
Third-Party Directory Integration Concepts and Considerations 16-23

4. The application provides content to the user.

Figure 16–5 Flow for Windows Native Authentication

When the user logs out of the Windows session, this application and any single sign-on applications accessed are logged out at the same time. To use Windows Native Authentication in deployments where Microsoft Active Directory is the central directory, a user must exist in Microsoft Active Directory. If Windows Native Authentication is enabled, then, for local Oracle Internet Directory users to invoke the single sign-on server, you must populate the attributes orclsamaccountname and krbprincipalname for each user entry.

16.3.3.2 Authenticating Users Against Multiple Microsoft Active Directory Domains

To authenticate users against multiple Microsoft Active Directory domains that are part of a single forest, create a global catalog and have Oracle Application Server Single Sign-On connect to the global catalog for authentication. However, if the domains are not part of the same forest, then you must create domain trusts between the domains. For detailed configuration procedures, refer to Configuring Windows Native Authentication on page 18-8.

16.3.3.3 Overriding an Application Authentication Mechanism with Windows Native Authentication

Windows Native Authentication does not automatically override an application's existing authentication mechanism. To use Windows Native Authentication and Oracle Application Server Single Sign-On with an application that contains an internal authentication mechanism, you must perform one of the following tasks:

■ Remove the application's internal authentication mechanism.

■ Configure the application as an Oracle Application Server Single Sign-On external application. This requires storing a valid application user name and password in the application configuration, making the authentication process transparent to the user after he or she logs in with Oracle Application Server Single Sign-On.

For more information, refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Single Sign-On.

16-24 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

16.3.4 Oracle Internet Directory Schema Elements for Microsoft Active Directory

Table 16–4 lists the schema elements in Oracle Internet Directory for users that are imported from Microsoft Active Directory.

Table 16–4 Oracle Internet Directory Schema Elements for Microsoft Active Directory

Schema Element | Description
orclObjectGUID | Stores Microsoft Active Directory's OBJECTGUID attribute value for users and groups migrated to Oracle Internet Directory from Microsoft Active Directory.
orclObjectSID | Stores Microsoft Active Directory's OBJECTSID attribute value for users and groups migrated to Oracle Internet Directory from Microsoft Active Directory.
orclSAMAccountName | Stores the value of Microsoft Active Directory's SAMAccountName attribute. In Oracle Internet Directory, this attribute is defined as a directory string type. However, in Microsoft Active Directory this attribute cannot accept any special or non-printable characters. If any entry is added in Oracle Internet Directory with this attribute, it can only contain a simple text string, or synchronization from Oracle Internet Directory to Microsoft Active Directory will fail.
orclUserPrincipalName | Stores the Kerberos user principal name for Microsoft Active Directory users.
orclADGroup | Contains Microsoft Active Directory group attributes, which are used to synchronize Microsoft Active Directory group objects with Oracle Internet Directory group objects in an Oracle Directory Integration environment.
orclADUser | Contains Microsoft Active Directory user attributes, which are used to synchronize Microsoft Active Directory user objects with Oracle Internet Directory user objects in an Oracle Directory Integration and Provisioning environment.
orclSourceObjectDN | Represents the DN for the respective entry in Microsoft Active Directory. This value is required to perform external authentication if different domains are mapped between both directories.

See Also: Oracle Fusion Middleware User Reference for Oracle Identity Management for detailed information about the Oracle Internet Directory schema elements for Microsoft Active Directory

16.3.5 Integration with Multiple Microsoft Active Directory Domain Controllers

A deployment of Microsoft Active Directory with multiple domains can have either a single DIT or a combination of two or more DITs. In Microsoft Active Directory, a group of DITs is called a forest. Figure 16–6 shows how a forest in Microsoft Active Directory is reflected in Oracle Internet Directory.
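The orclSAMAccountName note above (a value that Active Directory rejects breaks synchronization from Oracle Internet Directory) and the Windows Native Authentication requirement to populate orclsamaccountname and krbprincipalname for each local user entry both call for a pre-synchronization check. The following is an added example, not code from the Oracle documentation or product: it validates a candidate value against the sAMAccountName rules Microsoft documents (the rejected character list and the 20-character limit for user accounts are taken from Microsoft's documentation, not from this page) and, when the value is acceptable, emits an LDIF modify for the two WNA attributes. The Kerberos principal form <sAMAccountName>@<REALM> and the sample DN are assumptions.

```python
"""Pre-sync check for orclSAMAccountName plus LDIF for the WNA attributes (added example)."""

# Characters Active Directory rejects in sAMAccountName (from Microsoft documentation);
# the page itself only says "special or non-printable characters".
AD_INVALID_CHARS = set('"/\\[]:;|=,+*?<>')
AD_MAX_LEN = 20  # Windows limit for user account logon names (Microsoft documentation)


def check_sam_account_name(value):
    """Return a list of problems; an empty list means AD should accept the value."""
    problems = []
    if not value:
        return ["empty value"]
    if len(value) > AD_MAX_LEN:
        problems.append(f"longer than {AD_MAX_LEN} characters")
    # OID stores a directory string, so non-ASCII and control characters get through;
    # reject them here before they reach the AD connector.
    if any(not (32 <= ord(c) < 127) for c in value):
        problems.append("contains non-printable or non-ASCII characters")
    bad = sorted(set(value) & AD_INVALID_CHARS)
    if bad:
        problems.append("contains characters AD rejects: " + "".join(bad))
    if value.endswith("."):
        problems.append("ends with a period")
    if value != value.strip():
        problems.append("has leading or trailing whitespace")
    return problems


def wna_ldif(user_dn, sam_account_name, realm):
    """Build an LDIF modify that populates the two attributes WNA needs on an OID entry.

    Raises ValueError if the sAMAccountName would make OID-to-AD synchronization fail.
    The principal form <sAMAccountName>@<REALM> is an assumption of this example.
    """
    problems = check_sam_account_name(sam_account_name)
    if problems:
        raise ValueError(f"{sam_account_name!r}: " + "; ".join(problems))
    return (
        f"dn: {user_dn}\n"
        "changetype: modify\n"
        "replace: orclsamaccountname\n"
        f"orclsamaccountname: {sam_account_name}\n"
        "-\n"
        "replace: krbprincipalname\n"
        f"krbprincipalname: {sam_account_name}@{realm.upper()}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Constructed sample values; not taken from any real directory.
    print(wna_ldif("cn=jdoe,cn=users,dc=example,dc=com", "jdoe", "example.com"))
    for candidate in ("j:doe", "jane\tdoe", "a_very_long_logon_name_here"):
        print(candidate, "->", check_sam_account_name(candidate))
```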