Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 E-mail Us
 Oracle Articles
New Oracle Articles

 Oracle Training
 Oracle Tips

 Oracle Forum
 Class Catalog

 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Oracle Support

 SQL Tuning

 Oracle UNIX
 Oracle Linux
 Remote s
 Remote plans
 Application Server

 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support

 Remote S


 Consulting Staff
 Consulting Prices
 Help Wanted!


 Oracle Posters
 Oracle Books

 Oracle Scripts

Don Burleson Blog 









OracleAS Single Sign-On (SSO)

Oracle Application Server Tips by Burleson Consulting

Prior to the introduction OracleAS SSO, each component within OracleAS required separate password and authentication management.  Besides the duplication of passwords, the lack of a unified security interface presented a huge maintenance issues and also compromised the overall manageability of the application.

Without SSO, every user is required to maintain a distinct password for every application in the enterprise.  As anyone who has dozens of passwords can tell you, they must write-down the passwords, which can cause a serious security breach.  With SSO, each user has only one password for all applications within the OracleAS framework.

Unlike traditional Oracle applications, SSO is designed for web-based users.  Any Oracle system can be web-enabled, and the end-user community can securely access their applications from the Internet, anywhere in the world.  The central components of OracleAS SSO are the mod_osso module and the SSO login server, and that will be the focus of our SSO exploration.  As an OracleAS administrator, you are responsible for maintaining enterprise security, and knowledge of SSO administration is required.

OracleAS uses two techniques for end-user authentication, one for local ?partner? applications (internal) and another for external applications.  Because of the infinite possible authentication mechanisms of external applications, they cannot be integrated into SSO and LDAP entries are used to manage security.

  • Local Partner Applications ? Local applications authentication is performed from a lookup table within the isadb schema on the repository.  The lookup table contains all of the data including the user ID, password and privileges for local users.

  • External applications - External SSO identification allows any third-party products to be incorporated in a OracleAS system.  External applications use the Oracle Internet Directory and OracleAS handles authentication using standard LDAP entries.  At connect time, OracleAS binds to OID and looks up the remote users credentials in the appropriate directory on the server.

While this chapter focuses on SSO administration, you can find details for user assignment and application management with SSO in Chapter 12, OracleAS Security.  Now that we understand the basic authentication methods of SSO, let?s take a closer look at the internals of SSO.  Let?s get started with a quick review of SSO management scripts and then look at the mod_osso utility and then learn how it is used to administer OracleAS SSO security.  Let?s start by exploring SSO configuration.

Configuring the SSO server

The configuration of SSO involves the creation and management of the server-side components for the SSO login server.  These configuration tasks include:

  • Allocate SSO directories ? These must be allocated with the proper OS permissions to maintain security

  • Set-up SSO configuration files ? These must contain the correct values for your system

  • Configure SSO programs ? These must be configured properly

  • Establish SSO library routines ? These must have proper group permissions

These are relatively trivial tasks, but crucial to the successful use of SSO.  Let?s start by looking at the SSO directory structures and understand the purpose and functions of the components within each directory.

SSO Directories

The SSO log-in server will have the following directories allocated at install time.  Each of these directories serves a specific purpose to SSO and contains important scripts and executables.

  • $ORACLE_HOME/reports/conf ? This directory has the configuration files for Oracle Reports

  • $ORACLE_HOME/sso/bin  ? This directory contain SSO executables

  • $ORACLE_HOME/dcm/bin ? This is the directory for the DCM utility files

  • $ORACLE_HOME/Apache/Apache/conf - This is the location of the mod_osso configuration file

  • $ORACLE_HOME/sso/lib ? This contains the  ossoreg.jar file and other SSO library routines 

These are the main driving directories for SSO and they contain important programs for SSO management.  One of the most important is the SSO configuration utility.  It is located in $ORACLE_HOME/sso/bin/, and is a shell script that invokes Java routines to manage the SSO layer.  The script accepts the new_host_name and new_port name as arguments.  For example, if we wanted to add server diogenes on port 1446 we would issue the following command: diogenes 1446

Internally, the script issues the following Java invocation, calling the Java program:

java $*

Now that we see the contents of SSO files, let?s take a quick look and enabling and configuring SSO.

Enabling SSO

Enabling SSO is quite simple.  Turning-on SSO requires adjusting the SINGLESIGNON parameter in the rwservlet configuration file (  When singlesession=yes, you are telling OracleAS that you will use SSO to authenticate users.  As we have noted, the rwservlet configuration file is usually found in the $ORACLE_HOME/reports/conf directory.

After you have completed configuring the SSO server, you must configure OHS to use SSO.  This is done by making an entry in the mod_osso.conf file and enabling mod_osso in the OMS configuration file. The file osso.conf contains partner registration record registered with Single Sign-On (SSO) server.  Once the OHS is configured for SSO, you can use SSO to protect individual resources via the SSO server.  There are several important directives in the file:

  • OSS Idle Timeout - If you set OssoIdleTimeout on, OracleAS will invoke a global inactivity timeout to disconnect idle sessions.  

  • OSS IP Check - If you set the OssoIpCheck on, OracleAS SSO will invoke a IP address check to ensure the authenticating browser is the same as the browser requesting access to protected facilities.

The SSO login server is the component of OracleAS that accepts the users? password and manages their access to all OracleAS applications.  After the user enters an accepted password, OracleAS sends a message to all applications that this user has been authenticated and (optionally) stores a cookie on the browser. This cookie is used for to avoid the need to re-enter the password during subsequent visits.

TIP: Any web browser that uses SSO should be configured to accept cookies because the end-user will become annoyed with the repeated login screens that are displayed without cookie support.

Because SSO governs security for the whole enterprise, you must have Full Administrator privileges on the login server to configure the SSO login server.  If you want to access the SSO login server from OracleiAS Portal, you must be an Authorized OracleAS Portal Administrator.

OracleAS repository has some important SSO log tables that assist in tracking SSO interaction and errors.  Let?s take a quick look at these log tables.


This is an excerpt from "Oracle 10g Application Server Administration Handbook" by Don Burleson and John Garmany.

If you like Oracle tuning, you may enjoy the new book "Oracle Tuning: The Definitive Reference", over 900 pages of BC's favorite tuning tips & scripts. 

You can buy it direct from the publisher for 30%-off and get instant access to the code depot of Oracle tuning scripts.


Oracle Training at Sea
oracle dba poster

Follow us on Twitter 
Oracle performance tuning software 
Oracle Linux poster


Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


Copyright © 1996 -  2017

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.

Remote Emergency Support provided by Conversational