The Latest Technology Stack News Directly from EBS Development

Oracle Access Manager 10gR3 Certified with E-Business Suite

Oracle Access Manager 10gR3 ( is now certified for use with E-Business Suite Releases 11.5.10 and 12.1, using the new component, Oracle E-Business Suite AccessGate. For information on how to obtain, install, and configure this new component, see:

About Oracle Access Manager

Oracle Access Manager is Oracle's next-generation identity and access management platform, and is a key component in Oracle's Fusion Middleware Identity Management solution. It provides a set of authentication and authorization features, including support for single sign-on authentication, and integration with other identity management offerings such as Oracle Identity Federation and Oracle Adaptive Access Manager.

Oracle E-Business Suite AccessGate integration architecture


Oracle Access Manager Benefits

Previously, E-Business Suite only supported single sign-on capabilities through Oracle Single Sign-On Server. While it was possible to integrate with Oracle Access Manager, this still required Oracle Single Sign-On Server as an intermediary, and did not allow access to the full feature set of Oracle Access Manager.

With the release of Oracle E-Business Suite AccessGate, this is no longer the case. E-Business Suite AccessGate is a Java EE application that resides on a separate application server, and provides direct integration between E-Business Suite and Oracle Access Manager. This direct integration also opens the door to the full set of authentication features in Oracle Access Manager, as well as integration with other products in Oracle's portfolio, such as Oracle Identity Federation or Oracle Adaptive Access Manager.

I'll be posting another article in the future that describes more about how integration with Oracle Access Manager works through Oracle E-Business Suite AccessGate.

Oracle Access Manager vs. Oracle Single Sign-On Server

Our primary audience for this release of Oracle E-Business Suite AccessGate (and Oracle Access Manager) is users who have Oracle Access Manager deployed in their enterprise, and want to expand its coverage to include E-Business Suite.

E-Business Suite users that are currently integrated with Single Sign-On Server do not necessarily need to migrate to Oracle Access Manager, and, in fact, may not want to at this time, as not all products in the E-Business Suite technology stack support Oracle Access Manager today. Oracle Access Manager and Oracle Single Sign-On Server may be used together, however, and this, too, will be covered in more detail in a future article. For more details from the Fusion Middleware Identity Management team, see:

Prerequisites for Oracle E-Business Suite AccessGate
  • E-Business Suite Release 12.1.2, 12.1.1; or, E-Business Suite Release 11i 11.5.10 CU2 (with ATG RUP 6 or higher)
  • Oracle Access Manager 10gR3 (
  • Oracle Internet Directory 10gR3 ( or 11gR1 Patchset 1 (
  • Oracle WebLogic Server 10.3.1 or higher

Oracle E-Business Suite AccessGate is supported on any operating system platform that supports Oracle WebLogic Server 10.3.1. For Oracle Access Manager and its components, such as WebGate, any operating system and HTTP server supported by it may be used for this integration.


Related Articles

Join the discussion

Comments ( 46 )
  • Floyd Thursday, March 25, 2010

    "...as not all products in the E-Business Suite technology stack support Oracle Access Manager today." - This seems like a fairly significant fly in the ointment in light of upcoming desupport dates. Could you please encourage the Fusion Middleware team to give us a little more detail?

  • Keith M. Swartz Thursday, March 25, 2010

    Hi Floyd,

    The Oracle Single Sign-On Statement of Direction, linked to in this article, provides more details on this. The Fusion Middleware Documentation also has references in many places; the most relevant ones are linked to from the My Oracle Support document for Oracle E-Business Suite AccessGate (975182.1).

    Hope this helps.

    Keith M. Swartz

  • Ben Prusinski Wednesday, April 7, 2010

    Hi Steven,

    Do you know when Oracle 11g FMW/Weblogic will be supported with Release 12 for EBS? Do you know if it will also support 11i?


