This chapter is intended for those planning to deploy or integrate Oracle E-Business Suite Release 12 in an enterprise single sign-on environment. It is particularly aimed at project managers, DBAs, and system administrators.
Important: Integration of Oracle E-Business Suite Release 12 into a single sign-on environment is entirely optional.
Oracle Application Server 10g provides a robust, integrated, and scalable identity management infrastructure. The solutions described in this chapter enable Oracle E-Business Suite Release 12 to utilize this infrastructure and provide the following features:
Users can access multiple Oracle E-Business Suite Release 12 instances (or a mixture of Oracle E-Business Suite Release 12 and other single sign-on enabled applications) by logging in only once (single sign-on)
Administrators and users can perform user management activities, such as account creation and deletion, at the enterprise level.
The Oracle Single Sign-On Server and Oracle Internet Directory components shipped with Oracle Application Server 10g are required for these solutions. This chapter describes how to integrate Oracle Single Sign-On server, Oracle Internet Directory and Oracle E-Business Suite Release 12 to provide an enterprise-wide single sign-on solution. The subject is a complex one, with different sequences of actions required depending on the specific characteristics and needs of an environment.
Important: Before carrying out any of the tasks in this chapter, you must complete the generic installation steps described in My Oracle Support Knowledge Document 376811.1, Installing Oracle Application Server 10g with Oracle E-Business Suite Release 12.
Since the starting point for an Oracle Internet Directory and Oracle Single Sign-On deployment has a significant effect on the steps that need to be carried out, this chapter has been organized to provide clearly defined paths for the various possible ways of carrying out an implementation. A number of scenarios are described, beginning with the simplest and progressing to more complex types. The differences between the various scenarios are the nature of the starting environment (for example, whether a third-party user directory is in place), and the desired functionality. All the scenarios reflect real-world requirements of different Oracle E-Business Suite Release 12 sites.
The scenarios are as follows:
Deployment Scenario 0 (Base Scenario) - Integration of an existing Oracle E-Business Suite installation with a new Oracle Single Sign-On and Oracle Internet Directory infrastructure.
Deployment Scenario 1 - Integration of multiple new Oracle E-Business Suite installations with a new Oracle Single Sign-On and Oracle Internet Directory infrastructure.
Deployment Scenario 2 - Integration of a new Oracle E-Business Suite installation with existing third-party single sign-on and user directory infrastructure.
Deployment Scenario 3 - Integration of an existing Oracle E-Business Suite installation with existing third-party single sign-on and user directory infrastructure.
Deployment Scenario 4 - Integration of multiple existing Oracle E-Business Suite installations with a new Oracle Single Sign-On and Oracle Internet Directory infrastructure.
The remainder of this chapter provides a reference for profile options and login pages related to Oracle Single Sign-On, plus an introduction to various specialized features.
In large organizations, users often have a large number of userids for a variety of network-based resources such as corporate websites and custom applications. As the number of available resources grows, users and security administrators are faced with the increasingly difficult challenge of managing a proliferation of userids and passwords across different systems.
Enterprise identity management solutions allow security administrators to define a user in a single location such as a Lightweight Directory Access Protocol (LDAP) directory, and share that common user definition throughout multiple parts of their enterprise. Oracle Identity Management, part of Oracle Application Server 10g, may be integrated with the E-Business Suite to support centralized user management via Oracle Internet Directory, and to support single sign-on functionality via Oracle Single Sign-On.
In its default configuration, Oracle E-Business Suite Release 12 allows registered users to log in using credentials stored directly in the E-Business Suite. In this default configuration, E-Business Suite system administrators are responsible for maintaining the local repository of registered E-Business Suite users.
When optionally integrated with Oracle Application Server 10g, E-Business Suite system administrators can reconfigure their environments to delegate both user administration and user authentication to Oracle Application Server 10g. This integration with Oracle Application Server 10g requires significant changes to how Oracle E-Business Suite Release 12 handles authentication. Instead of performing authentication natively, via the local E-Business Suite FND_USER table, the E-Business Suite Release 12 now delegates this functionality to the Oracle Single Sign-On server. In this configuration, Oracle E-Business Suite Release 12 can direct unauthenticated users to an Oracle Single Sign-On server for identity verification, and securely accept identities vouched for by the Single Sign-On mechanism.
Oracle Single Sign-On may, in turn, be integrated with existing third-party authentication systems such as Microsoft Windows (Kerberos), and Oracle Internet Directory may be integrated with existing third-party LDAP directories such as Microsoft Active Directory. Oracle Single Sign-On either performs authentication against information stored in Oracle Internet Directory (an LDAP server), or delegates authentication to a third-party authentication mechanism.
Note: Where a third-party authentication mechanism is in use, Oracle Single Sign-On server and Oracle Internet Directory are still required: they provide bridge functionality between Oracle E-Business Suite and the third-party single sign-on solution.
Oracle Internet Directory is the integration point that allows Oracle E-Business Suite to participate in enterprise level user management. Each Oracle E-Business Suite instance must still maintain a record of registered users, in the form of the traditional application accounts. However, the level of abstraction needed for an enterprise level user requires a mechanism that can uniquely identify a user across the enterprise. This is accomplished via a globally unique identifier (GUID). Oracle Internet Directory and Oracle E-Business Suite store GUID information for each enterprise level user; the GUID can be considered as an identity badge that is recognized by both Oracle Internet Directory and Oracle E-Business Suite.
Another requirement in such an environment is for user enrollment to be done only once, at well-defined places, with the user subsequently being known to the rest of the enterprise. Two additional features enable support for automatic propagation of user information across an enterprise:
A synchronization process between Oracle Internet Directory and a third-party LDAP server
A provisioning process between Oracle Internet Directory and Oracle E-Business Suite
Much of the complexity involved with integrating Oracle E-Business Suite into a single sign-on environment arises because of the need to consolidate fragmented or duplicated user data in the single sign-on environment, as a legacy of integrating previously isolated systems. The solution described in this document provides mechanisms to link the existing data together using the GUID. In addition, bulk migration tools are provided to move a large number of users between Oracle Internet Directory and Oracle E-Business Suite during the transition to a single sign-on environment.
Advanced features include automatically keeping a set of user profile information synchronized across an enterprise for an entity, and the ability to link an account in Oracle Internet Directory to multiple application accounts in Oracle E-Business Suite.
In this release, provisioning from Oracle E-Business Suite to Oracle Internet Directory is synchronous: that is, all user management operations carried out in Oracle E-Business Suite are also carried out in Oracle Internet Directory. However, provisioning from Oracle Internet Directory to Oracle E-Business Suite is done asynchronously.
The solution described here does not address the issue of authorization. After a user has been authenticated, Oracle E-Business Suite retrieves the authorization information associated with the application account the user is logged into. Authorization information for application accounts is managed through application responsibilities. Oracle E-Business Suite applies authorization checks as and when required during the user’s session.
Configuration Option | Possible Settings | Configured Via |
---|---|---|
Initial Source of User Information | | Manual initial provisioning steps executed |
Master Source of Truth for Updates to User Information | | Provisioning profile selected for Directory Integration and Provisioning Platform |
New Userids Created in Oracle Internet Directory … | | Related Oracle E-Business Suite Profile Options: APPS_SSO_OID_IDENTITY, APPS_SSO_AUTO_LINK_USER |
New Userids Created in Oracle E-Business Suite … | | Related Oracle E-Business Suite Profile Options: APPS_SSO_LDAP_SYNC, APPS_SSO_AUTO_LINK_USER |
Specific Oracle E-Business Suite Userids … | | APPS_SSO_LOCAL_LOGIN profile option |
All Oracle Internet Directory Userids … | | APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS profile option |
As well as integrating Oracle E-Business Suite with Oracle Single Sign-On, Oracle Access Manager may, in turn, be integrated with Oracle Single Sign-On to provide additional authentication and integration options.
However, if Windows Native Authentication and Kerberos are also used with the combination of Oracle E-Business Suite, Oracle Single Sign-On, and Oracle Access Manager, the combined length of the redirected URLs may exceed web browser limits, and user authentication will fail. Oracle therefore recommends against the use of this particular combination of technologies for production environments.
This section explains the technical details and deployment steps using a simplified deployment scenario, where an existing Oracle E-Business Suite instance is integrated with a fresh Oracle Single Sign-On/Oracle Internet Directory infrastructure. Although many real world deployments are likely to be more complex, this scenario serves to illustrate the core concepts and procedures of the integration effort. In later sections, we build on this basic scenario to describe more sophisticated situations such as the existence of a third-party single sign-on solution, or the presence of multiple user repositories. The goal is not to describe every conceivable deployment variation, but rather to provide a number of representative cases from which implementers can intelligently derive the exact steps needed for their particular requirements.
This scenario presumes that:
Oracle E-Business Suite Release 12 has been installed and has an existing user population
Oracle Application Server 10g with Oracle Single Sign-On and Oracle Internet Directory has been installed on a separate machine
Oracle Internet Directory has no currently existing users, apart from pre-seeded users
Oracle Portal is not implemented
The requirement is to integrate Oracle E-Business Suite Release 12 with Oracle Single Sign-On and Oracle Internet Directory.
The results of implementing this solution will be that:
Oracle E-Business Suite will delegate user sign-on and authentication to Oracle Single Sign-On Server
Oracle Single Sign-On Server will authenticate user credentials against user entries in Oracle Internet Directory
Oracle Internet Directory will contain every user’s single sign-on account ID and password
Existing Oracle E-Business Suite application accounts are to be migrated to single sign-on accounts in Oracle Internet Directory using the Oracle E-Business Suite User Bulk Migration Tool. Oracle E-Business Suite Release 12 maintains a local cache of user information in its existing user directory (FND_USER). After the migration, a system administrator has a number of user management options, related to the location(s) where user information is created, and where it is provisioned (sent) to.
All user information is created in Oracle E-Business Suite, then provisioned into Oracle Internet Directory: Oracle E-Business Suite is configured as a provisioning integrated application with Oracle Internet Directory. System administrators configure the provisioning integration via provisioning profiles.
The creation of a new application account in Oracle E-Business Suite will automatically trigger the creation of a new single sign-on account in Oracle Internet Directory. Some of the user attributes from the application account may be provisioned in the single sign-on account in Oracle Internet Directory during account creation.
All user information is created in Oracle Internet Directory, then provisioned into Oracle E-Business Suite. Oracle E-Business Suite is configured as a provisioning integrated application with Oracle Internet Directory.
System administrators configure the provisioning integration via provisioning profiles: the creation of a new single sign-on account in Oracle Internet Directory will automatically trigger the creation of a new application account in E-Business Suite. Some of the user attributes from the single sign-on account may be provisioned in the application account in Oracle Internet Directory during account creation.
All user information is created in either Oracle Internet Directory or Oracle E-Business Suite, then provisioned into the other system. Oracle E-Business Suite is configured as a provisioning integrated application with Oracle Internet Directory. System administrators configure the provisioning integration via provisioning profiles.
The creation of a new application account in Oracle E-Business Suite will automatically trigger the creation of a new single sign-on account in Oracle Internet Directory. The creation of a new single sign-on account in Oracle Internet Directory will automatically trigger the creation of a new application account in Oracle E-Business Suite.
Some of the user attributes from the application account may be provisioned in the single sign-on account in Oracle Internet Directory during account creation. Some of the user attributes from the single sign-on account may be provisioned in the application account in Oracle Internet Directory during account creation.
For all three options above, a predefined set of user attributes is synchronized between Oracle E-Business Suite and Oracle Internet Directory.
This section describes the user's perception of the single sign-on environment.
Attempting to gain access to an Oracle E-Business Suite environment, a user who has not yet been authenticated with the Oracle Single Sign-On Server is directed to a Single Sign-On login page, which can be customized to suit an individual site.
After authentication via the Single Sign-On Server (or if authentication has previously been carried out) the user is redirected to the requested page or the user’s home page in the Oracle E-Business Suite Release 12.
When a user logs out of an Oracle E-Business Suite instance, he is also logged out of the Oracle Single Sign-On server, as well as any other applications that have been integrated with Oracle Single Sign-On (called partner applications) and have been accessed in this Single Sign-On session. The user will see a logout page that lists all the applications that he has been logged out of.
The user attempts to access the Oracle E-Business Suite Release 12 instance, and Oracle E-Business Suite looks for an application cookie. If the cookie is found and validated, the user is directed to the requested application page, and the rest of the steps shown here are skipped.
If the application cookie is not found, Oracle E-Business Suite redirects the user to the Oracle Single Sign-On Server, and this sequence of steps continues. The Oracle Single Sign-On Server looks for an Oracle Single Sign-On security cookie in the user’s browser. If the Oracle Single Sign-On security cookie is not found, the user must log into a valid account on the Oracle Single Sign-On Server before authentication can proceed further.
Oracle Single Sign-On Server contacts Oracle Internet Directory and authenticates the user’s credentials against the list of registered users in Oracle Internet Directory. After successful authentication, Oracle Single Sign-On Server sets an Oracle Single Sign-On security cookie in the user’s browser, and retrieves user attributes for the single sign-on account from Oracle Internet Directory.
Once the Oracle Single Sign-On security cookie has been found or set, this sequence of steps continues: Oracle Single Sign-On redirects the user to the Oracle E-Business Suite Release 12, passing a URL token that contains the user’s attributes. Oracle E-Business Suite verifies the URL token, locates the application user and creates an application session and corresponding cookie, based upon the user's assigned application responsibilities and roles. This process entrusts the process of user authentication to Oracle Single Sign-On, and user authorization to E-Business Suite. Oracle E-Business Suite then redirects the user to the requested application page, or the user’s home page.
The steps are similar for Oracle E-Business Suite and other partner applications. At the time of the partner application integration between the E-Business Suite and Oracle Application Server 10g, the E-Business Suite system administrator registers a logout routine with Oracle Single Sign-On server. This is a one-time registration step. When a user logs out from any of the registered partner applications, the partner application notifies the Oracle Single Sign-On server, which then invokes logout routines to log the user out of all registered Oracle partner applications that have been accessed in this Single Sign-On session, including Oracle E-Business Suite.
When both the application session and the single sign-on session time out, the user will be directed to the single sign-on login page to re-authenticate. After a successful re-authentication, the user will be redirected back to Oracle E-Business Suite. The application page the user sees depends on the application technology stack in use; see the table below.
When the application session has expired, but not the single sign-on session, the user will be directed to the Oracle Single Sign-On server, and then back to Oracle E-Business Suite Release 12, without being prompted to re-authenticate. Depending on the technology stack in use at the time when the session timeout occurred, the user will then see one of the following pages listed in the table below.
Technology Stack | Session Timeout Behavior |
---|---|
Oracle Application Framework | Application home page |
CRM | If the current request on detection of application session expiration was a ‘GET’, the user sees the requested page. If the current request was a ‘POST’, the user sees the posting page without the post having been performed. |
Forms | A series of pop-up windows will appear, leading the user to the Single Sign-On login page. The original form will remain, and the user can return to it after being re-authenticated and closing the pop-up windows. |
When an application session is terminated because the maximum valid period has been reached, or because of a period of user inactivity, Oracle E-Business Suite redirects the user to Oracle Single Sign-On for re-authentication. Oracle Single Sign-On server checks the single sign-on cookie; if it is still valid, the user is redirected back to Oracle E-Business Suite Release 12. If the single sign-on cookie has expired as well, Oracle Single Sign-On server requires the user to authenticate again before redirecting him back to Oracle E-Business Suite Release 12.
The application session timeout value takes precedence over the Oracle Single Sign-On timeout settings. For example, until an application session times out (or the user explicitly logs out), a user may continue to access the partner application even if his Oracle Single Sign-On security cookie has expired. Oracle therefore recommends setting the E-Business Suite's Application Server application session timeout value to be equal to, or less than, that of the Oracle Single Sign-On server.
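The following is an added example, not code from Oracle or from this guide: a constructed Python model of the login handshake described above (application cookie check, redirect to the Single Sign-On server, SSO security cookie, signed URL token carrying the GUID, lookup of the linked application account) together with the timeout precedence rule from this section. The cookie values, the token layout and the HMAC that signs it are assumptions made for the example; the clock is a constructed integer timeline.

```python
"""Constructed model of the Oracle Single Sign-On login handshake and of the
session-timeout precedence rule.  Cookie values, the URL token layout and the
HMAC that signs it are assumptions for this example, not Oracle's real formats."""
import hashlib
import hmac
import secrets
import uuid

SSO_SIGNING_KEY = b"constructed-partner-secret"  # assumed shared secret


def _hash(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()


class OracleInternetDirectory:
    """Stand-in for OID, the master store of single sign-on passwords."""
    def __init__(self):
        self.entries = {}  # username -> (salt, sha256(salt + password), GUID)

    def add_user(self, username, password):
        guid, salt = uuid.uuid4().hex.upper(), secrets.token_bytes(8)
        self.entries[username] = (salt, _hash(salt, password), guid)
        return guid

    def authenticate(self, username, password):
        """Return the user's GUID on success, None otherwise."""
        salt, digest, guid = self.entries.get(username, (b"", b"", None))
        return guid if hmac.compare_digest(_hash(salt, password), digest) else None


class SingleSignOnServer:
    def __init__(self, oid, cookie_ttl):
        self.oid, self.cookie_ttl, self.cookies = oid, cookie_ttl, {}  # cookie -> (guid, expiry)

    def login(self, username, password, now):
        """Authenticate against OID and set the SSO security cookie."""
        guid = self.oid.authenticate(username, password)
        if guid is None:
            return None
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = (guid, now + self.cookie_ttl)
        return cookie

    def redirect_to_partner(self, sso_cookie, now):
        """With a valid SSO cookie, issue the signed URL token carrying the GUID."""
        guid, expires_at = self.cookies.get(sso_cookie, (None, 0))
        if now >= expires_at:
            return None  # the user must first log in at the SSO server
        payload = f"{guid}:{now}"
        sig = hmac.new(SSO_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{sig}"


class EBusinessSuite:
    def __init__(self, session_ttl):
        self.fnd_user = {}  # GUID -> application username (linked accounts)
        self.session_ttl, self.app_cookies = session_ttl, {}  # cookie -> (guid, expiry)

    def link_account(self, username, guid):
        self.fnd_user[guid] = username

    def _verify_token(self, token, now, max_age=60):
        guid, issued, sig = token.split(":")
        expected = hmac.new(SSO_SIGNING_KEY, f"{guid}:{issued}".encode(),
                            hashlib.sha256).hexdigest()
        fresh = now - int(issued) <= max_age
        return guid if hmac.compare_digest(sig, expected) and fresh else None

    def request(self, app_cookie, sso, sso_cookie, now):
        """One browser request. Returns (outcome, username, application cookie)."""
        guid, expires_at = self.app_cookies.get(app_cookie, (None, 0))
        if now < expires_at:
            return "page", self.fnd_user[guid], app_cookie  # remaining steps skipped
        token = sso.redirect_to_partner(sso_cookie, now)
        if token is None:
            return "sso_login_required", None, None
        guid = self._verify_token(token, now)
        if guid is None or guid not in self.fnd_user:
            return "rejected", None, None  # bad token, or no linked application account
        new_cookie = secrets.token_hex(16)
        self.app_cookies[new_cookie] = (guid, now + self.session_ttl)
        return "page", self.fnd_user[guid], new_cookie


def walk_through(app_ttl=3600, sso_ttl=1800):
    """Run the handshake, then show what an expired SSO cookie does and does not end."""
    oid = OracleInternetDirectory()
    guid = oid.add_user("jsmith", "correct horse")  # constructed user
    sso, ebs = SingleSignOnServer(oid, sso_ttl), EBusinessSuite(app_ttl)
    ebs.link_account("JSMITH", guid)  # GUID link, as established by migration
    outcomes = [ebs.request(None, sso, None, now=0)[0]]  # no cookies at all yet
    sso_cookie = sso.login("jsmith", "correct horse", now=0)
    outcome, _, app_cookie = ebs.request(None, sso, sso_cookie, now=1)
    outcomes.append(outcome)
    # t=2000: the SSO cookie (ttl 1800) has expired but the application session
    # (ttl 3600) has not; the application timeout takes precedence, page served.
    outcomes.append(ebs.request(app_cookie, sso, sso_cookie, now=2000)[0])
    # t=4000: both have expired, so the user is sent back to the SSO login page.
    outcomes.append(ebs.request(app_cookie, sso, sso_cookie, now=4000)[0])
    return outcomes
```

With the defaults (application timeout longer than the SSO timeout) `walk_through()` shows the page still being served at t=2000 although the SSO cookie is gone, which is the situation Oracle's timeout recommendation avoids.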
This section describes the various options for management of users in a Single Sign-On environment.
Selected users can be permitted to log in to the application directly, i.e. without going through the single sign-on process. This allows users such as the system administrator to troubleshoot a configuration when the Oracle Single Sign-On server is not functioning correctly, or is unavailable. Such local users can now log into the application directly via the applications login page, AppsLocalLogin.jsp. The supplied SYSADMIN account is configured to have local access. In addition, the SYSADMIN account can control which additional users (if any) are permitted to have local access to the Oracle E-Business Suite; this is accomplished via the Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) profile option.
Important: Oracle recommends reserving use of the Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) profile option to a limited number of advanced users, to reduce the possibility of confusion over the master source of user passwords.
After the Oracle Single Sign-On integration is complete, user information exists in two places: Oracle Internet Directory and Oracle E-Business Suite Release 12.
This shared information has the following characteristics:
A GUID uniquely identifies a user across multiple systems.
Both Oracle Internet Directory and Oracle E-Business Suite store GUID information for each single sign-on user.
During the authentication handshake between Oracle Internet Directory and Oracle E-Business Suite, Oracle Single Sign-On passes the authenticated user information in the form of GUID to Oracle E-Business Suite, which then uses the GUID to locate the corresponding application account.
Once a GUID is generated and stored in both a single sign-on account in Oracle Internet Directory and an application account in Oracle E-Business Suite, the two accounts are said to be linked.
A number of processes are used to establish this link. The most commonly used ones are explained below, and the rest in the more advanced deployment scenarios later in this section.
Tools are provided to migrate existing users in bulk between Oracle Internet Directory and Oracle E-Business Suite. Both Oracle Internet Directory and Oracle E-Business Suite provide command line utilities to export and import users via flat text files in LDIF format.
New users created on either system can be provisioned into the other via the provisioning process. The provisioning system consists of components of both Oracle Internet Directory and Oracle E-Business Suite that queue user events on each system, plus an Oracle Internet Directory process that periodically pushes or pulls these events to or from Oracle E-Business Suite. The provisioning process establishes the GUID link for provisioned accounts. During this process, single sign-on accounts are automatically linked to Oracle E-Business Suite application accounts.
Provisioning has the following characteristics:
Once linked, user changes from either system can be provisioned into the other.
The provisioning process between Oracle Internet Directory and each Oracle E-Business Suite instance is determined by a provisioning profile.
The provisioning profile controls which user events are provisioned, the direction of provisioning, and the user attributes included in each event.
Oracle E-Business Suite is said to be a provisioning integrated application with Oracle Internet Directory when a provisioning profile is created for it.
Refer to the “Supported Attributes” section for information on which attributes can be provisioned between the systems, and “Configuring Directory Integration Platform Provisioning Templates” for more details on the provisioning process.
At the start of the deployment, Oracle E-Business Suite Release 12 is the sole repository of user information. Users who will need to access Oracle E-Business Suite via Oracle Single Sign-On must already exist or be created in Oracle Internet Directory.
Important: For pending users that are enabled in Oracle E-Business Suite after user creation, the IDENTITY_MODIFY event from E-Business Suite to Oracle Internet Directory must be enabled.
Existing Oracle E-Business Suite users can be migrated into Oracle Internet Directory by means of the bulk migration tool (see “Migrating Data between Oracle E-Business Suite Release 12 and Oracle Internet Directory” for details).
After the initial migration, you may choose to allow new users to be created either from Oracle Internet Directory or from Oracle E-Business Suite, and then provision them into the other system. This is achieved by enabling either the SUBSCRIPTION_ADD event from Oracle Internet Directory to Oracle E-Business Suite, or the IDENTITY_ADD event from Oracle E-Business Suite to Oracle Internet Directory; refer to “Configuring Directory Integration Platform Provisioning Templates” for more details.
Alternatively, you may choose to create new users from both Oracle Internet Directory and Oracle E-Business Suite, and then provision them into the other system. This is achieved by enabling both the SUBSCRIPTION_ADD event from Oracle Internet Directory to Oracle E-Business Suite, and the IDENTITY_ADD event from Oracle E-Business Suite to Oracle Internet Directory. Refer to “Configuring Directory Integration Platform Provisioning Templates” for more details.
Bidirectional provisioning requires careful planning, and is subject to the following restrictions:
The provisioning process from Oracle Internet Directory to Oracle E-Business Suite is asynchronous.
The provisioning process from Oracle E-Business Suite to Oracle Internet Directory is synchronous.
The events that are responsible for this will fail if, for example, a user with the same username has been created concurrently on the other system, or the user’s profile (for example, password) does not meet the policy set on the other system.
As there is currently no mechanism to roll back the original change on the system that triggered the event, the failure can put the entire system into an unstable state.
Therefore, if choosing this option, it is essential to coordinate the account policy on all the systems involved, and place appropriate safeguards on the user creation process.
For example, usernames created directly on one system need to be chosen in the context of names used across the single sign-on environment.
Whether new users are created in Oracle Internet Directory or in Oracle E-Business Suite, they must be granted the appropriate roles or responsibilities via Oracle E-Business Suite User Management in order to access application functionality.
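An added example, not code from Oracle or from this guide, modelling the provisioning events named above (IDENTITY_ADD from Oracle E-Business Suite to Oracle Internet Directory, SUBSCRIPTION_ADD in the other direction), the GUID link they establish, and the bidirectional failure modes listed in the restrictions: a username created concurrently on both systems, and a password that meets one system's policy but not the other's. The event layout, the queues and the minimum-length password policy are assumptions for this example, not the Directory Integration Platform's real implementation.

```python
"""Constructed model of *_ADD provisioning events between Oracle Internet
Directory (OID) and Oracle E-Business Suite (EBS), and of what goes wrong
when bidirectional provisioning is not coordinated.  Event layout, queues and
the password policy are assumptions for this example."""
import uuid


class UserStore:
    """Models either OID or the E-Business Suite FND_USER cache."""

    def __init__(self, name, add_event, min_password_len):
        self.name = name
        self.add_event = add_event          # event this system emits on user creation
        self.min_password_len = min_password_len
        self.users = {}                     # username -> {"guid": ..., "password": ...}
        self.outbox = []                    # events queued for the peer system
        self.failed = []                    # peer events that could not be applied

    def create_user(self, username, password, guid=None, emit=True):
        """Local creation. Enforces this system's policy and queues an *_ADD event."""
        if username in self.users:
            raise ValueError(f"{self.name}: username {username!r} already exists")
        if len(password) < self.min_password_len:
            raise ValueError(f"{self.name}: password shorter than {self.min_password_len}")
        guid = guid or uuid.uuid4().hex.upper()
        self.users[username] = {"guid": guid, "password": password}
        if emit:
            self.outbox.append({"event": self.add_event, "username": username,
                                "guid": guid, "password": password})
        return guid

    def apply_event(self, event):
        """Apply a peer's event. A failure is recorded; the peer is never rolled back."""
        try:
            self.create_user(event["username"], event["password"],
                             guid=event["guid"], emit=False)
            return True
        except ValueError as exc:
            self.failed.append((event["event"], event["username"], str(exc)))
            return False


def provision(source, target):
    """Deliver every queued event from source to target (the DIP push, simplified)."""
    results = [target.apply_event(ev) for ev in source.outbox]
    source.outbox.clear()
    return results


def linked_usernames(oid, ebs):
    """Accounts are linked when both systems hold the same GUID for the username."""
    return sorted(u for u in oid.users if u in ebs.users
                  and oid.users[u]["guid"] == ebs.users[u]["guid"])


def username_free_everywhere(username, stores):
    """Safeguard for user creation: the name must be unused across the SSO environment."""
    return all(username not in s.users for s in stores)


def new_environment(oid_min_len=8, ebs_min_len=8):
    oid = UserStore("OID", "SUBSCRIPTION_ADD", oid_min_len)
    ebs = UserStore("EBS", "IDENTITY_ADD", ebs_min_len)
    return oid, ebs


def unidirectional_ok():
    """EBS creates a user; IDENTITY_ADD provisions it into OID with the same GUID."""
    oid, ebs = new_environment()
    ebs.create_user("asmith", "long-enough-pw")
    provision(ebs, oid)
    return linked_usernames(oid, ebs)


def bidirectional_conflict():
    """Both systems create 'jdoe' concurrently: both ADD events fail, and because
    neither creation is rolled back, two unlinked accounts with different GUIDs remain."""
    oid, ebs = new_environment()
    oid.create_user("jdoe", "directory-side-pw")
    ebs.create_user("jdoe", "application-side-pw")
    provision(oid, ebs)
    provision(ebs, oid)
    return {"oid_failures": len(oid.failed), "ebs_failures": len(ebs.failed),
            "linked": linked_usernames(oid, ebs),
            "guids_match": oid.users["jdoe"]["guid"] == ebs.users["jdoe"]["guid"]}


def policy_mismatch():
    """EBS accepts 6-character passwords while OID requires 8: the EBS account is
    created, but its IDENTITY_ADD is rejected by OID, leaving it unlinked."""
    oid, ebs = new_environment(oid_min_len=8, ebs_min_len=6)
    ebs.create_user("bjones", "abc123")
    provision(ebs, oid)
    return {"in_ebs": "bjones" in ebs.users, "in_oid": "bjones" in oid.users,
            "oid_failures": oid.failed}


def safeguarded_create(oid, ebs, username, password):
    """Coordinated creation: refuse names already in use on either system."""
    if not username_free_everywhere(username, [oid, ebs]):
        return False
    ebs.create_user(username, password)
    return all(provision(ebs, oid))
```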
User information stored in Oracle Internet Directory single sign-on accounts is generally managed independently of user information stored in Oracle E-Business Suite Release 12 application accounts.
System administrators must decide:
Which user attributes are to be provisioned between an Oracle E-Business Suite Release 12 instance and Oracle Internet Directory.
Which system is to be the master “source of truth” for a given attribute. This determines the provisioning direction for that attribute.
System administrators then enable the IDENTITY_MODIFY events in the appropriate direction with the appropriate attribute list. Please refer to “Configuring Directory Integration Platform Provisioning Templates” for more details.
Note the following current restrictions:
Updates to email ID in Oracle Internet Directory are not correctly reflected in the E-Business Suite (HZ_CONTACT_POINTS in TCA) unless the PERSON_PARTY_ID foreign key in the FND_USER table has been defined. Furthermore, if PERSON_PARTY_ID is changed, because a user is linked to another person in TCA, information stored in OID can overwrite this other person’s information during provisioning.
Provisioning from Trading Community Architecture (TCA) to Oracle Internet Directory is not supported.
Provisioning of data from Oracle Human Resources to Oracle Internet Directory is supported via the Oracle Human Resources Agent, which is released as part of the Oracle Internet Directory suite of utilities. Note that the Oracle Human Resources Agent supplied with Oracle Internet Directory is unidirectional. That is, it ensures that Oracle Internet Directory is synchronized with HR, so that changes to user data in HR cause the corresponding data to be updated in Oracle Internet Directory. However, if changes are made to user data in Oracle Internet Directory, the HR connector does not synchronize these changes back to HR. A bidirectional connector is planned for a future build.
The provisioning process may be set up such that when a single sign-on account in Oracle Internet Directory is deleted, the associated Oracle E-Business Suite application account(s) is end-dated. This is done by enabling the IDENTITY_DELETE event from Oracle Internet Directory to Oracle E-Business Suite in the provisioning profile (see “Configuring Directory Integration Platform Provisioning Templates” for details).
Note: Dates are not synchronized between Oracle Internet Directory and E-Business Suite, and vice-versa.
Subject to organizational security and audit policies, it may be preferable to disable single sign-on accounts in Oracle Internet Directory rather than delete them, since this allows an applications account to be re-enabled at a later date as required. This can be particularly useful in the case of contractors who may leave and rejoin.
Note: See “Enabling/Disabling Users” for more information on enabling/disabling users.
One of the major objectives of single sign-on integration is centralized user password management using Oracle Internet Directory, which provides the following features:
Accessing Oracle E-Business Suite via Oracle Single Sign-On does not require passwords in the Oracle E-Business Suite; the password stored in Oracle Internet Directory is sufficient for authentication.
The password for an application account in Oracle E-Business Suite Release 12 is replaced with the reserved keyword ‘EXTERNAL’, if (as will usually be the case) the only permitted method to access that application account is via Oracle Single Sign-On.
Password management for such users is carried out entirely in Oracle Internet Directory.
The majority of end users will be able to change their single sign-on passwords using the standard methods provided by Oracle Internet Directory. For example, users may employ the Delegated Administration Service (DAS), described in the Oracle Internet Directory Administrator's Guide, Release 10g.
To reset single sign-on passwords, an administrator should follow the methods provided by Oracle Internet Directory as detailed in the chapters ‘Directory Entries Administration’ and ‘The Delegated Administration Service’, in the Oracle Internet Directory Administrator's Guide, Release 10g.
Oracle Internet Directory is designated as the master user directory for passwords. The user’s password creation, modification and Oracle Single Sign-On login activities are subject to the Oracle Internet Directory rules that govern how passwords are created and used. For example, Oracle Internet Directory system administrators may establish policies for password expiration, minimum length, and alphanumeric mixes. Refer to the ‘Password Policies in Oracle Internet Directory’ chapter of the Oracle Internet Directory Administrator's Guide, Release 10g for an explanation of supported password policies.
If the provisioning profile specifies that passwords in application accounts are to be provisioned from Oracle E-Business Suite Release 12 to Oracle Internet Directory, Oracle E-Business Suite Release 12 password policies must be at least as restrictive as the ones in Oracle Internet Directory. This ensures that passwords can be successfully propagated from Oracle E-Business Suite Release 12 to the single sign-on accounts in Oracle Internet Directory.
Passwords stored in Oracle Internet Directory are case sensitive. Mixed case passwords in Oracle E-Business Suite are migrated with the case preserved.
For users who have been granted local access to Oracle E-Business Suite via the Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) profile, Oracle E-Business Suite retains the relevant applications account password. This is true even if Oracle Internet Directory or the third-party LDAP directory has been designated as the master user directory for passwords. All existing password-related features in the Oracle E-Business Suite remain the same for local accounts. For example, the user must use the Self-Service change password screen (‘Preferences’ page) to maintain passwords.
For users who have both single sign-on and local access to Oracle E-Business Suite, a local password change in Oracle E-Business Suite can be synchronized to Oracle Internet Directory, if the provisioning profiles are set up accordingly. The reverse direction is not possible, because Oracle Internet Directory stores only a hash of each password, from which the clear-text value cannot be recovered, whereas Oracle E-Business Suite stores passwords in encrypted (recoverable) form.
Because of the potential difficulty of educating users about the special password management considerations that apply to application accounts configured with the Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) profile, this profile option should, as noted earlier, only be employed for a limited number of system administration or other advanced accounts. For any such account whose password is held only in LDAP (the APPS password is set to EXTERNAL) but which also needs a local password in Oracle E-Business Suite, the System Administrator must set the local password using the AFPASSWD or FNDCPASS utility.
For more information about the AFPASSWD and FNDCPASS utilities, refer to the Applications DBA Duties chapter of Oracle E-Business Suite System Administrator's Guide - Configuration.
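Two checks a practitioner would want before relying on the password arrangements above: that each application account's stored password is consistent with its login type (an account allowed to log in locally must actually hold a local password, an SSO-only account should carry EXTERNAL and be linked to a directory entry), and that the Oracle E-Business Suite password policy is no weaker than the Oracle Internet Directory policy before passwords are provisioned from Oracle E-Business Suite to Oracle Internet Directory. The following is an added example written for this chapter, not Oracle code: it models FND_USER rows and the effective Applications SSO Login Types value as plain Python objects. The reserved value EXTERNAL and the AFPASSWD/FNDCPASS remedy come from the text; the login-type values LOCAL, SSO and BOTH, the policy field names and their mapping to profile options and directory attributes, and the sample rows are assumptions for illustration.

```python
"""Consistency checks for single sign-on password management.

Added example, not Oracle code. FND_USER rows and the effective
APPS_SSO_LOCAL_LOGIN value are modelled as plain objects; the login-type
values, policy field names and sample rows are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

EXTERNAL = "EXTERNAL"   # reserved keyword stored in place of a local password


@dataclass
class AppAccount:
    user_name: str
    encrypted_user_password: str      # EXTERNAL or a locally stored (encrypted) value
    local_login: str                  # effective APPS_SSO_LOCAL_LOGIN: 'LOCAL', 'SSO' or 'BOTH' (assumed values)
    user_guid: Optional[str] = None   # GUID of the linked OID single sign-on account, if any


def check_account(acct: AppAccount) -> list:
    """Return findings for one application account (an empty list means consistent)."""
    findings = []
    has_local_pw = acct.encrypted_user_password != EXTERNAL
    if acct.local_login in ("LOCAL", "BOTH") and not has_local_pw:
        # Local login is allowed but only the LDAP password exists:
        # the administrator must set one with AFPASSWD or FNDCPASS.
        findings.append("local login permitted but no local password is stored")
    if acct.local_login == "SSO" and has_local_pw:
        # An SSO-only account should carry the EXTERNAL marker, not a usable password.
        findings.append("SSO-only account still holds a local password")
    if acct.local_login in ("SSO", "BOTH") and acct.user_guid is None:
        # Without a GUID the account cannot be located after the single sign-on handshake.
        findings.append("SSO access permitted but account is not linked to an OID entry")
    return findings


def audit_accounts(accounts) -> dict:
    """Map user_name -> findings, for accounts that have at least one finding."""
    result = {}
    for acct in accounts:
        found = check_account(acct)
        if found:
            result[acct.user_name] = found
    return result


def ebs_policy_weaker_than_oid(ebs_policy: dict, oid_policy: dict) -> list:
    """Rules for which the E-Business Suite policy is less restrictive than OID's.

    A password provisioned from E-Business Suite is rejected by OID if it
    fails OID's policy, so this must return [] before enabling that direction.
    Assumed mapping: min_length ~ 'Signon Password Length' / pwdMinLength,
    alphanumeric ~ 'Signon Password Hard to Guess' / orclPwdAlphaNumeric.
    """
    weaker = []
    if ebs_policy.get("min_length", 0) < oid_policy.get("min_length", 0):
        weaker.append("min_length")
    if oid_policy.get("alphanumeric") and not ebs_policy.get("alphanumeric"):
        weaker.append("alphanumeric")
    return weaker


# Constructed sample rows; the password values are placeholders, not real ciphertext.
SAMPLE_ACCOUNTS = [
    AppAccount("SYSADMIN", "{ENC}a1b2c3", "LOCAL"),                     # local administrator
    AppAccount("JDOE", EXTERNAL, "SSO", user_guid="8A1F0C"),            # SSO-only, linked
    AppAccount("CONTRACTOR1", EXTERNAL, "BOTH", user_guid="2C40EE"),    # needs a local password
    AppAccount("RSMITH", "{ENC}d4e5f6", "SSO"),                         # never linked, still local
]
```

Run `audit_accounts(SAMPLE_ACCOUNTS)` to list the accounts that need attention; in the constructed data CONTRACTOR1 needs a local password set with AFPASSWD or FNDCPASS, and RSMITH has never been linked and still carries a local password although the profile says SSO only.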
Oracle Internet Directory has a powerful and flexible set of configuration options. Most E-Business Suite system and security administrators will be able to use the default Oracle Internet Directory configuration. Security administrators with advanced security requirements may choose to use alternate Oracle Internet Directory configurations. Refer to the ‘Directory Deployment’ chapter in the Oracle Internet Directory Administrator's Guide, Release 10g. Items of particular importance to Oracle E-Business Suite integration are:
Identity management realm
DIT structure
What attribute is chosen as the nickname attribute
Whether new users are to be created
Only from Oracle Internet Directory
Only from Oracle E-Business Suite Release 12
From both Oracle E-Business Suite and Oracle Internet Directory
Whether updates to user information are to be provisioned. If so, what user attributes are to be provisioned, and the direction of provisioning.
Which users only need local access to Oracle E-Business Suite 12, which users only need access via Oracle Single Sign-On, and which users need both types of access.
Oracle Single Sign-On settings:
Session timeout values for both Oracle E-Business Suite and Oracle Single Sign-On server.
Password policy for both Oracle E-Business Suite and Oracle Single Sign-On server.
Current Oracle Internet Directory host, port, and administration account information.
Complete all steps in My Oracle Support Knowledge Document 376811.1, Installing Oracle Application Server 10g with Oracle E-Business Suite Release 12. Begin by picking a template for creating the provisioning profile that will be used in the installation process:
If your deployment creates new users from Oracle Internet Directory only, start with the template ProvOIDToApps.tmp.
If your deployment creates new users from Oracle E-Business Suite only, start with the template ProvAppsToOID.tmp.
If your deployment creates new users from both Oracle Internet Directory and Oracle E-Business Suite, start with the template ProvBiDirection.tmp. This provisioning profile is selected by default.
You may need to further customize the template based on the events and attributes that need to be provisioned: refer to “Configuring Directory Integration Platform Provisioning Templates” for details of the templates and the configuration process.
Identify the user population that only need local login access to Oracle E-Business Suite, and set the Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) profile accordingly for those users (see ”Oracle E-Business Suite Release 12 Single Sign-On Profile Options”).
Configure session time out values in both Oracle E-Business Suite Release 12 and Oracle Single Sign-On.
Configure password policies, as appropriate, in Oracle Internet Directory and the E-Business Suite.
Migrate existing Oracle E-Business Suite accounts to Oracle Internet Directory using the Oracle E-Business Suite User Bulk Migration Tool (see “Migrating Data between Oracle E-Business Suite Release 12 and Oracle Internet Directory”).
Set Oracle E-Business Suite profile options (see ”Oracle E-Business Suite Release 12 Single Sign-On Profile Options”).
| Profile Name (Internal Profile Code) | Recommended Value |
|---|---|
| Applications SSO type (APPS_SSO) | Set to ‘SSWA w/SSO’ to switch to Single Sign-On mode |
| Self-Service Personal Home Page mode (APPLICATIONS_HOME_PAGE) | Set to the desired choice of home page |
| Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) | At the site level, set the value to the usage mode the majority of users will be in. Override at the user level for users who have special needs |
| Applications Local Login URL (APPS_LOCAL_LOGIN_URL) | If using a customized local login page, set the value to the name of the page; otherwise leave unchanged |
| Applications SSO Auto Link User (APPS_SSO_AUTO_LINK_USER) | Set as needed; see “Oracle E-Business Suite Release 12 Single Sign-On Profile Options” |
| Applications SSO Allow Multiple Accounts (APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS) | Leave unchanged |
| Application SSO LDAP Synchronization (APPS_SSO_LDAP_SYNC) | Leave unchanged at the site level; override at the user level for users with special needs |
| Applications Local Change Password URL (APPS_LOCAL_CHANGE_PWD_URL) | Leave unchanged unless using a customized self-service change password page to change passwords in Oracle E-Business Suite Release 12 |
| Application SSO Change Password URL (APPS_SSO_CHANGE_PWD_URL) | Set to the absolute URL of the self-service password change page in Oracle Internet Directory |
| Applications SSO Enable OID Identity Add Event (APPS_SSO_OID_IDENTITY) | Set as needed; see “Oracle E-Business Suite Release 12 Single Sign-On Profile Options” |
This section and the following three present more sophisticated deployment scenarios. The solutions given should be interpreted as guidelines or building blocks rather than definitive instructions, as all real world deployments will be unique. In the cases presented, the solutions are built upon the basic scenario discussed above, and only highlight those actions that are different from, or additional to, the basic one.
Multiple new Oracle E-Business Suite Release 12 environments have been installed using the Rapid Install Wizard. Other than the default seeded Release 12 administrative accounts, no user accounts have been registered yet.
No Single Sign-On infrastructure in place.
Oracle Portal is not implemented.
This scenario applies when a customer wants to integrate multiple new Oracle E-Business Suite Release 12 environments with a single Oracle Single Sign-On instance.
Oracle Application Server 10g with Oracle Single Sign-On and Oracle Internet Directory is needed for the integration. All the installations of Oracle E-Business Suite Release 12 delegate user sign-on and authentication to Oracle Single Sign-On Server.
Oracle Single Sign-On Server authenticates user credentials against user entries in Oracle Internet Directory. Oracle Internet Directory contains every user’s single sign-on account id and password.
Either Oracle Internet Directory or one Oracle E-Business Suite Release 12 instance can be designated as the source of user enrollment. If Oracle Internet Directory is the source, details of user accounts can be propagated to each Oracle E-Business Suite instance via the provisioning process. If an Oracle E-Business Suite instance is the source, the provisioning process will propagate user accounts from that instance to Oracle Internet Directory, and then to the other Oracle E-Business Suite instances.
Optional: User profile information in an Oracle E-Business Suite Release 12 instance can be kept synchronized with the information in Oracle Internet Directory.
See Base Scenario 0 for details of steps required.
In this solution, the system administrator must decide which component will be the point of user enrollment and the source of truth for user information. Either Oracle Internet Directory or one Oracle E-Business Suite instance can be chosen for this role.
Oracle Internet Directory is the point of user enrollment and source of truth.
After a user is created in Oracle Internet Directory, the user identity can be propagated to each Oracle E-Business Suite instance via the provisioning process. To accomplish this, the provisioning profile for each Oracle E-Business Suite Release 12 instance needs to enable the SUBSCRIPTION_ADD event from Oracle Internet Directory to Oracle E-Business Suite Release 12.
Optional: The provisioning profile can also be configured such that user profile information change in Oracle Internet Directory can be propagated to each Oracle E-Business Suite Release 12 instance. To accomplish this, the provisioning profile for each Oracle E-Business Suite Release 12 instance needs to enable the IDENTITY_MODIFY event from Oracle Internet Directory to Oracle E-Business Suite Release 12.
An Oracle E-Business Suite Release 12 instance (such as HR) is designated as the point of user enrollment and source of truth (the master instance).
After a user is created from the master Oracle E-Business Suite Release 12 instance, the provisioning process can be used to propagate the user identity first to Oracle Internet Directory, then to other Oracle E-Business Suite Release 12 instances. To accomplish this, the provisioning profile for the master Oracle E-Business Suite Release 12 instance needs to enable the IDENTITY_ADD event from Oracle E-Business Suite Release 12 to Oracle Internet Directory. The provisioning profile for the rest of the Oracle E-Business Suite Release 12 instances needs to enable the SUBSCRIPTION_ADD event from Oracle Internet Directory to Oracle E-Business Suite Release 12.
Optional: The provisioning profile can also be configured such that user profile information change in the master Oracle E-Business Suite Release 12 instance can be propagated to Oracle Internet Directory, then to other Oracle E-Business Suite Release 12 instances.
This section presents a slightly more sophisticated, and common, deployment scenario.
Oracle E-Business Suite Release 12 has been newly installed using the Rapid Install Wizard. Other than the default seeded Release 12 administrative accounts, no user accounts have been registered yet.
A third-party authentication mechanism such as Microsoft Windows Kerberos or CA eTrust SiteMinder (formerly Netegrity SiteMinder) is in use as a corporate single sign-on solution.
A third-party LDAP directory such as Microsoft Active Directory or SunONE/iPlanet is in use as a corporate user directory.
Oracle Portal is not implemented.
Need to integrate a new installation of Oracle E-Business Suite Release 12 with an existing third-party single sign-on authentication mechanism and third-party LDAP directory infrastructure.
Oracle Application Server 10g (including Oracle Single Sign-On and Oracle Internet Directory) is a mandatory prerequisite for integration with third-party authentication mechanisms or third-party LDAP directories.
Integrating Oracle E-Business Suite directly with third-party authentication mechanisms or third-party LDAP directories is not supported.
Oracle E-Business Suite and Oracle Single Sign-On need to be set up to enable Oracle E-Business Suite delegation of authentication to Oracle Single Sign-On, which in turn delegates the functionality to the third-party single sign-on authentication mechanism.
Oracle Internet Directory needs to be set up to synchronize a minimal set of user attributes from the third-party LDAP directory for all users who will access Oracle E-Business Suite via single sign-on. Refer to the Oracle Directory Integration and Provisioning Platform chapter in the Oracle Internet Directory Administrator's Guide Release 10g for more information about performing this integration.
Oracle Internet Directory also needs to be set up to provision users in Oracle Internet Directory to Oracle E-Business Suite.
Existing users in the third-party LDAP can be bulk migrated into Oracle Internet Directory, and then bulk migrated into Oracle E-Business Suite.
Optional: A set of user profile information in Oracle E-Business Suite can be kept synchronized with the information in the third-party LDAP directory.
Sign on process: the sign on user experience is the same as that in the base scenario, except that the login page is served by the third-party authentication mechanism.
Sign out process: when a user logs out from Oracle E-Business Suite Release 12, Oracle Single Sign-On Server logs the user out of all registered Oracle partner applications. The user is also logged out of the third-party single sign-on solution.
Session timeout: the session timeout user experience is the same as that in the base scenario, except that the user will be asked to re-authenticate only when the application session, the Oracle Single Sign-On session and the third-party session have all become invalid.
When an unauthenticated user attempts to access Oracle E-Business Suite Release 12, Oracle E-Business Suite Release 12 delegates user authentication to Oracle Single Sign-On server, which in turn delegates to the third-party authentication mechanisms.
Note: For further details of integration with third-party authentication mechanisms, refer to Oracle Application Server Single Sign-On Administrator's Guide 10g, Chapter 13, “Integrating with Third-Party Access Management Systems".
Oracle Internet Directory can synchronize user information with a third-party LDAP server via the synchronization process.
Oracle Internet Directory includes tools to bulk migrate users between Oracle Internet Directory and a third-party LDAP server.
Note: Refer to the Oracle Internet Directory 10g Administrator’s Guide for more information.
At the starting point of the deployment, the third-party LDAP server is the sole user repository. For users registered there who will need to access Oracle E-Business Suite, the single sign-on solution requires them to exist in Oracle Internet Directory as well as in Oracle E-Business Suite Release 12.
Oracle recommends retaining the third-party LDAP directory as the master source of truth for user information. Use the Oracle Internet Directory synchronization solution to migrate users from the third-party LDAP directory into Oracle Internet Directory, and then use the Oracle Internet Directory provisioning solution to move users into Oracle E-Business Suite.
Important: For pending users that are enabled in Oracle E-Business Suite after user creation, the IDENTITY_MODIFY event from E-Business Suite to Oracle Internet Directory must be enabled.
Existing users can be migrated from the third-party LDAP directory into Oracle Internet Directory, and then into Oracle E-Business Suite via the bulk migration tool.
System administrators can create synchronization profiles to integrate Oracle Internet Directory with the third-party LDAP directory, which results in:
Creation of a new single sign-on account in the third-party LDAP directory automatically triggering the creation of a new single sign-on account in Oracle Internet Directory.
Ability to specify users to be synchronized, and which attributes of the users are to be created in Oracle Internet Directory.
Creation of a GUID attribute for each user created in Oracle Internet Directory.
System administrators also create provisioning profiles to integrate Oracle E-Business Suite Release 12 with Oracle Internet Directory, which results in:
Creation of a new account in Oracle Internet Directory automatically triggering the creation of a new application account in Oracle E-Business Suite Release 12.
Ability to specify user attributes created in Oracle E-Business Suite.
System administrators can configure synchronization profiles to synchronize some or all of the user attributes from the single sign-on account in the third-party LDAP directory into the single sign-on account in Oracle Internet Directory when those attributes are modified.
System administrators can configure provisioning profiles to provision some or all of the user attributes from Oracle Internet Directory into Oracle E-Business Suite when those attributes are modified.
Synchronization and provisioning profiles can also be used to configure the system such that terminating a user in the third-party LDAP directory also end-dates the user in Oracle E-Business Suite.
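The fan-out described in Scenario 1 (one source of enrolment, either Oracle Internet Directory or a master Oracle E-Business Suite instance, with the other instances subscribing) and the synchronization and provisioning profiles just listed for a third-party LDAP directory are easiest to reason about as a small event model: who originates a user, which direction each profile enables, and what a subscriber does with an IDENTITY_MODIFY or a termination. The following is an added example written for this chapter, not Oracle Directory Integration Platform code. The event names IDENTITY_ADD, IDENTITY_MODIFY and SUBSCRIPTION_ADD are the ones the chapter uses; the termination event name IDENTITY_DELETE, the profile dictionary layout, the GUID generation, the class and function names and all sample users are assumptions for illustration.

```python
"""In-memory model of OID provisioning fan-out and third-party LDAP synchronization.

Added example, not Oracle DIP code. IDENTITY_DELETE as the termination event,
the profile layout and every sample user are assumptions.
"""
import uuid


class EbsInstance:
    """One E-Business Suite instance: a FND_USER-like table plus its provisioning profile."""

    def __init__(self, name, profile):
        self.name = name
        self.profile = profile   # events this instance's provisioning profile enables
        self.users = {}          # user_name -> {"guid", "attrs", "end_dated"}
        self.oid = None

    def create_user(self, user_name, attrs):
        """Enrolment in this instance (for example the HR master)."""
        self.users[user_name] = {"guid": None, "attrs": dict(attrs), "end_dated": False}
        if self.profile.get("IDENTITY_ADD") and self.oid is not None:
            # Apps -> OID direction: OID creates the entry and fans it out to subscribers.
            self.users[user_name]["guid"] = self.oid.add_user(user_name, attrs, source=self.name)

    def on_subscription_add(self, user_name, guid, attrs):
        """OID -> Apps direction: create the application account, or link an existing one by GUID."""
        if user_name in self.users:
            self.users[user_name]["guid"] = guid
        else:
            self.users[user_name] = {"guid": guid, "attrs": dict(attrs), "end_dated": False}

    def on_identity_modify(self, guid, changed):
        for user in self.users.values():
            if user["guid"] == guid:
                user["attrs"].update(changed)

    def on_identity_delete(self, guid):
        """Termination upstream end-dates the application account; it is not deleted."""
        for user in self.users.values():
            if user["guid"] == guid:
                user["end_dated"] = True


class Directory:
    """Stands in for Oracle Internet Directory together with its provisioning service."""

    def __init__(self):
        self.entries = {}        # nickname -> {"guid", "attrs"}
        self.subscribers = []

    def subscribe(self, inst):
        inst.oid = self
        self.subscribers.append(inst)

    def add_user(self, nickname, attrs, source="OID"):
        if nickname in self.entries:
            raise ValueError("nickname already exists in OID: " + nickname)
        guid = uuid.uuid4().hex.upper()
        self.entries[nickname] = {"guid": guid, "attrs": dict(attrs)}
        for inst in self.subscribers:
            # The instance that originated the user does not receive its own account back.
            if inst.name != source and inst.profile.get("SUBSCRIPTION_ADD"):
                inst.on_subscription_add(nickname, guid, attrs)
        return guid

    def modify_user(self, nickname, changed):
        entry = self.entries[nickname]
        entry["attrs"].update(changed)
        for inst in self.subscribers:
            if inst.profile.get("IDENTITY_MODIFY"):
                inst.on_identity_modify(entry["guid"], changed)

    def delete_user(self, nickname):
        entry = self.entries.pop(nickname)
        for inst in self.subscribers:
            if inst.profile.get("IDENTITY_DELETE"):
                inst.on_identity_delete(entry["guid"])


def sync_from_third_party_ldap(oid, ldap_rows, in_scope, attrs_to_sync):
    """Synchronization profile: copy only in-scope users, and only the listed attributes, into OID."""
    created = []
    for row in ldap_rows:
        if not in_scope(row) or row["uid"] in oid.entries:
            continue
        oid.add_user(row["uid"], {k: row[k] for k in attrs_to_sync if k in row})
        created.append(row["uid"])
    return created


def build_hr_master_topology():
    """Scenario 1 with HR as master: HR pushes IDENTITY_ADD to OID, the others subscribe."""
    oid = Directory()
    hr = EbsInstance("HR", {"IDENTITY_ADD": True})
    fin = EbsInstance("FIN", {"SUBSCRIPTION_ADD": True, "IDENTITY_MODIFY": True, "IDENTITY_DELETE": True})
    crm = EbsInstance("CRM", {"SUBSCRIPTION_ADD": True})
    for inst in (hr, fin, crm):
        oid.subscribe(inst)
    return oid, hr, fin, crm
```

The point the model makes visible is that each direction is gated by the subscriber's own profile: a user created in HR reaches FIN and CRM with one shared GUID, a later attribute change in the directory reaches FIN only (CRM did not enable IDENTITY_MODIFY), and a termination end-dates the FIN account only. A user synchronized in from the third-party LDAP directory is treated exactly like one enrolled in the directory itself, with only the attributes the synchronization profile names.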
Password management can, if desired, remain as it was before the integration. That is, user passwords can remain in the third-party LDAP; it is not necessary to duplicate them in Oracle Internet Directory. Note that Oracle E-Business Suite will not store passwords for users provisioned from Oracle Internet Directory.
End user tasks: Most end users should use the methods provided by the third-party LDAP directory for password maintenance functions.
System administrator tasks: To reset single sign-on passwords, an administrator should follow the methods provided by the third-party LDAP directory.
Password management policies: User’s password creation, modification and single sign-on login activities are subject to the third-party LDAP rules that govern how passwords are created and used.
Oracle Internet Directory has a powerful and flexible set of configuration options. Most E-Business Suite system and security administrators will be able to use the default Oracle Internet Directory configuration. Security administrators with advanced security requirements may choose to use alternate Oracle Internet Directory configurations. Please refer to the ‘Directory Deployment’ chapter in the Oracle Internet Directory Administrator's Guide, Release 10g. Items of particular importance to Oracle E-Business Suite integration are:
Identity management realm
DIT structure
What attribute is chosen as the nickname attribute
Synchronization between Oracle Internet Directory and the third-party LDAP directory:
Identifying users who need to access Oracle E-Business Suite Release 12, and must therefore be synchronized from the third-party LDAP directory to Oracle Internet Directory.
Which user attributes to synchronize from the third-party LDAP directory to Oracle Internet Directory.
Provisioning between Oracle Internet Directory and Oracle E-Business Suite:
Which attributes to provision during account creation.
Whether to provision user changes from Oracle Internet Directory to Oracle E-Business Suite Release 12. If yes, which attributes to provision.
Decisions related to single sign-on settings.
Session timeouts for Oracle Single Sign-On, third-party single sign-on, and Oracle E-Business Suite Release 12.
Current third-party LDAP/single sign-on deployment information, including host, port, and administration account information.
Documentation from Oracle and third-party LDAP and single sign-on product vendors describing integration with Oracle Application Server 10g.
Complete all steps in My Oracle Support Knowledge Document 376811.1, Installing Oracle Application Server 10g with Oracle E-Business Suite Release 12. The installation process requires the choice of a template for creating the provisioning profile.
Start with the template ProvOIDToApps.tmp.
This deployment may require further customization of the template file to configure the provisioning process, in particular which attributes are provisioned. Refer to “Configuring Directory Integration Platform Provisioning Templates” for details of the templates and the configuration process.
Configure Oracle Single Sign-On Server to work with third-party authentication mechanism.
Migrate existing accounts that need to access Oracle E-Business Suite from third-party LDAP into Oracle Internet Directory. Configure Oracle Internet Directory and third-party LDAP synchronization process.
Migrate existing Oracle Internet Directory users into Oracle E-Business Suite.
Configure session timeout values.
Set Oracle E-Business Suite profile options. The profile settings should be similar to those of the base scenario. Refer to “Oracle E-Business Suite Release 12 Single Sign-On Profile Options” for details of all relevant profile options.
A variation of this scenario may have some of the following characteristics:
A fresh install of Oracle E-Business Suite is involved.
Existing Oracle Single Sign-On and Oracle Internet Directory infrastructure.
No third-party authentication mechanism or third-party LDAP directory involved.
The major difference here is that all steps relating to third-party (non-Oracle) software can be ignored.
This scenario describes a more complex deployment possibility, which may be required in some larger organizations.
Oracle E-Business Suite Release 12 is in use, and has existing users populated in an up-to-date FND_USER repository.
A third-party authentication mechanism such as Microsoft Windows Kerberos or CA eTrust SiteMinder (formerly Netegrity SiteMinder) is in use as a corporate single sign-on solution.
A third-party LDAP directory such as Microsoft Active Directory or SunONE/iPlanet is in use as a corporate user directory.
At the start of the implementation, a user may exist in both Oracle E-Business Suite Release 12 and the third-party LDAP directory, with either the same user name in both, or a different user name in each.
Oracle Portal is not implemented.
Need to integrate existing Oracle E-Business Suite Release 12 with existing third-party single sign-on and user directory infrastructure.
Oracle Application Server 10g (including Oracle Single Sign-On and Oracle Internet Directory) is needed for the integration. Oracle E-Business Suite and Oracle Single Sign-On need to be set up so that Oracle E-Business Suite delegates authentication to Oracle Single Sign-On, which in turn delegates the functionality to the third-party authentication mechanism in use.
Oracle Internet Directory must be configured to synchronize a minimal set of information from the third-party LDAP directory for users who will access Oracle E-Business suite via single sign-on.
Existing users in the third-party LDAP directory can be bulk migrated into Oracle Internet Directory.
Existing accounts in both Oracle E-Business Suite and third-party LDAP can be linked. With proper planning, new users can be synchronized from the third-party LDAP directory into Oracle Internet Directory, and then into Oracle E-Business Suite.
Optional: User profile information in Oracle E-Business Suite can be kept synchronized with the information in the third-party LDAP directory.
The single sign-on, sign-off and session timeout processes in this deployment scenario are similar to those in Scenario 2, with one significant difference during sign-on. In the case where a user already has an account in the third-party LDAP directory and an account in Oracle E-Business Suite (with the same account name or a different account name), Oracle recommends the following approach:
Migrate the third-party LDAP account into Oracle Internet Directory through either the bulk migration tool (for existing accounts) or the synchronization process (for new accounts).
Use the Link-on-the-Fly feature to link the single sign-on account in Oracle Internet Directory with the applications account in Oracle E-Business Suite Release 12, by proceeding as follows:
In the single sign-on handshake (described in the base scenario) Oracle Single Sign-On returns the GUID of the authenticated user to Oracle E-Business Suite.
Oracle E-Business Suite then uses the GUID to try to locate the user’s Oracle E-Business Suite application account.
If it is the first time the user is accessing an Oracle E-Business Suite instance, no associated application account will be found, since the user’s Oracle E-Business Suite account did not have the GUID information before the Oracle Single Sign-On integration took place.
The user is directed to a ‘Link Account’ page (see screenshot below) for entry of the Oracle E-Business Suite application account username and password.
Once the application account information has been successfully verified, the user is redirected to the requested Oracle E-Business Suite page or the user’s home page, as applicable. Additional logic is as follows:
The association between the single sign-on account and the application account (represented by the GUID) is retained.
Oracle E-Business Suite will not redirect the user to the ‘Link Account’ page on subsequent accesses.
If the application account information is not verified, the user is directed back to the ‘Link Account’ page.
This overall process is illustrated by the following diagram:
Advanced Option: In cases where users have accounts in both a third-party LDAP directory and Oracle E-Business Suite, it may sometimes be the case that all the LDAP account names are known to be identical to the Oracle E-Business Suite account names. In such cases, the value of the profile ‘Applications SSO Auto Link User’ can be set to ‘Y’. Subsequently, when Oracle E-Business Suite fails to locate an application account by GUID, it will try to locate one by the account name, and if successful it will then link the two accounts by GUID. The linking operation will be performed behind the scenes, and the user will not see the ‘link account’ page. See “Oracle E-Business Suite Release 12 Single Sign-On Profile Options” for more details.
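The Link-on-the-Fly sequence above is a small state machine: locate the application account by the GUID returned from the single sign-on handshake; if none is found, either link silently by identical account name (when ‘Applications SSO Auto Link User’ is set) or send the user to the ‘Link Account’ page; verify the application credentials entered there; on success store the GUID and, for an SSO-only account, replace the local password with EXTERNAL. The following is an added example written for this chapter, not Oracle E-Business Suite code. It keeps the page names, the reserved value EXTERNAL, the GUID lookup and the auto-link behaviour from the text; the local credential is verified against a constructed SHA-256 hash rather than the product's own storage scheme, and the class, method and sample account names, the GUID strings and the guard that refuses to re-link an already linked account to a second identity are assumptions for illustration.

```python
"""Model of the Link-on-the-Fly decision sequence.

Added example, not Oracle code. Passwords are verified against a constructed
SHA-256 hash (not E-Business Suite's scheme); names and GUIDs are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

EXTERNAL = "EXTERNAL"
LINK_ACCOUNT_PAGE = "LINK_ACCOUNT_PAGE"
HOME = "HOME"


def pw_hash(password: str) -> str:
    """Constructed placeholder for the locally stored credential."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class AppAccount:
    user_name: str
    stored_password: str                # pw_hash(...) or EXTERNAL once SSO-only
    user_guid: Optional[str] = None     # GUID of the linked single sign-on account
    local_login_allowed: bool = False   # APPS_SSO_LOCAL_LOGIN of BOTH: keep the local password


class LinkOnTheFly:
    def __init__(self, accounts, auto_link_user=False):
        self.by_name = {a.user_name: a for a in accounts}
        self.auto_link_user = auto_link_user   # profile 'Applications SSO Auto Link User'

    def _by_guid(self, guid):
        return next((a for a in self.by_name.values() if a.user_guid == guid), None)

    def _link(self, acct, guid):
        acct.user_guid = guid
        if not acct.local_login_allowed:
            acct.stored_password = EXTERNAL    # SSO-only account: local password is retired

    def after_sso_handshake(self, guid, sso_nickname):
        """Oracle Single Sign-On has returned the authenticated user's GUID."""
        acct = self._by_guid(guid)
        if acct is not None:
            return HOME, acct                  # already linked: no Link Account page
        if self.auto_link_user:
            acct = self.by_name.get(sso_nickname)
            if acct is not None and acct.user_guid is None:
                self._link(acct, guid)         # silent link by identical account name
                return HOME, acct
        return LINK_ACCOUNT_PAGE, None

    def submit_link_account_page(self, guid, user_name, password):
        """The user entered application account credentials on the Link Account page."""
        acct = self.by_name.get(user_name)
        if acct is None or acct.stored_password == EXTERNAL:
            # Unknown account, or one already handed over to single sign-on.
            return LINK_ACCOUNT_PAGE, None
        if not hmac.compare_digest(acct.stored_password, pw_hash(password)):
            return LINK_ACCOUNT_PAGE, None     # not verified: back to the Link Account page
        if acct.user_guid is not None and acct.user_guid != guid:
            # Assumed guard: a BOTH-type account keeps its password but still belongs to one GUID.
            return LINK_ACCOUNT_PAGE, None
        self._link(acct, guid)
        return HOME, acct
```

Two behaviours worth noticing in the model: once an SSO-only account has been linked its password becomes EXTERNAL, so a second single sign-on identity cannot claim it even with the old password, and an account whose login type allows local access keeps its password after linking, exactly the case in which AFPASSWD or FNDCPASS remains relevant.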
The complexity of user management in this scenario lies mostly in the process of reconciling existing user data in the third-party LDAP and Oracle E-Business Suite. It is always necessary to synchronize the third-party LDAP data into Oracle Internet Directory for any users who need to access Oracle E-Business Suite via single sign-on. The single sign-on accounts in Oracle Internet Directory should be identical to the accounts in the third-party LDAP directory. No action is required for users whose details reside in the third-party LDAP and who do not need to access Oracle E-Business Suite.
For the rest of this discussion, it is assumed that all existing third-party LDAP users will need to access Oracle E-Business Suite, and that such users will therefore need to exist in Oracle Internet Directory. Depending on the characteristics of the existing data and desired functionality, there are various possibilities.
Option 1: Require users always to have created an account in the third-party LDAP directory and an account in the Oracle E-Business Suite, via the user enrollment method provided by each system.
In this case, the LDAP accounts are migrated into Oracle Internet Directory. The Oracle Internet Directory accounts and the Oracle E-Business Suite accounts are linked via the Link-on-the-Fly process described above (neither the SUBSCRIPTION_ADD nor the IDENTITY_ADD event is enabled in any provisioning profile used).
Optionally, administrators can configure the synchronization and provisioning process so that changes in user attributes can be propagated:
From the third-party LDAP directory into Oracle E-Business Suite via Oracle Internet Directory
From Oracle E-Business Suite into the third-party LDAP directory via Oracle Internet Directory
In both directions
The list of user attributes supported is currently limited, and listed later in "Supported Attributes”.
Option 2: Propagate new accounts from the third-party LDAP directory to Oracle E-Business Suite via Oracle Internet Directory (as described in Scenario 2).
Existing accounts in LDAP and/or Oracle E-Business Suite will need to be reconciled. If a user has an existing account in the LDAP directory and an existing account in Oracle E-Business Suite, the Link-on-the-Fly feature can be used to link the two accounts; no other action is required. If a user has an existing account in Oracle E-Business Suite, but not in the third-party LDAP directory, an account must be created in the LDAP directory, and Link-on-the-Fly used to link the two accounts (this step needs to be performed before provisioning is configured).
If a user has an existing account in the third-party LDAP directory, but not in the Oracle E-Business Suite, an account must be created in Oracle E-Business Suite, and Link-on-the-Fly used to link the two accounts.
To eliminate the need to use the “Link Account” functionality for new users, new accounts can be propagated from the third-party LDAP directory to Oracle E-Business Suite via the Oracle Internet Directory synchronization and provisioning process. This strategy also eliminates the need for new users to enroll multiple times. However, before enabling this process, system administrators must set up procedures to ensure that new account names created in the third-party LDAP directory will not conflict with any existing account names in Oracle E-Business Suite.
Optionally, administrators can configure the synchronization and provisioning process so that changes in user attributes can be propagated from the third-party LDAP directory into Oracle E-Business Suite via Oracle Internet Directory.
Once a single sign-on account in Oracle Internet Directory is linked to an application account in Oracle E-Business Suite, the password for the application account in Oracle E-Business Suite is, as mentioned earlier, replaced with the reserved keyword “EXTERNAL”. The password stored in the master user directory for passwords is sufficient for authentication purposes.
Note that Oracle Single Sign-On server delegates user authentication to the third-party single sign-on solution, which in turn authenticates users against the third-party LDAP directory. As Oracle Internet Directory passwords will consequently be ignored, it is inadvisable to retain any passwords in Oracle Internet Directory.
The primary role of the third-party LDAP directory here can be represented as shown in the following diagram:
Oracle Internet Directory has a powerful and flexible set of configuration options. Most E-Business Suite system and security administrators will be able to use the default Oracle Internet Directory configuration. Security administrators with advanced security requirements may choose to use alternate Oracle Internet Directory configurations. Refer to the ‘Directory Deployment’ chapter in the Oracle Internet Directory Administrator's Guide, Release 10g. Items of particular importance to Oracle E-Business Suite integration are:
Identity management realm
DIT structure
The attribute chosen as the nickname attribute
Synchronization between Oracle Internet Directory and third-party LDAP directory. Items of particular importance are:
Identifying users who need to access Oracle E-Business Suite Release 12 and who therefore need to be synchronized between the third-party LDAP directory and Oracle Internet Directory
Which attributes to use to synchronize between Oracle Internet Directory and the third-party LDAP directory
Which user management option described above to use.
Decisions related to single sign-on settings, especially session timeouts for:
Oracle Single Sign-On
Third-party single sign-on components
Oracle E-Business Suite Release 12
Current third-party LDAP/single sign-on deployment information, including host, port, and administration account information. For this, you may need to refer to documentation from Oracle and third-party LDAP and Single Sign-On product vendors describing integration with Application Server Release 10g.
Depending on the user management options, develop a strategy to reconcile existing accounts in Oracle E-Business Suite 12 and the third-party LDAP.
Complete all steps in My Oracle Support Knowledge Document 376811.1, Installing Oracle Application Server 10g with Oracle E-Business Suite Release 12. The installation process requires the choice of a template for creating the provisioning profile.
If relying solely on the Link-on-the-Fly feature, start with the template ProvBiDiNoCreation.tmp; otherwise, start with the template ProvOIDToApps.tmp.
This deployment may require further customization of the template file to configure the provisioning process, in particular which attributes are synchronized. Refer to “Configuring Directory Integration Platform Provisioning Templates” for details of the templates and the configuration process.
Configure Oracle Single Sign-On Server to work with the third-party authentication mechanism.
Migrate existing third-party LDAP accounts to Oracle Internet Directory, and configure synchronization between third-party LDAP and Oracle Internet Directory.
Configure session timeout setting.
Set the Oracle E-Business Suite profile options. Refer to “Oracle E-Business Suite Release 12 Single Sign-On Profile Options” for further details of all relevant profile options.
A variation of this scenario may have the following characteristics:
Existing Oracle E-Business Suite Release 12 Installation
Existing Oracle Single Sign-On and Oracle Internet Directory infrastructure
No third-party single sign-on mechanism or third-party LDAP directory involved
The major difference here is that all steps relating to third-party (non-Oracle) software can be ignored.
Multiple Oracle E-Business Suite Release 12 instances are implemented, and each has an existing user population.
No existing Oracle Single Sign-On infrastructure is in place
Oracle Portal is not implemented.
This scenario applies to sites that have more than one Oracle E-Business Suite Release 12 instance in use, but no Oracle Single Sign-On infrastructure in place. The requirement is to enable Oracle Single Sign-On for the multiple Oracle E-Business Suite instances.
Oracle Application Server 10g (including Oracle Single Sign-On and Oracle Internet Directory) is needed for the integration. Each Oracle E-Business Suite instance delegates user sign-on and authentication to Oracle Single Sign-On Server.
Oracle Single Sign-On Server authenticates user credentials against user entries in Oracle Internet Directory. Oracle Internet Directory contains every user’s single sign-on account id and password.
A single sign-on account needs to be created for every user in Oracle Internet Directory. Existing application accounts in the Oracle E-Business Suite instances need to be linked to the single sign-on account.
Optional: User profile information in Oracle E-Business Suite can be kept synchronized with the information in Oracle Internet Directory.
The single sign-on architecture is the same as that described in the base scenario. In addition, the Link-on-the-Fly feature described in Scenario 3 may be used.
The options for user management in this scenario depend on the characteristics of existing user data in the multiple Oracle E-Business Suite instances.
Option 1: If one of the Oracle E-Business Suite instances (such as an HR system) is currently serving as the source of truth for user information for all Oracle E-Business suite instances, it is possible to change this in a two-stage process. First, migrate the existing users from that Oracle E-Business Suite instance into Oracle Internet Directory using the bulk migration tool, and then configure the provisioning process such that any further new users created in that Oracle E-Business Suite instance are automatically provisioned into Oracle Internet Directory.
Users who already have accounts on the other Oracle E-Business Suite instances will use the Link-on-the-Fly mechanism to link their single sign-on accounts to their application accounts on those instances.
New users provisioned into Oracle Internet Directory can be selectively provisioned into the other Oracle E-Business Suite instances.
Option 2: If none of the existing Oracle E-Business Suite instances is the master source of truth for user information, it is possible to migrate the existing accounts in all Oracle E-Business Suite instances into Oracle Internet Directory with the following restrictions on the existing data:
No two users have the same account names across all Oracle E-Business Suite instances.
If a user has accounts in multiple Oracle E-Business Suite instances, those accounts must be of the same account name.
After the migration, new users can be created from Oracle Internet Directory, and then selectively provisioned into an Oracle E-Business suite instance.
Option 3: If the above options are not feasible, a deployment may choose not to rely on the provisioning process for creating accounts (no SUBSCRIPTION_ADD nor IDENTITY_ADD event enabled in provisioning profile). Every user who needs single sign-on access to an Oracle E-Business Suite is required to have created a single sign-on account in Oracle Internet Directory, and an application account in that Oracle E-Business Suite Release 12 instance, via the user enrollment method provided by each system. The Oracle Internet Directory account and Oracle E-Business Suite account are linked via the Link-on-the-Fly process when the user accesses an Oracle E-Business instance for the first time.
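The reconciliation that the third-party LDAP scenario and Option 2 above both require (no account name may belong to two different people, and one person must carry the same account name in every instance) can be checked mechanically before any bulk migration is run. The following is an added example, not code from the original chapter or from Oracle: it works on a constructed list of (instance, account name, person) rows, where the person column is assumed to be whatever attribute (a work e-mail address here) identifies the human behind an account, and flags both kinds of conflict. Exporting FND_USER.USER_NAME from each instance and the uid from the third-party LDAP directory into the same shape applies the same test to new directory accounts versus existing E-Business Suite names.

```python
from collections import defaultdict

# Constructed sample rows (instance, account name, person identifier); the
# "person" column stands for whatever attribute, such as a work e-mail address,
# identifies the human behind an account. None of these are real accounts.
SAMPLE_ACCOUNTS = [
    ("HR",   "JSMITH",   "john.smith@example.com"),
    ("FIN",  "JSMITH",   "john.smith@example.com"),   # same person, same name: fine
    ("FIN",  "AJONES",   "anna.jones@example.com"),
    ("CRM",  "AJONES",   "andrew.jones@example.com"), # two people share one name
    ("HR",   "MLEE",     "mary.lee@example.com"),
    ("CRM",  "MARY.LEE", "mary.lee@example.com"),     # one person, two names
    ("LDAP", "PNOVAK",   "petra.novak@example.com"),  # new third-party LDAP uid ...
    ("HR",   "PNOVAK",   "pavel.novak@example.com"),  # ... collides with an existing EBS user
]


def find_conflicts(accounts):
    """Return the account-name conflicts that make a merge into one directory unsafe.

    Two rules are checked, matching the restrictions stated for Option 2:
      * one account name must belong to exactly one person across all sources
        ("no two users have the same account name");
      * one person must use the same account name everywhere ("accounts in
        multiple instances must have the same account name").
    Feeding a third-party LDAP export in as one more source applies the first
    rule to new directory uids versus existing E-Business Suite names as well.
    Account names are compared case-insensitively (assumption: adjust if your
    instances treat user names as case-sensitive).
    """
    persons_by_name = defaultdict(set)
    names_by_person = defaultdict(set)
    for _instance, user_name, person in accounts:
        name = user_name.upper()
        who = person.lower()
        persons_by_name[name].add(who)
        names_by_person[who].add(name)
    return {
        "shared_name": {n: sorted(p) for n, p in persons_by_name.items() if len(p) > 1},
        "split_person": {p: sorted(n) for p, n in names_by_person.items() if len(n) > 1},
    }


def migration_is_safe(accounts):
    """True only when neither rule is violated."""
    conflicts = find_conflicts(accounts)
    return not conflicts["shared_name"] and not conflicts["split_person"]


if __name__ == "__main__":
    report = find_conflicts(SAMPLE_ACCOUNTS)
    for name, people in report["shared_name"].items():
        print(f"account name {name} is used by different people: {people}")
    for person, names in report["split_person"].items():
        print(f"{person} has different account names: {names}")
    print("safe to migrate:", migration_is_safe(SAMPLE_ACCOUNTS))
```

Every conflict reported has to be resolved by hand (renaming one of the accounts, or deciding which person keeps the name) before the bulk migration tool or the provisioning process is allowed to create directory entries; otherwise the Link-on-the-Fly logic will link the wrong person to an existing application account.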
The Oracle E-Business Suite local login page is now a Framework-based page. By default, all regions are displayed on the login page. As with all Framework-based pages, however, it can be personalized. Some of the personalizations that may be desired are:
Hiding "Register Here" and "Login Assistance" links
Hiding the language images region
Hiding the Cancel button
Setup Steps for Login Page Personalization
Set the profile FND_PERSONALIZATION_REGION_LINK_ENABLED to Yes
Select the Functional Administrator responsibility
Select the Personalization tab
Enter the document path for the Local Login page definition: for example, /oracle/apps/fnd/sso/login/webui.
Select a Region to customize: for example, /oracle/apps/fnd/sso/login/webui/LoginRN
This takes you to the Choose Personalization Context page: select Apply.
The personalization structure is displayed where an item can be selected and its properties changed
In most cases, a user’s single sign-on account in Oracle Internet Directory will correspond to a single application account in Oracle E-Business Suite Release 12. However, there may be special cases where a user has a single sign-on account in Oracle Internet Directory and multiple application accounts in Oracle E-Business Suite Release 12. In such a case, it is possible to associate a single sign-on account in Oracle Internet Directory with multiple application accounts in Oracle E-Business Suite Release 12:
This feature can be enabled by system administrators via a profile option (‘Applications SSO Allow Multiple Accounts’). To utilize this feature, proceed as follows:
Log in to Oracle E-Business Suite using a valid single sign-on account in Oracle Internet Directory.
Once logged in, access the ‘Single Sign-On Account Settings’ page by clicking the ‘Account Settings’ button from the ‘Preferences’ page.
To associate additional application accounts with an existing single sign-on account, choose ‘Add Account’ and enter the new application account user name and password when prompted.
Verification of the new application account information will result in redirection back to the ‘Single Sign-On Account Settings’ page, showing the newly linked account.
Failure to verify the new account information will result in redirection back to the ‘Add Account’ page.
The first linked application account is marked as the default application account for the single sign-on account, and is the account the user will be logged into after Oracle Single Sign-On authentication. If required, the default account can be changed by making the appropriate selection on the ‘Single Sign-On Account Settings’ page.
After logging into Oracle E-Business Suite via Oracle Single Sign-On, a user can view all currently linked application accounts using the ‘Single Sign-On Account Settings’ page, and can if desired switch to another linked application account by selecting that account and clicking on ‘Make Current Account’. If this feature is disabled by the system administrator, the ‘Add Account’ button will not appear on the ‘Single Sign-On Account Settings’ page and users will not be permitted to link multiple application accounts to their single sign-on account.
Only one single sign-on account in Oracle Internet Directory may be linked to a given application account in Oracle E-Business Suite Release 12 at a time; simultaneous linking of multiple single sign-on accounts to a single application account is not supported.
Logging in via the Oracle Single Sign-On server login page, a user can pick the desired language preference from the browser. This preference will be passed from the Oracle Single Sign-On server to Oracle E-Business Suite Release 12, which will honor the language choice if the language is supported.
OracleAS 10g and the E-Business Suite database server system clocks should be accurate, and kept synchronized. If the clocks are inaccurate or out-of-sync, user provisioning flows may be affected.
Be aware of the following points:
OracleAS 10g converts all times to GMT. If the orclStartDate attribute is defaulted, it will pick the system date and convert it to GMT.
Oracle Internet Directory does not support the time portion of dates; if you explicitly specify a date, it will be interpreted as the date on 12:00 midnight in the GMT time zone.
The Oracle E-Business Suite database server runs in the local time zone, so dates are also in the local time zone.
When a user is provisioned from Oracle Internet Directory, the dates are converted to the local time zone.
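The four points above combine into a concrete failure mode: a date that is midnight GMT in Oracle Internet Directory becomes the previous evening once converted into a local time zone west of Greenwich, and a local-midnight date becomes the previous day in GMT for a zone east of it. The following added example (not code from the chapter or from Oracle) models only that conversion and truncation; it assumes a fixed UTC-5 offset for the E-Business Suite database server, purely so that it runs anywhere, and shows that a start or end date provisioned in either direction can shift by a day.

```python
from datetime import date, datetime, time, timedelta, timezone

# The E-Business Suite database runs in the server's local time zone. A fixed
# offset is used here so the example runs anywhere; in reality this is whatever
# zone the database server is in (assumption for the example: UTC-5).
LOCAL_TZ = timezone(timedelta(hours=-5))


def oid_date_as_instant(d: date) -> datetime:
    """Oracle Internet Directory interprets an explicit date as 00:00 GMT on that date."""
    return datetime.combine(d, time.min, tzinfo=timezone.utc)


def oid_to_ebs_date(d: date, local_tz=LOCAL_TZ) -> date:
    """Date the E-Business Suite side stores after converting the GMT instant to
    local time and keeping only the date portion (OID -> EBS provisioning)."""
    return oid_date_as_instant(d).astimezone(local_tz).date()


def ebs_to_oid_date(d: date, local_tz=LOCAL_TZ) -> date:
    """Date OID stores when a local-midnight date is converted to GMT and the
    time portion is dropped (EBS -> OID provisioning)."""
    local_midnight = datetime.combine(d, time.min, tzinfo=local_tz)
    return local_midnight.astimezone(timezone.utc).date()


def round_trip_shift_days(d: date, local_tz=LOCAL_TZ) -> int:
    """Days of drift after a date is provisioned EBS -> OID -> EBS."""
    return (oid_to_ebs_date(ebs_to_oid_date(d, local_tz), local_tz) - d).days


if __name__ == "__main__":
    end_date = date(2024, 3, 15)
    for label, tz in (("UTC-5", LOCAL_TZ), ("UTC+9", timezone(timedelta(hours=9)))):
        print(label,
              "OID", end_date, "-> EBS", oid_to_ebs_date(end_date, tz),
              "| EBS", end_date, "-> OID", ebs_to_oid_date(end_date, tz),
              "| round trip drift", round_trip_shift_days(end_date, tz), "day(s)")
```

For an account end date the practical effect is that the user loses access a day earlier than the administrator intended; for a start date, access begins a day early. Sites in zones far from GMT should set these dates with that offset in mind and check a sample of provisioned users after the first synchronization.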
It may be necessary to switch the user management master from Oracle Internet Directory back to Oracle E-Business Suite for specific users. Credentials for these users will need to be switched back to being authenticated by FND_USER for local authentication. Special procedures to do this are necessary, because the FND User form as well as the User Preferences screen will not allow you to change the password once it has been set to “EXTERNAL”.
To preserve the password and allow users to locally log in to Oracle E-Business Suite via AppsLocalLogin.jsp, follow these steps:
Ensure that the profile option ‘Applications SSO Login Types’ (APPS_SSO_LOCAL_LOGIN) is set to either ‘LOCAL’ or ‘BOTH’ for users to whom you want to keep the local access.
Use the AFPASSWD utility or FNDCPASS utility to reset the user’s password. The new password then needs to be emailed to the user.
For more information about the AFPASSWD and FNDCPASS utilities, refer to the Applications DBA Duties chapter of Oracle E-Business Suite System Administrator's Guide - Configuration.
The default nickname used for login is “uid”, which can be verified in the Oracle Internet Directory Delegated Administration Service Configuration screen, Attribute for Login Name field. “uid” corresponds to User Name in the Oracle Internet Directory Delegated Administration Service Create User screen.
Changing the nickname attribute is generally not recommended, but other unique attributes such as email address can be used in special circumstances. The E-Business Suite currently supports setting of the nickname (login attribute) to either uid or mail.
The attribute set as the nickname in Oracle Internet Directory is mapped to the FND_USER.USER_NAME column in the Oracle E-Business Suite database. If the nickname is changed in Oracle Internet Directory, the Oracle E-Business Suite database must be restarted to force a refresh of the cached value.
Customizable Directory Information Trees (DIT) and Relative Distinguished Names (RDN) are now supported for use with Oracle E-Business Suite single sign-on environments.
In previous releases of Single Sign-On and E-Business Suite integration, the Oracle Internet Directory DIT and RDN were required to be the default values, as shown below:
UserCreateBase and UserSearchBase: cn=Users,<realm>
User RDN: the attribute cn
In this example, users provisioned from the Oracle E-Business Suite to Oracle Internet Directory are created with the distinguished name: “cn=<username>,cn=Users,<realm>”.
With E-Business Suite support for custom DITs and configurable RDNs, the following parameters can be defined at realm level:
Name Attribute (NickNameAttribute)
UserCreateBase: one or more DN where the user entries are located
Attribute for RDN
UserSearchBase: in the hierarchical path for all defined UserCreateBases, this is the location to start searching for users of a given username
Caution: Implementing the Custom DIT feature in an existing infrastructure is not recommended, as it may result in data corruption. If there is such a need, contact Oracle Support for details of how to migrate existing data safely.
The Custom DIT feature should not be confused with Multiple Realm support.
Custom DIT Configuration Steps
The Custom DIT feature requires the following configuration steps within Oracle Internet Directory and Oracle E-Business Suite.
In Oracle Internet Directory (see Oracle Internet Directory Administration Guide for details):
Create the new DIT structure.
Optionally, configure the CommonNameAttribute to be used for the RDN (the default is cn).
Specify a single UserSearchBase where all UserCreateBases can be located.
Caution: The current implementation supports only one UserSearchBase. Using more than one may result in incorrect operation.
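Two things go wrong in practice with custom DITs: a UserCreateBase that does not sit under the single UserSearchBase (the caution above), so that users created there can never be found at login, and account names containing characters such as commas that are inserted into an RDN without escaping. The following added example, which is not Oracle's code and not part of the original chapter, builds a user DN from a user name, a configurable RDN attribute and a UserCreateBase using the RFC 4514 escaping rules, and checks a list of UserCreateBases against the UserSearchBase. The realm dc=example,dc=com and the example user names are hypothetical; DN comparison is deliberately simplified (case-insensitive, no hex escapes or multi-valued RDNs), which is enough for a configuration sanity check but not a general LDAP matching implementation.

```python
# Characters that RFC 4514 requires to be escaped inside an RDN attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in an RDN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(username, rdn_attr="cn", create_base="cn=Users,dc=example,dc=com"):
    """Build the DN a provisioned user entry gets under the given UserCreateBase.
    The defaults reproduce the classic cn=<username>,cn=Users,<realm> layout with
    a hypothetical realm dc=example,dc=com."""
    return f"{rdn_attr}={escape_rdn_value(username)},{create_base}"


def split_dn(dn: str):
    """Split a DN into its RDN strings without splitting on escaped commas."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def _normalize_rdn(rdn: str) -> str:
    # Simplified matching: attribute type and value compared case-insensitively.
    # Full LDAP matching rules (hex escapes, multi-valued RDNs) are not modelled.
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def is_under(dn: str, base: str) -> bool:
    """True when dn equals base or lies somewhere below it in the tree."""
    d = [_normalize_rdn(r) for r in split_dn(dn)]
    b = [_normalize_rdn(r) for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def uncovered_create_bases(user_search_base: str, user_create_bases):
    """UserCreateBases that the single UserSearchBase would never search, so
    users created there could not be located at login."""
    return [cb for cb in user_create_bases if not is_under(cb, user_search_base)]


if __name__ == "__main__":
    print(user_dn("Smith, John"))   # the comma in the RDN value is escaped
    print(user_dn("jsmith", "uid", "cn=new_repository,dc=us,dc=oracle,dc=com"))
    print(uncovered_create_bases("cn=Users,dc=example,dc=com",
                                 ["cn=emea,cn=Users,dc=example,dc=com",
                                  "ou=contractors,dc=example,dc=com"]))
```

Run uncovered_create_bases over the DIT you intend to register before calling fnd_oid_plug.setPlugin; any entry it returns must either be moved under the UserSearchBase or the UserSearchBase must be raised to a common ancestor.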
In Oracle E-Business Suite:
Register the E-Business instance with the desired deployment template. Note that this feature is only relevant for the deployments provisioning users from Oracle E-Business Suite to Oracle Internet Directory.
From SQL*Plus, call the API fnd_oid_plug.setplugin to configure the E-Business Suite for use with the new User Repository.
For example, from SQL*Plus:
SQL> exec fnd_oid_plug.setPlugin(default_user_repository => 'cn=new_repository,dc=us,dc=oracle,dc=com');
The Oracle Internet Directory configuration attributes are now stored in E-Business Suite preferences. For configuration changes in OID to be picked up by E-Business Suite, the above API will need to be rerun to get the new values.
Note: Additional parameters to this API will be supported in future releases.
Stop and restart the application tier processes
Now, when new users are created in E-Business Suite, they will also be created in the OID User Repository. This will have no impact on the propagation of users from OID to E-Business Suite. Note, however, that the same “user” cannot be created in multiple user repositories.
The logon process by which users are authorized to access Oracle E-Business Suite is significantly modified in an environment where Oracle Single Sign-On has been integrated. This section discusses the key changes, in particular the use of profile options.
In a standalone Oracle E-Business Suite environment, all users and system administrators connect via Oracle E-Business Suite’s AppsLogin page. This page redirects users to an Oracle E-Business Suite login page that authenticates their userid and password against the FND_USER table. Oracle E-Business Suite then determines the user’s authorization by looking up the application responsibilities against entries in the FND_USER table.
In an environment where Oracle E-Business Suite has been integrated with an external OracleAS 10g instance, Oracle Single Sign-On, and Oracle Internet Directory, the following key points apply:
End users connect to Oracle E-Business Suite via the AppsLogin page, which redirects them to the Oracle Single Sign-On login page. Oracle Single Sign-On authenticates the Oracle E-Business Suite user’s userid and password against Oracle Internet Directory, and redirects the user back to Oracle E-Business Suite, which then determines the user’s authorizations by looking up application responsibilities against entries in the Oracle E-Business Suite FND_USER table.
System administrators and other selected users connect to Oracle E-Business Suite via Oracle E-Business Suite’s AppsLocalLogin page, which authenticates their userid and password against the FND_USER table. Oracle E-Business Suite then determines the user’s authorizations by looking up application responsibilities against entries in the FND_USER table. Users in this special user population have their credentials authenticated “locally” in Oracle E-Business Suite instead of “externally” in Oracle Single Sign-On and Oracle Internet Directory.
The login process is controlled by a group of Oracle E-Business Suite profile options, which are described in more detail below.
The key components involved in the login process are as follows.
AppsLogin
<http://[host]:[port]/OA_HTML/AppsLogin.jsp>
The login route is determined by the profile option "Applications SSO Type" (APPS_SSO). If the Oracle E-Business Suite instance is integrated with Oracle Single Sign-On, this should be set to "SSWA w/SSO". The user is redirected to the SSO Server login page, and after entering his credentials (username and password), he is authenticated against the LDAP server.
AppsLocalLogin
<http://[host]:[port]/OA_HTML/AppsLocalLogin.jsp>
The login route is determined by the profile option "Applications SSO Type" (APPS_SSO). If this site level profile is set to “SSWA”, the user will be shown the local login page, and after entering his credentials (username and password), he is authenticated against the E-Business instance.
In Release 11i the login page could be “customized” using the local login mask profile option. In Release 12, this profile option is obsolete. The new login page is an Oracle Framework-based page, so Framework personalization is used to “personalize” the regions. Administrators can personalize the page by setting the profile FND_PERSONALIZATION_REGION_LINK_ENABLED to 'Yes'.
By default, all the regions on the login page are displayed. The following items may be personalized:
User Name
Password
Login button
Cancel button
Login Assistance Link
Register Here Link
Accessibility
Language Options
System Administrators can create custom login pages. The custom page will need to post to the servlet AuthenticateUser, which requires two attributes: username and password. Once the user is successfully authenticated, the servlet will redirect the user to a destination defined in requestUrl or the default APPSHOMEPAGE. If the authentication fails, the servlet will redirect the user to the login page with the error message in the parameter errCode.
To deploy a custom login page:
Place the new servlet in the OA_HTML directory.
Create a new function (FND_FORM_FUNCTION) - the web_html value of this function should be populated with file name of your new login page. The function code should begin with ‘APPS_LOGIN’.
Assign this function to the APPS_LOGIN_DEFAULT menu. As this menu is already granted to all users (including guest), the grant flag is not needed.
Update the profile option APPS_LOGIN_FUNCTION with new function name. The drop-down for this profile will query only function codes starting with APPS_LOGIN.
Note: In Oracle E-Business Suite Release 12, the Personal Home Page login (ICXINDEX.htm) is obsolete and has been replaced with AppsLocalLogin.jsp.
CRMLogin servlet and jtflogin.jsp
<http://[host]:[port]/oa_servlets/CRMLogin.jsp>
<http://[host]:[port]/OA_HTML/jtflogin.jsp>
There is a new recommended login flow for the CRM System Administrator Console. You can use the servlet CRMLogin to log in. The servlet checks whether your system is SSO-enabled, and directs you to the appropriate login page. The old login page, jtflogin.jsp, is still supported, but is only recommended in cases where jtflogin.jsp has been customized.
OAMLogin
http://[host]:[port]/servlets/weboam/oam/oamLogin
You will be prompted for the Oracle E-Business Suite user account and password. Log in to an account that has System Administrator and Self-Service System Administrator responsibilities. Upon successful login, the OAM Console will show the Oracle E-Business Suite system to which you have connected.
The login process is determined by a group of Oracle E-Business Suite profile options, which are divided into several categories and described below. The major components involved in the logon process are as follows.
The profiles described in this category are all related to the login and logout process.
Features of this profile (‘Applications SSO Type’, APPS_SSO):
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Defined by the lookup type ‘APPS_SSO_TYPE’
Has a default value of ‘SSWA’
This profile determines the overall user login and authentication experience, as follows:
Profile Value | Login Via | Authentication | User directory | Integration model | Requires | Home Page |
---|---|---|---|---|---|---|
SSWA w/SSO | SSO login page | SSO server | OID | EBS is partner application to Oracle SSO | SSO SDK installed into EBS instance | Set by APPLICATIONS_HOME_PAGE profile |
Portal w/SSO | SSO login page | SSO server | OID | EBS and Portal are partner applications to SSO | SSO SDK installed into EBS instance | Portal home page |
SSWA | EBS login page | EBS | FND_USER | N/A | N/A | Set by APPLICATIONS_HOME_PAGE profile |
Note: In the above table, EBS = Oracle E-Business Suite; OID = Oracle Internet Directory; SSO = Oracle Single Sign-On; SSWA = Self-Service Web Applications.
If Oracle Portal is not in use, this profile determines the default home page for the application, which is the first page a user sees after logging into Oracle E-Business Suite.
Features of this profile (APPLICATIONS_HOME_PAGE):
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Default value is ‘Framework only’
Possible values of this profile:
Profile Value | Description |
---|---|
Framework only | Navigate to the Oracle E-Business Suite Release 12 home page |
Personal Home Page | Navigate to the existing personal home page |
Personal Home Page with Framework | Navigate to the existing personal home page. Clicking any responsibility will show the Navigator component that is a part of the Oracle E-Business Suite Release 12 home page |
This profile specifies which login page is used to perform local access to Oracle E-Business Suite. When the ‘Applications SSO type’ profile is set to ‘SSWA’, the application login servlet (AppsLogin) will redirect a user to the login page specified by this profile.
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Default value is ‘AppsLocalLogin.jsp’
This profile is used to specify Portal-related settings.
Note: For further details of using Oracle Portal with Oracle E-Business Suite, see My Oracle Support Knowledge Document 380484.1, Using Oracle Portal 10g with Oracle E-Business Suite Release 12.
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Defines the portal entry page
This profile can be used to specify where the user should be redirected after logging out of the Oracle E-Business Suite instance. Profile changes take effect for newly created sessions only.
Features of this profile:
Available at site and user level
Default value is NULL
May be any valid URL
Note: Product groups may programmatically set the post-logout URL, overriding any site or user level profile settings.
The profile options described in this category control how Oracle E-Business Suite user accounts are linked to single sign-on accounts.
This profile determines whether Oracle E-Business Suite Release 12 will automatically link an authenticated single sign-on account to an application account of the same account name, without prompting the user for authentication information for the application account during login.
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Has possible values of:
‘Enabled’ – Allow auto link
‘Disabled’ – Do not allow auto link (the default)
‘Create User and Link’ - To create and link user on-demand
This profile indicates whether the Oracle E-Business Suite Release 12 instance should link a newly-created Oracle E-Business Suite user to an existing Oracle Internet Directory account with the same name.
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Has possible values of:
‘Enabled’ – Link users with the same user name
‘Disabled’ – Do not link users with the same user name
This profile indicates whether the Oracle E-Business Suite Release 12 instance allows linking of one Oracle Internet Directory user to multiple Oracle E-Business Suite user accounts.
Features of this profile (‘Applications SSO Allow Multiple Accounts’, APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS):
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Has possible values of:
'Y' – Allow multiple accounts to be linked
'N' – Do not allow multiple accounts to be linked (the default)
The ‘Link additional account’ operation uses this profile, which has the following implications:
If the APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS profile is set to ‘Y’, the ‘Add Account’ button will be shown on the ‘Single Sign-On Account Settings’ page (accessible from the ‘User Preferences’ page).
If the profile is set to the default value of ‘N’, the ‘Add Account’ button will not be shown, and the ‘Link account’ page will therefore not permit linking of multiple accounts.
The profile options in this category specify how passwords are managed in a Single Sign-On Oracle E-Business Suite environment.
Features of this profile (‘Applications SSO Login Types’, APPS_SSO_LOCAL_LOGIN):
Available at both site and user level (can be set for individual users)
Updatable only by system administrators
Determines whether a user’s password is managed:
Externally in Oracle Internet Directory
Locally in Oracle E-Business Suite
In both Oracle Internet Directory and Oracle E-Business Suite
Valid values are defined in the Lookup Type, ‘FND_SSO_LOCAL_LOGIN’:
'SSO' – Login is only allowed through Single Sign-On. The password is set to ‘EXTERNAL’ after a single sign-on account and an application account are linked.
'LOCAL' – Login is only allowed via Oracle E-Business Suite local login. Passwords must be retained in the Oracle E-Business Suite and the account cannot be linked to any Oracle Internet Directory user.
'BOTH' – Login can be through both single sign-on and Oracle E-Business Suite. Since changes to the Oracle E-Business Suite password can be synchronized to Oracle Internet Directory, but not vice versa, a user’s Single Sign-On password will not necessarily be synchronized with his Oracle E-Business Suite password.
The default site level value is ‘BOTH’. The user level values for ‘SYSADMIN’ and ‘GUEST’ accounts are set to ‘LOCAL’.
The ‘SYSADMIN’ and ‘GUEST’ user profile options should not be changed. The "SYSADMIN" user is a standard account that can only be used for local login, and cannot be used to log into Single Sign-On. Once a password is set to ‘EXTERNAL’ in Oracle E-Business Suite, it is no longer possible to use the original password to log in locally. For the password to be changed if the profile is updated to allow LOCAL access, the AFPASSWD utility or FNDCPASS utility will need to be run by a system administrator.
For more information about the AFPASSWD and FNDCPASS utilities, refer to the Applications DBA Duties chapter of Oracle E-Business Suite System Administrator's Guide - Configuration.
This profile stores the location of the page where Self-Service users can change their Oracle E-Business Suite password. The page specified should only allow the password to be changed by a user whose ‘APPS_SSO_LOCAL_LOGIN’ profile has the value of either ‘BOTH’ or ‘LOCAL’ (i.e. not ‘SSO’).
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Default value is ‘AppsChangePassword.jsp’
This profile points to the LDAP self-service user interface for password changes. When an Oracle E-Business Suite Self-Service change password page determines that a user’s password is stored in LDAP, it can redirect the user to the location stored in this profile.
For example, if the password is stored in Oracle Internet Directory, the change password page of Oracle Internet Directory’s Delegated Administration Service (DAS) may be specified:
http://<oid_host_name>[:<port>]/oiddas/ui/oracle/ldap/das/mypage/ChgPwdMyPage
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
The profile options in this category determine how provisioning (automatic updating of user accounts) is carried out on a Single Sign-On E-Business Suite environment.
This profile determines whether provisioning is enabled for a particular FND_USER account. User information associated with an FND_USER account will be provisioned with Oracle Internet Directory only if the APPS_SSO_LDAP_SYNC profile of the user is set to ‘Y’.
Features of this profile (APPS_SSO_LDAP_SYNC):
Available at site and user level (can be set for individual users)
System administrators can change setting at both site and user levels
End users can only change setting at user level (from ‘Account Setting’ page)
Default site level value is ‘Y’
User level values for ‘SYSADMIN’ and ‘GUEST’ accounts are set to ‘N’
The site level value is provided to obviate the need for every user to define a user level value, and has the following important characteristics:
Setting the site level value (to ‘Y’ or ‘N’) does not globally enable (or disable) provisioning.
Since provisioning with Oracle Internet Directory is the most common deployment scenario, this profile is shipped with a default site level value of ‘Y’.
For any user accounts that are not to be provisioned, this profile should be overridden with a user level value of ‘N’.
New users are provisioned between E-Business and Oracle Internet Directory (based on provisioning profile) regardless of this profile value. This profile only determines whether modifications to existing users are provisioned between E-Business and Oracle Internet Directory.
If an existing user’s APPS_SSO_LOCAL_LOGIN profile has ‘LOCAL’ value, the user modifications are NOT provisioned regardless of this profile value. Profile APPS_SSO_LOCAL_LOGIN has higher precedence than APPS_SSO_LDAP_SYNC at user level.
Linking a single enterprise user account to multiple Oracle E-Business Suite (FND_USER) user accounts can potentially have undesirable consequences, such as data from one application overwriting data from another. Therefore, after the first FND_USER account is linked, all accounts subsequently linked to the same enterprise account will have the APPS_SSO_LDAP_SYNC user level profile value set to ‘N’. Users who still wish to change the user level value of this profile can do so via the ‘Single Sign-On Account Settings’ page.
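The rules spread across the ‘Applications SSO Login Types’ and APPS_SSO_LDAP_SYNC descriptions, together with the earlier note that a password set to ‘EXTERNAL’ cannot be used locally until AFPASSWD or FNDCPASS has reset it, determine for each account whether local login works, whether single sign-on is allowed, and whether attribute changes are provisioned. The following added example (not Oracle's code and not part of the original chapter) encodes those rules as an audit over constructed FND_USER-like rows: a user name, the stored password marker, and the user level values of the two profiles with None meaning "fall back to the site value". The shipped site defaults (‘BOTH’ and ‘Y’) are taken from the text; the column name for the stored password and the sample users are assumptions for the example.

```python
# Site level values assumed for the example (the page gives BOTH and Y as the
# shipped defaults).
SITE_LOCAL_LOGIN = "BOTH"
SITE_LDAP_SYNC = "Y"

# Constructed rows: user name, stored password marker (a linked account's
# password is replaced by the keyword EXTERNAL; "<hash>" stands for any real
# hash) and the user level values of the two profiles, None meaning "no user
# level value, use the site value". Not real data.
SAMPLE_USERS = [
    {"user_name": "SYSADMIN", "password": "<hash>",   "local_login": "LOCAL", "ldap_sync": "N"},
    {"user_name": "GUEST",    "password": "<hash>",   "local_login": "LOCAL", "ldap_sync": "N"},
    {"user_name": "JSMITH",   "password": "EXTERNAL", "local_login": None,    "ldap_sync": None},  # normal linked user
    {"user_name": "AJONES",   "password": "EXTERNAL", "local_login": "LOCAL", "ldap_sync": "N"},   # switched back, no reset
    {"user_name": "MLEE",     "password": "<hash>",   "local_login": "SSO",   "ldap_sync": None},  # SSO-only but never linked
    {"user_name": "RKHAN",    "password": "<hash>",   "local_login": "LOCAL", "ldap_sync": "Y"},   # sync flag has no effect
]


def _effective(user, key, site_value):
    value = user.get(key)
    return site_value if value is None else value


def audit_user(user, site_local_login=SITE_LOCAL_LOGIN, site_ldap_sync=SITE_LDAP_SYNC):
    """Derive what the profile combination means for one account and flag
    combinations that need administrator action."""
    login = _effective(user, "local_login", site_local_login)
    sync = _effective(user, "ldap_sync", site_ldap_sync)
    external = user["password"] == "EXTERNAL"
    findings = []
    if login == "LOCAL" and external:
        findings.append("LOCAL login type but password is EXTERNAL: the user cannot "
                        "log in until an administrator resets it with AFPASSWD/FNDCPASS")
    if login == "SSO" and not external:
        findings.append("SSO-only login type but a local password is still stored: "
                        "the account has not been linked to an OID account")
    if login == "LOCAL" and sync == "Y":
        findings.append("APPS_SSO_LDAP_SYNC=Y is ignored because APPS_SSO_LOCAL_LOGIN=LOCAL "
                        "takes precedence; changes to this user are not provisioned")
    if user["user_name"] in ("SYSADMIN", "GUEST") and (login != "LOCAL" or sync != "N"):
        findings.append("SYSADMIN and GUEST must keep LOCAL login type and LDAP sync N")
    return {
        "user_name": user["user_name"],
        "local_login_possible": login in ("LOCAL", "BOTH") and not external,
        "sso_login_allowed": login in ("SSO", "BOTH"),
        "changes_provisioned": login != "LOCAL" and sync == "Y",
        "findings": findings,
    }


def users_needing_reset(users, site_local_login=SITE_LOCAL_LOGIN):
    """Accounts switched back to LOCAL that still carry EXTERNAL, so a password
    reset is required before local login works."""
    return sorted(u["user_name"] for u in users
                  if _effective(u, "local_login", site_local_login) == "LOCAL"
                  and u["password"] == "EXTERNAL")


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        r = audit_user(u)
        print(r["user_name"], "local:", r["local_login_possible"], "sso:", r["sso_login_allowed"],
              "provisioned:", r["changes_provisioned"])
        for f in r["findings"]:
            print("   !", f)
    print("needs AFPASSWD/FNDCPASS:", users_needing_reset(SAMPLE_USERS))
```

Feeding the audit with real rows (FND_USER joined to the user level profile values) is a quick way to find accounts that were moved back to local authentication without the password reset described earlier, and SSO-only accounts that have never been linked and therefore still hold a live local password.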
This profile determines whether users created in Oracle Internet Directory are automatically created in E-Business and subscribed to the given E-Business instance. You can enable this profile to allow the automatic subscriptions for users created in Oracle Internet Directory.
Features of this profile:
Available at site level only
System administrators can change setting at site level
Default site level value is ‘Disabled’
The site level value is provided to obviate the need for every user to define a user level value, and has the following important characteristics:
Since typically a number of users from different sources are created in Oracle Internet Directory every minute, this profile is shipped with a default site level value of ‘Disabled’.
When profile 'Applications SSO Enable OID Identity Add Event' value is ‘Enabled’, users created in OID are automatically 1) created in E-Business and 2) subscribed to the E-Business instance.
When profile 'Applications SSO Enable OID Identity Add Event' value is ‘Disabled’, users created in OID will not be automatically created in E-Business. They can be created in E-Business (and subscribed to it) only after provsubtool or the OIDDAS Edit Service Recipient page is used to subscribe existing users to the particular E-Business instance. See “Manual Subscription Management With Provsubtool” under Subscription Management for more details on provsubtool.
This profile is for Oracle internal use only.
This section describes how to configure an Oracle E-Business Suite Release 12 instance as a provisioning integrated application with Oracle Internet Directory release 10g. The goal is to keep user information synchronized between Oracle Internet Directory and Oracle E-Business Suite Release 12.
Bidirectional provisioning between Oracle E-Business Suite and Oracle Internet Directory is built around the Oracle Directory Integration Platform, as described further in the Oracle Internet Directory Release 10g Administrator’s Guide.
A key feature of this solution is the provisioning integration service, which enables automatic provisioning (updating between the systems) of account creation or changes of user attributes. The provisioning process between each Oracle E-Business Suite instance and Oracle Internet Directory is controlled by a provisioning profile.
When changes are made in Oracle Internet Directory that match an application's provisioning profile event subscription criteria, the Provisioning Integration Service is the agent that sends the relevant new data to that application. Going in the other direction, the Provisioning Integration Service filters changes coming from an application (according to the application’s provisioning profile’s permitted events criteria), and transmits applicable ones to Oracle Internet Directory.
One of the advantages of this solution is a high level of flexibility at deployment time, i.e. the provisioning profile is highly customizable. Configuration of the profile is carried out by either using the oidprovtool available in Oracle Application Server 10g, or by instantiating an LDIF template file that contains the requisite values for the particular deployment.
A number of sample template files are shipped with the Oracle E-Business Suite Single Sign-On Interoperability Patch.
Before a profile can be created, the relevant Oracle E-Business Suite instance must be registered with Oracle Internet Directory. This involves creating a unique application identity for the instance in Oracle Internet Directory.
Oracle E-Business Suite instances are created at the following location in the directory information tree (DIT): “cn=E-Business,cn=Products,cn=OracleContext,<Identity Management Realm>”
The created application identity (dn plus password) also needs to be stored in Oracle E-Business Suite. Note that the registered application identity and password can be used by the application administrator to connect to Oracle Internet Directory for certain tasks, such as querying the provisioned profile details between this application instance and Oracle Internet Directory.
CREATION, MODIFICATION, and DELETION events can be enabled or disabled individually. Four event types are currently used:
SUBSCRIPTION_ADD
IDENTITY_ADD
IDENTITY_MODIFY
IDENTITY_DELETE
Each of these is described below:
SUBSCRIPTION_ADD
This event is generated by either Oracle Internet Directory or Oracle E-Business Suite Release 12.
Oracle Internet Directory maintains a subscription list for each Oracle E-Business instance that has registered with Oracle Internet Directory. The subscription list maintains a list of all Single Sign-On user accounts that need to access the associated Oracle E-Business Suite instance.
Oracle Internet Directory and the associated Oracle E-Business Suite instance jointly maintain the accuracy of the subscription list.
When a Single Sign-On account is created in Oracle Internet Directory, and subsequently added to the subscription list of an Oracle E-Business Suite instance (see “Manual Subscription Management With Provsubtool” for how this is done), a SUBSCRIPTION_ADD event is generated in Oracle Internet Directory. If this event is enabled in the Oracle Internet Directory to Oracle E-Business Suite direction, a new application account will be created and linked to the single sign-on account.
When Oracle Internet Directory receives an IDENTITY_ADD event (see below) from an Oracle E-Business Suite instance, it adds the user to the subscription list of that Oracle E-Business Suite instance.
When Link-on-the-Fly is performed on an Oracle E-Business Suite Release 12 instance, the Oracle E-Business Suite instance will send a SUBSCRIPTION_ADD event to Oracle Internet Directory.
When an IDENTITY_MODIFY (see below) event is generated in Oracle Internet Directory, Oracle Internet Directory will check the subscription lists of all registered Oracle E-Business Suite Release 12 instances, and only send the event to an Oracle E-Business Release 12 instance if the modified user appears on its subscription list.
IDENTITY_ADD
This event is generated by either Oracle E-Business Suite or Oracle Internet Directory when a new user is created. If this event is enabled in the Oracle E-Business Suite to Oracle Internet Directory direction, then after Oracle Internet Directory receives this event, it will create an Oracle Single Sign-On account in Oracle Internet Directory and add the account to the subscription list of that Oracle E-Business Suite Release 12 instance. In the other direction, if this event is enabled from Oracle Internet Directory to E-Business Suite and the profile ‘Applications SSO Enable OID Identity Add Event’ is ‘Enabled’, it has the same effect as a SUBSCRIPTION_ADD event generated by Oracle Internet Directory.
IDENTITY_MODIFY
This event is generated by either Oracle Internet Directory or Oracle E-Business Suite when a user account is modified. If this event is enabled in either direction, the receiving system will apply the modification to the account on that system.
IDENTITY_DELETE
This event is generated by Oracle Internet Directory when an Oracle Single Sign-On account is deleted. If this event is enabled from the Oracle Internet Directory to Oracle E-Business Suite direction, after an Oracle E-Business Suite Release 12 instance receives this event, it will end-date the application account linked to the Oracle Single Sign-On account.
Provisioning Direction
Each event can be enabled in:
One direction:
From Oracle Internet Directory to Oracle E-Business Suite only
From Oracle E-Business Suite to Oracle Internet Directory only
Both directions:
From Oracle Internet Directory to Oracle E-Business Suite
From Oracle E-Business Suite to Oracle Internet Directory
Attribute List
For each direction, and each type of event, the list of provisioned attributes can be customized as required (removing an attribute from the attribute list disables sending that attribute). The “Supported Attributes” section lists the attributes currently supported for each direction, as well as the mapping between Oracle Internet Directory attributes and application table and column names.
Polling Interval
By default, Oracle Internet Directory sends out provisioning events every 60 seconds; this value can be increased or decreased by using oidprovtool, or by editing the orclodipprofileschedule attribute value in the provisioning template (see below). The polling interval should be set with caution; provisioning that is not frequent enough for site activity may have an impact on operations, while provisioning that is more frequent than necessary will result in needless network traffic.
Once the values of the configurable variables for a profile have been decided, there are two methods available to create the profile in Oracle Internet Directory. The first is oidProvTool (see Appendix A of the Oracle Internet Directory Administrator’s Guide Release 10g). This tool must be invoked in the Application Server Release 10g instance. The second option is to instantiate an LDIF template, which captures the configuration choices. The instantiated templates can then be loaded into Oracle Internet Directory using the ldapmodify command. This method can also be carried out on an Application Server 10g instance used by Oracle E-Business Suite. The template method is described in detail below.
Creating a Profile From a Provisioning Template
Creating the provisioning profile consists of the following steps:
Create a suitable template based on deployment choices. The sample templates shipped can be used as examples and starting points.
Instantiate the template with deployment specific values, to generate an LDIF file.
Load the LDIF file into Oracle Internet Directory.
Once the LDIF file is loaded, Oracle Internet Directory will start sending and polling provisioning events to and from the Oracle E-Business Suite instance for which the profile was created. It takes the provisioning service approximately two minutes to detect that a new profile has been added or an existing one has changed. The new or updated profile is then read by the service.
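As an added example of the instantiation step (not Oracle's tooling: the function names, the template excerpt and the deployment values are constructed here, and PACKAGE_NAME is left as a placeholder because the page does not name the interface package), the following Python fills the %NAME% placeholders of a template, strips the documentation comments so that ldapmodify receives plain LDIF, refuses to continue if any placeholder is unresolved, and writes the result owner-readable only because it carries the APPS database password:

```python
"""Instantiate an Oracle Internet Directory provisioning-profile template.

Added example (not Oracle's own tooling) for the "instantiate the template
with deployment specific values" step. Every %NAME% placeholder is filled
from a dictionary, the explanatory comments of the documented sample ('#'
lines and trailing ' -- ' remarks) are stripped so that ldapmodify sees
plain LDIF, and the output is rejected if any placeholder is left over.
"""
import os
import re
from typing import Dict, List, Tuple

_PLACEHOLDER = re.compile(r"%[A-Za-z_]+%")

# Constructed excerpt of the MAIN entry of the bidirectional template,
# using the same placeholder names as the documented sample.
SAMPLE_TEMPLATE = """\
# This section contains the MAIN profile entry.
#
dn: orclODIPProfileName=%s_GUID_IdentityRealm%_%s_GUID_Application%, cn=Provisioning Profiles, cn=Changelog Subscriber, cn=Oracle Internet Directory
changetype: add
orclodipprovisioningorgguid: %s_GUID_IdentityRealm% -- GUID of the realm DN.
orclodipprofileschedule: 60 -- Sets event propagation interval in seconds.
orclodipprofileinterfacename: %PACKAGE_NAME%
orclstatus: ENABLED
orclodipprofileinterfaceconnectinformation: %DBHOST%:%DBLSNRPORT%:%DBSID%:%DBUSER%:%DBPASSWORD%
orclodipprofileinterfacetype: PLSQL
orclodipprovisioningappname: %s_AppName%
orclodipprovisioningorgname: %s_IdentityRealmName%
orclodipprovisioningappguid: %s_GUID_Application%
objectclass: top
objectclass: orclODIPProvisioningIntegrationProfileV2
objectclass: orclODIPIntegrationProfile
"""

# Constructed deployment values; the GUIDs and connect details reuse the ones
# shown in this chapter's oidprovtool example. PACKAGE_NAME is a placeholder
# because the page does not name the interface package.
SAMPLE_VALUES = {
    "s_GUID_IdentityRealm": "EA3EFF8640819A51F0301990304E5D0B",
    "s_GUID_Application": "EA960F743D5D7552F0301990304E34B3",
    "PACKAGE_NAME": "PACKAGE_NAME_PLACEHOLDER",
    "DBHOST": "ebiz30qa",
    "DBLSNRPORT": "1521",
    "DBSID": "ebizqa",
    "DBUSER": "apps",
    "DBPASSWORD": "welcome2",
    "s_AppName": "ebizqa",
    "s_IdentityRealmName": "us",
}


def placeholders(text: str) -> List[str]:
    """Distinct %NAME% tokens in order of first appearance."""
    seen: List[str] = []
    for m in _PLACEHOLDER.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def instantiate(template: str, values: Dict[str, str]) -> str:
    """Return LDIF text with comments removed and placeholders filled."""
    def fill(m):
        name = m.group(0).strip("%")
        if name not in values:
            raise KeyError(f"no value supplied for placeholder %{name}%")
        return values[name]

    lines: List[str] = []
    for raw in template.splitlines():
        if raw.lstrip().startswith("#"):
            continue                                  # documentation comment line
        line = raw.split(" -- ", 1)[0].rstrip()       # trailing remark
        if line == "" and (not lines or lines[-1] == ""):
            continue                                  # keep single blank separators
        lines.append(_PLACEHOLDER.sub(fill, line))
    ldif = "\n".join(lines).rstrip("\n") + "\n"
    left = placeholders(ldif)                        # a value could itself hold %X%
    if left:
        raise ValueError(f"unresolved placeholders: {left}")
    return ldif


def connect_info(ldif: str) -> Tuple[str, ...]:
    """Split the host:port:sid:user:password connect string of the profile."""
    for line in ldif.splitlines():
        if line.lower().startswith("orclodipprofileinterfaceconnectinformation:"):
            parts = tuple(line.split(":", 1)[1].strip().split(":"))
            if len(parts) != 5:
                raise ValueError(f"connect info needs 5 fields, got {len(parts)}")
            return parts
    raise ValueError("profile has no interface connect information")


def write_ldif(path: str, ldif: str) -> int:
    """Write the file owner-readable only: it carries the APPS password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        return fh.write(ldif)
```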
The Oracle E-Business Suite Single Sign-On Consolidated Patchset includes four sample templates for creating provisioning profiles, based on the most common deployment scenarios:
ProvAppsToOID.tmp – Template for creating an Oracle E-Business Suite to Oracle Internet Directory (INBOUND) profile with CREATION, MODIFICATION, and DELETION events.
ProvOIDToApps.tmp – Template for creating an Oracle Internet Directory to Oracle E-Business Suite (OUTBOUND) profile with CREATION, MODIFICATION, and DELETION events.
ProvBiDirection.tmp – Template for creating a bidirectional (BOTH) provisioning profile with CREATION, MODIFICATION, and DELETION events.
ProvBiDiNoCreation.tmp – Template for creating a bidirectional profile, with MODIFICATION and DELETION events only.
To decide on the right template to use, an Oracle E-Business Suite administrator needs to determine the direction or directions of provisioning, and which provisioning events need to be enabled in each direction. The deployment scenarios discussed in this section may be used as a reference.
For example, if the Oracle E-Business Suite instance only needs to send events to Oracle Internet Directory, then an INBOUND provisioning profile should be created. If the Oracle E-Business Suite instance only needs to receive provisioning events from Oracle Internet Directory, then an OUTBOUND profile should be created.
If provisioning events may need to be sent in both directions, a bidirectional profile (BOTH) should be created.
Oracle recommends that the base provisioning profile templates provided with the E-Business Suite should be used if possible. Subject to available Oracle resources and expertise, Oracle will provide best-efforts support for customizations to the standard provisioning profile templates. Because of the difficulties inherent in reproducing all aspects of a particular customized environment, customers may wish to engage Oracle Consulting for assistance with specific customization requirements and issues. Customers needing additional functionality are invited to log enhancement requests for future releases of this integration.
Example Template File
To more easily illustrate the structure of a template file, and illustrate additional configuration options, the following template file for a bidirectional provisioning profile has had comments and additional white space added.
# This section contains the MAIN profile entry.
#
dn: orclODIPProfileName=%s_GUID_IdentityRealm%_%s_GUID_Application%, cn=Provisioning Profiles, cn=Changelog Subscriber, cn=Oracle Internet Directory
# -- DN of the main profile.
#
changetype: add
#
orclodipprovisioningorgguid: %s_GUID_IdentityRealm% -- GUID of the realm DN.
#
orclodipprofileexecgroupid: 0 -- For scalability issues. Not used
# -- by default.
#
orclodipprofileschedule: 60 -- Sets event propagation interval in
# -- seconds.
#
orclodipprofilemaxeventsperschedule: 100 -- Maximum number of events allowed in
# -- one schedule.
#
orclodipprofileinterfacename: %PACKAGE_NAME% -- Package in which the procedures are
# -- installed.
#
orclversion: 2.0 -- Internal identifier. DO NOT CHANGE.
#
orclstatus: ENABLED -- Used to temporarily enable or disable a profile.
#
orclodipprofileinterfaceconnectinformation: %DBHOST%:%DBLSNRPORT%:%DBSID%:%DBUSER%:%DBPASSWORD% -- Remote database
# -- connection information
#
orclodipprofileinterfacetype: PLSQL -- Interface type, always PLSQL.
orclodipprovisioningappname: %s_AppName% -- Application name of the
# -- Oracle E-Business Suite instance
#
orclodipprovisioningorgname: %s_IdentityRealmName% -- Realm name
#
orclodipprofilename: %s_GUID_IdentityRealm%_%s_GUID_Application% -- Profile name.
#
orclodipprofilemaxretries: 5 -- Maximum retries before giving up as failure.
#
orclodipprofilemaxerrors: 50 -- Maximum errors before giving up as failure.
#
orclodipprofiledebuglevel: 0 -- Specify level of tracing of this profile.
#
orclodipprofilemaxeventsperinvocation: 1 -- Not used at present.
#
orclodipprofileinterfaceversion: 2.0 -- Internal identifier. DO NOT CHANGE.
#
orclodipprovisioningappguid: %s_GUID_Application% -- GUID of the Oracle
# -- E-Business Suite Release 12
# -- application DN.
objectclass: top
objectclass: orclODIPProvisioningIntegrationProfileV2
objectclass: orclODIPIntegrationProfile
#
# The following section contains the INBOUND properties of the profile.
# It is a child of the MAIN profile entry.
#
# It is possible to selectively turn the INBOUND capability ON or OFF by modifying
# the "orclstatus" attribute of the INBOUND profile only.
#
# The attribute "orclodipprovisioningeventpermittedoperations" indicates the list of
# events allowed for this profile. If the Oracle E-Business Suite instance sends any
# other event, it will be rejected. This capability is used by the administrator to
# assign different privileges to the different Oracle E-Business Suite instances. For
# example, the profile of the HR instance might be given the privilege to accept
# IDENTITY_ADD/MODIFY/DELETE events, but the Financials instance might not be given
# these privileges. The administrator needs to decide the privileges needed by each
# Oracle E-Business Suite instance, and set up the profile accordingly.
#
# This attribute is meant for INBOUND Events only (multi-valued), and is used to
# define the types of EVENT an application is privileged to send to the Provisioning
# Integration Service.
#
# Format:
# Event_Object:Affected Domain:Operation(Attributes,...)
# Example (1) IDENTITY:cn=users,dc=acme,dc=com:ADD(*)
# This means that the IDENTITY_ADD event is allowed for the specified domain and all
# attributes are also allowed.
#
# Example (2) IDENTITY:cn=users,dc=acme,dc=com:MODIFY(cn,sn,mail,telephonenumber)
# This means that IDENTITY_MODIFY is allowed only for the attributes in the list.
# Any extra attributes will be silently ignored.
#
# The attribute "orclodipprovisioningeventmappingrules" is used to organize
# categories of Oracle Internet Directory user into separate containers, if this is
# required. Specifically, it maps the type of object received from an application
# with a qualifying filter condition, in order to determine the domain of interest
# for this event. It is a multi-valued attribute, for use with INBOUND events only.
#
# Format:
# OBJECT_TYPE:Filter condition:Domain Of Interest
# Multiple rules are allowed.
#
# Example 1
# FND::cn=users,dc=us,dc=oracle,dc=com
# This means that if the object type received is "FND", the event is meant for the
# domain "cn=users,dc=us,dc=oracle,dc=com".
#
# Example 2
# EMP:l=AMERICA:l=AMER,cn=users,dc=acme,dc=com
# This means that if the object type received is "EMP", and the event has the
# attribute l (locality) and its value is "AMERICA", the event is meant for the
# domain "l=AMER,cn=users,dc=acme,dc=com".
#
dn: cn=ApplicationToOID, orclODIPProfileName=%s_GUID_IdentityRealm%_%s_GUID_Application%,cn=Provisioning Profiles, cn=Changelog Subscriber, cn=Oracle Internet Directory
# -- DN of the INBOUND profile
changetype: add
orclodipprovisioningeventpermittedoperations: IDENTITY:%s_IdentityRealm%:ADD(cn,sn,mail,userpassword,description)
# -- Attributes allowed for IDENTITY_ADD event
#
orclodipprovisioningeventpermittedoperations: IDENTITY:%s_IdentityRealm%:MODIFY(cn,sn,mail,userpassword,description)
# -- Attributes allowed for IDENTITY_MODIFY event
#
orclodipprovisioningeventpermittedoperations: IDENTITY:%s_IdentityRealm%:DELETE
# -- IDENTITY_DELETE event
#
orclodipprovisioningeventpermittedoperations: SUBSCRIPTION:%s_IdentityRealm%:ADD(*)
# -- SUBSCRIPTION_ADD event
#
orclodipprovisioningeventpermittedoperations: SUBSCRIPTION:%s_IdentityRealm%:MODIFY(*)
# -- NOT USED
#
orclodipprovisioningeventpermittedoperations: SUBSCRIPTION:%s_IdentityRealm%:DELETE
# -- NOT USED
#
orclstatus: ENABLED -- Used to temporarily enable or disable the
# -- INBOUND profile.
#
objectclass: top
objectclass: orclODIPProvisioningIntegrationInBoundProfileV2
orclodipprofilelastappliedappeventid: 0
orclodipprovisioningeventmappingrules: FND::cn=users,%s_IdentityRealm%
orclodipprovisioningeventmappingrules: HR::cn=users,%s_IdentityRealm%
orclodipprovisioningeventmappingrules: TCA::cn=users,%s_IdentityRealm%
orclodipprovisioningappguid: %s_GUID_Application%
cn: ApplicationToOID
#
# The following section contains the OUTBOUND properties of the profile.
# Like the INBOUND section, it is a child of the MAIN profile entry.
#
# It is possible to selectively turn the OUTBOUND capability ON or OFF by modifying
# the "orclstatus" attribute of the OUTBOUND profile only.
#
# The attribute "orclodipprovisioningeventsubscription" lists the events and
# attributes for this profile. It is for use with multi-valued OUTBOUND events for
# which the DIP server should send notification to this application. Oracle Internet
# Directory will transfer only those events and attributes specified in the profile.
# This attribute is for use by the administrator.
#
# The format of this string is:
# "[USER|GROUP]:[<Domain of interest>]:[DELETE|ADD|MODIFY(<comma-separated list of
# attributes>)]"
#
# Multiple values may be specified by listing the parameter multiple times, each with
# a different value. There are no default values.
#
dn: cn=OIDToApplication, orclODIPProfileName=%s_GUID_IdentityRealm%_%s_GUID_Application%,cn=Provisioning Profiles, cn=Changelog Subscriber, cn=Oracle Internet Directory
# -- DN of the OUTBOUND profile
changetype: add
orclsubscriberdisable: 0
orclodipprovisioningeventsubscription: IDENTITY:%s_IdentityRealm%:ADD(cn,sn,mail,userpassword,description)
orclodipprovisioningeventsubscription: IDENTITY:%s_IdentityRealm%:MODIFY(cn,sn,mail,userpassword,description)
orclodipprovisioningeventsubscription: IDENTITY:%s_IdentityRealm%:DELETE
orclodipprovisioningeventsubscription: SUBSCRIPTION:%s_IdentityRealm%:ADD(*)
orclodipprovisioningeventsubscription: SUBSCRIPTION:%s_IdentityRealm%:MODIFY(*)
orclodipprovisioningeventsubscription: SUBSCRIPTION:%s_IdentityRealm%:DELETE
orcllastappliedchangenumber: %s_LastChange% -- Event number. All events up to this
# -- number have already been sent.
orclodipprovisioningappguid: %s_GUID_Application%
orclstatus: ENABLED
objectclass: top
objectclass: orclODIPProvisioningIntegrationOutBoundProfileV2
objectclass: orclChangeSubscriber
cn: OIDToApplication
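To make the permitted-operations and mapping-rule formats described in the INBOUND comments concrete, here is an added Python evaluator (not Oracle code: the class and function names, the realm dc=acme,dc=com and the sample events are constructed). It decides, for an event that an Oracle E-Business Suite instance sends to the Provisioning Integration Service, which domain of interest it maps to, whether this profile permits it, and which attributes are forwarded; treating the permitted domain as a subtree and taking the first matching mapping rule are assumptions of the example.

```python
"""Evaluate the INBOUND rules of a provisioning profile against events.

Added example, not Oracle code. It models the two multi-valued attributes
explained in the template comments:
  orclodipprovisioningeventpermittedoperations  Event_Object:Domain:Op(attrs)
  orclodipprovisioningeventmappingrules         OBJECT_TYPE:Filter:Domain
Assumptions of this example: the permitted domain covers its whole subtree,
and the first matching mapping rule wins.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_OP_RE = re.compile(r"^(?P<obj>[A-Za-z_]+):(?P<domain>[^:]*):(?P<op>ADD|MODIFY|DELETE)"
                    r"(?:\((?P<attrs>[^)]*)\))?$")


def _norm_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around RDN separators."""
    return ",".join(p.strip() for p in dn.strip().lower().split(","))


@dataclass(frozen=True)
class Permitted:
    obj: str                    # IDENTITY or SUBSCRIPTION
    domain: str                 # normalised DN the privilege applies to
    op: str                     # ADD, MODIFY or DELETE
    attrs: Optional[frozenset]  # None: every attribute ("*", or DELETE)


@dataclass(frozen=True)
class MappingRule:
    obj_type: str                      # FND, HR, TCA, EMP ...
    filt: Optional[Tuple[str, str]]    # (attribute, value) or None for no filter
    domain: str                        # normalised domain of interest


def parse_permitted(value: str) -> Permitted:
    m = _OP_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed permitted operation: {value!r}")
    raw = m.group("attrs")
    attrs = None if raw is None or raw.strip() == "*" else frozenset(
        a.strip().lower() for a in raw.split(",") if a.strip())
    return Permitted(m.group("obj").upper(), _norm_dn(m.group("domain")),
                     m.group("op").upper(), attrs)


def parse_mapping_rule(value: str) -> MappingRule:
    parts = value.strip().split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed mapping rule: {value!r}")
    obj_type, filt, domain = parts
    filt_t = None
    if filt.strip():
        attr, _, val = filt.partition("=")
        filt_t = (attr.strip().lower(), val.strip().lower())
    return MappingRule(obj_type.strip().upper(), filt_t, _norm_dn(domain))


def _in_subtree(dn: str, base: str) -> bool:
    return dn == base or dn.endswith("," + base)


def evaluate_inbound(permitted: List[Permitted], rules: List[MappingRule],
                     event_obj: str, app_obj_type: str, op: str,
                     attrs: Dict[str, str]):
    """Return (accepted, domain, forwarded_attrs, reason) for one event that
    an Oracle E-Business Suite instance sends to the DIP server."""
    attrs = {k.lower(): v for k, v in attrs.items()}
    # 1. Mapping rules: which domain of interest is the event meant for?
    domain = None
    for r in rules:
        if r.obj_type != app_obj_type.upper():
            continue
        if r.filt is None or str(attrs.get(r.filt[0], "")).lower() == r.filt[1]:
            domain = r.domain
            break
    if domain is None:
        return False, None, {}, f"no mapping rule for object type {app_obj_type}"
    # 2. Permitted operations: is this instance privileged to send the event?
    for p in permitted:
        if p.obj == event_obj.upper() and p.op == op.upper() and _in_subtree(domain, p.domain):
            if p.attrs is None:
                return True, domain, dict(attrs), "all attributes permitted"
            # Attributes outside the list are silently ignored (template comment)
            kept = {k: v for k, v in attrs.items() if k in p.attrs}
            dropped = sorted(set(attrs) - p.attrs)
            return True, domain, kept, f"ignored attributes: {dropped}" if dropped else "ok"
    return False, domain, {}, f"{event_obj}_{op} is not permitted for this profile"


# Constructed profile for realm dc=acme,dc=com, following the documented template.
PERMITTED = [parse_permitted(v) for v in (
    "IDENTITY:dc=acme,dc=com:ADD(cn,sn,mail,userpassword,description)",
    "IDENTITY:dc=acme,dc=com:MODIFY(cn,sn,mail,userpassword,description)",
    "IDENTITY:dc=acme,dc=com:DELETE",
    "SUBSCRIPTION:dc=acme,dc=com:ADD(*)",
)]
RULES = [parse_mapping_rule(v) for v in (
    "FND::cn=users,dc=acme,dc=com",
    "EMP:l=AMERICA:l=AMER,cn=users,dc=acme,dc=com",
)]
```

Running the evaluator over a profile that omits IDENTITY events for, say, a Financials instance shows directly which events that instance can no longer push into the directory.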
The monitoring and other administration tasks for the provisioning process are normally performed by Oracle Internet Directory system administrators. Refer to Oracle Internet Directory Release 10g Administrator’s Guide for more details.
Each of the following sections is denoted with OID (for topics related to OID) or EBS (for topics related to E-Business Suite).
The main DIP log file is $ORACLE_HOME/ldap/log/odisrv<instance number>.log. The <instance number> is a unique integer id (for example, 1) assigned by a system administrator via the instance parameter of the oidctl command line used to start the DIP server.
The provisioning profile logs are located in the $ORACLE_HOME/ldap/odi/log directory. Each log file name is of the form: <ApplicationName>_<RealmName>_[I/E].[trc/aud].
where:
I = INBOUND provisioning event (from Oracle E-Business Suite to Oracle Internet Directory)
E = OUTBOUND provisioning event (from Oracle Internet Directory to Oracle E-Business Suite)
.trc = Trace file, which grows until the file size is approximately 10MB. When the maximum file size is reached, the current trace file is backed up (and a timestamp appended) and a new trace file started. All old trace files are kept in the same directory.
.aud = Audit file, which records all the events from the time the profile was created and therefore grows continually. This file consequently needs to be archived periodically. The system administrator needs to institute a policy to back up and archive audit files. This will involve temporarily disabling the profile, archiving the audit file, then re-enabling the profile. If archiving is not required, the old audit file can simply be deleted.
Note: For more information, refer to Oracle Internet Directory Release 10g Administrator’s Guide.
Use the oidProvTool. Refer to the Oracle Internet Directory Administrator’s Guide, Release 10g for usage of this tool.
If any properties of the provisioning profile are to be changed, the following steps must be performed.
Delete the existing profile, using oidProvTool.
Use oidProvTool to create a new profile that suits the current requirements.
The DIP server may take approximately two minutes to detect changes to the provisioning profile entries, i.e. read the new profile configuration entry and then begin processing events based on the new configuration.
Customization of data synchronized between Oracle Internet Directory and the Oracle E-Business Suite can be achieved by creating custom Workflow Business Event Subscriptions.
The required steps are:
Create the procedure that creates or updates the desired attributes. See example code below.
Create a new subscription for the relevant Workflow Business Event. Listed below are the Business Events provided, and how they are used:
oracle.apps.global.user.change – this event is raised whenever a FND_USER is updated by any source.
oracle.apps.fnd.identity.add – this event is raised whenever the E-Business Suite instance receives an IDENTITY_ADD event from OID, i.e. when a new user is created in OID.
oracle.apps.fnd.identity.modify – this event is raised whenever the E-Business Suite instance receives an IDENTITY_MODIFY event from OID, i.e. when a user is updated in OID.
oracle.apps.fnd.identity.delete – this event is raised whenever the E-Business Suite instance receives an IDENTITY_DELETE event from OID, i.e. when a user is deleted from OID.
oracle.apps.fnd.subscription.add – this event is raised whenever the E-Business Suite instance receives a SUBSCRIPTION_ADD event from OID, i.e. when a user is added to the subscription list in OID.
oracle.apps.fnd.subscription.delete – this event is raised whenever the E-Business Suite instance receives a SUBSCRIPTION_DELETE event from OID, i.e. when a user is deleted from the subscription list in OID. Currently, this subscription does nothing in the E-Business Suite. Administrators may customize this behavior by adding their own subscriptions.
oracle.apps.fnd.ondemand.create – this event is raised when a user is created on demand from SSO.
create or replace package custom_update_user as
  function disable_fnd_user (p_subscription_guid in raw,
                             p_event in out nocopy wf_event_t)
    return varchar2;
end custom_update_user;
/

create or replace package body custom_update_user as
  -- Subscription rule function: when the change originated in OID and the
  -- directory account is already end-dated, disable the linked FND_USER.
  function disable_fnd_user (p_subscription_guid in raw,
                             p_event in out nocopy wf_event_t)
    return varchar2
  is
    l_event_key  varchar2(256);
    l_orcl_guid  fnd_user.user_guid%type;
    l_ent_type   varchar2(256);
    l_end_date   date;
  begin
    -- Only act on changes that originated in Oracle Internet Directory
    if (p_event.GetValueForParameter('CHANGE_SOURCE') = 'OID') then
      l_event_key := p_event.GetEventKey();
      l_ent_type  := wf_entity_mgr.get_entity_type(p_event.GetEventName());
      l_orcl_guid := wf_entity_mgr.get_attribute_value(l_ent_type, l_event_key, 'ORCLGUID');
      -- Implicit varchar2-to-date conversion; depends on the session NLS_DATE_FORMAT
      l_end_date  := wf_entity_mgr.get_attribute_value(l_ent_type, l_event_key, 'ORCLACTIVEENDDATE');
      if (l_end_date <= sysdate) then
        fnd_user_pkg.DisableUser(username => l_event_key);
      end if;
    end if;
    return (wf_rule.default_rule(p_subscription_guid, p_event));
  exception
    when others then
      return (wf_rule.error_rule(p_subscription_guid, p_event));
  end disable_fnd_user;
end custom_update_user;
/
Oracle Internet Directory provisioning events are processed in the E-Business Suite using Workflow Business Events. The Workflow Business Events have subscriptions that are enabled by default; disabling one changes the default behavior. The event subscriptions that an administrator may want to disable are:
Event: oracle.apps.fnd.identity.add Subscription: assign_def_resp
This event subscription will add the default responsibility “Preferences” when provisioning a new user from Oracle Internet Directory to Oracle E-Business Suite.
Event: oracle.apps.fnd.identity.add Subscription: hz_identity_add
This event subscription will create TCA records when provisioning a new user from Oracle Internet Directory to Oracle E-Business Suite.
Event: oracle.apps.fnd.identity.modify Subscription: hz_identity_modify
This event subscription will modify TCA records when updates are made to a user in Oracle Internet Directory.
Data is synchronized between Oracle Internet Directory and E-Business Suite using a Workflow attribute cache. The data resides in this table until manually removed by the System Administrator. It is recommended that the API WF_ENTITY_MGR.FLUSH_CACHE be executed periodically to remove obsolete data. This API deletes cached records that match the specified entity information. When passing a specific entity_type (for example, ‘USER’), the specific entity_key_value should also be passed. The special entity_type “*ALL*” will truncate the entire table.
Parameters for procedure wf_entity_mgr.flush_cache
Name | Type | Direction | Default | Description
---|---|---|---|---
p_entity_type | varchar2 | In | Null | Entity type to be deleted, for example ‘USER’
p_entity_key_value | varchar2 | In | Null | Entity value to be deleted, for example ‘SCOTT’
The APPS database account password is used to register a provisioning profile in Oracle Internet Directory for a specific Oracle E-Business Suite instance. If the APPS database account password for that instance is changed using the AFPASSWD utility or FNDCPASS utility, the Oracle Internet Directory provisioning profile must be updated with the new information. This can be done by running the Oracle Internet Directory oidprovtool command-line utility.
For more information about the AFPASSWD and FNDCPASS utilities, refer to the Applications DBA Duties chapter of Oracle E-Business Suite System Administrator's Guide - Configuration.
The command syntax for this tool is:
oidprovtool operation=modify \
  ldap_host=<OID Server hostname> ldap_port=<OID Server Port> \
  ldap_user_dn="cn=orcladmin" ldap_user_password=<orcladmin Password> \
  application_dn="<The LDAP distinguished name of the application>" \
  interface_connect_info=<E-Business Suite connect info of the format host:port:Sid:username:password>
For example:
oidprovtool operation=modify \
  ldap_host=infra30qa ldap_port=3060 \
  ldap_user_dn="cn=orcladmin" ldap_user_password=welcome1 \
  application_dn="orclApplicationCommonName=ebizqa,cn=EBusiness,cn=Products,cn=OracleContext,dc=us,dc=oracle,dc=com" \
  interface_connect_info=ebiz30qa:1521:ebizqa:apps:welcome2
Example output:
orclODIPProfileName=EA3EFF8640819A51F0301990304E5D0B_EA960F743D5D7552F0301990304E34B3, cn=Provisioning Profiles, cn=Changelog Subscriber,cn=Oracle Internet Directory
The Provisioning Profile for the Application has been modified.
For further details about the oidprovtool utility, see: Oracle Internet Directory Administrator's Guide 10g, Appendix A.
Depending on how your E-Business Suite Single Sign-On profile options have been configured, it may be necessary to manage subscriptions for some of your users manually.
The Oracle Internet Directory provsubtool command-line utility is used to manage application-specific subscription lists in Oracle Internet Directory. The tool can be used by the application administrator or the Identity Management Realm administrator (such as orcladmin).
If you do not have execute permission on the tool shipped as $ORACLE_HOME/ldap/odi/bin/provsubtool.orc, copy the file to $ORACLE_HOME/bin or another suitable location for which you have both write and execute permissions.
Specific uses of this tool are to:
Add or remove users from application-specific subscription lists in bulk mode or batch mode.
Add users to the application-specific subscription lists when ‘Applications SSO Enable OID Identity Add Event’ profile value is ‘Disabled’. This profile controls the automatic subscription for users created in Oracle Internet Directory.
List the memberships of a particular subscription list for an application.
Read from a file of a list of simple user login names (nickname attribute values) or user DNs and add or remove them from the appropriate subscription list as specified.
Parameter Name | Required or Optional | Default Value | Parameter Description
---|---|---|---
LDAP_HOST | Optional | Local host | LDAP server host
LDAP_PORT | Optional | 389 | LDAP server port
APP_DN | Required | None | Application Identity DN, for example: orclapplicationcommonname=Financials,cn=EBusiness,cn=Products,cn=OracleContext,<Identity Realm>
APP_PWD | Required | None | Application DN password
REALM_DN | Required | None | DN of the Identity Management Realm, for example: dc=ganseycorp,dc=com
LIST_NAME | Optional | ACCOUNTS | The subscription list name. By default, ACCOUNTS is created for Oracle E-Business Suite instances.
OPERATION | Required | None | ADD, REMOVE, LIST. The LIST option will list all the current members of the subscription list.
FILE_NAME | Optional | members.lst | File containing the user list, either as simple names or DNs
FILE_TYPE | Optional | 0 | 0 = simple names; 1 = DNs
LOG_FILE | Optional | report.log | Output log file. The output from the command is written to the file specified by the “LOG_FILE” parameter. If no filename is specified, the default of report.log is used.
DEBUG | Optional | 0 | Debugging on/off (0 or 1)
MAX_ERRORS | Optional | 1000 | Abort the operation after this number of errors has occurred. If the number of errors exceeds the value specified by the “MAX_ERRORS” parameter (during a bulk operation when trying to add many users together in a batch), the command will fail.
Consider a Financials E-Business Suite instance registered in Oracle Internet Directory as orclapplicationcommonname=Financials,cn=EBusiness,cn=Products,cn=OracleContext,<Identity Realm>, in the Identity Management realm dc=ganseycorp,dc=com.
To add a user whose nickname is "john.smith" to the default subscription list "ACCOUNTS", you would add the line "john.smith" (without the quotes) to an input file, in this case with the default name of members.lst, and then execute the command:
provsubtool ldap_host=LDAP_HOST ldap_port=LDAP_PORT \ app_dn="orclapplicationcommonname=Financials,cn=EBusiness,\ cn=Products,cn=OracleContext,dc=ganseycorp,dc=com" \ realm_dn=”dc=ganseycorp,dc=com” list_name=ACCOUNTS \ operation=ADD \ file_name=members.lst file_type=0 \ app_pwd=tea4two
To remove a user, you would follow the same procedure, simply substituting the operation REMOVE for the operation ADD:
provsubtool ldap_host=LDAP_HOST ldap_port=LDAP_PORT \
  app_dn="orclapplicationcommonname=Financials,cn=EBusiness,cn=Products,cn=OracleContext,dc=ganseycorp,dc=com" \
  realm_dn="dc=ganseycorp,dc=com" list_name=ACCOUNTS \
  operation=REMOVE \
  file_name=members.lst file_type=0 \
  app_pwd=tea4two
The Oracle E-Business Suite Release 12 user migration utilities include:
A tool (AppsUserExport) to export existing application accounts from Oracle E-Business Suite Release 12 into an intermediate LDIF file. This tool is invoked from the command line.
A tool (LDAPUserImport) to read an LDIF file, create new Oracle E-Business Suite application accounts as needed, and import the data. This tool is invoked from the command line. LDAPUserImport is provided for bulk migration of existing Oracle Internet Directory accounts into Oracle E-Business Suite Release 12.
See below for details of the migration process between Oracle E-Business Suite Release 12 and Oracle Internet Directory, and the usage of these tools.
An Oracle E-Business Suite administrator can use AppsUserExport to export a selected set of application accounts from the Oracle E-Business Suite native user directory (FND_USER) into an intermediate LDIF file. An Oracle Internet Directory administrator then uses the Oracle Internet Directory ldifmigrator utility to convert this intermediate LDIF file into a final LDIF file, based on Oracle Internet Directory deployment choices. The Oracle Internet Directory administrator then loads the final LDIF file into Oracle Internet Directory using the bulkload utility. In OID 10g (10.1.4.0.1), the bulk tools were rewritten as C executables, replacing the shell scripts employed in previous releases.
The migration process and intermediate LDIF format are explained further in the section Migrating Data from Other Directories in Oracle Internet Directory Administrator's Guide, Release 10g. In addition, usage of the ldifmigrator tool is described in Oracle Identity Management User Reference, Release 10g.
The next section focuses on application-specific tasks.
Task 1: Exporting Application Accounts into Intermediate LDIF File
Determine which accounts to migrate
Having determined which accounts to export, the application administrator can then specify whether an account is migrated by utilizing the following profiles:
Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) – An account will not be migrated if the user level profile value of the account is ‘LOCAL’, i.e. the account is a local account.
Applications SSO LDAP Synchronization (APPS_SSO_LDAP_SYNC) – An account will not be migrated if the user level profile value of the account is ‘N’, i.e. the account is marked to not synchronize with Oracle Internet Directory.
Oracle E-Business Suite ships a number of standard accounts, such as SYSADMIN and GUEST. These accounts should not be migrated. To enforce this, the SYSADMIN and GUEST accounts are pre-seeded with Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN) set to ‘LOCAL’ and Applications SSO LDAP Synchronization (APPS_SSO_LDAP_SYNC) set to ‘N’. Administrators should check whether there are any additional accounts that should not be migrated, especially accounts with user_id less than 10 (you can check with the query select user_name from FND_USER where user_id < 10). These standard accounts can only be used for local login, and cannot be used to log in via Single Sign-On.
Use AppsUserExport to extract user information
Use the AppsUserExport tool to extract application user information into an intermediate LDIF file. This tool is invoked from the command line.
Note: The list of attributes migrated to Oracle Internet Directory from the E-Business Suite is currently limited to those listed in “Supported Attributes”.
To invoke the AppsUserExport tool, ensure your environment is set up correctly, and use the following syntax. Note that all parameters can if desired be entered on the same command line; they are shown here on different lines (using the UNIX ‘\’ continuation character) for clarity.
java oracle.apps.fnd.oid.AppsUserExport \
  [-v] -dbc <dbcfile> \
  -o <outputfile> \
  -pwd <apps schema pwd> \
  -g [-l <logfile>]
where:
[-v] - Run in verbose mode
<dbcfile> - Full path to the dbcfile
<outputfile> - Intermediate LDIF file
<apps schema pwd> - Apps schema password
-g - Create and copy users GUIDs to OID
<logfile> - Log file (default is <outputfile>.log)
For example:
java oracle.apps.fnd.oid.AppsUserExport \
  -v \
  -dbc $FND_SECURE/myebiz.dbc \
  -o users.txt \
  -pwd welcome \
  -g \
  -l users.log
Warning: The resulting data file and log file may contain confidential information, such as the start and end dates for a user’s account, and should therefore be secured appropriately.
Task 2: Converting Intermediate LDIF File to Final LDIF File
Before loading data into Oracle Internet Directory, the Oracle Internet Directory administrator needs to ensure that:
The extracted data file is copied from the Oracle E-Business Suite instance to Oracle Internet Directory.
If the provisioning profile has been set up for the Oracle E-Business Suite instance and the profile mode is either OUTBOUND or BOTH (i.e. you have enabled any provisioning events from Oracle Internet Directory to Oracle E-Business Suite), the profile will need to be temporarily disabled during the migration process.
To convert the intermediate LDIF file to the final LDIF format:
The intermediate LDIF file created by AppsUserExport has two variables that an Oracle Internet Directory administrator needs to instantiate using the Oracle Internet Directory ldifmigrator utility:
s_UserContainerDN – DN of the entry under which all users are added, for example cn=users,dc=us,dc=oracle,dc=com.
s_UserNicknameAttribute – The nickname attribute used for user entries in the subscriber, for example uid.
For example:
ldifmigrator "input_file=data.txt" \
  "output_file=data.ldif" \
  "s_UserContainerDN=cn=users,dc=us,dc=oracle,dc=com" \
  "s_UserNicknameAttribute=uid"
Important: Note that the variable names above are case sensitive.
If you encounter problems running any of the Oracle Internet Directory command line tools such as oidprovtool or ldapsearch, refer to the Oracle Internet Directory Administrator's Guide for more information.
Task 3: Loading Final LDIF file into Oracle Internet Directory
Once the final LDIF file has been generated, the user data is ready to be loaded into Oracle Internet Directory using the Oracle Internet Directory bulkload tool. This section describes the minimum command-line options required to perform this task; note that additional options exist for more advanced requirements.
Note: For further details, see the section Using Bulk Tools in Oracle Internet Directory Administrator's Guide, Release 10g.
Before performing a bulk load:
Use oidprovtool with operation=DISABLE to disable the profile before the migration is started. For example:
oidprovtool operation=disable \
  ldap_host=beta.ganseycorp.com \
  ldap_port=3060 \
  ldap_user_dn=cn=orcladmin \
  ldap_user_password=l1ghth0use \
  application_dn="orclApplicationCommonName=beta,cn=EBusiness,cn=Products,cn=OracleContext,dc=us,dc=ganseycorp,dc=com" \
  profile_mode=BOTH
Important: Do not add spaces after any of the commas in the application_dn parameter.
Before using the bulkload utility to load the LDIF file, stop all OID processes by running the command:
$ORACLE_HOME/opmn/bin/opmnctl stopall
Note the OID password, which should be the same as the instance and orcladmin passwords. You will be prompted for this when running the utility.
If the OID processes were started manually, using either the oidmon command or the oidctl command, use the applicable manual step below to confirm that the processes have stopped:
On UNIX, run the command $ORACLE_HOME/ldap/bin/ldapcheck.
On Windows, use Task Manager to view and if necessary stop the processes.
You must ensure that no OID processes are running before continuing with the bulkload command. If any other OID processes such as odisrv are still running, stop them manually using the command:
oidctl connect=<SID> server=<servername> instance=<#> stop
The user namespaces contained in an LDIF file that is to be bulk loaded must be unique and non-overlapping. When bulk loading users into OID, the potential for collisions (duplicate users) exists. Collisions can result when integrating multiple sources into a single OID instance, or by running the bulkload utility more than once for the same LDIF file. As collisions can lead to numerous problems, you should follow the steps below to ensure that they do not occur:
1. Run the bulkload utility with the check and generate options to verify that there are no duplicate users. For example:
bulkload connect=<connect string> check=true generate=true file=<full path to LDIF file>
2. Check the log file for duplicate users.
3. If the log file indicates duplicate users, manually remove these users from the LDIF file.
4. Rerun Step 1 to verify that all duplicates have been successfully removed.
5. Once all duplicates are removed, run the bulkload utility with the load option to load the users. For example:
bulkload connect=<connect string> load=true file=<full path to LDIF file>
Note: For further details of the bulkload utility, see the relevant version of Oracle Internet Directory Administrator's Guide 10g. The above examples are for OID 10.1.4.
Importing Multiple LDIF Files
It is possible to use bulkload to import multiple LDIF files. The most common scenario is one in which multiple LDIF files are generated from different Oracle E-Business Suite instances. Consolidating user information from each Oracle E-Business Suite instance into a single Oracle Internet Directory can reduce the administrative overhead of managing multiple user repositories.
The user namespaces from each Oracle E-Business Suite instance’s LDIF file must be unique and non-overlapping. For example, if username "John.Brown" exists in the LDIF file to be imported from Oracle E-Business Suite instance A, it must not exist in the LDIF file to be imported from Oracle E-Business Suite instance B. If these usernames do not correspond to the same user, then the username should be updated in Oracle E-Business Suite instance B. This will both distinguish between the two users and eliminate the duplication. Otherwise, the username must be removed from the LDIF file from instance B.
Once the LDIF file for Oracle E-Business Suite instance A has been bulk loaded into OID, then the procedure should be done for the LDIF file for Oracle E-Business Suite instance B. By removing the duplicate users from the LDIF file, only the unique users from Oracle E-Business Suite instance B should bulk-loaded into OID. If a third Oracle E-Business Suite instance is to be bulk-loaded, the same procedure should be carried out: after removing the duplicate users from the LDIF file, only the users unique to Oracle E-Business Suite instance C will be bulk-loaded into OID.
Using ldapadd instead of bulkload
For small amounts of data, you may use the ldapadd tool instead of the bulkload tool. For example:
ldapadd -h <ldaphost> -p <ldapport> -D "cn=orcladmin" -w <password> -f data.ldif -v
The main practical difference between these two tools is that bulkload is optimized for rapid processing of large numbers (possibly hundreds of thousands) of userid changes, whereas ldapadd is intended for making a small number of changes one by one.
For further details about using ldapadd, see Oracle Internet Directory Administrator's Guide, Release 10g.
Sample Intermediate LDIF File
The following sample is an excerpt from an intermediate LDIF file:
# user name = 001
dn:: Y249MDAxLCAlc19Vc2VyQ29udGFpbmVyRE4l
sn:: MDAx
%s_UserNicknameAttribute%:: MDAx
description:: VGVzdGluZyBPSUQgc3luYw==
mail:: MDAxQG9yYWNsZS5jb20=
facsimileTelephoneNumber:: NjUwLTU1NS0xMTEx
orclActiveStartDate: 2003040316242131
orclIsEnabled: ENABLED
userPassword: {MD5}IB8AtcpdZaHBGOXjJDFRTA==
orclGuid: B9A5009B1603A500E030028A9F9E7C98
objectClass: inetOrgPerson
objectClass: orclUserV2
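The two steps that act on this intermediate file, the ldifmigrator instantiation of s_UserContainerDN and s_UserNicknameAttribute (Task 2) and the duplicate-user check that precedes bulkload load=true (Task 3), worked through as an added Python example; this is not Oracle's ldifmigrator or bulkload code. It parses a constructed excerpt in the format shown above, substitutes the %s_...% placeholders (their exact substitution rules inside ldifmigrator are assumed) and reports nicknames that would collide when loaded.

```python
"""Added example, not Oracle's ldifmigrator or bulkload: instantiate the s_*
variables of an intermediate LDIF file and check for nickname collisions."""
import base64
import re

# Constructed excerpt in the page's intermediate format. Entry 001 carries its
# placeholders inside base64 values; the last two entries collide on nickname.
SAMPLE_INTERMEDIATE_LDIF = """\
# user name = 001
dn:: Y249MDAxLCAlc19Vc2VyQ29udGFpbmVyRE4l
sn:: MDAx
%s_UserNicknameAttribute%:: MDAx
mail:: MDAxQG9yYWNsZS5jb20=
orclIsEnabled: ENABLED
objectClass: inetOrgPerson
objectClass: orclUserV2

# user name = john.brown (exported from instance A)
dn: cn=john.brown,%s_UserContainerDN%
sn: Brown
%s_UserNicknameAttribute%: john.brown
objectClass: inetOrgPerson
objectClass: orclUserV2

# user name = John.Brown (exported from instance B, same person as above)
dn: cn=John.Brown,%s_UserContainerDN%
sn: Brown
%s_UserNicknameAttribute%: John.Brown
objectClass: inetOrgPerson
objectClass: orclUserV2
"""
PLACEHOLDER = re.compile(r"%(s_\w+)%")
# RFC 2849 SAFE-STRING: printable ASCII not starting with space, ':' or '<'
SAFE_STRING = re.compile(r"^[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*$")


def parse_ldif(text):
    """Return entries as lists of (attribute, value) pairs: '::' values are
    base64-decoded, folded lines (leading space) joined, '#' lines skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = []
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.append((attr.strip(), value))
    return entries

def instantiate(entries, variables):
    """Substitute %s_Name% in attribute names and values, as ldifmigrator does
    for s_UserContainerDN and s_UserNicknameAttribute. An unsupplied variable
    raises KeyError instead of leaving a placeholder in the final LDIF."""
    def fill(text):
        return PLACEHOLDER.sub(lambda m: variables[m.group(1)], text)
    return [[(fill(a), fill(v)) for a, v in entry] for entry in entries]

def find_duplicate_nicknames(entries, nickname_attr="uid"):
    """Nickname values present in more than one entry. The nickname attribute
    is matched case-insensitively, so John.Brown collides with john.brown."""
    seen = {}
    for entry in entries:
        for attr, value in entry:
            if attr.lower() == nickname_attr.lower():
                seen.setdefault(value.lower(), []).append(value)
    return [values[0] for values in seen.values() if len(values) > 1]

def render_ldif(entries):
    """Serialise entries, base64-encoding values that are not safe strings."""
    out = []
    for entry in entries:
        for attr, value in entry:
            if SAFE_STRING.match(value):
                out.append(f"{attr}: {value}")
            else:
                out.append(f"{attr}:: {base64.b64encode(value.encode()).decode()}")
        out.append("")
    return "\n".join(out)

def migrate(text, container_dn, nickname_attr):
    """Parse, instantiate and render; also return the duplicate nicknames that
    must be removed before bulkload is run with load=true."""
    entries = instantiate(parse_ldif(text), {"s_UserContainerDN": container_dn,
                                             "s_UserNicknameAttribute": nickname_attr})
    return render_ldif(entries), find_duplicate_nicknames(entries, nickname_attr)
```

A non-empty duplicate list from migrate() is the condition under which the procedure above says to edit the LDIF file and rerun the check before loading.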
Password Restrictions and Bulk Loading
Passwords stored in Oracle Internet Directory are case-sensitive. Mixed-case passwords in Oracle E-Business Suite are migrated with the case preserved.
The passwords in the LDIF file are encrypted using the MD5 hashing method. If errors occur while importing the LDIF file into OID, check the hashing method used by OID. If it is not MD5, use ODM to reset the import hashing method to MD5 and try importing the LDIF file again.
When you export users from Oracle E-Business Suite and create an LDIF file, the passwords are encrypted and so the bulk loader cannot verify if they follow OID password policy. Therefore, the password policy cannot be enforced when such users are bulk-loaded into Oracle Internet Directory.
Task 4: Update lastchangenumber and Restart OID Processes
1. Start all OID processes
$ORACLE_HOME/opmn/bin/opmnctl startall
2. Update the lastchangenumber attribute of the profile.
First, find the current last change number in Oracle Internet Directory with the ldapsearch command:
$ORACLE_HOME/bin/ldapsearch -h <host> -p <port> -D <bindDN> \
  -w <bindDN pwd> -s base -b "" "objectclass=*" \
  lastchangenumber
Next, use the oidprovtool command to update the lastchangenumber attribute to the number n that was discovered in the last step:
oidprovtool operation=MODIFY \
  ldap_host=<ldap_host> \
  ldap_port=<ldap_port> \
  ldap_user_dn=<user to connect to LDAP> \
  ldap_user_password=<user password> \
  application_dn=<dn of the registered app for which the profile is modified> \
  orclLastAppliedChangeNumber=<n>
For example:
oidprovtool operation=MODIFY \
  ldap_host=beta.ganseycorp.com \
  ldap_port=3060 \
  ldap_user_dn=cn=orcladmin \
  ldap_user_password=l1ghth0use \
  application_dn="orclApplicationCommonName=beta,cn=EBusiness,cn=Products,cn=OracleContext,dc=ganseycorp,dc=com" \
  orclLastAppliedChangeNumber=100
3. Use oidprovtool with operation=ENABLE to enable the profile again.
Task 5: Create Subscriptions for Bulkloaded Users
The bulkload tool does not automatically subscribe users to the parent Oracle E-Business Suite instance. To create the subscriptions for your bulkloaded users, run the following SQL statement on your Oracle E-Business Suite database:
select user_name from FND_USER where FND_profile.VALUE_SPECIFIC('APPS_SSO_LOCAL_LOGIN', user_id)<>'LOCAL' and FND_profile.VALUE_SPECIFIC('APPS_SSO_LDAP_SYNC', user_id)='Y'
You can save the results of this query in a text file using your SQL client's capabilities. For example, in SQL Navigator you can save results in a delimited file with a .lst extension, using "<none>" as the quote character. See the section “Manual Subscription Management With Provsubtool” for details on how to run provsubtool to add these users to the subscription list.
The LDAPUserImport command-line utility takes an LDIF file generated from Oracle Internet Directory, and inserts appropriate data into the Oracle E-Business Suite schema. It can be used for bulk migration of existing accounts from Oracle Internet Directory to Oracle E-Business Suite. LDAPUserImport updates both FND and TCA schema.
Warning: Importing user accounts and related information into Oracle E-Business Suite is a resource-intensive operation that may take a significant amount of time, as large amounts of business events and DML statements are issued in the process.
Task 1: Export Oracle Internet Directory users into LDIF file Using ldifwrite
The Oracle Internet Directory ldifwrite command-line utility is used to create an LDIF file that can be loaded into the Oracle E-Business Suite schema via the LDAPUserImport command-line utility.
Syntax and usage details for ldifwrite are described in Oracle Internet Directory Administrator's Guide, Release 10g.
General syntax of the command is:
ldifwrite -c <db connect string> -b <base dn> -f <LDIF file>
For example:
ldifwrite -c asdb -b "cn=Users,dc=us,dc=oracle,dc=com" -f output.ldif
Note: Do not modify the output file output.ldif in any way before proceeding with Task 2 below.
Task 2: Import LDAP Users into Oracle E-Business Suite using LDAPUserImport
The LDAPUserImport tool is run from the command line via the following steps:
Note: The list of attributes migrated to the Oracle E-Business Suite from Oracle Internet Directory is limited to those described later in “Supported Attributes”.
Ensure the environment is set up properly.
Invoke the LDAPUserImport tool with the following syntax. Note that all parameters can be entered on the same command line; for clarity, they are shown on different lines here (using the UNIX '\' continuation character).
java oracle.apps.fnd.oid.LDAPUserImport \
  [-v] \
  -dbc <dbcfile> \
  -f <ldiffile> \
  -n <nicknameattribute> \
  [-l <logfile>]
where:
[-v] - Run in verbose mode
<dbcfile> - Full path to the dbc file
<ldiffile> - LDIF file
<nicknameattribute> - Name of the attribute used as the nicknameattribute in OID
<logfile> - Log file (default is LDAPUserImport.log)
For example:
java oracle.apps.fnd.oid.LDAPUserImport \
  -v \
  -dbc $FND_SECURE/myebiz.dbc \
  -f users.ldif \
  -n uid \
  -l users.log
If the OID user already exists in the Oracle E-Business instance the duplicate record will be ignored, the log file will be updated with a reference to the duplicate record, and processing will continue to the next OID record.
Events that enable or disable users are raised and consumed differently in Oracle Internet Directory and E-Business Suite.
New user accounts whose start date is in the future or whose end date is in the past are currently not provisioned from E-Business Suite to Oracle Internet Directory. Such pending user accounts have a corresponding placeholder record created in Oracle Internet Directory: this record is either deleted or activated once the account request has been processed.
Important: The IDENTITY_MODIFY event must be enabled in Oracle Internet Directory to allow users to be enabled at the time of approval.
If an existing E-Business user account is end-dated, the corresponding Oracle Internet Directory account is not affected. This is because the Oracle Internet Directory user may still require access to other partner applications. If no such access is needed, the relevant account will need to be disabled within Oracle Internet Directory.
The status of an account in Oracle Internet Directory is propagated to Oracle E-Business Suite as being either enabled or disabled. The application account start and end date are not updated, and users with local access to the applications should not be affected.
The default functionality can be customized by creating a Workflow subscription for the event oracle.apps.fnd.identity.modify. See section “Creating Custom Workflow Subscriptions“ for details.
User accounts deleted from the Oracle Internet Directory are end-dated in Oracle E-Business Suite, in order to maintain an audit trail.
The Oracle HR Agent can be utilized to manage Oracle Human Resources employees in Oracle Internet Directory, or to create E-Business Suite accounts automatically for new employees.
An E-Business Suite user is someone who needs to be able to log into the E-Business Suite. That user might need to file expense reports, view payslips, or file purchase requisitions. All E-Business Suite users have userids and records in the FND_USER repository, and have associated responsibilities that govern the functions and data that they can access.
An employee is someone whose information is managed by the Human Resources module in the E-Business Suite. Oracle Human Resources tracks information such as employee numbers, manager hierarchies, and other personally identifiable information like birthdates.
Not all employees are users, and vice versa. For example, a retailer might use the E-Business Suite's Human Resources modules to manage employee information for their cashiers, but those cashiers may not be authorized to log into Oracle E-Business Suite at all.
From an organizational standpoint, this distinction enables the HR department to manage employees and the IT department to manage E-Business Suite accounts. Following on from the example above, what about a scenario where the cashiers are permitted to view their payslips via the Self-Service Human Resources module? In such a case, the same person would be represented both in the Human Resources module, and in the E-Business Suite FND_USER repository. For E-Business Suite environments that are not integrated with Oracle Internet Directory, user records need to be individually maintained in each location.
It is possible to use the Oracle Internet Directory Human Resources connector to push employee information from Oracle HR to Oracle Internet Directory. Reference Oracle Identity Management Integration Guide 10g for more information.
A subset of employee data can be exported from Oracle Human Resources into Oracle Internet Directory. The connector includes both a prepackaged integration profile, and an Oracle Human Resources agent that handles communication with Oracle Internet Directory.
The Oracle Human Resources connector can be scheduled to run at any time, configuring it to extract incremental changes from the Oracle Human Resources system.
Administrators can set and modify mapping between column names in Oracle Human Resources and attributes in Oracle Internet Directory. Since it is possible to provision users from Oracle Internet Directory to E-Business Suite, the following flow can be configured:
This architecture would support a business flow where a new employee is registered in E-Business Suite Human Resources by the HR department. That employee's information is then propagated via Oracle Internet Directory to FND_USER, where an IT administrator grants the appropriate E-Business Suite responsibilities to the user account.
Important: The opposite direction is not supported. It is not possible to have an employee created in Oracle HR based upon a new user entry in Oracle Internet Directory.
The following two tables list, respectively, the attributes that may be provisioned from Oracle Internet Directory to Oracle E-Business Suite, and from Oracle E-Business Suite to Oracle Internet Directory.
Note: This is a subset of the attributes listed in the provisioning templates. Additional attributes are planned for future releases.
Attributes Provisioned from Oracle Internet Directory to Oracle E-Business Suite
Oracle Internet Directory Attribute name | FND_USER Column Name | TCA Table and Column Names |
---|---|---|
UID and [nickname]* | USER_NAME | |
DESCRIPTION | DESCRIPTION | |
FACSIMILETELEPHONENUMBER | FAX | |
EMAIL_ADDRESS | | HZ_CONTACT_POINTS.EMAIL_ADDRESS (CONTACT_POINT_TYPE is 'EMAIL') |
SN | | HZ_PARTIES.PERSON_LAST_NAME |
TELEPHONENUMBER | | HZ_CONTACT_POINTS.RAW_PHONE_NUMBER (CONTACT_POINT_TYPE is 'PHONE' and CONTACT_POINT_PURPOSE is 'BUSINESS') |
STREET | | HZ_LOCATIONS.ADDRESS1 |
POSTALCODE | | HZ_LOCATIONS.POSTAL_CODE |
PHYSICALDELIVERYOFFICENAME | | HZ_PARTY_SITES.MAILSTOP |
ST | | HZ_LOCATIONS.STATE |
L | | HZ_LOCATIONS.CITY |
GIVENNAME | | HZ_PARTIES.PERSON_FIRST_NAME |
HOMEPHONE | | HZ_CONTACT_POINTS.PHONE_NUMBER (CONTACT_POINT_TYPE is 'PHONE' and CONTACT_POINT_PURPOSE is 'PERSONAL') |
C | | HZ_LOCATIONS.COUNTRY |
* Refer to “Recommended Nickname (Login Attribute) Setting” for more information
Attributes Provisioned from Oracle E-Business Suite to Oracle Internet Directory
FND_USER | Oracle Internet Directory |
---|---|
USER_NAME | UID and [nickname]* |
DESCRIPTION | DESCRIPTION |
EMAIL_ADDRESS | |
FAX | FACSIMILETELEPHONENUMBER |
END_DATE | ORCLACTIVEENDDATE |
START_DATE | ORCLACTIVESTARTDATE |
START_DATE/END_DATE | ORCLISENABLED |
ENCRYPTED_USER_PASSWORD | USERPASSWORD |
* Refer to “Recommended Nickname (Login Attribute) Setting” for more information. Also refer to “Configuring Directory Integration Platform Provisioning Templates” for details of the provisioning process.
This section lists some resources for additional information.
My Oracle Support Knowledge Document 376811.1, Installing Oracle Application Server 10g with Oracle E-Business Suite Release 12.
Mandatory installation steps required to integrate Oracle Application Server 10g with the E-Business Suite. All the steps in this note must be completed before executing the steps in this chapter.
My Oracle Support Knowledge Document 380487.1,Oracle Application Server 10g with Oracle E-Business Suite Release 12 Troubleshooting.
This document describes issues that users may encounter when installing Oracle Application Server 10g (Oracle AS 10g) in an existing Oracle E-Business Suite Release 12 environment. As well as solutions or workarounds for these issues, general problem-solving hints and tips are provided that will assist with administrative activities in an enterprise single sign-on environment.
My Oracle Support Knowledge Document 380482.1, Oracle Application Server 10g with Oracle E-Business Suite Release 12 Documentation Roadmap
This document lists documentation that may be useful when installing or upgrading Oracle Application Server with Oracle E-Business Suite Release 12 environments.
CN
Common Name. May include a user name.
DN
Distinguished Name. The DN uniquely identifies a user in the directory. It comprises all of the individual names of the parent entries, back to the root.
DIP
Directory Integration Platform, the infrastructure that keeps user information bidirectionally synchronized between Oracle Internet Directory, Oracle E-Business Suite Release 12, and third-party LDAP servers.
DIT
Directory information tree. A hierarchical tree-like structure consisting of the DNs of the entries.
GUID
Global Unique Identifier, a token used to identify a user’s accounts in multiple systems during the single sign-on and enterprise level user management processes.
Identity Management Realm
A collection of identities, all of which are governed by the same administrative policies. In an enterprise, all employees having access to the intranet may belong to one realm, while all external users who access the public applications of the enterprise may belong to another realm. An identity management realm is represented in the directory by a specific entry with a special object class associated with it.
LDAP
The Lightweight Directory Access Protocol is an Internet-standard protocol and schema for user directories, and has gained widespread acceptance. LDAP was conceived as a standard, extensible directory access protocol for communication between suitably configured clients and servers. As a lightweight implementation of the International Organization for Standardization (ISO) X.500 standard for directory services, LDAP requires a minimal amount of networking software on the client side, which makes it particularly attractive for Internet-based, thin client applications. Currently Oracle E-Business Suite Release 12 is certified to synchronize directly with Oracle Internet Directory only. However, Oracle Internet Directory can itself synchronize with one or more external, third-party user directories.
Oracle Internet Directory
Oracle Internet Directory is a general-purpose directory service that runs as an application on the Oracle database and enables retrieval of information about dispersed users and network resources. It combines LDAP Version 3 with the high performance, scalability, robustness, and availability of the Oracle database. It communicates with the database (which may be on the same or on a different operating system) via Oracle Net, Oracle's operating system-independent database connectivity solution. As noted above, Oracle E-Business Suite is certified to synchronize directly with Oracle Internet Directory only, but Oracle Internet Directory can itself synchronize with one or more external, third-party user directories. For more information, see Oracle Internet Directory Release 10g Administrator's Guide.
Oracle Single Sign-On Server
A single sign-on solution provided by Oracle, which provides support for web-based applications including Oracle E-Business Suite.
Nickname Attribute
The attribute used to uniquely identify a user in the entire directory. The default value for this is uid. Oracle E-Business Suite uses this to resolve a simple user name to the complete distinguished name. The user nickname attribute cannot be multi-valued--that is, a given user cannot have multiple nicknames stored under the same attribute name.
Partner Application
An application that works within the Oracle Single Sign-On Server framework. It is designed (or has been modified) to delegate responsibility for user authentication to the Oracle Single Sign-On Server. Oracle E-Business Suite Release 12 can be deployed as a partner application.
Provisioning
Refers to the process by which user information is synchronized between Oracle Internet Directory and Oracle E-Business Suite. How provisioning is set up depends both on site requirements and the configuration in use.
Provisioning Profile
Metadata that controls details of the provisioning process between Oracle Internet Directory and an Oracle E-Business Suite instance. A provisioning profile is required for each application that sends or receives provisioning events to or from Oracle Internet Directory.
Single Sign-On
Technology that allows a user to sign on once and gain access to multiple applications, instead of having to sign on to each application separately. In the context of Oracle E-Business Suite Release 12, refers to use of the Oracle Single Sign-On server to perform authentication, rather than the native FND_USER table.
Users
Individuals who have access to one or more software applications at a particular enterprise. Users are "global" entities, i.e. their existence and attributes exist outside the context of any particular software application.
User Directory
Software services that store the list of users and their attributes. Oracle E-Business Suite currently has its own proprietary user directory (the FND_USER table). There are also general purpose user directories that manage user information and expose it to integrated applications through a standard interface.
The Lightweight Directory Access Protocol (LDAP, see above for definition) is an example of a user directory.