Configuring Oracle Access Manager Single Sign-on

This article describes the steps required to set up Oracle Access Manager Single Sign-on (SSO) for the YSoft SafeQ 5 web interface. Configuring SSO requires advanced knowledge of system configuration, of working with an SQL database and of editing configuration files.

This article also assumes that you are familiar with Oracle Access Manager and able to set it up, as its configuration is out of the scope of this document.

Prerequisites

  • Set up the YSoft SafeQ connection to the LDAP directory that contains the users who will interact with the system (see Tools - LDAP Integration for help) and start the replication process.

  • Choose at least one of the replicated users as a system administrator. This is necessary because the default admin account (or any other user created locally in YSoft SafeQ) will not be able to log in to the system via SSO. Edit the selected user and assign the system role safeq admins.

Configuration

  1. Log in to the Web Administration console with the default admin account.

  2. Navigate to the System > System settings page.

  3. Switch the Views menu to Expert options.

  4. Use the search filter to find the configuration property ssoAuthenticationType and set its value to "ORACLE" (without quotes).

  5. Use the search filter to find the configuration property oracleSsoLoginHeader and set its value to the name of the HTTP header that Oracle Access Manager populates with the username of the logged-in user; that user is then automatically logged in to the YSoft SafeQ Administration console via SSO.

  6. Save the changed settings with the Save changes button.

  7. Restart the YSoft SafeQ Web Interface system service.

  8. If everything is set up correctly, you should now be able to log in to the YSoft SafeQ Web Administration console via SSO. Open the proxy address (assigned to YSoft SafeQ in Oracle Access Manager) in your web browser; if your Oracle Access Manager session is valid, you should immediately see the YSoft SafeQ Dashboard page, logged in with your account.

Limit Tomcat incoming connections to Single Sign-on server

  1. Find the server.xml file located in <SafeQ_dir>/tomcat/conf.

  2. Back up the original file so that you can restore YSoft SafeQ to its original state in case of any problems. Copy the file to the same location and add the .bak extension (so you will have two files in the conf directory: server.xml and server.xml.bak).

  3. Find the two (HTTP and HTTPS) connector definitions (see the examples below; by default these connectors use ports 80 and 443, but this can differ based on the values entered during YSoft SafeQ installation) and put comments (<!-- -->) around them.

  4. Find the AJP connector in the same configuration file and set up a shared secret. Add the parameter request.secret and set its value to any password that you choose (see the examples in the boxes below).

  5. Set up the Oracle Access Manager proxy settings in the mod_osso.conf (or httpd.conf) file. Use the AJP protocol for the connection to the YSoft SafeQ Tomcat server and set the same secret password that you used in Tomcat's server.xml file (see the examples below).

  6. Restart the YSoft SafeQ Web Interface system service and the Oracle Access Management server.

  7. You should now be able to access the YSoft SafeQ Web Administration console via the proxy URL in the same manner as before, and you should no longer be able to reach it directly in a browser via the original YSoft SafeQ Administration console URL (either http:// or https://). This check matters because SSO trusts the username header: Tomcat must accept connections only from the Oracle Access Manager proxy that sets it.

Original connectors in server.xml file
<Connector port="80" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8" />
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="SAFEQ\conf\ssl-keystore"
clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
Commented connectors in server.xml file
<!--<Connector port="80" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8" />-->
<!--<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="SAFEQ\conf\ssl-keystore"
clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />-->
Original AJP connector in server.xml file
<Connector port="8009"
enableLookups="false" redirectPort="@webServerPortHTTPS@" protocol="AJP/1.3" />
AJP connector in server.xml with added password phrase
<Connector port="8009" request.secret="SECRET_PASSWORD"
enableLookups="false" redirectPort="@webServerPortHTTPS@" protocol="AJP/1.3" />
Example of mod_jk settings in mod_osso.conf (httpd.conf) of Oracle Access Manager
# mod_jk configuration
JkWorkersFile conf/workers.properties
JkShmFile logs/mod_jk.shm
JkLogFile logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkMount /* safeq
Oracle Access Manager workers.properties with password (referenced from mod_osso.conf)
# Define the list of workers that will be used
# for mapping requests
worker.list=safeq
# Define safeq
worker.safeq.port=8009
worker.safeq.host=REAL_SAFEQ_IP
worker.safeq.type=ajp13
worker.safeq.secret=SECRET_PASSWORD
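To verify steps 3 to 5 before restarting services, the following added example (not part of YSoft's or Oracle's tooling) parses a server.xml and a workers.properties and reports any HTTP/HTTPS connector that is still active, a missing AJP request.secret, or a secret that does not match worker.safeq.secret. The two sample files are constructed inline to mirror the listings above; the worker name safeq is taken from them.

```python
import xml.etree.ElementTree as ET

# Constructed sample: server.xml after steps 3 and 4 above (HTTP connector wrapped
# in an XML comment, AJP connector carrying the shared secret).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<!--<Connector port="80" maxHttpHeaderSize="8192"
enableLookups="false" redirectPort="443" acceptCount="100" URIEncoding="UTF-8" />-->
<Connector port="8009" request.secret="SECRET_PASSWORD"
enableLookups="false" redirectPort="443" protocol="AJP/1.3" />
</Service></Server>"""

# Constructed sample: the matching workers.properties on the Oracle Access Manager host.
SAMPLE_WORKERS = """# Define the list of workers that will be used
worker.list=safeq
worker.safeq.port=8009
worker.safeq.host=REAL_SAFEQ_IP
worker.safeq.type=ajp13
worker.safeq.secret=SECRET_PASSWORD
"""

def parse_properties(text):
    """Minimal Java .properties reader: skip blanks and '#' comments, split on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_tomcat_hardening(server_xml, workers_properties, worker="safeq"):
    """Return a list of findings; an empty list means the files match the procedure above.
    Connectors wrapped in <!-- --> are dropped by the XML parser, so only live ones are seen."""
    findings = []
    ajp = None
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            ajp = conn.attrib
        else:
            findings.append(f"connector on port {conn.get('port')} is still active: "
                            "direct access bypasses the OAM proxy, comment it out")
    if ajp is None:
        return findings + ["no active AJP connector: the proxy cannot reach Tomcat"]
    secret = ajp.get("request.secret", "")
    if not secret:
        findings.append("AJP connector has no request.secret: any host reaching the AJP port is accepted")
    if parse_properties(workers_properties).get(f"worker.{worker}.secret", "") != secret:
        findings.append(f"worker.{worker}.secret does not match request.secret in server.xml")
    return findings
```

Run it against the real files with open(...).read() for both arguments; an empty list is the expected result after step 5.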

Troubleshooting

Q: I see an error message saying that Oracle SSO is not configured correctly instead of the Dashboard page when I access the proxy URL.

A: The value of oracleSsoLoginHeader is empty. You need to disable SSO (see below) and enter the name of the HTTP header that carries the username (see the instructions in the previous chapter, Set up Single Sign on in YSoft SafeQ).

Q: I see a message about a failed SSO autologin in my browser instead of the Dashboard page.

A: If the message states that it cannot find a user with your username, your account has not been replicated from the LDAP directory to the YSoft SafeQ database. If the message states that it cannot find the username null, the name of the HTTP header you entered in oracleSsoLoginHeader is not correct, or SSO is set up incorrectly in Oracle Access Manager (sessions are not valid and the HTTP header does not contain the username of the logged-in user). You need to disable SSO (see below) and enter the correct name of the HTTP header with the username (see the instructions in the previous chapter, Set up Single Sign on in YSoft SafeQ).

Q: I enabled Oracle SSO but it does not work, and I don't see any way to disable it as I can't log in to the YSoft SafeQ Web Administration console.

A: Local YSoft SafeQ users cannot log in to the system while SSO is enabled. When SSO is not working and you need to disable it or modify the faulty settings, you have to do so directly in the YSoft SafeQ database. This is a very dangerous operation; you must know what you are doing, or the consequences for the system can be fatal. Contact YSoft Technical Support if you are not sure how to

  1. Use your stored database access credentials obtained from the installer when YSoft SafeQ was installed.

  2. Log in via a database management tool (this depends on your environment and the database engine used).

  3. Open an SQL query tool and execute the update query in the box below.

  4. Restart the YSoft SafeQ CML and YSoft SafeQ Web Interface system services.

  5. You should now be able to log in to the YSoft SafeQ Web Administration console with the standard admin account.

Update query
update safeq_config set value = '' where conf_key = 'ssoAuthenticationType'