    Ben Prusinski

  • Steven Chan Thursday, April 8, 2010

    Hi, Ben,

    It's important to distinguish between running WebLogic as part of the E-Business Suite's internal technology stack (e.g. in place of JServ or OC4J) versus being compatible with externally-integrated Oracle Application Server servers running WebLogic.

    We plan to continue to certify Oracle E-Business Suite Release 11i and 12 with external Oracle Application Server instances. These integrations allow E-Business Suite customers to use the latest Fusion Middleware components such as Oracle Internet Directory, Oracle WebCenter, Oracle Business Intelligence, and others. These are certified now; see our recent announcements on this blog.

    We're evaluating the feasibility of using WebLogic in some capacity with an as-yet-unspecified future version of Oracle E-Business Suite Release 12.

    We have no plans to replace Oracle E-Business Suite Release 11i's internal JServ engine with WebLogic.

    The above is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.



  • parasuraman Saturday, April 10, 2010

    Hi Steven,

    Is there any certification on Oracle identity and access manager?



  • Ben Prusinski Saturday, April 10, 2010

    Hi Steven,

    Thank you for the answers to my questions regarding Weblogic/FMW and 11i/R12 EBS. I do look forward to beta testing the next release of E-Business Suite.



  • Keith M. Swartz Saturday, April 10, 2010

    Hi Parasu,

    This article is, in fact, about the certification of Oracle Access Manager with Oracle E-Business Suite, so the answer is yes. If you are inquiring about Oracle Identity Manager, that is a separate product, but this already supports Oracle E-Business Suite through the Oracle Identity Manager Connector for Oracle E-Business Suite. (It is built and certified by the Identity Manager team themselves.) You can get more details through a datasheet and on-line documentation at http://www.oracle.com/technology/products/id_mgmt/oxp/index.html .



  • Keith M. Swartz Saturday, April 10, 2010

    Sorry, small clarification : I meant to say /connectors/, plural. There are multiple ones for integrating various areas of functionality in Oracle E-Business Suite with Oracle Identity Manager. The details are in the aforementioned datasheet.



  • anan Monday, April 19, 2010

    Hi Keith

    Prerequisites for Oracle E-Business Suite AccessGate covers E-Business Suite Release 12.1.2, 12.1.1 and E-Business Suite Release 11i 11.5.10 CU2 (with ATG RUP 6 or higher).

    Why is there no E-Business Suite Release 12.0.x?

    Is the architecture diffenent completely between 12.0.x and 12.1.X?

  • Keith M. Swartz Monday, April 19, 2010

    Hi Anan,

    It isn't an issue of architecture, but rather one of certification and development resources. We have many ongoing projects at any one time, and sometimes we have to prioritize and choose the ones that will be the most well-received. Since we need to test each minor release independently with Oracle E-Business Suite AccessGate, we opted to concentrate on Release 11i and 12.1, as the bulk of our users are on those two tracks.

    At this time, we have no plans to certify E-Business Suite AccessGate with Release 12.0, but if there is considerable customer demand, we are open to reconsidering that in the future.

    Thanks very much,


  • Takayuki Tabe Thursday, May 20, 2010

    Hi Steven,

    We think about implementation of the SSO environment where I use OAM for in EBS(12.1.2) environment.

    (We do not use OSSO.)

    For a repository of the user nformations, We use ActiveDirectry(2 Domains).

    Is OID required in that environment as follows?

    OAM - OID - AD

    Or is that environmental implementation possible without using OID as follows?

    OAM - AD


    Takayuki Tabe

  • Keith M. Swartz Friday, May 21, 2010

    Hello Takayuki,

    Yes, OID is always required with E-Business Suite, whether you are using OSSO or OAM.


    Keith M. Swartz

  • Syam Pepala Friday, May 28, 2010

    Hi Keith,

    is there way to implement R12 SSO with using OAM and OVD(Oracle Virtual Directory) and get it authenticated at MS AD

    this process eliminates OID.

    when you implement OVD basically we are not syncing users information . we are directly talking to AD using OVD

    earlier implementations we are syncing users info into OID

    from ad and ebs.


    with new approch of Oracle E-Business Suite with Oracle Access Manager using Oracle E-Business Suite Gate along with OVD why do we need OID?

