

Why Does EBS Integration with Oracle Access Manager Require Oracle Internet Directory?
By Steven Chan (Oracle Development) on Aug 03, 2011

The E-Business Suite has its own security and user-management capabilities. You can use the E-Business Suite's native features to authenticate users, authorize users (i.e. assign responsibilities to them), and manage your EBS user repository. The majority of E-Business Suite system administrators simply use these built-in capabilities for enabling access to the E-Business Suite.

When EBS built-in capabilities aren't enough

Some organisations have third-party user authentication systems in place. These include CA Netegrity SiteMinder, Windows Kerberos, and others. These organisations frequently use third-party LDAP directory solutions such as Microsoft Active Directory, OpenLDAP, and others.

We don't certify the E-Business Suite with those third-party products directly, and we don't have any plans to do so. This article is intended to explain why Oracle Internet Directory (OID) is required when integrating with Oracle Access Manager (OAM), but you can safely infer that the same requirements prevent the use of third-party authentication products directly with the E-Business Suite.

It's possible to integrate the E-Business Suite with those third-party solutions via Oracle Access Manager and Oracle Internet Directory. See these articles:

In-Depth: Using Third-Party Identity Managers with E-Business Suite Release 12
In-Depth: Using Third-Party Identity Managers with the E-Business Suite Release 11i

Before going on, I'd recommend reading one of those two third-party integration articles. If you don't have those concepts under your belt, the rest of this article isn't going to make much sense.

Why does EBS require OID with OAM?

Oracle Access Manager itself doesn't require Oracle Internet Directory. However, Oracle Internet Directory is a mandatory requirement when Oracle Access Manager is integrated with the E-Business Suite. Why?

The short answer is that the E-Business Suite has hardcoded dependencies on Oracle Internet Directory for this configuration. These dependencies mean that you cannot replace Oracle Internet Directory with any third-party LDAP directory for this particular configuration. There are two cases of hardcoded dependencies on Oracle Internet Directory:

1. Reliance on Oracle GUIDs

From the articles linked above, you know that user authentication is handled by Oracle Access Manager, and user authorization is handled by the E-Business Suite itself. This means that there are two different user namespaces. These namespaces must be linked and coordinated somehow, to ensure that a particular user logging in via Oracle Access Manager is the same user represented within the E-Business Suite's own internal FND_USER repository.

We associate externally-managed Oracle Access Manager users with internally-managed E-Business Suite users via a Global Unique Identifier (GUID). These Global Unique Identifiers are generated exclusively by Oracle Internet Directory. The E-Business Suite has hardcoded functions to handle the mapping of these Global Unique Identifiers between Oracle Access Manager and the E-Business Suite. These mapping functions are specific to Oracle Internet Directory; it isn't possible to replace Oracle Internet Directory with a generic third-party LDAP directory and still preserve this functionality.

2. Synchronous user account creation

The E-Business Suite is predominantly used internally within an organisation. Certain E-Business Suite application modules can be made visible to users outside of an organisation. These include iStore, iRecruitment, iSupplier, and other application modules where the users aren't necessarily restricted to an organisation's own employees.

Users of some of those application modules expect to be able to register for a new account and use it immediately. This makes sense. If you're posting job openings via iRecruitment, potential applicants shouldn't need to hold off on submitting their resumes while your E-Business Suite sysadmin creates an account manually, assigns EBS responsibilities, and emails them the account login details. They'll be long gone before that happens.

This means that EBS application modules that support self-registration must create user accounts synchronously. A new account must be created within the E-Business Suite and the externalized directory at the same time, on demand. The E-Business Suite has hardcoded dependencies upon Oracle Internet Directory function calls that handle these synchronous account creation tasks. These function calls are specific to Oracle Internet Directory; it isn't possible to replace Oracle Internet Directory with a generic third-party LDAP directory and still preserve this functionality.
Sun is setting for Oracle Single Sign-On

The older articles linked above refer to Oracle Single Sign-On. All conceptual references to Oracle Single Sign-On apply equally to Oracle Access Manager. Oracle Access Manager offers the same capabilities as Oracle Single Sign-On when integrated with the E-Business Suite.

