OAM - Cross Domain SSO Solution

Similar Messages

• Problem with Cross-domain SSO, NTLM and ITS to R/3

  Hello,
  We are using EP 6.0.13.0 on a Windows environment.  We have an ITS running WebGUI/ESS/MSS in another domain and that is the same domain where the R/3 and BI systems reside.  We have configured NTLM authentication using IIS web server 6.0 and the IISProxy 1.6.2.  We have configured SSO with the backends using the same ID as in the MS-ADS.  Almost everything works fine.
  The problem is that when we use the NTLM logon VIA the IIS to the portal, and then navigate to a WebGUI service transaction we are prompted for login.  When we refresh the portal screen and try again - it works.
  We have configured the mdc.hosts and are using the sendSAPSSO2Cookie.asp to generate the cross-domain logon ticket.
  I have read that ITS may require the PAS be set up but I thought that was only used when you are going directly to the ITS (leveraging the NTLM authentication) - not when you are going through the portal.
  Does anyone have some experience using ALL of the SSO features (i.e. SSO, cross-domain support, ITS, windows integrated authentication)?
  We have though about the relax option for the domain but it does not apply as our domains are:
  SERVER1.domain1.com and SERVER2.domain2.com
  ... so relaxing would not help unless we relaxed to the ".COM" which is unreasonable.
  My regards,
  Judson Maizels

  Hi JUDSON
  well i'll give one easy solution
  make a alias under host file reside in winnt\system32\drivers\etc directory which has same domain name
  i.e
  SERVER1.domain1.com   server1.mydomain.com
  SERVER2.domain2.com   server2.mydomain.com
  it's works in my schenario we have a same system landscape
  as you
  regards,
  kaushal

• OAM Access Manager SSO solution fails to open docs and pdfs

  Hi
  I have created a solusion for SSO like this.
  OAM against AD, running on windows (server A). Webpass is on IIS.
  The applikation I'm protecting is an Weblogic 10.0 application running on windows (server B)
  I have also installed the webgate on serverB running on Apache 2.0, and all the installation is done by following the documentation for Weblogic sso
  (This is to make the application runnable directly through port 80 and redirecting in Apache)
  The sso works fine.
  But i have a problem in IE6
  When the application is trying to open documents to view them in msword or pdf for printing, the document is not opened, I get an "file not found" exeption in the browser, and the url for getting the document seems very long. (The grey popup)
  When I open the application in IE8 it works fine, and the url for getting document seems short (just the docID)
  (The application is currently only compatible for IE6 so running it in IE8 will cause other problems)
  I cannot find any error messages in any logs.
  If I run the excact same application without sso its working fine in both IE8 and IE6
  Regards
  Tine

  Hi
  This is a followup to the question in this thread
  The system is now able to load pdf's and doc documents, and the reason it did not work before was due to the cache settings on the webgate. The system is now caching documents in the temporarInternetfolder created for the users and loads word and pdf files for printing without problems.
  Now.. my problem is that the application is also running a kind of "generate pdf, doc, html files" application which are saving some modified files on the local users area. (my computer)
  After that the application ask to load these documents into the applications database.
  When I use the Apache mod_weblogic.c to proxy the requests, large files (5 MB) are not able to be loaded into the application database. I get a "the connection with the server was terminated abnormally" exeption.
  Small files (94 KB) are working fine.
  Does anyone have any idea of what can cause this?
  I have upgraded Apache from 2.0.58 to Apache 2.0.63 and I use mod_wl128_20.so as the weblogic module.
  Regards
  Tine

• Does cross-damain SSO scalable to work with over 200 different domain?

