How to Implement Single Sign-On (SSO) For Oracle Forms 9i / 10g?

How to Implement Single Sign-On (SSO) For Oracle Forms 9i / 10g ?

This chapter describes how to Implement Single Sign-On (SSO) For Oracle Forms 9i / 10g versions 10.1.2.3.0 to 10.1.2.3.0 [Release 10.1.2.3]. Single Sign-On (SSO) technology provides single sign-on for Web users. It is designed to work in an Oracle 9iAS / Oracle Application Server 10g environment such that end users can access multiple Web-based applications via a single username and password.

Titleimage

Posted by RENAPS DBA Team on 2024:07:22 19:38:36

Oracle Forms: How to implement Single Sign-On (SSO) for Oracle Forms 9i / 10g.

The following instructions applies to these products:

  • Oracle Forms - Version 10.1.2.3.0 to 10.1.2.3.0 [Release 10.1.2.3]
  • Oracle Fusion Middleware - Version 9.0.4.0.0 to 10.1.4.3.0 [Release AS10g to AS10gR3]
  • Oracle Application Server Single Sign-On - Version 9.0.4 to 10.1.4.3 [Release 10gR1 to 10gR3]
  • Oracle Internet Directory - Version 9.0.4 to 10.1.4.3 [Release 10gR1 to 10gR3]
  • Information in this document applies to any platform.

Purpose & Scope

Purpose

To provide instructions on how to implement Single Sign-On (SSO) for Oracle Forms 9i / 10g.<

Note: If you are using Forms 11g, refer to the advice given in Note 852352.1 - SSO 10g Integration with Portal, Forms, Reports, Discoverer in Oracle Fusion Middleware 11g Release 1

Scope

This document is applicable for Consultants, Support engineers, System / Application Administrators, System Architects.

Oracle Forms Single Sign-On Overview

Single Sign-On (SSO) technology provides single sign-on for Web users. It is designed to work in an Oracle 9iAS / Oracle Application Server 10g environment such that end users can access multiple Web-based applications via a single username and password. Without SSO, each user requires a separate identity and password for each application they access. Having multiple accounts and passwords for each user is arguably less secure and more expensive/ difficult to maintain.

Oracle Single Sign-On is composed of the following components:

Oracle Single Sign-On Server.


This is the core of Oracle SSO technology. It is integrated with Oracle HTTP Server through mod_osso. In addition, it allows management of user information in Oracle Internet Directory. Two different types of applications can use Oracle Single Sign-On:

  • Partner Applications are those that are designed or modified to delegate authentication to the Single Sign-On server. Because partner applications take advantage of the authentication services of Oracle Single Sign-On, they do not need to implement their own authentication modules.
  • External Applications are those which retain their own user names and passwords, and do not delegate responsibility for authenticating users to Oracle Single Sign-On. These applications have not been developed or modified to work within the SSO framework. A typical external application might be one developed or deployed by a third party, such as a portal Web site which requires user name and password for access to custom services like e-mail.

mod_osso

The mod_osso component is a module that plugs into Oracle HTTP Server. It enables the HTTP listener as a partner application that can use the Single Sign-On server to authenticate users. Once mod_osso is installed and configured, Web applications can register URLs that require SSO authentication with the module. Then when URL requests are received by the HTTP server, mod_osso detects which requests require SSO authentication and redirects them to the Single Sign-On server. After the Single Sign-On server authenticates the user, it passes the user's authenticated identity back to mod_osso in a secure token, or cookie. The module retrieves the user's identity from the cookie and propagates the user's identity information to applications running in the HTTP server instance. The module can propagate the user's identity information to applications running in the CGI, those running in Oracle9iAS Containers for J2EE, and it can also authenticate users for access to static files.

Oracle Forms Services applications can be run in a single sign-on (SSO) environment using Oracle Login Server (Single Sign-On Server) and Oracle Internet Directory (OID) to store user name and password information. For Single Sign-On implementation Oracle Forms is considered as an 'External Application'.

How To Implement Single Sign-On (SSO) For Oracle Forms 9i / 10g?

