Monday, July 21, 2008

Oracle 10g SSO Integration with E-Biz 11.5.10.2 - Planning

As I have mentioned earlier in my blog regarding our SSO setup, today I am putting that in this blog so that whoever is planning to set up the same in their environment will benefit from it. I am going to split my document into a few stages; one of them is planning, which I describe in this post. This phase will help you understand what is required in your setup and how to achieve it. I am going to take the example of my setup and requirements; it is possible that you require the same setup, but it will definitely not be the same for all of you.
-----------------------------------------------------------------------------------
Our requirement was as follows:
Integrate the existing Oracle E-Business Suite Rel 11i, replacing the existing Netegrity SiteMinder as the authentication mechanism. Netegrity SiteMinder uses the enterprise Active Directory as the user directory. Install and configure Oracle10g Identity Management (10.1.4.0.1) to replace Netegrity SiteMinder as the authentication mechanism.
· Use Oracle10g Identity Management to provide Windows Native Authentication for a seamless user experience, and propagate the Windows-authenticated user identity to Oracle10g Single Sign-On using the Kerberos protocol.
· Use the Oracle10g Identity Management external authentication plug-in as the fallback mechanism for non-Kerberos-capable browsers authenticating to Oracle E-Business Suite Rel 11i applications.
-----------------------------------------------------------------------------------
To achieve the Oracle10g Single Sign-On integration, the following activities need to be done:
1. Install the Oracle10g Identity Management (10.1.4.0.1) server, either co-located with the Identity MR database or as distributed components.
2. Configure Oracle E-Business Suite Rel 11i using Metalink Note 233436.1 Section 6, "Implement Single Sign-On Support For the E-Business Suite". This step configures Oracle E-Business Suite to delegate authentication to Oracle10g Single Sign-On.
3. Bulk migrate / synchronize minimal user information from the enterprise Active Directory to Oracle Internet Directory using the Oracle Directory Integration Platform (DIP).
4. Existing accounts in Active Directory and in Oracle E-Business Suite Rel 11i will need to have their FND_USERS.USER_GUID column values set to null. Enable the "Application SSO Auto Link User" or "link-on-the-fly" feature to link the OID user identity with the Oracle E-Business Suite Rel 11i user account.
-----------------------------------------------------------------------------------
Now you might be wondering what is meant by User Account Auto-Link. Here you go:
1. In the single sign-on handshake between Oracle Single Sign-On and Oracle E-Business Suite, Oracle Single Sign-On returns the GUID of the authenticated user to Oracle E-Business Suite Release 11i.
2. Oracle E-Business Suite Release 11i uses the GUID to try to locate the user's Oracle E-Business Suite Release 11i application account.
3. If the user is accessing Oracle E-Business Suite Release 11i for the first time, the FND_USERS.USER_GUID column value is null, so no application account will be found.
4. When "Application SSO Auto Link User" is set to "Y", Oracle E-Business Suite Release 11i will try to locate the user by the account name. If successful, it will link the two accounts by GUID. If not successful, it will redirect the user to the "Account Link" page to associate a username.
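To make the account lookup concrete, here is a small simulation (an added example, not Oracle's code) of step 4 of the plan (clearing USER_GUID) and the four-step auto-link handshake above. The FND_USER rows, GUID values and the ACCOUNT_LINK_PAGE path are constructed sample data; the rule that a name match whose GUID is already set to a different value counts as "not found" is my assumption.

```python
"""Simulation of the Oracle SSO -> E-Business Suite 11i account lookup and the
'Application SSO Auto Link User' behaviour. Added example, not Oracle code;
the FND_USER rows and GUIDs below are constructed sample data."""

# Constructed sample of the FND_USER table (the post calls the column
# FND_USERS.USER_GUID): USER_NAME -> USER_GUID. A stale GUID such as JSMITH's
# is exactly what step 4 of the plan clears before the feature is enabled.
FND_USER = {
    "JSMITH": "A1B2C3D4E5F6",   # linked earlier by a previous SSO setup
    "RMOGUL": None,             # never linked; USER_GUID is null
    "SYSADMIN": None,
}

ACCOUNT_LINK_PAGE = "/OA_HTML/AccountLink"   # hypothetical redirect target


def clear_user_guids(table):
    """Step 4 of the plan: reset every USER_GUID to null so that the
    link-on-the-fly logic can re-link accounts against the new OID."""
    for name in table:
        table[name] = None
    return table


def locate_account(table, sso_guid, sso_username, auto_link):
    """Steps 1-4 of the handshake. Returns a (result, value) tuple:
    ('found', name)    - USER_GUID matched, normal login continues
    ('linked', name)   - located by name and linked by GUID (auto-link on)
    ('redirect', page) - no match; user is sent to the Account Link page
    """
    # Step 2: try the GUID returned by Oracle Single Sign-On first.
    for name, guid in table.items():
        if guid is not None and guid == sso_guid:
            return ("found", name)
    # Step 3: first visit, USER_GUID null -> nothing found by GUID.
    if auto_link != "Y":
        return ("redirect", ACCOUNT_LINK_PAGE)
    # Step 4: profile set to Y -> fall back to the account name and link.
    # EBS user names are stored upper-case, so normalise before comparing.
    wanted = sso_username.upper()
    for name, guid in table.items():
        # Assumption: a name already linked to another GUID is not re-linked.
        if name == wanted and guid is None:
            table[name] = sso_guid
            return ("linked", name)
    return ("redirect", ACCOUNT_LINK_PAGE)
```

Running the handshake twice for the same user shows the effect of the link: the first call links by name, the second is found directly by GUID.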
-----------------------------------------------------------------------------------

Continue ........

3 comments:

Raju Mogulapalli said...

Hi Sandeep,

We have implemented a zero-sign-on approach on 11i EBS. For this we have integrated 11i EBS with Oracle 10g Identity Management (OID), which in turn has been integrated with Microsoft Active Directory. We then enabled WNA in our environment.

The setup is working fine but has only one issue. The SSO login is working absolutely fine (the user is not asked for the password as his credentials are taken from the Windows login - Kerberos configured). But for the Apps local login, the users are able to log in on an intermittent basis. For example, at one moment they are not able to log in, let's say, but when they retry in 10 seconds, they are able to log in. Are you aware of this issue?

Regards,
Raju Mogulapalli

Sundeep Dubey said...

1. From the menu bar, select Tools, then, from the Tools menu, select Internet Options.
2. In the Internet Options dialog box, select the Security tab.
3. On the Security tab page, select Local Intranet, then select Sites.
4. In the Local intranet dialog box, select Include all sites that bypass the proxy server; then click Advanced.
5. In the advanced version of the Local intranet dialog box, enter the URL of the OracleAS Single Sign-On middle tier. For example:
https://yourOIDserver.com:4445/
6. Click OK to exit the Local intranet dialog boxes.
7. In the Internet Options dialog box, select the Security tab; then choose Local intranet; then choose Custom Level.
8. In the Security Settings dialog box, scroll down to the User Authentication section and then select Automatic logon only in Intranet zone.
9. Click OK to exit the Security Settings dialog box.
10. From the menu bar, select Tools, then, from the Tools menu, select Internet Options.
11. In the Internet Options dialog box, select the Connections tab.
12. On the Connections tab page, choose LAN Settings.
13. Confirm that the correct address and port number for the proxy server are entered, then choose Advanced.
14. In the Proxy Settings dialog box, in the Exceptions section, enter the domain name for the OracleAS Single Sign-On server (yourserverSSO.com in the example).
15. Click OK to exit the Proxy Settings dialog box.

If you are using Internet Explorer 6.0, perform steps 1 through 15; then perform the following steps:
16. From the menu bar, select Tools, then, from the Tools menu, select Internet Options.
17. In the Internet Options dialog box, select the Advanced tab.
18. On the Advanced tab page, scroll down to the Security section.
19. Select Enable Integrated Windows Authentication (requires restart).

See if this helps.

Thanks
Sundeep

Anonymous said...

I will not acquiesce in on it. I assume nice post. Expressly the title-deed attracted me to study the unscathed story.