User external authentication

hello,
I have read documentation about the technique for SSO to enable authentication between SAP and non-SAP systems but I didn't find a solution for our problem.
We seek a way to authenticate extern SAP users. We have two SAP systems (ERP and BI) and other non-SAP systems and we want users to authenticate once.
For this reason we are interested in any other authentication mechanisms (eg HTTP authentication header, or otherwise) which has been possible programmatic authentication (from an external application, most likely written in. NET). We need to access the web interface for BI and ERP without the need for additional licenses (such as SAP Enterprise Portal).
Please help me with a solution.
Thanks you

Hi,
it's more complicated. First, I will tell you how it works with SAP Portal. A user authenticates against portal and he gets a logon ticket. The back end systems are configured that they accept only tickets signed by portal. So when user is pointed to a backend system it checks ticket and if everything is fine the user gets authenticated.
So you could try to replicate this set up with your portal. The problem is that I don't know if there is a library for generating logon tickets. So you would have to figure out format of SAP logon tickets.
SAP provides a library that can be used to verify SAP logon tickets. So you could use the following approach. You would create a dummy service on ECC box that would require authentication. After authentication it would generate a logon ticket and redirect user to the portal. You would implement a custom logon procedure on your portal. You would just read a logon ticket (browser cookie) generated by ECC and verify it using SAP library. If everything is OK the user would get logged to portal. You would also configure BI system to accept tickets from ECC. It has some disadvantages. For example user needs to have direct access to ECC box but this could be solved using web dispatcher. Basically, you would set up ECC as an identity provider in SAML terminology.
As you can see I ignored non-SAP systems because it really depends on what you can do with them. As I said there is a library from SAP for verifying SAP logon tickets. So you can create a custom logon procedure for all these systems.
So to summarize it. Answer for the first question is maybe. Using SAML instead of proprietary SAP logon tickets might be more suitable. Other options could be to use proxies to do some translations between various formats. It's really hard to recommend anything without additional information.
Cheers

Similar Messages

External Authentication won't correctly set USER name or Role

I am using JAVA under Google App Engine for my backend and attempting to log a user into a room using external authentication. I can connect and get into the room just fine my issue is with the user infomation once I am logged in. The user has a null username and ID (possibly generated) and thier role is set to zero (or at least not high enough to publish). If the room is set to auto-Promote then I do have the ability to publish (this is what I would expect) but still I needed the user to have a role of owner (so they can create nodes).
Here is a little of the java on the back end (I removed my shared secret):
public String getRoomToken(String roomID, String userName, String userID, int userRole) {
 try {
 Session session = am.getSession(roomID);
 return session.getAuthenticationToken(..., "Bob", "TestID", 100);
 //return session.getAuthenticationToken(..., userName, userID, userRole);
 } catch (Exception e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 return null;
getAuthenticationToken is hardely changed from what is in the AFCS.java in the examples folder but here it is in any case
/** * get an external authentication token */
public String getAuthenticationToken(String accountSecret, String name, String id, int role) throws Exception
 if (role < UserRole.NONE || role > UserRole.OWNER)
 throw new Error("invalid-role");
 String token = "x:" + name + "::" + this.account
 + ":" + id + ":" + this.room + ":"+ Integer.toString(role);
 String signed = token + ":" + sign(accountSecret, token);
 // unencoded
 //String ext = "ext=" + signed;
 // encoded
 String ext = "exx=" + Utils.base64(signed);
 return ext;
This should work. My Shared secret is removed above but I doubt that is the problem as my app does authenticate just fine it just throws an exception telling me I don't have the required permissions to publish when I try to do anything. while observing from the DevConsole I see a user in the room but they are marked as null. Note that non-external authentication works just fine. If I hardcode my login creds in AdobeHSAuthenticator I can get in just fine with no issue. Also if the room I get an authenticationToken for does not match the roomURL I connect to with ConnectSessionContainer I will fail to login correctly like I would expect. So I know my credentials are getting to the AFCS and being decrypted correctly (as I can only authenticate for the room I send in that credential token) but for some reason it simply won't set my role and username/userid correctly. Any help would be great, this has caused me a great deal of grief for days now...
Thanks guys...
Ves

