1 kvno=5 keyValue (hex dump)=
  0000: 79 02 0D 8A 19 29 67 E0
  Kinit realm name is DOMAIN.RU
  Creating KrbAsReq
  KrbKdcReq local addresses for test01 are:test01/192.168.1.2
  IPv4 address
  test01/ga80:0:0:0:te2e:3de1:crew:a409%11
  IPv6 address
  default etypes for default_tkt_enctypes: 1.
  KrbAsReq calling createMessage
  KrbAsReq in createMessage
  Kinit: sending as_req to realm DOMAIN.RUException: krb_error 0 Cannot get kdc for realm DOMAIN.RU No error
  KrbException: Cannot get kdc for realm DOMAIN.RU
  at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:168)
  at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:147)
  at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:298)
  at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:237)
  at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
  Thank you!

  Hi,
  Refer this..
  http://help.sap.com/saphelp_crm52sp01/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
  Regards
  Nandha

• Implementing single sign on across multiple web apps

  Hi
  I was wondering if somebody could help me. I need to implement single sign on
  for multiple web apps deployed in separate WARs in a single EAR file. I need
  to authenticate against an LDAP server and ensure that the user only has to sign
  on once per user session even if the user navigates between web apps. The weblogic
  docs only seem to go so far, i.e. "Single sign on works if each web app uses the
  same cookie" etc. So I see that, apart from buying WebLogic Enterprise Security
  there are only two ways of doing this:
  1. Implement single sign on.
  2. Create my own security realm with my own authenticator implementations.
  So my questions are:
  1. We don't want to effect the normal weblogic user/passwords used to access the
  WLS console but need to have single sign on. Should we implement single sign on
  (option 1,above) or create our own realm?
  2. Can somebody point me to somewhere on the web/in the the WLS documentation
  that shows me how to implement single sign on using session cookies?
  TIA
  Mik

  "Mik Quinlan" <[email protected]> wrote in message
  news:[email protected]..
  >
  Hi
  I was wondering if somebody could help me. I need to implement singlesign on
  for multiple web apps deployed in separate WARs in a single EAR file. Ineed
  to authenticate against an LDAP server and ensure that the user only hasto sign
  on once per user session even if the user navigates between web apps. Theweblogic
  docs only seem to go so far, i.e. "Single sign on works if each web appuses the
  same cookie" etc. So I see that, apart from buying WebLogic EnterpriseSecurity
  there are only two ways of doing this:
  1. Implement single sign on.
  2. Create my own security realm with my own authenticator implementations.
  So my questions are:
  1. We don't want to effect the normal weblogic user/passwords used toaccess the
  WLS console but need to have single sign on. Should we implement singlesign on
  (option 1,above) or create our own realm?
  2. Can somebody point me to somewhere on the web/in the the WLSdocumentation
  that shows me how to implement single sign on using session cookies?
  http://e-docs.bea.com/wls/docs81/security/thin_client.html#1039551
  That also has a pointer to:
  For more information, see session-descriptor in Assembling and Configuring
  Web Applications.

• Outlook Email Integration proxy issue while using Single Sign-On

  Hi All,
  This is my first post on the forum, so I'd like to say hello :).
  We are using the OEI to attach some e-mails. Unfortunately the Single Sign-On option was not available for us.
  Now when SSO supports POST profile it seems like we should be fine. Unfortunately when I try to log in OEI is asking me about proxy credentials - login and password.
  I would like to understand on which side GSK or Oracle we need to configure the plug-in and how we can do this. Of course in order to set up proxy.
  Thanks a lot, Szymon

  I see only two possibilities -
  Either update all your LDAP user ids to Upper case
  Or Update all your CE user id's and MDM user id's to Lower case.
  Thanks,
  Shambhu.

