Doubt on single sign on?

Similar Messages

• Queries regarding Single Sign On

  Hi Experts,
  I am new to Single Sign On and have few doubts
  1)For OAM to implement single sign on across multiple applications , is it mandatory that the identity store of OAM and the application to be the same.Is it possible that the applications have their own identity store and OAM has its own and users in both the identity stores are in sync?This scenario comes into picture where for some applications the identity store is database
  2)If the first point is correct then for protecting OIM using OAM 11gR2 why do we need to enable ldap sync? can we have database as the user store for OIM and for OAM have a LDAP server for exmaple AD and then use AD connector to make sure that any users getting created in OIM is autoprovisioned to AD
  Request you to please clarify my below doubts

  Hi,
  1) No, It is not necessarily to be same identity store for OAM 11g and the applications that need to be protected. It can be different. This is the feature in OAM11g, where you can have multiple Identity stores mapped to your authentication modules.
  Yes, it is possible to have own identity store for the applications.
  Oracle provides inbuilt authentication modules only for LDAP, Kerberos and X.509. If you want OAM to authenticate against Database then you need write your own Database Authentication Module.
  Clients will always prefer Out of the box functionalities as there might not be support provided if any issues faced. If client want to built in their own mechanism then oracle will not support.
  That's why most of them goes for Ldap Sync which is inbuilt functionality.
  2) You can build your own Authentication module for OIM. Again it is time consuming process to decide on the Error Handling and the logic to build the module. It is better to go LDAP Sync.
  Hope this clarifies.

• Authentication on single sign on page slow and hangs.

  Hi members
  We are using Oracle application server single signon with Apex as partner application. The single sign on page authentication was working properly until yesterday when all of a sudden it became very slow. After the username and password are entered and login button is pressed, the blue status bar is moving extremely slow finally leading to a page not found. Can someone advise what components (logfiles etc) need to be checked to resolve this?
  Thank you.
  Ravi.

  Hi,
  I tried to find the cause but I have no clue yet as to what is wrong with this slowness of single sign on page. Can someone throw some light on this and tell what could be wrong here? Thank you. There are some errors in the HTTP Server Virtual Host log file and the log file is creates when oc4j_security was restarted. In the documentation, they were described as not uncommon. I am doubting if that is the reason behind the slowness. Thanks in advance.
  Wed May 27 11:46:09 2009] [error] [client 198.222.232.234] [ecid:
  1243439169:198.222.232.234:476:3948:151,0] File does not exist:
  d:/oracle/oracleas/apache/apache/htdocs/favicon.ico
  [Wed May 27 14:54:15 2009] [error] [client 198.222.232.234] [ecid:
  1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0015: recv() returns
  0. There has no message available to be received and oc4j has gracefully (orderly)
  closed the connection.
  [Wed May 27 14:54:15 2009] [error] [client 198.222.232.234] [ecid: 1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0054:
  Failed to call
  network routine to receive an ajp13 message from oc4j.
  [Wed May 27 14:54:15 2009] [error] [client 198.222.232.234] [ecid:
  1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0033: Failed to receive
  an ajp13 message from oc4j.
  [Wed May 27 14:54:15 2009] [warn] [client 198.222.232.234] [ecid: 1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0078:
  Network connection
  errors happened to host: test02 and port: 12501 while receiving the first response from oc4j. This request is recoverable.
  [Wed May 27 15:13:19 2009] [notice] FastCGI: process manager initialized
  (End of Log File)

• Discoverer Single sign on with other applications

  Hello,
  I am using Oracle Discoverer 10g (will be using the Discoverer Plus) as a reporting tool and had some doubts around SSO, Application Server and Oracle Internet Directory.
  We have a .NET based front end application and we want to establish a Single Sign On between this and the Discoverer, so that when a user moves from the front end to Discoverer he doesnt have to go through the authentication process again. Has anybody implemented this before.. Any help will be greatly appreciated.
  Any help will be really valuable
  Thanks and regards,
  Sumit

