Oracle EBS SSO Integration Procedure for R12.2

How to enable SSO for EBS for Active Directory and other SSO Integrations

How to enable SSO for Oracle EBS 12.2?

Oracle E-business Suite – EBS and LDAP SSO Integration is explained here with a simplified approach of SSOGEN SSO Solution. As Oracle EBS does not directly work with enterprise SSO such as Microsoft Active Directory Authentication, Single Sign On solution such as Oracle Access Manager – OAM or SSOgen is necessary to complete Oracle EBS Single Sign On with Microsoft Active Directory. Oracle OAM and Oracle Single Sign On – OSSO 10g are the traditional Single Sign On options for Oracle EBS. SSOgen is a modern, and NextGen Single Sign On solution that offers many benefits. Oracle EBS Authentication is greatly simplified with SSO Implementation, which allows users to perform SSO or Network ID or Active Directory Logins to Oracle EBS.

EBS SSO Integrations – LDAP and SSO Gateway options

Read more about EBS SSO Integrations with Active Directory, other LDAP Servers, Okta SSO, Azure ADFS, Shibboleth, PING, and MFA

Oracle EBS LDAP SSO Integration procedure

Oracle EBS 12.2 SSO Integration is detailed here with step by step instructions. If this is the first time enabling SSO on EBS, the following patches need to be applied. Also, make sure that FS Clone is complete and online patching cycle is NOT active.

Patch NamePatch NumberDescription
R12.2 EBS Patch20735848
EBS AccessGate24008856Check 2202932.1 for the latest patch

  • SSOGEN Support team sends out customer specific scripts for the registration. Please upload and to $NE_BASE/sso, and unzip
  • Oracle e-Business Suite AccessGate – EAG: fndauth.war deployment is now part of 12.2 WebLogic Domain itself, and it deployed to oaea_server1.
  • SSO Registration: Enable SSO on all Web Nodes
  • If there are DMZ/iSupplier nodes, please repeat the above step, with function dmzreg
  • Bounce all EBS Services on Web Tiers and test the SSO logins.
  • For deploying access gate, you may follow Oracle standard, ebs-create-oaea_resources. However, deployag script does call the same script for your convenience
$ cd $NE_BASE/sso
$ ls ssogen

If there are multiple Web Nodes configured for High Availability, the above script has to be run on all Web Tiers, with the node no# matching oaea_server#. For example:

Node1:  ./ssogen .. deployag node1
Node2:  ./ssogen .. deployag node2

Please use -managedsrvport flag to specify port number explicitly. For example: .

/ssogen .. deployag node1 -managedsrvport=6821

If deploag fails for any reason, please run undeployag to clean up the previous deployment, and run deployag to complete the deployment. This post-clone step may be necessary in some cases.

./ssogen ... undeployag
./ssogen ... deployag

Cleanup previous SSO LDAP references

Run Cleanup to register previous SSO/LDAP references in the databasae, FND_USER_PREFERENCES..etc

./ssogen ... cleanup

Register SSO with Oracle EBS

SSO Registration is the process in which EBS URL is registered with SSO for logins.

./ssogen ... reg 

Example: ./ssogen EBSDEV DEV Welcome1 reg
Restart all Oracle EBS Services and test SSO Login at /OA_HTML/AppsLogin

Disable SSO

  • Undeploy Oracle e-Business Suite AccessGate – EAG on all Web Nodes
  • Disable SSO on all Web Nodes
  • If there are DMZ/iSupplier nodes, please repeat the above step, with function dmzdereg
./ssogen ... undeployag [node1|node2]
./ssogen ... dereg

Bounce all Oracle EBS Services on Web Tiers and check the logins.

Oracle E-Business Suite Release 12 Single Sign-On Profile Options

Oracle EBS Single Sign On Profiles that matter most for Oracle EBS SSO Integration are shown below.

