6 Replies Latest reply on Feb 7, 2013 12:06 PM by 779386

    Oracle SSO: Customize Login


      i've got a question about oracle single sign-on.

      the traditional way when a user wants to access a mod_osso protected resource (e.g. oracle portal) and the user is not already signed on, the oracle sso login page appears. there the user enters username and password and after a successful login the user is redirected to the requested resource.

      i need to change that behaviour to the following:
      1) user wants to access a mod_osso protected resource (e.g. oracle portal) and is not logged in
      2) system should look in custom http-header fields for username and password
      3a) username/password found in http-header: - log user in and redirect him to requested resource (don't show sso login page)
      3b) username/password not found in http-header or username/password are invalid - show sso login page

      how can i achieve that?

        • 1. Re: Oracle SSO: Customize Login
          Roberto Barrera
          You can change the login page. For that, you need to create a JSP page that does what you want to achieve, deploy it to the OAS, and after that look in the orasso schema inside the database; there is a table that contains the URL of the login page. Modify it and test.

          Hope this helps
          • 2. Re: Oracle SSO: Customize Login
            Asif M. Naqvi
            I think you can't do it.

            By checking headers on a page yourself, and then authenticating and redirecting the calls you are trying to devise a custom login mechanism.
            You can use a custom login portlet but I think you cannot change the login mechanism. That is dealt with by the SSO login server, and it internally redirects the users, after verifying their credentials with OID, to the requested success_urls.

            please see this note for custom login page changes in 10.1.2 and onwards (also note a change in 10.1.4)
            Metalink note: 290445.1

            Please also see this piece in the documentation.

            • 3. Re: Oracle SSO: Customize Login
              i want to get redirected to the success_url.

              e.g. url to sso-protected form: http://myServer:myPort/forms/frmservlet...

              i have a hyperlink to the above url. when a user clicks this hyperlink and is NOT signed on the sso-login page appears and after successful login the user gets redirected to the requested form. i changed the hyperlink to place additional values in the http-header. now if the user isn't signed-on the login page should only be displayed if there is no or incorrect login information in the http-header.

              i've written my own sso-plugin class (according to "Third-Party Integration Modules" in "Oracle Application Server Single Sign-On Administrator’s Guide") which works fine if a valid username is given in my custom http-header field. but if the given username doesn't exist in the OID, instead of displaying the login-page the application server shows an error 500 page and in the sso log i see the exception that the given user doesn't exist.

              is there a way to tell SSO to redirect to the standard sso-login-page when the exception "user doesn't exist" is thrown?

              here's my sso-plugin class:

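              import javax.servlet.http.HttpServletRequest;
              // Oracle SSO toolkit package: assumed, the post did not show its imports
              import oracle.security.sso.ias904.toolkit.*;

              public class MySSOPlugin implements IPASAuthInterface {

                  public MySSOPlugin() {
                  }

                  // Builds the SSO user from the custom "ssoUserName" request header
                  public IPASUserInfo authenticate(HttpServletRequest request)
                          throws IPASAuthException, IPASInsufficientCredException {
                      String userName = null;
                      try {
                          userName = request.getHeader("ssoUserName");
                      } catch (Exception e) {
                          throw new IPASInsufficientCredException("No Header");
                      }
                      if (userName == null) {
                          throw new IPASInsufficientCredException("No Acme Header");
                      }
                      // No check here that the user exists in OID
                      IPASUserInfo authUser = new IPASUserInfo(userName);
                      return authUser;
                  }
                  // (any further IPASAuthInterface methods were not shown in the post)
              }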

              • 4. Re: Oracle SSO: Customize Login
                here's the exception from ssoServer.log (when specifying a non-oid-user in custom sso plugin):

                Mon Oct 12 11:59:26 CEST 2009 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Could not get attributes for user, myUser
                oracle.ldap.util.NoSuchUserException: User does not exist - SIMPLE NAME = myUser
                     at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1159)
                     at oracle.ldap.util.Subscriber.getUser(Subscriber.java:912)
                     at oracle.ldap.util.Subscriber.getUser(Subscriber.java:859)
                     at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:493)
                     at oracle.security.sso.server.auth.AuthUtil.getUserMapping(AuthUtil.java:1179)
                     at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:998)
                     at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
                     at oracle.security.sso.server.ui.SSOLoginServlet.doGet(SSOLoginServlet.java:285)
                     at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
                     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:824)
                     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
                     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
                     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
                     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
                     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
                     at java.lang.Thread.run(Thread.java:534)
                Mon Oct 12 11:59:26 CEST 2009 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Could not locate user attributes for user: myUser

                • 5. Re: Oracle SSO: Customize Login
                  Were you ever able to get this working?
                  • 6. Re: Oracle SSO: Customize Login
                    This seems to be caused by the Oracle SSO lookup not being able to access the proper attributes.
                    As an admin I tried to secure the server by disabling anonymous bind and blocking every user from being able to access other users' attributes: which FAILED!
                    It seems that for SSO to be working, you need Anonymous Bind enabled and under the "tree" where your users are, the Everyone user should have a grant to read.
                    It's really stupid, but I have not been able to get it working otherwise.
                    I also added the user used to do the LDAP query in the SSO plugin to have the same rights as Everyone, but it still fails.

                    If anyone has a solution, please post!