
[Experience sharing] EBS SSO: blocking AppsLocalLogin.jsp login


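Posted 2017-5-23 21:07:45
Note: the following is only my own testing and opinion.
 EBS version: 11.5.10.2
 Background: With SSO single sign-on, logging in to EBS through http://<host>.<domain>:<port>/ automatically redirects to the unified SSO login page.
       However, Oracle EBS keeps a login backdoor, http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp;
       through this URL it is still possible to bypass the unified SSO login page and enter the system from the EBS login page.
 Goal: determine whether this URL can be blocked, so that even when the URL is typed in by hand, login to EBS is only possible from the unified SSO page.
Reference documentation:
Applications SSO Login Types (APPS_SSO_LOCAL_LOGIN)
- SSO – Login is only allowed through Single Sign-On. The password is set to ‘EXTERNAL’ after a single sign-on account and an application account are linked.
- LOCAL – Login is only allowed via Oracle E-Business Suite local login. Passwords must be retained in the Oracle E-Business Suite and the account cannot be linked to any Oracle Internet Directory user.
- BOTH – Login can be through both single sign-on and Oracle E-Business Suite. Since changes to the Oracle E-Business Suite password can be synchronized to Oracle Internet Directory, but not vice versa, a user’s Single Sign-On password will not necessarily be synchronized with his Oracle E-Business Suite password.

 Test steps:
          1. Set the value of Applications SSO Login Types (set the system profile option in the English-language environment) to "SSO"
          2. Create a new EBS user TEST1/ABC123
          3. Synchronize to SSO
 Test results:
          1. After synchronizing to SSO, encrypted_user_password and encrypted_foundation_password in the fnd_user table change to "EXTERNAL"
          2. Entering the address http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp still leads to the EBS login page
          3. Logging in to EBS with TEST1/ABC123 fails
          4. Logging in through the SSO page succeeds (the user name/password are the ones set centrally in SSO)
          5. Changing the user's password through SSO and synchronizing to EBS, the password value in fnd_user is
          6. After changing the password, repeating steps 4 and 5 gives the same result
          7. Users whose password is not EXTERNAL can still log in to the system directly from EBS by entering the URL

 Test steps:
          1. Restore the value of Applications SSO Login Types (set the system profile option in the English-language environment) to "BOTH"
          2. Reset the password of TEST1 to ABC1234 through SSO
          3. Synchronize to SSO
 Test results:
          1. After synchronizing to SSO, encrypted_user_password and encrypted_foundation_password in the fnd_user table are no longer "EXTERNAL"
          2. Entering the address http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp still leads to the EBS login page
          3. Logging in to EBS with TEST1/ABC123 succeeds
          4. Logging in through the SSO page succeeds (the user name/password are the ones set centrally in SSO)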
 
In addition, the reply on Metalink to an inquiry about using this profile option for SSO login in R12:
Able To Login Using AppsLocalLogin.jsp Inspite Of Applications SSO Login Types set to SSO [ID 468831.1]
 Modified 28-NOV-2007     Type PROBLEM     Status MODERATED
  In this Document
  Symptoms
  Cause
  Solution
  References
This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process, and therefore has not been subject to an independent technical review.
Applies to:
Oracle Applications Technology Stack - Version: 12.0
This problem can occur on any platform.
Symptoms
  On Release 12.0 :
Integrated Oracle E-Business Suite with SSO and OID, provisioning enabled from Applications to OID. Profile option "Applications SSO Login Types" is set to SSO to prevent users from using the local login URL :
  http://<host>.<domain>:<port>/OA_HTML/AppsLocalLogin.jsp
  Users are still able to login using the AppsLocalLogin.jsp in spite of the profile option "Applications SSO Login Types" being set to "SSO".
  EXPECTED BEHAVIOR
It should not allow login using AppsLocalLogin.jsp and display proper error message.

-- Steps To Reproduce:
The issue can be reproduced at will with the following steps:
  1. Create a test user from E-Business Suite and it should also be created in OID.
2. Encrypted_Foundation_Password and Encrypted_User_Password in FND_USER table is set to EXTERNAL.
3. User can login from the SSO login page as expected, but is also able to login successfully using AppsLocalLogin.jsp.
Cause
SSO users are able to create local sessions.

Fix is provided by version SessionMgr.java 120.36.12000000.7 which will be available in 12.0.4.
Solution
-- To implement the solution, please execute the following steps:
Please upgrade to Release 12.0.4 when it is available to download via Oracle Metalink.

1. Please ensure that you have taken a backup of your system before applying the recommended patch.
2. Always advisable to apply the patch in a test environment when available.
3. Retest the issue.
4. Migrate the solution as appropriate to other environments.
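
Since the tests above show the local login page stays reachable whatever the profile value, one way to see who is actually using it is to scan the web server access log for requests to AppsLocalLogin.jsp. This is an added example, not part of the original post or of Oracle's note; it assumes Apache common/combined log format, and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: Apache common/combined log format; only the leading fields are used.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
LOCAL_LOGIN = "/oa_html/appslocallogin.jsp"

def normalize_path(target):
    """Reduce a request target to a canonical lowercase path for matching."""
    path = unquote(target.split("?", 1)[0])      # drop query, decode %xx
    stack = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]               # drop ;jsessionid=... style params
        if seg == "..":
            if stack:
                stack.pop()
        elif seg not in ("", "."):               # collapse '//' and '/./'
            stack.append(seg)
    # Lowercasing over-matches on case-sensitive hosts; for detection that is fine.
    return "/" + "/".join(stack).lower()

def local_login_hits(lines):
    """Return (client, method, status) for each request to the local login page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalize_path(m.group(3)) == LOCAL_LOGIN:
            hits.append((m.group(1), m.group(2), int(m.group(4))))
    return hits

def summarize(hits):
    """Count local-login requests per client address."""
    return Counter(client for client, _, _ in hits)

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.5 - - [23/May/2017:21:00:01 +0800] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120',
    '192.0.2.5 - - [23/May/2017:21:00:09 +0800] "POST /OA_HTML/AppsLocalLogin.jsp?x=1 HTTP/1.1" 302 0',
    '192.0.2.7 - - [23/May/2017:21:01:12 +0800] "GET /OA_HTML//%41ppsLocalLogin.jsp;x=1 HTTP/1.1" 200 5120',
    '192.0.2.8 - - [23/May/2017:21:02:30 +0800] "GET / HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for client, count in summarize(local_login_hits(SAMPLE_LOG)).most_common():
        print(client, count)
```

Comparing the flagged clients against the short list of administrators expected to use local login separates routine access from SSO bypass.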
