
How to use Oracle 10g Single-Sign-On with Microsoft .NET applications
By Sergo Grigalashvili and Sanjeev Malik

Today's enterprise-wide systems are becoming increasingly sophisticated, with a variety of operating systems and software development platforms. This presents the constant challenge of integration, which requires creative ways of configuring products from multiple vendors to work in tandem. This article presents another useful tip in this quest for integration. The Oracle 10g Application Server (10gAS) family of products provides a wide range of components for enterprise portals, content management, and application security. One useful component for Web applications is the Oracle Single Sign-On (SSO) authentication module, which is functionally similar to Netegrity SiteMinder from Computer Associates.

Oracle SSO
Oracle SSO is implemented using the:

mod_osso Apache module
SSO J2EE components
SSO database repository
SSO PL/SQL components

SSO uses Oracle Internet Directory (OID), which is an Oracle-database-based, LDAP-compliant directory server. The topic of integrating OID with Microsoft Active Directory in Oracle 9iAS was discussed in a previous article; as an extension, this integration has been tested and is also valid in 10gAS. For companies using Oracle 10gAS as well as .NET, this article presents a simple yet effective method for using Oracle SSO, running on Linux, Windows, Solaris or any other supported platform, to protect .NET applications running on Microsoft Internet Information Server (IIS).

The method
The diagram in Figure 1 illustrates the method. Web requests for .NET applications are channeled through Oracle 10gAS, where Apache is configured to proxy requests to the .NET application and SSO is configured to protect the application's URLs.

Figure 1: Method diagram

In this setup, mod_osso makes sure a valid user is logged in before the mod_proxy module proxies the request to the .NET application. If nobody is logged in when accessing the protected page, SSO redirects the browser to a login page, authenticates the user, and then redirects back to the page initially requested. This setup guarantees that somebody is logged in through SSO before the user is allowed to reach the .NET application. It also means application users need to be set up in OID beforehand, because SSO uses OID to validate user credentials.

Proxy setup
The first step is to set up mod_proxy in the Apache of Oracle 10gAS to channel requests to the .NET application on IIS. Using the Oracle 10gAS Enterprise Manager (EM) console, or by directly editing $ORACLE_HOME/Apache/Apache/conf/httpd.conf, add the following entries:

ProxyPass /dotnetapp/ http://iishost:port/dotnetapp/
ProxyPass /dotnetapp http://iishost:port/dotnetapp/
ProxyPassReverse /dotnetapp/ http://iishost:port/dotnetapp/
ProxyPassReverse /dotnetapp http://iishost:port/dotnetapp/

In the above example, as well as in the rest of the article, replace dotnetapp, iishost:port, and 10gashost:port with the values that apply to your situation.

SSO setup
The second step is to set up Oracle SSO to protect the application's URL. Using the EM console, or by directly editing $ORACLE_HOME/Apache/Apache/conf/mod_osso.conf, add the following lines just before the closing </IfModule>:

<Location /dotnetapp>
    require valid-user
    AuthType Basic
</Location>
<Location /dotnetapp*>
    require valid-user
    AuthType Basic
</Location>

Please note that if you directly edit httpd.conf or mod_osso.conf without using the EM console, you must apply the changes to the DCM repository using:

$ORACLE_HOME/bin/emctl stop iasconsole
$ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs -v -d
$ORACLE_HOME/bin/emctl start iasconsole

It is important to restart Apache after the configuration change. The easiest way, again, is to use the EM console. Alternatively, use:

$ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=HTTP_Server

.NET application
The .NET application will be accessible through 10gAS using the following URL:

http://10gashost:port/dotnetapp/

In the application, use the HTTP header Osso-User-Dn to identify the current application user, e.g.:

Dim UserDn As String = Request.Headers.Item("Osso-User-Dn")

The User DN format used in SSO/OID should be:

cn=userid,cn=users,dc=yourdomain,dc=com

If the application detects that the Osso-User-Dn header is not set, the browser is attempting to access the application directly rather than through 10gAS. In such a situation, as a good usability practice, we suggest that the application redirect the browser to the correct URL, which will take care of the SSO authentication for the .NET application. To let users log out of SSO directly from the .NET application, use the following link:

http://10gashost:port/osso_logout?p_done_url=http://10gashost:port/

The p_done_url parameter specifies the URL to redirect to after the logout. Users will access the .NET application using:

http://10gashost:port/dotnetapp/
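As an added example (not code from the article), the following helper for the .NET application reads the Osso-User-Dn header, extracts the userid from the DN layout shown above, and redirects non-proxied requests to the 10gAS URL so mod_osso can enforce login. The class name OssoIdentity and its method names are assumptions; the URLs are the article's placeholders.

```vbnet
' Added example, not from the original article. Helper for an ASP.NET application
' fronted by Oracle 10gAS/mod_osso; OssoIdentity and its methods are assumed names.
Imports System
Imports System.Web

Public Class OssoIdentity
    ' The 10gAS front door and logout link from the article; replace 10gashost:port.
    Public Const ProxiedAppUrl As String = "http://10gashost:port/dotnetapp/"
    Public Const LogoutUrl As String = _
        "http://10gashost:port/osso_logout?p_done_url=http://10gashost:port/"

    ' Returns the DN forwarded by mod_osso, or Nothing when the header is absent
    ' (the browser reached IIS directly instead of going through 10gAS).
    Public Shared Function GetUserDn(ByVal request As HttpRequest) As String
        Dim dn As String = request.Headers.Item("Osso-User-Dn")
        If dn Is Nothing OrElse dn.Trim().Length = 0 Then Return Nothing
        Return dn.Trim()
    End Function

    ' Extracts userid from a DN shaped cn=userid,cn=users,dc=yourdomain,dc=com.
    ' Returns Nothing when the DN does not follow that layout, so callers never
    ' treat an unexpected value as a user name.
    Public Shared Function UserIdFromDn(ByVal dn As String) As String
        If dn Is Nothing Then Return Nothing
        Dim parts() As String = dn.Split(","c)
        If parts.Length < 4 Then Return Nothing
        Dim first As String = parts(0).Trim()
        If Not first.ToLower().StartsWith("cn=") Then Return Nothing
        If parts(1).Trim().ToLower() <> "cn=users" Then Return Nothing
        Dim userId As String = first.Substring(3)
        If userId.Length = 0 Then Return Nothing
        Return userId
    End Function

    ' Call from Page_Load. When the header is missing the request bypassed 10gAS,
    ' so the browser is sent to the proxied URL where SSO authentication happens.
    Public Shared Function RequireSsoUser(ByVal context As HttpContext) As String
        Dim dn As String = GetUserDn(context.Request)
        If dn Is Nothing Then
            context.Response.Redirect(ProxiedAppUrl, True)
            Return Nothing
        End If
        Return UserIdFromDn(dn)
    End Function
End Class
```

The header identifies the user only when IIS accepts connections solely from the 10gAS host, so restrict IIS to the proxy's address; the redirect above is a usability aid, not the access control itself.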
