Oracle EBS SSO with Active Directory and LDAP Servers


Oracle EBS and LDAP SSO Integration

Oracle E-Business Suite (EBS) and LDAP SSO integration is explained here using the simplified approach of the SSOgen SSO solution. Because Oracle EBS does not work directly with enterprise SSO such as Microsoft Active Directory authentication, a Single Sign-On solution such as Oracle Access Manager (OAM) or SSOgen is necessary to complete Oracle EBS Single Sign-On with Microsoft Active Directory. Oracle OAM and Oracle Single Sign-On (OSSO) 10g are the traditional Single Sign-On options for Oracle EBS. SSOgen is a modern, next-generation Single Sign-On solution that offers many benefits.

Oracle EBS LDAP SSO – Supported Directory Servers

Oracle EBS LDAP SSO is compatible with most of the popular LDAP Directory Servers in the market today. In addition to Windows Native Authentication / Kerberos / Desktop Authentication, SSOgen authenticates the users with any directory server that supports LDAP versions 2 and 3. Here is a quick list of compatible LDAP Servers with SSOgen for Oracle EBS Authentication.

  • Active Directory
  • RadiantLogic
  • UnboundID
  • OpenDS
  • OpenDJ
  • CA Directory
  • IBM Directory
  • NetIQ
  • OpenLDAP
  • SLAPD
  • 389 Directory Server
  • Apache Directory
  • Oracle Internet Directory
  • Oracle Directory Server
  • Oracle Unified Directory


Oracle EBS LDAP SSO Integration procedure

Oracle EBS 12.2 SSO integration is detailed here with step-by-step instructions. If this is the first time SSO is being enabled on EBS, the following patches need to be applied. Also, make sure that FS Clone is complete and that an online patching cycle is NOT active.

| Patch Name | Patch Number | Description |
|---|---|---|
| R12.2 EBS Patch | 20735848 | |
| EBS AccessGate | 24008856 | Check 2202932.1 for the latest patch |

  • The SSOGEN Support team sends out customer-specific scripts for the registration. Upload ssogen.zip and ssogen_modules.zip to $NE_BASE/sso, and unzip ssogen.zip.
  • EBS AccessGate: the fndauth.war deployment is now part of the 12.2 WebLogic Domain itself, and it is deployed to oaea_server1.
  • SSO Registration: enable SSO on all Web Nodes.
  • If there are DMZ/iSupplier nodes, repeat the above step with the function dmzreg.
  • Bounce all EBS Services on the Web Tiers and test the SSO logins.
  • To deploy AccessGate, you may follow the Oracle standard, adProvisionEBS.pl ebs-create-oaea_resources. However, the deployag script calls the same script for your convenience.
$ cd $NE_BASE/sso
$ ls
ssogen_modules.zip ssogen.zip ssogen
$

If there are multiple Web Nodes configured for High Availability, the above script has to be run on all Web Tiers, with the node no# matching oaea_server#. For example:

Node1:  ./ssogen .. deployag node1
Node2:  ./ssogen .. deployag node2

Please use the -managedsrvport flag to specify the port number explicitly. For example:

./ssogen .. deployag node1 -managedsrvport=6821

If deployag fails for any reason, run undeployag to clean up the previous deployment, then run deployag again to complete the deployment. This post-clone step may be necessary in some cases.

./ssogen ... undeployag
./ssogen ... deployag

Cleanup previous SSO LDAP references

Run cleanup to remove previous SSO/LDAP references from the database (FND_USER_PREFERENCES, etc.).

./ssogen ... cleanup

Register SSO with Oracle EBS

SSO Registration is the process in which EBS URL is registered with SSO for logins.

./ssogen ... reg 

Example: ./ssogen EBSDEV DEV Welcome1 reg
Restart all Oracle EBS Services and test SSO Login at /OA_HTML/AppsLogin

Disable SSO

  • Undeploy EBS AccessGate on all Web Nodes
  • Disable SSO on all Web Nodes
  • If there are DMZ/iSupplier nodes, please repeat the above step, with function dmzdereg
./ssogen ... undeployag [node1|node2]
./ssogen ... dereg

Bounce all Oracle EBS Services on Web Tiers and check the logins.

Oracle EBS SSO Profiles

Single Sign On Profiles that matter most for Oracle EBS are shown below.

| Profile | Value |
|---|---|
| EBS Release | 12.2.x |
| EBS SSO URL | http://ebs.example.com:8000/OA_HTML/AppsLogin |
| EBS Backdoor/Local Login | http://ebs.example.com:8000/OA_HTML/AppsLocalLogin.jsp |
| Application Authenticate Agent | http://ebs.example.com:8000/accessgate/ |
| Applications SSO Type | SSWA w/SSO |
| Applications SSO Auto Link User | Enabled |
| Application SSO LDAP Synchronization | Disabled |
| Applications Override SSO Server Language | Override SSO Server Language |
| Applications SSO User Creation and Updation Allowed | Enabled |
| Applications SSO Login Types | BOTH |

Oracle EBS SSO Troubleshooting

ORA-20001: Unabled to call fnd_ldap_wrapper.create_user due to following reason: Oracle Internet Directory is not registered correctly.

Make sure that the SSO profiles are set as suggested above and that the system was not previously registered with another SSO such as Oracle OAM, Oracle SSO, or Oracle OID/OUD. Clean up the SSO preferences as documented above.

Your Oracle E-Business Suite account has not been linked with the Single Sign-On account.

Your Oracle E-Business Suite account has not been linked with the Single Sign-On account.

More Information Requested:

Your Oracle E-Business Suite account has not been linked with the Single Sign-On account that you just entered. Please enter your Oracle E-Business Suite information. The next time you sign on with your Single Sign-On account, it will automatically sign you on to the Oracle E-Business Suite using the following account information.

This Autolink page is shown when EBS cannot find the user name for the GUID sent by the SSO server. This happens when the EBS instance was previously registered with another SSO, or when the user has manually linked to another user by submitting another user name and password on this page. In the example below, the SSO user SSO7 still has the previous GUID value in the FND_USER table. This user has to be unlinked by setting the GUID to null, which lets the EBS Autolink feature populate the right GUID value during the next SSO login.

SQL> select user_name,end_date,user_guid from fnd_user where user_name='&11i_SSO_USER_NAME';

Enter value for 11i_sso_user_name: SSO7

old   1: select user_name,end_date,user_guid from fnd_user where user_name='&11i_SSO_USER_NAME'

new   1: select user_name,end_date,user_guid from fnd_user where user_name='SSO7'

USER_NAME
END_DATE USER_GUID

SSO7
B31318AC7A93622BE040A8C0450108F2

SQL> update fnd_user set user_guid = null where user_name='SSO7' ;

1 row updated.

SQL> commit ;

Commit complete.

SQL> select user_name,end_date,user_guid from fnd_user where user_name='SSO7' ;

USER_NAME
END_DATE USER_GUID
SSO7

Ask the user to retry the SSO login. The same query then shows the newly populated GUID:

SQL> select user_name,end_date,user_guid from fnd_user where user_name='SSO7' ;

USER_NAME
END_DATE USER_GUID

SSO7
B34C930A752BBE63E040A8C046014980
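
The same check can be run across all accounts to see which ones will hit the Autolink page. This is an added example, not part of the original page or of SSOgen's tooling. It assumes you can export the username-to-GUID pairs the SSO server sends (a hypothetical export) next to the fnd_user columns queried above; SSO7's two GUIDs are the values shown above, and all other rows are constructed.

```python
from datetime import date

# Rows from: select user_name, end_date, user_guid from fnd_user
# SSO7 carries the pre-fix GUID shown on this page; other rows are constructed.
FND_USER_ROWS = [
    ("SSO7", None, "B31318AC7A93622BE040A8C0450108F2"),
    ("JDOE", None, "C0000000000000000000000000000001"),
    ("ASMITH", None, None),
    ("BKING", None, None),
    ("MKHAN", None, "C0000000000000000000000000000003"),
    ("OLDUSER", date(2020, 1, 1), "C0000000000000000000000000000009"),
]
# Hypothetical export of the GUID the SSO server sends for each login name.
SSO_GUIDS = {
    "sso7": "B34C930A752BBE63E040A8C046014980",
    "jdoe": "C0000000000000000000000000000001",
    "asmith": "C0000000000000000000000000000002",
    "bking": "C0000000000000000000000000000003",
    "mkhan": "C0000000000000000000000000000004",
}

def audit_guid_links(fnd_user_rows, sso_guids, today):
    """Classify each active EBS user by how USER_GUID relates to the SSO GUID."""
    sso = {name.upper(): guid.upper() for name, guid in sso_guids.items()}
    owner_of = {guid: name for name, guid in sso.items()}
    report = {}
    for user_name, end_date, user_guid in fnd_user_rows:
        if end_date is not None and end_date <= today:
            continue  # end-dated account, skipped
        name = user_name.upper()
        guid = user_guid.upper() if user_guid else None
        if guid is None:
            report[name] = "unlinked"  # Autolink fills it at the next SSO login
        elif sso.get(name) == guid:
            report[name] = "linked"
        elif guid in owner_of:  # GUID of a different SSO identity (manual link)
            report[name] = "cross-linked:" + owner_of[guid]
        else:
            report[name] = "stale"  # GUID left over from an earlier registration
    return report

def users_to_unlink(report):
    """Stale links can be nulled as shown above; cross-links need review first."""
    return sorted(u for u, status in report.items() if status == "stale")

if __name__ == "__main__":
    result = audit_guid_links(FND_USER_ROWS, SSO_GUIDS, date.today())
    print(result, "unlink:", users_to_unlink(result))
```

An account reported as cross-linked is bound to a different SSO identity than its own name, so confirm who has been logging in to it before clearing the GUID.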

Oracle EBS – SSO Login throws HTTP 500 after authentication

EBS AccessGate – EAG Log files show: java.lang.NoClassDefFoundError: oracle/ias/cache/ObjectNotFoundException

<26-Oct-2018 17:06:34 o'clock BST> <Error> <ServletContext-/ebsauth_payptt> <BEA-000000> <Context intialization failed
java.lang.NoClassDefFoundError: oracle/ias/cache/ObjectNotFoundException
        at oracle.apps.fnd.ext.sso.FndSsoConfigListener.contextInitialized(Unknown Source)
        at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
        Truncated. see log file for complete stacktrace
Caused By: java.lang.ClassNotFoundException: oracle.ias.cache.ObjectNotFoundException
        at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:297)
        at weblogic.utils.classloaders.GenericClassLoader.findClass(GenericClassLoader.java:270)
        at weblogic.utils.classloaders.ChangeAwareClassLoader.findClass(ChangeAwareClassLoader.java:64)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        Truncated. see log file for complete stacktrace
> 

Reason: The EAG WebLogic Domain did not have JRF (Java Required Files) enabled during its initial creation. The oracle/ias/cache libraries are included in the Oracle JRF JAR files.
Solution: Recreate the WebLogic Domain with JRF included.
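
To spot this condition in a full AccessGate log rather than by eye, the following added example (not code from the original page or from SSOgen) splits WebLogic log records, collects the classes reported missing in Error records, and flags the oracle.ias.cache case with the cause given above. The sample log is an excerpt of the one on this page plus one constructed Notice record; the function names are illustrative.

```python
import re

# Excerpt of the AccessGate log shown above, plus one constructed Notice record.
SAMPLE_LOG = """\
<26-Oct-2018 17:06:30 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING.>
<26-Oct-2018 17:06:34 o'clock BST> <Error> <ServletContext-/ebsauth_payptt> <BEA-000000> <Context intialization failed
java.lang.NoClassDefFoundError: oracle/ias/cache/ObjectNotFoundException
        at oracle.apps.fnd.ext.sso.FndSsoConfigListener.contextInitialized(Unknown Source)
        Truncated. see log file for complete stacktrace
Caused By: java.lang.ClassNotFoundException: oracle.ias.cache.ObjectNotFoundException
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>
"""

# A record opens with <timestamp> <severity> <subsystem> <BEA-code> <message
RECORD_START = re.compile(r"^<[^>]+> <(\w+)> <([^>]+)> <(BEA-\d+)> <(.*)$")
MISSING_CLASS = re.compile(
    r"(?:NoClassDefFoundError|ClassNotFoundException): ([\w./$]+)")
JRF_HINT = "EAG WebLogic domain lacks JRF: recreate the domain with JRF included"

def parse_records(text):
    """Group continuation lines (stack traces) under the record that opened them."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"severity": m.group(1), "subsystem": m.group(2),
                            "code": m.group(3), "lines": [m.group(4)]})
        elif records:
            records[-1]["lines"].append(line.strip())
    return records

def triage(text):
    """Return (subsystem, missing class, hint) for each Error record."""
    findings = []
    for rec in parse_records(text):
        if rec["severity"] != "Error":
            continue
        # The JVM prints the class with slashes in one line and dots in the other.
        classes = {c.replace("/", ".") for line in rec["lines"]
                   for c in MISSING_CLASS.findall(line)}
        for cls in sorted(classes):
            hint = JRF_HINT if cls.startswith("oracle.ias.cache.") else "unclassified"
            findings.append((rec["subsystem"], cls, hint))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```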


11 Comments

  1. Hello,

    Can it be implemented with EBS R12.1.3?

    Thanks,
    Lina

  2. Yes, SSOGen works for all EBS versions that support SSO (11i, 12.1, and 12.2). Thanks!

  3. Hello,

    I am an Oracle Apps DBA.

    We are interested in implementing EBS SSO Configuration using your product.

    Is it possible to have a presentation, so we have a better understanding of how much effort, time and testing will be involved for this project?

    Thank you,
    Lina

  4. Of course, we will contact you shortly. Thanks for the interest!

  5. Hi,

    We’re interested in solutions that could replace Oracle SSO with an alternate solution that doesn’t involve Oracle Access Manager. We have several other applications that would also require single sign on within the same system boundary.

    What is the licencing model and cost of implementing your product? Do you have any further documentation on what is involved in an implementation?

    Thanks

    • Thanks for the interest, Tim. Our team would reach out to you.

  6. Will SSOGEN support Azure or SAML authentication for the EBS SSO solution?

  7. This process works the same way for 11i and 12.1?

  8. Is this supported for 12.1.3?

  9. Yes, 12.1.3 is supported for SSO. Please let us know your queries at info@ssogen.com

