Issue:
EBS Local Login url is working fine. When accessing sso url,
users are getting error as below appended to the url. And login page will be blank.
Assumptions:
All SSO setups and profiles are fine. along with “Applications SSO Auto Link User” is already “Enabled” but
its not helping. "Applications SSO Login Types" is already set to "BOTH"
Reason :
One of the reason can be : OAM Authentication is fine but during authorization process,
OAM is unable to map guid from oid to user_guid in fnd_user. This can be due to user_guid being null in fnd_user table.
As per the process, when user logins for the first time, user_guid need to be populated automatically (from oid)
Workaround :
Query guid from oid and update fnd_user table with that.
ldapsearch -h oidhost.online.org -p 3060 -D "cn=orcladmin" -w orcladmpwd -b "cn=Users,dc=dc,dc=online,dc=org" -s sub "(uid=$1)" orclsamaccountname krbprincipalname mail orcluserprincipalname orclguid
Pass userid to this command which gives guid along with other details.
Update fnd_user table with above guid :
update
fnd_user set
user_guid='' where user_name like '';
Solution:
As per the process, when user logins for the first time, user_guid need to be populated automatically.
So, why is this not happening. This can be due to binding issue from oid to EBS.
You can verify as below :
"AppsDN" user is a special administration account
which ebs uses to connect to OID for integration tasks when
integrating with OID.
- Determine the 'AppsDN' username/password connected to EBS
as apps user
select fnd_preference.get('#INTERNAL',
'LDAP_SYNCH','USERNAME') Apps_Instance_OID_Account from dual;
Output : orclapplicationcommonname=ebsinstancename,cn=ebusiness,cn=products,cn=oraclecontext,dc=dc,dc=online,dc=org
select fnd_preference.eget('#INTERNAL',
'LDAP_SYNCH','EPWD','LDAP_PWD') Password from dual;
Output : testpass
** This is the password which you gave when registering oid with EBS for the prompt :
"Enter the instance password that you would like to register this application instance with?"
Use the above outputs and test the bind as below from EBS:
ldapbind -D orclapplicationcommonname=ebsinstancename,cn=ebusiness,cn=products,cn=oraclecontext,dc=dc,dc=online,dc=org
-w testpass -h idhost.online.org -p 3060
(idhost.online.org is the server where oid is installed)
ldap_bind: Invalid
credentials
ldap_bind:
additional info: Password Policy Error :9000: GSL_PWDEXPIRED_EXCP :Your
Password has expired. Please contact the Administrator to change your password.
Note :
To resolve this, password need to be updated in ODSM (default port 7005 for odsm):
Go to “Data Browser” -> “Root” -> dc=org ->
dc=online -> dc=dc -> cn=OracleContext -> cn=Products ->
cn=EBusiness -> select respective orclApplicationCommonName
in this case, "ebsinstancename"
In the right window, update “userpassword” with password (result of abov query) and click apply.
Then, check the bind again:
ldapbind -D orclapplicationcommonname=ebsinstancename,cn=ebusiness,cn=products,cn=oraclecontext,dc=dc,dc=online,dc=org
-w testpass -h idhost.online.org -p 3060
bind successful
Navigation to update the password :
How to test:
Nullify a user guid in EBS :
update fnd_user set
user_guid=null where user_name like 'USER1';
Access EBS SSO URL : For ex, http://ebsinstancename.online.org
Once Home page is shown, check the user_guid column from
fnd_user table, it should be populated same as from oid.
select user_guid from fnd_user where user_name like
'USER1';