Cloud Security Perspectives and Insights

Simplifying User Management in Oracle E-Business Suite with Identity Cloud Service

Paul Toal
Distinguished Solution Engineer - Cyber Security

I have talked before about how Oracle Identity Cloud Service (IDCS) can greatly simplify single sign-on (SSO) for Oracle E-Business Suite (EBS).  If you haven’t seen it, you can find my article here. In it, I talked about the 3 easy steps to simplifying SSO into EBS. For this extremely common use case I, 1) linked IDCS to Active Directory (AD) and synchronised users from AD into IDCS, 2) used federation so that users could log onto IDCS seamlessly from their desktop, and 3) integrated IDCS and EBS to extend SSO into EBS. This simplifies EBS SSO, since, where you would previously have deployed Oracle Access Manager and Oracle Internet Directory (together with their underpinning databases etc), the new IDCS-based approach only required the deployment a small runtime component called the IDCS EBS Asserter.

Whilst that is a very compelling and popular use case, it still left you with having to use your existing processes and procedures to manage your users and their roles and responsibilities within EBS. Well, hot off the press, there is some great news. With the latest release of IDCS (released in January), you can now manage the lifecycle of your EBS users directly from IDCS. Furthermore, with the existing integrations between AD and IDCS as described above, that user lifecycle can be fed all the way back from AD (or Azure). Thus, now you have a complete, simplified identity and access management solution for your EBS users, and the best part, if you are an IDCS Standard customer, then all of this is provided to you at no extra cost. I know what you’re thinking, “Please, tell me more”. Don’t worry, keep reading because you’ve come to the right place.

For some time within IDCS, it has been possible to deliver SSO for on-premise applications, such as EBS, as well as cloud applications. It has also been possible to manage user’s lifecycle for cloud applications, through standards like SCIM. In the previous release of IDCS, a new capability called the Provisioning Gateway was introduced. This completes the picture by now enabling you to also manage user lifecycle for on-premise applications.



Cloud-based apps

On-premise apps


User Lifecycle Mgmt


In the latest release of IDCS, EBS was certified with the provisioning gateway. So, what does that mean? Well, I can now create a user within IDCS, assign them EBS roles and responsibilities and have IDCS create the user within EBS with those assigned privileges. Should a user’s privileges change, or the user get disabled or removed from IDCS, those changes will also flow down to EBS. You can, of course, choose which operations you want to support, as shown below.



Let’s take a look at how we can extend our previous use case around SSO, to now also encompass user lifecycle. To ensure we are all starting from the same baseline, the diagram below represents the solution discussed in my ‘How to Simplify SSO to Oracle eBusiness Suite in Just 3 Steps” post.



As you can see, user management is done in two places; firstly, within AD, then, within EBS. The ability of the IDCS AD Bridge to sync users and groups means that users and groups don’t need to be manually managed within IDCS.

Now let’s extend our solution diagram to include the provisioning bridge and see how that changes.



With the addition of the provisioning bridge, user management is now limited to just your authoritative source (i.e. in this case AD). As well as provisioning/de-provisioning users and their privileges, the gateway is also used to synchronise the roles and responsibilities from E-Business into Identity Cloud Service so that they can be assigned. I also find it useful to show a working example of what this might look like.

Within my AD, I have created an OU (EMEA Users) containing my test users and groups. I have created two groups that will be used for this example: EBS Finance Controller and EBS Purchase Manager. The AD Bridge has been deployed and configured to sync all users and groups within this OU into IDCS. The sync runs on a configurable schedule.

I have an EBS environment and have deployed both the EBS Asserter and the Provisioning Bridge and configured them both to talk to IDCS and EBS. From a provisioning bridge setup, there is very little to configure. The EBS connector is already deployed within the provisioning bridge, so all I need to define is the connection to my EBS server.



The final configuration step is to define the assignment of roles and responsibilities. I can do that either on a user-by-user basis, or, more realistically, on a group level. My 2 example groups have already been synchronised from AD and therefore appear in Identity Cloud Service.



Within each group, I assign access to both EBS as an SSO application (EBS Vision Demo) as well as a provisioning application (Oracle eBusiness Suite – User Management).



Finally, within the provisioning application definition, I assign the roles and responsibilities that map to the EBS Finance Controller group from AD. In my example below, I have picked some random EBS roles and responsibilities to assign to the group. Note that the values are chosen from lookups as the roles and responsibilities from my EBS instance have been synchronised into IDCS to populate those lookups.



Now, when I create a user in AD and assign them to the EBS Finance Controller group within AD, that user and their group membership will be synchronised to IDCS, which will then automatically provision them into EBS with the roles and responsibilities mapped to the group they are in.

The existing SSO configuration means that the new user will be able to immediately log onto their desktop, open their browser and seamlessly access EBS (assuming WNA is enabled within their Windows environment).

If you want to see this use case in action, I have put together a short video, which you can see in the video below.


I hope this post has been useful in showing you how Oracle Identity Cloud Service is further simplifying the identity and access management of E-Business Suite, not just enabling simple SSO, but also now handling user management as well. And don't forget, all of this is available at no extra cost for IDCS Standard customers.

Join the discussion

Comments ( 1 )
  • Juan Sarro Saturday, February 15, 2020
    Great post!
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.