Queries regarding Single Sign On
Hi Experts,
I am new to Single Sign On and have few doubts
1)For OAM to implement single sign on across multiple applications , is it mandatory that the identity store of OAM and the application to be the same.Is it possible that the applications have their own identity store and OAM has its own and users in both the identity stores are in sync?This scenario comes into picture where for some applications the identity store is database
2)If the first point is correct then for protecting OIM using OAM 11gR2 why do we need to enable ldap sync? can we have database as the user store for OIM and for OAM have a LDAP server for exmaple AD and then use AD connector to make sure that any users getting created in OIM is autoprovisioned to AD
Request you to please clarify my below doubts
Hi,
1) No, It is not necessarily to be same identity store for OAM 11g and the applications that need to be protected. It can be different. This is the feature in OAM11g, where you can have multiple Identity stores mapped to your authentication modules.
Yes, it is possible to have own identity store for the applications.
Oracle provides inbuilt authentication modules only for LDAP, Kerberos and X.509. If you want OAM to authenticate against Database then you need write your own Database Authentication Module.
Clients will always prefer Out of the box functionalities as there might not be support provided if any issues faced. If client want to built in their own mechanism then oracle will not support.
That's why most of them goes for Ldap Sync which is inbuilt functionality.
2) You can build your own Authentication module for OIM. Again it is time consuming process to decide on the Error Handling and the logic to build the module. It is better to go LDAP Sync.
Hope this clarifies.
Similar Messages
-
How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication
Identity provider here is Oracle identity provider
harika kakkireniHi,
The following materials for your reference:
Consuming List.asmx on a claims based sharepoint site
http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
Sharepoint Claims based authentication and Single Sign on
http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
Sharepoint Claim Based Authentication Web Service issuehttp://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
Best Regards
Dennis Guo
TechNet Community Support -
How to integrate Single Sign-On and JSF?
Hi all,
We are going to develop a web application using Oracle technologies, including ADF and JSF.
But we´ll need to secure our website using Oracle Identity Manager (Single Sign-On). I am having difficulties to find any resource explaining how to do that.
Also, the IM (SSO) will run on a Oracle AS instance and our web app (ADF+JSF) will run on a separete OC4J instance, due to ADF version. Is this a problem?
ThanksWe too are in the process of implementing iStore with SSO features.
And if you believe me it seems to me as nightmare.
In our scenerio we are intgrating this SSO with Third party access control too (AD and Siteminder). I would request you to please respond me on the following mail id , so we can share our experince which will help us in our implementation
[email protected]
regards and thanks in advance
Vikas Deep -
OAM 11g Single Sign-On and OAM 11g Cookies
Hi all,
I need to know following,
is it possible to get the username and password from the OAM 11g + IIS Webgate cookies and forward the same to the application for further authentication? is there any way to decrypt the cookie and use the information in the application?
Regards.Yes , you can get the user password ,but for that you will have to write a custom plugin , else it is not possible.
Refer step number 9 in the blog Single Sign on with Oracle Access Manager: Creating a Custom Authentication Plugin -
Active Directory, single sign-on and SRM Users
We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
- My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
- Single sign-on will not at this point be used for our SAP ECC 6.0 system
My questions are:
1. If active directory is being used do we need to create actual users within the SRM system?
2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
Many ThanksHi Claire,
The Single Sign On work only if user exist on every systemes.
For example :
If you connect trough portal to access ECC and SRM, your user id must exist in ECC and SRM.
For Active Directory you can synchronize your user table to AD by using LDAP option.
The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
Finally use the SSO certificate between Portal ECC and SRM.
Regards,
Gilles SEBBAG
Sap Technical Consultant. -
Oracle Application Single Sign-On
Dear All,
We have a requirement that there should be single sign-on for the users to use both the Oracle and non-Oracle Applications. We are using Oracle Application Server 10g at the back end.
How to enable single sign-on. Is there any tool that we need to install.
Pls guide us as we are entirely new to this process.
