Today's enterprise-wide systems are becoming increasingly sophisticated with a variety of operating systems and software development platforms. This presents the constant challenge of integration, which requires creative ways of configuring products from multiple vendors to work in tandem. This article presents another useful tip in this quest for integration.
The Oracle 10g Application Server (10gAS) family of products provides a wide range of components for enterprise portals, content management, and application security. One useful component for Web applications is the Oracle Single Sign-On (SSO) authentication module, which is functionally similar to Netegrity SiteMinder from Computer Associates.
Oracle SSO
Oracle SSO is implemented using the:
- mod_osso Apache module
- SSO J2EE components
- SSO database repository
- SSO PL/SQL components
SSO uses Oracle Internet Directory (OID), which is an Oracle database-based, LDAP-compliant directory server. The topic of integrating OID with Microsoft Active Directory in Oracle 9iAS was discussed in a previous article; as an extension, this integration has been tested and is also valid in 10gAS.
For companies using Oracle 10gAS as well as .NET, this article presents a simple yet effective method for using Oracle SSO running on Linux, Windows, Solaris or any other supported platform for .NET applications running on Microsoft Internet Information Server (IIS).
The method
The diagram in Figure A illustrates the method. Web requests for .NET applications are channeled through Oracle 10gAS, where Apache is configured to proxy requests to the .NET application and SSO is configured to protect the application's URLs.
Figure A: Method diagram
In this setup, mod_osso will make sure a valid user is logged in before the mod_proxy module proxies to the .NET applications. If nobody is logged in when accessing the protected page, SSO will redirect the browser to a login page, authenticate the user, and then redirect back to the page initially requested. This setup will guarantee that somebody is logged in using SSO before the user is allowed to reach the .NET application. This method means application users need to be set up in OID beforehand because SSO uses OID to validate user credentials.
Proxy setup
The first step is to set up the mod_proxy of Apache in Oracle 10gAS to channel requests to .NET applications on IIS. Using the Oracle 10gAS Enterprise Manager (EM) console or by directly editing $ORACLE_HOME/Apache/Apache/conf/httpd.conf, add the following entries:
ProxyPass /dotnetapp/ http://iishost:port/dotnetapp/
ProxyPass /dotnetapp http://iishost:port/dotnetapp/
ProxyPassReverse /dotnetapp/ http://iishost:port/dotnetapp/
ProxyPassReverse /dotnetapp http://iishost:port/dotnetapp/
In the above example, as well as in the rest of the article, replace dotnetapp, iishost:port, and 10gashost:port with the values that apply to your situation.
SSO setup
The second step is to set up Oracle SSO to protect the application's URL. Using the EM console or by directly editing $ORACLE_HOME/Apache/Apache/conf/mod_osso.conf, add the following lines just before the </IfModule>:
<Location /dotnetapp>
require valid-user
AuthType Basic
</Location>
<Location /dotnetapp*>
require valid-user
AuthType Basic
</Location>
Please note that if you directly edit httpd.conf or mod_osso.conf without using the EM console, you must apply the changes to the DCM repository using:
$ORACLE_HOME/bin/emctl stop iasconsole
$ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs -v -d
$ORACLE_HOME/bin/emctl start iasconsole
It is important to restart Apache after the configuration. The easiest way, again, is to use the EM console. Alternatively, use:
$ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=HTTP_Server
.NET application
The .NET application will be accessible through 10gAS using the following URL:
http://10gashost:port/dotnetapp/
In the application, use HTTP header Osso-User-Dn to identify the current application user, e.g.:
Dim UserDn = Request.Headers.Item("Osso-User-Dn")
The User DN format used in SSO/OID should be:
cn=userid,cn=users,dc=yourdomain,dc=com
If the application detects that the Osso-User-Dn header is not set, then the browser is attempting to access the application directly and not through 10gAS. In such a situation, as a good usability practice, we suggest that the application redirect the browser to the correct URL, which will take care of the SSO authentication for the .NET application.
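One way to apply this check as an ASP.NET HTTP module that accepts Osso-User-Dn only on requests relayed by 10gAS (an added example, not code from the original article). The class name, the proxy address 192.0.2.10 and the DN pattern are assumptions; the URL keeps the article's placeholders.

```csharp
using System;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web;

// Added example: honours Osso-User-Dn only when mod_proxy on 10gAS delivered the request.
public class OssoHeaderModule : IHttpModule
{
    // Assumptions: address of the 10gAS host as seen by IIS, and its public URL (placeholders).
    private const string TrustedProxyAddress = "192.0.2.10";
    private const string SsoEntryUrl = "http://10gashost:port/dotnetapp/";

    // DN format from the article: cn=userid,cn=users,dc=yourdomain,dc=com
    private static readonly Regex DnPattern = new Regex(
        @"\Acn=[A-Za-z0-9._@-]{1,64},cn=users(,dc=[A-Za-z0-9-]{1,63})+\z",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string dn = (ctx.Request.Headers["Osso-User-Dn"] ?? "").Trim();

        // Request did not arrive through 10gAS: ignore any header it carries
        // and send the browser to the SSO-protected URL.
        if (ctx.Request.UserHostAddress != TrustedProxyAddress)
        {
            ctx.Response.Redirect(SsoEntryUrl, false);
            app.CompleteRequest();
            return;
        }
        // Arrived through the proxy but without a well-formed DN: refuse rather
        // than redirect, which would loop back through the same proxy.
        if (!DnPattern.IsMatch(dn))
        {
            ctx.Response.StatusCode = 403;
            app.CompleteRequest();
            return;
        }
        // Expose the DN to the rest of ASP.NET as User.Identity.Name.
        ctx.User = new GenericPrincipal(new GenericIdentity(dn, "OracleSSO"), new string[0]);
    }
}
```

Register the module in the httpModules section of web.config. Restricting IIS at the network level so that only the 10gAS host can connect complements the address check.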
To let users log out of SSO directly from the .NET application, use the following link:
http://10gashost:port/osso_logout?p_done_url=http://10gashost:port/
The p_done_url specifies the URL to redirect to after the logout.
Users will access the .NET application using:
http://10gashost:port/dotnetapp/

1
jack - 09/05/05
Has anyone done this configuration before?
We are doing a similar thing. We are using
BEA WebLogic not .NET. I am hoping it would work
the same way. It would be interesting to use the
BEA apache plugin to do reverse proxy instead
of the mod_proxy. There could be some conflict.
2
German - 18/11/06
We needed information to install SSO. Thanks!
3
adil - 15/01/07
I want sample code for this case
4
Sly Gryphon - 21/02/07
To pass the user through to the .NET application, rather than manually checking the user via the request header, it is probably better to put the check into an authentication http module which sets the authenticated user (just using GenericPrincipal/GenericIdentity).
The module should tie into the AuthenticateRequest event and use the header to create an IIdentity/IPrincipal,
e.g. IIdentity id = new GenericIdentity( context.Request.Headers["Osso-User-Dn"] );
If you disassemble (use Reflector) the FormsAuthenticationModule you can get a good code template with things like short cutting the detection, allowing event overrides, etc.
The benefit of doing it this way is that you can tie in with the rest of .NET.
Within pages, you then just use:
string userDN = User.Identity.Name;
One benefit is that this allows you to easily configure a different module during development/testing (e.g. Windows auth module during dev), and you can write all of your in-page code to be independent of the auth method. (The same code above works just as well for Windows auth).
Implementing the check for logged in user and redirect (as suggested), is then also easily done via simple configuration of the HttpAuthorization module (without any additional code).
There are many benefits to seamlessly integrating the Oracle SSO with the .NET authentication system via an HTTP module.
5
Fernando - 23/03/07
I need to put a reverse proxy in front of this scenario. Can I do this?
Regards.
6
Alex - 27/11/07
Fernando,
Yes you can do this, see the link on the proxy plugin from oracle here:
http://download.oracle.com/docs/cd/B14099_19/web.1012/b14007/proxy.htm#sthref1637
cheers.
7
srikanth - 11/08/08
What is the use of Oracle 10g in the projects?