You may have noticed that I have specifically been referring to Oracle Access Manager rather than Oracle Single Sign-On in this article. There's a very good reason for this. The Fusion Middleware Lifetime Support Policy shows that Premier Support for Oracle Single Sign-On 10gR2 ends in December 2011. If you're using Portal 11gR1, Forms & Reports 11gR1, or Discoverer 11gR1, Premier Support for Oracle Single Sign-On 10gR2 is extended to December 2012.

Extended Support is not available for Oracle Single Sign-On 10gR2. This is true regardless of whether you're using those other Fusion Middleware 11gR1 products or not. These support policy timelines for Oracle Single Sign-On are not affected by the E-Business Suite's own support timelines. There are no special exceptions from these Fusion Middleware support timelines for E-Business Suite customers.

Given that Oracle Single Sign-On is nearing its end-of-life, anyone considering a new external authentication solution for the E-Business Suite should use Oracle Access Manager at this point. If you're currently using Oracle Single Sign-On, I would recommend evaluating your plans for migrating to Oracle Access Manager as soon as possible.

Related Articles

Oracle Access Manager 10gR3 Certified with E-Business Suite
Oracle Access Manager 11.1.1.3 Certified with E-Business Suite 12
Oracle Internet Directory 11.1.1.4 Certified with E-Business Suite
On Apps Tier Patching and Support: A Primer for E-Business Suite Users

Comments:

Steven,

Correct me if I'm wrong, but it seems you are saying that OID is required because:

1. EBS uses the OID GUID proprietary feature (as opposed to maintaining a mapping table or similar mechanism).
2. EBS uses a proprietary OID API to synchronously create a user in OID and in the EBS FND_USER table.

The implied reason behind #1 and #2 is that EBS needs to maintain a list of users in FND_USER, even if the authentication is delegated to a third-party mechanism. None of these seem to be insurmountable technical problems... Is this just a matter of convenience for the EBS development team or is there more going on?

Thanks,
Ara

Posted by Ara on August 03, 2011 at 06:05 AM PDT #

Ara,

The code involved is rather complex, and the security and interoperability requirements are nontrivial. Very few software challenges are insurmountable, given sufficient time and resources. Neither of those are in abundant supply right now. We'd certainly like to reduce or remove those hardcoded dependencies entirely, but that's not in the cards in the short term.

Regards,
Steven

Posted by Steven Chan on August 03, 2011 at 06:28 AM PDT #

That's fair. Thanks for the reply.

Ara

Posted by Ara on August 03, 2011 at 06:31 AM PDT #

Hi Steven,

Nice article. One more question. What is the supported way of integrating Kerberos with EBS? Many documents (in fact all) state that for Kerberos the user store should be AD for OAM. Now that we know that EBS requires OID, how do we bring Kerberos into the picture? Would using OID-AD DIP synchronization with the password plugin do the trick? I'm looking for a supported method.

Posted by romil on August 03, 2011 at 04:02 PM PDT #

Hi, Romil,

OAM can be integrated with Windows Kerberos. This integration is sometimes called Windows Native Authentication (WNA). This will also require OID to be synchronized with MS Active Directory. See the right "Using Third-Party..." article for your EBS release (links above) for more details about that.

Regards,
Steven

Posted by Steven Chan on August 04, 2011 at 02:36 AM PDT #

I have posted to the supplemental R12 SSO article.

The install docs and NOTE IDs seem to be missing the glue to enabling WNA and SSO with the EBS - OID integration. I have completed and confirmed that my EBS users can be synced from AD to OID, and in turn from OID to FND_USERS. Also, I can confirm that I can set the OID attribute "userPassword" and get the EBS AccessGate 1.1 utility to validate against it for access of EBS. But I am missing the next piece, to allow my EBS Access Gate to pass those credentials to OAM and have OAM in turn authenticate against my external LDAP store (Active Directory).

