Cloud Security Perspectives and Insights

How to Simplify SSO to Oracle eBusiness Suite in Just 3 Steps

Paul Toal
Distinguished Solution Engineer - Cyber Security

Oracle E-Business Suite (EBS) is in use by thousands of customers worldwide today. Many of those customers have implemented single sign-on (SSO) to ensure a smooth user experience. From my experience with customers, the most common use case is to deliver a transparent sign-on experience from the user's desktop through to EBS.

The Current Approach

The traditional, certified approach for achieving this is through the deployment and integration with Oracle Access Manager and either Oracle Internet Directory (OID) or Oracle Unified Directory (OUD), as described by my colleague Steven Chan in this blog post. A good summary of this approach is shown in the diagram below.

Figure 1 - The traditional approach for E-Business Suite SSO


Whilst this approach is well understood and documented, it introduces a number of additional components and additional complexity to your EBS deployment. For SSO you need to deploy Access Manager, a Directory, a WebGate, an AccessGate, and configure each to integrate with EBS. All of these additional components need to be fed and watered, patched and updated. For some customers, this additional complexity has led to not implementing SSO, resulting in the user experience suffering.

A New Approach

However, fear not, there is now a simpler option available which will still enable that streamlined user experience you require, without the need to deploy and manage all of the above components, and without the need to make significant configuration changes within EBS, such as configuring the integration with OID or OUD.

Oracle Identity Cloud Service is Oracle's cloud-based Identity platform, which now enables SSO to a standard installation of EBS through its EBS Asserter. The figure below shows this simplified integration, with existing components shown in grey and the new components shown in red.

Figure 2 - A simplified architecture with IDCS

As a cloud-based Identity platform, IDCS requires no installation. In addition, the key non-functional requirements such as HA, DR, scaling, backup and restore, patching, and upgrading are all taken care of by Oracle as part of the cloud service. The only component that requires deployment is the EBS Asserter. This acts as the interface between an identity token being issued by IDCS and a user's session being created in EBS.
So, coming back to the title of this blog post, how can you achieve this simplification in 3 steps? Easy...
  1. Populate IDCS with users and groups by setting up synchronization between your AD and IDCS (tutorial)
  2. Configure SSO between your on-premise Identity Provider (typically ADFS) and IDCS (tutorial)
  3. Deploy the EBS Asserter and configure integration with EBS and IDCS (tutorial)
As you can see, this approach is considerably simpler than the previous approach. It also means that once you have this integration in place, it is easy to extend the use of IDCS to other web-based applications and cloud-based applications. You can also take advantage of some of the advanced capabilities of IDCS such as multi-factor authentication to add an extra level of security over the user authentication process. I've covered some of this in a previous blog post (Three Reasons Why Identity Management Should Be On Your Radar For SaaS).
In summary, whether you have an existing EBS deployment already integrated with Access Manager today and are looking to simplify your footprint, or whether you don't have SSO enabled today, using IDCS to deliver SSO to EBS can greatly enhance the user experience whilst at the same time simplifying your overall topology and administration.

Join the discussion

Comments ( 19 )
  • Ruth Melnick Tuesday, July 10, 2018
    Thanks for this post. Very relevant to what customers are looking to implement.
  • Mike Friday, December 21, 2018
    Interesting post, thanks. We are planning to implement JDE Okta SSO. Any recommendations pls...
  • Paul Toal Friday, December 21, 2018
    Sure, my comment would be to ditch Okta and implement SSO to JDE with IDCS. You will benefit from a single vendor approach.
  • Suren Wednesday, January 9, 2019
    We did POC for both IDCS and SSOgen successfully.
  • Mike Thursday, January 10, 2019
    Hello Paul, Good Information Thank you!

    Is it possible to run two or more adpatch sessions simultaneously for one EBS instance?
    My client wants to implement SSOgen for EBS..

    1. https://www.ssogen.com/oracle-ebs-sso-integrations
    2. https://www.ssogen.com/oracle-ebs-sso-ldap

    Any recommendations please? Thanks Again.
  • Paul Toal Thursday, January 10, 2019
    Sorry Mike, you will need to get advice from your EBS team. My knowledge of EBS doesn't extend that far.
  • SK Wednesday, January 23, 2019
    mike --> not possible to run multiple adpatch sessions at one time
  • Sunil Monday, March 25, 2019
    Hi Paul,

    We are reviewing options for Multi Factor Authentication for EBS (12.1.3).

