Password Management with Oracle Internet Directory
By Steven Chan - EBS-Oracle on Aug 02, 2006
User password resets - the bane of every sysadmin. Automating this tedium is a major benefit of integrating your E-Business Suite environment with Oracle Application Server 10g. By delegating user authentication to Single Sign-On 10g and Oracle Internet Directory 10g, you can take advantage of the latter's automatic password reset capabilities.
In a standard E-Business Suite environment, user passwords are stored and encrypted in the user's records in the E-Business Suite's FND_USER directory.
When an E-Business Suite environment is integrated with Single Sign-On and Oracle Internet Directory, Apps user accounts are linked to Oracle Internet Directory user accounts like this:
Where Does The User Log In?
When a user's E-Business Suite account is linked to an account in Oracle Internet Directory, sysadmins have the option of specifying how the user can log into the E-Business Suite. This can be specified for each individual user.
Available options are:
- Users can log in externally via Single Sign-On
- Users can bypass Single Sign-On and log in locally to the E-Business Suite
- Users can log in via both of the methods above
In the external scenario, all user authentication is handled by Single Sign-On and Oracle Internet Directory. For so-called external users, passwords are stored exclusively in Oracle Internet Directory. Single Sign-On displays a login screen and collects the user's userid and password, and Oracle Internet Directory checks that those credentials match the user's entry within the Oracle Internet Directory LDAP user directory.
After users successfully log into Single Sign-On, they receive security tokens that the E-Business Suite recognizes and uses to establish their E-Business Suite session, based on a chain of trust that looks like this:
The E-Business Suite uses those Single Sign-On security tokens in place of checking for a password. So, it doesn't need to store user passwords for external users at all.
No More Manual Password Changes
So, in a refreshing switch for veteran Apps sysadmins, all external users can reset their own passwords using Oracle Internet Directory's Delegated Administration Service. This represents the end of the era of manual password resets for Apps users.
Logging Into The E-Business Suite Directly
There are specific users that must always be able to log into the E-Business Suite directly. These users include Apps DBAs or system administrators, who still need to be able to get into Apps even if the external Single Sign-On and Oracle Internet Directory instances are unavailable due to maintenance windows.
These are considered to be local users, so their passwords are always stored in the E-Business Suite's FND_USER directory, not Oracle Internet Directory. Passwords for these users still need to be maintained manually using the regular E-Business Suite security forms that you know and love.
A Tricky Case: "Both"
There might be a subset of users who need to be able to access the E-Business Suite via Single Sign-On as well as locally. These users would be given access to both login methods, which means that passwords must be stored in both locations: Oracle Internet Directory and the E-Business Suite's FND_USER directory.
The password management overhead is higher for these users, so you'll want to use this option very sparingly:
- Password changes made in the E-Business Suite are automatically sent to Oracle Internet Directory
- Password changes made in Oracle Internet Directory must be manually repeated in the E-Business Suite using the E-Business Suite security forms
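The one-way synchronization above, as an added audit sketch (not from the original article or from Oracle): it flags accounts that can log in directly without being on an approved list, and "both" accounts whose Oracle Internet Directory password is newer than the E-Business Suite one. The export rows, field names, approved list and five-minute sync tolerance are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Where each login option keeps a password, per the article.
STORES = {"external": {"OID"}, "local": {"FND_USER"}, "both": {"OID", "FND_USER"}}

# Constructed sample export, one row per linked account. Field names are
# hypothetical, not Oracle column or LDAP attribute names.
ACCOUNTS = [
    {"user": "JSMITH", "login": "external",
     "ebs_changed": None, "oid_changed": "2006-07-30T09:00:00"},
    {"user": "SYSADMIN", "login": "local",
     "ebs_changed": "2006-07-01T08:00:00", "oid_changed": None},
    {"user": "APPSDBA1", "login": "both",   # changed in EBS, pushed to OID
     "ebs_changed": "2006-07-10T12:00:00", "oid_changed": "2006-07-10T12:01:00"},
    {"user": "MJONES", "login": "both",     # changed in OID only
     "ebs_changed": "2006-06-01T10:00:00", "oid_changed": "2006-07-15T16:30:00"},
    {"user": "KLEE", "login": "local",
     "ebs_changed": "2006-05-20T11:00:00", "oid_changed": None},
]
APPROVED_DIRECT = {"SYSADMIN", "APPSDBA1"}  # assumed list of admins/DBAs


def ts(value):
    """Parse an ISO timestamp, passing None through."""
    return datetime.fromisoformat(value) if value else None


def audit(accounts, approved_direct, sync_lag=timedelta(minutes=5)):
    """Return (user, issue) findings in input order."""
    findings = []
    for acct in accounts:
        # Any account with a password in FND_USER can bypass Single Sign-On.
        if "FND_USER" in STORES[acct["login"]] and acct["user"] not in approved_direct:
            findings.append((acct["user"], "direct login not approved"))
        if acct["login"] == "both":
            ebs, oid = ts(acct["ebs_changed"]), ts(acct["oid_changed"])
            if ebs is None or oid is None:
                findings.append((acct["user"], "password missing in one store"))
            elif oid - ebs > sync_lag:
                # EBS changes flow to OID automatically; the reverse does not,
                # so a newer OID timestamp means the manual repeat is pending.
                findings.append((acct["user"], "OID change not repeated in EBS"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(ACCOUNTS, APPROVED_DIRECT):
        print(f"{user}: {issue}")
```

A "both" account with a pending finding still accepts its old password for direct login, which is the practical reason to keep that group small.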
Password Management With Third-Party Integrations
That's enough for today, but look out for a future article discussing password management when you integrate the E-Business Suite with a third-party LDAP directory or single sign-on solution. Stay tuned.
Note: Everything in this article applies equally to both Release 11i and 12 environments.
- Identity Management in Release 12
- In-Depth: Using OracleAS 10g with E-Business Suite Release 11
- In-Depth: Using Single Sign-On 10g with E-Business Suite Release 11i
- In-Depth: Using Third-Party Identity Managers with the E-Business Suite Release 11i