Thread: Implement SSO without OAM

  1. #1
    New Member
    Join Date
    Sep 2004
    Location
    USA
    Posts
    11

    Question Implement SSO without OAM

    We are looking to make JDE SSO using NetIQ Identity Access Manager product. It provides all standard SSO mechanisms.

    But I have not found any information on how this can be done. All Oracle documents refer to OAM (of course). And there are third-party solutions, which seem like I don't necessarily need?

    Does anyone out here have any experience with this?

  2. #2
    Member
    Join Date
    Dec 2000
    Location
    Australia
    Posts
    583
    This should be relatively easy.

    1) Set up your Identity Management gateway to inject a JDE_SSO_UID request header on every request to JDE after authenticating the user.
    2) Tick the OAM box on the JAS setup so that the JAS is expecting this header.
    3) Firewall your JAS port so that traffic to the now SSO-enabled JAS will only accept traffic via the identity gateway. (This step prevents a clever user with a browser add-in from injecting the header themselves and masquerading as another user.)

    This approach mimics OAM and the way its webgate interacts with JDE to provide SSO. You will likely want to also implement the logout URL. This is described in an old OAM 10g document but it still works the same way. What you want to clear is the JSESSIONID for the current JDE session so that it will be allowed to expire on the JAS per your session timeout.

    https://docs.oracle.com/cd/E17984_01...ru_oam_10g.htm

    I have used this approach with F5 BIG-IP, a custom IIS filter dll and a few other products. I have not used NetIQ but from a quick read on this https://www.netiq.com/communities/co...ata-extension/ it appears that NetIQ works in a similar way.
    Justin Miller
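
The header handling behind steps 1 and 3 and the logout cookie described in the post above, as an added example that is not part of the post and not code from Oracle, NetIQ or any gateway vendor. Only the names `JDE_SSO_UID` and `JSESSIONID` come from the thread; the function names, the gateway subnet and the `/jde` cookie path are assumptions made for illustration.

```python
# Added example: what an identity gateway in front of an SSO-enabled JAS
# has to do with the JDE_SSO_UID header. Everything except the header and
# cookie names is hypothetical.
import ipaddress

SSO_HEADER = "JDE_SSO_UID"                               # name from the post
GATEWAY_NETS = [ipaddress.ip_network("10.0.5.0/28")]     # constructed subnet


def canon(name):
    """Fold case and '-'/'_' so look-alike spellings compare equal."""
    return name.strip().lower().replace("-", "_")


def build_upstream_headers(client_headers, authenticated_user):
    """Return the header list the gateway forwards to the JAS.

    Every client-supplied copy of the SSO header is dropped first, then a
    single value is set from the gateway's own authentication result.
    """
    if not authenticated_user or any(c in authenticated_user for c in "\r\n"):
        raise ValueError("no valid authenticated identity; do not forward")
    kept = [(k, v) for k, v in client_headers if canon(k) != canon(SSO_HEADER)]
    kept.append((SSO_HEADER, authenticated_user))
    return kept


def peer_is_gateway(peer_ip):
    """Step 3 as a check: only gateway addresses may reach the JAS port."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in GATEWAY_NETS)


def logout_set_cookie(path="/jde"):
    """Set-Cookie value that clears JSESSIONID in the browser on logout.

    The path is an assumption; it must match the path the JAS set.
    """
    return f"JSESSIONID=; Path={path}; Max-Age=0; Secure; HttpOnly"
```

The firewall rule in step 3 remains the actual control; `peer_is_gateway` only shows the same allowlist expressed as a check.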

  3. #3
    Senior Member Larry_Jones's Avatar
    Join Date
    Nov 2000
    Location
    Spokane, WA, USA
    Posts
    3,229
    Mansat,

    and if you don't want to take the time to implement Justin's excellent (though highly technical for me) solution, I thoroughly recommend Everest Software's SSO implementation as a simple, robust solution that can be implemented in 1 day. In addition, it has features for basic load balancing across web servers and for isolating web servers from further logins - allowing you to perform maintenance (apply patches, etc.) on web servers one at a time without impacting production users.

    We've been using the product for years and I can't say enough about how good it is and the high quality of their technical support.
    Larry Jones
    E1 9.2 - TR 9.2.2.6 on Win 2016 R2. SQL Server 2016
    Wintel, BI Publisher

  4. #4
    New Member
    Join Date
    Sep 2004
    Location
    USA
    Posts
    11
    Thank you Justin for the details. I will review these with folks here and look into doing a test in non-production.

    Manish

  5. #5
    New Member
    Join Date
    Sep 2004
    Location
    USA
    Posts
    11
    Hi Larry,
    Thank you for the reply. I did come across Everest's solution. And it does look promising. But my security dept is not looking to get an additional tool in the environment if we can avoid it.

    Will see how the suggestions from Justin go and update here.

    Thanks
    Manish

  6. #6
    Senior Member Alex_Pastuhov's Avatar
    Join Date
    Jul 2001
    Location
    Australia
    Posts
    1,742
    I just wanted to mention that with any such OAM-like approach, all your JDE comms would always be channelled through an additional networking layer, which would 1) make it all somewhat slower, plus 2) add a single point of failure risk, i.e.: if that server goes down, so would all JDE sessions connected through it. Our SSO can do this as well, but we normally set it up so that the user browser session is redirected directly to JDE (or a load balancer) in the end, so after the short SSO event it's completely out of the picture.
    Regards,
    Alexander Pastuhov
    http://www.everestsoftint.com/

JDELIST is NOT affiliated with JD Edwards® & Company, Oracle or Peoplesoft. Contents of this site are neither endorsed nor approved by JD Edwards® & Company and, or Oracle.