Password Management with Oracle Internet Directory

User password resets - the bane of every sysadmin.  Automating this tedium is a major benefit of integrating your E-Business Suite environment with Oracle Application Server 10g.  By delegating user authentication to Single Sign-On 10g and Oracle Internet Directory 10g, you can take advantage of the latter's automatic password reset capabilities.

But First, Some Basics About Account Management

In a standard E-Business Suite environment, user passwords are stored and encrypted in the user's records in the E-Business Suite's FND_USER directory.  

When an E-Business Suite environment is integrated with Single Sign-On and Oracle Internet Directory, Apps user accounts are linked to Oracle Internet Directory user accounts like this:

Link Apps Account to OID 2:

Where Does The User Log In?

When a user's E-Business Suite account is linked to an account in Oracle Internet Directory,  sysadmins have the option of specifying how the user can log into the E-Business Suite.  This can be specified for each individual user.

Available options are:
  • Users can log in externally via Single Sign-On
  • Users can bypass Single Sign-On and log in locally to the E-Business Suite
  • Users can log in via both of the methods above
E-Business Suite Doesn't Need To Store A Password

In the external scenario, all user authentication is handled by Single Sign-On and Oracle
Internet Directory.  For so-called external users, passwords are stored exclusively in Oracle Internet Directory.  Single Sign-On displays a login screen and collects the user's userid and password, and Oracle Internet Directory checks that those credentials match the user's entry within the Oracle Internet Directory LDAP user directory.

After users successfully log into Single Sign-On, they receive security tokens that the E-Business Suite recognizes and uses to establish their E-Business Suite session, based on a chain of trust that looks like this:

SSO OID Apps Trust:

The E-Business Suite uses those Single Sign-On security tokens in place of checking for a password.  So, it doesn't need to store user passwords for external users at all. 

No More Manual Password Changes

So, in a refreshing switch for veteran Apps sysadmins, all external users can reset their own passwords using Oracle Internet Directory's Delegated Administration Service.  This represents the end of the era of manual password resets for Apps users.

Logging Into The E-Business Suite Directly

There are specific users that must always be able to log into the E-Business Suite directly.  These users include Apps DBAs or system administrators, who still need to be able to get into Apps even if the external Single Sign-On and Oracle Internet Directory instances are unavailable due to maintenance windows.

These are considered to be local users, so their passwords are always stored in the E-Business Suite's FND_USER directory, not Oracle Internet Directory.  Passwords for these users still need to be maintained manually using the regular E-Business Suite security forms that you know and love.

A Tricky Case:  "Both"

There might be a subset of users who need to be able to access the E-Business Suite via Single Sign-On as well as locally.  These users would be given access to both login methods, which means that passwords must be stored in both locations:  Oracle Internet Directory and the E-Business Suite's FND_USER directory. 

The password management overhead is higher for these users, so you'll want to use this option very sparingly:
  • Password changes made in the E-Business Suite are automatically sent to Oracle Internet Directory
  • Password changes made in Oracle Internet Directory must be manually repeated in the E-Business Suite using the E-Business Suite security forms
The asymmetry in the tasks above is because of this:  we can decrypt passwords stored in the E-Business Suite, which allows us to send them to Oracle Internet Directory.  Passwords in Oracle Internet Directory, however, are hashed, which prevents us from transmitting a copy to the E-Business Suite.

Password Management With Third-Party Integrations

That's enough for today, but look out for a future article discussing password management when you integrate the E-Business Suite with a third-party LDAP directory or single sign-on solution.  Stay tuned.


Note:  Everything in this article applies equally to both Release 11i and 12 environments.


Mark,Thanks for the feedback.  MS AD integration with Apps appears to be one of the most popular configurations.If all goes well, I'll have the third-party password integration article ready next week.I'll devote a separate article to the scenario where userids differ between the E-Business Suite, Oracle Internet Directory, and a third-party LDAP.  Thanks for the suggestion.  That's a potentially involved discussion, so I'll make sure that it gets the right level of attention.Regards,Steven 

Posted by Steven Chan on August 04, 2006 at 06:23 AM PDT #

Hi Steven,
I always like your articles concerning SSO and the Ebusiness suite. Our users would love to get rid of a few passwords. I'm looking forward to the article on integrating Ebiz ->SSO -> Third party LDAP (Microsoft AD). Could you also throw in the scenario where the usernames in the third party ldap are different than those in OID and Ebiz?


Posted by Mark on August 04, 2006 at 09:06 AM PDT #

Mark,I've just published a few new articles this week on these topics:Password Management with Third-Party SolutionsAliases, Maiden Names and NicknamesRegards,Steven 

Posted by Steven Chan on August 10, 2006 at 04:40 AM PDT #

Hi Steven,

We have implemented SSO for our 11i EBS through OID of version, we have completed all the steps for configuring SSO. My problem is, i have syncronised a user from my Microsoft Active Directory to OID and it automatically creatd the same user in EBS. But the naming converntion is different in all the three places such as

Microsoft AD Username: skumar

OID User name: siva kumar

EBS User name :

Due to this am not able to long to EBS through SSO login page on-fly,am not able to fix this issue, can you please help on this.