EBS Release12.2.x
EBS Backdoor/Local Login
Application Authenticate Agent
Applications SSO TypeSSWA w/SSO
Applications SSO Auto Link UserEnabled
Application SSO LDAP SynchronizationDisabled
Applications Override SSO Server LanguageOverride SSO Server Language
Applications SSO User Creation and Updation AllowedEnabled
Applications SSO Login TypesBOTH

Oracle EBS SSO Troubleshooting

Application SSO LDAP Synchronization profile may impact user creation process

ORA-20001: Unable to call fnd_ldap_wrapper.create_user due to following reason: Oracle Internet Directory is not registered correctly.

Please make sure that system profile Application SSO LDAP Synchronization is set to DISABLED. Also, ensure other SSO profiles are set as suggested above and that the system is not previously registered with another sso such as Oracle OAM, Oracle SSO, and Oracle OID/OUD. Please cleanup SSO preferences as documented above.

Error: Unable to link account. This E-Business Suite user account is marked as a local account.

More Infromation Requested
*Indicates required field
Your Oracle E-Business Suite account has not been linked with the Single Sign-On account that you just entered. Please enter you Oracle E-Business Suite information. The next time you sign on with your Single Sign-On account, it will automatically sign you on to the Oracle E-Business Suite using the following account information.

Applications SSO Login Types is set to Local for this user, 502662611. Profile “Applications SSO Login Types” should be set to either BOTH or SSO for SSO login to work. This profile is typically set to BOTH at Site Level, and it’s NOT set at the user level.

“Applications SSO Login Types” is typically set to Local to reset EBS Local password (in FND_USER table). If this profile “Applications SSO Login Types” is set to BOTH, Password change is not allowed. User Password field is greyed out in User Form. If this is the case, after password is reset, remove the user level value for this profile.

Oracle EBS SSO Troubleshooting - Unable to Link Account

Your Oracle E-Business Suite account has not been linked with the Single Sign-On account.

Your Oracle E-Business Suite account has not been linked with the Single Sign-On account.

More Information Requested:

Your Oracle E-Business Suite account has not been linked with the Single Sign-On account that you just entered. Please enter your Oracle E-Business Suite information. The next time you sign on with your Single Sign-On account, it will automatically sign you on to the Oracle E-Business Suite using the following account information.

This Autolink page is thrown when EBS can not find the user name by the GUID sent by the SSO Server. EBS instance has previously been registered with another SSO or user has manually linked to another user by submitting another user name and password in this page. SSS User SSO7 has got previous GUID value in FND_USER table. This user has to be unlinked, by updating GUID null, which enables EBS Autolink feature to populate the right GUID value during the next SSO login.

SQL> select user_name,end_date,user_guid from fnd_user where user_name='SSO7';
SSO7    B31318AC7A93622BC050A3C0250108F2

SQL>update fnd_user set user_guid = null where user_name='SSO7' ;

1 row updated.

SQL>commit ;
Commit complete.

SQL> select user_name,end_date,user_guid from fnd_user where user_name='SSO7' ;

Please suggest the user to re-try the sso login

SQL> select user_name,end_date,user_guid from fnd_user where user_name='SSO7' ;
SSO7  B34C930A342BBE63D140A8C046014980

Verify Oracle EBS SSO Profiles

The following profiles are very important for EBS SSO Functionality:

select fpot.user_profile_option_name, fpov.profile_option_value,fpov.last_update_date,fu.user_name
from apps.fnd_profile_options fpo, apps.fnd_profile_options_tl fpot, apps.fnd_profile_option_values fpov, apps.fnd_user fu
where fpo.profile_option_id = fpov.profile_option_id
and fpov.level_id=10001
and fpov.last_updated_by=fu.user_id
and fpo.profile_option_name=fpot.profile_option_name
and fpot.language='US'
and fpo.profile_option_name in(
order by 1;

Make sure that the output matches to the following profile values:

SQL> /
Application Authenticate Agent

Application Framework Agent

Application SSO LDAP Synchronization

Applications Override SSO Server Language

Applications SSO Allow Multiple Accounts

Applications SSO Auto Link User

Applications SSO Linking Source of Truth

Applications SSO Login Types

Applications SSO Type

Applications SSO User Creation and Updation Allowed

10 rows selected.

