[The article applies to EBS 12.1 and 12.2; it is an updated version of this older article that covered EBS 12.0 and 11i]

The E-Business Suite has its own security and user-management capabilities.  You can use the E-Business Suite’s native features to authenticate users, authorize users (i.e. assign responsibilities to them), and manage your EBS user repository.  The majority of E-Business Suite system administrators simply use these built-in capabilities for enabling access to the E-Business Suite.

When EBS built-in capabilities aren’t enough

Some organisations have third-party user authentication systems in place.  These include CA Netegrity SiteMinder, Windows Kerberos, and others.  These organisations frequently use third-party LDAP directory solutions such as Microsoft Active Directory, OpenLDAP, and others.

We don’t certify the E-Business Suite with those third-party products directly, and we don’t have any plans to do so.  This article is intended to explain why Oracle Internet Directory (OID) is required when integrating with Oracle Access Manager (OAM). 

OAM and OID are mandatory for third-party integration

Oracle Internet Directory and Oracle Access Manager are mandatory requirements when integrating third-party authentication products directly with the E-Business Suite.

It is not possible to integrate the E-Business Suite directly with Microsoft Active Directory, Windows Kerberos, or CA Netegrity SiteMinder.

It’s possible to integrate the E-Business Suite with those third-party solutions via Oracle Access Manager and Oracle Internet Directory.  See these articles:

Before going on, I’d recommend reading those third-party integration articles.  If you don’t have those concepts under your belt, the rest of this article isn’t going to make much sense.

[Architecture diagram: Oracle Access Manager, Oracle Internet Directory, E-Business Suite, AccessGate, WebGate]

Why does EBS require OID with OAM?

Oracle Access Manager itself doesn’t require Oracle Internet Directory.  However, Oracle Internet Directory is a mandatory requirement when Oracle Access Manager is integrated with the E-Business Suite.

Why?  The short answer is that the E-Business Suite has hardcoded dependencies on Oracle Internet Directory for this configuration.  These dependencies mean that you cannot replace Oracle Internet Directory with any third-party LDAP directory for this particular configuration.

There are two cases of hardcoded dependencies on Oracle Internet Directory:

1. Reliance on Oracle GUIDs

From the articles linked above, you know that user authentication is handled by Oracle Access Manager, and user authorization is handled by the E-Business Suite itself.  This means that there are two different user namespaces. 

These namespaces must be linked and coordinated somehow, to ensure that a particular user logging in via Oracle Access Manager is the same user represented within the E-Business Suite’s own internal FNDUSER repository.

We associate externally-managed Oracle Access Manager users with internally-managed E-Business Suite users via a Global Unique Identifier (GUID).  These Global Unique Identifiers are generated exclusively by Oracle Internet Directory. 

The E-Business Suite has hardcoded functions to handle the mapping of these Global Unique Identifiers between Oracle Access Manager and the E-Business Suite.  These mapping functions are specific to Oracle Internet Directory; it isn’t possible to replace Oracle Internet Directory with a generic third-party LDAP directory and still preserve this functionality.

2. Synchronous user account creation

The E-Business Suite is predominantly used internally within an organisation.  Certain E-Business Suite application modules can be made visible to users outside of an organisation.  These include iStore, iRecruitment, iSupplier, and other application modules where the users aren’t necessarily restricted to an organisation’s own employees.

Users of some of those application modules expect to be able to register for a new account and use it immediately.  This makes sense.  If you’re posting job openings via iRecruitment, potential applicants shouldn’t need to hold off on submitting their resumes while your E-Business Suite sysadmin creates an account manually, assigns EBS responsibilities, and emails them the account login details. They’ll be long gone before that happens.

This means that EBS application modules that support self-registration must create user accounts synchronously.  A new account must be created within the E-Business Suite and the externalized directory at the same time, on demand.

The E-Business Suite has hardcoded dependencies upon Oracle Internet Directory function calls that handle these synchronous account creation tasks.  These function calls are specific to Oracle Internet Directory; it isn’t possible to replace Oracle Internet Directory with a generic third-party LDAP directory and still preserve this functionality.
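To make the two dependencies above concrete (GUID-based linking of the OAM/OID namespace to the EBS namespace, and synchronous self-registration), here is a small constructed model added for this article; it is not Oracle’s code or API.  It assumes a directory that stamps each entry with an `orclguid` attribute and an FND_USER-style table holding that value in a `USER_GUID` column, with the EBS account resolved by GUID rather than by user name, and registration that creates the account in both stores or in neither.

```python
# Constructed model of the two user namespaces (assumption: not Oracle's own
# implementation). An OID-style directory issues GUIDs; an FND_USER-style
# table stores them in USER_GUID so the two records can be linked.
import uuid


class Directory:
    """Stand-in for Oracle Internet Directory: every entry gets a GUID."""
    def __init__(self):
        self.entries = {}  # uid -> {"orclguid": ...}

    def add(self, uid):
        if uid in self.entries:
            raise ValueError(f"{uid} already exists in the directory")
        guid = uuid.uuid4().hex.upper()  # constructed stand-in for orclguid
        self.entries[uid] = {"orclguid": guid}
        return guid

    def guid_for(self, uid):
        return self.entries[uid]["orclguid"]


class FndUser:
    """Stand-in for EBS FND_USER: rows keyed by USER_NAME with a USER_GUID."""
    def __init__(self):
        self.rows = {}

    def create(self, user_name, user_guid):
        if user_name in self.rows:
            raise ValueError(f"{user_name} already exists in FND_USER")
        self.rows[user_name] = {"USER_GUID": user_guid, "responsibilities": []}

    def by_guid(self, guid):
        # Link by the immutable GUID, never by the (renamable) user name.
        for name, row in self.rows.items():
            if row["USER_GUID"] == guid:
                return name
        return None


def resolve_sso_user(directory, fnd, sso_uid):
    """Map an OAM-authenticated uid to the EBS account via its GUID."""
    return fnd.by_guid(directory.guid_for(sso_uid))


def self_register(directory, fnd, user_name):
    """Synchronous registration: create in both stores, or in neither."""
    guid = directory.add(user_name)
    try:
        fnd.create(user_name, guid)
    except Exception:
        del directory.entries[user_name]  # compensate so the stores stay in sync
        raise
    return guid
```

The compensating delete in `self_register` is the point of the second dependency: a registration that succeeded in only one store would leave an OAM-authenticated user with no EBS account, or an EBS account no one can log in to.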

Related Articles