Apex as Partner App using OID SSO

Similar Messages

• APEX as Partner APP in SSO - Post Authentication Process

  I am trying to get APEX to work as Partner APP with SSO. It's almost working but a vitol piece doesn't cooperate.
  In my old authentication scheme (built-apex) I have a Post-Authentication Process (see below) that needs to set my page 0 items. When I put this into my new authentication scheme for SSO and try to log-in, I get a blank screen.
  If i take it out, my screen displays fine, but my page 0 items are not set with the correct values. What am I missing?
  DECLARE CURSOR get_user_defaults IS
  select B.fk_school, B.year, B.pk_id,
  nvl(A.user_type,'N') user_type
  from "#OWNER#".sis_user_roles B, "#OWNER#".sis_user A
  where A.user_name = :APP_USER and
  B.fk_sis_user = A.pk_id
  order by decode(B.default_role,'Y',1,2);
  BEGIN
  FOR user_defaults_loop in get_user_defaults LOOP
  :P0_LOGIN_SCHOOL := user_defaults_loop.fk_school;
  :P0_LOGIN_SCHOOL_YEAR := user_defaults_loop.year;
  :P0_LOGIN_ROLE := user_defaults_loop.pk_id;
  :P0_USER_TYPE := user_defaults_loop.user_type;
  EXIT;
  END LOOP;
  END;

  not sure what the problem is. Are you sure that :app_user is set already?
  However it looks as if you get an error (might result in blank screen) during your process.
  btw: the pL/sqkl block could be rewritten into a single sql select without any loop.
  BEGIN
    SELECT fk_school, year, pk_id, user_type
    INTO  :P0_LOGIN_SCHOOL, :P0_LOGIN_SCHOOL_YEAR, :P0_LOGIN_ROLE, :P0_USER_TYPE
    FROM ( 
      select B.fk_school, B.year, B.pk_id,
      nvl(A.user_type,'N') user_type, rownum rn
      from "#OWNER#".sis_user_roles B
          , "#OWNER#".sis_user A
      where A.user_name = :APP_USER
      and B.fk_sis_user = A.pk_id
      order by decode(B.default_role,'Y',1,2)
    where rn <= 1
  exception
    when no_data_found then
       raise_application_error(-20001,'User "'|| :APP_USER ||'" not found!');
  END;

• Writing Partner Application Using Java SSO APIs

  Hi
  Following the document "Oracle9iAS Single Sign-On Application Developer's Guide" to implement Single Sign on
  for Partner Applications.
  When try to login into the application for the first time they successfully get redirected to the Login Server. The login page for the
  Login Server is displayed and prompts for a username and password to be entered. On entering the details for a valid user
  get redirected to the SSOSignOnServlet as expected. This servlet then calls the method
  setPartnerAppCookie(request, response) on the SSOEnablerServletBean.
  This in turn calls the setPartnerAppCookie(request, response) method on the SSOEnablerBean.
  This method requests a parameter from the HTTPRequest object which it appears should be added to the request by the Login Server.
  However, the request for the parameter returns NULL. This prevents the Servlet from setting the
  application cookie and causes the application to fall over.
  Error: oracle.security.sso.enabler.SSOEnablerException: java.lang.NullPointerException
  Since the example was going into a continuous loop of redirecting to the login
  server and then back to the application the following change has been made to the
  SSOEnablerServletBean.java file.
  // Requested URL (User requested page)
  private static String requestUrl =
  "http://10.0.7.105:8888/servlet/SSOPartnerServlet";
  // Requested URL (User requested page)
  private static String requestUrl =
  "http://10.0.7.105:8888/servlet/SSOSignOnServlet";
  Any reply will be highly appreciated.

  I have the same problem here.
  Any ideas?
  Thank You in advance
  Justinas

• How to set up ApEx as a SSO partner app?