  • Keith M. Swartz Friday, May 28, 2010

    Hi Syam,

    It is not possible today to eliminate OID. OID is required by Oracle E-Business Suite because of a dependency on the internal orclguid attribute, which is specific to OID.



  • Rama Chilakmarri Monday, June 21, 2010

    We want to use Active Directory as our LDAP source. where does OID come into picture ?

    Are we forced to used OID as our LDAP source for using OAM with EBS?

    or is it that OID just needs to be there for generating guid ?

    Please provide more details on how to use AD as LDAP for integrating OAM wiht EBS ?

  • Keith M. Swartz Monday, June 21, 2010

    Hi Rama,

    The short answer is that Oracle E-Business Suite only integrates directly with OID, so it must be the source that is used for authentication. However, you can still set up your environment so that a third-party LDAP, such as Active Directory, acts as the official source, by configuring one-way or two-way synchronization between the two directories. There are many ways this can be achieved, and you may want to refer to Steven's excellent in-depth article on that subject at http://blogs.oracle.com/stevenChan/2008/08/indepth_using_thirdparty_identity_managers_with_eb.html .



  • Rama chilakmarri Tuesday, June 22, 2010


    Thanks for quick response.

    We would like to use OAM for non-EBS applications also and would like to use AccessGate for EBS integration.

    Now that seems impossible..

    SSO seems the path to go..

    Most of users use AD as primary authentication LDAP.. The AccessGate certification is useless at this point.

    Thanks for your timely help.


  • Keith M. Swartz Tuesday, June 22, 2010


    I think you may have misunderstood. The OID requirement is true for Oracle E-Business Suite regardless of what authentication system you are using, whether it's OSSO or OAM. This is explained in both the EBS AccessGate documentation, as well as our single sign-on integration documentation.

    Also, did you review the other article I mentioned? It illustrates that it is perfectly possible to have AD as your primary source of authentication data. In fact, an overwhelming majority of our customers that use a single sign-on solution have been doing this for years quite successfully. You just need to make a *copy* of the user data into an OID instance for Oracle E-Business Suite to connect to. You can configure the two LDAPs to bidirectional sync so they always contain the same records in real-time.

    That article shows how it can be done using OSSO, but you can simply replace OSSO with OAM and Oracle E-Business Suite AccessGate to achieve the exact same results.

    We strongly recommend that you use OAM for any new deployments, and not OSSO, as OAM is Oracle's strategic direction for single sign-on, and OSSO is nearing its end of life.



  • Keith M. Swartz Tuesday, June 22, 2010


    Some other sources you may find helpful may be found in My Oracle Support; namely, Knowledge Document 267153.1: DIP Synchronization with Microsoft Active Directory Quick Start Guide, and Knowledge Document 277382.1: How to Configure OID External Authentication Plug-In for Authentication Via Microsoft Active Directory (MS AD).

    Hope this helps.


  • Rama Chilakmarri Tuesday, June 22, 2010

    from what I understand I need to do this :

    1. Configure OAM to use OID has its LDAP source

    2. synch user data between OID and AD

    So only change to diagram on top of this page is to have AD send data to OID ?

    Thanks for taking time to clarify.


  • Keith M. Swartz Tuesday, June 22, 2010


    In a nutshell, yes, but of course, there's always more to it than that. For example, OID has an adapter that can plug into AD so that you don't have to store user passwords and other attributes in both places -- but this is too complex for a comment stream. I recommend consulting with the Oracle Support Identity Management team and/or our fine Consulting organization if you have further questions about this configuration. Again, it is a very common layout, so there's a lot of experience helping customers through this.

    Best of luck!


