The Single Sign On (SSO) Server provides the mechanism for users to log on to Oracle Portal and Oracle Application Server applications with a single username and password. Once the credentials have been authenticated against the SSO server, the authenticated session is held in the user's browser as an SSO cookie. The components of Single Sign On (SSO) for Oracle 10gAS are the mod_osso module, which runs in the OHS (Oracle HTTP Server), Oracle's version of the popular Apache 1.3 web server, together with metadata in the Oracle 10gAS infrastructure database.
How to Configure Single Sign On Server (SSO) for Oracle 10g Application Server
Our examples use the Oracle 10gAS (10.1.2.0.2) release on the Linux (OEL 5.3) platform.
The Single Sign On Server provides many customization options for both partner and external applications. Partner applications are authenticated directly from within Oracle 10gAS, while external applications keep their own username and password authentication, which is registered with the SSO server. Portal, for example, is a partner application.
We have a few options here: POST, GET, or BASIC AUTHENTICATION. A brief explanation of the three methods follows.
- POST allows data to be posted to the Single Sign On (SSO) server and submits the login credentials within the body of the application form.
- GET presents the page request to the server and submits the login credentials in the application part of the URL.
- BASIC AUTHENTICATION submits the login credentials within the application's URL protected by HTTP basic authentication.
How to Access SSO Server from Oracle Portal
During installation of a mid-tier application server instance with Portal, Oracle automatically adds Portal as a new partner application for SSO, so the SSO server can be accessed from Portal. To reach it, choose the second main section, Edit SSO Server Administration.
Single Sign On is simple to configure and administer. It is easier to manage and set up than the far more complex components of Oracle Identity Management, such as OID and SSL, which require many more steps. To monitor SSO server components from the operating system, we can use the OPMN (Oracle Process Monitor and Notification) facility. The command to obtain a status check for all of the Oracle 10gAS components is opmnctl status, as shown in the following example.
Here we want to make sure that OC4J_SECURITY, OID, and OC4J_Portal are in Alive status, or the SSO Server will not function correctly. We will provide future discussions on Oracle Fusion Middleware topics: troubleshooting Oracle 10gAS, Web Cache, performance tuning, additional Identity Management topics, and coverage of the newest member of the Oracle Application Server family, WebLogic.
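The status check described above can be scripted so that the Alive test for the three components is repeatable rather than read off the screen. The script below is an added example, not part of the original post or of Oracle's tooling: it parses the table that opmnctl status prints and fails if OC4J_SECURITY, OID or OC4J_Portal is missing or not Alive. The two sample outputs are constructed to mimic the opmnctl status table layout (ias-component | process-type | pid | status) and are not captured from a real instance; pass --live to run it against the real opmnctl on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the OPMN-managed
# components SSO depends on report "Alive" in `opmnctl status` output.

# Components that must be Alive for SSO to work (the three named in the post).
REQUIRED_COMPONENTS="OC4J_SECURITY OID OC4J_Portal"

# Constructed sample output: everything SSO needs is healthy.
SAMPLE_HEALTHY='Processes in Instance: infra.mw.localdomain
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
OC4J               | OC4J_SECURITY      |   12345 | Alive
OID                | OID                |   12346 | Alive
OC4J               | OC4J_Portal        |   12347 | Alive
HTTP_Server        | HTTP_Server        |   12348 | Alive'

# Constructed sample output: OID has stopped, so SSO cannot authenticate.
SAMPLE_OID_DOWN='Processes in Instance: infra.mw.localdomain
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
OC4J               | OC4J_SECURITY      |   12345 | Alive
OID                | OID                |     N/A | Down
OC4J               | OC4J_Portal        |   12347 | Alive
HTTP_Server        | HTTP_Server        |   12348 | Alive'

# status_of NAME OUTPUT: print the status column of the first row whose
# ias-component or process-type equals NAME (prints nothing if not listed).
status_of() {
    printf '%s\n' "$2" | awk -F'|' -v name="$1" '
        NF >= 4 {
            comp = $1; proc = $2; st = $4
            gsub(/^[ \t]+|[ \t]+$/, "", comp)
            gsub(/^[ \t]+|[ \t]+$/, "", proc)
            gsub(/^[ \t]+|[ \t]+$/, "", st)
            if (comp == name || proc == name) { print st; exit }
        }'
}

# components_not_alive OUTPUT: print each required component that is missing
# or not Alive as NAME:STATUS, one per line (empty output means all good).
components_not_alive() {
    out="$1"
    for c in $REQUIRED_COMPONENTS; do
        st=$(status_of "$c" "$out")
        [ "$st" = "Alive" ] || printf '%s:%s\n' "$c" "${st:-missing}"
    done
}

# check_sso_components OUTPUT: return 0 when every required component is
# Alive, otherwise list the problems and return 1.
check_sso_components() {
    bad=$(components_not_alive "$1")
    if [ -n "$bad" ]; then
        printf 'SSO prerequisite not met:\n%s\n' "$bad"
        return 1
    fi
    echo "All SSO components Alive"
    return 0
}

# Usage against a live instance (opmnctl must be on PATH): sh check_sso.sh --live
if [ "${1:-}" = "--live" ]; then
    check_sso_components "$(opmnctl status)"
fi
```

Matching on either the ias-component or the process-type column is deliberate: OC4J_SECURITY and OC4J_Portal appear as process types under the OC4J component, while OID is both the component and the process type.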
Interview Questions and Answers on SSO
SSO-Apps Integration expertise
Q. How do you find out whether your E-Business Suite is integrated with SSO/OID (10g Identity Management)?
- There are multiple ways to find out whether Apps 11i/R12 is integrated with SSO/OID:
a) Check if the SSOSDK schema exists (in Apps 11i/R12) and check the tables in the SSOSDK schema
b) Check if a log file exists at $OAD_TOP/rgf/$CONTEXT_NAME/sso
c) Check the profile option “Application SSO Types”
Q. If the Single Sign-On server and OID are down, can users still log in?
Yes, use local login.
Q. Name a few profile options w.r.t. SSO integration.
- Application SSO Types
- Application SSO login types
- Application SSO Auto link User
Q. Which SSO build version are you currently working with?
- Build 1, 2.1, 2.2, 3, 3.1, 4, 5, 6
Q. Which OID version did you use for the Apps-SSO/OID integration?
The latest certified OID version is 10.1.4.0.1 (other certified versions are 10.1.2.0.2 and 9.0.4).
Q. What was the direction of user synchronization?
- From OID to Apps
- Apps to OID
- Bidirectional
Q. What extra steps do you need to take after changing the APPS password in an SSO-integrated Apps instance?
- Update the provisioning profile in OID with the new APPS password
Q. If a newly created user is not able to log in, how will you troubleshoot?
- Check whether the user exists in both Apps (FND_USER) and OID (if not, check that user provisioning is working)
- If the user exists, check that the password in FND_USER is set to EXTERNAL (if it is set to LOCAL, the user should try AppsLocalLogin.jsp)
Q. A user is currently set to log in via SSO; what steps do you need to take to switch the user to local login (AppsLocalLogin.jsp)?
- Set the profile option “Applications SSO Login Types” to LOCAL or BOTH
- Reset the user's password using FNDCPASS
- Log in using the URL /OA_HTML/AppsLocalLogin.jsp
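The two questions above (a new user who cannot log in, and a user who must fall back to local login) share the same triage: is the user in FND_USER, is the user in OID, and is the FND_USER password EXTERNAL or a local password. The script below is an added example, not code from the original post or from Oracle: it runs the two lookups with sqlplus and the OID ldapsearch and turns the results into the next step from the checklist. The FND_USER columns USER_NAME, ENCRYPTED_USER_PASSWORD and END_DATE are standard; USER_GUID (the link to the OID entry) is assumed to be present on an SSO-integrated instance. The connect string, OID host/port and the users base DN are placeholders. The decision logic is a pure function, so the constructed rows in the usage notes exercise it without a database.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage for an EBS
# user who cannot log in through SSO, following the post's checklist.

APPS_CONNECT="${APPS_CONNECT:-apps/apps@VIS}"            # placeholder connect string
OID_HOST="${OID_HOST:-mw.localdomain}"                   # OID host (placeholder)
OID_PORT="${OID_PORT:-389}"                              # LDAP port used in the post
OID_USERS_BASE="${OID_USERS_BASE:-cn=Users,dc=example,dc=com}"  # placeholder realm

# query_fnd_user USER: print one row USER_NAME|PASSWORD_KIND|HAS_GUID|END_DATED
# from FND_USER, or nothing if the user does not exist. Requires sqlplus.
query_fnd_user() {
    sqlplus -s "$APPS_CONNECT" <<EOF
set heading off feedback off pagesize 0 verify off
select user_name || '|' ||
       case when encrypted_user_password = 'EXTERNAL' then 'EXTERNAL' else 'LOCAL' end || '|' ||
       case when user_guid is null then 'N' else 'Y' end || '|' ||
       case when end_date is not null and end_date <= sysdate then 'Y' else 'N' end
from fnd_user
where user_name = upper('$1');
exit
EOF
}

# query_oid_user USER: print the DN of the matching OID entry, if any.
# Requires the OID ldapsearch; anonymous search is assumed to be permitted.
query_oid_user() {
    ldapsearch -h "$OID_HOST" -p "$OID_PORT" -b "$OID_USERS_BASE" -s sub "(cn=$1)" dn \
        | sed -n 's/^dn: //p' | head -n 1
}

# diagnose FND_ROW OID_DN: map the two lookup results to the next action.
# Pure function: no database access, so it can be exercised offline.
diagnose() {
    row="$1"; oid_dn="$2"
    if [ -z "$row" ]; then
        if [ -z "$oid_dn" ]; then
            echo "MISSING_EVERYWHERE: create the user, then confirm provisioning"
        else
            echo 'NOT_PROVISIONED_TO_APPS: user exists in OID only; check the OID->Apps provisioning profile and $ORACLE_HOME/ldap/odi/log'
        fi
        return 0
    fi
    pw_kind=$(printf '%s' "$row" | cut -d'|' -f2)
    has_guid=$(printf '%s' "$row" | cut -d'|' -f3)
    end_dated=$(printf '%s' "$row" | cut -d'|' -f4)
    if [ "$end_dated" = "Y" ]; then
        echo "END_DATED: the FND_USER record is end-dated; re-activate it before anything else"
    elif [ -z "$oid_dn" ]; then
        echo "NOT_PROVISIONED_TO_OID: user exists in Apps only; check the Apps->OID provisioning profile"
    elif [ "$pw_kind" = "LOCAL" ]; then
        echo "LOCAL_PASSWORD: FND_USER password is not EXTERNAL; use /OA_HTML/AppsLocalLogin.jsp (profile Applications SSO Login Types must allow LOCAL or BOTH) or link the user to SSO"
    elif [ "$has_guid" = "N" ]; then
        echo "NO_GUID: user is in both stores but not linked (USER_GUID is null); check Applications SSO Auto Link User"
    else
        echo "LINKED_OK: Apps and OID records agree; look at the SSO server and mod_osso logs next"
    fi
}

# Live run: sh sso_user_triage.sh --check JSMITH
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    diagnose "$(query_fnd_user "$2")" "$(query_oid_user "$2")"
fi
```

Calling diagnose directly with constructed rows shows the branches: diagnose 'JSMITH|EXTERNAL|Y|N' 'cn=jsmith,cn=Users,dc=example,dc=com' reports LINKED_OK, diagnose 'JSMITH|LOCAL|N|N' with the same DN reports LOCAL_PASSWORD, and diagnose '' '' reports MISSING_EVERYWHERE. The end-date check comes first because an end-dated record fails both SSO and local login regardless of how the password is stored.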
Q. Where is the log file for Apps registration to SSO/OID?
$APPLRGF/sso ($COMMON_TOP/rgf/$CONTEXT_NAME/sso)
Q. Where is the log file for user provisioning?
On the OID node under $ORACLE_HOME/ldap/odi/log
Q. How do you clone an Oracle Apps (11i/R12) instance integrated with OID/SSO?
On Apps
- Clone E-Business Suite using Rapid Clone
On OID/SSO
- Migrate users/groups from source to target using ldifwrite and bulkload.sh
- Migrate the password policy and the DAS admin group, and finally register the target Apps with the target OID/SSO
Q. What is the mapping file w.r.t. user provisioning between Apps and OID, and what is the default location of the Oracle-shipped mapping file in Apps?
- $FND_TOP/admin/template/*.tmp
Q. What is ODISRV in OID ?
ODISRV stands for Directory Integration Server and is used during user provisioning between Apps and OID.
Q. How do you load an initial set of users from Apps to OID, or vice versa?
From Apps to OID
- Create an intermediate LDIF file
- Use ldifmigrator to create the final LDIF file
- Use bulkload to load the LDIF file containing the users into OID
- Finally, create subscriptions for the bulk-loaded users
From OID to Apps
- Use ldifwrite to dump the users into an LDIF file
- Use LDAPUserImport to import the users into Apps
NOTE: The following steps are specific to Oracle Linux and EBS 11.5.10.2.
a) Apply Patch 5903765: 11i.ATG_PF.H.RUP6.
b) Apply Patch 5502871: afscssodmz.sql fails when SSOSDK schema absent while applying 4775907
c) Apply Patch 6117031: 11i.ATG_PF.H RUP6 SSO 10g Integration
To check that all prerequisite patches are installed, run AutoPatch with prerequisite checking:
$ adpatch options=prereq
d) Use AD Administration (adadmin) and complete the following tasks:
- Generate message files
- Compile APPS schema(s)
- Compile flexfield data in AOL tables
- Compile Menu Information
Restart the middle tier services.
e) Check the connection to the Apps database:
sqlplus <apps user>/<apps password>@<apps Db alias>
f) Run the registration script: a Perl script is used to register the Oracle E-Business Suite instance with Oracle Single Sign-On and Oracle Internet Directory. This registration allows the E-Business Suite to delegate user authentication to Oracle Single Sign-On, and lets user information be synchronized between Oracle Internet Directory and the E-Business Suite.
On UNIX, you can split the command over multiple lines by entering the '\' continuation character followed by <Return>. Execute the following command to use the default (simple) registration, which uses the bidirectional provisioning template ProvBiDirection.tmp:
[applmgr@apps bin]$ which txkrun.pl
/APPS_MI/visappl/fnd/11.5.0/bin/txkrun.pl
[applmgr@apps bin]$ txkrun.pl -script=SetSSOReg
Enter the host name where Oracle iAS Infrastructure database is installed ? mw.localdomain
Enter the Oracle iAS Infrastructure database port number ? 1521
Enter the Oracle iAS Infrastructure database SID ? oasdb1
Enter the LDAP Port on Oracle Internet Directory server ? 389
Enter Oracle E-Business apps database user password ? apps
Enter Oracle iAS Infrastructure database ORASSO schema password ? orasso
Enter Oracle E-Business SYSTEM database user password ? manager
Enter E-Business Suite existing SSOSDK schema password or choose a password to use with the new SSOSDK schema if the schema does not exist ? ssosdk
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ? q1234
Enter the instance password that you would like to register this application instance with ? q1234
*** ALL THE FOLLOWING FILES ARE REQUIRED FOR RESOLVING RUNTIME ERRORS
*** Log File = /APPS_MI/viscomn/rgf/VIS_apps/sso/txkSetSSOReg_Sun_Apr_27_14_31_16_2008.log
Program : /APPS_MI/visappl/fnd/11.5.0/patch/115/bin/txkSetSSOReg.pl started @ Sun Apr 27 14:37:57 2008
*** Log File = /APPS_MI/viscomn/rgf/VIS_apps/sso/txkSetSSOReg_Sun_Apr_27_14_31_16_2008.log
######################## WARNING ########################################
This application works with SSOSDK version 9.0.2 or higher. If lower version
(3.0.9) of SSOSDK was installed in your system and you have a registered
partner application, this process will remove the 3.0.9 version of the SSOSDK
schema and install the 9.0.2 version.
######################## WARNING ########################################
Beginning input parameter validation for SSO registration.
Beginning loading SSO SDK into database if necessary.
Loading of SSO SDK into database completed successfully.
Input parameter validation for SSO registration completed.
Beginning input parameter validation for OID registration.
Input parameters validation for OID registration completed.
BEGIN SSO REGISTRATION:
Beginning to register partner application.
Partner application has been registered successfully.
Single Sign-On partner application registered successfully.
BEGIN OID REGISTRATION:
Beginning to register Application and Service containers if necessary.
Application and Service containers were created successfully.
Beginning to register application in Oracle Internet Directory.
Registration of application in Oracle Internet Directory completed successfully.
Beginning to register instance password in Oracle Internet Directory.
Registration of instance password in Oracle Internet Directory completed successfully.
Beginning to test application registration in Oracle Internet Directory.
Testing of application registration in Oracle Internet Directory completed successfully.
Beginning to register provisioning profile in Oracle Internet Directory.
Registration of provisioning profile in Oracle Internet Directory completed successfully.
Application is now registered successfully with provisioning in Oracle Internet Directory.
End of /APPS_MI/visappl/fnd/11.5.0/patch/115/bin/txkSetSSOReg.pl : No Errors encountered