Combining Oracle ADF and OID

In an upcoming project, I have to work with the Oracle Internet Directory. The situation: there are some existing Oracle Report and Forms applications. I will help them to develop their first Oracle ADF application. All these applications will use SSO for the authentication and autorisation. The accounts for the SSO are stored in OID. Now, I have used SSO before, but that was just the Java SSO of OC4J container (as described here). And this jSSO was based on a file-based sevurity provider. But now I have to use the Oracle SSO and it must be based on the Oracle Identity Management Security Provider instead of the XML file.
So this extra long weekend (in Holland we have an extra day off because of Easter) I started to look in to this matter. The first thing to do was to install the OID. I soon found out that this isn't installable as a separate product like Oracle XE, for example. I eventually ended up here and downloaded the necessary stuff (Oracle Identity Management Infrastructure and Oracle Identity Federation).
Running the setup went without any 'big' issues and some minutes later I had it running on my machine. (The only issue I had was that I had to remove the environment variable 'ORACLE_HOME' which I used for running the standalone OC4J Server on my laptop).
The first thing I wanted to try out was to use an ADF application in combination with the OID, without the SSO part. As ADF application I used the TUHRA application. TUHRA stands for 'The Ultimate Human Resource Application' and can be found here. Tha application is used in the book 'Oracle JDeveloper 10g for Forms & PL/SQL Developers' about which I blogged before. Anyway, if you have worked yourself through chapter 14 (about security), you will end up with an ADF application that has a web.xml that has something similar to:

If you deploy the application to your standalone OC4J Server, it will default use the file-based security provider. So the first thing to do is to modify the OC4J instance, so you can also use the OID as security provider. You do this to go to the OC4J Enterprise Manager and click the tab 'Administration'. See this picture:
You can then choose the option 'Identity Management' in the topic 'Security' and setup the connection to the OID installation you just did:

After this, you can change the security provider for each deployed application by choosing the option 'Security Providers' in the topic 'Security'. See this picture:

The final thing to configure is the TUHRA application itself. If you open the project 'ViewController' in JDeveloper, you can find a file 'orion-application.xml' in the directory 'META-INF'. With this file you can tell OC4J the application uses the LDAP security provider by giving the file the following content:

Now deploy the application and run it. You can now only access the application with users that are defined in the OID and that belong to a group in the OID that matches one of the roles in the web.xml, like this:

So far, so good, but now for the next challenge: to use the Oracle SSO module. A quick look at the documentation and howto makes me conclude that this cannot be done with a simple standalone OC4J Server, because a HTTP server is required. But I will dive into this and if I have it running, I will post it rightaway :)

Tags: Oracle ADF, Oracle iAS