  Hello
  Has anyone successfully implement multi-domain SSO with this scalability?
  thanks

  Hi Surendar,
  cross domain support is from security point not a proper solution.
  The ITS issues a MYSAPSSO2 cookie. The cookie specification says that the browser rules who is getting cookies. Normally only site with the corresponding DNS name will get.
  Possible solution would be:
  If you switch your application, the service which creates the ticket must be connect with another DNS name. Your DNS server allows to configure aliases. So just connect your WebServer with WGate with this new (alias) name, then you will get a cookie with another entry in DOMAIN property of the cookie.
  See ITS parameters:
  http://help.sap.com/saphelp_webas620/helpdata/en/4b/0c00273d6d11d480aa00c04f99fbf0/frameset.htm
  regards,
  -markus

• Groupware solution for cross domains

  Hello all,
  Does anyone know if groupware solution is supported for  if  groupware servers ( in our case lotus Domino Servers ) are located in 2 different domains.
  Our landscape is like this..
  1 connector , default proxy instance , CRM Server and 1 Lotus Server on 1 domain and the 2nd Lotus server is on a different domain...Directory assistance is setup////
  Wanted to know if Groupwaer solution is supported for such a landscape?
  Thanks.
  Regards,
  Pratima

  I have come across information where groupware has worked across different domains.
  If anyone has worked on cross domains...it would be great if you can share what u have done..
  In our case, if the groupware server is in a different domain, userlist is not getting generated with an error "user does not exist in the groupware domain" even though it does exist ...works fine for users in the same domain as the connector and CRM.
  In the transaction SCOT, we have configured the the MailHost = 'abcsmtp' and the MailPort = '25'...
  Regards,
  Pratima
  Edited by: pratima purigali on Apr 14, 2010 8:31 AM

• SSO solution required for SAP,OBIEE,EBS,java,SQLserver,Apache applications

  Hi,
  We have applications including ERP like SAP , Oracle Applications , Oracle OBIEE and applications also using Java/Apache/SQL Server. We are looking for a SSO solution between all these applications so that user will sign in one application and will be authenticated for other applications. We are also looking for LDAP so that we keep the user credentials in one location.
  On top of that there is added complexities like we have multi tenant environment. In other words users from different domain say test.com, prod.com will come to our same application with same user may be.
  Hence with the above requirements, please guide with solution or white paper if any to do the following :
  1. Identify a SSO + LDAP solution
  2. Find the product(s) where Total cost of ownership is optimum.

  - For Single Sign On, you can go for *"Oracle Access Manager*" since it has OTB integrations for all application you specified such as PSFT,SAP,OBIEE,etc..
  OAM can support single domain and multi domain SSO.
  If you have cross domain scenario, then you can use "*Oracle Identity Federation*"
  - For common user repository, You can go for "*Oracle Virtual Directory*" to consolidate all user repositories. Otherwise, you can go for Oracle Internet Directory and synchronize all you user stores to OID using DIP connector.
  Thanks
  GK
  Edited by: GK Goalla on May 26, 2011 7:40 AM

• Cross Domain Trust Error, while opening the infopath in sharepoint list.

  Dear All,
  Facing some issue in
  Environement:
  Windows = Windows Server 2008
  Shareppoint = Sharepoint Server 2013.
  Project Server = Project Server 2013
  Info Path = Info Path Designer 2013
  Detailed:
  I have sharepoint environment with Project Server,I which have created task list in my project site and then i customize that form using info path their is one column named: "Product Name" in my task list which is drop down menu in that menu
  i want to show all the project name which are created in PWA Site. For that i made the External data connection to my sql server and select my desired table from that and also configured the my column data "i:e; Product Name. And published it to the my
  site. Now when i opened that form it prompts the error
  "The form cannot be submitted because this action would violate cross-domain restrictions. 
  If this form template is published to a SharePoint document library, cross-domain access for user form templates must be enabled
  under InfoPath Forms Services in SharePoint Central Administration, and the data connection settings must be stored in a UDC file in a data connection library in the same site collection. 
  If this is an administrator-approved form template, the security level of the form must be set to full trust, or the data connection
  settings must be stored in a UDC file by using the Manage data connection files option under InfoPath Forms Services in SharePoint Central Administration ."
  Oopsss !!
  Now start googling it found couple of solution shared listed below:
  1. Enable the cross domain authenticated in Central Admin –> General Application Settings –> Configure InfoPath Form Services (Done)
  2. Now Created the data connection library in my site collection which is PWA Site after that i went to the infopath and creating the data connection and
  Convert to Connection File and enter the URL of the data connection library
  and its prompt the error " the specified url is not a data connection library and enter the correct filename" didnt remember the exact error description at the moment.
  So, that was all stuff, Kindly suggest me any step which i missed that or ay solution that resolve my this issue.
  Thanks
  REGARDS DANISH DANIE

