Thursday, January 22, 2009

Discoverer 10g login and password expiry in an SSO environment

Introduction

In an E-Business Suite 11i application, one can enable Password Expiration for users created locally using the DEFINE USER form. This value is stored in the PASSWORD_LIFESPAN_DAYS column. If the 11i application is integrated with Oracle Single Sign-On (SSO), the 11i SSO login mechanism ignores this column as expected because the password policy is defined in the LDAP Directory. However, this does not seem to be the case for Discoverer 10g SSO Login functionality. The Discoverer login code seems to be explicitly checking for 'PASSWORD_LIFESPAN_DAYS' column in the FND_USER table even though it is SSO enabled. This behavior is consistent in both Discoverer Plus and Viewer components.

For example, if FND_USER.PASSWORD_DATE is 22-NOV-08,FND_USER.PASSWORD_LIFESPAN_DAYS 30 and if SYSDATE is '22-JAN-09' for user JSMITH, the Discoverer Login will fail with the above error (whenever PASSWORD_LIFESPAN_DAYS is less than SYSDATE-PASSWORD_DATE) .

Solution

Update the PASSWORD_LIFESPAN_DAYS column to NULL for all rows in the FND_USER table after the 11i application is integrated with SSO.

2 comments:

CKS said...

Hi, how have you got your Discover configured for SSO.. Did you modify the mod_osso.conf file? Are you still getting the SSO window and then the BI login window? If now, how did you get around this?
Thanks,
CKS in TX

Srinivas Ramineni said...

CKS,

There seems to be a known issue with Discoverer access with SSO.

1) If you are Discoverer user with SSO, then first "login" to regular Oracle Applications login page.

2) Logout

3) Now login to Discoverer Viewer or Plus using SSO.

Subsequent Disco Viewer or Plus logins will be fine and you dont find another BI login window.

Hope that helps

-Srinivas Ramineni

Related Posts Plugin for WordPress, Blogger...