E1: SEC: Security History Log Shows a "Success" Log When An Expired or Disabled SSO User Signs In (Doc ID 1263459.1)

Last updated on MAY 30, 2017

Applies to:

JD Edwards EnterpriseOne Tools - Version 8.98 and later
Information in this document applies to any platform.

Goal

The security history log incorrectly records "Success" when an expired or disabled SSO user ID signs in. For non-SSO IDs, it was confirmed that expired IDs (Status 03) are still logged as successfully signed on (when on an HTML Client) in the Security History table (F9312) as long as the username and password are both correct. Although these sign-ins are logged as successful, the users do not have access if their environments/role were removed (which is part of the expiration process). As a workaround, the E1 password is reset upon expiry.

For SSO IDs, on the other hand, resetting the password is not a relevant workaround, given the nature of single sign-on. Having expired users logged as successful in JDE equates to information exposure. Therefore, although the expired users were technically not able to enter JDE (having no role or environments), the faulty logs remain questionable.

Because these IDs are SSO, a user who logs into the system is automatically directed to the environment selection window, and the history log records "Success" for expired, disabled, and active users alike. Is there a way or workaround to make the history log show a "failure" when an expired or disabled SSO user signs in? For non-SSO IDs, we identified a workaround: resetting the user's E1 password when expiring an ID.
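A compensating check for the logging gap described above, as an added example that is not Oracle's solution or code from this document: it flags "Success" history entries whose user was already expired or disabled at sign-in time. The record layout, the status-change feed and every status code other than 03 are assumptions; the real F9312 column names are not shown on this page.

```python
from bisect import bisect_right
from datetime import datetime as dt

# Status codes: "03" (expired) is from the page; "01" active and "02" disabled
# are assumptions made for this example.
INACTIVE = {"03": "expired", "02": "disabled"}

def status_at(changes, ts):
    """Status in effect at ts, given (effective_time, status) pairs sorted by time."""
    idx = bisect_right([when for when, _ in changes], ts) - 1
    return changes[idx][1] if idx >= 0 else None

def flag_inactive_successes(history, status_changes):
    """Return 'Success' sign-in events whose user was not active at sign-in time."""
    findings = []
    for ev in history:
        if ev["result"].strip().lower() != "success":
            continue  # failures are already logged the way an auditor expects
        changes = sorted(status_changes.get(ev["user"].upper(), []))
        status = status_at(changes, ev["ts"])
        if status is None:
            # A success for an ID with no status history is also worth review.
            findings.append({**ev, "reason": "no status record"})
        elif status in INACTIVE:
            findings.append({**ev, "reason": INACTIVE[status]})
    return findings

# Constructed sample data (hypothetical layout, not real F9312 columns).
SAMPLE_STATUS = {
    "ALICE": [(dt(2017, 1, 1), "01")],
    "BOB": [(dt(2017, 1, 1), "01"), (dt(2017, 5, 1), "03")],
    "CAROL": [(dt(2017, 1, 1), "01"), (dt(2017, 4, 15), "02")],
}
SAMPLE_HISTORY = [
    {"user": "ALICE", "result": "Success", "ts": dt(2017, 5, 2, 9, 0)},
    {"user": "BOB", "result": "Success", "ts": dt(2017, 4, 30, 8, 0)},   # before expiry
    {"user": "BOB", "result": "Success", "ts": dt(2017, 5, 2, 8, 0)},    # after expiry
    {"user": "carol", "result": "Success", "ts": dt(2017, 5, 3, 8, 0)},  # disabled
    {"user": "CAROL", "result": "Failure", "ts": dt(2017, 5, 3, 8, 5)},
]

if __name__ == "__main__":
    for f in flag_inactive_successes(SAMPLE_HISTORY, SAMPLE_STATUS):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']}: Success logged, user status: {f['reason']}")
```

Evaluating status as of the event timestamp keeps sign-ins that happened before the expiry date from being reported.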


Solution
