My Oracle Support Banner

Clarification of Manual for Web Service with SSO (Doc ID 2429552.1)

Last updated on JANUARY 13, 2021

Applies to:

Oracle Agile Product Collaboration - Version and later
Information in this document applies to any platform.


On the security guide, it mentions that Web Service clients or SDK code cannot be used with SSO.

Agile Product Lifecycle Management Security Guide
Release 9.3.6

5.2.2 SSO-based Authentication

snip ---

Note the following:

Agile SDK code cannot connect to an Agile application URL protected by SSO.

Users cannot develop Java Web Service client code and connect to an Agile Web Service protected by SSO.

Webdav (AgileDrive) cannot connect to an Agile Application Server URL protected by SSO.

Web Service clients or SDK code must connect directly to Agile server nodes with actual WebLogic ports or set up an alternate proxy that is not protected by SSO.

For more information, refer to the ”Configuring Single Sign-On” chapter in the Agile PLM Administrator Guide. The chapter also includes a helpful diagram of the Agile SSO Plug-in Architecture.

There is also an ER.

However, on the SDK Developer Guide, it mentions the following.

Agile Product Lifecycle Management ]

SDK Developer Guide - Developing PLM Extensions
Release 9.3.6

Authenticating Users
All default out-of-box Web services and user customized versions are protected by the
application server. To access a protected Web service, add the following lines in your
Web service client stub code:
Example 2–1 Accessing a protected Web Service
// Configure the stub with the necessary authentication information
To remove the Web container protection for a specific Web service, add the lines in the
following applications:
application.ear#integration.war/WEB-INF/web.xml files:
<web-resource-name>Unprotect web services</web-resource-name>
<url-pattern>/ws/<web service name></url-pattern>
<url-pattern>/services/<web service name></url-pattern>

Using Single Sign-On Cookies for Client-Server Access
After a user on the WSX client is authenticated by the Agile 9.X server which is
protected by third party single sign-on products, the browser is granted a Single
sign-on cookie. This cookie is sent to the custom j2ee Web application, provided this
application is in the same DNS domain as the Agile 9.X server. Now, to invoke the Web
service deployed on Agile 9.X server, you can pass the single sign-on cookie instead of
username and password as a valid credential.

Note: If you are using both username and or password and single
sign-on cookies, the single sign-on cookie has precedence over
username or password

Invoking the Web Service Client with a Single Sign-on Cookie
This is accomplished by first, retrieving the single sign-on cookie from the HTTP
request followed by modifying the SOAP binding stub code.

Retrieving the Single Sign-On Cookie
Before invoking the Web service client stub, you must retrieve the single sign-on
cookie in the HTTP request. By default, the single sign-on cookie provided by
SiteMinder is called SMSESSION. Modify the cookie to the format specified in
RFC2965 available at The simplest format is
name=value where you can access both name and value by calling the
javax.servlet.http.Cookie object method.

Which document is correct? Is it possible to run custom Web Service through SSO?



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.