Well this is wierd I was trying to set this up so that I could get the log output on that run and I ended up changing
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{Application.application.parameters['token'] as String}"/>
to
<rtc:AdobeHSAuthenticator id="auth" authenticationKey="{token}"/>
and adding a preinitialize function of:
protected function preInit():void
 templateID = Application.application.parameters['room'];
 token = Application.application.parameters['token'];
oddly enough it now works like a charm now. It is still disconcerting that I was able to actually enter the room even though my token was somehow corrupted (that probably isn't intened behavior). If this shows up agian I will try and track down the particulars and send you guys an email as an FYI. thanks for the help....
Ves

Externally Authenticated User

Hi, My application is a Pro C / Oracle 8i based application. I was using hardcoded user ids and passwords which we removed thru externally authenticated user. Now my application is stable in production but users are complaining of very slow performance of Oracle database.
Is this due to externally authenticated user id ? Does it impact the system performance ?
Edited by: user594301 on Jan 21, 2009 3:01 AM

Were you using lightweight sessions or connection pooling before and now initiating a new connection for each user?

Creating Externally Authenticated users

Greetings,
We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
Thanks
Bradd

We recently migrated our Security team from Windows XP to Windows 7. With this upgrade, they were forced to stop using the java Oracle 9i Enterprise Manager to manage security and database users. I was able to find the View->DBA tab in Oracle SQL Developer which allows for things like CREATE LIKE, CREATE, etc, but under the CREATE USER, I see nowhere where the tool allows for a user other than a normal database authenticated account. We have a few key databases where we must create externally authenticated users (EXTERNAL) and this just isn't an option. Is this functionality anywhere in the tool?
I don't understand what you are trying to do.
Post your full sql developer info and explain in detail what you mean; with an example if possible.
You can create users in the DB the way you do with any tool: write the appropriate DDL for CREATE USER. For OS authentication you add the OS_AUTHENT_PREFIX to the user name.
In sql developer create connections for those users using the connections dialog that you use for any other user. On that dialog there is a checkbox for OS authentication.
See this article by Sue Harper and see if the example for local OS authentication she provides answers your question:
http://www.oracle.com/technetwork/issue-archive/2008/08-may/o38sql-102034.html
To configure local OS authentication for a new user, first find the value of the OS_AUTHENT_PREFIX database initialization parameter in your system's init.ora file. When you create this new user in the database, you must add this parameter value as a prefix to the OS username. The default value is OPS$, for backward compatibility with earlier database releases. (If the value is "", the OS username and the database username are the same, so you don't need to add a prefix to create the Oracle usernames.)
Establish a basic connection with the HR schema as the SYSTEM user. Execute the following from the SQL worksheet, using your database's OS_AUTHENT_PREFIX prefix and substituting your own OS username for "sue":
CREATE USER ops$sue IDENTIFIED EXTERNALLY; GRANT Connect, resource to sue;
Now create a basic connection for this user from the New / Select Database Connection dialog box. Enter a connection name; select Basic for Connection Type ; fill in the Hostname and Port fields; select OS Authentication ; and provide a SID or Service name . Click Test and Connect as before.

Externally Authenticated Users

Dear Sirs;
I have a windows 2003 server with Oracle Database R2 installed on it. I have been trying to create an externally authenticated user but unfortunately it is not working. Are there any special procedures that I must pay attention too? I followed all the instructions that are mentioned in the documentation in the library section.
Thank you in advance for your help.
Mazen

Dear Sirs;
I could finally solve this problem. It turned out that the registry must contain the following entry: osauth_prefix_domain with the value of 0. This entry is located in windows registry > HKEY_LOCAL_MACHINE > SOFTWARE > ORACLE > KEY_OraDb10g_home1. This entry was supposed to be there by default but for some reason it wasn't.
Anyway thanks for everyone who considered helping.
Mazen