  it seems the data-seed failed in your dehydration store.
  so i would check if user orabple exsits in your db (pw is orabpel) .. and recreate the schema by executing the following script (based on your db)
  orabpel\system\database\scripts\domain_oracle.ddl
  hth clemens

• Cross domain error while displaying .SWF files in  portal

  Hi Experts,
  i am working on EP ,
  i am trying to display a .swf file in a iview but that file is  giving an error as
  Add a cross domain policy file to the external data web server
  this swf file is retriving data from BI system.
  Please suggest !!
  i got a solution of putting a crossdoaim.xml file in root directory but thats not possible

  I think two urls will work for you:
  Xcelsius SWF with QaaWS through SSL: Cannot access external data
  http://livedocs.adobe.com/flex/3/html/help.html?content=security2_04.html

• Business Process Apps using cross domain CSOM or REST calls: which one is the easiest to use?

  Hi
  I have build a  few (on prem) provider hosted and  SharePoint hosted apps to really surface data held in host web. Now, I want to do something a bit more complex by starting to build a process follow that makes a number of cross domain calls -
  the success handler of the preceding call setting up the next cross domain call  and so on . 
  For example:
  Document Library 1
  Document 1, Content type ct_1 (various attributes set inc taxonomy, lookup etc)
  I want to copy this document and any set fields to ……..
  Document Library 2
  Document 2, Content type ct_2 (inherits from ct_1) ( ( various attributes, set as above) 
   I just wondered if this was achievable with
  client side REST or would this be better with
  CSOM :-( Thos I am stating to hate CSOM ;-.I did have a look at server side code ( csom/rest) and I thought quite verbose and a backwards step plus not really amenable to later moving to Angular or Knockout- tho please let me know if this initial assumption
  is wrong.  
  One controversial view
  would be to code up a full  farm trust web part because the server side apis are well understood. Also,  one or two dlls are are likely to be difficult to migrate at some stage - assuming  V Next does not mechanisms to
  prevent full trust farm solutions complete with bard wire and watchtowers ;-)
  The other option thought of would be a 2013 w/f but I would a fancy form to go with this as I would want to capture user
  input
  Be interested to hear the thoughts from the community 
  Daniel, WSL
  Freelance consultant

  Hi,
  According to your post, my understanding is that you have cross-domain problems in apps for SharePoint.
  There are many different techniques to overcome cross-domain issues in JavaScript.
  You can use Rest to resolve it. Please refer to:
  Cross Domain and SharePoint Hosted Apps using REST
  More information:
  Solving cross-domain problems in apps for SharePoint
  Cross Domain and SharePoint Hosted Apps using CSOM
  Thanks,
  Linda Li                
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Linda Li
  TechNet Community Support

• Cross Domain Security Express - RAC configuration

  Hi All,
  Not sure if the general DB forum is the place for this but here goes.
  I am involved in designing a solution that wants to provide access to data from networks each trusted to a different level of security. The CDSE CDSS white paper look something like the design that we drew up.
  http://www.oracle.com/industries/government/pdfs/oracle-cross-domain-security-express-ds.pdf
  Question 1
  In the diagram on p3 does this reflect a single rac cluster spanning two separate networks, what would connectivity requirements be between the nodes?
  Question 2
  Is physical storage shared across networks and then logically divided using labels?
  Question 3
  COuld you define separate tablespaces and use partitioning to force higher and lower secured content into respective tablespaces in separate storage.
  Thanks in advance for any guidance
  Tim