• Safari and Single Sign on Certificates

  Hi Experts,
  I use service.sap.com in Safari Browser (Lion 10.7.3) internet page & under the below given circumstances, I have a problem loading the page.
  Step 1: Install Firefox (any version) for Mac. Open the service.sap.com internet page and register for Single Sign on Option with the website. After the SSO certificate is added, you may close the firefox.
  Step 2: Open the Service.sap.com website in the safari browser. Browser automatically opens a popup to choose the certificate for single sign on. Choose Cancel in the Pop Up window. Now the page won't load. But if you do the same in the Firefox, the page loads properly. I have tried in Microsoft Windows with different browsers including Google Chrome, Firefox , Internet Explorer 8 and above - all these working correctly by loading the page without the certificate.
  I also could not register for Single Signon from a Safari Browser in Lion 10.7.3;
  Any expert advice is very helpful
  Thanks
  Kasee

  With a workaround, issue is solved.
  I installed Mozilla Firefox, than installed the respective certificate in firefox.
  Now when I open Safari and point to the website, system shows me the correct certificate.
  On choosing the certificate, problem is solved.

• Transparent single sign on domain logon / wireless

  Hello,
  I recently found out about the "single sign on" option in combination with "perform immediatly before user logon" which allows a user to enter wifi credentials and so be able to log on to a domain computer without cached credentials.
  It seems like the windows logon screen always shows four input boxes: two for domain credentials and two for wireless credentials.
  I would like to get rid of the double credential boxes in the logon screen and make the logon process transparent to users. Their domain and wireless credentials are the same so they have to enter the same information twice.
  Is this possible or am I doing something wrong?

  Hi,
  Thank you for the update, if no further help needed, please mark the proper post as an answer, this may help the others who might encounter the same issue reading this thread.
  And if any futher questions, welcome to post in Technet forum.
  Best regards
  Michael Shao
  TechNet Community Support

• Single sign-on in weblogic cluster?

            I am using wls 7.0 sp1 that form a cluster by two managed servers each at different
            physical machine.
            In front of the servers, a hardware load-balancer providing a virtual ip that
            mapped to the real ip of the 2 machines.
            I deployed a web application to the cluster. The html & jsp files are all protected
            by Form Based Authorization.
            My expectation is, whenever I sign-on to the first managed server, the login credential
            should also be valid for the second managed server.
            But it is not the case.
            My situation is:
            - open brower with url: http://virtual.ip:7001/admin.jsp
            - the load balancer map the request to my first managed server.
            - the response from the first managed server prompt the login page for username
            and password.
            - after POST the information, my target admin.jsp page display properly.
            - when I click the link within the admin.jsp page, eg. http://virtual.address:7001/status.jsp
            there is two possibilities:
            1. the load balancer route the request to the first managed server and everything
            well.
            or
            2. the load balancer route the request to the second managed server and response
            with login page again.
            The second case is definitely not what I expected.
            Question:
            Is it the default behavior of Weblogic cluster on the single sign-on? I think
            my login is against a WLS domain (at least a cluster), not to a specific web server!
            Any comments are welcome.
            

            Note my answer is not directly related to your question, but it might help.
            From my experience to configure WL cluster with hardware load balancer, the session
            stick (layer 7 switch) should be used (either using the session cookie, or ServerID
            cookie). That is, unless one instance is down, all requests from the same session
            are better go to the same server. I ever tried round-robin or random load balance
            policy at hardware load balancer without session stick, and the result was as
            disappointing as you have seen.
            "franky c." <[email protected]> wrote:
            >
            >
            >I am using wls 7.0 sp1 that form a cluster by two managed servers each
            >at different
            >physical machine.
            >In front of the servers, a hardware load-balancer providing a virtual
            >ip that
            >mapped to the real ip of the 2 machines.
            >I deployed a web application to the cluster. The html & jsp files are
            >all protected
            >by Form Based Authorization.
            >
            >My expectation is, whenever I sign-on to the first managed server, the
            >login credential
            >should also be valid for the second managed server.
            >
            >But it is not the case.
            >
            >My situation is:
            >- open brower with url: http://virtual.ip:7001/admin.jsp
            >- the load balancer map the request to my first managed server.
            >- the response from the first managed server prompt the login page for
            >username
            >and password.
            >- after POST the information, my target admin.jsp page display properly.
            >- when I click the link within the admin.jsp page, eg. http://virtual.address:7001/status.jsp
            > there is two possibilities:
            > 1. the load balancer route the request to the first managed server
            >and everything
            >well.
            > or
            > 2. the load balancer route the request to the second managed server
            >and response
            >with login page again.
            >
            >The second case is definitely not what I expected.
            >
            >Question:
            >Is it the default behavior of Weblogic cluster on the single sign-on?
            >I think
            >my login is against a WLS domain (at least a cluster), not to a specific
            >web server!
            >
            >
            >Any comments are welcome.
            >
            >
            