Granting exp/imp privilege to externally authenticated user

DB version:11.2.0.2
OS : AIX 6.1
We have a DB User(schema) called OPS$appuser who is externally authenticated.
This user should be granted privilege to perform import of scott schema's dumpfile to another schema called appschema2.
This is what appuser will be doing at the unix command line
$ su - appuser
$ exp / owner=scott file=scott.dmp
$ imp / file=scott.dmp fromuser=scott touser=appschema2in short these are the DB schemas involved
OPS$appuser -- The user performing the exp and imp
scott -- The schema which is being exported
appschema2 -- The schema which OPS$appuser imports the contents in scott.dmp to.Due to security reasons, we can't grant IMP_FULL_DATABASE privilege to OPS$appuser. So, what privilege can I give to OPS$appuser to perform the above exp and imp tasks?
Hope the exp and imp sytax i've mentioned above are correct

None,as imp_full_database is required for this.
Also you would better use expdp and impdp using the network_link parameter.
Doing so, you could write a pl/sql procedure using the dbms_data_pump API to replace the command line cr*p and there will be no commandline access required anymore.
Sybrand Bakker
Senior Oracle DBA

Proxy login from externally authenticated user

Hi Experts,
I created an externally authenticated user in database. And can login without password with below syntax.
SQL> connect / @TESTDB
Connected.
SQL> show user;
USER is "SCOTT"
This scott user has a proxy permission to another DBuser PROXY_USER.
I got the syntax but that works only from Database OS.
sqlplus [proxy_user]/
SQL*Plus: Release 11.1.0.6.0 Production on Mon Nov 15 16:28:47 2010
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Release 11.1.0.6.0 - 64bit Production
I can connect as externally authenticated user from windows CLIENT running on Release 10.2.0.1.0
SQL> connect / @TESTDB
Connected.
But the above mentioned Proxy connectivity syntax fails with below from CLIENT
SQL> connect [proxy_user]/ @TESTDB
SP2-0306: Invalid option.
Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
where <logon> ::= <username>[<password>][@<connect_identifier>] | /
But the same syntax works from Database OS!
I can login from TOAD but can't login from SQLDEVELOPER or SQLPLUS
My sqldeveloper version is:
Version 2.1.1.64
Build MAIN-64.45
and sqlplus is:
SQL*Plus: Release 10.2.0.1.0
Any idea?
Thanks.
Edited by: Nadvi on Nov 18, 2010 3:09 PM

Hi Nadvi
If you get SQLPLUS working SQLDeveloper (thick jdbc/oci/instant client) is certainly worth trying.
I am not sure what is the issue with your setup the proxy usecases I am familiar with are:
Through the SQLDeveloper ui
There are two ways of doing proxy logins:
where p1 is proxy user and c1 is proxy client:
1/single session method (if no 2nd password or distinguished name required)
on main connection popup
user: p1[c1]
password: p1
2/Two session method
Main Connection popup
user: p1
password p1
popup connection authentication
proxy client: c1
none or password or distinguished name
-Turloch
SQLDeveloper Team

Password aging for externally authenticated user

Hello All:
How can we implement the password aging of externally authenticated user.
Thanks
San~

If the user is externally authenticated, then the password expiry should be external. E.g for the unix account.
"When you choose external authentication for a user, the user account is maintained by Oracle, but password administration and user authentication is performed by an external service. This external service can be the operating system or a network service, such as Oracle Net.
With external authentication, your database relies on the underlying operating system or network authentication service to restrict access to database accounts. A database password is not used for this type of login. If your operating system or network service permits, you can have it authenticate users. If you do so, set the initialization parameter OS_AUTHENT_PREFIX, and use this prefix in Oracle user names. The OS_AUTHENT_PREFIX parameter defines a prefix that Oracle adds to the beginning of every user's operating system account name. Oracle compares the prefixed user name with the Oracle user names in the database when a user attempts to connect."