Posted by manju on May 13, 2010 at 07:26 PM PDT #

Hi, Manju,

If your namespaces between all three user repositories are unique, then you cannot use any automatic provisioning tool, I'm afraid. There's no way that any tool will know that "skumar" maps to "siva kumar" which maps to ""

This uniqueness will make your user provisioning very complex.

You have the option of allowing your users to manually link dissimilar userids between EBS and OID upon first login. Look up "linking" in Note 261914.1.

However, I do not see any simple way of linking your OID namespace to MS AD.

I think that you need to reevaluate your organizational user provisioning strategy. The whole purpose of a single sign-on system is to have a single source of truth for user definitions. As it stands today, you have three sources of truth. You will need to reconcile that at a business process level before implementing the technology components.


Posted by Steven Chan on May 14, 2010 at 07:23 AM PDT #

Hi Steve,
Are there any new options with OID 11g / eBus 12 for automating the provisioning of OID password changes into the application? I was wondering if this could be enabled by using a reversible encryption policy within OID?

Many thanks,

Posted by Bernie Jones on February 13, 2012 at 05:10 AM PST #

Hi, Bernie,

I don't think I understand the requirement that you've alluded to.

When the E-Business Suite is integrated with Oracle Internet Directory, passwords for externally-authenticated users (i.e. users who are not flagged as using "Local authentication") are stored exclusively in Oracle Internet Directory. There is no requirement to provision those passwords back into the E-Business Suite.


Posted by Steven Chan on February 13, 2012 at 11:37 AM PST #

Sorry Stephen I should have explained better.

We will have several hundred eBus apps integrated and, in the event of a failure of the OAM/OID SSO stack wondered whether using local logins as a temporary, fallback solution would work. However, this would only be practical if the local passwords were automatically kept aligned with those in OID as manually resetting local passwords and notifying all users would not be viable.


Posted by Bernie on February 14, 2012 at 02:33 AM PST #

Hi, Bernie,

Ah, I see. However, I suspect that the proposed approach might not be practical. If your central Oracle Access Manager/Oracle Internet Directory instance fails, you will need to ensure that all of your EBS users manually log-in using a different URL (the local log-in URL).

A better approach would be to ensure that you have a failover site for your OAM/OID instance.


Posted by Steven Chan on February 14, 2012 at 03:37 PM PST #

Hi Steven,
Our EBS 12.1.3 is integrated with OID/SSO It works great!
My question is can we use Oracle User Management (UMX)
for self-service password resets? Or do we have to use DAS that
ships with the SSO server?

Also, regarding UMX, can it be configured for self-registration
and customized to capture and save three (3) security
questions/responses which would be used for password resets?
Or would we need to write custom UIs on the SSO server?


Posted by Mike on March 06, 2012 at 05:42 PM PST #


Apologies for the delayed response.

To answer our questions:
1) From EBS you should use our APIs to determine the change password page to display. Depending on your deployment DAS may be required
2) UMX cannot be configured for self-registration.
3) We strongly recommend against customizations to security aspects of E-Business Suite; therefore, while it may be possible to develop the customization as suggested, we do not recommend it.

Thanks for the inquiries.

Posted by Elke Phelps (Oracle Development) on March 29, 2012 at 06:20 AM PDT #


We are currently using Oracle EBS 12.1.3 configured with OAM/OAD with third party (iPlanet) authentication. If we decide to forgo single sign-on, any way to migrate user passwords (ldif with password has from iPlanet) into Oracle EBS fnd_user table? I understand the ldip has the password hash and that the fnd_user has the password in encrypted format. Just evaluating our options so that users can still login using same passwords when we change to local login.


Posted by Hiren Desai on May 23, 2016 at 03:36 PM PDT #

Hello, Hiren,

I don't think it's possible to migrate passwords from an external LDAP directory into an EBS environment due to differences in hashing and salting algorithms.


Posted by Steven Chan on May 23, 2016 at 11:40 PM PDT #

I have a custom form which is validating the applications password using the oracle api. Now the SSO Login is implemented and the password is not available in FND_USER. So, how do i validate the password ? Is there any way i can do that ?

Posted by guest on June 16, 2016 at 05:13 PM PDT #

Hello, Guest,

I wouldn't advise building a custom login form for EBS. Doing so may expose your environment to security issues. We can connect you with someone in Oracle Consulting who may be able to assist you with custom development, if you wish.


Posted by Steven Chan on June 24, 2016 at 03:59 PM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed


« June 2016