Skip Headers

Oracle Workflow Administrator's Guide
Release 2.6.3

Part Number B10283-02
Previous Next       Contents Index Glossary
         Previous  Next          Contents  Index  Glossary

Step 4 Synchronizing Workflow Directory Services with Oracle Internet Directory

If you are using the standalone version of Oracle Workflow, you can synchronize the user information in your Workflow directory service with Oracle Internet Directory (OID) using Lightweight Directory Access Protocol (LDAP). This integration is recommended because it enables you to manage and publish user information in a central location which various systems can reference.

Synchronization with OID enables Oracle Workflow to do the following:

Attention: To implement single sign-on integration, you must install Oracle Workflow with Oracle Application Server, and you must use a version of the Oracle Database that is certified with your version of Oracle Application Server.

For more information about leveraging the Oracle Identity Management infrastructure, see: Oracle Workflow Security.

Context: You need to perform this step only once.

Oracle Internet Directory

Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of the Oracle Database.

LDAP is a standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. LDAP was conceived as an internet-ready, lightweight implementation of the International Standardization Organization (ISO) X.500 standard for directory services. It requires a minimal amount of networking software on the client side, which makes it particularly attractive for internet-based, thin client applications.

The advantages of OID include:

Oracle Internet Directory also provides data management tools, such as Oracle Directory Manager and a variety of command-line tools, for manipulating large volumes of LDAP data.
Oracle Internet Directory also takes advantage of all the availability features of the Oracle Database. Because directory information is stored securely in the Oracle Database, it is protected by the backup capabilities of the database. Additionally, the Oracle Database, running with large datastores and heavy loads, can recover from system failures quickly.

Oracle Application Server Single Sign-On uses Oracle Internet Directory to store user entries. It maps users for any partner application to user entries in OID entries, and authenticates them by using LDAP mechanisms.

See Also

Oracle Internet Directory Administrator's Guide

Oracle Application Server Single Sign-On

Oracle Application Server Single Sign-On is a component of Oracle Application Server that provides a framework for secure single sign-on, allowing users to log in to multiple Web-based applications by entering a user name and password only once.

Attention: To implement single sign-on integration for Oracle Workflow, you must install Oracle Workflow with Oracle Application Server, and you must use a version of the Oracle Database that is certified with your version of Oracle Application Server.

Oracle Application Server Single Sign-On provides the following benefits:

The core of the Oracle Application Server Single Sign-On technology is the Login Server. The Login Server authenticates users and passes their identities to the partner applications that are integrated with it.

Partner applications support a single sign-on mechanism that enables them to accept a user's username and password as validated by the Login Server. A partner application delegates its authentication to the Login Server. If a partner application is registered with the Login Server, users can log into it using the single sign-on mechanism.

With mod_osso, an Oracle module that enables single sign-on, Oracle HTTP Server becomes a partner application of the Login Server. Oracle Workflow uses Oracle HTTP Server as its Web server. If you implement Oracle Internet Directory/Single Sign-On integration, Oracle Workflow participates in single sign-on by using mod_osso to authenticate access to its secured web pages.

When a user first tries to access a secured Workflow web page, the Workflow security package WFA_SEC checks the CGI environment variable REMOTE_USER for user information. If the user is not already logged in to Oracle Workflow or another Oracle Application Server Single Sign-On participating application, the user will be prompted to log in before the page appears.

Note: The WFA_SEC package must be loaded as a post-install step if you choose to implement Oracle Internet Directory/Single Sign-On integration. For more information, see your installation documentation.

To set the variable REMOTE_USER, Oracle HTTP Server internally calls to mod_osso. Acting as an Oracle Application Server Single Sign-On partner application, mod_osso transparently redirects the user to the Login Server to obtain authentication credentials, if no application cookie is present.

The Login Server performs the following steps:

Oracle HTTP Server with mod_osso then performs the following steps:

If, during the same session, the user again seeks access to the same or to a different partner application, the Login Server does not prompt the user for a username and password. Instead, the Login Server obtains the information from the login cookie that is already on the client browser. The login cookie provides the Login Server with the user's identity and indicates that authentication has already been performed. If there is no login cookie, the Login Server presents the user with a login page.

To guard against eavesdropping, the Login Server can send the login cookie to the client browser over an encrypted SSL channel.

The login cookie expires with the session, either at the end of a time interval specified by the administrator, or when the user exits the browser. The login cookie is never written to disk.

Note: To log out of a partner application and log in as another user, the user must also log out of the Login Server session. Otherwise, the authentication request returns the partner application to the logged in state of the previous user.

See Also

Oracle Application Server Single Sign-On Administrator's Guide

Oracle Application Server Single Sign-On Application Developer's Guide

Oracle Internet Directory Synchronization

Oracle Workflow provides APIs to synchronize the user information in your Workflow directory service with OID. These APIs are defined in a PL/SQL package called WF_LDAP. See:

Workflow LDAP APIs, Oracle Workflow API Reference.