Check EBS User for end date

select user_name,end_date,user_guid from fnd_user where user_name='&EBS_SSO_USER_NAME';

When in doubt, update the GUID to null so that it gets set during the SSO login:

update fnd_user set user_guid=null where user_name='&EBS_SSO_USER_NAME' ;

Check User Level profile options for any suspicious profiles:

select fpot.user_profile_option_name, fpov.profile_option_value,fpov.last_update_date,fu1.user_name
from apps.fnd_profile_options fpo, apps.fnd_profile_options_tl fpot, apps.fnd_profile_option_values fpov, apps.fnd_user fu,apps.fnd_user fu1
where fpo.profile_option_id = fpov.profile_option_id
and fpov.level_id=10004
and fpov.level_value=fu.user_id
and fpov.last_updated_by=fu1.user_id
and fpo.profile_option_name=fpot.profile_option_name
and fpot.language='US'
and fu.user_name='&EBS_SSO_USER_NAME'
order by 1;

Oracle e-Business Suite AccessGate – EAG Troubleshooting

  • Verify the AccessGate version from /accessgate/style/EbusinessAccessGate.class
  • Check 2202932.1 for the latest patch if any AccessGate issues are observed
  • Enable Debug at the AccessGate and restart oaea_serverx
cat <<EOC > /tmp/oaealog
.level= ALL
java.util.logging.FileHandler.pattern = /tmp/fndauth%u.log
java.util.logging.FileHandler.limit = 10000000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.level = FINE
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter

cat <<EOC2 >> $INST_TOP/appl/admin/

For additional info, refer to How To Collect E-Business Suite 12.2 AccessGate LogFiles (Doc ID 1683163.1)

HTTP 400 – Bad Request Errors after enabling SSO

As SSO adds many cookies, you would see HTTP 400 in R12.1 & R12.2 when the apache request limits are reached.

Please suggest the customer to set the following limits in $CONTEXT_FILE , run autoconfig, and restart all services.


        <limitrequestfieldsize oa_var="s_limitrequestfieldsize">16384</limitrequestfieldsize>
        <limitrequestfields oa_var="s_limitrequestfields">128</limitrequestfields>
        <limitrequestbody oa_var="s_limitrequestbody">0</limitrequestbody>
        <limitrequestline oa_var="s_limitrequestline">16384</limitrequestline>


        <limitrequestfieldsize oa_var="s_limitrequestfieldsize">8190</limitrequestfieldsize>
        <limitrequestfields oa_var="s_limitrequestfields">64</limitrequestfields>
        <limitrequestbody oa_var="s_limitrequestbody">0</limitrequestbody>
        <limitrequestline oa_var="s_limitrequestline">8190</limitrequestline>

Related Oracle Notes:

  • EBS requests fail with “Size of a request header field exceeds server limit” [ID 1370626.1]
  • Lengthy Configurator URL : CZ Does Not Launch [ID 1374444.1]
  • Url Causes Http 400 Error [ID 1374260.1]

EBS R12 timeout problems

Check the following timeout variables in $CONTEXT_FILE:

  • s_sesstimeout
  • s_oc4j_sesstimeout
  • s_forms_time
  • s_ohstimeout

Check the following EBS profile options

  • ICX:Session Timeout
  • ICX: Limit connect
  • ICX: Limit time

Refer to the following Oracle Notes for more info:

  • R12: Forms Timeout More Than 2 Hrs Is Not Working After R12 Upgrade [ID 734077.1]
  • How to Change User Session Timeout in e-Business Suite R12 [ID 1067115.1]
  • User Sessions Get Timed Out Before Idle Time Parameter Values Are Reached [ID 1306678.1]
  • Self-Service Pages Are Failing After Changing the s_oc4j_sesstimeout [ID 780612.1]
  • How AutoConfig sets ICX: Session Timeout [ID 307149.1]
  • 11i/R12 How to Debug “Transaction Context Is Lost” or “You are trying to access a page that is no longer active” [ID 456906.1]
  • Random error Your login session has expired when using Load Balancing [ID 387306.1]