Oracle Forms Single Sign-On - Oracle Internet Directory Configuration

Create a Single Sign-On user, for example, using the Oracle Internet Directory - Delegated Administration Service (DAS)

  1. The DAS can be accessed via browser by specifying the URL http://hostname.domain:portno/oiddas e.g. http://mymachine.oracle.com:port/oiddas
  2. Click on the "Directory" tab
  3. Log in as an Oracle Internet Directory administrator. An administrator account is required to create a new SSO user e.g. orcladmin
  4. Click on the Create button
  5. Type in the new SSO username in the "User Name" field. This value must be unique for each person added to the system. For this example, create a SSO user called 'FORMS_SSO_USER1' with the password 'FORMS_SSO_USER1'
  6. Type in a password and values for the other required fields
  7. Click on the Submit button.
  8. A message should appear saying:
  9. "Successfully created the user FORMS_SSO_USER1."

Edit this new Single Sign-On user account to store the information for the target database connection.

  1. Click on Users
  2. Search for the new SSO user by typing in the new SSO username e.g. FORMS_SSO_USER1 in the Search field. Click the GO button to perform the search.
  3. To update the SSO user account, select it first by checking the radio button under the Select column. Then click the Edit button.
  4. In the Edit User screen click on the link "Public Group Assignments (This is not valid for Version 10.1.x)"
  5. Each Forms application requires database connection information to be stored in OID (Oracle Internet Directory) to run in SSO mode. The database connect information is listed as "Resource Access Information" (Resource Access Descriptor (RAD)) in the OID. Click on the Create Button under the "Resource Access Information" section
  6. Specify a Resource Name. The "Resource Name" field value should be the same name as is to be used for the "config" query parameter in the Forms Services application URL. In this example, the "Resource Name" will be FORMS_SSO_DB and the "Resource Type" will be OracleDB. Click on the Next button
  7. Specify the database connection information. For an Oracle RDBMS connection, database alias information needs to exist in the Oracle 9iAS / OracleAS 10g middle tier tnsnames.ora. This is the same as would be configured for any SQL*Net connection.
  8. Click on the Submit button. A message should appear: "The Resource is created in cache.". Click OK
  9. Back in the User Edit Screen - click on the Submit Button. A message should appear: "Successfully modified the user".

**Important Note**
Failure to click on the Submit button will mean that the newly created Resource Access Information (Resource Access Descriptor (RAD)) created in cache will be lost and therefore not associated with this Single Sign-On user

Oracle Forms Single Sign-On - mod_osso Configuration (Forms 9i Only)

Protect the Forms Servlet URL with mod_osso authentication.
Note: These steps are only required when configuring SSO for Oracle 9iAS Rel 2 Forms Services.

It is the Forms URL which will be protected. A mod_osso authentication entry is already present in the forms90.conf file, but it is commented out. Uncomment it e.g.

# Forms mod_osso authentication directive 


require valid-user
authType Basic


Alternatively add the following section to the $ORACLE_HOME\Apache\Apache\conf\mod_osso.conf file. The lines must be added between the and tags. e.g.

# Forms mod_osso authentication directive 
..

require valid-user
authType Basic

..

Stop and restart the middle tier Oracle HTTP Server for the changes to take effect.

Oracle Forms Single Sign-On - Forms Configuration

Create a SSO Config Section in the Formsweb.cfg

  1. Edit the $ORACLE_HOME\forms90\server\formsweb.cfg file
  2. Scroll down to the bottom and add a new config section e.g.
    For Forms 9i:
    # Forms mod_osso authentication directive 
    
    
    require valid-user
    authType Basic
    
    
    

    For Forms 10g:
    # Forms mod_osso authentication directive 
    
    
    require valid-user
    authType Basic
    
    
    

    (If the ssoDynamicResourceCreate applet parameter is true, the SSO user will have the option of specifying Resource Access Information (Resource Access Descriptor (RAD)) if the SSO user does not already have in this example FORMS_SSO_DB associated with the account. The ssoCancelURL entry here will point to a custom built HTML document which tells what the user what they must do having clicked on the cancel button in the OID/DAS Create Resource Access Information (Resource Access Descriptor (RAD)) screen)

    **Important Note** The config section name must be the same as the "Resource Name" created under the "Resource Access Information" in the Oracle Internet Directory.
  3. Save the changed file.

