Jason Bennett's Developer Corner

 







 

 

A Little About Jason Bennett ...

I've had an interest in publishing technical articles and HELPFUL code for a few years.  I am (by trade and hobby) a developer who specializes in Oracle technologies and web based architectures.  I have been an employee of both TUSC and Oracle Corporation.  My intent here is to share my ideas and coding experiences with the developer community as a whole.  As with all developers some of my ideas are great and some of them are ....  well you know.  Anyway, I hope you find something here that will aid in your endeavor, or spark a new idea. 

I am more than happy to assist with technical issues and will even write a little code if need be. If you find something on the site that is really useful and you'd like to make a contribution (absolutely up to you and absolutely not required), just click the "Make a Donation" button on the left!

Good luck and good coding !




  Monday, April 19, 2004


Using PHP to Create Custom SSO Login and Sign-Off Pages

 

Creating custom SSO Login and Sign-Off screens for OracleAS 10g is quick and easy with PHP.

by David Jason Bennett

If you have installed OracleAS 10g Enterprise Edition and are ready to create custom SSO login and sign-off pages, then you might want to consider using PHP over the traditional PL/SQL and JSP methods.  This article demonstrates how quick and easy it is to create and manage custom login and sign-off pages for SSO using PHP.

Overview of Custom SSO Login and Sign-Off pages

If you have developed SSO enabled applications under 9iAS or OracleAS 10g, then you know that initial access to those applications is granted through a login screen.  Conversely, the action of logging out results in the display of a sign-off page that contains a list of partner applications and verifies that the user has been successfully logged out of each partner application.  The login page and the sign-off page play vital roles in the Single Sign-On process.  The login page is responsible for user authentication and for creating the uniquely encrypted session cookie used by the login server to validate that the user is currently authenticated.  The sign-off page ensures that the user is completely logged out of all other partner applications.

Chapter twelve (12) of the Oracle Application Server Single Sign-On Administrator’s Guide 10g (9.0.4) describes the framework provided as part of the Login Server for creating customized login/sign-off pages.  The chapter also details the steps required to register your custom pages with the login server. Although the sample page code provided in the Oracle documentation is focused around PL/SQL and JSP, the framework can be used with virtually any web-based technology.  The remainder of this article demonstrates how you can use PHP as an alternative to PL/SQL and JSP to build your SSO login and sign-off pages.

A big advantage of using PHP over PL/SQL and JSP is the ease with which the pages can be deployed and modified.  With PHP, you simply open the file, make a change, and save the file.  The new page and changes are picked up instantly.

Step 1: Configure OracleAS 10g to Use PHP

The first step in the process of creating our custom login/sign-off pages is to configure PHP under OracleAS 10g.  If PHP is already installed on the machine that is hosting OracleAS 10g, then configuring PHP to run under OracleAS 10g’s version of Apache is a simple matter of adding the following entries to the httpd.conf :

LoadModule php4_module libexec/libphp4.so

# PHP Mod Section
<IfModule mod_php4.c>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
</IfModule>

The shared object library, libphp4.so, should be placed in the $ORACLE_HOME/Apache/Apache/libexec directory of the OracleAS 10g instance home.  A note of caution: if your version of PHP was included as part of your Linux or Unix distribution, it may have been compiled against Apache 2.0.  If this is the case, then the libphp4.so file generated during the compilation of the PHP binaries will not be compatible with OracleAS 10g’s version of Apache.  You will have to reinstall/recompile PHP against OracleAS 10g’s Apache distribution.  If PHP is not installed on your host machine, then you will need to download it from http://www.php.net and install it.  Follow these steps (as root) to install PHP on your Linux or Unix server.

1. Download and expand the PHP source tarball in the directory of your choice. I recommend expanding it under the /opt directory.  After the tar file is expanded you will see a directory such as /opt/php-4.3.4 (this may vary depending upon the release of PHP you are installing).

2. Make sure that the ORACLE_HOME environment variable is set to the ORACLE_HOME where OracleAS 10g is installed.

3. Navigate to /opt/php-4.3.4 and execute the following command:

   ./configure --with-oci9=$ORACLE_HOME \
               --with-apxs=$ORACLE_HOME/Apache/Apache/bin/apxs \
               --enable-sigchild

4. Execute the ‘make’ command with no parameters.  Note, you may need to copy the contents of the $ORACLE_HOME/Apache/Apache/include to /opt/php-4.3.4/include if you get errors during the make phase related to the location of include (.h) files.

5. If step 4 was successful, execute the command ‘make install’.

6. PHP should now be installed on your machine. Copy the file libphp4.so from /opt/php-4.3.4/libs to $ORACLE_HOME/Apache/Apache/libexec.

Step 2: Create an Apache/OHS Alias for your PHP Pages

Now that PHP is installed and configured under OracleAS 10g, you need to create a physical directory to hold your PHP pages.  You can place the directory anywhere as long as the Oracle user has read access to it.  After you have created the directory, you will need to map it to an alias under OHS (Apache).  In the $ORACLE_HOME/Apache/Apache/conf/httpd.conf file, under the <IfModule mod_alias.c> entry, add another set of entries similar to the following:

Alias /php/ "/opt/oracle/MyDevelopment/PHP/"

<Directory "/opt/oracle/MyDevelopment/PHP">
     # Indexes turns on directory listings for this alias; omit it to keep the list of PHP files private.
     Options Indexes MultiViews
     AllowOverride None
     Order allow,deny
     Allow from all
</Directory>

This new Alias will form the basis for URLs that access your PHP pages.  The URLs will have the form http://<hostname>:<port>/php/<filename>.php

Step 3: Creating the PHP Login Page

As mentioned earlier, chapter twelve (12) of the Oracle Application Server Single Sign-On Administrator’s Guide 10g (9.0.4) goes into great detail with respect to the required parameters and components of a custom SSO login page, as well as providing sample code for both PL/SQL and JSP versions of a custom SSO login page.  All custom SSO login pages will have the following page parameters at a minimum:

· site2pstoretoken – Parameter that contains the authentication request token for login processing. The login server passes this parameter to the page.

· ssousername – Parameter that contains the name of the user logging in.

· password – Parameter that contains the user’s password.

· p_submit_url – Parameter that contains the URL to which the page submits.  The login server passes this parameter to the page.

· p_error_code – Parameter that contains any authentication related error code. The login server passes this parameter to the page if an error occurs during authentication.

· p_cancel_url – This parameter contains the URL to which the user will be redirected if the cancel button or link is pressed.

The following is a working example of a custom login page coded with PHP:

<?php

  // Read each expected parameter by name instead of importing every request
  // variable into the global scope. POST overrides GET, as "gp" did.
  function sso_param($name) {
    if (isset($_POST[$name])) { return $_POST[$name]; }
    if (isset($_GET[$name]))  { return $_GET[$name]; }
    return null;
  }

  // Escape a value for output in HTML text or inside a quoted attribute.
  function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES);
  }

  $str_token  = sso_param("site2pstoretoken");
  $str_user   = sso_param("ssousername");
  $str_err    = sso_param("p_error_code");
  $str_cancel = sso_param("p_cancel_url");
  $str_submit = sso_param("p_submit_url");
?>
<html>
<head>
<title> PHP Single Sign-On Page</title>
<style>

  .banner_div { background-color: red;
               color: white;
               font-size: 50;
               text-align: center;
               padding-top: 1.0%;
               height: 10% ;
               position: relative;}

  .error    { color: red }

</style>
</head>

<body bgcolor="white">
<div class="banner_div" width="100%" valign="center">
PHP Single Sign-On
</div>
<div align="center">

<?php
   // The login server always passes the request token; without it the page was opened directly.
   if (! is_null($str_token)) { ?>

  <form action="<?php print(h($str_submit)) ?>" METHOD='POST' name='LoginForm' AutoComplete='off'>
    <input type='hidden' name='site2pstoretoken' value='<?php print(h($str_token)) ?>'>
    <input type='hidden' name='p_submit_url' value='<?php print(h($str_submit)) ?>' >
    <table>

   <?php
      //Check for error messages
      if (trim((string) $str_err) != ""){
   ?>
      <tr><td>Error:</td><td><div class="error"><?php print(h($str_err)) ?></div></td></tr>

    <?php } ?>

     <tr><td>Username:</td><td><input type='text' name='ssousername' size='15' maxlength='80' value=''></td></tr>
     <tr><td>Password:</td><td><input type='password' name='password' size='15' maxlength='255' value=''></td></tr>
   <tr>
   <td align='center' valign='middle' colspan='2'>
     <input type='submit' value='Login'>
     <!-- The cancel URL sits in a JavaScript string inside an attribute: escape for JavaScript first, then for HTML. -->
     <input type='button' name='p_request' value='Cancel' onClick='javascript:document.location.href = "<?php print(h(addslashes((string) $str_cancel))) ?>"'>
   </td>
   </tr>
  </table>
  </form>

<?php }else{ ?>

   <h2><center><div class="error">This page can not be accessed directly!</div></center></h2>

<?php } ?>

</div>
</body>
</html>

 

After you have created your custom login page, save it in the directory you created in step 2 with a file extension of php (ssologin.php).  The page should be accessible immediately through any web browser.

Step 4: Creating the PHP Sign-Off Page

The steps required to create a custom Sign-Off page are very similar to those required to create the login page.  The following page parameters are required for every sign-off page:

· p_app_name[1..n] – Parameter(s) representing the names of the partner applications participating in the Single Sign-Off process.  There is a parameter of the form p_app_name1..p_app_name(n) for each partner application associated with the login server.  The sign-off page will be required to execute a loop to discover each parameter.

· p_app_logout_url[1..n] – Parameter(s) containing the partner application logout URL.  The successful execution of each URL results in the display of an icon in the form of a check mark. There is a parameter of the form p_app_logout_url1..p_app_logout_url(n) for each partner application associated with the login server. The sign-off page will be required to execute a loop to discover each parameter.

· p_done_url – Parameter containing the URL to the application from which the user logged out.

The following is a working example of a custom sign-off page coded with PHP:

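<?php

  // Read each expected parameter by name instead of importing every request
  // variable into the global scope. POST overrides GET, as "gp" did.
  function sso_param($name) {
    if (isset($_POST[$name])) { return $_POST[$name]; }
    if (isset($_GET[$name]))  { return $_GET[$name]; }
    return null;
  }

  // Escape a value for output in HTML text or inside a quoted attribute.
  function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES);
  }

  $done_url  = sso_param("p_done_url");

 ?>
<html>
<head>
<title> PHP Single Sign-Off Page</title>
<style>

  .banner_div { background-color: red;
               color: white;
               font-size: 50;
               text-align: center;
               padding-top: 1.0%;
               height: 10% ;
               position: relative;}

  .error    { color: red }

</style>
</head>

<body bgcolor="white">
<div class="banner_div" width="100%" valign="center">
PHP Single Sign-Off
</div>
<div align="center">

<?php

   $i=0;
   for(;;)
   {
      $i++;

      //Look up the numbered parameters for partner application $i.
      $app_name = sso_param("p_app_name".$i);
      $url_name = sso_param("p_app_logout_url".$i);

      if(trim((string) $app_name)!=""){

         if ($i==1){
          print("<table border=1 >");
          print("<tr>");
          print("<th>Application Name</th>");
          print("<th>Logout Status</th>");
          print("</tr>");
         }

         //Requesting the logout URL as an image logs the user out of that
         //application; the returned image is the check mark.
         print("<tr>");
         print("<td>");
         print(h($app_name));
         print("</td>");
         print("<td><img src='");
         print(h($url_name));
         print("'></td>");
         print("</tr>");

      }else{

         //No more partner applications: close the table, or report direct access.
         if ($i>1){
            print("</table>");
            print("<br>");
            print("<form><INPUT TYPE='button' NAME='p_request' VALUE='Return' ");
            print(" onClick='javascript:document.location.href = \"");
            //Escape for the JavaScript string first, then for the HTML attribute.
            print(h(addslashes((string) $done_url)));
            print("\";'>");
            print("</form>");
         }else{

            print("<h2><center><div class=\"error\">This page can not be accessed directly!</div></center></h2>");

         }

         break;
      }
   }
?>

</div>
</body>
</html>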

 

After you have created your custom sign-off page, save it in the directory you created in step 2 with a file extension of php (ssosignoff.php).  The page should be accessible immediately through any web browser.
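
The login form from step 3 posts the password to whatever p_submit_url contains, and both pages send the browser to p_cancel_url, p_done_url or the p_app_logout_url values, so it is worth pinning those parameters to known origins before using them. The following allow-list check is an added example, not code from the original article or from Oracle; the host names, ports and function names (sso_origin, sso_trusted_url) are assumptions.

```php
<?php
// Added example (not from the original article). Hosts, ports and helper names
// are assumptions; list your own origins, always written as scheme://host:port.
$SSO_TRUSTED_ORIGINS = array(
    'https://login.example.com:4443',  // login server: p_submit_url
    'http://portal.example.com:7777',  // partner app: p_cancel_url, p_done_url, p_app_logout_urlN
);

// Normalise an absolute http(s) URL to "scheme://host:port"; null for anything else.
function sso_origin($url)
{
    // Control characters, spaces and backslashes are parsed differently by browsers.
    if (!is_string($url) || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return null;
    }
    $p = @parse_url($url);
    if (!is_array($p) || !isset($p['scheme']) || !isset($p['host'])) {
        return null;                       // relative URL, javascript:, data:, garbage
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                       // userinfo can disguise the real host
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme != 'http' && $scheme != 'https') {
        return null;
    }
    $port = isset($p['port']) ? $p['port'] : ($scheme == 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

// Return $url when its origin is on the allow-list, otherwise null.
function sso_trusted_url($url, $trusted)
{
    $origin = sso_origin($url);
    return ($origin !== null && in_array($origin, $trusted, true)) ? $url : null;
}

// Constructed values standing in for request parameters.
$samples = array(
    'https://login.example.com:4443/sso/auth',       // expected login server
    'https://login.example.com.attacker.test/auth',  // look-alike host
    'https://login.example.com:4443@attacker.test/', // trusted name used as userinfo
    'javascript:void(0)',                            // not http(s)
    '/sso/auth',                                     // relative, no host to check
);
foreach ($samples as $s) {
    print((sso_trusted_url($s, $SSO_TRUSTED_ORIGINS) === null ? 'REJECT ' : 'ACCEPT ') . $s . "\n");
}
```

In ssologin.php, pass p_submit_url through sso_trusted_url() and fall through to the "can not be accessed directly" branch when it returns null; only the first sample above is accepted.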

Step 5: Registering the New Pages with the Login Server

The final step in the process of creating custom SSO login and sign-off pages is to register them with the login server.  In past releases of the application server, both pages were registered by updating the WWSSO_LS_CONFIGURATION_INFO$ table in the ORASSO schema (or login server schema).  The WWSSO_LS_CONFIGURATION_INFO$ table contains a column called LOGIN_URL that determines the location of each of the pages associated with the login server:

· Login Page

· Change Password page

· Single Sign-Off Page

By default, the column LOGIN_URL contains the entry ‘unused unused unused’.  Each ‘unused’ represents a placeholder for a custom page.  In the past, the first ‘unused’ was a placeholder for the login page.  The second ‘unused’ was a placeholder for the change password page.  Starting with OracleAS 10g, the placeholders for the login page and the change password page are no longer represented in the WWSSO_LS_CONFIGURATION_INFO$ table.  Instead, they are represented by the parameters loginPageUrl and chgPasswordPageUrl found in the $ORACLE_HOME/sso/conf/policy.properties file of the OracleAS 10g Infrastructure instance.  The Single Sign-Off page is still represented by the third ‘unused’ placeholder in the WWSSO_LS_CONFIGURATION_INFO$ table.

To register the login page created in step 3, edit the $ORACLE_HOME/sso/conf/policy.properties file under the OracleAS 10g Infrastructure home and add an entry similar to the following:

loginPageUrl = http://<host>:<port>/php/ssologin.php

To register the sign-off page created in step 4, log in to the ORASSO schema in the database instance where the login server was installed (typically the Infrastructure database instance).  The password for ORASSO can be located in OID under the following DN: OrclResourceName=ORASSO,orclReferenceName=asdb,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext

After successfully logging in to the ORASSO schema, execute a DML statement similar to the following:

UPDATE WWSSO_LS_CONFIGURATION_INFO$
SET LOGIN_URL='UNUSED UNUSED http://<host>:<port>/php/ssosignoff.php';

COMMIT;

After registering both pages, stop and start the SSO processes on the OracleAS 10g Infrastructure.  To test the pages, simply try logging in to any partner application such as Oracle Portal.

Conclusion

This article served to demonstrate how quick and easy it is to create and manage custom login and sign-off pages for OracleAS 10g SSO using PHP. The article also provided specific instruction on how to install PHP under OracleAS 10g’s version of Apache. 

 

David Jason Bennett (djboracle@aol.com)  has been an Oracle developer since 1994 and is formerly of Oracle Corporation.


6:57:20 PM    

© Copyright 2008 Jason Bennett.
Last update: 8/28/2008; 9:43:57 PM.