  I seem to be stuck in something of an endless loop here.
  I'm trying to set up the authentication for an ApEx app to use my Oracle AS SSO. When I start the wizard to create a new authentication scheme I choose "Based on a pre-configured scheme from the gallery". That shows me five choices (open door, ApEx credentials, database credentials, LDAP, and "no authentication"). When I click on the "Information" link at the bottom it displays some text for two more choices which aren't listed above: "Oracle Application Server Single Sign-On (Application Express engine as Partner App)" and "Oracle Application Server Single Sign-On (My application as Partner App)". Those descriptions also say that those choices aren't displayed because "This Application Express site must have already been registered as a partner application with the SSO server."
  OK -- no big deal. I'll just register the ApEx site as a partner app. I found this link explaining how to do that: http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
  Now, reading that page, I get to this step in the process: "Using the Application Express Application Builder, use the create authentication scheme wizard to create an authentication scheme based on the pre-configured
  scheme Oracle Application Server Single Sign-On (Oracle HTML DB Engine as Partner App)."
  And back to the top of my loop. The wizard in Apex tells me that I can't see the SSO choice when I'm creating my app's authentication because it's not registered as a partner application, and the instructions which tell me how to register ApEx as a partner application tell me to pick the SSO choice in the ApEx wizard.
  Has anyone managed to break out of this Groundhog Day documentation loop?

  Well,
  There are 5 choices to choose from on the page. In the description of the choices at the bottom of the page there are 7, and the two additional choices talk about having to first have registered the site with SSO. So...I'm interpreting that as meaning that other 2 possible choices would be displayed if the site is registered with SSO. That, plus the fact that the page which describes how to add the site to SSO seems to think that the SSO choices are displayed in the wizard.
  So, no, there's no "exact launguage" that says what the reason is for the choices not being displayed. Can you point me to some exact language that tells me how to get those choices displayed?

• Logout URL for 9iAS SSO Partner App

  Hi,
  I've successfully set up an HTMLDB application as a Single Sign On partner APP. The login works perfectly, except I'm a little confused about the logout URL. Currently it is set to the default in the Authentication scheme, but it doesn't work too well - I get errors if I navigate back to the single sign on page from the default HTMLDB logout page. What I want it to do is to de-authenticate then automatically go back to the SSO login page. What do I change my logout URL to?
  (curently it is wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=4155:PUBLIC_PAGE)
  Thanks,
  Steve

  Steve - Here's a logout URL that unsets the app's
  session cookie first, then goes to Single Sign-off,
  then back to a public page in the app:
  https://host:port/pls/DAD/wwv_flow_custom_auth_std.log
  out_then_go_to_url?p_args=&APP_ID.:https://login.yourl
  ogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p
  doneurl=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLI
  C_PAGE
  ScottI am quite new to Oracle Apex.
  I have just looked read through your posts, because I am having a similiar problem. I simply want to be able to click the logout link on my application and be able to logout of single sign on.
  I have tried your URL and I am sure it is accurate but I am unable to get it to work. I think the main problem I have is that I cant get to the logout URL on the single sign on page : http://host:port/pls/orasso/orasso.wwsso_app_admin.ls_logout
  Please could you advise ?
  Thanks
  Numan

• SSO for 'external' partner apps

  Is it possible to use oracle's SSO product with applications written in various languages (php/perl/coldfusion/.net,etc) on non-oracle servers.
  ie, if i have a php application that sits on a server entirely separate from the oracle app server or SSO server, is there documentation that allows me to write code that hands-off authentication responsabilities to the SSO. so, the php application would verify that a user is presenting a login cookie, and speak to the sso server in the backend to verify that the login cookie is valid, etc.
  Thanks very much for any help you can provide!

  I have similar kind of requirements for Single sign-on to external web applications.
  But in my applications I have to auto-generate random userid & password for different external web applications.
  These uids & password are exported to external applications, which upon recieving creates user in their applications.
  So, actual user will never have access to these credentials(uid &pwd).
  So, how can I cutomize the Portlets to do the first time SSO when user is created & their credentials to external apps are stored to OID.
  Any idea Barry..
  Bye

• SSO Authentication Audit Information for Partner Apps ?

  Hi,
  Is it possible to get Audit Information to show when a users has been authenticated by SSO for a Partner Application ?
  If I look at orasso.wwsso_audit_log_view I can see when a user has been authenticated and a row for Portal and each Partner App that gets authenticated. The question is can you tell which row relates to which Partner App or is there another table with this information ?
  i.e I have two Partner Apps, a user logs onto Portal and only visits pages for one of them, When I log I see 2 rows, I need to know which Partner App they vistied (A or B).
  Thanks
  Simon.

