In one of my SSO implementations in a UAT environment, a few of the users suddenly started complaining of the error below. Upon analysis, I noticed that FND_USER.USER_GUID had been updated with wrong values which did not match OID. Also, local users in EBS had somehow been updated, which was not the case at the time of implementation.
Your Oracle E-Business account has not been linked with the Single Sign-On account that you just entered.
Please enter your Oracle E-Business Suite information. The next time you sign on with your SIngle sign-on account,
it will automatically sign you on to the Oracle E-Business Suite using the following account information.
The root cause of the issue was that the Java command “oracle.apps.fnd.oid.AppsUserExport” was used with “-g” to export existing EBS users in order to bulk-load them to Oracle Internet Directory (OID).
export CLASSPATH=$CLASSPATH:$JAVA_TOP/oracle/apps/fnd/oid/.:.
java oracle.apps.fnd.oid.AppsUserExport -v -dbc $FND_SECURE/<SID>.dbc -o <directory>/users.txt -pwd <password> -g -l <directory>/users.log
The “-g” option of AppsUserExport updates FND_USER.USER_GUID for those records that meet all of the following conditions:
a. FND_USER.USER_GUID is null
b. Profile option APPS_SSO_LOCAL_LOGIN <> ‘LOCAL’
c. APPS_SSO_LDAP_SYNC = ‘Y’
The important thing to note here is that running AppsUserExport with the “-g” option is meant for moving the users into OID while retaining the GUIDs from the Apps instance.
That way, some users are created in OID with the same GUIDs as those of the users in FND_USER, and hence they match.
The “-g” (generate GUID) option is the default.
The solution is to use the “-ng” option of AppsUserExport if the customer is not supposed to bulk-load the exported users into the synchronized OID. “-ng” stands for “no generate guid”.
export CLASSPATH=$CLASSPATH:$JAVA_TOP/oracle/apps/fnd/oid/.:.
java oracle.apps.fnd.oid.AppsUserExport -v -dbc $FND_SECURE/<SID>.dbc -o <directory>/users.txt -pwd <password> -ng -l <directory>/users.log
Use the FNDSSOUU.SQL script to set the USER_GUID field in FND_USER to NULL for each user with GUID fields that do not match.
SQL> @$FND_TOP/patch/115/sql/fndssouu.sql USER_NAME
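To find which users need that reset, the following added example (not part of the original post or of Oracle's tooling) compares a USER_NAME/USER_GUID export from FND_USER against an LDIF export of uid and orclguid from OID. It assumes uid is the OID attribute that carries the EBS user name; the sample data, function names and export formats are constructed for illustration.

```python
import csv
import io

# Constructed sample: spool of SELECT user_name, user_guid FROM fnd_user
FND_USER_CSV = """USER_NAME,USER_GUID
JSMITH,A1B2C3D4E5F60718293A4B5C6D7E8F90
MBROWN,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
LOCALADMIN,0123456789ABCDEF0123456789ABCDEF
SYSADMIN,
"""
# Constructed sample: LDIF export from OID (second GUID is line-folded)
OID_LDIF = """dn: cn=jsmith,cn=users,dc=example,dc=com
uid: jsmith
orclguid: a1b2c3d4e5f60718293a4b5c6d7e8f90

dn: cn=mbrown,cn=users,dc=example,dc=com
uid: mbrown
orclguid: 11112222333344445555
 666677778888
"""

def parse_oid_ldif(text):
    """Return {USER_NAME: GUID}, both upper-cased, from plain-text LDIF."""
    guids = {}
    # LDIF folds long values onto continuation lines that start with a space.
    for entry in text.replace("\n ", "").split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                attrs[name.lower()] = value.strip()
        if "uid" in attrs and "orclguid" in attrs:
            guids[attrs["uid"].upper()] = attrs["orclguid"].upper()
    return guids

def classify(fnd_csv, oid_ldif):
    """Sort FND_USER rows by how their USER_GUID relates to OID."""
    oid = parse_oid_ldif(oid_ldif)
    report = {"ok": [], "mismatch": [], "not_in_oid": [], "unlinked": []}
    for row in csv.DictReader(io.StringIO(fnd_csv)):
        user, guid = row["USER_NAME"].upper(), row["USER_GUID"].strip().upper()
        key = ("unlinked" if not guid else "not_in_oid" if user not in oid
               else "ok" if oid[user] == guid else "mismatch")
        report[key].append(user)
    return report

def reset_candidates(report):
    """fndssouu.sql calls to review for users whose GUID OID does not back."""
    users = sorted(report["mismatch"] + report["not_in_oid"])
    return [f"@$FND_TOP/patch/115/sql/fndssouu.sql {u}" for u in users]

if __name__ == "__main__":
    print("\n".join(reset_candidates(classify(FND_USER_CSV, OID_LDIF))))
```

Users reported as not_in_oid are local EBS accounts that carry a GUID with no OID entry behind it, which is the symptom described at the start of this post; review them before resetting.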
Hope it helps.