Post on 24-Mar-2020
Best Practices for Implementing SSO on EBS R12
August 09
Milton Estrada
Technical Management Consultant
estradam@tusc.com
Agenda
• Overview
• Features and Supported Architectures
• Components and Build Versions
• Implement Single Sign-On Support for EBS R12
• Known Issues
• Q/A
• References
Overview
• This presentation will cover the integration of Oracle Application Server 10g Enterprise Edition with Oracle E-Business Suite R12
• The following services running on external servers to EBS R12 are supported:
  • Oracle Single Sign-On (SSO) 10g
  • Oracle Internet Directory (OID) 10g
  • Oracle Portal 10g
  • Oracle Discoverer 10g
  • Oracle Web Cache 10g
  • Third party single sign-on solutions
  • Third party Lightweight Directory Access Protocol (LDAP) directories
• These services may run:
  • On one or more standalone servers external to the existing EBS R12 environment
  • In separate Oracle Homes on existing EBS R12 servers
• These services may not run:
  • In the existing EBS R12 Application Server 10g 10.1.2 Oracle Home for Forms and Reports
  • In the existing EBS R12 Application Server 10g 10.1.3 Oracle Home for the Web and Java services
• For more information about EBS R12 architectures, see Oracle Applications Concepts, Release 12 (Part No. B31450-01)
Features and Supported Architectures
• Accessing EBS R12 with SSO
  • Oracle Application Server 10g (10.1.4.0.1), Oracle Internet Directory and Oracle Single Sign-On Server are required to enable SSO functionality for EBS R12
  • Implementing SSO for EBS R12 allows organizations to share one user definition throughout multiple parts of the enterprise
  • For EBS R12, mod_osso is used for SSO authentication, replacing the SSO SDK used in previous versions
  • SSO for EBS R12 also supports Single Sign-Off, which allows users to simultaneously terminate all active partner applications
• Integration with Third-Party Access Management Systems and LDAP Directories
  • Organizations can use their existing third-party access management system to integrate with SSO. With this method, SSO becomes a partner application to the third-party system, delegating the authentication process to it.
  • Organizations that have standardized on third-party LDAP directories can optionally integrate them with Oracle Internet Directory (OID).
Components and Build Versions
The components listed below must be used when integrating EBS R12 with SSO.

• Oracle E-Business Suite R12

  Component Name                                 Release
  Oracle E-Business Release 12                   12.0.X to 12.1.1.X
  Oracle 10g Application Server                  10.1.2
  Oracle 10g Application Server                  10.1.3
  Oracle Developer 10g (Includes Oracle Forms)   10.1.2

• Oracle Application Server 10g Enterprise Edition

  Component Name                       Release
  Oracle Single Sign-On 10g            10.1.4.3.0
  Oracle Internet Directory 10g        10.1.4.3.0
  Oracle Portal 10g (optional)         10.1.4.2.0
  Oracle Web Cache 10g (optional)      10.1.2.3.0
  Oracle Discoverer 10g (optional)     10.1.2.3.0
Implement Single Sign-On Support for EBS R12
• SSO Task 1: Install E-Business Suite SSO 10g Integration patch
  • If you are using IBM/AIX for EBS R12, apply patch 5855635 to the 10.1.3 Oracle Home
• SSO Task 2: Configure Oracle Identity Management 10g (10.1.4.x) Components with EBS R12
  • Choose registration type: Default (simple) or Advanced
  • Compile Parameter List Check List
  • Refresh environment settings
  • Check that the TWO_TASK variable is set correctly
  • Run the Registration Script
    o $FND_TOP/bin/txkrun.pl -script=SetSSOReg
  • Restart Middle-Tier Services
• SSO Task 3: Validate that Single Sign-On is Working Correctly
  • Run the Diagnostic Utility
    o Log in locally to the E-Business Suite by opening http[s]://<server>[:port]/OA_HTML/AppsLocalLogin.jsp
    o Launch Diagnostics
    o Run SSO Diagnostics
    o Run OID Diagnostics
  • Verify SSO Integration with Oracle E-Business Suite
    o http://[host]:[port]/OA_HTML/AppsLogin
  • Verify that SSO is correctly integrated with OID
    o $ORACLE_HOME/ldap/odi/log
Known Issues
• ORA-20001: Unable to call fnd_ldap_wrapper.update_user
  • Update the 10.1.3_OH/Apache/Apache/bin/iasobf file and set the ORACLE_HOME variable
  • Deregister and then register the instance again
• To stop the “Customer” field from being populated, disable the following business event subscriptions:
  • For business event oracle.apps.fnd.identity.add, disable subscription fnd_oid_subscriptions.hz_identity_add
  • For business event oracle.apps.fnd.identity.modify, disable subscription fnd_oid_subscriptions.hz_identity_modify
  • For business event oracle.apps.fnd.subscription.add, disable subscription fnd_oid_subscriptions.hz_subscription_add
• To allow a user to bypass SSO authentication
  • Set system profile option “Applications SSO Login Types” to “Local” at user level
  • Use the http://[host]:[port]/OA_HTML/AppsLogin URL
• When cloning, run the command below on the target instance before registering with SSO/OID
  • $FND_TOP/bin/txkrun.pl -script=SetSSOReg -removereferences=Yes
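
Accounts given the SSO bypass described under Known Issues authenticate against EBS directly, outside OID password policy and Single Sign-Off, so the list of such accounts is worth reviewing after go-live and after every clone. The query below is an added example, not part of the original slides; it assumes the profile's internal name is APPS_SSO_LOGIN_TYPES, that level_id 10004 denotes user-level profile values, that BOTH is also a valid setting, and that it is run by an account with SELECT on the FND tables.

```sql
-- Added example (not from the original presentation).
-- Lists EBS users whose "Applications SSO Login Types" profile is set at
-- user level to a value that permits local (non-SSO) login.
-- Assumptions: internal profile name APPS_SSO_LOGIN_TYPES; level_id 10004
-- is the user level; values LOCAL and BOTH both allow local login.
SELECT u.user_name,
       UPPER(v.profile_option_value)  AS login_type,
       CASE
         WHEN u.end_date IS NULL OR u.end_date > SYSDATE THEN 'ACTIVE'
         ELSE 'END-DATED'
       END                            AS account_status,
       u.last_logon_date,
       v.last_update_date             AS profile_changed_on,
       cu.user_name                   AS profile_changed_by
FROM   fnd_profile_options o
JOIN   fnd_profile_option_values v
       ON  v.profile_option_id = o.profile_option_id
       AND v.application_id    = o.application_id
JOIN   fnd_user u
       ON  u.user_id = v.level_value          -- level_value holds the user_id at user level
LEFT JOIN fnd_user cu
       ON  cu.user_id = v.last_updated_by     -- who last changed the setting
WHERE  o.profile_option_name = 'APPS_SSO_LOGIN_TYPES'
AND    v.level_id = 10004
AND    UPPER(v.profile_option_value) IN ('LOCAL', 'BOTH')
ORDER  BY v.last_update_date DESC;
```

Rows for accounts other than the expected administrative or break-glass users, or rows changed by an unexpected account, are the ones to follow up.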