  Hi
  No it does not mean that. It means that in order to use SSO and Discoverer you have to authenticate using the username and passwords as stored in the OID in the Infrastructure database.
  You can set up links from Portal to third party applications but not vice versa if that other application has its own authentication mechanism.
  Does this help?
  Best wishes
  Michael Armstrong-Smith
  URL: http://learndiscoverer.com
  Blog: http://learndiscoverer.blogspot.com

• Cannot log into twitter single sign-on in system settings

  I've got a brand-new re-install of iOS5 (gold master, but the same build as the final release) that I've tried to activate the twitter single sign-on.
  I've deleted the old app. Installed the new app, and tried to sign in via the system preferences, and keep getting the "Error Signing In: The user name or password is incorrect" error.
  I know they work - I added the accounts within tweetbot and the official twitter app, as wellas used the mobile and desktop web interfaces.

  Ok, for those that setting the time to automatic didn't  solve the problem, I have some technical details behind the issue.  Checked the system log (you can do the same using XCode -- I did it with the paid app "System Status").  When I attempt to log into a Twitter via the system config (and it fails), I get the following in the log:
  Oct 31, 2011 9:27:18 PM
  Preferences [95]
  Unexpected error on AccountAuthentication connection.
  Oct 31, 2011 9:27:03
  com.apple.misd [147]
  Allowing special port forwarding for test fixtures
  Oct 31, 2011 9:27:03
  Preferences [95]
  -[MISManager sendStateUpdate]: MIS state change: 1021 -> 1021, reason 3 -> 0
  So it appears at some point the twitter connection was forwarded to a test server (or something similar). I have had every iOS 5 beta, except 2 on this phone... So I'm assuming that this is the problem. Maybe an internal setting that isn't getting reset by just reinstalling the system. The port mapping must be getting restored when a backup is restored as well. I've tried resetting network settings and then all settings to no avail. I doubt Apple will be too keen on fixing since it was dumb to use the beta on my main device (even though I'm a small time hobbiest-dev who only has one device to test on). I cannot just restore system and not backup without keeping app settings at this time. Too bad we can retire only application data.
  Just though I'd provide this information in case anyone wants to confirm their system logs.
  Russell

• Single Sign On Page deployment for https

  I created customized Single Sign On page for my application. For this customized page i updated the table WWSSO_LS_CONFIGURATION_INFO$ with
  "http://servername:7777/contextname/x.jsp UNUSED UNUSED". For this Single Sign On page is working fine.
  I enabled SSL for Http Server (its working in 4443 port). Now i can update WWSSO_LS_CONFIGURATION_INFO$ with "https://servername:4443/contextname/x.jsp UNUSED UNUSED". But my doubt is how both these urls(with different ports 4443 and 7777) will be enabled for both http and https.

  Use J2EE session variables and give every application the
  same name in its cfapplication tag or Application.cfc.
  See
  http://coldfusion.sys-con.com/read/138965.htm
  for a more complicated discussion.

• Partner application single sign-on and Oc4j

  hello,
  I'm trying to test portal's partner application single sign-on, following the examples inside the "Oracle9 iAS Single Sign-On Application Developers Guide":
  With Tomcat as jsp engine everything works fine, but with Oc4j when I try to enter the protected jsp page i have this exception:
  oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved
       at SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java:153)
       at SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java:57)
       at /protetta.jsp._jspService(/protetta.jsp.java:37) (JSP page line 4)
  Any suggestion?
  Thanks in advance.

  I get the same problem with my partner application. It runs fine on JServer but I get the following problem on oc4j:
  oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved     
  at oracle.br.aerochain.sso.SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java, Compiled Code)     
  at oracle.br.aerochain.sso.SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java, Compiled Code)     
  at /jsp/papp.jsp._jspService(/jsp/papp.jsp.java, Compiled Code)     
  at com.orionserver[Oracle9iAS (9.0.2.0.0) Containers for J2EE].http.OrionHttpJspPage.service(OrionHttpJspPage.java, Compiled Code)     
  at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.serviceJSP(HttpApplication.java, Compiled Code)     
  at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.JSPServlet.service(JSPServlet.java, Compiled Code)     
  at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java, Compiled Code)     
  at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java, Compiled Code)     
  at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java, Compiled Code)     at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.run(HttpRequestHandler.java, Compiled Code)     
  at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java, Compiled Code)
  Did anyone get a solution for this?
  TIA

