Blog | Dec 11, 2012

Do You Know SSO?

By: Naveen Chadha

 

Do you know how important SSO integration is as an IT solution?

As an eBusiness Suite (EBS) Remote Managed Services group, we have been part of many Oracle Single Sign On (OSSO) solutions, implementing different architectural setups for our customers. Recently we implemented an OSSO solution for one of our customers to integrate all EBS environments with a central Single Sign On. On top of a vanilla implementation, the customer wanted login-less access to their EBS applications. We provided a solution that uses the Windows Native Authentication (WNA) feature for login-less access to all their EBS applications. The customer was delighted to have the WNA feature working for their environments: they could access their Oracle environments without an application login, which saved a lot of operational time. The successful completion of this project has encouraged me to share some basic details about SSO.

What are Single Sign-On (SSO) and Oracle SSO?

Single Sign-On is a methodology that enables a user to log in to many different applications by logging in to a system once. With Single Sign-On (SSO), users are authenticated only once, regardless of how many servers or services they attempt to access after the initial logon.

A typical SSO environment

In simple words, the network (any third-party tool such as OpenLDAP, Active Directory, or Novell's eDirectory) keeps track of user login credentials and uses them again and again whenever a user attempts to access any application. Say, for example, a user logs on to his workstation Monday morning and has pending Purchase Orders to approve. For this he needs to log in to Oracle Financial Applications. He used his network credentials to log in to his workstation, and now he has to use his financial application credentials to log in to the application and approve the POs.

But in an Oracle SSO environment, the financial application determines the authentication based on the information provided by the network server (LDAP), so the user does not need to log in again to the financial application.

A typical Oracle SSO environment

 

 

Oracle E-Business Suite comes with native user authentication (FND_USERS) and management (FND_LOGINS) capabilities. If more advanced features are needed, it can also be integrated with Oracle Internet Directory and Oracle Single Sign-On or Oracle Access Manager, which allows you to link the E-Business Suite with third-party tools like Microsoft Active Directory, Windows Kerberos, and CA Netegrity SiteMinder.

Oracle Single Sign-On supports single sign-on for web applications, allowing web users who access Oracle systems to sign in once and be authenticated to multiple web applications, including Oracle and non-Oracle applications. These applications are called Partner and External applications.

Partner applications can be multiple eBusiness Suite environments (Production and non-Production), Discoverer, Portal, Collaboration Suite, or other Oracle-related applications that delegate the login function to Oracle Application Server SSO.

External applications can be any social networking site or messengers like Yahoo, Live or Gmail; they do not delegate the login function to Oracle Application Server SSO.

What are the benefits?

The benefits of OSSO apply to many areas:

 

 

How does authentication work?

Single Sign On (SSO) is part of the Oracle Application Server identity management technology, which is stored within the Oracle Application Server database repository. It works on the concept of web browser cookies, which are authenticated by the Oracle AS server and passed back to partner or external applications through the end user's web browser.

When a user first logs in to an EBS environment or any partner application, the application redirects the user to the Oracle Application Server Single Sign-On. The AS server checks for a login cookie, and if it finds one, it identifies the user from the (encrypted) information present in the login cookie. If a login cookie is not present, the user needs to supply his login credentials. The AS server then authenticates the user with those credentials using its authentication routines. If the authentication is successful, the AS server establishes a login cookie on the client browser to facilitate SSO for future authentications.
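The cookie check described above, sketched as an added example; it is not Oracle's implementation and not code from the original post. The key, sample directory, cookie lifetime and function names are constructed for illustration, and the cookie here is HMAC-signed rather than encrypted, to show the integrity and expiry checks a server needs before it trusts a login cookie.

```python
import hashlib, hmac, json, time
from base64 import urlsafe_b64decode, urlsafe_b64encode

SERVER_KEY = b"constructed-demo-key"   # assumption: secret held only by the SSO server
COOKIE_TTL = 8 * 3600                  # assumption: cookie lifetime in seconds

def _pw_hash(password):
    # Stand-in for the directory (LDAP) credential check; constructed salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000).hex()

USERS = {"jdoe": _pw_hash("s3cret")}   # constructed sample directory

def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, now):
    """Login cookie = base64(JSON payload) + '.' + HMAC tag over that payload."""
    body = json.dumps({"user": user, "exp": now + COOKIE_TTL}).encode()
    payload = urlsafe_b64encode(body).decode()
    return payload + "." + _tag(payload)

def read_cookie(cookie, now):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
        if not hmac.compare_digest(tag, _tag(payload)):
            return None                  # forged or modified cookie
        data = json.loads(urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None                      # malformed cookie
    return data["user"] if data["exp"] > now else None

def sso_login(cookie=None, credentials=None, now=None):
    """Handle a redirect from a partner application.

    Returns (user, cookie_to_set); user is None when a login prompt is needed.
    """
    now = time.time() if now is None else now
    user = read_cookie(cookie, now) if cookie else None
    if user:
        return user, None                # valid login cookie: no credential prompt
    if credentials:
        name, password = credentials
        stored = USERS.get(name)
        if stored and hmac.compare_digest(stored, _pw_hash(password)):
            return name, issue_cookie(name, now)   # establish cookie for later visits
    return None, None
```

A cookie that fails the tag comparison or has passed its expiry is treated exactly like a missing cookie, so the user falls back to the credential prompt.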

I hope this makes for interesting reading on an important topic that has helped a number of our customers.