Single sign-on using Kerberos and Ldap

Similar Messages

• Single Sign On between BPM and Siebel

  Hi,
  How are you? has somebody involved in a proyect where SSO was implemented between BPM and Siebel? is there an Oracle Standard way of achieving this?
  thanx in Advanced and Kind Regards!
  Gerardo J

  Hi Harsh,
  I heard about SPNego a mechanism you use for making single Sign On Using Kerberos Authentication with Web clients...
  check this link.. It may give you some inputs...
  http://help.sap.com/saphelp_nw04/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/content.htm
  Thanks,
  Sudhakar.

• How to use single sign-on  for BCC and Experience Manager

  Does anyone have experience in implementing single-sign-on for BCC and Endeca Experience manager for business users.

  With the older versions of Endeca commerce stack there is no OOTB support for this. However with Oracle Commerce 11, SSO with BCC and Experience Manager are out of the box. Oracle Commerce 11 is released today.

• Enter your Single Sign-On user name and password to sign in

  Hi,
  Could anybody tell me the user and password by default for administering SSO ? I think the user is orasso but I am not sure ...
  From:
  http://localhost:7777/pls/orasso/orasso.home
  I click on Login
  And here I get the message: Enter your Single Sign-On user name and password to sign in
  Here I have to use the user/password I don't know :(
  Thanks for your help,
  Paul

  You also may want to look at DAS to manage the users of your applications:
  http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14086/toc.htm

• Single Sign-On using SAML in WebLogic Server 10.3

  I followed Vikrant Sawant's tutorial on how to configure single sign-on (SSO) with SAML in WebLogic (http://www.oracle.com/technology/pub/articles/dev2arch/2006/12/sso-with-saml.html) but am being forced to re-authenticate when going from Domain B back to Domain A. I'd appreciate any help or suggestions.
  I posted a question in the General forum here:
  Single Sign-On using SAML in WebLogic Server 10.3

  I too am facing the same problem SSO with SAML - Session on Source Site killed after landing on Destination
  Thanks
  Togotutor
  <b><a class="jive-link-external" href="http://www.togotutor.com">http://www.togotutor.com</a> (Learn Programming and Administration for Free)</b>
  Edited by: user7507600 on Sep 17, 2010 10:01 AM

• Single sign-on using Oracle Identity Management

  Hi All,
  I am new to Oracle Identity Management. We are planning to implement Oracle Identity Management in our environment, which consists of :
  * Microsoft Active Directory.
  * Microsoft Exchange
  * Oracle eBusiness Suite Release 12 running on RedHat Enterprise Linux 5.5
  Is it possible to implement single sign-on using Oracle Identity Management. Once you integrate Microsoft Active Directory, Microsoft Exchange & Oracle eBS, a user should not be prompted to enter password to access Oralce Applications once he logins to his computer/Windows.
  Thank you for your time.
  Thanks

  Hi,
  You need to use different product eSSO for single sign on. to manage user credentials for applications from OIM then you need to implement Provisioning Gateway connector.
  Once you have eSSO Logon manager running on users workstation, user will be prompted for credentials for first time then going forward it will not ask.
  Regards,
  Raghav.

• Single sign on using IDM??????...plz help

  hey friends,,i need to make single sign on using IDm without system access mananger,,but using identity manager,,,i have netbean in which i have deployed idm war,,,now i have company site in which various subb-sites r thr,,,i need to make single sign on for all these,,,i dont know how to proceed so plz help...

  You need to have J2EE Policy Agent on the Appserver mechine where you will have your IDM server running. There are set of configuration steps involved in-order to acheive SSO/Pass thorugh Authentication.
  Thanks
  --ANJI                                                                                                                                                                                                                                                                                                                                                                                                                                                       

• Single Sign on using SAML between JWS application and Web Application

  Hi,
  We have two applications one is swing based Java Web Start application and other is a normal web application. We are trying to enable single sign on between both the applications. Can SAML be used to enable single sign on? If yes, can some one let us know how to do this?
  Thanks,
  Rama

  Thanks. But it is based on two WEB applications deployed on two different weblogic domains. What I am looking for is one application which is launched using Java Web Start(JNLP) and other a web application. The Java Web Start application uses its proprietary authentication implementation and the web application used DefaultAuthenticator of weblogic. Hope this detail will help you to answer my question better. I should have given this information earlier.
  Thanks.
  Rama

• Oracle Single Sign-On: Use NTLM inside LAN

  hi,
  i want to configure oracle single sign-on to use NTLM authentication when accessing a protected resource from the LAN (specific IP-range). when a user is accessing a protected resource from the internet it should still show up the login-page.
  how can i achieve that?
  regards,
  matthias

