How To Implement Single Sign-On (SSO) For Oracle Forms 9i / 10g?

Oracle Forms Single Sign-On - Oracle Internet Directory Configuration

Create a Single Sign-On user, for example, using the Oracle Internet Directory - Delegated Administration Service (DAS)

1. The DAS can be accessed via browser by specifying the URL http://hostname.domain:portno/oiddas e.g. http://mymachine.oracle.com:port/oiddas
2. Click on the "Directory" tab
3. Log in as an Oracle Internet Directory administrator. An administrator account is required to create a new SSO user e.g. orcladmin
4. Click on the Create button
5. Type in the new SSO username in the "User Name" field. This value must be unique for each person added to the system. For this example, create a SSO user called 'FORMS_SSO_USER1' with the password 'FORMS_SSO_USER1'
6. Type in a password and values for the other required fields
7. Click on the Submit button.
8. A message should appear saying:
9. "Successfully created the user FORMS_SSO_USER1."

Edit this new Single Sign-On user account to store the information for the target database connection.

1. Click on Users
2. Search for the new SSO user by typing in the new SSO username e.g. FORMS_SSO_USER1 in the Search field. Click the GO button to perform the search.
3. To update the SSO user account, select it first by checking the radio button under the Select column. Then click the Edit button.
4. In the Edit User screen click on the link "Public Group Assignments (This is not valid for Version 10.1.x)"
5. Each Forms application requires database connection information to be stored in OID (Oracle Internet Directory) to run in SSO mode. The database connect information is listed as "Resource Access Information" (Resource Access Descriptor (RAD)) in the OID. Click on the Create Button under the "Resource Access Information" section
6. Specify a Resource Name. The "Resource Name" field value should be the same name as is to be used for the "config" query parameter in the Forms Services application URL. In this example, the "Resource Name" will be FORMS_SSO_DB and the "Resource Type" will be OracleDB. Click on the Next button
7. Specify the database connection information. For an Oracle RDBMS connection, database alias information needs to exist in the Oracle 9iAS / OracleAS 10g middle tier tnsnames.ora. This is the same as would be configured for any SQL*Net connection.
8. Click on the Submit button. A message should appear: "The Resource is created in cache.". Click OK
9. Back in the User Edit Screen - click on the Submit Button. A message should appear: "Successfully modified the user".

**Important Note**
Failure to click on the Submit button will mean that the newly created Resource Access Information (Resource Access Descriptor (RAD)) created in cache will be lost and therefore not associated with this Single Sign-On user

Oracle Forms Single Sign-On - mod_osso Configuration (Forms 9i Only)

Protect the Forms Servlet URL with mod_osso authentication.
Note: These steps are only required when configuring SSO for Oracle 9iAS Rel 2 Forms Services.

It is the Forms URL which will be protected. A mod_osso authentication entry is already present in the forms90.conf file, but it is commented out. Uncomment it e.g.

# Forms mod_osso authentication directive 


require valid-user
authType Basic

Alternatively add the following section to the $ORACLE_HOME\Apache\Apache\conf\mod_osso.conf file. The lines must be added between the and tags. e.g.

# Forms mod_osso authentication directive 
..

require valid-user
authType Basic

..

Stop and restart the middle tier Oracle HTTP Server for the changes to take effect.

Oracle Forms Single Sign-On - Forms Configuration

Create a SSO Config Section in the Formsweb.cfg

1. Edit the $ORACLE_HOME\forms90\server\formsweb.cfg file
2. Scroll down to the bottom and add a new config section e.g.
   For Forms 9i:

   # Forms mod_osso authentication directive 
   
   
   require valid-user
   authType Basic
   
   
   

   
   For Forms 10g:

   # Forms mod_osso authentication directive 
   
   
   require valid-user
   authType Basic
   
   
   

   
   (If the ssoDynamicResourceCreate applet parameter is true, the SSO user will have the option of specifying Resource Access Information (Resource Access Descriptor (RAD)) if the SSO user does not already have in this example FORMS_SSO_DB associated with the account. The ssoCancelURL entry here will point to a custom built HTML document which tells what the user what they must do having clicked on the cancel button in the OID/DAS Create Resource Access Information (Resource Access Descriptor (RAD)) screen)
   
   **Important Note** The config section name must be the same as the "Resource Name" created under the "Resource Access Information" in the Oracle Internet Directory.
3. Save the changed file.