NOTE, that I have been driving my whole process from the following NOTE IDs:

1309013.1 - Integrating Oracle E-Business Suite with Oracle Access Manager 11g using Oracle E-Business Suite AccessGate
876539.1 - Using the Latest Oracle Internet Directory 11gR1 Patchset with Single Sign-on and Oracle E-Business Suite
975182.1 - Integrating Oracle E-Business Suite with Oracle Access Manager 10g using Oracle E-Business Suite AccessGate
376811.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On

What have I missed?

Posted by Paul L. Gonzalez on August 04, 2011 at 11:05 AM PDT #

Hello, Paul,

Glad to hear that you've gotten this far in your integration. I'm sorry to hear that you've encountered an issue with this. We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through. Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged. Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on August 05, 2011 at 03:27 AM PDT #

Hi Paul,

I just configured our R12 to use OID 11g, but I am using OSSO 10g instead of OAM. The support notes that I have here are:

R12+OID+OSSO/OAM
876539.1 - Using the Latest Oracle Internet Directory 11gR1 Patchset with Single Sign-on and Oracle E-Business Suite

Enable External authentication in OID 11g
1270329.1 - How to Setup Java External Authentication Plugins in OID 11g

Enable WNA in OSSO 10g
345025.1 - SSO/WNA Quick Start Guide
338560.1 - How to use the 'ssoca wna...' command to configure SSO WNA

And questions for Steven: what are other reasons that people should go to OAM rather than just the FM support policy? Are there any improvements or new features in the OAM solution?

Thanks,
George

Posted by George on August 05, 2011 at 04:09 AM PDT #

Can we just have the synchronization with OID without the SSO? We want to start with the synchronization first and then do the SSO with OAM. Which profile options need to be turned on and off? I think the important parameters for synchronization are:

Applications SSO Login Types - Both
Applications SSO Type - SSWA w/SSO
Application SSO LDAP Synchronization - Enabled

This does let my users sync to OID; however, if I access my application URL it tries to go to the ssologin set in "Application Authenticate Agent". What value there will make it go to the applications local login as was the case before SSO registration?

Thanks,

Posted by Sagar on August 05, 2011 at 06:03 AM PDT #

Sagar,

If you wish to integrate Oracle Internet Directory directly with the E-Business Suite, you must also use either Oracle Access Manager or Oracle Single Sign-On. Alternately, you can use Oracle Identity Manager with the appropriate EBS connector to push updates from an external store into the E-Business Suite's native user repositories. For more information about Oracle Identity Manager, see:
http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index-098451.html

Regards,
Steven

Posted by Steven Chan on August 05, 2011 at 06:32 AM PDT #

Hi,

I'm facing the same issue as Paul Gonzalez: I could not find a way to integrate eBS-OAM-WNA. The OAM documentation tends to suggest that AD is required as the OAM user store for WNA to work, but the information in note 1309013.1 on the other hand suggests that for OAM 11g and EBS integration, the OAM User Store must be OID. So it looks like that to enable eBS-OAM-WNA integration we have to use AD and OID at the same time as the user data store, which does not seem possible to me. I've logged an SR to Oracle Support for this issue and they've opened an enhancement request but that's it; I did not receive any more updates on the issue and if I'm not wrong Oracle is not allowed to tell if (and possibly when) the E.R. will be reviewed. Any clues?

Posted by Frank on August 07, 2011 at 10:23 PM PDT #

Note directed to Frank,

So the integration does indeed work. To make it work you need to configure the External Authentication Plug-In for OID (Active Directory). Documentation can be found by following:

Oracle Fusion Middleware Integration Guide for Oracle Identity Management 11g Release 1 (11.1.1) Part Number E10031-01:
http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/toc.htm

Chapter 18: Integrating with Microsoft Active Directory
http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/odip_actdir.htm#CHDBBAII

Search for: Step 10: Configuring the Microsoft Active Directory External Authentication Plugin
http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/odip_actdir.htm#CHDJCIEE

Inside of: 17 Configuring Synchronization with a Third-Party Directory
http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/odip_config_integration.htm

Below is where your work will begin. Points to: (Configuring External Authentication Plug-ins)
http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/odip_config_integration.htm#BABCDHFF

But be careful, as the documentation has flaws. You can find NOTE ID: 1074101.1, which points out the configuration issues with the documentation. Also, note that this NOTE ID is also incomplete. You should then follow: How to Configure or Setup Java External Authentication Plugins in OID 11g [ID 1270329.1]. I still have an outstanding SR open with support on running the command line configuration, but have been successful in completing the configuration using the ODSM UI.

