WebSEAL forms SSO into Oracle EBS v12

Integration Update 04/03/14:

An alternative Forms SSO method has been documented here:
https://philipnye.com/posts/oracle-ebs-r12-forms-sso-mk-ii/

Background

I was asked to look at the configuration for Forms SSO into Oracle E-business suite. They had updated from version 11 to version 12 and it wasn’t working with their old fsso.conf.

After some analysis, it seemed that the JavaScript on the login form was adding an additional value to the form before submitting.

The one on the left is with JavaScript submit enabled, and on the right, with the onclick event disabled.

[Image: Differences]

The subtle variation I can see is:
_FORM_SUBMIT_BUTTON

 

So, with a bit of Firebug magic, I tweaked the value of this to see if it was indeed the difference, and it was.

So I updated the fsso.conf with the additional static variable, and it all started working!

 

[forms-sso-login-pages]
login-page-stanza = oracle-login-page

[oracle-login-page]
login-page = /OA_HTML/RF.jsp?function_id=1032925*
login-form-action = *
gso-resource = oraclesso
argument-stanza = args-for-login-page-one

[args-for-login-page-one]
usernameField = gso:username
passwordField = gso:password
_FORM_SUBMIT_BUTTON = string:SubmitButton

EDIT (17/01/14):
It’s come to my attention that Oracle has introduced some new security features for CSRF amongst other things. This means that if you follow the Oracle hardening guidelines, JavaScript is necessary to make the login form work. Naturally this breaks the Forms SSO capabilities in WebSEAL.

The following settings were changed in the Oracle EBS Profiles to disable the need for JavaScript and the submission of a random string with a login:

OLD Settings:
Profile Name                     Set Value at Site Level
FND: Diagnostics                 N
FND Validation Level             ERROR
FND Function Validation Level    ERROR
Framework Validation Level       ERROR
Restrict text input              Y

The above profile settings are explained here:

http://appsdbastuff.blogspot.ae/2011/07/secure-configuration-of-oracle-e.html

Setting these profile parameters as follows stops the Oracle EBS HTML logon form from requiring the 8-character alphanumeric dynamic string to be submitted:

NEW Settings:
Profile Name                     Set Value at Site Level
FND: Diagnostics                 N
FND Validation Level             NONE
FND Function Validation Level    NONE
Framework Validation Level       NONE
Restrict text input              Y
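
Added example, not from the original post: a Python check that repeats the Firebug comparison above in code. It diffs a login POST made with the onclick handler disabled against two made with it enabled, returns the `string:` lines the argument stanza is missing, and lists fields whose value changes per request. The sample bodies are constructed, and `dynToken` is a hypothetical field name standing in for the dynamic string.

```python
from urllib.parse import parse_qsl

# Constructed sample POST bodies, not captured from a real EBS instance.
# "dynToken" is a hypothetical name for a per-request value.
NO_JS = "usernameField=jdoe&passwordField=pw"
JS_1 = "usernameField=jdoe&passwordField=pw&_FORM_SUBMIT_BUTTON=SubmitButton&dynToken=a1B2c3D4"
JS_2 = "usernameField=jdoe&passwordField=pw&_FORM_SUBMIT_BUTTON=SubmitButton&dynToken=Zz9Yy8Xx"

STANZA = """\
[args-for-login-page-one]
usernameField = gso:username
passwordField = gso:password
"""

def fields(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))

def stanza_keys(text, name):
    """Return the argument names defined under [name] in fsso.conf-style text."""
    keys, inside = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            inside = (line == f"[{name}]")
        elif inside and "=" in line and not line.startswith("#"):
            keys.add(line.split("=", 1)[0].strip())
    return keys

def audit(no_js, js_a, js_b, stanza_text, stanza_name):
    """Classify fields that only appear when the page's JavaScript runs."""
    base, a, b = fields(no_js), fields(js_a), fields(js_b)
    known = stanza_keys(stanza_text, stanza_name)
    static, dynamic = [], []
    for key in a:
        if key in base or key in known:
            continue  # submitted without JavaScript, or already configured
        if b.get(key) == a[key]:
            static.append(f"{key} = string:{a[key]}")  # same in both captures
        else:
            dynamic.append(key)  # differs per request, no fixed value exists
    return static, dynamic

if __name__ == "__main__":
    static, dynamic = audit(NO_JS, JS_1, JS_2, STANZA, "args-for-login-page-one")
    print("add to stanza:", static)
    print("cannot be a static string: value:", dynamic)
```

A field reported as dynamic is the case the 17/01/14 edit describes: no single fsso.conf line can supply it, which is why the post changes the EBS profile values instead.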

 
