Deploying “Single-sign On” with RDC 46 OnSite: An examination of methods to allow Single-Sign-On for existing RDC 46 OnSite environments

Sunil G. Singh, Ahila Selvaraj
DBMS Consulting
12 October 2010
Systems Integration, Session 151

OHSUG 2010 San Antonio: SI Focus Group; Deploying “Single-sign On” with RDC 46 OnSite, October 2010

Acknowledgements

Many thanks to OHSUG for this opportunity to present to the OHSUG Systems Integration Focus Group.

Many thanks to the OHSUG Systems Integration Focus Group Chairs for their infinite patience in receiving and expeditious review of this presentation.

Many thanks to everyone who participated in the development of this presentation.

2010 DBMS Consulting, Inc. Unauthorized Duplication is Strictly Prohibited. Presented by: Sunil G. Singh

Assumptions

- Audience has a working knowledge of current OC/RDC 4.6 internals/architecture.
- Nothing presented is intended to bypass any security measures or GCP SOPs for the use of RDC.

Problem Statement

While products such as Oracle Identity Management (OIM) provide extremely robust solutions for Single-Sign On, Oracle RDC does not natively support this type of solution.

However, enterprise customers and external site users are seeking ways to have a protected, secure, public-facing RDC environment that does not expose their internal infrastructure to security risks, while still requiring only one username and password for accessing RDC.

Prerequisites for using Oracle RDBMS authentication in RDC

- The Oracle RDBMS USERNAME must be the SAME as the LDAP or AD username.
- If Oracle RDBMS authentication is used for RDC, then there must be a way to synchronize the Oracle RDBMS password with a more general authentication source, usually LDAP or AD.

Prerequisites for using Oracle RDBMS authentication in RDC (2)

- This can be done by having a password verification function applied to the RDC user's profile. The function, in turn, can make a call from the RDBMS to the external authentication source.
- DBMS_LDAP can provide the lookup and can delete and replace a changed password.
- On-line example.
- This method is useful since it takes into account all the ways a user can change a password at the RDBMS.

Prerequisites for using Oracle RDBMS authentication in RDC (3)

- Changes from an LDAP or AD interface can be pushed into the Oracle RDBMS.
- Oracle OID/OIM is one method of accomplishing this.
- NOTE: The password rules must then be common to all platforms. For example, not allowing a password to start with a number is a restriction in Oracle RDBMS, but it is allowed in LDAP or AD. So the LDAP or AD rules must be modified to be compliant with Oracle RDBMS rules.
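The profile password verification function that slides 6 and 7 describe, written out as an added example (it is not code from the presentation or from DBMS Consulting). It enforces the one rule the deck names as Oracle-specific (no leading digit) so the RDBMS and LDAP rule sets cannot drift apart, and on success replaces the userPassword attribute of the matching LDAP entry through DBMS_LDAP, relying on the prerequisite that the RDBMS username equals the LDAP username. The LDAP host, port, bind DN, base DN, wallet location, the uid naming attribute and the 8-character minimum are placeholders and assumptions, not values from the slides.

```sql
-- Added example, not from the presentation. Must be created in the SYS schema,
-- because PASSWORD_VERIFY_FUNCTION is resolved there by ALTER PROFILE.
-- Parameter order (username, password, old_password) is the fixed Oracle contract.
CREATE OR REPLACE FUNCTION rdc_verify_and_sync_pwd (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2
) RETURN BOOLEAN
IS
    -- All of the following are placeholders; replace with site values.
    ldap_host  CONSTANT VARCHAR2(64)  := 'ldap.example.com';
    ldap_port  CONSTANT PLS_INTEGER   := 636;                 -- LDAPS, never plain 389
    bind_dn    CONSTANT VARCHAR2(128) := 'cn=rdc-sync,ou=svc,dc=example,dc=com';
    bind_pwd   CONSTANT VARCHAR2(64)  := 'REPLACE_WITH_VAULT_LOOKUP';  -- do not ship literals
    base_dn    CONSTANT VARCHAR2(128) := 'ou=people,dc=example,dc=com';
    wallet_loc CONSTANT VARCHAR2(256) := 'file:/u01/app/oracle/wallet';
    wallet_pwd CONSTANT VARCHAR2(64)  := 'REPLACE_WITH_WALLET_PASSWORD';
    min_len    CONSTANT PLS_INTEGER   := 8;                   -- assumed house rule

    ld       DBMS_LDAP.SESSION;
    mods     DBMS_LDAP.MOD_ARRAY;
    vals     DBMS_LDAP.STRING_COLLECTION;
    rc       PLS_INTEGER;
    user_dn  VARCHAR2(256);
BEGIN
    -- Rule from the deck: Oracle rejects a leading digit, so enforce it here
    -- (and mirror it in the LDAP/AD policy) so both stores accept the same set.
    IF REGEXP_LIKE(SUBSTR(password, 1, 1), '^[0-9]$') THEN
        raise_application_error(-20001, 'Password must not start with a number');
    END IF;
    IF LENGTH(password) < min_len THEN
        raise_application_error(-20002, 'Password must be at least ' || min_len || ' characters');
    END IF;
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20003, 'New password must differ from the old one');
    END IF;

    -- Prerequisite: RDBMS username == LDAP username, so the entry DN is derivable.
    -- Assumes uid is the naming attribute under base_dn.
    user_dn := 'uid=' || LOWER(username) || ',' || base_dn;

    DBMS_LDAP.USE_EXCEPTION := TRUE;                 -- turn return codes into exceptions
    ld := DBMS_LDAP.init(ldap_host, ldap_port);
    rc := DBMS_LDAP.open_ssl(ld, wallet_loc, wallet_pwd, 2);  -- 2 = verify the server cert
    rc := DBMS_LDAP.simple_bind_s(ld, bind_dn, bind_pwd);

    -- "delete and replace" from the slide: a single MOD_REPLACE on userPassword.
    mods    := DBMS_LDAP.create_mod_array(1);
    vals(1) := password;
    DBMS_LDAP.populate_mod_array(mods, DBMS_LDAP.MOD_REPLACE, 'userPassword', vals);
    rc := DBMS_LDAP.modify_s(ld, user_dn, mods);
    DBMS_LDAP.free_mod_array(mods);
    rc := DBMS_LDAP.unbind_s(ld);

    RETURN TRUE;
EXCEPTION
    WHEN OTHERS THEN
        -- Fail closed: if LDAP could not be updated, refuse the RDBMS change too,
        -- otherwise the two stores end up holding different passwords.
        BEGIN
            rc := DBMS_LDAP.unbind_s(ld);
        EXCEPTION
            WHEN OTHERS THEN NULL;                   -- cleanup is best effort
        END;
        RAISE;
END rdc_verify_and_sync_pwd;
/

-- Attach it to the profile that RDC users are assigned to (profile name assumed).
ALTER PROFILE rdc_user LIMIT PASSWORD_VERIFY_FUNCTION rdc_verify_and_sync_pwd;
```

Two points to check before relying on this in an 11g environment: the outbound LDAP connection from PL/SQL needs a network ACL granted with DBMS_NETWORK_ACL_ADMIN for the host and port used, or DBMS_LDAP.init fails; and because the function sees the cleartext password, the LDAP session must be TLS-protected and the bind credentials must come from a wallet or vault rather than a literal, which is why those values are left as placeholders above.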

Scenario 1: Use external .JSP or .PHP scripts from Juniper or Cisco

- As Juniper and Cisco are both common public-facing network devices which can also be used to authenticate public-facing users, they are both also capable of calling a .JSP or .PHP script located on the RDC Application server.
- Using a concept of "tokenizing", the username and password can be stored in the logon session of the network device and passed as a POST parameter to the .JSP or .PHP scripts.
- The .JSP or .PHP script can then log into RDC OnSite automatically.
- On-line example.

Scenario 1: Use external .JSP or .PHP scripts from Juniper or Cisco (2)

- Note that the POST parameters can be derived from looking at the View Source of the actual RdcLogin.do page. In the lower section, the required parameters are listed, along with their defaults. Note that some are optional and some are "HIDDEN", meaning that they could be required but are not shown in the calling browser URL. (EXAMPLE WILL FOLLOW IN FINAL PRESENTATION)
- Computation of date and time has to be taken into account. Using the script on the RDC application server itself could lead to some issues in DISPLAYED time (not audit trail timestamps), since these values would then be computed from the RDC Application Server and not from the user's desktop local time.

Scenario 2: Integration with SiteMinder

- SiteMinder is also very common for managing public-facing web applications.
- SiteMinder has native APIs built in for authentication to LDAP.
- Using any Java tool, these APIs can be called with a similar passthrough mechanism to authenticate against the RDC instance. This implies a separate login page is built in Java, which then checks LDAP and then passes through to RDC.
- This application can be extended to also allow resets of the password across both LDAP and RDC.
- On-line example.

Scenario 3: Changing the authentication mechanism in the Oracle RDBMS

- Given RDC 4.6 uses Oracle 11g, there are many features in Advanced Security which allow the 11g RDBMS to change the way clients authenticate:
  - Kerberos
  - PKI
  - RADIUS
- OIM also can change the default mechanism for account and user authentication if the Oracle RDBMS is connected to an OIM repository.

Scenario 3: Changing the authentication mechanism in the Oracle RDBMS (2)

- In an environment that uses central authentication based on these methods, SSO is then achievable within RDC by leveraging the fact that the RDC instance no longer requires a password from the RDBMS level.
- This method is not officially supported, but there are customers using this method today.
- On-line example.

Customized Solutions for SSO with RDC

- Possible to build a customized interface or portal page.
- Suggest using SPML version 2.0 standards; extensible metatagging available.
- Token-based SSO also possible.
- Biometrics also possible.

Biographies

Sunil G. Singh, President & CEO, DBMS Consulting, Inc.
Sunil is a Global Oracle Health Sciences deployment expert for DBMS Consulting. He has been an active member of the OHSUG community since 1996 and is extremely grateful for this opportunity to make these presentations at OHSUG 2010.

Ahila Selvaraj, Senior OHS Developer, DBMS Consulting, Inc.
Ahila is a Senior OHS Developer for DBMS Consulting, specializing in integration of OC to other OHS systems, with over 10 years of PL/SQL experience.

Contact Information

Sunil G. Singh
DBMS Consulting, Inc
singh@clinicalserver.com
1-860-983-5848