Simple SSO

I am trying to use the following, so far with no success:
- Apache 2.0.x
- WebAgent Plugin (Netegrity SiteMinder product)
- BEA WebLogic Portal Server
I am trying to replace a JBoss/Liferay installation with the WebLogic Portal Server (GroupSpace style) application and am running into a bit of configuration issues.
I would like the authentication of a user to happen at the HTTP server layer through the combination of the Apache HTTP server and the WebAgent components. I would now like WebLogic to pull the "uid" token from the HTTP header to use as the login identifier. It is critical to keep the WebAgent installation rather than using the built-in plugin in WebLogic, due to SSO constraints and sharing SSO context across applications.
Could someone supply a way for me to configure the WebLogic server to use this, or is my only conclusion to write a custom LoginModule as the documentation seems to indicate?
Thanks
Eric
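The design Eric describes (Apache plus WebAgent authenticate, the application reads a "uid" header) only holds if the application accepts that header exclusively from the front-end tier, because any browser can send a header named "uid" too. The following is an added example, not code from the post, from SiteMinder or from WebLogic; it shows the two checks in plain Python. The trusted network 10.10.0.0/24, the header name "uid" (taken from the post) and the uid syntax are assumptions for the demonstration.

```python
import ipaddress
import re
from typing import Dict, Optional

# Assumptions (not from the original post): the Apache/WebAgent tier lives on this
# network, and the WebAgent writes the authenticated identity into a header named "uid".
TRUSTED_FRONTEND_NETS = [ipaddress.ip_network("10.10.0.0/24")]
IDENTITY_HEADER = "uid"
UID_PATTERN = re.compile(r"[A-Za-z0-9._-]{1,64}")   # assumed directory uid syntax


def strip_identity_headers(client_headers: Dict[str, str]) -> Dict[str, str]:
    """Apache-tier step, run BEFORE the WebAgent sets its own header: drop any
    identity header a browser supplied so the client cannot pre-seed it."""
    return {k: v for k, v in client_headers.items() if k.lower() != IDENTITY_HEADER}


def asserted_user(headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Application-tier step: return the asserted uid, or None if the request
    did not arrive from the trusted front end or the value is malformed."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_FRONTEND_NETS):
        # Someone bypassed Apache and hit the app directly: ignore whatever they sent.
        return None
    uid = next((v for k, v in headers.items() if k.lower() == IDENTITY_HEADER), None)
    if uid is None or not UID_PATTERN.fullmatch(uid):
        # Missing, too long, or containing characters that could smuggle a second header.
        return None
    return uid


if __name__ == "__main__":
    # Constructed requests: one via the front end, one forged straight at the app.
    print(asserted_user({"uid": "eric", "Host": "portal"}, "10.10.0.5"))    # eric
    print(asserted_user({"uid": "admin", "Host": "portal"}, "203.0.113.9"))  # None
```

The check on the peer address assumes the application tier is reachable only through the front end on a network boundary you control; if the agent host could be impersonated on that network, a mutually authenticated TLS channel between Apache and the application would replace the address check.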

I see that this is what happened - loadsdk needs to create those
packages under the partner app schema. This is correctly
described in the install text and now works well.

Similar Messages

  • Question about SSO in a JSF app

    Hello everyone. We're building an app using ADF Faces and EclipseLink. Maybe this question is in the wrong thread but I could not find a more suitable thread.
    We've already configured basic security: an Active Directory provider in WLS 10.3 and FORM based authentication in the app. And this config works fine. But we need to add simple SSO (single sign-on) to our app besides the current config.
    As I know we can obtain the Windows OS current user login using an ActiveX element on the page. For example:
    <body>
    <script>
    document.write(new ActiveXObject("WScript.Network").UserName)
    </script>
    </body>
    I know that this will work in IE browsers only and we should add the app's domain to the trusted list, but this is what we need.
    As I see it we need something like this: if a user is trying to access a certain page (which is not secured by the web app config) where there will be an ActiveX element, he will be authenticated via his current OS username and redirected to the index page. But if he first accessed another page, he will be redirected to the FORM login page.
    Could you tell me how to get the output from ActiveX and then use it to authenticate?

    It would be undesirable to change from app's current security config (container-based authentication), because we use Oracle proxy functionality and in our EJB session beans we need to get callers login (with container-based authentication it is rather simple).
    I've managed to pass the current OS user login from an ActiveX object on page to backing bean. But now I need to authenticate in container using this login (I don't have password). Is this possible? I've searched a lot, but still I don't see the answer.

  • Apex as Partner App using OID SSO

    Hi
    I have setup Apex as a partner App in OAS.
    Registered the partner application.
    Created a simple app that uses the builtin Apex auth as partner app using sso.
    I get the OAS login appearing as expected for authentication; however, upon entering credentials successfully
    the success URL takes me to server:7777/sso/auth and displays "page cannot be found".
    My OAS Partner App success URL registered is server:7778/dad/apex/wwv_flow_custom_auth_sso.process_success
    app schema registered details
    My lsnr token is HTML_DB:server:7778
    other details cut and copied from the OAS registration page.
    lsnr login URL is the OAS SSO login URL; is this correct?
    It appears to work apart from the success URL finding its way back to my app.
    TIA
    Richard.

    Hello all,
    I'm having somewhat of a similar issue, but I think our setup might be making it a bit more complex.
    First question, simple one:
    1.
    In my authentication method in my APEX app, when I set my logout URL to http://{myhost}:{myport}/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://www.google.com
    it doesn't automatically redirect. I have to press the Return button on the OAS Single Sign-Off page to redirect to www.google.com.
    Is the redirect not automatic? Is there a way to make it automatic?
    2.
    We have the issue where you log in via SSO into an APEX application (APEX as a partner app). But the logout URL does not truly log the user out. It redirects to our public page as we expect it to, but when they press the login button, it just goes straight back in (as if they were never logged out).
    Now I know this has to do with the cookie, but here's the tricky part.
    Our OAS server (that has Portal) is on a separate box. We've upgraded all our database servers, and they all now have a different domain than the OAS server. So now, OAS is in the company1.com domain and our APEX apps are on company2.net domains.
    Our DBA had set us up with his own flavor of SSO logout (a public synonym for all APEX workspaces to use). He has an actual database procedure that used the owa_cookie package to look for the cookie and invalidate it on logout. With the new domains, his logic no longer works, because I believe the cookie is still in the company1.com domain and the logout procedure is running from the company2.net domain and cannot find the cookie (since it's not in its domain).
    After all that, I am thinking that since we can successfully log in to SSO in the company2.net domain via the OAS server, then we should also be able to log out of SSO successfully via the OAS server as well. Am I on the right track here? Is it possible with multiple domains?
    Thanks,
    Chris
    Edited by: CDub on Oct 19, 2009 1:55 PM

  • Developing for a Oracle Application Server with SSO

    Hello there,
    I'm developing an application (Java) that will be deployed as a partner application within an Oracle Application Server 10g at my client. This Oracle instance has SSO already configured, and my app will use this Identity Manager (consuming the cookie). The problem is that at my company we don't have an SSO system configured, not even an Oracle Application Server, just a simple Oracle XE 10g to hold data. So I'm wondering how I can develop my application and test it.
    I was looking forward to installing an OAS and configuring SSO to validate my implementation, but the download link provided by Oracle is broken (http://www.oracle.com/technology/products/ias/index.html). Another alternative that I thought of was to install an OC4J and configure a Java SSO to simulate the behavior of OSSO, and make my app consume the cookie set by it. But OC4J supports only up to Servlet 2.4 and my app is using 2.5...
    And to complete the picture, I cannot access my client's environment. I'm supposed to write a deployment document telling him how to deploy my app and then try to access it through the Internet.
    Does anyone have an idea of how I can develop and test my app in my company's environment?
    Thanks in advance,
    Bruno Krebs.

    Apache 2.0 based OHS is located in Oracle Application Server Companion CD.
    Pavna

  • How to know if user (session) is authenticated in other application (SSO)

    Hi folks!
    We've deployed various J2EE applications in some OC4J instances. So far the applications used SSO authentication against OID (LDAP), but we need a public access application.
    The problem is the following: we need a different behaviour in this last application (without authentication characteristics) depending on whether the user is authenticated within another application that required SSO login.
    How could I check if the current user (session) is authenticated against SSO, for example, in an ADF-STRUTS DataAction class?
    We tested the getRemoteUser() method but it only works within the applications requiring login.
    Please, could anyone guide me?
    Mike
    Thanks!

    Hi,
    Oracle AS Single Sign-On stores some of the attributes of an authenticated user in a browser cookie; the name of the cookie is SSO_ID.
    You cannot get any information from this cookie. The cookie is available only to Oracle AS Single Sign-On and is meant to be used only by it. You cannot read any useful information from the cookie as it is highly encrypted.
    If you need to know the name of the currently logged in user, your application should be a Partner Application or an External Application to Oracle AS Single Sign-On.
    The reason is simple: you can use your browser to connect to many websites protected by Oracle AS Single Sign-On. Thus, if your application isn't a Partner or an External Application registered with SSO, your application can't establish a context.
    Hence, your application needs to be registered as a Partner Application or an External Application with SSO.
    An application which is not registered with SSO cannot get the user information from SSO. The getRemoteUser() method would always return null in such cases.
    Regards,
    Sandeep

  • SSO (trusted authentication?) not working after update SAP BO 4.0 to SAP BO 4.1

    Dear experts,
    After updating SAP BO 4.0 SP05 to SAP BO 4.1 SP04 we have a problem with SSO to http://<boserver>/BOE/BI.
    Our environment:
    SAP BO 4.1 running on AIX 6.1, integrated Tomcat 7, one server (no cluster)
    In fact, Tomcat is able to communicate with AD; in debug mode I see
    [DEBUG] Mon Aug 04 14:57:23 CEST 2014 jcsi.kerberos: ** credentials obtained .. ** messages.
    BUT after opening http://bodev.vse.sk/BOE/BI the logon page of BI launchpad comes up, no SSO action.
    Our custom properties files:
    global.properties
    sso.enabled=true
    trusted.auth.user.retrieval=REMOTE_USER
    siteminder.enabled=false
    vintela.enabled=true
    idm.realm=AD.VSE.SK
    idm.princ=krbbod
    idm.allowS4U=true
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties
    idm.keytab=/home/bodadm/keytab/krbbod.keytab
    BIlaunchpad.properties
    authentication.visible=true
    cms.visible=true
    sso.types.and.order=vintela
    (last line I added after reading some discussions, but it didn't solve the problem)
    After update I've generated the new TrustedPrincipal.conf and saved it into /usr/sap/sap_bobj/enterprise_xi40/aix_rs6000 (also using -Dbobj.trustedauth.home=/usr/sap/sap_bobj/enterprise_xi40/aix_rs6000 in JAVA_OPTS), but it didn't help.
    Before update to 4.1, SSO was working without problems.
    Can you help me?
    How can I be sure, that tomcat is passing the correct username and using the shared secret from TrustedPrincipal.conf when logging to CMS? Is it possible to debug it?
    Best regards,
    Slavomir Kysel

    Hello Raunak,
    QUERY_STRING was working fine, so I saw that trusted authentication and TrustedPrincipal.conf are OK.
    I activated the trace log for BI launch pad and checked what's going on during SSO logon.
    After some playing with parameters and reading discussions of similar problems I came to a conclusion and finally solved my SSO problem. The magic word is trustedVintela.
    Here are my new properties files:
    global.properties
    #sso.enabled=true
    #trusted.auth.user.retrieval=REMOTE_USER
    #siteminder.enabled=false
    #vintela.enabled=true
    idm.realm=AD.VSE.SK
    idm.princ=krbbod
    idm.allowS4U=true
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties
    idm.keytab=/home/bodadm/keytab/krbbod.keytab
    BIlaunchpad.properties
    authentication.visible=true
    authentication.default=secLDAP
    sso.types.and.order=trustedVintela
    The legacy SSO settings in global.properties are no longer needed when using the new parameter sso.types.and.order=trustedVintela in BIlaunchpad.properties.
    This is working SSO configuration on our installation: SAP BO 4.1 SP04 Patch1 on AIX, authentication secLDAP, trusted authentication is enabled.
    Best regards,
    Slavomir Kysel

  • SSO and IIS 7.5

    Does anyone have advice on how to configure JBoss 7.1.1.Final to successfully enable SSO using IIS 7.5 with integrated windows authentication. This used to be a simple process on CCP 9.3.2 but I've had no luck configuring JBoss 7.1.1.Final to use the SSO. The logs just always say the "LoginId not found for SSO in HttpHeader".
    I've successfully setup the redirect from IIS using the isapi filter to connect to the CCP application but have not gotten any further.
    I believe the standalone-full.xml file needs to be altered in someway to enable the SSO, any ideas?

    Hi
    We have resolved this issue, this is a known bug with JBoss 7.1.1 where the headers aren't passed through correctly. TAC had provided us with a patched version of the JBoss JAR file to resolve this.

  • Access to Guest Folder requires login when accessed from Portal/SSO

    We have wired XML-P to use OID and then registered it as a Partner Application in our Portal/SSO server (which also uses the same OID instance). All works well except now when we try to access the Guest folder from within Portal the SSO login screen pops-up. We have created a very simple HTML/URL portlet that points to the Guest folder and the idea is for users to have Public/anonymous access to this folder. Any ideas?

    Hi,
    You can try to enable "Turn on password protected sharing" in Network Sharing Center. After that, only people with a user name and password on the computer will be able to log into shared network folders.
    Another workaround method you can try:
    Open Run, type rundll32.exe keymgr.dll, KRShowKeyMgr, then Press
    Enter.
    In the prompt dialog, choose and delete the user account used to network sharing.
    Roger Lu
    TechNet Community Support

  • SSO logout question

    Good day gentlemen,
    I'm having a little problem with the SSO built-in authentication scheme. I've created a simple application to test it, and enabled the built-in authentication scheme, Oracle Application Server Single Sign-On (Application Express as Partner Application).
    - Everything runs fine; when I access the app, the login page configured in SSO shows... but when I log out from the created application it doesn't work correctly: I just enter the app URL again and gain normal access to it.
    My question is: do I have to create a logout function to invalidate the session?

    Edson,
    There's some discussion here and some good tips from Anton: SSO authentication and another post here, which stresses the importance of first identifying your objectives, as a logout URL in an SSO setup must be constructed so that it does what you want it to do: Logout URL for 9iAS SSO Partner App .
    Scott

  • SSO using Windows Active Directory but without EP or Java stack

    Good morning and thank you in advance for your help.
    The question is:
    our environment includes windows domain with Active Directory, ECC 6.0 ABAP (DEV, QAS, PROD), BW 7.0 (DEV, QAS, PROD) only ABAP stack.
    I would like to know if we can enable SSO using only this configuration without introducing EP or Java stack.
    Best regards
    Max

    Hi Willi,
    It won't be that easy to understand each other... as my English is not that good either.
    Most of the points introduced in the SAP help link are automatically performed by sapinst.
    Almost all my customers running on MS are not using an AV, and don't get into trouble either...
    but no user ever connects to the SAP server, only admins, for maintenance purposes, or the SAP admin when needed...
    Internet Explorer should not be used on a server; MS itself says it should be uninstalled...
    Best regards
    SAP on SQL General Update for Customers & Partners April 2014
    10. Do Not Install SAPGUI on SAP Servers
    Windows Servers have the ability to run many desktop PC applications such as SAPGUI and Internet Explorer however it is strongly recommended not to install this software on SAP servers, particularly production servers.
    To improve reliability of an operating system it is recommended to install as few software packages as possible.  This will not only improve reliability and performance, but will also make debugging any issues considerably simpler
    “A server is a server, a PC is a PC”.  Customers are encouraged to restrict access to production servers by implementing Server Hardening Procedure. 
    SAP Servers should not be used as administration consoles and there should be no need to directly connect to a server. Almost all administration can be done remotely
    SAP on SQL General Update for Customers & Partners September 2013
    Internet Explorer (and any other non-essential software) should always be removed from every SAP DB or Application server. 
    The following command line removes IE from Windows 2008 R2, Windows 2012 and Windows 2012 R2:
    Open command prompt as an Administrator ->  dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

  • SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory

    Hi,
    we are using SAP Netweaver Enterprise Portal 7.0 (SP25) based on Windows 2008 R2/Oracle 11g.
    When we setup the Portal, we used the UME of the ECC - ABAP.
    The portal is used internally only.
    Now we want to provide SSO.
    User authenticate against Windows Active Directory (Windows 2003).
    We thought SSO via spnego would be the best solution.
    Any better alternatives we should use?
    We are following the SAP documentation:
    SAP-Bibliothek - Benutzerauthentifizierung und Single Sign-On
    We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.
    When we setup the portal from scratch using ABAP as its UME, in the system configuration, LDAP can't be selected/add as data source.
    In case we understand the documentation correctly, we would now need to add LDAP via the configtool for read access.
    What is not clear to us is whether, when we activate LDAP now via the config tool, we would lose the ABAP connection.
    Is there a tutorial for SSO Netweaver 7.0 EP, like for EP 7.3, available?
    In 7.3 SSO is pretty simple to get it running, thanks to the many tutorials here and on the internet.
    Thanks for your help.
    Best regards
    Carlos Behlau

    Hi,
    I was able to generate the key via ktab program.
    But when I enable SSO, nothing happens when I try to log on via SSO to the portal.
    I installed the WebDiag tool on the portal server and ran a trace.
    The users are located in domain company.com of Active Directory.
    The Java AS are located in domain sap.company.com of Active Directory.
    The sap.company.com domain acts as a child of company.com.
    When I check the WebDiag trace, I see for the SPNegoLoginModule the entry "... no key (etype: 23) for realm sap.company.com available ..."
    I would expect company.com as the realm key, as the keytabs have been generated on the domain controller of company.com.
    Is it possible to get SSO with a child domain running?
    Based on the statement of the network folks, the child and parent domain have a trust.
    Thanks for your help.
    Best regards
    Carlos
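The trace line Carlos quotes, "no key (etype: 23) for realm sap.company.com available", is a keytab lookup failing on the realm, not on the principal. The first thing a practitioner wants is to see exactly which realm, principal, key version and encryption types the keytab actually contains. The following is an added example, not code from the thread or from SAP: a small reader for the MIT keytab layout (version 0x0502, which Java's ktab also writes, to my knowledge) plus the lookup the login module effectively performs. The principal HTTP/portal.sap.company.com, the key material and the timestamps are constructed test data, not values from the post.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class KeytabEntry:
    principal: str      # name components joined with "/", e.g. "HTTP/host"
    realm: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int        # 23 = rc4-hmac, 17/18 = aes128/aes256-cts-hmac-sha1-96
    key: bytes


def _counted(raw: bytes) -> bytes:
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in MIT keytab format (magic 0x0502, big-endian fields)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps = e.principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(e.realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)            # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body   # entry size prefix
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab; negative size prefixes mark deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):          # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        realm, comps = strings[0], strings[1:]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                  # 32-bit kvno present: it wins if non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps), realm, name_type, ts, kvno, enctype, key))
    return entries


def keys_by_realm(entries: List[KeytabEntry]) -> Dict[str, Set[Tuple[str, int, int]]]:
    """Realm -> {(principal, enctype, kvno)}: the summary to compare against the trace."""
    out: Dict[str, Set[Tuple[str, int, int]]] = {}
    for e in entries:
        out.setdefault(e.realm, set()).add((e.principal, e.enctype, e.kvno))
    return out


def has_key(entries: List[KeytabEntry], principal: str, realm: str, etype: int) -> bool:
    """The lookup the login module performs; Kerberos realm names are case-sensitive."""
    return any(e.principal == principal and e.realm == realm and e.enctype == etype
               for e in entries)


# Constructed sample: RC4 (etype 23) and AES256 (etype 18) keys for the portal's SPN,
# both issued by the parent realm COMPANY.COM. Zero-filled key bytes stand in for real keys.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HTTP/portal.sap.company.com", "COMPANY.COM", 1, 1400000000, 3, 23, bytes(16)),
    KeytabEntry("HTTP/portal.sap.company.com", "COMPANY.COM", 1, 1400000000, 3, 18, bytes(32)),
])

if __name__ == "__main__":
    print(keys_by_realm(parse_keytab(SAMPLE_KEYTAB)))
    print(has_key(parse_keytab(SAMPLE_KEYTAB), "HTTP/portal.sap.company.com", "SAP.COMPANY.COM", 23))
```

Run against the real file (open it in binary mode and pass the bytes to parse_keytab) the summary shows immediately whether the realm the module is looking for is the one the keys were issued for, and whether an etype 23 key exists at all; a mismatch on either is enough to produce the quoted trace line.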

  • SSO with ITS & Webenabling WEBGui

    Hello,
    We have configured SSO with the R/3 system. It works fine.
    The requirement is that we have to web-enable the R/3 system through SAP GUI for Windows and SAP GUI for HTML.
    We are able to do both in the development environment, where both R/3 and the portal have the same host names.
    But in the QA environment, we are able to web-enable R/3 with SAP GUI for Windows and the SSO also works fine. But when we try using SAP GUI for HTML, it asks for the username and password again. Here the portal and R/3 have different host names.
    Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why it is not working?
    Regards,
    Rukmani

    Hi all,
    it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
    My suggestion is: do not skip even simple steps; sometimes the problem appears there.
    Regards,
    Pavol

  • SSO to SAP EP6 (for Employee Self Service) using WebSEAL

    Hi SDN friends,
    We are about to embark on a SSO implementation using IBM WebSEAL for SAP EP6 ESS (Employee Self Service) connecting through to an SAP R/3 4.7 server.  Since the ESS solution for 4.7 still uses ITS services, this means that we have ITS iViews in the EP6 portal.
    We have managed to look through the whitepaper 'IBM Tivoli Access Manager - Single Sign On for SAP NetWeaver - September 2005' described at https://www.sdn.sap.com/irj/sdn/developerareas/ibm
    We have the following queries, if anybody has a simple answer to these:
    -  Is it absolutely necessary to configure an SNC connection between ITS/EP6 and R/3 server to achieve SSO for the portal?
    -  Given that SAP EP6 references ITS IAC iviews, is it necessary for us to configure both ITS and EP6 for SSO, or can we simply configure EP6 for SSO?  If so, is it also necessary to configure both for SSL?
    -  Otherwise, how easy is it to set up SSO in this scenario without SSL (for demo purposes)?
    Any thoughts would be greatly appreciated.
    Cheers
    John Moy

    Hello John,
    regarding your questions:
    ad 1) no. SNC is only mandatory if you use X.509-based SSO to R/3. You can also use SAP logon ticket-based SSO from EP to R/3 or user mapping, neither of which requires SNC.
    ad 2) yes, you have to configure both EP and ITS at WebSeal.
    ad 3) you can always omit SSL. However for production use, it is recommended.
    Regards
    Michael

  • Using SSO to connect to database from J2EE

    I have an SSO-enabled J2EE application and an SSO-enabled database and I can connect to both of these applications using the single sign-on account.
    What I want to know is:
    How do you get a J2EE application to connect to the database with the already connected SSO credentials?
    I am using Oracle 10g for both the app server and database
    Any help will be gratefully received.

    Hello,
    Also we have a simple how-to about database proxy authentication in the OC4J 10.1.3 How-tos page (see How-To Configure and Use Proxy-authentication with Data Sources ).
    Regards
    Tugdual Grall

  • SSO to a hosted R/3 system

    Can we use SSO with logon tickets when the R/3 system is hosted by an external partner and the domain name is not the same as the domain name of the portal server? We're accessing R/3 through a VPN tunnel.
    Will SSO also work when accessing the portal from the Internet?

    Hi,
    1. In a common domain ITS is a problem. Let's say you have portal.intranet.company.com and its.outsourced.company.com. In this case you can set in the portal, using the relax-domain setting of UME, that the cookie will be generated for *.company.com. Portal works, ITS works. But when you log off, you are still logged in. The problem is that ITS re-sends its SSO ticket after accepting the portal's one (no advice helped to get rid of this "feature", even with the latest PL). If logoff deletes ITS's one (because HTTP is a stupid protocol, it happens), you cannot really log off: the browser sends the ticket issued by the portal and you are in again. There are also ugly side effects with exceptions and so on.
    2. If you create an alias its.intranet.company.com (from point 1), use this alias in the portal and the cookie is issued for *.intranet.company.com (default setting), the browser can see both servers in the same domain. I made a simple test and that worked. So I do not know about potential side effects.
    Definitely, in HTTP (the stupid one) the server does not know who issued some cookie and for which domain, so R/3 will never know it in any case (of course, the content contains the SID of the ticket issuer).
    3. Well, you will need a proxy with manipulation of headers and content of HTTP traffic. This means SSL from the browser must terminate in the proxy and optionally start again there and continue to the portal. I think that there is a thread in these forums on how to do it. You will need to study in detail SAP's document about the Apache reverse proxy (probably you use Apache on Solaris). I'm afraid I could not find a link quickly; try searching in SDN.
    4. IMHO SAP logon tickets are suitable and secure enough for most applications like internet shops, customer support... There are weaker solutions of other vendors deployed on the Internet without problems. But surely in the case of bank applications for VIP customers every wise consultant will recommend additional security.
    The problem I met is possible to eliminate by setting the cookie only for the reverse proxy. If you set the cookie's domain restriction too wide (e.g. *.company.com), it will be delivered to any server in *.company.com. This is a well-known weakness of HTTP. There were simple cracks in the past, where somebody created a non-authorized server thehacker.company.com (well, the Internet is a large and ugly place sometimes): if you have access to the DNS of some internet provider and if your end user clicks OK in every dialog window (which most users obviously do), you are in trouble; this unauthorized server might receive the ticket. The probability is low, as the hacker must have knowledge of the logon ticket feature, your architecture and application, write access to DNS, create some fake page forwarding to the hacker's server and so on. But why not? I expect that every serious hacker reads all relevant forums. Who can guarantee you that some of the answers here (also this one) are not a hacker's trojan horses? If you talk about security, if you use sources that are not 100% trusted, you should double check and analyse. And count the risk and possible loss of money.
    Pavol
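Pavol's two points, that a ticket cookie scoped to *.company.com reaches every host under it (including a rogue one) and that two same-named tickets for different domains coexist in the browser so deleting one at logoff leaves the other, both come down to RFC 6265 domain matching. The following is an added example, not part of the thread or of any SAP code: a domain-match function and a minimal cookie jar that reproduce both effects. The host names follow Pavol's examples; "outsourced.company.com" as the domain ITS would issue its own ticket for, and the cookie name MYSAPSSO2, are assumptions for the demonstration.

```python
from typing import Dict, List, Tuple


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host equals the cookie domain or is a subdomain of it.
    A host-only cookie (no Domain attribute) is modelled by passing the host itself."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == dom or host.endswith("." + dom)


def hosts_receiving(cookie_domain: str, hosts: List[str]) -> List[str]:
    """Which of the given hosts the browser would send a ticket cookie to."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


class BrowserJar:
    """Minimal cookie jar. Cookies are keyed by (name, domain), so two MYSAPSSO2
    cookies with different domains coexist and are both sent to a host matching both."""

    def __init__(self) -> None:
        self._cookies: Dict[Tuple[str, str], str] = {}

    def set(self, name: str, value: str, domain: str) -> None:
        self._cookies[(name, domain.lower().lstrip("."))] = value

    def delete(self, name: str, domain: str) -> None:
        self._cookies.pop((name, domain.lower().lstrip(".")), None)

    def sent_to(self, host: str) -> Dict[str, List[str]]:
        out: Dict[str, List[str]] = {}
        for (name, dom), value in self._cookies.items():
            if domain_matches(host, dom):
                out.setdefault(name, []).append(value)
        return out


# Constructed host list following Pavol's names; thehacker.company.com is his rogue host.
HOSTS = [
    "portal.intranet.company.com",
    "its.intranet.company.com",
    "its.outsourced.company.com",
    "thehacker.company.com",
]

ITS_HOST = "its.outsourced.company.com"
ITS_DOMAIN = "outsourced.company.com"   # assumption: the domain ITS scopes its own ticket to


def tickets_after_logoff(deleted_domain: str) -> List[str]:
    """Model of point 1: the portal issued a ticket for the relaxed domain *.company.com,
    ITS accepted it and re-issued its own. Logoff deletes the cookie for one domain;
    returns the ticket values ITS still receives afterwards (empty means really logged off)."""
    jar = BrowserJar()
    jar.set("MYSAPSSO2", "ticket-from-portal", "company.com")
    jar.set("MYSAPSSO2", "ticket-from-its", ITS_DOMAIN)
    jar.delete("MYSAPSSO2", deleted_domain)
    return jar.sent_to(ITS_HOST).get("MYSAPSSO2", [])


if __name__ == "__main__":
    for scope in ("company.com", "intranet.company.com", "portal.intranet.company.com"):
        print(f"{scope:30s} -> {hosts_receiving(scope, HOSTS)}")
    print("after deleting portal ticket:", tickets_after_logoff("company.com"))
    print("after deleting ITS ticket:   ", tickets_after_logoff(ITS_DOMAIN))
```

The narrowest scope in the list, the host-only cookie for the reverse proxy, is the "cookie only for reverse proxy" setting Pavol recommends: it reaches no other host at all, so neither the rogue host nor a second ticket issuer ever sees it.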
