Deploying OracleAS Single Sign-On Server Cluster setup with a Proxy Server

Similar Messages

• Oracle Single Sign on Integration with Oracle EBS  r12

  Hello,
  I am working on a project to integrate Oracle Single Sign On on Oracle r12. There is plenty of information available on Oracle Support but few inter-mixing and confusing terminology keeps popping up and I do not understand how all pieces together work. I am new to Oracle Single Sign On.
  Here are few basic questions.
  1. What is the difference between Oracle Internet Directory, Oracle Virtual Directory and Oracle Active Directory
  2. Are the terms Identity Management and Oracle Single Sign On interchangeable?   What is the difference between two?
  3. What is Oracle Access manager and how different that is from Identity Management?
  4. What is Oracle HTTP Server 11g webgate and how different that is from a normal traditional Oracle HTTP Server?
  5. What is Oracle EBS Accessgate?  Why do I need it?  On metalink some notes do not indicate use of Accessgate at all for OSSO deployment while some makes it look like required.And advise on above will help.
  Thank you
  Darsh

  Hi Darsh,
  1. Oracle Internet Directory (OID) is Oracle LDAP storage solution (more here), Oracle Virtual Directory is Oracle solution that can read identity data (and filter it (mask it) based on policies) from Oracle/non-Oracle databases, Oracle/non-Oracle Directories and files and provide the user profiles as LDAP view (more here), There is nothing called Oracle Active Directory, you must be referring to Microsoft Active Directory.
  2. No, Oracle Single Sign On (OSSO) is a feature in iAS (its obsolete), Identity Management is wide umbrella of solutions and concepts.
  3. Oracle Access Manager is one component of Oracle Identity and Access Management suite of products.
  4. Webgate is Oracle access Manager agent that is installed on a webtier, it intercepts the web requests and collect the credentails, send them to Oracle Access Manager for security evaluation (decide what Authentication is needed, verify collect credentials, etc), webgate then enforce the Access Manager decision.
  5. Oracle EBS AccessGate is a java application that has the same use of OAM Webgate (it is OAM agent) but specific to E Business suite, EBS Access Gate is the new solution replacing OSSO agents, OAM is replacing OSSO server component, EBS and OSSO customers can use OAM server with OSSO agents, or with EBS AccessGate.
  HTH.
  Ghassan

• Oracle single sign-on scenario. pls help.

  Hi,
  I have following basic Oracle single sign-on setup in place along with integration with Active Directory 2003.
  All the users are provisioned in AD, which is then synchronized with OID. The OID users is then manually synchronized to Oracle
  E-business suite (FND_USER table).
  So, the flow is like this :
  AD > OID > Ebiz suite
  Problem :
  We are now migrating users in AD 2003 to AD 2008 and i am being asked to perform impact analysis on Oracle Single sign-on environment while this AD migration is in process.
  Any clues or your inputs on impact that this will create on single sign-on will be much appreciated.
  Thanks in advance

  Hi Darsh,
  1. Oracle Internet Directory (OID) is Oracle LDAP storage solution (more here), Oracle Virtual Directory is Oracle solution that can read identity data (and filter it (mask it) based on policies) from Oracle/non-Oracle databases, Oracle/non-Oracle Directories and files and provide the user profiles as LDAP view (more here), There is nothing called Oracle Active Directory, you must be referring to Microsoft Active Directory.
  2. No, Oracle Single Sign On (OSSO) is a feature in iAS (its obsolete), Identity Management is wide umbrella of solutions and concepts.
  3. Oracle Access Manager is one component of Oracle Identity and Access Management suite of products.
  4. Webgate is Oracle access Manager agent that is installed on a webtier, it intercepts the web requests and collect the credentails, send them to Oracle Access Manager for security evaluation (decide what Authentication is needed, verify collect credentials, etc), webgate then enforce the Access Manager decision.
  5. Oracle EBS AccessGate is a java application that has the same use of OAM Webgate (it is OAM agent) but specific to E Business suite, EBS Access Gate is the new solution replacing OSSO agents, OAM is replacing OSSO server component, EBS and OSSO customers can use OAM server with OSSO agents, or with EBS AccessGate.
  HTH.
  Ghassan

