
Will Windows Native Authentication (WNA) work with Oracle Identity Management and Firefox?

As more people like the idea of going platform independent with their applications and their implementations, this seems like a fair question to ask: can I use my Firefox browser to log in to my applications which are configured for Windows Native Authentication using an Oracle Identity Management server?

The Oracle documentation on Oracle Identity Management explicitly mentions the use of non-IE browsers in a WNA-configured environment. (See Oracle Docs, Implementing Fallback Authentication)

If you choose to use Firefox against a WNA SSO server, you must expect a fallback authentication method. If you use an IE browser which is enabled for WNA, you are logged in automatically to any registered SSO partner application on that SSO server. When we dig a little deeper we can see that the SPNEGO authentication mechanism is used.

This protocol is supported by IE and also by some non-IE browsers like Firefox. Visit Achim Grolms's webpage to see how you could achieve this.

This information has been brought to Oracle’s attention and they are now looking into the possibilities of using Firefox in a WNA environment. The limitation does not reside on the client side (Firefox) but lies in the capabilities of the Single Sign On server at this point. The Single Sign On server queries the browser information and decides, based on the browser type, whether it will use WNA or not. Oracle expects to support Firefox in future releases but does not yet give a specific release number. At this moment Oracle confirms that 10.1.4.2 and previous releases have not yet been enhanced for using non-IE browsers in combination with WNA. Instead an Oracle INTERNAL BUG is reported which calls for this feature. This bug is registered under:

BUG:6803891 ORACLE SSO WNA COULE BE ENHANCED TO SUPPORT FIREFOX BROWSER

I hope Oracle can come up with a quick solution on this matter, as it seems to be a showstopper for migrating many clients' desktops to open source desktops!
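The server-side check described above keys on the browser type, a header the client sets freely. As an added example (not Oracle's code and not from this post), here is a sketch of the alternative: offer Negotiate to every client, put the fallback login in the 401 body, and decide from the token the browser actually sends. The function names and the sample tokens are constructed for illustration.

```python
import base64

# DER-encoded OIDs that open a GSS-API token sent with "Authorization: Negotiate"
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_MAGIC = b"NTLMSSP\x00"                           # NTLM sent instead of Kerberos

def classify(authorization):
    """Return what kind of credential an Authorization header value carries."""
    if not authorization:
        return "none"
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(NTLM_MAGIC):
        return "ntlm"
    if token[:1] == b"\x60":               # ASN.1 [APPLICATION 0] wrapper
        if SPNEGO_OID in token[:16]:
            return "spnego"
        if KRB5_OID in token[:16]:
            return "kerberos"
    return "malformed"

def next_action(request):
    """Pick the next step from the credential only; User-Agent is never read."""
    kind = classify(request.get("Authorization"))
    if kind == "none":
        # 401 + "WWW-Authenticate: Negotiate"; a browser that cannot answer
        # renders the response body, which carries the fallback login form.
        return "challenge-with-fallback-body"
    if kind in ("spnego", "kerberos"):
        return "validate-gss-token"        # hand the token to the GSS-API acceptor
    return "fallback-login"                # NTLM, Basic, or garbage

def demo():
    # Constructed tokens: correct framing only, no real ticket inside.
    spnego = base64.b64encode(bytes.fromhex("6010") + SPNEGO_OID + b"\xa0\x06" + bytes(6))
    ntlm = base64.b64encode(NTLM_MAGIC + b"\x01\x00\x00\x00")
    requests = [
        {"User-Agent": "Firefox", "Authorization": None},
        {"User-Agent": "Firefox", "Authorization": "Negotiate " + spnego.decode()},
        {"User-Agent": "MSIE 7.0", "Authorization": "Negotiate " + ntlm.decode()},
    ]
    return [next_action(r) for r in requests]
```

With this flow a client that claims to be IE but only offers NTLM is sent to the fallback login, while any client that presents a SPNEGO token has it validated, whatever it calls itself.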


6 Responses to “Will Windows Native Authentication (WNA) work with Oracle Identity Management and Firefox ?”

  1. Steve Hannah Says:

    I have the WNA working with Firefox. It is a two step process and it requires that you install a Firefox plugin called ‘User Agent Switcher’.

    Step one – Configure Firefox for Kerberos. There is already a reference on your site on how to do this.

    Step two – Install user agent switcher plugin on Firefox. This will alter the ‘User agent’ header when requesting a web site. You can change how Firefox presents itself to the world. I chose the value MSIE6(WinXP) and the WNA works fine with Firefox.

    There is an Oracle class library which is responsible for reading the User Agent header and it will determine whether to attempt the WNA or not. Oracle had to alter the library to support Internet Explorer 7. Without the alteration, Internet Explorer 7 will not work with WNA either.

  2. John Paul Says:

    Hi Steve,

    Thanks for sharing this information as this got my setup working as well!
    The browser is now noticed as an IE browser and starts to negotiate, which results in a successful Single Sign On!

    ( retrieved debug from $ORACLE_HOME\opmn\logs\OC4J~OC4J_SECURITY~default_island~1 )

    ..
    08/09/05 09:27:50 Browser type: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
    08/09/05 09:27:50 Browser OS supports Kerberos WNA.
    08/09/05 09:27:50 Browser is IE
    08/09/05 09:27:50 IE browser version = 7.0
    08/09/05 09:27:50 Browser supports Kerberos WNA.
    08/09/05 09:27:50 Doing SPNEGO negotiation with the browser …
    08/09/05 09:27:50 Authorization header was not sent from the browser.
    08/09/05 09:27:50 Sending WWW-Authenticate request …
    08/09/05 09:27:50 Sending SPNEGO request.
    08/09/05 09:27:50 Browser type: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
    08/09/05 09:27:50 Browser OS supports Kerberos WNA.
    08/09/05 09:27:50 Browser is IE
    08/09/05 09:27:50 IE browser version = 7.0
    08/09/05 09:27:50 Browser supports Kerberos WNA.
    08/09/05 09:27:50 Doing SPNEGO negotiation with the browser …
    ..

    I used the Browser Type (User Agent field in the plugin) as displayed here to fake the browser.
    This is the exact same Browser type that is noticed while logging in with a real IE 7.0 browser.

    The only drawback would be when you forget to disable the User Agent and visit a website that queries your browser type to send you the right set of code based on your browser type.
    It will look messed up; for example, visiting an Exchange webmail (OWA) will negotiate based on these settings and will send IE-like code instead of Firefox.
    Maybe a nice feature for this plugin would be to let the User Agent be triggered based on the requested URI, so that it will only fire when needed.

    Again , thanks for the eye opener !

    Kind Regards,
    John Paul

  3. Frank van Bortel Says:

    There is no need for plugins or whatever, as I pointed out on my blog entry of September 2007

  4. Frank van Bortel Says:

    I have upgraded from 10.1.2.2.2 to 10.1.4.3.0. WNA does not work anymore in Firefox, probably because of the bug mentioned. IE is fine (IE6(!) that is).
    Will put it to the test tomorrow, and will (b)log. Not quite sure, but previous version of Firefox was 2.x – anyone familiar with when the headers (of FF) changed?

  5. Frank van bortel Says:

    I can confirm it’s Firefox – using a plugin to fake the agent (to IE) will do WNA.

  6. Frank van Bortel Says:

    There’s a simple workaround; change the user agent string FF sends to make OSSO believe FF can do WNA (which it can!);
    see http://vanbortel.blogspot.com/2010/04/firefox-no-longer-does-wna-with-osso.html
