SSO Authentication Not Working
Our configuration is HTML DB v1.6.0.00.87 running on our host name hostx with port 7779 and the OAS HTTP server running on hostx on port 7778.
I had our administrator follow the instructions in http://www.oracle.com/technology/products/database/htmldb/howtos/sso_partner_app.html for registering HTML DB as a partner application. I have one HTML DB application setup for an authentication scheme of "Based on authentication scheme from gallery:Oracle Application Server Single Sign-On (HTML DB as Partner Application)". When I attempt to run it from Application Builder, I get the error below and it then directs me to http://hostx:7779/pls/our_dad/f? and the "p=" is missing for some reason and gives me a "Error ERR-7620 Could not determine workspace for application ()." error.
Error in portal_sso_redirect: missing application registration:
Error p_partner_app_name:g_listener_token:HTML_DB:hostx:7778
Please register this application as described in the installation guide.
Redirecting to login server for authentication.
The URL for running the application is: http://hostx:7779/pls/our_dad/f?p=101:1
My system administrator has checked to see the HTML_DB listener token is set correctly. When she queried against the wwsec_enabler_config_info$ table the token looks OK. It returns 7779 as the port number, but the error message above is listing 7778. Why?
What can we look at to determine the cause of this problem? I am struggling because I am not familiar with the Oracle Application Server environment.
Now SERVER_PORT and HTTP_PORT are both 7778 in SQL Workshop. They are both pointing to the port that HTTP is running on. Is this correct? I would assume not because the HTML DB application that uses the SSO Partner App. scheme is still giving me the same error:
Error in portal_sso_redirect: missing application registration:
Error p_partner_app_name:g_listener_token:HTML_DB:hostx:7778
Please register this application as described in the installation guide.
Redirecting to login server for authentication.
If HTTP is running on port 7778, then should HTTP_PORT be 7778? I assume, yes.
If HTML DB was installed on port 7779, then should SERVER_PORT be 7779? I assume, yes.
What sets the values of SERVER_PORT and HTTP_PORT within HTML DB?
My admin reran regapp.sql and defined the HTML_DB listener token as HTML_DB:hostx:7779, yet based on the error above HTTP is looking on port 7778 for HTML DB and not finding it. Am I interpreting the error correctly?
Similar Messages
-
NTLM SSO is not working using IIS
Hi,
We have unable to login to the infoview using SSO getting u201C page canu2019t found u201C error.
1. We can login to the infoview using AD authentication when tomcat as the application server but we are unable to login to the infoview using SSO when IIS as the application server.
2. If we select the option called u201Cintegrated windows Authenticationu201D under internet options then the SSO is not working and if we uncheck the u201Cintegrated windows Authenticationu201D in the internet options then we are able to login to the infoview using SSO.We are able to login to the infoview using SSO on another environments and the working and problematic environments we Configured IIS6, XI2 SP4.
4.We tried to login to the infoview using http://servername instead of entire URL however we are getting error.
5.We restarted IIS but no use.
6.Our admin follow the below options-
Open a registry editor, such as Regedit.exe or Regedt32.exe.
Navigate to:
HKLM\System\CurrentControlSet\Services\HTTP\Parameters
Right-click Parameters, select New | DWORD value, and then name the value MaxFieldLength.
Right-click Parameters, select New | DWORD value, and then name the value MaxRequestBytes.
In the right pane, double-click MaxFieldLength, and then set its value to 32768 (decimal).
In the right pane, double-click MaxRequestBytes, and then set its value to 32768 (decimal).
Close the registry editor and restart the IIS Admin service for the change to take effect.
But we are getting same problem.
7.We tried to login to the infoview using http://localhost but issue still persists.
8.We installed jakarta redirector.Is this root cause of this issue?
9.We selected intigrated windows authentication under default websites and i am sure i gave all the options under internet information manager.
Any one please help on this.
My environment is-
BOXIR2 SP4,
NTLM SSO,
Windows 2003,
IIS6."We tried to login to the infoview using http://servername instead of entire URL however we are getting error"
What's the error using the hostname for SSO with integrated windows authentication enabled on only the infoview virtual directory?
Regards,
Tim -
SSO is not working for an Alias URL but is working for original portal URL
Hello,
We have a BSP running inside the portal and expects authentication.
When I run this BSP using the portal regular address everything is working OK and SSO is working after logging into the portal.
At next step, we have configured an alias for the portal URL at the DNS Server.
When activating the BSP from the alias URL it asks for 2nd authentication. Meaning, SSO is not working after logging into the portal.
I have activated an HTTP trace in order to see why and it seems like when running it from the alias name it recognizes it as a different domain and I assume this is why the authentication is coming up.
