After completing this snippet you should be able to configure your applications to use mod_osso for Single Sign-On in Oracle9i Application Server (Oracle9iAS).
Introduction
Single Sign-On (SSO) is an authentication service in Oracle9iAS that provides a mechanism for Web-based applications to authenticate the user. It provides an enterprise-wide Single Sign-On mechanism: a user needs to provide a username and password only once in a session to access any application that is associated with the Single Sign-On server.
In Oracle9iAS, the SSO server is used to authenticate the user and to pass the user's identity to the various secured applications he or she tries to access. The SSO server uses an encrypted login cookie to identify users who have already been authenticated. It uses an encrypted Secure Sockets Layer (SSL) channel to pass the login cookie to the client web browser; the cookie is then used by the applications to authenticate the user without asking him or her to sign in again.
With the SSO server, applications can be registered as:
1. Partner Applications or
2. External Applications
Partner applications work within the SSO framework and use the SSO APIs to implement the security logic; that is, they delegate authentication to the SSO server. External applications, on the other hand, use their own authentication logic, and the SSO server is only used to provide the mapping between SSO server usernames and existing application usernames.
mod_osso is a component of Oracle9iAS that plugs into the HTTP Server and provides integration with the SSO server to authenticate users. It enables the HTTP Server to act as a partner application to the SSO server. Applications running under the HTTP server can register with mod_osso the URLs that need to be protected. When such a URL is requested, mod_osso authenticates the user with the SSO server before allowing him or her to access the URL.
The advantage of using mod_osso is that you do not have to write any code to implement security with Single Sign-On in your application.
Description
The steps below explain the flow of control while authenticating using mod_osso:
1. The user requests the protected resource (say, an application) running under the HTTP server.
2. The mod_osso module detects that the resource needs authentication and checks if a cookie is present for this user.
3. If the cookie exists, mod_osso retrieves the user identity from it, propagates the identity to the requested application and allows the user to access the protected resource.
4. If the cookie does not exist, it redirects the request to the SSO server.
5. The SSO server looks for its own SSO cookie for this user to check if this user was authenticated before.
6. If the cookie is not found, it asks the user for a username and password and checks the credentials against the SSO repository (Oracle Internet Directory). On successful authentication, it creates an SSO cookie in the user's browser. All subsequent HTTP requests of the user interacting with the SSO server send this cookie to it, authenticating the user and avoiding the need to re-authenticate for as long as the cookie is valid. The SSO server passes the user's identity in encrypted form back to mod_osso.
7. mod_osso creates its own cookie, propagates the user information to the requested resource and allows the user to access it. Henceforth the client sends this cookie along with all HTTP requests to the partner application. This allows the application to authenticate and grant access to the user directly, without redirecting him or her to the SSO server for authentication.
The following section shows how to configure an application to use mod_osso
for Single Sign-On.
Enabling mod_osso with the HTTP Server:
When Oracle9iAS is installed, the HTTP server is automatically configured to enable mod_osso. If it is not already configured, enter the following in the mod_osso.conf file to enable mod_osso:
LoadModule osso_module libexec/mod_osso.so
<IfModule mod_osso.c>
OssoConfigFile conf/osso.conf
OssoIpCheck on
OssoIdleTimeout off
</IfModule>
The files mod_osso.conf and osso.conf are located in the <Ora9iAS_home>/Apache/Apache/conf directory, where <Ora9iAS_home> is the directory where Oracle9i Application Server is installed. The file osso.conf contains the partner registration record registered with the Single Sign-On (SSO) server.
Protecting the applications using mod_osso
Assume that a J2EE application has been deployed to Oracle9iAS Containers for J2EE (OC4J) in Oracle9iAS and that its mapping URL (i.e. context root) is /myApp. To configure this application to use mod_osso for Single Sign-On, make the following entry in the mod_osso.conf file, inside the IfModule tag. The mod_osso.conf file is located in the <Ora9iAS_home>/Apache/Apache/conf directory.
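As an added illustration (not configuration taken from the original page), this is how the mod_osso.conf IfModule block looks once the /myApp context root from the scenario above is protected. The Location/require/AuthType directives are assumed from standard Apache access-control configuration; the Osso* directives are the ones already shown on this page.

```apache
# Added example: <Ora9iAS_home>/Apache/Apache/conf/mod_osso.conf after
# protecting the OC4J application mounted at /myApp.
LoadModule osso_module libexec/mod_osso.so
<IfModule mod_osso.c>
    # Partner registration record for this HTTP server (from osso.conf)
    OssoConfigFile conf/osso.conf
    # Reject a mod_osso cookie presented from a client IP other than the one
    # it was issued to; note this can break clients behind changing proxies/NAT
    OssoIpCheck on
    # No idle timeout: the mod_osso cookie stays valid for its full lifetime
    OssoIdleTimeout off

    # Assumed protection entry: every URL under /myApp now requires an
    # authenticated SSO user. mod_osso performs the redirect to the SSO server
    # and sets its own cookie; the application itself contains no login code.
    <Location /myApp>
        require valid-user
        AuthType Basic
    </Location>
</IfModule>
```

Anything not under a protected Location remains anonymous, so check that every entry point of the application (including static and servlet paths outside /myApp) is covered before relying on mod_osso for authorization.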
The HTTP server needs to be restarted for the new changes to take effect. When the user tries to access the protected application URL from the browser, he or she will be redirected to the Single Sign-On page to log in. On successful login, the main page of the application is displayed. On subsequent requests for the application, the request is not redirected to the SSO server; instead the login cookie is used for authentication. Similarly, if the user accesses another application that is secured under the SSO server, he or she will not be required to log in again because the authentication has already been done by the SSO server.
Note: The user whose credentials are provided during login should exist in Oracle Internet Directory, that is, the SSO server repository.