Implement SSO without OAM


We are looking to make JDE SSO using NetIQ Identity Access Manager product. It provides all standard SSO mechanisms.

But I have not found any information on how this can be done. All Oracle documents refer to OAM (of course). And there are third party solutions, which seem like I dont necessarily need?

Anyone out here has any experience with this?
This should be relatively easy.

1) Setup your Identity Management gateway to inject a JDE_SSO_UID request header on every request to JDE after authenticating the user.
2) Tick the OAM box on the JAS setup so that the JAS is expecting this header
3) Firewall your JAS port so that traffic to the now SSO enabled JAS will only accept traffic via the identity gateway. (This step prevents a clever user with a browser addin from injecting the header themselves and masquerading as another user)

This approach mimics OAM and the way its webgate interacts with JDE to provide SSO. You will likely want to also implement the logout URL. This is described in an old OAM 10g document but it still works the same way. What you want to clear is the JSESSIONID for the current JDE session so that it will be allowed to expire on the JAS per your session timeout.

I have used this approach with F5 BIG-IP, a custom IIS filter dll and a few other products. I have not used NetIQ but from a quick read on this it appears that NetIQ works in a similar way.

and if you don't want to take the time to implement Justin's excellent (though highly technical for me) solution I thoroughly recommend Everest Software's SSO implementation as a simple, robust solution that can be implemented in 1 day. In addition It has features for basic load balancing across web servers and for isolating web servers from further logins - allowing you to perform maintenance (apply patches, etc) on web servers one at a time without impacting production users.

We've been using the product for years and I can't say enough about how good it is and the high quality of their technical support.
Thank you Justin for the details. I will review these with folks here and look into doing a test in non-production.

HI Larry,
Thank you for the reply. I did come across the Everest's solution. And it does look promising. But my security dept is not looking to get an additional tool in the environment if we can avoid it.

Will see how the suggestions from Justin go and update here.

I just wanted to mention that with any such OAM-like approach, all your JDE comms would always be channelled through an additional networking layer, which would 1) make it all somewhat slower, plus 2) add a single point of failure risk, i.e.: if that server goes down, so would all JDE sessions connected through it. Our SSO can do this as well, but we normally set it up so that the user browser session is redirected directly to JDE (or a load balancer) in the end, so after the short SSO event it's completely out of the picture.