SSO for 'external' partner apps

Is it possible to use Oracle's SSO product with applications written in various languages (PHP/Perl/ColdFusion/.NET, etc.) on non-Oracle servers?
i.e., if I have a PHP application that sits on a server entirely separate from the Oracle app server or SSO server, is there documentation that allows me to write code that hands off authentication responsibilities to the SSO? So, the PHP application would verify that a user is presenting a login cookie, and speak to the SSO server in the backend to verify that the login cookie is valid, etc.
Thanks very much for any help you can provide!

I have similar kind of requirements for Single sign-on to external web applications.
But in my applications I have to auto-generate random userid & password for different external web applications.
These uids & passwords are exported to external applications, which upon receiving them create the user in their applications.
So, the actual user will never have access to these credentials (uid & pwd).
So, how can I customize the Portlets to do the first time SSO when user is created & their credentials to external apps are stored to OID.
Any idea Barry..
Bye

Similar Messages

  • SSO for External application not part of the portal framework

    Greetings,
    I am desperate!!!
    I am trying to do the following:
    I have a PL/SQL application that presents to the user a set of external application links. When the user activates a link, I would like to make a call to the SSO server so it can do external application login.
    I know I can configure the external applications as described in the SSO admin guide.
    Unfortunately the API to query the SSO server for external application mapping is not public.
    ANY IDEAS ON WHERE I CAN GET THIS INFO??
    Every thing I have read says that external applications can be accessed through Portal. This is not my case. I can use any packages or classes available by the SSO server to portal, but MY APPLICATION IS NOT A PORTAL.

  • SSO for a Webdynpro App

    Hi Everyone hope you can help.
    All i would like to know is:
    If you have created a webdynpro and would like to bypass the default way of obtaining a JCO connection, i.e.
    not using the GUI under the webdynpro admin console in the portal and defining the JCO (Meta and Model) there.
    I have looked everywhere and I cannot find any documentation supporting "Writing your own JCO connection" inside the webdynpro app as a pooled connection.
    I used to do it in EP5 like this:
    public class Test {
        private IPortalComponentRequest request;  // used for SSO
        private IJCOClientPoolEntry poolEntry;    // pool entry, released in closeConnection()
        private JCO.Client sapConnection;

        public void setRequest(IPortalComponentRequest value) {
            request = value;
        }

        private void BuildConnection() {
            IJCOClientService clientService = (IJCOClientService) request.getService(IJCOClientService.KEY);
            poolEntry = clientService.getJCOClientPoolEntry("PROD_SYSTEM", request);
            sapConnection = poolEntry.getJCOClient();
        }

        private void closeConnection() {
            poolEntry.release();
        }
    } //end Juan
    The API that I used is not included in the webdynpro development lib.
    Can anyone show me how to get the SSO cookie using the webdynpro API inside the webdynpro app? I need this cookie to include it into the required parameters during the JCO connection creation.
    Thanks in advance!

    Hi Diego
    There is tons of information on this.
    Check this post
    Re: Problem accessing R/3 with SSO ticket from the EP6.0
    and also links in this post.
    For Web dynpro app to R/3 these simple points should help
    -> Go to your Security provider service in VA , select the authentication template ticket and provide options for CreateTicketLoginModule with the one given in this document
    http://help.sap.com/saphelp_nw04/helpdata/en/cb/ac3d41a5a9ef23e10000000a155106/content.htm
    ->Go to your key storage service in VA and export out the certificate and import this into R/3
    ->Go to your Content administration for Web Dynpro and switch the security settings in your JCO destinations to use 'useSSO' instead of userid and password , this applies only for the destination that fetches application data. The meta data destination can be configured to use userid and password.
    That's about it.
    Regards
    Pran
    P.S is this '=(' the mexican hat

  • Using SSO for 2 partner application that different domainname

    Dear expert,
    I have to implement the Oracle SSO with 2 existing Web Application that separate domainname (eg. domainA.com and domainB.com). I have read from OTN the SSO using HTTP Cookie for partner applications but the standard cookie can not be accessed from different domainname.
    Please, Who can help me on this case?
    Thanks in advance,
    Kotaro

    Reading and googling through much unclear RMAN content I came to the conclusion that it simply is not possible to use RMAN to copy SCHEMA_A from INSTANCE_A in MACHINE_A into INSTANCE_B without blowing away SCHEMA_B in INSTANCE_B on MACHINE_B.
    So, I need to use RMAN to set up INSTANCE_A_COPY on MACHINE_B. Then I can have both INSTANCE_B and INSTANCE_A_COPY on MACHINE_B. If MACHINE_A should fail then I can switch over to MACHINE_A_COPY and run both instances, no problem.
    Question: I would like to save time and disk space by not copying a 1TB reference tablespace/schema into INSTANCE_A_COPY. When I run INSTANCE_A_COPY it will need to join to the read-only reference tablespace/schema in INSTANCE_B. What will be the performance of a “distributed join” on tables across two instances in the same machine?

  • SSO for some SAP Apps, but forced login for the sensitive data application

    We have R/3 4.7 (Enterprise), with EP 6.0 and Web AS 6.40.  We have implemented Employee Self Service, as well as CRM, and some BW reports through EP 6.0.  We have a Broadvision Portal that is on top of EP 6.0.  In other words, the employees login to the Broadvision Portal, and authenticate against our Active Directory user store.  Then they will choose the SAP apps listed above, which go through the SAP Portal (EP 6.0)
    We want to allow SSO through EP when users choose either CRM, or BW reports, but we want to force a login when they choose ESS, since this data is more sensitive.  The problem we have had is that when we turn on SSO, it allows the user through for all 3 SAP apps.  My question is: How can we force a login for just ESS, but not for the other 2 apps.
    Thanks.

    Rick,
    I suppose, Eric meant Authentication Schemes ("authschemes") instead of security zones.
    An authentication scheme is essentially a pointer to a JAAS logon stack on the J2EE Engine plus a frontend ("login screen"). Authentication schemes are assigned numbers ("priorities"); the higher the number, the more trustworthy the authentication of the underlying JAAS stack is regarded.
    Example:
    Let's assume you use the default authscheme "uidpwdlogon" for all your iviews. It features a password-based or SAP logon ticket-based logon and is assigned a value of 20. All iviews that have this authscheme set in its "authscheme" property are accessible for you without any further authentication once you have passed this scheme (or any other authscheme with a priority <= 20).
    Now, you set one individual iview to use authscheme "certlogon", which requires an X.509 certificate and is valued "21". When accessing this iview, the portal will force a re-authentication (as 21>20).
    By configuring custom authschemes and JAAS logon stacks you can easily implement your scenario. Simply ensure that all your ESS iviews will be using an authscheme with a value greater than your default value.
    Regards,
    Dominik

  • SSO for external applications

    Hi,
    We are using SSO to integrate with external applications. There is a need to open the third party application from eBusiness Center when we click on a button. Can anyone guide me how SSO invokes the external application when you click on any link for the same. I need to invoke the URL same way from the button click as well.
    Thanks,
    Viral

    Hi,
    Can anybody help regarding the same?
    Thanks,
    Viral

  • SSO Authentication Audit Information for Partner Apps ?

    Hi,
    Is it possible to get Audit Information to show when a user has been authenticated by SSO for a Partner Application?
    If I look at orasso.wwsso_audit_log_view I can see when a user has been authenticated and a row for Portal and each Partner App that gets authenticated. The question is can you tell which row relates to which Partner App or is there another table with this information?
    i.e. I have two Partner Apps, a user logs onto Portal and only visits pages for one of them. When I log I see 2 rows, I need to know which Partner App they visited (A or B).
    Thanks
    Simon.

    Well in that case I guess I am in luck because I am working with Oracle. The thing however is that I don't know where to fetch the information about the installation and all that in order to proceed ahead.
    Besides it seems, the easier it was to make the application and deploy it on the apex, the harder it is to integrate it with the SSO.
    Also I don't understand when you say "public apex.oracle.com", I always thought it was meant only for Oracle employees as in it's not accessible through the internet.
    You won't (unless you work for Oracle) be able to do
    that on the public apex.oracle.com site as far as I'm
    aware.

  • How to make a Tomcat external app come to portal SSO for sign-on

    We have a portal instance where users login through sso. We have couple of tomcat based apps running on a separate server. We want to accomplish the following:
    - When a portal user visits the tomcat application through a link on the portal, portal's login is accepted and the user will not have to re-login.
    - When a user tries to directly go to the tomcat application, the tomcat application redirects the user to portal for login and then redirects back to the tomcat application
    How can we accomplish the above? Thanks for your help.
    Ashraf

    Ashraf,
    What you are describing is basically the implementation of an SSO Partner application. Portal is implemented as a partner app, hence the login page and credential you refer to is really the SSO user rather than the Portal user. If you implemented your custom applications as a partner application then the user would be presented with the SSO login page for authentication, any subsequent access to the portal would automatically be logged on (and vice-versa). In order to be a partner application you will need to register your application with the Oracle SSO web component (on Apache this is mod_osso, while other plugins exist for other major web servers).
    As it is actually the URL to the application you are protecting rather than the application itself, the solution is tied to the HTTP server being used rather than the actual container hosting the application.

  • Logout URL for 9iAS SSO Partner App

    Hi,
    I've successfully set up an HTMLDB application as a Single Sign On partner APP. The login works perfectly, except I'm a little confused about the logout URL. Currently it is set to the default in the Authentication scheme, but it doesn't work too well - I get errors if I navigate back to the single sign on page from the default HTMLDB logout page. What I want it to do is to de-authenticate then automatically go back to the SSO login page. What do I change my logout URL to?
    (currently it is wwv_flow_custom_auth_std.logout?p_this_flow=&APP_ID.&p_next_flow_page_sess=4155:PUBLIC_PAGE)
    Thanks,
    Steve

    Steve - Here's a logout URL that unsets the app's session cookie first, then goes to Single Sign-off, then back to a public page in the app:
    https://host:port/pls/DAD/wwv_flow_custom_auth_std.logout_then_go_to_url?p_args=&APP_ID.:https://login.yourlogin.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://host:port/pls/DAD/f?p=&APP_ID.:PUBLIC_PAGE
    Scott

    I am quite new to Oracle Apex.
    I have just read through your posts, because I am having a similar problem. I simply want to be able to click the logout link on my application and be able to log out of single sign on.
    I have tried your URL and I am sure it is accurate but I am unable to get it to work. I think the main problem I have is that I can't get to the logout URL on the single sign on page: http://host:port/pls/orasso/orasso.wwsso_app_admin.ls_logout
    Please could you advise ?
    Thanks
    Numan

  • No effect for registration the Partner Application SSO for OAS 10.1.2.0.2

    Dear OAS experts, could you please help me with the problem, it worried me for weeks:
    I have 2 OAS 10.1.2.0.2 on a different physical servers -
    1) type Identity Management, host - OIDserver.mysite.ru, ORACLE_HOME = /d01/oracle/prd/imapp,
    2) type J2EE and Web Cache, host - PerlApp.mysite.ru, ORACLE_HOME = /d01/oracle/prd/app_server_101202
    they both are in the farm INFRA.mysite.RU, Repository Type - Database
    There is a Perl application on a 2-nd server, it should be working thru SSO thru any free port (https). I defined 4445 for it. It's supposed that reference https://PerlApp.mysite.ru:4445 will be redirected to SSO. (On a 4445 for ssl it is faking certificate Oracle for testing purposes, but it doesnt bother me cause I need just to check if it redirects to SSO server, and next step I make certificate real).
    What I did: I registered partner app on 1 server as per doc:
    $ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path /d01/oracle/prd/imapp -site_name PerlApp.mysite.ru:4445 -config_mod_osso TRUE -mod_osso_url https://PerlApp.mysite.ru:4445 -remote_midtier -config_file /d01/oracle/prd/imapp/Apache/Apache/conf/osso/osso4445.conf
    Then I transfer appeared file osso4445.conf from 1 to 2 server thru FTP in /d01/oracle/prd/app_server_101202/Apache/Apache/conf/osso/
    I changed /d01/oracle/prd/app_server_101202/Apache/Apache/conf/mod_osso.conf on 2 server a bit, so that it referenced new config file osso4445.conf
    It looks like:
    LoadModule osso_module libexec/mod_osso.so
    <IfModule mod_osso.c>
    OssoIpCheck off
    OssoIdleTimeout off
    OssoConfigFile /d01/oracle/prd/app_server_101202/Apache/Apache/conf/osso/osso4445.conf
    # Insert Protected Resources: (see Notes below for how to protect resources)
    # Notes
    # 1. Here's what you need to add to protect a resource,
    # e.g. <ApacheServerRoot>/htdocs/private:
    # <Location /private>
    # require valid-user
    # AuthType Basic
    # </Location>
    </IfModule>
    At the end I restarted HTTP-server thru OEM console and checked:
    when I go to https://PerlApp.mysite.ru:4445 there is no SSO redirect at all, it is just a certified page for App Server. What have I done wrong?

    Oracle AS 10.1.2 doesn't support J2EE 1.4 in general. You might be lucky with your tests on the other 10.1.2.x versions. For J2EE 1.4 applications you should consider AS 10.1.3.x.
    --olaf

  • Apex as Partner App using OID SSO

    Hi
    I have setup Apex as a partner App in OAS.
    Registered the partner application.
    Created a simple app that uses the builtin Apex auth as partner app using sso.
    I get the OAS login appearing as expected for authentication; however, upon entering credentials successfully
    The success url takes me to server:7777/sso/auth and displays page can not be found
    My OAS Partner App success url registered is server:7778/dad/apex/wwv_flow_custom_auth_sso.process_success
    app schema registered details
    My lsnr token is HTML_DB:server:7778
    other details cut and copied from OAS registration page.
    lsnr login url is the oas sso login url is this correct?
    Appears to work apart from the success url finding its way back to my app.
    TIA
    Richard.

    Hello all,
    I'm having somewhat of a similar issue, but I think our setup might be making it a bit more complex.
    First question, simple one:
    1.
    In my authentication method in my apex app, when I set my logout URL to http://{myhost}:{myport}/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=http://www.google.com
    It doesn't automatically redirect. I have to press the Return button on the OAS Single Sign-Off page to redirect to www.google.com
    Is the redirect not automatic? Is there a way to make it automatic?
    2.
    We have the issue where you login via SSO into an APEX application (APEX as a partner app). But the logout url does not truly log the user out. It redirects to our public page as we expect it to, but when they press the login button, it just goes straight back in (as if they were never logged out).
    Now I know this has to do with the cookie, but here's the tricky part.
    Our OAS server (that has Portal) is on a separate box. We've upgraded all our database servers, and they all have now a different domain than the OAS server. So now, OAS is in company1.com domain and our APEX apps are on company2.net domains.
    Our DBA had set us up with his own flavor of SSO logout (public synonym for all apex workspaces to use). He has an actual database procedure that used the owa_cookie package to look for the cookie and invalidate it on logout. With the new domains, his logic no longer works, because I believe the cookie is still in company1.com domain and the logout procedure is running from the company2.net domain and cannot find the cookie (since it's not in its domain).
    After all that, I am thinking that since we can successfully login to SSO in company2.net domain via the OAS server, then we should also be able to logout of SSO successfully via the OAS server as well. Am I on the right track here? Is it possible with multiple domains?
    Thanks,
    Chris
    Edited by: CDub on Oct 19, 2009 1:55 PM

  • APEX as Partner APP in SSO - Post Authentication Process

    I am trying to get APEX to work as Partner APP with SSO. It's almost working but a vital piece doesn't cooperate.
    In my old authentication scheme (built-apex) I have a Post-Authentication Process (see below) that needs to set my page 0 items. When I put this into my new authentication scheme for SSO and try to log-in, I get a blank screen.
    If i take it out, my screen displays fine, but my page 0 items are not set with the correct values. What am I missing?
    DECLARE CURSOR get_user_defaults IS
    select B.fk_school, B.year, B.pk_id,
    nvl(A.user_type,'N') user_type
    from "#OWNER#".sis_user_roles B, "#OWNER#".sis_user A
    where A.user_name = :APP_USER and
    B.fk_sis_user = A.pk_id
    order by decode(B.default_role,'Y',1,2);
    BEGIN
    FOR user_defaults_loop in get_user_defaults LOOP
    :P0_LOGIN_SCHOOL := user_defaults_loop.fk_school;
    :P0_LOGIN_SCHOOL_YEAR := user_defaults_loop.year;
    :P0_LOGIN_ROLE := user_defaults_loop.pk_id;
    :P0_USER_TYPE := user_defaults_loop.user_type;
    EXIT;
    END LOOP;
    END;

    not sure what the problem is. Are you sure that :app_user is set already?
    However it looks as if you get an error (might result in blank screen) during your process.
    btw: the PL/SQL block could be rewritten into a single SQL select without any loop.
    BEGIN
      SELECT fk_school, year, pk_id, user_type
      INTO  :P0_LOGIN_SCHOOL, :P0_LOGIN_SCHOOL_YEAR, :P0_LOGIN_ROLE, :P0_USER_TYPE
      FROM (
        select B.fk_school, B.year, B.pk_id,
        nvl(A.user_type,'N') user_type
        from "#OWNER#".sis_user_roles B
            , "#OWNER#".sis_user A
        where A.user_name = :APP_USER
        and B.fk_sis_user = A.pk_id
        order by decode(B.default_role,'Y',1,2)
      )
      -- rownum is applied outside the ordered subquery so the default role sorts first
      where rownum <= 1;
    exception
      when no_data_found then
         raise_application_error(-20001,'User "'|| :APP_USER ||'" not found!');
    END;

  • How to set up ApEx as a SSO partner app?

    I seem to be stuck in something of an endless loop here.
    I'm trying to set up the authentication for an ApEx app to use my Oracle AS SSO. When I start the wizard to create a new authentication scheme I choose "Based on a pre-configured scheme from the gallery". That shows me five choices (open door, ApEx credentials, database credentials, LDAP, and "no authentication"). When I click on the "Information" link at the bottom it displays some text for two more choices which aren't listed above: "Oracle Application Server Single Sign-On (Application Express engine as Partner App)" and "Oracle Application Server Single Sign-On (My application as Partner App)". Those descriptions also say that those choices aren't displayed because "This Application Express site must have already been registered as a partner application with the SSO server."
    OK -- no big deal. I'll just register the ApEx site as a partner app. I found this link explaining how to do that: http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
    Now, reading that page, I get to this step in the process: "Using the Application Express Application Builder, use the create authentication scheme wizard to create an authentication scheme based on the pre-configured
    scheme Oracle Application Server Single Sign-On (Oracle HTML DB Engine as Partner App)."
    And back to the top of my loop. The wizard in Apex tells me that I can't see the SSO choice when I'm creating my app's authentication because it's not registered as a partner application, and the instructions which tell me how to register ApEx as a partner application tell me to pick the SSO choice in the ApEx wizard.
    Has anyone managed to break out of this Groundhog Day documentation loop?

    Well,
    There are 5 choices to choose from on the page. In the description of the choices at the bottom of the page there are 7, and the two additional choices talk about having to first have registered the site with SSO. So...I'm interpreting that as meaning that other 2 possible choices would be displayed if the site is registered with SSO. That, plus the fact that the page which describes how to add the site to SSO seems to think that the SSO choices are displayed in the wizard.
    So, no, there's no "exact language" that says what the reason is for the choices not being displayed. Can you point me to some exact language that tells me how to get those choices displayed?

  • Access to my Office 365 third-party app for external user : "a User account is not registered for the account"

    In my third-party web application of Office 365, I want to have access to the contacts, events and emails of all the users from the organizations who installed my app. The thing is I don't want all these users to have to grant me access, I just want one admin of the org to grant access for my app and then be able to retrieve the data I need for all the users.
    To test for one organization, I logged in as the admin and proceeded to the OAuth2 authentication to retrieve the access token, and in the first request (the GET one to retrieve an authorization code) I add the parameter prompt=admin_consent.
    With this access token, I can access the data (emails, contact, event) of the admin
    for instance for the contacts
    uri: https://outlook.office365.com/ews/odata/Users(adminemail)/Contacts
    but not the data of the other users of this org with this uri
    uri: https://outlook.office365.com/ews/odata/Users(useremail)/Contacts
    The only thing I can do is retrieve an access token for each user, but that supposes that each user has to authorize the access to the app, and it's very cumbersome. So, I don't see what the parameter prompt=admin_consent enables and how to use it. Does anybody know what it does?
    And my question is: how can I do to access the data of all the users of one organization when the access has been granted by one admin?
    Thank you!

        
    This was answered on StackOverflow by Dushyant Gill.  http://stackoverflow.com/questions/25316175/access-to-my-office-365-third-party-app-for-external-user-a-user-account-is-n/25316678#25316678
    You are sending the OAuth request to a tenant specific endpoint of Azure AD. Note the {key_provided} part of your Url - that part represents the tenantid or a registered domain name of an Azure AD tenant. Azure AD throws this error if the user signing in is not a user in that tenant.
    Multi-tenant applications like yours have two options:
    1. Perform home realm discovery yourself and send the SSO request to the correct tenant-specific endpoint of Azure AD: when a new Azure AD organization signs-up for your application, record its tenant ID, and registered domain names. On your login page, ask the user for their email and try to discover what Org they belong to using the suffix of the email.
    2. Use the common endpoint of Azure AD. Instead of the {key_provided} part of the URL, use 'common'. In this case Azure AD will determine the user's tenant and sign-in the user. The token that your application will receive will still be from the user's tenant (iss claim).
    #2 is more convenient for apps. However #1 has an advantage when the user's Organization has customized their sign-in page with the company logo etc - in the case of #1 the user will directly be taken to the customized and familiar sign-in page.
    I recommend a combination of the two: try determining the user's organization and sending them to the tenant specific SSO endpoint. If you're not able to - send them to the common endpoint.
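
The combined approach recommended in the answer above, sketched as an added example (not code from the original answer or from Microsoft): discover the tenant from the email suffix, fall back to 'common', and check the token's iss claim against the organizations that signed up. The sign-in host, the tenant registry, and all function names are assumptions for illustration, and the issuer check presumes the token signature has already been verified.

```python
from urllib.parse import urlencode

# Assumption: the page elides the endpoint URL; this is Azure AD's public sign-in host.
AUTHORITY = "https://login.microsoftonline.com"
# Issuer format of Azure AD v1 tokens: https://sts.windows.net/<tenant-id>/
ISSUER_PREFIX = "https://sts.windows.net/"

# Constructed sample registry: tenant ID -> domain names recorded when the org signed up.
REGISTERED_TENANTS = {
    "11111111-1111-1111-1111-111111111111": {"contoso.example", "mail.contoso.example"},
    "22222222-2222-2222-2222-222222222222": {"fabrikam.example"},
}


def tenant_for_email(email, tenants=REGISTERED_TENANTS):
    """Home realm discovery: map the email's domain suffix to a registered tenant ID."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None  # not a usable email address
    domain = domain.lower().rstrip(".")
    for tenant_id, domains in tenants.items():
        if domain in domains:
            return tenant_id
    return None


def sign_in_request(email, client_id, redirect_uri, state, tenants=REGISTERED_TENANTS):
    """Return (tenant, authorize_url); tenant is 'common' when discovery fails.

    The caller stores the returned tenant in the session next to `state`
    so the response can be checked against it in accepted_tenant().
    """
    tenant = tenant_for_email(email, tenants) or "common"
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return tenant, f"{AUTHORITY}/{tenant}/oauth2/authorize?{query}"


def tenant_from_issuer(iss):
    """Extract the tenant ID from an iss claim, or None if it is not the expected shape."""
    if not iss.startswith(ISSUER_PREFIX) or not iss.endswith("/"):
        return None
    tenant_id = iss[len(ISSUER_PREFIX):-1]
    return tenant_id if tenant_id and "/" not in tenant_id else None


def accepted_tenant(iss, requested_tenant, tenants=REGISTERED_TENANTS):
    """Decide whether a (signature-verified) token's issuer is acceptable.

    Through 'common' any Azure AD tenant can issue the token, so the issuer
    must belong to an organization that signed up. Through a tenant-specific
    endpoint the issuer must also be the tenant that was requested.
    """
    tenant_id = tenant_from_issuer(iss)
    if tenant_id is None or tenant_id not in tenants:
        return None
    if requested_tenant != "common" and tenant_id != requested_tenant:
        return None
    return tenant_id
```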

  • Do i need to buy external sensor for nike ipod app on my iPhone 5s

    do i need to buy external sensor for nike ipod app on my iPhone 5s

    http://store.apple.com/us/product/MA368LL/E/nike-ipod-sensor?fnode=4a
    Peace, Clyde