  Well in that case i guess am in luck because i am working with oracle. The thing however is that I don't know where to fetch the information about the installation and all that in order to proceed ahead.
  Besides it seems, the easier it was to make the application and deploy it on the apex, the harder it is to integrate it with the SSO.
  Also i don't understand when you say "public apex.oracle.com", I always thought it was meant only for oracle employees as in it's not accessible through the internet.
  You won't (unless you work for Oracle) be able to do
  that on the public apex.oracle.com site as far as I'm
  aware.

• Partner App OAS SSO integration does not work

  Hi All,
  I try to make OAS SSO work. I have app I built in HTML DB, I try to make it work as Partner Application for OAS SSO. I've done all requierments to install SSO SDK and try to make it work - it was fruitless.
  Then I try to make Test App work (\ssosdk307_032101\demo\plsql\) - it was fruitless also.
  I received the same error messages in Apache error_logs:
  [Thu Nov  4 12:06:54 2004] [error] [client 192.168.83.43] [ecid: 1099562814:192.168.83.197:9461:0:1,0] mod_plsql: /test2/test_setup HTTP-503 ORA-6550 Call to WPG_SESSION API Failed.
  [Thu Nov  4 12:06:54 2004] [error] [client 192.168.83.43] [ecid: 1099562814:192.168.83.197:9461:0:1,0] mod_plsql: ORA-06550: line 4, column 2:
  PLS-00201: identifier 'FLOWS_010500.WPG_SESSION' must be declared
  ORA-06550: line 4, column 2:
  PL/SQL: Statement ignored
  ORA-06550: line 5, column 16:
  PLS-00201: identifier 'WPG_SESSION_PRIVATE.CREATE_SESSION' must be declared
  ORA-06550: line 5, column 2:
  PL/SQL: Statement ignored
  ORA-06550: line 6, column 15:
  PLS-00201: identifier 'WPG_SESSION_PRIVATE.GET_LW_USER' must be declared
  ORA-06550: line 6, column 2:
  PL/SQL: Statement ignored
  ORA-06550: line 7, column 2:
  PLS-00201: identifier 'FLOWS_010500.WPG_SESSION' must be declared
  ORA-06550: line 7, column 2:
  PL/SQL: Statement ignored
  Could someone point me what to do in order to make it work? I guess I miss some step but I don't know what one I've missed :(((
  Thanks,
  Sergiy

  Scott,
  Thanks for your reply. I double check instruction and re-done all steps. I try to start demo application (I didn't even go further tneh step 4 in Install.txt!)
  from ...\ssosdk307_032101\demo\plsql\Readme.txt 5. To verify the web server setup, go to the following URL to see the test page:
  http://<hostname>:<port>/pls/<dad_name>/<schema_name>.test_setup
  , but I receive the same error messages in IE and in Apache error_logs.
  I see at this point one weak area - this is DAD. As I understand I need to create dad in dads.conf, am I right?
  Maybe I didn't created it right?
  Could you post some working dad for SingleSignOn?
  Thanks,
  Sergiy

• How to make use of SSO login credentials of oracle in Authentication shema using APEX

  Hi
  I am using SSO login for Authorizations. Would like make use of SSO for creating authentication schema. I would appreciate if someone can help me on this. My main requirement is to assign privilege based on users using SSO loging.

  Here's an example.
  I create a new application in APEX called Master with Application ID = 100. I modify some templates, create some LOV's in this master template.
  I create a 2nd application in APEX called Subscriber with Application ID = 101.
  In 101 I go to Shared Components => List of Values => Create. Choose to create as a copy of an existing list of values. In the dropdown, I choose Master (100) and click Next. You then are presented with all of the LOV's from your master application. First off you want to change the name from Copy of <LOV> to just <LOV> more because it is kind of confusing if you don't. In the copy drop-down, this where you choose Copy and Subscribe.
  The way it works is that once an object subscribes, you always make changes to that object in Master (100), and there is a button to push that change to all subscribing applications. So if you have 30 applications subscribing to that one LOV, you just make the change once, push it to the subscribers and they are now up to date.
  Keep in mind it doesn't work with all objects and only certain objects may be subscribed to. Objects like Application Processes for instance do not have a subscription feature, but you could use packages to keep common logic and just reference the same package anywhere you need it.
  What I ended up doing was to create a master and a subscription application. The subscription template has no actual pages, just subscriptions to templates and LOV's that I need. Whenever I need a new application, I just create a new application as a copy of that subscription application and my subscriptions are already setup for me.
  Check out the documentation and just search for Subscribe or Subscription and it should explain pretty much what I did above.