Error while Configuring AD external authentication plug in

Hi
While configuring Active directory external authentication plug I am getting following error
OID Active Directory Plug-in Configuration
Please make sure Database and OID are up and running.
Please enter Active Directory host name: clmad101.ad.company.com
Do you want to use SSL to connect to Active Directory? (y/n) n
Please enter Active Directory port number [389]: 389
Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
Please enter ODS password:
Please enter confirmed ODS password:
Please enter OID host name: md61nthiims1.ad.company.com
Please enter OID port number [389]: 389
Please enter orcladmin password:
Please enter confirmed orcladmin password:
Please enter the subscriber common user search base [orclcommonusersearchbase]:
CN=Users,dc=ad,dc=company,dc=com
Please enter the Plug-in Request Group DN:
Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!obj
ectclass=orcladuser))(cn=orcladmin))
Do you want to setup the backup Active Directory for failover? (y/n) n
Installing Plug-in Packages ...
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
<logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
<start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
"-H" displays the SQL*Plus version banner and usage syntax
"-V" displays the SQL*Plus version banner
"-C" sets SQL*Plus compatibility version <v>
"-L" attempts log on just once
"-M <o>" uses HTML markup options <o>
"-R <n>" uses restricted mode <n>
"-S" uses silent mode
Registering Plug-ins ...
adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
Done.
Is there anythign wrong in the DB connect string??
Thanks

Did you check the debug information from the external auth plugin.?
This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
here an excerpt:
D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
...enable the plug-in debugging. To do this, enter:
> sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
To check the plug-in debugging log, enter:
> sqlplus system/manager
SQL> select * from ods.plg_debug_log order by id;
(To delete the plug-in debugging log:
> sqlplus system/manager
SQL> truncate table ods.plg_debug_log
To disable the plug-in debugging:
> sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
E) Dump the plug-in profile to make sure it is enabled and configured correctly:
> ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
please take also a look into the DIPTESTER tool available in
http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
regards
--Olaf

Plug-in Request Group field into the external authentication plug-in

Hi all,
I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunatly, I've had no success.
Is possible to do this?
Thank you.
Message was edited by:
user571491

Hi all,
I'd like to know if anyone has already tried to filter who can have the permission to call the external authentication plug-in setting it into Plug-in Request Group field.
I've made some tests adding some users into groups OracleDASAdminGroup, OracleUserSecurityAdmins and groups that I've created under my DC settings. Unfortunatly, I've had no success.
Is possible to do this?
Thank you.
Message was edited by:
user571491

External Authentication on Windows

Guys, this is driving me crazy.
I had an external user configured on my Oracle 9.2.0.5 database on a Windows 2003 Server.
It was working, I use it to make dump backups.
Now, without any change on any oracle param or bounce it just stoped working.
I have two instances, for one it's working, for the other it's not.
Both instances are on the same server (so I'm using the same sqlnet.ora file with NTS authentication).
Today I removed and recreate the user on both instances, but I keep getting the same problem.
create user "OPS$DOMAIN\ORABACKUP" identified externally
default tablespace users
temporary tablespace temp
The parameters are the same on both instances:
os_authent_prefix string OPS$
os_roles boolean FALSE
remote_login_passwordfile string EXCLUSIVE
remote_os_authent boolean FALSE
remote_os_roles boolean FALSE
Do you have any ideas of why this could happen??
Is there another parameter related to external authentication that I don't know?
Thanks!

Was there ever an answer on this, having problems with setup using same versions

AD External Authentication Plug-In verification issue

We are working on a Proof of Concept instance to integrate MS AD with OID for the first time for E-Biz 11i.
1) I completed the bulk load of all the existing users from AD to OID successfully
2) completed enabling the syncrhonization profile
3) Ran the txkrun.pl successfully
4) However i wanted to check the External authentication plug-in and i get the below issue.
How to debug ldapcompare ? Where is the logfile for ldapcompare ?
ldapcompare -h OID_Host -p 389 -D "cn=orcladmin" -w ******* -b "cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us" -a userPassword -v abcdefgh
The value abcedefgh is not contained in the attribute userPassword in DN cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us.
An ldapbind on the same AD server is successful, but ldapcompare is failing.