Posted by guest on August 07, 2011 at 11:28 PM PDT #

Thanks for your response. As I mentioned before, we do intend to use OAM for authentication but not at this point in time. Our goal is to establish the synchronization between EBS and OID now and do the SSO later. The configurations

Applications SSO Login Types - Both
Applications SSO Type - SSWA w/SSO

suggest that we should be able to use what we were using before without any issues along with the synchronization. Is there any other configuration which can turn on and off the login redirection to "Application Authenticate Agent"? It is logical to assume that EBS should treat both the SSO and local login equally, and it should be a matter of configuration. Can you please provide me some pointers on how that can be done?

Thanks,
Sagar

Posted by Sagar on August 08, 2011 at 12:16 AM PDT #

Has anyone here done both EBS+OID(11g)+OSSO(10g) and EBS+OID(11g)+OAM(11g) configurations, and would like to share your experience with both solutions? We are upgrading our EBS 11i to R12 and also upgrading our SSO solution from EBS+OID(10.1.2)+OSSO(10.1.2). Our plan is to go with EBS(12.1.3)+OID(11g)+OSSO(10g), and upgrade it to EBS(12.2)+OID(11g)+OAM(11g) after R12.2 comes out. Any comments on this plan?

And to Sagar, you can try this URL to get into the local login: host.domain:port/OA_HTML/AppsLocalLogin.jsp

Thanks,
George

Posted by guest on August 08, 2011 at 02:20 AM PDT #

Frank, Paul,

I'm sorry to hear that both of you are having issues with the OAM-Kerberos (WNA) and OID-Active Directory parts of your integration. Remember that this blog is written by E-Business Suite division staff. From our perspective, we certify the integration of the E-Business Suite with Oracle Access Manager and Oracle Internet Directory. The Identity Management team within the Fusion Middleware division handles the certification of Oracle Access Manager with Kerberos (WNA) and OID with Active Directory. Questions about that level of integration are best directed to Oracle Identity Management Support since we don't work with that integration in the E-Business Suite division.

I've forwarded your comments to our Identity Management team; I think it's important for them to hear that some customers are struggling with those integrations. It's unlikely that they'll comment here, though -- they generally don't participate in blogs like these. If either of you feel that your Service Requests are stuck, you should escalate them both directly with Oracle Support.

(Frank -- Even if I had the enhancement request number, I'm not permitted to speculate about delivery dates, especially for a different team's product.)

Regards,
Steven

Posted by Steven Chan on August 08, 2011 at 02:43 AM PDT #

George,

The local login URL is fine, but when we access a bookmarked URL like http://host:port/OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE it takes us to the SSO login page if configured and gives out an SSO registration error when no value is present. Is there a way by which we are not redirected to this URL and the application local login comes into play?

Thanks,
Sagar

Posted by Sagar on August 08, 2011 at 04:10 AM PDT #

Hi,

Thank you all for your responses. We are aware that the integration works but our problem at the moment is about the encryption used on the Windows domain. Through another SR I've opened we have found out that we cannot enable WNA integration with OID 10g because on Linux it does not support HMAC encryption but only DES (we are using HMAC and cannot change this setting). So we've been told to move to OAM because it supports HMAC encryption, but then we've found out that the only way to enable OAM-EBS-WNA integration is to use OID and the external authentication plugin, and at this point we're back to the encryption problem... Anyway, I understand that this is not the right blog to discuss this issue in detail. I will review the SR I've opened and eventually request an update.

