Blocking AppsLocalLogin.jsp login under EBS SSO

 

Note: the following is personal testing and opinion only.

 EBS version: 11.5.10.2
 Background: with SSO (single sign-on) configured, logging in to EBS through http://<host>.<domain>:<port>/ automatically redirects to the unified SSO login page.
       However, Oracle EBS leaves a back-door login page, http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp:
       through this URL it is still possible to bypass the unified SSO login page and enter the system from the EBS local login page.
 Goal: determine whether this URL can be blocked, so that even when it is typed by hand, users are restricted to logging in to EBS from the unified SSO page only.
Documentation reference:
Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN)
o SSO – Login is only allowed through Single Sign-On. The password is set to ‘EXTERNAL’ after a single sign-on account and an application account are linked.
o LOCAL – Login is only allowed via Oracle E-Business Suite local login. Passwords must be retained in the Oracle E-Business Suite and the account cannot be linked to any Oracle Internet Directory user.
o BOTH – Login can be through both single sign-on and Oracle E-Business Suite. Since changes to the Oracle E-Business Suite password can be synchronized to Oracle Internet Directory, but not vice versa, a user’s Single Sign-On password will not necessarily be synchronized with his Oracle E-Business Suite password.
 
Test steps: 1. Set the system profile option Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN; this is the name shown in an English-language session) to "SSO"
          2. Create EBS user TEST1/ABC123
          3. Synchronize to SSO
 Test results: 1. After synchronizing to SSO, encrypted_user_password and encrypted_foundation_password in the fnd_user table change to "EXTERNAL"
            2. Entering http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp still brings up the EBS login page
            3. Logging in to EBS with TEST1/ABC123 fails
            4. Logging in through the SSO page succeeds (with the username/password set centrally in SSO)
            5. Changing the user's password through SSO and synchronizing to EBS, the password value in fnd_user is
            6. After changing the password, repeating steps 4 and 5 gives the same results
            7. Users whose password is not EXTERNAL can still log in directly to EBS by entering the URL
 
Test steps: 1. Restore the system profile option Applications SSO Login Types (the name shown in an English-language session) to "BOTH"
           2. Reset TEST1's password to ABC1234 through SSO
           3. Synchronize to SSO
 Test results: 1. After synchronizing to SSO, encrypted_user_password and encrypted_foundation_password in the fnd_user table are no longer "EXTERNAL"
           2. Entering http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp still brings up the EBS login page
           3. Logging in to EBS with TEST1/ABC123 succeeds
           4. Logging in through the SSO page succeeds (with the username/password set centrally in SSO)
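The practical consequence of both test runs is that the profile option does not hide AppsLocalLogin.jsp; what decides whether a local login works is whether the account still holds a local credential (result 7 of the first run). The following audit query is an added example, not part of the original post, to be run as APPS against the EBS database. The FND_USER, FND_PROFILE_OPTIONS, FND_PROFILE_OPTIONS_TL and FND_PROFILE_OPTION_VALUES objects are standard; the level_id mapping (10001 site, 10002 application, 10003 responsibility, 10004 user) is the usual EBS convention and the 'US' language code is an assumption about the instance.

```sql
-- Added audit query, not from the original post. Run as APPS.
-- Part 1: every level at which APPS_SSO_LOCAL_LOGIN is set.
-- A user-level override (level_id 10004, level_value = user_id) of BOTH or
-- LOCAL lets that user keep a local password even when the site value is SSO.
SELECT po.profile_option_name,
       pot.user_profile_option_name,
       DECODE(pov.level_id,
              10001, 'SITE',
              10002, 'APPLICATION',
              10003, 'RESPONSIBILITY',
              10004, 'USER',
              TO_CHAR(pov.level_id))          AS level_name,
       pov.level_value,
       pov.profile_option_value
  FROM fnd_profile_options        po,
       fnd_profile_options_tl     pot,
       fnd_profile_option_values  pov
 WHERE po.profile_option_name = 'APPS_SSO_LOCAL_LOGIN'
   AND pot.profile_option_id  = po.profile_option_id
   AND pot.language           = 'US'          -- assumption: base language of the instance
   AND pov.profile_option_id  = po.profile_option_id
 ORDER BY pov.level_id, pov.level_value;

-- Part 2: active accounts that can still authenticate through
-- AppsLocalLogin.jsp. Only an account whose two password columns are both
-- the EXTERNAL marker has no local credential; anything else can log in
-- locally regardless of the profile option value.
SELECT u.user_name,
       u.user_id,
       u.start_date,
       u.end_date,
       u.last_logon_date,
       CASE
         WHEN u.encrypted_foundation_password = 'EXTERNAL'
          AND u.encrypted_user_password       = 'EXTERNAL'
         THEN 'SSO ONLY'
         ELSE 'LOCAL LOGIN POSSIBLE'
       END                                    AS login_capability
  FROM fnd_user u
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)
   AND NOT (u.encrypted_foundation_password = 'EXTERNAL'
            AND u.encrypted_user_password   = 'EXTERNAL')
 ORDER BY u.user_name;
```

Part 1 is the first thing to check when a user appears in Part 2 unexpectedly: a user-level BOTH or LOCAL value is a legitimate reason for a retained local password. Expect GUEST, and typically SYSADMIN, to remain local by design; the rows to act on are ordinary users who were never linked to an OID account and therefore still bypass SSO exactly as result 7 above describes.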
 
Also, the Metalink reply to an inquiry about using this profile option for SSO login in R12:
Able To Login Using AppsLocalLogin.jsp Inspite Of Applications SSO Login Types set to SSO [ID 468831.1]

 Modified 28-NOV-2007     Type PROBLEM     Status MODERATED 

In this Document
  Symptoms
  Cause
  Solution
  References


This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process, and therefore has not been subject to an independent technical review.

Applies to:

Oracle Applications Technology Stack - Version: 12.0
This problem can occur on any platform.

Symptoms

On Release 12.0 :
Integrated Oracle E-Business Suite with SSO and OID, provisioning enabled from Applications to OID. Profile option "Applications SSO Login Types" is set to SSO to prevent users from using the local login URL :

http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp

Users are still able to login using the AppsLocalLogin.jsp in spite of the profile option "Applications SSO Login Types" being set to "SSO".

EXPECTED BEHAVIOR
It should not allow login using AppsLocalLogin.jsp and display proper error message.

-- Steps To Reproduce:
The issue can be reproduced at will with the following steps:

1. Create a test user from E-Business Suite and it should also be created in OID.
2. Encrypted_Foundation_Password and Encrypted_User_Password in the FND_USER table are set to EXTERNAL.
3. User can login from the SSO login page as expected, but is also able to login successfully using AppsLocalLogin.jsp.

Cause

SSO users are able to create local sessions.

Fix is provided by version SessionMgr.java 120.36.12000000.7 which will be available in 12.0.4.

Solution

-- To implement the solution, please execute the following steps:
Please upgrade to Release 12.0.4 when it is available to download via Oracle Metalink.

1. Please ensure that you have taken a backup of your system before applying the recommended patch.
2. It is always advisable to apply the patch in a test environment when available.
3. Retest the issue.
4. Migrate the solution as appropriate to other environments.
