Blog | Dec 11, 2012
Do You Know SSO?
By: Naveen Chadha
Do you know why SSO integration is an important IT solution?
As an eBusiness Suite (EBS) Remote Managed Services group, we have been part of many Oracle Single Sign-On (OSSO) solutions, implementing different architectural setups for our customers. Recently we implemented an OSSO solution for one of our customers to integrate all EBS environments with a central Single Sign-On. On top of a vanilla implementation, the customer wanted login-less access to their EBS applications. We provided them a solution that uses the Windows Native Authentication (WNA) feature for login-less access to all their EBS applications. The customer was delighted to have the WNA feature working for their environments. The customer was able to access their Oracle environments without an application login, which saved a lot of operation time. The successful completion of this project has encouraged me to share basic details about SSO.
What are Single Sign-On (SSO) and Oracle SSO?
Single Sign-On is a methodology that enables a user to log in to many different applications by logging in to a system once. With Single Sign-On (SSO), users are authenticated only once, regardless of how many servers or services they attempt to access after the initial logon.
In simple words, the network (any 3rd-party tool such as OpenLDAP, Active Directory, or Novell’s eDirectory) keeps track of user login credentials and uses them again and again whenever a user attempts to access any application. Say, for example, a user logs on to his workstation Monday morning and has pending Purchase Orders (POs) to approve. For this he needs to log in to Oracle Financial Applications. Without SSO, he uses his network credentials to log in to his workstation and then has to use his financial application credentials to log in to the application and approve the POs.
But in the Oracle SSO environment, the financial application determines the authentication based on the information provided by the network server (LDAP), so the user does not need to log in again to the financial application.
Oracle E-Business Suite comes with native user authentication (FND_USERS) and management (FND_LOGINS) capabilities. If one needs more-advanced features, it's also possible to integrate it with Oracle Internet Directory and Oracle Single Sign-On or Oracle Access Manager, which allows you to link the E-Business Suite with third-party tools like Microsoft Active Directory, Windows Kerberos, and CA Netegrity SiteMinder.
Oracle Single Sign-On supports single sign-on for web applications, allowing web users who access Oracle systems to sign in once and be authenticated to multiple web applications, including Oracle and non-Oracle applications. These applications are called partner and external applications.
Partner applications can be multiple eBusiness Suite environments (Production and non-Production), Discoverer, Portal, Collaboration Suite or other Oracle-related applications that delegate the login function to Oracle Application Server SSO.
External applications can be any social networking site or messengers like Yahoo, Live or Gmail; they do not delegate the login function to Oracle Application Server SSO.
What are the benefits?
The benefits of OSSO apply to many areas:
- User experience: The most obvious benefit is that users can move between applications securely and without interruption, without logging in each time. SSO effectively joins these individual services into portals/portlets and removes the service boundaries - switching from one application to the next appears seamless to the user.
- Security: Users' credentials are provided directly to the central SSO server, not the actual service that the user is trying to access, and therefore the credentials cannot be cached by the service. The central authentication point – the SSO service – limits the possibility of phishing.
- Resource savings: IT administrators can save time and resources by utilizing the central web access management service. Application and web developers receive a complete authentication and authorization framework that they can use to build secure, user-customized services.
- Windows Native Authentication: Windows Native Authentication is an authentication methodology for those who use IE on Windows 2000. When this functionality is set up in Oracle Application Server SSO, users log in to the Single Sign-On application automatically using Kerberos credentials obtained from the Kerberos realm when the user logs in to a Windows 2000 desktop/laptop. In simple words, if the user has logged in to his computer using his network credentials, he will not be asked to log in again to the financial applications. His network credentials will be used to log in to the financial application automatically.
How does authentication work?
Single Sign-On (SSO) is part of the Oracle Application Server identity management technology that is stored within the Oracle Application Server database repository. It works on the concept of web browser cookies, which are authenticated by the Oracle AS server and reciprocated to partner or external applications on the end user's web browser. When a user first logs in to an EBS environment or any partner application, the application redirects the user to the Oracle Application Server Single Sign-On. The AS server checks for a login cookie, and if it finds one, it identifies the user from the (encrypted) information present in the login cookie. If a login cookie is not present, the user needs to supply his login credentials. The AS server then authenticates the user with those credentials using its authentication routines. If the authentication is successful, the AS server establishes a login cookie on the client browser to facilitate SSO for future authentications.
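The login-cookie flow described above, as an added example that is not part of the original post and is not Oracle's code: it uses an HMAC-signed cookie as a stand-in for OSSO's encrypted cookie, whose format the post does not describe. The key, the directory contents, the cookie name `sso_login` and the lifetime are assumptions.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"       # constructed; a real server keeps this secret
DIRECTORY = {"jsmith": "correct horse"}    # constructed stand-in for the LDAP directory
COOKIE_TTL = 8 * 3600                      # assumed cookie lifetime in seconds


def issue_login_cookie(user, now=None):
    """Build the login cookie the SSO server sets after a successful login."""
    now = time.time() if now is None else now
    body = base64.urlsafe_b64encode(
        json.dumps({"user": user, "exp": int(now) + COOKIE_TTL}).encode())
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def read_login_cookie(cookie, now=None):
    """Return the user named by a valid cookie, or None if forged or expired."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; verify the tag before trusting the body.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:                     # wrong shape, bad base64 or bad JSON
        return None
    return claims["user"] if claims["exp"] > now else None


def sso_login(cookies, credentials=None, now=None):
    """SSO server step after a partner application redirects the browser to it.

    Returns (user, set_cookie): user is None while a login prompt is still
    needed; set_cookie is the new login cookie when one was just established.
    """
    user = read_login_cookie(cookies.get("sso_login", ""), now)
    if user:                               # valid login cookie: no prompt
        return user, None
    if credentials is None:                # no usable cookie: ask for credentials
        return None, None
    name, password = credentials
    stored = DIRECTORY.get(name)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None, None                  # failed authentication sets no cookie
    return name, issue_login_cookie(name, now)
```

Every partner application depends on the server rejecting altered or expired cookies, which is why the integrity check runs before the cookie body is parsed.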
I hope this makes for interesting reading on an important topic that has helped a number of our customers.