DAS: Configuring SSO for a Multi-Realm Environment

In this session we will show you how to configure the Oracle Single Sign-On server for a multi-realm environment. This gives users the ability to choose which realm they log in to.

Configuring the Single Sign-On server for multiple realms involves creating an entry for each realm in the Single Sign-On schema. Every realm that you create in Oracle Internet Directory must have a corresponding entry in the Single Sign-On schema. This SSO configuration is also known as "hosting".

On the previous page you should already have configured OID and DAS for multiple realms. Now we want to allow users to choose the realm they authenticate against. After enabling SSO for hosted mode, users will see an extra field on their login page. This field is often referred to as the "Company" field, because many people use realms to separate companies or external users from the default realm, which is typically used to manage local or internal users.

To configure the SSO server for multiple realms, complete the steps that follow. Steps 1, 2, and 5 need to be completed only once, because they enable the SSO server for multiple realms. Steps 3 and 4 must be completed each time you add a realm.

1. Ensure that you have installed the Oracle AS infrastructure. Installing the infrastructure installs the SSO server.

Note: Before you execute the command in step 2 you will need the orasso schema password. To obtain it, open Oracle Directory Manager and navigate to the following directory entry:

cn=OracleContext
  cn=Products
    cn=IAS
      cn=IAS Infrastructure Databases
        orclReferenceName=iasdb.us.oracle.com
          OrclResourceName=ORASSO

The orasso schema password is held in the "orclpasswordattribute" attribute of the OrclResourceName=ORASSO entry. Copy this password down, as you will need it when you execute the next two commands.
2. Go to the $ORACLE_HOME/sso/admin/plsql/wwhost directory and run the enblhstg.csh script using the syntax that follows. See Table 10-1 for an explanation of the script parameters.

Syntax:

./enblhstg.csh -mode sso -sc sso_schema_connect_string -ss orasso -sw sso_schema_password -h oid_host_name -p oid_port -d "cn=orcladmin" -w oid_bind_password

Note: If the SSO server is part of a distributed deployment, make sure that you execute the script on the identity management infrastructure computer.

Example:

./enblhstg.csh -mode sso -sc webdbsvr2:1521:s901dev3 -ss orasso -sw orasso -h dlsun670.us.oracle.com -p 3060 -d "cn=orcladmin" -w welcome123
3. Add realms to Oracle Internet Directory. This step should already have been done on the previous page and does not need to be repeated if you have already created the realm.

4. Create an entry for the realm in the single sign-on database using the script $ORACLE_HOME/sso/admin/plsql/wwhost/addsub.csh. Again, if your SSO server is part of a distributed deployment, execute the script on the identity management infrastructure. Use the following syntax:

addsub.csh -name realm_nickname -id realm_ID -mode sso -sc sso_schema_connect_string -ss sso_schema_name -sw sso_schema_password -h oid_host_name -p oid_port -d oid_bind_dn -w oid_bind_dn_password -sp sys_schema_password

Example:
Table 10-1  Script parameters

Parameter   Description
-mode       The value here must be sso.
-sc         The connect string for the single sign-on schema. Use the format host:port:sid.
-ss         The name of the single sign-on schema. This parameter must be orasso.
-sw         The password for the single sign-on schema. See Appendix B to learn how to obtain it.
-h          The host name for the Oracle Internet Directory server.
-p          The port number for the Oracle Internet Directory server.
-d          The bind DN for the Oracle Internet Directory server. The value of this parameter is cn=orcladmin, the directory super user.
-w          The password for the Oracle Internet Directory super user, cn=orcladmin.
-name       The realm nickname. This is the value that you enter into the Company field on the login page.
-id         The realm ID. Choose an integer greater than 1; the value 1 is reserved for the default realm. The single sign-on server uses realm IDs internally, as an index.
-sp         The sys schema password. The default is CHANGE_ON_INSTALL.

Note: When the script asks you about the duplicated subscriber entry, choose the option to use the existing entry.
5. Update the sample login page with the multiple-realm version of the page. You do this by editing the login.jsp page in the $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/jsp directory.

Note: In a distributed deployment, this file is located on the single sign-on middle tier.

After making a backup copy of the file, uncomment this section:

The file should look like this after editing:
6. Stop and then start the single sign-on middle tier. If you are not running a middle tier application such as Portal, restart the Infrastructure instance where the SSO server is running.

Testing Your New Hosted SSO Environment

Navigate in your browser to the DAS home page and click the "Login" link. First try to log in as the "orcladmin" user in the default realm.

Example:
  User Name: orcladmin
  Password: ********
  Company: acme
Now try to log in as a user in your new realm.

Example:
  User Name: rmoyer
  Password: ********
  Company: NASA
Now try to log in as the "orcladmin" user in the new realm. Remember, you now have two orcladmin users, one for each realm. This is important to note because you may have different administrators for each realm, and each of these administrators may have a different password.

Example:
  User Name: orcladmin
  Password: ********
  Company: NASA
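The following is an added example, not from the Oracle documentation or the product: a POSIX sh wrapper for step 4 (addsub.csh) that checks the realm nickname and the realm ID rule from Table 10-1 before anything is written to the SSO schema, and takes the three passwords from environment variables instead of a typed command line. All environment variable names, the DRY_RUN switch and the return codes are assumptions; only the addsub.csh path and its parameters come from the page.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: a POSIX sh wrapper for
# the addsub.csh step (step 4). It enforces the rules from Table 10-1 before
# anything touches the SSO schema, and takes the passwords from the
# environment rather than from a typed command line, so they do not land in
# shell history. Assumed environment (all hypothetical names):
#   ORACLE_HOME, SSO_CONNECT (host:port:sid), OID_HOST, OID_PORT,
#   ORASSO_PW, OID_BIND_PW, SYS_PW; DRY_RUN=1 prints instead of executing.

# 0 if the realm ID is an integer greater than 1 (1 is the default realm).
valid_realm_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1 ]
}

# 0 if the nickname is one token with no whitespace or quotes; it is typed
# verbatim into the Company field and passed to addsub.csh as one argument.
valid_realm_nickname() {
    case "$1" in
        ''|*[[:space:]]*|*\"*|*\'*) return 1 ;;
    esac
    return 0
}

# add_realm NICKNAME ID: validate, then run (or, with DRY_RUN=1, print with
# passwords masked) the addsub.csh command. Returns 2 or 3 on bad input.
add_realm() {
    nick=$1; id=$2
    valid_realm_nickname "$nick" || { echo "bad realm nickname: '$nick'" >&2; return 2; }
    valid_realm_id "$id" || { echo "realm ID must be an integer > 1" >&2; return 3; }
    : "${ORACLE_HOME:?}" "${ORASSO_PW:?}" "${OID_BIND_PW:?}" "${SYS_PW:?}"
    script="$ORACLE_HOME/sso/admin/plsql/wwhost/addsub.csh"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$script -name $nick -id $id -mode sso -sc $SSO_CONNECT -ss orasso" \
             "-sw **** -h $OID_HOST -p $OID_PORT -d cn=orcladmin -w **** -sp ****"
        return 0
    fi
    # The script still receives the passwords as arguments, so they are visible
    # in the process list while it runs; run it on the infrastructure host only.
    "$script" -name "$nick" -id "$id" -mode sso -sc "$SSO_CONNECT" -ss orasso \
        -sw "$ORASSO_PW" -h "$OID_HOST" -p "$OID_PORT" -d "cn=orcladmin" \
        -w "$OID_BIND_PW" -sp "$SYS_PW"
}
```

addsub.csh still receives the passwords as arguments, so they are visible in the process list for the lifetime of the script; the wrapper only keeps them out of your shell history and typed command lines.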