Note: OID integration includes only individual users, not user groups. Workflow roles are not maintained through OID.

arrow icon   To Synchronize Workflow Directory Services with OID

1. During installation, use the Workflow Configuration Assistant to choose to integrate with OID. You enter LDAP preferences in the Workflow Configuration Assistant, which are then stored as global Workflow preferences. After installation, you can use the Global Preferences page to verify that the following preferences are set to the appropriate information for your OID installation, and optionally modify these settings. See: To Set Global User Preferences.
Note: If you choose to integrate with OID during installation, Workflow directory service views that support this integration are automatically implemented for you. See: Integrating Oracle Workflow Directory Services with Oracle Internet Directory.
2. Ensure that the PL/SQL package named DBMS_LDAP is loaded in your database. This package contains the functions and procedures which can be used to access data from LDAP servers and is required for LDAP synchronization.
For the standalone version of Oracle Workflow, if you choose to integrate with OID by entering LDAP preferences in the Workflow Configuration Assistant, this package should be loaded as a post-installation step. For more information, see the installation documentation for the software with which you installed Oracle Workflow.
3. For single sign-on integration, ensure that the Database Access Descriptor for Oracle Workflow is protected in the mod_osso configuration file. For the standalone version of Oracle Workflow, if you choose to integrate with OID by entering LDAP preferences in the Workflow Configuration Assistant, mod_osso configuration is automatically performed for you during installation. For more information, see the Oracle Application Server 10g Installation Guide.
Attention: To implement single sign-on integration, you must install Oracle Workflow with Oracle Application Server, and you must use a version of the Oracle Database that is certified with your version of Oracle Application Server.
4. To begin the synchronization, run the WF_LDAP.Synch_all( ) API. This function retrieves all the existing user information from OID, based on the LDAP directory information specified in the Global Workflow Preferences, and raises the oracle.apps.global.user.change event. Predefined subscriptions to this event create new users in the WF_LOCAL_ROLES table if necessary and load the user information into the WF_LOCAL_ROLES table.
Because Synch_all( ) retrieves information for all users stored in OID, you should use this function only once during setup. If necessary, however, you can also run Synch_all( ) as required for recovery or cleanup.
Use the following commands to run Synch_all( ):
declare
res boolean := FALSE;
begin

res := wf_ldap.synch_all();
if (res) then
dbms_output.put_line('succeeded');
else
dbms_output.put_line('failed ');
end if;
end;
/
5. Subsequently, you must maintain the synchronization between your Workflow directory service and OID by retrieving and loading only changed OID user information. It is recommended that you update the user information every ten minutes.
You can use either WF_LDAP.Synch_changes( ) or WF_LDAP.Schedule_changes( ) to retrieve changed user information from OID. WF_LDAP.Synch_changes( ) identifies LDAP user changes in OID, including creation, modification, and deletion, by querying the LDAP change log records. The function connects to OID based on the LDAP directory information specified in the Global Workflow Preferences. If there is a change, the function retrieves the user information from OID and raises the oracle.apps.global.user.change event. Predefined subscriptions to this event create new users in the WF_LOCAL_ROLES table if necessary and load the user information into the table. You can use WF_LDAP.Synch_changes( ) to perform a single update.
To continue updating user information periodically, use WF_LDAP.Schedule_changes( ). This procedure submits a database job using the DBMS_JOB utility to run WF_LDAP.Synch_changes( ) repeatedly at an interval that you specify. The default interval, which is also the recommended frequency to check for updates, is ten minutes.
You can create a script to run WF_LDAP.Schedule_changes( ). For example, to run the API at an interval of ten minutes, create a SQL file with the following commands:
declare
begin
wf_ldap.schedule_changes(0,0,10);
end;
/
Then run SQL*Plus and load your new script to the database.
Note: You must terminate the running of any WF_LDAP APIs before changing your LDAP setup, such as by migrating to a different LDAP server.
Attention: If you implement OID integration, you must maintain your users only through OID. You must not create ad hoc users in the WF_LOCAL_ROLES table, because you risk discrepancies in your user information and unpredictable results if you use any tool other than OID to maintain users after integrating with OID. Consequently, if you implement OID integration, you must not use the CreateAdHocUser( ), SetAdHocUserStatus( ), SetAdHocUserExpiration( ), or SetAdHocUserAttr( ) APIs in the WF_DIRECTORY package.
You can still use ad hoc roles, however, since Workflow roles are not maintained through OID.

See Also

Setting Global User Preferences

Workflow LDAP APIs, Oracle Workflow API Reference

User Entry Has Changed Event, Oracle Workflow Developer's Guide

Managing Job Queues, Oracle Administrator's Guide

Workflow Directory Service APIs, Oracle Workflow API Reference


         Previous  Next          Contents  Index  Glossary


Oracle Logo
Copyright © 2003 Oracle Corporation.

All rights reserved.