Load Balancer URL Redirection issues

The following context variables should be set correctly for the load balancer URL to function:

  • s_webentryhost
  • s_webentrydomain
  • s_active_webport
  • s_webentryurlprotocol
  • s_url_protocol
  • s_local_url_protocol
  • s_login_page
  • s_enable_sslterminator
  • s_external_url

SSL Termination/Redirection issues

egrep ‘s_web|s_active_webport|s_login_page|s_enable_sslterminator|s_url_protocol|s_local_url_protocol|s_login’ $CONTEXT_FILE egrep ‘s_web’ $CONTEXT_FILE

When SSL is terminated at the load balancer, the following values are needed in EBS:

  • s_webentryhost=demoebs
  • s_webentryurlprotocol=https
  • s_active_webport=443
  • s_enable_sslterminator= { remove # }
  • s_login_page=
  • s_external_url=

Oracle EBS – SSO Login throws HTTP 500 after authentication

Oracle e-Business Suite EBS AccessGate – EAG Log files show: java.lang.NoClassDefFoundError: oracle/ias/cache/ObjectNotFoundException

<26-Oct-2018 17:06:34 o'clock BST> <Error> <ServletContext-/ebsauth_payptt> <BEA-000000> <Context intialization failed
java.lang.NoClassDefFoundError: oracle/ias/cache/ObjectNotFoundException
        at oracle.apps.fnd.ext.sso.FndSsoConfigListener.contextInitialized(Unknown Source)
        at weblogic.servlet.internal.EventsManager$
        at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(
        Truncated. see log file for complete stacktrace
Caused By: java.lang.ClassNotFoundException: oracle.ias.cache.ObjectNotFoundException
        at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(
        at weblogic.utils.classloaders.GenericClassLoader.findClass(
        at weblogic.utils.classloaders.ChangeAwareClassLoader.findClass(
        at java.lang.ClassLoader.loadClass(
        at java.lang.ClassLoader.loadClass(
        Truncated. see log file for complete stacktrace

Reason: EAG WebLogic Domain does not have JRF (Java Required Files) enabled during the initial creation. oracle/ias/cache libraries are included in Oracle JRF Jar files.
Solution: Recreate the WebLogic Domain with JRF included.

Oracle iSupplier DMZ Configuration

SSO Login is not working for Oracle iSupplier DMZ

Make sure that EBS DMZ is properly set up, as documented in Oracle E-Business Suite R12 Configuration in a DMZ (Doc ID 380490.1)

1. sqlplus apps/apps@/patch/115/sql/txkChangeProfH.sql SERVRESP
2. Set system profile Node Trust Level to External at DMZ Node level
3. Check the context values in DMZ Context file and run auto config.
s_enable_sslterminator= { remove # ; if SSL is terminated in load balancer}

4. Verify the following profile options for the products installed in EBS:

Oracle iSupplier
POS: External URL
POS: Internal URL

Oracle Sourcing Supplier
PON: External Applications Framework Agent
PON: External login URL

Oracle iProcurement
Self Registered Employee Default Responsibility
Self Registered New User Default Responsibility

5. Verify Hierarchy Type for the following profiles. Hierarchy type should be properly set by txkChangeProfH.sql SERVRESP from the first step.