• Configuring JCo3 Connection Pool with single sign on on non SAP Java server

  Hi Everyone,
  i have configured a connection pool on JBoss as per JCo3 Documentation and is working great.
  Now I need help to configure this connection pool with single sign on so that RFc on SAP ECC systems are executed using end users credential rather than using single user name password used to configure JCo connection pool.
  On SAP Java stack I am sure its possible within Java WebDynpro    and i assume using JCA resource adapter. But what if we don't want to use SAP Java App server.
  Any help will be appreciated.
  Thanks,
  Divyakumar Jain

  Eason, 你好！
  I have exactly the same problem.  Did you find a solution to this problem?  If so, please let me know!

• How to pass credentials/saml token access sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication

  How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication 
  Identity provider here is Oracle identity provider 
  harika kakkireni

  Hi,
  The following materials for your reference:
  Consuming List.asmx on a claims based sharepoint site
  http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
  Sharepoint Claims based authentication and Single Sign on
  http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
  Sharepoint Claim Based Authentication Web Service issuehttp://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
  Best Regards
  Dennis Guo
  TechNet Community Support

• ApEx 2.1.0.00.39 as Partner Application in Oracle AS Single Sign-On

  Hi,
  I've installed the last Application Express 2.1.0.00.39 (oracle-xe-10.2.0.1-1.0.i386.rpm and oracle-xe-univ-10.2.0.1-1.0.i386.rpm) but, when I try to "create an authentication scheme" for configure an ApEx application to use SSO under
  Home>Application Builder>Application xxx>Shared Components>Authentication Schemes>Create Authentication Scheme
  in the second step of the procedure I don't find the choice "Oracle Application Server Single Sign-On (Application Express engine as Partner App)".
  I found only these:
  - Show Built-In Login Page and Use Open Door Credentials
  - Show Login Page and Use Application Express Account Credentials
  - Show Login Page and Use Database Account Credentials
  - Show Login Page and Use LDAP Directory Credentials
  - No Authentication (using DAD)
  even if under the help voice "V Information" the others two are describes:
  Oracle Application Server Single Sign-On (Application Express engine as Partner App) delegates authentication to the Oracle Application Server Single Sign-On (SSO) Server. This Application Express site must have already been registered as a partner application with the SSO server. For more information, contact your administrator.
  Oracle Application Server Single Sign-On (My application as Partner App) delegates authentication to the SSO server. In this case, you must register an application with SSO as a partner application. See the next page for more details.
  Does Someone know how to resolve it?
  Thanks
  Emanuele

  Thanks for all your help Scott
  I've added the -PORTAL_SSO- .....
  After this I've had a new problem same to this: Re: SSO Authentication Not Working
  "get the error below and it then directs me to http://hostx/htmldb/f? and the "p=" is missing"
  But after a lot of tests I discovered where was the problem: "The apache configuration for the proxy!!"
  This an extract from the installation doc :
  SetEnv force-proxy-request-1.0 1
  ProxyPass /htmldb http://127.0.0.1:8080/htmldb
  ProxyPassReverse /htmldb http://127.0.0.1:8080/htmldb
  ProxyPass /i http://127.0.0.1:8080/i
  ProxyPassReverse /i http://127.0.0.1:8080/i
  ProxyPass /sys http://127.0.0.1:8080/sys
  ProxyPassReverse /sys http://127.0.0.1:8080/sys
  where you replace 127.0.0.1 with the name OR ip address of your XE installation. 8080 is the default http port of your XE installation. "
  Well, I used the IP ADDRESS and in the @regapp > listener_token the NAME!!! (HTML_DB:servername.domain:80)
  I changed the IP ADDRESS with the NAME, restarted the httpd service and now all works fine.
  Emanuele

• Single Sign on using SAML between JWS application and Web Application

  Hi,
  We have two applications one is swing based Java Web Start application and other is a normal web application. We are trying to enable single sign on between both the applications. Can SAML be used to enable single sign on? If yes, can some one let us know how to do this?
  Thanks,
  Rama

