Configuring Windows Kerberos authentication with Oracle SSO and OID
Hello
Thanks for looking at this thread.
We have an existing setup where users log in to their Windows domain account gve.osi.net. A Kerberos ticket is generated and the authentication details are passed on to Oracle SSO so that the user is granted access to a specific application, EasyLink. There is a one-way replication relationship between the Microsoft Active Directory (MAD1) and Oracle Internet Directory. Kerberos has been configured with the gve.osi.net domain.
We now have to introduce a new Active Directory (MAD2), whose domain is flb.co.uk. Any new users to the company will be added to MAD2 and not to MAD1. Currently these new users will log in to the Windows domain flb.co.uk and also have to then log in to the application EasyLink, i.e. they use two logins. They have to log in to the application with credentials from MAD1.
What we want is for both users on MAD1 and MAD2 to be able to log in just the once and be authenticated immediately to the EasyLink application. That requires Kerberos, Oracle SSO and OID being able to authenticate against more than one domain (or so I believe). We cannot simply export users from MAD1 to MAD2; it is not an option for the customer, and we have to run with the two Active Directories in parallel for some time.
I'm looking for any suggestions on how this can be achieved. I have been looking at creating multiple realms in OID and configuring Oracle SSO for multiple realms, only I'm not sure if this can be achieved as the domains have completely different names and I'm not sure what the DIT would be.
Appreciate any thoughts and suggestions from anybody.
The version of Oracle is 10gR2.
Regards
Andy