I would like to suppress this for the alias URL but don't know how.
I found this UME property on the server:ume.logon.security.relax_domain.level
This UME property controls the amount of sub domains to remove from the server name to obtain the domain for which the logon ticket is valid.
I have changed this property from its default value 1 to 3 (and restarted the server of course) which, in our case, leaves only ourCompany.com for the ticket in the original server URL. Yet, the authentication pop up is still not supressed when browsing through the alias URL.
Any idea what can I do next?
Thanks,
RoyHi Dezso,
I found the 401 let me know if I look on it right:
I have an entry node with two subnodes: request and response.
The response has:
<responseStatus>HTTP/1.1 401 Unauthorized</responseStatus>
And the request before that doesn't have any MYSAPSSO2 in it, all it has which is related to cookies is this:
<header name="Cookie">UserUniqueIdentifier=1174345919524; alreadyLogged=1179560552416</header>
<cookies>
<cookie name="alreadyLogged">1179560552416</cookie>
<cookie name="UserUniqueIdentifier">1174345919524</cookie>
</cookies>
Can you advice what to do next? -
Revision: 1720
Author: [email protected]
Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
Log Message:
Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
QA: Yes
Doc: No
Details:
Update to the TomcatLoginCommand to work correctly with NIO endpoints.
Ticket Links:
http://bugs.adobe.com/jira/browse/LCDS-304
Modified Paths:
blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. javaRevision: 1720
Author: [email protected]
Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
Log Message:
Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
QA: Yes
Doc: No
Details:
Update to the TomcatLoginCommand to work correctly with NIO endpoints.
Ticket Links:
http://bugs.adobe.com/jira/browse/LCDS-304
Modified Paths:
blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. java -
Hi...
I'm trying to use SSO between portal (jCo, webdynpro...) and ABAP System...
I follow "Single Sign-On in a Complex System Landscape" tutorial, but when I try to test any jCo connection, this error appears to me:
com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: Failed to enrich connection properties
And following logs, I can see this error:
Cannot provide X.509 certificate of user "Silva, Jose" (unique ID: "USER.PRIVATE_DATASOURCE.un:123456") because of an unexpected UME internal problem. (Backend system: "UMESystemLandscapeDummy")
[EXCEPTION]
com.sap.security.api.umap.NoLogonDataAvailableException: This user does not have a certificate.
at com.sap.security.core.umap.imp.UserMappingDataImp.enrich(UserMappingDataImp.java:412)
at com.sap.tc.webdynpro.serverimpl.core.sl.AbstractJCOClientConnection.createPool(AbstractJCOClientConnection.java:346)
at com.sap.tc.webdynpro.serverimpl.core.sl.AbstractJCOClientConnection.checkPoolEntry(AbstractJCOClientConnection.java:296)
at com.sap.tc.webdynpro.serverimpl.core.sl.AbstractJCOClientConnection.getClient(AbstractJCOClientConnection.java:396)
at com.sap.tc.webdynpro.tools.explorer.JCOConnectionsDetails.onActionTestConnection(JCOConnectionsDetails.java:229)
at com.sap.tc.webdynpro.tools.explorer.wdp.InternalJCOConnectionsDetails.wdInvokeEventHandler(InternalJCOConnectionsDetails.java:303)
at com.sap.tc.webdynpro.progmodel.generation.DelegatingView.invokeEventHandler(DelegatingView.java:87)
at com.sap.tc.webdynpro.progmodel.controller.Action.fire(Action.java:67)
at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.doHandleActionEvent(WindowPhaseModel.java:420)
at com.sap.tc.webdynpro.clientserver.window.WindowPhaseModel.processRequest(WindowPhaseModel.java:132)
at com.sap.tc.webdynpro.clientserver.window.WebDynproWindow.processRequest(WebDynproWindow.java:335)
at com.sap.tc.webdynpro.clientserver.cal.AbstractClient.executeTasks(AbstractClient.java:143)
at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:313)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
I don't know what to do...
My portal certificate has a problem, or is my abap certificate?
Thanx...
(sorry for my poor english)Hi,
If you are working with JCO's please make sure that SSO will not work for metadata jco creation.
use the UID PWD method as part of metadata jco creation.
it will work fine
this messege as per my knowledge, may be helpfull for you -
SSO logout not working properly (cookie remains set)
Hi, I've just implemented single sign-on authentication for my APEX 2.2 applications with help of these two howtos:
http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html#INSTALL
http://becomeappsdba.blogspot.com/2007/01/apex-apps-configure-sso-ii.html
It quite works smoothly, e.g. for pages that require authentication the user is redirected
("Redirecting to the Login Server for authentication...") to the SSO server (another machine, a part of Oracle Collaboration Suite infrastructure). There on the login screen, the user enters the credentials and after submit (if the credentials are OK) is redirected back to the APEX application as an authenticated user.
