Single Sign On Questions

We are using Active Directory as the user store and SSO works as advertised. There is a single set of AD groups that define membership in the roles being used for security. The problem is that this means that if someone is in the financial group they can get to the financial data in all environments: dev, test and production. I am trying to figure out a way to limit access in the dev and test environments. I thought I could do it by adding a filter for a particular group on the All Users Filter in the AD provider. While this does limit the users in the security realm it doesn't prevent users not in that list from connecting to OBI through SSO. Any Ideas?
Another issue is that every instance that I have put SSO on it has broken the validateAnalysisCriteria logic that had been implemented in Answers. The system can no longer find the mycriteriablocking.js file where the code is. If you put the code into the answerstemplates.xml file it works. But I have run into problems with the size of the code that can be embedded like that. If it gets over a certain size it no longer works. Putting it in an external file allows more code and thus a more complex query. But after implementing SSO it can't find the file referenced in the answerstemplates.xml. And if you roll SSO back off it still does not work. We use the validateAnalysisCriteria to prevent the combination of certain fields in a query. Perhaps there is another way to implement that kind of logic?
OBIEE 11.1.1.6.2 BP2
Windows 2008 R2 SP1

dirkt wrote:
We are using Active Directory as the user store and SSO works as advertised. There is a single set of AD groups that define membership in the roles being used for security. The problem is that this means that if someone is in the financial group they can get to the financial data in all environments: dev, test and production. I am trying to figure out a way to limit access in the dev and test environments. I thought I could do it by adding a filter for a particular group on the All Users Filter in the AD provider. While this does limit the users in the security realm it doesn't prevent users not in that list from connecting to OBI through SSO. Any Ideas?
Log an SR with O. A quick workaround to stop other AD groups from accessing BI is to restrict access to OBIEE for the authenticated-role (which is everyone who is a valid user in LDAP): you can restrict Access Home Page from the Manage Privileges screen in the OBIEE Administration screen.
Give Access to Home only to the Roles you want to give access to OBIEE; whoever is not part of these roles cannot access OBIEE.
Another issue is that every instance that I have put SSO on it has broken the validateAnalysisCriteria logic that had been implemented in Answers. The system can no longer find the mycriteriablocking.js file where the code is. If you put the code into the answerstemplates.xml file it works. But I have run into problems with the size of the code that can be embedded like that. If it gets over a certain size it no longer works. Putting it in an external file allows more code and thus a more complex query. But after implementing SSO it can't find the file referenced in the answerstemplates.xml. And if you roll SSO back off it still does not work. We use the validateAnalysisCriteria to prevent the combination of certain fields in a query. Perhaps there is another way to implement that kind of logic?
OBIEE 11.1.1.6.2 BP2
Windows 2008 R2 SP1
Check the below links by Shahed:
http://deliverbi.blogspot.com/2013/03/obiee-11g-blocking-analysis-enforcing.html
OBIEE 11.1.1.6.8 Analysis Blocking  if (!tValidator.dependentColumnExists("
HTH,
SVS
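An added example (not code from this thread or from the blog it links to) of the validateAnalysisCriteria hook the original poster describes, which blocks an analysis that combines particular columns. CriteriaValidator is OBIEE's own object and its method name dependentColumnExists(subjectArea, table, column) is assumed here, so a constructed stand-in and constructed criteria XML are used to run the rules offline.

```javascript
// Added example (not code from the thread or the blog it links to): the
// column-combination rule the original poster describes, written as the
// validateAnalysisCriteria hook that OBIEE Answers calls before an analysis runs.
// In OBIEE the hook does `new CriteriaValidator(analysisXml)`; StandInValidator
// below is a constructed replacement with the assumed method name
// dependentColumnExists(subjectArea, table, column) so the rules run offline.

// Pairs of columns that must not appear together in one analysis.
// Subject area, table and column names are constructed sample values.
const BLOCKED_PAIRS = [
  {
    reason: "Order Amount cannot be combined with Invoice Line detail.",
    a: ["Sales", "Fact - Orders", "Order Amount"],
    b: ["Sales", "Dim - Invoice", "Invoice Line"],
  },
  {
    reason: "Customer Email cannot be combined with sales measures.",
    a: ["Sales", "Dim - Customer", "Customer Email"],
    b: ["Sales", "Fact - Orders", "Order Amount"],
  },
];

// Stand-in for CriteriaValidator: collects every "Table"."Column" sqlExpression
// in the criteria XML, from selected columns and from filters alike, since a
// filter column is a dependency of the analysis even when it is not displayed.
class StandInValidator {
  constructor(analysisXml) {
    const sa = /subjectArea="&quot;([^&]+)&quot;"/.exec(analysisXml);
    this.subjectArea = sa ? sa[1] : "";
    this.columns = new Set();
    const re = /xsi:type="sawx:sqlExpression">\s*"([^"]+)"\."([^"]+)"\s*</g;
    let m;
    while ((m = re.exec(analysisXml)) !== null) {
      this.columns.add(`${m[1]}.${m[2]}`);
    }
  }

  dependentColumnExists(subjectArea, table, column) {
    return subjectArea === this.subjectArea && this.columns.has(`${table}.${column}`);
  }
}

// The hook: return true to let the analysis run, or a message string to block it
// (Answers shows the string to the user). The Validator parameter exists only so
// the stand-in can be swapped in; inside OBIEE it would be CriteriaValidator.
function validateAnalysisCriteria(analysisXml, Validator = StandInValidator) {
  const tValidator = new Validator(analysisXml);
  for (const rule of BLOCKED_PAIRS) {
    if (tValidator.dependentColumnExists(...rule.a) &&
        tValidator.dependentColumnExists(...rule.b)) {
      return rule.reason;
    }
  }
  return true;
}

// Builds constructed criteria XML in the shape Answers produces, trimmed to the
// parts the stand-in reads: selected columns and equality filters.
function sampleCriteria(selected, filtered) {
  const col = ([t, c]) =>
    `<saw:column><saw:columnFormula><sawx:expr xsi:type="sawx:sqlExpression">` +
    `"${t}"."${c}"</sawx:expr></saw:columnFormula></saw:column>`;
  const flt = ([t, c]) =>
    `<saw:filter><sawx:expr xsi:type="sawx:comparison" op="equal">` +
    `<sawx:expr xsi:type="sawx:sqlExpression">"${t}"."${c}"</sawx:expr>` +
    `<sawx:expr xsi:type="xsd:string">x</sawx:expr></sawx:expr></saw:filter>`;
  return `<saw:criteria xsi:type="saw:simpleCriteria" subjectArea="&quot;Sales&quot;">` +
    `<saw:columns>${selected.map(col).join("")}</saw:columns>` +
    `${filtered.map(flt).join("")}</saw:criteria>`;
}

// Three constructed analyses: one allowed, one blocked by two selected columns,
// one blocked because the forbidden partner column only appears in a filter.
const ALLOWED_XML = sampleCriteria(
  [["Fact - Orders", "Order Amount"], ["Dim - Customer", "Customer Name"]], []);
const BLOCKED_XML = sampleCriteria(
  [["Fact - Orders", "Order Amount"]], [["Dim - Invoice", "Invoice Line"]]);
const BLOCKED_VIA_FILTER_XML = sampleCriteria(
  [["Dim - Customer", "Customer Email"]], [["Fact - Orders", "Order Amount"]]);

console.log(validateAnalysisCriteria(ALLOWED_XML));            // true
console.log(validateAnalysisCriteria(BLOCKED_XML));            // first rule's message
console.log(validateAnalysisCriteria(BLOCKED_VIA_FILTER_XML)); // second rule's message
```

In Answers this hook runs in the user's browser from the script referenced in answerstemplates.xml, so it is a guardrail against unwanted column combinations, not an access control; object and data security in the repository remain the enforcement point.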

Similar Messages

  • Exchange Server Deployment Assistant - Single Sign On Question

    I'm running through the Exchange Server Deployment Assistant to help with a Hybrid deployment and for
    right now, I don't want to be bothered with SSO. In the Assistant, when I answer
    No to the Do you want all users to use their on-premises credentials when they log on to their Exchange Online mailbox? question when I get to the
    Before You Begin section it always shows my answer to that question as being
    Yes.
    Any ideas? Can I simply ignore the sections that relate to AD FS as I work through the steps?
    Thanks!

    Hi Adare,
    I have tested on Exchange Server Deployment Assistant with "Hybrid"->"Exchange 2010 based hybrid", and got the same result as you.
    Information on "Do you want all users to use their on-premises credentials when they log on to their Exchange Online mailbox?" as below:
    Single sign-on allows users in both the on-premises organization and the Exchange Online organization to access resources and features across the two organizations without being prompted for additional user credentials. Single sign-on is configured for
    a hybrid deployment using identity federation and Active Directory synchronization. If you're planning to have on-premises users access Exchange Online accounts using the Outlook mail client or planning to implement Exchange Online Archiving,
    we strongly recommend selecting Yes for this question and deploying single sign-on in your on-premises organization.
    It seems that this is the reason why Yes has been selected.
    Thanks 
    Mavis Huang
    TechNet Community Support

  • Single Sign On Question

    Hi All,
    My Company has a couple of Divisions. But lets work with two divisions, Corporate and Government Divisions.
    I'm currently working on the Govmn Division. Our Intranet is protected by a firewall and users from Corporate are required to Authenticate through the Sun One Directory (LDAP). We restrict the top level directory by the IP. If the IP is from Corp, they get the sign on request.
    Before they do that though, they go through some proxy server that will feed them the pages. It's some tool by iGate (Rainbow Technologies).
    My question is, what would be the best solution to bypass these two sign ons? Is there any way to send credentials to the ACL so it does not prompt the user for a login and password? I've read about the Identity server and I'm a bit confused.
    Any tips, help, advice would be appreciated.
    Thanks,
    Tony

  • Questions on portlets and Single Sign On access

    Can anyone help in answering these questions?
    - Is it possible to integrate a SAP application in a portal via portlets (e.g. JSR) or in Microsoft Sharepoint?
    - For Single Sign on: is SAML supported?
    - Can a SAP system be integrated into a Single-Sign-On environment that has different organizational units that need to be accessed (e.g. Shibboleth)?
    Thanks!

    Hi Tina,
    Study these links to get some idea on SSO. I hope they are useful to you.
    User Mapping-based Single Sign On
    SAP Logon Ticket-based Single Sign-On
    regards
    bhargava

  • Single Sign on using SAML between JWS application and Web Application

    Hi,
    We have two applications one is swing based Java Web Start application and other is a normal web application. We are trying to enable single sign on between both the applications. Can SAML be used to enable single sign on? If yes, can some one let us know how to do this?
    Thanks,
    Rama

    Thanks. But it is based on two WEB applications deployed on two different weblogic domains. What I am looking for is one application which is launched using Java Web Start (JNLP) and the other a web application. The Java Web Start application uses its proprietary authentication implementation and the web application uses the DefaultAuthenticator of weblogic. Hope this detail will help you to answer my question better. I should have given this information earlier.
    Thanks.
    Rama

  • Active Directory, single sign-on and  SRM Users

    We are in the process of installing SRM 7.0 using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
    - My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
    - Single sign-on will not at this point be used for our SAP ECC 6.0 system
    My questions are:
    1. If active directory is being used do we need to create actual users within the SRM system?
    2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
    Many Thanks

    Hi Claire,
    Single Sign On works only if the user exists on every system.
    For example:
    If you connect through the portal to access ECC and SRM, your user id must exist in ECC and SRM.
    For Active Directory you can synchronize your user table to AD by using the LDAP option.
    The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
    Finally use the SSO certificate between Portal, ECC and SRM.
    Regards,
    Gilles SEBBAG
    SAP Technical Consultant.

  • Single sign on and microsoft active directory

    Hi,
    I have EBS 12.1.3 on linux. I know that I can implement single sign on to login to EBS. Now the question is: can I integrate this single sign on with my existing Microsoft Active Directory? Can you send me some links or documentation?

    Self-reply:
    http://blogs.oracle.com/stevenChan/2006/05/indepth_using_thirdparty_ident.html
    Thanks

  • Single sign-on and different usernames and passwords

    Hello,
    I am building a Portal with WLPS 3.5 and WLS 6.0. I tried to get information about the background of single sign-on.
    I understand that I need a Realm (i.e. LDAP Realm) to authenticate the user for the first login to the portal (with username and password).
    Now I would like to integrate my webmail program (to get emails from Lotus Notes via Internet) as a portlet.
    For my understanding the user has to authorize to get access to webmail. Therefore I create an ACL for webmail and this ACL is assigned to my security Realm.
    I would like the portlet to show after login the number of mails for the specific user. But where are the username and password for webmail stored and how are they received and forwarded?
    I understand that my ACL includes all users that have access to webmail (i.e. all users). But I only want emails for the specific user.
    Does WLS get all usernames and passwords during the first login? Do I have to implement an algorithm to get the specific username and password for the requested resource in my portlet?
    Has anyone solved a similar problem or can tell me where I can get more information? I read the WebLogic Security document but I can't find an answer to my questions.
    Thanks
    Lydia

    Lydia,
    I'm not an expert in this area, but I can give you a start.
    As for single sign-on, there are different levels. For single sign-on across web-apps, the servlet spec requires this (section 12.6 of the 2.3 spec) and therefore Weblogic does this.
    What you are talking about is single sign-on across back-end applications through a web-app. BEA has partnered with Securant (just acquired by RSA) to provide this kind of functionality. Browse to http://www.rsasecurity.com/products/ and look at the ClearTrust product. BEA has also partnered with Netegrity (www.netegrity.com) with their SiteMinder product. Neither is included in the Weblogic license. I'm sure either vendor would be excited to explain how their product will solve your problem if you give them a call.
    As for where the usernames and passwords are stored, that is up to the realm. If you are using the default WLPS RDBMSRealm, the username and encrypted password are stored in the WLCS_USER table. If you are using LDAPRealm, they are stored in your LDAP server.
    Hope this was useful!
    PJL
    [email protected] wrote:
    Hello,
    I am using PersonalizationServer 3.5 and WLS 6.0 SP 2.
    Now I try to understand the functionality of Single sign-on when a user has different usernames and passwords for different applications.
    Can someone explain where the usernames and passwords for a user are stored (all in the LDAP-realm or a RDBMS-realm)? When a user accesses the application, how are usernames and passwords mapped? Or are the usernames and passwords for all applications the same and will be equalized?
    Precisely, I would like to get access to a mail account for a specific user (webmail from Lotus Notes).
    Thanks for any help
    Lydia

  • Single Sign On and Command line

    Hi!
    We have an application without any logon form which is executed from the command line by a BAT file:
    app.exe Username Password par1 par2 ...
    where par1, par2... are parameters of the application.
    So the question is: can Oracle Single Sign On set user credentials on the command line? Can we use OSSO for an application without a logon form?
    Thank you.

    SSO is for web apps. You could try to use OID to perform the authentication of your application, but you would have to change your application so it looks for the users in LDAP.
    Greetings.

  • Single sign-on and custom DBLoginModule

    Hi,
    I need help in making SSO work. I have Application Server version 10.1.3.1.0, I've developed an application in JDeveloper 10.1.3.3 that uses form based login and when deployed to the server I can normally login/logout. Now I want to enable single sign on, so I've changed the security provider of javasso to the one I'm using in my application (oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule) and started javasso, added my application to participating applications, and restarted the instance.
    When I try to access my application, the login page of javasso is shown but I cannot login, I always get incorrect username/password. The strange thing is that the logs are empty, so I guess that the dblogin module is never fired.
    Also I've changed my login method so it supports identity callback, as described here.
    This Re: Custom Login Module and JavaSSO said that orion-application.xml of my application and javasso should be the same, I haven't figured out what I should do with the javasso orion-application.xml and how it should look.
    This is orion-application.xml of my application:
    <?xml version = '1.0' encoding = 'windows-1250'?>
    <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
      <library path="./adf"></library>
      <jazn location="./jazn-data.xml" provider="XML"/>
      <data-sources path="./data-sources.xml"/>
      <jazn-loginconfig>
        <application>
          <name>secure-web-app</name>
          <login-modules>
            <login-module>
              <class>oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule</class>
              <control-flag>required</control-flag>
              <options>
                <option>
                  <name>data_source_name</name>
                  <value>jdbc/WMSPortalDS</value>
                </option>
                <option>
                  <name>debug</name>
                  <value>true</value>
                </option>
                <option>
                  <name>plsql_procedure</name>
                  <value>PK_SECURITY.GET_USER_AUTHENTICATION</value>
                </option>
                <option>
                  <name>log_level</name>
                  <value>ALL</value>
                </option>
              </options>
            </login-module>
          </login-modules>
        </application>
      </jazn-loginconfig>
    </orion-application>
    This is orion-application.xml of javasso:
    <?xml version = '1.0' encoding = 'utf-8'?>
    <orion-application
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"
        schema-major-version="10"
        schema-minor-version="0"
        component-classification="internal">
      <security-role-mapping name="{{PUBLIC}}">
        <group name="{{PUBLIC}}" />
      </security-role-mapping>
      <jazn provider="XML">
      </jazn>
    </orion-application>
    Please help, this is very urgent to me, all advice and guidelines are more than welcome.
    Thanks in advance,
    Tomislav.

    To be clear, maybe someone will help.
    I have a cluster topology, with one application server and 3 oc4j instances.
    I've done the following steps without success, on my test instance:
    1. Deployed application with custom DBLogin (I'm using: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule)
    2. Successfully login / logout -> so I guess DBLogin is working fine
    3. Stopped the java sso application
    4. Changed the javasso Security Provider to my custom DBLogin with the following parameters:
    class: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule
    data_source_name - jdbc/WMSPortalDS
    log_level - ALL
    plsql_procedure - PK_SECURITY.GET_USER_AUTHENTICATION
    debug - true
    5. Added Connection Pool and Data Source in javasso Administration -> JDBC -> tested connections and it was successful
    6. Started javasso application
    7. Then I went to Java SSO Configuration -> Participating applications -> checked my application
    8. Restarted instance
    9. Try to login -> invalid username / password
    In Enterprise Manager Log files -> javasso -> there are only messages regarding starting and stopping the application
    Questions:
    1. orion-application.xml for javasso -> what exactly needs to be specified inside? Currently I have the following:
    <?xml version="1.0"?>
    <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" component-classification="internal"
      schema-major-version="10" schema-minor-version="0" >
            <web-module id="javasso-web" path="javasso-web.war" />
            <security-role-mapping name="{{PUBLIC}}">
                    <group name="{{PUBLIC}}" />
            </security-role-mapping>
            <persistence path="persistence" />
            <jazn provider="XML">
                    <property name="custom.loginmodule.provider" value="true" />
                    <property name="role.mapping.dynamic" value="true" />
            </jazn>
            <log>
                    <file path="application.log" />
            </log>
            <data-sources path="./data-sources.xml" />
    </orion-application>
    2. orion-application.xml for my application:
    <?xml version="1.0"?>
    <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" see-parent-data-sources="false" component-classification="external"
      schema-major-version="10" schema-minor-version="0" >
            <web-module id="Portal" path="Portal.war" />
            <persistence path="persistence" />
            <library path="./adf" />
            <jazn provider="XML" location="jazn-data.xml" default-realm="jazn.com" >
                    <property name="custom.loginmodule.provider" value="true" />
                    <property name="role.mapping.dynamic" value="true" />
                    <jazn-web-app auth-method="CUSTOM_AUTH" />
            </jazn>
            <log>
                    <file path="application.log" />
            </log>
            <data-sources path="./data-sources.xml" />
    </orion-application>
    3. How to get any information into the logs? I cannot find out what I'm doing wrong since there's no output in the logs for javasso and my application.
    Please help, I'm really stuck and I have to resolve this as soon as possible.
    Thanks in advance,
    Tomislav.

  • Single Sign-On and External Applications Portlet

    I would like to know how complicated would be to call an External Application with SSO (like Hotmail), outside the External Applications Portlet.
    We have defined around 10 external applications with SSO,they worked fine.
    but due to look&feel issues, we would like to put them in a content area , like items that when the user clicks, takes them to the external application and performs the single sign-on.
    Any advice will be appreciated.
    tks!!

    Maria, I was experimenting with this last night, to answer your question, and I think a cool way of doing this would be the following:
    Create a custom attribute called "App ID" - make this a NUMBER type. This is where the external application id will be stored.
    Create a custom item type: "External Application"
    You have two options for the base type: either "URL" or "<None>". If you pick URL, then you can have the item contain the URL for fapp_process_login, but this is not advisable because it will require the administrator to type in this long URL every time a new application is added.
    If you select base type URL, you should use that URL to let the administrator provide a URL to the application's homepage, or a help page or something of that sort.
    Edit the newly created item to set the Attribute and Procedure properties.
    Add the "App ID" attribute - no default.
    On the Procedure tab, add the following procedures (called as HTTP), each with the App ID passed as "p_app_id":
    Login http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.fapp_process_login
    Edit http://server.domain.com/pls/portal30_sso/portal30_sso.wwsso_app_admin.edit_fappuser
    That's it!
    Add the new custom item type to a folder, and all the administrator needs to do is set the title, and App ID for the new item.
    Exercise for the Reader
    You will notice that clicking on the Edit link will take you to the login server when you are done editing the credentials. To avoid this, pass another parameter to the edit procedure - p_done_url, and set a value for that to point to the page that you want to go to after editing credentials.

  • Single Sign-on and external applications

    Hi,
    Someone might be able to point me in the right direction about this.
    I have registered each of my applications as external applications within Oracle Portal in order to avail of single sign-on.
    This is fine to a point, but registering applications in this way still requires the user to enter a username and password once in order to login to the application the first time they use it, even though they have already logged into the Portal. As long as the user doesn't log out of the application they can close their browser and when they come back to the application they are still logged in.
    None of the applications I use are oracle partner applications.
    My problem is that I want to avoid the user having to log in to the application the first time they use it.
    Ideally they should login to Portal once and then any subsequent applications they access, they are automatically logged into them without having to enter a username and password.
    Is there a way to do this or will I have to write a custom login for each application to circumnavigate this first time using the application login issue ?
    Are there any docs that someone could point me at.
    Many thanks,

  • Single Sign on and Protect URL step

    Hi,
    I have successfully installed Oracle Internet Directory, Identity Server, Web Pass, Policy manager, Access Server and WebGate (attached to Oracle HTTP Server from Oracle Management Infrastructure).
    My questions are:
    - How do I protect URL so the user will need to login to access certain URL?
    - How do I enable single sign on and test it?
    - What are the general steps involve to enable URL protection (so if the url is protected it will prompt for username and password) and single sign on using Oracle Internet Directory?
    Kindly help me if anyone know a solution or can point me to the right documentation. I have tried to read Oracle Access Manager - Access Administration Guide, but keep getting confused.
    Thanks.
    Regards,
    Alfonso

    Hi,
    You can follow Oracle Access Manager Integration Guide (10.1.4.0.1) B25347-01, chapter 4, to achieve this. This document will answer most of your questions.
    Regards,

  • How to enable a partner application for Single Sign-On?

    Can someone please advise me on how to enable my existing J2EE web application for the Oracle Single Sign-On?
    My requirement is i want to provide the single sign-on authentication service to my J2EE web application. For this, I would like to make my application as a partner application similar like the OracleAS Portal.
    I am using Oracle 10g ( OralceAS, Oracle Infra, OID ...)
    I found the following service/APIs which Oracle provides. I am not sure which one is suitable for me.
    1. mod_osso ( Static)
    --- In this case, I have to make a entry in mod_osso.config file to protect the URL. should I have to register the URL again through single sign on admin page ("Administer Partner Application") after make a entry in config file?
    2. mod_osso ( Dynamic directive)
    -- in this case, I have to modify the code by providing the directives like 401, 499.. etc. So i don't prefer this as i don't want to touch my app.
    --If I go with this option, should i have to register the URL with Single sign on server through SSO admin page ( as mentioned in the above step#1) ?
    3. SSO SDK
    - Since it was deprecated and needs Java coding, I prefer this option.
    -- however, if I go with this option, I will develop code using the SDK. In this case I need to register the URL in the SSO server through the admin page.. am I right?
    Note:- OSSO server integrated with Active Directory for the authentication.
    Thanks,
    -Senthil

    sharon38_74 wrote:
    they said that our internal application needs to send a "login request" to etran via SSL with the user's information encoded in base 64 format. etran captures the HTTP header containing user authentication and authorization information, and parses the required information from the HTTP header.
    My question is how I set user information in the HTTP header? From my understanding, once I am able to set the user information in the HTTP header, it is in base 64 format?
    Your application needs to act like a proxy. You can invoke a HTTP request programmatically using java.net.URLConnection. You can set request headers using URLConnection#setRequestProperty(). Also see the API docs: [http://java.sun.com/javase/6/docs/api/java/net/URLConnection.html]. You only need to know the header field name where to set the Base64-encoded value. You need to Base64-encode the value yourself.

  • Proper security structure for Single Sign on Server

    We are all used to how we design security structure for vCenter Server if you have had an existing VMware environment prior to 5.1.  Who should have administrative privileges in vCenter Server, what roles, permissions, and so on should be assigned to what users and groups - these questions have already been addressed in our current configuration.
    Now Single Sign on introduces a significant new point of consideration for determining issues of access and authentication.
    I'd like to get some ideas on how this should be handled.  For example, should previous VMware administrators by definition become Single Sign on Administrators? Should the administrators of the Active Directory domain now start to get involved with the Single Sign on Server?
    For example, Single Sign on now forces VMware administrators to configure things like:
    -Password Complexity Policy for SSO
    -Password Expiration for SSO
    -Lockout Policy
    We already probably have these things tightly controlled in AD and locked down with group policy, but you can't apply group policy directly to an SSO server and make it receive a GPO from Active Directory.  (You can make the Windows OS that SSO is running on have a GPO applied, but it won't configure SSO itself, just the OS).
    VMware admins are looking at a new set of questions relating to authentication and authorization.  Someone has to have written something or will be writing something to help us get the big picture of what is changing with SSO if anything and how we need to look at SSO from a security design and best practices.
    Should we just make existing vCenter Server admins SSO admins or do we need to take a step back and reconsider?

    Hello,
    Actually, yes. SSO is fairly robust in 5.5. It has a few limitations around email of expired passwords, but that is mainly because some people do not use them. I use SSO to provide the usernames and passwords for all my VMware vCenter and related product service accounts. I.e. an account for vdp, Horizon, vCops, Log Insight, etc.  This is more about keeping systems segregated once more with no real need for AD for services. But AD via SSO is used by users.
    Read the documentation, and determine how SSO fits into your current password policy and take a long hard look at your virtualization management environment. Is there a 1 service account per service talking directly to vCenter? If not, SSO can help you implement that. The key is to match its functionality to your security policy.
    Best regards,
    Edward L. Haletky
    VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014
    Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