Regards,
RajaniHi,
You need to install and configure Oracle Internet directory and Single Sign On compontents of Oracle Application server 10g in order to have the Single Sign On working with Oracle Applications. After the Oracle Application Server Infrastructure tier installation there is addition integration steps you need to follow to integrate the Single Sign on with Oracle E-business suite. You can use DIP features ( Directory Integration and Provisiotion) to integrate with Third party directory server like Micrososft AD, Sun directory server etc. for Integrating the non oracle based application i think you have to use oracle single sign on API and you need to do bit of coding as well. You can also enble single sign on for database users but this requires advance security option enabled on the Database side and finally you can integrate Single sign on for OS users as well.
Raj -
Oracle Single Sign on and Oracle Internet Directory
Hello Gurus,
What is the relationship between Oracle Single Sign on and Oracle Internet Directory.
To my understanding, OID is required to install SSO.
If OID already exist, can we just install SSO and go on integrating it to existing OID.
Great Thanks,
vimal jain.
[email protected]Hi Tim,
I've been working on this and could reproduce the issue with anonymous binds. A fix will be ready in 4.2.1.
So what I really need is the password used for login to pass to the is_member call.The P101_PASSWORD item does not save state. However, you can access the value during submit processing of the login page, for example in the post authentication function of your authentication scheme. People sometimes put code in there to query the user's groups (e.g. with apex_ldap.member_of2) and save them in an application. This item value can then be used in the authorization schemes.
Regards,
Christian -
Single Sign-on and PORTAL30 DAD
What I've done:
1) Setup up PORTAL30 DAD with Single Sign-on
2) Created schema called JOHN with "hello world" procedure call TEST
3) Grant execute on TEST to PORTAL30
4) Goto http://<servername>/pls/portal30/john.test
5) Receive "Procedure Doesn't Exist" error
6) Change DAD from single sign-on to Basic authentication
7) Repeat Step 4 with no problemsHi Derick,
I want to make our discussion into 2 parts
1) Sign on
2) Viewing data based on the Heirarchy
1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
2) We can make the second point possible in two ways One is with providing restriction at universe level
and the other one is through the use of flash variables.
Using flash variables:
The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
I hope this is what you ar looking for....
If so i have more points to acheive such scenario.
Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
Regards,
AnjaniKumar C.A. -
Single Sign On and URL's generated from SolMan
Is it possible to generate single sign on URL's from Solution Manager - or more clearly is it possible to generate URLs to documents that will take advantage of Single Sign On that has already been setup?
Thanks
- JackieHello Jacqulyn,
What do you mean by generating SSO URL ? Do you mean you want to developp code that generates this URL or using a standard functionality ?
Best regards,
Stéphane. -
Hello,
we realized single sign on on our mac machines. It runs great. Now i want to combine it with our SAP logon groups. There's an error that he cannot find the KDC. Where's the problem? Is it nit possible to combine groups with using snc?
We set the followign connection string:
SAP Prod: conn=/M/sapmachine.firma.de/S/1234/G/example_group&sncon=true&sncname=p:[email protected]&sncqop=9Hi Derick,
I want to make our discussion into 2 parts
1) Sign on
2) Viewing data based on the Heirarchy
1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
2) We can make the second point possible in two ways One is with providing restriction at universe level
and the other one is through the use of flash variables.
Using flash variables:
The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
I hope this is what you ar looking for....
If so i have more points to acheive such scenario.
Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
Regards,
AnjaniKumar C.A. -
Hi - we're trying to implement a VPD on our company database at the moment and were wondering if a single sign-on architecture on our middle tier could be successfully tied to a VPD on the database tier. We have a number of clients, both internal and external, who will be accessing the database via the web and we need to control who sees what. Could you advise on the feasibility of this approach? Thanks
Hi Derick,
I want to make our discussion into 2 parts
1) Sign on
2) Viewing data based on the Heirarchy
1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
2) We can make the second point possible in two ways One is with providing restriction at universe level
and the other one is through the use of flash variables.
Using flash variables:
The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
I hope this is what you ar looking for....
If so i have more points to acheive such scenario.
Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
Regards,
AnjaniKumar C.A. -
Single sign-on and custom DBLoginModule
Hi,
I need help in making sso work. I have Application Server version 10.1.3.1.0, I've developed application in JDeveloper 10.1.3.3. that uses form based login and when deployed to server I can normally login/logout. Now I want to enable single sign on, so I've changed security provider of javasso to the one I'm using in my application (oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule) and started javasso, added my application to participating applications, and restarted the instance.