When the user clicks "Logout", the application redirects him (her) to the page specified in the "Logout URL" attribute of the SSO authentication scheme and the displayed username changes to "nobody". So far so good.
However, the problem is that the user is in fact not logged out. On a subsequent attempt to get to an authenticated page within the same browser window the application displays for a short while "Redirecting to the Login Server for authentication..." but it doesn't really get the user to the SSO logon screen to enter username and password and instead it redirects him (her) directly to the required page as the previously authenticated user (the user who clicked the "Logout" sign). The only workaround is to close the browser window and start over again as the other user, which is not very convenient nor secure. It seems that despite the seeming logout the cookie remains set and I don't how to force the application to get rid of the cookie upon logout.
Has anybody faced this behaviour and has some assistance for me?
Thanks in advance.
ZdenekScott,
thank you very much for your prompt explanation and pointing to the right thread. There, I was able to quickly find what I was looking for - the logout URL:
https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE
Having that, it took me just 5 minutes to adopt it to my conditions (change machine names & page number), paste it to the SSO authentication scheme's logout URL field and sucessfully test it.
To summarize for others in need, these are relevant links to this topic:
Re: Partner Application in SSO logout does'nt synchronize
SSO authentication
Logout URL for 9iAS SSO Partner App
Thanks again & appologies for asking this question without preceding proper searching for answer in this excelent & useful forum.
Zdenek -
Safari 5.0.3 on Windows XP Kerberos SSO does not work
Our web application runs on JBoss Server 5 supports Kerberos v5 SSO. We have tested it against Firefox, IE, and Google Chrome, and they all works well.
But Safari 5.0.3 does not work.
Our application sends "WWW-Authenticate: Negotiate" to Safari. Safari always pops up a dialog for name and password. After I typed the name and password, and click Login, Safari send NTLM message (NTLMSSP_NEGOTIATE) to the web application, and login failed.
Someone described that Safari supports Kerberos authentication without any additional configuration.
I do not know what goes wrong with my environment and how to solve this issue. Your help is appreciated.
My Safari 5.0.3 runs on Windows XP Professional Service Pack 3.
Thanks
GuofengI'm having the same issue. Have you been able to resolve it?
-
Kerberos Authentication Not Working on OS X 10.6
Using FF version 20.0, on OS X 10.6.8, I can not get it to use Kerberos authentication to allow SSO to a SharePoint web site.
On OS X 10.8, with the same configuration in the about:config, everything works fine - the user is not prompted for credentials.
I have put the necessary entires in network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris, network.negotiate-auth.gsslib is set to true.
When I have setup to log the errors from the authentication module, I find in the log file "Fail to load gssapi library".
Interestingly on 10.8, when I start Firefox from the command line the Kerberos authentication does not work. When I start it via the icon, it does. What is the difference? Are the preferences not being loaded when launching via the command line?
Thanks for any help,
RichardFound the solution:
Was a combination of kinit being run on login (apparently a known 10.6 bug). Our Mac team were able to alter the appropriate plist file so that this does happen on login.
We also had to add an extra SPN for the actual server, as well as the DNS name of the SharePoint site we were trying to access with Kerberos authentication - although this may have something to do with using host-named site collections at the SharePoint end.
Main problem was the kinit thing though. -
SSO is not working for SAPGUI for HTML
Hi Experts,
We have configured SSO between EP and ECC.SSO is working fine for SAPGUI for windows.But it is not working for SAPGUI for HTML.
Workflow iViews are getting error.
"SWITCH to HTTPS does not occur."
The domain names are different for EP and ECC.
Please let me know ,is there any settings need to check.
Regards,
Bala.Hi
The point here is that your Portal server is on a different domain, so you have to configure the logon ticket issuer (portal) to generate logon ticket for multiple domains.
http://help.sap.com/saphelp_nw04s/helpdata/en/a0/88a340fa432b54e10000000a1550b0/frameset.htm
Best regards
Johann -
Ldap authentication not working for Solaris 8 host - Help!
Greetings folks,
I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
My /etc/nsswitch.conf looks like this:
passwd: files ldap
group: files ldap
My /etc/pam.conf looks like this:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1
sshd auth requisite pam_authtok_get.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
hostname# getent passwd user1
user1::1001:1001:User 1:/opt/home/user1:/bin/bash
hostname# ldaplist -l passwd user1
dn: uid=user1,ou=people,dc=mydomain,dc=com
shadowFlag: 0
userPassword: {crypt}(removed)
uid: user1
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
cn: user1
uidNumber: 1001
gidNumber: 1001
gecos: User 1
homeDirectory: /opt/home/user1
loginShell: /bin/bash
However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
Any ideas?
