Proper security structure for Single Sign-On Server

We are all used to how we design the security structure for vCenter Server if we have had an existing VMware environment prior to 5.1.  Who should have administrative privileges in vCenter Server, what roles, permissions, and so on should be assigned to which users and groups - these questions have already been addressed in our current configuration.
Now Single Sign-On introduces a significant new point of consideration for determining issues of access and authentication.
I'd like to get some ideas on how this should be handled.  For example, should previous VMware administrators by definition become Single Sign-On administrators? Should the administrators of the Active Directory domain now start to get involved with the Single Sign-On server?
For example, Single Sign-On now forces VMware administrators to configure things like:
- Password Complexity Policy for SSO
- Password Expiration for SSO
- Lockout Policy
We already probably have these things tightly controlled in AD and locked down with group policy, but you can't apply group policy directly to an SSO server and make it receive a GPO from Active Directory.  (You can make the Windows OS that SSO is running on have a GPO applied, but it won't configure SSO itself, just the OS.)
VMware admins are looking at a new set of questions relating to authentication and authorization.  Someone has to have written something, or will be writing something, to help us get the big picture of what is changing with SSO, if anything, and how we need to look at SSO from a security design and best practices standpoint.
Should we just make existing vCenter Server admins SSO admins or do we need to take a step back and reconsider?

Hello,
Actually, yes. SSO is fairly robust in 5.5. It has a few limitations around email of expired passwords, but that is mainly because some people do not use them. I use SSO to provide the usernames and passwords for all my VMware vCenter and related product service accounts. I.e. an account for vdp, Horizon, vCops, Log Insight, etc.  This is more about keeping systems segregated once more with no real need for AD for services. But AD via SSO is used by users.
Read the documentation, and determine how SSO fits into your current password policy and take a long hard look at your virtualization management environment. Is there a 1 service account per service talking directly to vCenter? If not, SSO can help you implement that. The key is to match its functionality to your security policy.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

Similar Messages

  • How to enable a partner application for Single Sign-On?

    Can someone please advise me on how to enable my existing J2EE web application for Oracle Single Sign-On?
    My requirement is that I want to provide the single sign-on authentication service to my J2EE web application. For this, I would like to make my application a partner application, similar to the OracleAS Portal.
    I am using Oracle 10g (OracleAS, Oracle Infra, OID ...)
    I found the following services/APIs which Oracle provides. I am not sure which one is suitable for me.
    1. mod_osso (Static)
    --- In this case, I have to make an entry in the mod_osso.config file to protect the URL. Do I have to register the URL again through the single sign-on admin page ("Administer Partner Application") after making the entry in the config file?
    2. mod_osso (Dynamic directive)
    -- In this case, I have to modify the code by providing directives like 401, 499, etc. So I don't prefer this, as I don't want to touch my app.
    -- If I go with this option, do I have to register the URL with the Single Sign-On server through the SSO admin page (as mentioned in step #1 above)?
    3. SSO SDK
    - Since it was deprecated and needs Java coding, I prefer this option.
    -- However, if I go with this option, I will develop code using the SDK. In this case I need to register the URL in the SSO server through the admin page. Am I right?
    Note:- OSSO server integrated with Active Directory for the authentication.
    Thanks,
    -Senthil


  • Deploying OracleAS Single Sign-On Server Cluster setup with a Proxy Server

    I have a question regarding setting up an OracleAS Single Sign-On Server in cluster mode along with an Apache proxy server.
    Step 1 - I'm planning to install OracleAS Single Sign-On Server on two nodes, sso1.oracle.com and sso2.oracle.com, in a cluster. Both nodes in the cluster are accessed via a load balancer, i.e. sso.oracle.com.
    Step 2 - Then I'm planning to set up two Apache servers as proxy servers, i.e. apache1.oracle.com and apache2.oracle.com. These two Apache servers are accessed via a load balancer, i.e. apache.oracle.com.
    The questions I have are:
    1) While setting up the OracleAS Single Sign-On cluster I would provide the load balancer host, i.e. sso.oracle.com, as part of the install, so that all the user requests coming to sso1.oracle.com/sso2.oracle.com get redirected back to the load balancer.
    2) But as part of the Apache server proxy setup I am also supposed to redirect from the SSO server to apache.oracle.com.
    But using ssocfg.sh I can only provide either sso.oracle.com or apache.oracle.com, NOT BOTH.
    In this case what should I do?
    1) Avoid redirecting to sso.oracle.com and instead redirect only to the Apache server, OR are there any other methods to configure this?
    I have the above setup working fine in the DEV environment, where there is only one SSO server and one Apache proxy server. The problem really comes when I go to set up the OSSO server as a cluster; in this case I have to redirect to the load balancer as well as the proxy server?

    Why not use Web Cache clustering between the Apache servers and the two SSO servers?

  • How to install for Single Sign-on?

    Hello Community,
        When you install a SharePoint 2013 Server farm,
    how do you install the SharePoint 2013 Server farm
    so that it is set up for "Single Sign-On (SSO)"?
        Thank you
        Shabeaut

    Hi Shabeaut,
    Yes, in this case, if your users who are in a different domain are able to log in to SharePoint manually, you can enable the trust relation for all types
    of browser; here are the links you can follow.
    http://expressionsinweb.com/2011/05/17/allow-the-pass-through-of-window%E2%80%99s-credentials-to-sharepoint/
    http://blog.fpweb.net/sharepoint-credentials-prompt-quick-tip/#.VKHarl4B4
    And for understanding the concept of ADFS with SharePoint and what other claim provider to implement for SSO, see below.
    http://www.slideshare.net/thomasvochten/spsuk2013-adfs-sp2013
    Krishana Kumar http://www.mosstechnet-kk.com

  • Setting up BusinessObjects Enterprise 3.1 for Single Sign On with Xcelsius

    Hi all
    Does anyone have any documentation and/or whitepapers that document setting up BusinessObjects Enterprise 3.1 for Single Sign On with Xcelsius dashboards (Xcelsius accessing BusinessObjects universe data through QAAWS and Live Office)?
    Thank you for your help.
    Kind regards,
    Dean

    Based on the replies in this thread I'm guessing that there is someone out there that has gotten SSO to work with Xcelsius? If so could you please post the details of how that was achieved?
    When we purchased Xcelsius we were under the impression that it supported SSO but have never been able to get it to work and finally had SAP tell us that Xcelsius did not support SSO.
    Our understanding is that in order to bypass a login for Xcelsius you have to use QaaWS as the datasource and hardcode an enterprise id and password.
    LiveOffice supports SSO but not when it's used as a datasource within Xcelsius.

  • Can't find the security tab for group in Windows server 2012

    I can't find the security tab for a group in Windows Server 2012,
    but I can find it in Windows 2008 R2.
    So how do I display the security tab for a group in 2012?

    Click on the View menu and ensure that "Advanced Features" is enabled/selected.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Proper Folder Structure For CS6

    Hello there,
    I am seeing many recent examples from Adobe help that suggest a DPS project needs to have a folder/file structure that has separate files for both vertical and horizontal orientations. Since CS6 offers dual orientations, what exactly is the proper folder structure for the most recent release of InDesign/DPS?
    Please help clarify this kindly.
    Sincerely,
    Ken Harper

    Our newest file structure for multiple renditions in CS6, concerning the "import-impossible-bug", is:
    _Stack_1280x752
        000_cover
        001_toc
        002_article_1
    _Stack_1024x768
        000_cover
        001_toc
        002_article_1
    _Stack_1024x600
        000_cover
        001_toc
        002_article_1
    _Stack_480x960
        000_cover
        001_toc
        002_article_1
    _Links
        000_cover
        001_toc
        002_article_1
    We produce each new stack for a different rendition with alternate layouts but delete the old one within that file, so we can continue to use multi-stack import and sidecar.xml.
    The assets for all of the stacks are saved within the _Links directory so we don't need to duplicate the files.

  • Flash File for Single Sign On

    Hi,
    [disclaimer]
    I usually post in the ColdFusion forum so I am sorry if this
    topic should be moved into a different Flash section.
    [preface]
    I am trying to implement a single sign on solution between
    several sites that are located both within the same network and on
    external hosting services. I've tried several things with
    <iframe> and <img> tags to get a logged in environment
    established on each server - to no avail.
    [question]
    Can a SWF file be programmed to access a ColdFusion, ASP, or
    PHP page via an absolute path that would at minimum set a cookie on
    the computer for each of those sites?
    [example]
    I have one HTML page that has 5 <iframe> tags - each of
    a partner site. The URLs called in the <iframe> do nothing
    more than set a cookie of the UUID. I'd like a flash file that does
    the same - eliminating frames.
    Thanks in advance. Please let me know if more details are
    needed. Please do not offer alternatives - the situation is
    uniquely complex and I'd rather not go through all the whys and
    why nots - that's been the last 6 months of my life. I really just
    need to know if I can create a cookie from Flash for multiple sites
    without having the browser physically having to go there.

    Hi Kalyan,
    Did you use the SAML method for SSO?
    Thanks
    Santhosh

  • When we need to go for single sign-on in SAP-XI

    Hi,
       When exactly do we need single sign-on, and if we do not implement single sign-on in XI, do we get any problems while implementing the project?
    Regards
    siva

    Siva,
    SSO is used to avoid signing on with a password each time into your IR/ID, RWB or application system. Each and every time you log in to these systems you need to give a user name and password, but if SSO is enabled then it won't prompt you for the password. Once you enter the username it will log you in.
    No, you won't get any problems in XI if you haven't enabled SSO in XI. It's an additional feature, so it will not affect your implementation.
    -raj.

  • How to set custom HTTP header for single sign on

    Currently we have just begun to use an application called "etran". This application requires a user name and password to log in. Now, my assignment is to integrate the etran application into our internal application. This means that somewhere in our internal application, there is a link that leads to the etran application.
    It is going to be single sign-on; that means that once a user logs into our internal application, when he/she clicks on the etran link, no sign-on to etran is needed.
    I consulted with the technical people at etran. They said that our internal application needs to send a "login request" to etran via SSL with the user's information encoded in Base64 format. etran captures the HTTP header containing user authentication and authorization information, and parses the required information from the HTTP header.
    My question is, how do I set user information in the HTTP header? From my understanding, once I am able to set the user information in the HTTP header, it is in Base64 format?
    Thanks in advance for your help.

    sharon38_74 wrote:
    > they said that our internal application needs to send a "login request" to etran via SSL with the user's information encoded in base 64 format. etran captures the HTTP header containing user authentication and authorization information, and parses the required information from the HTTP header.
    > My question is that how I set user information in HTTP header? From my understanding, once I am able to set the user information in HTTP header, it is in base 64 format?
    Your application needs to act like a proxy. You can invoke an HTTP request programmatically using java.net.URLConnection. You can set request headers using URLConnection#setRequestProperty(). Also see the API docs: http://java.sun.com/javase/6/docs/api/java/net/URLConnection.html. You only need to know the header field name where to set the Base64-encoded value. You need to Base64-encode the value yourself.
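The proxy-side request the reply above describes, as an added example that is not code from the thread: the header name and the "key=value;key=value" payload layout are assumptions standing in for whatever etran's documentation specifies. Since Base64 is only an encoding, the receiving side can trust such a header only when it comes from the internal application itself (for example over a mutually authenticated connection), which is why the decode step below also validates the layout before anything is done with it.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Server-side "login request" to etran: the internal application, not the
 * browser, opens the HTTPS connection and carries the user information in a
 * Base64-encoded request header.
 */
public final class EtranLoginProxy {

    // ASSUMPTION: header name and payload layout are placeholders; the real
    // values come from etran's integration documentation.
    static final String HEADER_NAME = "X-Etran-User";

    /** Builds the plain-text payload, rejecting characters that would break the layout. */
    static String buildUserInfo(String username, String role) {
        for (String s : new String[] {username, role}) {
            if (s == null || s.isEmpty() || s.indexOf(';') >= 0 || s.indexOf('=') >= 0) {
                throw new IllegalArgumentException("user info contains a delimiter");
            }
        }
        return "user=" + username + ";role=" + role;
    }

    /** Base64 is an encoding, not encryption: anyone holding the value can read or forge it. */
    static String encodeUserInfo(String username, String role) {
        byte[] plain = buildUserInfo(username, role).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(plain);
    }

    /** What the receiving side does: decode, then validate the layout before trusting it. */
    static String decodeUserInfo(String headerValue) {
        byte[] raw = Base64.getDecoder().decode(headerValue); // IllegalArgumentException on bad input
        String plain = new String(raw, StandardCharsets.UTF_8);
        if (!plain.startsWith("user=") || !plain.contains(";role=")) {
            throw new IllegalArgumentException("unexpected user info layout");
        }
        return plain;
    }

    /** Opens the connection over https:// only, sets the header and returns the status code. */
    static int sendLoginRequest(String etranLoginUrl, String username, String role) throws IOException {
        URL url = new URL(etranLoginUrl);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("the login request must go over SSL");
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty(HEADER_NAME, encodeUserInfo(username, role));
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Offline round trip: encoded header value -> decoded, validated payload.
        String encoded = encodeUserInfo("jdoe", "reader");
        System.out.println(encoded + " -> " + decodeUserInfo(encoded));
        // A live call would be: sendLoginRequest("https://etran.example.invalid/login", "jdoe", "reader");
    }
}
```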

  • SAP Security Report for single and composite roles

    Hi
      I have a requirement to create a customized report in SAP Security.
    I have to display composite roles, the corresponding single roles, the tcodes assigned to those single roles and the description of the t-codes. The selection screen has composite role, single role and T-code, which are optional. The user can enter a selection in any of the selection criteria. How should I go about this? If the user gives only composite roles on the selection, e.g. 'TEST', for this role I get, suppose, 3 child roles 'TEST1', 'TEST2', 'TEST3' from table AGR_AGRS. Now to get the tcodes I go to table AGR_1251 and I get the tcodes.
    But if the user gives only a single role on the selection, e.g. 'TEST2', for this single role 'TEST2' there would be multiple composite roles, e.g. 'TEST', 'SAP1', 'SAP2', etc. Now if I go to get the tcodes for this single role in AGR_1251, I will certainly get the tcodes, e.g. MM01, FB01, etc. But then how would I know whether MM01 belongs to composite role 'TEST', 'SAP1' or 'SAP2' for the single role 'TEST2'?
    Please advise.
    Thanks
    Edited by: Julius Bussche on Aug 13, 2009 4:52 PM
    Subject title improved

    I thought of separate selection options for singles and composites, but you also said:
    > But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.
    My suggestion would be to build better single roles, but that is just me...
    Cheers,
    Julius

  • Using API's for Single Sign On

    Hi,
    we are trying to develop the single sign-on feature for our site. We have used the WWSEC_API APIs for this. It creates a portal user with the add_portal_user method in the table WWSEC_PERSON$ fine, but with the same user name and password we are unable to log in.
    Any help??

    When I use the following code to create a new user:
    declare
      v_user portal30_sso.sso_user_type;
      v_err  varchar2(4000); -- declaration missing from the original; the type is an assumption, check the package spec
    begin
      portal30_sso.wwsso_ls_private.get_default_user_config (v_user);
      v_user.ssousername := 'NEWUSER';
      v_user.hashed_password := 'secret';
      v_user.ssorole := 'USER'; -- ordinary user. Use 'FULL' for an admin.
      -- the original call was missing its parentheses and terminating semicolon
      portal30_sso.wwsso_ls_private.ls_create_user (
        p_newuser => v_user,
        p_err => v_err
      );
    end;
    I get the following error:
    ORA-06510: PL/SQL: unhandled user-defined exception
    ORA-06510: PL/SQL: unhandled user-defined exception
    ORA-06512: at "PORTAL30_SSO.WWPRO_API_NODE_REGISTRY", line 231
    ORA-01403: no data found
    ORA-06512: at "PORTAL30_SSO.WWCTX_SSO", line 501
    ORA-06512: at "PORTAL30_SSO.WWCTX_SSO", line 514
    ORA-06512: at "PORTAL30_SSO.WWCTX_API", line 56
    ORA-06512: at "PORTAL30_SSO.WWSEC_PERS_BRI_TRG", line 15
    ORA-04088: error during execution of trigger 'PORTAL30_SSO.WWSEC_PERS_BRI_TRG'
    ORA-06512: at "PORTAL30_SSO.WWSSO_LS_PRIVATE", line 2168
    ORA-06512: at "ATS.CREATE_USER", line 128
    ORA-06512: at line 8
    DAD name: portal30
    PROCEDURE : ats.create_user.self_register
    URL : http://mycnn4.us.oracle.com:80/pls/portal30/ats.create_user.self_register
    PARAMETERS :
    ============
    p_username:
    tom
    p_password:
    tom
    p_password_confirm:
    tom
    p_email:
    tom
    Has anyone had this problem?
    thanks,
    anu

  • Can Adobe Media Server 5.3 communicate with Shibboleth or ADFS for single sign on?

    I work at a university and was wondering if this is possible, thanks.

    Moving this discussion to the Adobe Media Server forum.

  • What is default user and password for Single Sign On

    When I try to run a test.rdf report (that comes for demonstration purposes), a page appears which asks for the SSO user and password.
    I tried all user IDs and passwords that I have used so far during installation. But none works. Please give me a hint about it.

    Hi,
    If you would like to turn off the SSO for Reports, you can edit the Reports server's .conf file. For some reason, Oracle enabled SSO by default for Reports.
    You can access this file through OEM, or you can hand-edit it. It is located at ORACLE_HOME\reports\conf\<rep_server_name>.conf. (Make a back-up first just in case).
    Scroll down about a third of the file until you locate the <security>...</security> section.
    Delete this section, save the file (and run dcmctl updateconfig if you hand-edited the file), and restart the OC4J_BI_Forms instance.
    You will no longer get the SSO sign-in page when you run a report.
    HTH,
    Jim

  • Should i use secure sockets for my whole client/server application?

    Hi,
    I have a client/server application, and I want to ensure that the login process is secure (i.e. use secure sockets), but I don't know how to switch back to a normal socket once that is done.
    So I am left thinking that I should just use SSL for my whole application, which can last pretty long. But I would rather not. Is there any other way of doing this?
    Or should I just encrypt the login info using MD5 or something like that, then send it over an insecure socket?
    thanks!

    Hey,
    Are you sure you haven't confused JGSS with JSSE?
    Imagine you have a client-server system and you sometimes want data sent over the wire to be encrypted... JGSS offers you this flexibility; if you want an encrypted transmission, run it through JGSS before transmitting it; if you don't want an encrypted transmission, bypass JGSS and just send the transmission.
    The benefit is the security (encryption) isn't hard-wired into your communications protocol, i.e. TLS. JGSS has nothing to do with connections; it is just a protocol for securing messages, not sending them.
    You would need to establish the secure context, but this could be done at startup and persist for the duration of your application invocation. You perhaps might need to implement a mechanism to identify encrypted messages on the receiving peer (so it knows to attempt decryption).
    Admittedly, Kerberos seems like one of those 'inside-joke' things. I've come to realise if you don't have some sort of Kerberos realm/server against which to authenticate, you need to swap it out as the underlying mechanism. How this is done I'm not sure yet, but I intend to find out today....further down the rabbit hole I go!
    If I discover anything helpful, I will let you know.
    Warm regards,
    D