Oracle Forms Single Sign-On - Testing the Configuration

Run the form using the URL http://machinename.domain:portno/forms90/f90servlet?config=FORMS_SSO_DB e.g. http://mymachine.oracle.com:port/forms90/f90servlet?config=FORMS_SSO_DB

In the Oracle Single Sign-On dialogue page enter FORMS_SSO_USER1 as the username and password. (This is the same username and password as created in OID)

Forms Applet should be invoked. No database authentication dialogue will appear. This is because the database connection information has already been stored and associated with the SSO user in the OID.

Exit the Forms Application and all browser sessions.

Now test that the SSO user truely only needs to log in once when using Oracle web based applications from the same browser session.

Invoke a new browser, and log in to Oracle Portal e.g. http://machinename.domain:portno/pls/portal e.g. http://mymachine.oracle.com:port/pls/portal

Login using the same SSO username and password: FORMS_SSO_USER1

After logging in to Portal in the same browser session type in the URL to invoke the Forms application e.g. http://machinename.domain:portno/forms90/f90servlet?config=FORMS_SSO_DB e.g. http://mymachine.oracle.com:port/forms90/f90servlet?config=FORMS_SSO_DB

The Forms applet should appear without asking for any SSO or database username and password.

Oracle Forms 9i Single Sign-On Limitations & Forms 10g SSO New Features

No Forms Applet parameter ssoMode available for Forms 9i.

Instead, the f90servlet alias must be protected in the mod_osso configuration. The alias 'forms90/f90servlet' is the alias provided by the default install/ configuration. By protecting this alias all attempts to invoke forms via 'forms90/f90servlet' will be subject to a Single Sign-On login dialogue box. Therefore it may be preferable to create other alias names for the Forms Listener Servlet so that SSO can be used for some applications, but not others.

Reference:
Note 220629.1 How To Enable SSO For Some Forms 9i Applications, And Not Others?

In Oracle Application Server 10g Forms Services, creating extra aliases for the Forms Listener Servlet is not required. Instead SSO can be enabled or disabled by setting the Forms Applet parameter ssoMode to true or false.

Reference:
Note 263145.1 How to Enable SSO For Some Forms 10g Applications, And Not Others?

Programmatic retrieval of SSO user information using GET_APPLICATION_PROPERTY

In Forms 9i it is only possible to obtain the Single Sign-On username via :

GET_APPLICATION_PROPERTY(sso_userid);

This returns a string containing the Single Sign On user ID if the user has been authenticated via the Login Server. A NULL value is returned if SSO was not used.

In Forms 10g, the GET_APPLICATION_PROPERTY built-in has been enhanced so it is possible to also obtain the user distinguished name (dn) and the subscriber distinguished name (subscriber dn) e.g.

GET_APPLICATION_PROPERTY(sso_usrdn);
GET_APPLICATION_PROPERTY(sso_subdn);

Dynamic creation of Resource Access Information

n Forms 9i, SSO integration will fail if no Resource Access Information (Resource Access Descriptor (RAD)) exists for the single sign-on user who is attempting to run the forms application.

In Forms 10g, the SSO functionality has been enhanced so this situation can be better handled in one of the following three ways:

• Forms applet parameter ssoDynamicResourceCreate is set to true (the default value). This allows the SSO user to create the missing Resource Access Information 'on the fly.' The SSO user will be presented with the Resource Access Information / Resource Access Descriptor (RAD) dialogue page in which they can enter the resource access details.
• Forms applet parameter ssoDynamicResourceCreate is set to false. The SSO user cannot create the missing Resource Access Information / Resource Access Descriptor (RAD) and will be presented with an error message that the Resource Access Information / RAD does not exist, and it will not be possible to run the forms application.
• Forms applet parameter ssoDynamicResourceCreate is set to false. The SSO user can be redirected to a custom URL / web page when there is no Resource Access Information defined. This can be done by setting the Forms applet parameter ssoErrorUrl to the desired URL.

Reference:

Note 248105.1 How to Dynamically Create Single Sign-On (SSO) Resource Access Descriptor (RAD) Using Forms 10g?

Oracle Application Server 10g Forms Single Sign-On technical brief

Handling of database password expiry

In Forms 6i / 9i, the details of a password expiry / change are not propagated to the Resource Access Information / Resource Access Descriptor (RAD) held in the Oracle Internet Directory. Consequently password expiry causes Single Sign-On integration to stop working, until the password in the RAD is also changed. The RAD details can be changed manually via the OID Delegated Administration Service (DAS) or programmatically via the OID API.

In Forms 10g, password expiry is automatically handled. If the database password has expired, and the Oracle Forms application running in SSO mode is used to renew it, then the new password entered by the user is used to update the Resource Access Descriptor (RAD) in OID for this application. This ensures that Single Sign-On continues working even when a database password has changed. No configuration is required to enable this functionality, it exists by default.