• Best Practice when deploying a single mdb into a cluster

  At a high level, we are converting all of our components to Weblogic processes that use Stateless Session Beans and Message Driven Beans. All of the weblogic processes will be clustered, and all of the topic queues will be distributed (Uniform Distributed Topics / Queues).
            We have one component that is a single MDB reading from a single queue on 1 machine. It is a requirement that the JMS messages on that queue be processed in order, and the processing of messages frequently requires that the same row in the DB be updated. Does anyone have any thoughts on the best design for that in our clustered environment?
            One possible solution we have come up with (not working):
            Possible Solution 1: Use a distributed topic and enforce a single client via client-id on the connection factory, causing a single consumer.
            1.Deploy a uniform-distributed Topic to the cluster.
            2.Create a connection factory with a client-id.
            3.Deploy a single FooMDB to the cluster.
            Problem with Solution 1: WL allows multiple consumers on Topic with same client-id
            1.Start (2) servers in cluster
            2.FooMDB running on Server_A connects to Topic
            3.FooMDB running on Server_B fails with unique id exception (yeah).
            4.Send messages - Messages are processed only once by FooMDB on Server_A (yeah).
            5.Stop Server_A.
            6.FooMDB running on Server_B connects automatically to Topic.
            7.Send messages - Messages are processed by FooMDB on Server_B (yeah).
            8.Start Server_A
            9.FooMDB successfully connects to Topic, even though FooMDB on Server_B is already connected (bad). Is this a WL bug or our config bug??
            10.Send messages - Messages are processed by both FooMDB on Server_A and Server_B (bad). Is this a WL bug or our config bug??
            Conclusion: Does anyone have any thoughts on the best design for that in our clustered environment? and if the above solution is doable, what mistake might we have made?
            Thank you in advance for your help!
            kb

  Thanks for the helpful info Tom.
            Kevin - It seems that for both the MDB, and the JMS provider, there are (manual or scripted) actions to be taken during any failure event + failure probes possibly required to launch these actions...?
            In the case of the JMS provider, the JMS destination needs to be migrated in the event of managed-server or host failure; if this host is the one that also runs the Admin server then the Admin server also needs to be restarted on a new host too, in order that it can become available to receive the migration instructions and thus update the config of the managed server which is to be newly targetted to serve the JMS destination.
            In the case of the MDB, a deployment action of some sort would need to take place on another managed-server, in the event of a failure of the managed server or the host, where the original MDB had been initally deployed.
            The JMS Destination migration actions can be totally avoided by the use of another JMS implementation which has a design philosophy of "failover" built into it (for example, Tibco EMS has totally automatic JMS failover features) and could be accessed gracefully by using Weblogic foreign JMS. The sinlge MDB deployed on one of the Weblogic managed servers in the cluster would still need some kind of (possibly scripted) redeployment action, and on top of this, there would need to be some kind of health check process to establish if this re-deployment action was actually required to be launched. It is possible that the logic and actions required just to establish the true functional health of this MDB could themsevles be as difficult as the original design requirement :-)
            All of this suggests that for the given requirement; the BEA environment is not well suited; and if no other environment or JMS provider is available at your site, then a manipulation of process itself may be required to enable it to be handled in a highly-available way which can be gracefully administered in a Weblogic cluster.
            We have not discussed the message payload design and the reasons that message order must be respected - by changing the message payload design and possibly adding additional data, this requirement "can", "in certain circumstances", be avoided.
            If you can't do that, I suggest you buy a 2 node Sun Cluster with shared HA storage and use this to monitor a simple JMS client java program that periodically checks for items on the Queue. The Tibco EMS servers could also be configured on this platform and give totally automatic failover protection for both process and host failure scenarios. With the spare money we can go to the pub.
            P.S. I don't work for Tibco or Sun and am a BIG Weblogic fan :-)

• Integrating Oracle BI Publisher with Oracle Single Sign-on security.

  I am trying to integrate BI Publisher with Oracle Single Sign-on running on a different machine.
  The BI Publisher is installed with an Oracle application server 10.3.1 (includes a HTTP server). These are the steps I followed:
  1) Registered BI publisher as a partner application in the Oracle SSO admin console which generated a single sign-off url.
  2) Made the required modifications in the mod_osso.xml config file.
  3) On the BI publisher admin page went to the securities tab and opted the SSO security and entered the single sign-off url generated in the previous step.
  4) Restarted the Oracle ID mgt infrastructure and the BI pub server.
  The BI pub login is not getting redirected to the SSO page.
  Please let me know as what is that I am missing. I've been cracking my head with this for quite long - any help will be highly appreciated.

