You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Shilpa Potnis <Sh...@kpit.com> on 2001/08/24 12:23:30 UTC

A query on Single Sign On

Hi

I would like to know about the Single Sign On Facility.

If I have an application running on oracle apps server and one on Tomcat
can I use the single sign On Facility availiable with Apache. Of yes
how.

Shilpa

Re: A query on Single Sign On

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 24 Aug 2001, Shilpa Potnis wrote:

> Date: Fri, 24 Aug 2001 15:53:30 +0530
> From: Shilpa Potnis <Sh...@kpit.com>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: A query on Single Sign On
>
> Hi
>
> I would like to know about the Single Sign On Facility.
>
> If I have an application running on oracle apps server and one on Tomcat
> can I use the single sign On Facility availiable with Apache. Of yes
> how.
>
> Shilpa
>

Are you speaking of the Single Sign On facility included with Tomcat 4?
The instructions below apply only to Tomcat 4, so you'd have to consult
the Oracle app server docs for how to configure Oracle :-).

Basically, Single Sign On (SSO) lets you share an authenticated user
identity across the set of web applications that are running on a single
virtual host in Tomcat 4.  It is enabled by uncommenting the following
entry in server.xml:

  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
             debug="0"/>

The rules of the game go like this:

* All web apps in this virtual host must share the same
  <Realm> entry -- no <Realm> entries at the per-web-app
  level.

* All web apps in this virtual host can have security
  constraints that require authentication before access.
  Each of these web apps uses container managed security
  in the usual way (configure your favorite login method,
  and so on).

* The first time that the user accesses *any* protected
  resource in any of the apps, they will be asked to
  authenticate themselves.

* As the user switches to another app and accesses a
  protected resource there, the container will remember
  the user's identity, and not challenge them for
  authentication again.

* As soon as the user logs off from one webapp (i.e. by
  invalidating the session if you are using form based
  login), you are logged off from all of them.

* SSO support uses a cookie to maintain user identity,
  so clients must have cookies enabled.

To get a mental picture of how it works, think of a portal site like
Yahoo.  You're challenged to log on the first time you try to access one
of the apps (mail, chat, etc.), but then Yahoo remembers who you are
across all of the apps.

Craig