Success stories of NW single sign-on

Similar Messages

• IRecuritment: Resume Parsing with Single Sign on (SSO)

  Application Version:11.5.9
  RDBMS Version:9.2.0.7
  Patch Level:IRC.D, HR_PF.G
  Problem Description/Question:
  Anyone successfully parsed resumes with Single Sign On enabled. We are unable to parse resume with SSO. If I disable the SSO the parsing is working fine. With the SSO enabled resume parsing giving the following error:
  javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
  Pl. let me know if you have any suggestions/work around to resolve the issue. Client is going to live in 3 weeks. Any help is appreciated.
  Thanks,
  V

  Hi Rainer,
  you can find this setting in your Internet Explorer. Use Tools -> Internet Options -> Advanced. In the section "Security", check "Enable Integrated Windows Authentication (requires restart)" and restart your browser.
  If the error still persists Note
  934138 might be useful. 
  Hope this will help out.
  Regards,
  André

• OBIEE 11G with Single Sign-On and Active Directory

  Hi guys,
  Release Version: Oracle Business Intelligence 11.1.1.5.0
  Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
  OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
  We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
  Our krb5login.conf:
  com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  We generate de keytab file:
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
  Password for [email protected]:XXXXXXX
  Done!
  Service key for [email protected] is saved in cgdkobi2.keytab
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
  New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
  Key tab: cgdkobi2.keytab, 1 entry found.
  [1] Service principal: [email protected]
  KVNO: 1
  Time stamp: Mar 15, 2013 10:34
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
  Current LogonId is 0:0x406163f5
  Cached Tickets: (0)
  We re-start the services and logon into analytics web and SSO doesn't work but there's not an error. It runs successfully with and Active Directoy user and password. Seems like SSO wasn't enabled, but I checked is enabled.
  Any suggestion?
  Thanks in advanced

  Follow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
  Also check your logs for error like the one below:
  [2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43113] Message returned from OBIS.
  [nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
  If you are getting this when you login to OBIEE :      You are not currently signed in to Oracle BI Server"
  then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
  Let us know the updates. Hope this helps. Mark if it does.!
  Thanks,
  SVS

• Single Sign-On and VPDs

  Hi - we're trying to implement a VPD on our company database at the moment and were wondering if a single sign-on architecture on our middle tier could be successfully tied to a VPD on the database tier. We have a number of clients, both internal and external, who will be accessing the database via the web and we need to control who sees what. Could you advise on the feasibility of this approach? Thanks

  Hi Derick,
  I want to make our discussion into 2 parts
  1) Sign on
  2) Viewing data based on the Heirarchy
  1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
  2) We can make the second point possible in two ways One is with providing restriction at universe level
  and the other one is through the use of flash variables.
  Using flash variables:
  The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
  I hope this is what you ar looking for....
  If so i have more points to acheive such scenario.
  Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
  Regards,
  AnjaniKumar C.A.

• Single sign-on and custom DBLoginModule

  Hi,
  I need help in making sso work. I have Application Server version 10.1.3.1.0, I've developed application in JDeveloper 10.1.3.3. that uses form based login and when deployed to server I can normally login/logout. Now I want to enable single sign on, so I've changed security provider of javasso to the one I'm using in my application (oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule) and started javasso, added my application to participating applications, and restarted the instance.
  When I try to access my application, login page of javasso is shown but I cannot login, always get incorrect username/password. The strange thing is that logs are empty, so i guess that dblogin module is never fired.
  Also I've changed my login method so it supports identity callback, like described in here .
  This Re: Custom Login Module and JavaSSO said that orion-application.xml of my application and javasso should be the same, I haven't figured out what should I do with javasso orion-application.xml and how sould it look like.
  this is orion-application.xml of my application
  <?xml version = '1.0' encoding = 'windows-1250'?>
  <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
  <library path="./adf"></library>
  <jazn location="./jazn-data.xml" provider="XML"/>
      <data-sources path="./data-sources.xml"/>
  <jazn-loginconfig>
       <application>
            <name>secure-web-app</name>
            <login-modules>
                 <login-module>
                      <class>oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule</class>
                      <control-flag>required</control-flag>
                      <options>
                           <option>
                                <name>data_source_name</name>
                                <value>jdbc/WMSPortalDS</value>
                           </option>
                           <option>
                                <name>debug</name>
                                <value>true</value>
                           </option>
                           <option>
                                <name>plsql_procedure</name>
                                <value>PK_SECURITY.GET_USER_AUTHENTICATION</value>
                           </option>
                           <option>
                                <name>log_level</name>
                                <value>ALL</value>
                           </option>
                      </options>
                 </login-module>
            </login-modules>
       </application>
  </jazn-loginconfig>        
  </orion-application>this is orion-application.xml of javasso
  <?xml version = '1.0' encoding = 'utf-8'?>
  <orion-application
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"
      schema-major-version="10"
      schema-minor-version="0"
      component-classification="internal">
  <security-role-mapping name="{{PUBLIC}}">
      <group name="{{PUBLIC}}" />
  </security-role-mapping>
  <jazn provider="XML">
  </jazn>
  </orion-application>Please help, this is very urgent to me, all advices and guide lines are more than welcome.
  Thanks in advance,
  Tomislav.

