Enabling Proxy User Connections

Using Forms Services with Oracle Single Sign-On 9-13

■ Oracle Forms authenticates the user through Oracle Internet Directory or LDAP, as shown in the center of the image.
■ Forms then connects as the proxy user, with or without a password, passing in the real username from the Oracle Internet Directory repository.
■ Typically, the proxy user is configured with the least set of privileges. In the following procedure, the proxy user has connect and create session privileges.
■ The database accepts the create session action for the proxy user and uses the real username in audits and access control.
■ The Oracle Internet Directory user cannot connect to the database independently without configuration of the proxy user account.
■ The proxy user account isolates the client from direct SQL*Plus connections.

9.6.2 Enabling Proxy User Connections

To use proxy support in Forms, you first need to create a proxy user. In this example, the proxy user is called midtier:

1. Create a proxy user in the database:

   SQL> CREATE USER midtier IDENTIFIED BY midtierPW;

2. Assign connect and create session privileges to midtier:

   SQL> GRANT CONNECT, CREATE SESSION TO midtier;

   At this point, this proxy user has connect and create session privileges and has no grants on any of the user schemas.

3. Create a database user that has a one-to-one mapping with an SSO username; that is, if appuser is the SSO username, create the database user appuser:

   SQL> CREATE USER appuser IDENTIFIED BY appuserPW;

4. Assign create session privileges to appuser:

   SQL> GRANT CREATE SESSION TO appuser;

5. To make it possible to connect through the midtier user, alter the database user:

   SQL> ALTER USER appuser GRANT CONNECT THROUGH midtier;

   The user appuser can now connect through the midtier account. Alternatively, you can define the roles with which the proxy user can connect to the database:

   SQL> ALTER USER appuser GRANT CONNECT THROUGH midtier WITH ROLE role_name;

Repeat Steps 3 and 4 for all database users who need to use the proxy user account.

It is also possible to set up the database users in Oracle Internet Directory with the help of the database functionality called Enterprise User Security. If you choose this method, the proxy user is the only user defined in the database, and the additional benefit of easy administration is gained. For more information on using Enterprise User Security, refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory 11g Release 1 (11.1.1).

9-14 Forms Services Deployment Guide

The application user's password is not presented to the database; only the user name and the proxy user's user name and password are. Forms, with the help of OCI calls, issues the equivalent of:

   SQL> connect midtier[appuser]/midtierPW@databaseTnsName

For example, suppose your application always connects to the database using midtier. This midtier now informs the database that the actual user is appuser.
Without proxy users, the SQL command SELECT USER FROM DUAL would return midtier; with proxy users, the same query returns appuser. This essentially tells the database to trust that the user has been authenticated elsewhere, to let the user connect without a password, and to grant the connect role.
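The procedure above, carried through as one SQL*Plus script together with a way to verify from inside the proxy session that the database sees the real user, is given here as an added example; it is not from the deployment guide. The user names, passwords, the role forms_app_role, the object hr.employees and the TNS alias are constructed placeholders. The verification relies on the SYS_CONTEXT USERENV attributes and the PROXY_USERS and SESSION_ROLES dictionary views, which are standard Oracle Database features.

```sql
-- Added example, not from the Oracle Forms guide. All names and passwords are constructed.
-- Run the setup part as a DBA in SQL*Plus. The proxy user gets only the privileges the
-- guide gives it and owns no application objects.
CREATE USER midtier IDENTIFIED BY midtierPW;
GRANT CONNECT, CREATE SESSION TO midtier;

-- One database user per SSO identity. Forms never sends this password to the database.
CREATE USER appuser IDENTIFIED BY appuserPW;
GRANT CREATE SESSION TO appuser;

-- Keep application privileges in a role granted to the real user, not to the proxy.
CREATE ROLE forms_app_role;
GRANT SELECT ON hr.employees TO forms_app_role;   -- constructed example object
GRANT forms_app_role TO appuser;

-- Authorize the proxy. The WITH ROLE clause limits the proxy session to this role even
-- if appuser holds other roles directly.
ALTER USER appuser GRANT CONNECT THROUGH midtier WITH ROLE forms_app_role;

-- Review which proxy may act for which client (standard dictionary view).
SELECT proxy, client, authentication, role FROM proxy_users;

-- Connect the way Forms does: proxy credentials, target user in brackets.
CONNECT midtier[appuser]/midtierPW@databaseTnsName

-- Inside the proxy session: USER and SESSION_USER are the real user, PROXY_USER is the
-- proxy account, so audits and access control can distinguish both.
SELECT USER                                   AS effective_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
FROM   dual;

-- Only the role named in WITH ROLE is enabled in this session.
SELECT role FROM session_roles;

-- When the SSO account is retired, remove the proxy authorization (run as DBA):
-- ALTER USER appuser REVOKE CONNECT THROUGH midtier;
```

In the proxy session the query against dual returns APPUSER for the effective user and MIDTIER for PROXY_USER, which is the behaviour described above for SELECT USER FROM DUAL, and the session role list contains only FORMS_APP_ROLE. Checking PROXY_USERS periodically is a cheap way to confirm that no proxy authorization beyond the intended midtier account has been added.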

9.6.3 Enabling SSO in formsweb.cfg