In-Depth: Using Third-Party Identity Managers with E-Business Suite Release 12

This article is an updated R12 version of an earlier one written for Oracle E-Business Suite Release 11i.

Like most of our customers, you probably already have a corporate identity management system in place. And, you've probably not been enjoying the experience of redundantly administering the same user in your corporate identity management system as well as the E-Business Suite. If this describes your environment, this in-depth article about integrating Oracle E-Business Suite Release 12, Oracle Single Sign-On and Oracle Internet Directory with third-party identity management systems will show you a better way of managing your EBS users.

No More Redundant User Administration

It is possible to integrate the E-Business Suite with existing third-party LDAP and single sign-on solutions via Oracle Application Server 10g and Single Sign-On 10g, like this:

[Architecture diagram: integration between a third-party Single Sign-On and Oracle Single Sign-On, a third-party LDAP and Oracle Internet Directory, and the E-Business Suite]

Third-party single sign-on solutions can be integrated with Oracle Single Sign-On 10g, and third-party LDAP directories can be integrated with Oracle Internet Directory 10g. From there, it's a short hop to the E-Business Suite.

Example Scenario: The Deluxe "Zero Sign-On" Approach

A user logs on to their PC using their Windows userid and password. Wanting to avoid real work, the user decides to file a long-overdue expense report for last year's OpenWorld conference. He starts Internet Explorer, opens Favorites, and selects a bookmarked link for the E-Business Suite's Self-Service Expenses.

Self-Service Expenses starts up, and the user begins the process of assembling rationalizations to justify that $450 dinner at Jardiniere with their favorite Oracle blogger. (This is a fictional example, of course; nobody takes bloggers out to dinner.)

We sometimes call this "zero sign-on" because the user never actually logged on to any Oracle systems at all; their Windows Kerberos ticket gave them an all-access pass to the E-Business Suite automatically.

Magic? What Really Happened?

Brace yourself: some of the following material might require a couple of passes to sink in.

The "deluxe" scenario above illustrates the following integrations:

  • Microsoft Active Directory with Oracle Internet Directory 10g
  • Microsoft Kerberos Authentication with Oracle Single Sign-On 10g
  • Oracle Application Server 10g with the E-Business Suite

[Architecture diagram: integration of MS Active Directory with Oracle Internet Directory, MS Kerberos with Oracle Single Sign-On, and the E-Business Suite]

The user logged on to their PC, which authenticated them against Microsoft Active Directory. As part of that logon process, Microsoft Kerberos Authentication issued a valid Kerberos ticket to the user.

When the user attempted to access Self-Service Expenses via his bookmarked link, he was redirected to Oracle Single Sign-On 10g. Oracle Single Sign-On 10g recognized the Microsoft Kerberos ticket, issued its own Oracle security tokens to the user, and redirected the user back to the E-Business Suite.

The E-Business Suite recognized the Oracle Single Sign-On 10g security tokens and looked up the user's assigned Applications Responsibilities to ensure that he was authorized to access Self-Service Expenses. That done, it issued its own E-Business Suite security tokens and then passed the user through to Self-Service Expenses without requiring any additional logons.

Integration with Microsoft Active Directory Only

Not everyone uses Microsoft Kerberos Authentication. A simpler integration option omits Kerberos and includes only Microsoft Active Directory and Oracle Internet Directory, like this:

[Architecture diagram (image file: MS Kerberos Apps Integration.png)]

In this simpler architecture, when the user attempts to access Self-Service Expenses via his bookmarked link, he's redirected to OracleAS 10g Single Sign-On. Single Sign-On displays a login screen and collects the user's ID and password.

Single Sign-On passes the user's supplied ID and password to Oracle Internet Directory for validation. Oracle Internet Directory uses the Windows NT External Authentication plug-in (sometimes also called the Windows Native Authentication plug-in) to delegate user authentication to Microsoft Active Directory.

Microsoft Active Directory looks up the user's ID and password in its database, and informs Oracle Internet Directory that this is an authenticated user. Oracle Internet Directory informs Single Sign-On that the user was successfully authenticated.

Single Sign-On issues the user a set of security tokens and redirects the user to the E-Business Suite. The E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities to ensure that he's authorized to access Self-Service Expenses. That done, it issues its own E-Business Suite security tokens and then passes the user through to Self-Service Expenses.

"Out-of-the-box" Third-Party LDAP Integration with Oracle Internet Directory

Due to the popularity of Microsoft Active Directory, Oracle Internet Directory provides a prebuilt connector out of the box, ready to use.

Oracle Internet Directory also provides a prebuilt connector for the SunONE (iPlanet) Directory Server, ready-to-use. You should note that Sun (like Oracle, following its myriad recent acquisitions) has rebranded its identity management products, so there's a new name for the Sun LDAP directory now. I'll update this post with the latest name as soon as my Sun contacts provide me with that information.

Synchronization of User Credentials with Third-Party LDAP Directories

If you've been paying close attention so far, you have likely gathered that user credentials need to be synchronized between the third-party LDAP, Oracle Internet Directory, and the E-Business Suite. The synchronization architecture looks like this:

[Architecture diagram: third-party LDAP synchronization with Oracle Internet Directory and the E-Business Suite]

In this configuration, only the user name needs to be synchronized; the user's password is stored in the third-party LDAP directory. None of the Oracle products need to store the user's password, since they delegate user authentication to the third-party LDAP solutions.

[Architecture diagram: passwords are stored in the third-party LDAP, not in Oracle Internet Directory or the E-Business Suite]

The key concept here is that user authentication is still separated from user authorization even when a third-party LDAP is in place.

[Architecture diagram: Authentication vs. Authorization]

So, the E-Business Suite still grants authenticated users access to E-Business Suite protected content based on the users' Applications Responsibilities, which are managed in the E-Business Suite exclusively.
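The following Python model is an added example; it is not code from this article or from any Oracle product. It collapses the chain described in the last few sections into four in-process parties: a third-party LDAP that is the only password store, an Oracle Internet Directory that holds synchronized user names only and delegates bind checks (the job the article gives the Windows external authentication plug-in), a Single Sign-On server that issues a token after a successful bind, and an E-Business Suite partner application that accepts only that token and then decides authorization from Responsibilities it alone administers. All class names, sample users, passwords, the token format and the "Internet Expenses" responsibility are constructed for the example; the real products exchange HTTP redirects and cookies, which the model reduces to function calls.

```python
import hashlib
import hmac
import os
import secrets


class ThirdPartyLdap:
    """Stands in for Microsoft Active Directory: the only place a password lives."""

    def __init__(self):
        self._creds = {}  # uid -> (salt, PBKDF2 digest); constructed sample store

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, uid, password):
        salt = os.urandom(16)
        self._creds[uid] = (salt, self._digest(password, salt))

    def user_names(self):
        return sorted(self._creds)

    def bind(self, uid, password):
        rec = self._creds.get(uid)
        return rec is not None and hmac.compare_digest(rec[1], self._digest(password, rec[0]))


class OracleInternetDirectory:
    """Synchronized user names only; password checks are delegated to the external LDAP."""

    def __init__(self, external):
        self.external = external
        self.entries = {}  # uid -> attributes; never carries a userPassword

    def synchronize(self):
        for uid in self.external.user_names():  # user names only, no credentials
            self.entries.setdefault(uid, {"uid": uid})

    def bind(self, uid, password):
        # the external authentication plug-in role: OID answers only if AD says yes
        return uid in self.entries and self.external.bind(uid, password)


class SingleSignOn:
    def __init__(self, oid):
        self.oid = oid
        self._key = secrets.token_bytes(32)  # trust anchor shared with partner apps

    def _mac(self, uid, nonce):
        return hmac.new(self._key, f"{uid}:{nonce}".encode(), "sha256").hexdigest()

    def login(self, uid, password):
        if not self.oid.bind(uid, password):
            return None
        nonce = secrets.token_hex(8)
        return f"{uid}:{nonce}:{self._mac(uid, nonce)}"  # constructed token format

    def verify(self, token):
        # returns the user name for a genuine token, otherwise None
        try:
            uid, nonce, mac = token.split(":")
        except (AttributeError, ValueError):
            return None
        genuine = hmac.compare_digest(mac.encode(), self._mac(uid, nonce).encode())
        return uid if genuine else None


class EBusinessSuite:
    """Trusts SSO for authentication; authorization comes from its own Responsibilities."""

    FUNCTION_RESPONSIBILITY = {"Self-Service Expenses": "Internet Expenses"}  # constructed

    def __init__(self, sso):
        self.sso = sso
        self.responsibilities = {}  # uid -> set of responsibility names, managed only here
        self._session_key = secrets.token_bytes(32)

    def assign_responsibility(self, uid, responsibility):
        self.responsibilities.setdefault(uid, set()).add(responsibility)

    def access(self, sso_token, function):
        uid = self.sso.verify(sso_token)
        if uid is None:  # no valid SSO cookie: HTTP redirect to the SSO login page
            return ("redirect", "sso-login")
        if self.FUNCTION_RESPONSIBILITY[function] not in self.responsibilities.get(uid, set()):
            return ("denied", uid)  # authenticated, but not authorized for this function
        session = hmac.new(self._session_key, uid.encode(), "sha256").hexdigest()[:16]
        return ("ok", f"EBS-{session}")  # EBS now issues its own session token


def build_demo():
    # constructed sample users: alice holds the responsibility, bob does not
    ad = ThirdPartyLdap()
    ad.add_user("alice", "correct horse battery")
    ad.add_user("bob", "open sesame")
    oid = OracleInternetDirectory(ad)
    oid.synchronize()
    sso = SingleSignOn(oid)
    ebs = EBusinessSuite(sso)
    ebs.assign_responsibility("alice", "Internet Expenses")
    return ad, oid, sso, ebs
```

Calling `build_demo()` and then `sso.login()` followed by `ebs.access()` reproduces the three outcomes the article walks through: a request carrying no SSO token is sent to the SSO login, a user whose token verifies but who holds no Internet Expenses responsibility is turned away by the E-Business Suite, and a user with that responsibility receives an E-Business Suite session of its own. Inspecting `oid.entries["alice"]` shows the synchronization point the diagrams make: the directory entry never carries a password attribute. Real SSO tokens also carry an expiry and are bound to a browser session, which this model leaves out.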

Integration With Other Single Sign-On Solutions

It is also possible to integrate Oracle Single Sign-On 10g with other single sign-on solutions, including:

  • CA Netegrity SiteMinder
  • Biometric devices like fingerprint readers
  • Smartcards
  • PKI X.509 digital certificates

When integrated with other single sign-on solutions, a chain of trust is established between the third-party, Oracle Single Sign-On, and the E-Business Suite. Users logging on via the third-party single sign-on solution are passed through transparently to Oracle Single Sign-On and the E-Business Suite.

Relax, It's Easy and Fun

Well, maybe not... but at least it's technically feasible. You might find it reassuring to note that a number of E-Business Suite customers are running this configuration in production already.

This is about as much detail as I think is appropriate for now. Feel free to post comments if you have questions about this topic.

References

For detailed instructions on how to integrate Single Sign-On and Oracle Internet Directory with Oracle E-Business Suite Release 12, see:

There are many more options for integration with the E-Business Suite, including options for linking OID userids to different E-Business Suite userids, and so on. If you're really interested, I'd recommend a careful reading of the "Oracle Single Sign-On Integration" section of this document:


Comments (14)

Manjit:

Thanks for sharing nice article.

I would like to synchronize only some users, i.e. only suppliers, with OID and E-Business Suite. Supplier user names are different and can be distinguished from other users.

There are only 4 templates ( i know of ) for synchronization between OID and EBS. Is there an easy way out?

Steven Chan:

Hi, Manjit,

I'm afraid that the 4 supplied templates don't support selective or partial synchronizations of your users.

It might be possible to build a customization of some sort, but that approach comes with all of the issues inherent to customizations: support, maintenance, preservation during patching, scalability and performance, robustness to future techstack upgrades and changes, and so on.

If you're interested in evaluating the feasibility of such a customization, I can forward your contact information to our Security Consulting practice for you. Let me know if you're interested in going that route.

Regards,
Steven

Raja:

Hi Steven
1. What is the protocol for the connectivity between Oracle Single Sign-On and the EBS environment?

2. Why can't we use third party like TAM to go directly to EBS, for example

Mike Shaw:

Hello Raja,

1. I presume you are talking about the runtime environment, when users log in. This being the case, eBiz is registered as a partner application, so eBiz will look for a valid SSO cookie for the user and, if it is not present, will redirect the user to the SSO login page. After login, SSO redirects back to eBiz. This is all done by HTTP redirects.

2. You can integrate third-party products directly with eBiz as a custom solution if you wish; however, you will need to get it to work yourself and ensure that your custom solution is not affected by patches, etc. You will also need to reproduce any issues to do with login or session management problems using standard Oracle code (i.e. without your custom solution in place). Steven's article Certification and Support for Third-Party Products talks about this some more. The beauty of the integration solution Oracle provides is that OID supports many third-party products out of the box and eBiz simply needs to talk to OID.

Mike

Varun:

Hello Steven.

We are in the midst of designing the security authentication architecture for our Oracle R12 HRMS implementation. Our security team wants to strictly follow the company standards. We already have Microsoft Active Directory implemented enterprise-wide. Now the requirement is that

the user (both internal and external) logs in for the first time to the Windows domain using authentication by Microsoft Active Directory. Now we want that when the AD-authenticated user clicks a link on an Oracle Portal page, an Oracle login screen should appear. Generally the login screen for Oracle SSO doesn't occur, since it forms a chain of trust with the third-party LDAP. We need to force a re-authentication. Is there a way or mechanism to achieve this requirement, which is very important for this project?

Thanks, Varun

Steven Chan:

Hello, Varun,

Well, this is an interesting switch. Most organizations wish to implement Single Sign-On to *eliminate* the need for multiple logins.

I'm personally not familiar with ways of forcing this, other than the brute-force method of invalidating the chain-of-trust between the Microsoft and Oracle components. There might be more elegant ways of doing this.

I've sent you a private email with a pointer to someone in our Oracle Consulting group that specializes in advanced security architectures. I'm sure he'll be able to help you out.

Regards,
Steven

Larry:

Hello Steven, it's been a few years since we last spoke; I hope you are well.

My consulting customer currently is 11.5.10.2 RUP 6 with plans soon to migrate to 12i. The current system is integrated with 10gAS SSO/OID to externally authenticate inbound logins to TAM.

The customer has a new requirement such that login IDs starting with a certain alpha character authenticate through TAM via the current setup, but a new group of login IDs about to be deployed, leading with a different alpha character, be authenticated through Windows Active Directory.

Can SSO/OID be configured based on some attribute like "leading character of the login ID" to support multiple paths of authentication?

Thanks in advance for your help and regards...

Steven Chan:

Hello, Larry,

Good to hear from you; glad to see you're still working in this area.

We currently don't have the ability to support your customer's requirements with our standard configuration. A number of customers have raised a variant of this enhancement request.

The predominant theme of this kind of requested functionality is the ability to split off the authentication of users depending upon whether the users are internal (within a corporate firewall) or external (outside of a firewall). Customers would like the ability to use different authentication and LDAP directories for internal and external users.

We've got a project underway to evaluate the feasibility of this enhancement. I don't have a firm date for this yet, but you're welcome to monitor or subscribe to this blog for updates.

Regards,
Steven

Larry:

Hi Steven, thank you for your reply. We'll eagerly await developments from your team, but meanwhile will explore options on the "other side" of SSO/OID; currently we integrate with IBM TAM, so we'll see if TAM and its Directory Integrator will give us the two-path/two-LDAP/two-authenticator scheme we are looking for. Regards...

Gangadhar:

Hi Steven,

How does multilevel authentication work? Can we use a multilevel external authentication plug-in?

Medium security goes to TAM and high security goes to Microsoft AD. Please explain in detail.

Thanks in advance

Regards

Steven Chan:

Hi, Gangadhar,

Multilevel authentication should work, in theory. Whatever SSO supports should be supported for EBS partner applications.

I don't have personal experience with multilevel authentication configurations for SSO. I see that they're documented here:

http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14078/multilevel.htm

Note that this seems to be on a per-partner-application basis. In other words, one partner application may use one type of authentication method. A different partner application may use a different authentication method.

If you need more assistance with SSO's support for multilevel authentication, I would recommend logging a formal Service Request against the Oracle SSO product to get one of those specialists engaged.

Good luck with your implementation.

Regards,
Steven

Gangadhar:

Thanks for the update.

Edward Jayaraj:

Steven,

Is OID mandatory to integrate E-Business suite (R12) to MS LDAP?

Steven Chan:

Hello, Edward,

Yes, Oracle Internet Directory is mandatory. The E-Business Suite has dependencies on Oracle Internet Directory for user provisioning. It is not currently possible to substitute a third-party LDAP directory (e.g. MS Active Directory) for Oracle Internet Directory.

Regards,
Steven