  To be clear maybe someone will help.
  I have a cluster topology, with one application server and 3 oc4j instances.
  I've done following steps and without success, on my test instance:
  1. Deployed application with custom DBLogin (I'm using: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule)
  2. Sucessfully login / logout -> so I guess DBLogin is working fine
  3. Stopped the java sso application
  4. Changed the javasso Security Provider to my custom DBLogin with following parameters:
  class: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule
  data_source_name - jdbc/WMSPortalDS
  log_level - ALL
  plsql_procedure - PK_SECURITY.GET_USER_AUTHENTICATION
  debug - true
  5. Added Connection Pool and Data Source in javasso Administration -> JDBC -> tested connections and it was sucessful
  6. Started javasso application
  7. Then I went to Java SSO Configuration -> Participating applications -> checked my application
  8. Restarted instance
  9. Try to login -> invalid username / password
  In enerprise manager Log files -> javasso -> there are only messages regarding starting and stopping application
  Questions:
  1. orion-application.xml for javasso -> what exactly needs to be specified inside, currently I have following:
  <?xml version="1.0"?>
  <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" component-classification="internal"
    schema-major-version="10" schema-minor-version="0" >
          <web-module id="javasso-web" path="javasso-web.war" />
          <security-role-mapping name="{{PUBLIC}}">
                  <group name="{{PUBLIC}}" />
          </security-role-mapping>
          <persistence path="persistence" />
          <jazn provider="XML">
                  <property name="custom.loginmodule.provider" value="true" />
                  <property name="role.mapping.dynamic" value="true" />
          </jazn>
          <log>
                  <file path="application.log" />
          </log>
          <data-sources path="./data-sources.xml" />
  </orion-application>2. orion-application.xml for my application
  <?xml version="1.0"?>
  <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" see-parent-data-sources="false" component-classification="external"
    schema-major-version="10" schema-minor-version="0" >
          <web-module id="Portal" path="Portal.war" />
          <persistence path="persistence" />
          <library path="./adf" />
          <jazn provider="XML" location="jazn-data.xml" default-realm="jazn.com" >
                  <property name="custom.loginmodule.provider" value="true" />
                  <property name="role.mapping.dynamic" value="true" />
                  <jazn-web-app auth-method="CUSTOM_AUTH" />
          </jazn>
          <log>
                  <file path="application.log" />
          </log>
          <data-sources path="./data-sources.xml" />
  </orion-application>3. How to get any information into logs, I cannot find out what I'm doing wrong since there's no output in logs for javasso and my application.
  Please help, I'm really stuck and I have to resolve this as soon as possible.
  Thanks in advance,
  Tomislav.