Thanks!
PatrickI assume you have applied lastest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
2) Did you test and verify telnet/ftp/su working? but SSH not working?
3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd defintions as it will follow "other".
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
Gary -
Hi there,
We're running AireOS 8.0 in a WLC 8500 series and we're getting problems trying to enable HA scenario. These are the scenarios we have tested:
management interface tagged + switchport trunk tagged + HA tagged + switchport trunk tagged = SSO not working
management interface tagged + switchport trunk tagged + HA tagged + switchport access = SSO not working
management interface untagged + switchport trunk native vlan + HA untagged + switchport access = SSO not working
No scenario is working and in cases 1 and 2 we are lossing the associated APs and we only recover them in case 3.
In parallel, after enabling tagged interface in management, the "show ip arp" of the switch shows the IP through the HA interface and the ping is lost outwards WLC and inwards.
Any suggestion?
Regards.Try to delete the config on switch and try this.
Switch config :
interface range <>
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan X,Y,Z
Channel-group <> mode on
Still not working then check if WLC is reachable via ssh or telnet!
if you have access via ash or telnet then reboot WLC by using "reset system" command .
hope it helps.
Regards
Dont forget to rate helpful posts -
Sg300 - 802.1x NPS - mac authentication not working
I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
My current port configuration on the SG300:
interface fastethernet1
dot1x guest-vlan enable
dot1x max-req 1
dot1x reauthentication
dot1x timeout quiet-period 10
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode access
On the Windows NPS server there is following error to see:
Authentication Details:
Connection Request Policy Name: Secure Wire
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: myradius.local
Authentication Type: -
EAP Type: -
Account Session Identifier: 30353030399999
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
There is compared to the message from the 3850 the authentication type missing (PAP) and a not very helpful error message displayed...Still not working.
I tried different settings and (also older) software versions on the SF302-08P.
Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
The NPS reports following error:
Schannel:
The following fatal alert was received: 40.
EventID 36887
If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
... is this a bug on the SF302-08P? -
Cisco Ise Central Web authentication not working
Hello Guys,
CWA is not working. It says that authentication suceeded but posture status is pending. No error in my Monitor--authentication. Checking it in my Windows 7, it does not shows the CWA portal.
What might be the possible problem of this.?
thanksKindly review the below links:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
"Allow insecure authentication" not working on mac mail after upgrade to Yosimite
I recently upgraded to the new Yosemite OS. Since then, I have not been able to access my ISP's IMAP server. After spending time troubleshooting with the service provider, it seems that the "allow insecure authentication" feature is not working. The password appears to be sent as a series of "*" which the server can not recognize and I fail the login. It is of note that I am still able to access this email account through my iPhone 4S with all the same settings and had no issues before the Yosimite upgrade. Is there anyway around this issue?
I had the same problem. Rebooting the computer fixed the issue for me.
-
J2EE and user authentication not working
Hi,
has anyone gotten the basic/form based authentication to
work in the latest version of the 9iAS?
Oracle9iAS (9.0.2.0.0)
I've read all the posts and articles from orionsupport.com
BUT it still does not work.
Support Folks from ORacle: Where is the latest documentation
for the Server ???? Everything seems outdated??
cheers,
VijayHi,
You can change User and password through SU01 through UME. and also read SNote: Note 891614 - Login problems / Expired password
Regards
Thomas
Maybe you are looking for
-
Scheduling is not working.
Hi Experts, Scheduling is not working. I have created the Standalone agent and start the agent. It is working fine. I have scenario on package. I did scheduling for every data at 5AM. The scheduling is not happing (Scheduling is not working). In topo
-
HP laserjet M2727 driver for OSX 10.7.4 crashed application
I recently updated hp laserjet driver for M2727 nf printer. When I hit the print command, it crashes the application and does not print. Any suggestions to fix it?
-
Can i video chat with someone on a windows pc using yahoo messenger?
hi, i am considering buying a macbook laptop and would like to know before i purchase, can i video chat with someone using a windows pc with vista os on it if we are both using yahoo messenger? if so please tell me how to set that up correctly b/c th
-
How do i combine two iTunes accounts into one and cancel one?
How an I combine my wife's itunes account with mine and have a single account for the two of us?
-
Master-detail relationship - passing parameter from form to form
Hello. I have a question about master detail relationship. In first form we have master-detail relationship. Example on dept, emp tables: We query dept (master), so we can get one or many emp (detail) records. Then we have a third table - tasks. Task