Oracle EBS SSO Integration Procedure for R12.2

How to enable SSO for EBS for Active Directory and other SSO Integrations

How to enable SSO for Oracle EBS 12.2?


Oracle E-Business Suite – EBS and LDAP SSO Integration is explained here using the simplified approach of the SSOGEN SSO Solution. As Oracle EBS does not work directly with enterprise SSO such as Microsoft Active Directory authentication, a Single Sign On solution such as Oracle Access Manager – OAM or SSOgen is necessary to complete Oracle EBS Single Sign On with Microsoft Active Directory.

Oracle OAM and Oracle Single Sign On – OSSO 10g are the traditional Single Sign On options for Oracle EBS.

SSOgen is a modern, NextGen Single Sign On solution that offers many benefits. Oracle EBS Authentication is greatly simplified with the SSO Implementation, which allows users to log in to Oracle EBS with their SSO, Network ID or Active Directory credentials. SSOgen does not need OID, OAM or IDCS to accomplish EBS SSO Integration.

EBS SSO Integrations – LDAP and SSO Gateway options

Read more about EBS SSO Integrations with Active Directory, other LDAP Servers, Okta SSO, Azure ADFS, Shibboleth, PING, and MFA

Oracle EBS LDAP SSO Integration procedure

Oracle EBS 12.2 SSO Integration is detailed here with step-by-step instructions. If this is the first time SSO is being enabled on EBS, the following patches need to be applied. Also, make sure that FS Clone is complete and that an online patching cycle is NOT active.

Patch Name        Patch Number   Description
R12.2 EBS Patch   20735848
EBS AccessGate    24008856       Check 2202932.1 for the latest patch

  • SSOGEN Support team sends out customer-specific scripts for the registration. Please upload ssogen.zip and ssogen_modules.zip to $NE_BASE/sso, and unzip ssogen.zip:
$ cd $NE_BASE/sso
$ ls
ssogen.zip ssogen
$
  • Oracle E-Business Suite AccessGate – EAG: the fndauth.war deployment is now part of the 12.2 WebLogic Domain itself, and it is deployed to oaea_server1.
  • SSO Registration: enable SSO on all Web Nodes.
  • If there are DMZ/iSupplier nodes, please repeat the above step with function dmzreg.
  • Bounce all EBS Services on the Web Tiers and test the SSO logins.
  • For deploying the AccessGate, you may follow the Oracle standard, adProvisionEBS.pl ebs-create-oaea_resources. The deployag script calls that same Oracle script for your convenience.

If there are multiple Web Nodes configured for High Availability, the above script has to be run on all Web Tiers, with the node number matching the oaea_server# managed server. For example:

Node1:  ./ssogen .. deployag node1
Node2:  ./ssogen .. deployag node2

Please use the -managedsrvport flag to specify the managed server port number explicitly. For example:

./ssogen .. deployag node1 -managedsrvport=6821

If deployag fails for any reason, please run undeployag to clean up the previous deployment, then run deployag again to complete the deployment. This may also be necessary as a post-clone step in some cases.

./ssogen ... undeployag
./ssogen ... deployag

Cleanup previous SSO LDAP references

Run cleanup to clear previous SSO/LDAP references in the database (FND_USER_PREFERENCES, etc.):

./ssogen ... cleanup

Register SSO with Oracle EBS

SSO Registration is the process in which the EBS URL is registered with SSO for logins.

./ssogen ... reg

Example: ./ssogen EBSDEV DEV Welcome1 reg
Restart all Oracle EBS Services and test the SSO login at /OA_HTML/AppsLogin

Disable SSO

  • Undeploy Oracle E-Business Suite AccessGate – EAG on all Web Nodes.
  • Disable SSO on all Web Nodes.
  • If there are DMZ/iSupplier nodes, please repeat the above step with function dmzdereg.
./ssogen ... undeployag [node1|node2]
./ssogen ... dereg

Bounce all Oracle EBS Services on Web Tiers and check the logins.

Oracle E-Business Suite Release 12 Single Sign-On Profile Options

The Oracle EBS Single Sign On profiles that matter most for Oracle EBS SSO Integration are shown below.

Profile                                              Value
EBS Release                                          12.2.x
EBS SSO URL                                          http://ebs.example.com:8000/OA_HTML/AppsLogin
EBS Backdoor/Local Login                             http://ebs.example.com:8000/OA_HTML/AppsLocalLogin.jsp
Application Authenticate Agent                       http://ebs.example.com:8000/accessgate/
Applications SSO Type                                SSWA w/SSO
Applications SSO Auto Link User                      Enabled
Application SSO LDAP Synchronization                 Disabled
Applications Override SSO Server Language            Override SSO Server Language
Applications SSO User Creation and Updation Allowed  Enabled
Applications SSO Login Types                         BOTH

Oracle EBS SSO Troubleshooting

The Application SSO LDAP Synchronization profile may impact the user creation process:

ORA-20001: Unable to call fnd_ldap_wrapper.create_user due to following reason: Oracle Internet Directory is not registered correctly.

Please make sure that the system profile Application SSO LDAP Synchronization is set to DISABLED. Also, ensure that the other SSO profiles are set as suggested above and that the system was not previously registered with another SSO such as Oracle OAM, Oracle SSO, or Oracle OID/OUD. Please clean up the SSO preferences as documented above.

Error: Unable to link account. This E-Business Suite user account is marked as a local account.

More Information Requested
*Indicates required field
Your Oracle E-Business Suite account has not been linked with the Single Sign-On account that you just entered. Please enter your Oracle E-Business Suite information. The next time you sign on with your Single Sign-On account, it will automatically sign you on to the Oracle E-Business Suite using the following account information.

Solution:
Applications SSO Login Types is set to Local for this user, 502662611. The profile “Applications SSO Login Types” should be set to either BOTH or SSO for SSO login to work. This profile is typically set to BOTH at Site level, and it is NOT set at the user level.

“Applications SSO Login Types” is typically set to Local at the user level in order to reset the EBS local password (in the FND_USER table). If this profile is set to BOTH, a password change is not allowed and the User Password field is greyed out in the User form. If this is the case, remove the user-level value for this profile after the password has been reset.

Oracle EBS SSO Troubleshooting - Unable to Link Account

Your Oracle E-Business Suite account has not been linked with the Single Sign-On account.

More Information Requested:

Your Oracle E-Business Suite account has not been linked with the Single Sign-On account that you just entered. Please enter your Oracle E-Business Suite information. The next time you sign on with your Single Sign-On account, it will automatically sign you on to the Oracle E-Business Suite using the following account information.

This Autolink page is shown when EBS cannot find a user name matching the GUID sent by the SSO Server. Either the EBS instance was previously registered with another SSO, or the user has manually linked to another user by submitting another user name and password on this page. The SSO user SSO7 has a previous GUID value in the FND_USER table. This user has to be unlinked by updating the GUID to null, which lets the EBS Autolink feature populate the right GUID value during the next SSO login.

SQL> select user_name,end_date,user_guid from fnd_user where user_name='SSO7';
USER_NAME   END_DATE   USER_GUID
SSO7                   B31318AC7A93622BC050A3C0250108F2

SQL> update fnd_user set user_guid = null where user_name='SSO7';

1 row updated.

SQL> commit;
Commit complete.

SQL> select user_name,end_date,user_guid from fnd_user where user_name='SSO7';
USER_NAME   END_DATE   USER_GUID
SSO7

Please suggest that the user retry the SSO login. After a successful SSO login the GUID is populated again:

SQL> select user_name,end_date,user_guid from fnd_user where user_name='SSO7';
USER_NAME   END_DATE   USER_GUID
SSO7                   B34C930A342BBE63D140A8C046014980

Verify Oracle EBS SSO Profiles

The following profiles are very important for EBS SSO Functionality:

select fpot.user_profile_option_name, fpov.profile_option_value,fpov.last_update_date,fu.user_name
from apps.fnd_profile_options fpo, apps.fnd_profile_options_tl fpot, apps.fnd_profile_option_values fpov, apps.fnd_user fu
where fpo.profile_option_id = fpov.profile_option_id
and fpov.level_id=10001
and fpov.last_updated_by=fu.user_id
and fpo.profile_option_name=fpot.profile_option_name
and fpot.language='US'
and fpo.profile_option_name in(
'APPS_FRAMEWORK_AGENT',
'APPS_AUTH_AGENT',
'APPS_SSO',
'APPS_SSO_LOCAL_LOGIN',
'APPS_SSO_AUTO_LINK_USER',
'APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS',
'APPS_SSO_USER_CREATE_UPDATE',
'APPS_SSO_LDAP_SYNC',
'APPS_SSO_LINK_TRUTH_SRC',
'FND_OVERRIDE_SSO_LANG')
order by 1;

Make sure that the output matches the following profile values:

SQL> /
USER_PROFILE_OPTION_NAME                             PROFILE_OPTION_VALUE                        LAST_UPDATE_DATE  USER_NAME
Application Authenticate Agent                       http://demoebs.ssogen.com:8000/accessgate   10-APR-17         ANONYMOUS
Application Framework Agent                          http://demoebs.ssogen.com:8000              10-APR-17         ANONYMOUS
Application SSO LDAP Synchronization                 N                                           20-MAY-17         ANONYMOUS
Applications Override SSO Server Language            ENABLED                                     26-AUG-16         SYSADMIN
Applications SSO Allow Multiple Accounts             N                                           19-JUL-06         ORACLE12.2.0
Applications SSO Auto Link User                      Y                                           26-AUG-16         SYSADMIN
Applications SSO Linking Source of Truth             OID                                         19-JUL-06         ORACLE12.2.0
Applications SSO Login Types                         BOTH                                        26-AUG-16         SYSADMIN
Applications SSO Type                                SSWA_SSO                                    05-JUN-17         ANONYMOUS
Applications SSO User Creation and Updation Allowed  Y                                           19-JUL-06         ORACLE12.2.0

10 rows selected.
SQL>

Check the EBS user for an end date:

select user_name,end_date,user_guid from fnd_user where user_name='&EBS_SSO_USER_NAME';

When in doubt, update the GUID to null so that it gets set during the SSO login:

update fnd_user set user_guid=null where user_name='&EBS_SSO_USER_NAME' ;

Check the user-level profile options for any suspicious values:

select fpot.user_profile_option_name, fpov.profile_option_value,fpov.last_update_date,fu1.user_name
from apps.fnd_profile_options fpo, apps.fnd_profile_options_tl fpot, apps.fnd_profile_option_values fpov, apps.fnd_user fu,apps.fnd_user fu1
where fpo.profile_option_id = fpov.profile_option_id
and fpov.level_id=10004
and fpov.level_value=fu.user_id
and fpov.last_updated_by=fu1.user_id
and fpo.profile_option_name=fpot.profile_option_name
and fpot.language='US'
and fu.user_name='&EBS_SSO_USER_NAME'
order by 1;

Oracle e-Business Suite AccessGate – EAG Troubleshooting

  • Verify the AccessGate version from http://demoebs.ssogen.com:8000/accessgate/style/EbusinessAccessGate.class
  • Check 2202932.1 for the latest patch if any AccessGate issues are observed.
  • Enable debug logging at the AccessGate and restart the oaea_serverx managed server:
cat <<EOC > /tmp/oaealog
handlers=java.util.logging.FileHandler
.level= ALL
java.util.logging.FileHandler.pattern = /tmp/fndauth%u.log
java.util.logging.FileHandler.limit = 10000000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.level = FINE
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter
oracle.apps.fnd.ext.common.level=FINE
oracle.apps.fnd.ext.common.server.level=FINE
EOC

cat <<EOC2 >> $INST_TOP/appl/admin/oaea_wls.properties
LOG_CONFIG_FILE=/tmp/oaealog
EOC2

For additional info, refer to How To Collect E-Business Suite 12.2 AccessGate LogFiles (Doc ID 1683163.1)

HTTP 400 – Bad Request Errors after enabling SSO

As SSO adds many cookies to each request, you may see HTTP 400 errors in R12.1 and R12.2 when the Apache request header limits are reached.

Please suggest that the customer set the following limits in $CONTEXT_FILE, run AutoConfig, and restart all services.

R12.2:

        <limitrequestfieldsize oa_var="s_limitrequestfieldsize">16384</limitrequestfieldsize>
        <limitrequestfields oa_var="s_limitrequestfields">128</limitrequestfields>
        <limitrequestbody oa_var="s_limitrequestbody">0</limitrequestbody>
        <limitrequestline oa_var="s_limitrequestline">16384</limitrequestline>

R12.1:

        <limitrequestfieldsize oa_var="s_limitrequestfieldsize">8190</limitrequestfieldsize>
        <limitrequestfields oa_var="s_limitrequestfields">64</limitrequestfields>
        <limitrequestbody oa_var="s_limitrequestbody">0</limitrequestbody>
        <limitrequestline oa_var="s_limitrequestline">8190</limitrequestline>

Related Oracle Notes:

  • EBS requests fail with “Size of a request header field exceeds server limit” [ID 1370626.1]
  • Lengthy Configurator URL : CZ Does Not Launch [ID 1374444.1]
  • Url Causes Http 400 Error [ID 1374260.1]

EBS R12 timeout problems

Check the following timeout variables in $CONTEXT_FILE:

  • s_sesstimeout
  • s_oc4j_sesstimeout
  • s_forms_time
  • s_ohstimeout

Check the following EBS profile options

  • ICX:Session Timeout
  • ICX: Limit connect
  • ICX: Limit time

Refer to the following Oracle Notes for more info:

  • R12: Forms Timeout More Than 2 Hrs Is Not Working After R12 Upgrade [ID 734077.1]
  • How to Change User Session Timeout in e-Business Suite R12 [ID 1067115.1]
  • User Sessions Get Timed Out Before Idle Time Parameter Values Are Reached [ID 1306678.1]
  • Self-Service Pages Are Failing After Changing the s_oc4j_sesstimeout [ID 780612.1]
  • How AutoConfig sets ICX: Session Timeout [ID 307149.1]
  • 11i/R12 How to Debug “Transaction Context Is Lost” or “You are trying to access a page that is no longer active” [ID 456906.1]
  • Random error Your login session has expired when using Load Balancing [ID 387306.1]

Load Balancer URL Redirection issues

The following context variables should be set correctly for the load balancer URL to function:

  • s_webentryhost
  • s_webentrydomain
  • s_active_webport
  • s_webentryurlprotocol
  • s_url_protocol
  • s_local_url_protocol
  • s_login_page
  • s_enable_sslterminator
  • s_external_url

SSL Termination/Redirection issues

egrep 's_web|s_active_webport|s_login_page|s_enable_sslterminator|s_url_protocol|s_local_url_protocol|s_login' $CONTEXT_FILE
egrep 's_web' $CONTEXT_FILE

When SSL is terminated at the load balancer, the following values are needed in EBS:

  • s_webentryhost=demoebs
  • s_webentrydomain=ssogen.com
  • s_webentryurlprotocol=https
  • s_active_webport=443
  • s_enable_sslterminator= (remove the #, leaving the value empty)
  • s_login_page=https://demoebs.ssogen.com:443/OA_HTML/AppsLogin
  • s_external_url=https://demoebs.ssogen.com:443
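As an added example that is not part of the SSOgen procedure or Oracle's tooling, the following POSIX shell check reads oa_var values out of a context file and reports where the Apache request limits (the R12.2 values above) and the SSL-terminator and web entry settings differ from the recommended ones. The sample context fragment and its element names are constructed, and ctx_get and ctx_check are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not SSOgen's or Oracle's code): audit an EBS 12.2 context file for
# the Apache request limits and SSL-terminator settings discussed above.
# Assumes the usual <tag oa_var="s_name">value</tag> layout of $CONTEXT_FILE.

# Print the value of one oa_var ($1 = context file, $2 = variable name).
ctx_get() {
    sed -n "s/.*oa_var=\"$2\"[^>]*>\([^<]*\)<.*/\1/p" "$1" | head -n 1
}

# Return 0 when every expected value is present, 1 otherwise; one line per mismatch.
ctx_check() {
    f="$1"; rc=0
    while read -r var want; do
        got=$(ctx_get "$f" "$var")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $var: found '${got:-<missing>}', expected '$want'"
            rc=1
        fi
    done <<EOF
s_limitrequestfieldsize 16384
s_limitrequestfields 128
s_limitrequestline 16384
s_webentryurlprotocol https
s_active_webport 443
s_login_page https://demoebs.ssogen.com:443/OA_HTML/AppsLogin
EOF
    # With SSL terminated at the load balancer the '#' must be removed (empty value).
    if [ "$(ctx_get "$f" s_enable_sslterminator)" = "#" ]; then
        echo "MISMATCH s_enable_sslterminator: still '#', SSL terminator not enabled"
        rc=1
    fi
    return $rc
}

# Constructed sample: R12.1-era limits, http entry point and SSL terminator still off.
SAMPLE=$(mktemp)
cat <<'EOF' > "$SAMPLE"
<limitrequestfieldsize oa_var="s_limitrequestfieldsize">8190</limitrequestfieldsize>
<limitrequestfields oa_var="s_limitrequestfields">64</limitrequestfields>
<limitrequestline oa_var="s_limitrequestline">8190</limitrequestline>
<webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
<activewebport oa_var="s_active_webport">8000</activewebport>
<sslterminator oa_var="s_enable_sslterminator">#</sslterminator>
<login_page oa_var="s_login_page">https://demoebs.ssogen.com:443/OA_HTML/AppsLogin</login_page>
EOF
ctx_check "$SAMPLE" || echo "context file needs the changes listed above"
```

Run it against the real file with ctx_check "$CONTEXT_FILE" after AutoConfig to confirm nothing was reverted.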