• Single Sign on and Protect URL step

  Hi,
  I have successfully installed Oracle Internet Directory, Identity Server, Web Pass, Policy manager, Access Server and WebGate (attached to Oracle HTTP Server from Oracle Management Infrastructure).
  My questions are:
  - How do I protect URL so the user will need to login to access certain URL?
  - How do I enable single sign on and test it?
  - What are the general steps involve to enable URL protection (so if the url is protected it will prompt for username and password) and single sign on using Oracle Internet Directory?
  Kindly help me if anyone know a solution or can point me to the right documentation. I have tried to read Oracle Access Manager - Access Administration Guide, but keep getting confused.
  Thanks.
  Regards,
  Alfonso

  Hi,
  You can follow Oracle Access Manager Integration Guide (10.1.4.0.1) B25347-01, chapter 4, to achieve this. This document will answer most of your questions.
  Regards,

• Single Sign-On and session information

  I have an Oracle Portal application with many Java Web Applications. I wish to
  provide Single Sign-On to this applications. I know how to configure Single
  Sign-On and how to get the user login in Java. I want to store session
  information such as: User First and Last Name, User Social Security Number. I
  want to get this information from the database after authentication, store it
  in session and then access this information from all my applications.

  Are you familiarized with sys_context function?
  Hope this is useful help.
  BR,
  Marcos

• Single Sign On -- Enterprise portal and BI JAVA

  Hi,
  I need to watch reports BI J2ee from an EP 7.00. I have configured the single sign On but it works just for ABAP BI Stack.
  This is what I have done for SSO JAVA:
  Importing the BI JAVA Certificate to the SAP NetWeaver 2004s Portal (SAP EP 7.0)
         1.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%admingo.bat.
         2.      Connect to the portal server.
         3.      Choose  are the values of and of certificate SAPLogonTicketKeypair-cert (see above).
  You also have to add these values under evaluate_assertion_ticket:
     13.      Start the SAP J2EE Engine Administrator with %INSTALLATION_ROOT%admingo.
     14.      Connect to the portal server.
     15.      Choose  (for example, CN=J2E)
  Any clue?
  Regards

  Hi Jorge,
  if the UME is used with an ABAP based system as the back-end user storage, do the following:
  Generate and export the Portal Certificate:
  Go to Visual Administrator
  Choose <SID> - Server - Services - Key Storage - from the tree Select the view TicketKeystore under Views
  If the SAPLogonTicketKeypair exist, delete it.
  If the SAPLogonTicketKeypair-cert exist, delete it.
  Generate a portal certificate using the following steps:
  Under Entry choose Create.
  Enter the folowing values in u201CKey and Certificate Generationu201D
  Organization Unit Name (OU) = J2EE
  Common Name (CN) = <SID>
  Entry Name = SAPLogonTicketKeypair
  Store Certificate: X
  Algorithm: DSA
  Click u201CGenerateu201D
  Import the Portal Java Certificate into ABAP
  STRUSTSSO2
  System PSE:
  u201CImport Certificateu201D - Choose your exported .crt file - File format = Binary
  Click u201CAdd to Certificate Listu201D
  Click u201CAdd to ACLu201D - System ID = <SID>, Client = 000
  save it.
  Export PSE ABAP Certificate and import into J2EE Portal:
  STRUST
  Choose PSE, export it and save as <SID>.pse
  sapgenpse export_p12 -p <SID>.pse <SID>.p12
  copy the generated p12 file <SID>.p12 to J2EE Portal
  Go to Visual Administrator
  Choose <SID> - Server - Services - Key Storage - from the tree Select the view TicketKeystore under Views
  export the .p12 ABAP certificate with "Load"
  adjust com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule:
  Choose <SID> - Server - Services - Security Provider - from the components tree select evaluate_assertion_ticket
  ensure that trustediss<n>, trusteddn<n>, trustedsys<n> are correct set.
  ume.configuration.active = true.
  restart the ICM in SMICM
  If you also want to use SSL, there are some further steps to be done.
  Regards,
  Gerd

• Single Sign-On (Portal to R/3 Backend)

