Check below 25 points which Apps DBA should know for Apps(11i/R12) integration with SSO/OID (Single Sign-On/Oracle Internet Directory)
1. If you change APPS password using FNDCPASS utility, update provisioning profile with new password using OIDPROVTOOL. (More on OID Scripts & Tools coming soon). This is required as APPS password is stored in provisioning profile in OID.
2. If you clone E-Business Suite Instance,
——2.1 Deregister old E-Business Suite details from target OID Instance,
——2.2 Deregister Integration details from cloned target E-Business Suite instance
——2.3 Reregister target E-Business Suite Instance to target OID and SSO instance
(More on cloning Oracle Apps instance integrated with OID/SSO coming soon)
3. Session Idle Timeout value in E-Business/Apps is set to 30 minute by default but there is NO Session Idle timeout value set on SSO (There is Global Timeout value set to 8 hours in Oracle SSO which is different from Idle Timeout). If session is Idle for more than 30 minutes in Apps/E-Business suite, users will be redirected to SSO and user can get back to Apps “without” entering username password as user session cookie is still valid on SSO Server .
For global Idle Session time out to work properly set Idle timeout value to required value in Oracle SSO server and match that with E-Business Suite Instance.
4. User with Name USER1 in FND_USERS can be linked to username USER2 in OID , so username need not to be same. Users in E-Business Suite/Apps are linked to Users in OID/SSO via GUID.
5. User mapping between OID & E-Business/Apps -> Login name in OID is identified by attribute “orclcommonnicknameattribute” which by default is “uid“. To understand this better, think of user User “Atul Kumar” in OID with various attribute like first name, lastname, phonenumber, cn, sn, uid …. If for “Atul Kumar” value of attribute uid is set to “akumar” then user should use “akumar” to login.
This “akumar” (value of attribute “uid”) is mapped to USER_NAME column of table FND_USER and “orclguid” attribute in OID should have same value as USER_GUID column value in FND_USER table. As mentioned in point 4, users in OID & Apps are linked via GUID and this value should be same. (More on user mapping and authentication flow with SSO coming soon )
6. Currently supported nickname attribute to be mapped to FND_USER table are “uid” and “mail”
7. If naming convention of your users in OID is different from users in E-Business/Apps (like atul.kumar in OID but kumaratul in apps/E-Business Suite) then disable profile “Applications SSO Auto Link User”
8. Not all attributes for users can be integrated/synchronized from OID to E-Business Suite or Vice Versa. For list of attributes supported currently (as of build 5) check Appendix C on Page 88 of Integration guide.
9. Updates to email ID in Oracle Internet Directory are not correctly reflected in the E-Business Suite HZ_CONTACT_POINTS in TCA unless the PERSON_PARTY_ID foreign key in the FND_USER table has been defined. Furthermore, if PERSON_PARTY_ID is changed i.e. user is linked to another person in TCA, information stored in OID can overwrite this other person’s information during provisioning.
10. As of build 5, logout from OAM (Oracle Application Manager) results in page not found, though users can logout successfully from professional forms and self service web applications.
11. Users can be provisioned from E-Business/11i/R12 (FND_USER) to OID, OID to E-Business Suite, and two way. (How to find current user provisioning direction coming soon in OID Scripts post)
12. User Provisioning from TCA (Trading Community Architecture) to OID is not yet supported (as of build 5). Provisioning of HR to OID, FND_USER to OID or from OID to FND_USER is supported.
13. If provisioning profile includes password to be provisioned from E-Business Suite/Apps to OID, password policy in E-Business Suite should be atleast as restrictive as OID else when you create user in E-Business Suite/Apps without password not not in line with password policy, you will get non descriptive error message.
14. User can login to E-Business Suite Locally (NO SSO, directly from FND_USER) or to SSO (authentication via SSO) or BOTH. Set profile option “Applications SSO Login Types” to LOCAL or BOTH at userlevel and use
http(s)://(hostname).(domainname):(port)/ OA_HTML/ AppsLocalLogin.jsp
For SSO authentication use URL
15. It is possible to register multiple E-Buisness Suite Instance (Test, Dev, UAT) to single OID/SSO Instance. (How to find list of E-Business Suite instance registered against OID, coming soon in OID Scripts)
16. If you have OID with multiple Realm (How to find default and all available realms in OID, coming soon in OID scripts), E-Business Suite/11i/R12 can be registered against default OID realm only (As of SSO build 5).
17. It is possible to link multiple E-Business Suite accounts to single SSO account but vice versa is not possible/supported. i.e. User1 and User2 in E-Business account can be linked to user3 in OID/SSO (For more
information Check Profile Option “Applications SSO Allow Multiple Accounts” )
18. It is possible to synch User Password from E-Business Suite to OID but vice versa is not allowed. This is because passwords in E-Buisness Suite/Apps/11i/R12 are encrypted but are hashed in OID.
19. If you are palnning to implement SSO Integration with E-Business /11i/R12 in enterprise where E-Business Suite and OID are already implemented and working independently, it is possible to bulkload user from OID to E-Business(Users which are already in OID but not in E-Business Suite) or from E-Busienss to OID (Users which are already in E-Business Suite but not in OID) and map common users.
20. For bulk migrating users from E-Business Suite to OID or from OID to E-Business Suite, check AppsUserExport, LDAPUserImport, ldifmigrator, bulkload.sh utility
21. When users are imported (initial load) from OID to E-Business/Apps 11i/R12 using LDAPUserImport, all user “attributes” can’t be imported.
22. If hashing method in OID is not MD5, bulkload of users to OID (initial set of users migrated from Apps/E-Business Suite) . (How to find default hasing method in OID, coming soon in OID Scripts..)
23. During initial load of users from E-Business Suite to OID (using bulkload.sh), password policy in OID is not verified . This is because E-Business Suite passwords are encrypted in dump file and bulk load tool can’t check passwords.
24. Oracle Application Server (SSO/OID) & Apps/E-Business Suite database server system clocks should be in synch else users will face issue during login/logoff
Leave your comments on what you think is important for Apps/11i/R12 integration with OID/SSO to fill point no. 25
If you have not yet downloaded FREE eBook – 7 Docs every Oracle Apps DBA must read for EBS R12 integration with OAM/OID for SSO get a copy in your Email
Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.