Oracle Single Sign-On (OSSO) 10gR3

Statement of Direction
 Oracle Statement of Direction—Oracle Single Sign-On 10gR3

Disclaimer
This document in any form, software or printed matter, contains proprietary information that is the exclusive
property of Oracle. Your access to and use of this confidential material is subject to the terms and conditions
of your Oracle Software License and Service Agreement, which has been executed and with which you agree
to comply. This document and information contained herein may not be disclosed, copied, reproduced or
distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of
your license agreement nor can it be incorporated into any contractual agreement with Oracle or its
subsidiaries or affiliates.
This document is for informational purposes only and is intended solely to assist you in planning for the
implementation and upgrade of the product features described. It is not a commitment to deliver any material,
code, or functionality, and should not be relied upon in making purchasing decisions. The development,
release, and timing of any features or functionality described in this document remains at the sole discretion
of Oracle.
Due to the nature of the product architecture, it may not be possible to safely include all features described in
this document without risking significant destabilization of the code.
 Oracle Statement of Direction—Oracle Single Sign-On 10gR3

Purpose ............................................................................................. 2
Introduction ........................................................................................ 2
Future Direction ................................................................................. 3
Impact on Product Stacks .................................................................. 3
Support Information ........................................................................... 4
License Issues ................................................................................... 4
Oracle Fusion Middleware SSO Certification Matrix ........................... 5
 Oracle Statement of Direction—Oracle Single Sign-On 10gR3

Purpose
The purpose of this document is to discuss the product plans and the future of Oracle Single
Sign-On (OSSO) 10gR3.

Introduction
OSSO 10gR3 has for some time been the preferred, recommended solution for authenticating
users and achieving single sign-on across multiple applications hosted on Oracle Application
Server - based on Oracle Container for J2EE (OC4J). This includes applications deployed on
standalone OC4J, Oracle Fusion Middleware-based applications such as
Portal/Forms/Reports/Discoverer, WebCenter, and etc., and enterprise applications such as
Oracle E-Business Suite.

As of the Oracle Fusion Middleware 11g release, Oracle’s preferred application server – and the
foundation of the middleware platform – is Oracle WebLogic Server. Oracle Access Manager
10gR3 (OAM 10.1.4.3.0) is the default, preferred authentication and SSO solution for Oracle
Fusion Middleware 11g and Fusion Applications.

OSSO is made up of two components: a server component deployed as a J2EE application on

Oracle Application Server (OC4J); and a web server plug-in, called mod_osso, for Apache–based
Oracle HTTP Server (OHS). OSSO 10gR3 server is not supported on WebLogic Server (WLS)
and as a consequence, OSSO 10gR3 server is being placed into maintenance mode starting with
the OFM 11g release. OSSO’s web server plug-in components – mod_osso – are certified for
OHS 11g. An additional client component, an OSSO Identity Assertion Provider [IAP], was
introduced and is bundled with OFM 11g to facilitate integration with WebLogic Server 11g
(WLS 10.3.1). Note that the OSSO Identity Assertion Provider is a WebLogic Server 11g (WLS
10.3.1) security provider that is used to insert the authenticated user into the JAAS subject of the
WLS application container.

Customers can continue to run OSSO 10gR3 on Oracle Application Server (OC4J) and integrate
with Fusion Middleware-based applications running on WebLogic Server 11g. Of course,
customers can also continue to integrate OSSO 10gR3 with applications running on Oracle
Application Server (OC4J) such as Oracle E-Business Suite. Oracle Fusion Middleware (OFM)
11g applications have been certified for integration with 10g OSSO, as summarized in the
certification matrix in “Oracle Fusion Middleware SSO Certification Matrix” section.

To summarize, Oracle Access Manager is Oracle’s strategic product for authentication and single
sign-on and as of the Oracle Fusion Middleware 11g release Oracle is not planning any further
enhancements to OSSO 10gR3. The implications of this product strategy include:

• There is no WebLogic Server based 11g version of OSSO server.

• OSSO client components – mod_osso for OHS 11g and OSSO IAP for WLS 10.3.1 are
available to facilitate integration between OSSO 10gR3 server and OFM 11g.

2
 Oracle Statement of Direction—Oracle Single Sign-On 10gR3

• No further enhancements will be performed on OSSO 10gR3 server, but bug fixes will
continue as per the Oracle lifetime support policy.

Future Direction
At Oracle, there are 2 web single sign-on (SSO) products available: Oracle Single Sign-On 10gR3
(OSSO) and Oracle Access Manager 10gR3 (OAM). OSSO is available for customers that
purchase Oracle Fusion Middleware. The issue with OSSO is that it is certified on selected
Oracle infrastructure such as Oracle Application Server (OC4J), Oracle HTTP Server (OHS),
and Oracle Internet Directory (OID). For customers with heterogeneous environments with
various application servers, web servers, and LDAP directories, OAM is the recommended
solution. OAM has an extended certification matrix- that covers most popular enterprise
Operating System platforms and technologies.

