
Best Practices from Oracle Development's A‑Team

Single Sign On for WebCenter Interaction

Mark Nelson
Architect

Introduction

In this post I cover the key steps for setting up single sign on for WebCenter Interaction, concentrating on the parts that are not clear from the documentation.

Main Article

I have spent a little time recently setting up single sign on for WebCenter Interaction.

My environment is WebCenter Interaction 10.3 running on Oracle WebLogic Server 10.3 on Windows 2003 Server, with an Oracle HTTP Server (Apache 1.3) HTTP Proxy, Oracle Access Manager providing SSO, and Oracle Internet Directory as the LDAP Authentication Server.  The portal data store is the Oracle 11g Database (11.1.0.7).

There were a few issues, and the documentation does not reflect current versions, which meant I needed to rely on some assistance and a little bit of guessing in addition to the documentation.  As such, I thought this would be a good piece of work to document to make it easier for others to repeat (and for the next time I need to do it!).

I would like to acknowledge assistance from the following people (alphabetical order): Clarence Cheah, Rory Douglas, Iyad Kloub, Ali Mukadam, Luke McQueen, Igor Polyakov, Tamer Qumhieh, Mike Wertzberger and Tanya Williams.

This post contains just the highlights – the stuff that is not in the documentation, or easy to work out.  Following this, I will post complete step by step instructions.

Oracle 11g Database Configuration

There is an issue running WebCenter Interaction 10.3 with Oracle Database 11g.  It seems to be introduced when you install the WebCenter Identity Integration for LDAP module.  After doing this, the overnight jobs start to fail with an SQL error, the portal fails, and will no longer start.  Here is the query you may find in your log files when this happens:

  -- Copyright 2012 Oracle Corporation. All Rights Reserved.
  -- Provided on an 'as is' basis, without warranties or conditions of any kind,
  -- either express or implied, including, without limitation, any warranties or
  -- conditions of title, non-infringement, merchantability, or fitness for a
  -- particular purpose. You are solely responsible for determining the
  -- appropriateness of using and assume any risks. You may not redistribute.
  SELECT
    MAX(CS.ACCESSLEVEL) AS ACCESSLEVEL,
    C.NAME,
    C.ISLOCALIZED,
    C.OBJECTID,
    MC2.MEMBERSHIPTYPE
  FROM
    PTCOMMUNITIES C,
    PTCOMMSECURITY CS,
    PTVGROUPMEMBERSHIP GM,
    (SELECT
       MAX(MC.MEMBERSHIPTYPE) AS MEMBERSHIPTYPE,
       MC.COMMUNITYID
     FROM
       PTMYCOMMUNITIES MC,
       PTVGROUPMEMBERSHIP GM
     WHERE
       GM.GROUPID=MC.GROUPID
       AND GM.USERID=263
     GROUP BY
       MC.COMMUNITYID) MC2
  WHERE GM.GROUPID=CS.GROUPID
    AND GM.USERID=263
    AND C.OBJECTID=CS.OBJECTID
    AND C.OBJECTID=MC2.COMMUNITYID
  GROUP BY
    C.NAME,
    C.ISLOCALIZED,
    C.OBJECTID,
    MC2.MEMBERSHIPTYPE
  ORDER BY
    LOWER(C.NAME) ASC

This query fails with the error “not a GROUP BY expression.”  Careful inspection of the query does not reveal anything wrong with it: every non-aggregated column in the select list also appears in the GROUP BY clause.  I ran it on an Oracle 10g database and it did run successfully.  After some digging, it seems that the 11g query optimiser (specifically its group-by placement transformation) is causing this issue, and the following database setting fixes it:

ALTER SYSTEM SET "_OPTIMIZER_GROUP_BY_PLACEMENT"=FALSE;

I also applied the 11.1.0.7 patch to the database.  I did not test this setting on 11.1.0.6, so I can’t tell you whether it will solve the issue on 11.1.0.6 too.  Note that a parameter whose name begins with an underscore is a hidden, unpublished parameter: the ALTER SYSTEM above changes optimiser behaviour for every session on the instance (and, when the instance uses an spfile, persists across restarts), so it is worth confirming the fix at session level first with the equivalent ALTER SESSION and raising it with Oracle Support before relying on it in production.

WebCenter Interaction Configuration

To make WebCenter Interaction work with the HTTP proxy, you need to make some changes to the configuration files located in <BEA_HOME>\alui\settings\portal:

In configuration.xml, you need to locate SystemProperties and change ServerName and HTTPPort to match your proxy server, as shown in the example:

  <component name="portal:SystemProperties" type="http://www.plumtree.com/config/component/types/portal/systemproperties">
      <!-- lines removed for brevity -->
      <setting name="ServerName">
          <value xsi:type="xsd:string">proxy.server</value>
      </setting>
      <setting name="HTTPPort">
          <value xsi:type="xsd:integer">8080</value>
      </setting>
      <!-- lines removed for brevity -->
  </component>

You also need to make a couple of changes in the portalconfig.xml file, which is located in <BEA_HOME>\alui\settings\portal.  The first change goes into the URLMapping component, shown below.  You need to set ApplicationURL0 and SecureApplicationURL0 to the URL of the proxy server, not the portal server; otherwise the links the portal generates send browsers straight to the portal host, around the WebGate.  In the example, the proxy server is proxy.server:8080.

  <component name="portal:URLMapping" type="http://www.plumtree.com/config/component/types/portal/urlmapping">
      <!-- URLMapping - Entry 0 -->
      <setting name="URLFromRequest0">
          <value xsi:type="xsd:string">*</value>
      </setting>
      <setting name="ApplicationURL0">
          <value xsi:type="xsd:string">http://proxy.server:8080/portal/server.pt</value>
      </setting>
      <setting name="SecureApplicationURL0">
          <value xsi:type="xsd:string">http://proxy.server:8080/portal/server.pt</value>
      </setting>
      <clients>
          <client name="portal"/>
      </clients>
  </component>

The other change you need to make is to turn on SSO.  This is done in the Authentication component.  You need to set the SSO vendor (3 for Oracle Access Manager) and the cookie domain, which must be a dotted suffix of the host name browsers use to reach the proxy so that the browser presents the cookie to both.  These settings are shown in the example below.

  <component name="portal:Authentication" type="http://www.plumtree.com/config/component/types/portal/authentication">
      <!-- lines removed for brevity -->
      <setting name="SSOVendor">
          <value xsi:type="xsd:integer">3</value>
      </setting>
      <setting name="CookieDomain">
          <value xsi:type="xsd:string">.server</value>
      </setting>
      <!-- lines removed for brevity -->
  </component>
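The three components above have to agree with each other, and the mistakes are easy to make by hand.  The script below is an added example, not code from the original post or from the WebCenter Interaction product: it parses the SystemProperties, URLMapping and Authentication components with the Python standard library and reports settings that would send browsers around the proxy or stop the SSO cookie being presented.  The XML it parses is a constructed sample in the shape shown above; the <config> root element, the portal.server host and port 7001 used in the broken variant are assumptions, not values from the post.

```python
"""Consistency checks for the WCI proxy/SSO settings (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of configuration.xml (SystemProperties component only).
CONFIGURATION_XML = """<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <component name="portal:SystemProperties"
             type="http://www.plumtree.com/config/component/types/portal/systemproperties">
    <setting name="ServerName"><value xsi:type="xsd:string">proxy.server</value></setting>
    <setting name="HTTPPort"><value xsi:type="xsd:integer">8080</value></setting>
  </component>
</config>"""

# Constructed sample of portalconfig.xml (URLMapping and Authentication only).
PORTALCONFIG_XML = """<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <component name="portal:URLMapping"
             type="http://www.plumtree.com/config/component/types/portal/urlmapping">
    <setting name="URLFromRequest0"><value xsi:type="xsd:string">*</value></setting>
    <setting name="ApplicationURL0"><value xsi:type="xsd:string">http://proxy.server:8080/portal/server.pt</value></setting>
    <setting name="SecureApplicationURL0"><value xsi:type="xsd:string">http://proxy.server:8080/portal/server.pt</value></setting>
    <clients><client name="portal"/></clients>
  </component>
  <component name="portal:Authentication"
             type="http://www.plumtree.com/config/component/types/portal/authentication">
    <setting name="SSOVendor"><value xsi:type="xsd:integer">3</value></setting>
    <setting name="CookieDomain"><value xsi:type="xsd:string">.server</value></setting>
  </component>
</config>"""

# Deliberately broken variant (assumed host/port): links point at the portal
# host instead of the proxy, SSO is off, and the cookie domain lacks its dot.
BAD_PORTALCONFIG_XML = (
    PORTALCONFIG_XML
    .replace("http://proxy.server:8080/portal/server.pt",
             "http://portal.server:7001/portal/server.pt", 1)
    .replace('<value xsi:type="xsd:integer">3</value>',
             '<value xsi:type="xsd:integer">0</value>')
    .replace('<value xsi:type="xsd:string">.server</value>',
             '<value xsi:type="xsd:string">server</value>')
)


def settings(root, component_name):
    """Return {setting name: value text} for the named <component>."""
    for comp in root.iter("component"):
        if comp.get("name") == component_name:
            return {s.get("name"): (s.findtext("value") or "").strip()
                    for s in comp.findall("setting")}
    raise KeyError(component_name)


def check_sso_config(configuration_xml, portalconfig_xml):
    """Cross-check the components; returns a list of findings, [] when clean."""
    findings = []
    sysprops = settings(ET.fromstring(configuration_xml), "portal:SystemProperties")
    portal = ET.fromstring(portalconfig_xml)
    urlmap = settings(portal, "portal:URLMapping")
    auth = settings(portal, "portal:Authentication")
    proxy_host = sysprops["ServerName"].lower()
    proxy_port = int(sysprops["HTTPPort"])

    # 1. Generated links must carry the proxy host; a link to the portal host
    #    itself would let browsers bypass the WebGate entirely.
    for key in ("ApplicationURL0", "SecureApplicationURL0"):
        url = urlsplit(urlmap[key])
        if (url.hostname or "").lower() != proxy_host:
            findings.append(f"error: {key} {urlmap[key]} does not point at proxy host {proxy_host}")
    # Only the plain-http entry is tied to HTTPPort; the secure entry may use another port.
    app_port = urlsplit(urlmap["ApplicationURL0"]).port or 80
    if app_port != proxy_port:
        findings.append(f"error: ApplicationURL0 port {app_port} differs from HTTPPort {proxy_port}")
    if urlsplit(urlmap["SecureApplicationURL0"]).scheme != "https":
        findings.append("warning: SecureApplicationURL0 is plain http, so the SSO session "
                        "cookie is sent unencrypted")

    # 2. SSOVendor 3 selects Oracle Access Manager (value from the post).
    if auth.get("SSOVendor") != "3":
        findings.append(f"error: SSOVendor is {auth.get('SSOVendor')!r}, expected 3 (Oracle Access Manager)")

    # 3. Browsers only present the cookie when CookieDomain is a dotted suffix
    #    of the host they talk to, i.e. the proxy.
    domain = auth.get("CookieDomain", "").lower()
    if not domain.startswith("."):
        findings.append(f"error: CookieDomain {domain!r} must start with '.'")
    elif not proxy_host.endswith(domain):
        findings.append(f"error: CookieDomain {domain!r} is not a suffix of proxy host {proxy_host!r}")
    return findings


if __name__ == "__main__":
    for sample in (PORTALCONFIG_XML, BAD_PORTALCONFIG_XML):
        print(check_sso_config(CONFIGURATION_XML, sample) or ["ok"])
```

Against the sample that mirrors the post the only finding is the warning about SecureApplicationURL0 being plain http, which is deliberate: the lab setup above terminates nothing on TLS, but in production the secure URL should be https so the OAM session cookie is not exposed on the wire.  The broken variant produces four errors and the same warning.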

Oracle Access Manager Configuration

When you set up the Policy Domain for the WebGate on the HTTP proxy, you need to make the following settings:

  • In the Resources tab, add a resource of type http with URL /portal.
  • In the Default Rules tab, create a Default Rule with an Authentication post-success action that redirects to /portal/SSOServlet and passes a HeaderVar called UID with the cn as its value.
  • Make sure your policy includes GET and POST for http.

Because the portal accepts the user identity from the UID header the WebGate adds, the WebLogic portal listener must only be reachable through the proxy: a client that can connect to the portal port directly could supply its own UID header.  Restrict that port to the proxy host with a firewall rule or a listen address.

Summary

These are the key things that needed to be done to get this all working, which were not always easy to work out from the documentation.  I am working with a few of the others here to fully document the whole procedure, and will post that when it is done.
