Sunday, March 27, 2011

Automated Single Sign-On through WebCenter PS3 External Application Connection

Every company maintains multiple Web applications, internal or external. To make these applications work together, we usually need to enable Single Sign-On (SSO) for authentication. Typically this is costly and requires advanced configuration. If you are building a portal solution with WebCenter PS3, you can avoid that complexity by leveraging the External Application Connection feature. Read more about this feature in the WebCenter Developer and Administration guides - 63.13 Working with External Applications and 25 Managing External Applications. As the developer guide states, automated SSO is supported for the J2EE security container login method (j_security_check) for authentication. We did several tests with a third-party Struts application where a custom-made security check was implemented. It works well too; I will share our test results with you in this post.

Download the sample Struts application; we are using it as a third-party secured application with its own Login page - There is also a WebCenter PS3 application, which defines the External Application Connection and integrates the external Struts application into the portal - You can deploy the Struts application on a WebLogic server: just extract the downloaded archive and point the installation wizard to the extracted Web folder. All required Struts libraries are already included in the sample archive:

To trigger automatic authentication against the external application, the WebCenter menu link must point to the ADF external application login servlet. As per the documentation, the menu link must be defined as follows: /adfextapplogin?extappid=applicationName. In my case, applicationName=myExtApp:

This menu item is set to be visible only to authenticated users:

We can deploy and log into our portal application - the menu link will be present. However, when the user clicks on it, a message saying that the external application is not found is shown:

It's possible to specify the External Application Connection at design time, with the JDeveloper wizard, or directly at runtime. Let's do this at runtime, through the WebCenter application administration console. The user must be granted at least the ConnectionManager role, but in this example let's grant the Administrators role. We can do this at runtime as well, no need to redeploy the WebCenter application. Just open Enterprise Manager and select the WebCenter application - ExternalAppAccess in our case:

Go to the security section and add user redsam to the Administrators role:

Now go to the WebCenter administration screen, Services -> External Applications section, and add a new connection:

Application Name must be the same as we defined in the WebCenter menu. For User ID and User Password, check the HTML source code of the Login page; in my example they are user_id and pswd respectively. For Login URL, check the form tag and use its action property for the Login URL string:

In my example, the Login URL has this format: http://server-ip:server-port/Web/ where Web is the Struts application name and is the action property value. The authentication method is POST, as you can see from the Login page HTML source. Complete connection information:

If needed, we can provide additional variable values for hidden fields; however, our example does not use such fields.
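As an added example (not code from the post or from WebCenter), here is a small Python script that performs the "check the HTML source of the Login page" step above mechanically: it parses a constructed Struts-style login page, finds the form that carries the password input, and maps its action, method, user and password field names and hidden fields onto the External Application Connection settings. The login page markup, the base URL and the hidden token name are constructed assumptions, not the post's real application.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin
# Constructed sample of a Struts-style login page (not the post's actual page),
# standing in for the "check the HTML source of the Login page" step.
SAMPLE_LOGIN_HTML = """
<html><body>
<form name="loginForm" method="post" action="/Web/login.do">
  <input type="hidden" name="org.apache.struts.taglib.html.TOKEN" value="abc123">
  User: <input type="text" name="user_id">
  Password: <input type="password" name="pswd">
  <input type="submit" value="Login">
</form>
</body></html>
"""
class LoginFormParser(HTMLParser):
    """Collects every <form> on the page together with its input field names."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "method": a.get("method", "get").upper(),
                         "user": None, "password": None, "hidden": {}}
        elif tag == "input" and self._cur is not None:
            kind, name = a.get("type", "text").lower(), a.get("name")
            if kind == "password":
                self._cur["password"] = name
            elif kind == "hidden":
                self._cur["hidden"][name] = a.get("value", "")  # extra variables for the connection
            elif kind in ("text", "email") and self._cur["user"] is None:
                self._cur["user"] = name  # first text input is taken as the User ID field

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def external_app_connection(app_name, base_url, html):
    """Map the login form that has a password field onto the connection settings."""
    p = LoginFormParser()
    p.feed(html)
    form = next((f for f in p.forms if f["password"]), None)
    if form is None:
        raise ValueError("no login form with a password field found")
    return {"Application Name": app_name, "Login URL": urljoin(base_url, form["action"]),
            "Authentication Method": form["method"], "User ID Field": form["user"],
            "Password Field": form["password"], "Additional Fields": form["hidden"]}
```

The returned dictionary lists exactly the values the administration screen asks for; a page whose form has no password input raises instead of guessing.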

Registered External Application Connection:

Let's login now as normal user, not administrator - redsam1:

Click on the external application link - if the current user tries to access the external application for the first time, WebCenter automatically renders the External Application Login Information ADF task flow to collect login credentials:

The sample Struts application accepts oracle/oracle as username and password; let's type it and press Login. Make sure you allow WebCenter to remember the login credentials - once authenticated, the provided credentials will remain mapped to the current WebCenter authenticated user:

Authentication completes successfully, and the external Struts application welcome page is loaded inside our portal:

Now we can log out and log in again with the same user, to test whether the external application login credentials were stored in the WebCenter security store:

Click on the external application link - this time authentication for the external Struts application is completed automatically, the same as it would be with an SSO solution:

The WebCenter portal solution allows access to external third-party applications and standard ADF application task flows from the same portal - an example of an ADF task flow accessed in the same portal:

Now let's log out and log in with another user, this time redsam2. This user has never authenticated with the external application, so WebCenter asks for login credentials:

We can uncheck the "Remember My Login Information" check-box and proceed with Login; in this case the username and password will not be stored inside the WebCenter security store, but authentication will still complete successfully:

If we log out and log in again with the same user redsam2, the user is asked to provide credentials again, since the login credentials for the external application were not stored inside the WebCenter security store:

You may ask what we should do if the external application username or password changes. That's not a problem at all; there is an out-of-the-box WebCenter PS3 ADF task flow - External Applications Change Password - that we can use:

Drag and drop it into any fragment or page, and reference that fragment or page from the WebCenter menu model:

At runtime, log in as user redsam1 and you will see that a second-level menu item is available - Change Password (as we specified in the WebCenter menu model). Click on it and you will get the standard Change Password ADF task flow from WebCenter:

Let's change the User Name to a wrong value, for test purposes:

Try to access the external Struts application - automatic login fails, because we set a non-existent user name:

Change the user name back to one that exists inside the Struts application:

The user is automatically authenticated through the WebCenter External Application Connection:


Anonymous said...

Hi! I have registered, in Oracle WebCenter Spaces, an external application which implements authorization and authentication (I tried ADF Security and JAAS).
When you click on the link in the WebCenter application to extapp://JaasSample for the first time, the WebCenter login screen (Connecting to My External Application) is laid out as it should be.
But after authorization, the login page of the external application is still shown, i.e. I do not get Single Sign-On (SSO). What should I do?

Andrejus Baranovskis said...

Maybe some properties for the login form are declared incorrectly....


Anonymous said...

In the Login URL field I wrote /j_security_check instead of / and it worked.
And one more question: how do I pass parameters from WebCenter to the external application?

Andrejus Baranovskis said...

There is a section to define parameters?


Chandra_Samal said...

Does WebCenter support AD for SSO?
If my org has an Intranet site (which picks up my Windows login to authenticate) from which I need to link my Spaces, and I need to establish SSO between my existing intranet website and Spaces,
how do I achieve this?
Spaces is configured to authenticate using AD (from WebLogic security realms).

Thanks in Advance

Andrejus Baranovskis said...

Yes, WebCenter runs on WebLogic and consumes security from WebLogic. It's enough to define SSO at the WebLogic level.


Mahesh Upadhyay said...

Hello Andrejus,

I have registered an external application and provided shared credentials, but I am getting "An unexpected error occurred while trying to automatically log in to the external application".

I have tried to connect to Yahoo Email and a PeopleSoft application.


Andrejus Baranovskis said...

I don't think it will work with Yahoo; not sure about PeopleSoft. Keep in mind, it works only with basic security.


Anonymous said...

Excellent post.
But I have a question about custom login modules in JDeveloper 10.1.3: how do I implement the Forgot Password JSP, and how can I define it in the faces-config.xml file or web.xml? I've tried to implement it using a servlet, but it does not work.
I am grateful for any hint.
The procedure is as follows:
The login page appears first in front of the user. The user fills in the login and password information and enters the application for further actions. After a successful login, the user can edit and save their profile information, change the password and log out. If the user is not able to log in to the application, i.e. has forgotten the password, they can get the password by clicking the link "Forgot Password?" on the login page itself. The user is asked for an email id; if it is valid and registered, the password is sent to that email id. The user can now log in to the application by checking the mail and getting the password from there.

Anonymous said...

Hi Andrejus,
I am trying to do the external web application integration with WebClipping. I've followed all the steps mentioned here, except I've used the WebClipping portlet producer, and also configured the external application connection from JDeveloper. But when I try to go to the external web application, I get this exception:

oracle.portlet.client.extapp.ExternalAppCredentialException: SOAP Exception Fault Code = SOAP-ENV:Server
Caused by: oracle.portlet.client.connection.web.pdkclient.SOAPException: Error: Failed to authenticate user with external application
oracle.webdb.provider.v2.utils.soap.SOAPException: Error: Failed to authenticate user with external application

Could you please tell me the reason behind this error?


Laxmi said...

Hi Andrejus,

We are trying to call a custom service which we have to open in a new window from an external app (Guidewire); how do we achieve this?

When we hit the custom service it asks for Oracle WebCenter credentials, but the user might have logged in from GW, so there will be a GW session running. In that case how do we pass the WebCenter credentials and open the service in a new window?