  "user589320"
  APEX is only using BI Publisher to transform the XML data of your report and the template you provide into PDF, Word or Excel. For this, APEX sends the XML data and the template to BI Publisher, and BI Publisher sends back to completed document. So there's nothing stored in BI Publisher, all templates, report definitions, etc are stored in the APEX schema. This has the advantage that you can reference item values and other information in your print documents, and it also ensures that you don't have to access the database again from within BI Publisher, i.e. you don't need to communicate any authentication information to BI Publisher.
  Of course BI Publisher itself also provide the ability to store reports and to store templates. But those are not accessible from APEX through the built-in integration. You can however use the same templates you use for BI Publisher directly on load them into APEX for use there.
  Lastly, if you want to use and print reports in both BI Publisher and your APEX applications, you can do that through web services, take a look at Tyler Muth's BLOG for more information on this topic:
  http://tylermuth.wordpress.com/2008/03/31/call-bi-publisher-web-services-from-apex/
  Regards,
  Marc

• Oracle Single Sign on JSP Database Connection

  I am writing a JSP Search Screen that launches off of Oracle Portal (behind SSO). What I'm looking to do is have the JSP connect to the database as that user, and then show the information available to that user (we have this handled by a VPD). I was wondering how I could get access to the single signon RAD in order to connect to the database from within my JSP. Any help would be greatly appreciated.

  Hi Darsh,
  1. Oracle Internet Directory (OID) is Oracle LDAP storage solution (more here), Oracle Virtual Directory is Oracle solution that can read identity data (and filter it (mask it) based on policies) from Oracle/non-Oracle databases, Oracle/non-Oracle Directories and files and provide the user profiles as LDAP view (more here), There is nothing called Oracle Active Directory, you must be referring to Microsoft Active Directory.
  2. No, Oracle Single Sign On (OSSO) is a feature in iAS (its obsolete), Identity Management is wide umbrella of solutions and concepts.
  3. Oracle Access Manager is one component of Oracle Identity and Access Management suite of products.
  4. Webgate is Oracle access Manager agent that is installed on a webtier, it intercepts the web requests and collect the credentails, send them to Oracle Access Manager for security evaluation (decide what Authentication is needed, verify collect credentials, etc), webgate then enforce the Access Manager decision.
  5. Oracle EBS AccessGate is a java application that has the same use of OAM Webgate (it is OAM agent) but specific to E Business suite, EBS Access Gate is the new solution replacing OSSO agents, OAM is replacing OSSO server component, EBS and OSSO customers can use OAM server with OSSO agents, or with EBS AccessGate.
  HTH.
  Ghassan

• Oracle Single Sign-On: Use NTLM inside LAN

  hi,
  i want to configure oracle single sign-on to use NTLM authentication when accessing a protected resource from the LAN (specific IP-range). when a user is accessing a protected resource from the internet it should still show up the login-page.
  how can i achieve that?
  regards,
  matthias

  Hi Darsh,
  1. Oracle Internet Directory (OID) is Oracle LDAP storage solution (more here), Oracle Virtual Directory is Oracle solution that can read identity data (and filter it (mask it) based on policies) from Oracle/non-Oracle databases, Oracle/non-Oracle Directories and files and provide the user profiles as LDAP view (more here), There is nothing called Oracle Active Directory, you must be referring to Microsoft Active Directory.
  2. No, Oracle Single Sign On (OSSO) is a feature in iAS (its obsolete), Identity Management is wide umbrella of solutions and concepts.
  3. Oracle Access Manager is one component of Oracle Identity and Access Management suite of products.
  4. Webgate is Oracle access Manager agent that is installed on a webtier, it intercepts the web requests and collect the credentails, send them to Oracle Access Manager for security evaluation (decide what Authentication is needed, verify collect credentials, etc), webgate then enforce the Access Manager decision.
  5. Oracle EBS AccessGate is a java application that has the same use of OAM Webgate (it is OAM agent) but specific to E Business suite, EBS Access Gate is the new solution replacing OSSO agents, OAM is replacing OSSO server component, EBS and OSSO customers can use OAM server with OSSO agents, or with EBS AccessGate.
  HTH.
  Ghassan

