The logon process by which users are authenticated and authorized to access Oracle E-Business Suite is significantly modified in an environment where Oracle Access Manager (and the associated Oracle E-Business Suite AccessGate) has been integrated. This section discusses the key changes, in particular the use of profile options.
In a standalone Oracle E-Business Suite environment, all users and system administrators connect by using Oracle E-Business Suite's AppsLogin page. This page redirects users to an Oracle E-Business Suite login page that authenticates their userid and password against the FND_USER table. Oracle E-Business Suite then determines the user's authorization by looking up the application responsibilities against entries in the FND_USER table.
In an environment where Oracle E-Business Suite has been integrated with Oracle Access Manager and Oracle Directory Services, the following points apply:
End users connect to Oracle E-Business Suite using the AppsLogin page, which redirects them to the Oracle Access Manager login page. Oracle Access Manager authenticates the Oracle E-Business Suite user's userid and password against Oracle Directory Services, and redirects the user back to Oracle E-Business Suite, which then determines the user's authorizations by looking up application responsibilities against entries in the Oracle E-Business Suite FND_USER table.
System administrators and other selected users connect to Oracle E-Business Suite using Oracle E-Business Suite's AppsLocalLogin page, which authenticates their userid and password against the FND_USER table. Oracle E-Business Suite then determines the user's authorizations by looking up application responsibilities against entries in the FND_USER table. Users in this special user population have their credentials authenticated locally in Oracle E-Business Suite instead of externally in Oracle Access Manager and Oracle Directory Services.
The login process is controlled by a group of Oracle E-Business Suite profile options, which are described in more detail below.
The key components involved in the login process are as follows.
AppsLogin
<http://[host]:[port]/OA_HTML/AppsLogin>
The login route is determined by the profile option "Applications SSO Type" (APPS_SSO). If the Oracle E-Business Suite instance is integrated with Oracle Access Manager, this should be set to "SSWA w/SSO". The user is redirected, through Oracle E-Business Suite AccessGate, to the Oracle Access Manager login page; after the user enters their credentials (username and password), Oracle Access Manager authenticates them against the LDAP server.
AppsLocalLogin
<http://[host]:[port]/OA_HTML/AppsLocalLogin.jsp>
The login route is determined by the profile option "Applications SSO Type" (APPS_SSO). If this site level profile is set to "SSWA", the user is shown the local login page, and after entering their credentials (username and password) is authenticated against the FND_USER table of the Oracle E-Business Suite instance.
Note: If APPS_SSO is set to SSWA, the user will be redirected to AppsLocalLogin.jsp regardless of whether or not OAM integration is in effect. When accessing AppsLocalLogin.jsp, the APPS_SSO profile is not used to determine the page to redirect to.
The login page for Oracle E-Business Suite Releases 12.2.4 and earlier is an Oracle Application Framework-based page, so its regions can be personalized. Administrators can personalize the page by setting the profile FND_PERSONALIZATION_REGION_LINK_ENABLED to 'Yes'.
Note: In Oracle E-Business Suite Release 12.2.5, the new login page is not an Oracle Application Framework-based page, so it cannot be personalized in the same manner, although the default items listed below are the same.
By default, all the regions on the login page are displayed. The following items may be personalized:
User Name
Password
Login button
Cancel button
Login Assistance Link
Register Here Link
Accessibility
Language Options
System Administrators can create custom login pages. The custom page must post to the servlet AuthenticateUser, which requires two parameters: username and password. Once the user is successfully authenticated, the servlet redirects the user to the destination given in the requestUrl parameter, or to the default APPSHOMEPAGE if none is given. If authentication fails, the servlet redirects the user back to the login page with the error message in the errCode parameter.
To deploy a custom login page:
Place the new login page in the OA_HTML directory.
Create a new function (FND_FORM_FUNCTION) whose web_html value is populated with the file name of your new login page. The function code should begin with 'APPS_LOGIN'.
Assign this function to the APPS_LOGIN_DEFAULT menu. As this menu is already granted to all users (including GUEST), no separate grant is needed.
Update the profile option APPS_LOGIN_FUNCTION with the new function name. The drop-down list for this profile queries only function codes starting with APPS_LOGIN.
CRMLogin servlet and jtflogin.jsp
<http://[host]:[port]/oa_servlets/CRMLogin.jsp>
<http://[host]:[port]/OA_HTML/jtflogin.jsp>
There is a new recommended login flow for the CRM System Administrator Console: use the CRMLogin servlet to log in. The servlet checks whether the system is SSO-enabled and directs you to the appropriate login page. The old login page, jtflogin.jsp, is still supported, but is recommended only where jtflogin.jsp has been customized.
Oracle Applications Manager Login
<http://[host]:[port]/servlets/weboam/oam/oamLogin>
Important: Here, "oam" refers to Oracle Applications Manager, not Oracle Access Manager.
You will be prompted for the Oracle E-Business Suite user account and password. Log in to an account that has System Administrator and Self-Service System Administrator responsibilities. Upon successful login, the Oracle Applications Manager Console will show the Oracle E-Business Suite system to which you have connected.
Lightweight Login Page
Oracle E-Business Suite Release 12.2.5 provides a lightweight login page that system administrators can use as an alternative to the traditional Release 12 local login page.
The lightweight login page consists of 4 components:
HTML (AppsLocalLogin.jsp): includes the CSS and Javascript elements
login.css: formats the HTML page
login.js: Javascript to handle the page and the credentials posting
LoginService: serves the REST calls made by the login page
To customize the login page style, create a file called "custom-login.css" in the same directory as login.css, with the same owner and file permissions. The contents of custom-login.css are automatically appended to login.css when the login page is displayed.
The login process is determined by a group of Oracle E-Business Suite profile options, which are divided into several categories and described below.
The profiles described in this category are all related to the login and logout process.
Features of the 'Applications SSO Type' (APPS_SSO) profile:
Available at site level (cannot be set for individual users). As of Release 12.2.6, it may also be set at the server level.
Updatable only by system administrators
Defined by the lookup type 'APPS_SSO_TYPE'
Has a default value of 'SSWA'
This profile determines the overall user login and authentication experience, as follows:
| Profile Value | Login Using | Authentication | User Directory | Integration Model | Requires | Home Page |
|---|---|---|---|---|---|---|
| SSWA w/SSO | OAM login page | Oracle Access Manager | Oracle Directory Services | Oracle E-Business Suite is a partner application to Oracle SSO | Oracle E-Business Suite AccessGate installed into Oracle E-Business Suite instance | Set by APPLICATIONS_HOME_PAGE profile |
| Portal w/SSO | OAM login page | Oracle Access Manager | Oracle Directory Services | Oracle E-Business Suite is a partner application to SSO | Oracle E-Business Suite AccessGate installed into Oracle E-Business Suite instance | Portal home page |
| SSWA | Oracle E-Business Suite login page | Oracle E-Business Suite | FND_USER | N/A | N/A | Set by APPLICATIONS_HOME_PAGE profile |
Additional Information: In the above table, Oracle Directory Services = the LDAP directory with which Oracle E-Business Suite is integrated; OAM = Oracle Access Manager; SSWA = Self-Service Web Applications.
The 'Self Service Personal Home Page Mode' profile determines the default home page for the application, which is the first page a user sees after logging in to Oracle E-Business Suite.
Features of this profile:
Available at site and user level (can be set for individual users)
System administrators can change setting at both site and user levels
End users can change this from user level profiles
Default value is 'Framework only'
Note: If an end user changes the value for this profile option, that value overrides administrative-level personalization for the home page. In this case, those administrative-level personalizations will not be displayed for that user.
Possible values of this profile:
| Profile Value | Description |
|---|---|
| Framework Only | Displays the Home page from Release 12.2.3 and earlier, based on the value of profile option FND: Disable Configurable Home Page. |
| Framework Tree | Displays the Home page from Release 12.2.3 and earlier, based on the value of profile option FND: Disable Configurable Home Page. |
| Framework Simplified | Displays the Simple Home page from Release 12.2.4 and later. |
| None | Do not use a personal home page. |
The 'FND: Disable Configurable Home Page' profile accepts a value of False or True. When the Self Service Personal Home Page Mode profile is set to Framework Only or Framework Tree, a value of False displays the Configurable Home page with the tree-based Navigator, and a value of True displays the Home page with the flat-list Navigator.
Note: The combination of values set for the Self-Service Personal Home Page Mode and FND: Disable Configurable Home Page profile options affect the appearance of the home page. For details on the behavior that results from the various profile option combinations, see the "Home Page Profile Options" section of the Oracle Application Framework Developer's Guide, available from My Oracle Support Knowledge Document 1315485.1.
This profile specifies which login page is used to perform local access to Oracle E-Business Suite. When the 'Applications SSO type' profile is set to 'SSWA', the application login servlet (AppsLogin) will redirect a user to the login page specified by this profile.
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Default value is 'AppsLocalLogin.jsp'
This profile is used to specify Oracle Portal-related settings.
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Defines the portal entry page
This profile can be used to specify where the user should be redirected after logging out of the Oracle E-Business Suite instance. Profile changes take effect for newly created sessions only.
Features of this profile:
Available at site and user level
Default value is NULL
May be any valid URL
Note: Product groups may programmatically set the post-logout URL, overriding any site or user level profile settings.
The profile options described in this category control how Oracle E-Business Suite user accounts are linked to single sign-on accounts.
This profile (APPS_SSO_AUTO_LINK_USER) determines whether Oracle E-Business Suite Release 12.2 will automatically link an authenticated single sign-on account to an application account of the same account name, without prompting the user for authentication information for the application account during login.
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Has possible values of:
'Enabled' - Allow auto link
'Disabled' - Do not allow auto link (the default)
'Create User and Link' - To create and link user on-demand
For an FND_USER account to be linked automatically, it must meet two criteria: its user name must be the same as the SSO user name, and its USER_GUID must be null or 1. FND_USER accounts with a different name, or with a USER_GUID that is neither null nor 1, cannot be linked in this way.
Note: A user with USER_GUID=1 cannot be linked on the fly from the link-account page, so automatic linking through APPS_SSO_AUTO_LINK_USER is the only way to link this user.
This profile indicates whether the Oracle E-Business Suite Release 12.2 instance should link a newly-created Oracle E-Business Suite user to an existing Oracle Directory Services account with the same name.
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Has possible values of:
'Enabled' - Link users with the same user name
'Disabled' - Do not link users with the same user name
This profile (APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS) indicates whether the Oracle E-Business Suite Release 12.2 instance allows linking of one Oracle Directory Services user to multiple Oracle E-Business Suite user accounts.
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Has possible values of:
'Y' - Allow multiple accounts to be linked
'N' - Do not allow multiple accounts to be linked (the default)
The 'Link additional account' operation uses this profile, with the following implications:
If APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS is set to 'Y', the 'Add Account' button is shown on the 'Single Sign-On Account Settings' page (accessible from the 'User Preferences' page).
If the profile is set to the default value of 'N', the 'Add Account' button is not shown, and the 'Link account' page therefore does not permit linking of multiple accounts.
The profile options in this category specify how passwords are managed in a single sign-on Oracle E-Business Suite environment.
Features of the APPS_SSO_LOCAL_LOGIN profile:
Available at both site and user level (can be set for individual users)
Updatable only by system administrators
Determines whether a user's password is managed:
Externally in Oracle Directory Services
Locally in Oracle E-Business Suite
In both Oracle Directory Services and Oracle E-Business Suite
Valid values are defined in the Lookup Type, 'FND_SSO_LOCAL_LOGIN':
'SSO' - Login is only allowed through single sign-on. The password is set to 'EXTERNAL' after a single sign-on account and an application account are linked.
'LOCAL' - Login is only allowed through Oracle E-Business Suite local login. Passwords must be retained in the Oracle E-Business Suite and the account cannot be linked to any Oracle Directory Services user.
'BOTH' - Login can be through both single sign-on and Oracle E-Business Suite local login. Since changes to the Oracle E-Business Suite password can be synchronized to Oracle Directory Services, but not vice versa, a user's single sign-on password will not necessarily be the same as their Oracle E-Business Suite password. Note that accounts set to 'BOTH' (or 'LOCAL') remain reachable through AppsLocalLogin.jsp with their local password, outside any authentication policy enforced by Oracle Access Manager.
The default site level value is 'BOTH'. A user level value of 'LOCAL' is set for accounts such as 'SYSADMIN' and 'GUEST'.
The user level profile values for 'SYSADMIN' and 'GUEST' should not be changed. 'SYSADMIN' is a standard account that can only be used for local login, and cannot be used to log in through single sign-on. Once a password has been set to 'EXTERNAL' in Oracle E-Business Suite, the original password can no longer be used to log in locally. If the profile is later changed to allow LOCAL access, a system administrator must set a new password with the AFPASSWD or FNDCPASS utility.
Important: Regardless of whether the user credentials are correct, a 'LOCAL' user cannot be linked on the fly, and the linking page will display the error: FND-9921: Unable to link account. This E-Business Suite user account is marked as a local account. The user can then choose to enter a different (non-local) account to link to.
For more information about the AFPASSWD and FNDCPASS utilities, refer to the "Basic DBA Tasks" chapter of the Oracle E-Business Suite Maintenance Guide.
This profile stores the location of the page where Self-Service users can change their Oracle E-Business Suite password. The page specified should only allow the password to be changed by a user whose 'APPS_SSO_LOCAL_LOGIN' profile has the value of either 'BOTH' or 'LOCAL' (i.e. not 'SSO').
Note: For 'SSO' and 'BOTH' users, an API determines whether the password can be changed locally or whether the user should be sent to the APPS_SSO_CHANGE_PWD URL instead. The criterion is whether the password can be synchronized to Oracle Directory Services (OID).
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
Default value is 'AppsChangePassword.jsp'
This profile (APPS_SSO_CHANGE_PWD) points to the LDAP self-service user interface for password changes. When an Oracle E-Business Suite Self-Service change password page determines that a user's password is stored in LDAP, it can redirect the user to the location stored in this profile; for example, the password may be stored in Oracle Identity Management.
Features of this profile:
Available at site level only (cannot be set for individual users)
Updatable only by system administrators
The profile options in this category determine how provisioning (automatic updating of user accounts) is carried out in a single sign-on Oracle E-Business Suite environment.
This profile determines whether provisioning is enabled for a particular FND_USER account. User information associated with an FND_USER account will be provisioned with Oracle Directory Services only if the APPS_SSO_LDAP_SYNC profile of the user is set to 'Y'.
Features of this profile:
Available at site and user level (can be set for individual users)
System administrators can change setting at both site and user levels
End users can change this from user level profiles.
Default site level value is 'Y'
User level values for 'SYSADMIN' and 'GUEST' accounts are set to 'N'
The site level value is provided to obviate the need for every user to define a user level value, and has the following important characteristics:
Setting the site level value (to 'Y' or 'N') does not globally enable (or disable) provisioning.
Since provisioning with Oracle Directory Services is the most common deployment scenario, this profile is shipped with a default site level value of 'Y'.
For any user accounts that are not to be provisioned, this profile should be overridden with a user level value of 'N'.
To provision users from FND to Oracle Directory Services, APPS_SSO_LDAP_SYNC needs to be enabled and the Oracle Directory Services provisioning profile set.
If an existing user's APPS_SSO_LOCAL_LOGIN profile has 'LOCAL' value, the user modifications are not provisioned, regardless of this profile value. Profile APPS_SSO_LOCAL_LOGIN has higher precedence than APPS_SSO_LDAP_SYNC at user level.
Important: Linking a single enterprise user account to multiple Oracle E-Business Suite (FND_USER) user accounts can have undesirable consequences, such as data from one application overwriting data from another. Therefore, after the first FND_USER account is linked, all accounts subsequently linked to the same enterprise account will have the APPS_SSO_LDAP_SYNC user level profile value set to 'N'. Users who still wish to change the user level value of this profile can do so by using the 'Single Sign-On Account Settings' page.
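The account-linking rules above (automatic linking, linking on the fly, 'LOCAL' accounts, multiple accounts, the 'EXTERNAL' password) and the provisioning precedence in this category interact in ways that are easier to see executed than to read. The following Python model is an added example, not Oracle's code: it uses the profile option names from this page, but the FndUser and Instance classes, the result strings and the sample accounts are constructed for illustration, and it never touches a real FND_USER table.

```python
"""Model of the SSO account-linking and provisioning rules on this page.
Added illustration, not Oracle code: profile names are the page's, while
FndUser, Instance, result strings and sample accounts are constructed.
USER_GUID is a plain string here; in FND_USER it is a directory GUID."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FndUser:
    """Constructed stand-in for the FND_USER columns the rules depend on."""
    user_name: str
    user_guid: Optional[object] = None      # None, 1, or a directory GUID
    password: str = "welcome1"              # stands in for the stored password
    profiles: dict = field(default_factory=dict)  # user-level profile values


@dataclass
class Instance:
    """One Oracle E-Business Suite instance: site profiles, users, SSO links."""
    site_profiles: dict
    users: dict = field(default_factory=dict)   # user_name -> FndUser
    links: dict = field(default_factory=dict)   # sso guid -> [user_name, ...]

    def profile(self, name: str, user: Optional[FndUser] = None):
        """A user-level value overrides the site-level default."""
        if user is not None and name in user.profiles:
            return user.profiles[name]
        return self.site_profiles.get(name)

    def _bind(self, user: FndUser, sso_guid: str) -> None:
        user.user_guid = sso_guid
        if self.profile("APPS_SSO_LOCAL_LOGIN", user) == "SSO":
            user.password = "EXTERNAL"   # the old local password stops working
        linked = self.links.setdefault(sso_guid, [])
        if linked:                       # every account after the first one
            user.profiles["APPS_SSO_LDAP_SYNC"] = "N"   # is not provisioned
        linked.append(user.user_name)

    def auto_link(self, sso_name: str, sso_guid: str) -> str:
        """Automatic linking at login, governed by APPS_SSO_AUTO_LINK_USER."""
        mode = self.profile("APPS_SSO_AUTO_LINK_USER")
        if mode not in ("Enabled", "Create User and Link"):
            return "NOT_LINKED"          # 'Disabled' (the default) or unset
        user = self.users.get(sso_name)  # criterion 1: same account name
        if user is None:
            if mode != "Create User and Link":
                return "NOT_LINKED"      # user is sent to the link-account page
            user = self.users[sso_name] = FndUser(sso_name)  # created on demand
        if user.user_guid not in (None, 1):   # criterion 2: USER_GUID null or 1
            return "NOT_LINKED"
        if self.profile("APPS_SSO_LOCAL_LOGIN", user) == "LOCAL":
            return "NOT_LINKED"          # LOCAL accounts are never linked
        self._bind(user, sso_guid)
        return "LINKED"

    def link_account(self, sso_guid: str, user_name: str, credentials_ok: bool) -> str:
        """Linking 'on the fly' from the link-account page."""
        user = self.users.get(user_name)
        if user is None:
            return "ERROR: no such account"
        # The LOCAL check happens before credentials are considered (FND-9921)
        if self.profile("APPS_SSO_LOCAL_LOGIN", user) == "LOCAL":
            return "FND-9921: Unable to link account"
        if not credentials_ok:
            return "ERROR: invalid credentials"
        if user.user_guid == 1:
            return "ERROR: USER_GUID=1 accounts can only be auto-linked"
        if self.links.get(sso_guid) and \
                self.profile("APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS") != "Y":
            return "ERROR: Add Account not offered (APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS=N)"
        self._bind(user, sso_guid)
        return "LINKED"

    def is_provisioned(self, user: FndUser) -> bool:
        """APPS_SSO_LOCAL_LOGIN='LOCAL' takes precedence over APPS_SSO_LDAP_SYNC."""
        if self.profile("APPS_SSO_LOCAL_LOGIN", user) == "LOCAL":
            return False
        return self.profile("APPS_SSO_LDAP_SYNC", user) == "Y"


def demo() -> dict:
    """Walk the rules with constructed accounts and return every outcome."""
    ebs = Instance(site_profiles={            # page defaults, except auto link
        "APPS_SSO_AUTO_LINK_USER": "Enabled",
        "APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS": "N",
        "APPS_SSO_LOCAL_LOGIN": "BOTH",
        "APPS_SSO_LDAP_SYNC": "Y",
    })
    ebs.users["SYSADMIN"] = FndUser("SYSADMIN", profiles={
        "APPS_SSO_LOCAL_LOGIN": "LOCAL", "APPS_SSO_LDAP_SYNC": "N"})  # seeded values
    ebs.users["JDOE"] = FndUser("JDOE")
    ebs.users["JDOE2"] = FndUser("JDOE2", profiles={"APPS_SSO_LOCAL_LOGIN": "SSO"})
    out = {}
    out["auto_jdoe"] = ebs.auto_link("JDOE", "guid-jdoe")                 # LINKED
    out["auto_sysadmin"] = ebs.auto_link("SYSADMIN", "guid-sa")           # NOT_LINKED
    out["auto_unknown"] = ebs.auto_link("NOBODY", "guid-nobody")          # NOT_LINKED
    out["link_sysadmin"] = ebs.link_account("guid-sa", "SYSADMIN", True)  # FND-9921
    out["link_second_blocked"] = ebs.link_account("guid-jdoe", "JDOE2", True)
    ebs.site_profiles["APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS"] = "Y"
    out["link_second"] = ebs.link_account("guid-jdoe", "JDOE2", True)     # LINKED
    out["jdoe2_password"] = ebs.users["JDOE2"].password                   # EXTERNAL
    out["prov_jdoe"] = ebs.is_provisioned(ebs.users["JDOE"])              # True
    out["prov_jdoe2"] = ebs.is_provisioned(ebs.users["JDOE2"])            # False
    out["prov_sysadmin"] = ebs.is_provisioned(ebs.users["SYSADMIN"])      # False
    return out
```

Running `demo()` shows the interplay the page describes: the seeded 'LOCAL' SYSADMIN account is refused by both linking paths before its password is even checked, the second account linked to the same enterprise user only succeeds after APPS_SSO_ALLOW_MULTIPLE_ACCOUNTS is set to 'Y' and then loses provisioning (APPS_SSO_LDAP_SYNC forced to 'N'), and an 'SSO' account has its stored password replaced by 'EXTERNAL' at link time.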
The 'Applications SSO Enable OID Identity Add Event' profile determines whether users created in Oracle Directory Services are automatically created in Oracle E-Business Suite and subscribed to the given Oracle E-Business Suite instance. Enable this profile to allow automatic subscription of users created in Oracle Directory Services.
Features of this profile:
Available at site level only (avoids the need for every user to define a user level value)
System administrators can change setting at site level
Default site level value is 'Disabled'
The default site level value of 'Disabled' means that users created in Oracle Directory Services will not be automatically created in Oracle E-Business Suite. The reason for this is that significant numbers of users from different sources may be created in Oracle Directory Services quite rapidly, and typically not all will also need to be created in Oracle E-Business Suite.
When the profile 'Applications SSO Enable OID Identity Add Event' value is set to 'Enabled', users created in Oracle Directory Services are automatically both created in Oracle E-Business Suite and subscribed to the Oracle E-Business Suite instance.
This profile is for Oracle internal use only.