  Hi Darsh,
  1. Oracle Internet Directory (OID) is Oracle LDAP storage solution (more here), Oracle Virtual Directory is Oracle solution that can read identity data (and filter it (mask it) based on policies) from Oracle/non-Oracle databases, Oracle/non-Oracle Directories and files and provide the user profiles as LDAP view (more here), There is nothing called Oracle Active Directory, you must be referring to Microsoft Active Directory.
  2. No, Oracle Single Sign On (OSSO) is a feature in iAS (its obsolete), Identity Management is wide umbrella of solutions and concepts.
  3. Oracle Access Manager is one component of Oracle Identity and Access Management suite of products.
  4. Webgate is Oracle access Manager agent that is installed on a webtier, it intercepts the web requests and collect the credentails, send them to Oracle Access Manager for security evaluation (decide what Authentication is needed, verify collect credentials, etc), webgate then enforce the Access Manager decision.
  5. Oracle EBS AccessGate is a java application that has the same use of OAM Webgate (it is OAM agent) but specific to E Business suite, EBS Access Gate is the new solution replacing OSSO agents, OAM is replacing OSSO server component, EBS and OSSO customers can use OAM server with OSSO agents, or with EBS AccessGate.
  HTH.
  Ghassan

• SSO on WAS 6.20 (unix) using kerberos and Windows Active Directory (AD)

  Hi Gurus!!
  We are looking for the way to implement the Single Sign On in our R/3 Systems installed on unix of the Active Directory (obviously windows) users using Microsoft Kerberos.
  I'm not able to find a documentation about this arquitecture.
  Can somebody help me?
  Is any documentation related with this topic?
  Did Somwbody configure this kind of SSO?
  Thank you very much in advanced,
  Edorta Ramos

  Ramos,
  I should have made it clearer. When I referred to AS, I was referring to the SAP ABAP AS (e.g. application server). Of course the KDC (e.g. Microsoft Active Directory) has an AS service as well...
  yes, you can Kerberos enable (Kerberize) the SAP ABAP AS and SAP GUI using Kerberos libraries for Windows and AIX. As I mentioned already, since AIX is involved you should consider evaluating and buying SAP certified SNC libraries available from a SAP partner. Your first place to look is in SAP EcoHub (click link at top of this SDN forum to enter EcoHub) and search for SNC or Kerberos.
  You asked about gssapi library - as I have said a few times, there is no gssapi (e.g. SNC library) provided by SAP for UNIX or Linux, so if you are using AIX you need to look elsewhere (e.g. SAP partner) and the SAP partner will also provide the compatible/supported library for the Windows workstations as well so you get a complete solution from the vendor.
  Thanks,
  Tim

• Single Sign On -- Enterprise portal and BI JAVA

  Hi,
  I need to watch reports BI J2ee from an EP 7.00. I have configured the single sign On but it works just for ABAP BI Stack.
  This is what I have done for SSO JAVA:
  Importing the BI JAVA Certificate to the SAP NetWeaver 2004s Portal (SAP EP 7.0)
         1.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%admingo.bat.
         2.      Connect to the portal server.
         3.      Choose  are the values of and of certificate SAPLogonTicketKeypair-cert (see above).
  You also have to add these values under evaluate_assertion_ticket:
     13.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%admingo.
     14.      Connect to the portal server.
     15.      Choose  (for example, CN=J2E)
  Any clue?
  Regards

  Hi Jorge,
  if the UME is used with an ABAP based system as the back-end user storage, do the following:
  Generate and export the Portal Certificate:
  Go to Visual Administrator
  Choose <SID> - Server - Services - Key Storage - from the tree Select the view TicketKeystore under Views
  If the SAPLogonTicketKeypair exist, delete it.
  If the SAPLogonTicketKeypair-cert exist, delete it.
  Generate a portal certificate using the following steps:
  Under Entry choose Create.
  Enter the folowing values in u201CKey and Certificate Generationu201D
  Organization Unit Name (OU) = J2EE
  Common Name (CN) = <SID>
  Entry Name = SAPLogonTicketKeypair
  Store Certificate: X
  Algorithm: DSA
  Click u201CGenerateu201D
  Import the Portal Java Certificate into ABAP
  STRUSTSSO2
  System PSE:
  u201CImport Certificateu201D - Choose your exported .crt file - File format = Binary
  Click u201CAdd to Certificate Listu201D
  Click u201CAdd to ACLu201D - System ID = <SID>, Client = 000
  save it.
  Export PSE ABAP Certificate and import into J2EE Portal:
  STRUST
  Choose PSE, export it and save as <SID>.pse
  sapgenpse export_p12 -p <SID>.pse <SID>.p12
  copy the generated p12 file <SID>.p12 to J2EE Portal
  Go to Visual Administrator
  Choose <SID> - Server - Services - Key Storage - from the tree Select the view TicketKeystore under Views
  export the .p12 ABAP certificate with "Load"
  adjust com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule:
  Choose <SID> - Server - Services - Security Provider - from the components tree select evaluate_assertion_ticket
  ensure that trustediss<n>, trusteddn<n>, trustedsys<n> are correct set.
  ume.configuration.active = true.
  restart the ICM in SMICM
  If you also want to use SSL, there are some further steps to be done.
  Regards,
  Gerd

• Authentication on single sign on page slow and hangs.

