SSO and OID concepts
Is there any document which explains the concepts and architecture of SSO and OID in simple words?
Check the following notes/documents:
Overview of Oracle Single Sign-On
http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/toc.htm
Note: 261914.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=261914.1
Note: 233436.1 - Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i
https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=233436.1
Similar Messages
-
Questions on SSO and OID implementation on oracle EBIZ R12.0.6 ID 376811.1
Hello Guys,
Is Oracle 10g Enterprise Edition the same as Oracle Identity Management? I am a bit confused about what is going on: when we logged an SR we were told to use Oracle 10g AS (10.1.3.5), but the note always says Oracle 10g AS 10.1.4.x, which is in turn Identity Management. So we need to install Oracle 10g AS (10.1.3.5) and then on top of that install Oracle Identity Management, which comprises OSSO and OID. Is that correct?
In reference to note 376811.1.
Please advise.
Thanks,
MN
Hello Hussien,
Anyway, I upgraded to the 10.1.3.5 patch set of 10g AS on EBiz R12.0.6.
I have another question regarding doc ID 376811.1.
In there is the section
Pre-Install Task 4: Apply the latest certified Application Server Patchset
Oracle E-Business Suite Release 12 is certified with the Application Server Patch Sets listed in the table below:
Certified AS Patchset                                                                      | Download Location | One-off Patch details (if any)
Oracle Identity Management 10g Release 3 Patch Set 1 (10.1.4.2)                            | 5983637          | 8811442
Oracle Identity Management 10g Release 3 Patch Set 2 (10.1.4.3)                            | 7215628          | 8811442
Oracle Application Server and Oracle Developer Suite 10g Release 2 (10.1.2) Patch Set 2 (10.1.2.2.0) | 4960210 |
Oracle Application Server and Oracle Developer Suite 10g Release 2 (10.1.2) Patch Set 3 (10.1.2.3.0) | 5983622 |
Follow the installation instructions provided in the patch README to install the patch on your Identity Management Server and to check supported operating systems.
Oracle always recommends the latest certified AS patchset for E-Business Suite customers.
I installed Oracle 10g AS 10.1.4.0.1 and it is up and running. So do I need to just apply the Oracle Identity Management 10gR3 patchset (10.1.4.3),
or do I have to apply both 10.1.4.3 and the Oracle Application Server 10g Release 2 (10.1.2) Patch Set 3 (10.1.2.3.0)?
Because in Enterprise Manager Application Server Control it says version 10.1.2.0.2 and the Identity Management components show 10.1.4.0.1.
thanks in advance. -
Oracle Forms 11g SSO with OID and IAM
What versions of OID and Access Manager are required to get an Oracle Forms and Reports 11.1.1.2 application
on Weblogic 10.3.2 configured for Oracle SSO using OID authentication?
We want the OID to store and authenticate Users for username and password logins to the database, then
ultimately by user Certificate authentication in OID. I have OID 11.1.1.2 installed and SSO enabled for Forms
in Enterprise Manager.
Is Access Manager required for Forms SSO with OID authentication to work or just to allow user interaction
for registration and Password reset?
Things mention OAM 10.4.3 and others talk about IAM 11g for Forms 11.1.1.2 SSO to work with OID.
We did this back in Oracle Forms and OID 10g with JSP and LDAP to setup users but I understand 11g is
different and IAM can help or is required for this type of SSO to work.
Any help?
Edited by: Kirch on Apr 30, 2013 7:39 AM
Hi,
According to Oracle's certification matrix found at http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls, Oracle Forms 11.1.1.2 is not supported to use any Oracle Access Manager (OAM) version. OAM is a component of IAM. It is only supported with Oracle SSO 10.1.4.x. The best solution would be to upgrade the Forms and Reports environment to either 11gR2 (11.1.2.1) or to the latest 11gR1 patchset 11.1.1.7. Both versions are compatible with OAM 11.1.1.7.0 and OID 11.1.1.7.0, whereas only Forms 11gR2 (11.1.2.1) is compatible with OAM 11.1.2.0 and OID 11.1.1.7.0. That would be the best solution, as we have run into configuration problems in the past with using Oracle SSO 10.1.4.x.
Since OID 11.1.1.2.0 is already installed, you should be able to patch it up to 11.1.1.7.0.
For user authentication in OID, it is required to have OAM or Oracle SSO as both products use WebGate or mod_osso agents for authentication and authorization. For purposes of allowing end users to register accounts and password reset, you will either need to also install another IAM component called Oracle Identity Manager (OIM) or create a customized SSO login page that can be coded to perform these actions. I believe there are some examples available on the Internet.
Thanks,
Scott
http://pitss.com/us -
SSL between SSO Server and OID
Can the communication between SSO Server and OID
be encrypted using LDAP over SSL?
If so, how to set-up?
Thanks,
Hi Bikash,
The doc mentions that communication between AD and the connector server is secure with the ICF architecture.
I just wanted to confirm whether the same is true between OIM and the connector server.
Saurabh mentions that SSL is required between OIM and the connector server? Please confirm.
Thanks -
Terminating ssl on a bigip, disco and oid running on the same machine
hi,
please could someone point me in the right direction.
I have a working discoverer server 10.1.2 running on a host on 7777
I have a working 10.1.2 SSO and OIM 10.1.2 server running on the same host on port 7779
Everything works fine with OID authentication being forwarded to AD servers.
I'd like to put a BIG-IP in front of the SSO server and terminate the SSL on the BIG-IP, because this seemed to be simplest.
The bigip docs say delete the SSO Server from the partner apps (this isn't possible from the SSO web interface, I can only view it).
I need to get discoverer to connect to the https://[bigip] for SSO authentication.
I know I need to use ssoreg.sh to do this, but I am having difficulty getting the combination of commands right, e.g. which homes to use.
Thanks in advance,
Robbo
And also, how can I interchange messages between independent applications (or services) on the same computer?
The same way you would interchange messages between them if they were running on different computers.
You already seem to understand the concept of clients and servers passing messages between each other. There is nothing to prevent a "server" from being a client of another server. And there is nothing to prevent a client from running on the same computer as a server. -
SSO and how to Managing User Roles/Privileges with Forms using Oracle db
We are in the process of implementing Oracle Application Server SSO with our custom Forms application using Oracle database -- all 10.2.0.1.0 version.
In our Forms Applications, we have about a dozen roles we have assigned to various users. We need to identify each user using our Forms because we are using the GLOBAL USER throughout the application.
Questions:
-- Do we have to create users/passwords in both OID and application database?
-- Is there a way to easily manage the user and passwords between SSO and Forms App/database in one place? For example, how does a user change their password once, but actually change it in both the database and SSO?
Any advice and/or direction would be greatly appreciated.
Thank you,
Mika
Edited by: user11846198 on Sep 1, 2009 1:41 PM
Edited by: user11846198 on Sep 1, 2009 1:53 PM
Yes, you can have global roles in the DB and assign these roles to specific OID users, and they will inherit the privileges. You can do this using the Oracle Identity Management Web Tool (http://hostname:7777/oiddas); it is not complicated.
Greetings. -
We recently registered our E-Business instance with 10g SSO and everything is working as expected except for iRecruitment. External users can access the iRecruitment home page without any problem. When they attempt to login I expect that they are directed to a local login page, but for some reason they are directed to the SSO login page... which makes no sense for an external user. Has anyone seen this or have any suggestions for resolving the issue? Thanks.
Frank Wright
Our SSO login page is internally accessible only. Apparently, SSO registration is all or nothing for the entire E-Business Suite. We are able to set APPS_SSO_TYPE (the profile option to enable or disable SSO) only at the site level. Looks like this is a relatively recent change, per Metalink note 402122.1:
"If you are on OA Framework 11.5.10 ATG CU 3 the Applications SSO Type
can only be set at site level and no lower. Prior to OA Framework
11.5.10 ATG CU 3, there was the ability to set the system profile
Applications SSO Type at a lower level."
Our SSO server authenticates against Oracle Internet Directory which is synchronizing and externally authenticating with Active Directory. EBS accounts are provisioned unidirectionally from OID. If, as I understand, SSO is all or none with all EBS applications, then I think we will have to:
1) Modify EBS provisioning to be bidirectional, OID->EBS and EBS->OID
2) Configure OID DIT to place reconciled EBS accounts in a container that will not be externally authenticated against AD
3) Put our SSO login server in the DMZ
If we do all these things then I think everything will work right. Is this correct, and/or is there any other way? It seems silly to me that external iRecruitment users should be forced to authenticate with our SSO server...
Thanks,
Frank Wright -
Setup and Configure IM Components SSO and DAS on Replica RMS Node
Dear All,
I was trying the step
Step 5: How to Setup and Configure IM Components SSO and DAS on Replica RMS Node In Multimaster Replication (MMR) with Identity Management (IM) Cluster in High Availability Env
But, at the stage to connect to OID, it is not connecting to the RMS database.
When I checked login through ODM, it is connecting fine. Also, ldapbind is binding fine.
How to solve this? What will be the issue and where to check it?
Also, from the RMS, when I am connecting through the EM console, I am not getting any output on the Infrastructure link to change the passwords. It's showing:
Identity Management
Error retrieving information of default metadata repository.
Unable to establish secure connection to Oracle Internet Directory Server ldap://devportal.paaf.gov.kw:636/ Base Exception : javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
If there are any experts, please reply. Last time I created a TAR and it took months to resolve, and ultimately nothing happened; they closed the TAR after some time as I was busy with other work and not able to proceed with the synchronization.
Thanks in advance,
With Regards,
Sheeja Anil
Rule [ 47 ]: fuser link
~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the fuser symbolic link /sbin/fuser -> /bin/fuser exists or
not. This is required for Suse 8.0 and Suse 9.0.
Test [ PASSED ] :
Not required =~ Exists|Not required
Action:
fuser link exists or not required.
Rule [ 48 ]: orarun package
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the orarun package is installed and if the oracle user
environment need to be reset. This is only required for Suse 8.0 and
Suse 9.0.
Test [ PASSED ] :
Not applicable =~ Not installed|Installed correctly|Not
applicable|Environment reset not required
Action:
orarun is not installed or installed correctly.
Rule [ 49 ]: semmsl
~~~~~~~~~~~~~~~~~~~
Description:
Check if semmsl kernel parameter is 256 or higher. For more details on
how to configure this parameter, refer to Oracle Application Server
10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
semmsl kernel parameter is 256 or higher.
Rule [ 50 ]: semmns
~~~~~~~~~~~~~~~~~~~
Description:
Check if semmns kernel parameter is 32000 or higher. For more details
on how to configure this parameter, refer to Oracle Application Server
10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
semmns kernel parameter is 32000 or higher.
Rule [ 51 ]: semopm
~~~~~~~~~~~~~~~~~~~
Description:
Check if semopm kernel parameter is 100 or higher. For more details on
how to configure this parameter, refer to Oracle Application Server
10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
semopm kernel parameter is 100 or higher.
Rule [ 52 ]: semmni
~~~~~~~~~~~~~~~~~~~
Description:
Check if semmni kernel parameter is 142 or higher. For more details on
how to configure this parameter, refer to Oracle Application Server
10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
semmni kernel parameter is 142 or higher.
Rule [ 53 ]: shmall
~~~~~~~~~~~~~~~~~~~
Description:
Check if shmall kernel parameter is 2097152 or higher. For more
details on how to configure this parameter, refer to Oracle
Application Server 10.1.2 Installation Guide - Chapter 4 - Section
4.3.2 Configuring the Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
shmall kernel parameter is 2097152 or higher.
Rule [ 54 ]: shmmax
~~~~~~~~~~~~~~~~~~~
Description:
Check if shmmax kernel parameter is 2147483648 or higher. For more
details on how to configure this parameter, refer to Oracle
Application Server 10.1.2 Installation Guide - Chapter 4 - Section
4.3.2 Configuring the Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
shmmax kernel parameter is 2147483648 or higher.
Rule [ 55 ]: shmmni
~~~~~~~~~~~~~~~~~~~
Description:
Check if shmmni kernel parameter is 4096 or higher. For more details
on how to configure this parameter, refer to Oracle Application Server
10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
shmmni kernel parameter is 4096 or higher.
Rule [ 56 ]: msgmax
~~~~~~~~~~~~~~~~~~~
Description:
Check if msgmax kernel parameter is 8192 or higher. For more details
on how to configure this parameter, refer to Oracle Application Server
10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
msgmax kernel parameter is 8192 or higher.
Rule [ 57 ]: msgmnb
~~~~~~~~~~~~~~~~~~~
Description:
Check if msgmnb kernel parameter is 65535 or higher. Refer to Oracle
Application Server 10g Installation Guide 10g - Chapter 4 - Section
4.3.3 Configuring the Kernel Parameters on Linux for more details on
how to configure this.
Test [ PASSED ] :
Adequate = Adequate
Action:
msgmnb kernel parameter is 65535 or higher.
Rule [ 58 ]: msgmni
~~~~~~~~~~~~~~~~~~~
Description:
Check if msgmni kernel parameter is 2878 or higher. For more details
on how to configure this parameter, refer to Oracle Application Server
10.1.2 Installation Guide - Chapter 4 - Section 4.3.2 Configuring the
Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
msgmni kernel parameter is 2878 or higher.
Rule [ 59 ]: file-max
~~~~~~~~~~~~~~~~~~~~~
Description:
Check if file-max kernel parameter is 131072 or higher. For more
details on how to configure this parameter, refer to Oracle
Application Server 10.1.2 Installation Guide - Chapter 4 - Section
4.3.2 Configuring the Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
file-max kernel parameter is 131072 or higher.
Rule [ 60 ]: ip_local_port_range
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if ip_local_port_range kernel parameter is between 10000 and
65000 or higher. For more details on how to configure this parameter,
refer to Oracle Application Server 10.1.2 Installation Guide - Chapter
4 - Section 4.3.2 Configuring the Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
ip_local_port_range kernel parameter is between 10000 and 65000 or
higher.
Rule [ 61 ]: limit processes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the limit of max processes is set to 16384 or higher. For
more details on how to configure this parameter, refer to Oracle
Application Server 10.1.2 Installation Guide - Chapter 4 - Section
4.3.2 Configuring the Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
The limit of max processes is set to 16384 or higher.
Rule [ 62 ]: limit descriptors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the limit of file descriptors is set to 65536 or higher. For
more details on how to configure this parameter, refer to Oracle
Application Server 10.1.2 Installation Guide - Chapter 4 - Section
4.3.2 Configuring the Kernel Parameters on Linux.
Test [ PASSED ] :
Adequate = Adequate
Action:
The limit of descriptors is set to 65536 or higher.
Rule [ 63 ]: Port 1521
~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if port 1521 is free or not. If port 1521 is used by an Oracle
listener version 10.1.0.2 or later, then the existing listener will be
used by the existing database and the Oracle Application Server 10g
Metadata Repository. The installer will perform this configuration
automatically. If port 1521 is used by an Oracle listener version
earlier than 10.1.0.2, then the existing listener need to be stopped.
After the installation is complete, the new 10.1.0.2 listener can be
configured to listen to the existing (pre 10.1.0.2) databases. If port
1521 is used by non-oracle programs, then this program need to be
configured to listen to ports other than 1521. Refer to Installation
Guide, section 4.4.4 for more details.
Test [ PASSED ] :
TNS Listener 10.1.0.2 or higher is running =~ TNS Listener 10.1.0.2 or
higher is running|Free
Action:
Port 1521 is not used, or is used by TNS*Listener version 9.0.1 or
higher.
Rule [ 64 ]: Environment Variables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the following environment variables are not set: TNS_ADMIN,
ORA_NLS, and LD_BIND_NOW. In addition, the following environment
variables must not references to any existing Oracle Home: PATH,
CLASSPATH and LD_LIBRARY_PATH.
Test [ FAILED ] :
Has reference to existing Oracle Homes = Properly defined
Action:
Refer to the following table for the necessary action to take:
<PRE>
Return Value                            Action
Has reference to existing Oracle Homes  Remove any reference to existing Oracle Homes from PATH, CLASSPATH and LD_LIBRARY_PATH.
Some variables are set                  Unset TNS_ADMIN, ORA_NLS, and LD_BIND_NOW.
Cannot access /etc/oratab               Grant read permission on /etc/issue to the current user.
</PRE>
Rule [ 67 ]: DNS Lookup
~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the host is properly registered in the DNS.
Test [ FAILED ] :
nslookup IP_address = Host correctly registered in DNS
Action:
Refer to the following table for the necessary action to take:
<PRE>
Return Value                     Action
nslookup host.domain             The DNS server failed to resolve the nslookup using host.domain.
nslookup IP_address              The DNS server failed to resolve the nslookup using IP address.
Cannot determine IP address      Fix any problem with host IP address.
Cannot access /usr/bin/nslookup  Grant execute permission on /usr/bin/nslookup to the current user.
</PRE>
Rule [ 68 ]: /etc/hosts format
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if /etc/hosts file contains a line with "ip_address
fully_qualified_hostname short_hostname".
Test [ PASSED ] :
Contains host.domain = Contains host.domain
Action:
The Fuly Qualified Domain name has been set correctly.
Rule [ 69 ]: Oracle Home length
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check that the path to the Oracle home directory is not longer than
127 characters.
Test [ PASSED ] :
Less than 127 char = Less than 127 char
Action:
Oracle Home directory is not longer than 127 characters.
Rule [ 70 ]: Memory for Dev Kit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the machine has enough memory to install Developer Kits
install type. The minimum requirements is 256 MB.
Test [ PASSED ] :
Available = Available
Action:
The machine has enough memory to install J2EE & Webcache install type.
Rule [ 71 ]: Memory for BI&Forms
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the machine has enough memory to install Business
Intelligence & Forms install type. The minimum requirements is 1 GB.
Test [ PASSED ] :
Available =~ Available|Install type not available
Action:
The machine has enough memory to install Business Intelligence & Forms
install type.
Rule [ 72 ]: Space for BI&Forms
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the machine has enough disk space to install Business
Intelligence & Forms install type. The minimum requirements is 2 GB.
Test [ PASSED ] :
Available =~ Available|Install type not available
Action:
The machine has enough disk space to install Business Intelligence &
Forms install type.
Rule [ 73 ]: control-center
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the minimum required control-center package version is
installed. For RedHat AS/ES 4.0: control-center-2.8.0-12.
Test [ PASSED ] :
Adequate =~ Adequate|Not required
Action:
The required compat-db package version or higher is installed.
Rule [ 74 ]: xscreensaver
~~~~~~~~~~~~~~~~~~~~~~~~~
Description:
Check if the minimum required xscreensaver package version is
installed. For RedHat AS/ES 4.0: xscreensaver-4.18-5.rhel4.2.
Test [ PASSED ] :
Adequate =~ Adequate|Not required
Action:
The required compat-db package version or higher is installed. -
This is a repeat of this post: Java SSO and IIS
No one answered there.
Hello,
my organization uses Java SSO authentication in Oracle Application Server. Now we want to "expand" SSO so that our IIS applications can benefit from Oracle SSO and the user needn't type user name / password again. Is there any way to use Java SSO in IIS? In this project we use Java SSO, not Oracle Identity Management.
Thanks in advance
Hi,
I installed and configured the policy agent successfully. While I am trying to access the application URL I am getting the following error.
I am using IIS 6.0 and Access Manager 7.1.
Error 2824:15b9918 AuthService: AuthService::processLoginStatus() Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp.
2009-03-10 00:03:05.828 Error 2824:15b9918 PolicyEngine: am_policy_evaluate: InternalException in AuthService::processLoginStatus() with error message:Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp and code:3
2009-03-10 00:03:05.828 Warning 2824:15b9918 PolicyAgent: am_web_is_access_allowed()(http://fcs-ylwkuzfoz1q.ramesh.com:99/website.html, GET) denying access: status = Access Manager authentication service failure
2009-03-10 00:03:05.828 Debug 2824:15b9918 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://fcs-ylwkuzfoz1q.ramesh.com:99/website.html.
2009-03-10 00:03:05.828 Info 2824:15b9918 PolicyAgent: am_web_is_access_allowed()(http://fcs-ylwkuzfoz1q.ramesh.com:99/website.html, GET) returning status: Access Manager authentication service failure.
2009-03-10 00:03:05.828 Debug 2824:15b9918 PolicyAgent: HttpExtensionProc(): status after am_web_is_access_allowed = Access Manager authentication service failure (3)
2009-03-10 00:03:05.828 Error 2824:15b9918 PolicyAgent: HttpExtensionProc(): status: Access Manager authentication service failure (3)
2009-03-10 00:03:05.828 Debug 2824:15b9918 PolicyAgent: OnSendResponse(): HTTP Status code is 500
can any one please help me to resolve this.
Thanks
Ramesh Kumar GV -
Hello folks,
Due to my inexperience with PS6, I'm looking for some high-level outline that will help me look in the right places and understand things better here.
I have an external application that requires authentication via a web form (or by attaching the username and password on the URL as parameters).
What I want to do is have a channel of this application and utilize information from the SSO mechanism to redirect the request to that remote app and provide the credentials for a transparent login.
From what I understand this can be done by having a servlet in that channel to retrieve the credentials of the user for that remote application from the SSO and then redirect to the external application, attaching the credentials to the URL.
Is the above correct? I would appreciate any pointers or considerations since my experience with PS is minimal.
Thanks in advance,
Manos
I don't see a way for that servlet to retrieve a password for the user; it's not stored in the session.
There are the following options:
1. OpenText LiveLink way: you have some "hidden" password for every user (based on the user's ID and a shared key) known only to your server and this servlet. The servlet will supply this password.
2. Normal way - web server: implement a login module for this application which will trust the REMOTE_USER variable provided by the agent on the web server.
3. Normal way - standalone app: implement a login module for this application which will validate the DSAME session cookie on the DSAME server. You can use the example code in SUNWam/samples/ on your server. -
Hi,
I want to set up an outbound hybrid search from SharePoint 2013 on-premise to SharePoint Online.
But I'm not sure if this works with ADFS SSO.
Has somebody experience with this setup?
Here's my guide which I'm going to use for this installation:
Introduction
In this post I'll show you how to get search results from your SharePoint Online in your SharePoint 2013 on-premise search center.
Requirements
User synchronisation ActiveDirectory to Office 365 with DirSync
DirSync password sync or ADFS SSO
SharePoint Online
SharePoint 2013 on-premise
Enterprise Search service
SharePoint Online Management Shell
Instructions
All configuration will be done either in the Search Administration of the Central Administration or in the PowerShell console of your on-premise SharePoint 2013 server.
Set up Server to Server Trust
Export certificates
To create a server to server trust we need two certificates.
[certificate name].pfx: In order to replace the STS certificate, the certificate is needed in Personal Information Exchange (PFX) format including the private key.
[certificate name].cer: In order to set up a trust with Office 365 and Windows Azure ACS, the certificate is needed in CER Base64 format.
First launch the Internet Information Services (IIS) Manager
Select your SharePoint web server and double-click Server Certificates
In the Actions pane, click Create Self-Signed Certificate
Enter a name for the certificate and save it with OK
To export the new certificate in the Pfx format select it and click Export in the Actions pane
Fill in the fields and click OK:
Export to: C:\[certificate name].pfx
Password: [password]
We also need to export the certificate in the CER Base64 format. For that purpose, right-click the certificate and click View...
Click the Details tab and then click Copy to File
On the Welcome to the Certificate Export Wizard page, click Next
On the Export Private Key page, click Next
On the Export File Format page, click Base-64 encoded X.509 (.CER), and then click Next.
As file name enter C:\[certificate name].cer and then click Next
Finish the export
Import the new STS (SharePoint Token Service) certificate
Let's update the certificate on the STS. Configure and run the PowerShell script below on your SharePoint server.
[code lang="ps"]
if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
# set the certificate paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"
# get the encrypted pfx certificate object (20 = X509KeyStorageFlags Exportable | PersistKeySet)
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
# import it as the new STS signing certificate
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $PfxCert
[/code]
Type Yes when prompted with the following message.
You are about to change the signing certificate for the Security Token Service. Changing the certificate to an invalid, inaccessible or non-existent certificate will cause your SharePoint installation to stop functioning. Refer to the following article for instructions on how to change this certificate: http://go.microsoft.com/fwlink/?LinkID=178475. Are you sure, you want to continue?
Restart IIS so STS picks up the new certificate.
[code lang="ps"]
& iisreset
& net stop SPTimerV4
& net start SPTimerV4
[/code]
Now validate the certificate replacement by running several PowerShell commands and compare their outputs.
[code lang="ps"]
# set the certificate paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
# get the encrypted pfx certificate object
New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
# compare the output above with this output
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
[/code]
Establish the server to server trust
[code lang="ps"]
if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
Import-Module MSOnline
Import-Module MSOnlineExtended
# set the certificate paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"
# set the on-premise domain that you added to Office 365
$SPCN = "sharepoint.domain.com"
# your on-premise SharePoint site url
$SPSite="http://sharepoint"
# don't change this value (well-known app principal id of SharePoint Online)
$SPOAppID="00000003-0000-0ff1-ce00-000000000000"
# get the encrypted pfx certificate object
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
# get the raw data
$PfxCertBin = $PfxCert.GetRawCertData()
# create a new certificate object
$X64Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
# import the base 64 encoded certificate (public key only)
$X64Cert.Import($X64CertPath)
# get the raw data
$X64CertBin = $X64Cert.GetRawCertData()
# save base 64 string in variable
$CredValue = [System.Convert]::ToBase64String($X64CertBin)
# connect to Office 365
Connect-MsolService
# register the on-premise STS public key as a Verify credential on the SharePoint Online principal
New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -Type asymmetric -Usage Verify -Value $CredValue
# add the on-premise host as a service principal name
$MsolServicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
$SPServicePrincipalNames = $MsolServicePrincipal.ServicePrincipalNames
$SPServicePrincipalNames.Add("$SPOAppID/$SPCN")
Set-MsolServicePrincipal -AppPrincipalId $SPOAppID -ServicePrincipalNames $SPServicePrincipalNames
# get the online name identifier
$MsolCompanyInformationID = (Get-MsolCompanyInformation).ObjectID
$MsolServicePrincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppID).ObjectID
$MsolNameIdentifier = "$MsolServicePrincipalID@$MsolCompanyInformationID"
# establish the trust from on-premise with ACS (Access Control Service)
# add a new authentication realm
$SPSite = Get-SPSite $SPSite
$SPAppPrincipal = Register-SPAppPrincipal -site $SPSite.rootweb -nameIdentifier $MsolNameIdentifier -displayName "SharePoint Online"
Set-SPAuthenticationRealm -realm $MsolServicePrincipalID
# register the ACS application proxy and token issuer
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/metadata/json/1/" -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"
[/code]
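The "validate the certificate replacement" step above asks you to compare two console dumps by eye, and the trust step gives no way to confirm it took effect. The following verification script is an added example written for this page, not part of the original guide: it compares the STS signing certificate thumbprint against the imported PFX, checks that the public key and SPN are registered on the SharePoint Online principal, and checks the realm, app principal and ACS issuer/proxy on the on-premise farm. It assumes the same placeholder paths, password, app id, domain and site URL as the scripts above, and an existing Connect-MsolService session.

```powershell
# Added verification script for this page (not part of the original guide).
# Assumes the same placeholder values as the scripts above and that
# Connect-MsolService has already been run in this session.
if (-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)) {
    Add-PSSnapin "Microsoft.SharePoint.PowerShell"
}
Import-Module MSOnline

$PfxCertPath     = "c:\[certificate name].pfx"              # placeholder, as in the guide
$PfxCertPassword = "[password]"                             # placeholder, as in the guide
$SPOAppID        = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint Online app principal id
$SPCN            = "sharepoint.domain.com"                  # on-premise domain registered in Office 365
$SPSiteUrl       = "http://sharepoint"                      # site used for Register-SPAppPrincipal

function Test-HybridTrust {
    $failures = @()

    # 1. STS signing certificate: compare thumbprints instead of eyeballing two console dumps.
    $PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
    $StsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    if ($StsCert.Thumbprint -ne $PfxCert.Thumbprint) {
        $failures += "STS signs with $($StsCert.Thumbprint), expected $($PfxCert.Thumbprint)"
    }
    # A self-signed certificate that expires breaks the trust silently later; flag it early.
    if ($PfxCert.NotAfter -lt (Get-Date).AddDays(30)) {
        $failures += "STS certificate expires $($PfxCert.NotAfter); rotate it and re-register the key"
    }

    # 2. Office 365 side: our public key must be an unexpired Verify credential on the
    #    SharePoint Online principal, and the SPN for our host must be present.
    $Principal = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
    if ($Principal.ServicePrincipalNames -notcontains "$SPOAppID/$SPCN") {
        $failures += "SPN $SPOAppID/$SPCN not registered on the SharePoint Online principal"
    }
    $VerifyKeys = Get-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -ReturnKeyValues $false |
        Where-Object { $_.Type -eq "Asymmetric" -and $_.Usage -eq "Verify" -and $_.EndDate -gt (Get-Date) }
    if (-not $VerifyKeys) {
        $failures += "No unexpired asymmetric Verify credential registered for $SPOAppID"
    }

    # 3. On-premise side: realm, app principal, and the ACS token issuer/proxy the guide created.
    $TenantId = (Get-MsolCompanyInformation).ObjectId
    $Realm    = Get-SPAuthenticationRealm
    if ($Realm -ne $Principal.ObjectId.ToString()) {
        $failures += "Authentication realm is $Realm, expected service principal id $($Principal.ObjectId)"
    }
    $NameId = "$($Principal.ObjectId)@$TenantId"
    $Site   = Get-SPSite $SPSiteUrl
    if (-not (Get-SPAppPrincipal -NameIdentifier $NameId -Site $Site.RootWeb -ErrorAction SilentlyContinue)) {
        $failures += "No SPAppPrincipal with name identifier $NameId on $SPSiteUrl"
    }
    if (-not (Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACS" -and $_.IsTrustBroker })) {
        $failures += "Trusted security token issuer 'ACS' (trust broker) is missing"
    }
    if (-not (Get-SPServiceApplicationProxy | Where-Object { $_.Name -eq "ACS" })) {
        $failures += "Service application proxy 'ACS' is missing"
    }
    return $failures
}

$result = Test-HybridTrust
if ($result.Count -eq 0) {
    Write-Host "Hybrid server-to-server trust checks passed"
} else {
    $result | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it after both the certificate import and the trust script; a non-zero exit with the listed warnings tells you which of the three stages to revisit before adding the result source.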
Add a new result source
To get search results from SharePoint Online we have to add a new result source. Run the following script in a PowerShell ISE session on your SharePoint 2013 on-premise server. Don't forget to update the settings region.
if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
# region settings
$RemoteSharePointUrl = "http://[example].sharepoint.com"
$ResultSourceName = "SharePoint Online"
$QueryTransform = "{searchTerms}"
$Provider = "SharePoint-Remoteanbieter"
# region settings end
$SPEnterpriseSearchServiceApplication = Get-SPEnterpriseSearchServiceApplication
$FederationManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($SPEnterpriseSearchServiceApplication)
$SPEnterpriseSearchOwner = Get-SPEnterpriseSearchOwner -Level Ssa
$ResultSource = $FederationManager.GetSourceByName($ResultSourceName, $SPEnterpriseSearchOwner)
if(!$ResultSource){
Write-Host "Result source does not exist. Creating..."
$ResultSource = $FederationManager.CreateSource($SPEnterpriseSearchOwner)
$ResultSource.Name = $ResultSourceName
# look the provider up by its display name in the list of installed search providers
$ResultSource.ProviderId = $FederationManager.ListProviders()[$Provider].Id
$ResultSource.ConnectionUrlTemplate = $RemoteSharePointUrl
$ResultSource.CreateQueryTransform($QueryTransform)
$ResultSource.Commit()
}
Add a new query rule
In the Search Administration click on Query Rules
Select Local SharePoint as Result Source
Click New Query Rule
Enter a Rule name, e.g. Search results from SharePoint Online
Expand the Context section
Under Query is performed on these sources click on Add Source
Select your SharePoint Online result source
In the Query Conditions section click on Remove Condition
In the Actions section click on Add Result Block
As title enter Results for "{subjectTerms}" from SharePoint Online
In the Search this Source dropdown select your SharePoint Online result source
Select 3 in the Items dropdown
Expand the Settings section and select "More" link goes to the following URL
In the box below enter this Url https://[example].sharepoint.com/search/pages/results.aspx?k={subjectTerms}
Select This block is always shown above core results and click the OK button
Save the new query rule
Hi Janik,
According to your description, my understanding is that you want to display hybrid search results in SharePoint Server 2013.
For achieving your demand, please have a look at the article:
http://technet.microsoft.com/en-us/library/dn197173(v=office.15).aspx
If you are using single sign-on (SSO) authentication, it is important to test hybrid Search functionality by using federated user accounts. Native Office 365 user accounts and Active Directory Domain Services (AD DS) accounts that are not federated are not recognized by both directory services. Therefore, they cannot authenticate using SSO, and cannot be granted permissions to resources in both deployments. For more information, see Accounts needed for hybrid configuration and testing.
Best Regards,
Eric
Eric Tao
TechNet Community Support -
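An added consistency check for the trust set up by the script earlier in this thread (example code, not from Janik's post and not Microsoft's own script). It assumes the same settings variables as that script ($PfxCertPath, $PfxCertPassword, $SPOAppID, $SPCN), a $SPSiteUrl variable holding the on-premise site collection URL, an open Connect-MsolService session, and that Get-MsolServicePrincipalCredential with -ReturnKeyValues returns the base64 DER certificate in the Value property. It confirms that the certificate Office 365 will use to validate tokens from the on-premise STS is the one in the PFX, lists any other certificates registered on the app principal, and checks the SPN, realm, app principal and ACS issuer on the on-premise side.

```powershell
if (-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)) { Add-PSSnapin "Microsoft.SharePoint.PowerShell" }

# Assumptions (see lead-in): $PfxCertPath, $PfxCertPassword, $SPOAppID, $SPCN come from the
# settings region of the thread's script; $SPSiteUrl is the on-premise site collection URL;
# Connect-MsolService has already been run in this session.
$Problems = New-Object System.Collections.Generic.List[string]

# 1. Thumbprint of the certificate we intended to publish (20 = Exportable | PersistKeySet, as in the thread's script)
$LocalCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
$LocalThumb = $LocalCert.Thumbprint
if ($LocalCert.NotAfter -lt (Get-Date)) { $Problems.Add("Local STS certificate expired on $($LocalCert.NotAfter)") }

# 2. Every asymmetric credential Office 365 holds for the app principal.
#    Assumption: with -ReturnKeyValues $true the Value property is the base64 DER certificate,
#    so it can be rebuilt locally and compared by thumbprint.
$Registered = Get-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -ReturnKeyValues $true
$MatchFound = $false
foreach ($cred in $Registered) {
    if ("$($cred.Type)" -ne "Asymmetric") { continue }
    $bytes   = [Convert]::FromBase64String($cred.Value)
    $regCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
    $isOurs  = ($regCert.Thumbprint -eq $LocalThumb)
    $status  = if ($isOurs) { "matches local STS certificate" } else { "other certificate" }
    Write-Host ("KeyId {0}  thumbprint {1}  valid until {2}  {3}" -f $cred.KeyId, $regCert.Thumbprint, $cred.EndDate, $status)
    if ($isOurs) { $MatchFound = $true }
    elseif ($regCert.NotAfter -gt (Get-Date)) {
        # Expected briefly during a certificate rollover; otherwise this is a second key that can sign tokens for you.
        $Problems.Add("Office 365 also trusts another still-valid signing certificate: $($regCert.Thumbprint)")
    }
}
if (-not $MatchFound) { $Problems.Add("The local STS certificate is not registered on app principal $SPOAppID") }

# 3. Service principal name and the name identifier the on-premise app principal must carry
$Msol        = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
$ExpectedSpn = "$SPOAppID/$SPCN"
if (-not ($Msol.ServicePrincipalNames -contains $ExpectedSpn)) { $Problems.Add("Service principal name $ExpectedSpn is missing") }
$TenantId       = (Get-MsolCompanyInformation).ObjectId
$ExpectedNameId = "$($Msol.ObjectId)@$TenantId"

# 4. On-premise side: realm, app principal and the ACS token issuer
$Realm = Get-SPAuthenticationRealm
if ("$Realm" -ne "$($Msol.ObjectId)") { $Problems.Add("Authentication realm is '$Realm', expected '$($Msol.ObjectId)'") }
$AppPrincipal = Get-SPAppPrincipal -Site $SPSiteUrl -NameIdentifier $ExpectedNameId -ErrorAction SilentlyContinue
if (-not $AppPrincipal) { $Problems.Add("No app principal registered for $ExpectedNameId on $SPSiteUrl") }
$Issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACS" }
if (-not $Issuer) { $Problems.Add("Trusted security token issuer 'ACS' not found") }
elseif (-not $Issuer.IsTrustBroker) { $Problems.Add("Token issuer 'ACS' is not flagged as trust broker") }

if ($Problems.Count -eq 0) { Write-Host "Hybrid trust configuration looks consistent." }
else { $Problems | ForEach-Object { Write-Warning $_ } }
```

The thumbprint comparison is the part worth keeping: the certificate registered with Usage Verify is what Office 365 uses to accept tokens from your farm, so a stale value explains failed hybrid queries, and a second still-valid certificate you did not register is something to account for before the next rollover.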
Hi,
I have a form that was working with webutil. We implemented SSO on the server. Now the webutil jar file does not load - it cannot find it.
Getting the following message in java console:
Loading http://capps.cauto.com/forms90/webutil/webutil.jar from JAR cache
Loading http://capps.cauto.com/forms90/webutil/jacob.jar from JAR cache
Loading http://capps.cauto.com/forms90/java/f90all_jinit.jar from JAR cache
RegisterWebUtil - Loading Webutil Version 1.0.2 Beta
Loading http://capps.cauto.com/forms90/java/rolloverbutton.jar from JAR cache
Loading http://capps.cauto.com/forms90/java/hyperlink.jar from JAR cache
connectMode=HTTP, native.
Forms Applet version is : 90290
java.io.IOException: Could not connect to http://wadjet.cauto.com/forms90/webutil/webutil.jar
at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
Has anyone used SSO and webutil?
Thanks,
Mary Santry
Mary,
using single sign-on with Forms should not have an impact on webutil.jar.
Just to be sure: you configured webutil and it works if not running using single sign-on. You configured Forms to use single sign-on (uncommenting the mod_osso directive in the forms90.conf file) and from now on webutil.jar cannot be found.
What if you directly try and request the webutil.jar file from a Browser
http://wadjet.cauto.com/forms90/webutil/webutil.jar ?
Can you access jacob.jar using a Browser URL?
Fran -
Hi,
I want to use SSO with BI Beans. I have my BI Beans deployed on a 9iAS R2 (9.0.2.3). I edited the mod_osso.conf with <Location /*appname*> require valid-user authType Basic </Location> and I have uncommented the SSO blocks in BIController.
After authenticating to the SSO, I always get a NullPointerException. I looked in the code and I found that application.getBISession() is not initialized.
Please, does anybody have an idea, or know of any documentation about SSO and BIBeans?
best regards
Rene
cn=XXX information is missing for the SSO Server (orasso) when going to http://servername:7777/pls/orasso/orasso.home. Is that causing the problem? If so, how can I resolve it?
Thanks.
Andy -
SSO and success URL with parameters
Hello
I have succeeded to configure HTML_DB engine as Partner App for Oracle SSO.
HTML_DB 1.5.0.00.33
Oracle IAS Release 1, i.e. 1.0.2.2.2
I'm entering the HTMLDB application from outside, directly to a concrete page with concrete parameters. The calling outside app is authenticated with SSO.
Example URL: http://host/pls/DAD/f?p=103:3:::::PAR1,PAR2:VAL1,VAL2
I'm then authenticated (checked against SSO) and redirected to my requested page, but the parameters are lost. The URL looks like http://host/pls/DAD/f?p=103:3:987698769876098
It only happens on the first try. Next time I have a session and I'm redirected together with the parameters.
It seems that http://host/pls/DAD/wwv_flow_custom_auth_sso.process_success is somehow getting a wrong URLC parameter, without the parameters. Why?
Please help!
Yours,
jan lakspere
Hi
Thanks, Scott.
This patch 1.5.1 solved this problem. Now SSO redirect forwards the parameters together with URL.
Yours,
jan -
SSO and LDAP not working after revoking Territory selection choice of SSO
Hi, I have 9ias 9.0.2 infrastructure on a win 2k box.
Earlier the territory selection choice was checked,
but when I unchecked that option and logged out of SSO,
the problem now is I am not getting the SSO and Internet Directory home pages,
and the Enterprise Manager web page shows both are up.
win 2k's task manager also shows all three processes of Internet Directory running along with the other essential processes.
any clue....
my whole work and intranet & extranet is not accessible due to this.... it will be great for me if I get any tip or hint...
thanks a lot... in advance...
regards
samir([email protected])
Well, this is certainly a case where I would be opening a tech support case. Your server is down, and you need help . .
I'll try what I can for you.
[18/Jun/2004:09:21:57 -0400] vipmail2 httpd[1560]: Account Debug: SASL [10.29.11.63] Cannot get namespace for domain vipmail2.kvcc.edu: Entry not found
This likely means that you've missed another, earlier error in the log. I suspect that what may have happened, is that the USER that Messaging Server connects to LDAP with has had a password change, and you're no longer able to BIND to LDAP to make queries.
I would start looking at your LDAP Access Log, and see what user you're attempting to BIND as, and see if that BIND is successful.
The contents of msg.conf and your other file is useful as information, but is not a user-editable file. You must use configutil to make changes, as this data is stored in LDAP, and on server startup, the files will be rewritten with ldap data.
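An added example (not from this thread) of the log check the reply recommends: correlate the BIND and RESULT lines of a Directory Server access log by connection and operation number, so you can see which DN the mail server binds as and whether that bind succeeds. The sample lines are constructed to resemble the Sun/Netscape Directory Server access-log format (the optional msgId field is tolerated); the DNs and times are placeholders. Error names follow the standard LDAP result codes (49 = invalidCredentials).

```powershell
function Get-LdapBindResult {
    # Pairs each BIND request with its RESULT line (same conn and op) and returns one object per bind.
    param([string[]]$Lines)
    $bindRe   = '^\[(?<ts>[^\]]+)\] conn=(?<conn>\d+) op=(?<op>\d+)(?: msgId=\d+ -)? BIND dn="(?<dn>[^"]*)" method=(?<method>\S+)'
    $resultRe = '^\[(?<ts>[^\]]+)\] conn=(?<conn>\d+) op=(?<op>\d+)(?: msgId=\d+ -)? RESULT err=(?<err>\d+)'
    # Standard LDAP result codes most often seen on a bind
    $errNames = @{ 0 = 'success'; 32 = 'noSuchObject'; 48 = 'inappropriateAuthentication'
                   49 = 'invalidCredentials'; 50 = 'insufficientAccessRights'; 53 = 'unwillingToPerform' }
    $pending = @{}      # binds that have not seen their RESULT yet, keyed by "conn/op"
    $results = @()
    foreach ($line in $Lines) {
        if ($line -match $bindRe) {
            $pending["$($Matches.conn)/$($Matches.op)"] = @{ Time = $Matches.ts; Conn = $Matches.conn; Dn = $Matches.dn; Method = $Matches.method }
            continue
        }
        if ($line -match $resultRe) {
            $key = "$($Matches.conn)/$($Matches.op)"
            if (-not $pending.ContainsKey($key)) { continue }   # RESULT of some other operation type
            $b = $pending[$key]; $pending.Remove($key)
            $code = [int]$Matches.err
            $results += [pscustomobject]@{
                Time   = $b.Time
                Conn   = $b.Conn
                BindDn = $(if ($b.Dn) { $b.Dn } else { '<anonymous>' })
                # method=128 is a simple bind: the password travels in clear unless the connection is TLS-protected
                Method = $(if ($b.Method -eq '128') { 'simple' } else { $b.Method })
                Err    = $code
                Result = $(if ($errNames.ContainsKey($code)) { $errNames[$code] } else { "err=$code" })
                Ok     = ($code -eq 0)
            }
        }
    }
    # Binds that never got a RESULT (connection dropped, log truncated) are worth knowing about too
    foreach ($b in $pending.Values) {
        $results += [pscustomobject]@{ Time = $b.Time; Conn = $b.Conn; BindDn = $b.Dn; Method = $b.Method; Err = -1; Result = 'no RESULT logged'; Ok = $false }
    }
    return $results
}

# Constructed sample access-log lines (not real data); replace with: Get-Content <path to slapd access log>
$SampleLog = @(
    '[18/Jun/2004:09:21:50 -0400] conn=41 op=0 msgId=1 - BIND dn="uid=msg-admin,ou=People,o=example.com" method=128 version=3',
    '[18/Jun/2004:09:21:50 -0400] conn=41 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0',
    '[18/Jun/2004:09:21:51 -0400] conn=42 op=0 msgId=1 - BIND dn="" method=128 version=3',
    '[18/Jun/2004:09:21:51 -0400] conn=42 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0',
    '[18/Jun/2004:09:21:57 -0400] conn=43 op=0 msgId=1 - BIND dn="uid=msg-admin,ou=People,o=example.com" method=128 version=3',
    '[18/Jun/2004:09:21:57 -0400] conn=43 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0',
    '[18/Jun/2004:09:22:03 -0400] conn=44 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3',
    '[18/Jun/2004:09:22:03 -0400] conn=44 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0'
)

$binds = Get-LdapBindResult -Lines $SampleLog
$binds | Format-Table Time, BindDn, Method, Result -AutoSize

# Repeated invalidCredentials from one service account is the pattern the reply describes
# (a changed password that the application has not been updated with)
$binds | Where-Object { -not $_.Ok } | Group-Object BindDn | Select-Object Name, Count
```

On the constructed input the grouped output shows two failed binds for uid=msg-admin, which is exactly the symptom to chase: find that DN's entry, confirm it still exists and is not locked, then update the password stored on the Messaging Server side with configutil rather than by editing the rewritten config files.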