Authentication
Authentication Options
PROCESSIT offers three supported methods for user authentication:
- Default identity service
- Custom PL/SQL authenticator
- WebLogic Active Directory or LDAP Authentication Provider
Default identity service
The default user authentication service used by PROCESSIT is IdentityServiceAuthenticationProvider, which is a custom provider that authenticates via the Identity Service and database connections for user implementations using the FND_EMPL and EMPL methods.
Custom PL/SQL authenticator
A custom PL/SQL authenticator lets you implement your own authentication provider using PL/SQL, provided the interface design matches the criteria set forth in PROCESSIT.
PROCESSIT contains custom configuration parameters related to custom PL/SQL authentication. You can add these to your custom PL/SQL package, to avoid hardcoding some of the key setup information into your procedure.
WebLogic Active Directory or LDAP Authentication Provider
WebLogic ships with many predefined authentication providers. PROCESSIT is tested with Active Directory / LDAP authentication. Please refer to http://docs.oracle.com/cd/E11035_01/wls100/secmanage/atn.html#wp1198953 for the supported LDAP providers.
Authentication Provider Overview
Once you have configured a new authentication provider, restart the WebLogic server to make the changes take effect.
Configuration Parameters | IdentityService | Custom PL/SQL | WebLogic Authentication Provider (LDAP/AP) |
---|---|---|---|
D4_USER_IMPLEMENTATION | Employees / FND user joined with Employee | Employees / FND user joined with Employee | Employees, authenticating via Weblogic Security Realm / FND user joined with employee, authenticating via Weblogic Security Realm |
D4_USER_CUSTOM_AUTH_DB | N/A | Database hosting custom PL/SQL Function | N/A |
D4_USER_CUSTOM_AUTH_FUNCTION | N/A | Custom PLSQL Function Name | N/A |
D4_USER_CUSTOM_AUTH_LDAP_HOST | N/A | Customer Requested* | N/A |
D4_USER_CUSTOM_AUTH_LDAP_PORT | N/A | Customer Requested* | N/A |
D4_USER_CUSTOM_AUTH_LDAP_SEARCH_BASE | N/A | Customer Requested* | N/A |
*Customer Requested configuration parameters are not used by PROCESSIT, but available for customers to put their own configuration settings into.
Details on Custom Authentication
The System Administrator must configure an Authentication Provider in WebLogic following the guidelines set forth in Oracle's documentation. The provider must have its control flag set to SUFFICIENT and must be the first provider in the list of Authentication Providers. Additional providers should also be set to SUFFICIENT, as listed in our WebLogic authentication provider installation documentation.
The following parameters in PROCESSIT can be configured to contain server settings:
- Custom PL/SQL User Authentication LDAP Host: Ldap host name
- Custom PL/SQL User Authentication LDAP Port: Ldap port number (generally 389 or 3268)
- Custom PL/SQL User Authentication LDAP Search Base: Ldap search base DN
- Custom PL/SQL User Authentication Database: Select either the EBS or PROCESSIT database as the custom authentication host.
- Custom PL/SQL User Authentication Function: specify the schema name and function name in the format schema_name.function_name, for example D4.VALIDATE_LOGIN.
Authentication Function Details
The function must accept two input VARCHAR2 parameters: USER_NAME and PASSWORD.
It must return a single VARCHAR2 result of either Y, if the user exists and can be authenticated with the supplied user name and password, or N, if any error or authentication failure occurs. An example function signature:
FUNCTION VALIDATE_LOGIN(PI_USER_NAME VARCHAR2, PI_PASSWORD VARCHAR2) RETURN VARCHAR2
If the parameters are not configured, the implementation defaults to authenticating via the standard Oracle EBS APPS.FND_WEB_SEC.VALIDATE_LOGIN function.
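The following is an added example of a custom PL/SQL authenticator that satisfies the contract above (two VARCHAR2 inputs, a single 'Y' or 'N' result, 'N' on any error) and authenticates against an LDAP directory with Oracle's DBMS_LDAP package, using a search to resolve the user's DN followed by a bind as that user. It is not PROCESSIT's own code. The host, port, search base, login attribute and the read-only service account used for the lookup are placeholder constants: the page does not document how a PL/SQL function reads the D4_USER_CUSTOM_AUTH_LDAP_* parameters, so replace them with your own lookup.

```plsql
-- Added example (not PROCESSIT code): LDAP search-then-bind authenticator
-- matching the PROCESSIT custom authentication contract.
CREATE OR REPLACE FUNCTION d4_validate_login_ldap (
    pi_user_name IN VARCHAR2,
    pi_password  IN VARCHAR2
) RETURN VARCHAR2
IS
    -- Placeholder connection settings (assumed; substitute your environment's values)
    c_ldap_host   CONSTANT VARCHAR2(200) := 'ldap.example.invalid';
    c_ldap_port   CONSTANT PLS_INTEGER   := 389;
    c_search_base CONSTANT VARCHAR2(200) := 'DC=example,DC=invalid';
    c_login_attr  CONSTANT VARCHAR2(30)  := 'sAMAccountName';  -- 'uid' for non-AD directories
    -- Read-only service account used only to resolve the user's DN (placeholder)
    c_svc_dn      CONSTANT VARCHAR2(200) := 'CN=svc-processit,OU=Service,DC=example,DC=invalid';
    c_svc_pwd     CONSTANT VARCHAR2(200) := '<service-account-password>';

    l_session DBMS_LDAP.session;
    l_attrs   DBMS_LDAP.string_collection;
    l_result  DBMS_LDAP.message;
    l_entry   DBMS_LDAP.message;
    l_rc      PLS_INTEGER;
    l_user_dn VARCHAR2(1000);
    l_filter  VARCHAR2(1000);

    -- Escape the characters that are special in an RFC 4515 search filter so
    -- a user-supplied login name cannot alter the structure of the query.
    FUNCTION escape_filter (p_val IN VARCHAR2) RETURN VARCHAR2 IS
        l_out VARCHAR2(4000) := p_val;
    BEGIN
        l_out := REPLACE(l_out, '\', '\5c');   -- backslash must be escaped first
        l_out := REPLACE(l_out, '*', '\2a');
        l_out := REPLACE(l_out, '(', '\28');
        l_out := REPLACE(l_out, ')', '\29');
        l_out := REPLACE(l_out, CHR(0), '\00');
        RETURN l_out;
    END escape_filter;
BEGIN
    -- Fail closed on empty input. An LDAP simple bind with an empty password is
    -- an anonymous bind and usually succeeds, so this check is essential.
    IF pi_user_name IS NULL OR pi_password IS NULL OR LENGTH(pi_password) = 0 THEN
        RETURN 'N';
    END IF;

    -- Have DBMS_LDAP raise exceptions rather than returning error codes.
    DBMS_LDAP.use_exception := TRUE;

    l_session := DBMS_LDAP.init(c_ldap_host, c_ldap_port);

    -- Step 1: bind as the service account and resolve the user's DN.
    l_rc := DBMS_LDAP.simple_bind_s(l_session, c_svc_dn, c_svc_pwd);

    l_attrs(1) := 'cn';
    l_filter   := '(' || c_login_attr || '=' || escape_filter(pi_user_name) || ')';
    l_rc := DBMS_LDAP.search_s(l_session, c_search_base, DBMS_LDAP.SCOPE_SUBTREE,
                               l_filter, l_attrs, 0, l_result);

    -- Exactly one match is required: zero means unknown user, more than one is ambiguous.
    IF DBMS_LDAP.count_entries(l_session, l_result) <> 1 THEN
        l_rc := DBMS_LDAP.unbind_s(l_session);
        RETURN 'N';
    END IF;

    l_entry   := DBMS_LDAP.first_entry(l_session, l_result);
    l_user_dn := DBMS_LDAP.get_dn(l_session, l_entry);

    -- Step 2: prove possession of the password by binding as the resolved DN.
    -- With use_exception set, a wrong password raises and is handled below.
    l_rc := DBMS_LDAP.simple_bind_s(l_session, l_user_dn, pi_password);
    l_rc := DBMS_LDAP.unbind_s(l_session);
    RETURN 'Y';
EXCEPTION
    WHEN OTHERS THEN
        -- Any failure (unreachable host, bad service credentials, invalid
        -- password) is reported as 'N', as the PROCESSIT contract requires.
        BEGIN
            l_rc := DBMS_LDAP.unbind_s(l_session);
        EXCEPTION
            WHEN OTHERS THEN NULL;
        END;
        RETURN 'N';
END d4_validate_login_ldap;
/
```

Register the function as schema_name.D4_VALIDATE_LOGIN_LDAP in the Custom PL/SQL User Authentication Function parameter. The owning schema needs EXECUTE on DBMS_LDAP and, on 11g and later, a network ACL permitting connections to the directory host. A simple bind over port 389 sends the password in clear text; in production use DBMS_LDAP.open_ssl with an Oracle wallet (or an LDAPS port) so credentials are protected in transit, and keep the service account password out of the package source.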
Details on WebLogic Provider
You must select from one of two additional user Implementations, FND user joined with employee, authenticating via Weblogic Security Realm or Employees, authenticating via Weblogic Security Realm.
Each of these user implementations corresponds to one of the previous user implementations; the difference is that authentication happens via the provider you have configured. Users must exist in FND User / Employee with the same user ID as in the configured provider.
Authenticating using one of these providers will not give you password expiration warnings or notices of account lockouts. You will only get an "Authentication failed" result under those conditions. Resolving such issues must be handled through the provider's own facilities; for example, if you are authenticating via Active Directory, you will need to change your password in Active Directory.
External Documentation
The configuration is specific to each environment. There is extensive documentation from Oracle and elsewhere online on configuring it.
See for instance: http://docs.oracle.com/cd/E11035_01/wls100/secmanage/atn.html