  • Wing Saturday, July 24, 2010

    Hi Keith,

    We would like to implement SSO (IWA) using OAM however without extending the schema on the AD end.

    Which would be the correct way / best practice of implementation?

    OAM >> OVD (AD or AD with Mapper) >> AD


    OAM >> AD?

    If we were to go with the 1st option, which is the best option for LDAP adapter? AD or AD with Mapper adapter? Does it has any effect on the SSO implementaiton?

    I am assuming OVD for storing User Data and OID is used to store policies and configuration data.

    Thanks in advanced and taking time to clarify my doubts.


  • Keith M. Swartz Sunday, July 25, 2010

    Hi Wing,

    Well, first a clarification. OVD does not actually store /anything/. The "V" stands for virtual, because it is just that: a mechanism for creating a series of mappings to /other/ directories that do contain the information you need, but making it look like a single directory. Think of it as a directory on a file system that contains symbolic links to files in other directories, but no actual files of its own.

    With that in mind, there still exists the requirement that EBS requires OID for its user data. We have not tested OVD for use with EBS, but that doesn't mean you can't use it in conjunction with OAM, so long as the EBS users are explicitly defined in OID. The details of such an integration are something you would be better off reviewing with someone from our Services organization that specializes in our Identity Management offerings; aside from the OID requirement, this is all independent of EBS.

    Thanks for your question.


  • Priya Tuesday, September 21, 2010

    Hi ..Is there any certification related to Oracle Identity manager or Oracle access manager. Please let me know

  • Keith M. Swartz Tuesday, September 21, 2010

    Hi Priya,

    This announcement is for Oracle Access Manager. Oracle Identity Manager is also certified for use with Oracle E-Business Suite via connectors; please see http://www.oracle.com/us/products/middleware/identity-management/oracle-identity-manager/index.html for information about the product, and http://www.oracle.com/technetwork/testcontent/index-098451.html for information about the Connectors for E-Business Suite.

    (NOTE: these URLs may not work for long, as the www.oracle.com site is in the middle of a long-running reorganization.) If the above URLs no longer work, you can google on "Oracle Identity Manager and Connectors for E-Business Suite" to find the information more directly.)



  • Eriks Richters Tuesday, September 28, 2010


    Can you explain why it has to use OID? There plenty of statements that it must be used, but I haven't found any explanation of why.

    I would think that any v3 LDAP would work. Is it a matter of what's been certified? or is there a technical reason for requiring OID?

  • Steven Chan Tuesday, September 28, 2010

    Hello, Eriks,

    The EBS authorization stage depends upon the linkage between an external user in Oracle Internet Directory (provided by the ORCLGUID in Oracle Internet Directory) and the equivalent user in the E-Business Suite's FND_USER table. This applies to both the Single Sign-On integration as well as the Oracle Access Manager integration.

    Therefore, if you remove Oracle Internet Directory, you lose the ORCLGUID from the picture, resulting in a situation where there's no way of determining what EBS responsibilities are assigned to a given externally-authenticated user.



  • Robert Woods Monday, October 4, 2010

    Is there a date when the EBS AccessGate will be certified with Access Manager Release 11g? We are currently implementing IDM/OAM 11g for use on our custom applications, will we also be required to implement IDM/OAM to integration with our EBS?

    Thanks, Robert

  • Keith M. Swartz Monday, October 4, 2010

    Hello Robert,

    OAM 11gR1 certification is ongoing. Revenue recognition rules do not allow us to disclose projects dates or schedules, so please keep monitoring the blog, where we will announce certifications as they become available.

    If you want to use OAM with Oracle E-Business Suite at this time, you will need to use both OAM 10gR3 (for E-Business Suite) and OAM 11gR1 (for your custom applications). This is not uncommon, since many 10gR3 users are unable to move to 11gR1. Once we complete our certification, you can reconfigure Oracle E-Business Suite AccessGate to work with OAM 11gR1.