Best regards,
Frank

Posted by Frank on August 09, 2011 at 06:05 PM PDT #

Hi Frank,

We hit a brick wall and had to abort our SSO10g-EBS12.1-WNA implementation due to the SSO10g DES encryption limitation you mention. At that time we were also told by Oracle product management that we should go for OAM 11g as it supports WNA using AES encryption; we plan to start this implementation soon but no details yet. Would be interested in progress on your SR and if the limitation is solved in OID 11g. Please post the bug# if relevant. Thanks.

Posted by guest on September 16, 2011 at 01:04 AM PDT #

So if you set up the External Authentication Plugin in OID to AD, and I have accounts in OID that do not exist in AD, but are used for other applications protected by OAM through FORM-based auth, will these still work, or does the External Auth plugin redirect ALL auth requests to AD?

Posted by Alex on September 22, 2011 at 07:09 AM PDT #

Hi, Alex,

>...or does the External Auth plugin redirect ALL auth requests to AD?

I don't have any firsthand experience with this plug-in. However, strictly on first principles, I cannot envision a situation where the plug-in can redirect some authentication requests -- but not others -- to AD. I'm hard-pressed to see how the plug-in would be able to tell one set of users apart from another. That said, I don't have any knowledge of this plug-in. For an authoritative answer, I'd recommend logging a formal Service Request with Oracle Internet Directory Support directly.

Regards,
Steven

Posted by Steven Chan on September 22, 2011 at 09:55 AM PDT #

Steven,

Nice points on why OAM and EBS integration needs OID. And also provided a heads-up on the desupport dates of Oracle Single Sign-On 10gR2 premier and extended support.

Posted by Thiru on September 27, 2011 at 10:01 AM PDT #

It looks like I'm hitting some encryption roadblocks too. I'm using the latest version of everything (11g, 2008, etc.) but I can't figure out if DES encryption is required by OAM. I'm seeing some docs and bugs say that it is; the problem is that Windows 2008 doesn't come with DES and needs a patch to get it enabled. Has anyone gotten WNA working with a Win2008 DC in OAM 11g?

And to answer my previous question: yes, you can have both local and remote authentication in OID, as long as the accounts are in different OUs. For example, if you enable Third Party Authentication on cn=Vendors,cn=Users,dc=blah,dc=com, only users belonging to this OU will be authenticated to AD. A user in cn=Users,dc=blah,dc=com will bind fine with her OID password.

Posted by Alex on October 03, 2011 at 09:00 AM PDT #

Hi Steven

We are running a 12.1.3 HR Payroll setup and would like to implement a mechanism that basically allows our EBS passwords to be the same as our Windows network password (to save users having to remember 2). This is the only functionality we'll need at the moment.

I was looking at linking the network passwords stored in Microsoft Active Directory with OID and then configuring SSO or OAM to do the EBS authentication. But you hinted above that another way of linking EBS and Windows authentication was via Oracle Identity Manager (sorry if I've misunderstood!).

So to achieve what we need here, would OIM be a better alternative to using OID / OAM (or SSO)? And are there any useful note IDs guiding how to configure this? We're looking at the most straightforward configuration and on the face of it 2 products (OID / OAM) seem more complicated than 1 (OIM). Your thoughts would be appreciated.

Regards
Dave.

Posted by dave on October 12, 2011 at 09:18 PM PDT #

Hi Dave,

If all you want to do is match up the users and passwords, you should be able to do that using OIM and the OIM Connectors for EBS. You can learn more about it at http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-oracleebs-1-130994.pdf and at http://download.oracle.com/docs/cd/E11223_01/index.htm . This is certainly an alternative to using OID, but is much more powerful, and therefore a bit more complex (and probably more expensive) than just using OID and Server Chaining.

The OIM and the OIM Connectors for EBS will allow you to provision accounts to multiple sources, but it does NOT provide you with SSO capabilities. The two are mutually exclusive. So if that feature is important to you, you will also need OAM and that integration will require OID, as described in this post.

