Oracle® Application Server Single Sign-On Administrator's Guide
10g (10.1.4.0.1)

Part Number B15988-01

13 Integrating with Oracle Identity Federation

This chapter explains how to implement federated authentication using Oracle Application Server Single Sign-On and Oracle Identity Federation. Federated single sign-on permits users to access information on different corporate Web sites while authenticating to only one of those sites. You can configure either Oracle Application Server Single Sign-On or Oracle Identity Federation to be the authentication mechanism for users who want to access resources that are protected by either product.

The chapter contains the following topics:

  • How Federated Single Sign-On Works

  • Configuring the Oracle Stack as the Service Provider

  • Configuring the Oracle Stack as the Identity Provider

  • Adding Federated Authentication URLs to a Web Portal


Note:

This chapter only describes how to configure single sign-on to Oracle Identity Federation from the standpoint of the Oracle Application Server Single Sign-On product. To complete the configuration, you also need to modify settings in the Oracle Identity Federation product. See the Oracle Secure Federation Services Administration Guide for details.

13.1 How Federated Single Sign-On Works

Users need a simple way to move back and forth between content that is provided on different corporate Web sites. Corporate Web sites need a way to authenticate and authorize users who are entering from different domains that use different security products. The Oracle Identity Federation product addresses these problems. When a user tries to access a protected resource on a remote Web site, the Oracle Identity Federation product at the user's site transfers information about the user to the remote site for use in authorizing the user's request. For example:

Users might access a link on their own company's Web site to request access to content on a partner's Web site. The first time users request access, they are authenticated on their own site with user profile information stored in their home site's user data repository. The user's home (or Identity Provider) domain forwards the user's access request to the destination (a Service Provider) site along with the credentials that the destination site needs to authorize the user's request.

Using the integration between OracleAS Single Sign-On and Oracle Identity Federation, the following is possible:

For more information on Oracle Identity Federation, see the Oracle Secure Federation Services Administration Guide, available from the Oracle Documentation page on the Oracle Technology Network. The URL is as follows:

http://www.oracle.com/technology/documentation

13.1.1 Federated Single Sign-On From the User's Perspective

After completing configuration of federated single sign-on as described in this chapter, users perform a one-time authentication to both the Service Provider and the Identity Provider.

After this one-time authentication, the user only provides credentials to the Identity Provider. After authenticating, the user is able to access protected resources at the Service Provider.

13.2 Configuring the Oracle Stack as the Service Provider

When OracleAS Single Sign-On and Oracle Identity Federation perform the role of Service Provider, OracleAS Single Sign-On delegates user authentication to Oracle Identity Federation. In this scenario, you configure federated single sign-on so that Oracle Identity Federation is the intermediary that identifies an Identity Provider when users try to access resources that are protected by OracleAS Single Sign-On.

By default, the MediumHighSecurity authentication level is used for single sign-on between OracleAS Single Sign-On and Oracle Identity Federation. If you change this authentication level, Oracle recommends that you set the level to, or above, the default authentication level for OracleAS Single Sign-On. If you use a lower level, users will be challenged when they attempt to access any protected application that uses a higher security level.

The following task overview summarizes the steps for this configuration. Detailed procedures are provided after the task overview.


Note:

You must stop the OracleAS Single Sign-On server before modifying the policy.properties file and restart it when you are done.

Task overview: Delegating authentication to an Oracle Identity Federation instance

  1. Stop the OracleAS Single Sign-On server.

  2. Configure Oracle Identity Federation as the authentication mechanism in the policy.properties file.

  3. Add applications that are protected by Oracle Identity Federation to the list of protected applications in the policy.properties file.

  4. Restart the Oracle Application Server Single Sign-On server.

  5. Configure the Oracle Identity Federation to authenticate users who try to access the applications added to the policy.properties file.

    See the Oracle Secure Federation Services Administration Guide for details.

To stop the Oracle Application Server Single Sign-On Server

  1. From the Oracle Enterprise Manager 10g Application Server Control Console, click the instance of the application server that you want to stop.

  2. From the details page for the application server, select OC4J_SECURITY.

    If you also want to stop Oracle HTTP Server, click the HTTP Server link on the details page for the application server.

  3. Click Stop.

    A confirmation page appears.

  4. Click Yes on the confirmation page.

To delegate authentication to an Oracle Identity Federation instance

  1. Open the following file in a text editor:

    OSSO_install_dir/sso/conf/policy.properties

    Where OSSO_install_dir is the directory where Oracle Application Server Single Sign-On was installed.

  2. Uncomment and edit the following lines:

    SASSOAuthnUrl—Uncomment this line and change the host name and port to reflect the login URL for Oracle Identity Federation.

    SASSOLogoutUrl—Uncomment this line and change the host name and port to reflect the logout URL for Oracle Identity Federation.

    Note that the colon character (":") must be escaped by a backslash character ("\"), for example:

    SASSOAuthnUrl = http\://osfs_host.domain\:port/sso/authn

    SASSOLogoutUrl = http\://osfs_host.domain\:port/sso/jsp/sasso_logout_success.jsp

  3. Uncomment the following line to set the security level for Oracle Identity Federation:

    SASSOAuthLevel = MediumHighSecurity

  4. In the policy.properties file, uncomment the plug-in and audit level for the MediumHighSecurity authentication level:

    # MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SASSOAuth

  5. Locate the keystore file (the file name is "keystore") from the installation directory of the server hosting Oracle Identity Federation:

    Oracle_Identity_Federation_installdir/sso/conf

    Copy the keystore to the location specified in the SASSOConfigFile parameter in the policy.properties file. This location is the relative path from the local home directory for the OracleAS Single Sign-On server. For example:

    SASSOConfigFile = /sso/conf/keystore

    See the Oracle Secure Federation Services Administration Guide for details on generating the keystore.

  6. From the Oracle Enterprise Manager 10g Application Server Control Console, click the instance of Oracle Enterprise Manager 10g that you want to modify.

  7. Restart the Oracle HTTP Server and OC4J_SECURITY.

To add applications to be protected by the Oracle Identity Federation policies

  1. Stop the server, as described in "To stop the Oracle Application Server Single Sign-On Server".

  2. Edit the policy.properties file in the following location:

    install_dir/sso/conf/policy.properties

    Where install_dir is the directory where Oracle Application Server Single Sign-On is installed.

  3. In the Protected URL section of the policy.properties file, set the host and port for one or more applications that you want to be protected, for example:

    host\:port = MediumHighSecurity

    Where host\:port is the host and port of the application to be protected. The host and port are configured during or after installation. See the mid-tier documentation for details. MediumHighSecurity is the security level configured for single sign-on with Oracle Identity Federation. (See Chapter 6, "Multilevel Authentication" for details on authentication levels.)

  4. From the Oracle Enterprise Manager 10g Application Server Control Console, click the instance of application server that you want to start.

  5. Restart the Oracle HTTP Server and OC4J_SECURITY.


    Note:

    To complete the configuration, you also need to modify settings in the Oracle Identity Federation product. See the Oracle Secure Federation Services Administration Guide for details.

13.3 Configuring the Oracle Stack as the Identity Provider

When OracleAS Single Sign-On and Oracle Identity Federation perform the role of Identity Provider, Oracle Identity Federation delegates user authentication to OracleAS Single Sign-On. In this scenario, you configure federated single sign-on so that Oracle Identity Federation forwards user requests for resources to OracleAS Single Sign-On. In this case, OracleAS Single Sign-On becomes the authentication mechanism.

By default, the MediumHighSecurity authentication level is used for single sign-on between OracleAS Single Sign-On and Oracle Identity Federation. (See Chapter 6, "Multilevel Authentication" for details.) If you change this authentication level, Oracle recommends that you set the level to, or above, the default authentication level for OracleAS Single Sign-On. If you use a lower level, users will be challenged when they attempt to access any protected application that uses a higher security level.


Note:

To complete the configuration, you also need to modify settings in the Oracle Identity Federation product. See the Oracle Secure Federation Services Administration Guide for details.

To configure federated authentication using OracleAS Single Sign-On as the authentication mechanism:

  1. Go to the Oracle Enterprise Manager 10g Application Server Control Console.

  2. Click the instance of the application server that you want to stop.

  3. To prepare for stopping OC4J_SECURITY, from the details page for the application server, select OC4J_SECURITY.

  4. To prepare for stopping Oracle HTTP Server, click the HTTP Server link on the details page for the application server.

  5. Click Stop.

    A confirmation page appears.

  6. Click Yes on the confirmation page.

  7. Open the following file in a text editor:

    OSSO_install_dir/sso/conf/policy.properties

    Where OSSO_install_dir is the directory where Oracle Application Server Single Sign-On was installed.

  8. Uncomment and edit the following lines:

    SASSOAuthnUrl—Uncomment this line and change the host name and port to reflect the login URL for Oracle Identity Federation.

    SASSOLogoutUrl—Uncomment this line and change the host name and port to reflect the logout URL for Oracle Identity Federation.

    Note that the colon character (":") must be escaped by a backslash character ("\"), for example:

    SASSOAuthnUrl = http\://osfs_host.domain\:port/sso/authn

    SASSOLogoutUrl = http\://osfs_host.domain\:port/sso/jsp/sasso_logout_success.jsp

  9. Locate the keystore file (the file name is "keystore") from the installation directory of the server hosting Oracle Identity Federation:

    Oracle_Identity_Federation_install_dir/sso/conf

    Copy the keystore to the location specified in the SASSOConfigFile parameter in the policy.properties file. This location is the relative path from the local home directory for the OracleAS Single Sign-On server. For example:

    SASSOConfigFile = /sso/conf/keystore

    See the Oracle Secure Federation Services Administration Guide for details on generating the keystore.

  10. Restart OC4J_SECURITY and the Oracle HTTP Server.
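The policy.properties edits in the Service Provider procedure (section 13.2, including the Protected URL entries) and in the Identity Provider procedure above are easy to get wrong in two ways the chapter calls out: an unescaped colon ends a key early, and a SASSOAuthLevel below the default level causes users to be re-challenged. The following script is an added example, not Oracle's code: it reads a policy.properties fragment with Java-properties escaping rules and reports those mistakes before OC4J_SECURITY is restarted. The key names come from this chapter; the numeric level values, host names and ports in the sample are constructed for the example.

```python
"""Parse an OracleAS SSO policy.properties fragment and check its federation settings.

Added example (not Oracle's code). Key names come from the chapter; numeric level
values, hosts and ports below are constructed for illustration only.
"""
import re

# Constructed sample mirroring the edits the chapter asks for (level numbers are assumed).
SAMPLE_POLICY = r"""
# Authentication levels (numeric values assumed for this example)
LowSecurity = 20
MediumSecurity = 40
MediumHighSecurity = 50
HighSecurity = 60
DefaultAuthLevel = MediumSecurity

# Federation settings: colons in values are backslash-escaped as the chapter instructs
SASSOAuthnUrl = http\://osfs_host.domain\:7777/sso/authn
SASSOLogoutUrl = http\://osfs_host.domain\:7777/sso/jsp/sasso_logout_success.jsp
SASSOAuthLevel = MediumHighSecurity
SASSOConfigFile = /sso/conf/keystore

# Plug-in for the federated level (uncommented); another level left commented out
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SASSOAuth
# HighSecurity_AuthPlugin = example.HypotheticalPlugin

# Protected URLs: the colon in the key must be escaped or the key would end at it
app1.domain\:7778 = MediumHighSecurity
"""


def _unescape(s):
    """Resolve Java-properties escapes: '\\:' -> ':', '\\n' -> newline, '\\\\' -> '\\'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "t": "\t"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal Java .properties reader: comments, escaped separators, line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing backslashes: continues
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        i = 0
        while i < len(line) and line[i] not in "=: \t":  # key ends at first unescaped separator
            i += 2 if line[i] == "\\" else 1
        key, rest = line[:i], line[i:].lstrip(" \t")
        if rest and rest[0] in "=:":
            rest = rest[1:].lstrip(" \t")
        props[_unescape(key)] = _unescape(rest.rstrip())
    return props


def auth_levels(props):
    """Level name -> numeric rank for every '<Name>Security = <number>' entry."""
    return {k: int(v) for k, v in props.items()
            if re.fullmatch(r"[A-Za-z]+Security", k) and v.isdigit()}


def check_federation_config(props):
    """Return the problems an administrator should fix before restarting OC4J_SECURITY."""
    problems, levels = [], auth_levels(props)
    for key in ("SASSOAuthnUrl", "SASSOLogoutUrl", "SASSOConfigFile"):
        if not props.get(key):
            problems.append(f"{key} is missing or still commented out")
    for key in ("SASSOAuthnUrl", "SASSOLogoutUrl"):
        url = props.get(key, "")
        if url and not re.match(r"https?://[^/:\s]+:\d+/", url):
            problems.append(f"{key} is not of the form scheme://host:port/path: {url!r}")
    level = props.get("SASSOAuthLevel")
    if level not in levels:
        problems.append(f"SASSOAuthLevel {level!r} is not a defined authentication level")
    elif props.get(f"{level}_AuthPlugin") != "oracle.security.sso.server.auth.SASSOAuth":
        problems.append(f"{level}_AuthPlugin must be set to the SASSOAuth plug-in")
    default = props.get("DefaultAuthLevel")
    if level in levels and default in levels and levels[level] < levels[default]:
        problems.append(f"SASSOAuthLevel {level} is below DefaultAuthLevel {default}; "
                        "users will be re-challenged at higher-level applications")
    for key, value in props.items():  # protected URL entries look like host:port = Level
        if re.fullmatch(r"[^\s=:]+:\d+", key) and value not in levels:
            problems.append(f"protected URL {key} maps to undefined level {value!r}")
    return problems


if __name__ == "__main__":
    for problem in check_federation_config(parse_properties(SAMPLE_POLICY)) or ["no problems found"]:
        print(problem)
```

To check a real file, replace SAMPLE_POLICY with the contents of OSSO_install_dir/sso/conf/policy.properties; the level ranking uses whatever numeric values that file defines, so the "below DefaultAuthLevel" check reflects the server's own ordering rather than the assumed numbers above.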

13.4 Adding Federated Authentication URLs to a Web Portal

On a Web portal page, you may want to configure links to resources that each require a different authentication mechanism. The integration between Oracle Identity Federation and OracleAS Single Sign-On enables you to configure a link on a Web page that is protected by OracleAS Single Sign-On to do the following:


Note:

See the Oracle Secure Federation Services Administration Guide for details on configuring Identity Providers.

To configure a federated authentication link on a Web portal page:

  1. Set up a resource to be protected by OracleAS Single Sign-On.

  2. In the HTML code for the portal page, provide the following link:

    <a href="http(s)://<rest-of-URL>?providerid=xxx">

    Where:

    • http(s) is the protocol (http or https) to be used.

    • <rest-of-URL> is the URL to the path to the protected resource.

    • providerid is the keyword that signals to OracleAS Single Sign-On that Oracle Identity Federation must be queried for the Identity Provider.

    • xxx is the Identity Provider ID configured in Oracle Identity Federation.
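Identity Provider IDs configured in Oracle Identity Federation are frequently URIs, so the xxx value must be query-encoded before it is placed after providerid, and a page that receives the link must decode it again. The functions below are an added example, not Oracle's code, that build the link in the form shown above and recover the provider ID from it; the portal host, path and provider ID values are constructed for the example.

```python
"""Build and read a portal link carrying the providerid keyword.

Added example (not Oracle's code). Host, path and provider ID values are constructed.
"""
import html
from urllib.parse import parse_qs, quote, urlencode, urlsplit, urlunsplit


def federated_href(scheme, host, path, provider_id):
    """Return http(s)://<rest-of-URL>?providerid=xxx with the provider ID query-encoded."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    query = urlencode({"providerid": provider_id})  # encodes ':' and '/' in URI-style IDs
    return urlunsplit((scheme, host, quote(path), query, ""))


def federated_link(scheme, host, path, provider_id):
    """Return the <a href="..."> element for the portal page, attribute-escaped for HTML."""
    return f'<a href="{html.escape(federated_href(scheme, host, path, provider_id), quote=True)}">'


def provider_id_from_url(url):
    """Return the decoded providerid value, or None when the link carries no keyword."""
    values = parse_qs(urlsplit(url).query).get("providerid")
    return values[0] if values else None


if __name__ == "__main__":
    href = federated_href("https", "portal.example.com:7777", "/partner/reports",
                          "https://idp.example.com/fed/idp")
    print(href)
    print(provider_id_from_url(href))
```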