Wednesday, February 27, 2013

SSO


Facts about Implementing SSO in Oracle Application Servers
In a default configuration of Oracle Applications, user validation and sign-on are done at the database level, using the FND_USER database table.

This is how a native sign-on in Oracle Applications typically works:

The user types the Oracle Applications URL into his web browser.

He enters his username and password.

The application connects to the database through the database listener using the APPLSYSPUB username. The password for this user should always be the default, which is 'pub'.

Next, the username and password entered by the user are validated against the information in the FND_USER table.

After this, user authorization is performed and the user is given access to the responsibilities assigned to him.

When single sign-on is implemented, the job of authentication is delegated to a Lightweight Directory Access Protocol (LDAP) server. This LDAP server can be either an Oracle Internet Directory (OID) server or any other third-party LDAP server.

One of the main advantages of this kind of implementation is that multiple applications can be integrated with the same LDAP server, so the user signs in only once to access all of them. Also, since most organizations already have an LDAP server running, they may want to use it for this authentication.

Authentication is the process of validating the user, and authorization is the process of identifying which resources (responsibilities) are allocated to that user.


In a Single Sign-On (SSO) architecture, the process of authentication is delegated to the LDAP server, while authorization is still handled by the Oracle Applications database.

Under the Single Sign-On architecture, E-Business Suite is registered as a partner application within the SSO server. As a result, once the user authenticates with the SSO server he can access all the partner applications registered with that SSO server. Also, logging out of any partner application logs the user out of all the partner applications.

In a Single Sign-On environment the sign-on happens in the following steps:
Once the user navigates to the E-Business Suite URL, a check is made for a valid 11i cookie.
 
If it is not present, it is assumed that the user has not logged in to any partner application, and he is presented with the Single Sign-On screen.

The user enters his SSO username and password, which are sent for validation against the information in the LDAP server.

Once validated, user authorization takes place against the FND_USER table in the Oracle Applications database and the user is presented with the resources allocated to him.
 
The user can navigate to any partner application that has been registered with the SSO server.

To implement Single Sign-On with Oracle Applications you must at minimum implement the following:

A 10g Application Server with Oracle Single Sign-On (SSO).
 
An LDAP server such as Oracle Internet Directory (OID) or any other third-party LDAP solution.
You may also use a third-party Single Sign-On solution, but under such a configuration you would still need to implement Oracle Single Sign-On; the third-party SSO then becomes a partner application of your Oracle SSO, just as E-Business Suite is registered as a partner application.

Another important fact is that implementing 10g Application Server does not upgrade the 9i Application Server that comes with standard Oracle Applications 11.5.10. The 9i Application Server remains a core component of the technology stack, and only the configured services are delegated to the 10g Application Server.


User Synchronization.

Under an SSO architecture the user information is stored in two places: the Oracle Applications database and the LDAP server. A user might be created in OID and need to be propagated to E-Business Suite; similarly, users may be created in E-Business Suite and then have to be propagated to OID.
To address this there are provisioning options, which we set up using provisioning profiles.

In a typical SSO implementation (E-Business Suite with OID) we have three options.

Option 1: Provision E-Business Suite to Oracle Internet Directory
Under this option every user created in E-Business Suite is automatically provisioned to OID.

Option 2: Provision Oracle Internet Directory to E-Business Suite
Under this option all users are created in OID, after which they are automatically provisioned to E-Business Suite with a predefined responsibility.

Option 3: Bidirectional Provisioning between E-Business Suite & Oracle Internet Directory
This option allows users to be created in either E-Business Suite or OID. Regardless of where they are created, they are provisioned to the other side as the case requires.

DMZ environment and SSO.
Until recently, multiple entry points into E-Business Suite were not supported in an SSO configuration. That is, an OID on the intranet could authenticate your internal users but not your external users. In such a case we had to either use two different OIDs, one for the intranet and one for the internet, and synchronize the information between both OIDs, which was a big pain; or allow the external/internal users to use the native authentication method via FND_USER and allow SSO only on the intranet.

But as of ATG Rollup 4, multiple E-Business Suite entry points are supported, bringing much-needed relief.

Another new feature is that as of SSO build 4.0 it is now also possible to have a Secure Sockets Layer (SSL) configuration on your Single Sign-On server.

In the next blog, let us discuss the steps to implement Oracle SSO in detail.


Below are 25 points that an Apps DBA should know for Apps (11i/R12) integration with SSO/OID (Single Sign-On/Oracle Internet Directory).
1. If you change the APPS password using the FNDCPASS utility, update the provisioning profile with the new password using OIDPROVTOOL. (More on OID scripts and tools coming soon.) This is required because the APPS password is stored in the provisioning profile in OID.
2. If you clone an E-Business Suite instance:
2.1 Deregister the old E-Business Suite details from the target OID instance.
2.2 Deregister the integration details from the cloned target E-Business Suite instance.
2.3 Re-register the target E-Business Suite instance with the target OID and SSO instance.
(More on cloning an Oracle Apps instance integrated with OID/SSO coming soon.)
3. The session idle timeout value in E-Business/Apps is set to 30 minutes by default, but there is NO session idle timeout set on SSO (there is a global timeout value of 8 hours in Oracle SSO, which is different from the idle timeout). If a session is idle for more than 30 minutes in Apps/E-Business Suite, the user is redirected to SSO and can get back into Apps “without” entering username and password, because the user session cookie is still valid on the SSO server.
For the global idle session timeout to work properly, set the idle timeout value to the required value in the Oracle SSO server and match it with the E-Business Suite instance.
4. A user with name USER1 in FND_USER can be linked to username USER2 in OID, so the usernames need not be the same. Users in E-Business Suite/Apps are linked to users in OID/SSO via GUID.
5. User mapping between OID & E-Business/Apps: the login name in OID is identified by the attribute “orclcommonnicknameattribute”, which by default is “uid”. To understand this better, think of user “Atul Kumar” in OID with various attributes like first name, last name, phone number, cn, sn, uid and so on. If for “Atul Kumar” the value of attribute uid is set to “akumar”, then the user should use “akumar” to log in.
This “akumar” (value of attribute “uid”) is mapped to the USER_NAME column of table FND_USER, and the “orclguid” attribute in OID should have the same value as the USER_GUID column in the FND_USER table. As mentioned in point 4, users in OID & Apps are linked via GUID and this value should be the same. (More on user mapping and authentication flow with SSO coming soon.)
6. The currently supported nickname attributes to be mapped to the FND_USER table are “uid” and “mail”.
7. If the naming convention of your users in OID is different from users in E-Business/Apps (like atul.kumar in OID but kumaratul in Apps/E-Business Suite), then disable the profile “Applications SSO Auto Link User”.
8. Not all user attributes can be integrated/synchronized from OID to E-Business Suite or vice versa. For the list of attributes currently supported (as of build 5), check Appendix C on page 88 of the integration guide.
9. Updates to the email ID in Oracle Internet Directory are not correctly reflected in the E-Business Suite HZ_CONTACT_POINTS in TCA unless the PERSON_PARTY_ID foreign key in the FND_USER table has been defined. Furthermore, if PERSON_PARTY_ID is changed, i.e. the user is linked to another person in TCA, information stored in OID can overwrite this other person’s information during provisioning.
10. As of build 5, logout from OAM (Oracle Application Manager) results in a page-not-found error, though users can log out successfully from professional Forms and self-service web applications.
11. Users can be provisioned from E-Business/11i/R12 (FND_USER) to OID, from OID to E-Business Suite, or both ways. (How to find the current user provisioning direction coming soon in the OID scripts post.)
12. User provisioning from TCA (Trading Community Architecture) to OID is not yet supported (as of build 5). Provisioning from HR to OID, from FND_USER to OID, or from OID to FND_USER is supported.
13. If the provisioning profile includes the password to be provisioned from E-Business Suite/Apps to OID, the password policy in E-Business Suite should be at least as restrictive as the one in OID; otherwise, when you create a user in E-Business Suite/Apps with a password not in line with the OID password policy, you will get a non-descriptive error message.
14. A user can log in to E-Business Suite locally (no SSO, directly from FND_USER), via SSO (authentication via SSO), or BOTH. Set the profile option “Applications SSO Login Types” to LOCAL or BOTH at user level and use
http(s)://(hostname).(domainname):(port)/OA_HTML/AppsLocalLogin.jsp
For SSO authentication use the URL
http(s)://(hostname).(domainname):(port)/oa_servlets/AppsLogin
15. It is possible to register multiple E-Business Suite instances (Test, Dev, UAT) with a single OID/SSO instance. (How to find the list of E-Business Suite instances registered against OID coming soon in OID scripts.)
16. If you have OID with multiple realms (how to find the default and all available realms in OID coming soon in OID scripts), E-Business Suite/11i/R12 can be registered against the default OID realm only (as of SSO build 5).
17. It is possible to link multiple E-Business Suite accounts to a single SSO account, but the reverse is not possible/supported; i.e. User1 and User2 in E-Business Suite can be linked to user3 in OID/SSO. (For more information check the profile option “Applications SSO Allow Multiple Accounts”.)
18. It is possible to sync user passwords from E-Business Suite to OID, but the reverse is not allowed. This is because passwords in E-Business Suite/Apps/11i/R12 are encrypted but are hashed in OID.
19. If you are planning to implement SSO integration with E-Business/11i/R12 in an enterprise where E-Business Suite and OID are already implemented and working independently, it is possible to bulk-load users from OID to E-Business Suite (users already in OID but not in E-Business Suite) or from E-Business Suite to OID (users already in E-Business Suite but not in OID) and map the common users.
20. For bulk migration of users from E-Business Suite to OID or from OID to E-Business Suite, check the AppsUserExport, LDAPUserImport, ldifmigrator and bulkload.sh utilities.
21. When users are imported (initial load) from OID to E-Business/Apps 11i/R12 using LDAPUserImport, not all user “attributes” can be imported.
22. If the hashing method in OID is not MD5, bulkload of users to OID (initial set of users migrated from Apps/E-Business Suite) . (How to find the default hashing method in OID coming soon in OID scripts.)
23. During the initial load of users from E-Business Suite to OID (using bulkload.sh), the password policy in OID is not verified. This is because E-Business Suite passwords are encrypted in the dump file and the bulk load tool can’t check them.
24. The Oracle Application Server (SSO/OID) and Apps/E-Business Suite database server system clocks should be in sync; otherwise users will face issues during login/logoff.
25. Leave your comments on what you think is important for Apps/11i/R12 integration with OID/SSO to fill point no. 25.
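Points 4, 5, 7 and 17 above describe how an Apps account is tied to an OID entry: by GUID first, and only then by the nickname attribute for the login name. The following Python script is an added example, not code from the original post, that reconciles a constructed LDIF export against constructed FND_USER rows along those rules; every DN, GUID and user name is made up, and the nickname attribute is assumed to be the default "uid".

```python
# Added example; all names, GUIDs and DNs below are constructed, not real data.
NICKNAME_ATTR = "uid"   # orclcommonnicknameattribute: "uid" by default, "mail" also supported

# Constructed LDIF in the shape of an ldifwrite export of two OID users.
OID_LDIF = """\
dn: cn=akumar,cn=users,dc=example,dc=com
uid: akumar
mail: akumar@example.com
orclguid: 1A2B3C4D5E6F70819A2B3C4D5E6F7081

dn: cn=jdoe,cn=users,dc=example,dc=com
uid: jdoe
mail: jdoe@example.com
orclguid: 2B3C4D5E6F70819A2B3C4D5E6F708192
"""

# Constructed FND_USER rows as (USER_NAME, USER_GUID).
FND_USERS = [
    ("AKUMAR", "1a2b3c4d5e6f70819a2b3c4d5e6f7081"),     # linked, same login name
    ("KUMARATUL", "1A2B3C4D5E6F70819A2B3C4D5E6F7081"),  # 2nd Apps account on same OID user
    ("JDOE", None),                                      # not yet linked
    ("SMITH", "3C4D5E6F70819A2B3C4D5E6F708192A3"),      # GUID with no OID entry
]


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, value = line.partition(":")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def reconcile(ldif_text, fnd_rows, nickname_attr=NICKNAME_ATTR):
    """Classify FND_USER rows by GUID link; GUIDs and names compare case-insensitively."""
    by_guid = {e["orclguid"][0].upper(): e for e in parse_ldif(ldif_text)}
    report = {"linked": {}, "unlinked": [], "orphan": [], "name_mismatch": []}
    for user_name, guid in fnd_rows:
        if not guid:
            report["unlinked"].append(user_name)     # provisioning never linked it
        elif guid.upper() not in by_guid:
            report["orphan"].append(user_name)       # no OID entry carries this GUID
        else:
            login = by_guid[guid.upper()][nickname_attr][0]
            # Several Apps accounts may share one OID user; the reverse is not supported.
            report["linked"].setdefault(login, []).append(user_name)
            if login.upper() != user_name.upper():
                report["name_mismatch"].append((user_name, login))  # auto-link would not match
    return report
```

Rows in "name_mismatch" are the cases point 7 is about, where the link must exist by GUID because the login names differ.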

Here are a few more interview questions, focused on Oracle 10g Application Server, Apps 11i/R12/12i and the integration of Oracle E-Business Suite with 10g AS (Portal/OID/SSO).
Q. Explain Architecture of 10g AS
A. Infrastructure Tier (MR+IM) & Middle Tier (J2EE, Portal, Wireless, Discoverer, Forms & Reports)
Q. Explain the broad-level steps to install 10g AS
A. Install the Infrastructure tier first and then the Middle tier (understand the Infrastructure and Middle tier install options; see Install 10g AS Infrastructure Tier)
Q. Explain the broad-level steps to integrate E-Business Suite (Apps 11i/R12/12i) with Microsoft Active Directory
A. Integrate E-Business Suite with OID and then integrate OID with AD
Q. How to authenticate Apps 11i/R12/12i users against the AD password
A. Configure the external authentication plug-in in OID (OID should be integrated with Apps 11i/R12)
Q. How to synchronize AD password with OID and vice versa
Q. How to identify whether a particular user is authenticated locally in Apps 11i/R12 or against OID
A. Check the column ENCRYPTED_USER_PASSWORD in the FND_USER table in the APPS schema (set to LOCAL, EXTERNAL or BOTH)
Q. Explain the broad-level steps to integrate Apps with OID/SSO
Q. How to clone Apps 11i/R12 integrated with 10g AS (Portal/OID/SSO)
Q. What extra steps will you do after changing the APPS password in an instance integrated with OID/SSO
A. Check How to change APPS Password
Q. Under which schema in E-Business Suite are the Oracle SSO server details stored (if Apps is integrated with SSO)
A. SSOSDK
Q. What is the difference between the Listen & Port directives in httpd.conf
A. Listen is the port number on which the web server is listening, whereas Port is used to create self-referential URLs. In 10g AS with Webcache configured, Listen is the port number on which the web server is listening & Port is the port number on which Webcache is listening
- If an HTTP load balancer is configured (listening on port 80) in front of Apps 11i/R12 and the web server (Apache) of 11i/R12 is listening on port 8001, then in httpd.conf define Listen 8000 & Port 80
Q. What is the difference between OPMN & DCM in 10g AS?
Q. Broad-level steps to configure a Load Balancer (HA) in 10g Portal
Q. What are ptlconfig and iasconfig.xml, and what is the location of these files
A. In Oracle 10g AS Middle Tier under $ORACLE_HOME/portal/conf
iasconfig.xml – Configuration file for Portal
ptlconfig – Utility to configure Portal
Q. Is it possible to configure E-Business Suite in a non-default realm of OID
A. Not possible in the current version of Apps-SSO/OID integration, build 5
Q. How to migrate users from OID to Apps (FND_USER) and vice versa
Q. What is Windows Native Authentication

Here are a few Apps DBA interview questions you can expect if the recruiter is looking for SSO-Apps integration expertise
Q. How to find whether your E-Business Suite is integrated with SSO/OID (10g Identity Management)
- There are multiple ways to find out whether Apps 11i/R12 is integrated with SSO/OID:
a) Check if the SSOSDK schema exists (in Apps 11i/R12) and check the tables in the SSOSDK schema
b) Check if a log file exists at $OAD_TOP/rgf/$CONTEXT_NAME/sso
c) Check the profile option “Application SSO Types”
Q. If the Single Sign-On server & OID are down, can users still log in?
Yes, using local login (AppsLocalLogin.jsp)
Q. Name a few profile options w.r.t. SSO integration
- Application SSO Types
- Application SSO Login Types
- Application SSO Auto Link User
* Make sure you know about these profile options, as you may be asked to explain them and how they affect SSO integration
Q. Which SSO build version are you currently working on?
- Build 1, 2.1, 2.2, 3, 3.1, 4, 5, 6
Q. Which OID version did you use for Apps-SSO/OID integration?
The latest certified OID version is 10.1.4.0.1 (others certified were 10.1.2.0.2 and 9.0.4)
Q. What was the direction of user synchronization?
- From OID to Apps
- Apps to OID
- Bidirectional
Q. What extra steps do you need to do after changing the APPS password in SSO-integrated Apps instances?
- Update the provisioning profile in OID with the new APPS password
Q. If a newly created user is not able to log in, how will you troubleshoot?
- Check if the user exists in both Apps (FND_USER) and OID (if not, check whether user provisioning is working fine)
- If the user exists, check whether the password (in FND_USER) is set to EXTERNAL (if set to LOCAL, the user should try AppsLocalLogin.jsp)
Q. A user is currently set to log in via SSO; what steps do you need to do to change the user to local login (AppsLocalLogin.jsp)?
- Set profile option “Applications SSO Login Types” to LOCAL or BOTH
- Reset the user password using FNDCPASS
- Log in using the URL /OA_HTML/AppsLocalLogin.jsp
Q. Where is the log file for Apps registration to SSO/OID?
$APPLRGF/sso ($COMMON_TOP/rgf/$CONTEXT_NAME/sso)
Q. Where is the log file for user provisioning?
On the OID node under $ORACLE_HOME/ldap/odi/log
Q. How do you clone an Oracle Apps (11i/R12) instance integrated with OID/SSO?
On Apps:
- Clone E-Business Suite using Rapid Clone
On OID/SSO:
- Migrate users/groups from source to target using ldifwrite & bulkload.sh
- Migrate the password policy and the DAS Admin group
and finally register the target Apps with the target OID/SSO
Q. What issues did you encounter during SSO/OID integration?
Q. What is a Subscription List?
Q. What is the mapping file w.r.t. user provisioning between Apps & OID, and what is the default location of the Oracle-shipped mapping file in Apps?
- $FND_TOP/admin/template/*.tmp
Q. What is ODISRV in OID?
ODISRV stands for Directory Integration Server and is used during user provisioning between Apps and OID
Q. How to load the initial set of users from Apps to OID or vice versa?
From Apps to OID:
- Create an intermediate LDIF file
- Using ldifmigrator, create the final LDIF file
- Use bulkload to load the LDIF file containing the users into OID
- Finally, create subscriptions for the bulk-loaded users
From OID to Apps:
- Use ldifwrite to create a dump of the users into an LDIF file
- Use LDAPUserImport to import the users into Apps
Post your questions in the comment section