  Hi All,
  Not sure if the general DB forum is the place for this but here goes.
  I am involved in designing a solution that wants to provide access to data from networks each trusted to a different level of security. The CDSE CDSS white paper look something like the design that we drew up.
  http://www.oracle.com/industries/government/pdfs/oracle-cross-domain-security-express-ds.pdf
  Question 1
  In the diagram on p3 does this reflect a single rac cluster spanning two separate networks, what would connectivity requirements be between the nodes?
  Question 2
  Is physical storage shared across networks and then logically divided using labels?
  Question 3
  COuld you define separate tablespaces and use partitioning to force higher and lower secured content into respective tablespaces in separate storage.
  Thanks in advance for any guidance
  Tim

• Error 2170 in Cross Domain Policy deployed in Enterprise Portal

  Hi All,
  We are facing an Error # 2170 for the Cross Domain Policy in Enterprise Portal.
  We developed the dashboard using 2 web service connections (using ECC Remote Enabled Functon Module). The Web services were made Public so that they can be accessed from any network. We developed the dashboard using the public enabled webservices and exported to the SWF file which is working fine.
  But when we place the dashboard SWF file in the Enterprise portal it gives the error " Cross Domain Policy Error #2170" .
  We Placed the Cross domain Policy file in ECC Server in the root directory and placed the same in Enterprise portal C drive.
  But still it shows the same error when we preview the dashboard in Enterprise Portal.
  The Cross Domain Policy File that we are using is as follows:
  -<cross-domain-policy> <site-control permitted-cross-domain-policies="all"/>
              <allow-access-from secure="false" to-ports="" domain=""/>
             <allow-http-request-headers-from secure="false" domain="" headers=""/>
             <allow-https-request-headers-from secure="false" domain="" headers=""/>
  </cross-domain-policy>
  Please let us know if the cross doamin file is correctly coded and suggest us with suitable solutions for this problem. Also let us know if there is some alternative solution to this issue.
  Thanks,
  Malla Reddy D

  Hello Malla,
  Maybe SAP Note 1240810 helps... Anyway, I would say that if your issue is with the direct SAP NW BI connection, through BICS, the only file which is relevant is bicsremotecrossdomain.xml, which should be located on your server HTTP root.
  Another check you can perform is if you have both portal certificate entries as per SAP Note 1508663.
  Kind Regards,
  Marcio

• Oracle maps cross domains

  Hello everyone,
  I am facing the following issue. I have mapviewer deployed on a serverA and a web app deployed on serverB.
  Then I call the mapviewer FOI server from the app of serverB and I get the following error message:
  *[MVThemeBasedFOIControl.foiLoaded] mapviewer-05523 cannot process response from mapviewer server. (<?xml version="1.0" encoding="UTF-8" ?> <oms_error> Requests are not allowed to be sent to this remote target URL via proxy servlet. (http://172.31.128.50/mapviewer/foi)</oms_error>)*
  I am using mapviewer Ajax API version Ver11_1_1_5_B110527.
  Has anyone experinced such errror?????????

  Ok lads,
  Seems I found the solution. Following the instructions from this post [http://oraclemaps.blogspot.com/2008/09/cross-domain-oracle-maps-scripting.html] I have 90% the solution.
  What also needs to be done is to pass the url of serverB to the mapviewer configuration file of serverA in the section <proxy_enabled_hosts>.
  At list this works for me.

