Last month I helped a customer integrate a legacy application with Oracle Enterprise Single Single On (ESSO) version 220.127.116.11. I configured the legacy application within ESSO so the login manager would recognize the screens and log the user in. I got it all to work, but ran into a problem with the Windows authentication module. The Windows authentication module was unable to use the existing Windows login session for single sign on. It took me some time to figure out how to get it working because the documentation is missing on how to configure this. It took me quite a while to get my head around it, and to save you some time I present to you my findings.
The history lesson
To get a better understanding of what is happening we have to go back three versions of ESSO to the wonderful time before Windows Vista. Back then, ESSO already existed and had a plugin for Windows Authenticator v2 to do single sign on. This plugin was created with the GINA api (https://msdn.microsoft.com/en-us/library/windows/desktop/aa375457(v=vs.85).aspx). So basically you would install the GINA plugin to do single sign on with the Windows login.
Screenshot 1: Screenshot from: (https://docs.oracle.com/cd/E15624_01/logon.11112/VGOAV.pdf)
All was well until Microsoft launched Windows Vista. Microsoft Vista removed all GINA support from the operating system and thus killed the single sign on for Windows logins in ESSO. But fortunately Vista did not completely remove this SSO feature, they replaced the GINA feature with the Windows Network Provider Login Service. You can find this service in your process explorer as the netlogon service. So in order to restore the Windows login SSO in ESSO, a new plugin was added to ESSO, the Network provider plugin. This plugin was of course a plugin for the windows v2 authenticator. So now the Windows v2 authenticator had 2 plugins, a GINA plugin for Windows XP clients and a network provider plugin for Windows Vista.
Screenshot 2: Screenshot from: (https://docs.oracle.com/cd/E21040_01/logon.11115/VGOAV.pdf )
And here comes the first semi-good choice of the ESSO team, they never added an option to the windows v2 authenticator to enable the network provider plugin. In order to keep things simple, the network provider plugin was activated by enabling the GINA plugin in the configuration menu. This was a good choice because you could create one configuration which would work on both Windows XP and windows vista. So basically the option enable GINA support would be translated on a windows vista machine to enable the network provider plugin.
Screenshot 3: Screenshot from the ESSO administrative console.
So how can this choice come back to haunt you? Well, as the developer of ESSO you can (accidentally) take the following steps:
– Remove the support for GINA clients
– Never update the configuration console, so it still says enable GINA support to enable the network login plugin
– Move the network login manager in the install dialog so it is no longer apparent that it is a plugin of the windows v2 authenticator.
And that was exactly what happened in the ESSO 18.104.22.168 release. If you check the release notes, it states that the support for GINA has been removed. On the other items, little documentation can be found.
So how do you enable SSO in ESSO?
1: During install of the login manager client, enable the following authenticators:
2: Configure the administrative console as seen in screenshot 3. Make sure the authentication dialog is set to use GINA
3: Publish the changes and enjoy the SSO.
I have contacted Oracle on this issue and asked them to fix the administrative console so the option to enable GINA is renamed to enable network provider. This of course with some additional help text to make obvious that you need to install the network provider in the login manager to make the SSO work.