
Forms Services Deployment Guide

Figure 9–2 Authentication Flow for Subsequent Client Requests

1. The user requests the Forms URL, as shown in the upper left side of the image.
2. The Forms servlet redirects the user to the OracleAS Single Sign-On Server and its login page, indicated on the bottom left of the image.
3. The user is redirected to the URL with the sso_userid information.
4. The Forms servlet retrieves the database credentials from Oracle Internet Directory, as shown in the center of the image.
5. The Forms servlet sets the user ID parameter in the Runform session and the applet connects to the Forms listener servlet.
6. The Forms servlet starts the Forms server, shown on the bottom right of the image.

9.2 Available Features with OracleAS Single Sign-On, Oracle Internet Directory and Forms

The following features and enhancements are available with this release of Oracle Forms Services:

■ Section 9.2.1, Dynamic Resource Creation When A Resource Is Not Found In Oracle Internet Directory
■ Section 9.2.2, Support for Dynamic Directives With Forms and OracleAS Single Sign-On
■ Section 9.2.3, Support for Database Password Expiration for Forms Running with OracleAS Single Sign-On

9.2.1 Dynamic Resource Creation When A Resource Is Not Found In Oracle Internet Directory

In single sign-on mode, when a user tries to connect to a database using Forms, the user is authenticated by mod_osso in combination with the OracleAS Single Sign-On Server and Oracle Internet Directory. Once the user is authenticated, the user is directed to the Forms servlet, which takes the user's request information containing the single sign-on user name. The user name and the application name build a unique pair that identifies the user's resource information for this application in Oracle Internet Directory.

When an authenticated Forms user has neither the resource for a particular application that is being requested nor a default resource in Oracle Internet Directory, then the user is redirected to the self-service console page of Oracle Internet Directory/DAS to dynamically create them. After creating the resource, the user is redirected back to the original Forms request URL.

The way Forms Services handles the missing resource information can be customized by the application or Forms Services administrator. The following options are available:

■ Allow dynamic resource creation (default)
■ Redirect the user to a pre-defined URL as specified by the ssoErrorUrl parameter
■ Display the Forms error message

The redirection URL is provided by the system administrator in the Forms configuration files and should be either absolute or relative.

9.2.2 Support for Dynamic Directives With Forms and OracleAS Single Sign-On

Enforcing single sign-on in Forms is done within the formsweb.cfg file. The single sign-on parameter, ssoMode, when set to TRUE, indicates that the application requires authentication by OracleAS Single Sign-On Server. This parameter allows a Forms Services instance to handle both application types, ones protected by database password and ones protected by OracleAS Single Sign-On Server. Because single sign-on is configured in the formsweb.cfg file, Enterprise Manager Fusion Middleware Control can be used to manage this aspect of authentication.
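
The following added example (not from the Oracle guide) audits a formsweb.cfg for the settings described in Sections 9.2.1 and 9.2.2: whether each configuration section enforces ssoMode, and which of the three missing-resource options applies. It assumes the INI-style layout in which named sections inherit from [default], and the parameter name ssoDynamicResourceCreate, which does not appear on this page; the sample file and report labels are constructed.

```python
import configparser

# Constructed sample formsweb.cfg (not from the guide), for illustration only.
SAMPLE_CFG = """
[default]
ssoMode=false
ssoDynamicResourceCreate=true

[hr]
ssoMode=TRUE

[payroll]
ssoMode=true
ssoDynamicResourceCreate=false
ssoErrorUrl=/forms/sso_error.html

[finance]
ssoMode=true
ssoDynamicResourceCreate=false

[legacy]
form=legacy.fmx
"""

def audit_formsweb(cfg_text):
    """Map each section to (sso_enforced, missing_resource_handling)."""
    # Assumption: named sections inherit unset parameters from [default].
    cp = configparser.ConfigParser(interpolation=None, default_section="default")
    cp.read_string(cfg_text)
    report = {}
    for name in ["default"] + cp.sections():
        sec = cp[name]
        sso = sec.get("ssoMode", "false").strip().lower() == "true"
        dynamic = sec.get("ssoDynamicResourceCreate", "true").strip().lower() == "true"
        error_url = sec.get("ssoErrorUrl", "").strip()
        if not sso:
            handling = "n/a"             # protected by database password only
        elif dynamic:
            handling = "dynamic-create"  # user is sent to OID/DAS self-service
        elif error_url:
            handling = "redirect:" + error_url
        else:
            handling = "forms-error"     # Forms error message is displayed
        report[name] = (sso, handling)
    return report

def unprotected_sections(report):
    """Sections that do not require OracleAS Single Sign-On authentication."""
    return sorted(name for name, (sso, _) in report.items() if not sso)
```

Sections returned by unprotected_sections are the ones to review first, since they rely on the database password alone.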

9.2.3 Support for Database Password Expiration for Forms Running with OracleAS Single Sign-On