Facts about Implementing SSO in Oracle Application Servers
In a default configuration of Oracle Applications, user validation and sign-on are done at the database level, using the FND_USER table.
This is how native sign-on in Oracle Applications typically works:
The user enters the Oracle Applications URL in a web browser.
The user enters a username and password.
The application connects to the database through the database listener as the APPLSYSPUB user. The default password of this account is 'pub'; it can be changed with FNDCPASS, and the application tier configuration must then be updated to match, otherwise the middle tier can no longer connect.
The username and password entered by the user are validated against the information in the FND_USER table.
Authorization is then performed and the user is given access to the responsibilities assigned to that account.
When single sign-on is implemented, authentication is delegated to a Lightweight Directory Access Protocol (LDAP) server. This LDAP server can be Oracle Internet Directory (OID) or any third-party LDAP server.
One of the main advantages of this kind of implementation is that multiple applications can be integrated with the same LDAP server, so the user signs in once and can access all of them. Also, since most organizations already have an LDAP server running, they may want to reuse it for this authentication.
Authentication is the process of validating the user; authorization is the process of determining which resources (responsibilities) that user is allowed to use.
In a Single Sign-On (SSO) architecture the authentication process is delegated to the LDAP server, but authorization is still handled by the Oracle Applications database.
Under the Single Sign-On architecture, E-Business Suite is registered as a partner application within the SSO server. As a result, once a user has authenticated to the SSO server he can access every partner application registered with that SSO server. Logging out of any one partner application also logs the user out of all the others.
In a Single Sign-On environment the sign-on happens in the following steps:
When the user navigates to the E-Business Suite URL, a check is made for a valid 11i cookie.
If it is not present, it is assumed that the user has not logged in to any partner application, and the Single Sign-On screen is presented.
The user enters the SSO username and password, which are sent for validation against the information held in the LDAP server.
Once validated, authorization takes place against the FND_USER table in the Oracle Applications database and the user is presented with the resources allocated to that account.
The user can then navigate to any partner application registered with the SSO server without logging in again.
To implement Single Sign-On with Oracle Applications you must at minimum have the following:
A 10g Application Server with Oracle Single Sign-On (SSO).
An LDAP server such as Oracle Internet Directory (OID) or any third-party LDAP solution.
You may also use a third-party Single Sign-On solution, but in that configuration you would still need to implement Oracle Single Sign-On: the third-party SSO becomes a partner application of your Oracle SSO, just as E-Business Suite is registered as a partner application.
Another important fact is that implementing the 10g Application Server does not upgrade the 9i Application Server that ships with the standard Oracle Applications 11.5.10. The 9i Application Server remains a core component of the technology stack; only the SSO/OID services are delegated to the 10g Application Server.
User Synchronization.
Under an SSO architecture the user information is stored in two places: the Oracle Applications database and the LDAP server. A user might be created in OID and need to be propagated to E-Business Suite; similarly, users created in E-Business Suite may have to be propagated to OID.
To address this there are provisioning options, which are set up using provisioning profiles.
In a typical SSO implementation (E-Business Suite with OID) there are three options.
Option 1: Provision E-Business Suite to Oracle Internet Directory
Every user created in E-Business Suite is automatically provisioned to OID.
Option 2: Provision Oracle Internet Directory to E-Business Suite
All users are created in OID and are then automatically provisioned to E-Business Suite with a predefined responsibility.
Option 3: Bidirectional Provisioning between E-Business Suite and Oracle Internet Directory
Users can be created in either E-Business Suite or OID. Regardless of where they are created, they are provisioned to the other side.
DMZ environment and SSO.
Until recently, multiple entry points into E-Business Suite were not supported in an SSO configuration. That is, an OID on the intranet could authenticate your internal users but could not do the same for external users. In that case you either had to run two OIDs, one for the intranet and one for the internet, and synchronize the information between them, which was a big pain, or let the external (or internal) users use native authentication via FND_USER and allow SSO only on the intranet.
As of ATG Rollup 4, multiple E-Business Suite entry points are supported, bringing much-needed relief.
Another new feature is that as of SSO build 4.0 it is also possible to use a Secure Sockets Layer (SSL) configuration on your Single Sign-On server.
In the next blog let us discuss the steps to implement Oracle SSO in detail.
Here are 25 points an Apps DBA should know for Apps (11i/R12) integration with SSO/OID (Single Sign-On/Oracle Internet Directory):
1. If you change the APPS password using the FNDCPASS utility, update the provisioning profile with the new password using OIDPROVTOOL (more on OID scripts and tools coming soon). This is required because the APPS password is stored in the provisioning profile in OID.
2. If you clone an E-Business Suite instance:
——2.1 Deregister the old E-Business Suite details from the target OID instance.
——2.2 Deregister the integration details from the cloned target E-Business Suite instance.
——2.3 Re-register the target E-Business Suite instance with the target OID and SSO instance.
(More on cloning an Oracle Apps instance integrated with OID/SSO coming soon.)
3. The Session Idle Timeout in E-Business Suite/Apps defaults to 30 minutes, but NO idle timeout is set on the SSO server (Oracle SSO has a Global Timeout of 8 hours, which is a different setting). If a session is idle for more than 30 minutes in Apps/E-Business Suite, the user is redirected to SSO and gets back into Apps "without" entering a username and password, because the session cookie is still valid on the SSO server. For a global idle timeout to work properly, set the idle timeout on the Oracle SSO server to the required value and match it in the E-Business Suite instance.
4. A user named USER1 in FND_USER can be linked to username USER2 in OID, so the usernames need not be the same. Users in E-Business Suite/Apps are linked to users in OID/SSO via GUID.
5. User mapping between OID and E-Business Suite/Apps: the login name in OID is identified by the attribute "orclcommonnicknameattribute", which by default is "uid".
To understand this better, think of the user "Atul Kumar" in OID with attributes such as first name, last name, phone number, cn, sn, uid and so on. If the value of the uid attribute for "Atul Kumar" is "akumar", then the user logs in as "akumar".
This "akumar" (the value of the "uid" attribute) is mapped to the USER_NAME column of the FND_USER table, and the "orclguid" attribute in OID should have the same value as the USER_GUID column in FND_USER. As mentioned in point 4, users in OID and Apps are linked via GUID and these values must match. (More on user mapping and the authentication flow with SSO coming soon.)
6. The nickname attributes currently supported for mapping to the FND_USER table are "uid" and "mail".
7. If the naming convention of your users in OID differs from that in E-Business Suite/Apps (for example atul.kumar in OID but kumaratul in Apps), disable the profile option "Applications SSO Auto Link User"; otherwise auto-linking will try to match on the login name and fail.
8. Not all user attributes can be integrated/synchronized from OID to E-Business Suite or vice versa. For the list of attributes supported currently (as of build 5), check Appendix C on page 88 of the integration guide.
9. Updates to the email ID in Oracle Internet Directory are not correctly reflected in the E-Business Suite HZ_CONTACT_POINTS table in TCA unless the PERSON_PARTY_ID foreign key in the FND_USER table has been defined. Furthermore, if PERSON_PARTY_ID is changed, i.e. the user is linked to another person in TCA, information stored in OID can overwrite that other person's information during provisioning.
10. As of build 5, logout from OAM (Oracle Applications Manager) results in a "page not found" error, although users can log out successfully from professional forms and self-service web applications.
11. Users can be provisioned from E-Business Suite/11i/R12 (FND_USER) to OID, from OID to E-Business Suite, or both ways. (How to find the current user provisioning direction is coming soon in the OID Scripts post.)
12. User provisioning from TCA (Trading Community Architecture) to OID is not yet supported (as of build 5). Provisioning from HR to OID, from FND_USER to OID, or from OID to FND_USER is supported.
13. If the provisioning profile includes provisioning passwords from E-Business Suite/Apps to OID, the password policy in E-Business Suite should be at least as restrictive as the one in OID. Otherwise, when you create a user in E-Business Suite/Apps with a password that does not meet OID's policy, you get a non-descriptive error message.
14. A user can log in to E-Business Suite locally (no SSO, directly against FND_USER), via SSO (authentication via the SSO server), or both. For local login set the profile option "Applications SSO Login Types" to LOCAL or BOTH at user level and use
http(s)://(hostname).(domainname):(port)/OA_HTML/AppsLocalLogin.jsp
For SSO authentication use the URL
http(s)://(hostname).(domainname):(port)/oa_servlets/AppsLogin
15. It is possible to register multiple E-Business Suite instances (Test, Dev, UAT) with a single OID/SSO instance. (How to find the list of E-Business Suite instances registered against OID is coming soon in OID Scripts.)
16. If your OID has multiple realms (how to find the default and all available realms in OID is coming soon in OID Scripts), E-Business Suite/11i/R12 can be registered against the default OID realm only (as of SSO build 5).
17. It is possible to link multiple E-Business Suite accounts to a single SSO account, but not the reverse. That is, User1 and User2 in E-Business Suite can be linked to user3 in OID/SSO, but one E-Business Suite account cannot be linked to several OID users. (For more information check the profile option "Applications SSO Allow Multiple Accounts".)
18. It is possible to synchronize user passwords from E-Business Suite to OID, but not the other way round. This is because passwords in E-Business Suite/Apps/11i/R12 are stored encrypted (reversibly), while OID stores only a hash, which cannot be turned back into the clear-text password that Apps would need.
19. If you are planning to implement SSO integration with E-Business Suite/11i/R12 in an enterprise where E-Business Suite and OID are already implemented and working independently, it is possible to bulk-load users from OID to E-Business Suite (users that already exist in OID but not in E-Business Suite) or from E-Business Suite to OID (users that already exist in E-Business Suite but not in OID), and to map the users common to both.
20. For bulk migration of users from E-Business Suite to OID or from OID to E-Business Suite, check the AppsUserExport, LDAPUserImport, ldifmigrator and bulkload.sh utilities.
21. When users are imported (initial load) from OID to E-Business Suite/Apps 11i/R12 using LDAPUserImport, not all user "attributes" can be imported.
22. If the hashing method in OID is not MD5, bulkload of users to OID (initial set of users migrated from Apps/E-Business Suite) . (How to find the default hashing method in OID is coming soon in OID Scripts.)
23. During the initial load of users from E-Business Suite to OID (using bulkload.sh), the password policy in OID is not verified. This is because E-Business Suite passwords are encrypted in the dump file and the bulk load tool cannot check them.
24. The system clocks of the Oracle Application Server (SSO/OID) and the Apps/E-Business Suite database server should be in sync, otherwise users will face issues during login/logoff.
25. Leave your comments on what you think is important for Apps/11i/R12 integration with OID/SSO to fill point no. 25.
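Points 4, 5, 7, 14 and 17 above describe how an E-Business Suite account is tied to an OID entry: the link is the GUID (FND_USER.USER_GUID against orclguid), the login name is the nickname attribute (uid by default) and need not equal USER_NAME, ENCRYPTED_USER_PASSWORD is 'EXTERNAL' for SSO-authenticated accounts, and several FND_USER rows may share one OID user. The script below is an added example, not code from the post or from Oracle: it reconciles a constructed FND_USER extract against a constructed LDIF dump (the kind ldifwrite produces) and classifies each account so that orphaned GUIDs, accounts that will rely on auto-linking, local-only accounts and shared OID accounts are visible before the next login problem is reported. The column names follow the post; the sample rows, DNs, GUIDs and the report keys are assumptions made for the example.

```python
import base64
from collections import defaultdict

# Constructed sample rows, shaped like
#   SELECT user_name, user_guid, encrypted_user_password FROM fnd_user
# 'EXTERNAL' in the password column means "this account authenticates via SSO".
FND_USER_ROWS = [
    ("AKUMAR",    "0F3C2A9E1B7D4C5A8E6F1A2B3C4D5E6F", "EXTERNAL"),          # linked, same nickname
    ("KUMARATUL", "7A7A7A7A7A7A7A7A7A7A7A7A7A7A7A7A", "EXTERNAL"),          # linked, OID uid is atul.kumar
    ("JSMITH",    "DEADBEEFDEADBEEFDEADBEEFDEADBEEF", "EXTERNAL"),          # GUID no longer exists in OID
    ("RJONES",    None,                               "EXTERNAL"),          # SSO account never linked
    ("SYSADMIN",  None,                               "ZG9udHVzZXRoaXM="),  # local account (encrypted value)
    ("AKUMAR2",   "0F3C2A9E1B7D4C5A8E6F1A2B3C4D5E6F", "EXTERNAL"),          # second Apps account on one OID user
]

# Constructed LDIF dump of cn=users; one value uses the base64 ("::") form.
OID_LDIF = """\
dn: cn=akumar,cn=users,dc=example,dc=com
uid: akumar
mail: akumar@example.com
orclguid: 0F3C2A9E1B7D4C5A8E6F1A2B3C4D5E6F

dn: cn=atul.kumar,cn=users,dc=example,dc=com
uid: atul.kumar
orclguid: 7A7A7A7A7A7A7A7A7A7A7A7A7A7A7A7A

dn: cn=rjones,cn=users,dc=example,dc=com
uid:: cmpvbmVz
orclguid: 11112222333344445555666677778888

dn: cn=mlee,cn=users,dc=example,dc=com
uid: mlee
orclguid: 99990000AAAABBBBCCCCDDDDEEEEFFFF
"""

REPORT_KEYS = ("linked", "linked_name_differs", "orphaned_guid", "auto_link_candidate",
               "unlinked_no_match", "local_only", "shared_oid_account", "oid_not_linked")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.
    Handles folded continuation lines (leading space) and base64 values ('attr:: ...')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def reconcile(fnd_rows, ldif_text, nickname_attr="uid"):
    """Classify every FND_USER row against the OID entries (GUID first, nickname second)."""
    oid_by_guid, oid_by_nick = {}, {}
    for entry in parse_ldif(ldif_text):
        guid = entry.get("orclguid", [None])[0]
        nick = entry.get(nickname_attr, [None])[0]
        if guid:
            oid_by_guid[guid.upper()] = entry
        if nick:
            oid_by_nick[nick.lower()] = entry

    report = {key: [] for key in REPORT_KEYS}
    guid_owners = defaultdict(list)       # orclguid -> FND_USER names linked to it
    for user_name, guid, password_col in fnd_rows:
        if password_col != "EXTERNAL":
            report["local_only"].append(user_name)          # AppsLocalLogin.jsp only
            continue
        if not guid:
            # Never linked: auto-link on first SSO login works only when the
            # nickname equals USER_NAME and "Applications SSO Auto Link User" is on.
            key = "auto_link_candidate" if user_name.lower() in oid_by_nick else "unlinked_no_match"
            report[key].append(user_name)
            continue
        entry = oid_by_guid.get(guid.upper())
        if entry is None:
            report["orphaned_guid"].append(user_name)       # USER_GUID points at nothing in OID
            continue
        guid_owners[guid.upper()].append(user_name)
        nick = entry.get(nickname_attr, [""])[0]
        report["linked" if nick.lower() == user_name.lower() else "linked_name_differs"].append(user_name)

    for owners in guid_owners.values():
        if len(owners) > 1:               # needs "Applications SSO Allow Multiple Accounts"
            report["shared_oid_account"].append(tuple(sorted(owners)))
    for guid, entry in oid_by_guid.items():
        if guid not in guid_owners:       # OID user no Apps account is linked to yet
            report["oid_not_linked"].append(entry.get(nickname_attr, [""])[0])
    return {key: sorted(values) for key, values in report.items()}


if __name__ == "__main__":
    for key, names in reconcile(FND_USER_ROWS, OID_LDIF).items():
        print(f"{key:22s} {names}")
```

Feed it a real extract by replacing the two constructed inputs with the query result and an ldifwrite dump; use nickname_attr="mail" if orclcommonnicknameattribute has been changed to mail (point 6). Anything in orphaned_guid or unlinked_no_match is a login failure waiting to happen, and shared_oid_account should match what you expect the "Applications SSO Allow Multiple Accounts" profile to permit.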
Here are a few more interview questions, focused on Oracle 10g Application Server, Apps 11i/R12/12i and the integration of Oracle E-Business Suite with 10g AS (Portal/OID/SSO).
Q. Explain the architecture of 10g AS.
A. Infrastructure Tier (MR+IM) and Middle Tier (J2EE, Portal, Wireless, Discoverer, Forms & Reports).
Q. Explain the broad-level steps to install 10g AS.
A. Install the Infrastructure tier first and then the Middle Tier (understand the Infrastructure and Middle Tier install options; see Install 10g AS Infrastructure Tier).
Q. Explain the broad-level steps to integrate E-Business Suite (Apps 11i/R12/12i) with Microsoft Active Directory.
A. Integrate E-Business Suite with OID and then integrate OID with AD.
Q. How do you authenticate Apps 11i/R12/12i users against their AD password?
A. Configure the external authentication plug-in in OID (OID must be integrated with Apps 11i/R12).
Q. How do you synchronize the AD password with OID and vice versa?
Q. How do you identify whether a particular user is authenticated locally in Apps 11i/R12 or against OID?
A. Check the column ENCRYPTED_USER_PASSWORD in the FND_USER table in the APPS schema: it holds the value EXTERNAL for a user authenticated via SSO, and an encrypted password for a local user. Whether a user may use local login, SSO login or both is controlled by the profile option "Applications SSO Login Types" (LOCAL, SSO or BOTH).
Q. Explain the broad-level steps to integrate Apps with OID/SSO.
Q. How do you clone Apps 11i/R12 integrated with 10g AS (Portal/OID/SSO)?
Q. Under which schema in E-Business Suite are the Oracle SSO server details stored (if Apps is integrated with SSO)?
A. SSOSDK
Q. What is the difference between the Listen and Port directives in httpd.conf?
A. Listen is the port number on which the web server is listening, whereas Port is used to build self-referential URLs. In 10g AS with Web Cache configured, Listen is the port on which the web server listens and Port is the port on which Web Cache listens.
- If an HTTP load balancer (listening on port 80) is configured in front of Apps 11i/R12 and the web server (Apache) of 11i/R12 listens on port 8001, then in httpd.conf define Listen 8001 and Port 80.
Q. What is the difference between OPMN and DCM in 10g AS?
Q. What are the broad-level steps to configure a load balancer (HA) in 10g Portal?
Q. What are ptlconfig and iasconfig.xml, and where are these files located?
A. In the Oracle 10g AS Middle Tier under $ORACLE_HOME/portal/conf:
iasconfig.xml – configuration file for Portal
ptlconfig – utility to configure Portal
Q. Is it possible to configure E-Business Suite in a non-default realm of OID?
A. Not possible in the current version of the Apps-SSO/OID integration (build 5).
Q. How do you migrate users from OID to Apps (FND_USER) and vice versa?
Q. What is Windows Native Authentication?
Here are a few Apps DBA interview questions you can expect if the recruiter is looking for SSO-Apps integration expertise.
Q. How do you find out whether your E-Business Suite is integrated with SSO/OID (10g Identity Management)?
- There are multiple ways to find out whether Apps 11i/R12 is integrated with SSO/OID:
a) Check whether the SSOSDK schema exists (in Apps 11i/R12) and check the tables in the SSOSDK schema.
b) Check whether the log file exists at $COMMON_TOP/rgf/$CONTEXT_NAME/sso.
c) Check the profile option "Applications SSO Type".
Q. If the Single Sign-On server and OID are down, can users still log in?
Yes, users whose "Applications SSO Login Types" profile is LOCAL or BOTH can log in through AppsLocalLogin.jsp.
Q. Name a few profile options related to SSO integration.
- Applications SSO Type
- Applications SSO Login Types
- Applications SSO Auto Link User
* Make sure you know these profile options and can explain how they affect SSO integration.
Q. Which SSO build version are you currently working with?
- Build 1, 2.1, 2.2, 3, 3.1, 4, 5, 6
Q. Which OID version did you use for the Apps-SSO/OID integration?
The latest certified OID version is 10.1.4.0.1 (others certified were 10.1.2.0.2 and 9.0.4).
Q. What was the direction of user synchronization?
- From OID to Apps
- From Apps to OID
- Bidirectional
Q. What extra steps do you need to perform after changing the APPS password in an SSO-integrated Apps instance?
- Update the provisioning profile in OID with the new APPS password.
Q. If a newly created user cannot log in, how do you troubleshoot?
- Check whether the user exists in both Apps (FND_USER) and OID (if not, check whether user provisioning is working).
- If the user exists, check whether ENCRYPTED_USER_PASSWORD in FND_USER is set to EXTERNAL (if the user is set up for LOCAL login, they should try AppsLocalLogin.jsp).
Q. A user is currently set to log in via SSO; what steps do you need to take to switch that user to local login (AppsLocalLogin.jsp)?
- Set the profile option "Applications SSO Login Types" to LOCAL or BOTH.
- Reset the user's password using FNDCPASS.
- Log in using the URL /OA_HTML/AppsLocalLogin.jsp.
Q. Where is the log file for the Apps registration with SSO/OID?
$APPLRGF/sso ($COMMON_TOP/rgf/$CONTEXT_NAME/sso)
Q. Where is the log file for user provisioning?
On the OID node under $ORACLE_HOME/ldap/odi/log
Q. How do you clone an Oracle Apps (11i/R12) instance integrated with OID/SSO?
On Apps:
- Clone E-Business Suite using Rapid Clone.
On OID/SSO:
- Migrate users/groups from source to target using ldifwrite and bulkload.sh.
- Migrate the password policy and the DAS admin group.
Finally, register the target Apps instance with the target OID/SSO.
Q. What issues did you encounter during SSO/OID integration?
Q. What is a subscription list?
Q. What is the mapping file with respect to user provisioning between Apps and OID, and what is the default location of the Oracle-shipped mapping file in Apps?
- $FND_TOP/admin/template/*.tmp
Q. What is ODISRV in OID?
ODISRV stands for Directory Integration Server and is used during user provisioning between Apps and OID.
Q. How do you load the initial set of users from Apps to OID or vice versa?
From Apps to OID:
- Create an intermediate LDIF file.
- Using ldifmigrator, create the final LDIF file.
- Use bulkload to load the LDIF file containing the users into OID.
- Finally, create the subscription for the bulk-loaded users.
From OID to Apps:
- Use ldifwrite to dump the users into an LDIF file.
- Use LDAPUserImport to import the users into Apps.
Post your questions in the comment section.