External Authentication Solution?
I am looking for an external authentication solution for Web AS (ABAP specifically, but the whole AS would be preferable),
i.e. our external authentication system sits in front of SAP, does the auth, then passes the username in an HTTP header to SAP.
So far we have these previous solutions:
1. SAP WAS Java -> using the Header Authentication Module
2. SAP NetWeaver -> using ITS Standalone configured for PAS and SNC
So for SAP Web AS we need to do this for the ABAP side of things, and from what I can gather from the documentation the only mechanism to do this is to either:
a) use ITS Standalone in front of the SAP Web AS ABAP or,
b) use the current J2EE solution using the Header Authentication Module???
Now we cannot install ITS Standalone, so that is out; it is then up to the J2EE solution.
My question is: the documentation refers to Integrated Java -> does this mean that the Java is installed by default, or does it have to be installed separately?
I have installed the Web AS Preview Installation (ABAP) 2004s, but I've put it in this forum as it's more of a general concept question.
Ideally we'd like to have an ICM SSO solution so that we just deal with one point, but I don't know if this is possible?
Raff,
Thank you for your reply. We checked with our server configuration and it does appear to have OpenSSL enabled.
extension=openssl.so
Apache Version
Apache/2.2.11 (Unix) PHP/5.2.9 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.7m mod_apreq2-20051231/2.6.0 mod_perl/2.0.3 Perl/v5.8.7
Other than the original apache error log message, we are not getting any error messages in the php error log to indicate a problem. I am making the call from an https://URL with a valid certificate. I get the same error message as before.
Similar Messages
-
External Authentication in 9.0.2
I have an external authentication module with Login Server 3.0.9 and I'm migrating my applications to the new release.
I checked for the ssoauthx.pks package specification and it says that external authentication module is no longer supported with this release. The only way to authenticate my users is to sync with oid.
Is this the only way to do external authentication? Will future versions of iAS still depend on OID for authentication?
Hi Nestor,
Even I am looking for a similar solution and thinking of giving you some suggestions....
Oracle 9iAS R2 makes it mandatory to use OID (or sync with OID) in the SSO architecture.
We are trying to implement a plug-in procedure (when_compare_replace) in OID to replace the password comparison for SSO requests. We are planning to check for our cookie to authenticate the user.
But I don't know how exactly this will work...
Hope this helps.
-vijay -
External Authentication in EAS using MSAD
We use MSAD for our external authentication and it works fine if the user logon names are set up a certain way in MSAD. However, some of them are set up differently and Essbase won't allow us to use external authentication for them. Is there a setting somewhere in Essbase that can be changed to allow more than one user logon name format coming from MSAD?
Hi Krista,
Unfortunately you cannot specify two formats to authenticate. If I understand correctly you want to identify a user in MSAD by more than one field; as far as I know, with Essbase external authentication the XML file cannot use more than one field.
Your most probable solution to this would be to add the field you are using in your XML file to all users using Essbase in MSAD.
Please use the following link if you need further information.
http://dev.hyperion.com/techdocs/essbase/essbase_712/Docs/techref/techref.htm#config/security/configure/config.htm
Here is the sample Active Directory format:
<msad name="msadServer">
  <trusted>false</trusted>
  <url>ldap://host:portNo/DIT</url>
  <userDN>cn=UserName</userDN>
  <password>UserPassword</password>
  <user><url>ou=people</url></user>
  <group><url>ou=Groups</url></group>
</msad>
-
OID External Authentication issue
Hi..
I have configured a synchronization profile to import users from TDS to OID using DIP, but it does not work as the change log is not enabled on the TDS side.
Now I have configured the External Authentication Plugin and I created the same users in TDS and also in OID, but external authentication does not work.
Can you please point out if I am missing some point, or is a synchronization profile a must for External Authentication?
Find the product version details -
OID 11.1.1.6
Tivoli Directory Server 6.1
Regards
Santosh
Edited by: user601746 on Jan 8, 2013 1:02 AM
Got the solution.
I used bootstrap loading to create users from TDS to OID, then configured external authentication... works fine... :) -
External authentication with OID
I know that OID 10g is capable of performing external authentication against AD, Sun OneDirectory, Novell eDirectory and openLDAP, but what about something else like Oracle Virtual Directory?
As I understand, there is an out-of-the-box script that will create an external authentication plugin that calls a few procedures from the auth_external package. The auth_external package is also an out-of-the-box package with a few procedures (authenticate_user and change_passwd) I've seen so far. I haven't looked in the ODS schema, but I'm assuming this auth_external package is wrapped and not generally viewable.
Anyone out there have any ideas how this auth_external package works, or better yet... does anyone know if the out-of-the-box solution for external authentication will work with any LDAP directory (in this case a virtual one)?
Thanks.
Can someone from Oracle please comment on this? Is the "AUTH_EXTERNAL" package "out of the box" or do we have to write it?
I am following instructions from
http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14082/plugin_cust_ext_auth.htm
LINE/COL ERROR
-------- -----------------------------------------------------------------
143/9    PL/SQL: Statement ignored
143/19   PLS-00201: identifier 'AUTH_EXTERNAL.AUTHENTICATE_USER' must be declared
241/11   PL/SQL: Statement ignored
241/11   PLS-00201: identifier 'AUTH_EXTERNAL.CHANGE_PASSWD' must be declared
251/11   PL/SQL: Statement ignored
251/11   PLS-00201: identifier 'AUTH_EXTERNAL.RESET_PASSWD' must be declared
-
Oracle Virtual Directory vs. Oracle External Authentication Plug-in
I am working in Windows 2003 Server platform and I have Oracle Portal 10g R2 with Oracle Single Sign On 10g R2 setup. I also have Microsoft Active Directory setup. I want to use Microsoft Active Directory users from Oracle Portal and as per my understanding I could use Oracle External Authentication Plug-in or Oracle Virtual Directory for this purpose. I would like to use Oracle Virtual Directory if possible. Could someone please tell me if I could use Oracle Virtual Directory or not?
Thanks.
Yeah, I could use the Oracle External Authentication Plug-in, but I am having issues with running the oidspadi.sh script on my Windows 2003 server environment. I am running this script using Cygwin's latest software, but for some reason I get the following error message.
: command not found8:
: command not found8:
: command not found3:
: command not found7:
: command not found1:
: command not found8:
: command not found9:
: command not found0: clear
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
: command not found7:
: command not found0:
oidspadi.sh: line 103: syntax error near unexpected token 'fi'
'idspadi.sh: line 103:' fi
Therefore, I was trying to find an alternative solution, which will be using Virtual Directory. Right now, I have installed Oracle Virtual Directory on my testing system and I have both the Active Directory server and the OID server as part of the LDAP Browser. My goal is to use Oracle Portal to log in and first look for the user in OID and, if not found, then look in Active Directory. Can this be accomplished using Oracle Virtual Directory?
Please let me know. -
ACS Server: External Authentication configuration error
Hi ALL
I have installed the ACS server and configured it properly, and it works fine.
But whenever I restart the machine, the following error message appears on the external database configuration wizard.
External Authentication Configuration Error
ACS has encountered a problem while attempting to process your request. This could be due to one of the following:
An incorrect installation or configuration of the third-party DLLs required to support this External Database
A corrupt ACS configuration
So after I found this error, I just restarted all seven services and everything works fine.
I always encounter the same error message after restarting the machine each time.
Can anybody recommend a solution or help me to resolve the issue?
Thanks
Hi,
Please try the following workaround.
1. Go to Start > Programs > Administrative Tools > Services.
2. Stop the following services in the following order.
CSAuth
CSDbSync
CSLog
CSMon
CSRadius
CSTacacs
CSAdmin
3. After stopping the following services, start them all again in the following order.
CSAdmin
CSAuth
CSDbSync
CSLog
CSMon
CSRadius
CSTacacs
Please let me know if this was able to help.
If the above doesn't help, please reinstall the ACS, as the DLL files that are being used by the ACS have been corrupted. Before uninstalling and reinstalling, do take a backup of the ACS server database from System Configuration > ACS Backup > Backup Now.
Also make sure that the ACS is installed on the default drive.
tnx
somishra -
Oracle Security - External Authentication
The requirement is to enable the user to allow access to DB by making the user enter the user name and password only once while accessing the Cognos reports. (Cognos is a BI tool). So the user will enter the username and password at the time he accesses the Cognos application, after this there should not be any logons to access DB.
Cognos stores the user name and password in an LDAP store (in NDS residing on Windows 2000 Advanced Server). So, the question is, can Oracle leverage the user information stored in the LDAP for Cognos? The external authentication provided by Oracle suggests that the user info store can be in LDAP provided it is in OID.
Please let me know if this can be achieved and if so, where I can get details about the same.
According to the 8.1.7 documentation:
"Enterprise user security provides single sign-on to Oracle8i using interoperable X.509 v3 certificates over Secure Sockets Layer (SSL) v3, and supports the following LDAP-compliant directory services:
Oracle Internet Directory Release 2.0.5 or later
Microsoft Active Directory "
So it sounds like they do not support Novell's LDAP implementation.
Here's a page on managing Enterprise Users http://technet.oracle.com/docs/products/oracle8i/doc_library/817_doc/network.817/a85430/asomeus.htm
Here's a page on managing OS Authentication - http://technet.oracle.com/doc/windows/server.815/a68694/output/ch10.htm
I just finished writing a chapter on OS Authentication in my Oracle security book. I would stay away from OS Authentication unless you have a small number of users. I have not yet researched Enterprise Users, but the consensus seems to be that they provide a much more robust solution. -
Error while Configuring AD external authentication plug in
Hi
While configuring the Active Directory external authentication plug-in I am getting the following error:
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
Please enter Active Directory host name: clmad101.ad.company.com
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
Please enter ODS password:
Please enter confirmed ODS password:
Please enter OID host name: md61nthiims1.ad.company.com
Please enter OID port number [389]: 389
Please enter orcladmin password:
Please enter confirmed orcladmin password:
Please enter the subscriber common user search base [orclcommonusersearchbase]:
CN=Users,dc=ad,dc=company,dc=com
Please enter the Plug-in Request Group DN:
Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!objectclass=orcladuser))(cn=orcladmin))
Do you want to setup the backup Active Directory for failover? (y/n) n
Installing Plug-in Packages ...
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Registering Plug-ins ...
adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
Done.
Is there anything wrong in the DB connect string??
Thanks
Did you check the debug information from the external auth plugin?
This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
here an excerpt:
D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
...enable the plug-in debugging. To do this, enter:
> sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, enter:
> sqlplus system/manager
SQL> select * from ods.plg_debug_log order by id;
(To delete the plug-in debugging log:
> sqlplus system/manager
SQL> truncate table ods.plg_debug_log
To disable the plug-in debugging:
> sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
E) Dump the plug-in profile to make sure it is enabled and configured correctly:
> ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
Please also take a look at the DIPTESTER tool available at
http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
regards
--Olaf -
Plug-in Request Group field into the external authentication plug-in
Hi all,
I'd like to know if anyone has already tried to filter who has permission to call the external authentication plug-in by setting it in the Plug-in Request Group field.
I've made some tests adding some users to the groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunately, I've had no success.
Is it possible to do this?
Thank you.
Message was edited by:
user571491 -
External Authentication on Windows
Guys, this is driving me crazy.
I had an external user configured on my Oracle 9.2.0.5 database on a Windows 2003 Server.
It was working, I use it to make dump backups.
Now, without any change on any Oracle param or bounce, it just stopped working.
I have two instances, for one it's working, for the other it's not.
Both instances are on the same server (so I'm using the same sqlnet.ora file with NTS authentication).
Today I removed and recreated the user on both instances, but I keep getting the same problem.
create user "OPS$DOMAIN\ORABACKUP" identified externally
default tablespace users
temporary tablespace temp
The parameters are the same on both instances:
os_authent_prefix string OPS$
os_roles boolean FALSE
remote_login_passwordfile string EXCLUSIVE
remote_os_authent boolean FALSE
remote_os_roles boolean FALSE
Do you have any ideas of why this could happen??
Is there another parameter related to external authentication that I don't know?
Thanks!
Was there ever an answer on this? Having problems with setup using the same versions.
-
PHP external authentication issue
Trying to log in to an AFCS connection using external authentication.
The PHP file generates a key correctly and everything seems to be fine up until I get to using the key inside Flex.
At the login stage I get the following error in the console trace from the library login call.
As far as I can tell everything is right... how can I tell what is wrong with the authentication key?
AFCS Beta Build # : 1.1
requestInfo https://connectnow.acrobat.com/{roomname}?exx=eDp7dXRmOF9lbmNvZGUoZGFyaXVzKX06OmRtOmFnZW50ZG06aHR0cHM6Ly9jb25uZWN0bm93LmFjcm9iYXQuY29tL2hpaW50ZXJmYWNlL2RtOjEwMDo4N2NmNWUwMjIzZTVhMmFkYzI2MmY4MDVlNWJmMWVlM2Y4OTJlY2Qx&mode=xml&x=0.2519759591668844
#THROWING ERROR# bad authentication key
There are a few mistakes in the key. There is some PHP 'code' in it (wrong string expansion?) and you are using a full URL instead of the room name.
If you want more details send me a private message, but you should check the way you call the get authentication token method. -
AD External Authentication Plug-In verification issue
We are working on a Proof of Concept instance to integrate MS AD with OID for the first time for E-Biz 11i.
1) I completed the bulk load of all the existing users from AD to OID successfully
2) completed enabling the synchronization profile
3) Ran the txkrun.pl successfully
4) However I wanted to check the External Authentication plug-in and I get the below issue.
How to debug ldapcompare? Where is the log file for ldapcompare?
ldapcompare -h OID_Host -p 389 -D "cn=orcladmin" -w ******* -b "cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us" -a userPassword -v abcdefgh
The value abcedefgh is not contained in the attribute userPassword in DN cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us.
An ldapbind on the same AD server is successful, but ldapcompare is failing. I get invalid credentials, though the network password is correct. I feel it's somewhere I messed up the 3rd party plug-in configuration. Is there a method to get debug information for the ldapcompare command?
From metalink NOTE : 277382.1
"When using the above command, ldapcompare binds to OID using the OID admin user (typically "cn=orclAdmin") and password. Then it provides the AD username and requests that the value supplied as AD-USER-PASSWORD be compared to whatever is stored in AD username's userPassword attribute. Because OID does not store a value in its own user entries/userPassword attributes for AD-synchronized entries, this ldapcompare call will cause OID to invoke the plug-in and verify the userPassword value in AD instead.
If the plug-in works, the ldapcompare should return a message saying that the given password is contained in the userpassword attribute, e.g.
" -
External authentication on Essbase 9.3.1
I am migrating from Essbase 7.3.x on 32-bit Windows to System9 on 64-bit windows. External authentication works on both Shared Services and EAS. I have successfully registered EAS and Essbase with shared services however I do not see Essbase in "User console" of Shared Services as an application. I am able to create native authenticated users in Essbase but unable to externalise the security. I get the following error messages when trying to externalise:
Error: 1051549: Can not convert Analytic Services to Shared Services mode when Analytic Services is not configured with Shared Services or the initialization process has failed
On starting Essbase, I see the following error message when I use the same CSSconfig file as used by shared services:
[Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Error(1051223)
Single Sign On function call [css_init] failed with error [getOSVersion]
[Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Info(1051198)
Single Sign-On Initialization Failed !
If I point to the current CSS file used in production Essbase 7, I get the following message:
[Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Error(1051223)
Single Sign On function call [css_init] failed with error [-1]
[Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Info(1051198)
Single Sign-On Initialization Failed !
In either case everything except External Authentication on System9 for Essbase works.
Both shared services and Essbase are on the same 64-bit Windows box.
Any help in resolving this will be greatly appreciated.
Thanks,
Vikram.
HI:
I recommend following these steps:
1. Go to the box where you have your Essbase installed
2. Pull up the Shared Services Configuration Utility
3. Select Component to be registered as Essbase
4. Remember to stop Essbase - I assume you are getting the error, hence Essbase would not have loaded.
5. Re-register Essbase with Shared Services
6. Start Essbase in foreground
It should start :) Good luck... let me know if this failed.
Thanks,
Sriram -
External Authentication won't correctly set USER name or Role
I am using JAVA under Google App Engine for my backend and attempting to log a user into a room using external authentication. I can connect and get into the room just fine; my issue is with the user information once I am logged in. The user has a null username and ID (possibly generated) and their role is set to zero (or at least not high enough to publish). If the room is set to auto-promote then I do have the ability to publish (this is what I would expect), but still I needed the user to have a role of owner (so they can create nodes).
Here is a little of the java on the back end (I removed my shared secret):
public String getRoomToken(String roomID, String userName, String userID, int userRole) {
    try {
        Session session = am.getSession(roomID);
        // hard-coded test values for now; the parameterised call is commented out below
        return session.getAuthenticationToken(..., "Bob", "TestID", 100);
        //return session.getAuthenticationToken(..., userName, userID, userRole);
    } catch (Exception e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
        return null;
    }
}
getAuthenticationToken is hardly changed from what is in the AFCS.java in the examples folder, but here it is in any case:
/** Get an external authentication token. */
public String getAuthenticationToken(String accountSecret, String name, String id, int role) throws Exception {
    if (role < UserRole.NONE || role > UserRole.OWNER)
        throw new Error("invalid-role");
    // token layout: x:name::account:id:room:role
    String token = "x:" + name + "::" + this.account
        + ":" + id + ":" + this.room + ":" + Integer.toString(role);
    // append the signature computed over the token with the account secret
    String signed = token + ":" + sign(accountSecret, token);
    // unencoded
    //String ext = "ext=" + signed;
    // encoded
    String ext = "exx=" + Utils.base64(signed);
    return ext;
}
This should work. My shared secret is removed above, but I doubt that is the problem as my app does authenticate just fine; it just throws an exception telling me I don't have the required permissions to publish when I try to do anything. While observing from the DevConsole I see a user in the room but they are marked as null. Note that non-external authentication works just fine. If I hardcode my login creds in AdobeHSAuthenticator I can get in just fine with no issue. Also, if the room I get an authenticationToken for does not match the roomURL I connect to with ConnectSessionContainer, I will fail to log in correctly, as I would expect. So I know my credentials are getting to the AFCS and being decrypted correctly (as I can only authenticate for the room I send in that credential token) but for some reason it simply won't set my role and username/userid correctly. Any help would be great, this has caused me a great deal of grief for days now...
Thanks guys...
Ves
Well this is weird. I was trying to set this up so that I could get the log output on that run and I ended up changing
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{Application.application.parameters['token'] as String}"/>
to
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{token}"/>
and adding a preinitialize function of:
protected function preInit():void {
    templateID = Application.application.parameters['room'];
    token = Application.application.parameters['token'];
}
Oddly enough it now works like a charm. It is still disconcerting that I was able to actually enter the room even though my token was somehow corrupted (that probably isn't intended behavior). If this shows up again I will try and track down the particulars and send you guys an email as an FYI. Thanks for the help....
Ves
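The token layout posted in this thread, together with the "bad authentication key" from the PHP thread above (whose decoded key carried unexpanded PHP code in the name field and a full URL as the room name), as an added Python example that is not part of either thread: it builds an exx= key the way the posted Java does and decodes one back to report exactly those layout faults plus a signature mismatch. The shared secret is constructed, and HMAC-SHA1 hex is an assumption standing in for the unseen sign() helper.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample secret: the threads' real shared secret is not on the page.
SECRET = "constructed-shared-secret"
# Layout from the posted Java: x, name, (empty), account, id, room, role, signature
EXPECTED_FIELDS = 8


def sign(secret: str, message: str) -> str:
    """ASSUMPTION: the sign() body from the posted AFCS.java is not shown; an
    HMAC-SHA1 hex digest is used here (it matches the 40-hex-char tail of the key)."""
    return hmac.new(secret.encode(), message.encode(), hashlib.sha1).hexdigest()


def make_token(secret: str, name: str, account: str, user_id: str,
               room: str, role: int) -> str:
    """Build exx=<base64> the same way as the posted getAuthenticationToken."""
    token = f"x:{name}::{account}:{user_id}:{room}:{role}"
    signed = f"{token}:{sign(secret, token)}"
    return "exx=" + base64.b64encode(signed.encode()).decode()


def inspect_token(exx_value: str, secret: Optional[str] = None):
    """Decode an exx= key and report the problems the PHP thread's reply names.

    Returns (fields, problems); problems is empty for a well-formed, correctly
    signed key. With secret=None the signature is not checked.
    """
    if exx_value.startswith("exx="):
        exx_value = exx_value[len("exx="):]
    signed = base64.b64decode(exx_value).decode()
    parts = signed.split(":")
    problems = []

    if len(parts) != EXPECTED_FIELDS:
        problems.append(
            f"expected {EXPECTED_FIELDS} colon-separated fields, got {len(parts)}: "
            "a ':' inside a field (e.g. a full URL as room) shifts every later field"
        )
    # Best-effort mapping: the first five fields carry no ':' in this layout and
    # role/signature are always the last two, so whatever sits between is the room.
    fields = {
        "marker": parts[0],
        "name": parts[1] if len(parts) > 1 else "",
        "account": parts[3] if len(parts) > 3 else "",
        "id": parts[4] if len(parts) > 4 else "",
        "room": ":".join(parts[5:-2]),
        "role": parts[-2] if len(parts) > 6 else "",
        "signature": parts[-1],
    }
    if fields["marker"] != "x":
        problems.append("key must start with the 'x:' marker")
    if len(parts) > 2 and parts[2] != "":
        problems.append("third field must be empty (the '::' after the name)")
    if re.search(r"[{}()$]", fields["name"]):
        problems.append(f"name {fields['name']!r} looks like unexpanded template code")
    if "/" in fields["room"]:
        problems.append(f"room {fields['room']!r} must be the bare room name, not a URL")
    if not fields["role"].isdigit():
        problems.append(f"role {fields['role']!r} must be an integer")
    if secret is not None:
        body, sig = signed.rsplit(":", 1)
        if not hmac.compare_digest(sign(secret, body), sig):
            problems.append("signature does not verify under the supplied secret")
    return fields, problems


def broken_example() -> str:
    """Constructed reproduction of the two mistakes in the PHP thread's key: the
    PHP expression was never evaluated, and the room field carries a full URL."""
    return make_token(SECRET, "{utf8_encode(darius)}", "dm", "agentdm",
                      "https://connectnow.acrobat.com/hiinterface/dm", 100)


if __name__ == "__main__":
    good = make_token(SECRET, "Bob", "dm", "TestID", "hiinterface", 100)
    for label, key in (("good", good), ("broken", broken_example())):
        fields, problems = inspect_token(key, SECRET)
        print(label, fields["name"], fields["room"], fields["role"], problems)
```

Run against the good key the problem list is empty; against the broken one it reports the shifted field count, the template leftover in the name and the URL in the room field, which is what the reply in the PHP thread diagnosed by eye.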