Oracle Forms Single Sign-On - Testing the Configuration

Run the form using the URL http://machinename.domain:portno/forms90/f90servlet?config=FORMS_SSO_DB e.g. http://mymachine.oracle.com:port/forms90/f90servlet?config=FORMS_SSO_DB

In the Oracle Single Sign-On dialogue page enter FORMS_SSO_USER1 as the username and password. (This is the same username and password as created in OID)

Forms Applet should be invoked. No database authentication dialogue will appear. This is because the database connection information has already been stored and associated with the SSO user in the OID.

Exit the Forms Application and all browser sessions.

Now test that the SSO user truely only needs to log in once when using Oracle web based applications from the same browser session.

Invoke a new browser, and log in to Oracle Portal e.g. http://machinename.domain:portno/pls/portal e.g. http://mymachine.oracle.com:port/pls/portal

Login using the same SSO username and password: FORMS_SSO_USER1

After logging in to Portal in the same browser session type in the URL to invoke the Forms application e.g. http://machinename.domain:portno/forms90/f90servlet?config=FORMS_SSO_DB e.g. http://mymachine.oracle.com:port/forms90/f90servlet?config=FORMS_SSO_DB

The Forms applet should appear without asking for any SSO or database username and password.

Oracle Forms 9i Single Sign-On Limitations & Forms 10g SSO New Features

No Forms Applet parameter ssoMode available for Forms 9i.

Instead, the f90servlet alias must be protected in the mod_osso configuration. The alias 'forms90/f90servlet' is the alias provided by the default install/ configuration. By protecting this alias all attempts to invoke forms via 'forms90/f90servlet' will be subject to a Single Sign-On login dialogue box. Therefore it may be preferable to create other alias names for the Forms Listener Servlet so that SSO can be used for some applications, but not others.

Reference:
Note 220629.1 How To Enable SSO For Some Forms 9i Applications, And Not Others?

In Oracle Application Server 10g Forms Services, creating extra aliases for the Forms Listener Servlet is not required. Instead SSO can be enabled or disabled by setting the Forms Applet parameter ssoMode to true or false.

Reference:
Note 263145.1 How to Enable SSO For Some Forms 10g Applications, And Not Others?

Programmatic retrieval of SSO user information using GET_APPLICATION_PROPERTY

In Forms 9i it is only possible to obtain the Single Sign-On username via :

GET_APPLICATION_PROPERTY(sso_userid);

This returns a string containing the Single Sign On user ID if the user has been authenticated via the Login Server. A NULL value is returned if SSO was not used.

In Forms 10g, the GET_APPLICATION_PROPERTY built-in has been enhanced so it is possible to also obtain the user distinguished name (dn) and the subscriber distinguished name (subscriber dn) e.g.

GET_APPLICATION_PROPERTY(sso_usrdn);
GET_APPLICATION_PROPERTY(sso_subdn);

Dynamic creation of Resource Access Information

n Forms 9i, SSO integration will fail if no Resource Access Information (Resource Access Descriptor (RAD)) exists for the single sign-on user who is attempting to run the forms application.

In Forms 10g, the SSO functionality has been enhanced so this situation can be better handled in one of the following three ways:

  • Forms applet parameter ssoDynamicResourceCreate is set to true (the default value). This allows the SSO user to create the missing Resource Access Information 'on the fly.' The SSO user will be presented with the Resource Access Information / Resource Access Descriptor (RAD) dialogue page in which they can enter the resource access details.
  • Forms applet parameter ssoDynamicResourceCreate is set to false. The SSO user cannot create the missing Resource Access Information / Resource Access Descriptor (RAD) and will be presented with an error message that the Resource Access Information / RAD does not exist, and it will not be possible to run the forms application.
  • Forms applet parameter ssoDynamicResourceCreate is set to false. The SSO user can be redirected to a custom URL / web page when there is no Resource Access Information defined. This can be done by setting the Forms applet parameter ssoErrorUrl to the desired URL.

