In-Depth: Using Third-Party Identity Managers with the E-Business Suite Release 11i

Like most of our customers, you probably already have a corporate identity management system in place.  And, you've probably not been enjoying the experience of redundantly administering the same user in your corporate identity management system as well as the E-Business Suite. 


If this describes your environment, this post should come as good news to you. 

No More Redundant User Administration

With the certification of Oracle Application Server 10g and Single Sign-On 10g, it is now possible to integrate the E-Business Suite with existing third-party LDAP and single sign-on solutions, like this:

[Diagram: Simple Third-Party LDAP SSO Integration]

Third-party single sign-on solutions can be integrated with Oracle Single Sign-On 10g, and third-party LDAP directories can be integrated with Oracle Internet Directory 10g.  From there, it's a short hop to the E-Business Suite.

Example Scenario:  The Deluxe "Zero Sign-On" Approach

A user logs on to their PC using their Windows userid and password.  Wanting to avoid real work, the user decides to file a long-overdue expense report for last year's OpenWorld conference.  He starts Internet Explorer, opens Favorites, and selects a bookmarked link for the E-Business Suite's Self-Service Expenses.

Self-Service Expenses starts up, and the user begins the process of assembling rationalizations to justify that $450 dinner at Jardiniere with their favorite Oracle blogger.

(This is a fictional example, of course; nobody takes bloggers out to dinner)

We sometimes call this "zero sign-on" because the user never explicitly logged on to any Oracle system at all: the Kerberos ticket obtained at Windows logon authenticated them to the E-Business Suite automatically.  Note that it only authenticated them.  What they are allowed to do once inside is still decided by their Applications Responsibilities, as described below.

Magic?  What Really Happened?

Brace yourself: some of the following material might require a couple of passes to sink in.

The scenario above illustrates the following integrations:
  • Microsoft Active Directory with Oracle Internet Directory 10g
  • Microsoft Kerberos Authentication with Oracle Single Sign-On 10g
  • Oracle Application Server 10g with the E-Business Suite

[Diagram: MS AD + Kerberos Integration]

The user logged on to their PC, which authenticated them against Microsoft Active Directory.  As part of that logon, the Active Directory domain controller, acting as the Kerberos Key Distribution Center, issued the user a Kerberos ticket-granting ticket.

When the user attempted to access Self-Service Expenses via his bookmarked link, he was redirected to Oracle Single Sign-On 10g.  Single Sign-On, configured for Windows Native Authentication, challenged the browser to negotiate (HTTP Negotiate, i.e. SPNEGO); the browser used the ticket-granting ticket to obtain a Kerberos service ticket for the Single Sign-On server and presented it.  Single Sign-On validated that ticket, mapped the Kerberos principal to the matching user entry in Oracle Internet Directory, issued its own Oracle security tokens to the user, and redirected the user back to the E-Business Suite.

The E-Business Suite recognized the Oracle Single Sign-On 10g security tokens and looked up the user's assigned Applications Responsibilities to ensure that he was authorized to access Self-Service Expenses.  That done, it issued its own E-Business Suite security tokens and then passed the user through to Self-Service Expenses without requiring any additional logons.
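
A check worth having when setting up this Kerberos path, added here as an example (it is not code from the original post or from Oracle): Windows Native Authentication only works if the browser actually presents a Kerberos ticket.  If the browser cannot obtain one (most often because the Single Sign-On host's HTTP/ service principal is not registered in Active Directory), Internet Explorer falls back to NTLM inside the same "Authorization: Negotiate" header, and the user gets a login prompt or an error with no obvious cause.  The parser below classifies a captured Negotiate header value by decoding its GSS-API/SPNEGO structure and listing the mechanisms the client offered, so the two cases can be told apart from a web server log or a proxy capture.  The sample tokens are constructed (minimal NegTokenInit structures and a bare NTLMSSP message), not captured from a real system.

```python
"""Classify the token in an 'Authorization: Negotiate <base64>' header.

Added example, not code from the original post or from Oracle.  With Windows
Native Authentication the browser should present a SPNEGO token whose mechTypes
list leads with Kerberos; when no ticket is available Internet Explorer falls
back to NTLM and zero sign-on silently breaks.  This tells the cases apart.
"""
import base64

# GSS-API mechanism OIDs (RFC 4178 SPNEGO, RFC 1964 Kerberos, MS-SPNG, MS-NLMP).
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                    # long form: low 7 bits = length of length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """DER OID contents to dotted form, e.g. 2a864886f712010202 -> 1.2.840.113554.1.2.2."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:              # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def classify_negotiate_token(header_value):
    """Return (outer_mechanism, offered_mechanisms) for a Negotiate header value.

    outer_mechanism is 'NTLMSSP' for a bare NTLM message, otherwise the GSS-API
    mechanism of the initial context token ('SPNEGO' or 'Kerberos V5').  For
    SPNEGO, offered_mechanisms is the client's mechTypes list in preference order.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):          # NTLM without a SPNEGO wrapper
        return "NTLMSSP", []
    tag, body, _ = _read_tlv(token, 0)               # RFC 2743 3.1 InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    oid_tag, oid_raw, pos = _read_tlv(body, 0)       # thisMech OID
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    outer = MECH_NAMES.get(_decode_oid(oid_raw), _decode_oid(oid_raw))
    if outer != "SPNEGO":
        return outer, []
    # NegotiationToken [0] NegTokenInit ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, neg_init, _ = _read_tlv(body, pos)
    _, fields, _ = _read_tlv(neg_init, 0)
    ctx_tag, mech_types, _ = _read_tlv(fields, 0)
    if ctx_tag != 0xA0:
        return outer, []
    _, oids, _ = _read_tlv(mech_types, 0)
    offered, pos = [], 0
    while pos < len(oids):
        _, oid_raw, pos = _read_tlv(oids, pos)
        offered.append(MECH_NAMES.get(_decode_oid(oid_raw), _decode_oid(oid_raw)))
    return outer, offered


def kerberos_negotiated(header_value):
    """True only when the client leads with Kerberos, i.e. zero sign-on can work."""
    outer, offered = classify_negotiate_token(header_value)
    return outer == "Kerberos V5" or (
        outer == "SPNEGO" and bool(offered) and offered[0].endswith("Kerberos V5"))


# Constructed sample tokens (not captured from a real system): minimal NegTokenInit
# structures carrying only a mechTypes list, and a bare NTLMSSP NEGOTIATE message.
SAMPLE_SPNEGO_KERBEROS = bytes.fromhex(
    "6032" "06062b0601050502" "a028" "3026" "a024" "3022"
    "06092a864882f712010202" "06092a864886f712010202" "060a2b06010401823702020a")
SAMPLE_SPNEGO_NTLM = bytes.fromhex(
    "601c" "06062b0601050502" "a012" "3010" "a00e" "300c" "060a2b06010401823702020a")
SAMPLE_RAW_NTLM = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(16)


def negotiate_header(token):
    """Wrap a raw token the way the browser sends it."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    for token in (SAMPLE_SPNEGO_KERBEROS, SAMPLE_SPNEGO_NTLM, SAMPLE_RAW_NTLM):
        hdr = negotiate_header(token)
        print(classify_negotiate_token(hdr), "kerberos" if kerberos_negotiated(hdr) else "FALLBACK")
```

A healthy Windows client lists the Microsoft Kerberos OID first, then the standard Kerberos OID, then NTLMSSP; a client that leads with NTLMSSP, or sends a bare NTLMSSP message, has not obtained a ticket, and the fix is on the Active Directory side (service principal registration, clock skew, or the browser's zone settings), not in the Oracle configuration.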

Integration with Microsoft Active Directory Only

Not everyone uses Microsoft Kerberos Authentication.  A simpler integration option omits Kerberos and includes only Microsoft Active Directory and Oracle Internet Directory, like this:

[Diagram: MS AD Only - No Kerberos]

In this simpler architecture, when the user attempts to access Self-Service Expenses via his bookmarked link, he's redirected to OracleAS Single Sign-On 10g.  Single Sign-On displays a login screen and collects the user's ID and password.

Single Sign-On passes the user's supplied ID and password to Oracle Internet Directory for validation.  Oracle Internet Directory uses its Active Directory external authentication plug-in to delegate the password check to Microsoft Active Directory.  (This plug-in is distinct from Windows Native Authentication, the Kerberos-based Single Sign-On feature used in the zero sign-on scenario above; the two are easily confused.)

Microsoft Active Directory verifies the supplied ID and password against its own account store and tells Oracle Internet Directory whether the user authenticated.  Oracle Internet Directory in turn informs Single Sign-On that the user was successfully authenticated.  Because the cleartext password travels from the browser to Single Sign-On, on to Oracle Internet Directory and finally to Active Directory, each of those hops should be protected with SSL/TLS (HTTPS to Single Sign-On, LDAP over SSL between the directories).

Single Sign-On issues the user a set of security tokens and redirects the user to the E-Business Suite.  The E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities to ensure that he's authorized to access Self-Service Expenses.  That done, it issues its own E-Business Suite security tokens and then passes the user through to Self-Service Expenses.

"Out-of-the-box" Third-Party LDAP Integration with Oracle Internet Directory

Due to the popularity of Microsoft Active Directory, Oracle Internet Directory provides a prebuilt connector out-of-the box, ready to use.

Oracle Internet Directory also provides a prebuilt connector for the SunONE (iPlanet) Directory Server, ready-to-use.  You should note that Sun (like Oracle, following its myriad recent acquisitions) has rebranded its identity management products, so there's a new name for the Sun LDAP directory now.  I'll update this post with the latest name as soon as my Sun contacts provide me with that information.

Synchronization of User Credentials with Third-Party LDAP Directories

If you've been paying close attention so far, you have likely gathered that user identities need to be synchronized between the third-party LDAP, Oracle Internet Directory, and the E-Business Suite.  The synchronization architecture looks like this:

[Diagram: Third-Party LDAP User Sync]

In this configuration, only the user name needs to be synchronized; the user's password is stored in the third-party LDAP directory.  None of the Oracle products need to store the user's password, since they delegate user authentication to the third-party LDAP solutions.

The key concept here is that user authentication is still separated from user authorization even when a third-party LDAP is in place.  So, the E-Business Suite still grants authenticated users access to E-Business Suite protected content based on the users' Applications Responsibilities, which are managed in the E-Business Suite exclusively.
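
Because only account names flow down the chain, the thing to verify in production is that the chain stays consistent, particularly for leavers: an account disabled or deleted in Active Directory should end up end-dated in FND_USER, since that is where its Responsibilities live.  The script below is an added example (not from the original post or from Oracle) that reconciles the three stores from exported data and reports provisioning lag in one direction and orphaned E-Business Suite accounts in the other.  It assumes the attribute mapping sAMAccountName to OID uid to FND_USER.USER_NAME (which the E-Business Suite stores upper-cased), and uses small constructed LDIF extracts and FND_USER rows in place of real exports.

```python
"""Reconcile the identity chain Active Directory -> OID -> FND_USER.

Added example; not code from the original post or from Oracle.  Assumed
mapping: AD sAMAccountName is synchronized to OID 'uid' by the Directory
Integration Platform, and OID 'uid' becomes FND_USER.USER_NAME (upper-cased)
by E-Business Suite provisioning.  All input data below is constructed.
"""
from dataclasses import dataclass

UF_ACCOUNTDISABLE = 0x0002              # userAccountControl bit: account is disabled
LOCAL_ACCOUNTS = {"SYSADMIN", "GUEST"}  # EBS-only accounts never sourced from AD

# Constructed LDIF extract of Active Directory (what DIP would read).
AD_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
userAccountControl: 512

dn: CN=Bob Lee,OU=Users,DC=example,DC=com
sAMAccountName: blee
userAccountControl: 514

dn: CN=Pat Smith,OU=Users,DC=example,DC=com
sAMAccountName: psmith
userAccountControl: 512

dn: CN=New Hire,OU=Users,DC=example,DC=com
sAMAccountName: nhire
userAccountControl: 512
"""

# Constructed LDIF extract of Oracle Internet Directory after synchronization.
OID_LDIF = """\
dn: cn=jdoe,cn=Users,dc=example,dc=com
uid: jdoe

dn: cn=blee,cn=Users,dc=example,dc=com
uid: blee

dn: cn=psmith,cn=Users,dc=example,dc=com
uid: psmith

dn: cn=oldtimer,cn=Users,dc=example,dc=com
uid: oldtimer
"""

# Constructed FND_USER rows: (USER_NAME, END_DATE or None when still active).
FND_USER_ROWS = [
    ("JDOE", None), ("BLEE", None), ("OLDTIMER", None),
    ("SYSADMIN", None), ("LEFT2005", "2005-12-31"),
]


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute name -> first value.

    Handles plain 'attr: value' lines only (no base64 '::' values or folded
    continuation lines), which is all these extracts contain.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), value.strip())
    if current:
        entries.append(current)
    return entries


@dataclass
class Report:
    not_in_oid: set       # enabled in AD, DIP has not synchronized yet
    not_in_fnd: set       # in OID, EBS provisioning has not created the account
    orphaned_in_fnd: set  # active in FND_USER with no AD source: end-date these
    disabled_in_ad: set   # disabled in AD but still active in FND_USER: end-date too


def reconcile(ad_ldif, oid_ldif, fnd_rows, local_accounts=LOCAL_ACCOUNTS):
    """Compare the three stores.  Names are upper-cased because EBS stores them
    that way and AD treats sAMAccountName case-insensitively."""
    ad = {e["samaccountname"].upper(): int(e["useraccountcontrol"])
          for e in parse_ldif(ad_ldif)}
    oid = {e["uid"].upper() for e in parse_ldif(oid_ldif)}
    active_fnd = {name.upper() for name, end in fnd_rows if end is None} - local_accounts
    ad_enabled = {name for name, uac in ad.items() if not uac & UF_ACCOUNTDISABLE}
    return Report(
        not_in_oid=ad_enabled - oid,
        not_in_fnd=oid - active_fnd,
        orphaned_in_fnd=active_fnd - set(ad),
        disabled_in_ad=active_fnd & (set(ad) - ad_enabled),
    )


if __name__ == "__main__":
    report = reconcile(AD_LDIF, OID_LDIF, FND_USER_ROWS)
    for field_name, names in vars(report).items():
        print(f"{field_name:16s} {sorted(names) or '-'}")
```

The two "end-date these" buckets are the ones that matter for security: an E-Business Suite account whose Active Directory source is gone or disabled can no longer be authenticated through the delegation chain, but its Responsibilities remain assigned, and it becomes a live account again the moment anyone enables local E-Business Suite authentication for it or re-creates the same name in the directory.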

Integration With Other Single Sign-On Solutions

It is also possible to integrate Oracle Single Sign-On 10g with other single sign-on solutions, including:
When integrated with other single sign-on solutions, a chain of trust is established between the third-party product, Oracle Single Sign-On, and the E-Business Suite: each link accepts the previous link's session token as proof of authentication, so the third-party product becomes the sole point at which credentials are actually checked.  Users logging on via the third-party single sign-on solution are passed through transparently to Oracle Single Sign-On and the E-Business Suite.

Bringing It All Together

Assuming I haven't lost you so far, the following diagram shouldn't be too overwhelming:

[Diagram: Combined 3rd Party LDAP SSO]

This combines all of the concepts we've covered:
  • Third-party LDAP integration with Oracle Internet Directory
  • Third-party SSO integration with Oracle Single Sign-On
  • Synchronization of user identities via Oracle Internet Directory's Directory Integration and Provisioning platform to the E-Business Suite

Relax, It's Easy and Fun

Well, maybe not... but at least it's technically feasible.  You might find it reassuring to note that a number of E-Business Suite customers are running this configuration in production already. 

This is about as much detail as I think is appropriate for now.  Feel free to post comments if you have questions about this topic. 

There are many more options for integration with the E-Business Suite, including options for linking OID userids to different E-Business Suite userids, and so on.  If you're really interested, I'd recommend a careful reading of this document:

Comments (36)

Paul Murgatroyd:

Wow! That must have been some dinner! Sure tops the $25 Hamburger I had in New York!

Of course, down here in Australia we are not significant enough to warrant an OpenWorld Conference on an annual basis. That stopped back in 1999, then we had a "one off" event in 2004 and have not heard a peep since :-(

Paul

Steven,

Can you please also add a pic of yours to this blog.

thanks

Steven Chan:

I'll pass on that one, Sunil, but thanks for the suggestion.

Regards,
Steven

Hi Steve,
Can you explain how a Java thick client running on a PC can connect to Oracle Applications? There is this Windows-based program called Noetix Views Generator that accepts the Oracle Apps user-id and password, and it authenticates the user and I believe is able to connect as an APPS user (database id). I think it must be using the applsyspub/apps gateway userid and password but I'm not sure how it manages to create a database session with the APPS user.

Can you please explain the process or at least point to the right source.

Thanks and Regards
Nilesh

Steven Chan:

Nilesh,

That sounds like it's plausible, but unfortunately I'm not familiar with Noetix's underlying connection mechanisms.  Someone at Noetix may be able to comment on this more authoritatively than I.

Regards,
Steven

Steven, we use Microsoft's Active Directory for authentication and are looking at using the Deluxe "Zero Sign-On" Approach but have questions. If we were to use the Desktop Discoverer 10g (in application mode) and ADI clients how can we include them in the SSO solution?
Possible thoughts are:
The Desktop client - can it use the Kerberos ticket?
Can we sync the Active Directory password with the FND_USER table?

Thanks,
Rob

Steven Chan:

Rob,

Hmm... good question.  In a non-Kerberos environment, I know that both the Desktop Discoverer and ADI clients are definitely unable to take advantage of the SSO solution (which depends on HTTP level redirects).  However, I'm not familiar enough with the Kerberos ticket exchange process (and state management) to make a definitive statement about authentication flow in that configuration.  I would strongly suspect that this wouldn't work, but it can't hurt for you to assess this in a controlled testbed environment.

If it fails, your best option may be to evaluate the Web-based Discoverer and WebADI versions.  There are admittedly functional gaps between those releases and their client-server counterparts, but those may be more palatable than the management implications of local authentication and dual-management of passwords.

As for syncing the Active Directory password with FND_USER for local authentication, I believe that's not possible.  Like Oracle Internet Directory, MS Active Directory hashes user passwords, so they can't be decrypted and synced externally.

I'd be very interested to hear how this works out for you.  Please drop me a line with the results of your investigations.

Regards,
Steven

Steven, how about this as away out:
Oracle Identity Management Integration Guide
10g (10.1.4.0.1)
Part Number B15995-01

What is the Oracle Password Filter for Microsoft Active Directory?
Oracle Directory Integration Platform enables synchronization between Oracle Internet Directory and Microsoft Active Directory. The Oracle Directory Integration Platform can retrieve all Microsoft Active Directory attributes with the exception of user passwords. Oracle Application Server Single Sign-On uses an external authentication plug-in to verify user credentials in Microsoft Active Directory. Environments that do not use Oracle Application Server Single Sign-On can use the Oracle Password Filter for Microsoft Active Directory to retrieve passwords from Microsoft Active Directory into Oracle Internet Directory. When users change their passwords from their desktops, the updated password is automatically synchronized with Oracle Internet Directory. More specifically, the Oracle Password Filter for Microsoft Active Directory monitors Microsoft Active Directory for password changes, which it then stores in Oracle Internet Directory. This allows Oracle Internet Directory users to be authenticated with their Microsoft Active Directory credentials and authorized to access resources by using information stored in Oracle Internet Directory. Storing Microsoft Active Directory user credentials in Oracle Internet Directory also provides a high availability solution in the event that the Microsoft Active Directory server is down. The Oracle Password Filter is installed on each Microsoft Active Directory server and automatically forwards password changes to Oracle Internet Directory.

Question:
Can we get the source for this to add sending the password to FND_USER?

Thanks

Rob

Steven Chan:

Rob,

This filter will allow the MS AD password to be provisioned to OID before it's irrevocably hashed.  There are two catches:  a) OID, in turn, irrevocably hashes the password, and b) we don't provision passwords from OID to FND_USER.

Unfortunately, Oracle's policies prevent the distribution of our source code, also.  So, back to the fallback option: If there are mission-critical functional gaps between the fat-client Discoverer and the web-client Discoverer, is this functionality required by all of your Discoverer end-users, or a subset of power-users?  Can you shift the majority of your users to the web-client, thereby minimizing the number of Discoverer power-users who'll need to dual-maintain their passwords in FND_USER and MS AD?

The same approach would carry for ADI vs WebADI, too.

Regards,
Steven

Steven, my management is of the opinion that there is a large functional gap between the Web VS Client based Discoverer.

So if the filter, running on the MS Domain Controller, synced to the FND_USER table as well as the OID then we could have "Same Sign-On", in that the same ID/Password pair makes the user experience very smooth in MSAD, OID and Desktop Discoverer. I guess at this point this is a product enhancement request that the filter can sync not only to the OID but also the FND_USER if setup accordingly.

Thanks

Rob

Steven Chan:

I can appreciate your management's concerns about the functional gaps.  If you've the energy for it, it would be worthwhile logging separate Service Requests for:  a) narrowing the key functional gaps for Discoverer, and b) the enhancement request for the MS AD password filter.

The odds are that there won't be an immediate response from the respective Development teams for these products, but enhancement requests are more likely to be placed in a priority queue if lots of customers call for them.

Regards,
Steven

Steven Chan:

John,

Just a reminder about terminology:  Oracle Internet Directory (OID) is just an LDAP directory.  Oracle Single Sign-On prompts for the user credentials before passing them to Oracle Internet Directory for authentication.

E-Business Suite 11i will always redirect authentication requests to Oracle Single Sign-On, but that's not really a problem.  My experience with Tivoli Access Manager (TAM) is limited, but I'll take a shot at this, based on my limited understanding.  One option for deploying TAM is via a web listener plug-in.  I believe that this plug-in can be installed on the Oracle HTTP Server (based on Apache) which fronts for Oracle Single Sign-On 10g.  This way, TAM intercepts and screens all traffic to Oracle Single Sign-On.

When an unauthenticated end-user attempts to access the E-Business Suite, the E-Business Suite redirects to Oracle Single Sign-On.  In a TAM-integrated architecture, these SSO-redirects would be redirected, in turn, to TAM, which acts as the sole authentication point.  The user logs into TAM, gets a TAM session cookie, and then redirects back to Oracle Single Sign-On.  Oracle Single Sign-On recognizes the TAM session cookie, issues its own, then redirects back to the E-Business Suite.  The E-Business Suite recognizes the Oracle Single Sign-On session cookie, then issues its own.

What happens with session timeouts depends on the relative values of the E-Business Suite timeout, the Oracle Single Sign-On timeout, and the TAM timeout.  Here's a simple case:

The E-Business Suite session times out and redirects to Oracle Single Sign-On for reauthentication.  TAM ignores this because its own timeout limit hasn't been exceeded.  If the Oracle Single Sign-On timeout isn't exceeded, it reissues the Oracle Single Sign-On session cookie, redirects back to the E-Business Suite, which recognizes the Oracle Single Sign-On cookie and reissues its own.

If TAM's timeout limit has been exceeded, then it will trap the Oracle Single Sign-On request, reauthenticate the user, and redirect back to Oracle Single Sign-On, triggering the cascading reauthentication process once again.

Whew!  That's a long answer for a short question.  So, the short answer is:  I believe that this will work, but you'll want to verify this with someone who's had hands-on experience with TAM + Oracle SSO integrations.

Regards,
Steven

John Griffo:

Our customer has chosen to use Tivoli Access Manager (TAM) as their authentication mechanism. We are questioning the viability of a TAM/11i single signon construct (where OID/SSO is used in front of 11i) and would like some guidance. Initial signon to 11i seems to be relatively easy. Our concern lies in what happens if an 11i transaction fails. We think 11i requires the user to be re-authenticated and that 11i will direct the user to OID for the re-authentication. Our customer wants the re-authentication to take place at the TAM layer, not the OID layer and we believe this will require customization to accomplish. Can you confirm our thinking is accurate? If it is not accurate, can you give us some guidance on how to point 11i to TAM for re-authentication instead of pointing to OID? Thank you.

John Griffo:

Thanks for the quick reply. Does this also hold true for R12? Approximately how many customers do you know of that use TAM?

Steven Chan:

John,

This applies to both Release 11i and 12.  I only know of a handful of customers using TAM with the E-Business Suite, but can't cite them publicly here.  IBM would be tracking those more closely than us, for obvious reasons.

Regards,
Steven

Steven Chan:

Hello, Ankush,

Glad to hear that SiteMinder's working for you for your E-Business Suite environment.  I presume that you're using that with Sun's Java System Directory for LDAP, too?  What versions of the products are you using, and is this in production?

Unfortunately, since I'm part of the E-Business Suite division, I don't get a lot of exposure to Siebel CRM myself.  I understand that Siebel CRM can be integrated with Oracle Application Server 10g for SSO/OID usage.  If that's done, then the E-Business Suite and Siebel CRM can share a common Oracle identity management system, which, in turn, would delegate user authentication to SiteMinder.  That architecture would look like this:

Siebel ----+
           |
           +----> OracleAS 10g ---> SiteMinder
           |      (SSO/OID)
Apps 11i --+

You might wish to log a Service Request via Metalink to get a pointer to the Siebel + Oracle Application Server 10g integration documentation.  Good luck with that; please let me know how that works out for you.

Regards,
Steven

Hello Steven.

Can Siebel CRM (7.7) be integrated with Oracle e-Business Suite? We've already got Oracle e-Business Suite protected with SiteMinder, and it works like a charm. I was wondering if some kind of Oracle 11i / Siebel integration would let us extend SiteMinder protection to Siebel as well?

Thanks for your help; appreciate it.

regards,

Ankush

Sean:

Hi Steven,
I have successfully integrated OID/OAS 10gR2 with Microsoft AD LDAP. We use AD as the users' authentication repository. Now the management asks for using AD as the users' authentication for Oracle Apps 11.5.10. I have looked up the note: 186981.1 "Oracle Application Server with Oracle E-Business Suite Release 11i FAQ". It is advised, first to integrate OID with Apps 11i and then integrate the system of OID and 11i with AD. Since we have done the integration of OID and AD, do we need to redo the integration of OID and AD after having the integration of OID and 11i done?

Thanks in Advance.

Sean

Steven Chan:

Hi, Sean,

Congratulations on integrating Oracle Internet Directory with MS Active Directory.

No, you shouldn't have to redo any work.  At this point, you can integrate your E-Business Suite environment with Oracle Single Sign-On and Oracle Internet Directory by following Notes 233436.1 and 261914.1.  The integration of the E-Business Suite with SSO/OID will not affect your existing OID/MS AD integration.

Good luck with the next phase of your implementation.

Regards,
Steven

Steven Chan:

Hi, Sheilah,

Based on my limited understanding of the IBM products, Tivoli Access Manager (TAM) wouldn't need to know anything about the E-Business Suite.  By definition, if it intercepts Oracle calls via an Apache-based plug-in, the mechanism used is through redirects.  In this architecture where the three layers are linked, TAM's sole job is to authenticate users against its own identity store and redirect the user back to the calling source.  In this architecture, the calling source is Oracle Single Sign-On, which should recognize the TAM headers/security token and issue its own security tokens.  Oracle Single Sign-On, in turn, redirects back to the E-Business Suite, which handles the authorization stage of the process.

Now, if TAM has alternative deployment architectures that don't involve Apache plug-ins, then there may be other ways of integrating it with Oracle Single Sign-On.  If so, that's something that might be better-investigated with someone more familiar with TAM than I (I absorb most of my TAM knowledge osmotically, not through formal briefings on IBM products).  You may wish to consult with a TAM specialist for more-detailed information about their plug-in, by the way.

There's no way that I know of to integrate TAM directly with the E-Business Suite, leaving Oracle Single Sign-On out of the loop.

Good luck with your implementation.

Regards,
Steven

Sheilah Scheurich:

Mr. Chan;

I have another question in regards to your response to Mr. Griffo.

In theory - would TAMS even have to know about the Ebusiness Suite? I would think that it would only have to be aware of OID since the initial entry point is TAMS. For that reason, why would there be the need for multiple redirections? My understanding of OID is somewhat limited, as I am just in the ramp up stage, but I have to believe that there should be some way for the system to seamlessly work without much intervention. Why couldn't you simply have OID handle the Ebusiness login once the initial handoff from TAMS?

Also, you stated that he could use a plug in for the web listener, would you know off hand where that would be located?

Prakash:

Hi,

While integrating TAM with Oracle EBS we have to create 2 junctions 1) For Oracle SSO Server 2) For Oracle EBS.

Integration guide from IBM says we should use virtual junctions. Is it necessary to use Virtual junction only or we can have Transparent Junctions as well.

Thanks
Prakash

Hi, Prakash,

I'm afraid that I don't have sufficient experience with IBM's TAM to comment on the interchangeability of Virtual vs. Transparent Junctions. You might have better luck raising this with IBM Support's TAM specialists.

Good luck with this one.

Regards,
Steven

Buddhi:

We are integrating TAM and Oracle EBS.
Based on experience till now:

Only Virtual junction works (prefer SSL).
OID / OSSO needed for Oracle EBS integration.

For externalization of authentication we need to implement the IPASAuthInterface interface to get the HTTP header (in case of TAM it is iv-user).

We have followed guide given by IBM for this integration and Oracle docs. But here we have some problem.

When we use a hardcoded user id instead of getting users from the HTTP header, it's working. But when we don't hardcode it, it does not work.

In the IBM log it clearly reflects that the user id (iv-user) has been passed but somewhere it is lost at the Oracle side before reaching the custom authentication code (IPASAuthInterface).

I read some more topics in forum where other users mentioned that even they faced this problem but NO solution..

Please let us know if something needs to be done (somewhere in mod_osso etc).

Thanks in Advance

-prakash
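
The externalized-authentication design described in the comment above, where Oracle Single Sign-On learns the user's identity from an HTTP header (iv-user) inserted by the TAM junction, rests on one assumption that is easy to lose sight of while debugging a missing header: the header is only evidence of authentication if the request demonstrably came through the junction.  A custom authentication plug-in that honours iv-user from any source would let anyone who can reach the Single Sign-On server directly assert an arbitrary user.  The function below is an added example (not code from the commenter, from IBM or from Oracle, and not an IPASAuthInterface implementation) showing the decision such an authenticator should make, and separating the three outcomes that look identical from the browser: a trusted header, a forged or misrouted one, and a junction request that arrived without the header at all.  The trusted junction address range, the request model and the sample requests are constructed assumptions.

```python
"""Accept an identity header only when it arrived through the trusted junction.

Added example; not code from the commenter, IBM or Oracle, and not an
IPASAuthInterface implementation.  Models the decision an authenticator makes
when Oracle Single Sign-On is fronted by a TAM (WebSEAL) junction that inserts
the authenticated user into the 'iv-user' header.  The junction address range
and the request model are assumptions for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TRUSTED_JUNCTIONS = [ip_network("10.0.5.0/24")]  # assumed WebSEAL server addresses
USER_HEADER = "iv-user"                          # inserted by junction option -c iv_user


@dataclass
class Request:
    remote_addr: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """HTTP header names are case-insensitive; look up accordingly."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


@dataclass
class Decision:
    user: Optional[str]
    reason: str


def asserted_user(request, trusted=TRUSTED_JUNCTIONS, header=USER_HEADER):
    """Return the user asserted by the junction, or None with a diagnostic reason.

    Order matters: the source check comes first so that a forged header from an
    untrusted client is never even inspected, let alone trusted.
    """
    source = ip_address(request.remote_addr)
    if not any(source in net for net in trusted):
        return Decision(None, "rejected: request did not arrive via a trusted junction")
    value = request.header(header)
    if value is None:
        # Trusted path but no identity: the junction is not inserting the header,
        # or something between it and us stripped it.  Report what did arrive.
        seen = ", ".join(sorted(k.lower() for k in request.headers)) or "none"
        return Decision(None, f"no {header} header received from junction; headers seen: {seen}")
    user = value.strip()
    if not user or any(c in user for c in "\r\n\x00"):
        return Decision(None, "rejected: malformed username in header")
    return Decision(user.upper(), "authenticated via junction header")


if __name__ == "__main__":
    # Constructed requests: one through the junction, one forged by a client that
    # reached the server directly, one through the junction but without the header.
    for req in (Request("10.0.5.12", {"iv-user": "jdoe", "Host": "sso.example.com"}),
                Request("192.168.1.50", {"iv-user": "sysadmin"}),
                Request("10.0.5.12", {"Host": "sso.example.com"})):
        print(req.remote_addr, asserted_user(req))
```

The source-address check is the weakest acceptable binding: if a load balancer sits between WebSEAL and the Oracle HTTP Server, every request will appear to come from the balancer, and the binding has to move to something the junction alone can supply (an SSL junction with client certificate verification, or a firewall rule that lets only WebSEAL reach the listener at all).  The "headers seen" diagnostic is what distinguishes the commenter's symptom (a trusted request arriving without iv-user) from a rejected forgery.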

Steven Chan:

Prakash,

I'm afraid that I don't have any hands-on experience with this particular issue. I'd strongly recommend logging a formal Service Request via Oracle Metalink against the Oracle Single Sign-On product. That will ensure that you get an OSSO specialist engaged on the Oracle side.

Good luck with your integration.

Regards,
Steven

Prakash:

http://forums.oracle.com/forums/thread.jspa?threadID=692699&tstart=90

Any one who can give solution for this problem.

Prakash:

Hi Steven,

In this article it's mentioned that such TAM and Oracle integration has been done and you also have some references for that.

We are facing some issues, as the HTTP header information is stripped off at the Oracle end. There are some more people who are facing this problem at the Oracle end. Till now no one has got a solution on this though such integration has been done.

These are few URLs, you can reference:-

http://forums.oracle.com/forums/thread.jspa?threadID=692699&tstart=90
http://forums.oracle.com/forums/thread.jspa?threadID=374411

It would be a great help for all of us who are trying such integration if someone from Oracle could provide help / vital info.

Do we need to have some tie up or something with Oracle to get necessary help?

Thanks in advance. Would appreciate if you can share your views at

Prakash

Steven Chan:

Hi, Prakash,

I'm sorry to hear that you're struggling with this.

Your target architecture is:

EBS --> Oracle SSO --> IBM TAM

To elaborate on my comment above, my team is responsible for ensuring that the E-Business Suite works with Oracle Single Sign-On.

The Oracle Single Sign-On team is responsible for ensuring that their product works with third-party identity managers such as IBM TAM.

Since you're experiencing trouble with the SSO --> IBM TAM part of the chain, the best way of getting help with that will be to log a formal Service Request via Metalink against the Oracle SSO product.

An even better approach:

Contact IBM Software Support with the same request. Earlier this year, IBM provided me with a copy of an IBM-authored whitepaper entitled, "Tivoli Access Manager Version 6.0: Oracle E-Business Suite Integration Guide." This whitepaper has detailed technical steps on integrating these systems, and is part of a broader technical package which contains other supporting files.

Access to this whitepaper (and the technical package) is restricted to IBM registered customers, so I'm not authorized to email you a copy of this (as much as I'd like to be able to do so). I believe that you should be able to get a copy from IBM Support directly.

I'll email a copy of your request to my contacts at IBM, too.

Regards,
Steven

Prakash:

Hi Steven,

Thanks for the reply. I too have that integration guide provided by IBM as part of tie-ups. We have followed this guide only. We have raised a TAR as well, but are waiting for a response from Oracle.

Though we believe it's working, it would be great if you could share some tips on how to ensure that our Oracle EBS - Oracle SSO integration is working as desired.

Also, some contact or reference who can help in integrating OSSO with TAM. I hope the way IBM has such integration guide, Oracle would also have. Can you share such guide/articles with us?

Please let us know if you need more info from our side. Our Oracle expert working in the US time zone can provide more info, if needed.

[Editor: email ID removed at request of commenter]


Thanks
Prakash

Steven Chan:

Hi, Prakash,

Testing your EBS+Single Sign-On integration is pretty straightforward:

1. Log in directly to Oracle Single Sign-On

2. Navigate to an E-Business Suite bookmarked URL or your EBS homepage

3. If you get in without being asked to log in again, it's working. If you're prompted to log in again, EBS isn't recognizing the SSO security token (so reregister it as a partner application, following Note 233436.1).

Good luck with your integration.

Regards,
Steven

Prakash:

Hi Steven,

As you suggested we raised a TAR (formal request) with Oracle. The response we got from Oracle is:

----------------------------------------------
First of all, integration with TAM is not directly supported by Oracle and would be considered a customized implementation. Also we will not have access to TAM for testing purposes. That said, I will do my best to help.
---------------------------------------------
This is surprising; when we say that the Oracle SSO server can be integrated with a third-party Access Manager, I would assume that it is based on significant testing and that the support team will have a ready-to-use lab facility.

We also have a PMR (service request) with IBM open and they are also trying to look into why hardcoded user ids work at the Oracle end.
I hope Oracle would also have a similar environment to verify/test it.

You also mentioned that you can pass on some IBM contact for help. Would it be possible for you to share it with me?

[Editor: email removed by request of commenter]

Please mail me any reference on this.

Steven Chan:

Hi, Buddhi,

If Oracle SSO Support doesn't have access to IBM products such as TAM, then their support for this configuration will be on a best-efforts basis.

My IBM contacts confirm that your best option for getting assistance with this is via IBM's PMR process.

Regards,
Steven

Prakash:

Hi Steven,

Thanks for inputs.
In an earlier reply you mentioned the path as

EBS --> Oracle SSO --> IBM TAM

actually it's the other way round:

IBM TAM -> Oracle SSO -> EBS.

Would you be able to share doc which you mentioned.

Thanks
Prakash

Steven Chan:

Hi, Prakash,

My comment was intended to show the general chain of trust between components in this architecture. The cardinality of the arrows is philosophically moot.

As I indicated above, I am not authorized to distribute IBM's copyrighted material. The only way that you can obtain a copy of this whitepaper is to contact IBM Software Support directly.

Regards,
Steven

John McManus:

Hi Steven.

Thank you for this article. Using 11.5.10 EBS, is it possible to integrate with ClearTrust? The typical way is to use the web agent on the servers, intercept the http/https request and send off the request to the ClearTrust server and authenticate. My question is how does this fit into the architecture? Do I need to integrate directly into the underlying LDAP store that ClearTrust uses? I'm not sure how this could work with doing that.

Thank You.

John McManus

Hi, John,

I've heard anecdotal reports from customers who have integrated their EBS environments with ClearTrust.

If your ClearTrust setup has its own LDAP directory as well as its own authentication mechanism, then I would think that the best approach would be to tie them both to OID and SSO respectively. In other words, the architecture would look like this:

EBS --> SSO --> ClearTrust (for authentication)
EBS --> OID --> ClearTrust LDAP (for user provisioning)

I don't have any first-hand experience with ClearTrust, however, so my suggestions are based on first principles only. The generic OID and SSO documentation describes steps for integrating with generic third-party LDAP and authentication systems.

If you're looking for an authoritative statement about the best architectural strategy for integrating ClearTrust with Oracle identity management products, your best bet might be to contact ClearTrust support. They may have whitepapers published for this.

Regards,
Steven