  Hi members
  We are using Oracle application server single signon with Apex as partner application. The single sign on page authentication was working properly until yesterday when all of a sudden it became very slow. After the username and password are entered and login button is pressed, the blue status bar is moving extremely slow finally leading to a page not found. Can someone advise what components (logfiles etc) need to be checked to resolve this?
  Thank you.
  Ravi.

  Hi,
  I tried to find the cause but I have no clue yet as to what is wrong with this slowness of single sign on page. Can someone throw some light on this and tell what could be wrong here? Thank you. There are some errors in the HTTP Server Virtual Host log file and the log file is creates when oc4j_security was restarted. In the documentation, they were described as not uncommon. I am doubting if that is the reason behind the slowness. Thanks in advance.
  Wed May 27 11:46:09 2009] [error] [client 198.222.232.234] [ecid:
  1243439169:198.222.232.234:476:3948:151,0] File does not exist:
  d:/oracle/oracleas/apache/apache/htdocs/favicon.ico
  [Wed May 27 14:54:15 2009] [error] [client 198.222.232.234] [ecid:
  1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0015: recv() returns
  0. There has no message available to be received and oc4j has gracefully (orderly)
  closed the connection.
  [Wed May 27 14:54:15 2009] [error] [client 198.222.232.234] [ecid: 1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0054:
  Failed to call
  network routine to receive an ajp13 message from oc4j.
  [Wed May 27 14:54:15 2009] [error] [client 198.222.232.234] [ecid:
  1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0033: Failed to receive
  an ajp13 message from oc4j.
  [Wed May 27 14:54:15 2009] [warn] [client 198.222.232.234] [ecid: 1243450455:198.222.232.234:476:4028:185,0] MOD_OC4J_0078:
  Network connection
  errors happened to host: test02 and port: 12501 while receiving the first response from oc4j. This request is recoverable.
  [Wed May 27 15:13:19 2009] [notice] FastCGI: process manager initialized
  (End of Log File)