    Can it be achieved using Oracle Identity Cloud Service without external user directory setup?

    If external user directory setup is required, is it possible to integrate EBS (12.1.3) with IBM Tivoli Access Manager via Oracle Identity Cloud Service?

    Where can we get more information on overall component and license requirement?

    Will appreciate your reply. Thanks.
  • Paul Toal Thursday, March 28, 2019
    Hi Sunil,

    Yes you can implement MFA using IDCS without the need to deploy a directory behind EBS. This is done using the IDCS EBS Asserter as described above. You can follow step 3 of my steps above to find out more information on the Asserter, including how to deploy it.

    I hope that helps
  • Mahomed Khan Wednesday, May 15, 2019

    Interesting article. Please advise if this will work with EBS 12.1.3, we are not on the cloud, but we do have ADFS in our organization.

  • Paul Toal Wednesday, May 15, 2019
    Hi Mahomed,

    Yes it will work with EBS 12.1.3 running on premise.

  • Vijay Monday, June 17, 2019

    We did the EBS integration with IDCS. While accessing the URL "https:///ebs", it is returning a 403 Forbidden error.

    Did anyone come across this? Any inputs on what the reason could be would help.

    followed the steps in doc: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/ebs_asserter_obe/ebs-asserter.html

  • Paul Toal Monday, June 17, 2019
    Hi Vijay,

    I would check your re-write rules as I suspect the issue is within those rules. Failing that, I suggest you log an SR with Support so they can help you resolve the issue.

  • Atul Friday, November 1, 2019
    Hi Paul,
    Thanks for the article.
    Apart from EBS we have SSO integration with WebCenter as well. We have same OAM and OID used for SSO with WebCenter Suite. Please let me know.

  • Paul Toal Friday, November 1, 2019
    @Atul - There are a number of considerations such as versions and exactly which components you are using.

    Fortunately, there are multiple options, all of which can be addressed with IDCS. The following list isn't exhaustive but will give you some ideas:

    1) You could replace OAM with IDCS and its App Gateway, leaving OID in place and using the IDCS provisioning gateway to provision/sync users between OID and IDCS.

    2) Depending on your WebCenter components and versions, you could use virtual users in WebLogic and use the IDCS asserter and authenticator.

    3) If your WebCenter component needs an LDAP (e.g. WC Content), then you could still use IDCS when the upcoming IDCS LDAP Proxy is available.

    I hope that helps.
  • Balaji Monday, April 6, 2020
    can we use Azure AD for this integration?
  • Paul Toal Monday, April 6, 2020
    Yes, you can use Azure AD for this integration. You don't use the AD bridge if you are integrating AD. Instead, the integration is a SCIM-based integration. You can either push from Azure, or you can pull from IDCS.

    You might find this article a useful reference:


  • Karthikeyan S Thursday, January 7, 2021
    For integrating Oracle EBS with AD, is Oracle Identity Cloud service a must as it involves licensing?

    Can I integrate AD with Oracle EBS without any additional cost, wherein it's not SSO, but I would be using AD username and password to log on to EBS?

    Sorry for a novice Q.
  • Paul Toal Thursday, January 7, 2021
    Hi Karthikeyan,

    It depends on what you mean by cost.

    EBS has no native capability to talk to Active Directory and therefore some additional software will be required. You essentially have two options. As part of your EBS licensing you get a restricted use license for Oracle Access Manager (OAM) Basic, which would cover your use case. Whilst you aren't paying for any extra software to implement this, OAM is a middleware component and therefore needs a WebLogic mid-tier, Oracle Internet/Unified Directory and Oracle databases, all with the appropriate HA deployments in order to run. Remember that if you integrate EBS with an external access management solution like OAM, then OAM needs at least the same level of availability as EBS, since, if OAM goes down, no-one can log in to your EBS. You then have to feed and water your OAM, OID and Database infrastructure. So, whilst there is no license cost, there is a TCO.

    The second option is the one discussed in this article. You use IDCS with its subscription. You don’t have to deploy and manage OAM, OID/OUD and Database. The only component to deploy is the EBS Asserter (and Provisioning Bridge if you want to also manage your EBS users from IDCS). Similarly, IDCS is an Oracle-managed Cloud Service so you don’t have to feed or water it. We take care of that for you.

    So, I would encourage you to consider the TCO when looking at the best option for achieving your use case.

    I hope that helps.