Enabling SSO for Partner Applications – Oracle Application Server 10g


Partner applications are those which are deployed in one of the OC4J instances of Oracle Application Server. Also External applications are those which are external to you oracle application server, example gmail client. Suppose that you have installed an Oracle Application Server and one of your product team hands over you an EAR file for deploying on a newly installed application server. You will quickly create an OC4J instance and deploy the EAR file. This application which you deployed in you application server becomes partner application.

We can register such partner application and make them SSO enabled. Below are the steps for doing so.

Enabling SSO for Partner Applications:

Follow the below steps for enabling SSO for partner applications.

1) Login to SSO administration application using orcladmin/<password>

SSO Administration URL: http://(hostname):(port)/pls/orasso

Example: http://ap101fam.us.oracle.com:7777/pls/orasso/

2) Click on “SSO Server Administration”

3) Click on “Administer Partner Applications”

4) Click on “Add Partner Application”

5) Enter the information in the fields present under “Partner Application Login”. You can leave the other fields as it is default.

If you see here, we are using logout URL as http://www.google.com. This is just to verify that logout is taking us to the desired URL that we enter here. If we put again our application URL then you wont know the difference. However many applications has there own logout URLs, you can put the same here.

Click on Apply.

It will generate following information.

ID:     9EE32214
Token:     5E4DL0R69EE32214
Encryption Key:     73A5A67FE93E03D8
Login URL:     http://ap101fam.us.oracle.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
Single Sign-Off URL:     http://ap101fam.us.oracle.com:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout

Click on OK

You can see that your application got added in list of registered applications in SSO.

oho Wait wait !! we are not done yet.

Once you do this and try to access the application, it won’t ask for SSO login. why?? how does your HTTP server know that this application is been registered in SSO? For this you need tell HTTP server that this applicaiton is now registered in SSO and if a user tries to access this applicaiton he should be diverted to SSO login page. This is done by mod_osso.conf. We put the entry of our application in mod_osso.conf and bounce HTTP_Server component. But be careful to make changes in mod_osso.conf file of tier where your original application (which you registered in SSO) belongs. My application was deployed in one of the OC4J instance of mid tier. So will make changes in mid tier mod_osso.conf file and will bounce mid-tier Apache.

You need to make following changes in mod_osso.conf file

<Location /hrapp>
require valid-user
AuthType Basic

Here /hrapp is the application context root of applicaiton we deployed.

Bounce HTTP Server in mid tier

bash-2.05$ ./opmnctl stopproc ias-component=HTTP_Server
opmnctl: stopping opmn managed processes…
bash-2.05$ ./opmnctl startproc ias-component=HTTP_Server
opmnctl: starting opmn managed processes…

Now try accessing the application hrapp and this time it will ask for SSO login and password. So even though there was no login required for this application, by registering in SSO we made it SSO enabled.

Hope this helps !!

3 thoughts on “Enabling SSO for Partner Applications – Oracle Application Server 10g

  1. Very nice and bruief description. But how to register an external partbner application, which is running neither in an Oracle AS, nor on the same machine?
    How to tell this application (in our case a indico conference management system) to usr the login mechanism of my AS infrastructure?

    My best regards Michael

  2. hey, question for you. is there any way to make the OSSO config conditional on IP? i have something like this in place and working just fine, but now i need to make a server-to-server URL request to this server from a Java application behind the scenes. is there any way to configure the Location block to exempt a request from SSO if coming from 172.16.xx.xxx?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s