Cheers,
Keith

Posted by Keith M Swartz on October 13, 2011 at 03:42 AM PDT #

I just finished setting up EBS with an OID backend and the OID External Authorization plugin connected to AD. This works great; people can log into EBS using an OID account (which has the same uid as AD's sAMAccountName) and their AD passwords. I would say it's going to be much easier setting up the External Auth plugin to allow AD passwords on OID objects than setting up OIM to sync the passwords. We also had to set up a DIP profile to sync some AD attributes required for the ext. auth plugin to work, like DN to orclSourceObjectDN, principalname, orclsamaccountname, etc...

Posted by Alex on October 13, 2011 at 04:11 AM PDT #

Would it be possible to create a different type of authentication integration?
I would like to see a similar integration to what is done in PeopleSoft, where we have PeopleTools code which changes the default authentication to check for the presence of an HTTP header variable or cookie to identify a user that was previously authenticated by SiteMinder or Oracle Access Manager. If this token is present, PeopleSoft creates a session for that user instead of challenging the user. Many access management systems integrate with applications in this way. Does EBS have any hooks (like PeopleTools) which would allow us to accomplish this integration?

Posted by Mike Terra on October 14, 2011 at 04:21 AM PDT #

Hi Mike,

From an end user perspective, our current implementation should be able to achieve the same end result. However, if the intent is to hardwire a custom integration, then I'm afraid today the only answer is to do it through OAM. Unfortunately, we don't have any plans to incorporate changes on the level you suggest, as this would require a significant rewriting effort, and right now we are trying to focus our efforts on filling other functional gaps that exist in this space.

Thanks very much,
Keith

Posted by Keith M Swartz on October 14, 2011 at 10:03 AM PDT #

Hi Keith,

Could you elaborate on "do it through OAM"? The OAM integration still requires OID. What I'm looking for is a way to achieve SSO to EBS without the use of OID. For example, if I want to have SSO to SAP, PeopleSoft, SharePoint, etc., it does not require that those applications store their data in a specific directory. I'm proposing that OAM could simply pass a token to EBS which it could consume and map to a user in FND_USERS and then create a session for this user. What I'm hearing is that this type of integration is impossible today as no hooks exist into EBS's native authentication.

Posted by Mike Terra on October 16, 2011 at 01:44 AM PDT #

Mike,

I am saying that if you want to use a third-party SSO, you must configure EBS to use OAM, and OAM to trust the headers of that third-party SSO. You are correct: we do not support the use of EBS native authentication with third-party software, mainly because it wouldn't work. That is why we have single sign-on integration. This meets those needs.

Unfortunately, there is no supported way to achieve what you are trying to do today -- that's part of what this blog post is trying to lay out. Any SSO solution with EBS requires the use of OAM (or OSSO, but this is nearing end-of-life), and those, in turn, require that you use OID when configuring with EBS.

Thanks,
Keith

Posted by Keith M Swartz on October 16, 2011 at 05:40 AM PDT #

Not to reopen this topic, but... EBS 12.2 will be based on WebLogic 11g. That means, theoretically, that the whole security infrastructure could be revamped to take advantage of the Oracle Platform Security Services (OPSS) framework. It also means that, theoretically, EBS 12.2 could be set up to authenticate against Windows AD/Kerberos directly and bypass the whole OID/OAM/AccessGate morass of servers. Any clue whether this is in the cards? We are in the middle of upgrading our security infrastructure and this would be critical information for us.

Thanks,
Ara

Posted by Ara on December 06, 2011 at 04:42 AM PST #

Ara,

At this point, our EBS 12.2 efforts are focused on ensuring that all of our 240 EBS products, as well as our installation, cloning, and systems configuration tools, work with WLS. Other security-related enhancements are theoretically possible, but would require deep changes to fundamental parts of the existing E-Business Suite security model. There is little enthusiasm for this. Our standing recommendation is that you should plan on using Oracle Access Manager and Oracle Internet Directory if you wish to bridge the E-Business Suite with Microsoft Kerberos and Active Directory.

Regards,
Steven

Posted by Steven Chan on December 06, 2011 at 05:28 AM PST #

Well, that is helpful to know. Thanks!

