Best Best Practices Practices FFor or

Implementing Implementing SSO SSO

on on EBS R12EBS R12

August 09

Milton Estrada

Technical Management Consultant

estradam@tusc.com

AgendaAgenda

� Overview

� Features and Supported Architectures

� Components and Build Versions

� Implement Single Sign-On Support for EBS R12

� Know Issues

August 09 / Slide 2 / EBSR12 SSO

� Know Issues

� Q/A

� References

OverviewOverview� This presentation will cover the integration of Oracle Application Server 10g Enterprise

Edition with Oracle E-Business Suite R12

� The following services running on external servers to EBS R12 are supported:� Oracle Single Sign-On (SSO) 10g

� Oracle Internet Directory (OID) 10g

� Oracle Portal 10g

� Oracle Discoverer 10g

� Oracle Web Cache 10g

� Third party single sign-on solutions

� Third party Lightweight Directory Access Protocol (LDAP) directories

August 09 / Slide 3 / EBS R12 SSO

� Third party Lightweight Directory Access Protocol (LDAP) directories

� These services may run:� One or more standalone servers external to existing EBS R12 environment

� In separate Oracle Homes on existing EBS R12 Servers

� These services may not run:� In the existing EBS R12 Application Server 10g 10.1.2 Oracle Home for the Forms and Reports

� In the existing EBS R12 Application Server 10g 10.1.3 Oracle Home for the Web and Java services

� For more information about EBS R12 Architectures see Oracle Applications Concepts, Release 12 (Part N0. B31450-01)

Features and Supported ArchitecturesFeatures and Supported Architectures� Accessing EBS R12 with SSO

� Oracle Application Server 10g (10.1.4.0.1), Oracle Internet Directory and Oracle Single Sign-On Server are required to enable SSO functionality for EBS R12

� Implementing SSO for EBS R12 allows organizations to share one user definition throughout multiple parts of the enterprise

� For EBS R12 mod_osso is used for SSO authentication, replacing SSO SDK used in previous versions

� SSO for EBS R12 also support Single Sign-Off, which allow users to simultaneously terminate all active partner applications

� Integration with Third-Party Access Management Systems and LDAP Directories� Organizations can use their existing third-party access management system to integrate with SSO.

August 09 / Slide 4 / EBS R12 SSO

� Organizations can use their existing third-party access management system to integrate with SSO. With this method SSO becomes a partner application to the third-party system, delegating the authentication process to it.

� Organizations that have standardized on third-party LDAP directories can optionally integrate that

with Oracle Internet Directory (OID).

Components and Build VersionsComponents and Build VersionsComponents listed below most be used when integrating EBS R12 with SSO

� Oracle E-Business Suite R12

Component Name Release

Oracle E-Business Release 12 12.0.X to 12.1.1.X

Oracle 10g Application Server 10.1.2

Oracle 10g Application Server 10.1.3

Oracle Developer 10g (Includes Oracle Forms) 10.1.2

August 09 / Slide 5 / EBS R12 SSO

• Oracle Application Server 10g Enterprise Edition

Component Name Release

Oracle Single Sign-On 10g 10.1.4.3.0

Oracle Internet Directory 10g 10.1.4.3.0

Oracle Portal 10g (optional) 10.1.4.2.0

Oracle Web Cache 10g (optional) 10.1.2.3.0

Oracle Discoverer 10g (optional) 10.1.2.3.0

Implement Single SignImplement Single Sign--On Support for EBS R12On Support for EBS R12� SSO Task 1: Install E-Business Suite SSO 10g Integration patch

� If you are using IBM/AIX for EBS R12, apply patch 5855635 to 10.1.3 Oracle Home

� SSO Task 2: Configure Oracle Identity Management 10g (10.1.4.x) Components with EBS R12� Chose registration type – Default (simple) or Advanced

� Compile Parameter List Check List

� Refresh environment settings

� Check that TWO_TASK variable is set correctly

� Run the Registration Scripto $FND_TOP/bin/txkrun.pl -script=SetSSOReg

� Restart Middle-Tier Services

August 09 / Slide 6 / EBS R12 SSO

� Restart Middle-Tier Services

� SSO Task 3: Validate that Single Sign-On is Working Correctly� Run the Diagnostic Utility

o Login locally to the E-Business Suite by opening http[s]://<server>[:port]/OA_HTML/AppsLocalLogin.jsp

o Launch Diagnostics

o Run SSO Diagnostics

o Run OID Diagnostics

� Verify SSO Integration with Oracle E-Business Suiteo http://[host]:[port]/OA_HTML/AppsLogin

� Verify that SSO is correctly integrated with OID

o $ORACLE_HOME/ldap/odi/log

Know IssuesKnow Issues• ORA-20001: Unable to call fnd_ldap_wrapper.update_user

� Update 10.1.3_OH/Apache/Apache/bin/iasobf file and set ORACLE_HOME variable

� Deregister/register instance again

• To stop “Customer” field from been populated disable following business views:� For business event oracle.apps.fnd.identity.add disable subscription

fnd_oid_subscriptions.hz_identity_add

� For business event oracle.apps.fnd.identity.modify disable subscription fnd_oid_subscriptions.hz_identity_modify

� For business event oracle.apps.fnd.subscription.add disable subscription fnd_oid_subscriptions.hz_subscription_add

August 09 / Slide 7 / EBS R12 SSO

fnd_oid_subscriptions.hz_subscription_add

• To allow a user to bypass SSO authentication� Set system profile option “Applications SSO Login Types” to “Local” at user level

� Use http://[host]:[port]/OA_HTML/AppsLogin URL

• When Cloning run command listed below on target instance before registering with SSO/OID

� $FND_TOP/bin/txkrun.pl -script=SetSSOReg -removereferences=Yes

Q/A

August 09 / Slide 8 / EBS R12 SSO

ReferencesReferences

� Oracle Metalink Note ID 376811.1 Titled “Integrating Oracle E-Business Suite Release 12 with 10g AS Oracle Internet Directory and Oracle Single Sign-On”

August 09 / Slide 9 / EBS R12 SSO