When I try to access my application, login page of javasso is shown but I cannot login, always get incorrect username/password. The strange thing is that logs are empty, so i guess that dblogin module is never fired.
Also I've changed my login method so it supports identity callback, like described in here .
This Re: Custom Login Module and JavaSSO said that orion-application.xml of my application and javasso should be the same, I haven't figured out what should I do with javasso orion-application.xml and how sould it look like.
this is orion-application.xml of my application
<?xml version = '1.0' encoding = 'windows-1250'?>
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
<library path="./adf"></library>
<jazn location="./jazn-data.xml" provider="XML"/>
<data-sources path="./data-sources.xml"/>
<jazn-loginconfig>
<application>
<name>secure-web-app</name>
<login-modules>
<login-module>
<class>oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule</class>
<control-flag>required</control-flag>
<options>
<option>
<name>data_source_name</name>
<value>jdbc/WMSPortalDS</value>
</option>
<option>
<name>debug</name>
<value>true</value>
</option>
<option>
<name>plsql_procedure</name>
<value>PK_SECURITY.GET_USER_AUTHENTICATION</value>
</option>
<option>
<name>log_level</name>
<value>ALL</value>
</option>
</options>
</login-module>
</login-modules>
</application>
</jazn-loginconfig>
</orion-application>this is orion-application.xml of javasso
<?xml version = '1.0' encoding = 'utf-8'?>
<orion-application
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"
schema-major-version="10"
schema-minor-version="0"
component-classification="internal">
<security-role-mapping name="{{PUBLIC}}">
<group name="{{PUBLIC}}" />
</security-role-mapping>
<jazn provider="XML">
</jazn>
</orion-application>Please help, this is very urgent to me, all advices and guide lines are more than welcome.
Thanks in advance,
Tomislav.To be clear maybe someone will help.
I have a cluster topology, with one application server and 3 oc4j instances.
I've done following steps and without success, on my test instance:
1. Deployed application with custom DBLogin (I'm using: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule)
2. Sucessfully login / logout -> so I guess DBLogin is working fine
3. Stopped the java sso application
4. Changed the javasso Security Provider to my custom DBLogin with following parameters:
class: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule
data_source_name - jdbc/WMSPortalDS
log_level - ALL
plsql_procedure - PK_SECURITY.GET_USER_AUTHENTICATION
debug - true
5. Added Connection Pool and Data Source in javasso Administration -> JDBC -> tested connections and it was sucessful
6. Started javasso application
7. Then I went to Java SSO Configuration -> Participating applications -> checked my application
8. Restarted instance
9. Try to login -> invalid username / password
In enerprise manager Log files -> javasso -> there are only messages regarding starting and stopping application
Questions:
1. orion-application.xml for javasso -> what exactly needs to be specified inside, currently I have following:
<?xml version="1.0"?>
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd" deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" component-classification="internal"
schema-major-version="10" schema-minor-version="0" >
<web-module id="javasso-web" path="javasso-web.war" />
<security-role-mapping name="{{PUBLIC}}">
<group name="{{PUBLIC}}" />
</security-role-mapping>
<persistence path="persistence" />
<jazn provider="XML">
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
</jazn>
<log>
<file path="application.log" />
</log>
<data-sources path="./data-sources.xml" />
</orion-application>2. orion-application.xml for my application
<?xml version="1.0"?>
<orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd" deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" see-parent-data-sources="false" component-classification="external"
schema-major-version="10" schema-minor-version="0" >
<web-module id="Portal" path="Portal.war" />
<persistence path="persistence" />
<library path="./adf" />
<jazn provider="XML" location="jazn-data.xml" default-realm="jazn.com" >
<property name="custom.loginmodule.provider" value="true" />
<property name="role.mapping.dynamic" value="true" />
<jazn-web-app auth-method="CUSTOM_AUTH" />
</jazn>
<log>
<file path="application.log" />
</log>
<data-sources path="./data-sources.xml" />
</orion-application>3. How to get any information into logs, I cannot find out what I'm doing wrong since there's no output in logs for javasso and my application.