    By the way, I am assuming that you are on Release 12 of Oracle E-Business Suite.



  • Chuck Friday, October 15, 2010


    For your last comment, are you saying that we would need to deploy OAM 10g with the EBusiness Suite 12.x access gate as well as use OAM 11g w/ 11g WebGates for SOA/WLS integration etc? In other words, you would need both OAM 10g and OAM 11g if you have multiple fusion products & applications installed and want to embrace SSO? Also, what about OAAM -- can you use OAAM 11 w/ OAM 10g or must you use OAAM 10g w/ OAM 10g?

    Thanks, Chuck

  • Keith M. Swartz Friday, October 15, 2010

    I am saying that if you want to use OAM 11g with some applications today, that's fine. But EBS only supports OAM 10g, you need to use OAM 10g with EBS. You can integrate the two OAM installs, however, so users only ever see one.

    Eventually, when OAM 11g is certified with EBS, you can just use OAM 11g for all your products. Of course, you can also just use OAM 10g with your custom applications, but that's probably not what you were looking to do.

    I'm not familiar with the certification requirements for OAAM, so I'm going to have to refer you to the Identity Management team for details on that.



  • Kiran Thakkar Thursday, November 18, 2010

    Hi Keith

    Are you then saying that OAM has to talk to OID as user data store? Suppose I have AD as primary user data store, can you configure OAM against AD and while configuring OID-AD synch, create orclguid attribute for the users as objectguid in AD?


    Kiran Thakkar

  • Keith M. Swartz Thursday, November 18, 2010

    Hi Kiran,

    We have neither tested nor certified this architecture, so I cannot say whether it would work. orclguid is an automatically-generated operational attribute, so it's not clear to me that it can be synced to another LDAP. What is required is that OID generate this attribute for each user, and that OAM return it when authentication is successful.

    It may be possible to achieve what you are describing, but you would probably need to discuss the details with someone from Identity Management support, or Consulting Services.



  • Kiran Thakkar Friday, November 19, 2010

    Thanks Keith for the information.

    -Kiran Thakkar

  • Farhoud Monday, January 10, 2011

    Hi Steve

    I started looking into this certification in detail for our implementation, and noticed that OAM is only available on limited platforms. OAM 11g is supported on more platforms i.e. AIX. Are there any plans for 11g certification?


  • Keith M. Swartz Monday, January 10, 2011

    Hello Farhoud,

    Yes, we are working on our certification for OAM 11g. Revenue recognition rules prohibit us from discussing it ahead of time, but be sure to keep watching this blog for updates!



  • Kalpesh Monday, February 7, 2011

    Hi Steve

    I am following this note Integrating Oracle E-Business Suite with Oracle Access Manager using Oracle E-Business Suite AccessGate (Note 975182.1)..

    I deployed access gate using ant script on weblogic 10.3.3

    But when I access this access gate application by its URL it gives following error.

    Error 500--Internal Server Error

    java.lang.ClassCastException: weblogic.servlet.internal.ServletRequestImpl cannot be cast to oracle.apps.fnd.ext.common.server.AppsHttpServletRequestWrapper

    at oracle.apps.fnd.ext.common.server.FndSsoLogin.doPost(FndSsoLogin.java:73)

    I have raised SR with oracle, but didn't find any solution from last one month.



  • Keith M. Swartz Monday, February 7, 2011

    Hi Kalpesh,

    I'm sorry to hear you're having problems. An HTTP/500 error almost always points to a problem with the configuration of your WebGate or OAM Server. Some examples and suggested workarounds can be found in My Oracle Support Knowledge Document 1077460.1. Unfortunately, a full analysis of this issue is not something that can best be done in blog comments -- an SR is definitely the way to go. If you have not gotten adequate response after one month, I would suggest escalating the SR to a duty manager, and hopefully the analysts in ATG and OAM support can help you.

