Thursday, March 01, 2007

oraDAV Portal and Third Party Authentication

Have you used the Oracle Drive with your portal? It is easy to set up and it is a great feature. Do you use Third-Party Authentication (TPA) with Oracle Single Sign-On (SSO)? You probably don't need it, but if your company has another SSO standard, at least it is fairly easy to set up.

What if you want to use both? It seems like it should be possible. Search the documentation and you won't find anything saying you can't. So it should work, right? Maybe. Nothing in the documentation tells you how, either. So far it is impossible to tell. Oracle Support has an SSO group (for TPA), an HTTP Server group (for oraDAV), and a Portal group. Getting them to work together on this is going to be tons of fun. I'll give an update when we figure it out.

Update

Still waiting on something from Oracle Support, but I have figured out that Portal access through mod_oradav does not use SSO at all. It just does a test bind against OID with the credentials the client supplies. SSO can be completely down and it will still authenticate (without TPA) as long as OID is up.

This means that the authentication likely happens directly from Portal via dbms_ldap. If this is the case, the credential being checked is the user's password as stored in OID, not whatever the SSO TPA mechanism is configured to validate. This won't be a problem if you keep users' passwords in OID in sync with whatever your TPA mechanism uses, but it is a problem, as in my case, when OID doesn't have any idea what the users' real passwords are.

Update 2

It is clear that Portal is doing the authentication against OID. No word from Oracle on whether this is by design or if there could ever be a TPA solution. For now I have to assume that it won't work unless passwords are stored in OID. The next step is to find a way to sync those passwords.
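If you want to reproduce the test bind that the two updates above describe, the following PL/SQL block is an added example, not code from the original post or from Oracle, and it uses the DBMS_LDAP package the post names as the likely mechanism. It resolves a user's nickname to a DN and then binds to OID as that user with a supplied password, which is exactly the check that decides whether Oracle Drive accepts the login. The host, port, user base DN, nickname attribute (uid) and test user are assumptions; change them for your directory.

```sql
-- Added example (not from the original post): reproduce the OID "test bind"
-- that Portal/mod_oradav is observed to perform, so you can check whether
-- the password a user types into Oracle Drive is the one OID actually holds.
-- All connection details below are assumptions; adjust them for your site.
SET SERVEROUTPUT ON
DECLARE
  l_host      VARCHAR2(256) := 'oid.example.com';            -- assumed OID host
  l_port      PLS_INTEGER   := 389;                          -- assumed non-SSL port
  l_base      VARCHAR2(256) := 'cn=users,dc=example,dc=com'; -- assumed user container
  l_nickname  VARCHAR2(256) := 'jdoe';                       -- assumed test user (uid)
  l_password  VARCHAR2(256) := 'the-password-to-test';       -- what the user types

  l_session   DBMS_LDAP.session;
  l_result    DBMS_LDAP.message;
  l_entry     DBMS_LDAP.message;
  l_attrs     DBMS_LDAP.string_collection;
  l_rc        PLS_INTEGER;
  l_user_dn   VARCHAR2(1024);
BEGIN
  -- Raise exceptions on LDAP errors instead of returning codes.
  DBMS_LDAP.use_exception := TRUE;

  -- Step 1: resolve nickname -> DN. This assumes anonymous search of the
  -- user container is permitted; if not, bind as an application identity
  -- with read access to the container before searching.
  -- l_nickname is a fixed test value here: never build an LDAP filter by
  -- concatenating untrusted input (LDAP injection).
  l_session  := DBMS_LDAP.init(l_host, l_port);
  l_attrs(1) := 'dn';
  l_rc := DBMS_LDAP.search_s(l_session, l_base, DBMS_LDAP.SCOPE_SUBTREE,
                             '(uid=' || l_nickname || ')', l_attrs, 0, l_result);
  IF DBMS_LDAP.count_entries(l_session, l_result) <> 1 THEN
    DBMS_OUTPUT.put_line('Expected exactly one entry for uid=' || l_nickname);
    l_rc := DBMS_LDAP.unbind_s(l_session);
    RETURN;
  END IF;
  l_entry   := DBMS_LDAP.first_entry(l_session, l_result);
  l_user_dn := DBMS_LDAP.get_dn(l_session, l_entry);
  l_rc      := DBMS_LDAP.unbind_s(l_session);

  -- Step 2: the test bind itself, as the user. Success means OID holds the
  -- password that was supplied; failure means Oracle Drive will reject the
  -- login no matter what the SSO TPA mechanism would have accepted.
  l_session := DBMS_LDAP.init(l_host, l_port);
  l_rc      := DBMS_LDAP.simple_bind_s(l_session, l_user_dn, l_password);
  DBMS_OUTPUT.put_line('Bind OK as ' || l_user_dn || ' (password matches OID)');
  l_rc      := DBMS_LDAP.unbind_s(l_session);
EXCEPTION
  WHEN OTHERS THEN
    -- simple_bind_s raises here on a wrong password (or a locked account);
    -- this is the case where OID does not know the user's real password.
    DBMS_OUTPUT.put_line('Bind FAILED for ' || NVL(l_user_dn, l_nickname)
                         || ': ' || SQLERRM);
END;
/
```

Two things to keep in mind when running this against a real directory: a simple bind over port 389 sends the password in the clear, so use an SSL port with DBMS_LDAP.open_ssl (or run it only from the database host over a trusted network), and each failed bind counts against the OID password-policy lockout threshold, so don't loop it over a list of guesses.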
