
WHITE PAPER User Management Integration with SSO/OID Servers

Author: Aravind Bairy

Creation Date: 26-12-2005 Last Updated: File URL: Version:


Approver Name Role Date

Copyright 2013 Oracle Corporation All Rights Reserved

This document is not a promise to deliver and may not be included as part of any contract.

1. Document Control

1.1 Change Record

Date: 26-Dec-2005 | Author: Aravind Bairy | Version: 1.0 | Change Reference: Created the document

1.2 Contributors

Contributor | Role | Position

1.3 Reviewers

Name | Role | Position | Document Status | Date Reviewed | Comments Incorporated
Raghu Koratagere Venkatesh | Project Lead | | In Progress | |
Vinod Nagaraj | Senior Development Manager | | In Progress | |

1.4 Scope for this Document

This document describes how the Oracle iStore product integrates with the Single Sign On architecture, summarizes the iStore features and capabilities involved, and lists the setups needed to achieve them. It is organized around three deployment options from which a customer can choose, with an Appendix section detailing the setups necessary for each deployment.

1.5 Document Reference

1.5.1 Current Document References

Author | Document Name | URL | Comments
| Note:261914.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On | https://metalink.oracle.com/metalink/plsql/f?p=130:14:3572430939971675332::::p14_database_id,p14_docid,p14_show_header,p14_show_help,p14_black_frame,p14_font:NOT,261914.1,1,1,1,helvetica | WHITE PAPER PUBLISHED
| Note261914.1:PDF4 Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On (Build 3.2) | https://metalink.oracle.com/metalink/plsql/docs/10g-Implementation.pdf ; http://files.oraclecorp.com/conte |
| Note:207159.1 - Oracle Application Server with Oracle E-Business Suite Release 11i Documentation Roadmap | https://metalink.oracle.com/metalink/plsql/f?p=130:14:3572430939971675332::::p14_database_id,p14_docid,p14_show_header,p14_show_help,p14_black_frame,p14_font:NOT,207159.1,1,1,0,helvetica | WHITE PAPER PUBLISHED

1.5.2 Historical Document References

Author | Document Name | URL | Comments

Contents

1. Document Control ... 2
1.1 Change Record ... 2
1.2 Contributors ... 2
1.3 Reviewers ... 2
1.4 Scope for this Document ... 2
1.5 Document Reference ... 3
1.5.1 Current Document References ... 3
1.5.2 Historical Document References ... 3
2. Introduction ... 6
3. Oracle iStore User Management ... 9
3.1 Deployment with SSO Disabled ... 9
3.2 Deployment with SSO Enabled; CAPS Disabled; Local User Creation Updation Allowed ... 10
3.3 Deployment with SSO Enabled; CAPS Enabled; Local User Creation Updation Allowed ... 12
3.4 Deployment with SSO Enabled; CAPS Enabled; Local User Creation Updation Disabled ... 15
3.5 Summarizing Registration behavior for the different deployments ... 17
3.6 More on Partial Registration ... 18
4. Appendix ... 25
4.1 Integrating Oracle E-Business Suite with Oracle Single Sign On Server ... 26
4.1.1 Registering an application as a Partner Application in Oracle Single Sign On Server ... 26
4.1.2 Registering Oracle E-Business Suite as a Partner Application in Oracle Single Sign On Server ... 27
4.1.3 Registering Oracle E-Business Suite with Oracle Single Sign On Server and Oracle Portal ... 33
4.2 Integrating Oracle E-Business Suite with Oracle Internet Directory Server ... 35
4.2.1 Oracle Internet Directory Provisioning Integration Service ... 36
4.2.2 Oracle Internet Directory Subscription List ... 37
4.2.3 Oracle Internet Directory Provisioning Service Events ... 37
4.2.4 Creating a profile from a provisioning template ... 38
4.2.5 Directory Integration Processing (DIP) Server Logs and Provisioning Profile Logs ... 39
4.2.6 Sample Template file ... 39
4.2.7 Migrating Data between Oracle E-Business Suite Release 11i and Oracle Internet Directory ... 39
4.2.8 E-Business Suite User Data Synch up to OID Synchronous and Asynchronous ... 43
4.2.9 Synchronizing the Third-Party Repository with Oracle Internet Directory ... 43
4.3 Implementing Central Registration Provisioning System for Oracle E-Business Suite ... 44
4.4 Acronyms ... 46

2. Introduction

This document contains information for integrating Oracle E-Business Suite Release 12.0 (and hence Oracle iStore 12.0) with Oracle Application Server 10g. Benefits of this configuration include iStore's support for the following services, running on one or more standalone servers external to the existing Oracle E-Business Suite Release 12.0 environment, or running in separate ORACLE_HOMEs on existing servers:

- Oracle Single Sign-On (SSO) 10.1.2.0.2
- Oracle Internet Directory (OID) 10.1.2.0.2
- Oracle Portal 10.1.2.0.2
- Oracle Discoverer 10.1.2.0.2
- Third-party single sign-on solutions
- Third-party Lightweight Directory Access Protocol (LDAP) directories

Oracle iStore has a User Management module capable of creating and maintaining customer user information. Users can be created in iStore in two ways:

- Self-Service Registrations
- Delegated User Administration user creations

When Single Sign On is not set up, iStore creates and maintains user data only locally, in the FND_USER table. However, when the Oracle E-Business Suite is set up as a partner application of an Oracle Single Sign On Server, the user data is also held in Oracle Internet Directory, an LDAP server available as part of the Oracle Application Server 10g Identity Management Infrastructure, in addition to being stored locally in the FND_USER table. Further, the direction and the attributes of the data synchronization between Oracle Internet Directory and FND_USER can be provisioned at the time of integrating the Oracle E-Business Suite with the Oracle Internet Directory Server.

Implementing Single Sign-On (SSO) functionality for the E-Business Suite allows organizations to share one user definition throughout multiple parts of their enterprise. Typically, the common user definition is stored in a Lightweight Directory Access Protocol (LDAP) repository such as Oracle Internet Directory (OID). Oracle Internet Directory serves as a central repository for user credentials and other user information for all Oracle products, including Oracle Application Server 10g and Oracle Portal. This user information is periodically synchronized with the E-Business Suite instance through a combination of Oracle Workflow and Oracle Applications patches.

The Oracle Single Sign-On Software Development Kit (SSOSDK) release 9.0.2, or else the mod_osso component, is required to support Oracle Single Sign-On 10g integration with the E-Business Suite. It allows the E-Business Suite to register as a partner application with the Oracle Single Sign-On Server, giving users the ability to access other registered partner applications with a single credential. As a partner application, the E-Business Suite also supports Single Sign-Off: E-Business Suite users can simultaneously terminate a Single Sign-On session and log out of all active partner applications by logging out of whichever application they are working in. Selecting Logout in a partner application returns users to the Single Sign-Off page, where logout occurs.

Purpose

This paper discusses the different deployment options available to Oracle iStore customers for User Management with SSO enabled, and the features available under each option. It also discusses, in the Appendix, the prerequisites and setups needed for these options and the steps to integrate the Oracle E-Business Suite instance with the Oracle Single Sign On Server and the Oracle Internet Directory Server.

Audience

- Customers who currently have SSO-disabled setups: this paper helps such customers understand the features of SSO-enabled setups and the path to be taken to achieve them in R12.
- Early Adopter customers for SSO (who already have SSO-enabled setups), to learn the new capabilities of iStore User Management with respect to SSO.
- New R12 customers, to understand and compare the features available to them in Oracle iStore and choose the deployment that best suits their need.

Definitions

Oracle Single Sign On Server

An authenticating server available as part of the Oracle Application Server Infrastructure bundle, capable of handling authentication services for multiple partner applications registered with it. With multiple Oracle E-Business Suite instances and other applications registered as partner applications in the Single Sign On Server, visiting users can be allowed to access all the registered partner applications by logging in only once.

Oracle Internet Directory Server


A robust, integrated and scalable identity management LDAP server, also available as part of the Oracle Application Server Infrastructure bundle. It is responsible for storing user data and allows administrators and other users to perform user management activities, such as account creation, modification and deletion, at the enterprise level.

Partial Registrations

Authenticated users in iStore who are found incomplete (missing personal data, lacking an account to perform transactions, or earlier rejected for a partial registration) are taken to Confirm Registration (henceforth termed Partial Registration), where the user can select an available usertype, listed based on a combination of the user's known data, and then complete (confirm) registration for the selected usertype. Once the user's partial registration request is approved, he can browse iStore and perform the necessary transactions. Note: the Partial Registration feature is always available, regardless of whether the system is integrated with SSO.

Central Account Provisioning System

A central registration module is a custom solution to be implemented and plugged into the Oracle E-Business Suite to centrally enforce adherence of new registrations to corporate policies (such as username policies, password policies and identity verification policies), to capture all application-independent information centrally, and to create users in the appropriate repository, be it a third-party LDAP server, OID or FND_USER. All applications route self-service user account creation requests to the Central Account Provisioning System.

Local User Creation and Updation Allowed

Central Account Provisioning registration requires a profile to control whether updates to user details may be decentralized in individual products, or whether only the central account provisioning system may create or update users. The profile Applications SSO User Creation and Updation Allowed is used for this purpose. If it is set to Disabled, updates to user details in local applications, including iStore, are not allowed.

Assumptions

3. Oracle iStore User Management

3.1 Deployment with SSO Disabled

Figure: Oracle iStore authenticates against FND_USER inside Oracle E-Business Suite; step 1 (Register or Delegated UM Create/Update) creates or updates the user in FND_USER.

Oracle iStore User Management is shipped with the Single Sign On feature disabled. With this deployment:

A. The user accounts are created and maintained in the FND_USER table only, which is therefore the source of truth for all user data. Further, while creating a username, the prior existence of the same username in the instance is checked only in the FND_USER table.
B. A user may need to register separately in each installed application to obtain the necessary access in that application. Also, the user details captured by each application-specific registration will differ.
C. The installed applications do not share the user identity, so the user may need to re-authenticate with application-specific credentials against each installed application.
D. All login requests from inside Oracle iStore are taken only to the E-Business Suite Application Local Login page.
E. Authenticated but incomplete users visiting iStore are taken to Confirm Registration (henceforth termed Partial Registration), where the user can select an available usertype, listed based on a combination of the user's known data, and then complete (confirm) registration for the selected usertype. Once the user's request is approved, he can browse iStore and perform the necessary transactions.
F. Though SSO is disabled, newly created usernames are created in reserve mode until they are approved. Once approved, they are committed; if rejected, the username is deleted and the same username can be reused in another registration.

3.2 Deployment with SSO Enabled; CAPS Disabled; Local User Creation Updation Allowed

Figure: Oracle iStore authenticates through the Oracle Single Sign On Server; step 1 (Register or Delegated UM Create/Update) creates or updates the user in FND_USER inside Oracle E-Business Suite; step 2 synchs user details from FND to Oracle Internet Directory; step 3 synchs user details such as the GUID from OID back to FND.

Necessary Setups:

1. Single Sign On Server and Oracle Internet Directory Server are installed and integrated with the Oracle E-Business Suite as explained in Appendix A.
2. Bi-directional user data synch-up provisions have been set up as in Appendix B.
3. Ensure the profile values are set as below.

   SSO: Yes. Set profile Applications SSO Type to SSWA w/SSO.
   CAPS: No. Ensure profile Oracle Applications Central Registration URL is not set to any value.
   Local User Creation and Update: Yes. Set profile Applications SSO User Creation and Updation Allowed to Enabled.

4. With Single Sign On and Oracle Internet Directory set up and integrated with the Oracle E-Business Suite, all user details are stored in Oracle Internet Directory, which is the de-facto source of truth. Further, based on the provisioning setup, the details are also synched to FND. Hence the installed applications share the user identity held in Oracle Internet Directory, and the user needs to authenticate with the credentials only once to access and browse the associated partner applications of the SSO Server.
5. With Local User Creation and Update allowed, local registrations in iStore are allowed.
6. Further, the username proposed by each registration is validated for its presence in both FND_USER and Oracle Internet Directory, and based on whether the proposal comes from Self-Service Registration or Delegated User Management, the action specified below is taken.

   Username in neither FND nor OID:
     Self-Registration: Username creation allowed; username created in FND and propagated to OID.
     Delegated UM: Username creation allowed; username created in FND and propagated to OID.
   Username in both FND and OID:
     Self-Registration: Username already Used error message is shown.
     Delegated UM: Username already Used error message is shown.
   Username in FND but not in OID:
     Self-Registration: Username already Used error message is shown.
     Delegated UM: Username already Used error message is shown.
   Username in OID but not in FND, re-linking not allowed:
     Self-Registration: Username already Used error message is shown.
     Delegated UM: Username already Used error message is shown.
   Username in OID but not in FND, re-linking allowed:
     Self-Registration: Username creation allowed.
     Delegated UM: Username already Used error message is shown.

   Note: Re-linking can be enabled by setting the profile option Link Applications user with OID user with same username to Enabled. Further, the subscription that triggers the synch-up to OID must be enabled; this subscription is enabled when the user synch-up provisions are set up.

7. Though the users might already have been authenticated, incomplete users visiting iStore and accessing any secure page are taken to Confirm Registration (henceforth termed Partial Registration), where the user can select an available usertype, listed based on a combination of the user's known data, and then complete (confirm) registration for the selected usertype. Once the user's request is approved, he can browse iStore and perform the necessary transactions.
8. Newly created usernames in iStore or any other E-Business Suite application are created in reserve mode until they are approved. As long as the username is in reserve (or pending) mode, the user is forbidden access to any application. Only when the username request is approved is the username committed; if rejected, the username is released (deleted) and the same username can be reused in another registration.
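The username checks of the table in item 6 and the reserve/approve/reject lifecycle of item 8, modelled as an added Python example (illustrative code written for this page, not Oracle's implementation). The two user stores are plain sets, and the names Repositories, check_username, reserve, approve, reject and can_login are assumptions.

```python
from dataclasses import dataclass, field

# Source of a username proposal (section 3.2, item 6).
SELF_REGISTRATION = "self-registration"
DELEGATED_UM = "delegated-um"

# Decisions taken from the 3.2 table.
ALLOWED = "username creation allowed; created in FND and propagated to OID"
ALLOWED_RELINK = "username creation allowed; FND user linked to existing OID user"
ALREADY_USED = "Username already Used"


@dataclass
class Repositories:
    """Constructed stand-in for the two user stores (assumed name)."""
    fnd_user: set = field(default_factory=set)   # approved, committed FND_USER names
    oid: set = field(default_factory=set)        # usernames present in Oracle Internet Directory
    reserved: set = field(default_factory=set)   # FND_USER names still in reserve (pending) mode
    # Profile "Link Applications user with OID user with same username" set to Enabled
    relink_allowed: bool = False


def check_username(repos: Repositories, username: str, source: str) -> str:
    """Decide a proposed username per the 3.2 table.

    Assumption: a name in reserve mode is a real FND_USER row, so it counts
    as present in FND for the clash check.
    """
    in_fnd = username in repos.fnd_user or username in repos.reserved
    in_oid = username in repos.oid
    if not in_fnd and not in_oid:
        return ALLOWED                 # column "neither FND nor OID"
    if in_oid and not in_fnd and source == SELF_REGISTRATION and repos.relink_allowed:
        return ALLOWED_RELINK          # "OID but not FND", re-linking allowed, self-registration only
    return ALREADY_USED                # every other cell of the table


def reserve(repos: Repositories, username: str, source: str) -> str:
    """Create the username in reserve mode (item 8); refuse clashes."""
    decision = check_username(repos, username, source)
    if decision == ALREADY_USED:
        raise ValueError(f"{ALREADY_USED}: {username}")
    repos.reserved.add(username)
    return decision


def approve(repos: Repositories, username: str) -> None:
    """Approval commits the name to FND_USER; the provisioning subscription propagates it to OID."""
    repos.reserved.remove(username)
    repos.fnd_user.add(username)
    repos.oid.add(username)


def reject(repos: Repositories, username: str) -> None:
    """Rejection releases (deletes) the reserved name so it can be reused."""
    repos.reserved.discard(username)


def can_login(repos: Repositories, username: str) -> bool:
    """A name in reserve (pending) mode is forbidden access to any application."""
    return username in repos.fnd_user and username not in repos.reserved
```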

3.3 Deployment with SSO Enabled; CAPS Enabled; Local User Creation Updation Allowed

Figure: step 1 (Register) sends the user from Oracle iStore to CAPS Registration; step 2 creates the new user in Oracle Internet Directory; step 3 synchs user details from OID to FND_USER inside Oracle E-Business Suite; step 4 (NOA or Delegated UM Create/Update) creates or updates the user locally in FND_USER; step 5 synchs user details from FND to OID. Oracle iStore authenticates through the Oracle Single Sign On Server.

Necessary Setups:

1. Single Sign On Server and Oracle Internet Directory Server are installed and integrated with the Oracle E-Business Suite as explained in Appendix A.
2. Bi-directional user data synch-up provisions have been set up as in Appendix B.
3. Set up a demo WAR containing the JSP that renders the UI for the Central Registration page and the processing logic that creates the username in OID. Deploy it on the Oracle iAS server where OID is hosted. Refer to Appendix C for more details.
4. Ensure the profile values are set as below.

   SSO: Yes. Set profile Applications SSO Type to SSWA w/SSO.
   CAPS: Yes. Ensure profile Oracle Applications Central Registration URL is set to the URL as shown below.
   Local User Creation and Update: Yes. Set profile Applications SSO User Creation and Updation Allowed to Enabled.

   A sample profile value for Oracle Applications Central Registration URL is:
   http://<oid server host name>:<oid server port number>/<application url context>/demo_umx_oid_reg.jsp?doneURL=:UMX_TARGET&cancelURL=:UMX_CANCEL

5. Clicking the Register link in iStore behaves as follows, depending on the scenario:
   a. If at least one Need Online Access Registration usertype is enabled, and Local Creation or Updation is allowed in iStore, a new Registration page is shown with options to register using CAPS or to use Need Online Access Registration. From the iStore perspective, the latter usertypes are useful for giving online access to contacts who have already placed an order through a sales representative. For further information on Need Online Access Registration in iStore, refer to the iStore R12 Implementation Guide.
   b. If all the usertypes under Need Online Access Registration are disabled, clicking the Register link takes the user directly to the CAPS Registration page pointed to by the Oracle Applications Central Registration URL profile.
6. The usernames created in Central Registration pages must be created in OID by the custom-implemented processing logic. A username thus created is further propagated to the FND tables by the subscription set up during the provisioning setup of the OID server with Oracle E-Business Suite, as seen in Appendix B.
7. Further, when the username is created in OID, the custom implementation may raise the appropriate TCA events; the subscriptions attached to them will then create the necessary details, such as the Party Type of Person, Organization and Relationship, in TCA. The details thus published in TCA can be customized by writing custom procedures and linking them to the WF event raised by the CAPS registration.
8. Relating CAPS to Partial Registration: please refer to section 3.5 More on Partial Registration for the details of Partial Registration. Based on what records are created in CAPS, the behavior of such users when they access iStore is as below.

CAPS-created user information and the corresponding behavior in iStore:

- CAPS creates an OID username, but auto-provisioning to FND is NOT allowed (the subscription to synch the newly created username to FND is disabled).
  Behavior in iStore: the error message "You do not have access to E-Business Applications. Please contact the System Administrator" is shown.

- CAPS creates an OID username, auto-provisioning to FND is enabled, but no TCA details are published for the user.
  Behavior in iStore:
  1. If SSO is enabled, SSOManager.synchUserFromLDAP(username) is called to retrieve the available information from OID, publish it in TCA and set the person_party_id or customer_id appropriately in FND_USER.
  2. If SSO is disabled, or SSO is enabled but SSOManager.synchUserFromLDAP did not fetch any useful TCA data, the user is treated as a User with No Party: he can browse non-secure pages in iStore, and upon accessing secure pages he is taken to Partial Registration. Refer to section 3.5 More on Partial Registration for the usertypes shown in this case.

- CAPS creates an OID username, auto-provisioning to FND is enabled, and only a Person Party record is published in TCA and linked to the FND_USER record.
  Behavior in iStore: the user is treated as a B2C User with No Account; he can browse non-secure pages in iStore, and upon accessing secure pages he is taken to Partial Registration. Refer to section 3.5 More on Partial Registration for the usertypes shown in this case.

- CAPS creates an OID username, auto-provisioning to FND is enabled, and Person Party, Organization Party and the Relationship Party with respect to this Organization are published in TCA, with the Party Relationship party type linked to the username.
  Behavior in iStore: the user is treated as a B2B User with No Account; he can browse non-secure pages in iStore, and upon accessing secure pages he is taken to Partial Registration. Refer to section 3.5 More on Partial Registration for the usertypes shown in this case.

Since Local Creation or Updation is allowed in iStore in this deployment, the primary users of the Organization can create new users or upgrade contacts to users, assign them accounts, roles and sites, and also update the users' password details. The logged-in user can change his own password directly from the My Profile screen.
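The four CAPS cases in the table above and the page behaviour they lead to, modelled as an added Python example (illustrative code for this page, not Oracle's; UserRecords, classify_user and page_access are assumed names). The SSOManager.synchUserFromLDAP step is not modelled: the example starts from whatever TCA records exist after provisioning.

```python
from dataclasses import dataclass

# Error shown when the OID username was never auto-provisioned to FND (first row of the table).
NO_ACCESS_MESSAGE = ("You do not have access to E-Business Applications. "
                     "Please contact the System Administrator")


@dataclass(frozen=True)
class UserRecords:
    """Records that may exist for a CAPS-created username (constructed model, assumed name)."""
    in_fnd: bool                  # FND_USER row exists (auto-provisioning from OID was enabled)
    person_party: bool = False    # Person Party published in TCA and linked to FND_USER
    org_party: bool = False       # Organization Party published in TCA
    relationship: bool = False    # Party Relationship to that organization linked to the username
    has_account: bool = False     # a TCA account usable for transactions


def classify_user(rec: UserRecords) -> str:
    """Map the TCA records to the user state named in the 3.3 table."""
    if not rec.in_fnd:
        return "no-access"
    if not rec.person_party:
        return "user-with-no-party"
    # Person + Organization + Relationship linked: B2B. Person only: B2C.
    # Assumption: an organization without a linked relationship is still treated as B2C.
    kind = "b2b" if (rec.org_party and rec.relationship) else "b2c"
    return kind if rec.has_account else f"{kind}-no-account"


def page_access(rec: UserRecords, secure_page: bool) -> str:
    """What iStore does when this user opens a page.

    Incomplete users (no party / no account) may browse non-secure pages and
    are sent to Partial Registration when they open a secure one.
    """
    state = classify_user(rec)
    if state == "no-access":
        return NO_ACCESS_MESSAGE
    if state in ("b2b", "b2c"):
        return "allowed"
    return "partial-registration" if secure_page else "browse-as-guest"
```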

3.4 Deployment with SSO Enabled; CAPS Enabled; Local User Creation Updation Disabled

Figure: step 1 (Register) sends the user from Oracle iStore to CAPS Registration; step 2 creates the new user in Oracle Internet Directory; step 3 synchs user details from OID to FND_USER inside Oracle E-Business Suite; local creation or update of users in FND_USER from iStore is blocked (marked X); user self-password update goes to OID DAS. Oracle iStore authenticates through the Oracle Single Sign On Server.

Necessary Setups:

1. Single Sign On Server and Oracle Internet Directory Server are installed and integrated with the Oracle E-Business Suite as explained in Appendix A.
2. User data synch-up provisions have been set up as in Appendix B.
3. Set up a demo WAR containing the JSP that renders the UI for the Central Registration page and the processing logic that creates the username in OID. Deploy it on the Oracle iAS server where OID is hosted. Refer to Appendix C for more details.
4. Ensure the profile values are set as below.

   SSO: Yes. Set profile Applications SSO Type to SSWA w/SSO.
   CAPS: Yes. Ensure profile Oracle Applications Central Registration URL is set to the URL as shown below.
   Local User Creation and Update: Yes. Set profile Applications SSO User Creation and Updation Allowed to Disabled.

   A sample profile value for Oracle Applications Central Registration URL is:
   http://<oid server host name>:<oid server port number>/<application url context>/demo_umx_oid_reg.jsp?doneURL=:UMX_TARGET&cancelURL=:UMX_CANCEL

5. Clicking the Register link in iStore always takes the user to the Central Registration page, as local creation of users is disabled. Hence the Registration Usertype listing page that was visible in the previous deployment is not seen here.
6. Once the user registers in CAPS, the username is created in OID and further propagated to FND, and the available details can also be published in TCA, as explained in the previous deployment. Further, when the user who has registered in CAPS navigates to iStore, he is taken to Partial Registration (Confirm Registration) and is shown the probable upgrade paths, as listed in the table in 3.3.8.
7. Primary Users in iStore, though they can create contacts, cannot upgrade these contacts to users; i.e. the option to make a contact a user is shown neither while creating a contact nor while updating the contact.
8. Primary Users cannot update ANY username-related information of existing users, namely the password, start date and end date. These are rendered read-only, regardless of the approval status of the username. However, they can update the contact details (or personal information) of the users.
   Note: the Update icon is enabled only for Approved and Rejected users in R12.
9. If there is a custom-implemented approval flow built into the CAPS registration, and in such a setup the username is released and a Rejection event is raised upon rejecting the username, and the iStore seeded rejection subscription associated with this event is enabled, the rejected username is converted to an inactive contact. Also, if the username created in CAPS is approved but a partial registration request made by that user is rejected, the user still remains a valid user, though with a rejected status, and is therefore open to update by the Primary User; but since local create/update is not allowed in this deployment, the Primary User cannot update the information pertaining to that user's username.
10. Provisioning for self-update of passwords by logged-in users in OID. Since creation or update of usernames in local applications such as iStore is disabled, updating passwords directly in iStore is not allowed. Instead, a URL must be provided that takes the user, as a non-administrative user, to the password handler page provided by the central OID-DAS (Delegated Administration Service, a service of Oracle Internet Directory that performs user and group management functions). The profile setups necessary for this are:

   Profile: Applications SSO Login Types | Level: Site | Value: SSO or Both
   Profile: Application SSO Change Password URL | Level: Site | Value: http://<oid-server-name>:<oid-server-port>/oiddas/ui/oracle/ldap/das/mypage/ChgPwdMyPage

   With this setup, under the My Profile tab a "Click here to update your password" link is shown instead of the two password fields; clicking this link takes the user to the OID-DAS password handler page, whose URL is given by the profile Application SSO Change Password URL.

3.5 Summarizing Registration behavior for the different deployments

SSO | CAPS | Local Create Update Allowed | At least one Need Online Access UT Enabled | Registration page behavior
Yes | Yes | Yes | Yes | Registration Usertype Listing - with CAPS
Yes | Yes | Yes | No | Directly CAPS Registration Page
Yes | Yes | No | Immaterial | Directly CAPS Registration Page
Yes | No | Yes | Immaterial | Registration Usertype Listing - Default
Yes | No | No | Immaterial | Register link not shown. On accessing ibeCAcpSSOReg.jsp or ibeCRgdRegContainer.jsp, the user is shown the error message "User Self Registration has been disabled in the system. Please contact the System Administrator for further assistance."
| | | | Registration Usertype Listing - Default
| | | | Registration Usertype Listing - with CAPS
| | | | CAPS Registration Page

3.6 More on Partial Registration

Authenticated users in iStore who are found incomplete (no contact data, no account to perform transactions, or earlier rejected for a partial registration) can browse public pages without being logged out, and are taken to Confirm Registration (henceforth termed Partial Registration), where the user can select an available usertype, listed based on a combination of the user's known data, and then complete (confirm) registration for the selected usertype. Once the user's partial registration request is approved, he can browse iStore and perform the necessary transactions. Note: the Partial Registration feature is always available, regardless of whether the system is integrated with SSO.

In SSO implementations a user may do an SSO login from any portal application (including iStore) and later navigate to the store. In this case the user has an authenticated ICX session but may not have registered for the store. iStore treats such users, who have no access or incomplete access in the store, as guest users: it shows the catalog and prices of a walk-in user and allows the user to add items to the shopping cart. Whenever the user tries to access a sensitive page (e.g. checkout, profile), the system prompts the user to do partial registration to become a valid store user. The table below shows the iStore behaviour for an incomplete user as against a pending user or an invalid user.

Action | Invalid User | User with Pending approval | Incomplete User
User does Login | Invalid Party error message and continue user action | Pending approval error message and continue user action | Login successful
Browse Catalog | Yes | Yes | Yes
Catalog price list after login | Guest price list | Guest price list | Guest price list
Site Selection Page | All accessible sites | All accessible sites | All accessible sites
User navigates from non-secure to secure page (e.g. checkout) | Invalid Party error message and continue user action | Pending approval error message and continue user action | Partial registration
Guest cart behavior | Guest cart should be preserved after login | Guest cart should be preserved after login | Merge guest cart after user does partial registration and auto-approval is On; preserve guest cart if auto-approval is Off

The logic to determine whether the user is incomplete in iStore is as depicted in the below diagram.

[Figure: decision flow for an authenticated iStore user. The diagram itself did not survive extraction; the decision nodes and outcomes it contains are listed here.]
- Start: does a customer_id exist for the user? Is the user B2B or B2C?
- B2C: does the person party exist and is it active? If not, display the invalid person party error.
- B2B: are the person party, the organization and the relationship all active? If not, display the corresponding party error.
- What is the approval status for the iStore user? None approved and at least one pending: display the pending approval message. All rejected: display the rejected message. No status row, or at least one approved: continue.
- Does the user have a valid TCA account (for B2C: is SSO enabled, or is SSO disabled and at least one JTA record existing)? If not, display the invalid or inactive account message.
- Does the user have access to the selected site or to any site? If yes, the user sees the site list or enters the selected site.
- Otherwise display the usertype selection page with the usertypes mapped to the user's known data (all available usertypes; B2C usertypes only; B2B contact; partner contact; partner primary). The user selects a usertype and fills in the missing information on the registration page, with the existing data populated; the B2B contact, partner contact and partner primary flows update the customer_id to the party relationship id. For a B2B contact, if the B2B organization has no primary users an error message is displayed with the main admin's or primary user's e-mail address; for partner usertypes the partner profile is looked up through the PRM API (in R12 this check is also done for the partner price list).
- Assign the enrollments for the selected usertype and assign the account; the user becomes a valid iStore B2C, B2B or partner user.

The table below shows the usertypes offered for confirming the user information, based on the known/available user information.

Known user information                          Usertypes shown for Partial Registration
User with no party, or incomplete B2C user      All enabled usertypes
B2B user of a B2B company                       B2B Secondary and Partner Primary usertypes
B2B user of a Partner company                   B2B Secondary and Partner Secondary usertypes
Partner user of a Partner company               Partner Secondary usertypes only

Rejected Usernames

Both new registrations and partial registration requests made with a usertype that requires approval are queued for the primary users to approve or reject. For a new registration the username stays reserved while the request is pending; if the primary user rejects the request, the username is released and anybody can use it to register. For a partial registration the username was committed long before the user performed the partial registration, so on rejection the username remains committed in the system but the user's access to E-Business applications is rejected. The user can therefore still use other partner applications of the SSO Server, such as Oracle Technology Network, but is not allowed into any secure page of the E-Business application; attempting one takes the user to Partial Registration again, and only after the new partial registration request is approved can the user transact in iStore.

A sample user registration interaction

Assumption for this sample: the Organization named Oracle, with Registry Id 31175, has two designated approvers at two levels.

1. A user registers in iStore with username ORACLE101 for the usertype IBE_BUSINESS, which requires approval, giving Organization Registry Id 31175, the party number of the Organization named Oracle. The username is reserved (start_date = end_date = 1/1/4712) until the request is decided.
FND_USER
user_id  user_name  start_date  end_date  customer_id
1001     ORACLE101  1/1/4712    1/1/4712  54321

JTF_UM_USERTYPE_REG
usertype_reg_id  user_id  usertype_id  status_code  effective_start_date  effective_end_date
2001             1001     10066        PENDING      24/12/2005

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54320     User 101           Person              A
54321     user 101 - Oracle  Party Relationship  A

HZ_CUST_ACCOUNTS
cust_account_id  account_number  party_id
1234             7001            54300

2. Either approver of the Organization rejects the username request of ORACLE101. The reserved username is released and the registration row removed, while the person and relationship parties are inactivated:

select * from fnd_user where user_id = 1001;             -- no record found
select * from jtf_um_usertype_reg where user_id = 1001;  -- no record found

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54320     User 101           Person              I
54321     user 101 - Oracle  Party Relationship  I

3. Another user registers in iStore with the same username ORACLE101 for the usertype IBE_BUSINESS, which requires approval, giving Organization Registry Id 31175, the party number of the Organization named Oracle.

FND_USER
user_id  user_name  start_date  end_date  customer_id
1005     ORACLE101  1/1/4712    1/1/4712  54323

JTF_UM_USERTYPE_REG
usertype_reg_id  user_id  usertype_id  status_code  effective_start_date  effective_end_date
2005             1005     10066        PENDING      25/12/2005

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54322     User 102           Person              A
54323     user 102 - Oracle  Party Relationship  A

HZ_CUST_ACCOUNTS
cust_account_id  account_number  party_id
1234             7001            54300

4. This time both approvers of the Organization accept the username request of ORACLE101. The username is committed (start_date set, end_date cleared) and an account role is created.

FND_USER
user_id  user_name  start_date  end_date  customer_id
1005     ORACLE101  26/12/2005            54323

JTF_UM_USERTYPE_REG
usertype_reg_id  user_id  usertype_id  status_code  effective_start_date  effective_end_date
2005             1005     10066        APPROVED     25/12/2005

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54322     User 102           Person              A
54323     user 102 - Oracle  Party Relationship  A

HZ_CUST_ACCOUNTS
cust_account_id  account_number  party_id
1234             7001            54300

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id  cust_account_id  party_id  status
205437                1234             54300     A

5. Any primary user of the Organization revokes the account associated with the user ORACLE101.

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id  cust_account_id  party_id  status
205437                1234             54300     I

6. User ORACLE101 logs in to iStore and tries to perform a secure transaction; the user is taken to Partial Registration, as the user no longer has an active account. ORACLE101 completes the Confirm (Partial) registration again with the IBE_BUSINESS usertype, which queues the user for approval again; the earlier approved request is end-dated.

FND_USER
user_id  user_name  start_date  end_date  customer_id
1005     ORACLE101  26/12/2005            54323

JTF_UM_USERTYPE_REG
usertype_reg_id  user_id  usertype_id  status_code  effective_start_date  effective_end_date
2005             1005     10066        APPROVED     25/12/2005            27/12/2005
2010             1005     10066        PENDING      27/12/2005

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54322     User 102           Person              A
54323     user 102 - Oracle  Party Relationship  A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id  cust_account_id  party_id  status
205437                1234             54300     I

7. Either approver of the Organization rejects the partial registration request of ORACLE101.

FND_USER
user_id  user_name  start_date  end_date  customer_id
1005     ORACLE101  26/12/2005            54323

JTF_UM_USERTYPE_REG
usertype_reg_id  user_id  usertype_id  status_code  effective_start_date  effective_end_date
2005             1005     10066        APPROVED     25/12/2005            27/12/2005
2010             1005     10066        REJECTED     27/12/2005            27/12/2005

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54322     User 102           Person              A
54323     user 102 - Oracle  Party Relationship  A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id  cust_account_id  party_id  status
205437                1234             54300     I

8. User ORACLE101 logs in to iStore and tries to perform a secure transaction; the user is taken to Partial Registration, as the user does not have an account. ORACLE101 completes the Confirm (Partial) registration again with the IBE_BUSINESS usertype, which queues the user for approval again.

FND_USER
user_id  user_name  start_date  end_date  customer_id
1005     ORACLE101  26/12/2005            54323

JTF_UM_USERTYPE_REG
usertype_reg_id  user_id  usertype_id  status_code  effective_start_date  effective_end_date
2005             1005     10066        APPROVED     25/12/2005            27/12/2005
2010             1005     10066        REJECTED     27/12/2005            27/12/2005
2015             1005     10066        PENDING      28/12/2005

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54322     User 102           Person              A
54323     user 102 - Oracle  Party Relationship  A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id  cust_account_id  party_id  status
205437                1234             54300     I

Now, if the user, whose latest status is Pending, tries to access any secure iStore page, the Pending Approval message is shown.

9. The first approver assigns an account, but the second approver rejects the partial registration request of ORACLE101.

FND_USER
user_id  user_name  start_date  end_date  customer_id
1005     ORACLE101  26/12/2005            54323

JTF_UM_USERTYPE_REG
usertype_reg_id  user_id  usertype_id  status_code  effective_start_date  effective_end_date
2005             1005     10066        APPROVED     25/12/2005            27/12/2005
2010             1005     10066        REJECTED     27/12/2005            27/12/2005
2015             1005     10066        REJECTED     28/12/2005            28/12/2005

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54322     User 102           Person              A
54323     user 102 - Oracle  Party Relationship  A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id  cust_account_id  party_id  status
205437                1234             54300     A

10. User ORACLE101 logs in to iStore and tries to perform a secure transaction; the user is taken to Partial Registration because, although the user now has an account, access to E-Business applications has been rejected. ORACLE101 completes the Confirm (Partial) registration again with the IBE_BUSINESS usertype, which queues the user for approval again.

FND_USER
user_id  user_name  start_date  end_date  customer_id
1005     ORACLE101  26/12/2005            54323

JTF_UM_USERTYPE_REG
usertype_reg_id  user_id  usertype_id  status_code  effective_start_date  effective_end_date
2005             1005     10066        APPROVED     25/12/2005            27/12/2005
2010             1005     10066        REJECTED     27/12/2005            27/12/2005
2015             1005     10066        REJECTED     28/12/2005            28/12/2005
2020             1005     10066        PENDING      29/12/2005

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54322     User 102           Person              A
54323     user 102 - Oracle  Party Relationship  A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id  cust_account_id  party_id  status
205437                1234             54300     A

11. Both approvers of the Organization accept the partial registration request of ORACLE101. The user ORACLE101 can now perform any transaction in iStore.

FND_USER
user_id  user_name  start_date  end_date  customer_id
1005     ORACLE101  26/12/2005            54323

JTF_UM_USERTYPE_REG
usertype_reg_id  user_id  usertype_id  status_code  effective_start_date  effective_end_date
2005             1005     10066        APPROVED     25/12/2005            27/12/2005
2010             1005     10066        REJECTED     27/12/2005            27/12/2005
2015             1005     10066        REJECTED     28/12/2005            28/12/2005
2020             1005     10066        APPROVED     29/12/2005

HZ_PARTIES
party_id  party_name         party_type          status
54300     Oracle             Organization        A
54322     User 102           Person              A
54323     user 102 - Oracle  Party Relationship  A

HZ_CUST_ACCOUNT_ROLES
cust_account_role_id  cust_account_id  party_id  status
205437                1234             54300     A
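The decision the walkthrough above exercises, as an added example that is not part of this white paper and not Oracle's iStore code: a small Python model of how an authenticated user's FND_USER, JTF_UM_USERTYPE_REG, HZ_PARTIES and HZ_CUST_ACCOUNT_ROLES rows decide between the invalid-party message, the pending-approval message, Partial Registration and normal access, replayed over steps 4 to 11 of the ORACLE101 sample. The table and column names are the paper's; the in-memory row dicts, the outcome names (INVALID, PENDING, REJECTED, INCOMPLETE, VALID), the function names and the rule that the latest registration request decides are this example's own assumptions read off the sample, not a description of the product's implementation.

```python
# Added example, not code from the white paper or from Oracle iStore: a model
# of the partial-registration decision, replayed over the ORACLE101 sample.
# Table/column names follow the paper; the row dicts, outcome names and the
# "latest request decides" rule are this example's own assumptions.
from datetime import date

# FND_USER rows with start_date = end_date = 01-JAN-4712 are reserved usernames:
# a new registration that is still awaiting approval (step 1 of the sample).
RESERVED = date(4712, 1, 1)


def latest_request(reg_rows):
    """Return the most recent JTF_UM_USERTYPE_REG row for the user, or None."""
    if not reg_rows:
        return None
    return max(reg_rows, key=lambda r: (r["effective_start_date"], r["usertype_reg_id"]))


def has_active_account(role_rows):
    """HZ_CUST_ACCOUNT_ROLES: a revoked account role carries status 'I'."""
    return any(r["status"] == "A" for r in role_rows)


def classify(fnd_user, parties, reg_rows, role_rows):
    """Classify an authenticated user as INVALID, PENDING, REJECTED, INCOMPLETE or VALID."""
    # Person party, organization and relationship must all be active ('A').
    if any(p["status"] != "A" for p in parties):
        return "INVALID"
    # Username still reserved: the first registration was never approved.
    if fnd_user["start_date"] == RESERVED and fnd_user["end_date"] == RESERVED:
        return "PENDING"
    latest = latest_request(reg_rows)
    if latest is not None and latest["status_code"] == "PENDING":
        return "PENDING"
    if latest is not None and latest["status_code"] == "REJECTED":
        # Username stays committed, but access to E-Business applications is rejected.
        return "REJECTED"
    if not has_active_account(role_rows):
        return "INCOMPLETE"
    return "VALID"


def on_secure_page(classification):
    """What iStore does when the user moves from a public page to checkout or profile."""
    return {
        "INVALID": "invalid party message; user continues as guest",
        "PENDING": "pending approval message; user continues as guest",
        "REJECTED": "partial registration",
        "INCOMPLETE": "partial registration",
        "VALID": "proceed",
    }[classification]


def walkthrough():
    """Replay steps 4-11 of the ORACLE101 sample; returns {step: classification}."""
    user = {"user_id": 1005, "user_name": "ORACLE101",
            "start_date": date(2005, 12, 26), "end_date": None, "customer_id": 54323}
    parties = [{"party_id": 54300, "status": "A"},   # Oracle (Organization)
               {"party_id": 54322, "status": "A"},   # User 102 (Person)
               {"party_id": 54323, "status": "A"}]   # user 102 - Oracle (Party Relationship)
    regs = [{"usertype_reg_id": 2005, "status_code": "APPROVED",
             "effective_start_date": date(2005, 12, 25)}]
    roles = [{"cust_account_role_id": 205437, "cust_account_id": 1234, "status": "A"}]
    out = {}

    out[4] = classify(user, parties, regs, roles)        # both approvers accepted
    roles[0]["status"] = "I"                              # 5: a primary user revokes the account
    out[5] = classify(user, parties, regs, roles)        # no account -> partial registration
    regs.append({"usertype_reg_id": 2010, "status_code": "PENDING",
                 "effective_start_date": date(2005, 12, 27)})   # 6: user confirms registration
    out[6] = classify(user, parties, regs, roles)
    regs[-1]["status_code"] = "REJECTED"                  # 7: an approver rejects
    out[7] = classify(user, parties, regs, roles)
    regs.append({"usertype_reg_id": 2015, "status_code": "PENDING",
                 "effective_start_date": date(2005, 12, 28)})   # 8: user confirms again
    out[8] = classify(user, parties, regs, roles)
    regs[-1]["status_code"] = "REJECTED"                  # 9: first approver assigns an account,
    roles[0]["status"] = "A"                              #    second approver rejects
    out[9] = classify(user, parties, regs, roles)        # has an account, still rejected
    regs.append({"usertype_reg_id": 2020, "status_code": "PENDING",
                 "effective_start_date": date(2005, 12, 29)})   # 10: user confirms again
    out[10] = classify(user, parties, regs, roles)
    regs[-1]["status_code"] = "APPROVED"                  # 11: both approvers accept
    out[11] = classify(user, parties, regs, roles)
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(step, result, "->", on_secure_page(result))
```

The point the model makes explicit is that approval and account are two separate gates: a rejected request blocks access even while an active HZ_CUST_ACCOUNT_ROLES row exists (step 9), and a revoked account blocks access even while the last request is approved (step 5). Either condition sends the user back to Partial Registration rather than logging the user out, which is why the approvers, not the SSO Server, remain the control point for what an SSO-authenticated user may do in the store.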

4. Appendix

The deployments below are for OracleAS 10g 10.1.2.0.2 or above.

Oracle 10g Application Server
  |-> Oracle 10g Application Server Infrastructure Instance
        |-> Oracle Identity Management Infrastructure
              |-> OracleAS 10g Single Sign-On
              |-> Oracle Internet Directory
              |-> Oracle Directory Integration and Provisioning
              |-> Oracle Delegated Administration Service
              |-> Oracle Identity Management
              |-> OracleAS 10g Certificate Authority

Working together, these components, called the Infrastructure, manage the security life cycle of users and other network entities in an efficient, cost-effective way. To use OracleAS 10g to enable single sign-on for Release R12 environments, the following are required at minimum:
- the "OracleAS Metadata Repository" option of the OracleAS Infrastructure 10g installation;
- the "Identity Management" option of the OracleAS Infrastructure 10g installation. As noted above, the "Identity Management" option includes the middle-tier components for Oracle Internet Directory, Single Sign-On and Delegated Administration Services.

The integration process consists of these phases:
1. Install the Oracle Application Server 10g 10.1.2.0.2 Infrastructure Instance on a standalone server. This is explained in Appendix 4.1.
2. Migrate the existing E-Business Suite application-tier server node to the latest version of Oracle Application Server 10g.
3. Synchronize user information between the standalone Infrastructure Instance server and the E-Business Suite environment. This is explained in Appendix 4.2.

4.1

Integrating Oracle E-Business Suite with Oracle Single Sign On Server

4.1.1

Registering an application as a Partner Application in Oracle Single Sign On Server.


1. Access the Single Sign-On home page at http://host:port/pls/Single_Sign_On_DAD, where host is the name of the computer on which the single sign-on server is located, port is the port number of the server, and Single_Sign_On_DAD is the database access descriptor for the single sign-on schema (the default DAD is orasso). The Access Partner Applications page appears.
2. Click Login in the upper right corner of the Access Partner Applications page. The single sign-on login page appears.
3. Log in as the orcladmin user with the password provided while installing Oracle iAS.
4. The single sign-on home page appears. To perform administrative functions, click SSO Server Administration; the SSO Server Administration page appears.
5. Select Administer Partner Applications > Add Partner Application, provide the details below and create the new Partner Application.
   A. Enter the application name, the home URL, the success URL and the logout URL for this application. The home URL is the application's home page. The success URL is the URL the user is redirected to upon successful login; it must correspond to the procedure that processes the user identification information sent by the SSO Server.
   B. Specify the valid login timeframe.
   C. Provide the application administrator's e-mail address.
6. Once the Partner Application is registered, the application id, the application token and the encryption key the SSO Server uses to identify this application are displayed. The partner application must present the application token when requesting authentication. A sample set of values:
   ID: 1CB41C17
   Token: 3F4I181F1CB41C17
   Encryption Key: B3DCFB64840E084F
   Login URL: http://152.69.162.108:7777/pls/orasso/orasso.wwsso_app_admin.ls_login
   Single Sign-Off URL: http://152.69.162.108:7777/pls/orasso/orasso.wwsso_app_admin.ls_logout
   The token and encryption key are the shared secret with which the SSO Server protects the identity information it returns to this partner application, so treat them as credentials: keep them only in the partner application's protected configuration (for Oracle Portal, the SSO SDK schema registered in 4.1.3.1.3) and out of documents, logs and source control.

4.1.2

Registering Oracle E-Business Suite as a Partner Application in Oracle Single Sign On Server.
Supported architectures and configurations

A. User authentication can be by Oracle SSO, by an external third-party access manager, or native E-Business Suite authentication.
B. The source of truth for user records can be OID or an external third-party LDAP user repository.
C. User synchronization can run from R12 to OID, from OID to R12, or from a third-party LDAP server to OID and on to R12.

4.1.2.1: Ensure the Oracle E-Business Suite is implemented with Oracle9i Application Server Release 1.0.2.2.2 Enterprise Edition or above as the tech stack. Verify this by running:
$iAS_HOME/Apache/Apache/bin/httpd -v

4.1.2.2: Install DBMS_LDAP on the E-Business Suite database-tier server node
The Oracle database must be installed with the Oracle Internet Directory option to support synchronization of user information between Oracle Internet Directory and the E-Business Suite. Check your version-specific and platform-specific Database Installation Guide for details. Check whether the package DBMS_LDAP exists on the database-tier server used by the E-Business Suite; if not, run $ORACLE_HOME/rdbms/admin/catldap.sql as SYSDBA, with the ORACLE_HOME environment variable pointing to the DB_ORACLE_HOME.

4.1.2.3: Install Oracle Application Server 10g 10.1.2.0.2 Enterprise Edition
Refer to 4.1 for the components needed and the options to select when installing the Infrastructure instance of Oracle Application Server 10g 10.1.2.0.2 Enterprise Edition. Follow the Oracle Application Server 10g Installation Guide for your operating system platform for instructions on installing an OracleAS 10g infrastructure into its own ORACLE_HOME. Note further:
- The Oracle Application Server 10g application server installation and the Oracle Application Server 10g infrastructure may reside on a single host or on separate hosts, but must be in separate ORACLE_HOMEs.
- The Oracle Application Server 10g Infrastructure must not be installed in the Oracle E-Business Suite Release R12 database.
- Neither the application server installation nor the infrastructure may be installed in the ORACLE_HOME of an existing Oracle E-Business Suite Release R12 application-tier server node.

Follow these steps to test the Oracle Application Server 10g Identity Management infrastructure:
i. Start Oracle Internet Directory.
ii. Open Delegated Administration Services at http://<host_name>.<domain>:<Infrastructure http port number>/oiddas
iii. Log in using the orcladmin user.
iv. Navigate to Directory > Create and create a test user, supplying a password and other user information. Click Submit. Log out.
v. Log in to Oracle Internet Directory Delegated Administration Services using the newly created test user.

4.1.2.4: Install the E-Business Suite SSO 10g Integration Patch Build 3.1
The E-Business Suite SSO 10g Integration patch does NOT need to be applied explicitly on Release 12.0, as the Build 3.1 patch is included in Release 12.0.

4.1.2.5: Run the registration script txkrun.pl

4.1.2.5.1: Prepare the parameter checklist:

1. Hostname of the Oracle Application Server Infrastructure database. Example: myias.company.com. A fully qualified name is recommended.
2. Port of the Oracle Application Server Infrastructure database. Example: 1521.
3. Database SID of the Oracle Application Server Infrastructure database. Example: iasinfra.
4. Password of the Oracle Application Server Infrastructure database user "ORASSO". Example: C8atE7O0. It can be read on the Oracle Internet Directory server with:
   $ORACLE_HOME/bin/ldapsearch -h <oid_host> -p <oid_port> -D "cn=orcladmin" -w <password> -b "cn=IAS,cn=Products,cn=OracleContext" -s sub -v "OrclresourceName=orasso" | grep orclpasswordattribute
5. Password of the Oracle Internet Directory admin user "orcladmin". Example: welcome123.
6. LDAP port of Oracle Internet Directory. Example: 3060.
7. Password of the Oracle E-Business Suite database user "APPS". Example: apps.
8. Password of the Oracle E-Business Suite database user "SYSTEM". Example: manager.
9. Password of the E-Business Suite database user "SSOSDK". Example: ssosdk. If the user does not exist, a new user is created with this password.
10. Password with which to register the E-Business Suite instance in Oracle Internet Directory. Example: welcome1. This is the master password used to register the E-Business Suite instance in Oracle Internet Directory; Release 12 services use it later for certain security validations. It is a critical password governing communications from the E-Business Suite instance to Oracle Internet Directory and should be made as strong as possible.
11. Name, with fully qualified path, of the provisioning profile template. Example: -provtmp=$FND_TOP/admin/template/ProvOIDToApps.tmp. By default the bidirectional template, ProvBiDirection.tmp, is chosen; to use a different template, override it with the -provtmp parameter.

The example values above, and in the commands that follow, are the sample values of a test instance, including the well-known defaults apps, manager and welcome1; they must not be used on a real installation. The completed checklist holds every privileged password of both systems, so keep it under the same protection as the passwords it contains.

4.1.2.5.2: As the owner of the application-tier file system, source $APPL_TOP/APPS<context_name>.env to set the environment correctly.

4.1.2.5.3: Ensure that perl from the <iAS_ORACLE_HOME>/bin directory is in the path. Run perl -v to confirm that the version is higher than 5.005.

4.1.2.5.4: Run the registration script
The perl script <FND_TOP>/patch/115/bin/txkrun.pl registers the Oracle E-Business Suite instance with Oracle Single Sign-On and Oracle Internet Directory; internally it uses <FND_TOP>/patch/115/bin/txkSetSSOReg.pl. The utility can register as well as de-register the E-Business Suite integration with the Oracle SSO/OID servers. Run it from one of the Oracle E-Business Suite Release R12 application-tier server nodes, after sourcing $APPL_TOP/APPS<CONTEXT_NAME>.env, to register both SSO and OID in the Oracle Application Server 10g infrastructure database. Then run one of the commands below according to the need.

Interactive mode prompts for the values from the parameter checklist. Non-interactive mode takes the same values as command-line arguments; passwords passed this way are visible in the process list while the command runs and remain in the shell history afterwards, so prefer interactive mode on shared hosts and clear the history if you do use the non-interactive form.

Register both SSO and OID
  Interactive:     txkrun.pl -script=SetSSOReg
  Non-interactive: txkrun.pl -script=SetSSOReg -register=Yes -appspass=apps -infradbhost=ap627atg -infradbport=1521 -infradbsid=infra1 -orassopass=C8atE7O0 -systempass=manager -ssosdkpass=ssosdk -orcladminpass=welcome123 -instpass=welcome123 -ldapport=3060 -appname="EBiz test" -svcname="This is the test instance for EBusiness"
  Comments: Use this option when registering the partner application with Oracle Single Sign-On and Oracle E-Business Suite as a provisioning application with Oracle Internet Directory. It creates a single SSO partner application, with the Listener Token set to the site-level value of the profile option Applications Database ID (APPS_DATABASE_ID), and registers E-Business Suite with OID using the ProvBiDirection.tmp provisioning profile, which enables bidirectional user synchronization including user creation.

Register only SSO
  Interactive:     txkrun.pl -script=SetSSOReg -registersso=Yes
  Non-interactive: txkrun.pl -script=SetSSOReg -registersso=Yes -appspass=apps -infradbhost=ap627atg -infradbport=1521 -infradbsid=infra1 -orassopass=C8atE7O0 -systempass=manager -ssosdkpass=ssosdk
  Comments: Use this option when registering only the SSO partner application with Oracle Single Sign-On: to register separate E-Business Suite application-tier server nodes as individual partner applications in a DMZ deployment, or to register the E-Business Suite instance when OracleAS 10g Single Sign-On Server is installed on a different node than Oracle Internet Directory.

Register only OID
  Interactive:     txkrun.pl -script=SetSSOReg -registeroid=Yes
  Non-interactive: txkrun.pl -script=SetSSOReg -registeroid=Yes -appspass=apps -infradbhost=ap627atg -orcladminpass=welcome123 -instpass=welcome123 -ldapport=3060 -appname="EBiz test" -svcname="This is the test instance for EBusiness"
  Comments: Use this option when registering or deregistering Oracle E-Business Suite as a provisioning application with Oracle Internet Directory: to clean up an OID registration or deregistration that failed during a combined SSO/OID registration, to selectively register or deregister the E-Business Suite instance against OID, or to register the instance when Oracle Internet Directory is installed on a different node than OracleAS 10g Single Sign-On Server.

De-register both SSO and OID
  Interactive:     txkrun.pl -script=SetSSOReg -deregister=Yes
  Non-interactive: txkrun.pl -script=SetSSOReg -deregister=Yes -appspass=apps -orassopass=C8atE7O0 -ssosdkpass=ssosdk -orcladminpass=welcome123
  Comments: Use this option when deregistering the partner application from Oracle Single Sign-On and Oracle E-Business Suite as a provisioning application from Oracle Internet Directory.

De-register only SSO
  Interactive:     txkrun.pl -script=SetSSOReg -deregistersso=Yes
  Non-interactive: txkrun.pl -script=SetSSOReg -deregistersso=Yes -appspass=apps -orassopass=C8atE7O0 -ssosdkpass=ssosdk
  Comments: Same cases as Register only SSO.

De-register only OID
  Interactive:     txkrun.pl -script=SetSSOReg -deregisteroid=Yes
  Non-interactive: txkrun.pl -script=SetSSOReg -deregisteroid=Yes -appspass=apps -orcladminpass=welcome123
  Comments: Same cases as Register only OID.

Run any of the above commands with the -provtmp option to use a different provisioning template:
<FND_TOP>/patch/115/bin/txkrun.pl -script=SetSSOReg -provtmp=$FND_TOP/admin/template/<TemplName>
where <TemplName> is the provisioning template you wish to use. For example:
txkrun.pl -script=SetSSOReg -provtmp=$FND_TOP/admin/template/ProvOIDToApps.tmp
(Use forward slashes and the exact file name: the template path is resolved on the Unix application tier, where file names are case-sensitive.)

The provisioning templates seeded out of the box:

Template                Usage
ProvAppsToOID.tmp       User creation and update synchronization only from FND to OID.
ProvBiDiNoCreation.tmp  Bidirectional synchronization of user updates between FND and OID; user creations in FND are not synchronized to OID.
ProvBiDirection.tmp     Default template. Bidirectional synchronization of user creations and updates between FND and OID.
ProvOIDToApps.tmp       User creation and update synchronization only from OID to FND.

With either template that provisions creations from OID to FND, every user created in OID, by whichever application provisions into it, obtains an E-Business Suite user account, so the choice of template also decides who can create E-Business Suite logins.

To simplify the registration process, txkrun.pl defaults many parameters, producing a configuration that meets the needs of most users. For any of the commands, supply the values from the parameter checklist prepared above when the script prompts for them. When the registration script completes successfully it prints the line:
End of <FND_TOP>/patch/115/bin/txkSetSSOReg.pl: No errors encountered.
If you do not see this confirmation, examine $APPLRGF/sso/txkSetSSOReg_[timestamp].log to investigate the problem.

4.1.2.6: Stop and start the Oracle HTTP Server used by the Oracle E-Business Suite instance concerned.

4.1.2.7: Verify and validate the Single Sign-On setup

4.1.2.7.1: Run the diagnostic utility
Log in as user "sysadmin" to the E-Business Suite locally using http[s]://<server>[:port]/OA_HTML/AppsLocalLogin.jsp, where <server> and <port> reflect the correct values for your environment. Select the responsibility "CRM HTML Administration" and the function "Diagnostics" from the Navigator's right pane.

4.1.2.7.1.1: SSO diagnostics
- Click the "Basic" tab.
- Choose "Application Object Library" from the Applications list.
- Click "SSO Setup Tests", then "Run Without Pre-Requisite". All tests should complete successfully.
- Click the "Report" icon for each test and verify the results.

4.1.2.7.1.2: OID diagnostics
- Click "OID Setup", then "Run Without Pre-Requisite". All tests should complete successfully.
- Click the "Report" icon for each test and verify the results.

4.1.2.7.2: Manual verification

4.1.2.7.2.1: Verify that the Oracle E-Business Suite instance is correctly integrated with the Oracle Single Sign-On server.
Request the E-Business Suite login link, http://[host]:[port]/oa_servlets/AppsLogin, or the iStore login link, http://[host]:[port]/OA_HTML/ibeCAcpSSOLogin.jsp, where [host] and [port] reflect the correct values for your environment. This should redirect you to the Single Sign-On login screen. Enter the username and password of a valid account in Oracle Internet Directory. You should be directed either to the Oracle E-Business Suite home page or to a page that shows "More Information Requested". Click the logout link on whichever page you see; you should now be directed to the Single Sign-On logout page. If so, Single Sign-On integration has been carried out correctly.
Note that the local login page AppsLocalLogin.jsp (used above for sysadmin) remains reachable after integration; which users may log in locally rather than through SSO is governed by the profile option Applications SSO Login Types, so restrict local login to the administrative accounts that need it.

4.1.2.7.2.2: Verify that the Oracle E-Business Suite instance is correctly integrated with Oracle Internet Directory.
Check that there are no errors in the Oracle Internet Directory log files for the E-Business Suite instance just configured. These files are on the machine that hosts Oracle Internet Directory, under $ORACLE_HOME/ldap/odi/log. The files for provisioning from Oracle Internet Directory to E-Business Suite end with _E.aud and _E.trc; the files for provisioning from E-Business Suite to Oracle Internet Directory end with _I.aud and _I.trc. Depending on how provisioning has been configured, try to create a user from either E-Business Suite or Oracle Internet Directory. If you used the simple registration process with the default profile, you may create a user in either E-Business Suite or Oracle Internet Directory and see the newly provisioned user appear in the other system within about two minutes. The user details should also be visible in the relevant .aud log file mentioned above. If so, the provisioning configuration for Oracle Internet Directory has been performed correctly.

4.1.3

Registering Oracle E-Business Suite with Oracle Single Sign-On Server and Oracle Portal

Use of Oracle Portal is optional. However, Oracle Single Sign-On is a mandatory prerequisite for Oracle Portal. Oracle Portal can optionally be implemented to provide a single customized portal that allows access to one or more E-Business Suite instances. As part of Oracle9i Application Server, Oracle Portal can provide users with corporate and customized personal home pages accessible via Web browsers. Oracle Portal may be configured to access one or more E-Business Suite environments. Oracle Portal users may add links to their home pages to access E-Business Suite modules, and may display some information (for example, Oracle Workflow notifications) directly on their home pages. E-Business Suite links and data are delivered to Oracle Portal via portlets. Portlets can be displayed on customized Oracle Portal home pages. Portlets installed on an E-Business Suite instance communicate with Oracle Portal via Web providers. E-Business Suite Web providers are registered in the Portal Repository.

4.1.3.1 Generating a Site2pstoretoken For Portal Login With wwsec_sso_enabler.generate_redirect

Pre-requisite: Oracle Portal 10g Server (10.1.2.0.2 or above) is registered as a Partner Application with the SSO Server. Further, to integrate R12 with Oracle Portal, the Portal and Wireless option of the Oracle Application Server 10g (middle tier) installation must be selected in order to integrate with the Oracle Portal 10g Server.

4.1.3.1.1 Create a schema in the SSO database instance to contain the SSO SDK packages. Do not install the SSO 9.0.2 SDK packages into the Portal or ORASSO schemas.
For example:
sqlplus "sys/<sys password>[@tnsalias] as sysdba"
SQL> create user sso_sdk902 identified by sso_sdk902;
SQL> grant connect, resource to sso_sdk902;

4.1.3.1.2 Load the SDK PL/SQL packages. To use the SSO SDK, unzip the $ORACLE_HOME/sso/lib/ssosdk902.zip file into any directory. Change directory to the unzipped SDK packages directory and run:
sqlplus sso_sdk902/sso_sdk902[@tnsalias]
SQL> @loadsdk

4.1.3.1.3 Register the Portal partner application with the SDK schema. In the SDK packages directory run:
sqlplus sso_sdk902/sso_sdk902[@tnsalias]
SQL> @regapp

Enter the below values:
Partner Application Configuration
Enter value for listener_token: ap608opsadm.us.oracle.com:18670
Enter value for site_id: 1CB41C17
Enter value for site_token: 3F4I181F1CB41C17
Enter value for login_url: http://ap608opsadm.us.oracle.com:18670/pls/orasso/orasso.wwsso_app_admin.ls_login
Enter value for encryption_key: B3DCFB64840E084F
Enter value for ip_check: N

The output of the script will be as below:
Registration successful.
Listener token: ap608opsadm.us.oracle.com:18670
Site id: 1CB41C17
Site token: 3F4I181F1CB41C17
Encryption key: B3DCFB64840E084F
Login URL: http://ap608opsadm.us.oracle.com:18670/pls/orasso/orasso.wwsso_app_admin.ls_login
Logout URL: http://ap608opsadm.us.oracle.com:18670/pls/orasso/orasso.wwsso_app_admin.ls_logout
IP check: N
------------------------------------------------
PL/SQL procedure successfully completed.
Commit complete.

4.1.3.1.4 Create a function in the SDK schema to retrieve the site2pstoretoken value.
Example:
sqlplus sso_sdk902/sso_sdk902[@tnsalias]

create or replace function get_site2pstoretoken(p_req in varchar2, p_cancel in varchar2)
return varchar2
is
  v_site2pstoretoken varchar2(4032);
  v_requested_url    varchar2(4032);
  v_cancel_url       varchar2(4032);
begin
  -- if requested url and cancel url are null, specify defaults
  v_requested_url := nvl(p_req, 'http://wwwapps.us.oracle.com:1100/owa/3rdpartysite/index_metalink.html');
  v_cancel_url    := nvl(p_cancel, 'http://wwwapps.us.oracle.com:1100/owa/3rdpartysite/index.html');
  -- generate site2pstoretoken for the Portal site (listener token as registered by regapp)
  v_site2pstoretoken := wwsec_sso_enabler.generate_redirect(
      p_lsnr_token    => 'ap608opsadm.us.oracle.com:18670',
      p_url_requested => v_requested_url,
      p_url_cancel    => v_cancel_url);
  return v_site2pstoretoken;
end;
/

4.1.3.1.5 Retrieve the login URL for the Partner Application
SQL> set serveroutput on
SQL> exec dbms_output.put_line(length(get_site2pstoretoken(null,null)));
SQL> declare
       myVar varchar2(100);
     begin
       myVar := substr(get_site2pstoretoken(null,null),0,100);
       dbms_output.put_line(myVar);
     end;
     /

4.2

Integrating Oracle E-Business Suite with Oracle Internet Directory Server

Refer to Appendix A for registering Oracle E-Business Suite R12 with Oracle Internet Directory Server Release 10g. This section describes how to configure an Oracle E-Business Suite Release 12.0 instance as a provisioning-integrated application with Oracle Internet Directory Release 10g, so as to achieve user information synchronization between the E-Business Suite and the Oracle Internet Directory Server.

[Figure: Provisioning integration between Oracle E-Business Suite instances A and B and Oracle Internet Directory. Oracle iStore authenticates against the Oracle Single Sign-On Server; each instance's FND_USER exchanges IDENTITY_ADD, IDENTITY_MODIFY, IDENTITY_DELETE and SUBSCRIPTION_ADD events with the Provisioning Integration Service of the Oracle Directory Integration Platform, through a Provisioning Profile for each instance (loaded from a provisioning template with oidprovtool) and a Subscription List for each instance (loaded from a subscription text file with provsubtool).]

4.2.1

Oracle Internet Directory Provisioning Integration Service


Bidirectional provisioning between Oracle E-Business Suite and Oracle Internet Directory is built around the "Oracle Directory Integration Platform", whose "provisioning integration service" enables automatic provisioning (updating between the systems) of account creation or changes of user attributes. The provisioning process between each Oracle E-Business Suite instance and Oracle Internet Directory is controlled by a provisioning profile. When changes are made in Oracle Internet Directory that match an application's provisioning profile event criteria, the Provisioning Integration Service is the agent that sends the relevant new data to that application. Going in the other direction, the Provisioning Integration Service filters changes coming from an application (according to the permitted-events criteria of the application's provisioning profile), and transmits applicable ones to Oracle Internet Directory. The provisioning profile is highly customizable. Configuration of the profile is carried out by one of the below options:

1. Using oidprovtool, available in Oracle Application Server 10g; or

2. Instantiating an LDIF template file that contains the requisite values for the particular deployment, which is then loaded into Oracle Internet Directory using the ldapmodify command. This method can also be carried out on an iAS 1.0.2.2.2 instance on which Oracle E-Business Suite runs. A number of sample template files are shipped with Oracle E-Business Suite Release 12.0. These can be located at <FND_TOP>/admin/templates.

4.2.2

Oracle Internet Directory Subscription List


Oracle Internet Directory maintains a subscription list for each Oracle E-Business Suite instance that has registered with Oracle Internet Directory. The subscription list holds all Single Sign-On user accounts that need to access the associated Oracle E-Business Suite instance. Oracle Internet Directory and the associated Oracle E-Business Suite instance jointly maintain the accuracy of the subscription list. $ORACLE_HOME/ldap/odi/bin/provsubtool.orc is used to manage application-specific subscription lists in Oracle Internet Directory. Users can be added to or removed from application-specific subscription lists in bulk mode, batch mode or individually. For example:

provsubtool ldap_host=myladp.oracle.com ldap_port=389 \
  app_dn="orclapplicationcommonname=Financials,cn=EBusiness,cn=Products,cn=OracleContext,dc=ganseycorp,dc=com" \
  realm_dn=dc=orclcorp,dc=com list_name=ACCOUNTS operation=ADD \
  file_name=subscr_members.lst file_type=0 app_pwd=test123

The operation can be ADD, REMOVE or LIST.

4.2.3

Oracle Internet Directory Provisioning Service Events


OID server uses the below four provisioning events for setting up user synchronization.

IDENTITY_ADD - Either Oracle E-Business Suite or Oracle Internet Directory generates this event when a new user is created. If this event is enabled in the Oracle E-Business Suite to Oracle Internet Directory direction, after Oracle Internet Directory receives this event, it will create an Oracle Single Sign-On account in Oracle Internet Directory and add the account to the subscription list of that Oracle E-Business Suite Release 12 instance. In the other direction, if this event is enabled from Oracle Internet Directory to E-Business Suite and the profile "Applications SSO Enable OID Identity Add Event" is Enabled, it has the same effect as a SUBSCRIPTION_ADD event generated by Oracle Internet Directory.

IDENTITY_MODIFY - Either Oracle Internet Directory or Oracle E-Business Suite generates this event when a user account is modified. If this event is enabled in either direction, the receiving system will apply the modification to the account on that system.

IDENTITY_DELETE - Oracle Internet Directory generates this event when an Oracle Single Sign-On account is deleted. If this event is enabled in the Oracle Internet Directory to Oracle E-Business Suite direction, after an Oracle E-Business Suite Release 11i instance receives this event, it will end-date the application account linked to the Oracle Single Sign-On account.

SUBSCRIPTION_ADD - When a Single Sign-On account is created in Oracle Internet Directory, and subsequently added to the subscription list of an Oracle E-Business Suite instance, a SUBSCRIPTION_ADD event is generated in Oracle Internet Directory. If this event is enabled in the Oracle Internet Directory to Oracle E-Business Suite direction, a new application account will be created and linked to the Single Sign-On account.

When Oracle Internet Directory receives an IDENTITY_ADD event from an Oracle E-Business Suite instance, it adds the user to the subscription list of that Oracle E-Business Suite instance. When Link-on-the-Fly is performed on an Oracle E-Business Suite Release 11i instance, the Oracle E-Business Suite instance will send a SUBSCRIPTION_ADD event to Oracle Internet Directory. When an IDENTITY_MODIFY event is generated in Oracle Internet Directory, Oracle Internet Directory will check the subscription lists of all registered Oracle E-Business Suite Release 11i instances, and only send the event to an Oracle E-Business Suite Release 11i instance if the modified user appears on its subscription list.

Further, the direction of event propagation can be either single (OID to E-Business Suite, or E-Business Suite to OID) or bidirectional. For each direction, and each type of event, the list of provisioned attributes can be customized as required (removing an attribute from the attribute list disables sending that attribute). By default, Oracle Internet Directory sends out provisioning events every 60 seconds; this value can be increased or decreased by using oidprovtool, or by editing the orclodipprofileschedule attribute value in the provisioning template.

4.2.4

Creating a profile from a provisioning template


Creating the provisioning profile consists of the following steps:

4.2.4.1. Create a suitable template based on deployment choices. Please refer to the sample templates shipped, available at <FND_TOP>/admin/templates.

4.2.4.2. Instantiate the template with deployment-specific values, to generate an LDIF file.

4.2.4.3. Load the LDIF file into Oracle Internet Directory using the ldapmodify command.

Once the LDIF file is loaded, Oracle Internet Directory will start sending and polling provisioning events to and from the Oracle E-Business Suite instance for which the profile was created. It takes the provisioning service approximately two minutes to detect that a new profile has been added or an existing one has changed.

Sample Template (<FND_TOP>/admin/templates) | Usage
ProvAppsToOID.tmp | To set up user creation and update synchronization only from FND to OID. Template for creating an Oracle E-Business Suite to Oracle Internet Directory (INBOUND) profile with CREATION, MODIFICATION, and DELETION events.
ProvBiDiNoCreation.tmp | To set up bidirectional synchronization of user updates between FND and OID while restricting synchronization of user creations in FND over to OID. Template for creating a bidirectional profile with MODIFICATION and DELETION events only. Default template used.
ProvBiDirection.tmp | To set up bidirectional synchronization of user creations and updates between FND and OID. Template for creating a bidirectional (BOTH) provisioning profile with CREATION, MODIFICATION, and DELETION events.
ProvOIDToApps.tmp | To set up user creation and update synchronization only from OID to FND. Template for creating an Oracle Internet Directory to Oracle E-Business Suite (OUTBOUND) profile with CREATION, MODIFICATION, and DELETION events.

If the Oracle E-Business Suite instance only needs to send events to Oracle Internet Directory, then an INBOUND provisioning profile should be created. If the Oracle E-Business Suite instance only needs to receive provisioning events from Oracle Internet Directory, then an OUTBOUND profile should be created. If provisioning events may need to be sent in both directions, a bidirectional profile (BOTH) should be created.
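As an added example (not Oracle's code), the Python model below applies the event routing rules of section 4.2.3 and the INBOUND/OUTBOUND/BOTH profile directions of section 4.2.4 to constructed instances and users, showing which events reach which instance; the in-memory data structures, instance names and users are assumptions.

```python
"""Added example, not Oracle's code: an in-memory model of the event routing
described in 4.2.3, with each instance's profile direction from 4.2.4 and its
subscription list deciding which events cross. Names and users are constructed."""
from dataclasses import dataclass, field

INBOUND, OUTBOUND, BOTH = "INBOUND", "OUTBOUND", "BOTH"   # profile modes (4.2.4)


@dataclass
class EbsInstance:
    name: str
    mode: str                        # INBOUND: EBS -> OID only; OUTBOUND: OID -> EBS only
    oid_identity_add: bool = False   # profile "Applications SSO Enable OID Identity Add Event"
    accounts: dict = field(default_factory=dict)   # FND_USER: user -> {"end_dated": bool}


@dataclass
class Directory:
    users: set = field(default_factory=set)            # Single Sign-On accounts held in OID
    instances: dict = field(default_factory=dict)      # name -> EbsInstance
    subscriptions: dict = field(default_factory=dict)  # instance name -> set of subscribed users
    delivered: list = field(default_factory=list)      # (instance, event, user) sent OID -> EBS

    def register(self, inst):
        self.instances[inst.name] = inst
        self.subscriptions[inst.name] = set()

    def _deliver(self, inst, event, user):
        """Send one OID -> EBS event if the instance's profile direction allows it."""
        if inst.mode not in (OUTBOUND, BOTH):
            return False
        self.delivered.append((inst.name, event, user))
        if event == "SUBSCRIPTION_ADD" or (event == "IDENTITY_ADD" and inst.oid_identity_add):
            inst.accounts.setdefault(user, {"end_dated": False})   # create the linked account
        elif event == "IDENTITY_DELETE" and user in inst.accounts:
            inst.accounts[user]["end_dated"] = True                # end-date the linked account
        return True   # IDENTITY_MODIFY: the receiving system applies the change (not modelled)

    # Events generated in Oracle Internet Directory
    def oid_create_user(self, user):
        self.users.add(user)
        for inst in self.instances.values():     # IDENTITY_ADD goes to every receiving instance
            self._deliver(inst, "IDENTITY_ADD", user)

    def oid_subscribe(self, user, inst_name):
        self.subscriptions[inst_name].add(user)  # raises SUBSCRIPTION_ADD for that instance
        self._deliver(self.instances[inst_name], "SUBSCRIPTION_ADD", user)

    def oid_modify_user(self, user):
        # IDENTITY_MODIFY goes only to instances whose subscription list holds the user
        sent = []
        for name, subs in self.subscriptions.items():
            if user in subs and self._deliver(self.instances[name], "IDENTITY_MODIFY", user):
                sent.append(name)
        return sent

    def oid_delete_user(self, user):
        self.users.discard(user)
        for name, subs in self.subscriptions.items():
            if user in subs:
                subs.discard(user)
                self._deliver(self.instances[name], "IDENTITY_DELETE", user)

    # Event generated in an E-Business Suite instance
    def ebs_create_user(self, inst, user):
        inst.accounts[user] = {"end_dated": False}
        if inst.mode not in (INBOUND, BOTH):
            return False                          # EBS -> OID direction disabled: nothing sent
        self.users.add(user)                      # IDENTITY_ADD: OID creates the SSO account ...
        self.subscriptions[inst.name].add(user)   # ... and subscribes it to this instance
        return True


def demo():
    # Constructed scenario: three instances with differing profile directions
    oid = Directory()
    a = EbsInstance("EBS_A", BOTH, oid_identity_add=True)
    b = EbsInstance("EBS_B", OUTBOUND)
    c = EbsInstance("EBS_C", INBOUND)
    for inst in (a, b, c):
        oid.register(inst)
    oid.ebs_create_user(a, "jdoe")            # SSO account created, subscribed to EBS_A
    oid.ebs_create_user(b, "bsmith")          # OUTBOUND-only instance: stays local to EBS_B
    oid.oid_subscribe("jdoe", "EBS_B")        # SUBSCRIPTION_ADD creates the linked account in EBS_B
    oid.oid_create_user("mlee")               # IDENTITY_ADD: account only in EBS_A (profile enabled)
    modified = oid.oid_modify_user("jdoe")    # reaches EBS_A and EBS_B, never EBS_C
    oid.oid_delete_user("jdoe")               # end-dates the linked accounts in EBS_A and EBS_B
    return oid, a, b, c, modified
```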

4.2.5

Directory Integration Processing(DIP) Server Logs and Provisioning Profile Logs


The main DIP log file is $ORACLE_HOME/ldap/log/odisrv<instance number>.log, where <instance number> is a unique integer id.

The provisioning profile logs are located in the $ORACLE_HOME/ldap/odi/log directory. Each log file name is of the form:

<ApplicationName>_<RealmName>_[I/E].[trc/aud]

Where:
I = INBOUND provisioning event (from Oracle E-Business Suite to Oracle Internet Directory)
E = OUTBOUND provisioning event (from Oracle Internet Directory to Oracle E-Business Suite)
.trc = Trace file, which grows until the file size is about 10 MB. When that happens, the current trace file is backed up (with a timestamp appended) and a new trace file is started.
.aud = Audit file, which records all the events from the time the profile was created and therefore grows continually. This file consequently needs to be archived periodically.
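The following added example (not an Oracle tool) parses profile log names of the form above and reports the .aud files that have outgrown an archive threshold; the directory listing, sizes and threshold are constructed.

```python
"""Added example (not an Oracle tool): parse the provisioning profile log names
described above and report the .aud files that have outgrown an archive threshold.
The directory listing and the threshold are constructed assumptions."""
import re

# <ApplicationName>_<RealmName>_[I/E].[trc/aud]; the realm part may itself contain "_"
LOG_NAME = re.compile(r"^(?P<app>[^_]+)_(?P<realm>.+)_(?P<dir>[IE])\.(?P<kind>trc|aud)$")
DIRECTION = {"I": "INBOUND (E-Business Suite -> OID)",
             "E": "OUTBOUND (OID -> E-Business Suite)"}

# Constructed listing of $ORACLE_HOME/ldap/odi/log: file name -> size in bytes
SAMPLE_LISTING = {
    "Financials_ganseycorp_I.trc": 4_500_000,
    "Financials_ganseycorp_I.aud": 52_000_000,
    "Financials_ganseycorp_E.trc": 9_900_000,
    "Financials_ganseycorp_E.aud": 3_000_000,
    "Financials_ganseycorp_E.trc.20051226120000": 10_485_760,  # rotated trace backup
}


def classify(name):
    """Return the application, realm, direction and kind encoded in a log name, or None."""
    m = LOG_NAME.match(name)
    if not m:
        return None   # rotated trace backups carry a timestamp suffix and do not match
    return {"application": m["app"], "realm": m["realm"],
            "direction": DIRECTION[m["dir"]], "kind": m["kind"]}


def audit_files_to_archive(listing, threshold_bytes):
    """The .aud files grow without bound; list those at or above the threshold, largest first."""
    due = [(name, size) for name, size in listing.items()
           if (info := classify(name)) and info["kind"] == "aud" and size >= threshold_bytes]
    return sorted(due, key=lambda item: item[1], reverse=True)
```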

4.2.6

Sample Template file

4.2.7

Migrating Data between Oracle E-Business Suite Release 11i and Oracle Internet Directory
4.2.7.1 Migrating Existing Application Accounts in Oracle E-Business Suite Release 12 to Oracle Internet Directory

[Figure: Migrating existing application accounts from Oracle E-Business Suite instance A to Oracle Internet Directory. 1. AppsUserExport extracts a username list from FND_USER into an LDIF file; 2. ldifmigrator produces the final LDIF file; 3. bulkload or 4. ldapadd loads it into Oracle Internet Directory; 5. usernames are extracted and 6. provsubtool adds them to the instance's subscription list. The Provisioning Profile for A then carries IDENTITY_ADD, IDENTITY_MODIFY and IDENTITY_DELETE events through the Provisioning Integration Service of the Oracle Directory Integration Platform.]

4.2.7.1.1. For all users who shall not be migrated, set the profile "Applications SSO LDAP Synchronization" (APPS_SSO_LDAP_SYNC) to 'Y' at user level so that the account will not be migrated, i.e. the account is marked not to synchronize with Oracle Internet Directory. Or, use "Applications SSO Login Types" (APPS_SSO_LOCAL_LOGIN): an account will not be migrated if the user-level profile value of the account is LOCAL.

4.2.7.1.2. Use AppsUserExport to extract application user information into an intermediate LDIF file. The mapping between FND_USER columns and Oracle Internet Directory attributes is shown below.

FND_USER column name      | Oracle Internet Directory attribute name
user_name                 | sn
description               | description
start_date                | orclActiveStartDate
start_date/end_date       | orclIsEnabled
encrypted_user_password   | userPassword
user_guid                 | orclGuid
end_date                  | orclActiveEndDate
email_address             | mail
fax                       | facsimileTelephoneNumber

$APPL_TOP/java oracle.apps.fnd.oid.AppsUserExport [-v] -dbc <dbcfile> -o <outputfile> -pwd <apps schema pwd> -g [-l <logfile>]

where:
[-v]               Runs in verbose mode
<dbcfile>          Full path to the Applications dbcfile
<outputfile>       Intermediate LDIF file
<apps schema pwd>  Apps schema password
-g                 To create and copy users' GUIDs to OID
<logfile>          Log file (default is <outputfile>.log)
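As an added example, not Oracle's AppsUserExport, the Python below applies the FND_USER to OID attribute mapping of step 4.2.7.1.2 to constructed FND_USER rows and writes both the intermediate LDIF and the username list that step 4.2.7.1.7 feeds to provsubtool, selecting rows with the same profile test as the query in step 4.2.7.1.7.1; the container DN, object classes, timestamp format and orclIsEnabled rule are assumptions.

```python
"""Added example, not Oracle's AppsUserExport: apply the FND_USER to OID attribute
mapping above to constructed FND_USER rows, producing the intermediate LDIF and the
user-name list that step 4.2.7.1.7 feeds to provsubtool. Rows are selected with the
same profile test as the query in step 4.2.7.1.7.1. The container DN, object classes,
timestamp format and orclIsEnabled rule are assumptions, not taken from the paper."""
from datetime import date

USER_CONTAINER_DN = "cn=users,dc=us,dc=oracle,dc=com"   # s_UserContainerDN as in 4.2.7.1.3.2

# Mapping table above: FND_USER column -> Oracle Internet Directory attribute
# (orclIsEnabled is derived from start_date/end_date, see is_enabled below)
COLUMN_TO_ATTRIBUTE = {
    "user_name": "sn",
    "description": "description",
    "start_date": "orclActiveStartDate",
    "encrypted_user_password": "userPassword",
    "user_guid": "orclGuid",
    "end_date": "orclActiveEndDate",
    "email_address": "mail",
    "fax": "facsimileTelephoneNumber",
}

# Constructed FND_USER rows, each with the two user-level profile values that decide migration
SAMPLE_USERS = [
    {"user_name": "JDOE", "description": "John Doe", "start_date": date(2004, 1, 10),
     "end_date": None, "encrypted_user_password": "{SHA}c0nstructedHash1==", "user_guid": "GUID-0001",
     "email_address": "jdoe@example.com", "fax": None,
     "APPS_SSO_LOCAL_LOGIN": "BOTH", "APPS_SSO_LDAP_SYNC": "Y"},
    {"user_name": "OLDUSER", "description": "Left the company", "start_date": date(2003, 5, 1),
     "end_date": date(2005, 6, 30), "encrypted_user_password": "{SHA}c0nstructedHash2==",
     "user_guid": "GUID-0002", "email_address": None, "fax": "+1-555-0100",
     "APPS_SSO_LOCAL_LOGIN": "BOTH", "APPS_SSO_LDAP_SYNC": "Y"},
    {"user_name": "LOCALONLY", "description": "Local login only", "start_date": date(2005, 1, 1),
     "end_date": None, "encrypted_user_password": "{SHA}c0nstructedHash3==", "user_guid": "GUID-0003",
     "email_address": "local@example.com", "fax": None,
     "APPS_SSO_LOCAL_LOGIN": "LOCAL", "APPS_SSO_LDAP_SYNC": "Y"},
    {"user_name": "NOSYNC", "description": "Not synchronized", "start_date": date(2005, 1, 1),
     "end_date": None, "encrypted_user_password": "{SHA}c0nstructedHash4==", "user_guid": "GUID-0004",
     "email_address": "nosync@example.com", "fax": None,
     "APPS_SSO_LOCAL_LOGIN": "BOTH", "APPS_SSO_LDAP_SYNC": "N"},
]


def should_migrate(row):
    """Same test as the 4.2.7.1.7.1 query: not LOCAL-only and marked for LDAP synchronization."""
    return row["APPS_SSO_LOCAL_LOGIN"] != "LOCAL" and row["APPS_SSO_LDAP_SYNC"] == "Y"


def ldap_time(d):
    """Generalized-time form used for the orclActive*Date attributes (assumed format)."""
    return d.strftime("%Y%m%d%H%M%SZ")


def is_enabled(row, today):
    """orclIsEnabled derives from start_date/end_date: active when today lies inside the window."""
    return row["start_date"] <= today and (row["end_date"] is None or row["end_date"] >= today)


def to_ldif_entry(row, today):
    """One LDIF entry under the user container, with the nickname attribute uid set to user_name."""
    lines = [f"dn: cn={row['user_name']},{USER_CONTAINER_DN}",
             "objectclass: inetOrgPerson", "objectclass: orclUserV2",
             f"cn: {row['user_name']}", f"uid: {row['user_name']}"]
    for column, attribute in COLUMN_TO_ATTRIBUTE.items():
        value = row[column]
        if value is None:
            continue                              # absent column: attribute is left out
        if isinstance(value, date):
            value = ldap_time(value)
        lines.append(f"{attribute}: {value}")
    lines.append("orclIsEnabled: " + ("ENABLED" if is_enabled(row, today) else "DISABLED"))
    return "\n".join(lines)


def export(rows, today):
    """Return (intermediate LDIF text, provsubtool member list) for the rows to be migrated."""
    migrated = [row for row in rows if should_migrate(row)]
    ldif = "\n\n".join(to_ldif_entry(row, today) for row in migrated) + "\n"
    members = "".join(row["user_name"] + "\n" for row in migrated)
    return ldif, members
```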

4.2.7.1.3. Converting the AppsUserExport-generated intermediate LDIF file to the final LDIF

4.2.7.1.3.1 Temporarily disable any provisioning profile with profile mode 'OUTBOUND' or 'BOTH' at the OID using oidprovtool as below.

oidprovtool operation=disable ldap_host=beta.ganseycorp.com ldap_port=3060 \
  ldap_user_dn=cn=orcladmin ldap_user_password=l1ghth0use \
  application_dn=orclApplicationCommonName=beta,cn=EBusiness,cn=Products,cn=OracleContext,dc=us,dc=ganseycorp,dc=com \
  profile_mode=BOTH

4.2.7.1.3.2. As Oracle Internet Directory Administrator, run 'ldifmigrator' to change the below 2 attributes in the LDIF file.
s_UserContainerDN - DN of the entry under which all users are added, for example cn=users,dc=us,dc=oracle,dc=com
s_UserNicknameAttribute - The nickname attribute used for user entries in the subscriber, for example uid

For example:
ldifmigrator "input_file=data.txt" "output_file=data.ldif" "s_UserContainerDN=cn=users,dc=us,dc=oracle,dc=com" "s_UserNicknameAttribute=uid"

4.2.7.1.4. Stop the OID processes before using the bulkload utility to load the LDIF file.
$ORACLE_HOME/opmn/bin/opmnctl stopall

4.2.7.1.5. Loading the LDIF file into Oracle Internet Directory using 'bulkload'

4.2.7.1.5.1. Run the bulkload utility with the check option to verify there are no duplicate users. For example:
bulkload.sh -connect <connect string> -check <fully qualified path to ldif file>

4.2.7.1.5.2. Check the log file for duplicate users. If the log file indicates duplicate users, manually remove these users from the LDIF file.

4.2.7.1.5.3. Rerun the bulkload utility with the check option to verify all duplicates have been successfully removed.

4.2.7.1.5.4. Once all duplicates are removed, run the bulkload utility without the check option to load the users. For example:
bulkload.sh -connect <connect string> -generate -load <fully qualified path to the ldif file>

4.2.7.1.6. Instead of bulkload (steps 4.2.7.1.5.1-4.2.7.1.5.4), for small amounts of data, you may also use the ldapadd tool. For example:
ldapadd -h <ldaphost> -p <ldapport> -D "cn=orcladmin" -w <password> -f data.ldif -v

4.2.7.1.7. The bulkload tool does not automatically subscribe users to the parent E-Business Suite instance.
Hence, to add these users to the subscription list for this E-Business Suite instance, follow the below steps.

4.2.7.1.7.1. Extract the output of the below query to a txt file:

select user_name from fnd_user
 where FND_PROFILE.VALUE_SPECIFIC('APPS_SSO_LOCAL_LOGIN', user_id) <> 'LOCAL'
   and FND_PROFILE.VALUE_SPECIFIC('APPS_SSO_LDAP_SYNC', user_id) = 'Y';

4.2.7.1.7.2. Run provsubtool as mentioned in the section titled "Oracle Internet Directory Subscription List".

4.2.7.2 Migrating Existing Accounts from Oracle Internet Directory to Oracle E-Business Suite Release 12
[Figure: Migrating existing accounts from Oracle Internet Directory to Oracle E-Business Suite instance A. ldifwrite exports the Oracle Internet Directory users to a final LDIF file, which LDAPUserImport loads into FND_USER; thereafter the Provisioning Profile for A and the subscription list carry IDENTITY_ADD, IDENTITY_MODIFY and IDENTITY_DELETE events through the Provisioning Integration Service of the Oracle Directory Integration Platform, while Oracle iStore authenticates against the Oracle Single Sign-On Server.]

4.2.7.2.1. Export Oracle Internet Directory users into an LDIF file using ldifwrite
Syntax: ldifwrite -c <db connect string> -b <base dn> -f <LDIF file>
Example: ldifwrite -c asdb -b "cn=Users,dc=us,dc=oracle,dc=com" -f output.ldif

4.2.7.2.2. Import LDAP users into Oracle E-Business Suite using LDAPUserImport
$APPL_TOP/java oracle.apps.fnd.oid.LDAPUserImport [-v] -dbc <dbcfile> -f <ldiffile> -n <nicknameattribute> [-l <logfile>]
[-v]                 Runs in verbose mode
<dbcfile>            Full path to the Applications dbcfile
<ldiffile>           The LDIF file
<nicknameattribute>  Name of the attribute used as the nickname attribute in OID
<logfile>            The log file (default is LDAPUserImport.log)
For example:
$APPL_TOP/java oracle.apps.fnd.oid.LDAPUserImport -v -dbc $FND_TOP/secure/myebiz.dbc -f users.ldif -n uid -l users.log

If the OID user already exists in the E-Business instance the duplicate record will be ignored, the log file will be updated with a reference to the duplicate record, and processing will continue to the next OID record.

4.2.8

E-Business Suite User Data Synch-up to OID: Synchronous and Asynchronous


IBE_USER_PVT.create_user
|-> FND_USER_PKG.createPendingUser
|-> FND_USER_PKG.createUserIdParty
|-> FND_USER_PKG.createUserIdInternal
|-> FND_WEB_SEC.create_user
|-> Insert into FND_USER
|-> FND_LDAP_WRAPPER.create_user
|-> FND_LDAP_USER.create_user
|-> FND_LDAP_USER.create_user
|-> FND_SSO_REGISTRATION.is_operation_allowed
|-> FND_LDAP_USER.create_user
|-> FND_LDAP_USER.create_user_nodes
|-> FND_LDAP_USER.create_user_subscription
|-> FND_USER_PKG.updateUserInternal
|-> update fnd_user for GUID, start_date, end_date as GMISS_DATE
|-> FND_USER_PKG.user_synch
|-> Raise oracle.apps.global.user.change event

Triggers synchronous subscription in the OID Provisioning Integration Layer:

WF_OID.user_change
|-> FND_OID_UTIL.entity_changes
|-> Raise IDENTITY_MODIFY event

FND_LDAP_WRAPPER.create_user does a synchronous creation of the username in OID and further adds the username to the subscription list of this E-Business Suite instance maintained by the Directory Provisioning Integration Service.
Note: This synchronous OID user creation API needs the DBMS_LDAP package to be installed in the E-Business Suite database instance, as mentioned in Section 4.1.2.2.
FND_USER_PKG.user_synch raises the oracle.apps.global.user.change event, which triggers the subscription WF_OID.user_change in the OID instance synchronously, causing the IDENTITY_MODIFY event to be queued up; that event is, however, processed asynchronously.

4.2.9

Synchronizing the Third-Party Repository with Oracle Internet Directory


Organizations that have standardized on third-party Lightweight Directory Access Protocol (LDAP) directories can optionally integrate them with Oracle Internet Directory. Oracle Internet Directory synchronizes with third-party metadirectory solutions.

4.3

Implementing Central Registration Provisioning System for Oracle E-Business Suite


Steps needed to set up CAPS Registration

Pre-requisite: The environment should already have been SSO-enabled and further integrated with the OID Server for user synch-up.

1. Prepare a JSP, say 'demo_umx_oid_reg.jsp', to display the UI for the Central Registration, validate the fields and call the API mentioned in Step 2 to create the user.

2. Create a Java API to accept the fields captured in the UI and create the username. ORACLE_HOME\jlib\ldapjclnt10.jar has the utility APIs to create the username in OID, where ORACLE_HOME refers to the Oracle Application Server 10g installation home directory. A sample Java class to create the user details is provided below.
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

import oracle.ldap.util.LDIF;
import oracle.ldap.util.ModPropertySet;
import oracle.ldap.util.RootOracleContext;
import oracle.ldap.util.Subscriber;
import oracle.ldap.util.User;
import oracle.ldap.util.Util;
import oracle.ldap.util.UtilException;
import oracle.ldap.util.jndi.ConnectionUtil;

public class MyOIDUserManager {
    // The host name and port of the OID server used for EBS integration
    static String ldap_host = "152.69.162.108";
    static String ldap_port = "389";
    // The user name and password of the super user in the OID server used for EBS integration.
    // These are the sample's values; a deployment should read them from protected configuration
    // rather than compiling them into the class.
    static String ldap_suname = "cn=orcladmin,cn=users, dc=69,dc=162,dc=108";
    static String ldap_supwd = "welcome1";

    public static void createUser(String firstName, String email, String uname, String pwd)
            throws UtilException, NamingException {
        // Bind to OID as the super user
        InitialDirContext ctx = ConnectionUtil.getDefaultDirCtx(ldap_host, ldap_port, ldap_suname, ldap_supwd);
        try {
            // Using RootOracleContext to fetch the default realm
            Subscriber sub = new RootOracleContext(ctx).getSubscriber(ctx, Util.IDTYPE_DEFAULT, null, new String[] {"*"});
            // Create a ModPropertySet object to define all the attributes and their values.
            ModPropertySet mps = new ModPropertySet();
            // required
            mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "cn", uname);
            if (firstName != null)
                mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "givenName", firstName);
            // sn is mandatory for the user entry; the sample uses a fixed value
            mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "sn", "test");
            if (email != null)
                mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "mail", email);
            mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "uid", uname);
            mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "userpassword", pwd);
            // Create the user by specifying the nickname and the ModPropertySet just defined
            User newUser = sub.createUser(ctx, mps, true);
        } finally {
            ctx.close();   // release the directory connection
        }
    }
}

3. Prepare a new war file, say 'webapp.war', containing the display JSP 'demo_umx_oid_reg.jsp' and the associated images, and containing the above created Java class MyOIDUserManager inside the WEB-INF folder.

4. On any Application Server 10g instance (preferably where the OID Server is deployed), create an OC4J instance named UMX_REGISTRATION, deploy the web application 'webapp.war' in that instance and start the OC4J instance.
Application Name: OIDSync
Map to URL: /OIDSync

5. Set the profile option "Oracle Applications Central Registration URL" (APPS_CENTRAL_REGISTER_URL) to this value:
http://<hostname of the oid server>:<port number>/<URL the application is mapped to>/demo_umx_oid_reg.jsp?doneURL=:UMX_TARGET&cancelURL=:UMX_CANCEL

6. Restart the Apps Apache listener.

7. Test the CAPS setup: click on the Register link in iStore and proceed to CAPS Registration. Input the necessary details and create the user. The user should be created in OID. Further, based on the provisioning profile implemented, user details may be synched up to FND.

4.4

Acronyms
Acronym | Expanded Meaning
SSO     | Single Sign On
OID     | Oracle Internet Directory
CAPS    | Central Account Provisioning System
DAS     | Delegated Administration Services. Provides proxy-based administration of OID directory information by users and application administrators