• Oracle Single Sign on and Oracle Internet Directory

  Hello Gurus,
  What is the relationship between Oracle Single Sign on and Oracle Internet Directory.
  To my understanding, OID is required to install SSO.
  If OID already exist, can we just install SSO and go on integrating it to existing OID.
  Great Thanks,
  vimal jain.
  [email protected]

  Hi Tim,
  I've been working on this and could reproduce the issue with anonymous binds. A fix will be ready in 4.2.1.
  So what I really need is the password used for login to pass to the is_member call.The P101_PASSWORD item does not save state. However, you can access the value during submit processing of the login page, for example in the post authentication function of your authentication scheme. People sometimes put code in there to query the user's groups (e.g. with apex_ldap.member_of2) and save them in an application. This item value can then be used in the authorization schemes.
  Regards,
  Christian

• Using a Mac on windows network with a proxy server

  Hi I’m very new to Macs to apologies if this is a really silly question. I’m
  trying to setup a Mac on our network and I’m having an issue getting it to work
  properly with our proxy server. I have connected the Mac to the network and
  selected automatic proxy configuration in the network settings using the URL of
  our Pac file. I am asked for a proxy username and password when I initially try and
  access a website but once I have entered my credentials they are saved in
  keychain and anyone coming after me can browse using my account. I work in a
  hospital so there are many different people accessing different devices. We
  monitor and trace all users internet browsing so my question is can I configure
  the Mac to ask for proxy credentials for different users? On our windows devices
  a login box will appear if the browser has been closed and reopened. Can I do
  this with the Mac?????
  Any help you can offer will be very much appreciated.
  Thanks

  The short answer is that the IT department is a strict Microsoft shop and also incompetent. Almost everything in that message is patently false. Unfortunately, when accessing Microsoft Server services like this, you will need the support of the IT staff to tell you various settings to use. I think it is pretty clear that they have no intention of doing that.
  There is nothing "special" about bootcamp. It is just a boot loader. A Mac running Windows via bootcamp is a Windows PC, not a Mac. As such, it will work perfectly fine in the network. You could also try running Parallels. I believe Parallels can be configured to use a bootcamp partition so you could run Windows via either bootcamp or Parallels.
  One of the few things that is correct is that Apple does have to provide driver support for bootcamp and there is the possibility of random incompatibilities - but no more so than any other PC manufacturer. Parallels/VMWare may work around that with a different set of incompatibilities. Don't be too worried about this part. These "incompatibilities" are minor and almost always with funky hardware devices. What you want to do should work perfectly with either Parallels/VMWare or Bootcamp.

• Using a Mac with a proxy server

  Hi I’m very new to Macs to apologies if this is a really silly question. I’m
  trying to setup a Mac on our network and I’m having an issue getting it to work
  properly with our proxy server. I have connected the Mac to the network and
  selected automatic proxy configuration in the network settings using the URL of
  our Pac file. I am asked for a proxy username and password when I initially try and
  access a website but once I have entered my credentials they are saved in
  keychain and anyone coming after me can browse using my account. I work in a
  hospital so there are many different people accessing different devices. We
  monitor and trace all users internet browsing so my question is can I configure
  the Mac to ask for proxy credentials for different users? On our windows devices
  a login box will appear if the browser has been closed and reopened. Can I do
  this with the Mac?????
  Any help you can offer will be very much appreciated.
  Thanks

  Do NOT store the proxy server username and password in Keychain.
  Easy to say, but by default, the next person to enter their password is likely to store their username password in the Keychain.
  You can use Applications -> Utilities -> Keychain Access to give the Keychain a separate password and to auto-lock it after 'n' minutes.  If you are the only one to know the Keychain password, then no one will be able to add the Proxy server username/password to the keychain.
  Keychain Access -> Edit -> Change Settings for Keychain Login...
  Keychain Access -> Edit -> Change Password for Keychain Login... (this is NOT required; you can keep the keychain set to use the same password you use for your login, as long as no one else knows that password; changing the settings to lock the keychain is sufficient for your needs)
  The good news is that only you will be able to access stuff stored in the Keychain.  The bad news is that if you do need stuff in the Keychain, you will need to enter the keychain password everytime you need to get at them.

