SSO Integration Patterns

Anthony Shorten
Senior Principal Product Manager
Single Sign On support is one of the most common questions I get asked by customers, partners and sales people.

Single Sign On (SSO) is an implementation mechanism, or technology, that lets a user of multiple browser applications supply credentials once (typically at login) and have them reused for the rest of that session by subsequent applications, so the user does not have to log on more than once. This helps cross product navigation: a user logs onto one application and, when transferring to another, avoids logging into that other product as well.

Single Sign On is not a product requirement; it is an infrastructure requirement, and so there are infrastructure solutions available for it.

Typically there are two main styles of Single Sign On with different approaches for implementation.

The first style is best described as "Desktop" Single Sign-On. This is where you log on to your client machine (usually a Windows based PC) and the credentials you used to log on to that machine are reused for ANY product used after that authentication. Typically this is implemented using the Kerberos protocol together with the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). It is restricted to operating systems (typically Windows) where you perform the following:

  • Set up the client machine browsers to accept and pass the credentials
    to the server. This sets the browser to read the Kerberos credentials
    and pass them to the server.
  • Set up the Microsoft Active Directory Services Network Domain
    Controller to accept Kerberos and pass it on to the subsequent applications.
  • Create a keytab file for Oracle WebLogic to use.
  • Configure the Oracle WebLogic Identity Assertion Provider to specify
    that the keytab is to be used and that Kerberos is to be used for the
    identity.
  • Configure Oracle WebLogic to start up using the provider and Kerberos.
  • Set the login preference within OUAF to CLIENT-CERT to indicate that the login is passed in from somewhere else. This turns off our login screen.

As you can see the majority of the work is in Oracle WebLogic and is documented in Configuring Single Sign-On with Microsoft Clients.

The second style is best described as "Browser" Single Sign-On. This typically means you log in to the machine and then open the browser to log on. From that point, as long as the browser is open, any subsequent application will reuse the credentials specified for the browser session. This is the style implemented by SSO products such as Oracle Access Manager, Oracle Enterprise SSO and other SSO products (including third party ones). Typically implementing this involves the following:

  • Setting up Oracle Access Manager
    or the SSO product to your requirements. Oracle Access Manager supports
    many variations of SSO, including Single Network Domain SSO,
    Multiple Network Domain SSO, Application SSO, etc. This is all outlined in Introduction to Single Sign-On with Access Manager.
  • Setting up Oracle WebLogic with Oracle Access Manager (this allows
    Oracle WebLogic to get the credentials from Oracle Access Manager). This
    is outlined in Configuring Single Sign-On with Oracle Access Manager 11g.
  • Set the login preference within OUAF to CLIENT-CERT to indicate that the login is passed in from somewhere else. This turns off our login screen.

Again, as you can see the majority of the work is in Oracle WebLogic and Oracle Access Manager.

Information about implementing Single Sign-On with our products (both styles) is contained in:

  • Single Sign On Integration for Oracle Utilities Application Framework based products (Doc Id: 799912.1) available from My Oracle Support.
  • Oracle Identity Management Suite Integration with Oracle Utilities Application Framework based products (Doc Id: 1375600.1) available from My Oracle Support.

While the first style is typically lower cost, it is restricted to specific platforms that support Kerberos and SPNEGO. It is also restricted in flexibility: it passes the credentials from the client all the way to the server, so the identities must match end to end. Oracle Access Manager, on the other hand, is far more flexible, supporting a wide range of architectures as well as including access control, password control and user tracking features within WebGate. These allow additional capabilities to be implemented:

  • Access Control - This allows for additional security rules to be implemented. For example, turning off part of a product during time periods. I have heard of customers using Oracle Access Manager to stop online payments from being accessible after business hours from a call center, due to customer specific payment processes being implemented. This augments the inbuilt security model available from Oracle Utilities Application Framework.
  • User Tracking - Oracle Utilities Application Framework is stateless, therefore you can only see active users when they are actively running transactions, not when they are idle. WebGate has information about idle users as well as active users allowing for enhanced user tracking.

Whatever style you choose to adopt, we have a flexible set of solutions to implement SSO. The only common element, and the only step within Oracle Utilities Application Framework itself, is to change the J2EE login preference from the default FORM based login to CLIENT-CERT.
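Both procedures above end with the same product-side change: the J2EE login preference moves from FORM to CLIENT-CERT so that WebLogic's identity asserter, not the product's login page, establishes the identity. The following is an added example (not code from the original post or from Oracle's OUAF tooling) that parses a web.xml descriptor, reports the configured auth-method, and checks that a CLIENT-CERT descriptor carries no leftover FORM login pages; the two descriptors are constructed samples and the page names are assumed.

```python
# Added example: verify the J2EE <login-config> that SSO integration relies on.
# Both web.xml samples below are constructed; the JSP page names are assumed.
import xml.etree.ElementTree as ET

# Constructed sample: the default FORM-based login configuration.
FORM_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/loginPage.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Constructed sample: login delegated to the container (WebLogic identity asserter).
CLIENT_CERT_WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>"""


def _local(tag):
    # Strip the XML namespace so the check works with or without the javaee xmlns.
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    for node in parent:
        if _local(node.tag) == name:
            return node
    return None


def login_method(web_xml):
    """Return the <auth-method> text, or None when no <login-config> is declared."""
    cfg = _child(ET.fromstring(web_xml), "login-config")
    if cfg is None:
        return None
    method = _child(cfg, "auth-method")
    return method.text.strip() if method is not None and method.text else None


def sso_ready(web_xml):
    """True only when login is CLIENT-CERT and no FORM login pages remain configured."""
    if login_method(web_xml) != "CLIENT-CERT":
        return False
    cfg = _child(ET.fromstring(web_xml), "login-config")
    return _child(cfg, "form-login-config") is None
```

Run `sso_ready` against the deployed descriptor after enabling either SSO style; a `False` result means the product's own login screen is still in the request path.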


Comments (5)
  • Charles Monday, May 12, 2014

    I'm surprised this post doesn't cover Federation and SAML


  • guest Friday, May 23, 2014

    Hi,

    I am configuring SSO for Oracle Utilities Customer Care and Billing application 4.2. I have successfully completed SSO integration with Ebiz. With the same Access Manager 11g I need to configure SSO authentication for CCB. I read all white papers for SSO integration with Oracle Utilities, but did not get a clear idea. Please suggest me a note or doc to follow step by step instructions to configure SSO for CCB. Do I need to configure a separate webgate for CCB as well in a separate WebLogic domain? I am a bit confused. Please suggest me.

    Thanks

    Srini


  • acshorten Friday, July 4, 2014

    Charles, SAML And Federation are not covered directly as they are implemented indirectly with our product lines. You can refer to the Identity Management Suite for integration options with those products.

    Srini, As for SSO documentation, the basic documentation we have is usually enough. Fundamentally you set the SSO product up as per the documentation shipped with the SSO product and then enable CLIENT-CERT as the preferred login to get it working. The last step is the only bit in the product you need to configure. The majority of work is in the SSO product and Oracle WebLogic which is covered in their documentation already.


  • guest Wednesday, January 11, 2017

    Hello Anthony - We are implementing ORMB 2.5.0.3.

    My company has enterprise-wide OHS/OAM cluster that handles authentication for all of our enterprise web apps.

    Our ORMB will be 'fronted' by this OHS/OAM group.

    How can I achieve SSO (no login screen for ORMB) in this instance?

    I know the documentation goes through setting up a new OHS/OAM install, but this is not an option for us.

    I found the oamAuthProvider.jar file and I have added the OAM identity asserter to my WebLogic. And I understand that I need to change the login option to client-cert...

    What I'm not sure of now is how to configure the identity asserter, and what, if anything, do I need the OHS/OAM team at my company to give to me? Do I need to set up the OAM Authentication provider as well, or would we configure an additional LDAP authenticator in our WebLogic?

    Would appreciate any information you could give.


  • ashorten Monday, January 30, 2017

    The OAM documentation tells you how to setup SSO with Oracle WebLogic. The only setting in our product required for this is to set the CLIENT-CERT for the login setting. This tells WebLogic and the product that the identity is passed from an external source. In this case it is OAM to provide the authentication tokens.

    The configuration is not a product one, just an OAM standard SSO setup. I would recommend having a look at the Administration documentation for OAM for more information on how to setup SSO.

