Oracle SSO

From RavenWiki
Jump to navigationJump to search
The Raven-related software described on this page is NOT supported or maintained by University Information Services. It is provided here in the hope that it may be useful, but it may contain bugs and security vulnerabilities. It may be supported and maintained by others. You should evaluate whether it meets you particular needs before using it.

Oracle includes a Single Signon server (Oracle SSO) as part of the Oracle Application Server package. The Single Signon server runs under Apache and it turns out to be possible to protect the SSO server with the Apache authentication module and then add a small Java 'shim' to pass the identity established by UcamWebauth into the SSO system. If I remember correctly, it's still necessary to create accounts inside the SSO server, the UcamWebauth integration simply allows them to authenticate using an existing UcamWebauth service such as Raven.

The Java 'shim' actually just passes an identity as established by Apache into SSO - it could just as easily be used with any other Apache authentication method.

A copy of the 'shim' is available from http://raven.cam.ac.uk/project/SSO_UcamWebauth/

A writeup of CASifying Oracle Portal takes a different approach - since CAS and Raven are similar this alternate approach may be relavent.

In what follows, $ORACLE_HOME stands for the path to wherever OracleAS is installed. This path should replace $ORACLE_HOME in all the following examples.

Basic UcamWebauth Installation

  • Create $ORACLE_HOME\Apache\raven
  • Collect the latest Windows mod_ucam_webauth distribution for Apache v1.3 from http://raven.cam.ac.uk/project/apache/files/WIN32/; unzip this somewhere and copy mod_ucam_webauth.so and msvcr70.dll to $ORACLE_HOME\Apache\raven
  • For user with Raven, collect the current PEM formated Raven key(s) from https://raven.cam.ac.uk/project/keys/ and copy them to $ORACLE_HOME\Apache\raven. Beware that the key file name has no suffix but that some browsers may add a '.txt' suffix when downloading
  • Create a file at $ORACLE_HOME\Apache\raven\raven.conf containing the single line:
"# Raven configuration"
  • Log into Oracle Enterprise Manager and edit the webserver main httpd.conf file by adding the following lines at the end:
# Include the Raven configuration file
include "$ORACLE_HOME\Apache\raven\raven.conf"
  • Click the 'Apply' button and then restart the server.
  • raven.conf should now appear in the list of configuration files managed by Enterprise Manager. Edit raven.conf by including the following, replacing <some random string> with something known only to you:
LoadModule ucam_webauth_module "$ORACLE_HOME/Apache/raven/mod_ucam_webauth.so"
AAKeyDir "$ORACLE_HOME/Apache/raven/"
AACookieKey "<some random string>"
  • If the local webserver clock is not accurately synchronised to correct time then include 'AAClockSkew <seconds>' on a new line after AACookieKey, replacing <seconds> with the maximum likely offset of the local clock in seconds from correct time
  • Click the 'Apply' button and then restart the server.

Testing the installation

  • Create a directory $ORACLE_HOME/Apache/Apache/htdocs/raven-test
  • Create a simple HTML document in $ORACLE_HOME/Apache/Apache/htdocs/raven-test/index.html
  • In Enterprise Manager, edit raven.conf by adding the following to the end:
<Location /raven-test/> 
  AuthType Ucam-WebAuth 
  Require valid-user
</Location> 
  • Click the 'Apply' button and then restart the server.
  • Browsing to http://server/raven-test:7777/ should now provoke a Raven authentication dialogue and then display the test document. If it doesn't, look in the server's error_log for clues.

Configuring OracleSSO to use Raven

  • In $ORACLE_HOME\sso\plugin, create the directory tree uk\ac\cam\ucs\webauth
  • Obtain a copy of the SSOUcamWebAuth.java source file.
  • Compile the Java source either with the following command or using the supplied compile.bat file
$ORACLE_HOME\jdk\bin\javac -classpath \   
 $ORACLE_HOME\sso\lib\ipastoolkit.jar;$ORACLE_HOME\j2ee\home\lib\servlet.jar \ 
 SSOUcamWebAuth.java
  • Copy the resulting SSOUcamWebAuth.class file to $ORACLE_HOME\sso\plugin\uk\ac\cam\ucs\webauth
  • In Enterprise Manager, edit raven.conf by adding the following:
AADescription "the Oracle Application Server SSO Service"
AAMaxSessionLife 300

<Location /pls/orasso/ORASSO.wwwsso_app_admin.ls_login>
  AuthType Ucam-WebAuth
  Require valid-user
</Location>

<Location /sso/auth>
  AuthType Ucam-WebAuth
  Require valid-user
</Location>
  • Click the 'Apply' button and then restart the server.
  • Edit $ORACLE_HOME\sso\conf\policy.properties, replacing the current line starting MediumSecurity_AuthPlugin with
MediumSecurity_AuthPlugin = uk.ac.cam.ucs.webauth.SSOUcamWebAuth
  • Restart the single sign-on middle tier (in Enterprise Manager, with $ORACLE_HOME/opmn/bin/opmnctl, or otherwise)

jw35.