• Integrating iPlanet Web Server 6.0 with SunOne App Server 7.0

  I am experiencing problems integrating iPlanet Web Server 6.0 with SunOne App Server 7.0
  My magnus.conf is
  #ServerRoot /usr/iplanet/servers/https-test
  ServerID https-test
  ServerName sulev016.eur.gep.ge.com
  ErrorLog /usr/iplanet/servers/https-test/logs/errors
  PidLog /usr/iplanet/servers/https-test/logs/pid
  User root
  MtaHost localhost
  DNS off
  Security off
  ClientLanguage en
  AdminLanguage en
  DefaultLanguage en
  RqThrottle 128
  StackSize 131072
  CGIWaitPid on
  TempDir /tmp/https-test-ab0d7966
  Init fn=flex-init access="$accesslog" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%"
  Init fn=load-types mime-types=mime.types
  Init fn="load-modules" shlib="/usr/iplanet/servers/bin/https/lib/libNSServletPlugin.so" funcs="NSServletEarlyInit,NSServletLateInit,NSServletNameTrans,NSServletService" shlib_flags="(global|now)"
  Init fn="NSServletEarlyInit" EarlyInit=yes
  Init fn="NSServletLateInit" LateInit=yes
  Init fn="load-modules" shlib="/usr/iplanet/servers/plugins/passthrough/bin/libpassthrough.so" funcs="init-passthrough,auth-passthrough,check-passthrough,service-passthrough" NativeThread="no"
  Init fn="init-passthrough"
  ==========================================
  my obj.conf is
  <Object name=default>
  NameTrans fn="assign-name" from="(/OMS|/OMS/*)" name="passthrough"
  NameTrans fn="NSServletNameTrans" name="servlet"
  NameTrans fn="pfx2dir" from="/servlet" dir="/usr/iplanet/servers/docs/servlet" name="ServletByExt"
  NameTrans fn=pfx2dir from=/mc-icons dir="/usr/iplanet/servers/ns-icons" name="es-internal"
  NameTrans fn="pfx2dir" from="/manual" dir="/usr/iplanet/servers/manual/https" name="es-internal"
  NameTrans fn=document-root root="$docroot"
  PathCheck fn=unix-uri-clean
  PathCheck fn="check-acl" acl="default"
  PathCheck fn=find-pathinfo
  PathCheck fn=find-index index-names="index.html,home.html"
  ObjectType fn=type-by-extension
  ObjectType fn=force-type type=text/plain
  Service type="magnus-internal/jsp" fn="NSServletService"
  Service method=(GET|HEAD) type=magnus-internal/imagemap fn=imagemap
  Service method=(GET|HEAD) type=magnus-internal/directory fn=index-common
  Service method=(GET|HEAD) type=*~magnus-internal/* fn=send-file
  AddLog fn=flex-log name="access"
  </Object>
  <Object name=cgi>
  ObjectType fn=force-type type=magnus-internal/cgi
  Service fn=send-cgi user="$user" group="$group" chroot="$chroot" dir="$dir" nice="$nice"
  </Object>
  <Object name="servlet">
  ObjectType fn=force-type type=text/html
  Service fn="NSServletService"
  </Object>
  <Object name="jsp092">
  ObjectType fn="type-by-extension"
  ObjectType fn="change-type" type="magnus-internal/jsp092" if-type="magnus-internal/jsp"
  Service fn="NSServletService" type="magnus-internal/jsp092"
  </Object>
  <Object name="ServletByExt">
  ObjectType fn=force-type type=magnus-internal/servlet
  Service type="magnus-internal/servlet" fn="NSServletService"
  </Object>
  <Object name="es-internal">
  PathCheck fn="check-acl" acl="es-internal"
  </Object>
  <Object name="passthrough">
  ObjectType fn="force-type" type="magnus-internal/passthrough" Service type="magnus-internal/passthrough" fn="service-passthrough" servers="http://3.224.68.131:81"
  Error reason="Bad Gateway" fn="send-error" uri="$docroot/badgateway.html"
  </Object>
  The requests are not passing through to the app server when i try to access it through port 80.
  Presently I am testing my appln over port 81 on the app server.
  Thanks and Regards
  Vineet Guliani

  Each ObjectType and Service directive should begin on a new line. You appear to have placed two directives on a single line.