  Hi all,
  Iu2019m trying to implement Single Sign On (SSO) between our SAP portal (front end) and SAP R/3 ECC 6.0 Backend.  Keep in mind this has nothing to do with Active Directory.
  I read posting after posting from this site and I canu2019t tell you how much documentation and canu2019t seem to get to the root cause of the problem.
  To sum it up, the Test connections in the Portal, which there are 3 (SAP Web AS Connection, ITS Connection, and Connection Test for Connectors)
  The connection tests work for the first 2.  The one that fails is the Connector.
  The errors are not much help.  Here is what I get.
  Test Details:
  The test consists of the following steps:
  1.     Retrieve the default alias of the system
  2.     Check the connection to the backend application using the connector defined in this object.
  Results:
  1.     Retrieval of default alias successful.
  2.     Connection failed.  Make sure the Single Sign-On is configured correctly. 
  Details:       Portal Host name = lansapdep01
       Backend Host name = lansapdev01
  Property Category:  Connector
  Application Host = lansapdev01
  Gateway Host = lansapdev01
  Logical System Name = devcln150
  Remote Host type = 3
  SAP Client = 150
  SAP System ID <SID> = DEV
  System Number = 01
  Server Port 3600
  System Type =  SAP R/3

  You use Server Port 3600, message server.
  It means, while creating a system you used wrong template and picked "SAP system using dedicated application server".
  You should use "SAP system with load balancing", since message server is doing load balancing.
  Once you selected correct template you will see "Message Server" instead of App and GW servers.
  Make sure to fill in
  Group  - Logon group to use. If not defined in R3, use SPACE
  Message Server - ansapdev01
  SAP Client = 150
  SAP System ID <SID> = DEV
  Server Port 3600
  System Type = SAP R/3
  It should work.
  Regards,
  Slava

• Queries regarding Single Sign On

  Hi Experts,
  I am new to Single Sign On and have few doubts
  1)For OAM to implement single sign on across multiple applications , is it mandatory that the identity store of OAM and the application to be the same.Is it possible that the applications have their own identity store and OAM has its own and users in both the identity stores are in sync?This scenario comes into picture where for some applications the identity store is database
  2)If the first point is correct then for protecting OIM using OAM 11gR2 why do we need to enable ldap sync? can we have database as the user store for OIM and for OAM have a LDAP server for exmaple AD and then use AD connector to make sure that any users getting created in OIM is autoprovisioned to AD
  Request you to please clarify my below doubts

  Hi,
  1) No, It is not necessarily to be same identity store for OAM 11g and the applications that need to be protected. It can be different. This is the feature in OAM11g, where you can have multiple Identity stores mapped to your authentication modules.
  Yes, it is possible to have own identity store for the applications.
  Oracle provides inbuilt authentication modules only for LDAP, Kerberos and X.509. If you want OAM to authenticate against Database then you need write your own Database Authentication Module.
  Clients will always prefer Out of the box functionalities as there might not be support provided if any issues faced. If client want to built in their own mechanism then oracle will not support.
  That's why most of them goes for Ldap Sync which is inbuilt functionality.
  2) You can build your own Authentication module for OIM. Again it is time consuming process to decide on the Error Handling and the logic to build the module. It is better to go LDAP Sync.
  Hope this clarifies.

• Single sign-on using Kerberos and Ldap

  I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
  The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
  I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
  I have the Kerberos authentication and part of the Ldap service working via pam & nss.
  ie. I can logon to the solaris worksatations using the AD username and password, mount the home directory from a M$ NFS server.
  BUT...
  id gives:- userID, groupID (primary group only)
  groups :- primary group only. (no secondary groups are listed)
  Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
  Thanks in advance for any help.

  After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to endup with a similar solution..
  Sadly enough, the MS AD seems much more stable and easier to handle than Suns DS, kerberos and associated services.
  Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; its easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
  //M.

• How to single sign off from all integrated forms with application server

  Hi!
  I deployed two forms form1 and form 2 on oracle application server 10g.
  The i created user in oid and created two data sources for these two forms to have data from database .
  I enabled single sign on on the formsweb.cfg file ,Now single sign on is working fine .
  When i try to open any form it promt me the SSO page after successful login it opens the form but problem is that now how do i log out so that when i logout from one form i should logout from other form as well using single sign off
  please can anybody help...