• Single Sign-On using SAML in WebLogic Server 10.3

  I followed Vikrant Sawant's tutorial on how to configure single sign-on (SSO) with SAML in WebLogic (http://www.oracle.com/technology/pub/articles/dev2arch/2006/12/sso-with-saml.html) but am being forced to re-authenticate when going from Domain B back to Domain A. I'd appreciate any help or suggestions.
  I posted a question in the General forum here:
  Single Sign-On using SAML in WebLogic Server 10.3

  I too am facing the same problem SSO with SAML - Session on Source Site killed after landing on Destination
  Thanks
  Togotutor
  <b><a class="jive-link-external" href="http://www.togotutor.com">http://www.togotutor.com</a> (Learn Programming and Administration for Free)</b>
  Edited by: user7507600 on Sep 17, 2010 10:01 AM

• NTLM and Single Sign On with WebLogic 8.1

  Hi guys,
  I've only been using WebLogic for about 3 weeks now, I have developed a small web app using servlets and need to add "single sign-on" functionality to it. One of my colleagues advised me to use NTLM, but he doesnt have any experience in implementing it with WebLogic.
  Could anyone send me some instructions or directions? Sample code maybe? I dont have much experience with security.
  Thanks guys,
  Tommy

  Hi Tommy,
  I used to work for a security company that built an off-the-shelf product that did NTLM SSO (along with SPNEGO), so I feel that I can give you a little bit of advice here. If you want a quick solution, buy it from Quest. The product is called Vintela SSO. If you want to actual build this your self however, I have given a rough guide of how to start.
  Essentially, you will need to develop new Identity Assertion and Authentication provider MBeans. There are guides on how to do this in the WebLogic SSPI documentation.
  http://edocs.bea.com/wls/docs81/dvspisec/index.html
  The Authentication provider should be pretty trivial (just making mappings from autheticated users to roles), but the Identity Assertion provider is a whole other kettle of fish. You will need to do some serious reading on NTLM:
  http://davenport.sourceforge.net/ntlm.html#whatIsNtlm
  You will also need to pickup a copy of an NTLMSSP java library. You can get one called jCIFS from http://jcifs.samba.org/
  Your identity assertion provider needs to parse the NTLM credential from the WWWAuthenticate line in a HTTP Request from IE. You then need to validate the token using JCIFs. You then use JAAS to create a JAAS Login Principal that is passed to the new Authentication Provider which will match the authenticate user against groups. Then you slip to the normal SSPI role-mapping process from there.
  Once you have created the new providers, you need to wrap them in JMX MBeans so that WebLogic can use them.
  This is all going to be quite a big job to implement.

• Single-Sign with Essbase and WebLogic

  Hi,I am trying to achieve a single sign-on between my WebLogic application and Essbase. I am looking at the new security platform API but I don't quite understand how that achieves single sign-on.The API requires me to authenticate the user with a username/password first before I can get the token, but the user is already authenticated by WebLogic and there is no way to get the password (SSL with form authentication).Does the security platform not cover this scenario? Thanks,- Robert

  For System 9, I think SiteMinder comes close to what the OP wants, but it does not apply to fat client tools.
  See http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_cas_help/ch02s03.html for the encouraging bits and http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_cas_help/ch02s03s01.html for the discouraging bits.
  But it comes close.
  System 11 expands the number of SSO hosts, but alas, also seems to not support fat clients: http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security/cas_help.htm
  So, access to Workspace is easy, but the classic add-in and SV are still not there.
  Regards,
  Cameron Lackpour

