SSO Integration Patterns

Single Sign On Support is one of the common questions I get asked from customers, partners and sales people.

Single Sign On is basically an implementation mechanism or technology that allows customers of multiple browser applications to specify credentials once (at login typically) that are reused for that session for subsequent applications. This avoids logging on more than once. This aids in cross product navigation where a user logs onto one application and when transfer to another application avoid logging into that other product.

Single Sign On is not a product requirement it is an infrastructure requirement. Therefore there are infrastructure solutions available.

Typically there are two main styles of Single Sign On with different approaches for implementation.

The first style is best described as "Desktop" Single Sign-On. This is where you logon to your client machine (usually a windows based PC) and the credentials you used to logon to that machine are reused for ANY product used after authentication. Typically this is implemented using the Kerberos protocol and Simple and Protected Negotiate (SPNEGO) protocol. This is restricted to operating systems (typically Windows) where you perform the following:

  • Setup the client machine browsers to accept and pass the credentials to the server. This sets the browser to read the kerberos credentials and pass them to the server.
  • Setup the Microsoft Active Directory Services Network Domain Controller to accept Kerberos and pass onto the subsequent applications.
  • Create a keytab file for Oracle WebLogic to use.
  • Configure Oracle WebLogic Indentity Assertion Provider to specify that the keytab is to be used and that Kerberos is to be used for the Identity.
  • Configure Oracle WebLogic to startup using the provider and Kerberos.
  • Set the login preferences within OUAF to CLIENT-CERT to indicate the login is passed from somewhere else. This turns off our login screen.

As you can see the majority of the work is in Oracle WebLogic and is documented in Configuring Single Sign-On with Microsoft Clients.

The second style of is best described as "Browser" Single Sign-On. This typically means you login to the machine and then open the browser to logon. At this point as long as the browser is open, any subsequent application will reuse the credentials specified for the browser session. This is the style i implemented by SSO products such as Oracle Access Manager, Oracle Enterprise SSO and other SSO products (including third party ones). Typically implementing this involves the following:

  • Setting Up Oracle Access Manager or the SSO product to your requirements. Oracle Access Manager supports lots of variations for SSO including Single Network Domain SSO, Multiple Network Domains, Application SSO, etc. This is all outlined in Introduction to Single Sign-On with Access Manager.
  • Setting up Oracle WebLogic with Oracle Access Manager (this allows Oracle WebLogic to get the credentials from Oracle Access Manager). This is outined in Configuring Single Sign-On with Oracle Access Manager 11g.
  • Set the login preferences within OUAF to CLIENT-CERT to indicate the login is passed from somewhere else. This turns off our login screen

Again, as you can see the majority of the work is in Oracle WebLogic and Oracle Access Manager.

Information about implementing Single Sign-On withour products (both styles) is contained in

  • Single Sign On Integration for Oracle Utilities Application Framework based products (Doc Id: 799912.1) available from My Oracle Support.
  • Oracle Identity Management Suite Integration with Oracle Utilities Application Framework based products (Doc Id: 1375600.1) available from My Oracle Support.

While the first style is lower cost typically, it is restricted to specific platforms that support Kerberos and SPNEGO. It is restricted also in flexibility, it passes the credentials from the client all the way to the server so they must match. Oracle Access Manager on the other hand is far more flexible supporting a wide range of architectures as well as including Access Control features, password control and user tracking features within WebGate. These features allow additional features to be implemented:

  • Access Control - This allows for additional security rules to be implemented. For example, turning off part of a product during time periods. I have heard of customers using Oracle Access Manager to stop online payments from being accessible after business hours from a call center, due to customer specific payment processes being implemented. This augments the inbuilt security model available from Oracle Utilities Application Framework.
  • User Tracking - Oracle Utilities Application Framework is stateless, therefore you can only see active users when they are actively running transactions, not when they are idle. WebGate has information about idle users as well as active users allowing for enhanced user tracking.

Whatever the style you choose to adopt, we have a flexible set of solutions to implement SSO. The only common element and the only step Oracle Utilities Application Framework is to change the J2EE login preference from the default FORM based to CLIENT-CERT.


I'm surprised this post doesn't cover Federation and SAML

Posted by Charles on May 13, 2014 at 07:10 AM EST #


I am configuring SSO for Oracle utilities customer care and billing application 4.2. I have successfully completed SSO integration with Ebiz. Same Access Manager 11g I need to configure SSO authentication for CCB. I red all white papers for SSO integration with Oracle utilities, but not get clear idea. Please suggest me note or doc to follow step by step instruction to configure SSO for CCB. Do I need to configure separate webgate for CCB as well in separate weblogic domain. I am fit confused. Please suggest me.


Posted by guest on May 24, 2014 at 01:14 AM EST #

Charles, SAML And Federation are not covered directly as they are implemented indirectly with our product lines. You can refer to the Identity Management Suite for integration options with those products.

Srini, As for SSO documentation, the basic documentation we have is usually enough. Fundamentally you set the SSO product up as per the documentation shipped with the SSO product and then enable CLIENT-CERT as the preferred login to get it working. The last step is the only bit in the product you need to configure. The majority of work is in the SSO product and Oracle WebLogic which is covered in their documentation already.

Posted by acshorten on July 04, 2014 at 12:12 PM EST #

Post a Comment:
  • HTML Syntax: NOT allowed

Anthony Shorten
Hi, I am Anthony Shorten, I am the Principal Product Manager for the Oracle Utilities Application Framework. I have been working for over 20+ years in the IT Business and am the author of many a technical whitepaper, manual and training material. I am one of the product managers working on strategy and designs for the next generation of the technology used for the Utilities and Tax markets. This blog is provided to announce new features, document tips and techniques and also outline features of the Oracle Utilities Application Framework based products. These products include Oracle Utilities Customer Care and Billing, Oracle Utilities Meter Data Management, Oracle Utilities Mobile Workforce Management and Oracle Public Service Revenue Management. I am the product manager for the Management Pack for these products.


« July 2016