  Hello Anoop,
  The folowing link describes how to setup SSO between two portal.
  http://help.sap.com/saphelp_nw04s/helpdata/en/43/2232900bb93fece10000000a11466f/frameset.htm
  Regards
  Deb
  [Reward Points for helpful answers]

• Single Sign On WiFi issue

  Hi folks!
  I've got the most frustrating issue I've ever experienced. Single Sign on for my wireless clients (laptops/tablets). It's literally hit or miss whether it happens or not.
  The most recent one is a rebuild of an ASUS T100TA. I installed 8.1 Pro from USB stick and used a USB LAN Adapter to connect the client to the domain the first time and to refresh GPs for the first few hours of use. After that, the device was to go to a
  new user who would be able to login via the Wireless settings being rolled out via GPO - see settings below.
  Now, I know the profile is 100% correct, as once logged in, the SSID is magically connected (based on the GPO settings to connect immediately, not seen in the image). Users have full access to any/all network services.
  But see to log a new user onto the device, I get connecting, then "Unable to connect to SSID. Logging on", and finally the dreaded There are no logon servers available message.
  But that's not strictly true either, as all my tested BEFORE
  sending to the site/user were successful. And even once on site, one of the admin staff logged in to test it (mustn't have trusted me :/) with 100% success. Logged her in without her ever being logged onto it before. But the following day, when the device's
  owner arrived and logged on, the bloody nope train arrived again, and it's been like that ever since. But once I log on with a cached profile, boom, WiFi connects via the GPO settings without an issue. There is another identical device in the same office and
  it works without an issue.
  Without sounding dramatic, I can find absolutely no one else that has experienced the same issues as I'm having and it's starting to look like the window and ground will be the destination for the wee tablet if it doesn't start to play ball.
  Any help would be so appreciated.
  Cheers!

  Hi Goducks90,
  We'd better start your own thread for the others to be better involved. As the issue is different from many aspects.
  Also please have a share with the current situation and what steps you have tried for the folks to share a quick and helpful suggestions. We may follow the suggestions in the thread below to ask in TechNet:
  How to ask a question efficiently in TechNet forum
  Best regards
  Michael Shao
  TechNet Community Support

• BPM - Alert Inbox - Detail List - Single Sign on

  Hi
  I have some issues with single signon and the detail list in the alert inbox.
  When I click the details list, it should open the list on the managed system, but for some reason it only takes me to the login screen of the managed system. I would like to get straight into the list in the managed system, since trusted RFC and SSO has allready been setup.
  I have seen it working with the SSO.
  Has anyone experienced this and/or know of a Solution? Maybe just a hint into what could be missing.
  Kindly Regards

  hi,
  sso configuration taken over by solman_setup.
  hence make sure managed system configuration -> step 'single sign on setup' successfully completed or not.
  Thanks
  Jansi

• Oracle E-Business Suite account has not been linked with the Single Sign-On

  We followed this note 1484024.1 to integrate Oracle EBS 12.1.3 with Oracle Access manager 11g R2.
  Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite Access Gate [ID 1484024.1]
  All the steps have been complete successfully without any errors.
  When the excisistign users trying to login.. they will get the single single OAM page but not able to use their current user id and passwords..
  it says: "Your Oracle E-Business Suite account has not been linked with the Single Sign-On account that you just entered. Please enter your Oracle E-Business Suite information. The next time you sign on with your Single Sign-On account, it will automatically sign you on to the Oracle E-Business Suite using the following account information. "
  Any help greatly appreciated.
  Thanks!

  Hi,
  it says: "Your Oracle E-Business Suite account has not been linked with the Single Sign-On account that you just entered. Please enter your Oracle E-Business Suite information. The next time you sign on with your Single Sign-On account, it will automatically sign you on to the Oracle E-Business Suite using the following account information. "this is expected, if you are linking your existing OID users with existing EBS users.
  When it asks the user information here, enter the EBS username and password.
  The first time users login to ebs, it needs to link that particular usre with a particular.
  The next time you login, it does auto link.
  Please see "Applications SSO Auto Link User (APPS_SSO_AUTO_LINK_USER)" in
  http://docs.oracle.com/cd/E18727_01/doc.121/e12843/T156458T465432.htm
  Thanks