Oracle EBS SSO Integration Procedure for R12.2

How to enable SSO for EBS for Active Directory and other SSO Integrations

How to enable SSO for Oracle EBS 12.2?

 

Oracle E-Business Suite (EBS) and LDAP SSO integration is explained here using the simplified approach of the SSOgen SSO solution. Because Oracle EBS does not work directly with enterprise SSO such as Microsoft Active Directory authentication, a Single Sign-On solution such as Oracle Access Manager (OAM) or SSOgen is necessary to complete Oracle EBS Single Sign-On with Microsoft Active Directory.

Oracle OAM and Oracle Single Sign On – OSSO 10g are the traditional Single Sign On options for Oracle EBS.

SSOgen is a modern, next-generation Single Sign-On solution that offers many benefits. Oracle EBS authentication is greatly simplified with an SSO implementation, which allows users to log in to Oracle EBS with SSO, network ID or Active Directory credentials. SSOgen does not need OID, OAM or IDCS to accomplish EBS SSO integration.

EBS SSO Integrations – LDAP and SSO Gateway options

Read more about EBS SSO Integrations with Active Directory, other LDAP Servers, Okta SSO, Azure ADFS, Shibboleth, PING, and MFA

Oracle EBS LDAP SSO Integration procedure

Oracle EBS 12.2 SSO integration is detailed here with step-by-step instructions. If this is the first time SSO is being enabled on EBS, the following patches need to be applied. Also, make sure that FS Clone is complete and that an online patching cycle is NOT active.

Patch Name        Patch Number   Description
R12.2 EBS Patch   20735848
EBS AccessGate    24008856       Check 2202932.1 for the latest patch

  • The SSOgen Support team sends out customer-specific scripts for the registration. Please upload ssogen.zip and ssogen_modules.zip to $NE_BASE/sso, and unzip ssogen.zip.
  • Oracle E-Business Suite AccessGate (EAG): the fndauth.war deployment is now part of the 12.2 WebLogic domain itself, and it is deployed to oaea_server1.
  • SSO Registration: Enable SSO on all Web Nodes.
  • If there are DMZ/iSupplier nodes, please repeat the above step with the function dmzreg.
  • Bounce all EBS Services on Web Tiers and test the SSO logins.
  • To deploy AccessGate, you may follow the Oracle standard, adProvisionEBS.pl ebs-create-oaea_resources. However, the deployag script calls the same script for your convenience.
$ cd $NE_BASE/sso
$ ls
ssogen.zip ssogen
$

If there are multiple Web Nodes configured for High Availability, the above script has to be run on all Web Tiers, with the node number matching the oaea_server number. For example:

Node1:  ./ssogen .. deployag node1
Node2:  ./ssogen .. deployag node2

Please use the -managedsrvport flag to specify the port number explicitly. For example:

./ssogen .. deployag node1 -managedsrvport=6821

If deployag fails for any reason, please run undeployag to clean up the previous deployment, and then run deployag again to complete the deployment. This post-clone step may be necessary in some cases.

./ssogen ... undeployag
./ssogen ... deployag

Cleanup previous SSO LDAP references

Run cleanup to clean up previous SSO/LDAP references in the database, FND_USER_PREFERENCES, etc.

./ssogen ... cleanup

Register SSO with Oracle EBS

SSO Registration is the process in which the EBS URL is registered with SSO for logins.

./ssogen ... reg 

Example: ./ssogen EBSDEV DEV Welcome1 reg
Restart all Oracle EBS Services and test SSO Login at /OA_HTML/AppsLogin

Disable SSO

  • Undeploy Oracle e-Business Suite AccessGate – EAG on all Web Nodes
  • Disable SSO on all Web Nodes
  • If there are DMZ/iSupplier nodes, please repeat the above step, with function dmzdereg
./ssogen ... undeployag [node1|node2]
./ssogen ... dereg

Bounce all Oracle EBS Services on Web Tiers and check the logins.

Oracle E-Business Suite Release 12 Single Sign-On Profile Options

Oracle EBS Single Sign On Profiles that matter most for Oracle EBS SSO Integration are shown below.

EBS Release                                           12.2.x
EBS SSO URL                                           http://ebs.example.com:8000/OA_HTML/AppsLogin
EBS Backdoor/Local Login                              http://ebs.example.com:8000/OA_HTML/AppsLocalLogin.jsp
Application Authenticate Agent                        http://ebs.example.com:8000/accessgate/
Applications SSO Type                                 SSWA w/SSO
Applications SSO Auto Link User                       Enabled
Application SSO LDAP Synchronization                  Disabled
Applications Override SSO Server Language             Override SSO Server Language
Applications SSO User Creation and Updation Allowed   Enabled
Applications SSO Login Types                          BOTH
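
To confirm the profile values listed above after registration, they can be read directly from the database. The query below is an added example, not part of the SSOgen scripts or the original page; it assumes a read-only session as APPS, uses the standard EBS tables FND_PROFILE_OPTIONS_VL and FND_PROFILE_OPTION_VALUES, and matches profiles by name patterns taken from the list above.

```sql
-- Added example: show every level at which the SSO-related profiles are set,
-- so that overrides below Site level (for example a single user allowed
-- local login) are visible next to the site-wide value.
SELECT o.user_profile_option_name   AS profile,
       o.profile_option_name        AS internal_name,
       DECODE(v.level_id,
              10001, 'Site',
              10002, 'Application',
              10003, 'Responsibility',
              10004, 'User',
              10005, 'Server',
              10006, 'Organization',
              TO_CHAR(v.level_id))  AS set_at_level,
       v.level_value,               -- id of the user/responsibility/server; 0 at Site
       v.profile_option_value       AS stored_value,
       v.last_update_date           -- when this value was last changed
FROM   fnd_profile_options_vl    o
JOIN   fnd_profile_option_values v
       ON  v.profile_option_id = o.profile_option_id
       AND v.application_id    = o.application_id
WHERE  o.user_profile_option_name LIKE 'Application%SSO%'
   OR  o.user_profile_option_name LIKE 'Application%Authenticate Agent%'
ORDER  BY o.user_profile_option_name, v.level_id, v.level_value;
```

The stored value may be an internal code rather than the display label shown in the list above. Any row below Site level overrides the site value for that user, responsibility or server.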

Oracle EBS SSO Troubleshooting

Application SSO LDAP Synchronization profile may impact user creation process

ORA-20001: Unable to call fnd_ldap_wrapper.create_user due to following reason: Oracle Internet Directory is not registered correctly.

Please make sure that system profile Application SSO LDAP Synchronization is set to DISABLED. Also, ensure other SSO profile