Below are 25 points an Apps DBA should know about integrating Apps (11i/R12) with SSO/OID (Single Sign-On/Oracle Internet Directory).
1. If you change the APPS password using the FNDCPASS utility, update the provisioning profile with the new password using OIDPROVTOOL. (More on OID Scripts & Tools coming soon). This is required because the APPS password is stored in the provisioning profile in OID.
2. If you clone an E-Business Suite instance:
   2.1 Deregister the old E-Business Suite details from the target OID instance.
   2.2 Deregister the integration details from the cloned target E-Business Suite instance.
   2.3 Reregister the target E-Business Suite instance to the target OID and SSO instance.
(More on cloning Oracle Apps instance integrated with OID/SSO coming soon)
3. The Session Idle Timeout value in E-Business Suite/Apps is set to 30 minutes by default, but there is NO session idle timeout value set on SSO (there is a Global Timeout value set to 8 hours in Oracle SSO, which is different from the idle timeout). If a session is idle for more than 30 minutes in Apps/E-Business Suite, the user is redirected to SSO and can get back into Apps “without” entering a username and password, because the user session cookie is still valid on the SSO server.
For the global idle session timeout to work properly, set the idle timeout in the Oracle SSO server to the required value and match it with the E-Business Suite instance.
4. A user named USER1 in FND_USER can be linked to username USER2 in OID, so the usernames need not be the same. Users in E-Business Suite/Apps are linked to users in OID/SSO via GUID.
5. User mapping between OID & E-Business Suite/Apps: the login name in OID is identified by the attribute “orclcommonnicknameattribute”, which by default is “uid”. To understand this better, think of the user “Atul Kumar” in OID with various attributes such as first name, last name, phone number, cn, sn, uid …. If the value of the attribute uid for “Atul Kumar” is set to “akumar”, then the user should use “akumar” to log in.
This “akumar” (value of the attribute “uid”) is mapped to the USER_NAME column of the FND_USER table, and the “orclguid” attribute in OID should have the same value as the USER_GUID column in the FND_USER table. As mentioned in point 4, users in OID & Apps are linked via GUID and this value should be the same. (More on user mapping and authentication flow with SSO coming soon)
6. The nickname attributes currently supported for mapping to the FND_USER table are “uid” and “mail”.
7. If the naming convention of your users in OID is different from that of users in E-Business Suite/Apps (like atul.kumar in OID but kumaratul in Apps/E-Business Suite), then disable the profile “Applications SSO Auto Link User”.
8. Not all user attributes can be integrated/synchronized from OID to E-Business Suite or vice versa. For the list of attributes currently supported (as of build 5), check Appendix C on Page 88 of the Integration guide.
9. Updates to email ID in Oracle Internet Directory are not correctly reflected in the E-Business Suite HZ_CONTACT_POINTS in TCA unless the PERSON_PARTY_ID foreign key in the FND_USER table has been defined. Furthermore, if PERSON_PARTY_ID is changed i.e. user is linked to another person in TCA, information stored in OID can overwrite this other person’s information during provisioning.
10. As of build 5, logout from OAM (Oracle Application Manager) results in page not found, though users can logout successfully from professional forms and self service web applications.
11. Users can be provisioned from E-Business/11i/R12 (FND_USER) to OID, OID to E-Business Suite, and two way. (How to find current user provisioning direction coming soon in OID Scripts post)
12. User Provisioning from TCA (Trading Community Architecture) to OID is not yet supported (as of build 5). Provisioning of HR to OID, FND_USER to OID or from OID to FND_USER is supported.
13. If the provisioning profile includes the password to be provisioned from E-Business Suite/Apps to OID, the password policy in E-Business Suite should be at least as restrictive as the one in OID; otherwise, when you create a user in E-Business Suite/Apps with a password that is not in line with the password policy, you will get a non-descriptive error message.
14. Users can log in to E-Business Suite locally (NO SSO, directly from FND_USER), via SSO (authentication via SSO), or BOTH. Set the profile option “Applications SSO Login Types” to LOCAL or BOTH at user level and use
http(s)://(hostname).(domainname):(port)/OA_HTML/AppsLocalLogin.jsp
For SSO authentication use the URL
http(s)://(hostname).(domainname):(port)/oa_servlets/AppsLogin
15. It is possible to register multiple E-Business Suite instances (Test, Dev, UAT) to a single OID/SSO instance. (How to find the list of E-Business Suite instances registered against OID, coming soon in OID Scripts)
16. If you have OID with multiple realms (How to find default and all available realms in OID, coming soon in OID scripts), E-Business Suite/11i/R12 can be registered against the default OID realm only (as of SSO build 5).
17. It is possible to link multiple E-Business Suite accounts to a single SSO account, but vice versa is not possible/supported, i.e. User1 and User2 in E-Business Suite can be linked to user3 in OID/SSO. (For more information check the profile option “Applications SSO Allow Multiple Accounts”)
18. It is possible to sync the user password from E-Business Suite to OID, but vice versa is not allowed. This is because passwords in E-Business Suite/Apps/11i/R12 are encrypted but are hashed in OID.
19. If you are planning to implement SSO integration with E-Business Suite/11i/R12 in an enterprise where E-Business Suite and OID are already implemented and working independently, it is possible to bulk load users from OID to E-Business Suite (users which are already in OID but not in E-Business Suite) or from E-Business Suite to OID (users which are already in E-Business Suite but not in OID) and map common users.
20. For bulk migrating users from E-Business Suite to OID or from OID to E-Business Suite, check the AppsUserExport, LDAPUserImport, ldifmigrator and bulkload.sh utilities.
21. When users are imported (initial load) from OID to E-Business Suite/Apps 11i/R12 using LDAPUserImport, not all user “attributes” can be imported.
22. If hashing method in OID is not MD5, bulkload of users to OID (initial set of users migrated from Apps/E-Business Suite) . (How to find the default hashing method in OID, coming soon in OID Scripts.)
23. During the initial load of users from E-Business Suite to OID (using bulkload.sh), the password policy in OID is not verified. This is because E-Business Suite passwords are encrypted in the dump file and the bulk load tool can’t check passwords.
24. The system clocks of the Oracle Application Server (SSO/OID) and the Apps/E-Business Suite database server should be in sync; otherwise users will face issues during login/logoff.
25.
Leave your comments on what you think is important for Apps/11i/R12 integration with OID/SSO to fill point no. 25
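The GUID-based linking described in points 4, 5, 17 and 19 can be audited by comparing both sides of the link. The following is an added example, not code from the original post or from Oracle: the tuples are constructed sample data standing in for USER_NAME/USER_GUID rows from FND_USER and uid/orclguid values from OID, and `reconcile` is a hypothetical helper name.

```python
from collections import defaultdict

# Constructed sample rows. FND_USERS stands for the result of selecting
# USER_NAME, USER_GUID from FND_USER; OID_ENTRIES for an LDAP search returning
# the nickname attribute (uid) and orclguid. GUIDs are shortened placeholders.
FND_USERS = [
    ("AKUMAR", "AAAA0001"),
    ("USER1", "AAAA0002"),
    ("KUMARATUL", "AAAA0003"),
    ("ATUL2", "aaaa0003"),
    ("SYSADMIN", None),
    ("OLDUSER", "AAAA0009"),
]
OID_ENTRIES = [
    ("akumar", "AAAA0001"),
    ("user2", "AAAA0002"),
    ("atul.kumar", "AAAA0003"),
    ("newhire", "AAAA0004"),
]


def reconcile(fnd_users, oid_entries):
    """Classify E-Business Suite accounts by how they link to OID via GUID."""
    # Assumption: GUIDs and login names are compared case-insensitively.
    oid_by_guid = {guid.upper(): uid for uid, guid in oid_entries}
    apps_by_guid = defaultdict(list)
    report = {"unlinked": [], "orphan_guid": [], "name_differs": []}
    for user_name, user_guid in fnd_users:
        if not user_guid:
            report["unlinked"].append(user_name)      # no GUID: not linked to OID
            continue
        guid = user_guid.upper()
        apps_by_guid[guid].append(user_name)
        uid = oid_by_guid.get(guid)
        if uid is None:
            report["orphan_guid"].append(user_name)   # GUID absent from this OID
        elif uid.upper() != user_name.upper():
            report["name_differs"].append((user_name, uid))  # allowed (point 4)
    # Several Apps accounts behind one SSO account (point 17).
    report["shared_guid"] = {g: n for g, n in apps_by_guid.items() if len(n) > 1}
    # OID users with no Apps account yet (bulk-load candidates, point 19).
    report["oid_only"] = [u for g, u in oid_by_guid.items() if g not in apps_by_guid]
    return report


if __name__ == "__main__":
    for kind, items in reconcile(FND_USERS, OID_ENTRIES).items():
        print(f"{kind}: {items}")
```

Accounts reported as `unlinked` or `orphan_guid` are the ones to review first, since they are not tied to a current OID identity.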
23 users commented in " 25 Things Apps DBA should know for Apps 11i/R12 Integration with OID/SSO "
Can you have one eBusiness Suite instance linked to more than one OID/SSO instance? Looking to have internal users linked to SSO1/OID1, which delegates authentication to 3rd party LDAP and external (web) users authenticated by SSO2/OID2. Is this even possible?
You can link multiple E-Business Suite instance to one OID/SSO.
I have not tried this but don’t see any issues in configuring one E-Business suite to multiple OID/SSO instance. I don’t understand requirement of such setup
Yes you can configure E-Business suite with OID/SSO and then configure OID/SSO to third party access management server like Oblix COREid or Netscape access manager with its own ldap server like iPlanet or AD
Your site has very good ready-to-use material; keep up the good work.
We have production database 11.5.10.2 we have integrated with SSO. We are decommissioning it next month. We have a large number of users in that database; how can we backup the user definition and it in the new database.
and will be have any issues in the SSO integration
Ansar,
Your doubt is not clear.
Which one are you decommissioning (apps or sso)?
Which is the new database? Are you putting any other thing with decommissioning?
Hi Atul
We are implementing SSO with R12. while provisioning from OID to R12 , Additions and Deletes are getting propagated but updates in OID are not getting propagated to EBS.
When I disable a user in OID , it does not end date a user in FND_USER and same is with email address.
Any thoughts …..
Dinesh,
Check in provisioning profile (OID to Apps) if updates is included in profile or not.
Atul
Thanks Atul for the response
Yes, updates are included in the profile. I also see that events are being submitted successfully in the logfiles. Here is the response from Oracle
————————————–
If you simply disable the user from OID the account start and end date will not be updated, and users with local access to the applications will not be affected. If on the other hand the user account is deleted from the Oracle Internet Directory the user will be end-dated in Oracle E-Business Suite, in order to maintain an audit trail.
———————————————-
Please advise if that is the case. Any ideas how we can implement this
Thanks
Dinesh,
Yes, that’s true; check page 77 of the guide (you should log in to Metalink first to access this guide) https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf
Solution (Bit Tricky)
You can customize by creating workflow subscription (Check page 62 of above guide)
Hi all,
I need a document for SSO/OID installation.
for portal integration
thank you
lakshmi
Lakshmi check this
http://onlineappsdba.com/index.php/2008/03/17/notesdocs-to-integrate-apps-11i-with-10g-as-portaloidsso/
Hi Guys
I am Jaya Prakash. I have one query: I had cloned E-Buz from production to UAT instance, with deregistering OID server.
And when I am trying to integrate UAT E-Biz with UAT OID server, I am not able to register.
Can anyone help to resolve this issue?
Can anyone help me resolve this issue?
Regards
JP
Jaya,
What error message are you getting while registering UAT ebiz with UAT OID?
Hi atul,
1) I am having an issue: my production is integrated with the SSO server.
2) I have done cloning from PROD to test without deregistering SSO before cloning.
3) Now the cloned instance needs to integrate with the new SSO server.
4) When I try to register the cloned instance to the SSO server, the log file is showing PROD information.
Can anyone help to resolve this issue?
Regards
Kumar
Hi,
You can remove the references instead of trying to deregister. Check for the syntax for removing references.
–Vivek
Hi Atul,
We wish to integrate Oracle Apps R12 (financials) just with OID 10g to ensure data synchronization.
For authentication, we will be dependent upon Oracle Apps’s default functionality and we do not need any third party access management system.
Could you please guide me to get a document related to this scenario?
Hi Atul,
We wish to integrate Oracle Apps R12 (financials) just with OID 10g to ensure data synchronization both ways.
For authentication, we will be dependent upon Oracle Apps’s default functionality and we do not need any third party access management system.
1. Could you please guide me to get a document related to this scenario?
2. For this requirement of just user provisioning both ways, can we skip SSO?
Hi Atul,
We wish to integrate Oracle Apps R12 (financials) just with OID 10g to ensure data synchronization both ways.
For authentication, we will be dependent upon Oracle Apps’s default functionality and we do not need any third party access management system.
1. Could you please guide me to get a document related to this scenario?
2. For this requirement of user provisioning both ways, can we skip with SSO?
@Ashish
1. Could you please guide me to get a document related to this scenario?
– http://onlineappsdba.com/index.php/2008/03/17/notesdocs-to-integrate-apps-11i-with-10g-as-portaloidsso/
– https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf (Useful to understand concepts and valid for R12 as well)
– 376811.1 Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On
2. For this requirement of just user provisioning both ways, can we skip SSO?
– Yes you can integrate just OID (and No SSO) - Get confirmation from support
– From Note 376811.1
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registersso=no -registeroid=yes
Hi Atul, Unfortunately the following document is not available. Could you please give me other link or suggest any other way to get the document.
https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf
@ Ashish,
To access the above doc, first log in to Metalink and then in the same browser type this URL (you should be able to access this guide; I tried this and it's accessible).
Atul
Got it Atul,
Thanks a zillion!!