03 January, 2013

EBS R12 integrated with SSO (OAM/OSSO) prompting for username / password again : Your Oracle E-Business Suite account has not been linked

This post covers an issue encountered during EBS logon when Oracle Access Manager (OAM) is used as the Single Sign-On engine.
Issue: A user trying to access EBS (integrated with OAM for SSO) is redirected to the login page (deployed on EBS AccessGate). After typing the username and password, the user is redirected to an EBS page with the message "Your Oracle E-Business Suite Account has not been linked with the Single Sign-On Account that you just entered. Please enter your Oracle E-Business Suite information."

EBS OAM Logon


First, understand how an SSO user (the user stored in OID) is linked to an EBS user (FND_USER).
1. Oracle Access Manager (OAM) by default validates the username/password against WebLogic's embedded LDAP server. During EBS integration you point OAM to OID for username/password validation. To change the OAM 11.1.1.3 identity store to OID click here, and for the OAM 11.1.1.5 to OID integration steps click here.
2. OID holds the username/password; this entry is also referred to as the SSO user or SSO account.
3. Users are synced between OID and EBS (FND_USER and optionally the HR and TCA accounts) using either DIP or OIM (EBS UM connector). More on Oracle EBS integration with OIM using the EBS-UM connector later.
4. A user in EBS is linked to OID by matching the value of column USER_GUID in table FND_USER (EBS) with the ORCLGUID attribute in OID.
5. If for any user
i) USER_NAME in FND_USER matches the UID attribute in OID,
and
ii) USER_GUID is NULL in FND_USER for this user,
and
iii) the EBS profile option Applications SSO User Auto Link is set to Enabled,

then EBS AccessGate updates USER_GUID (in FND_USER) with the ORCLGUID value retrieved from OID. This process is called auto linking of the EBS user with OID.

Coming back to our issue: after OAM logon, the user being redirected to the EBS page with the message "Your Oracle E-Business Suite Account has not been linked with the Single Sign-On Account that you just entered. Please enter your Oracle E-Business Suite information" can occur in the following cases:
1. There is no user in EBS whose USER_GUID (in FND_USER) equals the ORCLGUID in OID, and the EBS profile option Applications SSO User Auto Link is blank or Disabled (auto link is disabled).
2. The EBS profile option Applications SSO User Auto Link is set to Enabled, but there is no user in EBS whose USER_NAME (in FND_USER) equals the UID attribute in OID. This means the user has not been synced from OID to EBS.
3. There is a user in EBS whose USER_GUID (in FND_USER) equals the ORCLGUID in OID, but the user is end dated in EBS (END_DATE in FND_USER). In this case you should see the message "Error Occurred" after typing the username/password on the EBS AccessGate logon page.
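The linking rules and the three failure cases above, modelled as an added example (not code from the post or from Oracle): a constructed in-memory FND_USER table is queried the way AccessGate's decision is described, and the function names the outcome for a given OID uid/orclguid and profile-option setting. Column names come from the post; the sample rows, the `diagnose` function and the outcome labels are assumptions made for the example.

```python
import sqlite3

# Constructed sample FND_USER rows (USER_NAME, USER_GUID, END_DATE); not real data.
FND_USER_ROWS = [
    ("ALICE", "guid-alice", None),          # already linked to OID
    ("BOB",   None,         None),          # synced from OID, never linked
    ("CAROL", "guid-carol", "2012-06-30"),  # linked, but end dated in EBS
]


def load_fnd_user():
    """Build an in-memory FND_USER with only the columns the linking logic uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FND_USER (USER_NAME TEXT, USER_GUID TEXT, END_DATE TEXT)")
    conn.executemany("INSERT INTO FND_USER VALUES (?, ?, ?)", FND_USER_ROWS)
    return conn


def diagnose(conn, uid, orclguid, auto_link_enabled, today="2013-01-03"):
    """Apply the AccessGate linking rules from the post and name the outcome.

    Outcome labels are hypothetical; 'NOT_LINKED' stands for the
    'account has not been linked' page, 'ERROR_OCCURRED' for the end-dated case.
    """
    cur = conn.cursor()
    # Case 3 / normal logon: an EBS user already carries this ORCLGUID.
    row = cur.execute("SELECT USER_NAME, END_DATE FROM FND_USER WHERE USER_GUID = ?",
                      (orclguid,)).fetchone()
    if row is not None:
        _, end_date = row
        if end_date is not None and end_date <= today:
            return "ERROR_OCCURRED"
        return "LOGGED_IN"
    # Case 1: no GUID match and auto link is blank/disabled.
    if not auto_link_enabled:
        return "NOT_LINKED"
    # Auto link needs USER_NAME = uid (exact match assumed) and USER_GUID IS NULL.
    row = cur.execute("SELECT USER_NAME FROM FND_USER WHERE USER_NAME = ? AND USER_GUID IS NULL",
                      (uid,)).fetchone()
    if row is None:
        return "NOT_LINKED"  # Case 2: user was never synced OID -> EBS
    cur.execute("UPDATE FND_USER SET USER_GUID = ? WHERE USER_NAME = ?", (orclguid, uid))
    conn.commit()
    return "AUTO_LINKED"
```

Running `diagnose` twice for the same unlinked user shows the side effect of auto linking: the second call finds the GUID and logs the user in.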


=========================================================================
UPDATED
=========================================================================
1) LDAP Sync is a new feature that allows synchronization between OIM and OID. Most of the underlying tables are not visible in the OIM schema, but some of them, such as the 'Recon Events' and 'Recon Errors' tables, can be followed as they are populated.
For example (joins a reconciliation event to the OIM user it resolved to and the job that produced it):

select a.RE_KEY, c.USR_LOGIN, c.USR_EMAIL, c.USR_FIRST_NAME, c.USR_LAST_NAME,
       b.USR_KEY, b.UGP_KEY, b.RE_ENTITY_TYPE, b.RE_CHANGE_TYPE, b.RE_LINK_SOURCE,
       b.RE_NOTE, b.RE_REASON,
       to_char(b.RE_CREATE, 'DD/MM/YYYY HH24:MI:SS') RE_CREATE,
       to_char(b.RE_MODIFY, 'DD/MM/YYYY HH24:MI:SS') RE_MODIFY,
       b.RE_KEYFIELD, a.RECON_ACT_KEY, a.RECON_USR_EMAIL, a.RECON_ORG_NAME,
       a.RECON_USR_TYPE, a.RECON_USR_EMP_TYPE, a.RECON_USR_PASSWORD, a.RECON_ORCLGUID,
       a.RECON_GIVENNAME, a.RECON_SN, a.RECON_DESCRIPTION, a.RECON_CN, a.RECON_DN,
       a.RECON_CHGLOGATTR_IDXLST, d.RJ_NAME, d.RJ_JOB_STATUS,
       to_char(d.RJ_END_TIME, 'DD/MM/YYYY HH24:MI:SS') END_TIME,
       to_char(d.RJ_START_TIME, 'DD/MM/YYYY HH24:MI:SS') START_TIME,
       d.RJ_TOTAL_TIME
  from OIM.RA_LDAPUSER a, OIM.RECON_EVENTS b, OIM.USR c, OIM.RECON_JOBS d
 where a.RE_KEY = b.RE_KEY
   and b.USR_KEY = c.USR_KEY
   and c.USR_EMAIL = 'Thiago.leoncio@server.com'
   and b.RJ_KEY = d.RJ_KEY
 order by RE_MODIFY desc;




2) LDAP sync is now a mandatory element of the OIM 11g / OAM 11g integration. In the integrated scenario LDAP sync provides complete password lifecycle management. Only Users and Roles (role details, hierarchy, membership attribute) are synchronized; LDAP sync does not synchronize Organizations.


3) You can keep working with the OIM audit feature, but only the part backed by the UPA_* tables.
For example (lists the audited field changes for one user, newest first):

select b.USR_LOGIN, a.FIELD_NAME, a.FIELD_OLD_VALUE, a.FIELD_NEW_VALUE,
       a.CREATE_DATE, a.UPDATE_DATE
  from OIM.USR b, OIM.UPA_USR c, OIM.UPA_FIELDS a
 where c.USR_KEY = b.USR_KEY
   and a.UPA_USR_KEY = c.UPA_USR_KEY
   and upper(b.USR_EMAIL) like upper('%thiago.leoncio%')
   and upper(b.USR_LOGIN) like upper('%thiago.leoncio%')
 order by a.UPA_FIELDS_KEY desc;


4) With OID LDAP sync you do not need to worry about policies (e.g. access policies); the sync is a very straightforward process. From OID to OIM, reconciliation is handled by the LDAP User, Role, Hierarchy and Membership jobs, which keep the sync process simple. From OIM to OID, a set of event handlers sends the changes to OID and updates it. From the reconciliation perspective, full reconciliation does a full update of OIM, while incremental reconciliation works from the last changelog entry in OID: for example, a simple ldapmodify against any user in OID writes a new changelog entry there, which the next incremental run picks up.

5) The OID connector adds the LDAP instance as a resource (target system) in OIM. A number of actions can then be attached to the target system, such as workflows, provisioning operations, approvals and requests.

6) OID LDAP sync can be set up during the installation of Oracle Identity Manager or, if you prefer, later.
I hope this helps,
Piyush Prakash
 

3 comments:

Anonymous said...

Hi Piyush,

I have another type of challenge related to SSO.
When the session times out, the page is redirected to the standard HR main page and not to the SSO page.

Where can I find the parameter that will allow me to specify the needed URL link?


Regards,
Pierre

Email: pierreeid@hotmail.com

Unknown said...

Hi Piyush,

I am wondering if you could share your thoughts on the following!

As LDAP sync is now a mandatory element for OIM 11g / OAM 11g integration,
do you think that the OID connector is not required if you are using OIM/OID 11g? I am not sure; could you tell?

Also,
LDAP sync would reconcile users from OID to OIM 11g. Also,
users created in OIM will always be in sync with OID, right?

If the EBS instance is integrated with OAM-OID-SSO 11g,
does it mean that by doing the LDAP sync OID-OIM, users created in EBS (which is integrated with OID) would automatically be synced with OIM, or do we have to use or install the EBS connectors in order to get it integrated with OIM?