• Getting error like "Error in portal_sso_redirect: missing application registration information" while trying to run application using Oracle SSO

  Hi All,
  I am trying to implement SSO authentication for my APEX application. I have registered the application as a SSO partner application.
  I have set the authentication scheme to Oracle Application server Single Sign On.
  When i run the application i am getting the below error.
  Error in portal_sso_redirect: missing application registration information: p_partner_app_name:g_listener_token:HTML_DB:ofss220104.in.oracle.com:5050Please register this application as described in the installation guide.
  Please help me to resolve this.
  Thanks and Regards,
  Suhas

  Suhas,
  After you registered your application as a SSO partner application did you use the information from Oracle SSO (home URL, success URL, Logout URL, app_name etc) and loaded it into the APEX_SSO schema using the regapp.sql script from the ssosdk?
  Step 4 of http://www.oracle.com/technetwork/testcontent/sso-partner-app-100552.html#INSTALL
  Ricker

• Is it possible to have custom PL/SQL signoff/logout pages per partner app?

  Hello -
  We are currently using one OID server as our SSO midtier for an Oracle portal and Oracle EnterpriseOne applications. Following document (342942.1) we have successfully been able to create a customized sign-off/logoff page. However this page defined is the same for all partner application. We would like the ability to send the users to one page if they logoff from the portal, and to another page if they logoff EnterpriseOne. Is there a way to determine which partner app is calling for a logoff, and we could populate the p_done_url variable from there?
  Thank you.

  Why not just wait for the request to complete in your PL/SQL?
  function FND_CONCURRENT.WAIT_FOR_REQUEST
  (request_id IN number default NULL,
  interval IN number default 60,
  max_wait IN number default 0,
  phase OUT varchar2,
  status OUT varchar2,
  dev_phase OUT varchar2,
  dev_status OUT varchar2,
  message OUT varchar2) return boolean;
  Trust iguru here.. the users will not notice.

• Registering a Partner application with Oracle SSO 10gR2

  Hi Everybody
  I'd like to ask a question around registering a partner application with Oracle SSO.
  I have entered my home_url, logout_url and cancel_url e.g. home_url is https://vevopuitest1.co.uk/vevo_test1 and so on for the other fields.
  When I save the details some information is automatically created e.g. Site Id, Site Token etc.
  The bit that I am particularly interested in are the fields Single Sign-On URL and Single Sign-Off URL.
  For my purposes these fields are respectively: https://cwassotest1.co.uk/pls/orasso/orasso.wwsso_app_admin.ls_login and https://cwassotest1.co.uk/pls/orasso/orasso.wwsso_app_admin.ls_logout
  My questions are:
  1. Where do these values come from?
  2. Can I view them anywhere, say, in Oracle Directory Manager or using ldif queries?
  I would like to be able to verify these values.
  Many Thanks
  Andy

  I'm afraid this won't answer your question completely, but AFAIK in principle it does not matter on which machine SSO is running, as long as it passes the user id and credentials properly through the HTTP Header. Even more: in practice it is very common to have SSO running on a different machine than where your app runs.
  So what I would do is find out how to use ADF Faces with SSO. Perhaps someone else can provide pointers on that.
  Jan Kettenis

