Oracle Workflow Guide
Release 2.6.2

Part Number A95265-02

Step 4 Synchronizing Workflow Directory Services with Oracle Internet Directory

If you are using the standalone version of Oracle Workflow, and you have installed Oracle9iAS Release 2 or higher, you can synchronize the user information in your Workflow directory service with Oracle Internet Directory (OID) using Lightweight Directory Access Protocol (LDAP). This integration is recommended because it enables you to manage and publish user information in a central location which various systems can reference.

Synchronization with OID enables Oracle Workflow to do the following:

Context: You need to perform this step only once.

Oracle Internet Directory

Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of Oracle9i.

LDAP is a standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. LDAP was conceived as an internet-ready, lightweight implementation of the International Standardization Organization (ISO) X.500 standard for directory services. It requires a minimal amount of networking software on the client side, which makes it particularly attractive for internet-based, thin client applications.

The advantages of OID include:

Oracle9iAS Single Sign-On uses Oracle Internet Directory to store user entries. It maps users for any partner application to user entries in OID, and authenticates them by using LDAP mechanisms.

See Also

Oracle Internet Directory Administrator's Guide

Oracle9iAS Single Sign-On

Oracle9iAS Single Sign-On is a component of Oracle9i Application Server that provides a framework for secure single sign-on, allowing users to log in to multiple Web-based applications by entering a user name and password only once.

Oracle9iAS Single Sign-On provides the following benefits:

The core of the Oracle9iAS Single Sign-On technology is the Login Server. The Login Server authenticates users and passes their identities to the partner applications that are integrated with it.

Partner applications support a single sign-on mechanism that enables them to accept a user's username and password as validated by the Login Server. A partner application delegates its authentication to the Login Server. If a partner application is registered with the Login Server, users can log into it using the single sign-on mechanism.

With mod_osso, an Oracle module that enables single sign-on, Oracle HTTP Server becomes a partner application of the Login Server. Oracle Workflow uses Oracle HTTP Server as its Web server. If you implement Oracle Internet Directory/Single Sign-On integration, Oracle Workflow participates in single sign-on by using mod_osso to authenticate access to its secured web pages.

When a user first tries to access a secured Workflow web page, the Workflow security package WFA_SEC checks the CGI environment variable REMOTE_USER for user information. If the user is not already logged in to Oracle Workflow or another Oracle9iAS Single Sign-On participating application, the user will be prompted to log in before the page appears.

Note: The WFA_SEC package must be loaded as a post-install step if you choose to implement Oracle Internet Directory/Single Sign-On integration. For more information, see your installation documentation.

To set the variable REMOTE_USER, Oracle HTTP Server internally calls mod_osso. Acting as an Oracle9iAS Single Sign-On partner application, mod_osso transparently redirects the user to the Login Server to obtain authentication credentials if no application cookie is present.

The Login Server performs the following steps:

Oracle HTTP Server with mod_osso then performs the following steps:

If, during the same session, the user again seeks access to the same or to a different partner application, the Login Server does not prompt the user for a username and password. Instead, the Login Server obtains the information from the login cookie that is already on the client browser. The login cookie provides the Login Server with the user's identity and indicates that authentication has already been performed. If there is no login cookie, the Login Server presents the user with a login page.

To guard against eavesdropping, the Login Server can send the login cookie to the client browser over an encrypted SSL channel.

The login cookie expires with the session, either at the end of a time interval specified by the administrator, or when the user exits the browser. The login cookie is never written to disk.

Note: To log out of a partner application and log in as another user, the user must also log out of the Login Server session. Otherwise, the authentication request returns the partner application to the logged in state of the previous user.

See Also

Oracle9iAS Single Sign-On Administration Guide

Oracle9iAS Single Sign-On Application Developer's Guide

Oracle Internet Directory Synchronization

Oracle Workflow provides APIs to synchronize the user information in your Workflow directory service with OID. These APIs are defined in a PL/SQL package called WF_LDAP. See: Workflow LDAP APIs.

Note: OID integration includes only individual users, not user groups. Workflow roles are not maintained through OID.

To Synchronize Workflow Directory Services with OID

declare
  res boolean := FALSE;
begin
  -- Turn on Workflow debug logging so the API run is recorded in the Workflow log.
  wf_log_pkg.WF_DEBUG_FLAG := TRUE;

  -- Perform a full synchronization of the Workflow directory service with OID.
  -- In SQL*Plus, run SET SERVEROUTPUT ON first so the DBMS_OUTPUT lines are displayed.
  res := wf_ldap.synch_all();
  if (res) then
    dbms_output.put_line('succeeded');
  else
    dbms_output.put_line('failed');
  end if;
end;
/

declare
begin
  wf_log_pkg.WF_DEBUG_FLAG := TRUE;
  -- Schedule repeated synchronization of subsequent OID changes; see the
  -- Workflow LDAP APIs reference for the meaning of the interval arguments.
  wf_ldap.schedule_changes(0,0,10);
end;
/

Note: You must terminate the running of any WF_LDAP APIs before changing your LDAP setup, such as by migrating to a different LDAP server.
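Before changing the LDAP setup, an administrator needs to find the scheduled synchronization and stop it. The following PL/SQL block is an added example, not code from the Oracle Workflow Guide; it assumes that wf_ldap.schedule_changes registered its recurring synchronization in the DBMS_JOB queue (see Managing Job Queues below), so that the job is visible in USER_JOBS with WF_LDAP in its job text, and that it is run as the schema owner that called schedule_changes.

```plsql
-- Added example (not Oracle's own code). Assumes the synchronization scheduled by
-- wf_ldap.schedule_changes is a DBMS_JOB entry whose job text mentions WF_LDAP.
set serveroutput on
declare
  dry_run  boolean     := TRUE;   -- set to FALSE to actually remove the jobs
  n_found  pls_integer := 0;
begin
  for j in (select job, what, next_date, broken
              from user_jobs
             where upper(what) like '%WF_LDAP%')
  loop
    n_found := n_found + 1;
    dbms_output.put_line('job ' || j.job
      || ' next=' || to_char(j.next_date, 'YYYY-MM-DD HH24:MI:SS')
      || ' broken=' || j.broken
      || ' what=' || j.what);
    if not dry_run then
      -- Remove the job from the queue so no further WF_LDAP runs are started.
      dbms_job.remove(j.job);
      dbms_output.put_line('  removed job ' || j.job);
    end if;
  end loop;
  if n_found = 0 then
    dbms_output.put_line('no WF_LDAP synchronization jobs found');
  end if;
  commit;   -- DBMS_JOB changes take effect only after commit
end;
/
```

A job that is executing at the moment of removal completes its current run, so also check DBA_JOBS_RUNNING and wait for any WF_LDAP job to finish before migrating to a different LDAP server.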

Attention: If you implement OID integration, you must maintain your users only through OID. You must not create ad hoc users in the WF_LOCAL_USERS table, because you risk discrepancies in your user information and unpredictable results if you use any tool other than OID to maintain users after integrating with OID. Consequently, if you implement OID integration, you must not use the CreateAdHocUser( ), SetAdHocUserStatus( ), SetAdHocUserExpiration( ), or SetAdHocUserAttr( ) APIs in the WF_DIRECTORY package.

You can still use ad hoc roles, however, since Workflow roles are not maintained through OID.

See Also

Setting Global User Preferences

Workflow LDAP APIs

User Entry Has Changed Event

Managing Job Queues, Oracle Administrator's Guide

Workflow Directory Service APIs




Copyright © 2002 Oracle Corporation. All Rights Reserved.