'The signing operation has failed' - common error with Password Based Signatures in Workflow Notifications
By Dilbagh on Oct 09, 2014
Oracle Workflow Notifications can be digitally signed in two ways.
- Password Based Signature
- X.509 Certificate Based Signature.
Following are the authentication mechanisms categorized based on whether or not a user subscribes to Single Sign-On (SSO).
- Pure E-Business Suite User (Otherwise called FND User)
- Pure SSO user
- Hybrid Mechanism (Both E-Business Suite and SSO)
Issues and Reasons
Time and again we have encountered a problem with Password Based signatures failing with the error: 'The signing operation has failed'. This happens when the notification is signed using SSO credentials i.e., the logged in user is an SSO user. The profile option APPS_SSO_LOCAL_LOGIN, controls the type of authentication mechanism to be used for a user at the time of user-creation. More information about SSO can be found here.
The possible values of this profile option are:
- LOCAL - Login is only allowed via Oracle E-Business Suite local login.
- SSO - Login is only allowed through Single Sign-On. The password is set to ‘EXTERNAL’ after a single sign-on account and an application account are linked.
- BOTH - Login can be through both Single Sign-On and Oracle E-Business Suite. (Please note this is only a separate authentication mechanism but not a different class of users created for it)
Now based on the type of login/authentication mechanism, the signing differs.
- For a FND User, the validation utility validates the credentials by fetching password from FND_USER table from ENCRYPTED_USER_PASSWORD column.
- For a pure SSO user, the ENCRYPTED_USER_PASSWORD column is set to 'EXTERNAL' in FND_USER table and the Validation utility fetches the password from OID to validate it.
- For a user using both types of authentication mechanisms, the Validation utility validates it as it does in the case of a FND User i.e., comparing the ENCRYPTED_USER_PASSWORD from FND_USER table. This implies that when the user uses authentication mechanism for both FND User and SSO user then the password for FND User is used for validation.
Also, it is to be noted that the password for SSO user is case sensitive and the password for FND user depends upon a profile option SIGNON_PASSWORD_CASE. In short:
- An SSO user password is case-sensitive.
- An FND User password is by default case insensitive. It depends upon the value of profile option 'SIGNON_PASSWORD_CASE' to have it case sensitive or case insensitive.
- For a user which uses both authentication mechanisms, the password for FND user is used for signing. It would be good if these passwords are maintained in sync.