  Thanks. But it is based on two WEB applications deployed on two different weblogic domains. What I am looking for is one application which is launched using Java Web Start(JNLP) and other a web application. The Java Web Start application uses its proprietary authentication implementation and the web application used DefaultAuthenticator of weblogic. Hope this detail will help you to answer my question better. I should have given this information earlier.
  Thanks.
  Rama

• OBIEE 11G with Single Sign-On and Active Directory

  Hi guys,
  Release Version: Oracle Business Intelligence 11.1.1.5.0
  Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
  OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
  We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
  Our krb5login.conf:
  com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  We generate de keytab file:
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
  Password for [email protected]:XXXXXXX
  Done!
  Service key for [email protected] is saved in cgdkobi2.keytab
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
  New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
  Key tab: cgdkobi2.keytab, 1 entry found.
  [1] Service principal: [email protected]
  KVNO: 1
  Time stamp: Mar 15, 2013 10:34
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
  Current LogonId is 0:0x406163f5
  Cached Tickets: (0)
  We re-start the services and logon into analytics web and SSO doesn't work but there's not an error. It runs successfully with and Active Directoy user and password. Seems like SSO wasn't enabled, but I checked is enabled.
  Any suggestion?
  Thanks in advanced

  Follow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
  Also check your logs for error like the one below:
  [2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43113] Message returned from OBIS.
  [nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
  If you are getting this when you login to OBIEE :      You are not currently signed in to Oracle BI Server"
  then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
  Let us know the updates. Hope this helps. Mark if it does.!
  Thanks,
  SVS

• Difference between Federated single sign on  and just Single sign on

  Can anyone please give a clear definition of what is
  1. Federated Single sign on?
  2. Just Single Sign on ?
  As a security expert if you were to Architect security what will you suggest ?
  Lets take an example Landscape
  NW1(ABAP + JAVA)- system, NW-2(ABAP+JAVA)  system and EP( java only), LDAP
  I am having a hard time convincing the customer to have both CONSUMER AND PRODUCER PORTAL for Federated single sign on? is this a bad idea. Customer says just give me SSO(with just one portal acting as CONSUMER/PRODUCER).
  initial GOLIVE user load will be 700+ users.
  Edited by: Franklin Jayasim on Jul 16, 2010 7:52 PM
  Edited by: Franklin Jayasim on Jul 16, 2010 7:53 PM
  Edited by: Franklin Jayasim on Jul 16, 2010 7:57 PM
  Edited by: Franklin Jayasim on Jul 17, 2010 12:17 AM

  Hi  Denny Liao
  The project is going to have BI(NW) and ECC/SRM/HR(NW) and sepparate  portal ( EP - Java only )
  I thought that normal SSO will help in the intranetwork, what happens if the employee(user)  needs to work from home.
  What about the external vendors suppliers etc...?

• How to integrate Single Sign-On and JSF?

  Hi all,
  We are going to develop a web application using Oracle technologies, including ADF and JSF.
  But we´ll need to secure our website using Oracle Identity Manager (Single Sign-On). I am having difficulties to find any resource explaining how to do that.
  Also, the IM (SSO) will run on a Oracle AS instance and our web app (ADF+JSF) will run on a separete OC4J instance, due to ADF version. Is this a problem?
  Thanks

  We too are in the process of implementing iStore with SSO features.
  And if you believe me it seems to me as nightmare.
  In our scenerio we are intgrating this SSO with Third party access control too (AD and Siteminder). I would request you to please respond me on the following mail id , so we can share our experince which will help us in our implementation
  [email protected]
  regards and thanks in advance
  Vikas Deep

• OAM 11g Single Sign-On and OAM 11g Cookies

  Hi all,
  I need to know following,
  is it possible to get the username and password from the OAM 11g + IIS Webgate cookies and forward the same to the application for further authentication? is there any way to decrypt the cookie and use the information in the application?
  Regards.

  Yes , you can get the user password ,but for that you will have to write a custom plugin , else it is not possible.
  Refer step number 9 in the blog Single Sign on with Oracle Access Manager: Creating a Custom Authentication Plugin