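Note: the following is only my own testing and opinion.
EBS version: 11.5.10.2
Background: With SSO single sign-on, logging in to EBS through http://<host>.<domain>:<port>/ automatically redirects to the unified SSO login page. However, Oracle EBS keeps a login backdoor, http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp. Through this URL it is still possible to bypass the unified SSO login page and enter the system from the EBS login page.
Purpose: Determine whether this URL can be blocked, so that even if it is typed in manually, EBS can only be logged in to from the unified SSO page.
Documentation reference: Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN)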
o SSO – Login is only allowed through Single Sign-On. The password is set to ‘EXTERNAL’ after a single sign-on account and an application account are linked.
o LOCAL – Login is only allowed via Oracle E-Business Suite local login. Passwords must be retained in the Oracle E-Business Suite and the account cannot be linked to any Oracle Internet Directory user.
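o BOTH – Login can be through both single sign-on and Oracle E-Business Suite. Since changes to the Oracle E-Business Suite password can be synchronized to Oracle Internet Directory, but not vice versa, a user’s Single Sign-On password will not necessarily be synchronized with his Oracle E-Business Suite password.

Test steps:
1. Set the system profile option "Applications SSO Login Types" (its name in the English environment) to “SSO”
2. Create the EBS user TEST1/ABC123
3. Synchronize to SSO
Test results:
1. After synchronizing with SSO, encrypted_user_password and encrypted_foundation_password in the fnd_user table change to “EXTERNAL”
2. Entering the address http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp still reaches the EBS login page
3. Logging in to EBS with TEST1/ABC123 fails
4. Logging in through the SSO page succeeds (the username/password are those set centrally in SSO)
5. Changed the user's password through SSO and synchronized it to EBS; the password value in fnd_user is
6. After changing the password, repeating steps 4 and 5 gives the same result
7. Users whose password is not EXTERNAL can still log in to the system directly from EBS by entering the URL

Test steps:
1. Set "Applications SSO Login Types" (its name in the English environment) back to “BOTH”
2. Reset TEST1's password to ABC1234 through SSO
3. Synchronize to SSO
Test results:
1. After synchronizing with SSO, encrypted_user_password and encrypted_foundation_password in the fnd_user table are no longer “EXTERNAL”
2. Entering the address http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp still reaches the EBS login page
3. Logging in to EBS with TEST1/ABC123 succeeds
4. Logging in through the SSO page succeeds (the username/password are those set centrally in SSO)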
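An added audit query (not part of the original post or of Oracle's note), following from result 7 of the first test: it lists active accounts whose fnd_user password columns are not 'EXTERNAL', which are the accounts that can still authenticate through AppsLocalLogin.jsp, together with the APPS_SSO_LOCAL_LOGIN value that applies to each. The fnd_profile_options and fnd_profile_option_values tables, the level_id values 10001 (site) and 10004 (user), and the end_date and last_logon_date columns are assumptions taken from the standard EBS schema, not from the page.

```sql
-- Added example: find accounts that still hold a local EBS password.
-- Run with read access to the APPLSYS tables (for example as APPS).
-- Assumption: profile values are stored in fnd_profile_options /
-- fnd_profile_option_values, with level_id 10001 = site and 10004 = user.
-- Only site-level and user-level settings are considered here.
WITH login_type AS (
    SELECT v.level_id,
           v.level_value,
           v.profile_option_value
      FROM fnd_profile_options o
      JOIN fnd_profile_option_values v
        ON v.profile_option_id = o.profile_option_id
       AND v.application_id    = o.application_id
     WHERE o.profile_option_name = 'APPS_SSO_LOCAL_LOGIN'
)
SELECT u.user_name,
       -- A user-level value overrides the site-level value.
       NVL(usr.profile_option_value, site.profile_option_value) AS effective_login_type,
       CASE WHEN usr.profile_option_value IS NULL THEN 'SITE' ELSE 'USER' END AS set_at,
       u.last_logon_date
  FROM fnd_user u
  LEFT JOIN login_type usr
    ON usr.level_id = 10004
   AND usr.level_value = u.user_id
  LEFT JOIN login_type site
    ON site.level_id = 10001
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)        -- active accounts only
   AND (NVL(u.encrypted_user_password, '-') <> 'EXTERNAL'  -- local password still present
        OR NVL(u.encrypted_foundation_password, '-') <> 'EXTERNAL')
 ORDER BY u.user_name;
```

Rows whose effective_login_type is SSO but which still appear here are the accounts to review first, since the profile value and the stored password disagree.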
In addition, the reply on Metalink to an inquiry about using this profile option for SSO login in R12:
Able To Login Using AppsLocalLogin.jsp Inspite Of Applications SSO Login Types set to SSO [ID 468831.1]
Modified: 28-NOV-2007  Type: PROBLEM  Status: MODERATED
In this Document
Symptoms
Cause
Solution
References
This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process, and therefore has not been subject to an independent technical review.
Applies to:
Oracle Applications Technology Stack - Version: 12.0
This problem can occur on any platform.
Symptoms
On Release 12.0 :
Integrated Oracle E-Business Suite with SSO and OID, provisioning enabled from Applications to OID. Profile option "Applications SSO Login Types" is set to SSO to prevent users from using the local login URL :
http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp
Users are still able to login using the AppsLocalLogin.jsp in spite of the profile option "Applications SSO Login Types" being set to "SSO".
EXPECTED BEHAVIOR
It should not allow login using AppsLocalLogin.jsp and display proper error message.
-- Steps To Reproduce:
The issue can be reproduced at will with the following steps:
1. Create a test user from E-Business Suite and it should also be created in OID.
2. Encrypted_Foundation_Password and Encrypted_User_Password in FND_USER table is set to EXTERNAL.
3. User can login from the SSO login page as expected, but is also able to login successfully using AppsLocalLogin.jsp.
Cause
SSO users are able to create local sessions.
Fix is provided by version SessionMgr.java 120.36.12000000.7 which will be available in 12.0.4.
Solution
-- To implement the solution, please execute the following steps:
Please upgrade to Release 12.0.4 when it is available to download via Oracle Metalink.
1. Please ensure that you have taken a backup of your system before applying the recommended patch.
2. Always advisable to apply the patch in a test environment when available.
3. Retest the issue.
4. Migrate the solution as appropriate to other environments.