Friday, May 05, 2006

Introduction to Oracle Single Sign-On System

Introduction

The Single Sign-On Server (SSO) provides a mechanism that lets the different applications of an enterprise share one user authentication service. With Oracle's enterprise-wide single sign-on, a user is required to log on, or authenticate, once. That verification of the user's identity remains valid for the duration of the user session and for every application participating in the single sign-on framework. The user session ends, across every application, when the user logs out of any partner application. The user authentication process is delegated to the SSO server, which manages the user's credentials (password, digital certificate, and so on).

Key Components in the Single Sign-On System
OracleAS Single Sign-On interacts with the following components:
1. Single Sign-On Server
2. Partner Applications
3. External Applications
4. mod_osso
5. Oracle Internet Directory
6. Oracle Identity Management Infrastructure

Single Sign-On Server
The single sign-on server consists of program logic in the OracleAS database, Oracle HTTP Server, and OC4J server that enables you to log in securely to applications. These applications take two forms: partner applications and external applications. In both cases, you gain access to several applications by authenticating only once.

Partner Applications
OracleAS applications delegate the authentication function to the single sign-on server. For this reason, they are called partner applications. An authentication module called mod_osso enables these applications to accept authenticated user information instead of a user name and password once you have logged in to the single sign-on server. A partner application is responsible for determining whether a user authenticated by OracleAS Single Sign-On is authorized to use the application.

External Applications
External applications do not delegate authentication to the single sign-on server. Instead, they display HTML login forms that ask for application user names and passwords. Each external application may require a unique user name and password. You can configure the single sign-on server to provide user names and passwords to external applications on users’ behalf once they have logged in to the single sign-on server. The server uses the single sign-on user name to locate and retrieve application names and passwords and to log the user in.

mod_osso
mod_osso is an Oracle HTTP Server module that provides authentication to OracleAS Applications. It replaces the single sign-on SDK, used in earlier releases of OracleAS Single Sign-On to integrate partner applications. Located on the application server, mod_osso simplifies the authentication process by serving as the sole partner application to the single sign-on server. In this way, mod_osso renders authentication transparent to OracleAS applications. The administrator for these applications is spared the burden of integrating them with an SDK. After authenticating a user, mod_osso transmits the simple header values that applications may use to authorize the user:

· User name
· User GUID
· Language and territory
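As an added illustration of the partner-application side described above (example code, not from the original post or from Oracle), the function below takes the header values forwarded by mod_osso and performs the authorization decision that the partner application itself is responsible for. The header names and the front-end address are assumptions for the example; the authorization table is constructed sample data.

```python
from dataclasses import dataclass

# Assumed header names carrying the values listed above (check your release's
# mod_osso documentation for the exact names it sets).
USER_HEADER = "Osso-User-Dn"     # user name
GUID_HEADER = "Osso-User-Guid"   # user GUID
LANG_HEADER = "Osso-User-Lang"   # language and territory, e.g. "en-US"

# Assumed: the only address from which requests may legitimately arrive is the
# Oracle HTTP Server instance running mod_osso. Identity headers on a request
# that reaches the application by any other path were not set by mod_osso.
TRUSTED_FRONTENDS = {"10.0.0.5"}

# Constructed sample authorization table, keyed by GUID because the GUID is
# stable even if the user is renamed in Oracle Internet Directory.
ROLES_BY_GUID = {
    "GUID-0001": {"viewer", "editor"},
    "GUID-0002": {"viewer"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    user: str = ""
    locale: str = "en-US"


def authorize(headers, required_role, remote_addr):
    """Decide whether the mod_osso-authenticated user may use a resource.

    headers: request headers as a dict (looked up case-insensitively).
    required_role: the role the requested resource needs.
    remote_addr: address the request arrived from, used to confirm that the
        identity headers really came from the mod_osso front end.
    """
    if remote_addr not in TRUSTED_FRONTENDS:
        return Decision(False, "request did not come through mod_osso")
    h = {k.lower(): v for k, v in headers.items()}
    user = h.get(USER_HEADER.lower(), "").strip()
    guid = h.get(GUID_HEADER.lower(), "").strip()
    if not user or not guid:
        # mod_osso has not authenticated this session yet; the application
        # should let mod_osso redirect the user to the single sign-on server.
        return Decision(False, "no authenticated user")
    locale = h.get(LANG_HEADER.lower(), "en-US")
    roles = ROLES_BY_GUID.get(guid, set())
    if required_role not in roles:
        return Decision(False, f"{user} lacks role {required_role}", user, locale)
    return Decision(True, "ok", user, locale)
```

Authentication is settled by mod_osso before the request reaches this code; the function only answers the partner application's own question, whether this authenticated user may use this resource.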

Oracle Internet Directory
Oracle Internet Directory is the repository for all single sign-on user accounts and passwords: administrative and non-administrative. The single sign-on server authenticates users against their entries in the directory. At the same time, it retrieves user attributes from the directory that enable applications to validate users.

Oracle Identity Management Infrastructure
OracleAS Single Sign-On is just one link in an integrated infrastructure that also includes Oracle Internet Directory, Oracle Directory Integration and Provisioning, Oracle Delegated Administration Services, and OracleAS Certificate Authority. Working together, these components, called the Oracle Identity Management infrastructure, manage the security life cycle of users and other network entities in an efficient, cost-effective way.

Comments on "Introduction to Oracle Single Sign-On System"

Blogger shiva da karthik said ... (7:26 PM) : 

Nice Intro ... short and sweet