I get invalid credentials. Though the network password is correct. I feel its somewhere i messed up the 3rd party plug-in configuration. Is there a method to get debug information for ldapcompare command ?
From metalink NOTE : 277382.1
"When using the above command, ldapcompare binds to OID using the OID admin user (typically "cn=orclAdmin") and password. Then it provides the AD username and requests that the value supplied as AD-USER-PASSWORD be compared to whatever is stored in AD username's userPassword attribute. Because OID does not store a value in its own user entries/userPassword attributes for AD-synchronized entries, this ldapcompare call will cause OID to invoke the plug-in and verify the userPassword value in AD instead.
If the plug-in works, the ldapcompare should return a message saying that the given password is contained in the userpassword attribute, e.g.
"

External authentication on Essbase 9.3.1

I am migrating from Essbase 7.3.x on 32-bit Windows to System9 on 64-bit windows. External authentication works on both Shared Services and EAS. I have successfully registered EAS and Essbase with shared services however I do not see Essbase in "User console" of Shared Services as an application. I am able to create native authenticated users in Essbase but unable to externalise the security. I get the following error messages when trying to externalise:
Error: 1051549: Can not convert Analytic Services to Shared Services mode when Analytic Services is not configured with Shared Services or the initialization process has failed
On starting Essbase, I see the following error message when I use the same CSSconfig file as used by shared services:
[Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Error(1051223)
Single Sign On function call [css_init] failed with error [getOSVersion]
[Wed Jul 16 10:26:45 2008]Local/ESSBASE0///Info(1051198)
Single Sign-On Initialization Failed !
If I point to the current CSS file used in production Essbase 7, I get the following message:
[Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Error(1051223)
Single Sign On function call [css_init] failed with error [-1]
[Wed Jul 16 10:33:26 2008]Local/ESSBASE0///Info(1051198)
Single Sign-On Initialization Failed !
In either case everything except External Authentication on System9 for Essbase works.
Both shared services and Essbase are on the same 64-bit Windows box.
Any help in resolving this will be greatly appreciated.
Thanks,
Vikram.

HI:
I recommand following these steps:
1. Go to the box where you have your Essbase installed
2. Pull up the Shared Services Configuration Utility
3. Select COmponent to be registered as Essbase
4. Remeber to stop the essbase - i assume you are getting the error hence essbae would not have loaded.
5. Re-register Essbase with Shared services
6.Start essbase in Foreground
It shuld Start :) good Luck..let me know If this failed..
Thanks,
Sriram

External Authentication in 9.0.2

I have an external authentication module with Login Server 3.0.9 and I'm migrating my applications to the new release.
I checked for the ssoauthx.pks package specification and it says that external authentication module is no longer supported with this release. The only way to authenticate my users is to sync with oid.
Is this is the only way to do external authentication?. Are future version of iAS will still depend on OID for authentication?

Hi Nestor,
Even i am looking for similar solution and thinking of giving you some suggetion....
Oracle 9iAS R2 makes it madatory to use OID (or sync with OID) in SSO architecture.
We are trying to implement plug-in procedure (when_compare_replace) in OID to replace the password comparison for SSO requests. we are planning to check for our cookie to authenticate the user.
but i don't know how exactly this will work...
hope this helps
-vijay

External Authentication in EAS using MSAD

We use MSAD for our external authentication and it works fine ifthe user logon names are set up a certain way in MSAD. However,some of them are set up differently and Essbase won't allow us touse external authentication for them. Is there a setting somewherein Essbase that can be changed to allow more than one user logonname format coming from MSAD?

Hi Krista, Unfortunately u cannot specify two formats to authenticate. If iunderstand correclty you want to identify a user in MSAD by morethan one feild, as far as i know essbase external authenticationthe xml file cannot use more than one feild. your most probable solution to this would be to add the feildyou are using in your xml file to all users using essbase inMSAD. Please use the following link if you need furtherinformation. http://dev.hyperion.com/techdocs/essbase/essbase_712/Docs/techref/techref.htm#config/security/configure/config.htm here is the sample active directory format. <msad name="<a href="ldapserver.htm">msadServer</a>"> <trusted><ahref="trust.htm">false</a></trusted> <url><ahref="provurl.htm">ldap://host<img src="i/expressions/face-icon-small-tongue.gif" border="0">ortNo/DIT</a></url><userDN>cn=UserName</userDN><password>UserPassword</password> <user><url>ou=people</url></user> <group> <url>ou=Groups</url> </group></msad>

User external authentication

Similar Messages

Maybe you are looking for