    Thanks very much,


  • Chris Tuesday, February 8, 2011


    In the knowledge reference article # 975182.1, there is a note in the "How the integration works" section that specifies "the Oracle E-Business Suite AccessGate must be installed in the same domain as the Oracle E-Business Suite middle tier servers".

    Could you please clarify what this note means when it refers to "same domain". We are unsure how to interpret this note.


  • Keith M. Swartz Tuesday, February 8, 2011

    Hi Chris,

    We are referring to the cookie domain, e.g.: corp.yourcompany.com. An explanation is given in the Known Issues section (search for "ICX cookie").



  • guest Thursday, June 9, 2011
    Can this approach be used for any EBS application including istore ?
    if so, are there any specific changes or configurations to be done to integrate with istore ?
    Also, looking at all the notes, I am not sure which all patches to be applied on EBS 11.5.10 ATG RUP6
    This EBS instance was never configured with any SSO solution (OSSO,OAM) before.
    The document mentions patch # 10246061.
    Is this the only patch or do we also need patch # 6117031 ?
    Patch # 6117031 was required for OSSO-OID-EBS integration. Is this specific to OSSO –EBS integration ?
    Thank you,
  • Keith M Swartz Thursday, June 9, 2011
    Hello Manasi,
    Yes, you can use this integration with any EBS product (except for those
    identified in the Known Issues section of our documentation). However, there is
    a known issue -- not presently documented -- affecting global logout with
    This issue is fixed in the latest release of Oracle E-Business Suite AccessGate
    (1.1), but this code has not yet been certified for use with OAM 10g. This
    certification is planned, and will address any issues using iStore with OAM 10g
    and Oracle E-Business Suite 11i.
    Regarding the specifics of patch 6117031, I recommend reviewing this with
    Oracle Support. Generally, this is needed, but whether you require it or not
    will depend on what other patches you have installed. Note that 11.5.10 CU 2
    and ATG RUP 6 or later is the minimum requirement for OAM 10g integration.
  • Bernie Tuesday, August 16, 2011

    "Oracle Access Manager 11g Patchset 1 is not yet certified for use with Oracle E-Business Suite at this time"

    Is there any indication of progress with dertification against PS1 please? I'm really reluctant to have to regress to BP02 for this integration....



  • Keith M Swartz Tuesday, August 16, 2011

    Hi Bernie,

    Revenue recognition policies prevent us from disclosing specific projection dates for our certifications. However, I can say that we are working on PS1 certifications and are very close to being complete.

    That said, if you do choose to install, the upgrade to is very quick and painless, especially if you are integrating via Oracle E-Business Suite AccessGate. (There's a little more work if you are integrating with mod_osso, unless you wait to migrate your existing applications.) So I wouldn't necessarily let the delay hold up your deployment plans, unless you're really just a few weeks away from going live.



  • guest Friday, October 28, 2011

    Hi Steve,

    We have successfully inetgrated EBS R12.1.3 with OAM 10g using EBS accessgate ( MOS note 975182.1) . OID is 11g . SSO works fine . We have built DR for EBS and OID/OAM using Data guard , OID replication and rsync . we are testing DR scenarios and have below questions :

    1. If EBS-PROD goes down , EBS-DR will be activated and this should talk to OID-PROD , how to make it communicate with OID-PROD ? so that SSO still works via accessgate .

    2. If OID-PROD goes down ( and assuming EBS-PROD is still up) , then OID-DR will be activated , in this case how to make EBS-PROD talk to OID-DR so that SSO still works via accessgate , what steps need to be performed . I searched MOS and could not find any notes about DR testing for EBS inetgrated with OAM via accessgate.

    I have also raised an SR but seeking your help on this .

    Thanks in advance,


  • Keith M Swartz Friday, October 28, 2011

    Hi Raghav,

    Unfortunately, this type of detailed question is really better suited for our colleagues in the support organization than in a blog comment. Any configuration changes that are necessary to support DataGuard would be something that team could assist with.



Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha

Recent Content