SSO and OID concepts

Is there any document which explains the concept and architecture of SSO and OID concepts in simple words?

Check the following notes/documents:
Overview of Oracle Single Sign-On
http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/toc.htm
Note: 261914.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=261914.1
Note: 233436.1 - Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=233436.1

Similar Messages

  • Questions on SSO and OID implementation on oracle EBIZ R12.0.6 ID 376811.1

    Hello Guys,
    Is Oracle 10g Enterprise Edition the same as Oracle Identity Management? I am a bit confused about what is going on: when we logged an SR we were told to use Oracle 10g AS (10.1.3.5), but the note always says Oracle 10g AS 10.1.4.X, which is in turn Identity Management. So do we need to install Oracle 10g AS (10.1.3.5) and then, on top of that, install Oracle Identity Management, which comprises OSSO and OID? Is that correct?
    in reference note 376811.1
    please advise
    thanks
    MN

    Hello Hussien,
    Anyways I upgraded to 10.1.3.5 patch_set 10gAs on ebiz r12.0.6
    I have other question regarding the doc ID 376811.1
    in there is section
    Pre-Install Task 4: Apply the latest certified Application Server Patchset
    Oracle E-Business Suite Release 12 is certified with the Application Server Patch Sets listed in the table below:
    Certified AS Patchset | Download Location | One-off Patch details (if any)
    Oracle Identity Management 10g Release 3 Patch Set 1 (10.1.4.2) | 5983637 | 8811442
    Oracle Identity Management 10g Release 3 Patch Set 2 (10.1.4.3) | 7215628 | 8811442
    Oracle Application Server and Oracle Developer Suite 10g Release 2 (10.1.2) Patch Set 2 (10.1.2.2.0) | 4960210 |
    Oracle Application Server and Oracle Developer Suite 10g Release 2 (10.1.2) Patch Set 3 (10.1.2.3.0) | 5983622 |
    Follow the installation instructions provided in the patch README to install the patch on your Identity Management Server and to check supported operating systems.
    Oracle always recommends latest certified AS patchset for E-Business Suite customer
    I installed Oracle 10g AS 10.1.4.0.1 and it's up and running, so do I need to just apply the Oracle Identity Management 10gR3 patchset (10.1.4.3),
    or do I have to apply both 10.1.4.3 and the Oracle Application Server 10g Release 2 (10.1.2) Patch Set 3 (10.1.2.3.0)?
    I ask because in Enterprise Manager Application Server Control it says version 10.1.2.0.2 and the Identity Management components show 10.1.4.0.1.
    thanks in advance.

  • Oracle Forms 11g SSO with OID and IAM

    What versions of OID and Access Manager are required to get an Oracle Forms and Reports 11.1.1.2 application
    on Weblogic 10.3.2 configured for Oracle SSO using OID authentication?
    We want the OID to store and authenticate Users for username and password logins to the database, then
    ultimately by user Certificate authentication in OID. I have OID 11.1.1.2 installed and SSO enabled for Forms
    in Enterprise Manager.
    Is Access Manager required for Forms SSO with OID authentication to work or just to allow user interaction
    for registration and Password reset?
    Things mention OAM 10.4.3 and others talk about IAM 11g for Forms 11.1.1.2 SSO to work with OID.
    We did this back in Oracle Forms and OID 10g with JSP and LDAP to setup users but I understand 11g is
    different and IAM can help or is required for this type of SSO to work.
    Any help?
    Edited by: Kirch on Apr 30, 2013 7:39 AM

    Hi,
    According to Oracle's certification matrix found at http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls, Oracle Forms 11.1.1.2 is not supported to use any Oracle Access Manager (OAM) version. OAM is a component of IAM. It is only supported with Oracle SSO 10.1.4.x. The best solution would be to upgrade the Forms and Reports environment to either 11gR2 (11.1.2.1) or to the latest 11gR1 patchset 11.1.1.7. Both versions are compatible with OAM 11.1.1.7.0 and OID 11.1.1.7.0 where only Forms 11gR2 (11.1.2.1) is compatible with OAM 11.1.2.0 and OID 11.1.1.7.0. That would be the best solution as we have run into configuration problems in the past with using Oracle SSO 10.1.4.x.
    Since OID 11.1.1.2.0 is already installed, you should be able to patch it up to 11.1.1.7.0.
    For user authentication in OID, it is required to have OAM or Oracle SSO as both products use WebGate or mod_osso agents for authentication and authorization. For purposes of allowing end users to register accounts and password reset, you will either need to also install another IAM component called Oracle Identity Manager (OIM) or create a customized SSO login page that can be coded to perform these actions. I believe there are some examples available on the Internet.
    Thanks,
    Scott
    http://pitss.com/us

  • SSL between SSO Server and OID

    Can the communication between SSO Server and OID
    be encrypted using LDAP over SSL?
    If so, how to set-up?
    Thanks,

    Hi Bikash,
    Doc mentions that communication between AD and connector server is secure with ICF architecture.
    Just wanted to confirm if same is true between OIM and connector server.
    Saurabh mentions that between OIM and connector server ssl is required? Please confirm.
    Thanks

  • Terminating ssl on a bigip, disco and oid running on the same machine

    hi,
    please could someone point me in the right direction.
    I have a working discoverer server 10.1.2 running on a host on 7777
    I have a working 10.1.2 SSO and OIM 10.1.2 server running on the same host on port 7779
    Everything works fine with OID authentication being forwarded to AD servers.
    I'd like to put a bigip in front of the SSO server and terminate the SSL on the bigip, because this seemed to be simplest.......
    The bigip docs say delete the SSO Server from the partner apps (this isn't possible from the SSO web interface, I can only view it).
    I need to get discoverer to connect to the https://[bigip] for SSO authentication.
    I know I need to use ssoreg.sh to do this, the combination of commands eg which homes to use I am having difficulty getting right.
    Thanks in advance,
    Robbo

    And also, how I can interchange message between independent applications (or services) on the same computer?
    The same way you would interchange messages between them if they were running on different computers.
    You already seem to understand the concept of clients and servers passing messages between each other. There is nothing to prevent a "server" from being a client of another server. And there is nothing to prevent a client from running on the same computer as a server.

  • SSO and how to Managing User Roles/Privileges with Forms using Oracle db

    We are in the process of implementing Oracle Application Server SSO with our custom Forms application using Oracle database -- all 10.2.0.1.0 version.
    In our Forms Applications, we have about a dozen roles we have assigned to various users. We need to identify each user using our Forms because we are using the GLOBAL USER throughout the application.
    Questions:
    -- Do we have to create users/passwords in both OID and application database?
    -- Is there a way to easily manage the user and passwords between SSO and Forms App/database in one place? For example, how does a user change their password once, but actually change it in both the database and SSO?
    Any advice and/or direction would be greatly appreciated.
    Thank you,
    Mika
    Edited by: user11846198 on Sep 1, 2009 1:41 PM
    Edited by: user11846198 on Sep 1, 2009 1:53 PM

    Yes, you can have global roles in the DB and assign these roles to specific OID users, and they will inherit the privileges. You can do this using the Oracle Identity Management Web Tool http://hostname:7777/oiddas; it is not complicated.
    Greetings.

  • SSO and iRecruitment

    We recently registered our E-Business instance with 10g SSO and everything is working as expected except for iRecruitment. External users can access the iRecruitment home page without any problem. When they attempt to login I expect that they are directed to a local login page, but for some reason they are directed to the SSO login page... which makes no sense for an external user. Has anyone seen this or have any suggestions for resolving the issue? Thanks.
    Frank Wright

    Our SSO login page is internally accessible only. Apparently, SSO registration is all or nothing for the entire E-Business Suite. We are able to set APPS_SSO_TYPE (the profile option to enable or disable SSO) only at the site level. Looks like this is a relatively recent change, per Metalink note 402122.1:
    "If you are on OA Framework 11.5.10 ATG CU 3 the Applications SSO Type
    can only be set at site level and no lower. Prior to OA Framework
    11.5.10 ATG CU 3, there was the ability to set the system profile
    Applications SSO Type at a lower level."
    Our SSO server authenticates against Oracle Internet Directory which is synchronizing and externally authenticating with Active Directory. EBS accounts are provisioned unidirectionally from OID. If, as I understand, SSO is all or none with all EBS applications, then I think we will have to:
    1) Modify EBS provisioning to be bidirectional, OID->EBS and EBS->OID
    2) Configure OID DIT to place reconciled EBS accounts in a container that will not be externally authenticated against AD
    3) Put our SSO login server in the DMZ
    If we do all these things then I think everything will work right. Is this correct, and/or is there any other way? It seems silly to me that external iRecruitment users should be forced to authenticate with our SSO server...
    Thanks,
    Frank Wright

  • Setup and Configure IM Components SSO and DAS on Replica RMS Node

    Dear All,
    I was trying the step
    Step 5: How to Setup and Configure IM Components SSO and DAS on Replica RMS Node In Multimaster Replication (MMR) with Identity Management (IM) Cluster in High Availability Env
    But, at the stage to connect to OID, it is not connecting to the RMS database.
    When I checked the login through ODM, it connects fine. Also, ldapbind binds fine.
    How can I solve this? What could be the issue, and where should I check?
    Also, from the RMS, when I am connecting through the EM console, I am not getting any output on the Infrastructure link to change the passwords. It's showing
    Identity Management
    Error retrieving information of default metadata repository.
    Unable to establish secure connection to Oracle Internet Directory Server ldap://devportal.paaf.gov.kw:636/ Base Exception : javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    If there are any experts, please reply. Last time I created a TAR it took months to resolve, and ultimately nothing happened; they closed the TAR after some time, as I was busy with other work and not able to proceed with the synchronization.
    Thanks in advance,
    With Regards,
    Sheeja Anil

    Rule [ 47 ]: fuser link
    ~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the fuser symbolic link /sbin/fuser -> /bin/fuser exists or
    not. This is required for Suse 8.0 and Suse 9.0.
    Test [ PASSED ] :
    Not required =~ Exists|Not required
    Action:
    fuser link exists or not required.
    Rule [ 48 ]: orarun package
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the orarun package is installed and if the oracle user
    environment need to be reset. This is only required for Suse 8.0 and
    Suse 9.0.
    Test [ PASSED ] :
    Not applicable =~ Not installed|Installed correctly|Not
    applicable|Environment reset not required
    Action:
    orarun is not installed or installed correctly.
    Rule [ 49 ]: semmsl
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if semmsl kernel parameter is 256 or higher. For more details on
    how to configure this parameter, refer to Oracle Application Server
    10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
    Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    semmsl kernel parameter is 256 or higher.
    Rule [ 50 ]: semmns
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if semmns kernel parameter is 32000 or higher. For more details
    on how to configure this parameter, refer to Oracle Application Server
    10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
    Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    semmns kernel parameter is 32000 or higher.
    Rule [ 51 ]: semopm
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if semopm kernel parameter is 100 or higher. For more details on
    how to configure this parameter, refer to Oracle Application Server
    10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
    Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    semopm kernel parameter is 100 or higher.
    Rule [ 52 ]: semmni
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if semmni kernel parameter is 142 or higher. For more details on
    how to configure this parameter, refer to Oracle Application Server
    10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
    Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    semmni kernel parameter is 142 or higher.
    Rule [ 53 ]: shmall
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if shmall kernel parameter is 2097152 or higher. For more
    details on how to configure this parameter, refer to Oracle
    Application Server 10.1.2 Installation Guide - Chapter 4 - Section
    4.3.2 Configuring the Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    shmall kernel parameter is 2097152 or higher.
    Rule [ 54 ]: shmmax
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if shmmax kernel parameter is 2147483648 or higher. For more
    details on how to configure this parameter, refer to Oracle
    Application Server 10.1.2 Installation Guide - Chapter 4 - Section
    4.3.2 Configuring the Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    shmmax kernel parameter is 2147483648 or higher.
    Rule [ 55 ]: shmmni
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if shmmni kernel parameter is 4096 or higher. For more details
    on how to configure this parameter, refer to Oracle Application Server
    10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
    Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    shmmni kernel parameter is 4096 or higher.
    Rule [ 56 ]: msgmax
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if msgmax kernel parameter is 8192 or higher. For more details
    on how to configure this parameter, refer to Oracle Application Server
    10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
    Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    msgmax kernel parameter is 8192 or higher.
    Rule [ 57 ]: msgmnb
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if msgmnb kernel parameter is 65535 or higher. Refer to Oracle
    Application Server 10g Installation Guide 10g - Chapter 4 - Section
    4.3.3 Configuring the Kernel Parameters on Linux for more details on
    how to configure this.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    msgmnb kernel parameter is 65535 or higher.
    Rule [ 58 ]: msgmni
    ~~~~~~~~~~~~~~~~~~~
    Description:
    Check if msgmni kernel parameter is 2878 or higher. For more details
    on how to configure this parameter, refer to Oracle Application Server
    10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
    Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    msgmni kernel parameter is 2878 or higher.
    Rule [ 59 ]: file-max
    ~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if file-max kernel parameter is 131072 or higher. For more
    details on how to configure this parameter, refer to Oracle
    Application Server 10.1.2 Installation Guide - Chapter 4 - Section
    4.3.2 Configuring the Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    file-max kernel parameter is 131072 or higher.
    Rule [ 60 ]: ip_local_port_range
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if ip_local_port_range kernel parameter is between 10000 and
    65000 or higher. For more details on how to configure this parameter,
    refer to Oracle Application Server 10.1.2 Installation Guide - Chapter
    4 - Section 4.3.2 Configuring the Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    ip_local_port_range kernel parameter is between 10000 and 65000 or
    higher.
    Rule [ 61 ]: limit processes
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the limit of max processes is set to 16384 or higher. For
    more details on how to configure this parameter, refer to Oracle
    Application Server 10.1.2 Installation Guide - Chapter 4 - Section
    4.3.2 Configuring the Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    The limit of max processes is set to 16384 or higher.
    Rule [ 62 ]: limit descriptors
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the limit of file descriptors is set to 65536 or higher. For
    more details on how to configure this parameter, refer to Oracle
    Application Server 10.1.2 Installation Guide - Chapter 4 - Section
    4.3.2 Configuring the Kernel Parameters on Linux.
    Test [ PASSED ] :
    Adequate = Adequate
    Action:
    The limit of descriptors is set to 65536 or higher.
    Rule [ 63 ]: Port 1521
    ~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if port 1521 is free or not. If port 1521 is used by an Oracle
    listener version 10.1.0.2 or later, then the existing listener will be
    used by the existing database and the Oracle Application Server 10g
    Metadata Repository. The installer will perform this configuration
    automatically. If port 1521 is used by an Oracle listener version
    earlier than 10.1.0.2, then the existing listener need to be stopped.
    After the installation is complete, the new 10.1.0.2 listener can be
    configured to listen to the existing (pre 10.1.0.2) databases. If port
    1521 is used by non-oracle programs, then this program need to be
    configured to listen to ports other than 1521. Refer to Installation
    Guide, section 4.4.4 for more details.
    Test [ PASSED ] :
    TNS Listener 10.1.0.2 or higher is running =~ TNS Listener 10.1.0.2 or
    higher is running|Free
    Action:
    Port 1521 is not used, or is used by TNS*Listener version 9.0.1 or
    higher.
    Rule [ 64 ]: Environment Variables
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the following environment variables are not set: TNS_ADMIN,
    ORA_NLS, and LD_BIND_NOW. In addition, the following environment
    variables must not references to any existing Oracle Home: PATH,
    CLASSPATH and LD_LIBRARY_PATH.
    Test [ FAILED ] :
    Has reference to existing Oracle Homes = Properly defined
    Action:
    Refer to the following table for the necessary action to take:
    <PRE>
    Return Value          Action
    Has reference to existing     Remove any reference to existing
    Oracle Homes          Oracle Homes from PATH, CLASSPATH
                        and LD_LIBRARY_PATH.
    Some variables are set     Unset TNS_ADMIN, ORA_NLS, and
                        LD_BIND_NOW.
    Cannot access /etc/oratab     Grant read permission on
                        /etc/issue to the current user.
    </PRE>
    Rule [ 67 ]: DNS Lookup
    ~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the host is properly registered in the DNS.
    Test [ FAILED ] :
    nslookup IP_address = Host correctly registered in DNS
    Action:
    Refer to the following table for the necessary action to take:
    <PRE>
    Return Value          Action
    nslookup host.domain     The DNS server failed to resolve the
                        nslookup using host.domain.
    nslookup IP_address     The DNS server failed to resolve the
                        nslookup using IP address.
    Cannot determine IP address Fix any problem with host IP address.
    Cannot access          Grant execute permission on
    /usr/bin/nslookup      /usr/bin/nslookup to the current
                        user.
    </PRE>
    Rule [ 68 ]: /etc/hosts format
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if /etc/hosts file contains a line with "ip_address
    fully_qualified_hostname short_hostname".
    Test [ PASSED ] :
    Contains host.domain = Contains host.domain
    Action:
    The Fuly Qualified Domain name has been set correctly.
    Rule [ 69 ]: Oracle Home length
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check that the path to the Oracle home directory is not longer than
    127 characters.
    Test [ PASSED ] :
    Less than 127 char = Less than 127 char
    Action:
    Oracle Home directory is not longer than 127 characters.
    Rule [ 70 ]: Memory for Dev Kit
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the machine has enough memory to install Developer Kits
    install type. The minimum requirements is 256 MB.
    Test [ PASSED ] :
    Available = Available
    Action:
    The machine has enough memory to install J2EE & Webcache install type.
    Rule [ 71 ]: Memory for BI&Forms
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the machine has enough memory to install Business
    Intelligence & Forms install type. The minimum requirements is 1 GB.
    Test [ PASSED ] :
    Available =~ Available|Install type not available
    Action:
    The machine has enough memory to install Business Intelligence & Forms
    install type.
    Rule [ 72 ]: Space for BI&Forms
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the machine has enough disk space to install Business
    Intelligence & Forms install type. The minimum requirements is 2 GB.
    Test [ PASSED ] :
    Available =~ Available|Install type not available
    Action:
    The machine has enough disk space to install Business Intelligence &
    Forms install type.
    Rule [ 73 ]: control-center
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the minimum required control-center package version is
    installed. For RedHat AS/ES 4.0: control-center-2.8.0-12.
    Test [ PASSED ] :
    Adequate =~ Adequate|Not required
    Action:
    The required compat-db package version or higher is installed.
    Rule [ 74 ]: xscreensaver
    ~~~~~~~~~~~~~~~~~~~~~~~~~
    Description:
    Check if the minimum required xscreensaver package version is
    installed. For RedHat AS/ES 4.0: xscreensaver-4.18-5.rhel4.2.
    Test [ PASSED ] :
    Adequate =~ Adequate|Not required
    Action:
    The required compat-db package version or higher is installed.

  • Java SSO and IIS

    This is a repeat of this post: Java SSO and IIS
    No one answered there.
    Hello,
    my organization uses Java SSO authentication in Oracle Application Server. Now we want to "expand" SSO so that our IIS applications can benefit from Oracle SSO and user needn't print user name / password again. Is there any way to use Java SSO in IIS? In this project we use Java SSO, not Oracle Identity Management.
    Thanks in advance

    Hi ,
    I installed and configured the policy agent successfully. While I am trying to access the application URL I am getting the following error.
    I am using IIS6.0 and access manager 7.1.
    Error 2824:15b9918 AuthService: AuthService::processLoginStatus() Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp.
    2009-03-10 00:03:05.828 Error 2824:15b9918 PolicyEngine: am_policy_evaluate: InternalException in AuthService::processLoginStatus() with error message:Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp and code:3
    2009-03-10 00:03:05.828 Warning 2824:15b9918 PolicyAgent: am_web_is_access_allowed()(http://fcs-ylwkuzfoz1q.ramesh.com:99/website.html, GET) denying access: status = Access Manager authentication service failure
    2009-03-10 00:03:05.828 Debug 2824:15b9918 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://fcs-ylwkuzfoz1q.ramesh.com:99/website.html.
    2009-03-10 00:03:05.828 Info 2824:15b9918 PolicyAgent: am_web_is_access_allowed()(http://fcs-ylwkuzfoz1q.ramesh.com:99/website.html, GET) returning status: Access Manager authentication service failure.
    2009-03-10 00:03:05.828 Debug 2824:15b9918 PolicyAgent: HttpExtensionProc(): status after am_web_is_access_allowed = Access Manager authentication service failure (3)
    2009-03-10 00:03:05.828 Error 2824:15b9918 PolicyAgent: HttpExtensionProc(): status: Access Manager authentication service failure (3)
    2009-03-10 00:03:05.828 Debug 2824:15b9918 PolicyAgent: OnSendResponse(): HTTP Status code is 500
    Can anyone please help me to resolve this?
    Thanks
    Ramesh Kumar GV

  • SSO and external applications

    Hello folks,
    Due to my inexperience with PS6, I'm looking for some high-level outline that will help me look in the right places and understand things better here.
    I have an external application that requires authentication via a web form (or by attaching the username and password on the URL as parameters).
    What I want to do is have a channel of this application and utilize information from the SSO mechanism to redirect the request to that remote app and provide the credentials for a transparent login.
    From what I understand this can be done by having a servlet in that channel to retrieve the credentials of the user for that remote application from the SSO and then redirect to the external application, attaching the credentials to the URL.
    Is the above correct? I would appreciate any pointers or considerations since my experience with PS is minimal.
    Thanks in advance,
    Manos

    I don't see a way for that servlet to retrieve a password for the user - it's not stored in the session.
    There are the following options:
    1. OpenText LiveLink way: You have some "hidden" password for every user (based on user's ID and a shared key) known only to your server and this servlet. Servlet will supply this password.
    2. Normal way - web server: Implement login module to this application, which will trust REMOTE_USER variable provided by the agent on the web server.
    3. Normal way - standalone app: Implement login module to this application which will validate DSAME session cookie on the DSAME server. You can use example code in the SUNWam/samples/ of your server.
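
Option 1 above, sketched as an added example (not part of the original reply and not code from any product named here): the portal servlet and the external application each derive the same per-user password from the user ID and a shared key. The HMAC-SHA256 construction, the function names, the sample key and the case-insensitive user ID are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption). In a deployment the key lives in a secret
# store readable only by the portal servlet and the external application.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _field(value: str) -> bytes:
    """Length-prefix one field so ("ab", "c") and ("a", "bc") encode differently."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def derive_app_password(user_id: str, app_id: str, key: bytes = SHARED_KEY) -> str:
    """Portal side: return the hidden per-user password for one external app."""
    # Assumption: user IDs are case-insensitive, so normalise before hashing.
    user = user_id.strip().casefold()
    if not user or not app_id:
        raise ValueError("user_id and app_id must be non-empty")
    if len(key) < 16:
        raise ValueError("shared key too short")
    # Binding the application name into the MAC keeps a password issued for
    # one application from being accepted by another that shares the key.
    mac = hmac.new(key, _field(app_id) + _field(user), hashlib.sha256).digest()
    # URL-safe text form: 43 characters for a 32-byte MAC.
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def verify_app_password(user_id: str, app_id: str, presented: str,
                        key: bytes = SHARED_KEY) -> bool:
    """External-application side: recompute and compare in constant time."""
    try:
        expected = derive_app_password(user_id, app_id, key)
    except ValueError:
        return False
    # Compare as bytes: compare_digest rejects non-ASCII str arguments.
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


if __name__ == "__main__":
    pw = derive_app_password("manos", "legacy-app")
    print("accepted for same user: ", verify_app_password("manos", "legacy-app", pw))
    print("accepted for other user:", verify_app_password("other", "legacy-app", pw))
```

Anyone who holds the shared key can compute every user's password, so the key needs the same protection as an administrator credential.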

  • ADFS SSO and SharePoint 2013 on-premise Hybrid outbound search results from SharePoint Online - does it work?

    Hi, 
    I want to set up an outbound hybrid search for SharePoint 2013 on-premise to SharePoint Online.
    But I'm not sure if this works with ADFS SSO.
    Has somebody experience with this setup?
    Here's my guide which I'm going to use for this installation:
    Introduction
    In this post I'll show you how to get search results from your SharePoint Online in your SharePoint 2013 on-premise search center.
    Requirements
    User synchronisation ActiveDirectory to Office 365 with DirSync
    DirSync password sync or ADFS SSO
    SharePoint Online
    SharePoint 2013 on-premise
    Enterprise Search service
    SharePoint Online Management Shell
    Instructions
    All configuration will be done either in the Search Administration of the Central Administration or in the PowerShell console of your on-premise SharePoint 2013 server.
    Set up Server to Server Trust
    Export certificates
    To create a server to server trust we need two certificates.
    [certificate name].pfx: In order to replace the STS certificate, the certificate is needed in Personal Information Exchange (PFX) format including the private key.
    [certificate name].cer: In order to set up a trust with Office 365 and Windows Azure ACS, the certificate is needed in CER Base64 format.
    First launch the Internet Information Services (IIS) Manager
    Select your SharePoint web server and double-click Server Certificates
    In the Actions pane, click Create Self-Signed Certificate
    Enter a name for the certificate and save it with OK
    To export the new certificate in the Pfx format select it and click Export in the Actions pane
    Fill the fields and click OK. Export to: C:\[certificate name].pfx Password: [password]
    We also need to export the certificate in the CER Base64 format. For that purpose, right-click the certificate, select it and click View...
    Click the Details tab and then click Copy to File
    On the Welcome to the Certificate Export Wizard page, click Next
    On the Export Private Key page, click Next
    On the Export File Format page, click Base-64 encoded X.509 (.CER), and then click Next.
    As file name enter C:\[certificate name].cer and then click Next
    Finish the export
    Import the new STS (SharePoint Token Service) certificate
    Let's update the certificate on the STS. Configure and run the PowerShell script below on your SharePoint server.
    [code lang="ps"]
    if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
    # set the certificate paths and password
    $PfxCertPath = "c:\[certificate name].pfx"
    $PfxCertPassword = "[password]"
    $X64CertPath = "c:\[certificate name].cer"
    # get the encrypted pfx certificate object
    # 20 = X509KeyStorageFlags Exportable (4) + PersistKeySet (16)
    $PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
    # import it
    Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $PfxCert
    [/code]
    Type Yes when prompted with the following message.
    You are about to change the signing certificate for the Security Token Service. Changing the certificate to an invalid, inaccessible or non-existent certificate will cause your SharePoint installation to stop functioning. Refer to the following article for instructions on how to change this certificate: http://go.microsoft.com/fwlink/?LinkID=178475. Are you sure, you want to continue?
    Restart IIS so STS picks up the new certificate.
    [code lang="ps"]
    & iisreset
    & net stop SPTimerV4
    & net start SPTimerV4
    [/code]
    Now validate the certificate replacement by running several PowerShell commands and comparing their outputs.
    [code lang="ps"]
    # set the certificate paths and password
    $PfxCertPath = "c:\[certificate name].pfx"
    $PfxCertPassword = "[password]"
    # get the encrypted pfx certificate object
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
    # compare the output above with this output
    (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    [/code]
    ## Establish the server to server trust
    [code lang="ps"]
    if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
    Import-Module MSOnline
    Import-Module MSOnlineExtended
    # set the certificate paths and password
    $PfxCertPath = "c:\[certificate name].pfx"
    $PfxCertPassword = "[password]"
    $X64CertPath = "c:\[certificate name].cer"
    # set the onpremise domain that you added to Office 365
    $SPCN = "sharepoint.domain.com"
    # your onpremise SharePoint site url
    $SPSite="http://sharepoint"
    # don't change this value
    $SPOAppID="00000003-0000-0ff1-ce00-000000000000"
    # get the encrypted pfx certificate object
    $PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
    # get the raw data
    $PfxCertBin = $PfxCert.GetRawCertData()
    # create a new certificate object
    $X64Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    # import the base 64 encoded certificate
    $X64Cert.Import($X64CertPath)
    # get the raw data
    $X64CertBin = $X64Cert.GetRawCertData()
    # save base 64 string in variable
    $CredValue = [System.Convert]::ToBase64String($X64CertBin)
    # connect to Office 365
    Connect-MsolService
    # register the on-premise STS as service principal in Office 365
    # add a new service principal
    New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -Type asymmetric -Usage Verify -Value $CredValue
    $MsolServicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
    $SPServicePrincipalNames = $MsolServicePrincipal.ServicePrincipalNames
    $SPServicePrincipalNames.Add("$SPOAppID/$SPCN")
    Set-MsolServicePrincipal -AppPrincipalId $SPOAppID -ServicePrincipalNames $SPServicePrincipalNames
    # get the online name identifier
    $MsolCompanyInformationID = (Get-MsolCompanyInformation).ObjectID
    $MsolServicePrincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppID).ObjectID
    $MsolNameIdentifier = "$MsolServicePrincipalID@$MsolCompanyInformationID"
    # establish the trust from on-premise with ACS (Azure Control Service)
    # add a new authentication realm
    $SPSite = Get-SPSite $SPSite
    $SPAppPrincipal = Register-SPAppPrincipal -site $SPSite.rootweb -nameIdentifier $MsolNameIdentifier -displayName "SharePoint Online"
    Set-SPAuthenticationRealm -realm $MsolServicePrincipalID
    # register the ACS application proxy and token issuer
    New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/metadata/json/1/" -DefaultProxyGroup
    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"
    Add a new result source
    To get search results from SharePoint Online we have to add a new result source. Run the following script in a PowerShell ISE session on your SharePoint 2013 on-premise server. Don't forget to update the settings region.
    if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
    # region settings
    $RemoteSharePointUrl = "http://[example].sharepoint.com"
    $ResultSourceName = "SharePoint Online"
    $QueryTransform = "{searchTerms}"
    $Provier = "SharePoint-Remoteanbieter"
    # region settings end
    $SPEnterpriseSearchServiceApplication = Get-SPEnterpriseSearchServiceApplication
    $FederationManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($SPEnterpriseSearchServiceApplication)
    $SPEnterpriseSearchOwner = Get-SPEnterpriseSearchOwner -Level Ssa
    $ResultSource = $FederationManager.GetSourceByName($ResultSourceName, $SPEnterpriseSearchOwner)
    # create the result source only if it does not exist yet
    if(!$ResultSource){
        Write-Host "Result source does not exist. Creating..."
        $ResultSource = $FederationManager.CreateSource($SPEnterpriseSearchOwner)
    }
    $ResultSource.Name = $ResultSourceName
    $ResultSource.ProviderId = $FederationManager.ListProviders()[$Provier].Id
    $ResultSource.ConnectionUrlTemplate = $RemoteSharePointUrl
    $ResultSource.CreateQueryTransform($QueryTransform)
    $ResultSource.Commit()
    Add a new query rule
    In the Search Administration click on Query Rules
    Select Local SharePoint as Result Source
    Click New Query Rule
    Enter a Rule name, e.g. Search results from SharePoint Online
    Expand the Context section
    Under Query is performed on these sources click on Add Source
    Select your SharePoint Online result source
    In the Query Conditions section click on Remove Condition
    In the Actions section click on Add Result Block
    As title enter Results for "{subjectTerms}" from SharePoint Online
    In the Search this Source dropdown select your SharePoint Online result source
    Select 3 in the Items dropdown
    Expand the Settings section and select "More" link goes to the following URL
    In the box below enter this Url https://[example].sharepoint.com/search/pages/results.aspx?k={subjectTerms}
    Select This block is always shown above core results and click the OK button
    Save the new query rule
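The validation step in the post above compares two console outputs by eye. The following is an added example, not part of the original post, that compares the thumbprints of the PFX, the .cer registered with Office 365 and the live STS signing certificate in one function. `Test-StsSigningCertificate`, its parameters and the 30-day threshold are assumptions made for illustration.

```powershell
if (-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}

# Hypothetical helper (not a SharePoint cmdlet): checks that all three copies
# of the signing certificate are the same certificate and not close to expiry.
function Test-StsSigningCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxCertPath,
        [Parameter(Mandatory = $true)] [string] $CerCertPath,
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $PfxCertPassword,
        [int] $MinDaysValid = 30   # assumed threshold, adjust to your renewal policy
    )
    # The post loads the PFX with flags 20 (Exportable + PersistKeySet). A read-only
    # comparison does not need the key persisted or exportable, so use DefaultKeySet.
    $Flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $Pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxCertPath, $PfxCertPassword, $Flags
    $Cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerCertPath
    $Sts = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

    $Result = New-Object PSObject -Property @{
        StsThumbprint    = $Sts.Thumbprint
        PfxMatchesSts    = ($Pfx.Thumbprint -eq $Sts.Thumbprint)   # import took effect
        CerMatchesSts    = ($Cer.Thumbprint -eq $Sts.Thumbprint)   # Office 365 gets the same cert
        PfxHasPrivateKey = $Pfx.HasPrivateKey                      # a signing cert needs its key
        NotAfter         = $Sts.NotAfter
        ValidLongEnough  = ($Sts.NotAfter -gt (Get-Date).AddDays($MinDaysValid))
    }
    $Pfx.Reset()   # release the loaded certificate once the values are captured
    return $Result
}

# Prompt for the password instead of storing it in the script in clear text.
$PfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$Check = Test-StsSigningCertificate -PfxCertPath "c:\[certificate name].pfx" `
    -CerCertPath "c:\[certificate name].cer" -PfxCertPassword $PfxPassword
$Check | Format-List
if (-not ($Check.PfxMatchesSts -and $Check.CerMatchesSts -and
          $Check.PfxHasPrivateKey -and $Check.ValidLongEnough)) {
    Write-Warning "STS signing certificate check failed; fix this before establishing the trust."
}
```

A mismatch between the .cer and the STS certificate means Office 365 would be given a public key that does not correspond to the key the on-premise STS signs tokens with.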

    Hi  Janik,
    According to your description, my understanding is that you want to display hybrid search results in SharePoint Server 2013.
    For achieving your demand, please have a look at the article:
    http://technet.microsoft.com/en-us/library/dn197173(v=office.15).aspx
    If you are using single sign-on (SSO) authentication, it is important to test hybrid Search functionality by using federated user accounts. Native Office 365 user accounts and Active Directory Domain Services
    (AD DS) accounts that are not federated are not recognized by both directory services. Therefore, they cannot authenticate using SSO, and cannot be granted permissions to resources in both deployments. For more information, see Accounts
    needed for hybrid configuration and testing.
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • SSO and WebUtil

    Hi,
    I have a form that was working with webutil. We implemented SSO on the server. Now the webutil jar file does not load - it cannot find it.
    Getting the following message in java console:
    Loading http://capps.cauto.com/forms90/webutil/webutil.jar from JAR cache
    Loading http://capps.cauto.com/forms90/webutil/jacob.jar from JAR cache
    Loading http://capps.cauto.com/forms90/java/f90all_jinit.jar from JAR cache
    RegisterWebUtil - Loading Webutil Version 1.0.2 Beta
    Loading http://capps.cauto.com/forms90/java/rolloverbutton.jar from JAR cache
    Loading http://capps.cauto.com/forms90/java/hyperlink.jar from JAR cache
    connectMode=HTTP, native.
    Forms Applet version is : 90290
    java.io.IOException: Could not connect to http://wadjet.cauto.com/forms90/webutil/webutil.jar
         at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
         at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
         at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
    Has anyone use SSO and webutil?
    Thanks,
    Mary Santry

    Mary,
    using single sign-On with Forms should not have an impact to webutil.jar.
    Just to be sure: You configured webutil and it works if not running using single sign-on. You configured Forms to use single sign-on (uncommenting the mod_osso directive in forms90.conf file) and from now on webutil.jar cannot be found.
    What if you directly try and request the webutil.jar file from a Browser
    http://wadjet.cauto.com/forms90/webutil/webutil.jar ?
    Can you access jacob.jar using a Browser URL?
    Fran

  • SSO and BiBeans

    Hi,
    I want to use SSO with BI Beans. I have my BI Beans deployed on a 9iasR2 (9.0.2.3). I edited mod_osso.conf with <Location /*appname*> require valid-user authType Basic </Location> and I have uncommented the SSO blocks in BIController.
    After authenticating to the SSO, I always get a NullPointerException. I looked in the code and found that application.getBISession() is not initialized.
    Please, does anybody have an idea, or does anybody know of documentation about SSO and BI Beans?
    best regards
    Rene

    cn=XXX information is missing for the SSO Server (orasso) when going to http://servername:7777/pls/orasso/orasso.home. Is that causing the problem? If so, how can I resolve it?
    Thanks.
    Andy

  • SSO and success URL with parameters

    Hello
    I have succeeded in configuring the HTML_DB engine as a Partner App for Oracle SSO.
    HTML_DB 1.5.0.00.33
    Oracle IAS Release 1, i.e. 1.0.2.2.2
    I'm entering the HTML_DB application from outside, directly to a concrete page with concrete parameters. The calling outside app is authenticated with SSO.
    Example URL: http://host/pls/DAD/f?p=103:3:::::PAR1,PAR2:VAL1,VAL2
    I'm then authenticated against SSO and redirected to my requested page, but the parameters are lost. The URL looks like http://host/pls/DAD/f?p=103:3:987698769876098
    It only happens on the first try. Next time I have a session and I'm redirected together with the parameters.
    It seems that http://host/pls/DAD/wwv_flow_custom_auth_sso.process_success is somehow getting the wrong parameter URLC, without the parameters. Why?
    Please help!
    Yours,
    jan lakspere

    Hi
    Thanks, Scott.
    This patch 1.5.1 solved this problem. Now SSO redirect forwards the parameters together with URL.
    Yours,
    jan

  • SSO and LDAP not working after revoking Territory selection choice of SSO

    Hi, I have a 9iAS 9.0.2 infrastructure on a Win 2k box.
    Earlier the territory selection choice was checked,
    but then I unchecked that option and logged out of SSO.
    Now the problem is that I am not getting the SSO and Internet Directory home pages,
    while the Enterprise Manager web page shows both are up.
    Win 2k's task manager also shows all three Internet Directory processes running, along with the other essential processes.
    Any clue?
    My whole work and intranet & extranet is not accessible due to this. It would be great if I could get any tip or hint.
    thanks a lot... in advance...
    regards
    samir

    Well, this is certainly a case where I would be opening a tech support case. Your server is down, and you need help . .
    I'll try what I can for you.
    [18/Jun/2004:09:21:57 -0400] vipmail2 httpd[1560]: Account Debug: SASL [10.29.11.63] Cannot get namespace for domain vipmail2.kvcc.edu: Entry not found
    This likely means that you've missed another, earlier error in the log. I suspect that what may have happened, is that the USER that Messaging Server connects to LDAP with has had a password change, and you're no longer able to BIND to LDAP to make queries.
    I would start looking at your LDAP Access Log, and see what user you're attempting to BIND as, and see if that BIND is successful.
    The contents of msg.conf and your other file is useful as information, but is not a user-editable file. You must use configutil to make changes, as this data is stored in LDAP, and on server startup, the files will be rewritten with ldap data.
