Forms Services Features with Authentication Server Protection

In this release of Oracle Forms Services, specific features and enhancements are available for Authentication Server Protection.

The following are the features and enhancements:

Dynamic Resource Creation

In single sign-on mode, when a user tries to connect to a Forms application, the user is authenticated by WebGate in combination with an authentication server and the Forms Identity Store. Once the user is authenticated, the user is directed to the Forms servlet, which takes the user's request information containing the single sign-on user name. Together, the user name and the application name form a unique pair that identifies the user's resource information for this application in the Forms Identity Store.

When an authorized Forms user has neither the resource for a particular application that is being requested nor a default resource in Forms Identity Store, then the user is redirected to the Forms RAD Servlet for the creation of the Resource Access Descriptor. After creating the resource, the user is redirected to the original Forms request URL.

The way Oracle Forms Services handles the missing resource information can be customized by the application or Oracle Forms Services administrator. The following options are available:

  • Allow dynamic resource creation (default)

  • Redirect the user to a pre-defined URL as specified by the ssoErrorUrl parameter

  • Display the Forms error message

The redirection URL is provided by the system administrator in the Forms configuration files and should be either absolute or relative.

Support for Dynamic Directives

Single sign-on in Forms is enforced in the formsweb.cfg file. The single sign-on parameter, ssoMode, when set to a valid value other than FALSE, indicates that the application requires authentication by the authentication server.

This parameter allows a Forms Services instance to handle both application types: those that rely on single sign-on for retrieving the database password and those that do not. Because single sign-on is configured in the formsweb.cfg file, users can use Fusion Middleware Control to manage this aspect of authentication.
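The missing-resource options and the ssoMode setting described above can be audited per application section of formsweb.cfg. The following is an added example, not Oracle's code: the sample configuration is constructed, the ssoDynamicResourceCreate parameter is not named on this page and is assumed here to be the switch for dynamic resource creation (defaulting to on), and named sections are assumed to inherit from [default].

```python
SAMPLE_CFG = """\
# constructed sample, not taken from a real deployment
[default]
ssoMode=false
ssoErrorUrl=/forms/no_resource.html
[hr]
ssoMode=webgate
[payroll]
ssoMode=true
ssoDynamicResourceCreate=false
[legacy]
ssoMode=TRUE
ssoDynamicResourceCreate=false
ssoErrorUrl=
"""

def parse_cfg(text):
    """Return {section: {param_lower: value}} from [section] and name=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[name.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Map each section to (sso_enforced, behaviour when the user has no resource)."""
    sections, report = parse_cfg(text), {}
    default = sections.get("default", {})
    for name, params in sections.items():
        eff = {**default, **params}  # assumption: named sections inherit [default]
        sso = eff.get("ssomode", "false").lower() != "false"
        if not sso:
            behaviour = "n/a"  # no SSO, so no Identity Store lookup
        elif eff.get("ssodynamicresourcecreate", "true").lower() == "true":
            behaviour = "dynamic-create"  # assumed default, per the option list
        elif eff.get("ssoerrorurl"):
            behaviour = "redirect:" + eff["ssoerrorurl"]
        else:
            behaviour = "forms-error"
        report[name] = (sso, behaviour)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
```

Sections reported as dynamic-create are the ones where an authenticated user without a stored resource is sent to the Forms RAD Servlet, so they are the ones to review when that self-service path is not wanted.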

Support for Database Password Expiration

In Oracle Forms Services 12c, if the database password has expired and the Forms Services application, running in single sign-on mode, is used to renew it, the new password entered by the user updates the Resource Access Descriptor (RAD) in the Forms Identity Store for this application. This feature ensures that authenticating a Forms user via the authentication server with Forms continues to work even when the user's database password has changed. However, if password changes are made in SQL*Plus, and not in Oracle Forms, the database connect string is not updated in the Forms Identity Store.