Reference:

Note 248105.1 How to Dynamically Create Single Sign-On (SSO) Resource Access Descriptor (RAD) Using Forms 10g?

Oracle Application Server 10g Forms Single Sign-On technical brief

Handling of database password expiry

In Forms 6i / 9i, the details of a password expiry / change are not propagated to the Resource Access Information / Resource Access Descriptor (RAD) held in the Oracle Internet Directory. Consequently password expiry causes Single Sign-On integration to stop working, until the password in the RAD is also changed. The RAD details can be changed manually via the OID Delegated Administration Service (DAS) or programmatically via the OID API.

In Forms 10g, password expiry is automatically handled. If the database password has expired, and the Oracle Forms application running in SSO mode is used to renew it, then the new password entered by the user is used to update the Resource Access Descriptor (RAD) in OID for this application. This ensures that Single Sign-On continues working even when a database password has changed. No configuration is required to enable this functionality, it exists by default.

Ready for an Oracle Forms Upgrade from 9i or 10g to latest version: Automate your Oracle Forms Upgrade process with ORMIT™-Forms

Upgrading Oracle Forms from older, obsolete, or deprecated versions is essential for maintaining optimal performance, security, and compatibility. Newer Oracle Forms versions offer enhanced functionality, improved user interfaces, and better integration with modern technologies, ensuring seamless operation in today’s dynamic IT environments. Security updates and patches in the latest versions protect against vulnerabilities that could compromise sensitive data. Additionally, newer versions support the latest operating systems and browsers, enhancing user accessibility and experience. Upgrading also brings compliance with current standards, reducing the risk of legal and operational issues. Furthermore, Oracle’s support for outdated versions is limited or nonexistent, making troubleshooting and maintenance increasingly difficult. By upgrading, organizations can leverage Oracle's latest innovations, streamline processes, and ensure robust, scalable, and secure application development and deployment. Investing in an upgrade is a strategic move to future-proof applications and maximize return on investment.

ORMIT™-Forms automates every Oracle Forms Upgrade from all earlier versions to the latest versions. ORMIT™-Forms guarantees the overall success of your Oracle Forms Upgrade with an emphasis on efficiency, cost and time savings, eliminating any potential risk. The automated process is extremely fast and secure. It automates a large quantity of actions while eliminating the guess work associated with manual upgrades. ORMIT™-Forms also minimizes downtime and identifies manual tasks that require DBA action.

Migrating to Java from Oracle Forms 9i or 10g: an easy way to save a lot by skipping the numerous upgrades to last version with ORMIT-OpenJava

Migrating from old, obsolete, or deprecated Oracle Forms versions to Java-based forms with tools like ORMIT-OpenJava offers significant advantages over merely upgrading to the latest Oracle Forms version. Java-based forms provide a modern, flexible, and scalable solution that integrates seamlessly with contemporary IT environments. Migration ensures better performance, enhanced user experiences, and improved compatibility with current technologies and standards. Tools like ORMIT-OpenJava streamline the migration process, reducing downtime and minimizing risks. Furthermore, Java-based applications benefit from a robust ecosystem and active community support, ensuring long-term sustainability and innovation. Migrating to Java also eliminates dependency on proprietary technologies, offering greater freedom and future-proofing applications against technological obsolescence. This strategic move not only enhances operational efficiency but also maximizes return on investment by leveraging open-source advantages and reducing ongoing maintenance costs.

ORMIT™-OpenJava automates your Oracle Forms Migration to a modern Java/React/Angular technology stack. ORMIT™-OpenJava guarantees the overall success of your Oracle Forms Migration with an emphasis on efficiency, cost and time savings, eliminating any potential risk. The automated process is extremely fast and secure. It automates a large quantity of actions while eliminating the guess work associated with manual migrations.

Return to Blog