How to use Oracle 10g Single-Sign-On with Microsoft .NET applications

By Sergo
Grigalashvili and Sanjeev Malik

Today’s enterprise-wide systems are becoming increasingly
sophisticated with a variety of operating systems and software development
platforms. This presents the constant challenge of integration, which requires
creative ways of configuring products from multiple vendors to work in tandem.
This article presents another useful tip in this quest for integration.

The Oracle
10g Application Server (10gAS) family of products provides a wide range of
components for enterprise portals, content management, and application
security. One useful component for Web applications is the Oracle Single
Sign-On (SSO) authentication module, which is functionally similar to Netegrity
SiteMinder from Computer Associates.

Oracle SSO

Oracle SSO is implemented using the:

mod_osso Apache module
SSO
J2EE components
SSO
database repository
SSO
PL/SQL components

SSO uses Oracle Internet Directory (OID), which is an Oracle
database based LDAP compliant directory server. The topic of integrating OID
with Microsoft Active Directory in Oracle 9iAS was discussed in a previous
article; as an extension, this integration has been tested and is also
valid in 10gAS.

For the companies using Oracle 10gAS as well as .NET, this
article presents a simple yet effective method for using Oracle SSO running on
Linux, Windows, Solaris or any other supported platform for .NET applications
running Microsoft Internet Information Server (IIS).

The method

The diagram in Figure
A illustrates the method. Web requests for .NET applications are channeled
through Oracle 10gAS where Apache is configured to proxy requests to the .NET
application and SSO is configured to protect the application’s URL’s.

Figure A

Method diagram

In this setup, mod_osso
will make sure a valid user is logged in before the mod_proxy module proxies to the .NET applications. If nobody is
logged in when accessing the protected page, SSO will redirect the browser to a
login page, authenticate the user, and then redirect back to the page initially
requested. This setup will guarantee that somebody is logged in using SSO
before the user is allowed to reach the .NET application. This method means
application users need to be set up in OID beforehand because SSO uses OID to
validate user credentials.

Proxy setup

The first step is to set up the mod_proxy of Apache in Oracle 10gAS to channel requests to .NET
applications on IIS. Using the Oracle 10gAS Enterprise Manager (EM) console or
by directly editing $ORACLE_HOME/Apache/Apache/conf/httpd.conf, add the following
entries:

ProxyPass /dotnetapp/ http://iishost:port/dotnetapp/

ProxyPass /dotnetapp http://iishost:port/dotnetapp/

ProxyPassReverse /dotnetapp/ http://iishost:port/dotnetapp/

ProxyPassReverse /dotnetapp http://iishost:port/dotnetapp/

In the above example as well as in the rest of the article,
please, replace dotnetapp, iishost:port, and 10gashost:port as it applies to your situation.

SSO setup

The second step is to set up Oracle SSO to protect the
application’s URL. Using EM console or by directly editing $ORACLE_HOME/Apache/Apache/conf/mod_osso.conf,
add the following lines just before the </IfModule>:

    <Location /dotnetapp>
        require valid-user
        AuthType Basic
    </Location>
    <Location /dotnetapp*>
        require valid-user
        AuthType Basic
    </Location>

Please note that if you directly edit httpd.conf or mod_osso.conf
without using the EM console, you must apply the changes to the DCM repository
using:

$ORACLE_HOME/bin/emctl stop iasconsole

$ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs -v -d

$ORACLE_HOME/bin/emctl start iasconsole

It is important to restart Apache after the configuration.
The easiest way, again, is to use EM console. Alternatively, use:

$ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=HTTP_Server

.NET application

The .NET application will be accessible through 10gAS using
the following URL:

http://10gashost:port/dotnetapp/

In the application, use HTTP header Osso-User-Dn to identify the current application user, e.g.:

Dim UserDn = Request.Headers.Item("Osso-User-Dn")

The User DN format used in SSO/OID should be:

cn=userid,cn=users,dc=yourdomain,dc=com

If the application detects that the Osso-User-Dn header is not set, then the browser is attempting to
access the application directly and not through 10gAS. In such a situation, as
a good usability practice, we suggest that the application redirect the browser
to the correct URL, which will take care of the SSO authentication for the .NET
application.

To let users log out of SSO directly from the .NET
application, use the following link:

http://10gashost:port/osso_logout?p_done_url=http://10gashost:port/

The p_done_url
specifies the URL to redirect to after the logout.

Users will access the.NET application using:

http://10gashost:port/dotnetapp/

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE This Media disposal policy from TechRepublic Premium provides specific instructions for ensuring organization data is properly protected when disposing of old storage media. From the policy: POLICY DETAILS When disposing of damaged, unusable, obsolete, off-lease, decommissioned, old, or end-of-service-life equipment and media, the organization requires that the guidelines outlined herein be followed: Hard drives, ...

PURPOSE To take some of the effort out of writing (and rewriting) emails to share with company staff and executives, TechRepublic Premium has assembled basic templates to handle the most common types of communications. Simply copy the text into your favorite word processor and customize it to fit your needs. Then, paste it into an ...

PURPOSE The purpose of this policy from TechRepublic Premium is to provide guidelines for developing mobile applications from a security, procedural and best practices standpoint. While it contains technical guidelines, it is not intended to serve as a programming guide but as a framework for operations. This policy can be customized as needed to fit ...

How to use Oracle 10g Single-Sign-On with Microsoft .NET applications