
Oracle9iAS Single Sign-On

From the document Oracle9 Application Server (pages 177-181)


Oracle9iAS Single Sign-On enables users to sign in only once for all applications that they are authorized to access. Oracle9iAS Single Sign-On is commonly used with portals, which can display multiple applications on a single page. Users enter their username and password only once to access the applications on the page.

You configure Oracle9iAS Single Sign-On using a Web-based interface. You can perform tasks such as setting the maximum session length, adding partner applications, and changing the administrator password.

See the Oracle9iAS Single Sign-On Administrator’s Guide for details.

Table 7–8 Changes to Oracle9iAS Single Sign-On

If you change this: | You affect these components:

Hostname, Port, or Protocol (HTTP or HTTPS)

If you change the hostname, port, or protocol of Oracle HTTP Server, this affects Single Sign-On. See the section "Oracle HTTP Server" for details.

Oracle9iAS Portal:

Three cases are possible (for details on ptlasst, see the Oracle9iAS Portal Configuration Guide):

Case 1: If you are running Portal and Oracle9iAS Single Sign-On on the same machine, and you changed the name of the machine, you need to run the script:

(UNIX) ORACLE_HOME/assistants/opca/ptlasst.csh (Windows) ORACLE_HOME\assistants\opca\ptlasst.cmd

in SSOPARTNERCONFIG mode:

ptlasst.csh -i typical -mode SSOPARTNERCONFIG -s portal -sp portal -c webdbsvr2.us.oracle.com:1521:s901dev3 -sdad portal -o orasso -odad orasso -host webdbsvr1.us.oracle.com -port 3000 -silent -verbose -sso_c webdbsvr2.us.oracle.com:1521:s901dev3 -sso_h webdbsvr1.us.oracle.com -sso_p 3000 -pa orasso_pa -pap orasso_pa -ps orasso_ps -pp orasso_ps -pd portal_dblink -p_tns websso_ps -s_tns portal -iasname myIAS

Note: Running ptlasst in SSOPARTNERCONFIG mode creates a new row for the partner application instead of updating the existing row. This does not prevent Portal from working, but it can become a usability issue when the list of partner applications builds up on the Global Logout screen and some links might break.


Case 2: If you are running Portal and the Oracle9iAS Single Sign-On server on separate machines and you just changed the name of the Oracle9iAS Single Sign-On machine (the name of the Portal machine did not change), you need to run the script:

(UNIX) ORACLE_HOME/assistants/opca/ptlasst.csh (Windows) ORACLE_HOME\assistants\opca\ptlasst.cmd

in SSOPARTNERCONFIG mode. Specify the new Oracle9iAS Single Sign-On server name and port in the Oracle9iAS Single Sign-On server name and port parameters:

ptlasst.csh -i typical -mode SSOPARTNERCONFIG -s portal -sp portal -c webdbsvr2.us.oracle.com:1521:s901dev3 -sdad portal -o orasso -odad orasso -host webdbsvr1.us.oracle.com -port 3000 -silent -verbose -sso_c webdbsvr2.us.oracle.com:1521:s901dev3 -sso_h webdbsvr1.us.oracle.com -sso_p 3000 -pa orasso_pa -pap orasso_pa -ps orasso_ps -pp orasso_ps -pd portal_dblink -p_tns websso_ps -s_tns portal -iasname myIAS

Case 3: If you are pointing a Portal instance from one Oracle9iAS Single Sign-On server to another one, you need to do the following:

1. Add the Portal as a partner application to the new Oracle9iAS Single Sign-On server. See the section "Adding a Partner Application" in Chapter 2 of the Oracle9iAS Single Sign-On Administrator’s Guide for details.

2. Run the script:

(UNIX) ORACLE_HOME/assistants/opca/ptlasst.csh (Windows) ORACLE_HOME\assistants\opca\ptlasst.cmd

in SSOPARTNERCONFIG mode to associate Portal with the new Oracle9iAS Single Sign-On server:

ptlasst.csh -i typical -mode SSOPARTNERCONFIG -s portal -sp portal -c webdbsvr2.us.oracle.com:1521:s901dev3 -sdad portal -o orasso -odad orasso -host webdbsvr1.us.oracle.com -port 3000 -silent -verbose -sso_c webdbsvr2.us.oracle.com:1521:s901dev3 -sso_h webdbsvr1.us.oracle.com -sso_p 3000 -pa orasso_pa -pap orasso_pa -ps orasso_ps -pp orasso_ps -pd portal_dblink -p_tns websso_ps -s_tns portal -iasname myIAS

Case 2 and Case 3 above assume that the Oracle Internet Directory server that the Oracle9iAS Single Sign-On servers point to is the same. If not, you also need to run ssooconf.sql. See the section "Oracle Internet Directory" for details.


mod_osso:

Run the Single Sign-On registration tool to re-register mod_osso. See the section "Reregistering the Oracle HTTP Server with the Single Sign-On Server" in the Oracle9iAS Single Sign-On Release Notes for details.

Note: Running the registration tool creates a new row for the partner application instead of updating the existing row. This does not prevent the application from working, but it can become a usability issue when the list of partner applications builds up on the Global Logout screen and some links might break.

Oracle9iAS Wireless:

The registration tool for the Wireless partner application is:

(UNIX) ORACLE_HOME/wireless/sample/reRegisterSSO.sh

Note: Running reRegisterSSO creates a new row for the partner application instead of updating the existing row. This does not prevent the application from working, but it can become a usability issue when the list of partner applications builds up on the Global Logout screen and some links might break.

Password of ORASSO schema

You can change the password using the SSO Administration page or SQL*Plus.

Oracle HTTP Server and Oracle9iAS Portal:

1. Use the Oracle Enterprise Manager Web site to change the Database Password field for the DAD that accesses the Oracle9iAS Single Sign-On schema to match the new password.

This changes the PlsqlDatabasePassword parameter in the ORACLE_HOME/Apache/modplsql/conf/dads.conf file.

2. Restart HTTP Server.

Oracle9iAS Portal:

Update the ssoServerPassword property for the Oracle9iAS Single Sign-On target in the ORACLE_HOME/sysman/emd/targets.xml file.


Password of ORASSO_PS schema

Oracle9iAS Portal:

No changes required if Portal uses the Metadata Repository API to retrieve the password. If Portal stores the password in a database table, then it has to update the table.

Password of the lightweight SSO administrator (DN: cn=orcladmin, cn=users, o=company, dc=com)

No repercussions on other components.

Logout_url, success_url, failure_url, or home_url of partner applications, including mod_osso module

Oracle9iAS Single Sign-On:

You can change these URLs through the SSO Server Administration Page.

Disable Oracle9iAS Single Sign-On

Oracle9iAS Reports Services:

Edit ORACLE_HOME/reports/conf/rwservlet.properties to set SINGLESIGNON=NO (default is YES).

Any DAS:

Changes to Oracle9iAS Single Sign-On are reflected by mod_osso, from which DAS gets Oracle9iAS Single Sign-On information.

Oracle9iAS Single Sign-On application entry password, which is stored in Oracle Internet Directory at:

orclApplicationCommonName=ORASSO, cn=SSO, cn=Products, cn=OracleContext

You can change the password by changing the userPassword attribute using ODM or a command-line utility.

Oracle9iAS Single Sign-On:

Run ORACLE_HOME/sso/admin/plsql/sso/ssooconf.sql in SQL*Plus as the ORASSO user to update the password in the Oracle9iAS Single Sign-On preference store. This enables Oracle9iAS Single Sign-On to connect to Oracle Internet Directory.

Load balancing

Oracle HTTP Server and Load Balancer:

If Oracle HTTP Server for the Oracle9iAS Single Sign-On server is behind a load balancer, you need to set the KeepAlive directive in the file ORACLE_HOME/Apache/Apache/conf/httpd.conf to off. If this directive is set to on, the load balancer maintains state with Oracle HTTP Server for the same connection, and this results in an HTTP 503 error code.
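An added example, not part of the Oracle documentation: a shell check that reports which KeepAlive value takes effect in an httpd.conf, so the load balancer requirement above can be verified after a change. The function names and the sample file are constructed for illustration, and files pulled in through Include are not followed.

```shell
#!/bin/sh
# Added example (not Oracle tooling): report the KeepAlive value that takes
# effect in an httpd.conf. Files referenced by Include are not followed.

effective_keepalive() {
    # $1 = path to httpd.conf; prints the lowercased value of the last
    # KeepAlive directive, or "on" when the directive is absent.
    awk '
        /^[ \t]*#/ { next }                        # skip whole-line comments
        tolower($1) == "keepalive" && NF >= 2 {    # exact name match, so KeepAliveTimeout
            value = tolower($2)                    # and MaxKeepAliveRequests are ignored
        }
        END { print (value == "" ? "on" : value) } # Apache default is On when unset
    ' "$1"
}

check_sso_keepalive() {
    # Returns 0 only when the effective setting is off.
    state=$(effective_keepalive "$1")
    if [ "$state" = "off" ]; then
        echo "OK: KeepAlive is off in $1"
        return 0
    fi
    echo "WARN: KeepAlive is '$state' in $1; set it to off behind a load balancer"
    return 1
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# KeepAlive Off
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
EOF
check_sso_keepalive "$sample" || true
rm -f "$sample"
```

On a real installation, pass ORACLE_HOME/Apache/Apache/conf/httpd.conf to check_sso_keepalive instead of the sample file.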