• Single Sign on using SAML between JWS application and Web Application

  Hi,
  We have two applications one is swing based Java Web Start application and other is a normal web application. We are trying to enable single sign on between both the applications. Can SAML be used to enable single sign on? If yes, can some one let us know how to do this?
  Thanks,
  Rama

  Thanks. But it is based on two WEB applications deployed on two different weblogic domains. What I am looking for is one application which is launched using Java Web Start(JNLP) and other a web application. The Java Web Start application uses its proprietary authentication implementation and the web application used DefaultAuthenticator of weblogic. Hope this detail will help you to answer my question better. I should have given this information earlier.
  Thanks.
  Rama

• Single sign-on and different usernames and passwords

  Hello,
  I am building a Portal with WLPS 3.5 and WLS 6.0. I tried to get
  information about the background of single sign-on.
  I understand, that I need a Realm (i.e. LDAP Realm) to authenticate the
  user for the first login to the portal (with username and password).
  Now I would like to integrate my webmail-programm (to get emails from
  Lotus Notes via Internet) as a portlet.
  For my understanding the user has to authorizate to get access to webmail.
  Therefore I create a ACL for webmail and this ACL is assigned to my
  security Realm.
  I would like the portlet to show after login the number of mails for the
  specific user. But where are the username and password for webmail stored
  and how are they received and forwarded?
  I understand that my ACL included all users that have access to webmail
  (i.e. all users). But I only want emails for the specific user.
  Does WLS get all usernames and passwords while the first login? Do I have to
  implement a algorithmen to get the specific username and password for the
  requested resource in my portlet?
  Has anyone solved a similar problem or can tell me where I can get more
  information. I read the WebLogic Security document but I cant find a
  answer to my questions.
  Thanks
  Lydia

  Lydia,
  I'm not an expert in this area, but I can give you a start.
  As for single sign-on, there are different levels. For single sign-on across web-apps,
  the servlet spec requires this (section 12.6 of th 2.3 spec) and therefore Weblogic
  does this.
  What you are talking about is single sign-on across back-end applications through
  a web-app. BEA has partnered with Securant (just acquired by RSA) to provide this
  kind of functionality. Browse to http://www.rsasecurity.com/products/ and look
  at the ClearTrust product. BEA has also partnered with Netegrity (www.netegrity.com)
  with their SiteMinder product. Neither is included in the Weblogic license. I'm
  sure either vendor would be excited to explain how their product will solve your
  problem if you give them a call.
  As for where the username and passwords are stored, that is up to the realm. If
  you are using the default WLPS RDBMSRealm, the username and encrypted password
  are stored in the WLCS_USER table. If you are using LDAPRealm, they are stored
  in your LDAP server.
  Hope this was useful!
  PJL
  [email protected] wrote:
  Hello,
  I am using PersonalizationServer 3.5 and WLS 6.0 SP 2.
  Now I try to unterstand the functionality of Single sign-on when a user
  has different usernames and passwords for different applications.
  Can someone explain where the usernames and passwords for a user are
  stored (all in the LDAP-realm or a RDBMS-realm?) When a user access the
  application how username and passwords are mapped? Or usernames and
  passwords for all applications are the same and will be equalized?
  Precisely I would like to get access to a mail-account for a specific
  user
  (webmail from Lotus Notes).
  Thanks for any help
  Lydia

• Single Sign-on and SSL problems

  We are using WebLogic Portal and Server (version 8.1 SP3). We want to have a single sign-on when entering the portal, so that users do not need to reauthenticate each time they access an application via an applet in the portal. We also want to protect the username/password authentication and all other connection information using SSL. We have applications in multiple domains.
  When not using SSL, SSO works okay. We are challenged for username/password exactly once, whether we access the Portal, or an application directly. As soon as we enable SSL, we are challenged repeatedly, and in some cases cannot access the applications at all, as the challenge always fails.
  We suspect that there is a Session cookie problem and that something is clobering the cookie and thus breaking the session. Does anyone have any idea on what might be causing the problem?