Please help, I'm really stuck and I have to resolve this as soon as possible.
Thanks in advance,
Tomislav. -
Single Sign-on and SSL problems
We are using WebLogic Portal and Server (version 8.1 SP3). We want to have a single sign-on when entering the portal, so that users do not need to reauthenticate each time they access an application via an applet in the portal. We also want to protect the username/password authentication and all other connection information using SSL. We have applications in multiple domains.
When not using SSL, SSO works okay. We are challenged for username/password exactly once, whether we access the Portal, or an application directly. As soon as we enable SSL, we are challenged repeatedly, and in some cases cannot access the applications at all, as the challenge always fails.
We suspect that there is a Session cookie problem and that something is clobering the cookie and thus breaking the session. Does anyone have any idea on what might be causing the problem?Hi Derick,
I want to make our discussion into 2 parts
1) Sign on
2) Viewing data based on the Heirarchy
1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
2) We can make the second point possible in two ways One is with providing restriction at universe level
and the other one is through the use of flash variables.
Using flash variables:
The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
I hope this is what you ar looking for....
If so i have more points to acheive such scenario.
Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
Regards,
AnjaniKumar C.A. -
Single Sign on and Protect URL step
Hi,
I have successfully installed Oracle Internet Directory, Identity Server, Web Pass, Policy manager, Access Server and WebGate (attached to Oracle HTTP Server from Oracle Management Infrastructure).
My questions are:
- How do I protect URL so the user will need to login to access certain URL?
- How do I enable single sign on and test it?
- What are the general steps involve to enable URL protection (so if the url is protected it will prompt for username and password) and single sign on using Oracle Internet Directory?
Kindly help me if anyone know a solution or can point me to the right documentation. I have tried to read Oracle Access Manager - Access Administration Guide, but keep getting confused.
Thanks.
Regards,
AlfonsoHi,
You can follow Oracle Access Manager Integration Guide (10.1.4.0.1) B25347-01, chapter 4, to achieve this. This document will answer most of your questions.
Regards, -
Single Sign-On and Data Visibility Rights
Hello,
I was wondering whether anyone has any best practices for implementing single sign on and user identification with Excelsius.
More specifically, I need to interrogate user role, and limit certain data visibility based on that role.
For example, a sales rep may only see certain data for their own territories, but the regional and national managers can see more.
With the emphasis in improving enterprise integration with the new version coming up, I'm also wondering if there are any improvements included for this aspect.
Thanks in advance.
DerickHi Derick,
I want to make our discussion into 2 parts
1) Sign on
2) Viewing data based on the Heirarchy
1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
2) We can make the second point possible in two ways One is with providing restriction at universe level
and the other one is through the use of flash variables.
Using flash variables:
The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
I hope this is what you ar looking for....
If so i have more points to acheive such scenario.
Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
Regards,
AnjaniKumar C.A.
Maybe you are looking for
-
Any way to get CPU-seconds for process or a thread from within my app?
I'm trying to guage the work by different processes within our application. I'd like to be able to get the number of CPU-seconds before a long task and then again after the task finishes and compute the difference. I'm sure I could poll the % CPU eve
-
Hi, I have a problem to transfer a XML file content to a MS SQL database by a given/fixed stored procedure. I'm able to transfer the content of the file by using following method ... hstmt = DBPrepareSQL (hdbc, EXEC usp_InsertReport '<Report> ..... <
-
Document table and paragraph with POI
Hi wrotten the following program in order to read paragraph and tables in a word document: * To change this template, choose Tools | Templates * and open the template in the editor. package prezziarioreader; import org.apache.poi.hwpf.HWPFDocument; i
-
How to capture Field validation errors in the Error table in ODI 11g
Hello, We are using ODI 11g (11.1.1.5) and the scenario is to read the data from a flat file (.txt) and do a bulk insert into MS SQL Server database table. We need to capture the error records (if the source field size is greater than the target colu
-
Web service design trade-offs (TCP read mode vs headers)
If I use HTTP headers, I can stimulate and monitor my LV RT code from a web browser while my PC-based LV code is also talking to the LV RT app. Sometimes, however, the header is the only part that is returned by the web service. In order to fix thi