• Intermittent proxy error "There is a problem with the proxy server's security certificate. Outlook is unable to connect to the proxy server "

  Hi all,
  From time to time (at least once a day), the following message pops up on the user's screen:
  "There is a problem with the proxy server's security certificate. Outlook is unable to connect to the proxy server . Error Code 80000000)."
  If we click "OK" it goes away and everything continues to work although sometimes Outlook disconnects. It is quite annoying...
  Any ideas?
  Thank you in advance

  Hi,
  For the security alert issue, I'd like to recommend you check the name in the alert windows, and confirm if the name is in your certificate.
  Additionally, to narrow down the cause, when the Outlook client cannot connect again, I recommand you firstly check the connectivity by using Test E-mail AutoConfiguration. For more information, you can refe to the following article:
  http://social.technet.microsoft.com/Forums/en-US/54bc6b17-9b60-46a4-9dad-584836d15a02/troubleshooting-and-introduction-for-exchange-20072010-autodiscover-details-about-test-email?forum=exchangesvrgeneral
  Thanks,
  Angela Shi
  TechNet Community Support

• There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"

  Good day Guys
  First of all I am not an Exchange Expert, and I might be asking a very stupid question, but please bare with me. :) 
  While I was on leave our Mail server fell over and The company got a Specialist to help out for the time being.
  We where\are on Microsoft Exchange 2007 , which Fell over, and the specialist was able to recover as much data as he could.
  They then installed Exchange 2013 and tried to migrate everything from 2007 to 2013 and not everything migrated over.
  But the problem is, Outlook Anywhere was enable on 2007 and worked a 100% (before the disaster)
  With Exchange 2013 I get the following error message when trying to connect With Outlook 2013, using an external connection:
  "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"
  Outlook is unable to connect to the Proxy server. (Error Code 0)"
  Has anyone had the Similar when migrating over from 2007 to 2013 or is this an Issue on IIS and nothing to do with Exchange migration?
  Your assistance will be greatly appreciated.

  Hi,
  Firstly, I would suggest we use Exchange 2013 FE as the Outlook Anywhere proxy server.
  For the certificate issue, it mostly occurs because the host name that Outlook are trying to access does not match the certificate SAN. Please check with this point. If they do not match, you
  can change the host name by referring to the following article:
  https://support.microsoft.com/kb/940726/en-us?wa=wsignin1.0
  Thanks,
  Simon Wu
  TechNet Community Support

• Does PI need a direct connection to third party or can work with a proxy server based connection to third party?

  does PI need a direct connection to third party or can work with a proxy server based connection to third party?

  Hi,
  It basically includes 3 systems, one is our ECC sender system, middle one is PI box and third one is the receiver system. Data is successfully reaching to PI system from our sender system.Now we want to forward this to our third party system from PI box.
                                                                  I want to know that such sending of data requires direct connection to third party or it can be done by proxy server based connection to third party.If it is possible then what are the steps to do this?
  Regards-
  Anuj Nogja

• Exchange Server Deployment Assistant - Single Sign On Question

  I'm running through the Exchange Server Deployment Assistant to help with a Hybrid deployment and for
  right now, I don't want to be bothered with SSO. In the Assistant, when I answer
  No to the Do you want all users to use their on-premises credentials when they log on to their Exchange Online mailbox? question when I get to the
  Before You Begin section it always shows my answer to that question as being
  Yes.
  Any ideas? Can I simply ignore the sections that relate to AD FS as I work through the steps?
  Thanks!

  Hi Adare,
  I have tested on Exchange Server Deployment Assistant with "Hybrid"->"Exchange 2010 based hybrid", and get the same result as yours.
  Information on "Do you want all users to use their on-premises credentials when they log on to their Exchange Online mailbox?" as below:
  Single sign-on allows users in both the on-premises organization and the Exchange Online organization to access resources and features across the two organizations without being prompted for additional user credentials. Single sign-on is configured for
  a hybrid deployment using identity federation and Active Directory synchronization. If you're planning to have on-premises users access Exchange Online accounts using the Outlook mail client or planning to implement Exchange Online Archiving,
  we strongly recommend selecting Yes for this question and deploying single sign-on in your on-premises organization.
  It seems that this is the reason why Yes has been selected.
  Thanks 
  Mavis Huang
  TechNet Community Support