Handling Hybrid Applications in Oracle ESSO

In a recent project involving Oracle ESSO (Oracle Enterprise Single Sign-On, a desktop-based Single Sign-On solution that Oracle acquired from Passlogix in 2011), I stated to the customer that Oracle ESSO was flexible enough to handle automatic sign-on for most of the web and native applications running on PCs, including text-based applications through a terminal... And of course, after such a statement, you can imagine how satisfied the customer was when he found a very common application to prove that I was wrong! And this application was nothing more than Skype, the popular VoIP application from the web...

Without getting into technical details, this is basically how Oracle ESSO works: it identifies the login form of any web-based application (by recognizing the URL and the HTML form) or any Windows-native application (by recognizing the executable signature and the UI forms within the application). Once the form is recognized, ESSO takes over the login process by supplying the appropriate credential, either recorded during a previous manual login or provisioned by a provisioning system such as Oracle Identity Manager or Tivoli Identity Manager.

The challenge with Skype was that it is neither a web-based nor a Windows-based application. It is a new type of application called a hybrid application, with an embedded web server and browser that serve the HTML pages rendering the UI. The business logic (JavaScript) is either stored locally or accessed remotely through SOAP or REST services from Skype servers. This approach simplifies development by keeping the UI and logic consistent across different platforms, including mobile devices.

Now, it is not completely true that ESSO is unable to handle Skype. It does recognize the application as a web application, and it is then able to store the credential in the ESSO repository. This is an out-of-the-box mode that allows ESSO to store any website credential centrally and securely, rather than relying on the browser's "remember credentials" capability. But in this mode we have no control over the web application, such as preventing the automatic re-login after an explicit logout.

In order to add more control logic to an application that we want to "eSSO"-enable, we need to use the Oracle ESSO Logon Manager Admin Console to create an application template. But in this case we cannot capture the application as a native Windows application, because we cannot drill into the UI form; and we cannot capture it as a web application either, because we do not have the actual URL... Luckily, Oracle ESSO 11g has a new option for creating an application template. In the past we needed to specify in advance the type of application that we wanted to capture (web or native). Now, we can use the Title Bar button directly from the application that we want to add ESSO controls to. Here are the steps; make sure that the ESSO-LM Admin Console and Skype are already started:

1. Create a template from the Skype application Title Bar button

2. Ignore the JavaScript errors... we do not need them anyway

3. Double-check that ESSO has successfully recognized the "username" and "password" fields, and change the form name to match your needs (Skype Login in this case)

4. Move to the Fields tab in the [Web] window

5. Select SendKeys as the Transfer method

6. Add the 'Enter' key as the last action: because the submit button is not explicitly present, we have to reproduce the login sequence manually.

7. Now your template is complete and you can add your ESSO controls to fit your requirements! In this case, I set the Logon Loop Grace Period to 480 minutes, so when the end-user is logged in and decides to log out within this window, Oracle ESSO will not attempt to log in again. And this timer is reset if Skype is restarted manually.

Hope you enjoyed the read, and don't hesitate to download ESSO for your own testing!



Hi, I am Manh-Kiet Yap (known as Kiet @oracle) and I'm currently the Technical Director at the APAC Advanced Customer Services.

I've recently received my 15-year long service award, after being successively Technical Consultant in France, Presales in Hong Kong, FMW Product Manager in EMEA, Presales Mgr in APAC and finally Architect at Oracle ACS.

With my 15 years of experience around Middleware, I hope you will find this blog valuable if you are navigating around Oracle Fusion Middleware!