• Are Cross Domain Flash Local Shared Objects (LSO aka Flash Cookie) possible

  Hi,
  I found several solutions for creating Flash LSOs from JavaScript (for example: http://www.nuff-respec.com/technology/cross-browser-cookies-with-flash )
  If Page (www.hostA.com/index.html) and the .swf file are from the same site, everything works fine.
  Now I'm trying to load the page form www.hostA.com/index.html, which includes www.hostB.com/flashcookie.swf (different sites). But then I cannot read or store the LSO.
  I have tried several configurations (crossdomain.xml,  Security.allowDomain("...") ), but nothing works.
  Is this kind of cross domain access to a LSO possible?
  Can a flash based advertisement delivered by a 3rd party save a LSO on my disc?
  Thanks
  -stephan

  I 100% agree!  We have an application that the Government requires information to be stored on the users computer as part of Multi-Factor-Authentication.  We originally wrote it as a browser application and when everyone and their brother started deleting browser cookies because of security concerns, we totally re-wrote it as a Flash application to take advantage of permanent storage.  This new "feature" in Flash Player is causing much concern because thousands of users will need to start answering lots of security questions every single time they use the application (ie: daily) and our staff is having to handle technical support questions that shouldn't exist.  Right now it's only IE that's causing the issue, but I'm sure every browser and Internet Security program will soon be adding this to their products.  There should at least be a way for the USER to white-list a specific Domain so Flash could exempt those sites from ANY external program trying to delete ALL Shared Objects/Local Storage/Flash Cookies.  The USER should be given that choice.  This would satisfy the extra privacy you are putting in there and still allow information to be stored from sites that require it.
  John

• I am developing a flex web application which needs to access Other domain ,is there any other way other than cross domain policy available ? please help

  i am developing a flex web application which needs to access Other domain (Payment Gateway API),is there any other way other than cross domain policy available ? please help.
  we donot have access other domain thats why we want other solution..

  All the paths to CFCs are the same in my live production site.  Can you be more specific as to what you mean by "RemoteClass aliases in your AS Classes and CFCs (if any) are correct."?  How will the app know that the CFC is on http://myLiveSite.com instead of http://myDevSite.com?  The only line of code that I have noticed that points to a URL is the endpoint in a file called _Super_XXX.as.  And at the top of that file it says that the file is not meant for editting.
  To clarify...I see your app/code all exists on a server access via a web browser so I can understand that everything still works when deployed.  Mine is a mobile app so when I am developing and testing on my local computer the URL points to my local development machine.  However when I deploy it to a mobile device like a tablet and run the app, it needs to be able to access a cfc on a remote server via a different URL ie. my http://myLiveSite.com/myCFC.cfc instead of http://localhost/myCFC.cfc
  Thanks for your help!  I will now take a look at your thread.
  Message was edited by: ace0215

• Accessing .flv without cross domain access?

  Hello, I am making a game that uses the soundmixer.computeSpecrum method.  I am trying to use it inconjunction with youtube videos, but unfortunatly there is a bug with flash that prevent computeSpectrum from working with youtube videos.  So I thought of a workaround by being able to access the direct .flv link of the youtube video using php, but unfortuantly I can't access it in flash because of flash and youtube's cross domain policies. 
  So I am wondering, is there any way for me to be able to access the flv using an external server or something, but without having to actually download the .flv to the server, as that would take up too much bandwidth.
  Also, if you know of a different way to analyze the audio of a youtube video that is playing, that would also be helpful.
  Thanks!

  Hi Mark,
  Please try to clean up the cached credential in your computer. Then fill in with new domain information (domainB\user) when it prompted for credentials next time and check the Remember my credential to save it. About how to remove cached credentials, please
  follow these steps:
  1. Launch the Credential Manager from Control Panel > All Control Panel Items > Credential Manager.
  2. In the Generic Credentials section you’ll see a setting for [MS Outlook] which will include your SSO details. Click the downward-pointing arrow to the right of that value.
  3. In the expand details, click Remove from vault. Then Outlook will no longer have a stored copy of your old login information (domainA\user).
  If it doesn’t work, please change the windows account with domainB\user information to have a try.
  Regards,
  Winnie Liang
  TechNet Community Support