
Page 1: R12 iStore SSO Whitepaper

WHITE PAPER

User Management Integration with SSO/OID Servers

Author: Aravind Bairy

Creation Date: 26-12-2005

Last Updated:

File URL:

Version:

Approver Name Role Date

Copyright 2023 Oracle Corporation All Rights Reserved

This document is not a promise to deliver and may not be included as part of any contract.


1. Document Control

1.1 Change Record

Date         Author          Version   Change Reference
26-Dec-2005  Aravind Bairy   1.0       Created the document

1.2 Contributors

Contributor Role Position

1.3 Reviewers

Name – Role/Position – Document Status – Date Reviewed – Comments Incorporated

Raghu Koratagere – Project Lead – In Progress

Venkatesh Vinod Nagaraj – Senior Development Manager – In Progress

1.4 Scope for this Document

This document describes the integration of the Oracle iStore product with the Single Sign On architecture, summarizes the Oracle iStore features and capabilities involved, and lists the setups necessary to achieve it. It is organized into three deployment options the customer can choose from, with an Appendix section describing the setups necessary for each deployment.


1.5 Document Reference

1.5.1 Current Document References

Author – Document Name – URL – Comments

Note:261914.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On
URL: http://files.oraclecorp.com/
URL: https://metalink.oracle.com/metalink/plsql/f?p=130:14:3572430939971675332::::p14_database_id,p14_docid,p14_show_header,p14_show_help,p14_black_frame,p14_font:NOT,261914.1,1,1,1,helvetica
Comments: WHITE PAPER, PUBLISHED

Note 261914.1 (PDF4): Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On (Build 3.2)
URL: https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf

Note:207159.1 - Oracle Application Server with Oracle E-Business Suite Release 11i Documentation Roadmap
URL: https://metalink.oracle.com/metalink/plsql/f?p=130:14:3572430939971675332::::p14_database_id,p14_docid,p14_show_header,p14_show_help,p14_black_frame,p14_font:NOT,207159.1,1,1,0,helvetica
Comments: WHITE PAPER, PUBLISHED

1.5.2 Historical Document References

Author Document Name URL Comments


Contents

1. Document Control ... 2
1.1 Change Record ... 2
1.2 Contributors ... 2
1.3 Reviewers ... 2
1.4 Scope for this Document ... 2
1.5 Document Reference ... 3
1.5.1 Current Document References ... 3
1.5.2 Historical Document References ... 3
2. Introduction ... 6
3. Oracle iStore User Management ... 9
3.1 Deployment with SSO Disabled ... 9
3.2 Deployment with SSO Enabled; CAPS Disabled; Local User Creation Updation Allowed ... 10
3.3 Deployment with SSO Enabled; CAPS Enabled; Local User Creation Updation Allowed ... 12
3.4 Deployment with SSO Enabled; CAPS Enabled; Local User Creation Updation Disabled ... 15
3.5 Summarizing Registration behavior for the different deployments ... 17
3.6 More on Partial Registration ... 18
4. Appendix ... 25
4.1 Integrating Oracle E-Business Suite with Oracle Single Sign On Server ... 26
4.1.1 Registering an application as a Partner Application in Oracle Single Sign On Server ... 26
4.1.2 Registering Oracle E-Business Suite as a Partner Application in Oracle Single Sign On Server ... 27
4.1.3 Registering Oracle E-Business Suite with Oracle Single Sign On Server and Oracle Portal ... 33
4.2 Integrating Oracle E-Business Suite with Oracle Internet Directory Server ... 35
4.2.1 Oracle Internet Directory Provisioning Integration Service ... 36
4.2.2 Oracle Internet Directory Subscription List ... 37
4.2.3 Oracle Internet Directory Provisioning Service Events ... 37
4.2.4 Creating a profile from a provisioning template ... 38
4.2.5 Directory Integration Processing (DIP) Server Logs and Provisioning Profile Logs ... 39
4.2.6 Sample Template file ... 39
4.2.7 Migrating Data between Oracle E-Business Suite Release 11i and Oracle Internet Directory ... 39
4.2.8 E-Business Suite User Data Synch up to OID – Synchronous and Asynchronous ... 43
4.2.9 Synchronizing the Third-Party Repository with Oracle Internet Directory ... 43
4.3 Implementing Central Registration Provisioning System for Oracle E-Business Suite ... 44
4.4 Acronyms ... 46


2. Introduction

This document contains information for integrating Oracle E-Business Suite Release 12.0 (and hence, Oracle iStore 12.0) with Oracle Application Server 10g. Benefits of this configuration include iStore’s support for the following services running on one or more standalone servers external to the existing Oracle E-Business Suite Release 12.0 environment, or running in separate ORACLE_HOMEs on existing servers:

Oracle Single Sign-On (SSO) 10.1.2.0.2

Oracle Internet Directory (OID) 10.1.2.0.2

Oracle Portal 10.1.2.0.2

Oracle Discoverer 10.1.2.0.2

Third-party single sign-on solutions

Third-party Lightweight Directory Access Protocol (LDAP) directories

Oracle iStore has a User Management module capable of creating and maintaining customer user information. Users can be created in iStore in two ways:

Self-Service Registrations

Delegated User Administration User Creations

When Single Sign On is not set up, iStore creates and maintains user data only locally, in the FND_USER table. However, when Oracle E-Business Suite is set up as a partner application with an Oracle Single Sign On Server, the user data is also leveraged in Oracle Internet Directory, an LDAP server available as part of the Oracle Application Server 10g Identity Management Infrastructure, apart from being stored locally in the FND_USER table. Further, the direction and attributes of the data synch ups between Oracle Internet Directory and FND_USER can be provisioned at the time of integrating Oracle E-Business Suite with the Oracle Internet Directory Server.

Implementing Single Sign-On (SSO) functionality for the E-Business Suite allows organizations to share one user definition throughout multiple parts of their enterprise.  Typically, the common user definition is stored in a Lightweight Directory Access Protocol (LDAP) repository such as Oracle Internet Directory (OID). Oracle Internet Directory serves as a central repository for user credentials and other user information for all Oracle products, including Oracle Application Server 10g and Oracle Portal. This user information is periodically synchronized with the E-Business Suite instance through a combination of Oracle Workflow and Oracle Applications patches. 

Either the Oracle Single Sign-On Software Development Kit (SSOSDK) release 9.0.2 or the mod_osso component is required to support Oracle Single Sign-On 10g integration with the E-Business Suite. It allows the E-Business Suite to register as a partner application with the Oracle Single Sign-On Server, giving users the ability to access other registered partner applications with a single credential.

As a partner application, the E-Business Suite also supports Single Sign-Off. E-Business Suite users can simultaneously terminate a Single Sign-On session and log out of all active partner applications by logging out of whatever application they are working in. Selecting Logout in a partner application returns users to the Single Sign-Off page, where logout occurs.


Purpose

This paper discusses the deployment options available to Oracle iStore customers for User Management with SSO enabled, and the features available in each option. It also covers the prerequisites and setups necessary for these options and, in the Appendix, the steps to integrate the Oracle E-Business instance with the Oracle Single Sign On Server and the Oracle Internet Directory Server.

Audience

Customers who currently have SSO-disabled setups – a useful paper for such customers to learn the features of SSO-enabled setups and the path to be taken to achieve them in R12.

Early adopter customers for SSO (who already have SSO-enabled setups) – to learn the new capabilities of iStore User Management with respect to SSO.

New R12 customers – to learn and compare the features available to them in Oracle iStore and choose the deployment that best suits their needs.

Definitions

Oracle Single Sign On Server

An authentication server available as part of the Oracle Application Server Infrastructure bundle, capable of handling authentication services for multiple partner applications registered with it. With multiple Oracle E-Business Suite instances and other applications registered as Partner Applications in the Single Sign On Server, visiting users can be allowed to access all the registered partner applications by logging in only once.

Oracle Internet Directory Server

A robust, integrated and scalable identity management LDAP server, which is also available as part of the Oracle Application Server Infrastructure bundle, responsible for storage of user data and allowing Administrators and other users to perform user management activities, such as account creation, modification and deletion at the enterprise level.

Partial Registrations

Authenticated users in iStore who are found incomplete (missing personal data, missing an account with which to do transactions, or earlier rejected for a partial registration) are taken to Confirm Registration (henceforth termed Partial Registration), wherein the user can select an available usertype, listed based on a combination of the user’s known data, and complete (confirm) registration as per the selected usertype. Once the user’s partial registration request is approved, he will be able to browse through iStore and perform the necessary transactions in iStore.

Note: Partial Registration feature is always available, immaterial of whether the system is integrated with SSO or not.


Central Account Provisioning System

A central registration module is a custom solution implemented and plugged in to the Oracle E-Business Suite to centrally enforce adherence of new registrations to corporate policies such as username policies, password policies and identity verification policies, to capture all application-independent information centrally, and to create users in the appropriate repository, be it a third-party LDAP server, OID or FND_USER. All applications route self-service user account creation requests to the Central Account Provisioning System.

Local User Creation and Updation Allowed

Central Account Provisioning Registration necessitates a profile to control whether the updates to User details can be decentralized in individual products or whether only the central account provisioning shall allow for user creation or updation. The profile, “Applications SSO User Creation and Updation Allowed” is used for this purpose. If it is set as ‘Disabled’, updates to user details in local applications, inclusive of iStore, will not be allowed.

Assumptions


3. Oracle iStore User Management

3.1 Deployment with SSO Disabled

Oracle iStore User Management is shipped with Single Sign On Feature being disabled. With this deployment,

A. The user accounts are created and maintained in the FND_USER table only, which is hence the source of truth for all user data.

B. Further, while creating a username, the prior existence of the same username in the instance is checked only in the FND_USER table.

C. User may need to separately register in each of the installed applications to get the necessary access in that application. Also, the user details captured in each of the application specific registrations will be different.

D. The installed applications do not share the user identity and hence the user may need to reauthenticate with the specific credentials against each installed application. Further, all login requests from inside Oracle iStore are taken only to the E-Business Suite Application Local Login page.

E. However, authenticated but incomplete users visiting iStore will be taken to Confirm Registration (henceforth termed Partial Registration), wherein the user can select an available usertype, listed based on a combination of the user’s known data, and complete (confirm) registration as per the selected usertype. Once the user request is approved, he will be able to browse through iStore and perform the necessary transactions in iStore.

F. Though SSO is disabled, newly created usernames will be created in reserve mode until they are approved. Once approved, they are committed; If rejected, the username is deleted and the same username can be re-used in another registration.


3.2 Deployment with SSO Enabled; CAPS Disabled; Local User Creation Updation Allowed

Necessary Setups:

1. Single Sign On Server and Oracle Internet Directory Servers are installed and integrated with the Oracle E-Business Suite as explained in Appendix A.

2. Bi-Directional User data synch up provisions have been setup as in Appendix B.

3. Ensure the profile values are set as below.

   SSO   CAPS   Local User Creation and Update
   Yes   No     Yes

   Set profile “Applications SSO Type” to ‘SSWA w/SSO’.
   Ensure profile ‘Oracle Applications Central Registration URL’ is not set to any value.
   Set profile ‘Applications SSO User Creation and Updation Allowed’ to ‘Enabled’.

4. With Single Sign On and Oracle Internet Directory set up and integrated with the Oracle E-Business Suite, all user details are stored in Oracle Internet Directory, which is the de facto source of truth. Based on the provisioning setup, the details are also synched to FND. The installed applications therefore share the user identity held in Oracle Internet Directory, so the user needs to authenticate only once and can then access and browse the associated Partner Applications of the SSO Server.

5. With Local User Creation and Update allowed, local registrations in iStore are allowed.

6. The username proposed by each registration is checked for its presence in both FND_USER and Oracle Internet Directory; depending on whether the proposal comes from Self-Service Registration or Delegated User Management, the action below is taken.

   Self-Registration:
   Username in neither FND nor OID: username creation allowed; username created in FND and propagated to OID.
   Username in FND and OID: “Username already Used” error message is shown.
   Username in FND but not in OID: “Username already Used” error message is shown.
   Username in OID but not in FND, re-linking not allowed: “Username already Used” error message is shown.
   Username in OID but not in FND, re-linking allowed: “Username already Used” error message is shown.

   Delegated UM:
   Username in neither FND nor OID: username creation allowed; username created in FND and propagated to OID.
   Username in FND and OID: “Username already Used” error message is shown.
   Username in FND but not in OID: “Username already Used” error message is shown.
   Username in OID but not in FND, re-linking not allowed: “Username already Used” error message is shown.
   Username in OID but not in FND, re-linking allowed: username creation allowed.

Note: Re-linking can be enabled by setting the profile option “Link Applications user with OID user with same username” to “Enabled”. In addition, the subscription that triggers the synch up to OID must be enabled; this subscription is enabled when the user synch up provisions are set up.

7. Though the users might already have been authenticated, incomplete users visiting iStore and accessing any secure page will be taken to Confirm Registration (henceforth termed Partial Registration), wherein the user can select an available usertype, listed based on a combination of the user’s known data, and complete (confirm) registration as per the selected usertype. Once the user request is approved, he will be able to browse through iStore and perform the necessary transactions in iStore.

8. Newly created usernames in iStore or any other E-Business Application will be created in reserve mode until they are approved. As long as the username is in reserve (or, pending) mode, the user is forbidden access to any application. Only when the username request is approved, the username is committed; Else, if rejected, the username is released (deleted) and the same username can be re-used in another registration.
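The username check of item 6 and the reserve/commit/release lifecycle of item 8 (and item F of section 3.1), as an added model in Python; this is not iStore or FND code. The dict and set stand in for FND_USER and OID, `relink_allowed` models the profile “Link Applications user with OID user with same username”, `sync_to_oid` models the subscription that propagates new usernames to OID, and removing the OID copy on rejection is an assumption made so that the released name is reusable as the paper states.

```python
"""Model of the R12 username checks and reserve/commit/release lifecycle.

Added illustration only (not iStore or FND code): FND_USER and Oracle Internet
Directory are stand-ins, and the profile / subscription are plain booleans.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    RESERVED = "reserved"      # pending approval; no application access yet
    COMMITTED = "committed"    # approved


class Source(Enum):
    SELF_SERVICE = "self-service registration"
    DELEGATED_UM = "delegated user management"


USERNAME_IN_USE = "Username already Used"


@dataclass
class Repositories:
    fnd_user: dict = field(default_factory=dict)  # username -> Status
    oid: set = field(default_factory=set)         # usernames present in OID
    relink_allowed: bool = False   # profile "Link Applications user with OID user ..."
    sync_to_oid: bool = True       # subscription propagating new usernames to OID


def check_username(repos, username, source):
    """Decision table of section 3.2 item 6: None if the name may be created,
    otherwise the error message shown to the registrant. Names are compared
    upper-cased, as usernames in the paper are (e.g. ORACLE101)."""
    name = username.upper()
    in_fnd, in_oid = name in repos.fnd_user, name in repos.oid
    if not in_fnd and not in_oid:
        return None
    # Only Delegated UM may re-link an OID-only username, and only when the
    # re-linking profile is enabled; Self-Service always gets the error.
    if in_oid and not in_fnd and repos.relink_allowed and source is Source.DELEGATED_UM:
        return None
    return USERNAME_IN_USE


def register(repos, username, source, requires_approval=True):
    """Create the username in FND in reserve mode (committed at once when the
    usertype needs no approval) and propagate it to OID via the subscription."""
    error = check_username(repos, username, source)
    if error:
        return error
    name = username.upper()
    repos.fnd_user[name] = Status.RESERVED if requires_approval else Status.COMMITTED
    if repos.sync_to_oid:
        repos.oid.add(name)
    return None


def has_access(repos, username):
    """A reserved (pending) username is forbidden access to any application."""
    return repos.fnd_user.get(username.upper()) is Status.COMMITTED


def approve(repos, username):
    repos.fnd_user[username.upper()] = Status.COMMITTED


def reject(repos, username):
    """Rejecting a new registration releases (deletes) the username so it can be
    reused. Assumption: the copy propagated to OID is removed with it."""
    name = username.upper()
    del repos.fnd_user[name]
    repos.oid.discard(name)


if __name__ == "__main__":
    repos = Repositories(oid={"ORACLE101"})   # constructed: pre-existing OID-only user
    print(check_username(repos, "oracle101", Source.DELEGATED_UM))  # Username already Used
    repos.relink_allowed = True
    print(check_username(repos, "oracle101", Source.DELEGATED_UM))  # None: re-linked
    register(repos, "oracle102", Source.SELF_SERVICE)
    print(has_access(repos, "oracle102"))                          # False while reserved
    reject(repos, "oracle102")
    print(register(repos, "oracle102", Source.SELF_SERVICE))        # None: name reusable
```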


3.3 Deployment with SSO Enabled; CAPS Enabled; Local User Creation Updation Allowed

Necessary Setups:

1. Single Sign On Server and Oracle Internet Directory Servers are installed and integrated with the Oracle E-Business Suite as explained in Appendix A.

2. Bi-Directional User data synch up provisions have been setup as in Appendix B.

3. Set up a demo WAR containing the JSP that renders the UI for the Central Registration Page and the processing logic to create the username in OID. Deploy it on the Oracle iAS server where OID is hosted. Refer to Appendix C for more details.

4. Ensure the profile values are set as below.

   SSO   CAPS   Local User Creation and Update
   Yes   Yes    Yes

   Set profile “Applications SSO Type” to ‘SSWA w/SSO’.
   Ensure profile ‘Oracle Applications Central Registration URL’ is set to the URL as shown below.
   Set profile ‘Applications SSO User Creation and Updation Allowed’ to ‘Enabled’.


Sample profile value for ‘Oracle Applications Central Registration URL’ can be

http://<oid server host name>:<oid server port number>/<application url context >/demo_umx_oid_reg.jsp?doneURL=:UMX_TARGET&cancelURL=:UMX_CANCEL

5. Clicking on Register link in iStore can have the below behaviour based on the appropriate scenario

a. If at least one Need Online Access Registration usertype is enabled, and Local Creation or Updation is allowed in iStore, a new Registration page with options to register using CAPS or to use ‘Need Online Access’ Registration is shown. From the iStore perspective, the latter usertypes are useful for giving online access to contacts who have already placed an order through a sales representative. For further information on ‘Need Online Access’ Registration in iStore, refer to the iStore R12 Implementation Guide.

b. If all the usertypes under Need Online Access Registration are disabled, then clicking on Register link, the user is directly taken to the CAPS Registration page pointed to by the ‘Oracle Applications Central Registration URL’ profile.

6. The usernames created in Central Registration pages must be created in OID by the custom implemented processing logic. Username thus created will be further propagated to the FND tables by the subscription that is setup during provisioning setup of OID server with Oracle E-Business Suite, as seen in Appendix B.

7. Further, when the username is created in OID, the custom implementation may raise the appropriate TCA events, the subscriptions attached to the same will further create the necessary details like Party Type of Person, Organization and Relationship in TCA. Writing custom procedures and linking them to the WF event to be raised by the CAPS registration can customize the details thus published in TCA.

8. Relating CAPS to Partial Registration

Please refer to section 3.5 ‘More on Partial Registration’ for the details of Partial Registration. Based on which records are created in CAPS, the behavior of such users when they access iStore is as below.

CAPS created User Information – Behavior in iStore

CAPS creates an OID username, but auto-provisioning to FND is NOT allowed (the subscription to synch the newly created username to FND is disabled).
Behavior: Error message “You do not have access to E-Business Applications. Please contact the System Administrator” is shown.

CAPS creates an OID username, auto-provisioning to FND is enabled, but no TCA details are published for the user.
Behavior:
1. If SSO is enabled, SSOManager.synchUserFromLDAP(username) is called to retrieve the available information from OID, publish it in TCA and set person_party_id or Customer_id appropriately in FND_USER.
2. If SSO is disabled, or SSO is enabled but SSOManager.synchUserFromLDAP did not fetch any useful TCA data, the user is treated as a User with No Party: he can browse non-secure pages in iStore and, upon accessing secure pages, is taken to Partial Registration. Refer to section 3.5 ‘More on Partial Registration’ for the usertypes shown in this case.

CAPS creates an OID username, auto-provisioning to FND is enabled, and only a Person Party record is published in TCA and linked to the FND_USER record.
Behavior: User is treated as a B2C User with No Account; he can browse non-secure pages in iStore and, upon accessing secure pages, is taken to Partial Registration. Refer to section 3.5 ‘More on Partial Registration’ for the usertypes shown in this case.

CAPS creates an OID username, auto-provisioning to FND is enabled, and Person Party, Organization Party and the Relationship Party w.r.t. this Organization are published in TCA, with the Party Relationship linked to the username.
Behavior: User is treated as a B2B User with No Account; he can browse non-secure pages in iStore and, upon accessing secure pages, is taken to Partial Registration. Refer to section 3.5 ‘More on Partial Registration’ for the usertypes shown in this case.

Since in this deployment, Local Creation Or Updation is allowed in iStore, the primary users of the Organization will be able to create new users or upgrade contacts as users and assign them accounts, roles, sites and also update the user’s password details.

The logged in user can change his user password from the My Profile screen directly.


3.4 Deployment with SSO Enabled; CAPS Enabled; Local User Creation Updation Disabled

Necessary Setups:

1. Single Sign On Server and Oracle Internet Directory Servers are installed and integrated with the Oracle E-Business Suite as explained in Appendix A.

2. User data synch up provisions have been setup as in Appendix B.

3. Set up a demo WAR containing the JSP that renders the UI for the Central Registration Page and the processing logic to create the username in OID. Deploy it on the Oracle iAS server where OID is hosted. Refer to Appendix C for more details.

4. Ensure the profile values are set as below.

   SSO   CAPS   Local User Creation and Update
   Yes   Yes    No

   Set profile “Applications SSO Type” to ‘SSWA w/SSO’.
   Ensure profile ‘Oracle Applications Central Registration URL’ is set to the URL as shown below.
   Set profile ‘Applications SSO User Creation and Updation Allowed’ to ‘Disabled’.


Sample profile value for ‘Oracle Applications Central Registration URL’ can be

http://<oid server host name>:<oid server port number>/<application url context >/demo_umx_oid_reg.jsp?doneURL=:UMX_TARGET&cancelURL=:UMX_CANCEL

5. Clicking on Register link in iStore will always take the user to the Central registration Page, as local creation of users is disabled. Hence the Registration Usertype listing page that was visible in the previous deployment will not be seen here.

6. Once the user registers in CAPS, the username will be created in OID and further propagated to FND, and the available details can also be published in TCA, as explained in the previous deployment.

7. Further, when the user who has registered in CAPS navigates to iStore, he will be taken to partial registration (Confirm Registration) and will be shown the probable upgrade paths, as mentioned in the table in 3.3.8.

8. Primary Users in iStore, though they can create contacts, will not be able to upgrade these contacts to users; i.e., the option to make the contact a user is shown neither while creating a contact nor while updating the contact.

9. Primary Users cannot update ANY username related information of the existing users, namely the password, start date, and end date. They will be rendered read-only, immaterial of the approval status of the username. However, they will be able to update the contact details (or, personal Information) of the users.

Note: The Update icon is enabled only for Approved and Rejected users in R12. Also, if a custom approval flow is built into the CAPS registration and, in such a setup, rejecting the username releases it and raises the Rejection event, and if the iStore seeded rejection subscription associated with this event is enabled, the rejected username will be converted into an inactive contact.

Also, if the username created in CAPS is approved but a partial registration request made by that user is rejected, the user still remains a valid user, though with a rejected status, and hence can be updated by the Primary User; since local create or update is not allowed in this deployment, the Primary User will not be able to update the information pertaining to that user’s username.

10. Provisioning for self-update of passwords by logged in users in OID.

Since creating or updating a username in local applications like iStore is disabled, updating passwords directly in iStore is not allowed. Instead, a URL must be provided which takes the user, as a non-administrative user, to the password handler page provided by the central OID-DAS (Delegated Administration Service, a service of Oracle Internet Directory that performs user and group management functions). Below are the profile setups necessary for this.

Profile                               At Level   Value
Applications SSO Login Types          Site       SSO or Both
Application SSO Change Password URL   Site       http://<oid-server-name>:<oid-server-port>/oiddas/ui/oracle/ldap/das/mypage/ChgPwdMyPage

With this setup, Under My Profile tab, instead of the 2 password fields, ‘Click here to update your password’ link will be shown and further, clicking on this link, the user will be taken to the OID-DAS password handler page, the URL of which is pointed out by the profile ‘Application SSO Change Password URL’.


3.5 Summarizing Registration behavior for the different deployments

The three registration pages referred to below are “Registration Usertype Listing - Default”, “Registration Usertype Listing - with CAPS” and the “CAPS Registration Page”.

SSO   CAPS   Local Create Update Allowed   At least one Need Online Access UT Enabled   Registration page behavior

Yes   Yes    Yes                           Yes          “Registration Usertype Listing - with CAPS”

Yes   Yes    Yes                           No           Directly “CAPS Registration Page”

Yes   Yes    No                            Immaterial   Directly “CAPS Registration Page”

Yes   No     Yes                           Immaterial   “Registration Usertype Listing – Default”

Yes   No     No                            Immaterial   Register link not shown. On accessing ibeCAcpSSOReg.jsp or ibeCRgdRegContainer.jsp, the user is shown the error message “User Self Registration has been disabled in the system. Please contact the System Administrator for further assistance.”


3.6 More on Partial Registration

Authenticated users in iStore who are found incomplete (no contact data, no account with which to do transactions, or earlier rejected for a partial registration) can browse public pages without being logged out and will be taken to Confirm Registration (henceforth termed Partial Registration), wherein the user can select an available usertype, listed based on a combination of the user’s known data, and complete (confirm) registration as per the selected usertype. Once the user’s partial registration request is approved, he will be able to browse through iStore and perform the necessary transactions in iStore.

Note: Partial Registration feature is always available, immaterial of whether the system is integrated with SSO or not.

In SSO implementations a user does an SSO login from any portal application (including iStore) and later navigates to the store. In this case, the user has an authenticated ICX session but may not have registered for the store. iStore treats such users, who have no access or incomplete access to the store, as guest users: it shows the catalog and prices of a walk-in user and allows the user to add items to the shopping cart. Whenever the user tries to access any sensitive page (e.g. checkout, profile), the system prompts the user to do partial registration to become a valid store user.

The table below depicts the iStore behaviour for an incomplete user as against a Pending User or an Invalid User.

1. User does Login
   Invalid User: Invalid Party error message and continue user action.
   User with Pending approval: Pending approval error message and continue user action.
   Incomplete User: Login successful.

2. Browse Catalog
   Invalid User: Yes.
   User with Pending approval: Yes.
   Incomplete User: Yes.

3. Catalog price list after login
   Invalid User: Guest price list.
   User with Pending approval: Guest price list.
   Incomplete User: Guest price list.

4. Site Selection Page
   Invalid User: All accessible sites.
   User with Pending approval: All accessible sites.
   Incomplete User: All accessible sites.

5. User navigates from non-secure to secure page (e.g. checkout)
   Invalid User: Invalid Party error message and continue user action.
   User with Pending approval: Pending approval error message and continue user action.
   Incomplete User: Partial registration.

6. Guest cart behavior
   Invalid User: Guest cart should be preserved after login.
   User with Pending approval: Guest cart should be preserved after login.
   Incomplete User: Merge guest cart after user does partial registration and auto-approval is “On”. Preserve guest cart if auto-approval is “Off”.


The logic to determine whether the user is incomplete in iStore is as depicted in the below diagram.


The table below depicts the usertypes shown for confirming the user information, based on the known/available user information.

Known User information | Usertypes shown for Partial Registration
User With No Party OR Incomplete B2C User | All enabled user types
B2B user of a B2B company | B2B Secondary and Partner Primary Usertypes
B2B user of a Partner company | B2B Secondary and Partner Secondary Usertypes
Partner user of a Partner company | Partner Secondary Usertypes only

Rejected Usernames

Both New Registration and Partial Registration requests made with a usertype that requires approval are short-listed for the Primary Users to approve or reject.

In the case of a New Registration, the username stays reserved as long as the approval request is pending. If the primary user rejects the registration request, the username is released and can be used for registration by anybody.

In the case of a Partial Registration, the username was already committed well before the user performed the partial registration. Hence, upon rejection, the username remains committed in the system, but the user's access to e-business applications stands rejected. Thus, although the user can still access other partner applications of the SSO Server, such as Oracle Technology Network, the user is not allowed to access any secure page of the e-business application. Attempting to do so takes the user to Partial Registration again, and only after the new Partial Registration request is approved can the user transact in iStore.

A sample user registration interaction. The assumption for this sample is that two specific approvers are designated at two levels for the organization named 'Oracle', whose Registry Id is '31175'.

1. A user registers in iStore with username 'ORACLE101' for usertype IBE_BUSINESS, which requires approval, giving Organization Registry Id '31175', the party number of the organization named 'Oracle'.

FND_USER
user_id | user_name | start_date | end_date | customer_id
1001 | ORACLE101 | 1/1/4712 | 1/1/4712 | 54321

JTF_UM_USERTYPE_REG
usertype_reg_id | user_id | usertype_id | status_code | effective_start_date | effective_end_date
2001 | 1001 | 10066 | PENDING | 24/12/2005 |

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54320 | User 101 | Person | A
54321 | user 101- Oracle | Party Relationship | A

HZ_CUST_ACCOUNTS
cust_account_id | account_number | party_id
1234 | 7001 | 54300

2. Either of the approvers of the mentioned organization rejects the username request of 'ORACLE101'.

FND_USER
Select * from fnd_user where user_id=1001 -- No Record found

JTF_UM_USERTYPE_REG
Select * from jtf_um_usertype_reg where user_id=1001 -- No Record found

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54320 | User 101 | Person | I
54321 | user 101- Oracle | Party Relationship | I

3. Another user registers in iStore with the same username 'ORACLE101' for usertype IBE_BUSINESS, which requires approval, giving Organization Registry Id '31175', the party number of the organization named 'Oracle'.

FND_USER
user_id | user_name | start_date | end_date | customer_id
1005 | ORACLE101 | 1/1/4712 | 1/1/4712 | 54323

JTF_UM_USERTYPE_REG
usertype_reg_id | user_id | usertype_id | status_code | effective_start_date | effective_end_date
2005 | 1005 | 10066 | PENDING | 25/12/2005 |

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54322 | User 102 | Person | A
54323 | user 102- Oracle | Party Relationship | A

HZ_CUST_ACCOUNTS
cust_account_id | account_number | party_id
1234 | 7001 | 54300

4. This time, however, both approvers of the organization accept the username request of 'ORACLE101'.

FND_USER
user_id | user_name | start_date | end_date | customer_id
1005 | ORACLE101 | 26/12/2005 | | 54323

JTF_UM_USERTYPE_REG
usertype_reg_id | user_id | usertype_id | status_code | effective_start_date | effective_end_date
2005 | 1005 | 10066 | APPROVED | 25/12/2005 |

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54322 | User 102 | Person | A
54323 | user 102- Oracle | Party Relationship | A

HZ_CUST_ACCOUNTS
cust_account_id | account_number | party_id
1234 | 7001 | 54300

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id | cust_account_id | party_id | status
205437 | 1234 | 54300 | A

5. Any primary user of the organization revokes the account associated with the user 'ORACLE101'.

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id | cust_account_id | party_id | status
205437 | 1234 | 54300 | I

6. User 'ORACLE101' logs in to iStore and tries to perform a secure transaction; the user is taken to Partial Registration, as the user does not have an account. User 'ORACLE101' completes the Confirm (or Partial) registration again using the 'IBE_BUSINESS' usertype, which short-lists this user for approval again.

FND_USER
user_id | user_name | start_date | end_date | customer_id
1005 | ORACLE101 | 26/12/2005 | | 54323

JTF_UM_USERTYPE_REG
usertype_reg_id | user_id | usertype_id | status_code | effective_start_date | effective_end_date
2005 | 1005 | 10066 | APPROVED | 25/12/2005 | 27/12/2005
2010 | 1005 | 10066 | PENDING | 27/12/2005 |

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54322 | User 102 | Person | A
54323 | user 102- Oracle | Party Relationship | A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id | cust_account_id | party_id | status
205437 | 1234 | 54300 | I

7. Either of the approvers of the mentioned organization rejects the partial registration request of 'ORACLE101'.

FND_USER
user_id | user_name | start_date | end_date | customer_id
1005 | ORACLE101 | 26/12/2005 | | 54323

JTF_UM_USERTYPE_REG
usertype_reg_id | user_id | usertype_id | status_code | effective_start_date | effective_end_date
2005 | 1005 | 10066 | APPROVED | 25/12/2005 | 27/12/2005
2010 | 1005 | 10066 | REJECTED | 27/12/2005 | 27/12/2005

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54322 | User 102 | Person | A
54323 | user 102- Oracle | Party Relationship | A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id | cust_account_id | party_id | status
205437 | 1234 | 54300 | I

8. User 'ORACLE101' logs in to iStore and tries to perform a secure transaction; the user is taken to Partial Registration, as the user does not have an account. User 'ORACLE101' completes the Confirm (or Partial) registration again using the 'IBE_BUSINESS' usertype, which short-lists this user for approval again.

FND_USER
user_id | user_name | start_date | end_date | customer_id
1005 | ORACLE101 | 26/12/2005 | | 54323

JTF_UM_USERTYPE_REG
usertype_reg_id | user_id | usertype_id | status_code | effective_start_date | effective_end_date
2005 | 1005 | 10066 | APPROVED | 25/12/2005 | 27/12/2005
2010 | 1005 | 10066 | REJECTED | 27/12/2005 | 27/12/2005
2015 | 1005 | 10066 | PENDING | 28/12/2005 |

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54322 | User 102 | Person | A
54323 | user 102- Oracle | Party Relationship | A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id | cust_account_id | party_id | status
205437 | 1234 | 54300 | I

Now, if the user whose latest status is 'Pending' tries to access any iStore page, the user is shown the Pending Approval message.

9. The first approver assigns an account; however, the second approver rejects the partial registration request of 'ORACLE101'.

FND_USER
user_id | user_name | start_date | end_date | customer_id
1005 | ORACLE101 | 26/12/2005 | | 54323

JTF_UM_USERTYPE_REG
usertype_reg_id | user_id | usertype_id | status_code | effective_start_date | effective_end_date
2005 | 1005 | 10066 | APPROVED | 25/12/2005 | 27/12/2005
2010 | 1005 | 10066 | REJECTED | 27/12/2005 | 27/12/2005
2015 | 1005 | 10066 | REJECTED | 28/12/2005 | 28/12/2005

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54322 | User 102 | Person | A
54323 | user 102- Oracle | Party Relationship | A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id | cust_account_id | party_id | status
205437 | 1234 | 54300 | A

10. User 'ORACLE101' logs in to iStore and tries to perform a secure transaction; the user is taken to Partial Registration because, although the user has an account, access to e-business applications has been rejected. User 'ORACLE101' completes the Confirm (or Partial) registration again using the 'IBE_BUSINESS' usertype, which short-lists this user for approval again.

FND_USER
user_id | user_name | start_date | end_date | customer_id
1005 | ORACLE101 | 26/12/2005 | | 54323

JTF_UM_USERTYPE_REG
usertype_reg_id | user_id | usertype_id | status_code | effective_start_date | effective_end_date
2005 | 1005 | 10066 | APPROVED | 25/12/2005 | 27/12/2005
2010 | 1005 | 10066 | REJECTED | 27/12/2005 | 27/12/2005
2015 | 1005 | 10066 | REJECTED | 28/12/2005 | 28/12/2005
2020 | 1005 | 10066 | PENDING | 29/12/2005 |

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54322 | User 102 | Person | A
54323 | user 102- Oracle | Party Relationship | A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id | cust_account_id | party_id | status
205437 | 1234 | 54300 | A

11. Both approvers of the organization accept the username request of 'ORACLE101'; now the user 'ORACLE101' can successfully perform any transaction in iStore.

FND_USER
user_id | user_name | start_date | end_date | customer_id
1005 | ORACLE101 | 26/12/2005 | | 54323

JTF_UM_USERTYPE_REG
usertype_reg_id | user_id | usertype_id | status_code | effective_start_date | effective_end_date
2005 | 1005 | 10066 | APPROVED | 25/12/2005 | 27/12/2005
2010 | 1005 | 10066 | REJECTED | 27/12/2005 | 27/12/2005
2015 | 1005 | 10066 | REJECTED | 28/12/2005 | 28/12/2005
2020 | 1005 | 10066 | APPROVED | 29/12/2005 |

HZ_PARTIES
party_id | party_name | party_type | status
54300 | Oracle | Organization | A
54322 | User 102 | Person | A
54323 | user 102- Oracle | Party Relationship | A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id | cust_account_id | party_id | status
205437 | 1234 | 54300 | A
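As an added illustration (not Oracle code), the following Python derives the user categories of the behaviour table and the usertype lists of the Partial Registration table from the four tables the sample interaction tracks, and re-evaluates the sample's steps from their rows. The usertype codes other than IBE_BUSINESS, the category names and the row layout are assumptions.

```python
"""Evaluate an SSO-authenticated user's standing in iStore from FND_USER,
JTF_UM_USERTYPE_REG, HZ_PARTIES and HZ_CUST_ACCOUNT_ROLES, and list the usertypes
offered on Partial Registration. Rows are constructed to mirror the sample
(user_id 1005, party 54323, role 205437); this is not Oracle's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTIVE, INACTIVE = "A", "I"          # HZ status codes as shown in the tables

# Constructed catalogue of enabled usertypes: code -> category.  IBE_BUSINESS is the
# B2B primary usertype used in the sample; the other codes are placeholders.
ENABLED_USERTYPES: Dict[str, str] = {
    "IBE_INDIVIDUAL": "B2C",
    "IBE_BUSINESS": "B2B_PRIMARY",
    "IBE_BUSINESS_USER": "B2B_SECONDARY",
    "PARTNER_ADMIN": "PARTNER_PRIMARY",
    "PARTNER_USER": "PARTNER_SECONDARY",
}


@dataclass
class UserState:
    fnd_user: Optional[dict]            # FND_USER row; None once a rejected username is released
    usertype_regs: List[dict]           # JTF_UM_USERTYPE_REG rows for the user
    party_status: Optional[str]         # HZ_PARTIES.status of the user's party; None if no party
    account_role_status: Optional[str]  # HZ_CUST_ACCOUNT_ROLES.status; None if no role at all
    user_kind: str = "B2B"              # "B2C", "B2B" or "PARTNER"
    company_kind: str = "B2B"           # "B2B" or "PARTNER" company the user belongs to


def latest_reg_status(state: UserState) -> Optional[str]:
    """Status of the most recent usertype request (highest usertype_reg_id)."""
    if not state.usertype_regs:
        return None
    return max(state.usertype_regs, key=lambda r: r["usertype_reg_id"])["status_code"]


def classify(state: UserState) -> str:
    """Map table contents to the user categories of the behaviour table."""
    if state.fnd_user is None or state.party_status != ACTIVE:
        return "Invalid User"                      # "Invalid Party" message, action continues
    latest = latest_reg_status(state)
    if latest == "PENDING":
        return "Pending approval"                  # "Pending approval" message
    if state.account_role_status != ACTIVE or latest == "REJECTED":
        return "Incomplete User"                   # secure page -> Partial Registration
    return "Valid User"


def usertypes_for_partial_registration(state: UserState) -> List[str]:
    """Usertypes listed on the Partial Registration page for the user's known data."""
    if state.party_status is None or state.user_kind == "B2C":
        wanted = set(ENABLED_USERTYPES.values())   # no party / incomplete B2C: all enabled
    elif state.user_kind == "B2B" and state.company_kind == "B2B":
        wanted = {"B2B_SECONDARY", "PARTNER_PRIMARY"}
    elif state.user_kind == "B2B" and state.company_kind == "PARTNER":
        wanted = {"B2B_SECONDARY", "PARTNER_SECONDARY"}
    else:                                          # partner user of a partner company
        wanted = {"PARTNER_SECONDARY"}
    return [code for code, cat in ENABLED_USERTYPES.items() if cat in wanted]


def guest_cart_action(category: str, auto_approval_on: bool) -> str:
    """Row 6 of the behaviour table: what happens to the guest cart after login."""
    if category == "Incomplete User" and auto_approval_on:
        return "merge"
    return "preserve"


def reg(reg_id: int, status: str, start: str, end: Optional[str] = None) -> dict:
    """Constructed JTF_UM_USERTYPE_REG row for user 1005 / usertype 10066."""
    return {"usertype_reg_id": reg_id, "user_id": 1005, "usertype_id": 10066,
            "status_code": status, "effective_start_date": start, "effective_end_date": end}


FND_1005 = {"user_id": 1005, "user_name": "ORACLE101", "customer_id": 54323}


def sample_walkthrough() -> Dict[int, str]:
    """Re-evaluate the sample's steps from their table contents; keys are step numbers."""
    r2005 = reg(2005, "APPROVED", "25/12/2005", "27/12/2005")
    r2010 = reg(2010, "REJECTED", "27/12/2005", "27/12/2005")
    r2015 = reg(2015, "REJECTED", "28/12/2005", "28/12/2005")
    steps = {
        2: UserState(None, [], INACTIVE, None),     # new registration rejected, username released
        4: UserState(FND_1005, [reg(2005, "APPROVED", "25/12/2005")], ACTIVE, ACTIVE),
        5: UserState(FND_1005, [reg(2005, "APPROVED", "25/12/2005")], ACTIVE, INACTIVE),
        6: UserState(FND_1005, [r2005, reg(2010, "PENDING", "27/12/2005")], ACTIVE, INACTIVE),
        7: UserState(FND_1005, [r2005, r2010], ACTIVE, INACTIVE),
        9: UserState(FND_1005, [r2005, r2010, r2015], ACTIVE, ACTIVE),
        11: UserState(FND_1005, [r2005, r2010, r2015,
                                 reg(2020, "APPROVED", "29/12/2005")], ACTIVE, ACTIVE),
    }
    return {step: classify(state) for step, state in steps.items()}
```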


4. Appendix

The deployments mentioned below are for OracleAS 10g 10.1.2.0.2 or above.

Oracle 10g Application Server
  |-> Oracle 10g Application Server Infrastructure Instance
        |-> Oracle Identity Management Infrastructure
              |-> OracleAS 10g Single Sign-On
              |-> Oracle Internet Directory
              |-> Oracle Directory Integration and Provisioning
              |-> Oracle Delegated Administration Service
              |-> Oracle Identity Management
              |-> OracleAS 10g Certificate Authority

Working together, these components, called the Infrastructure, manage the security life cycle of users and other network entities in an efficient, cost-effective way. To use OracleAS 10g to enable single sign-on for Release R12 environments, the below are required (at minimum):

"OracleAS Metadata Repository" option of the OracleAS Infrastructure 10g installation. 

"Identity Management" option of the OracleAS Infrastructure 10g installation. As noted above, the "Identity Management" option includes the middle-tier components for Oracle Internet Directory, Single Sign-On, and Delegated Administration Services.

The integration process consists of four phases:

1. Install Oracle Application Server 10g 10.1.2.0.2 Infrastructure Instance on a standalone server.  This is explained in Appendix 4.1.

2. Migrate the existing E-Business Suite application tier server node to the latest version of Oracle Application Server 10g.

3. Synchronize user information between the standalone Infrastructure Instance server and the E-Business Suite environment. This is explained in Appendix 4.2.


4.1 Integrating Oracle E-Business Suite with Oracle Single Sign On Server

4.1.1 Registering an application as a Partner Application in Oracle Single Sign On Server.

1. Access the Single Sign-On home page using http://host:port/pls/Single_Sign_On_DAD, where host is the name of the computer on which the single sign-on server is located, port is the port number of the server, and Single_Sign_On_DAD is the database access descriptor for the single sign-on schema. The default DAD is orasso. The Access Partner Applications page appears.

2. Click Login in the upper right corner of the Access Partner Applications page. The single sign-on login page appears.

3. Log in as the orcladmin user with the password provided while installing Oracle iAS.

4. The single sign-on home page appears. To perform administrative functions, click SSO Server Administration. The below page is shown.

5. Select ‘Administer Partner Applications’ > ‘Add Partner Application’ and provide the necessary details as below and Create a new Partner Application.

A. Enter the application name, the home URL, success URL and Logout URL for this application. The home URL is the application's home page. The success URL refers to the URL to be redirected to upon successful login. It must correspond to the procedure that processes the user identification information from the SSO Server.

B. Specify the Valid Login Timeframe

C. Provide Application Administrator email address

6. Once the Partner Application is registered, the application id, the application token and the encryption key used by the SSO Server to identify this application are displayed. The application token must be used by the partner application when requesting authentication. Sample set of values is as below.

ID: 1CB41C17
Token: 3F4I181F1CB41C17
Encryption Key: B3DCFB64840E084F
Login URL: http://152.69.162.108:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
Single Sign-Off URL: http://152.69.162.108:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout


4.1.2 Registering Oracle E-Business Suite as a Partner Application in Oracle Single Sign On Server.

Supported Architectures and Configurations

A. User Authentication can be by “SSO” or “External third-party Access manager” or “Native E-Business Suite”.

B. Source of truth of records can be “OID”, “External Third Party LDAP User Repository”.

C. User synchronization direction can be "From R12 to OID", "From OID to R12" or "From Third Party LDAP server to OID to R12".

4.1.2.1: Ensure the Oracle E-Business Suite is implemented using Oracle9i Application Server Release 1.0.2.2.2 Enterprise Edition or above as the tech stack. This can be verified by executing the command

$iAS_HOME/Apache/Apache/bin/httpd -v

4.1.2.2: Install DBMS_LDAP on E-Business Suite Database-Tier Server Node

The Oracle database must be installed with the Oracle Internet Directory option to support synchronization of user information between Oracle Internet Directory and the E-Business Suite. Check your version-specific and platform-specific Database Installation Guide for details.

Check if the package DBMS_LDAP exists on the database tier server used by the E-Business Suite. Else, run $ORACLE_HOME/rdbms/admin/catldap.sql as SYSDBA, with the ORACLE_HOME environment variable pointing to the DB_ORACLE_HOME.

4.1.2.3: Install Oracle Application Server 10g 10.1.2.0.2 Enterprise Edition

Refer 4.1 for the components needed and the options to be selected for installing the Infrastructure instance of Oracle Application Server 10g 10.1.2.0.2 Enterprise Edition. Follow the Oracle Application Server 10g Installation Guide for your operating system platform for instructions on installing an OracleAS 10g infrastructure into its own ORACLE_HOME. Further, please note the below.

The Oracle Application Server 10g application server installation and the Oracle Application Server 10g infrastructure may reside on a single host or on separate hosts, but must be in separate ORACLE_HOMEs.

The Oracle Application Server 10g Infrastructure must not be installed in the Oracle E-Business Suite Release R12 database.

The application server installation and the infrastructure must not be installed in the ORACLE_HOME of an existing Oracle E-Business Suite Release R12 application-tier server node

Follow the steps below to test the Oracle Application Server 10g Identity Management infrastructure.

i. Start Oracle Internet Directory Delegated Administration Services by going to http://<host_name>.<domain>:<Infrastructure http port number>/oiddas

ii. Log in using the orcladmin userid.

iii. Navigate to Directory > Create and create a test userid, supplying a password and other user information. Click Submit. Log out.

iv. Log into Oracle Internet Directory Delegated Administration Services using the newly created test userid.


4.1.2.4: Install E-Business Suite SSO 10g Integration Patch

The Build 3.1 E-Business Suite SSO 10g Integration patch does NOT need to be applied explicitly on Release 12.0, as the Build 3.1 patch is included in Release 12.0.

4.1.2.5: Run Registration Script – txkrun.sql

4.1.2.5.1: Prepare the parameter checklist as below:

# | Parameter Description | Example | Comments
1 | Hostname of Oracle Application Server Infrastructure database | myias.company.com | Fully qualified name recommended
2 | Port of Oracle Application Server Infrastructure database | 1521 |
3 | Database SID of Oracle Application Server Infrastructure database | iasinfra |
4 | LDAP port of Oracle Internet Directory | 3060 |
5 | Password of Oracle E-Business Suite database user "APPS" | apps |
6 | Password of Oracle Application Server Infrastructure database user "ORASSO" | C8atE7O0 | Obtain it by running the following command on the Oracle Internet Directory server:
    $ORACLE_HOME/bin/ldapsearch -h <oid_host> -p <oid_port> -D "cn=orcladmin" -w <password> -b "cn=IAS,cn=Products,cn=OracleContext" -s sub -v "OrclresourceName=orasso" | grep orclpasswordattribute
7 | Password of Oracle E-Business Suite database user "SYSTEM" | manager |
8 | Password of E-Business Suite database user "SSOSDK" | ssosdk | If the user does not exist, a new user will be created with this password.
9 | Password of Oracle Internet Directory admin user "orcladmin" | welcome123 |
10 | Password with which you would like to register your E-Business Suite instance with Oracle Internet Directory | welcome1 | This is the master password used to register the E-Business Suite instance in Oracle Internet Directory. Release 12 services use this password at a later time for certain security validations. It is a critical password governing communications from the E-Business Suite instance to Oracle Internet Directory, and it should be made as secure as possible.
11 | Name, with the fully qualified path, of the Provisioning Profile Template | -provtmp=$FND_TOP/admin/template/ProvOIDToApps.tmp | By default the bidirectional template, ProvBiDirection.tmp, is chosen for you. To use a different template, override it with the "-provtmp" parameter.

4.1.2.5.2: As the owner of the application-tier file system, source the file $APPL_TOP/APPS<context_name>.env to set the environment correctly

4.1.2.5.3: Ensure perl from the <iAS_ORACLE_HOME>/bin directory is in the path. Run perl -v to ensure the version is higher than 5.005.


4.1.2.5.4. Run the registration script

A perl script <FND_TOP>/patch/115/bin/txkrun.pl is used to register Oracle E-Business Suite instance with Oracle Single Sign-On and Oracle Internet Directory. <FND_TOP>/patch/115/bin/txkrun.pl internally uses <FND_TOP>/patch/115/bin/txkSetSSOReg.pl for this purpose.

This utility can be used to register as well as de-register the E-Business Suite integration with the Oracle SSO/OID servers.

This utility should be run from one of the Oracle E-Business Suite Release R12 application tier server nodes to register both SSO and OID in the Oracle Application Server 10g infrastructure database.

Source the file $APPL_TOP/APPS<CONTEXT_NAME>.env to set the environment correctly. Further, run one of the below commands, based on the need type.

Need Type: Register both SSO and OID
Interactive mode command:
    txkrun.pl -script=SetSSOReg
Non-interactive mode command:
    txkrun.pl -script=SetSSOReg -register=Yes -appspass=apps -infradbhost=ap627atg -infradbport=1521 -infradbsid=infra1 -orassopass=C8atE7O0 -systempass=manager -ssosdkpass=ssosdk -orcladminpass=welcome123 -instpass=welcome123 -ldapport=3060 -appname="EBiz test" -svcname="This is the test instance for EBusiness"
Comments:
    Use this option when registering the partner application with Oracle Single Sign-On and Oracle E-Business Suite 11i as a provisioning application with Oracle Internet Directory.
    Creates a single SSO partner application; the Listener Token is set to the site-level value of the profile option Applications Database ID (APPS_DATABASE_ID).
    Registers E-Business Suite with OID using the ProvBiDirection.tmp provisioning profile. This enables bidirectional user synchronization, including user creation.

Need Type: Register only SSO
Interactive mode command:
    txkrun.pl -script=SetSSOReg -registersso=Yes
Non-interactive mode command:
    txkrun.pl -script=SetSSOReg -registersso=Yes -appspass=apps -orassopass=C8atE7O0 -ssosdkpass=ssosdk
Comments:
    Use this option when registering only the SSO partner application with Oracle Single Sign-On. This option can be used:
    To register separate E-Business Suite application tier server nodes as individual partner applications in a DMZ deployment.
    To register the E-Business Suite instance when you have installed OracleAS 10g Single Sign-On Server on a different node than OracleAS 10g Oracle Internet Directory.

Need Type: Register only OID
Interactive mode command:
    txkrun.pl -script=SetSSOReg -registeroid=Yes
Non-interactive mode command:
    txkrun.pl -script=SetSSOReg -registeroid=Yes -appspass=apps -infradbhost=ap627atg -orcladminpass=welcome123 -instpass=welcome123 -ldapport=3060 -appname="EBiz test" -svcname="This is the test instance for EBusiness"
Comments:
    Use this option when registering and deregistering Oracle E-Business Suite 11i as a provisioning application with Oracle Internet Directory. This option can be used:
    To deregister an unsuccessful OID registration/deregistration that may have failed during a combined SSO/OID registration.
    To selectively register/deregister your E-Business Suite instance against OID.
    To register the E-Business Suite instance when you have installed Oracle Internet Directory on a different node than OracleAS 10g Single Sign-On Server.

Need Type: De-Register both SSO and OID
Interactive mode command:
    txkrun.pl -script=SetSSOReg -deregister=Yes
Non-interactive mode command:
    txkrun.pl -script=SetSSOReg -deregister=Yes -appspass=apps -infradbhost=ap627atg -infradbport=1521 -infradbsid=infra1 -orassopass=C8atE7O0 -systempass=manager -ssosdkpass=ssosdk
Comments:
    Use this option when deregistering the partner application with Oracle Single Sign-On and Oracle E-Business Suite 11i as a provisioning application with Oracle Internet Directory.

Need Type: De-Register only SSO
Interactive mode command:
    txkrun.pl -script=SetSSOReg -deregistersso=Yes
Non-interactive mode command:
    txkrun.pl -script=SetSSOReg -deregistersso=Yes -appspass=apps -orassopass=C8atE7O0 -ssosdkpass=ssosdk
Comments:
    Same as "Register only SSO".

Need Type: De-Register only OID
Interactive mode command:
    txkrun.pl -script=SetSSOReg -deregisteroid=Yes
Non-interactive mode command:
    txkrun.pl -script=SetSSOReg -deregisteroid=Yes -appspass=apps -orcladminpass=welcome123
Comments:
    Same as "Register only OID".

Execute the above commands with the '-provtmp' option if you want to use a different provisioning template, as shown below.

<FND_TOP>/patch/115/bin/txkrun.pl -script=SetSSOReg -provtmp=$FND_TOP/admin/template/<TemplName>

where <TemplName> is the provisioning template that you wish to use.

E.g., txkrun.pl -script=SetSSOReg -provtmp=$FND_TOP/admin/template/ProvOIDToApps.tmp

The different provisioning template options seeded out of the box are as below.


Template | Usage
ProvAppsToOID.tmp | Sets up user creation and update synchronization to happen only from FND to OID.
ProvBiDiNoCreation.tmp | Sets up bidirectional user update synchronization between FND and OID, and restricts synchronization of user creations in FND over to OID.
ProvBiDirection.tmp | Default template. Sets up bidirectional user creation and update synchronization between FND and OID.
ProvOIDToApps.tmp | Sets up user creation and update synchronization to happen only from OID to FND.

To simplify the registration process, the txkrun.pl script defaults many parameters to a configuration that meets the needs of most users. For any of the commands used, supply the values from the parameter checklist prepared above for the parameters prompted by the script.

When the registration script completes successfully, it will print the following line:

End of <FND_TOP>/patch/115/bin/txkSetSSOReg.pl: No errors encountered.

If you do not see this confirmation, examine the following file to investigate the problem:

$APPLRGF/sso/txkSetSSOReg_[timestamp].log
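An added helper, not part of the txkrun.pl utility, that assembles the non-interactive command from the checklist of 4.1.2.5.1, masks the passwords when the command line is recorded, and checks the script output for the success line above. The checklist values are the page's sample ones; the injected runner callable is an assumption so the flow can be exercised without an E-Business Suite host.

```python
"""Build and verify a non-interactive txkrun.pl SetSSOReg run (added example)."""
import re
import shlex
from typing import Callable, Dict, List

# Checklist keys whose values are passwords and must never be echoed into logs.
PASSWORD_KEYS = {"appspass", "orassopass", "systempass", "ssosdkpass",
                 "orcladminpass", "instpass"}

# Parameters each need type requires, following the command table in 4.1.2.5.4.
REQUIRED: Dict[str, List[str]] = {
    "register": ["appspass", "infradbhost", "infradbport", "infradbsid", "orassopass",
                 "systempass", "ssosdkpass", "orcladminpass", "instpass", "ldapport",
                 "appname", "svcname"],
    "registersso": ["appspass", "orassopass", "ssosdkpass"],
    "registeroid": ["appspass", "infradbhost", "orcladminpass", "instpass", "ldapport",
                    "appname", "svcname"],
    "deregistersso": ["appspass", "orassopass", "ssosdkpass"],
    "deregisteroid": ["appspass", "orcladminpass"],
}

# Constructed checklist using the page's sample values (appname/svcname deliberately absent).
CHECKLIST: Dict[str, str] = {
    "infradbhost": "myias.company.com", "infradbport": "1521", "infradbsid": "iasinfra",
    "ldapport": "3060", "appspass": "apps", "orassopass": "C8atE7O0",
    "systempass": "manager", "ssosdkpass": "ssosdk", "orcladminpass": "welcome123",
    "instpass": "welcome1",
}

SUCCESS_RE = re.compile(r"^End of .*/txkSetSSOReg\.pl: No errors encountered\.\s*$", re.M)


def build_command(mode: str, params: Dict[str, str], fnd_top: str = "$FND_TOP",
                  provtmp: str = None) -> List[str]:
    """Return argv for the chosen need type, refusing to run with an incomplete checklist."""
    if mode not in REQUIRED:
        raise ValueError(f"unknown need type {mode!r}; expected one of {sorted(REQUIRED)}")
    missing = [k for k in REQUIRED[mode] if k not in params]
    if missing:
        raise ValueError(f"checklist incomplete for {mode}: {missing}")
    argv = [f"{fnd_top}/patch/115/bin/txkrun.pl", "-script=SetSSOReg", f"-{mode}=Yes"]
    argv += [f"-{k}={params[k]}" for k in REQUIRED[mode]]
    if provtmp:                                   # optional template override (-provtmp)
        argv.append(f"-provtmp={provtmp}")
    return argv


def redact(argv: List[str]) -> str:
    """Render argv for a change record with every password value replaced by ****."""
    shown = []
    for arg in argv:
        key, sep, _ = arg[1:].partition("=")
        shown.append(f"-{key}=****" if sep and key in PASSWORD_KEYS else arg)
    return " ".join(shlex.quote(a) for a in shown)


def registration_succeeded(output: str) -> bool:
    """True only if the script printed its 'No errors encountered' completion line."""
    return SUCCESS_RE.search(output) is not None


def register(mode: str, params: Dict[str, str], run: Callable[[List[str]], str],
             **kwargs) -> bool:
    """Build the command, record it redacted, run it and check the completion line."""
    argv = build_command(mode, params, **kwargs)
    print("running:", redact(argv))
    return registration_succeeded(run(argv))
```

If the completion line is absent, inspect $APPLRGF/sso/txkSetSSOReg_[timestamp].log as the text above directs.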

4.1.2.6: Stop and start the Oracle HTTP Server used by the Oracle E-Business Suite instance in question.

4.1.2.7: Verify and Validate the Single Sign On Setup

4.1.2.7.1: Run the Diagnostic Utility

Login as user "sysadmin" to the E-Business Suite locally using this URL:

http[s]://<server>[:port]/OA_HTML/AppsLocalLogin.jsp Where <server> and <port> reflect the correct values for your environment.

Select the responsibility "CRM HTML Administration" and select the function "Diagnostics" from the Navigator's right pane.

4.1.2.7.1.1: SSO Diagnostics

Click on the "Basic" tab and choose "Application Object Library" from the Applications list.

Click on "SSO Setup Tests", then click on "Run Without Pre-Requisite".

All the tests should complete successfully. Click on the "Report" icon for each test and verify the results.

4.1.2.7.1.2: OID Diagnostics

Click on "OID Setup" - Click on "Run Without Pre-Requisite"

All the tests should complete successfully

Click on the "Report" icon for each test and verify the results


4.1.2.7.2: Manual Verification

4.1.2.7.2.1 Verify that your Oracle E-Business Suite instance is correctly integrated with Oracle Single Sign-on server.

Request the E-Business Suite login link, of the form:

http://[host]:[port]/oa_servlets/AppsLogin

where [host] and [port] reflect the correct values for your environment.

Or, access the iStore login link as below:

http://[host]:[port]/OA_HTML/ibeCAcpSSOLogin.jsp

This should direct you to the Single Sign-On Login screen.

Enter the username and password for a valid account in Oracle Internet Directory. You should be directed to either the Oracle E-Business Suite home page or a page that shows "More Information Requested".

Click on the logout link on whichever of the pages that you see. You should now be directed to the Single Sign-On Logout page. If so, then Single Sign-On integration has been carried out correctly.

4.1.2.7.2.2 Verify that the Oracle E-Business Suite instance is correctly integrated with Oracle Internet Directory.

Check that there are no errors in the Oracle Internet Directory log files for the E-Business Suite instance just configured. These files are on the machine that hosts Oracle Internet Directory, under $ORACLE_HOME/ldap/odi/log. The files for provisioning from Oracle Internet Directory to E-Business Suite end with _E.aud and _E.trc. The files for provisioning from E-Business Suite to Oracle Internet Directory end with _I.aud and _I.trc.

Depending on how provisioning has been configured, try to create a user from either E-Business Suite or Oracle Internet Directory. If you used the simple registration process with the default profile, you may create a user in either E-Business Suite or Oracle Internet Directory and see the newly provisioned user appear in the other system within about two minutes. The user details should also be visible in the relevant .aud log file mentioned above. If so, then provisioning configuration for Oracle Internet Directory has been performed correctly.


4.1.3 Registering Oracle E-Business Suite with Oracle Single Sign On Server and Oracle Portal

Use of Oracle Portal is optional. However, Oracle Single Sign-On is a mandatory prerequisite for Oracle Portal.

Oracle Portal can optionally be implemented to provide a single customized portal that allows access to one or more E-Business Suite instances. As part of Oracle9i Application Server, Oracle Portal can provide users with corporate and customized personal home pages accessible via Web browsers.

Oracle Portal may be configured to access one or more E-Business Suite environments. Oracle Portal users may add links to their home pages to access E-Business Suite modules, and may display some information (for example, Oracle Workflow notifications) directly on their home pages. E-Business Suite links and data are delivered to Oracle Portal via portlets. Portlets can be displayed on customized Oracle Portal home pages. Portlets installed on an E-Business Suite instance communicate with Oracle Portal via Web providers. E-Business Suite Web providers are registered in the Portal Repository.

4.1.3.1 Generating a Site2pstoretoken For Portal Login With wwsec_sso_enabler.generate_redirect

Pre-requisite: 'Oracle Portal 10g Server' (10.1.2.0.2 or above) is registered as a Partner Application with the SSO Server. Use of Oracle Portal is optional. However, Oracle Single Sign-On is a mandatory prerequisite for Oracle Portal. Further, to integrate R12 with Oracle Portal, the Portal and Wireless option of the Oracle Application Server 10g (middle tier) installation must be selected in order to integrate with the Oracle Portal 10g Server.

4.1.3.1.1 Create a schema in the SSO database instance to contain the SSO SDK packages. Do not install the SSO 9.0.2 SDK packages into the Portal or ORASSO schemas.

For example:

sqlplus "sys/<sys password>[@tnsalias] as sysdba"
SQL> create user sso_sdk902 identified by sso_sdk902;
SQL> grant connect, resource to sso_sdk902;

4.1.3.1.2 Load the SDK PL/SQL packages

To use the SSO SDK, unzip the $ORACLE_HOME/sso/lib/ssosdk902.zip file into any directory. Change directory to the unzipped SDK packages directory and run

sqlplus sso_sdk902/sso_sdk902[@tnsalias]
SQL> @loadsdk

4.1.3.1.3 Register the Portal partner application with the SDK schema. In the SDK packages directory run:

sqlplus sso_sdk902/sso_sdk902[@tnsalias]
SQL> @regapp

Enter the below values:

Partner Application Configuration
Enter value for listener_token: ap608opsadm.us.oracle.com:18670
Enter value for site_id: 1CB41C17
Enter value for site_token: 3F4I181F1CB41C17
Enter value for login_url: http://ap608opsadm.us.oracle.com:18670/pls/orasso/orasso.wwsso_app_admin.ls_login
Enter value for encryption_key: B3DCFB64840E084F
Enter value for ip_check: N

The output of the script will be as below:

Registration successful.
Listener token: ap608opsadm.us.oracle.com:18670
Site id: 1CB41C17
Site token: 3F4I181F1CB41C17
Encryption key: B3DCFB64840E084F
Login URL: http://ap608opsadm.us.oracle.com:18670/pls/orasso/orasso.wwsso_app_admin.ls_login
Logout URL: http://ap608opsadm.us.oracle.com:18670/pls/orasso/orasso.wwsso_app_admin.ls_logout
IP check: N
------------------------------------------------
PL/SQL procedure successfully completed.
Commit complete.

4.1.3.1.4 Create a function in the SDK schema to retrieve the site2pstoretoken value.

Example: sqlplus sso_sdk902/sso_sdk902[@tnsalias]

create or replace function get_site2pstoretoken(p_req in varchar2, p_cancel in varchar2)
return varchar2 is
  v_site2pstoretoken varchar2(4032);
  v_requested_url    varchar2(4032);
  v_cancel_url       varchar2(4032);
begin
  -- if requested url and cancel url are null, specify defaults
  v_requested_url := nvl(p_req, 'http://www-apps.us.oracle.com:1100/owa/3rdpartysite/index_metalink.html');
  v_cancel_url    := nvl(p_cancel, 'http://www-apps.us.oracle.com:1100/owa/3rdpartysite/index.html');
  -- generate site2pstoretoken for the Portal site
  v_site2pstoretoken := wwsec_sso_enabler.generate_redirect(
      p_lsnr_token    => 'ap608opsadm.us.oracle.com:18670',
      p_url_requested => v_requested_url,
      p_url_cancel    => v_cancel_url);
  return v_site2pstoretoken;
end;
/

4.1.3.1.5 Retrieve the login URL for the Partner Application

SQL> set serveroutput on
SQL> exec dbms_output.put_line(length(get_site2pstoretoken(null,null)));
SQL> declare
       myVar varchar2(100);
     begin
       myVar := substr(get_site2pstoretoken(null,null),0,100);
       dbms_output.put_line(myVar);
     end;
     /


4.2 Integrating Oracle E-Business Suite with Oracle Internet Directory Server

Refer Appendix A for registering Oracle E-Business Suite R12 with Oracle Internet Directory Server Release 10g.

This section describes more on how to configure an Oracle E-Business Suite Release 12.0 instance as a provisioning integrated application with Oracle Internet Directory Release 10g, so as to achieve user information synchronization between the E-Business Suite and the Oracle Internet Directory Server.


4.2.1 Oracle Internet Directory Provisioning Integration Service

Bidirectional provisioning between Oracle E-Business Suite and Oracle Internet Directory is built on the Oracle Directory Integration Platform, whose Provisioning Integration Service automatically propagates account creations and changes of user attributes between the two systems. The provisioning between each Oracle E-Business Suite instance and Oracle Internet Directory is controlled by a provisioning profile.

When changes made in Oracle Internet Directory match an application's provisioning profile event criteria, the Provisioning Integration Service sends the relevant new data to that application. In the other direction, the Provisioning Integration Service filters the changes coming from an application according to the permitted-events criteria of the application's provisioning profile, and transmits the applicable ones to Oracle Internet Directory.

The provisioning profile is highly customizable. It is configured in one of two ways:

Using oidprovtool, shipped with Oracle Application Server 10g; or

Instantiating an LDIF template file with the values for the particular deployment and loading it into Oracle Internet Directory with the ldapmodify command. This method can also be used on an iAS 1.0.2.2.2 instance on which Oracle E-Business Suite runs.

A number of sample template files are shipped with the Oracle E-Business Suite Release 12.0. These can be located at <FND_TOP>/admin/templates.


4.2.2 Oracle Internet Directory Subscription List

Oracle Internet Directory maintains a subscription list for each Oracle E-Business Suite instance that has registered with it. The subscription list holds all Single Sign-On user accounts that need to access the associated Oracle E-Business Suite instance. Oracle Internet Directory and the associated Oracle E-Business Suite instance jointly maintain the accuracy of the subscription list.

$ORACLE_HOME/ldap/odi/bin/provsubtool.orc manages application-specific subscription lists in Oracle Internet Directory. Users can be added to or removed from an application's subscription list in bulk (batch) mode from a file, or individually. For example:

provsubtool ldap_host=myldap.oracle.com ldap_port=389 app_dn="orclapplicationcommonname=Financials,cn=EBusiness,cn=Products,cn=OracleContext,dc=ganseycorp,dc=com" realm_dn="dc=orclcorp,dc=com" list_name=ACCOUNTS operation=ADD file_name=subscr_members.lst file_type=0 app_pwd=test123

The operation can be ADD, REMOVE or LIST.

4.2.3 Oracle Internet Directory Provisioning Service Events

The OID server uses the following four provisioning events for user synchronization.

IDENTITY_ADD - Either Oracle E-Business Suite or Oracle Internet Directory generates this event when a new user is created. If the event is enabled in the Oracle E-Business Suite to Oracle Internet Directory direction, Oracle Internet Directory, on receiving it, creates an Oracle Single Sign-On account and adds that account to the subscription list of the Oracle E-Business Suite Release 12 instance. In the other direction, if the event is enabled from Oracle Internet Directory to E-Business Suite and the profile option 'Applications SSO Enable OID Identity Add Event' is 'Enabled', it has the same effect as a SUBSCRIPTION_ADD event generated by Oracle Internet Directory.

IDENTITY_MODIFY - Either Oracle Internet Directory or Oracle E-Business Suite generates this event when a user account is modified. If the event is enabled in a direction, the receiving system applies the modification to its copy of the account.

IDENTITY_DELETE - Oracle Internet Directory generates this event when an Oracle Single Sign-On account is deleted. If the event is enabled in the Oracle Internet Directory to Oracle E-Business Suite direction, the Oracle E-Business Suite instance that receives it end-dates (rather than deletes) the application account linked to the Oracle Single Sign-On account.

SUBSCRIPTION_ADD - When a Single Sign-On account is created in Oracle Internet Directory and subsequently added to the subscription list of an Oracle E-Business Suite instance, Oracle Internet Directory generates a SUBSCRIPTION_ADD event. If the event is enabled in the Oracle Internet Directory to Oracle E-Business Suite direction, a new application account is created and linked to the Single Sign-On account. When Oracle Internet Directory receives an IDENTITY_ADD event from an Oracle E-Business Suite instance, it adds the user to the subscription list of that instance. When Link-on-the-Fly is performed on an Oracle E-Business Suite instance, the instance sends a SUBSCRIPTION_ADD event to Oracle Internet Directory. When an IDENTITY_MODIFY event is generated in Oracle Internet Directory, Oracle Internet Directory checks the subscription lists of all registered Oracle E-Business Suite instances and sends the event only to those instances on whose subscription list the modified user appears.


The direction of event propagation can be one-directional (OID to E-Business Suite, or E-Business Suite to OID) or bidirectional. For each direction and each event type, the list of provisioned attributes can be customized as required (removing an attribute from the list stops that attribute from being sent).

By default, Oracle Internet Directory sends out provisioning events every 60 seconds; this interval can be increased or decreased with oidprovtool, or by editing the orclodipprofileschedule attribute value in the provisioning template.
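As an added illustration (not Oracle code and not part of the original whitepaper), the following Python model encodes the routing rules stated above for the four events: the profile direction, the per-event enable flags, the 'Applications SSO Enable OID Identity Add Event' profile option, the subscription-list filter on OID-to-E-Business Suite events, and the side effects of each event (account creation and linking, modification, end-dating). The two instances, the user, the GUID and the attribute values are constructed for the example; the model keeps everything in memory and does not talk to a directory. One detail is an assumption: that an OID-generated IDENTITY_ADD accepted by an instance also puts the user on that instance's subscription list, as a SUBSCRIPTION_ADD would.

```python
from dataclasses import dataclass, field

INBOUND, OUTBOUND, BOTH = "INBOUND", "OUTBOUND", "BOTH"  # INBOUND = EBS -> OID, OUTBOUND = OID -> EBS


@dataclass
class EbsInstance:
    """A registered E-Business Suite instance and its provisioning profile (constructed model)."""
    app_dn: str
    mode: str                       # INBOUND, OUTBOUND or BOTH
    events: frozenset               # event names enabled in the profile
    oid_identity_add: bool = False  # profile option 'Applications SSO Enable OID Identity Add Event'
    accounts: dict = field(default_factory=dict)  # application accounts: user -> attributes
    received: list = field(default_factory=list)  # (event, user) pairs actually delivered

    def accepts(self, direction, event):
        return self.mode in (direction, BOTH) and event in self.events

    def deliver(self, event, user, attrs):
        """Apply an OID -> EBS event with the side effects described in 4.2.3."""
        self.received.append((event, user))
        if event in ("SUBSCRIPTION_ADD", "IDENTITY_ADD"):
            # new application account, linked to the SSO account through its GUID
            self.accounts.setdefault(user, {"orclguid": attrs["orclguid"], "end_dated": False})
        elif event == "IDENTITY_MODIFY" and user in self.accounts:
            self.accounts[user].update(attrs)
        elif event == "IDENTITY_DELETE" and user in self.accounts:
            self.accounts[user]["end_dated"] = True  # end-dated, the account row is not removed


@dataclass
class Oid:
    """Oracle Internet Directory plus the Provisioning Integration Service (constructed model)."""
    instances: list
    sso_accounts: dict = field(default_factory=dict)   # user -> attributes
    subscriptions: dict = field(default_factory=dict)  # app_dn -> set of subscribed users

    def _subscribe(self, inst, user):
        self.subscriptions.setdefault(inst.app_dn, set()).add(user)

    def subscribe(self, inst, user):
        """Putting a user on an instance's list (e.g. with provsubtool) raises SUBSCRIPTION_ADD to it."""
        self._subscribe(inst, user)
        if inst.accepts(OUTBOUND, "SUBSCRIPTION_ADD"):
            inst.deliver("SUBSCRIPTION_ADD", user, self.sso_accounts[user])

    def raise_event(self, event, user, attrs=None):
        """An event generated inside OID (DAS, ldapmodify, deletion of an SSO account)."""
        attrs = attrs or {}
        if event == "IDENTITY_ADD":
            self.sso_accounts[user] = dict(attrs)
            for inst in self.instances:
                # delivered only where the profile AND the EBS profile option allow it; it then acts
                # like SUBSCRIPTION_ADD, so the user is also put on that instance's list (assumed)
                if inst.accepts(OUTBOUND, "IDENTITY_ADD") and inst.oid_identity_add:
                    self._subscribe(inst, user)
                    inst.deliver("IDENTITY_ADD", user, self.sso_accounts[user])
            return
        if event == "IDENTITY_MODIFY":
            self.sso_accounts[user].update(attrs)
        elif event == "IDENTITY_DELETE":
            self.sso_accounts.pop(user, None)
        # MODIFY and DELETE reach only the instances whose subscription list holds the user
        for inst in self.instances:
            if user in self.subscriptions.get(inst.app_dn, ()) and inst.accepts(OUTBOUND, event):
                inst.deliver(event, user, attrs)

    def from_ebs(self, inst, event, user, attrs):
        """An event sent by an E-Business Suite instance; False when its profile filters it out."""
        if not inst.accepts(INBOUND, event):
            return False
        if event == "IDENTITY_ADD":
            self.sso_accounts[user] = dict(attrs)  # SSO account created in OID ...
            self._subscribe(inst, user)            # ... and subscribed to the originating instance
        elif event == "IDENTITY_MODIFY" and user in self.sso_accounts:
            self.sso_accounts[user].update(attrs)
        elif event == "SUBSCRIPTION_ADD":          # sent by Link-on-the-Fly
            self._subscribe(inst, user)
        return True


def demo():
    """Walk one constructed user through the event flow; returns the model for inspection."""
    all_events = frozenset({"IDENTITY_ADD", "IDENTITY_MODIFY", "IDENTITY_DELETE", "SUBSCRIPTION_ADD"})
    fin = EbsInstance("orclApplicationCommonName=FIN,cn=EBusiness,cn=Products,cn=OracleContext,dc=example,dc=com",
                      BOTH, all_events, oid_identity_add=True)
    hr = EbsInstance("orclApplicationCommonName=HR,cn=EBusiness,cn=Products,cn=OracleContext,dc=example,dc=com",
                     OUTBOUND, frozenset({"IDENTITY_MODIFY", "IDENTITY_DELETE"}))
    oid = Oid([fin, hr])
    # 1. user registered in FIN: SSO account created in OID and subscribed to FIN only
    fin.accounts["JSMITH"] = {"orclguid": "A1", "end_dated": False}
    oid.from_ebs(fin, "IDENTITY_ADD", "JSMITH", {"orclguid": "A1", "mail": "j@example.com"})
    # 2. HR's profile is OUTBOUND only, so anything HR tries to send is filtered
    hr_sent = oid.from_ebs(hr, "IDENTITY_MODIFY", "JSMITH", {"mail": "x@example.com"})
    # 3. mail changed in OID: only FIN is on the subscription list, HR receives nothing
    oid.raise_event("IDENTITY_MODIFY", "JSMITH", {"mail": "jsmith@example.com"})
    # 4. HR's profile lacks SUBSCRIPTION_ADD: subscribing JSMITH creates no HR account ...
    oid.subscribe(hr, "JSMITH")
    # 5. ... but HR is now subscribed, so the delete reaches it; FIN's account is end-dated
    oid.raise_event("IDENTITY_DELETE", "JSMITH")
    return oid, fin, hr, hr_sent
```

The point of steps 3 to 5 is the one that matters operationally: a modification or deletion in OID is invisible to an E-Business Suite instance until the user is on its subscription list, and being on the list creates nothing in that instance unless the profile also carries the creation event.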

4.2.4 Creating a profile from a provisioning template

Creating the provisioning profile consists of the following steps:

4.2.4.1. Create a suitable template based on the deployment choices. Refer to the sample templates shipped in <FND_TOP>/admin/templates.

4.2.4.2. Instantiate the template with deployment-specific values to generate an LDIF file.

4.2.4.3. Load the LDIF file into Oracle Internet Directory using the ldapmodify command. Once the LDIF file is loaded, Oracle Internet Directory starts sending provisioning events to, and polling events from, the Oracle E-Business Suite instance for which the profile was created. The provisioning service takes approximately two minutes to detect that a new profile has been added or an existing one has changed.

Sample templates in <FND_TOP>/admin/templates and their usage:

ProvAppsToOID.tmp - Creates an Oracle E-Business Suite to Oracle Internet Directory (INBOUND) profile with CREATION, MODIFICATION and DELETION events. Use it when user creation and update synchronization should happen only from FND to OID.

ProvBiDiNoCreation.tmp - Creates a bidirectional profile with MODIFICATION and DELETION events only. Use it to synchronize user updates in both directions between FND and OID without propagating user creations, in particular creations made in FND, to OID.

ProvBiDirection.tmp - The default template. Creates a bidirectional (BOTH) provisioning profile with CREATION, MODIFICATION and DELETION events, so that user creations and updates are synchronized in both directions between FND and OID.

ProvOIDToApps.tmp - Creates an Oracle Internet Directory to Oracle E-Business Suite (OUTBOUND) profile with CREATION, MODIFICATION and DELETION events. Use it when user creation and update synchronization should happen only from OID to FND.

If the Oracle E-Business Suite instance only needs to send events to Oracle Internet Directory, create an INBOUND provisioning profile.

If the Oracle E-Business Suite instance only needs to receive provisioning events from Oracle Internet Directory, create an OUTBOUND profile.

If provisioning events may need to flow in both directions, create a bidirectional (BOTH) profile.


4.2.5 Directory Integration Processing(DIP) Server Logs and Provisioning Profile Logs

The main DIP log file is $ORACLE_HOME/ldap/log/odisrv<instance number>.log, where <instance number> is the unique integer id of the DIP server instance.

The provisioning profile logs are located in the $ORACLE_HOME/ldap/odi/log directory.

Each log file name is of the form:

<ApplicationName>_<RealmName>_[I/E].[trc/aud]

Where:

I = INBOUND provisioning event (from Oracle E-Business Suite to Oracle Internet Directory)

E = OUTBOUND provisioning event (from Oracle Internet Directory to Oracle E-Business Suite)

.trc = Trace file, which grows until it reaches about 10 MB. When that happens, the current trace file is backed up (with a timestamp appended to its name) and a new trace file is started.

.aud = Audit file, which records all events since the profile was created and therefore grows without bound. This file must be archived periodically.
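As an added example (not part of the whitepaper or of the DIP tooling), a small Python parser for the profile log names described above, plus a check that picks out the live audit files that have outgrown a size limit, since nothing rotates them. The directory listing is constructed; the exact form of the timestamp appended to a backed-up trace file, and the assumption that a realm name contains no underscore while an application name may, are both assumptions of this example.

```python
import re

# <ApplicationName>_<RealmName>_[I/E].[trc/aud], optionally followed by the timestamp a backed-up trace gets.
# Assumption: the realm name carries no underscore; the application name may (hence the greedy group).
_LOG_NAME = re.compile(r"^(?P<app>.+)_(?P<realm>[^_]+)_(?P<dir>[IE])\.(?P<kind>trc|aud)(?P<suffix>.*)$")

DIRECTION = {"I": "INBOUND (E-Business Suite -> OID)", "E": "OUTBOUND (OID -> E-Business Suite)"}


def parse_dip_log_name(name):
    """Split a provisioning-profile log name into its parts; None when the name is not a profile log."""
    m = _LOG_NAME.match(name)
    if not m:
        return None
    return {"application": m["app"], "realm": m["realm"], "direction": DIRECTION[m["dir"]],
            "kind": "trace" if m["kind"] == "trc" else "audit",
            "rotated": m["suffix"] != ""}  # a backed-up trace copy carries the appended timestamp


def audit_files_to_archive(listing, limit_bytes):
    """Audit files never rotate: return (name, size) for the live ones past limit_bytes, largest first."""
    hits = []
    for name, size in listing.items():
        parts = parse_dip_log_name(name)
        if parts and parts["kind"] == "audit" and not parts["rotated"] and size > limit_bytes:
            hits.append((name, size))
    return sorted(hits, key=lambda t: -t[1])


# Constructed listing of $ORACLE_HOME/ldap/odi/log (file name -> size in bytes)
SAMPLE_LISTING = {
    "Financials_us_I.trc": 4_200_000,
    "Financials_us_I.trc.20060110113005": 10_485_760,  # backed-up trace; timestamp suffix form assumed
    "Financials_us_E.aud": 312_000_000,
    "Financials_us_I.aud": 9_000_000,
    "HR_Payroll_us_E.aud": 48_000_000,                 # underscore inside the application name
    "odisrv01.log": 1_000,                             # DIP server log, not a profile log
}
```

Running audit_files_to_archive(SAMPLE_LISTING, 40_000_000) returns the two outbound audit files above 40 MB, largest first; the DIP server log and the backed-up trace copy are ignored.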

4.2.6 Sample Template file

4.2.7 Migrating Data between Oracle E-Business Suite Release 12 and Oracle Internet Directory

4.2.7.1 Migrating Existing Application Accounts in Oracle E-Business Suite Release 12 to Oracle Internet Directory


4.2.7.1.1. For all users who should not be migrated, set one of the following profile options at user level:

"Applications SSO LDAP Synchronization" (APPS_SSO_LDAP_SYNC) set to 'N', which marks the account as not to be synchronized with Oracle Internet Directory, so it is not migrated (the query in step 4.2.7.1.7.1 below selects for subscription only the accounts whose value is 'Y').

Or,

"Applications SSO Login Types" (APPS_SSO_LOCAL_LOGIN) set to 'LOCAL': an account whose user-level value is 'LOCAL' is not migrated.

4.2.7.1.2. Use AppsUserExport to extract application user information into an intermediate LDIF file.

The mapping between FND_USER columns and Oracle Internet Directory attributes is:

FND_USER column name          Oracle Internet Directory attribute name
user_name                     sn
description                   description
start_date                    orclActiveStartDate
start_date/end_date           orclIsEnabled
encrypted_user_password       userPassword
user_guid                     orclGuid
end_date                      orclActiveEndDate
email_address                 mail
fax                           facsimileTelephoneNumber

$APPL_TOP/java oracle.apps.fnd.oid.AppsUserExport [-v] -dbc <dbcfile> -o <outputfile> -pwd <apps schema pwd> -g [-l <logfile>]

where:

[-v]                  Runs in verbose mode
<dbcfile>             Full path to the Applications dbc file
<outputfile>          Intermediate LDIF file
<apps schema pwd>     APPS schema password
-g                    Create user GUIDs and copy them to OID
<logfile>             Log file (default is <outputfile>.log)

4.2.7.1.3. Converting AppsUserExport generated Intermediate LDIF File to final LDIF

4.2.7.1.3.1 Temporarily disable any provisioning profile whose profile mode is 'OUTBOUND' or 'BOTH' in OID, using oidprovtool as below.

oidprovtool operation=disable ldap_host=beta.ganseycorp.com ldap_port=3060 ldap_user_dn=cn=orcladmin ldap_user_password=l1ghth0use application_dn="orclApplicationCommonName=beta,cn=EBusiness,cn=Products,cn=OracleContext,dc=us,dc=ganseycorp,dc=com" profile_mode=BOTH

4.2.7.1.3.2. As the Oracle Internet Directory administrator, run ldifmigrator to substitute the following two variables in the LDIF file:

s_UserContainerDN - DN of the entry under which all users are added, for example cn=users,dc=us,dc=oracle,dc=com

s_UserNicknameAttribute - The nickname attribute used for user entries in the realm, for example uid

For example:

ldifmigrator "input_file=data.txt" "output_file=data.ldif" "s_UserContainerDN=cn=users,dc=us,dc=oracle,dc=com" "s_UserNicknameAttribute=uid"

4.2.7.1.4. Stop the OID processes before using the bulkload utility to load the ldif file.

$ORACLE_HOME/opmn/bin/opmnctl stopall

4.2.7.1.5. Loading LDIF file into Oracle Internet Directory using 'bulkload'

4.2.7.1.5.1. Run the bulkload utility with the -check option to verify that there are no duplicate users.

For example:

bulkload.sh -connect <connect string> -check <fully qualified path to ldif file>

4.2.7.1.5.2. Check the log file for duplicate users. If the log file indicates duplicate users, manually remove these users from the ldif file.

4.2.7.1.5.3. Rerun the bulkload utility with the -check option to verify that all duplicates have been removed.

4.2.7.1.5.4. Once all duplicates are removed, run the bulkload utility without the -check option to load the users.

For example:

bulkload.sh -connect <connect string> -generate -load <fully qualified path to the ldif file>

4.2.7.1.6. Instead of bulkload(Steps 4.2.7.1.5.1-4.2.7.1.5.4), for small amounts of data, you may also use the ldapadd tool.

For example:

ldapadd -h <ldaphost> -p <ldapport> -D "cn=orcladmin" -w <password> -f data.ldif -v

4.2.7.1.7. The bulkload tool does not automatically subscribe the loaded users to the E-Business Suite instance. To add these users to the subscription list of this E-Business Suite instance, follow the steps below.

4.2.7.1.7.1. Save the output of the following query to a text file (one user name per line):

select user_name
  from fnd_user
 where fnd_profile.value_specific('APPS_SSO_LOCAL_LOGIN', user_id) <> 'LOCAL'
   and fnd_profile.value_specific('APPS_SSO_LDAP_SYNC', user_id) = 'Y';

4.2.7.1.7.2. Run provsubtool as mentioned in the section titled "Oracle Internet Directory Subscription List".
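As an added example (not Oracle's AppsUserExport, ldifmigrator, bulkload or provsubtool), the following Python code walks constructed FND_USER rows through the data transformations of steps 4.2.7.1.1 to 4.2.7.1.7: it drops the accounts that must not be migrated using the same predicate as the query above (APPS_SSO_LOCAL_LOGIN = 'LOCAL' or APPS_SSO_LDAP_SYNC = 'N'), maps the FND_USER columns to OID attributes per the table in step 4.2.7.1.2, leaves the container DN and nickname attribute as substitution variables and then resolves them the way ldifmigrator does, reports DNs that occur twice (what bulkload -check would flag), and produces the member list for provsubtool. The rows, dates and GUIDs are made up, the password value is an opaque stand-in, and the %s_UserContainerDN% / %s_UserNicknameAttribute% placeholder syntax, the object classes, the GeneralizedTime rendering of DATE columns and the rule for deriving orclIsEnabled from start_date/end_date are assumptions of this example.

```python
import base64
from datetime import date

# ldifmigrator substitution variables left in the intermediate file (placeholder syntax assumed)
CONTAINER_VAR, NICK_VAR = "%s_UserContainerDN%", "%s_UserNicknameAttribute%"

# FND_USER column -> OID attribute, from the table in step 4.2.7.1.2;
# the date columns and orclIsEnabled are derived separately below
ATTR_MAP = {"user_name": "sn", "description": "description", "encrypted_user_password": "userPassword",
            "user_guid": "orclGuid", "email_address": "mail", "fax": "facsimileTelephoneNumber"}


def to_migrate(row):
    """Same predicate as the query in step 4.2.7.1.7.1: no LOCAL logins, no accounts with LDAP sync off."""
    return row.get("APPS_SSO_LOCAL_LOGIN") != "LOCAL" and row.get("APPS_SSO_LDAP_SYNC", "Y") == "Y"


def ldif_line(attr, value):
    """One LDIF attribute line; base64 ('::') when the value is not safe ASCII or starts with ' ', ':' or '<'."""
    s = str(value)
    if not s.isascii() or s[:1] in (" ", ":", "<") or "\r" in s or "\n" in s:
        return f"{attr}:: {base64.b64encode(s.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {s}"


def gtime(d):
    return d.strftime("%Y%m%d%H%M%SZ")  # LDAP GeneralizedTime; UTC midnight assumed for DATE columns


def export_intermediate(rows, today):
    """AppsUserExport-like step: one entry per migratable row, DN still parameterised for ldifmigrator."""
    entries = []
    for row in rows:
        if not to_migrate(row):
            continue
        name = row["user_name"]
        lines = [f"dn: {NICK_VAR}={name},{CONTAINER_VAR}", "changetype: add",
                 "objectclass: inetOrgPerson", "objectclass: orclUserV2",  # object classes assumed
                 f"{NICK_VAR}: {name}", f"cn: {name}"]
        lines += [ldif_line(attr, row[col]) for col, attr in ATTR_MAP.items() if row.get(col) is not None]
        start, end = row.get("start_date"), row.get("end_date")
        if start:
            lines.append(f"orclActiveStartDate: {gtime(start)}")
        if end:
            lines.append(f"orclActiveEndDate: {gtime(end)}")
        active = (start is None or start <= today) and (end is None or end > today)  # rule assumed
        lines.append("orclIsEnabled: " + ("ENABLED" if active else "DISABLED"))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def migrate(ldif, container_dn, nickname_attr):
    """ldifmigrator step: resolve s_UserContainerDN and s_UserNicknameAttribute."""
    return ldif.replace(CONTAINER_VAR, container_dn).replace(NICK_VAR, nickname_attr)


def duplicate_dns(ldif):
    """What bulkload -check reports: a DN occurring more than once (DN comparison is case-insensitive)."""
    seen, dups = set(), set()
    for line in ldif.splitlines():
        if line.lower().startswith("dn: "):
            dn = line[4:].strip().lower()
            (dups if dn in seen else seen).add(dn)
    return sorted(dups)


def subscription_members(rows):
    """Lines of subscr_members.lst for provsubtool (step 4.2.7.1.7): the same users that were exported."""
    return [r["user_name"] for r in rows if to_migrate(r)]


def fnd_row(user_name, **overrides):
    """Constructed FND_USER row with user-level profile values; the password is an opaque stand-in."""
    base = {"user_name": user_name, "description": None, "start_date": date(2005, 1, 1), "end_date": None,
            "encrypted_user_password": "b3BhcXVl", "user_guid": None, "email_address": None, "fax": None,
            "APPS_SSO_LOCAL_LOGIN": "BOTH", "APPS_SSO_LDAP_SYNC": "Y"}
    return {**base, **overrides}


SAMPLE_ROWS = [
    fnd_row("JSMITH", description="Jörg Smith", user_guid="1A2B3C", email_address="jsmith@example.com"),
    fnd_row("ADMINLOCAL", APPS_SSO_LOCAL_LOGIN="LOCAL"),  # stays a local login: not migrated
    fnd_row("NOSYNC", APPS_SSO_LDAP_SYNC="N"),            # sync switched off at user level: not migrated
    fnd_row("OLDUSER", start_date=date(2004, 3, 1), end_date=date(2005, 12, 31), fax="+1 555 0100"),
    fnd_row("jsmith", description="case variant that collides with JSMITH on the DN"),
]


def run(rows=SAMPLE_ROWS, today=date(2006, 1, 15), container_dn="cn=users,dc=us,dc=oracle,dc=com", nickname_attr="uid"):
    final = migrate(export_intermediate(rows, today), container_dn, nickname_attr)
    return {"ldif": final, "duplicates": duplicate_dns(final), "members": subscription_members(rows)}
```

run() yields three entries (JSMITH, OLDUSER, jsmith), a DISABLED flag only for the end-dated OLDUSER, a base64-encoded description for the non-ASCII name, and one duplicate DN: JSMITH and jsmith differ as FND user names but collapse to the same uid DN, which is exactly the kind of collision step 4.2.7.1.5.2 asks you to resolve by hand before the real load.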

4.2.7.2 Migrating Existing Accounts from Oracle Internet Directory to Oracle E-Business Suite Release 12

4.2.7.2.1. Export Oracle Internet Directory users into LDIF file using ldifwrite

Syntax: ldifwrite -c <db connect string> -b <base dn> -f <LDIF file>

Example: ldifwrite -c asdb -b "cn=Users,dc=us,dc=oracle,dc=com" -f output.ldif

4.2.7.2.2. Import LDAP Users into Oracle E-Business Suite using LDAPUserImport

$APPL_TOP/java oracle.apps.fnd.oid.LDAPUserImport [-v] -dbc <dbcfile> -f <ldiffile> -n <nicknameattribute> [-l <logfile>]

where:

[-v]                   Runs in verbose mode
<dbcfile>              Full path to the Applications dbc file
<ldiffile>             The LDIF file
<nicknameattribute>    Name of the attribute used as the nickname attribute in OID
<logfile>              The log file (default is LDAPUserImport.log)

For example:

$APPL_TOP/java oracle.apps.fnd.oid.LDAPUserImport -v -dbc $FND_TOP/secure/myebiz.dbc -f users.ldif -n uid -l users.log


If an OID user already exists in the E-Business Suite instance, the duplicate record is ignored, the log file is updated with a reference to it, and processing continues with the next OID record.

4.2.8 E-Business Suite User Data Synch up to OID – Synchronous and Asynchronous

IBE_USER_PVT.create_user
 |-> FND_USER_PKG.createPendingUser
      |-> FND_USER_PKG.createUserIdParty
           |-> FND_USER_PKG.createUserIdInternal
                |-> FND_WEB_SEC.create_user
                |    |-> Insert into FND_USER
                |-> FND_LDAP_WRAPPER.create_user
                |    |-> FND_LDAP_USER.create_user
                |         |-> FND_LDAP_USER.create_user
                |              |-> FND_SSO_REGISTRATION.is_operation_allowed
                |              |-> FND_LDAP_USER.create_user
                |                   |-> FND_LDAP_USER.create_user_nodes
                |                   |-> FND_LDAP_USER.create_user_subscription
                |-> FND_USER_PKG.updateUserInternal
                |    |-> update fnd_user for GUID, start_date, end_date as GMISS_DATE
                |-> FND_USER_PKG.user_synch
                     |-> Raise oracle.apps.global.user.change event
                          |-> WF_OID.user_change
                               |-> FND_OID_UTIL.entity_changes
                                    |-> Raise IDENTITY_MODIFY event

FND_LDAP_WRAPPER.create_user creates the user name in OID synchronously and then adds it to the subscription list of this E-Business Suite instance maintained by the Directory Provisioning Integration Service. Note: this synchronous OID user-creation API requires the DBMS_LDAP package to be installed in the E-Business Suite database instance, as mentioned in Section 4.1.2.2.

FND_USER_PKG.user_synch raises the oracle.apps.global.user.change business event. Its subscription WF_OID.user_change runs synchronously and queues an IDENTITY_MODIFY event for OID; the queued event itself is processed asynchronously.

4.2.9 Synchronizing the Third-Party Repository with Oracle Internet Directory

Organizations that have standardized on third-party Lightweight Directory Access Protocol (LDAP) directories can optionally integrate them with Oracle Internet Directory, which synchronizes with third-party metadirectory solutions.

[Figure: triggers, synchronous subscription, OID Provisioning Integration Layer]


4.3 Implementing Central Registration Provisioning System for Oracle E-Business Suite

Steps needed to set up CAPS registration

Pre-requisite: the environment must already be SSO-enabled and integrated with the OID server for user synchronization.

1. Prepare a JSP, say demo_umx_oid_reg.jsp, that displays the UI for central registration, validates the fields, and calls the API of step 2 to create the user.

2. Create a Java API that accepts the fields captured in the UI and creates the user name in OID. ORACLE_HOME/jlib/ldapjclnt10.jar contains the utility APIs to create the user in OID, where ORACLE_HOME is the Oracle Application Server 10g installation home directory.

A Sample java class to create the user details is provided below.

import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

import oracle.ldap.util.LDIF;
import oracle.ldap.util.ModPropertySet;
import oracle.ldap.util.RootOracleContext;
import oracle.ldap.util.Subscriber;
import oracle.ldap.util.User;
import oracle.ldap.util.Util;
import oracle.ldap.util.UtilException;
import oracle.ldap.util.jndi.ConnectionUtil;

public class MyOIDUserManager {

    // The host name and port of the OID server used for EBS integration
    static String ldap_host = "152.69.162.108";
    static String ldap_port = "389";

    // The DN and password of the super user in the OID server used for EBS integration.
    // This sample binds as orcladmin with a hard-coded password. A deployment should bind as a
    // dedicated account that is only allowed to create users in the realm, and read the
    // password from protected configuration rather than from the class.
    static String ldap_suname = "cn=orcladmin,cn=users, dc=69,dc=162,dc=108";
    static String ldap_supwd = "welcome1";

    public static void createUser(String firstName, String email, String uname, String pwd)
            throws UtilException, NamingException {
        InitialDirContext ctx = ConnectionUtil.getDefaultDirCtx(ldap_host, ldap_port, ldap_suname, ldap_supwd);
        try {
            // Using RootOracleContext to fetch the default realm (subscriber)
            Subscriber sub = new RootOracleContext(ctx).getSubscriber(ctx, Util.IDTYPE_DEFAULT, null, new String[] {"*"});

            // Create a ModPropertySet object to define all the attributes and their values.
            ModPropertySet mps = new ModPropertySet();

            // required attributes
            mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "cn", uname);
            // sn is mandatory for a person entry; the sample hard-codes it, a real form should collect it
            mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "sn", "test");
            mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "uid", uname);
            mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "userpassword", pwd);

            // optional attributes, only added when the form supplied them
            if (firstName != null) mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "givenName", firstName);
            if (email != null)     mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "mail", email);

            // Create the user with the ModPropertySet just defined
            User newUser = sub.createUser(ctx, mps, true);
        } finally {
            ctx.close();   // always release the LDAP connection
        }
    }
}

3. Prepare a new WAR file, say webapp.war, containing the display JSP demo_umx_oid_reg.jsp and the associated images, with the compiled class MyOIDUserManager under the WEB-INF folder (WEB-INF/classes).

4. On an Application Server 10g instance (preferably the one where the OID server is deployed), create an OC4J instance named UMX_REGISTRATION, deploy the web application webapp.war in that instance and start the OC4J instance. Deployment parameters:

      Application Name: OIDSync
      Map to URL: /OIDSync

5. Set the profile option "Oracle Applications Central Registration URL" (APPS_CENTRAL_REGISTER_URL) to:

http://<hostname of the OID server>:<port number>/<URL the application is mapped to, e.g. OIDSync>/demo_umx_oid_reg.jsp?doneURL=:UMX_TARGET&cancelURL=:UMX_CANCEL

6. Restart the Apps Apache listener.

7. Test the CAPS setup: click the Register link in iStore and proceed to CAPS registration. Enter the necessary details and create the user. The user should be created in OID; depending on the provisioning profile in place, the user details are then synchronized to FND.


4.4 Acronyms

Acronym    Expanded meaning
SSO        Single Sign On
OID        Oracle Internet Directory
CAPS       Central Account Provisioning System
DAS        Delegated Administration Services: proxy-based administration of OID directory information by users and application administrators