Single Sign-On centralizes management of passwords. To the end user, it appears as though he only logs on once, typically to a corporate portal, and then has access to all the application services he is authorized to use without any further login prompts. To enable Single Sign-On, the users must first be registered in Oracle Internet Directory (OID).
The figure illustrates the Single Sign-On connection cycle, which consists of the following steps:

1. The browser issues a URL contacting an SSO-enabled service. This request does not include the SSO authentication cookie.
2. The service returns a redirection URL, instructing the browser to contact the SSO server with a logon request.
3. The browser contacts the SSO server with a logon request.
4. The SSO server sends a logon prompt window to the browser.
5. The browser returns a username and password to the SSO server.
6. The SSO server passes the username and password to the OID for validation, using the LDAP protocol. Note that steps 1 through 5 have used HTTP, as will 8 and 9.
7. The OID returns a positive authentication (for the purposes of this example) back to the SSO server, using LDAP.
8. The SSO server sends an SSO cookie to the browser with a redirection URL instructing the browser to contact the service it originally requested.
9. The browser contacts the SSO-enabled service, this time with the SSO cookie, and is logged in to it without further authentication being required.
10. Any URL contacting another SSO-enabled application results in an immediate logon, with no further prompt, until the SSO cookie's lifetime expires.
Single Sign-On is written in PL/SQL. It is a set of procedures in a schema created in the metadata repository database. These generate login screens to prompt for a username and password, and then use LDAP to ask Oracle Internet Directory to authenticate the username-password pair. The cookie that is set in the browser is an encrypted, non-persistent (session-only) cookie, held in browser memory rather than written to disk. It should therefore be impossible to hijack a user's session by copying the cookie to another machine.
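The cycle above, modelled as an added example that is not Oracle's code: the OID is a constructed dictionary, the "encrypted" cookie is represented by an HMAC-signed, expiring token, the SSO login URL is assumed, and the service is assumed to be able to validate the cookie (in the real product this goes through the SSO server rather than a shared key).

```python
import base64, hashlib, hmac, json

SSO_KEY = b"constructed-server-secret"   # assumption: known only to the SSO side
COOKIE_TTL = 3600                          # assumed cookie lifetime in seconds
SSO_LOGIN_URL = "https://sso.example.com/login"   # assumed SSO server address

# Constructed stand-in for the OID directory: username -> SHA-256 of password
OID = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

def oid_bind(user, password):
    """Steps 6-7: LDAP-style validation of the username/password pair."""
    stored = OID.get(user)
    given = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, given)

def sso_issue_cookie(user, now):
    """Step 8: mint a cookie that services can verify but cannot forge."""
    claims = json.dumps({"sub": user, "exp": now + COOKIE_TTL}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    tag = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def sso_verify_cookie(cookie, now):
    """Return the user named in a valid, unexpired cookie, else None."""
    body, sep, tag = cookie.partition(".")
    expected = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(expected, tag):
        return None                      # tampered or malformed cookie
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["sub"] if claims["exp"] > now else None   # expired -> None

def service_request(url, cookie, now):
    """Steps 1-2 and 9: serve the page, or redirect to the SSO server."""
    user = sso_verify_cookie(cookie, now) if cookie else None
    if user:
        return ("200", f"{url} served to {user}")
    return ("302", f"{SSO_LOGIN_URL}?return={url}")

def sso_login(user, password, now):
    """Steps 3-8: the logon prompt; returns a cookie on success, else None."""
    return sso_issue_cookie(user, now) if oid_bind(user, password) else None

def browse(url, user, password, now, cookie=None):
    """Drive the cycle from the browser's side; returns (status, body, cookie)."""
    status, body = service_request(url, cookie, now)
    if status == "302":                  # no cookie yet: go through the SSO server
        cookie = sso_login(user, password, now)
        if cookie is None:
            return ("401", "logon failed", None)
        status, body = service_request(url, cookie, now)
    return (status, body, cookie)
```

A second application reached with the same cookie is served without a prompt, while a tampered or expired cookie sends the browser back through the redirect.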