User Profile Name
Internal Name
1. Applications Web AgentAPPS_WEB_AGENT
2. Applications Servlet AgentAPPS_SERVLET_AGENT
3. Applications JSP AgentAPPS_JSP_AGENT
4. Applications Framework AgentAPPS_FRAMEWORK_AGENT
6. ICX: Oracle Discoverer LauncherICX_DISCOVERER_LAUNCHER
7. ICX: Oracle Discoverer Viewer LauncherICX_DISCOVERER_VIEWER_LAUNCHER
8. Applications Help Web AgentHELP_WEB_AGENT
9. Applications PortalAPPS_PORTAL
10. BOM:Configurator URL of UI ManagerCZ_UIMGR_URL

OAEA error message after 12.2.6 upgrade


Error message in the browser: URL Validation Failed
URL: /OA_HTML/jsp/fnd/fnderror.jsp?text=Exception+while+updating+user+session.

oracle.apps.fnd.ext.sso.FndSsoException: Exception while updating user session.
        at oracle.apps.fnd.ext.sso.FndSsoFilter.doFilter(Unknown Source)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(
        at weblogic.servlet.internal.WebAppServletContext$
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(
        at weblogic.servlet.internal.WebAppServletContext.execute(
Caused by: java.lang.IllegalArgumentException: Illegal empty string argument
        at oracle.apps.fnd.util.PreCondition.assertNotNull(
        at oracle.apps.fnd.util.PreCondition.assertNotNullOrEmpty(
        at oracle.apps.fnd.util.PreCondition.assertNotNullOrEmpty(	  

Cause: EBS has been upgraded to 12.2.6 and latest EAG patch wasn’t applied.

Solution: Issue has been fixed after applying 24008856 and performing undeploy and deploy of accessgate.

Issue# 2: We have seen similar issues, when previous 12.1 SSO registration is not cleaned up before upgrading to 12.2.

In this case, we have to run cleanup or $FND_TOP/bin/ -script=SetSSOReg -removereferences=yes to remove previous SSO/LDAP registration and proceed with SSOGen Registration

How does this profile work? Applications SSO Login Types – APPS_SSO_LOCAL_LOGIN

After enabling SSO in Oracle EBS, default EBS URL, /OA_HTML/AppsLogin is SSO enabled. Backdoor URL / Local Login for Non-SSO users such as SYSADMIN is still allowed through Local Login URL /OA_HTML/AppsLocalLogin.jsp. However, some of the user logins are not working through Backdoor URL / Local Login URL.

System Profile, Applications SSO Login Types, APPS_SSO_LOCAL_LOGIN, is set to SSO.

System Profile, Applications SSO Login Types, APPS_SSO_LOCAL_LOGIN should be set to BOTH or LOCAL for local login to succeed at User Level (for example SYSADMIN). Applications SSO Login Types: LOCAL allows that only Local Logins through /OA_HTML/AppsLocalLogin.jsp. SSO allows SSO logins through /OA_HTML/AppsLogin only. BOTH allows both SSO logins and Local Logins.

Unable to change EBS Password in Password Field in FND User Form – Grayed out

Unable to set the EBS Local Passwords after enabling SSO. EBS Passwords are typically stored in FND_USER table.

System Profile, Applications SSO Login Types, APPS_SSO_LOCAL_LOGIN, is set to SSO.

System Profile, Applications SSO Login Types, APPS_SSO_LOCAL_LOGIN should be set to BOTH or LOCAL to set EBS password at user Level or site level. We recommend BOTH at site level, which allows password changes, and local logins.

Questions? Leave a Comment Below!


  1. Hello,

    Can it be implemented with EBS R12.1.3?


  2. Yes, SSOGen works for all EBS version that support SSO (11i, 12.1, and 12.2). Thanks!

  3. Hello,

    I am Oracle Apps DBA.

    We are interested in implementing EBS SSO Configuration using your product.

    Is it possible to have a presentation, so have better understanding of how much effort, time and testing will be involved for this project.?

    Thank you,

  4. Of course, we will contact you shortly. Thanks for the interest!

  5. Hi,

    We’re interested in solutions that could replace Oracle SSO with an alternate solution that doesn’t involve Oracle Access Manager. We have several other applications that would also require single sign on within the same system boundary.

    What is the licencing model and cost of implementing your product? Do you have any further documentation on what is involved in a implementation?


    • Thanks for the interest, Tim. Our team would reach out to you.