25 Things Apps DBA should know for Apps 11i/R12 Integration with OID/SSO

Below are 25 points that an Apps DBA should know about integrating Apps (11i/R12) with SSO/OID (Single Sign-On/Oracle Internet Directory).

1. If you change the APPS password using the FNDCPASS utility, update the provisioning profile with the new password using OIDPROVTOOL. (More on OID Scripts & Tools coming soon). This is required because the APPS password is stored in the provisioning profile in OID.

2. If you clone an E-Business Suite instance:
   2.1 Deregister the old E-Business Suite details from the target OID instance.
   2.2 Deregister the integration details from the cloned target E-Business Suite instance.
   2.3 Reregister the target E-Business Suite instance with the target OID and SSO instance.
(More on cloning Oracle Apps instance integrated with OID/SSO coming soon)

3. The Session Idle Timeout value in E-Business Suite/Apps is set to 30 minutes by default, but there is NO Session Idle Timeout value set on SSO. (There is a Global Timeout value set to 8 hours in Oracle SSO, which is different from the Idle Timeout.) If a session is idle for more than 30 minutes in Apps/E-Business Suite, the user is redirected to SSO and can get back to Apps "without" entering a username and password, because the user's session cookie is still valid on the SSO server.
For a global idle session timeout to work properly, set the Idle Timeout to the required value on the Oracle SSO server and match it with the E-Business Suite instance.

4. A user named USER1 in FND_USER can be linked to the username USER2 in OID, so the usernames need not be the same. Users in E-Business Suite/Apps are linked to users in OID/SSO via GUID.

5. User mapping between OID and E-Business Suite/Apps: the login name in OID is identified by the attribute “orclcommonnicknameattribute”, which by default is “uid”. To understand this better, think of the user “Atul Kumar” in OID with various attributes such as first name, lastname, phonenumber, cn, sn, uid and so on. If the value of the attribute uid for “Atul Kumar” is set to “akumar”, then the user should use “akumar” to log in.
This “akumar” (the value of the attribute “uid”) is mapped to the USER_NAME column of the table FND_USER, and the “orclguid” attribute in OID should have the same value as the USER_GUID column in the FND_USER table. As mentioned in point 4, users in OID and Apps are linked via GUID, and this value should be the same. (More on user mapping and authentication flow with SSO coming soon)
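
The GUID link described in points 4 and 5 can be checked offline by comparing an export of FND_USER against an LDIF export of OID. The Python below is an added example, not code from the original post or from Oracle; the export formats, the sample data and the function names parse_ldif and reconcile are assumptions, and GUIDs are assumed to be exported as hex strings and login names compared case-insensitively.

```python
import csv

# Constructed sample: LDIF export of OID users (uid is the nickname attribute).
OID_LDIF = """\
dn: cn=Atul Kumar,cn=users,dc=example,dc=com
uid: akumar
orclguid: 4F3A9C1E2B7D4E6F8A1B2C3D4E5F6071

dn: cn=User Two,cn=users,dc=example,dc=com
uid: USER2
orclguid: 0A1B2C3D4E5F60718293A4B5C6D7E8F9

dn: cn=Jane Doe,cn=users,dc=example,dc=com
uid: jdoe
orclguid: 11112222333344445555666677778888
"""

# Constructed sample: CSV export of USER_NAME and USER_GUID from FND_USER.
FND_USER_CSV = """\
USER_NAME,USER_GUID
AKUMAR,4f3a9c1e2b7d4e6f8a1b2c3d4e5f6071
USER1,0A1B2C3D4E5F60718293A4B5C6D7E8F9
JDOE,DEADBEEFDEADBEEFDEADBEEFDEADBEEF
SYSADMIN,
"""

def parse_ldif(text, nickname_attr="uid"):
    """Map orclguid (upper-case hex) to login name; plain 'attr: value' lines only."""
    users = {}
    for entry in text.strip().split("\n\n"):
        pairs = (line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        attrs = {key.lower(): value.strip() for key, value in pairs}
        if "orclguid" in attrs and nickname_attr in attrs:
            users[attrs["orclguid"].upper()] = attrs[nickname_attr]
    return users

def reconcile(ldif_text, fnd_csv, nickname_attr="uid"):
    """Classify each FND_USER row by how its USER_GUID relates to OID."""
    oid = parse_ldif(ldif_text, nickname_attr)
    oid_names = {name.upper() for name in oid.values()}
    report = {}
    for row in csv.DictReader(fnd_csv.splitlines()):
        name, guid = row["USER_NAME"], row["USER_GUID"].strip().upper()
        if not guid:                               # never linked to OID
            kind, item = "local_only", name
        elif guid not in oid:                      # link points at no OID entry
            kind, item = ("guid_mismatch" if name.upper() in oid_names else "stale_guid"), name
        elif oid[guid].upper() != name.upper():    # valid: names may differ (point 4)
            kind, item = "linked_different_name", (name, oid[guid])
        else:
            kind, item = "linked", name
        report.setdefault(kind, []).append(item)
    return report

if __name__ == "__main__":
    print(reconcile(OID_LDIF, FND_USER_CSV))
```

Rows reported as guid_mismatch or stale_guid carry a USER_GUID with no matching orclguid in the directory, so the link described in point 4 cannot resolve for them.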

6. The nickname attributes currently supported for mapping to the FND_USER table are “uid” and “mail”.

7. If the naming convention for your users in OID is different from that in E-Business Suite/Apps (like atul.kumar in OID but kumaratul in Apps/E-Business Suite), then disable the profile “Applications SSO Auto Link User”.

8. Not all user attributes can be integrated/synchronized from OID to E-Business Suite or vice versa. For the list of attributes currently supported (as of build 5), check Appendix C on Page 88 of the Integration guide.

9. Updates to email ID in Oracle Internet Directory are not correctly reflected in the E-Business Suite HZ_CONTACT_POINTS in TCA unless the PERSON_PARTY_ID foreign key in the FND_USER table has been defined. Furthermore, if PERSON_PARTY_ID is changed i.e. user is linked to another person in TCA, information stored in OID can overwrite this other person’s information during provisioning.

10. As of build 5, logout from OAM (Oracle Application Manager) results in page not found, though users can logout successfully from professional forms and self service web applications.

11. Users can be provisioned from E-Business/11i/R12 (FND_USER) to OID, OID to E-Business Suite, and two way. (How to find current user provisioning direction coming soon in OID Scripts post)

12. User Provisioning from TCA (Trading Community Architecture) to OID is not yet supported (as of build 5). Provisioning of HR to OID, FND_USER to OID or from OID to FND_USER is supported.

13. If the provisioning profile includes the password to be provisioned from E-Business Suite/Apps to OID, the password policy in E-Business Suite should be at least as restrictive as in OID; otherwise, when you create a user in E-Business Suite/Apps with a password that is not in line with the password policy, you will get a non-descriptive error message.

14. Users can log in to E-Business Suite locally (NO SSO, directly from FND_USER), via SSO (authentication via SSO), or BOTH. Set the profile option “Applications SSO Login Types” to LOCAL or BOTH at user level and use

http(s)://(hostname).(domainname):(port)/OA_HTML/AppsLocalLogin.jsp

For SSO authentication use the URL
http(s)://(hostname).(domainname):(port)/oa_servlets/AppsLogin

15. It is possible to register multiple E-Business Suite instances (Test, Dev, UAT) with a single OID/SSO instance. (How to find list of E-Business Suite instance registered against OID, coming soon in OID Scripts)

16. If you have OID with multiple realms (How to find default and all available realms in OID, coming soon in OID scripts), E-Business Suite/11i/R12 can be registered against the default OID realm only (as of SSO build 5).

17. It is possible to link multiple E-Business Suite accounts to a single SSO account, but vice versa is not possible/supported, i.e. User1 and User2 in E-Business Suite can be linked to user3 in OID/SSO. (For more information check the profile option “Applications SSO Allow Multiple Accounts”.)

18. It is possible to synch user passwords from E-Business Suite to OID, but vice versa is not allowed. This is because passwords in E-Business Suite/Apps/11i/R12 are encrypted, whereas in OID they are hashed, and a hash cannot be reversed to recover the password.

19. If you are planning to implement SSO integration with E-Business Suite/11i/R12 in an enterprise where E-Business Suite and OID are already implemented and working independently, it is possible to bulkload users from OID to E-Business Suite (users who are already in OID but not in E-Business Suite) or from E-Business Suite to OID (users who are already in E-Business Suite but not in OID) and map common users.

20. For bulk migrating users from E-Business Suite to OID or from OID to E-Business Suite, check the AppsUserExport, LDAPUserImport, ldifmigrator and bulkload.sh utilities.

21. When users are imported (initial load) from OID to E-Business Suite/Apps 11i/R12 using LDAPUserImport, not all user “attributes” can be imported.

22. If hashing method in OID is not MD5, bulkload of users to OID (initial set of users migrated from Apps/E-Business Suite) . (How to find default hashing method in OID, coming soon in OID Scripts..)

23. During the initial load of users from E-Business Suite to OID (using bulkload.sh), the password policy in OID is not verified. This is because E-Business Suite passwords are encrypted in the dump file and the bulk load tool can’t check the passwords.

24. The system clocks of the Oracle Application Server (SSO/OID) and the Apps/E-Business Suite database server should be in sync; otherwise users will face issues during login/logoff.

25.

Leave your comments on what you think is important for Apps/11i/R12 integration with OID/SSO to fill point no. 25


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.


33 comments
Manohar says January 24, 2008

Can you have one eBusiness Suite instance linked to more than one OID/SSO instance? Looking to have internal users linked to SSO1/OID1, which delegates authentication to 3rd party LDAP and external (web) users authenticated by SSO2/OID2. Is this even possible?

Reply
Atul says January 24, 2008

You can link multiple E-Business Suite instance to one OID/SSO.

I have not tried this but don’t see any issues in configuring one E-Business suite to multiple OID/SSO instance. I don’t understand requirement of such setup

Yes you can configure E-Business suite with OID/SSO and then configure OID/SSO to third party access management server like Oblix COREid or Netscape access manager with its own ldap server like iPlanet or AD

Reply
ansar says March 28, 2008

Your site has very good ready to use material, keep up the good work.

We have production database 11.5.10.2 we have integrated with SSO we are decommissioning it next month we have a large number of users in that database how can we backup the user definition and it in the new database.

and will we have any issues in the SSO integration

Reply
Atul says March 30, 2008

Ansar,
Your doubt is not clear.

Which one you are decommissioning (apps or sso)?

Which is new database? r u putting any other thing with decommissioning?

Reply
Dinesh says June 13, 2008

Hi Atul

We are implementing SSO with R12. while provisioning from OID to R12 , Additions and Deletes are getting propagated but updates in OID are not getting propagated to EBS.

When I disable a user in OID , it does not end date a user in FND_USER and same is with email address.

Any thoughts …..

Reply
Atul says June 14, 2008

Dinesh,
Check in provisioning profile (OID to Apps) if updates is included in profile or not.

Atul

Reply
Dinesh says June 16, 2008

Thanks Atul for the response

Yes, updates are included in the profile. I also see that events are being submitted successfully in the logfiles. Here is the response from Oracle

————————————–

If you simply disable the user from OID the account start and end date will not be updated, and users with local access to the applications will not be affected. If on the other hand the user account is deleted from the Oracle Internet Directory the user will be end-dated in Oracle E-Business Suite, in order to maintain an audit trail.
———————————————-

Please advise if that is the case. Any ideas how we can implement this

Thanks

Reply
Atul Kumar says June 17, 2008

Dinesh,
Yes that’s true check page 77 of guide (You should login to metalink first to access this guide) https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf

Solution (Bit Tricky)
You can customize by creating workflow subscription (Check page 62 of above guide)

Reply
lakshmikanthan says July 31, 2008

Hi all,
I need a document for SSO/OID installation.
for portal integration
thank you
lakshmi

Reply
Jaya Prakash.Bhuma says December 12, 2008

Hi Guys

I am Jaya Prakash, I am having one query, I had cloned E-Biz from production to UAT instance, with deregistering OID server.

And when I am trying to integrate UAT E-Biz with UAT OID server, I am not able to register

Reply
Jaya Prakash.Bhuma says December 12, 2008

Can anyone help to resolve this issue

Reply
Jaya Prakash.Bhuma says December 12, 2008

Can anyone help me resolve this issue

Regards
JP

Reply
Atul Kumar says December 12, 2008

Jaya,
What error message you are getting while registering UAT ebiz with UAT OID

Reply
Kumar says December 18, 2008

Hi atul,

1) I am having an issue that my Production is integrated with SSO server,

2) We have done cloning from PROD to test without deregistering SSO before cloning

3) Now the cloned instance needs to integrate with new SSO server

4) When I am trying to register the cloned instance to SSO server, the log file is showing PROD information

Can anyone help to resolve this issue

Regards
Kumar

Reply
vivek says March 18, 2009

Hi,
You Can Remove the references instead of trying to deregister. check for syntax for removing references..
–Vivek

Reply
ashish says September 14, 2009

Hi Atul,

We wish to integrate Oracle Apps R12 (financials) just with OID 10g to ensure data synchronization.

For authentication, we will be dependent upon Oracle Apps’s default functionality and we do not need any third party access management system.

Could you please guide me to get a document related to this scenario?

Reply
ashish says September 14, 2009

Hi Atul,

We wish to integrate Oracle Apps R12 (financials) just with OID 10g to ensure data synchronization both ways.

For authentication, we will be dependent upon Oracle Apps’s default functionality and we do not need any third party access management system.

1. Could you please guide me to get a document related to this scenario?
2. For this requirement of just user provisioning both ways, can we skip SSO?

Reply
ashish says September 14, 2009

Hi Atul,

We wish to integrate Oracle Apps R12 (financials) just with OID 10g to ensure data synchronization both ways.

For authentication, we will be dependent upon Oracle Apps’s default functionality and we do not need any third party access management system.

1. Could you please guide me to get a document related to this scenario?
2. For this requirement of user provisioning both ways, can we skip with SSO?

Reply
Atul Kumar says September 14, 2009

@Ashish

1. Could you please guide me to get a document related to this scenario?
http://onlineappsdba.com/index.php/2008/03/17/notesdocs-to-integrate-apps-11i-with-10g-as-portaloidsso/
https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf (Useful to understand concepts and valid for R12 as well)
— 376811.1 Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On

2. For this requirement of just user provisioning both ways, can we skip SSO?
— Yes you can integrate just OID (and No SSO) – Get confirmation from support
— From Note 376811.1

$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registersso=no -registeroid=yes

Reply
ashish says September 14, 2009

Hi Atul, Unfortunately the following document is not available. Could you please give me other link or suggest any other way to get the document.
https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf

Reply
Atul Kumar says September 14, 2009

@ Ashish,
To access above doc, first login to Metalink and then in same browser type this URL (You should be able to access this Guide. I tried this and it's accessible)

Atul

Reply
ashish says September 14, 2009

Got it Atul,

Thanks a zillion!!

Reply
Nandini says August 2, 2010

Hi,

Please give me information regarding from where data flows into fnd_user table.

Reply
sanjay says February 7, 2012

Hi Atul

If I registered multiple EBS instances with single instance Of OID, How access across instances works. what I mean does OID has multiple entry for each user per instance?

TEST100 user created in LDAP synch to OID, and He is getting synch with all the registered EBS instances , since provision is from OID – FND_USERS.

BUT TEST100 should be able access only TEST and QA and not PROD instance ? How this works?

Reply
Atul Kumar says February 8, 2012

No User will be only under single place which all registered EBS instances can use.

If you do not want two EBS instances to be used by same user then register different OID.

So for Test & QA ebs use one OID and for PROD instance use second OID (Prod OID)

Reply
sanjay says February 8, 2012

Thanks for earlier reply one follow up question
I have following configuration

10g OSSO, 11g OID and EBS R12

1. 10g OSSO has separate host for database and web tier (we call infrastructure host)

2. Actual LDAP services are running on 11g OID

So when I run following

$FND_TOP/bin/txkrun.pl -script=SetSSOReg

What is first value do u provide ..

Hostname of Oracle Application Server Infrastructure database ?

Thanks
sanjay

Reply
Atul Kumar says February 14, 2012

@ Sanjay,
Use server details which hosts 10g OSSO schema for infrastructure host

Reply
viJay says February 22, 2012

Hi Atul,

we cloned an R12 production instance to test. During this process the Ebiz team forgot to deregister the earlier instance in test. After cloning they de-registered and registered. The sso is happening but there is an issue with OID. Below is the error we encountered while accessing. Please suggest how can we proceed.

Make sure that the Oracle Internet Directory Server specified in OIDhost, OIDsslport is up and running.
Base Exception : oracle.ias.repository.schema.SchemaException:
Unable to Create orclApplicationCommonName=zion,cn=Ebiz,cn=Products,cn=OracleContext,dc=test,dc=com in Oracle Internet Directory Server
ldap://new.test.com:10938/. Base Exception : oracle.ias.repository.schema.SchemaException: Unable to save Attribute for the cn=OracleDASCreateUser, cn=Groups,cn=OracleContext in Oracle Internet Directory Server ldap://new.test.com:10938/. Base Exception : javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 – Constraint Violation]; remaining name ‘cn=OracleDASCreateUser, cn=Groups,cn=OracleContext’

Regards,
vijay.

Reply
Taylor says March 14, 2013

Can users be maintained when taking a clone for EBS 11i? I have always been told that while a download of fnd_users in the target can be taken pre-clone and then uploaded post-clone, that the per tables can not be maintained due to their tree structure. Is that accurate? If the HR tables can be maintained, then couldn’t the person_party_id be maintained which allow the user to be linked to a person record post clone? Every time I request to maintain users, I receive fnd_users that are not assigned (or linked) to person records. There must be a way to maintain the per tables. The user is rendered useless in the app without the person linkage.

Thoughts?

Reply
Mitra says September 25, 2013

Hello Atul,
We have a situation to pull in the data into our Datawarehouse from both R12 and 11i instances for BI/ Reporting. While 11i instances contain the historical data, R12 after Conversion will contain a last one year data, we are using ODI for integration. How do we load the same target warehouse with data from the 11i instances and 12 both? ( While the adapters provided to us in ODI for 11i and 12).
Is this a good approach ?
Thanks
Mitra

Reply
3mcs says May 4, 2015

10g OSSO has separate host for database and web tier ( we call infrastructure host)

Reply