• LDAP authorization problem in OC4J 10.1.3. using OID

  I'm attempting to secure a j2ee application using OID and SSO. I'm using the standard OID Security Provider.As long as my user in ldap is located within a group that is part of the cn=groups everything works fine. However, if the user is defined in a nested group authentication fails.
  Scenario 1 (working):
  cn=mse-se-staff,cn=groups,dc=global,dc=mycompany,dc=net
  Scenario 2 (not working):
  cn=mse-se-staff,cn=exchange,cn=groups,dc=global,dc=mycompany,dc=net
  I know that when using a third party ldap provider one can change the searchscope to search nested groups. Is there a way to set this in the standard OID security provider as well?
  I have tried pre-pending the security-role-mapping with the additional group like so:
       <security-role-mapping name="USERS">
            <group name="exchange/mse-se-staff" />
       </security-role-mapping>
  This did not work however. Can I use nested groups with OID? Again this works fine if the user is defined in a group that is part of cn=groups.
  Here are all the important configuration pieces:
  web.xml:
  <security-constraint>
            <web-resource-collection>
                 <web-resource-name>access to the application</web-resource-name>
                 <url-pattern>/svc</url-pattern>                               
            </web-resource-collection>
            <!-- authorization to admin urls -->
            <auth-constraint>
                 <role-name>USERS</role-name>
            </auth-constraint>
  </security-constraint>
  orion-application.xml:
       <security-role-mapping name="USERS">
            <group name="mse-se-staff" />
       </security-role-mapping>
       <jazn provider="LDAP" location="*my ldap here*">
       <jazn-web-app auth-method="SSO" jaas-mode="doAsPrivileged" />
  </jazn>
  Thanks,
  Marc

  Could you try settings java.naming.referral jndi env referral and re try.

• Multiple Infrastructure servers with Single OID/SSO Server

  I am trying to migrate an application from OAS/8.1.6 to 9iAS. We have multiple OAS instances clustered using Microsoft NLB and the remote database is also on a Microsoft cluster. We intend to use Single Sign On for authentication of clients (application is in remote 9i Database accessed via a PLSQL DAD)
  Have successfully implemented this on a single machine - installed 9iAS Infrastructure and now web clients can go to url http://server.com/myapp and are redirected to the single sign on pages before running the /myapp application via the PLSQL DAD.
  However, I am having problems trying to scale this via installing further infrastructure instances which utilise the first OID/SSO server above. This appears to be a supported configuration and during install I am prompted for the location of the OID/SSO server - the first server is located correctly and installation works fine.
  However, mod_osso doesn't seem to be configured when the subsequent servers are installed. I've followed the procedures described in the Oracle Note 217155.1 "HOW TO avoid the redirection to the SSO-Server" to configure the new servers as partner applications to the original server. A PLSQL Dad has also been configured on these servers and tested without mod_osso in the way.
  Accessing the /myapp application via any of the new servers results in redirection to single sign on pages with the text "Error: Invalid value specified. (WWC-41409)" being displayed on the login page so there's obviously a configuration error.
  Has anybody else been through the exercise of creating a distributed enterprise level infrastructure installation of 9iAS and would be willing to share any lessons learnt? Or does anyone know how to solve the WWC-41409 error?

  If you haven't finished configuring your server configuration already you might want to do a search on Metalink using the key word "ptlasst.bat". You can create and wire multiple repositories using this utility.

• Error when using OID in Jazn

  Hi,
  I am trying to use OID for J2EE Security and using oracle.security.jazn.oc4j.JAZNUserManager. I tried to use XML as the provider and it worked,but when I tried to use OID for the same,it failed.
  (entry in orion-application.xml)
       <jazn     provider="LDAP" default-realm="jazn.com" location="ldap://oidhost:389" >
       <jazn-web-app auth-method="SSO" />
       </jazn>
  Whenever I start my OC4J, I get an error as
  oracle.security.jazn.JAZNNamingException: The system is unable to retreive the specified realm(s).
  I tried
  java -jar jazn.jar -listrealms
  And that too gave error.
  It would be great if someone can tell me if I need to specify the base dn anywhere,or the entries that should be in the oid.
  Thanks,
  Shipra

  Hi,
  We are also in a similar predicament, about to use OID 3.0.1 on Windows 2000 with JAZN-LDAP provider to do authentication in our web application. We also can get the XML provider to work successfully. We haven't tried LDAP provider yet because of reading this thread.
  Lee, you state that JAZN-LDAP isn't certified with OID 3.0.1, but does it work? The reason we ask is we have been made aware that OID 9 for Windows NT /2000 will not be available for another six to eight weeks therefore as our requirements are to use OID we do not wish to go down another route.
  However, if this is not possible what are our options? Could you also clarify when OID 9 release 2 for Windows NT /2000 will be available?
  regards
  Fran