synchronizing the user and sso sessions
TRANSCRIPT
8/4/2019 Synchronizing the User and SSO Sessions
http://slidepdf.com/reader/full/synchronizing-the-user-and-sso-sessions 1/3
1
Synchronizing the User and SSO Sessions: SSO Synchronization Filter
In Fusion Middleware 11g, a new component that synchronizes the container user session
and SSO session has been introduced. SSO Sync Filter is an Oracle WebLogic system filter
implementation that intercepts all requests to the container, acts on protected resource
requests, and attempts to synchronize the container's user session with the useridentifying header in OSSO (Proxy-Remote-User) or the user data in the Oracle Access
Manager SSO session cookie (ObSSOCookie).
SSO Synchronization Filter (SSO Sync Filter) is an implementation of the Servlet Filter
based on Java Servlet Specification version 2.3. SSO sync filter relieves applications from
tracking the SSO user session and synchronizing it with their respective sessions. Instead,
applications would only need to synchronize with container's user session.
SSO Sync Filter intercepts each request to the container and determines whether to act on
it based on certain HTTP headers that are attached to the request. Filter expects SSO agent
to have set those headers in the Web Tier. When access is made to unprotected areas of theapplication, the filter acts as a pass through. Once a protected resource is accessed, SSO
agents in the Web Tier, direct user to perform authentication with SSO system such as
Oracle Access Manager. After the authentication, Oracle Access Manager Identity Asserter
helps establish a user identity in form of JAAS Subject to the container and a user session is
created. WebLogic maintains the user session data as part of HTTP Session Cookie
(JSESSIONID).
Subsequent access to the application resources provides two pieces of information to the
SSO Sync Filter:
User identifying header in OSSO (Proxy-Remote-User) User data in the Oracle Access Manager SSO session cookie (ObSSOCookie)
The job of SSO Sync Filter is to make sure that the user identity in the container matches
with that of the SSO session. If there is a mismatch, filter invalidates the container's user
session. As a result, the downstream application would only have to track container usersession and react in a consistent fashion regardless of SSO environment in use.
Notes:
Enabled and Active by Default : SSO Sync Filter fetches the user information from
the configured tokens, gets the user from existing session (if any), invalidates the
session and redirects to the requested URL in case the CurrentSessionUser does not
match the incoming SSO User. Otherwise, the request is simply passed through.
If you have not configured the OSSO or Oracle Access Manager Assertion Providers
in your domain, the filter disables automatically during WebLogic Server start-up.
8/4/2019 Synchronizing the User and SSO Sessions
http://slidepdf.com/reader/full/synchronizing-the-user-and-sso-sessions 2/3
2
Active for All URI's by Default (/* ): No changes are required in the application
code.
Configured for the OSSO Tokens/Header: Proxy-Remote-User, and performs a
case insensitive match.
Configured for the Oracle Access Manager SSO Tokens/Header:
OAM_REMOTE_USER and REMOTE_USER, and does a case insensitive match. Global Logout : SSO Sync Filter is intended to provide the Single Logout Experience
to the Oracle Fusion Middleware applications that use the OSSO or Oracle Access
Manager Solutions. Is handled similarly to single sign-on. After global logout is
performed, SSO filter reconciles the session when subsequent access to an
application that has not cleaned up its session is made.
Any application that uses the OSSO or Oracle Access Manager Solutions is expected
to invalidate its session before making a call to OSSO logout or Oracle Access
Manager Logout. For more information on OSSO logout, see "SSO Logout with
Dynamic Directives". For details about Oracle Access Manager Logout,
see "Configuring Global Logout for Oracle Access Manager".
Application Session Time Out : SSO cookies typically track user inactivity/idle
times and force users to login when a time out occurs. OSSO and Oracle Access
Manager are no exception. Oracle Access Manager takes a sophisticated approach at
this and specifically tracks Maximum Idle Session Time and Longest Idle SessionTime along with SSO session creation time and time when it was last refreshed.
The general recommendation for applications that are maintaining their own
sessions when integrating with SSO systems is to configure their session time outs
close to that of SSO session time outs so as to make user experience remains
consistent across SSO and application session time outs.
You can alter the behavior of the SSO Sync Filter for application requirements by passing
various over-riding system properties to WebLogic. To do this, you change the Oracle
WebLogic startup script and check for EXTRA_JAVA_PROPERTIES in setDomainEnv.sh. The
properties and Sync behavior is shown in Table 10-13.
Table 10-13 SSO Sync Filter Properties and Sync Behavior
Area
Overriding System
Property
Default
value of
System
property
Default Behavior of the Sync
Filter
Status
(Active or
Inactive)
sso.filter.enable Not
configured
Enabled
Case sso.filter.name.exact.match Not Case Ignore Match
8/4/2019 Synchronizing the User and SSO Sessions
http://slidepdf.com/reader/full/synchronizing-the-user-and-sso-sessions 3/3
3
Area
Overriding System
Property
Default
value of
System
property
Default Behavior of the Sync
Filter
sensitive
matches
configured
Configured
Tokens
sso.filter.ssotoken Not
configured OSSO: Look for Proxy-
Remote-User
Oracle Access Manager:
Look for
OAM_REMOTE_USER and
REMOTE_USER.
OAM_REMOTE_USER takes
precedence.
URI
Mappings
Not Applicable Not
Applicable
/*
You cannot enable the filter for selected applications. The SSO Sync Filter is a system filter.
As such, it is activated for all deployed applications (the URI mapping is /*).
Note:
You cannot enable the filter for selected applications.
The following procedure gives some tips about modifying the SSO Sync filter propertiesand behavior.
To modify the SSO Sync Filter properties and behavior
1. Disable the Filter: Change the system property "sso.filter.enable" to "false" (pass as
-D to the jvm) and restart the Oracle WebLogic Server. This toggles the filter status.
2. User-Identifying Header Differs from Pre-Configured Sync Filter Tokens: Over-
ride the SSO token that the Sync Filter looks for using the system property
"sso.filter.ssotoken".
For example, pass to the WebLogic Server jvm in the WebLogic Server startup script -Dsso.filter.ssotoken=HEADERNAME, and restart the server.