GRC AC CUP 5.3 SP06: Single Sign-On
Has anyone gotten single sign-on with Compliant User Provisioning to work? I've got my Java stack authenticating Kerberos tickets through SPNEGO with LDAP as the user data source. It works fine on every other application (RAR, SPM, ERM) except for CUP, which requires users to log in. Is there any way to force single sign-on inside of CUP or will my users always be required to type in their passwords for requesting and approving access?
Daniela,
Thank you, that's exactly what I was looking for, but I'm currently getting an error stating the following:
Application error occurred during request processing.
Details: com.sap.engine.services.servlets_jsp.server.exceptions.WebIllegalArgumentException: Cannot redirect to "null" location.
My redirection URL looks like this:
http://<server>:<port>/RedirectApp/?redirecturl=http://<server>:<port>/AE/index.jsp
Does that look right? What support pack were you able to get this working on?
Similar Messages
-
CUP 5.3 - Single Sign On for end user request screen?
Hi everyone,
Is there any way to achieve Single Sign On in a windows environment using the corporate Active Directory for the END USER REQUEST SCREEN in CUP 5.3?
I am aware of the document "Single Sign-On with SAP BusinessObjects Access Control 5.3" by the SAP GRC RIG (Harleen Kaur) so I know how to achieve Single Sign On for the CUP application itself.
I am also aware of the option to deactivate "end user verification required" in the authentication source definition in CUP.
What our end users are asking for is true single sign on. They would like to enter a request WITHOUT providing network user ID and/or password manually.
Thanks!
Hi Raghu,
Thanks a lot!
We have not yet configured SSO but are in the phase of analyzing our options.
I understood that SSO is only possible for the server:port//AE/index_apr.jsp page in CUP.
What about the end user request screen (server:port/AE)? Will this work with Windows-SSO using SPNEGO? Would I set the authentication source to LDAP or to UME (UME has multiple LDAP as user data source)?
Many thanks and best regards
Patrick -
GRC and CUP and Mobiliity question
Hello GRC friends:
In an environment where GRC and CUP are configured and working, the question came to me,
can the requests for the Firefighter ID be sent to a mobile device?
The person responsible for the request approval must now sign on their PC.
Are there any known impediments to sending these to say an iPAD to be approved?
Thank you in advance for your assistance.
Regards,
Joe Gonzales
856 912 1136
Hi Josep!
There are some applications for mobile devices that you'll be able to find here: http://ecohub.sap.com/store/mobility
This particular application is for GRC approval: http://ecohub.sap.com/store/mobility/catalog/#!solution:SAPGRCAccessApprover
I don't know the cost and if it's available in your country neither....
Cheers,
Diego. -
Partner application single sign-on and Oc4j
hello,
I'm trying to test portal's partner application single sign-on, following the examples inside the "Oracle9 iAS Single Sign-On Application Developers Guide":
With Tomcat as jsp engine everything works fine, but with Oc4j when I try to enter the protected jsp page i have this exception:
oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved
at SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java:153)
at SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java:57)
at /protetta.jsp._jspService(/protetta.jsp.java:37) (JSP page line 4)
Any suggestion?
Thanks in advance.
I get the same problem with my partner application. It runs fine on JServer but I get the following problem on oc4j:
oracle.security.sso.enabler.SSOEnablerException: java.lang.IllegalStateException: OutputStream already retrieved
at oracle.br.aerochain.sso.SSOEnablerBean.getSSOUserInfo(SSOEnablerBean.java, Compiled Code)
at oracle.br.aerochain.sso.SSOEnablerJspBean.getSSOUserInfo(SSOEnablerJspBean.java, Compiled Code)
at /jsp/papp.jsp._jspService(/jsp/papp.jsp.java, Compiled Code)
at com.orionserver[Oracle9iAS (9.0.2.0.0) Containers for J2EE].http.OrionHttpJspPage.service(OrionHttpJspPage.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpApplication.serviceJSP(HttpApplication.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.JSPServlet.service(JSPServlet.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].server.http.HttpRequestHandler.run(HttpRequestHandler.java, Compiled Code)
at com.evermind[Oracle9iAS (9.0.2.0.0) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java, Compiled Code)
Did anyone get a solution for this?
TIA -
Configuring JCo3 Connection Pool with single sign on on non SAP Java server
Hi Everyone,
i have configured a connection pool on JBoss as per JCo3 Documentation and is working great.
Now I need help to configure this connection pool with single sign on so that RFc on SAP ECC systems are executed using end users credential rather than using single user name password used to configure JCo connection pool.
On SAP Java stack I am sure its possible within Java WebDynpro and i assume using JCA resource adapter. But what if we don't want to use SAP Java App server.
Any help will be appreciated.
Thanks,
Divyakumar Jain
Eason, hello!
I have exactly the same problem. Did you find a solution to this problem? If so, please let me know! -
How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication
Identity provider here is Oracle identity provider
harika kakkireni
Hi,
The following materials for your reference:
Consuming List.asmx on a claims based sharepoint site
http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
Sharepoint Claims based authentication and Single Sign on
http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
Sharepoint Claim Based Authentication Web Service issue
http://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
Best Regards
Dennis Guo
TechNet Community Support -
ApEx 2.1.0.00.39 as Partner Application in Oracle AS Single Sign-On
Hi,
I've installed the last Application Express 2.1.0.00.39 (oracle-xe-10.2.0.1-1.0.i386.rpm and oracle-xe-univ-10.2.0.1-1.0.i386.rpm) but, when I try to "create an authentication scheme" to configure an ApEx application to use SSO under
Home>Application Builder>Application xxx>Shared Components>Authentication Schemes>Create Authentication Scheme
in the second step of the procedure I don't find the choice "Oracle Application Server Single Sign-On (Application Express engine as Partner App)".
I found only these:
- Show Built-In Login Page and Use Open Door Credentials
- Show Login Page and Use Application Express Account Credentials
- Show Login Page and Use Database Account Credentials
- Show Login Page and Use LDAP Directory Credentials
- No Authentication (using DAD)
even if under the help voice "V Information" the other two are described:
Oracle Application Server Single Sign-On (Application Express engine as Partner App) delegates authentication to the Oracle Application Server Single Sign-On (SSO) Server. This Application Express site must have already been registered as a partner application with the SSO server. For more information, contact your administrator.
Oracle Application Server Single Sign-On (My application as Partner App) delegates authentication to the SSO server. In this case, you must register an application with SSO as a partner application. See the next page for more details.
Does Someone know how to resolve it?
Thanks
Emanuele
Thanks for all your help Scott
I've added the -PORTAL_SSO- .....
After this I've had a new problem same to this: Re: SSO Authentication Not Working
"get the error below and it then directs me to http://hostx/htmldb/f? and the "p=" is missing"
But after a lot of tests I discovered where was the problem: "The apache configuration for the proxy!!"
This is an extract from the installation doc:
SetEnv force-proxy-request-1.0 1
ProxyPass /htmldb http://127.0.0.1:8080/htmldb
ProxyPassReverse /htmldb http://127.0.0.1:8080/htmldb
ProxyPass /i http://127.0.0.1:8080/i
ProxyPassReverse /i http://127.0.0.1:8080/i
ProxyPass /sys http://127.0.0.1:8080/sys
ProxyPassReverse /sys http://127.0.0.1:8080/sys
where you replace 127.0.0.1 with the name OR ip address of your XE installation. 8080 is the default http port of your XE installation. "
Well, I used the IP ADDRESS and in the @regapp > listener_token the NAME!!! (HTML_DB:servername.domain:80)
I changed the IP ADDRESS with the NAME, restarted the httpd service and now all works fine.
Emanuele -
Single Sign on using SAML between JWS application and Web Application
Hi,
We have two applications one is swing based Java Web Start application and other is a normal web application. We are trying to enable single sign on between both the applications. Can SAML be used to enable single sign on? If yes, can some one let us know how to do this?
Thanks,
Rama
Thanks. But it is based on two WEB applications deployed on two different weblogic domains. What I am looking for is one application which is launched using Java Web Start (JNLP) and other a web application. The Java Web Start application uses its proprietary authentication implementation and the web application used DefaultAuthenticator of weblogic. Hope this detail will help you to answer my question better. I should have given this information earlier.
Thanks.
Rama -
OBIEE 11G with Single Sign-On and Active Directory
Hi guys,
Release Version: Oracle Business Intelligence 11.1.1.5.0
Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
Our krb5login.conf:
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    keyTab=cgdkobi2.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    keyTab=cgdkobi2.keytab
    useKeyTab=true
    storeKey=true
    debug=true;
};
We generate the keytab file:
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
Password for [email protected]:XXXXXXX
Done!
Service key for [email protected] is saved in cgdkobi2.keytab
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
Key tab: cgdkobi2.keytab, 1 entry found.
[1] Service principal: [email protected]
KVNO: 1
Time stamp: Mar 15, 2013 10:34
C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
Current LogonId is 0:0x406163f5
Cached Tickets: (0)
We restart the services and log on to analytics web and SSO doesn't work, but there's no error. It runs successfully with an Active Directory user and password. Seems like SSO wasn't enabled, but I checked it is enabled.
Any suggestion?
Thanks in advance
Follow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
Also check your logs for error like the one below:
[2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
If you are getting this when you login to OBIEE : You are not currently signed in to Oracle BI Server"
then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
Let us know the updates. Hope this helps. Mark if it does.!
Thanks,
SVS -
Difference between Federated single sign on and just Single sign on
Can anyone please give a clear definition of what is
1. Federated Single sign on?
2. Just Single Sign on ?
As a security expert if you were to Architect security what will you suggest ?
Lets take an example Landscape
NW1(ABAP + JAVA)- system, NW-2(ABAP+JAVA) system and EP( java only), LDAP
I am having a hard time convincing the customer to have both CONSUMER AND PRODUCER PORTAL for Federated single sign on? is this a bad idea. Customer says just give me SSO(with just one portal acting as CONSUMER/PRODUCER).
initial GOLIVE user load will be 700+ users.
Edited by: Franklin Jayasim on Jul 16, 2010 7:52 PM
Edited by: Franklin Jayasim on Jul 17, 2010 12:17 AM
Hi Denny Liao
The project is going to have BI(NW) and ECC/SRM/HR(NW) and sepparate portal ( EP - Java only )
I thought that normal SSO will help in the intranetwork, what happens if the employee(user) needs to work from home.
What about the external vendors suppliers etc...? -
How to integrate Single Sign-On and JSF?
Hi all,
We are going to develop a web application using Oracle technologies, including ADF and JSF.
But we´ll need to secure our website using Oracle Identity Manager (Single Sign-On). I am having difficulties to find any resource explaining how to do that.
Also, the IM (SSO) will run on an Oracle AS instance and our web app (ADF+JSF) will run on a separate OC4J instance, due to ADF version. Is this a problem?
Thanks
We too are in the process of implementing iStore with SSO features.
And if you believe me it seems to me as nightmare.
In our scenario we are integrating this SSO with third party access control too (AD and Siteminder). I would request you to please respond to me on the following mail id, so we can share our experience, which will help us in our implementation
[email protected]
regards and thanks in advance
Vikas Deep -
OAM 11g Single Sign-On and OAM 11g Cookies
Hi all,
I need to know following,
is it possible to get the username and password from the OAM 11g + IIS Webgate cookies and forward the same to the application for further authentication? is there any way to decrypt the cookie and use the information in the application?
Regards.
Yes, you can get the user password, but for that you will have to write a custom plugin, else it is not possible.
Refer step number 9 in the blog Single Sign on with Oracle Access Manager: Creating a Custom Authentication Plugin -
Active Directory, single sign-on and SRM Users
We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
- My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
- Single sign-on will not at this point be used for our SAP ECC 6.0 system
My questions are:
1. If active directory is being used do we need to create actual users within the SRM system?
2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
Many Thanks
Hi Claire,
The Single Sign On works only if the user exists on every system.
For example :
If you connect through portal to access ECC and SRM, your user id must exist in ECC and SRM.
For Active Directory you can synchronize your user table to AD by using LDAP option.
The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
Finally use the SSO certificate between Portal ECC and SRM.
Regards,
Gilles SEBBAG
Sap Technical Consultant. -
AnyConnect WebVPN Single Sign-on and Sharepoint 2013
I know that single sign-on is currently working and supported for Sharepoint 2010 on 9.0 and later code however is Sharepoint 2013 supported? I can't seem to find any documentation or any material on this. Any help on this would be fantastic.
Thanks!
I'd like to know if Sharepoint 2013 is supported at all with ASA 9.x clientless SSL VPN. We get this error message:
-
Authentication between Single Sign-On and Web based applications
Hi everyone,
I need to create a way in Portal 10g (10.1.2.0.2) that allow me to do the following:
Once the user is logged on Portal (against Single Sign-On - SSO) he doesn't need to retype his username/password when he access a web based application throught the portal, in my case, an ASP application (not .NET, just ASP).
I made a test creating a External Application in SSO and after publishing this portlet (external application) inside portal.
It worked, BUT I was prompted to inform username/password to log on the application.
So, the user ends up entering his password twice.
Does anybody know a way to accomplish this task?
The documentation I'm researching is:
Oracle Application Server Single Sign-On
Administrator's Guide
10g Release 2 (10.1.2)
B14078-02
Oracle Application Server Single Sign-On
Security Guide
10g Release 2 (10.1.2)
B13999-03
Thank you very much,
Diogo Santos.
have figured out how to secure any HTML, ASP, PHP, CFM, etc. web page against Portal / OID using the PDK toolkit.
Using AJAX (Asynchronous JavaScript and XML) and one Oracle Stored Procedure, just adding a simple Javascript call to any HTML, ASP, PHP, etc. web page can secure it via Oracle SSO (OID). Access to any secured web page will require it to be linked from an authenticated Portal session or a page opened in an authenticated Portal session.
This process can be easily modified to add in group security etc. This is just my starting point.
1) Create a stored procedure
-- Make sure it has access to portal.wwctx_api.is_logged_on
CREATE OR REPLACE PROCEDURE login_ajax_check (
  display_error IN number default NULL) AS
BEGIN
  NULL;
  IF portal.wwctx_api.is_logged_on = false THEN
    htp.prn('DENY');
  ELSE
    htp.prn('ALLOW');
  END IF;
EXCEPTION
  WHEN OTHERS THEN htp.p('DENY');
END;
2) Use this Javascript in any page you wish to secure.
<-- Begin Paste Here -->
<script>
// allowgo: 2 = not checked yet, 0 = portal answered ALLOW, 1 = any other answer
var allowgo = 2;
var req;
function ajaxCallRemotePage(url) {
  if (window.XMLHttpRequest) {
    // Non-IE browsers
    req = new XMLHttpRequest();
    req.onreadystatechange = processStateChange;
    req.open("GET", url, false); // synchronous request
    req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
    req.send(null);
  } else if (window.ActiveXObject) {
    // IE
    req = new ActiveXObject("Msxml2.XMLHTTP");
    req.onreadystatechange = processStateChange;
    req.open("GET", url, false); // synchronous request
    req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
    req.send();
  } else {
    return; // Browser not compatible
  }
}
// process the return of the "ajaxCallRemotePage"
function CheckPortal() {
  ajaxCallRemotePage('[Your page calling the procedure from above]');
}
function processStateChange() {
  if (req.readyState == 4) {
    if (req.status == 200) {
      if (req.responseText.substring(0,4) == 'ALLO') {
        allowgo = 0;
      } else {
        allowgo = 1;
      }
    }
  }
}
function doPage() {
  if (allowgo == 1) {
    window.location = '[Your login or error page]';
  }
}
CheckPortal();
doPage();
</script>
<-- End Paste Here -->
That's it!!! Super easy. It works great too.
Larry Schenavar
[email protected]
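The check in the post above runs in the visitor's browser, after the protected page has already been delivered. As an added example (not part of the original post and not Oracle's code), the same ALLOW/DENY reply from login_ajax_check can instead be consumed on the server, which fails closed on any error; `checkUrl`, `loginUrl`, `render`, `fetchImpl` and the cookie forwarding are assumptions made for illustration.

```javascript
// Added example: server-side, fail-closed use of the ALLOW/DENY reply.
// All names below (checkUrl, loginUrl, render, fetchImpl) are hypothetical.

// Pure decision: only HTTP 200 with a body of exactly "ALLOW" grants access.
function decideAccess(result) {
  if (!result || result.error) return 'DENY';        // network error, timeout
  if (result.status !== 200) return 'DENY';          // redirect to login, 500, ...
  if (typeof result.body !== 'string') return 'DENY';
  return result.body.trim() === 'ALLOW' ? 'ALLOW' : 'DENY';
}

// Ask the portal whether the session behind these cookies is logged on.
// fetchImpl is injected so the logic can be exercised offline with a stub.
async function checkPortalSession(checkUrl, cookieHeader, fetchImpl, timeoutMs = 3000) {
  if (!cookieHeader) return { error: 'no session cookie' };
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('portal check timed out')), timeoutMs);
  });
  try {
    const res = await Promise.race([
      fetchImpl(checkUrl, { headers: { cookie: cookieHeader }, redirect: 'manual' }),
      timeout,
    ]);
    return { status: res.status, body: await res.text() };
  } catch (err) {
    return { error: String(err) };
  } finally {
    clearTimeout(timer);
  }
}

// Gate: the protected body is rendered only after an explicit ALLOW.
async function gatePage(req, opts) {
  const result = await checkPortalSession(
    opts.checkUrl, req.headers.cookie, opts.fetchImpl || fetch);
  if (decideAccess(result) !== 'ALLOW') {
    return { status: 302, headers: { location: opts.loginUrl }, body: '' };
  }
  return { status: 200, headers: { 'cache-control': 'no-store' }, body: opts.render() };
}

// Constructed sample replies from the check page (not captured traffic).
const SAMPLE_RESPONSES = [
  { status: 200, body: 'ALLOW' },
  { status: 200, body: 'DENY' },
  { status: 500, body: '' },          // check page failed
  { status: 302, body: '' },          // bounced to the SSO login
  { error: 'ECONNREFUSED' },          // portal unreachable
];

function decideSamples() {
  return SAMPLE_RESPONSES.map(decideAccess);
}
```

Only the first constructed reply yields ALLOW; a failed, redirected or unreachable check is treated as DENY.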