Best Practices For Implementing SSO on EBS R12

Milton Estrada Technical Management Consultant estradam@tusc.com

August 09

Agenda
Overview Features and Supported Architectures Components and Build Versions Implement Single Sign-On Support for EBS R12 Know Issues Q/A References

August 09 / Slide 2 / EBSR12 SSO

Overview
This presentation will cover the integration of Oracle Application Server 10g Enterprise Edition with Oracle E-Business Suite R12 The following services running on external servers to EBS R12 are supported:
Oracle Single Sign-On (SSO) 10g Oracle Internet Directory (OID) 10g Oracle Portal 10g Oracle Discoverer 10g Oracle Web Cache 10g Third party single sign-on solutions Third party Lightweight Directory Access Protocol (LDAP) directories

These services may run:

One or more standalone servers external to existing EBS R12 environment In separate Oracle Homes on existing EBS R12 Servers

These services may not run:

In the existing EBS R12 Application Server 10g 10.1.2 Oracle Home for the Forms and Reports In the existing EBS R12 Application Server 10g 10.1.3 Oracle Home for the Web and Java services

For more information about EBS R12 Architectures see Oracle Applications Concepts, Release 12 (Part N0. B31450-01)
August 09 / Slide 3 / EBS R12 SSO

Features and Supported Architectures

Accessing EBS R12 with SSO
Oracle Application Server 10g (10.1.4.0.1), Oracle Internet Directory and Oracle Single Sign-On Server are required to enable SSO functionality for EBS R12 Implementing SSO for EBS R12 allows organizations to share one user definition throughout multiple parts of the enterprise For EBS R12 mod_osso is used for SSO authentication, replacing SSO SDK used in previous versions SSO for EBS R12 also support Single Sign-Off, which allow users to simultaneously terminate all active partner applications

Integration with Third-Party Access Management Systems and LDAP Directories

Organizations can use their existing third-party access management system to integrate with SSO. With this method SSO becomes a partner application to the third-party system, delegating the authentication process to it. Organizations that have standardized on third-party LDAP directories can optionally integrate that with Oracle Internet Directory (OID).

August 09 / Slide 4 / EBS R12 SSO

Components and Build Versions

Components listed below most be used when integrating EBS R12 with SSO
Oracle E-Business Suite R12
Component Name Oracle E-Business Release 12 Oracle 10g Application Server Oracle 10g Application Server Oracle Developer 10g (Includes Oracle Forms) Release 12.0.X to 12.1.1.X 10.1.2 10.1.3 10.1.2

Oracle Application Server 10g Enterprise Edition

Component Name Oracle Single Sign-On 10g Oracle Internet Directory 10g Oracle Portal 10g (optional) Oracle Web Cache 10g (optional) Oracle Discoverer 10g (optional)
August 09 / Slide 5 / EBS R12 SSO

Release 10.1.4.3.0 10.1.4.3.0 10.1.4.2.0 10.1.2.3.0 10.1.2.3.0

Implement Single Sign-On Support for EBS R12 SignSSO Task 1: Install E-Business Suite SSO 10g Integration patch
If you are using IBM/AIX for EBS R12, apply patch 5855635 to 10.1.3 Oracle Home

SSO Task 2: Configure Oracle Identity Management 10g (10.1.4.x) Components with EBS R12
Chose registration type Default (simple) or Advanced Compile Parameter List Check List Refresh environment settings Check that TWO_TASK variable is set correctly Run the Registration Script
o

$FND_TOP/bin/txkrun.pl -script=SetSSOReg

Restart Middle-Tier Services

SSO Task 3: Validate that Single Sign-On is Working Correctly

Run the Diagnostic Utility
o o o o

Login locally to the E-Business Suite by opening http[s]://<server>[:port]/OA_HTML/AppsLocalLogin.jsp Launch Diagnostics Run SSO Diagnostics Run OID Diagnostics http://[host]:[port]/OA_HTML/AppsLogin

Verify SSO Integration with Oracle E-Business Suite

o

Verify that SSO is correctly integrated with OID o $ORACLE_HOME/ldap/odi/log

August 09 / Slide 6 / EBS R12 SSO

Know Issues

ORA-20001: Unable to call fnd_ldap_wrapper.update_user

Update 10.1.3_OH/Apache/Apache/bin/iasobf file and set ORACLE_HOME variable Deregister/register instance again

To stop Customer field from been populated disable following business views:
For business event oracle.apps.fnd.identity.add disable subscription fnd_oid_subscriptions.hz_identity_add For business event oracle.apps.fnd.identity.modify disable subscription fnd_oid_subscriptions.hz_identity_modify For business event oracle.apps.fnd.subscription.add disable subscription fnd_oid_subscriptions.hz_subscription_add

To allow a user to bypass SSO authentication

Set system profile option Applications SSO Login Types to Local at user level Use http://[host]:[port]/OA_HTML/AppsLogin URL

When Cloning run command listed below on target instance before registering with SSO/OID $FND_TOP/bin/txkrun.pl -script=SetSSOReg -removereferences=Yes

August 09 / Slide 7 / EBS R12 SSO

Q/A

August 09 / Slide 8 / EBS R12 SSO

References
Oracle Metalink Note ID 376811.1 Titled Integrating Oracle EBusiness Suite Release 12 with 10g AS Oracle Internet Directory and Oracle Single Sign-On

August 09 / Slide 9 / EBS R12 SSO