Oracle Access Manager certification matrix:

• http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access
_manager_certification_10.1.4_r3_matrix.xls

As a key part of Oracle’s security product strategy, Oracle Access Manager (OAM) becomes the
preferred single sign-on technology for Oracle Fusion Middleware, Oracle Applications, and
heterogeneous 3rd party environments. Over a series of planned and projected releases, Oracle
intends to converge the feature sets of OAM and OSSO, provide upgrades and migrations from
previous OAM and OSSO releases, and provide backward compatibility support for OSSO
customers by certifying both 10g and 11g versions of mod_osso and the 11g version of the
OSSO identity assertion provider for WLS with OAM 11g servers.

The short-term direction is to encourage customers to use OAM 10gR3 for most deployment
scenarios. However, some Oracle products cannot use OAM 10gR3 due to dependencies on
OSSO 10gR3 infrastructure. These products, such as Portal, Forms, Reports, and Discoverer
will continue their dependency on OSSO 10gR3 even in their 11g release. For these customers,
Oracle recommends using OSSO 10gR3 server with mod_osso for OHS 11g or OSSO IAP for
WLS 11g for those products. If these same customers require SSO to any non Oracle stack of
products, then Oracle recommends integrating OSSO 10gR3 with OAM 10gR3 using the well-
documented integration methods.

Impact on Product Stacks

Oracle Fusion Middleware 11gR1

Both OAM 10gR3 and OSSO 10gR3 have been certified against Oracle Fusion Middleware
11gR1-based applications. However, OAM 10gR3 is not certified with Oracle Fusion
Middleware-based applications that have a hard dependency on OSSO 10gR3. These Oracle
Fusion Middleware-based applications include Classic Portal, Forms, Reports, and Discoverer.
All other Oracle Fusion Middleware 11g components – including SOA, WebCenter, Oracle

3
 Oracle Statement of Direction—Oracle Single Sign-On 10gR3

Application Development Framework (ADF), and Enterprise Manager – have been certified with
both SSO products.

E-Business Suite
Today, OSSO 10gR3, used in conjunction with Oracle Internet Directory (OID) 10g and
Directory Integration Platform (DIP) 10g, provides authentication and single sign-on to Oracle
E-Business Suite R11 and R12. Customers migrating to OID 11g and DIP 11g can continue to
use OSSO 10gR3, which is certified to work with both products.

Since OAM 10gR3 is the recommended SSO solution in the future, E-Business Suite is planning
to certify multiple releases with OAM 10gR3. OAM 10gR3 may be used directly as a SSO
solution with E-Business Suite and optionally in conjunction with OSSO 10gR3 to support
integration with products in the E-Business Suite technology stack that do not support OAM
such as Discoverer and Portal. Note that both SSO solutions, OSSO 10gR3 and OAM 10gR3,
will work with the 10g and 11g versions of OID and DIP. More information about this
integration will be available on the E-Business Suite website when the full certification process
completes.

License Issues
There is a new license available named “Oracle Access Manager Basic” that is a direct
replacement for the specific OSSO license included in the Oracle Fusion Middleware 10g
package. Any customer that has licenses for OSSO can get OAM by converting their license to
“OAM Basic”. The number of CPUs supported will be exactly the same and customers can
purchase more if necessary. There are restrictions on usage for the “OAM Basic” license. The
restriction is that customers can use OAM to integrate to only the Oracle stack of products. This
means web servers must be OHS, application servers must be OC4J or WLS, and directory
servers must be Oracle Internet Directory.

For more information about the OAM Basic license, please see the licensing documentation for
Oracle Fusion Middleware 11g:

• http://download.oracle.com/docs/cd/E12839_01/doc.1111/e14860/oam_basic.htm#
CHDBECDJ

Support Information
Although OSSO 10gR3 will not receive any enhancements, Oracle will still investigate any issues
and provide fixes once the issues are verified as product issues.

4
 Oracle Statement of Direction—Oracle Single Sign-On 10gR3

For more information on Oracle’s lifetime support policy and how that impacts OSSO, please
visit:
• http://www.oracle.com/support/lifetime-support-policy.html

Furthermore, for complete Oracle Fusion Middleware certification details please see the
certification matrix page:
• http://www.oracle.com/technology/software/products/ias/files/fusion_certification.h
tml.

Oracle Fusion Middleware SSO Certification Matrix

The figure below shows the various certifications between Oracle’s SSO products, OAM and
OSSO, with Oracle Fusion Middleware applications.

5
Statement of Direction
Oracle Single Sign-On 10gR3
Copyright © 2009, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and
the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
Oracle Corporation
warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
World Headquarters
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are
500 Oracle Parkway
formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
Redwood Shores, CA 94065
means, electronic or mechanical, for any purpose, without our prior written permission.
U.S.A.

Worldwide Inquiries: Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective

Phone: +1.650.506.7000 owners.

Fax: +1.650.506.7200
oracle.com 0109