Oracle9iAS Forms Services Deployment Guide
Release 9.0.2

Part Number A92175-01

5
Using Oracle9iAS Forms Services with SSO and OID

Introduction

Oracle9iAS Forms Services applications can be run in a single sign-on (SSO) environment using Oracle Login Server (Single Sign-On Server) and Oracle Internet Directory (OID) to store user name and password information. SSO is designed to work in a portal environment such as that provided by Oracle9i Application Server, where multiple Web-based applications are accessible through the portal. Without SSO, each user must maintain a separate identity and password for each application they access. Maintaining multiple accounts and passwords for each user is insecure and expensive.

You can also use

This chapter contains the following sections:

Single Sign-On (SSO)

A detailed description of SSO is available from the Oracle9i Application Server Security Guide (Chapter 6 - "Configuring Oracle9iAS Single Sign-On"). This section will explore the features which are relevant to Oracle9i Forms development.

To use single sign-on support:

  1. The URL must be protected. Creating alias names for the Forms Listener Servlet will allow you to use SSO for selected applications. Protect the Forms URL by adding the following section to the mod_osso.conf file:

    <Location /forms90/f90servlet>
       require valid-user
       authType Basic
    </Location>
    

    The default Forms URL is "forms90/f90servlet".

  2. Create users using OID, Delegated Administration Services (DAS), and assign/create resource information to these users. The resource information contains the DB credentials, and the resource name must match the name of the named user configurations for the SSO-enabled application defined in the formsweb.cfg file. The resource name is passed with the Oracle9iAS Forms Services URL as the value of the "config" query parameter.

  3. Create a configuration section corresponding to the resource name used for Oracle9i Forms applications. For example:

    ...
    [customers]
    form=customers.fmx
    ...
    [orders]
    form=orders.fmx
    ...
    
  4. Choose a resource name. For example, the URL might be http://<server>:<port>/forms90/f90servlet?config=customers
    This will cause the request to be authenticated as shown below.

    If a different configuration parameter (for example, http://.../forms90/f90servlet?config=orders) is used, the DB credentials configured for this user with resource name "orders" will be used by the Forms Server to login to the DB.

  5. Session cookies are used to track SSO logins - these are only available to the SSO server and are lost when the browser session ends.

Authentication Flow

The following is the authentication flow of SSO support in Forms the first time that the user requests a Forms Services URL:


  1. The user requests a Forms URL.

  2. The Forms Servlet redirects the user to the SSO server.

  3. The user provides user name and password through the Login form.

  4. The password is verified through OID (LDAP Server).

  5. The user gets redirected to the URL with sso_userid information.

  6. Forms Servlet gets the database credentials from OID.

  7. Forms Servlet sets the userid parameter in the Runform session and the applet connects to the Forms Listener Servlet.

  8. Forms Servlet starts the Forms Server.

The following is the authentication flow of SSO support in Oracle9i Forms when a user, authenticated through another Partner Application, requests an Oracle9iAS Forms Services URL.


  1. The user requests a Forms URL.

  2. Forms Servlet redirects the user to the SSO server.

  3. The user gets redirected to the URL with sso_userid information.

  4. Forms Servlet gets the database credentials from OID.

  5. Forms Servlet sets the userid parameter in the Runform session and the applet connects to the Forms Listener Servlet.

  6. Forms Servlet starts the Forms Server.

Single Sign-On with Some Applications, Not Others

Oracle9iAS Forms Services allows you to run both single sign-on and publicly viewed applications simultaneously. In order to enable this functionality, you need to add a second alias name for the Forms Servlet. This second Forms Servlet name is required to build a second Forms Services instance.

For security reasons, it is not recommended that two Forms Servlet names share the same formsweb.cfg file when one of them is registered with SSO. For example: If applicationA is protected by Single Sign-On authentication while applicationB is not, then it must be guaranteed that applicationA cannot be run by the second Forms Services instance, which is not using SSO. The only way to distinguish SSO-protected applications from those being publicly available is to use separate configuration files. ApplicationA will not share the same formsweb.cfg file with applicationB.

The following steps will allow you to run single sign-on and publicly viewed applications:

Create a second stand alone server instance

1. Add another alias name for the Forms Servlet to the OC4J web.xml file.

2. Register the aliased Forms Servlet with mod_oc4j.

Add an alias name for the Forms Servlet

Navigate to the \applications\forms90app\forms90web\WEB-INF\ directory of your Oracle9iAS Forms Services OC4J installation. Open the web.xml configuration file in a text editor and add the following lines to the appropriate location:

<servlet>
   <servlet-name>f90</servlet-name>
   <servlet-class>oracle.forms.servlet.FormsServlet</servlet-class>
   <init-param>
      <param-name>configFileName</param-name>
      <param-value><your configuration file name goes here></param-value>
   </init-param> 
</servlet>
<servlet-mapping>
   <servlet-name>f90</servlet-name>
   <url-pattern>/f90*</url-pattern>
</servlet-mapping>

In this example the new Forms Servlet name is "f90", but you can give it any name. The servlet initialization parameter configFileName takes the name and location of the formsweb.cfg file to be used with this servlet. The best way to create the new configuration file is to copy the formsweb.cfg file from the forms90/server directory and to rename the copy. Edit the copied configuration file and remove all the application configurations that should not be accessible without SSO. Replace "<your configuration file name goes here>" in the above example with the location and the name of the formsweb.cfg copy you created.

Register the Oracle9i Forms alias name with mod_oc4j

For the new Forms Servlet name to be recognized by Oracle9iAS and served by OC4J, you need to register the servlet with mod_oc4j. This registration is done using the forms90.conf file located in the forms90/server directory of your Oracle9iAS Forms Services installation.

The following entry for the f90servlet and l90servlet alias names is at the end of forms90.conf. Add the two lines for the new f90 alias (Oc4jMount /forms90/f90 and Oc4jMount /forms90/f90/*):

# Config. for OC4J
<IfModule mod_oc4j.c>
    Oc4jMount /forms90              ProductGroup2
    Oc4jMount /forms90/f90servlet   ProductGroup2
    Oc4jMount /forms90/f90servlet/* ProductGroup2
    Oc4jMount /forms90/f90     ProductGroup2
    Oc4jMount /forms90/f90/*  ProductGroup2
    Oc4jMount /forms90/l90servlet   ProductGroup2
    Oc4jMount /forms90/l90servlet/* ProductGroup2
</IfModule>

After stopping and restarting the Oracle HTTP Server, the Forms Servlet will be accessible by using:

http://<hostname>:<port>/forms90/f90servlet and http://<hostname>:<port>/forms90/f90.

The difference is that the forms90/f90servlet root might be protected by single sign-on and the forms90/f90 path uses a different Forms configuration file (other than formsweb.cfg).
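The check below is an added example, not part of the Oracle guide: it lists which mounted paths fall under an SSO-protected Location, using Apache's whole-segment prefix matching. The sample texts are constructed from the mod_osso.conf and forms90.conf fragments in this chapter, and the function names are hypothetical.

```python
import re

# Constructed samples: the protected Location from this chapter and the
# Oc4jMount paths listed for forms90.conf.
MOD_OSSO = """
<Location /forms90/f90servlet>
   require valid-user
   authType Basic
</Location>
"""
FORMS90_CONF = """
<IfModule mod_oc4j.c>
    Oc4jMount /forms90/f90servlet   ProductGroup2
    Oc4jMount /forms90/f90servlet/* ProductGroup2
    Oc4jMount /forms90/f90          ProductGroup2
    Oc4jMount /forms90/f90/*        ProductGroup2
    Oc4jMount /forms90/l90servlet   ProductGroup2
</IfModule>
"""

def protected_prefixes(mod_osso_text):
    """URL paths of <Location> blocks that contain 'require valid-user'."""
    found = []
    for path, body in re.findall(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>",
                                 mod_osso_text, flags=re.S | re.I):
        if re.search(r"^\s*require\s+valid-user\s*$", body, flags=re.M | re.I):
            found.append(path)
    return found

def mounted_paths(forms_conf_text):
    """First argument of every Oc4jMount line; commented-out lines are skipped."""
    return re.findall(r"^\s*Oc4jMount\s+(\S+)", forms_conf_text, flags=re.M | re.I)

def covered(mount, prefix):
    """Whole-segment prefix match: /forms90/f90servlet does not cover /forms90/f90."""
    if not prefix.startswith("/"):
        return False  # request paths start with "/", so such a Location never matches
    mount = mount[:-2] if mount.endswith("/*") else mount
    prefix = prefix.rstrip("/")
    return mount == prefix or mount.startswith(prefix + "/")

def sso_coverage(mod_osso_text, forms_conf_text):
    """Map each mounted path to True if some protected Location covers it."""
    prefixes = protected_prefixes(mod_osso_text)
    return {m: any(covered(m, p) for p in prefixes)
            for m in mounted_paths(forms_conf_text)}

if __name__ == "__main__":
    for path, ok in sso_coverage(MOD_OSSO, FORMS90_CONF).items():
        print(f"{'SSO ' if ok else 'OPEN'}  {path}")
```

Every path reported as OPEN is reachable without an SSO login, so only applications meant to be public should be reachable through it.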

Note: The Forms Listener Servlet "l90servlet" can be used with both configurations, so there is no need to create an alias name for this servlet too. The Forms Listener Servlet does not directly read from the formsweb.cfg file and thus, security is not affected when using the same Listener Servlet for both instances.

You can test the configuration by typing http://<hostname>:<port>/forms90/f90/admin, which should bring up the Listener Servlet test page.
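The following audit is an added example, not part of the Oracle guide: it compares the copied configuration file used by the public alias against the SSO instance's formsweb.cfg and flags anything that would expose an SSO-only application. The sample files, the allowlist and the function names are constructed; treating # lines as comments and comparing form names case-insensitively are assumptions.

```python
import re

# Constructed samples: the SSO instance's formsweb.cfg and the edited copy
# served by the public alias. Section and form names are illustrative.
SSO_CFG = """
[customers]
form=customers.fmx
[orders]
form=orders.fmx
[catalog]
form=catalog.fmx
"""
PUBLIC_CFG = """
[catalog]
form=customers.fmx
[orders]
form=orders.fmx
"""

def parse_formsweb(text):
    """Return {section: {param: value}}; parameters that precede the first
    [section] header are stored under the key ""."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_public_copy(sso_text, public_text, public_allowed):
    """Flag sections of the public copy that are not on the allowlist, and
    allowed sections whose form= still names an SSO-only form."""
    sso, pub = parse_formsweb(sso_text), parse_formsweb(public_text)
    sso_only = {p["form"].lower() for name, p in sso.items()
                if name and name not in public_allowed and "form" in p}
    findings = []
    for name, params in pub.items():
        form = params.get("form", "")
        if name and name not in public_allowed:
            findings.append(("unlisted-section", name, form))
        elif form.lower() in sso_only:
            findings.append(("protected-form", name or "<default>", form))
    return findings
```

With the allowlist {"catalog"}, the sample copy yields two findings: the leftover [orders] section and a [catalog] section that still launches customers.fmx.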


Copyright © 2002 Oracle Corporation.

All Rights Reserved.