Posted by Ara on December 06, 2011 at 05:37 AM PST #

Steve,

I am planning to integrate EBS R12 with OAM 11g using the EBS AccessGate approach. However, I do not intend to use sync between EBS and OID. OID and EBS will be populated with users from different sources. Do I still have to register OID with EBS for the SSO to work? Logically I do not see any problem with EBS AccessGate creating an EBS session for me. However, I don't know if EBS is internally using OID for any purpose other than sync when SSO is configured.

Thanks,
Sagar

Posted by guest on February 16, 2012 at 08:48 AM PST #

Sagar,

Thank you for your inquiry. Due to underlying dependencies, Oracle Internet Directory is a mandatory requirement when Oracle Access Manager is integrated with Oracle E-Business Suite. As per this blog article, the dependencies are as follows:

1) Reliance on Oracle GUIDs
2) Synchronous user account creation

You will need to perform the required OID integration as per the documentation. Please refer to this blog article and the following references for additional details:

https://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_11
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1309013.1

Regards,
~ep

Posted by Elke Phelps (Oracle Development) on February 16, 2012 at 09:38 AM PST #

ep,

Here is my take on the two important considerations you have listed:

1) Reliance on Oracle GUIDs
OAM will still be using OID as its user store and passing ORCL_GUID to EBS AccessGate for the account linking.

2) Synchronous user account creation
I am not at all interested in synchronization between EBS and OID. The user creation process in EBS will remain as it is without SSO.

Am I still missing something here? I am still not able to understand why registration of OID is required in my case.

Thanks,
Sagar

Posted by Sagar on February 16, 2012 at 10:33 AM PST #

Sagar,

Let me further clarify the dependency. The Oracle Global Unique Identifier (GUID) is used by Oracle E-Business Suite to guarantee uniqueness. It is used to "link accounts" from Oracle Internet Directory to the E-Business Suite (FND_USER). Oracle Internet Directory and FND_USER must be kept synchronized.

Regards,
~ep

Posted by guest on February 17, 2012 at 08:41 AM PST #

ep,

I understand the requirement that FND_USER and OID must be kept synchronized. However, what I don't understand is why EBS to OID sync must be used for that. I can always create EBS and OID users from an external provisioning tool (e.g. OIM) and keep them in sync.

The other things mentioned in your comments:

"The Oracle Global Unique Identifier (GUID) is used by Oracle E-Business Suite to guarantee uniqueness"
Why does it need OID registration for that?

"It is used to 'link accounts' from Oracle Internet Directory to the E-Business Suite (FND_USER)"
Totally agree on this. However, this account linking is done by EBS AccessGate, which directly writes the orclguid in the EBS database. EBS AccessGate gets the information about the GUID from OAM. Where is the direct dependency of EBS on OID?

As mentioned earlier, if I don't need synchronization between EBS and OID, why do I need OID registration in EBS?

Thanks,
Sagar

Posted by guest on February 24, 2012 at 07:33 AM PST #

Sagar,

Answers to your additional questions are provided below.

>>why EBS to OID sync be used for that?
>>Why does it need OID registration for that?

User credentials must be synchronized between OID and E-Business Suite. EBS has code that is specific to OID that makes it a mandatory integration component. The synchronization provides the link (GUID) between an OID account and an EBS account.

>>Where is the direct dependency of EBS on OID?

The synchronization process between OID and EBS links the accounts via the GUID. Synchronization events are raised via the Workflow-based Business Event system whenever users are added or modified. It is the dependency on the GUID that makes OID mandatory. EBS AccessGate does not perform the synchronization of the accounts between OID and EBS (FND_USER). EBS AccessGate is passed information from WebGate and then looks up the EBS user based upon the GUID stored in OID.

>>why do I need OID registration in EBS?

The E-Business Suite has hardcoded functions to handle the mapping of the GUID between Oracle Access Manager and the E-Business Suite. These mapping functions are specific to Oracle Internet Directory.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on February 25, 2012 at 01:52 PM PST #
