In-Depth: Using Single Sign-On 10g with E-Business Suite Release 11i

Editor Jan. 12, 2007 Update:  Oracle Identity Management 10g 10.1.4.0.1 is now certified with the E-Business Suite. 

In the two-year Early Adopter Program we ran for OracleAS 10g + E-Business Suite configurations, over 200 customers elected to enable Single Sign-On 10g in their environments.

If that's representative of the general E-Business Suite customer, this suggests that approximately 75% of E-Business Suite customers will wish to use OracleAS 10g for this reason alone. 

Technical Benefits

This is a technically-focussed blog and I've promised not to bore you with vacuous marketing rhetoric.  If you want to get the full pitch on why Oracle Identity Management should be your choice of solutions, you can find many compelling arguments here.

For E-Business Suite customers, the key benefits are:
  • The ability to offer a comprehensive Single Sign-On solution that works with all Oracle products, including the E-Business Suite, PeopleSoft, and JD Edwards.

  • The ability to use Oracle Internet Directory for managing E-Business Suite user credentials, shifting focus from the older FND_USER directory.

  • The ability to integrate the E-Business Suite with your existing third-party single sign-on and LDAP infrastructure.

Comprehensive Single Sign-On Solution

If you have one or more E-Business Suite Release 11i instances and are tired of maintaining users separately for each environment, you can create a central OracleAS 10g environment and manage all 11i users in one place.

If you have a combination of PeopleSoft, JD Edwards, and the E-Business Suite in your organization, you can use OracleAS 10g to manage users for all three environments centrally.

If you have a combination of the E-Business Suite and custom applications based on Oracle databases or OracleAS 10g technology, you can use OracleAS 10g to manage users for all applications in a single place.

Use Oracle Internet Directory Instead of FND_USER

The E-Business Suite's user management capabilities (based on the FND_USER directory) are perfectly adequate for administering E-Business Suite users.  However, security administrators wishing for additional user management and provisioning features would benefit from switching to Oracle Internet Directory.

Integrate with Third-Party LDAP and Single Sign-On Products

If you have an existing corporate security system such as Microsoft Active Directory, Windows Kerberos, Sun ONE/iPlanet, or Netegrity SiteMinder, using OracleAS 10g allows you to integrate your E-Business Suite with that infrastructure.  This is a topic for a future In-Depth posting; watch this space.

How Single Sign-On 10g Works With the E-Business Suite

When the E-Business Suite is integrated with OracleAS 10g and Single Sign-On 10g, the user authentication process is handled by Single Sign-On 10g. 

Simple SSO 10g + Release 11i flow:

Users attempting to access protected E-Business Suite content are redirected to Single Sign-On 10g for authentication.  Users log in via Single Sign-On 10g, and then are redirected back to the E-Business Suite and the protected content they wished to access.

Authentication versus Authorization

It's important to distinguish user authentication from user authorization:
  • User authentication is the process of establishing whether the user is who they claim to be.
  • User authorization is the process of determining what resources an authenticated user is permitted to access.
With our current integration for the E-Business Suite Release 11i, these two processes are handled by Single Sign-On and the E-Business Suite, respectively:
  • When the E-Business Suite is integrated with Single Sign-On 10g, it delegates user authentication to Single Sign-On. 
  • After Single Sign-On has successfully authenticated a user, the E-Business Suite handles the authorization process:  e.g. ensuring that the user is entitled to file expenses.
Partner Applications, Single Sign-On, and Single Sign-Off

The E-Business Suite is a Single Sign-On partner application.  Once a user logs on successfully to Single Sign-On 10g, the user has access to all registered partner applications without having to log on again.

Likewise, if a user logs out of any one of those partner applications, the user is logged out of all of them.  This is called Single Sign-Off, and works with the E-Business Suite, too.

Under the Covers:  The Chain of Trust

The key architectural concept to understand is that there is a chain of trust established between the E-Business Suite, Single Sign-On 10g, and Oracle Internet Directory 10g:

Simple SSO 10g Chain of Trust:

The E-Business Suite delegates user authentication to Single Sign-On, and Single Sign-On delegates user credential validation to Oracle Internet Directory.

The Log In Process, Deconstructed

Let's walk through this with an example:

Our example user isn't logged into the E-Business Suite.  She attempts to access a bookmarked link in her browser that points to the E-Business Suite's Self-Service Expenses page.

The E-Business Suite checks the user's browser for a valid 11i cookie, but doesn't find one:  not surprising -- she hasn't logged in yet. 

The E-Business Suite redirects the user to Single Sign-On 10g.  Single Sign-On 10g displays a login screen and collects the user's userid and password.  It then passes those credentials to Oracle Internet Directory for validation. 

Oracle Internet Directory checks the submitted credentials against its LDAP directory (part of the OracleAS 10g Infrastructure) and returns an approval or rejection to Single Sign-On.  Single Sign-On never validates the password itself; only the directory does.

If approved, Single Sign-On 10g issues a set of security tokens to the user and redirects her back to the E-Business Suite.   If rejected, the user is given another chance to log in with valid credentials.

Once redirected back to the E-Business Suite, the E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities in the E-Business Suite FND_USER table. 

Having established that our example user is authorized to access Self-Service Expenses, the E-Business Suite issues its own security tokens and creates a new ICX user session.  The user now has two sets of security tokens in her browser, one from Single Sign-On 10g, and another from the E-Business Suite. 

At this point, the user is officially logged in, and is redirected to Self-Service Expenses.

Synchronizing User Credentials Between Oracle Internet Directory and the E-Business Suite

If user authentication and user authorization are performed by two different parts of this integrated system for the same user, the alert reader will leap ahead and guess that user credentials need to be synchronized.

That guess would be correct:  user credentials in Oracle Internet Directory and the E-Business Suite's FND_USER directory need to be synchronized.  A user must be recognized and have valid entries in both locations to gain access to protected content.

DIP synchronization OID + Release 11i:

This synchronization is handled by an Oracle Internet Directory tool called the Directory Integration & Provisioning Platform. 

It's up to you to designate the master "source of truth" for user credentials; this is fully configurable.  For example, you can designate the E-Business Suite as the master and Oracle Internet Directory as the slave, or vice versa.  You can even elect to manage user credentials in both locations and have changes updated automatically between the two of them. 

In other words, changes to user credentials can flow:
  • From the E-Business Suite to Oracle Internet Directory
  • From Oracle Internet Directory to the E-Business Suite
  • Bidirectionally between them.
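The log-in walk-through and the synchronization requirement above, as an added example in Python that is not code from the original post or from Oracle. The class names, the HMAC-signed token, the dictionary standing in for FND_USER (a user_guid link plus a set of responsibilities), the sync_oid_to_ebs function and the sample user jsmith are assumptions made for illustration; the real products use their own token formats and directory schemas. What it shows: a password is accepted or rejected only in the directory, a tampered token is rejected by the partner application, and an authenticated user is still denied until a synchronized FND_USER row and a responsibility exist.

```python
# Added example, not code from the original post or from Oracle: a toy model of the
# chain of trust described above. OID, SSO 10g and the E-Business Suite are each one
# small class; PBKDF2, the HMAC token, the FND_USER layout and the DIP sync step are
# assumed simplifications, not Oracle's design.
import hashlib
import hmac
import os

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class OracleInternetDirectory:
    """Credential store: the only component that ever sees a password."""
    def __init__(self):
        self.entries = {}  # userid -> {"guid", "salt", "hash"}

    def provision(self, userid, password):
        salt = os.urandom(16)
        self.entries[userid] = {"guid": os.urandom(16).hex(), "salt": salt,
                                "hash": _pbkdf2(password, salt)}

    def validate(self, userid, password):
        # Returns the user's GUID on success, None on rejection.
        entry = self.entries.get(userid)
        if entry is None:
            return None
        ok = hmac.compare_digest(_pbkdf2(password, entry["salt"]), entry["hash"])
        return entry["guid"] if ok else None

class SingleSignOn:
    """Authenticates by asking OID; partner applications trust its signed tokens."""
    def __init__(self, directory):
        self._oid = directory
        self._key = os.urandom(32)  # never shared with partner applications

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), "sha256").hexdigest()

    def login(self, userid, password):
        """Login screen: returns a token, or None so the user can try again."""
        guid = self._oid.validate(userid, password)
        if guid is None:
            return None
        payload = f"{userid}:{guid}"
        return payload + ":" + self._sign(payload)

    def verify(self, token):
        """Return (userid, guid) for a genuine token, None otherwise."""
        parts = token.split(":")
        if len(parts) != 3:
            return None
        userid, guid, sig = parts
        if not hmac.compare_digest(sig, self._sign(f"{userid}:{guid}")):
            return None
        return userid, guid

class EBusinessSuite:
    """Partner application: delegates authentication, keeps authorization."""
    def __init__(self, sso):
        self._sso = sso
        self.fnd_user = {}  # userid -> {"user_guid", "responsibilities"}

    def access(self, token, responsibility):
        identity = None if token is None else self._sso.verify(token)
        if identity is None:
            return "redirect"  # no valid SSO session: bounce the browser to SSO
        userid, guid = identity
        row = self.fnd_user.get(userid)
        if row is None or row["user_guid"] != guid:
            return "denied"  # authenticated, but no linked FND_USER entry
        if responsibility not in row["responsibilities"]:
            return "denied"  # authenticated, but not entitled to this function
        return "ok"  # EBS would now create its own ICX session

def sync_oid_to_ebs(directory, ebs):
    """DIP-style one-way sync with OID as source of truth: create the missing
    FND_USER rows, linked by GUID. Responsibilities are still assigned in EBS."""
    for userid, entry in directory.entries.items():
        ebs.fnd_user.setdefault(userid, {"user_guid": entry["guid"],
                                         "responsibilities": set()})

def demo():
    """Replays the walk-through for a constructed sample user; returns outcomes."""
    oid = OracleInternetDirectory()
    sso = SingleSignOn(oid)
    ebs = EBusinessSuite(sso)
    oid.provision("jsmith", "correct horse battery staple")
    token = sso.login("jsmith", "correct horse battery staple")
    forged = "sysadmin" + token[len("jsmith"):]  # swap the userid, keep the signature
    outcomes = [
        ebs.access(None, "Internet Expenses"),    # no cookie yet
        sso.login("jsmith", "wrong password"),    # OID rejects: no token issued
        ebs.access(forged, "Internet Expenses"),  # tampered token
        ebs.access(token, "Internet Expenses"),   # not yet synchronized to FND_USER
    ]
    sync_oid_to_ebs(oid, ebs)
    outcomes.append(ebs.access(token, "Internet Expenses"))  # no responsibility yet
    ebs.fnd_user["jsmith"]["responsibilities"].add("Internet Expenses")
    outcomes.append(ebs.access(token, "Internet Expenses"))  # logged in
    return outcomes
```

demo() returns the six outcomes in order: redirect, no token, redirect, denied, denied, ok. The sync step copies only the identity link; responsibilities still have to be granted inside the E-Business Suite, which is why a freshly synchronized user is authenticated yet still turned away.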
At this point, you're probably as exhausted as I am, so I'll cover third-party LDAP and Single Sign-On integration tomorrow.

Comments:

Hello!
As I understand it, the only way to add a responsibility to an EBS user (if SSO functionality is in use) is to use the standard Forms interface in EBS.
SSO is required only for simplifying authentication between some systems.
User responsibility administration does not change when SSO is implemented.

Posted by Oleg on June 18, 2007 at 07:16 PM PDT #

Hi, Oleg,

Yes, that's correct.  You must still use the E-Business Suite's Security forms to assign Applications responsibilities to new users, even when you've integrated the E-Business Suite with Single Sign-On and Oracle Internet Directory.

Regards,
Steven

Posted by Steven Chan on June 19, 2007 at 04:27 AM PDT #

Steve - Question for you: if we have some "generic" type users, let's say a user created in 11i ("gluser" or "minmax") which is shared by a group of people, then post SSO implementation for 11i, how can these ids be handled?

Appreciate your help in this area.

Regards,
Nandita

Posted by Nandita Saigal on December 12, 2007 at 06:38 AM PST #

Nandita,

I'm afraid that the short answer is that you may have some trouble sharing a single Apps userid with multiple SSO userids.  You can associate a single SSO userid with multiple Apps userids.  This is a "one-to-many" linkage.  This is supported and technically feasible; see Note 261914.1 for details.  The Apps userid has a foreign key that points to the SSO userid.

You cannot set up a "many-to-one" linkage as you've described, however.  The Apps userid can only point to a single SSO userid.

Regards,
Steven

Posted by Steven Chan on December 17, 2007 at 07:08 AM PST #

HI Steve,

We are trying to configure E-Biz 11i/10gAS (with SSO & OID) with IBM Tivoli Access Manager and WebSEAL, where WebSEAL is seen by EBS as a reverse proxy (we will create a junction for each EBS instance in WebSEAL). We are planning to set the profile options below to point to the WebSEAL server and tell EBS where to go during actions such as when an SSWA page is invoked from an applet.

Apps Servlet Agent
Applications JSP Agent
Application Framework Agent
Applications Web Agent
Applications Help Web Agent
Applications Portal
Applications Portal Logout
ICX: Forms Launcher
TCF:HOST

Can you please advise if this is going to work and do you see any issues with this type of configuration.

Posted by Yugendhar Meka on February 05, 2009 at 10:07 AM PST #

Hello Yugendhar Meka,

To implement any device as a reverse proxy with eBiz, you should be using the instructions in Note 287176.1 "DMZ Configuration with Oracle E-Business Suite 11i"

There are no WebSEAL-specific instructions; however, you should search Metalink for any known issues. For example, Note 779065.1 "FRM-92050: Failed to connect to Server: /forms/lservlet:-1 When using IBM WebSeal with Oracle Applications" describes a specific case.

Hope this helps

Mike Shaw

Posted by Mike Shaw on February 05, 2009 at 04:31 PM PST #

Hi,

Can you please explain how Portal is used as a product and how it's used as a part of authentication in OID/SSO environments? What's the major usage of Portal as a product? What do we gain and lose if we do not have Portal installed in E-Business environments?

any comments/information would be greatly appreciated.

Thanks
Rajiv

Posted by Rajiv on July 28, 2009 at 11:44 AM PDT #

In other posts, you mention OIM and SSO/OID as advancing on separate code bases tracking at versions 10.1.4 and 10.1.2 respectively. You also use the term Oracle Identity Management in this article but refer exclusively to OID and SSO in your implementation examples. Does this imply that a) you must have the OID product, or just any LDAP product, b) you must have Oracle SSO, and c) if you use provisioning, you may now use OIM?

Posted by Mark Athas on July 29, 2009 at 12:34 AM PDT #

Hi, Rajiv,

You might find the following article useful:

In-Depth: Using Portal 10g with the E-Business Suite - http://blogs.oracle.com/stevenChan/2006/05/indepth_using_portal_10g_with.html

You can find links to more Portal resources in that article. You should be aware that our Fusion Middleware team is focussing heavily on Oracle Web Center for the latest new website creation features and functionality. You can find links to Web Center-related resources here:

WebCenter 10g 10.1.3.4 Certified with E-Business Suite Release 12 - http://blogs.oracle.com/stevenChan/2009/04/webcenter_10g_10134_certified_with_ebs12.html

Good luck with your evaluation.

Regards,
Steven

Posted by Steven Chan on August 03, 2009 at 03:54 AM PDT #

Hi, Mark,

The E-Business Suite is certified to integrate directly with Single Sign-On and OID today. We're investigating options for integrating E-Business Suite directly with Oracle Access Manager (in place of SSO). We're also investigating options to integrate the E-Business Suite with Oracle Identity Manager (OIM).

I don't have firm schedules for either of these certifications yet, but you're welcome to monitor or subscribe to this blog for updates, which I'll post as soon as they're available.

Oracle Single Sign-On requires Oracle Internet Directory; you cannot substitute Oracle Internet Directory with a third-party LDAP directory. It's possible to integrate a third-party LDAP directory with OID. I've covered that in more detail in this article:

In-Depth: Using Third-Party Identity Managers with the E-Business Suite Release 11i - http://blogs.oracle.com/stevenChan/2006/05/indepth_using_thirdparty_ident.html

Regards,
Steven

Posted by Steven Chan on August 03, 2009 at 04:00 AM PDT #

Hi Steven,
I have just implemented SSO with EBS, and it is working great! All except for the timeout of inactive users. All setup was done properly, and is working at the GIT level at the console for instance, but no user timeout is occurring within the apps, unless we wait for the default 8-hour disconnect from the SSO console, at which time it works like a charm. I cannot find a resolution for this. I need to know exactly what happens after the, e.g., 15 minutes of timeout for the 11.5.10 apps, and what happens at the 8 hours, because while we cannot change that setting and affect active users, it is exactly what we need to have happen.
Can you help?
Cindi

Posted by Cindi Stein on August 14, 2009 at 01:15 AM PDT #

Hi, Cindi,

Glad to hear that you've gotten this far in your implementation.

If I understand your question, you've got the SSO timeout set to 8 hours, and the EBS timeout set to 15 minutes. You'd like EBS users to be logged out of EBS if they're inactive for 15 minutes... but this isn't happening.

Remember that the SSO timeout will always take precedence if set to a value longer than the EBS timeout.

In your case, an inactive EBS user's session times out after 15 minutes. But then, say, 45 minutes later, the EBS user clicks on a particular menu item in their Apps Navigator.

EBS sees that the user session has timed out. EBS redirects the user back to SSO to be logged in again. SSO sees that the SSO session is still valid (ie. within the 8 hour window), and redirects the user back to EBS. EBS sees that the user has a valid SSO session and restores the EBS user back to an "active" session state. This all happens transparently to the user.

Since the SSO timeout trumps the EBS timeout, you'll have to have a discussion with your internal security team that defines the SSO timeout. I can imagine that you'll have a healthy debate about the EBS security implications of such a long SSO timeout window.

Regards,
Steven

Posted by Steven Chan on August 14, 2009 at 03:02 AM PDT #
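Steven's explanation of the two timers above, as an added example in Python that is not code from the original post or from Oracle. It assumes that the EBS timeout is an inactivity timeout, that the SSO timeout is a session lifetime counted from the SSO login (the "8 hours" in Cindi's question), and that an EBS request which finds its own session expired always bounces through SSO before showing anything to the user; the function and field names are made up for the illustration.

```python
# Added example, not code from the original post or from Oracle: a simulation of the
# two timers Steven describes. Assumptions: the EBS timeout is an inactivity timeout,
# the SSO timeout is a session lifetime measured from the SSO login, and an EBS
# request that finds its own session expired always redirects through SSO.
from dataclasses import dataclass


@dataclass
class Session:
    sso_expires_at: float     # minutes after the SSO login
    ebs_last_activity: float  # minutes; the ICX session's idle clock


def ebs_request(session, now, ebs_idle_timeout):
    """One click in the Apps Navigator at minute `now`.
    Returns "served", "re-established" (silent bounce through SSO) or "re-login"."""
    if now - session.ebs_last_activity <= ebs_idle_timeout:
        session.ebs_last_activity = now
        return "served"
    # The ICX session has timed out: EBS redirects the browser to SSO.
    if now <= session.sso_expires_at:
        # SSO still holds a valid session, so it redirects straight back and EBS
        # issues a fresh ICX session; the user never sees a login page.
        session.ebs_last_activity = now
        return "re-established"
    return "re-login"  # both sessions are gone: SSO shows the login screen


def simulate(clicks, ebs_idle_timeout, sso_lifetime):
    """Log in at minute 0, replay the click times, return the outcomes."""
    session = Session(sso_expires_at=sso_lifetime, ebs_last_activity=0.0)
    return [ebs_request(session, t, ebs_idle_timeout) for t in clicks]


def effective_idle_window(ebs_idle_timeout, sso_lifetime):
    """How long an unattended, logged-in browser can sit idle and still get back
    into EBS without a password: the longer of the two timers wins."""
    return max(ebs_idle_timeout, sso_lifetime)


if __name__ == "__main__":
    # Cindi's configuration: 15-minute EBS timeout, 8-hour SSO session.
    print(simulate([10, 60, 600], ebs_idle_timeout=15, sso_lifetime=480))
    # SSO lifetime brought down to match: the click at minute 60 now needs a password.
    print(simulate([10, 60], ebs_idle_timeout=15, sso_lifetime=15))
```

With Cindi's settings the click at minute 60 is silently re-established and only the one after the 8-hour mark demands a password, which is exactly the behaviour she reports. The exposure window is the longer of the two timers: a short EBS timeout buys nothing while the SSO session outlives it, and conversely a short SSO lifetime does not cut an EBS session that is still within its own inactivity window, because EBS does not consult SSO until its session has expired. Whatever timers the SSO server exposes, the one that is longer than the EBS inactivity timeout is the one the security team Steven mentions needs to own.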

Dear Steven

Can you please send me the steps to configure SSO with EBS as i'm new to the EBS.

Posted by Ali on February 01, 2012 at 03:53 AM PST #

Ali,

Thank you for your inquiry.

This blog entry is regarding Oracle Single Sign-On 10g integration with EBS R11i. Our recommendation for R11i customers is to first upgrade to R12.1.3, then deploy a single sign-on solution for R12 with Oracle Access Manager 11g and Oracle E-Business Suite Access Gate.

Configuration steps for an R12 integration with Oracle Access Manager and Oracle E-Business Suite Access Gate are provided in the following My Oracle Support Note: Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR1 (11.1.1.5) using Oracle E-Business Suite AccessGate Note 1309013.1. The link to the My Oracle Support Note is as follows:
https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1309013.1

Configuration steps for Oracle Single Sign-On integration with R11i are provided in the following My Oracle Support Note: Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On Note 261914.1. The link to the My Oracle Support Note is as follows:
https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=261914.1&h=Y

Thanks.
~ep

Posted by Elke Phelps (Oracle Development) on February 01, 2012 at 09:56 AM PST #