  Hi Derick,
  I want to make our discussion into 2 parts
  1) Sign on
  2) Viewing data based on the Heirarchy
  1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
  2) We can make the second point possible in two ways One is with providing restriction at universe level
  and the other one is through the use of flash variables.
  Using flash variables:
  The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
  I hope this is what you ar looking for....
  If so i have more points to acheive such scenario.
  Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
  Regards,
  AnjaniKumar C.A.

• Customize Single sign on

  I tried the metalink note for customizing single sign on and
  when i run the custom login it doest redirect to the users home
  page, its simply dies.
  Can some explain the parameters in the package
  portal30_sso.wwsso_app_admin.
  ls_login
  site2pstoretoken in varchar2
  ,ssousername in varchar2 default null
  ,password in varchar2 default null
  ,subscribername in varchar2 default null
  ,p_request in varchar2 default null
  ,p_test_cookies in varchar2 default null
  ,p_suppress_warning in boolean default false
  and how to use the site2pstoretoken and other parameters.
  Thank in advance
  Mir

  In your mod_wl_ohs.conf add the following two lines:
  Debug ON
  WLLogFile /tmp/mod_wl_ohs.log
  Bounce your OHS/Aapche instance and try to access the site again. You can then review the log to see if it's telling you anything that could shed some light on the issue. You can post up the log here if you want and I can give you my two cents worth of advice. I'm very familiar with with the OHS/OAM setup and config, but I haven't used the SSO server before, so I might be a bit out of my territory.
  Here's a sample of what my mod_wl_ohs looks like if you want to see an example:
  #NOTE : This is a template to configure mod_weblogic.
  LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
  # This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host Level
  #<IfModule weblogic_module>
  # WebLogicHost <WEBLOGIC_HOST>
  # WebLogicPort <WEBLOGIC_PORT>
  # Debug ON
  # WLLogFile /tmp/weblogic.log
  # MatchExpression *.jsp
  #</IfModule>
  # <Location /weblogic>
  # SetHandler weblogic-handler
  # PathTrim /weblogic
  # ErrorPage http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
  # </Location>
  <IfModule weblogic_module>
  Debug ON
  WLLogFile /tmp/mod_wl_ohs.log
  <Location /app1>
  WebLogicHost companyserver.companydomain.com
  WebLogicPort 7004
  SetHandler weblogic-handler
  </Location>
       <Location /app2>
  WebLogicHost companyserver.companydomain.com
  WebLogicPort 7004
  SetHandler weblogic-handler
  </Location>     
  </IfModule>

• HELP needed on Single Sign on

  can any one give me some reference documents or reference links which can be used
  for single sign on to the Portal server and to several other applications.
  I need also some documents which should be able to connect to an AS400 application
  and to a peoplesoft application thro' my portal.
  plz help me in this regard. i really don't have any idea regarding this and i
  have been asked to do this. plz send me the documents which should clearly explain
  everything
  Thanx in Advance
  Prasanna

  Hello Prasanna,
  There is a new code sample on dev2dev ( http://dev2dev.bea.com/index.jsp ) that
  shows how to modify the login framework for Portal to support single signon. This
  code example modifies the security and portal webflows to allow you to plug in a
  custom login implementation.
  The example is called "WebLogic Portal Login Framework" and it is located at
  http://dev2dev.bea.com/code/codedetailcontent.jsp?productType=weblogic+portal&codeType=code+sample&filepath=components%2Fdev2dev%2Fcodelibrary%2Fcodesamples%2Fcodesample_wlplogin.htm
  Prasanna wrote:
  can any one give me some reference documents or reference links which can be used
  for single sign on to the Portal server and to several other applications.
  I need also some documents which should be able to connect to an AS400 application
  and to a peoplesoft application thro' my portal.
  plz help me in this regard. i really don't have any idea regarding this and i
  have been asked to do this. plz send me the documents which should clearly explain
  everything
  Thanx in Advance
  Prasanna--
  Ture Hoefner
  BEA Systems, Inc.
  4001 Discovery Drive
  Suite 340
  Boulder, CO 80303
  www.bea.com
  [att1.html]