• Authenticate using JAAS and LDAP

  Hi,
  I am trying to authenticate a user using JAAS against LDAP. I am able to hit LDAP, but failing when it comes to authentication.
  Yes, I have made sure the user and password are right.
  Here is my code and error message. Would really appreciate if someone can tell me what am I doing wrong here.
  My 'jaas.config' file :
  JNDILogin {
       com.sun.security.auth.module.JndiLoginModule Required
       debug=true
       useFirstPass=false
       strongDebug=true
       tryFirstPass=true
       storePass=true
       user.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX"
  group.provider.url="Ldap://xxx.xxx.xxx.xxx:389/CN=someSecurityService,OU=XX,OU=XXXXX,OU=XXXXXX,OU=XXXXX,OU=XXXXXX,DC=XXX,DC=XXXXX,DC=XXX";
  My implementation class 'ClientSideSecurityImp,java' :
  import javax.security.auth.Subject;
  import javax.security.auth.callback.CallbackHandler;
  import javax.security.auth.login.LoginContext;
  import javax.security.auth.login.LoginException;
  import org.apache.log4j.*;
  import com.sun.security.auth.callback.TextCallbackHandler;
  import com.sun.security.auth.module.JndiLoginModule;
  * Filename is ClientSideSecurity.java
  public class ClientSideSecurityImp
  private static final Logger log = Logger
  .getLogger(ClientSideSecurityImp.class);
  private Subject activeSubject = null;
  private String userName = null;
  private String appName = null;
  private String viaMech = null;
  private LoginContext lc = null;
  public ClientSideSecurityImp(String appNameVal)
  this.appName = appNameVal;
  * (non-Javadoc)
  public boolean userAuthenticate() throws SecurityException//,
  // AuthenticationException
  boolean authenticated = false;
  String whereAmI = "ClientSideSecurityImp.UserAuthenticate()";
  CallbackHandler handler = null;
  JndiLoginModule jndi = new JndiLoginModule();
  handler = new TextCallbackHandler();
  if (lc == null)
  try
  lc = new LoginContext("JNDILogin", handler);
  lc.login();
  } catch (LoginException e)
  // TODO Auto-generated catch block
  e.printStackTrace();
  activeSubject = lc.getSubject();
  log.debug(activeSubject.toString());
  // if we return with no exeption then authentication was sucessful.
  authenticated = true;
  return authenticated;
  * @return success at removing the certificates.
  public boolean logout()
  String whereAmI = "ClientSideSecurityImp.logout()";
  boolean success = false;
  this.userName = "";
  this.activeSubject = null;
  return true;
  My test class with main 'ClientSideSecurityImpTest.java' :
  import org.apache.log4j.Logger;
  import org.apache.log4j.PropertyConfigurator;
  import com.jaas.ClientSideSecurityImp;
  import junit.framework.TestCase;
  * TODO To change the template for this generated type comment go to
  * Window - Preferences - Java - Code Style - Code Templates
  public class ClientSideSecurityImpTest extends TestCase
  private static ClientSideSecurityImp cssi = new ClientSideSecurityImp("MyApp");
  private static final Logger log = Logger.getLogger(ClientSideSecurityImp.class);
  public static void main(String[] args)
  PropertyConfigurator.configure("log4j.properties");
  boolean test = cssi.userAuthenticate();
  log.debug("**##$$##** Authenticated :" + test);
  Error I get :
  I get some error messages here that is expected as I have 'tryFirstPass=true' in my 'jaas.config' file. Then it asks for the user and password again. After that this is what I get:
  Ldap username: user
  Ldap password: password
            [JndiLoginModule] user entered username: user
            [JndiLoginModule] user entered password: password
            [JndiLoginModule]: User not found
  javax.naming.NoInitialContextException: Cannot instantiate class: =com.sun.jndi.ldap.LdapCtxFactory [Root exception is java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory]
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:652)
       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
       at javax.naming.InitialContext.init(InitialContext.java:219)
       at javax.naming.InitialContext.<init>(InitialContext.java:175)
       at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:496)
       at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
       at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
  Caused by: java.lang.ClassNotFoundException: =com/sun/jndi/ldap/LdapCtxFactory
       at java.lang.Class.forName0(Native Method)
       at java.lang.Class.forName(Class.java:219)
       at com.sun.naming.internal.VersionHelper12.loadClass(VersionHelper12.java:42)
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:649)
       ... 17 more
            [JndiLoginModule] regular authentication failed
            [JndiLoginModule]: aborted authentication failed
  javax.security.auth.login.FailedLoginException: User not found
       at com.sun.security.auth.module.JndiLoginModule.attemptAuthentication(JndiLoginModule.java:624)
       at com.sun.security.auth.module.JndiLoginModule.login(JndiLoginModule.java:310)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
       at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:58)
       at com.test.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
  java.lang.NullPointerException
       at com.jaas.ClientSideSecurityImp.userAuthenticate(ClientSideSecurityImp.java:65)
       at com.jaas.ClientSideSecurityImpTest.main(ClientSideSecurityImpTest.java:29)
  Thanks in advance.

  The error message clear cut says that the JVM cannot find the class com.sun.jndi.ldap.LdapCtxFactory. Make sure the LDAP provider jar which contains this class is in your program's classpath.

• Single sign on using AES or Triple DES algorithm.

  Hello all-
  At my client place we have to setup a Single Sign On Functionality to an external system. The link will be on the portal page for the employees to click. This functioanlity has to be done by either AES (Advanced Encryption Algorithm) or Triple DES algorithm.
  When the user clicks the SSO link on the portal page, the BSP application should implement any of these two above mentioned encryption algorithms and post the encrypted key appended to the third party URL. Then the third party system will decrypt and verify the user who is requesting the information and accordingly either allow or deny.
  If anyone has any info on this please revert back.
  Thank you very much for the help.
  Ramesh.

  Hi Ramesh,
  Did u get any clarification regarding Standard Triple DES algorithm.
  If yes,Please let me know.
  Thanks,
  JOhny lever

• Ldap and Single Sign on. for AACG and CCG

  If any body done ldap integration.
  Here are my problems.
  1) No clear documentation for AACG ldap configuration for GRCC. There little bit of documentation on GRCM but GRCC.
  2) CCG - also no clear documentation. just one screen what values it is neeed.
  3) does OID supported?
  4) can I used corporate AD for user integration.
  The Documentation doesnot talk about
  a) what happens if ldapis enabled can I login with admin account locally if ldap doesnot work?
  b) when ldap is enabled.. what role is assinged...
  thanks,
  Narender

  If you have a look at My Oracle Support (support.oracle.com) Document ID 741001.1: GRC Suite Support Matrix
  It looks like only EGRCM supports LDAP/OID to some degree. Also I would suggest to open an SR to make sure that the GRC products you want to use LDAP for are supported.