In-Depth: Using Third-Party Identity Managers with the E-Business Suite Release 11i

Like most of our customers, you probably already have a corporate identity management system in place.  And you've probably not been enjoying the experience of administering the same user twice: once in your corporate identity management system and again in the E-Business Suite.


If this describes your environment, this post should come as good news to you. 

No More Redundant User Administration

With the certification of Oracle Application Server 10g and Single Sign-On 10g, it is now possible to integrate the E-Business Suite with existing third-party LDAP and single sign-on solutions, like this:

Simple Third-Party LDAP SSO Integration:

Third-party single sign-on solutions can be integrated with Oracle Single Sign-On 10g, and third-party LDAP directories can be integrated with Oracle Internet Directory 10g.  From there, it's a short hop to the E-Business Suite.

Example Scenario:  The Deluxe "Zero Sign-On" Approach

A user logs on to their PC using their Windows userid and password.  Wanting to avoid real work, the user decides to file a long-overdue expense report for last year's OpenWorld conference.  He starts Internet Explorer, opens Favorites, and selects a bookmarked link for the E-Business Suite's Self-Service Expenses.

Self-Service Expenses starts up, and the user begins the process of assembling rationalizations to justify that $450 dinner at Jardiniere with their favorite Oracle blogger.

(This is a fictional example, of course; nobody takes bloggers out to dinner)

We sometimes call this "zero sign-on" because the user never actually logged on to any Oracle systems at all; their Windows Kerberos ticket gave them an all-access pass to the E-Business Suite automatically.

Magic?  What Really Happened?

Brace yourself: some of the following material might require a couple of passes to sink in.

The scenario above illustrates the following integrations:
  • Microsoft Active Directory with Oracle Internet Directory 10g
  • Microsoft Kerberos Authentication with Oracle Single Sign-On 10g
  • Oracle Application Server 10g with the E-Business Suite

MS AD + Kerberos Integration:

The user logged on to their PC, which authenticated them against Microsoft Active Directory.  As part of that logon process, Microsoft Kerberos Authentication issued a valid Kerberos ticket to the user.

When the user attempted to access Self-Service Expenses via his bookmarked link, he was redirected to Oracle Single Sign-On 10g.  Oracle Single Sign-On 10g recognized the Microsoft Kerberos ticket, issued its own Oracle security tokens to the user, and redirected the user back to the E-Business Suite.

The E-Business Suite recognized the Oracle Single Sign-On 10g security tokens and looked up the user's assigned Applications Responsibilities to ensure that he was authorized to access Self-Service Expenses.  That done, it issued its own E-Business Suite security tokens and then passed the user through to Self-Service Expenses without requiring any additional logons.

Integration with Microsoft Active Directory Only

Not everyone uses Microsoft Kerberos Authentication.  A simpler integration option omits Kerberos and includes only Microsoft Active Directory and Oracle Internet Directory, like this:

MS AD Only - No Kerberos:

In this simpler architecture, when the user attempts to access Self-Service Expenses via his bookmarked link, he's redirected to OracleAS 10g Single Sign-On.  Single Sign-On displays a login screen and collects the user's ID and password.

Single Sign-On passes the user's supplied ID and password to Oracle Internet Directory for validation.  Oracle Internet Directory uses the Windows NT External Authentication plug-in (sometimes also called the Windows Native Authentication plug-in) to delegate user authentication to Microsoft Active Directory.

Microsoft Active Directory looks up the user's ID and password in its database, and informs Oracle Internet Directory that this is an authenticated user.  Oracle Internet Directory informs Single Sign-On that the user was successfully authenticated. 

Single Sign-On issues the user a set of security tokens and redirects the user to the E-Business Suite.  The E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities to ensure that he's authorized to access Self-Service Expenses.  That done, it issues its own E-Business Suite security tokens and then passes the user through to Self-Service Expenses.

"Out-of-the-box" Third-Party LDAP Integration with Oracle Internet Directory

Due to the popularity of Microsoft Active Directory, Oracle Internet Directory provides a prebuilt connector for it out of the box, ready to use.

Oracle Internet Directory also provides a prebuilt connector for the SunONE (iPlanet) Directory Server, ready-to-use.  You should note that Sun (like Oracle, following its myriad recent acquisitions) has rebranded its identity management products, so there's a new name for the Sun LDAP directory now.  I'll update this post with the latest name as soon as my Sun contacts provide me with that information.

Synchronization of User Credentials with Third-Party LDAP Directories

If you've been paying close attention so far, you have likely gathered that user credentials need to be synchronized between the third-party LDAP, Oracle Internet Directory, and the E-Business Suite.  The synchronization architecture looks like this:

Third-Party LDAP User Sync:

In this configuration, only the user name needs to be synchronized; the user's password is stored in the third-party LDAP directory.  None of the Oracle products need to store the user's password, since they delegate user authentication to the third-party LDAP solutions.

The key concept here is that user authentication is still separated from user authorization even when a third-party LDAP is in place.  So, the E-Business Suite still grants authenticated users access to E-Business Suite protected content based on the users' Applications Responsibilities, which are managed in the E-Business Suite exclusively.
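The chain described in the two scenarios above (third-party directory holds the password, OID holds only the synchronized user name, SSO delegates the password check and issues its own token, and EBS trusts that token for identity but decides access from its own Applications Responsibilities) can be modelled in a few classes. The following is an added example, not Oracle code; the class names, the MAC-based token format, and the users `jdoe` and `asmith` with their Responsibilities are all constructed for illustration.

```python
"""Model of authentication delegated outward and authorization kept in EBS.

Added example, not Oracle code.  ThirdPartyDirectory stands in for the
corporate LDAP (e.g. MS Active Directory) and is the only place a password
lives; OracleDirectory stands in for OID and receives user names only;
SingleSignOn stands in for Oracle SSO; EBusinessSuite checks the SSO token,
then its own Responsibilities.  All users, passwords and names are constructed.
"""
import hashlib
import hmac
import os
import secrets


class ThirdPartyDirectory:
    """Holds salted password hashes; answers LDAP-style bind requests."""

    def __init__(self):
        self._users = {}  # name -> (salt, pbkdf2 digest)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, self._hash(salt, password))

    def bind(self, name, password):
        entry = self._users.get(name)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, self._hash(salt, password))

    def user_names(self):
        return set(self._users)


class OracleDirectory:
    """OID stand-in: synchronizes user names, never passwords."""

    def __init__(self, external):
        self.external = external
        self.users = set()

    def synchronize(self):
        # Directory Integration Platform stand-in: names only cross the boundary.
        self.users = set(self.external.user_names())

    def authenticate(self, name, password):
        # External authentication plug-in stand-in: delegate the check outward.
        return name in self.users and self.external.bind(name, password)


class SingleSignOn:
    """Issues an HMAC-protected token once OID reports success."""

    def __init__(self, oid):
        self.oid = oid
        self.key = secrets.token_bytes(32)

    def login(self, name, password):
        if not self.oid.authenticate(name, password):
            return None
        mac = hmac.new(self.key, name.encode(), "sha256").hexdigest()
        return f"{name}.{mac}"

    def verify(self, token):
        name, _, mac = token.rpartition(".")
        expected = hmac.new(self.key, name.encode(), "sha256").hexdigest()
        return name if hmac.compare_digest(mac, expected) else None


class EBusinessSuite:
    """Trusts SSO for identity; authorizes from its own Responsibilities."""

    def __init__(self, sso):
        self.sso = sso
        self.responsibilities = {}  # FND_USER name -> set of Responsibilities

    def grant(self, name, responsibility):
        self.responsibilities.setdefault(name, set()).add(responsibility)

    def access(self, token, responsibility):
        name = self.sso.verify(token) if token else None
        if name is None:
            return "redirect-to-sso"       # no valid SSO token: go authenticate
        if responsibility not in self.responsibilities.get(name, ()):
            return "forbidden"             # authenticated, but not authorized
        return f"ok:{name}"


def demo():
    ad = ThirdPartyDirectory()
    ad.add_user("jdoe", "correct horse")        # constructed users
    ad.add_user("asmith", "battery staple")
    oid = OracleDirectory(ad)
    oid.synchronize()
    sso = SingleSignOn(oid)
    ebs = EBusinessSuite(sso)
    ebs.grant("jdoe", "Self-Service Expenses")  # asmith has no Responsibility
    target = "Self-Service Expenses"
    return {
        "bad_password": ebs.access(sso.login("jdoe", "wrong"), target),
        "authorized": ebs.access(sso.login("jdoe", "correct horse"), target),
        "no_responsibility": ebs.access(sso.login("asmith", "battery staple"), target),
        "forged_token": ebs.access("jdoe.0000", target),
    }
```

Running `demo()` shows the separation the section describes: a wrong password never produces a token, a forged token is bounced back to SSO, and a user who authenticates perfectly well is still refused when EBS holds no Responsibility for them.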

Integration With Other Single Sign-On Solutions

It is also possible to integrate Oracle Single Sign-On 10g with other single sign-on solutions, including:
When integrated with other single sign-on solutions, a chain of trust is established between the third-party solution, Oracle Single Sign-On, and the E-Business Suite.  Users logging on via the third-party single sign-on solution are passed through transparently to Oracle Single Sign-On and the E-Business Suite.

Bringing It All Together

Assuming I haven't lost you so far, the following diagram shouldn't be too overwhelming:

Combined 3rd Party LDAP SSO:

This combines all of the concepts we've covered:
  • Third-party LDAP integration with Oracle Internet Directory
  • Third-party SSO integration with Oracle Single Sign-On
  • Synchronization of user credentials via the Oracle Internet Directory's Oracle Directory & Provisioning Platform to the E-Business Suite

Relax, It's Easy and Fun

Well, maybe not... but at least it's technically feasible.  You might find it reassuring to note that a number of E-Business Suite customers are running this configuration in production already. 

This is about as much detail as I think is appropriate for now.  Feel free to post comments if you have questions about this topic. 

There are many more options for integration with the E-Business Suite, including options for linking OID userids to different E-Business Suite userids, and so on.  If you're really interested, I'd recommend a careful reading of this document:
Comments:

Wow! That must have been some dinner! Sure tops the $25 Hamburger I had in New York!

Of course, down here in Australia we are not significant enough to warrant an OpenWorld Conference on an annual basis. That stopped back in 1999, then we had a "one off" event in 2004 and have not heard a peep since :-(

Paul

Posted by Paul Murgatroyd on May 03, 2006 at 05:52 PM PDT #

Steven,

Can you pls also add a pic of yours
to this blog.

thanks

Posted by Sunil Choudhary on May 21, 2006 at 04:46 PM PDT #

I'll pass on that one, Sunil, but thanks for the suggestion.

Regards,
Steven

Posted by Steven Chan on May 22, 2006 at 01:19 AM PDT #

Hi Steve,
Can you explain how a java thick client running on PC can connect to Oracle Applications. There is this windows based program called Noetix Views Generator that accepts the Oracle Apps User-id and password and it authenticates the user and I believe is able to connect as an APPS user(database id). I think it must be using the applsyspub/apps gateway userid and password but not sure how it manages to create a database session with APPS user.

Can you please explain the process or atleast point to the right source.

Thanks and Regards
Nilesh

Posted by Nilesh Jethwa on June 12, 2006 at 02:32 PM PDT #

Nilesh,

That sounds like it's plausible, but unfortunately I'm not familiar with Noetix's underlying connection mechanisms.  Someone at Noetix may be able to comment on this more authoritatively than I.

Regards,
Steven

Posted by Steven Chan on June 13, 2006 at 02:55 AM PDT #

Steven, we use Microsoft's Active Directory for authentication and are looking at using the Deluxe "Zero Sign-On" Approach but have questions. If we were to use the Desktop Discoverer 10g (in application mode) and ADI clients how can we include them in the SSO solution?
Possible thoughts are:
The Desktop client - can it use the Kerberos ticket?
Can we sync the Active Directory password with the FND_USER table?

Thanks,
Rob

Posted by Rob Culhane on January 03, 2007 at 06:35 AM PST #

Rob,

Hmm... good question.  In a non-Kerberos environment, I know that both the Desktop Discoverer and ADI clients are definitely unable to take advantage of the SSO solution (which depends on HTTP level redirects).  However, I'm not familiar enough with the Kerberos ticket exchange process (and state management) to make a definitive statement about authentication flow in that configuration.  I would strongly suspect that this wouldn't work, but it can't hurt for you to assess this in a controlled testbed environment.

If it fails, your best option may be to evaluate the Web-based Discoverer and WebADI versions.  There are admittedly functional gaps between those releases and their client-server counterparts, but those may be more palatable than the management implications of local authentication and dual-management of passwords.

As for syncing the Active Directory password with FND_USER for local authentication, I believe that's not possible.  Like Oracle Internet Directory, MS Active Directory hashes user passwords, so they can't be decrypted and synced externally.

I'd be very interested to hear how this works out for you.  Please drop me a line with the results of your investigations.

Regards,
Steven

Posted by Steven Chan on January 08, 2007 at 08:37 AM PST #

Steven, how about this as a way out:
Oracle® Identity Management Integration Guide
10g (10.1.4.0.1)
Part Number B15995-01

What is the Oracle Password Filter for Microsoft Active Directory?
Oracle Directory Integration Platform enables synchronization between Oracle Internet Directory and Microsoft Active Directory. The Oracle Directory Integration Platform can retrieve all Microsoft Active Directory attributes with the exception of user passwords. Oracle Application Server Single Sign-On uses an external authentication plug-in to verify user credentials in Microsoft Active Directory. Environments that do not use Oracle Application Server Single Sign-On can use the Oracle Password Filter for Microsoft Active Directory to retrieve passwords from Microsoft Active Directory into Oracle Internet Directory. When users change their passwords from their desktops, the updated password is automatically synchronized with Oracle Internet Directory. More specifically, the Oracle Password Filter for Microsoft Active Directory monitors Microsoft Active Directory for password changes, which it then stores in Oracle Internet Directory. This allows Oracle Internet Directory users to be authenticated with their Microsoft Active Directory credentials and authorized to access resources by using information stored in Oracle Internet Directory. Storing Microsoft Active Directory user credentials in Oracle Internet Directory also provides a high availability solution in the event that the Microsoft Active Directory server is down. The Oracle Password Filter is installed on each Microsoft Active Directory server and automatically forwards password changes to Oracle Internet Directory.

Question:
Can we get the source for this to add sending the password to FND_USER?

Thanks

Rob

Posted by Rob Culhane on January 10, 2007 at 03:23 AM PST #

Rob,

This filter will allow the MS AD password to be provisioned to OID before it's irrevocably hashed.  There are two catches:  a) OID, in turn, irrevocably hashes the password, and b) we don't provision passwords from OID to FND_USER.

Unfortunately, Oracle's policies prevent the distribution of our source code, also.  So, back to the fallback option: If there are mission-critical functional gaps between the fat-client Discoverer and the web-client Discoverer, is this functionality required by all of your Discoverer end-users, or a subset of power-users?  Can you shift the majority of your users to the web-client, thereby minimizing the number of Discoverer power-users who'll need to dual-maintain their passwords in FND_USER and MS AD?

The same approach would carry for ADI vs WebADI, too.

Regards,
Steven

Posted by Steven Chan on January 11, 2007 at 03:08 AM PST #

Steven, my management is of the opinion that there is a large functional gap between the Web VS Client based Discoverer.

So if the filter, running on the MS Domain Controller, synced to the FND_USER table as well as the OID then we could have "Same Sign-On", in that the same ID/Password pair makes the user experience very smooth in MSAD, OID and Desktop Discoverer. I guess at this point this is a product enhancement request that the filter can sync not only to the OID but also the FND_USER if setup accordingly.

Thanks

Rob

Posted by Rob Culhane on January 11, 2007 at 08:08 AM PST #

I can appreciate your management's concerns about the functional gaps.  If you've the energy for it, it would be worthwhile logging separate Service Requests for:  a) narrowing the key functional gaps for Discoverer, and b) the enhancement request for the MS AD password filter.

The odds are that there won't be an immediate response from the respective Development teams for these products, but enhancement requests are more likely to be placed in a priority queue if lots of customers call for them.

Regards,
Steven

Posted by Steven Chan on January 12, 2007 at 07:14 AM PST #

John,

Just a reminder about terminology:  Oracle Internet Directory (OID) is just an LDAP directory.  Oracle Single Sign-On prompts for the user credentials before passing them to Oracle Internet Directory for authentication.

E-Business Suite 11i will always redirect authentication requests to Oracle Single Sign-On, but that's not really a problem.  My experience with Tivoli Access Manager (TAM) is limited, but I'll take a shot at this, based on my limited understanding.  One option for deploying TAM is via a web listener plug-in.  I believe that this plug-in can be installed on the Oracle HTTP Server (based on Apache) which fronts for Oracle Single Sign-On 10g.  This way, TAM intercepts and screens all traffic to Oracle Single Sign-On.

When an unauthenticated end-user attempts to access the E-Business Suite, the E-Business Suite redirects to Oracle Single Sign-On.  In a TAM-integrated architecture, these SSO-redirects would be redirected, in turn, to TAM, which acts as the sole authentication point.  The user logs into TAM, gets a TAM session cookie, and then redirects back to Oracle Single Sign-On.  Oracle Single Sign-On recognizes the TAM session cookie, issues its own, then redirects back to the E-Business Suite.  The E-Business Suite recognizes the Oracle Single Sign-On session cookie, then issues its own.

What happens with session timeouts depends on the relative values of the E-Business Suite timeout, the Oracle Single Sign-On timeout, and the TAM timeout.  Here's a simple case:

The E-Business Suite session times out and redirects to Oracle Single Sign-On for reauthentication.  TAM ignores this because its own timeout limit hasn't been exceeded.  If the Oracle Single Sign-On timeout isn't exceeded, it reissues the Oracle Single Sign-On session cookie, redirects back to the E-Business Suite, which recognizes the Oracle Single Sign-On cookie and reissues its own.

If TAM's timeout limit has been exceeded, then it will trap the Oracle Single Sign-On request, reauthenticate the user, and redirect back to Oracle Single Sign-On, triggering the cascading reauthentication process once again.

Whew!  That's a long answer for a short question.  So, the short answer is:  I believe that this will work, but you'll want to verify this with someone who's had hands-on experience with TAM + Oracle SSO integrations.

Regards,
Steven

Posted by Steven Chan on April 04, 2007 at 04:18 AM PDT #
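The timeout cascade Steven walks through in the reply above (EBS times out, the redirect passes through TAM's plug-in, and whichever outer layer has expired decides whether the user sees a login screen) is easy to get wrong when choosing the three timeouts. The following is an added model of that behaviour, not Oracle or IBM code. It assumes, for the model only, that each layer's cookie is valid for a fixed lifetime from issue, that a layer reissues its cookie whenever it redirects back down the chain, and that an expired SSO cookie is reissued silently while the TAM cookie is still valid, since SSO trusts the TAM session in this chain; the lifetimes and request times are constructed.

```python
"""Session-timeout cascade across TAM -> Oracle SSO -> E-Business Suite.

Added example, not Oracle or IBM code.  Three session layers, each with its
own cookie lifetime.  Assumptions (constructed for the model): a cookie is
valid for `lifetime` seconds from issue; a layer that redirects back reissues
its cookie; an expired SSO cookie is reissued silently while TAM's is valid.
"""
from typing import Dict, List, Optional


class Layer:
    def __init__(self, name: str, lifetime: int) -> None:
        self.name = name
        self.lifetime = lifetime                 # seconds a cookie stays valid
        self.issued_at: Optional[int] = None     # None until first issued

    def valid(self, now: int) -> bool:
        return self.issued_at is not None and now - self.issued_at < self.lifetime

    def issue(self, now: int) -> None:
        self.issued_at = now


class Chain:
    """TAM fronts SSO, SSO fronts EBS; every SSO redirect passes through TAM."""

    def __init__(self, tam_lifetime: int, sso_lifetime: int, ebs_lifetime: int) -> None:
        self.tam = Layer("tam", tam_lifetime)
        self.sso = Layer("sso", sso_lifetime)
        self.ebs = Layer("ebs", ebs_lifetime)

    def request(self, now: int) -> List[str]:
        """Events for one EBS page request at time `now` (seconds)."""
        if self.ebs.valid(now):
            return ["ebs-ok"]
        events = ["ebs-redirect-sso"]
        if not self.tam.valid(now):
            # TAM's plug-in traps the redirect: the user sees a login screen,
            # then the reissue cascades back down the chain.
            events.append("tam-login-prompt")
            self.tam.issue(now)
            self.sso.issue(now)
            events.append("sso-reissue")
        elif not self.sso.valid(now):
            # SSO cookie expired but TAM's is still good: silent reissue.
            events.append("sso-accepts-tam-cookie")
            self.sso.issue(now)
            events.append("sso-reissue")
        else:
            # Steven's simple case: SSO still valid, just reissues its cookie.
            self.sso.issue(now)
            events.append("sso-reissue")
        self.ebs.issue(now)
        events.append("ebs-reissue")
        return events


def simulate(timeline: List[int], tam: int, sso: int, ebs: int) -> Dict[int, List[str]]:
    chain = Chain(tam, sso, ebs)
    return {t: chain.request(t) for t in timeline}


def demo() -> Dict[int, List[str]]:
    # Constructed lifetimes: TAM 1 h, SSO 30 min, EBS 10 min; request times in seconds.
    return simulate([0, 100, 700, 2500, 4200], tam=3600, sso=1800, ebs=600)


def login_prompts(events: Dict[int, List[str]]) -> int:
    """How many times the user actually saw a login screen."""
    return sum("tam-login-prompt" in ev for ev in events.values())
```

With these constructed values the user is prompted only twice across the timeline (at the start and once TAM's hour has elapsed); the EBS and SSO expiries in between are absorbed silently by the chain, which is the point of the "cascading reauthentication" Steven describes.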

Our customer has chosen to use Tivoli Access Manager (TAM) as their authentication mechanism. We are questioning the viability of a TAM/11i single signon construct (where OID/SSO is used in front of 11i) and would like some guidance. Initial signon to 11i seems to be relatively easy. Our concern lies in what happens if an 11i transaction fails. We think 11i requires the user to be re-authenticated and that 11i will direct the user to OID for the re-authentication. Our customer wants the re-authentication to take place at the TAM layer, not the OID layer and we believe this will require customization to accomplish. Can you confirm our thinking is accurate? If it is not accurate, can you give us some guidance on how to point 11i to TAM for re-authentication instead of pointing to OID? Thank you.

Posted by John Griffo on April 04, 2007 at 05:04 AM PDT #

Thanks for the quick reply. Does this also hold true for R12? Approximately how many customers do you know of that use TAM?

Posted by John Griffo on April 09, 2007 at 01:03 AM PDT #

John,

This applies to both Release 11i and 12.  I only know of a handful of customers using TAM with the E-Business Suite, but can't cite them publicly here.  IBM would be tracking those more closely than us, for obvious reasons.

Regards,
Steven

Posted by Steven Chan on April 09, 2007 at 01:42 AM PDT #

Hello, Ankush,

Glad to hear that SiteMinder's working for you for your E-Business Suite environment.  I presume that you're using that with Sun's Java System Directory for LDAP, too?  What versions of the products are you using, and is this in production?

Unfortunately, since I'm part of the E-Business Suite division, I don't get a lot of exposure to Siebel CRM myself.  I understand that Siebel CRM can be integrated with Oracle Application Server 10g for SSO/OID usage.  If that's done, then the E-Business Suite and Siebel CRM can share a common Oracle identity management system, which, in turn, would delegate user authentication to SiteMinder.  That architecture would look like this:

Siebel ----+
           |
           +----> OracleAS 10g ---> SiteMinder
           |      (SSO/OID)
Apps 11i --+

You might wish to log a Service Request via Metalink to get a pointer to the Siebel + Oracle Application Server 10g integration documentation.  Good luck with that; please let me know how that works out for you.

Regards,
Steven

Posted by Steven Chan on April 09, 2007 at 04:30 AM PDT #

Hello Steven.

Can Siebel CRM (7.7) be integrated with Oracle e-Business Suite? We've already got Oracle e-Business Suite protected with SiteMinder, and it works like a charm. I was wondering if some kind of Oracle 11i / Siebel integration would let us extend SiteMinder protection to Siebel as well?

Thanks for your help; appreciate it.

regards,

Ankush

Posted by Ankush Kapoor on April 09, 2007 at 06:43 AM PDT #

Hi Steven,
I have successfully integrated OID/OAS 10gR2 with Microsoft AD ldap. We use AD as the users' authentication repository. Now the management asks for using AD as the users' authentication for Oracle Apps 11.5.10. I have looked up the note: 186981.1 "Oracle Application Server with Oracle E-Business Suite Release 11i FAQ". It is advised, first to integrate OID with Apps 11i and Then integrate the system of OID and 11i with AD. Since we have done the integration of OID and AD, do we need to redo the integration of OID and AD after having the integration of OID and 11i done?

Thanks in Advance.

Sean

Posted by Sean on November 27, 2007 at 08:42 AM PST #

Hi, Sean,

Congratulations on integrating Oracle Internet Directory with MS Active Directory.

No, you shouldn't have to redo any work.  At this point, you can integrate your E-Business Suite environment with Oracle Single Sign-On and Oracle Internet Directory by following Notes 233436.1 and 261914.1.  The integration of the E-Business Suite with SSO/OID will not affect your existing OID/MS AD integration.  Good luck with the next phase of your implementation.

Regards,
Steven

Posted by Steven Chan on November 29, 2007 at 04:03 AM PST #

Hi, Sheilah,

Based on my limited understanding of the IBM products, Tivoli Access Manager (TAM) wouldn't need to know anything about the E-Business Suite.  By definition, if it intercepts Oracle calls via an Apache-based plug-in, the mechanism used is through redirects.  In this architecture where the three layers are linked, TAM's sole job is to authenticate users against its own identity store and redirect the user back to the calling source.  In this architecture, the calling source is Oracle Single Sign-On, which should recognize the TAM headers/security token and issue its own security tokens.  Oracle Single Sign-On, in turn, redirects back to the E-Business Suite, which handles the authorization stage of the process.

Now, if TAM has alternative deployment architectures that don't involve Apache plug-ins, then there may be other ways of integrating it with Oracle Single Sign-On.  If so, that's something that might be better-investigated with someone more familiar with TAM than I (I absorb most of my TAM knowledge osmotically, not through formal briefings on IBM products).  You may wish to consult with a TAM specialist for more-detailed information about their plug-in, by the way.

There's no way that I know of to integrate TAM directly with the E-Business Suite, leaving Oracle Single Sign-On out of the loop.  Good luck with your implementation.

Regards,
Steven

Posted by Steven Chan on May 13, 2008 at 07:07 AM PDT #

Mr. Chan;

I have another question in regards to your response to Mr. Griffo.

In theory - would TAMS even have to know about the Ebusiness Suite? I would think that it would only have to be aware of OID since the initial entry point is TAMS. For that reason, why would there be the need for multiple redirections? My understanding of OID is somewhat limited, as I am just in the ramp up stage, but I have to believe that there should be some way for the system to seamlessly work without much intervention. Why couldn't you simply have OID handle the Ebusiness login once the initial handoff from TAMS?

Also, you stated that he could use a plug in for the web listener, would you know off hand where that would be located?

Posted by Sheilah Scheurich on May 13, 2008 at 09:29 AM PDT #

Hi,

While integrating TAM with Oracle EBS we have to create 2 junctions 1) For Oracle SSO Server 2) For Oracle EBS.

Integration guide from IBM says we should use virtual junctions. Is it necessary to use Virtual junction only or we can have Transparent Junctions as well.

Thanks
Prakash

Posted by Prakash on July 21, 2008 at 02:26 AM PDT #

Hi, Prakash,

I'm afraid that I don't have sufficient experience with IBM's TAM to comment on the interchangeability of Virtual vs. Transparent Junctions. You might have better luck raising this with IBM Support's TAM specialists.

Good luck with this one.

Regards,
Steven

Posted by Steven Chan on July 22, 2008 at 03:32 AM PDT #

We are integrating TAM and Oracle EBS.
Based on exp till now

Only Virtual junction works (prefer SSL).
OID / OSSO needed for Oracle EBS integration.

For externalization of authentication we need to implement the IPASAuthInterface interface to get the HTTP header (in case of TAM it is iv-user).

We have followed guide given by IBM for this integration and Oracle docs. But here we have some problem.

When we use a hardcoded user id instead of getting users from the HTTP header, it's working. But when we don't hardcode it, it does not work.

In the IBM log it clearly reflects that the user id (iv-user) has been passed but is somewhere lost at the Oracle side before reaching the custom Authentication code (IPASAuthInterface).

I read some more topics in forum where other users mentioned that even they faced this problem but NO solution..

Please let us know if something needs to be done (somewhere in mod_osso etc).

Thanks in Advance

-prakash

Posted by Buddhi on August 28, 2008 at 07:14 PM PDT #
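Prakash's post above describes the header-based hand-off: the TAM junction authenticates the user and passes the identity in an `iv-user` HTTP header, which a custom authentication class reads. Two things matter on the receiving side of any such hand-off: the header must be accepted only when the request actually came through the junction that sets it, and a request that arrives from the junction without the header should be logged distinctly, since that is exactly the "header lost before the custom code" symptom being debugged. The following is an added example in plain WSGI, not IBM's or Oracle's code and not the IPASAuthInterface itself; the junction address range and the test requests are constructed.

```python
"""Accepting a junction-supplied identity header only from the junction.

Added example, not IBM or Oracle code.  The application sits behind a
reverse-proxy junction that sets `iv-user`.  Assumptions (constructed): the
junction's source address range is known, and the application sees the
original client address in REMOTE_ADDR.
"""
import ipaddress
import logging
from typing import Optional, Tuple

log = logging.getLogger("header-auth")

# Constructed address range for the junction hosts; adjust to the real one.
TRUSTED_JUNCTIONS = [ipaddress.ip_network("10.0.0.0/24")]
# WSGI environ key under which the `iv-user` request header appears.
IDENTITY_HEADER = "HTTP_IV_USER"


def from_trusted_junction(environ: dict) -> bool:
    """True only if the TCP peer is one of the junction hosts."""
    try:
        addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_JUNCTIONS)


def resolve_identity(environ: dict) -> Tuple[Optional[str], str]:
    """Return (user, reason); user is None whenever no identity may be trusted."""
    header = environ.get(IDENTITY_HEADER)
    if not from_trusted_junction(environ):
        if header:
            log.warning("identity header on request not from junction; ignored")
        return None, "untrusted-source"
    if not header:
        # Request came through the junction but carried no identity: the
        # header was lost somewhere between the junction and this code.
        log.error("request from junction without %s", IDENTITY_HEADER)
        return None, "header-missing"
    user = header.strip()
    if not user or any(c in user for c in "\r\n\x00"):
        return None, "malformed-header"
    return user, "ok"


def app(environ, start_response):
    """Minimal WSGI application that relies on resolve_identity()."""
    user, reason = resolve_identity(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [reason.encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"authenticated as {user}".encode()]
```

Distinguishing `header-missing` from `untrusted-source` in the log is what lets you tell a stripped header (the junction reached you, the identity did not) from a request that bypassed the junction altogether, which is the first question to answer when a hardcoded user works and the header-driven one does not.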

Prakash,

I'm afraid that I don't have any hands-on experience with this particular issue. I'd strongly recommend logging a formal Service Request via Oracle Metalink against the Oracle Single Sign-On product. That will ensure that you get an OSSO specialist engaged on the Oracle side.

Good luck with your integration.

Regards,
Steven

Posted by Steven Chan on September 02, 2008 at 04:42 AM PDT #

http://forums.oracle.com/forums/thread.jspa?threadID=692699&tstart=90

Any one who can give solution for this problem.

Posted by Prakash on September 04, 2008 at 09:43 PM PDT #

Hi Steven,

In this article its mentioned that such TAM and Oracle integration has been done and you also have some references for that.

We are facing some issues, as HTTP header information is stripped off at the Oracle end. There are some more people who are facing this problem at the Oracle end. Till now no one has got a solution on this though such integration is done.

These are few URLs, you can reference:-

http://forums.oracle.com/forums/thread.jspa?threadID=692699&tstart=90
http://forums.oracle.com/forums/thread.jspa?threadID=374411

It would be great help for all of us who are trying such integration if some one from Oracle provide help / vital info.

Do we need to have some tie up or something with Oracle to get necessary help?

Thanks in advance. Would appreciate if you can share your views at

Prakash

Posted by Prakash on September 04, 2008 at 10:56 PM PDT #

Hi, Prakash,

I'm sorry to hear that you're struggling with this.

Your target architecture is:

EBS --> Oracle SSO --> IBM TAM

To elaborate on my comment above, my team is responsible for ensuring that the E-Business Suite works with Oracle Single Sign-On.

The Oracle Single Sign-On team is responsible for ensuring that their product works with third-party identity managers such as IBM TAM.

Since you're experiencing trouble with the SSO --> IBM TAM part of the chain, the best way of getting help with that will be to log a formal Service Request via Metalink against the Oracle SSO product.

An even better approach:

Contact IBM Software Support with the same request. Earlier this year, IBM provided me with a copy of an IBM-authored whitepaper entitled, "Tivoli Access Manager Version 6.0: Oracle E-Business Suite Integration Guide." This whitepaper has detailed technical steps on integrating these systems, and is part of a broader technical package which contains other supporting files.

Access to this whitepaper (and the technical package) is restricted to IBM registered customers, so I'm not authorized to email you a copy of this (as much as I'd like to be able to do so). I believe that you should be able to get a copy from IBM Support directly.

I'll email a copy of your request to my contacts at IBM, too.

Regards,
Steven

Posted by Steven Chan on September 05, 2008 at 06:23 AM PDT #

Hi Steven,

Thanks for the reply. I too have that integration guide provided by IBM as part of our tie-ups. We have followed this guide only. We have raised a TAR as well, but are waiting for a response from Oracle.

Though we believe its working, it would be great if you could share some tips on how to ensure that our Oracle EBS - Oracle SSO working as desired.

Also, some contact or reference who can help in integrating OSSO with TAM. I hope the way IBM has such integration guide, Oracle would also have. Can you share such guide/articles with us?

Plz let us know if you need more info from our side. Our Oracle expert working in US time zone can provide more info, if needed.

[Editor: email ID removed at request of commenter]

Thanks
Prakash

Posted by Prakash on September 07, 2008 at 06:08 PM PDT #

Hi, Prakash,

Testing your EBS+Single Sign-On integration is pretty straightforward:

1. Log in directly to Oracle Single Sign-On

2. Navigate to an E-Business Suite bookmarked URL or your EBS homepage

3. If you get in without being asked to log in again, it's working. If you're prompted to log in again, EBS isn't recognizing the SSO security token (so reregister it as a partner application, following Note 233436.1).

Good luck with your integration.

Regards,
Steven

Posted by Steven Chan on September 08, 2008 at 07:35 AM PDT #

Hi Steven,

As you suggested we raised TAR (formal request) with Oracle. The response we got from Oracle is :-

----------------------------------------------
First of all, integration with TAM is not directly supported by Oracle and would be considered a customized implementation. Also we will not have access to TAM for testing purposes. That said, I will do my best to help.
---------------------------------------------
This is surprising when we say that Oracle SSO server can be integrated with third party Access Manager I would assume that it is based on significant testing and support team will have ready to use lab facility.

We also have a PMR (service request) open with IBM and they are also trying to look into why hardcoded user ids work at the Oracle end.
I hope Oracle would also have something similar env to verify/test it.

You also mentioned that you can pass some IBM contact for help. Would it be possible for you to share with me.

[Editor: email removed by request of commenter]

Plz mail me any ref on this.

Posted by Prakash on September 09, 2008 at 08:22 PM PDT #

Hi, Buddhi,

If Oracle SSO Support doesn't have access to IBM products such as TAM, then their support for this configuration will be on a best-efforts basis.

My IBM contacts confirm that your best option for getting assistance with this is via IBM's PMR process.

Regards,
Steven

Posted by Steven Chan on September 10, 2008 at 01:41 AM PDT #

Hi Steven,

Thanks for inputs.
In earlier reply you mentioned path as

EBS --> Oracle SSO --> IBM TAM

actually it's the other way round:

IBM TAM -> Oracle SSO -> EBS.

Would you be able to share doc which you mentioned.

Thanks
Prakash

Posted by Prakash on September 10, 2008 at 03:25 PM PDT #

Hi, Prakash,

My comment was intended to show the general chain of trust between components in this architecture. The cardinality of the arrows is philosophically moot.

As I indicated above, I am not authorized to distribute IBM's copyrighted material. The only way that you can obtain a copy of this whitepaper is to contact IBM Software Support directly.

Regards,
Steven

Posted by Steven Chan on September 11, 2008 at 12:51 PM PDT #

Hi Steven.

Thank you for this article. Using 11.5.10 EBS, is it possible to integrate with Cleartrust. The typical way is to use the web agent on the servers, intercept the http/https request and send off the request to the cleartrust server and authenticate. My question is how does this fit into the architecture? Do I need to integrate directly into the underlying LDAP store that cleartrust uses? I'm not sure how this could work with doing that.

Thank You.

John McManus

Posted by John McManus on September 10, 2009 at 11:58 PM PDT #

Hi, John,

I've heard anecdotal reports from customers who have integrated their EBS environments with ClearTrust.

If your ClearTrust setup has its own LDAP directory as well as its own authentication mechanism, then I would think that the best approach would be to tie them both to OID and SSO respectively. In other words, the architecture would look like this:

EBS --> SSO --> ClearTrust (for authentication)
EBS --> OID --> ClearTrust LDAP (for user provisioning)

I don't have any first-hand experience with ClearTrust, however, so my suggestions are based on first principles only. The generic OID and SSO documentation describes steps for integrating with generic third-party LDAP and authentication systems.

If you're looking for an authoritative statement about the best architectural strategy for integrating ClearTrust with Oracle identity management products, your best bet might be to contact ClearTrust support. They may have whitepapers published for this.

Regards,
Steven

Posted by Steven Chan on September 11, 2009 at 06:23 AM PDT #

Hi Steven,

Quick question about SSO support for Oracle EBS 12. Is it possible/supported to achieve SSO to the Oracle EBS application directly from a third-party Access Management product?

Is having Oracle SSO as middle layer mandatory to facilitate SSO to Oracle EBS?

Thanks,
Rahul

Posted by Rahul on January 04, 2010 at 10:27 AM PST #

Hi, Rahul,

It is not possible to integrate the E-Business Suite directly with a third-party access management product. You must first integrate the E-Business Suite with Oracle Single Sign-On, which in turn may be integrated with a third-party access management product.

Regards,
Steven

Posted by Steven Chan on January 05, 2010 at 04:58 AM PST #

Hi Steven,

Thanks for your response.

I have another query related to EBS: is there any way that the Oracle EBS authentication mechanism allows user access based only on username, i.e., instead of the traditional username-and-password-based authentication against the Oracle Database (FND_USERS), allowing user authentication based only on the username?

Thanks,
Rahul

Posted by Rahul on January 07, 2010 at 08:27 PM PST #

Hi, Rahul,

No, this is not possible, and violates just about every security principle that I can think of.

If this were possible, anyone could sign into Oracle's E-Business Suite instance as, say, Larry Ellison, and grant themselves a raise and stock options.

I -- and I suspect your firm's auditors -- would strongly recommend against you making any customizations to your system along those lines.

Regards,
Steven

Posted by Steven Chan on January 08, 2010 at 03:04 AM PST #

Hi Steven,

Thanks for your valuable inputs.

I have one last question. This may be a basic question, but based on my limited experience with Oracle EBS it would be great if you could help me with this.

The default login mechanism for Oracle EBS 12i is Forms login, and we want to know if it can be changed to HTTP Basic Authentication, i.e. a username and password dialog window. Is this configurable in Oracle EBS?

Please suggest.

Thanks,
Rahul

Posted by Rahul on January 12, 2010 at 10:18 PM PST #

Hi, Rahul,

No, this is not technically feasible, certified, supported, or recommended. We strongly recommend against any customizations to the E-Business Suite's built-in authentication mechanisms. Doing so runs the very real risk of compromising your environment's security.

Regards,
Steven

Posted by Steven Chan on January 13, 2010 at 02:46 AM PST #

Hi Steve,

Thanks for your valuable inputs related to Oracle EBS and configuration for third-party access manager.

I have one last question about Oracle EBS:

Setup:
- Oracle EBS is partnered with OSSO/OID
- Third party access manager configured for user authentication to Oracle EBS through OSSO

Question:
If Oracle EBS is partnered with OSSO and a third-party access manager is used for user authentication/authorization, is it possible to allow certain specific users (administrators) to continue authenticating using the Oracle EBS login mechanism?

We actually want 95% of users to come through the third-party access manager URL and be authenticated by the third-party access manager, but we also want to allow administrators to directly access the Oracle EBS web application for maintenance purposes.

Please suggest.

Thanks

Posted by Rahul on March 08, 2010 at 01:08 AM PST #

Hi, Rahul,

Yes, it's possible to flag a subset of users as being authorized to log directly into the E-Business Suite. These users are generally sysadmins. You can flag those users as "LOCAL" -- see Note 261914.1 for details.

Regards,
Steven

Posted by Steven Chan on March 09, 2010 at 02:29 AM PST #

Hi Steven,

A customer wants to use DoD CAC to implement SSO and thus authenticate users to Oracle E-Business Suite 11.5.10 and R12.
Can you point me to documents on how to do this?

Thanks
Raj

Posted by Raj on April 15, 2010 at 02:40 AM PDT #

Hi, Raj,

I know that many DoD customers have integrated Oracle Single Sign-On with CAC solutions. This integration is transparent to the E-Business Suite, so we don't require any EBS-specific documentation.

I haven't reviewed this documentation lately, but understand that this is documented in the generic Identity Management Integration Guide here:

http://download.oracle.com/docs/cd/B14099_19/idmanage.htm

Regards,
Steven

Posted by Steven Chan on April 15, 2010 at 04:13 AM PDT #

We want to integrate Oracle HRMS with Microsoft AD. We don't want to use SSO.
Is LDAP authentication possible? The basic requirement is that when a user logs in to HRMS, the credentials are validated against the AD credentials.

Posted by Pamela on August 24, 2010 at 11:50 PM PDT #

Hello, Pamela,

Oracle Internet Directory is a mandatory prerequisite if you wish to integrate the E-Business Suite with Microsoft Active Directory (or any other third-party LDAP).

If you wish to authenticate your E-Business Suite users via Windows Native Authentication (Kerberos), you must use either Oracle Single Sign-On or Oracle Access Manager. Single Sign-On integration is covered in the article above, but the Oracle Access Manager integration was certified only recently. It's covered here:

Oracle Access Manager 10gR3 Certified with E-Business Suite
http://blogs.oracle.com/stevenChan/2010/03/oam_10gr3_ebs.html

Regards,
Steven

Posted by Steven Chan on August 25, 2010 at 12:58 AM PDT #

I really wish you wouldn't use the term zero sign-on. I know the idea that you're trying to convey, but it's horrible terminology.
Zero sign-on means anonymous or guest access.
Even if it really was magic, something would be authenticating you...

Posted by Eriks Richters on September 23, 2010 at 02:17 AM PDT #

Hi, Eriks,

Yes, that's true, and I'm not fond of the term myself. Our Oracle Identity Management team used it at some point in their materials, but it is more accurate to say that we simply set up a chain of trust from a third-party to EBS, obviating any authentication challenges from either the E-Business Suite or its intermediary Oracle Single Sign-On.

Regards,
Steven

Posted by Steven Chan on September 23, 2010 at 03:32 PM PDT #

We have EBS 11i, OID 11.1.1.4, SSO 10.1.4.3 and MS Active Directory as the source of users and passwords. When selecting the APPS URL, the SSO login redirect works great, the password authenticates against AD, and then the APPS work as intended.
But after logging out, subsequent logins always prompt the SSO login.
What do we have to do so that, for example, when I come in to work I can choose the APPS URL and be sent straight to the APPS responsibilities page without having to re-enter the password into the SSO login? Does a cookie persist on the desktop with credentials from the last login, or do we need to configure Windows Native Authentication and Kerberos integration?

Posted by George on October 06, 2011 at 06:04 AM PDT #

Hi Steve,

We are struggling with what is called the deluxe zero sign-on. We have Microsoft AD as the authenticating mechanism and are running Oracle E-Biz 11.5.10.2 (ATG RUP7).
We now have to implement OAM 10g and don't know which component is going to get installed where.
The architecture with OAM is becoming very complex, using the Access Gates, WebGates, WebLogic Server, and OID.

Please guide us with a link which talks about the architecture. I have already gone through Note 975182.1. This does not talk about what to install where.

The components required are:
IIS Web Server
WebGate Component – Shipped along with OAM
OAM 10.1.4.3 Server
E Business Suite Access Gate 10g
Weblogic Server 10.3.2+
Oracle Internet Directory 11.1.1.2+
Active Directory
Oracle E Business Suite 11.5.10.2 RUP 7

But we do not know where to install what.
Thanks,

Posted by Ashwani on October 10, 2011 at 04:35 PM PDT #

Hello, George,

Glad to hear that the overall integration is working. It's hard to determine what might be going on with the reauthentication process, though.

We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on October 14, 2011 at 06:42 AM PDT #

Hi Ashwani,

The Oracle E-Business Suite team does not have any experience working with third-party systems like Active Directory, so we don't have any architectural diagrams to provide you with. Our integration point is OAM, but then we rely on OAM to manage the integration with AD, WNA, or other third-party systems.

My best suggestion would be to work with the OAM support team, or to engage with someone in Oracle Consulting Services to help you map out the details for an integration such as yours.

Thanks,
Keith

Posted by Keith M Swartz on October 14, 2011 at 10:12 AM PDT #

Hello Steve,

Currently we have EBS 11.5.10.2 and thus can only use OAM 10.1.4.3 in order to authenticate users via Active Directory.

However, support for OAM 10.1.4.3 runs only until December 2013.

Taking into account that we will stay with 11i beyond 2013, would you say that going for OAM 10.1.4.3 is a bad choice?

What other "long-term" solution is possible if this is the case?

Posted by Roy Antman on January 02, 2012 at 11:15 PM PST #

Hello, Roy,

It's true that Extended Support for Oracle Access Manager 10g will run through December 2013.

It's also true that Extended Support for Oracle E-Business Suite Release 11i will run through November 2013.

If you're using EBS 11i, OAM 10g is really your only certified solution.

Your comment about using this beyond 2013 worries me. Both of those products will no longer have error correction support after 2013. I would *STRONGLY* recommend that you make plans to upgrade to EBS 12.1.3 and OAM 11g as soon as you can. Running a mission-critical production system for which you can't request new patches or certifications is a very dangerous proposition.

Regards,
Steven

Posted by Steven Chan on January 03, 2012 at 06:28 AM PST #

Steve, is it possible to use OID with EBS without syncing from our third-party (Oracle/iPlanet) Directory Server? Can OID be synced from another utility if created?

Posted by Stephen on April 12, 2012 at 08:10 AM PDT #

Stephen,

Thanks for the inquiry.

Oracle Internet Directory is a requirement when integrating a single sign-on option with Oracle E-Business Suite. It is not required to integrate Oracle Internet Directory with your third-party LDAP.

Given that Oracle Single Sign-On is currently in limited extended support, we recommend that you integrate with Oracle Access Manager and Oracle Internet Directory.

Please refer to the following blog articles for additional details regarding integrating Oracle E-Business Suite Release 12 with Oracle Access Manager:
https://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_11
https://blogs.oracle.com/stevenChan/entry/why_does_ebs_integration_with

It's unclear from your post what type of other utility would be used to synchronize with Oracle Internet Directory. Oracle Internet Directory can be integrated with other third-party LDAP servers. Additional concepts and considerations for third-party directory integrations can be found in the Oracle Fusion Middleware Administrator's Guide.

Thanks.
~ep

Posted by Elke Phelps (Oracle Development) on April 16, 2012 at 03:31 AM PDT #

Hi Steven,

Can you please elaborate on the technical obstacle to clarify your reply to Rahul below on January 05, 2010 at 04:58 AM PST?

"It is not possible to integrate the E-Business Suite directly with a third-party access management product. You must first integrate the E-Business Suite with Oracle Single Sign-On, which in turn may be integrated with a third-party access management product."

Regards,
Laura

Posted by guest on June 10, 2013 at 04:11 PM PDT #

Hi, Laura,

We have special dependencies that can't be handled by generic third-party authentication tools or LDAP directories. For more details, see:

Why Does EBS Integration with Oracle Access Manager Require Oracle Internet Directory? (Oracle E-Business Suite Technology)
https://blogs.oracle.com/stevenChan/entry/why_does_ebs_integration_with

Regards,
Steven

Posted by Steven Chan on June 11, 2013 at 10:34 AM PDT #
