Oracle Single Sign-On（SSO） Solution

转：http://blog.csdn.net/pan_tian/article/details/8691726

Single Sign-On(SSO)即单点登录，在多个应用系统中，用户只需要登录一次就可以访问所有相互信任的应用系统。在此条件下，管理员无需修改或干涉用户登录就能方便的实施希望得到的安全控制。

Oracle现有两套单点登录的解决方案：Oracle Access Manager，Oracle Single Sign-On Server (OSSO)。
Oracle官方推荐Access Manager作为SSO的解决方案，Oracle Single Sign-On Server的高级用户最终也会建议迁移到Oracle Access Manager解决方案上。

 

OAM SSO实现方式有两种：一种是通过OAM Agent(WebGate)，另外一种是使用OSSO Agents（mod_osso)

1.) 使用OAM Agent(WebGate代理),然后和Oracle E-Business Suite Access Gate集成(此处以EBS为例). 

WebGate是Web服务器的一个插件，用于拦截HTTP请求，并把请求导向Oracle Access Manager (OAM)来获取用户认证。

 

OAM SSO登陆的过程描述：

When a user tries to access a protected application, the request is received by OAM which checks for the existence of the SSO cookie.

After authenticating the user and setting up the user context and token, OAM sets the SSO cookie and encrypts the cookie with the SSO Server key (which can be decrypted only by the SSO Engine).

Depending on the actions (responses in OAM 11g) specified for authentication success and authentication failure, the user may be redirected to a specific URL, or user information might be passed on to other applications through a header variable or a cookie value.

Based on the authorization policy and results of the check, the user is allowed or denied access to the requested content. If the user is denied access, she is redirected to another URL (specified by the administrator in Webgate registration).

可以看到，Oracle OAM通过Cookie存储用户的信息，进而通过Cookie来实现单点访问授信站点。

 

2.) 使用mod_osso代理，这种方法只适用于从Oracle Single Sign-On Server 10gR3升级上来的用户。

详细见：About SSO Log In Processing with OAM Agents中的“About SSO Login Log In Processing with OSSO Agents (mod_osso)”

 

关于Cookie

Cookies就是服务器暂存放在你的电脑里的资料( 用户ID，密码、浏览过的网页、停留的时间等信息)，好让服务器用来辨认你的计算机。 当你在浏览网站的时候，Web服务器会先送一小小资料放在你的计算机上，Cookies 会帮你在网站上一些内容都记录下来。当下次你再访问同一个网站，Web服务器会先看看有没有它上次留下的Cookies资料，有的话，就会 依据Cookie里的内容来判断使用者，送出特定的网页内容给你。 一般来说，Cookie通过HTTP Headers从服务器端返回到浏览器上。IE Cookies 文件夹路径保存于注册表：HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies

 

 

See Also:

About SSO Log In Processing with OAM Agents
Overview of Single Sign-On Integration Options for Oracle E-Business Suite [ID 1388152.1]
Integrating Oracle E-Business Suite Release 11i with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate [ID 1536941.1]

Oracle Access Manager 11.1.2 Certified with E-Business Suite 12 

Oracle Access Manager 11.1.2 Certified With E-Business Suite 11i 
Introduction to Installing WebGates