In-Depth: Using Third-Party Identity Managers with E-Business Suite Release 12

This article is an updated R12 version of an earlier one written for Oracle E-Business Suite Release 11i.

Like most of our customers, you probably already have a corporate identity management system in place. And, you've probably not been enjoying the experience of redundantly administering the same user in your corporate identity management system as well as the E-Business Suite. If this describes your environment, this in-depth article about integrating Oracle E-Business Suite Release 12, Oracle Single Sign-On and Oracle Internet Directory with third-party identity management systems will show you a better way of managing your EBS users.

No More Redundant User Administration

It is possible to integrate the E-Business Suite with existing third-party LDAP and single sign-on solutions via Oracle Application Server 10g and Single Sign-On 10g, like this:

[Architecture diagram: a third-party Single Sign-On product integrated with Oracle Single Sign-On, a third-party LDAP directory integrated with Oracle Internet Directory, and both feeding the E-Business Suite]

Third-party single sign-on solutions can be integrated with Oracle Single Sign-On 10g, and third-party LDAP directories can be integrated with Oracle Internet Directory 10g. From there, it's a short hop to the E-Business Suite.

Example Scenario: The Deluxe "Zero Sign-On" Approach

A user logs on to their PC using their Windows user ID and password. Wanting to avoid real work, the user decides to file a long-overdue expense report for last year's OpenWorld conference. He starts Internet Explorer, opens Favorites, and selects a bookmarked link for the E-Business Suite's Self-Service Expenses.

Self-Service Expenses starts up, and the user begins the process of assembling rationalizations to justify that $450 dinner at Jardiniere with his favorite Oracle blogger. (This is a fictional example, of course; nobody takes bloggers out to dinner.)

We sometimes call this "zero sign-on" because the user never actually logged on to any Oracle systems at all; their Windows Kerberos ticket gave them an all-access pass to the E-Business Suite automatically.

Magic? What Really Happened?

Brace yourself: some of the following material might require a couple of passes to sink in.

The "deluxe" scenario above illustrates the following integrations:

  • Microsoft Active Directory with Oracle Internet Directory 10g
  • Microsoft Kerberos Authentication with Oracle Single Sign-On 10g
  • Oracle Application Server 10g with the E-Business Suite

[Architecture diagram: Microsoft Active Directory integrated with Oracle Internet Directory, Microsoft Kerberos integrated with Oracle Single Sign-On, and both feeding the E-Business Suite]

The user logged on to their PC, which authenticated them against Microsoft Active Directory. As part of that logon process, Microsoft Kerberos Authentication issued a valid Kerberos ticket to the user.

When the user attempted to access Self-Service Expenses via his bookmarked link, he was redirected to Oracle Single Sign-On 10g. Oracle Single Sign-On 10g recognized the Microsoft Kerberos ticket (which the browser presents via SPNEGO when Windows Native Authentication is configured), issued its own Oracle security tokens to the user, and redirected the user back to the E-Business Suite.

The E-Business Suite recognized the Oracle Single Sign-On 10g security tokens and looked up the user's assigned Applications Responsibilities to ensure that he was authorized to access Self-Service Expenses. That done, it issued its own E-Business Suite security tokens and then passed the user through to Self-Service Expenses without requiring any additional logons.

Integration with Microsoft Active Directory Only

Not everyone uses Microsoft Kerberos Authentication. A simpler integration option omits Kerberos and includes only Microsoft Active Directory and Oracle Internet Directory, like this:

[Architecture diagram: Microsoft Active Directory integrated with Oracle Internet Directory and Oracle Single Sign-On, without Kerberos]

In this simpler architecture, when the user attempts to access Self-Service Expenses via his bookmarked link, he's redirected to Oracle Single Sign-On 10g. Single Sign-On displays a login screen and collects the user's ID and password.

Single Sign-On passes the supplied ID and password to Oracle Internet Directory for validation. Oracle Internet Directory uses its external authentication plug-in for Active Directory (sometimes also called the Windows Native Authentication plug-in) to delegate the password check to Microsoft Active Directory, so the password is never compared against anything stored in Oracle Internet Directory.

Microsoft Active Directory validates the user's ID and password against its own database and tells Oracle Internet Directory that the user is authenticated. Oracle Internet Directory in turn informs Single Sign-On that the user was successfully authenticated.

Single Sign-On issues the user a set of security tokens and redirects the user to the E-Business Suite. The E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities to ensure that he's authorized to access Self-Service Expenses. That done, it issues its own E-Business Suite security tokens and then passes the user through to Self-Service Expenses.
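Both scenarios end the same way: Single Sign-On vouches for the user, and the E-Business Suite decides on its own what that user may do. The following Python model of that chain is an added example, not Oracle code and not anything shipped with OSSO, OID or EBS. It stands in a salted-hash table for Active Directory, a plain function for the LDAP bind that the external authentication plug-in performs, and an HMAC-signed token for the Oracle SSO cookie (the real product uses its own encrypted cookie and a mod_osso partner handshake); the user names, secrets, Responsibilities and the SSO login URL are all constructed for the illustration. What it shows is the shape of the trust chain: the password is checked only where it lives, SSO issues a time-limited assertion once that check passes, and EBS accepts the assertion as authentication but still refuses a user who holds no matching Responsibility.

```python
"""Model of the authentication chain described above: Active Directory checks
the password, Oracle Internet Directory delegates to it, Oracle Single Sign-On
issues an assertion, and the E-Business Suite partner application authorizes.
Added example; the directory contents, keys and token format are stand-ins."""
import base64
import hashlib
import hmac
import json
import time

# --- Third-party directory (stands in for Active Directory) -----------------
# Only this layer ever holds password material. Constructed sample accounts.
def _pw_hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()

AD_USERS = {
    "jsmith": {"salt": b"s1", "hash": _pw_hash("Summer2008!", b"s1"), "disabled": False},
    "mwong":  {"salt": b"s2", "hash": _pw_hash("Winter2008!", b"s2"), "disabled": True},
}

def ad_simple_bind(userid, password):
    """Stand-in for an LDAP simple bind against AD: succeeds only for a valid, enabled account."""
    rec = AD_USERS.get(userid)
    if rec is None or rec["disabled"]:
        return False
    return hmac.compare_digest(rec["hash"], _pw_hash(password, rec["salt"]))

# --- Oracle Internet Directory: knows the user, stores no password ------------
OID_ENTRIES = {"jsmith": {"orclguid": "GUID-0001"}, "mwong": {"orclguid": "GUID-0002"}}

def oid_authenticate(userid, password, bind=ad_simple_bind):
    """The external authentication plug-in pattern: look the user up locally,
    then hand the credential check to the directory that owns the password."""
    if userid not in OID_ENTRIES:
        return None                     # unknown to OID: never even reaches AD
    return OID_ENTRIES[userid]["orclguid"] if bind(userid, password) else None

# --- Oracle Single Sign-On: issues a signed, short-lived assertion -------------
SSO_KEY = b"sso-to-partner-app-secret"               # assumption: trust shared with the partner app
SSO_LOGIN_URL = "https://sso.example.com/sso/login"  # assumption

def _sign(payload, key):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + base64.urlsafe_b64encode(mac)

def _verify(token, key, now):
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    try:
        body, mac = token.split(b".")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(mac)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, KeyError):
        return None

def sso_login(userid, password, now=None):
    """What happens behind the SSO login screen: delegate, then assert."""
    now = time.time() if now is None else now
    guid = oid_authenticate(userid, password)
    if guid is None:
        return None
    return _sign({"iss": "osso", "sub": userid, "guid": guid, "exp": now + 300}, SSO_KEY)

# --- E-Business Suite partner application -------------------------------------
EBS_KEY = b"ebs-session-secret"          # assumption: EBS's own session secret
EBS_RESPONSIBILITIES = {                 # constructed; managed only inside EBS
    "jsmith": {"Internet Expenses"},
    "mwong":  {"Internet Expenses"},
}

def ebs_access(sso_token, responsibility, now=None):
    """No valid SSO assertion: redirect to SSO. Valid assertion: authorize on
    Responsibilities, then issue EBS's own session token."""
    now = time.time() if now is None else now
    claims = _verify(sso_token, SSO_KEY, now) if sso_token else None
    if claims is None:
        return ("redirect", SSO_LOGIN_URL)
    if responsibility not in EBS_RESPONSIBILITIES.get(claims["sub"], set()):
        return ("forbidden", claims["sub"])          # authenticated, not authorized
    session = _sign({"sub": claims["sub"], "resp": responsibility, "exp": now + 1800}, EBS_KEY)
    return ("ok", session)

if __name__ == "__main__":
    token = sso_login("jsmith", "Summer2008!")
    print(ebs_access(token, "Internet Expenses")[0])   # ok
    print(ebs_access(token, "Payables Manager")[0])    # forbidden
    print(ebs_access(None, "Internet Expenses")[0])    # redirect
```

Walk a token through it: a wrong password or a disabled account stops at the bind and never produces an SSO assertion; an expired or tampered assertion sends the browser back to the SSO login page rather than being trusted; and a valid assertion still yields "forbidden" for a Responsibility the user does not hold, which is the authentication/authorization split the rest of this article insists on.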

"Out-of-the-box" Third-Party LDAP Integration with Oracle Internet Directory

Due to the popularity of Microsoft Active Directory, Oracle Internet Directory provides a prebuilt connector out-of-the box, ready to use.

Oracle Internet Directory also provides a prebuilt connector for the SunONE (iPlanet) Directory Server, ready-to-use. You should note that Sun (like Oracle, following its myriad recent acquisitions) has rebranded its identity management products, so there's a new name for the Sun LDAP directory now. I'll update this post with the latest name as soon as my Sun contacts provide me with that information.

Synchronization of User Credentials with Third-Party LDAP Directories

If you've been paying close attention so far, you have likely gathered that user credentials need to be synchronized between the third-party LDAP, Oracle Internet Directory, and the E-Business Suite. The synchronization architecture looks like this:

[Architecture diagram: third-party LDAP synchronization with Oracle Internet Directory and the E-Business Suite]

In this configuration, only the user name needs to be synchronized; the user's password is stored only in the third-party LDAP directory. None of the Oracle products need to store the user's password, since they delegate user authentication to the third-party LDAP solution.

[Architecture diagram: passwords are stored in the third-party LDAP directory, not in Oracle Internet Directory or the E-Business Suite]

The key concept here is that user authentication is still separated from user authorization even when a third-party LDAP is in place.

[Architecture diagram: authentication vs. authorization]

So, the E-Business Suite still grants authenticated users access to E-Business Suite protected content based on the users' Applications Responsibilities, which are managed in the E-Business Suite exclusively.
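As a concrete picture of what "only the user name needs to be synchronized" means, here is an added Python example (not Oracle DIP code) that reads an LDIF export from a third-party directory and builds the records a provisioning job would hand to Oracle Internet Directory and on to the E-Business Suite. The attribute mapping, the sample entries and the upper-casing of the EBS user name are assumptions constructed for the illustration; real Active Directory does not even return unicodePwd on a read, and it appears in the sample only to show that password attributes are never copied. The parser handles the two LDIF features that trip up quick scripts, folded continuation lines and base64 ("::") values, and the report it returns lets you confirm after each run that password material was dropped and which entries could not be provisioned.

```python
"""Added example of a user-synchronization step: read an LDIF export from a
third-party directory and build the user records that flow on to Oracle
Internet Directory and the E-Business Suite. Identity attributes cross;
password attributes do not. Mapping and sample data are constructed."""
import base64

# Attribute names (lower-cased) that must never leave the source directory.
PASSWORD_ATTRS = {"userpassword", "unicodepwd", "authpassword", "sambantpassword"}

# Assumed mapping from Active Directory attributes to the EBS user record.
ATTR_MAP = {
    "samaccountname": "user_name",
    "mail": "email_address",
    "givenname": "first_name",
    "sn": "last_name",
}

# Constructed LDIF export. Real AD never returns unicodePwd on a read; it is
# included only to show that password attributes are filtered, not copied.
SAMPLE_LDIF = """\
dn: CN=Jane Smith,OU=Staff,DC=example,DC=com
objectClass: user
sAMAccountName: jsmith
givenName: Jane
sn: Smith
mail: jane.smith@example.com
unicodePwd:: UABhAHMAcwB3ADAAcgBkAA==

dn: CN=Michael Wong,OU=Suppliers,DC=example,DC=com
objectClass: user
sAMAccountName: mwong
cn:: TWljaGFlbCBX
 b25n
mail: michael.wong@
 supplier.example
userPassword: {SSHA}notarealhash

dn: CN=Service Account,OU=Service,DC=example,DC=com
objectClass: user
mail: svc@example.com
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts with lower-cased
    attribute names. Handles folded lines (leading space) and base64 values ('::')."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:     # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:    # continuation of the previous line
            lines[-1] += raw[1:]
            continue
        if raw != "":
            lines.append(raw)
            continue
        if not lines:
            continue
        entry = {}
        for line in lines:
            if line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue                     # not an attribute line; ignore
            if value.startswith(":"):        # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            entry.setdefault(name.lower(), []).append(value)
        entries.append(entry)
        lines = []
    return entries

def to_ebs_user(entry):
    """Project one directory entry onto an EBS user record via ATTR_MAP.
    Anything not in the map, passwords included, is simply never copied."""
    record = {dst: entry[src][0] for src, dst in ATTR_MAP.items() if src in entry}
    if "user_name" not in record:
        return None                          # no login id: nothing to provision
    record["user_name"] = record["user_name"].upper()   # assumption: EBS upper-case names
    return record

def sync(ldif_text):
    """Build the provisioning batch and a report you can check after each run."""
    records = []
    report = {"synced": 0, "skipped_no_login": 0, "password_attrs_dropped": 0}
    for entry in parse_ldif(ldif_text):
        report["password_attrs_dropped"] += sum(a in PASSWORD_ATTRS for a in entry)
        record = to_ebs_user(entry)
        if record is None:
            report["skipped_no_login"] += 1
            continue
        records.append(record)
    report["synced"] = len(records)
    return records, report

if __name__ == "__main__":
    users, summary = sync(SAMPLE_LDIF)
    for user in users:
        print(user)
    print(summary)
```

The design point is that the record is built from an allow-list (ATTR_MAP) rather than by deleting known password attributes from a copy of the entry: a directory that invents a new credential attribute tomorrow still cannot leak it through this path, and the report's "password_attrs_dropped" count is there so an operator notices when password material is turning up in an export that should never contain it.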

Integration With Other Single Sign-On Solutions

It is also possible to integrate Oracle Single Sign-On 10g with other single sign-on solutions, including:

  • CA Netegrity SiteMinder
  • Biometric devices like fingerprint readers
  • Smartcards
  • PKI X.509 digital certificates

When integrated with other single sign-on solutions, a chain of trust is established between the third-party, Oracle Single Sign-On, and the E-Business Suite. Users logging on via the third-party single sign-on solution are passed through transparently to Oracle Single Sign-On and the E-Business Suite.

Relax, It's Easy and Fun

Well, maybe not... but at least it's technically feasible. You might find it reassuring to note that a number of E-Business Suite customers are running this configuration in production already.

This is about as much detail as I think is appropriate for now. Feel free to post comments if you have questions about this topic.

References

For detailed instructions on how to integrate Single Sign-On and Oracle Internet Directory with Oracle E-Business Suite Release 12, see:

There are many more options for integration with the E-Business Suite, including options for linking OID userids to different E-Business Suite userids, and so on. If you're really interested, I'd recommend a careful reading of the "Oracle Single Sign-On Integration" section of this document:

Related Articles

Comments:

Thanks for sharing nice article.

I would like to synchronize only some users, i.e. only suppliers, with OID and E-Business Suite. Supplier user names are different and can be distinguished from other users.

There are only 4 templates ( i know of ) for synchronization between OID and EBS. Is there an easy way out?

Posted by Manjit on August 12, 2008 at 03:32 AM PDT #

Hi, Manjit,

I'm afraid that the 4 supplied templates don't support selective or partial synchronizations of your users.

It might be possible to build a customization of some sort, but that approach comes with all of the issues inherent to customizations: support, maintenance, preservation during patching, scalability and performance, robustness to future techstack upgrades and changes, and so on.

If you're interested in evaluating the feasibility of such a customization, I can forward your contact information to our Security Consulting practice for you. Let me know if you're interested in going that route.

Regards,
Steven

Posted by Steven Chan on August 12, 2008 at 06:10 AM PDT #

Hi Steven
1. What is the protocol for the connectivity between Oracle Single Sign on and EBS environment?

2. Why can't we use third party like TAM to go directly to EBS, for example

Posted by Raja on August 21, 2008 at 04:22 AM PDT #

Hello Raja,

1. I presume you are talking about the runtime environment, when users log in. This being the case, eBiz is registered as a partner application, so eBiz will look for a valid SSO cookie for the user and, if it is not present, will redirect the user to the SSO login page. After login, SSO redirects back to eBiz. This is all done by HTTP redirects.

2. You can integrate third-party products directly with eBiz as a custom solution if you wish; however, you will need to get it to work yourself and ensure that your custom solution is not affected by patches, etc. You will also need to reproduce any issues to do with login or session management problems using standard Oracle code (i.e. without your custom solution in place). Steven's article Certification and Support for Third-Party Products talks about this some more. The beauty of the integration solution Oracle provides is that OID supports many third-party products out of the box and eBiz simply needs to talk to OID.

Mike

Posted by Mike Shaw on August 21, 2008 at 04:45 PM PDT #

Hello Steven.

We are in the midst of designing the security authentication architecture for our Oracle R12 HRMS implementation. Our security team wants to strictly follow the company standards. We already have Microsoft Active Directory implemented enterprise-wide. Now the requirement is that

the user (both internal and external) logs in for the first time to the Windows domain using authentication by Microsoft Active Directory. Now we want that when the AD-authenticated user clicks an Oracle Portal link, an Oracle login screen appears. Generally the login screen for Oracle SSO doesn't occur, since it forms a chain of trust with the third-party LDAP. We need to force a re-authentication. Is there a way or mechanism to achieve this requirement, which is very important for this project?

Thanks, Varun

Posted by Varun on February 05, 2009 at 04:38 PM PST #

Hello, Varun,

Well, this is an interesting switch. Most organizations wish to implement Single Sign-On to *eliminate* the need for multiple logins.

I'm personally not familiar with ways of forcing this, other than the brute-force method of invalidating the chain-of-trust between the Microsoft and Oracle components. There might be more elegant ways of doing this.

I've sent you a private email with a pointer to someone in our Oracle Consulting group that specializes in advanced security architectures. I'm sure he'll be able to help you out.

Regards,
Steven

Posted by Steven Chan on February 06, 2009 at 07:27 AM PST #

Hello Steven, it's been a few years since we last spoke; I hope you are well.

My consulting customer currently is 11.5.10.2 RUP 6 with plans soon to migrate to 12i. The current system is integrated with 10gAS SSO/OID to externally authenticate inbound logins to TAM.

The customer has a new requirement such that login id's starting with a certain alpha character authenticate thru TAM via the current setup, but a new group of login id's about to be deployed, and leading with a different alpha character, be authenticated thru Windows Active Directory.

Can SSO/OID be configured based on some attribute like "leading character of the login id" to support multiple paths of authentication?

Thanks in advance for your help and regards...

Posted by Larry Klein on March 05, 2009 at 03:37 AM PST #

Hello, Larry,

Good to hear from you; glad to see you're still working in this area.

We currently don't have the ability to support your customer's requirements with our standard configuration. A number of customers have raised a variant of this enhancement request.

The predominant theme of this kind of requested functionality is the ability to split off the authentication of users depending upon whether the users are internal (within a corporate firewall) or external (outside of a firewall). Customers would like the ability to use different authentication and LDAP directories for internal and external users.

We've got a project underway to evaluate the feasibility of this enhancement. I don't have a firm date for this yet, but you're welcome to monitor or subscribe to this blog for updates.

Regards,
Steven

Posted by Steven Chan on March 06, 2009 at 06:35 AM PST #

Hi Steven, thank you for your reply. We'll eagerly await developments from your team but meanwhile will explore options on the "other side" of SSO/OID - currently we integrate with IBM TAM, so we'll see if TAM and its Directory Integrator will give us the two-path/two-ldap/two-authenticator scheme we are looking for. Regards...

Posted by Larry Klein on March 09, 2009 at 04:56 AM PDT #

Hi Steven,

How does multilevel authentication work? Can we use a multilevel external authentication plug-in?

Medium security goes to TAM and high security goes to Microsoft AD. Please explain in detail.

Thanks in advance

regards

Posted by Gangadhar on July 04, 2009 at 02:21 PM PDT #

Hi, Gangadhar,

Multilevel authentication should work, in theory. Whatever SSO supports should be supported for EBS partner applications.

I don't have personal experience with multilevel authentication configurations for SSO. I see that they're documented here:

http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14078/multilevel.htm

Note that this seems to be on a per-partner-application basis. In other words, one partner application may use one type of authentication method. A different partner application may use a different authentication method.

If you need more assistance with SSO's support for multilevel authentication, I would recommend logging a formal Service Request against the Oracle SSO product to get one of those specialists engaged.

Good luck with your implementation.

Regards,
Steven

Posted by Steven Chan on July 06, 2009 at 04:48 AM PDT #

thanks for the update.

Posted by Gangadhar on July 08, 2009 at 12:17 AM PDT #

Steven,

Is OID mandatory to integrate E-Business suite (R12) to MS LDAP?

Posted by Edward Jayaraj on September 22, 2009 at 12:36 AM PDT #

Hello, Edward,

Yes, Oracle Internet Directory is mandatory. The E-Business Suite has dependencies on Oracle Internet Directory for user provisioning. It is not currently possible to substitute a third-party LDAP directory (e.g. MS Active Directory) for Oracle Internet Directory.

Regards,
Steven

Posted by Steven Chan on September 22, 2009 at 02:39 AM PDT #

Steve,

By any chance, can Oracle EBS communicate/integrate with MOSS (Microsoft Office SharePoint Server 2007)? Basically we are looking at MOSS from a UI perspective.

Posted by mymithraa on December 01, 2009 at 06:42 PM PST #

Mymithraa,

We haven't done any certification or integration tests of the E-Business Suite with Microsoft Office SharePoint Server. We don't generally have the resources to test third-party software with the E-Business Suite. Your best option might be to contact Microsoft to see whether they have any guidance about this particular configuration.

Regards,
Steven

Posted by Steven Chan on December 02, 2009 at 05:53 AM PST #

Steve,
Great blog. Thanks for the detailed insight. Couple of questions.

1) How easy is it to integrate OSSO/OID if I already have EBS implemented
2) Can I leverage the existing infrastructure to deploy this without the need to obtain new servers, etc.?

And finally, what about SSO using products such as Passlogix, Protocom, etc. that do a form post rather than an intrusive approach of real integration?

Posted by Kiran Mantha on January 14, 2010 at 06:30 AM PST #

Hi Steven,

Is there any certification matrix available between OID 10.1.4.3.0 and Microsoft Active Directory?
Please share the link, from there we can find the certified Active Directory information with OID 10.1.4.3.0

thx.
amit

Posted by Amit on August 03, 2010 at 02:24 AM PDT #

Hi, Amit,

I'm part of the E-Business Suite division; Oracle Internet Directory is owned by the Fusion Middleware team.

I don't have much visibility into the certification matrix for Oracle Internet Directory and other third-party products. Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our Oracle Internet Directory specialists engaged.

Regards,
Steven

Posted by Steven Chan on August 03, 2010 at 03:26 AM PDT #

Steven,

Do you know of any eAuthenticate external authentications for suppliers/customers and Oracle EBiz R12 and the certified/required configuration?

Thanks,
Gary

Posted by GaryC on August 04, 2010 at 01:15 PM PDT #

Gary,

No, I haven't heard of any customers who've used eAuthenticate with the E-Business Suite.

Regards,
Steven

Posted by Steven Chan on August 05, 2010 at 01:21 AM PDT #

Hi Steven,

When we log in to the single sign-on page with an AD user and password for the first time, it links to the EBS page but asks for the EBS username and password. The client does not want to see this screen; it should go directly to the responsibilities page of EBS for the logged-in user. Can you please help us with how we can achieve this?

Thanks & Regards,
Vas

Posted by Vas on August 25, 2010 at 04:57 AM PDT #

Hi, Vas,

It sounds like you might have missed a step in configuring the trust relationship between your Windows domain authentication and Oracle Single Sign-On (which is invoked transparently en route to the E-Business Suite).

Your best bet to get assistance with this would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on August 25, 2010 at 06:28 AM PDT #

The network here uses Novell for its security. However, there is a requirement to link Oracle SSO 10g to an existing Kerberos for authentication of an application. I have pointed several people to your article as evidence of its possibility. Some of these interpret your article to say that you have to use Kerberos for network authentication to make this work, as SSO will expect there to be an existing Kerberos ticket.

I would expect SSO to look for the ticket and, if there isn't one then ask for credentials. Is this the case?

Thank you

Jonathan

Posted by Jonathan Ward on September 21, 2010 at 10:08 PM PDT #

Hello, Jonathan,

Yes, that is the case from the user's perspective, but that doesn't really accurately describe what happens.

Technically speaking, if an unauthenticated user attempts to access the E-Business Suite in this configuration, Oracle Single Sign-On would redirect to the master authentication layer -- Novell, in this case -- which in turn would actually end up authenticating the user. After Novell authenticates the user (presumably by prompting the user to supply a userid and password), Oracle Single Sign-On would simply accept Novell's assertion that the user has been authenticated and pass the user on to the E-Business Suite to be authorized for access.

Regards,
Steven

Posted by Steven Chan on September 23, 2010 at 03:14 PM PDT #

Steven

Thank you for your response. It appears to be saying that Oracle Single Sign-On will only look at the master authenticating layer. I am surprised that SSO cannot be configured as to where it looks for authentication.

Regards

Jonathan

Posted by Jonathan Ward on September 27, 2010 at 05:11 PM PDT #

Hi Steven,

We have a third party LDAP, and we want to have single-sign on to our in-house application in Java using jdbc or use sqlplus. Is there any solution to that?

Thanks,

Posted by Jen on October 20, 2010 at 06:00 AM PDT #

Jen,

Our recommended architecture at this point would be to integrate your third-party authentication solution with EBS via Oracle Access Manager; ie. an architecture that looks like:

EBS --> Oracle Access Manager --> third-party authentication tool

The same principle applies to integrating your third-party LDAP with the E-Business Suite; that would be via Oracle Internet Directory. The architecture would look like this:

EBS --> Oracle Internet Directory --> third-party LDAP

Regards,
Steven

Posted by Steven Chan on October 28, 2010 at 07:02 AM PDT #

Steven,

I hope this holiday season is going well for you.

We are in discussions with an Oracle customer with a requirement of using OID 11g and CA SiteMinder or Oracle Access Manager for SSO. OID 11g will serve as a central identity store to provide authentication to other COTS apps such as OBIEE, Siebel and Demantra, maybe more apps later. The client has invested in and already has CA SiteMinder in place and would like to use it for SSO, but if it is not supported by EBS R12, we can introduce OAM.

Any guidance from you will be very helpful.

Posted by John Faucher on November 30, 2010 at 11:30 PM PST #

Hi, John,

Holiday greetings to you, too.

OID 11g is workable -- see:

Oracle Internet Directory 11g (11.1.1.3) Certified with E-Business Suite
http://blogs.oracle.com/stevenChan/2010/08/oid_11g_ps2_ebs.html

It's not possible to use CA Siteminder directly with the E-Business Suite. Either Oracle Access Manager or Oracle Single Sign-On are required as an intermediary gateway. We're now recommending Oracle Access Manager for new deployments with the E-Business Suite, since Oracle Single Sign-On is now in the sunset stage of its lifecycle. For the latest EBS + OAM integration resources, see:

Oracle E-Business Suite AccessGate Release 1.0.2 Now Available
http://blogs.oracle.com/stevenChan/2010/07/ebs_accessgate_102.html

Regards,
Steven

Posted by Steven Chan on December 01, 2010 at 05:30 AM PST #

Steven, thanks for this document, as we are attempting to integrate this SSO solution; our third-party SSO LDAP is NAM using eDirectory.

I am confused with some theories/procedures :

Is Oracle SSO, no doubt about it, required when integrating third-party SSO (NAM-eDirectory)? Can I simply just register OEBS with OID and use NAM identity injection or NAM form fill for OEBS, with all user credentials being synchronized by DIP from eDirectory to OID?

Or, if it is required to use Oracle SSO when integrating third-party SSO for OEBS, where do I get the Novell authentication adapter? Does Oracle supply it?

My thought was, since we can use NAM form fill or NAM identity injection for OEBS and register OEBS to OID, not Oracle SSO, I can take Oracle SSO completely out of the picture. However, if Oracle SSO gotta be there as it appears in this document, then somehow I gotta get an authentication module from NAM and load the module in Oracle SSO. Steven, thank you.

Posted by Bob on December 22, 2010 at 09:44 PM PST #

Bob,

Either Oracle Single Sign-On or Oracle Access Manager are mandatory if you wish to integrate the E-Business Suite with a third-party authentication tool.

As noted in the article above, the general architecture would look like this:

EBS --> OAM/SSO --> third-party tool

You can refer to either the Oracle Single Sign-On or Oracle Access Manager documentation for instructions on integrating them with third-party authentication tools.

Good luck with your implementation.

Regards,
Steven

Posted by Steven Chan on December 27, 2010 at 05:00 AM PST #

Thanks Stephen. I'm just starting to look into OAM since that's Oracle's direction. The documentation was a bit overwhelming and not as straightforward as documented at this link:

http://download.oracle.com/docs/cd/B14099_19/idmanage.1012/b14078/tpsso.htm

Off the top, does OAM supply Oracle authentication adaptors (Java constructors, etc.) as does OSSO in the above link?

Posted by Bob on December 29, 2010 at 10:15 AM PST #

Bob,

Yes, OAM has several connectors. This might be a good starting point:

http://www.oracle.com/technetwork/middleware/ias/downloads/10gr3-webgates-integrations-readme-154689.pdf

Good luck with your implementation.

Regards,
Steven

Posted by Steven Chan on December 30, 2010 at 02:46 AM PST #

Steven, great stuff. Thanks for your assistance.

Posted by Bob on January 02, 2011 at 11:30 PM PST #

Do you have technical details for Integrating Oracle E-Business Suite Release 12 with CA Netegrity SiteMinder?

We have done this for 11i, but upon upgrading to 12.1.3 the same configuration is not working. I am not getting help with the given Oracle note 376811.1 to configure further in R12. Please advise if you have any inputs to maintain the same integration with the third party.

Thanks in advance for your response,

Thanks,
Ravi

Posted by Ravi on February 14, 2011 at 03:30 AM PST #

Ravi,

Sorry to hear that you're having trouble with this integration.

As you know, the general architecture is:

EBS --> Oracle SSO (or OAM) --> third-party authentication tools like Netegrity

The generic Oracle SSO or OAM documentation should cover steps for integration those products with third-party tools like Netegrity (there are no EBS-specific steps). If you're having difficulty integrating SSO or OAM with Netegrity, your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of those tools' specialists engaged.

Good luck with the rest of this integration.

Regards,
Steven

Posted by Steven Chan on February 14, 2011 at 03:41 AM PST #

Sudheer: That architecture is technically feasible. However, you should be aware that Premier Support for Oracle Single Sign-On ends in December 2011. We are recommending that customers use Oracle Access Manager at this point.

If you choose to stay on EBS 11.5.10.2 for now, you must use Oracle Access Manager 10g. If you upgrade to Oracle E-Business Suite Release 12, you can use Oracle Access Manager 11g.

There's one important catch, though. Oracle Access Manager 10g does not support Microsoft Kerberos Authentication. You will need to use Oracle Access Manager 11g if that's a mandatory requirement for you (which in turn will require EBS 12). We have no current plans to certify Oracle Access Manager 11g with Oracle E-Business Suite Release 11i, since EBS 11i is already in the first year of Extended Support.

Regards,
Steven

Posted by Steven Chan on May 19, 2011 at 02:36 AM PDT #

Sudheer, blog comments may not be the best way of getting this kind of technical guidance. I've responded to you offline.

Regards,
Steven

Posted by Steven Chan on May 23, 2011 at 03:22 AM PDT #

Hi Steven,

We are currently running Oracle EBS R12 (12.1.3) and currently have no SSO available. One of our other departments is implementing an enterprise-level SSO solution, which includes access to our EBS R12 application. From the Oracle EBS R12 side, we would like to know the best possible architecture.

1. Assuming that the 3rd-party SSO solution is a non-Oracle product, what are the components (like OAM, OID, etc.) required for Oracle EBS R12 to integrate with a 3rd-party SSO solution?

2. Assuming that the 3rd-party SSO solution also uses Oracle products such as OAM, OID, WLS, etc., what are the components/tools required for Oracle EBS R12?

3. For easy maintenance (such as patching, certifications, administration issues), if we (Oracle EBS) implement SSO using OID, OAM 11gR1 and AccessGate, do we need WebGate installed in our HTTP server?

4. Is there any other best suitable method?

Thanks for your help.

Regards
Narayanasamy

Posted by Narayanasamy on July 28, 2011 at 10:23 PM PDT #

Hi, Narayanasamy,

1. Premier Support for Oracle Single Sign-On ends this year in Dec 2011. At this point, we recommend that you use Oracle Access Manager and Oracle Internet Directory to enable external authentication for your E-Business Suite environment. All of the points in the article above still apply; simply replace Oracle SSO with Oracle Access Manager and you're good to go.

For pointers to OAM and OID references for EBS 12, see:

Oracle Access Manager 11.1.1.3 Certified with E-Business Suite 12 (Oracle E-Business Suite Technology)
http://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_1

Once you've done that, you can integrate OAM and OID with whatever third-party systems you wish, as described in the article above.

2. If those assumptions hold (which would make your life much easier), you can simply share the same Oracle Identity Management components.

At this point of the discussion, I must point out that blog comments aren't the best way of getting in-depth architectural recommendations. You may have requirements around security, auditing, platforms, maintenance, and other considerations that cannot be adequately assessed here.

I'd recommend contacting your Oracle account manager to arrange a meeting with someone in our Oracle Protected Enterprise consulting team. If you'd like me to help with the introductions, let me know.

Regards,
Steven

Posted by Steven Chan on July 29, 2011 at 05:07 AM PDT #

Steve,

Thanks a lot for your clarification. One final question,
In Option #1 (3rd-party non-Oracle SSO), please let us know where the WebGate is installed. Do we have to install it at the OAM server side or at the 3rd-party SSO's HTTP server side?

Thank you very much for your help!!

Regards,
Narayanasamy

Posted by Narayanasamy on July 29, 2011 at 05:42 AM PDT #

Hi Narayanasamy,

The WebGate can be installed on any HTTP server -- even a new one. OAM does not actually have an HTTP server of its own. I think the explanations in My Oracle Support Knowledge Document 1309013.1 will help clarify the relationship with Oracle E-Business Suite a bit more.

Cheers,
Keith

Posted by Keith M Swartz on July 29, 2011 at 12:51 PM PDT #

Steven,

Our EBS R12 (12.1.3) is running on AIX 6.1 (64-bit machine with 32-bit JDK/JRE installed). For Integrating Oracle E-Business Suite with Oracle Access Manager 11g using Oracle E-Business Suite AccessGate (Doc ID 1309013.1) for SSO, do we have to use a 64-bit JDK/JRE for all the FMW 11gR1 products (OID, OAM, OHS, WLS, etc.), or can we use a 32-bit JDK/JRE also?

Thanks for your help!

Posted by Narayanasamy on August 02, 2011 at 12:05 AM PDT #

Hello -
The requirements for the FMW 11gR1 products required for use with EBS AccessGate can differ from that of the E-Business Suite and are specifically outlined in the FMW certification page:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
As it turns out for AIX (64-bit), the FMW requirement is for the 64-bit version of IBM's JDK on AIX.
Regards,
John

Posted by John Abraham on August 02, 2011 at 06:06 AM PDT #

So, after getting my recommendations back into 1309013.1, I am pretty familiar with the EBS R12.1.x stack and OAM 11g R1 via WebGate 11g and EBS AccessGate 1.1.
However, as we all know, the documentation is, let's just say, lacking.
So, in order to use the AD model for authentication and OAM 11g, am I forced to use the OID store that I created based on note ID 1309013.1?
I also need to deploy to my user base with Windows Native Authentication.

I have created an external LDAP store (AD, and set it as primary), but after doing this, my EBS users cannot validate against the external LDAP via the Kerberos setups that I can confirm for my WebLogic UI users.

What you're speaking of here, does this require me to deploy the "Oracle Password Filter for Active Directory" on my AD domain controller?
OR
Is there another way to configure OID to pass-forward the authentication (via this plug-in) that you have mentioned?

I am almost there, please help me get the last step complete....

Posted by guest on August 04, 2011 at 10:56 AM PDT #

Hello, Guest,

I'm sorry to hear that you've encountered an issue with this.

We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on August 05, 2011 at 03:28 AM PDT #

Sorry for the extremely basic question and if this has already been answered, but EOL aside, is Oracle Single Sign-On a component that is included with the 10g Application Server 10.1.3.5 and not licensed separately? It appears to be the case, but the diagram seems to show that it is a separate server. I have very limited experience with the Oracle stack (which I am sure shows) and I'm trying to get a better understanding of how this piece is related when you have EBS R12.1.3 in the mix.

Thanks very much,
Todd

Posted by guest on October 19, 2011 at 11:58 PM PDT #

Todd,

I'm in EBS Development and don't have much visibility into Fusion Middleware licencing. I believe that Oracle Single Sign-On is licenced separately from Oracle Application Server 10g, but you should verify that with your Oracle account manager (or someone in Oracle Sales).

We've shown this as a separate server since most customers wish to use Oracle Single Sign-On as an enterprise-wide service rather than something just for EBS. There are no technical limitations that prevent you from installing it on an existing server.

Regards,
Steven

Posted by Steven Chan on October 20, 2011 at 06:32 AM PDT #

Hi Steven,

Thanks for the information. I appreciate it.

Todd

Posted by Todd Clayton on October 20, 2011 at 09:18 AM PDT #

Hi Steven,

Excellent article. Most of our enterprise systems are using SSO through Microsoft Active Directory, with the exception of a number of legacy applications. Two of these legacy systems are our E-Business Suite and a separate client-server application that currently uses Oracle Database authentication. With these two systems, although the user IDs are created with the same name, the passwords are not synchronized. We are now in the early stages of trying to figure out how best to convert these systems to SSO.

There are a number of issues we will face on converting these to SSO. Among them is that the existing User IDs (as well as the passwords) have no relation to our SSO IDs so we will need to build some type of link between the existing IDs and the enterprise SSO IDs.

There is also the question of how to handle existing data assigned or audited by user ID. For some other legacy applications that were using database authentication we maintained the existing user IDs, but the authentication itself would have the user sign in with their SSO ID. But this does mean that we need to maintain the link between SSO user IDs and database user IDs, which is more overhead.

Making this a little more complex is that the E-Business Suite uses its own authentication method.

I'd like to know your thoughts and recommendations on how best to handle this.

Dave

Posted by Dave on January 20, 2012 at 02:21 AM PST #

Hello Steve,

It's great info from you. Currently I am working on the integration of EBS R12 with OAM 11g, and this whole setup is to be protected by CA SiteMinder. Oracle WebGate 11g uses the OAM_Auth cookie, which is not supported by the SiteMinder cookie. Whereas the SiteMinder cookie is supported by the 10g WebGate cookie or mod_sso.

Can you tell me whether mod_sso is supported by EBS AccessGate 1.1.0.0 using OHS 11g?

Posted by Venkatesh on January 25, 2012 at 11:49 PM PST #

Venkatesh,

Thank you for your inquiry.

Oracle E-Business Suite AccessGate is not supported with a mod_sso deployment. Oracle E-Business Suite AccessGate versions 1.1.0.0 and 1.1.1.0 are supported with Oracle Access Manager and Oracle WebGate per My Oracle Support Note 1309013.1.

Regards,
~ep

Posted by Elke Phelps (Oracle Development) on January 26, 2012 at 11:16 AM PST #

http://blogs.oracle.com/schan/entry/top_5_myths_about_patching_app
Missing. Can you please provide info on these myths?

Posted by guest on February 02, 2012 at 08:01 PM PST #

Hi, Guest,

Here's the new URL:

http://blogs.oracle.com/stevenChan/entry/top_5_myths_about_patching_app

Regards,
Steven

Posted by Steven Chan on February 03, 2012 at 10:22 AM PST #

Hello,

Is it possible to configure Demantra (7.3.0.1+) to use Windows Native Authentication, so that when the user signs into their Windows client on the AD domain these credentials are passed to Demantra and the user does not have to re-authenticate?

Thanks,
Glen

Posted by Glen on February 09, 2012 at 02:20 PM PST #

Hello, Glen,

We don't have any Demantra specialists on this blog's panel of authors. Rather than my speculating about the feasibility of that configuration, I think it would be advisable for you to confirm this with the Demantra team directly. If they don't have an OTN forum or blog, your best option might be to log a formal Service Request via Oracle Support to get an official reply from the Demantra team.

Regards,
Steven

Posted by Steven Chan on February 10, 2012 at 12:03 PM PST #

Steven,

We have integrated our Ebiz with SSO (synced with AD) for login purposes. The issue here is, whenever a user's location gets changed in AD, its counterpart variable does not get reflected in OID. Because of this, the user is not able to log in and gets an authentication error message. We even checked with the Oracle SR Indian team on this, with no luck to date. I need your idea on how to fix this permanently, as we are doing manual fixes, which is very irritating.

In OID, the parameter that refers to location is
orclsourceobjectdn

whereas in AD it is
distinguishedName.

Jegan N

Posted by guest on February 20, 2012 at 03:16 AM PST #

Hi, Jegan,

I'm sorry to hear that you've encountered an issue with this.

We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our Oracle Internet Directory specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on February 20, 2012 at 11:00 AM PST #

Steven,
Need help on the below:
EBS HR (11.5.10.2), EBS 11i Payroll, EBS 11i [ASCP]
Novell eDirectory 8.1.x

Proposed: Implement SSO & integrate with Novell eDirectory

Multiple EBS instances to a single OID (10g).

Please recommend the applicable integration plans.
Will a single OID support multiple EBS instances?
How can the USERS be differentiated for each EBS instance?
Should the integration be
Novell (eDir) => OID => EBS or
EBS => OID => eDir?

Please advise on the above.

Thanks
KUMAR

Posted by kumar on March 04, 2012 at 03:32 PM PST #

Kumar,

Thank you for the inquiry.

Your plans are to integrate EBS 11i with Oracle Single Sign-On. Our recommendation for EBS 11i customers is to first upgrade to Release 12.1.3, then integrate with Oracle Access Manager 11g using E-Business Suite AccessGate. Please refer to Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR1 (11.1.1.5) using Oracle E-Business Suite AccessGate (Doc ID 1309013.1).

If you cannot upgrade to EBS 12.1.3 first, you should consider integrating with Oracle Access Manager 10g and E-Business Suite AccessGate. Please refer to Integrating Oracle E-Business Suite with Oracle Access Manager 10g using Oracle E-Business Suite AccessGate (Doc ID 975182.1).

To answer your questions:
- Yes, a single Oracle Internet Directory can be used to support multiple EBS instances.
- Users are uniquely identified by the Global Unique Identifier or GUID.
- With Third-Party LDAP integration, user credentials are synchronized from the third-party LDAP to Oracle Internet Directory to the E-Business Suite Database. Please refer to the Synchronization of User Credentials with Third-Party LDAP Directories in this blog article.

From an integration standpoint, the architecture you are describing is quite complex and very difficult to answer in detail in the form of a blog comment response. For additional assistance, please contact your Oracle Account Manager who can connect you with the Protected Enterprise group within Oracle Consulting for additional assistance.

Best of luck to you with your deployment.
Regards,
~ep

Posted by Elke Phelps (Oracle Development) on March 05, 2012 at 11:30 AM PST #

Steven,

Our R12 (12.1.1) is currently integrated with WNA, 11g OID & 10g SSO, and the third-party LDAP is MS AD. Now we are implementing the HRMS & Payroll modules.

We have a requirement of synchronizing AD users with employees in the HRMS database. That is, when there is an addition, deletion or modification of an employee in HRMS, it needs to be propagated to MS AD. Can we achieve this with the existing OID & SSO setup?
Looking forward to your kind advice.

Thanks & Regards,
George

Posted by george on April 12, 2012 at 07:09 PM PDT #

Hello, George,

Yes, this is possible. The MS AD namespace is first synchronized with Oracle Internet Directory. Then the prebuilt Oracle Internet Directory tool -- the HR Agent -- can be used to synchronize the employee information into the E-Business Suite HR database.

There are more details here:

https://blogs.oracle.com/stevenChan/entry/indepth_synchronizing_oracle_h

That article is fairly old but still conceptually applicable to both E-Business Suite 11i and 12, and Oracle Internet Directory 10g and 11g.

Regards,
Steven

Posted by Steven Chan on April 13, 2012 at 04:20 AM PDT #

Hello, Guest,

My apologies -- I only just noticed that your question had slipped through the cracks. Here's an updated pointer to the article:

Top 5 Myths About Patching Apps Environments
https://blogs.oracle.com/stevenChan/entry/top_5_myths_about_patching_app

Regards,
Steven

Posted by Steven Chan on April 13, 2012 at 04:23 AM PDT #

Hello Steven,

Thanks for the info; actually our requirement is the other way around: from HRMS to MS AD. Sorry if my earlier post was confusing.

When a new employee joins, his/her details are entered into HRMS first, then a user account must be created in MS AD.

Regards,
Shaiju

Posted by George on April 13, 2012 at 05:03 AM PDT #

Hello, Shaiju (George?),

The HR agent can be configured to move information into HR from Oracle Internet Directory. It can also be configured to move information out of HR into Oracle Internet Directory.

You can refer to the documentation in the linked article about the HR Agent for more details.

Regards,
Steven

Posted by Steven Chan on April 13, 2012 at 06:42 AM PDT #

Steven
You recommended https://blogs.oracle.com/stevenChan/2010/07/ebs_accessgate_102.html on a post above but that page is not available. Can you post the right link?
Thanks
Manish

Posted by guest on May 09, 2012 at 12:21 AM PDT #

Manish,

The correct link is as follows:
https://blogs.oracle.com/stevenChan/entry/ebs_accessgate_102

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on May 09, 2012 at 05:41 AM PDT #

Dear,

We have to configure the below requirement in Oracle EBS R12 for our client.

Environment: HRMS-Oracle E-Business Suite R12 to integrate with our Microsoft Active Directory 2008,
SSO has been already configured in EBS R12

We have certain details in EBS such as Staff Number, First Name, Middle Name, Last Name, Office Location, Email, Address, City, Country, etc., which have to be pulled from HRMS and updated in Microsoft Active Directory. The estimated number of AD accounts is 6000, with an annual growth rate of 3% over the next three years.

I have gone through the below Metalink documents, where they describe the integration of EBS with OID & SSO, whereas my case is with Microsoft AD 2008.

Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On 10gR3 (10.1.4.3) [ID 376811.1]
Using the Latest Oracle Internet Directory 11gR1 Patchset with Single Sign-on and Oracle E-Business Suite [ID 876539.1]
Registering Oracle E-Business Suite Release 12 with Oracle Internet Directory 11gR1 and Single Sign-On [ID 1370938.1]
External Authentication To Active Directory Integration With E-Business Suite [ID 429020.1]

Can you please guide me on how to implement the above requirement?

Regards
Nagu

Posted by Nagu on July 11, 2012 at 05:35 AM PDT #

Hello, Nagu,

Apologies for the delay in responding to this.

The Oracle Internet Directory group offers a product called the HR Agent; it's described here:

In-Depth: Synchronizing Oracle HRMS with OID (Oracle E-Business Suite Technology)
https://blogs.oracle.com/stevenChan/entry/indepth_synchronizing_oracle_h

I'm afraid that this blog's authors don't have much experience with that product. Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) against the Oracle Internet Directory product to get one of those specialists engaged.

Best of luck with your implementation.

Regards,
Steven

Posted by Steven Chan on August 22, 2012 at 12:27 PM PDT #

Thanks Steven.

Sure, I will create an SR and start proceeding with the requirements.

Regards
Nagu

Posted by Nagu on August 28, 2012 at 02:11 AM PDT #

Hi Steve,

We are planning to implement WNA for EBS 12.1.3 using OID/OAM/AD via Kerberos. I have gone through the articles but got confused about what should be the primary default user identity store for this configuration.

1. Is it AD or OID? If AD is the primary default store, how is OID used?
2. If OID is the primary, is AD referenced using the external auth plugin?

I am targeting a zero-login configuration setup.

Thanks,
Srinivas

Posted by Srinivas on September 21, 2012 at 10:22 AM PDT #

Srinivas,

Thank you for the inquiry.

For the E-Business Suite configuration, Oracle Internet Directory is the primary default store. Authentication from Oracle Internet Directory is delegated to Active Directory using the Windows Native Authentication plugin.

NOTE: This article details Oracle Single Sign-On integration with E-Business Suite. Oracle Single Sign-On is currently in limited extended support. Please review the following article for recommendations for integrating with Oracle Access Manager:
https://blogs.oracle.com/stevenChan/entry/new_single_sign_on_iintegrations

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on October 15, 2012 at 12:42 PM PDT #

We have EBS R12 with Fusion IM 11.1.1.2 using SSO 10.1.4.3 integrated with CA SiteMinder as third-party authentication. If we upgrade from SSO 10g to OAM 11.1.1.5.0, how do we integrate with CA SiteMinder?

Oracle has provided a Java plug-in in SSO 10g for integration with third parties like CA SiteMinder; however, what options are available to use third-party integration with OAM 11g? Do you have any document or steps for the same?

Posted by guest on November 26, 2012 at 03:24 PM PST #

Guest,

Thanks for your inquiry. Oracle E-Business Suite single sign-on integration includes integration with Oracle Access Manager, Oracle Internet Directory and E-Business Suite AccessGate. Oracle E-Business Suite is certified with Oracle Access Manager, which in turn is certified with third-party systems. It is through the Oracle Access Manager certification that E-Business Suite is certified with third-party systems.

Details regarding configuration and implementation of Oracle Access Manager with third-party systems such as CA SiteMinder are maintained in the Fusion Middleware documentation, and support is through the Fusion Middleware team. Please check out the Fusion Middleware documentation on the Oracle Technology Network here:
http://www.oracle.com/technetwork/indexes/documentation/index.html#middleware

If you're not able to find the specifics you need in the generic Oracle Access Manager documentation, or are having difficulty with the integration of OAM with CA SiteMinder, you should consider logging a service request via My Oracle Support with the Fusion Middleware Oracle Access Management Support Team.

Good luck with your implementation.

Regards,
Elke

Posted by Elke Phelps (Oracle Development) on November 28, 2012 at 06:55 AM PST #

Hi Elke

Thanks for the response. We did raise an SR, and Oracle responded that there's no document or steps available to perform integration between OAM 11g and CA SiteMinder, and suggested contacting third-party vendors to write code.
We won't use AccessGate, as we are migrating from SSO 10g to OAM 11g, and this is a major roadblock. I need to know: when SiteMinder authenticates a user and passes the HTTP header info, there should be some way for OAM to understand it and pass it to EBS. The document you provided doesn't have that info; can you please point to a specific document?

Posted by guest on December 10, 2012 at 02:27 PM PST #

Guest,

Thanks for the additional information and update. I'm sorry to hear that you did not find the information you require.

Integrating third-party identity management systems with E-Business Suite is certified through the E-Business Suite integration with Oracle Access Manager. If Oracle Access Manager does not provide configuration documentation for a specific third-party identity management system, then an enhancement request must be raised with the Oracle Access Manager development team.

I am a member of E-Business Suite development. I will raise this request with the Oracle Access Management development team. Please also open a service request and request the ability to log an enhancement request for this issue.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on December 11, 2012 at 08:56 AM PST #

Hi Elke

Thank you very much for the update. We were really stuck moving forward on the SSO 10g to OAM 11g migration in our EBS R12.1.2 setup. I would like to provide you the SR which we opened; it was closed stating it's not certified by Oracle. I am not sure if I can post the SR # here; please let me know if you want me to send it to you. Also, in the SR they pointed us to the below document and mentioned it's not certified to use CA SiteMinder with OAM 11g for EBS R12.1.2.

Note 1151138.1 - Essentially this integration is not certified by Oracle

Basically our existing setup as below:

EBS R12.1.2 using OID as the user repository and SSO 10.1.4.3. Authentication happens at CA SiteMinder (note: there's no sync between the OID and SiteMinder repositories), and the HTTP header information is passed to SSO 10g, which in turn sends the information to identity management and finally to EBS. Oracle has provided a plug-in named SSOAuthSM.java for integrating SiteMinder with SSO 10g. Now we need configuration details for integrating SiteMinder with OAM 11g; please assist.

Appreciate your help, please let me know if you want to open separate SR or I can re-open existing SR with reference to your comment.

Thanks
Thiagu

Posted by guest on December 11, 2012 at 04:05 PM PST #

Hi Elke

As you advised, we did raise an SR and requested them to log an enhancement request with the OAM product team. They also raised the request (Defect 16003641 has been created via Defect Workbench iBug portal request id: (3792869)); however, they still confirm this is not certified and there's no guarantee we get any documentation/configuration for this setup. Please see the update from SR 3-6556749631 below:

==================

Hello Thiagu,

Elke stated that EBS is certified for integration with Oracle Access Manager, and in that integration would rely on OAM for authentication (which is why the enhancement request would need to be made against OAM). She did not say that OAM is certified with CA siteminder, as it is not.

The issue you encounter is that you are currently authenticating with siteminder integrated with OSSO (for which there is a documented/certified integration). In 11g there is no OSSO, only OAM, so EBS has to rely on OAM for SSO, and OAM does not have a documented/certified integration with CA siteminder. I can refer you to note 1151138.1 which also discusses the integration with Siteminder and the constraints in OAM 11g.

However, at this time, Oracle does not document/certify OAM 11g integration with Siteminder. I will file an enhancement request on your behalf to request such documentation/certification, but whether it is produced will be solely at the discretion of OAM product management. EBS isn't involved in this request other than being an integration client with OAM...if you want to use the OSSO agent for the EBS integration with OAM 11g rather than the EBS accessgate, request for support of that method of integration would need to be directed to the EBS team.

Thanks & Regards,

Robert
Global Customer Services
=========================================================

Can you please confirm this is certified and that we get a configuration document as we got for SSO 10g with SiteMinder? Also, we would like to use the OSSO agent with OAM/EBS, not AccessGate, as we are upgrading from SSO 10g to OAM 11g and already have users in our application.

Thanks
Thiagu

Posted by Thiagu on December 14, 2012 at 06:58 AM PST #

Thiagu,

I'm sorry that you have uncovered these limitations. I am part of the Oracle E-Business Suite development organization. The Oracle Access Manager development organization is responsible for certification with third-party IDM systems.

You have taken the appropriate action by logging an enhancement request with the Oracle Access Manager development team. I have also followed up with Oracle Access Manager Product Management on your behalf.

Please note that when deploying an Oracle E-Business Suite single sign-on integration, our recommendation is to use Oracle Access Manager 11gR2 with EBS AccessGate. Failure to deploy a certified configuration is considered a custom deployment and is not supported by Oracle. Additional details regarding certified and recommended E-Business Suite single sign-on integrations are available here: https://support.oracle.com/rs?type=doc&id=1388152.1

Regards,
Elke

Posted by Elke Phelps (Oracle Development) on December 18, 2012 at 07:59 AM PST #

Hi Elke

Thanks for the update. We have no issues using AccessGate; however, using the OSSO agent with OAM for existing users in a 10g SSO setup is supported and certified by Oracle as per note ID 1304550.1. Now the issue is not about using AccessGate or not, but the configuration details for integrating OAM with SiteMinder; without that we cannot move forward with this migration. Hopefully the enhancement request will solve this problem; please update me if you hear anything about it.

Thanks
Thiagu

Posted by Thiagu on December 18, 2012 at 04:40 PM PST #

Hi Steve

One of our clients wants to integrate E-Biz R12 with MS Active Directory 2008 R2.

We are proposing OID (Directory Services Plus) for this.

Is it mandatory to have OAM for this, or can we achieve the integration without it as well?

I would appreciate your advice on this.

thanks

Posted by Ahmed on January 26, 2013 at 11:03 AM PST #

Hi, Ahmed,

Oracle Access Manager is mandatory when integrating the E-Business Suite with Oracle Internet Directory (and vice versa).

Once your EBS environment is integrated with OAM and OID, you can then integrate OID with MS Active Directory.

Regards,
Steven

Posted by Steven Chan on January 28, 2013 at 10:20 AM PST #

In the use case where Microsoft Kerberos Authentication is used (in your blog above), when you say "Oracle Single Sign-On 10g recognized the Microsoft Kerberos ticket, issued its own Oracle security tokens to the user", does the OSSO recognise the Microsoft Kerberos ticket by contacting OID? Can you please explain where OID is used in this use case?

Thanks.

Posted by JaJa on April 17, 2013 at 01:37 AM PDT #

Hello, JaJa,

See this externally-published article:

Why Does EBS Integration with Oracle Access Manager Require Oracle Internet Directory? (Oracle E-Business Suite Technology)
https://blogs.oracle.com/stevenChan/entry/why_does_ebs_integration_with

This article applies to both Oracle Single Sign-On 10g as well as Oracle Access Manager. It applies even when Oracle Single Sign-On or Oracle Access Manager are used with Microsoft Kerberos authentication configurations.

Regards,
Steven

Posted by Steven Chan on April 17, 2013 at 07:49 AM PDT #

Hi,

Do you have good documentation on authenticating the user using SSO 10.1.4.3 with encryption via Active Directory?

Thanks
Chenthil

Posted by Chenthil Murugan on August 11, 2013 at 05:56 PM PDT #

Greetings All,

The architecture described for 3rd-party SSO solution integration with Oracle EBS does not make sense (see diagram 1). Why are two SSO solutions needed (see diagram 1, where we have a 3rd-party SSO server and an OracleAS SSO 10g server)?

My question is: can Oracle EBS not be configured to directly integrate with 3rd-party SSO solutions without needing the Oracle SSO server? For example, can Oracle EBS be configured to accept the user and groups in the HTTP header (or some other form of credentials, like a proprietary or a SAML token) sent by the SSO solution that has authenticated the user? I understand there needs to be a mapping in place of user ID/groups, but that can be handled by having a sync in place between OID and the 3rd-party SSO user registry (usually AD or LDAP).

My point is, logically we do not need two components in the architecture to handle SSO, as I understand now Oracle are encouraging Oracle Access Manager in place of the Oracle SSO server for new customers, which brings in more components to handle.

With one SSO component the architecture is streamlined, simple to manage and easier to troubleshoot.

Please help, as I am getting blasted by customers asking the same question on the solution we are implementing for them. Unfortunately I cannot rip out the 3rd-party SSO solution (IBM Access Manager), as it has been integrated with a large number of other web app environments (incl. MS apps) and works well for them. I would appreciate your help; thanks in advance.

- Yassin

Posted by guest on November 01, 2013 at 03:54 AM PDT #

Chenthil,

Thank you for the inquiry. Please refer to the Oracle Single Sign-On documentation for integration requirements, steps and configuration with third-party directory services.

Please note that Oracle Single Sign-On 10gR3 is currently in limited extended support through December 2013. You should already be planning your migration to Oracle Access Manager 11gR2.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on November 01, 2013 at 07:16 AM PDT #

Yassin,

Thank you for your inquiry. I understand your concerns and the questions being raised by your customers. I assure you that the information as posted in this article is accurate.

Oracle E-Business Suite is not directly certified with third-party single sign-on systems or third-party directory services. Oracle E-Business Suite is certified with Oracle Access Manager and Oracle Internet Directory. It is through our certification with Oracle Access Manager that we are certified with third-party systems.

We in Oracle E-Business Suite development simply cannot certify with all third-party systems that are available in the market. Our primary objective is to develop Oracle E-Business Suite functionality.

If you have additional questions or comments, please feel free to contact me directly.

Regards,
Elke

Posted by Elke Phelps (Oracle Development) on November 01, 2013 at 07:30 AM PDT #

Hi Elke,

I am not asking for Oracle to *certify* Oracle EBS integration with other 3rd-party SSO solutions. I would leave this for the 3rd-party SSO vendor to provide the support/certification that is needed for the integration they provide with their solution.

My point is that Oracle EBS is restricted to having OAM as mandatory, which purely from an architecture design perspective is not necessary, and from a support perspective becomes quite complex, especially when troubleshooting. I am trying to achieve SSO and nothing more (e.g. I am not trying to replace OID supporting Oracle EBS or circumvent the authorisation within Oracle EBS access control).

At the moment I am looking into a simple method that works for almost all web apps without violating support or requiring certification of any sort; that is, to auto-inject user authentication credentials/data (on behalf of the user) into the web logon form presented by a web app. This only works if the authentication data (user ID, password, etc.) are static values (entered one time and auto-injected the rest of the time).

By analysing the HTTP request/response between the client browser and the Oracle EBS backend web server, I find that the _FORM_SUBMIT_BUTTON attribute/header value is sent by the client (browser) together with the user ID and password for user authentication. The _FORM_SUBMIT_BUTTON attribute/header value has a dynamic string included (it takes the form 'SubmitButton<8 digit dynamic string>'). I have noticed this dynamic string ('<8 digit dynamic string>') was introduced through a patch release, where in previous patch releases of Oracle EBS v12.1.3 the _FORM_SUBMIT_BUTTON had a static value ('SubmitButton'). As such, the method I have tested works fine with Oracle EBS v12.1.3 that does not have the latest patch.

Is there any configuration in Oracle EBS so that the _FORM_SUBMIT_BUTTON value does not have this dynamic string appended to SubmitButton? This would help me immensely, as my project is currently on hold for this integration. As such, I would really, really appreciate your assistance.

- Yassin

Posted by guest on November 02, 2013 at 03:00 AM PDT #

Yassin,

Thank you for the additional questions. It might be possible for a third-party system to certify with Oracle E-Business Suite and it might be possible to build a customized solution of some kind. Either approach would be considered a customization to Oracle.

Customized approaches come with all of the issues inherent to customizations: support, maintenance, scalability and performance, robustness to future techstack upgrades and changes, and etc, etc. Also, as you pointed out, preservation of the solution after patching may be an issue. Oracle code changes can occur with all types of patches including one-offs, RUPs, maintenance packs, CPUs, etc.

Any issue that you may encounter with login or session management problems must be reproducible using standard Oracle code - without your custom solution in place. For these reasons, we do do not recommend that customers create a customized authentication mechanism.

As per my prior update, Oracle Access Manager and Oracle Internet Directroy are mandatory requirements for a certified Oracle E-Business Suite single sign-on integration.

In regards to your question about the _FORM_SUBMIT_BUTTON - this blog is available to provide general certification and architectural guidelines. Your best option is to log a Service Request with Oracle Support to determine if there is a way to configure the button as requested.

Thanks again for your inquiries and good luck.

Regards,
Elke

Posted by Elke Phelps (Oracle Development) on November 04, 2013 at 09:22 AM PST #

Hi Elke,

Thanks for your encouraging response. I've sorted my integration issue out with 3rd party SSO solution and Oracle EBS. It does not require Oracle Access Manager or OracleAS SSO Server.

Kind Regards,
Yassin

Posted by guest on November 07, 2013 at 10:31 AM PST #

Yassin,

Do you mind sharing your solution?

Todd

Posted by Todd on November 07, 2013 at 11:16 AM PST #

Great Yassin,

How did you achieve it? It would be worthwhile for others if you can share your solution or point us in the right direction.

Thanks
Chenthil

Posted by Chenthil on November 07, 2013 at 03:22 PM PST #

Hi,

Apologies for the late response, I was off for a couple of days.

The integration I did was through IBM Access Manager as the 3rd party SSO solution used by this customer. This integration largely depends on the type of integration methods the 3rd party SSO offers. Referring to Elke's response, I doubt the integration is certified by Oracle. I therefore suggest you get in touch with the IBM developerWorks ( http://www.ibm.com/developerworks/mydeveloperworks/groups/service/html/communityview?communityUuid=9cada156-0920-439b-a1d4-598aad993bd0 ) integration factory community as they will be able to give you free advice & support.

There is also Oracle EBS AccessGate that is used by OAM. Not sure if I would be able to use this component on its own (without OAM and its WebGate) to achieve SSO with a 3rd party vendor solution for SSO. In theory it should. Any idea if Oracle EBS AccessGate is part of Oracle EBS?

Kind Regards,
Yassin

Posted by guest on November 14, 2013 at 01:12 AM PST #

Hi, everyone,

There's nothing to prevent you from using third-party products with Oracle E-Business Suite. There are important support implications; see:

Certification and Support for Third-Party Products
https://blogs.oracle.com/stevenChan/entry/certification_support_for_thir

And to answer Yassin's question: yes, EBS AccessGate is part of Oracle E-Business Suite. It is designed for use only with Oracle Access Manager.

Regards,
Steven

Posted by Steven Chan on November 14, 2013 at 09:28 AM PST #

Hi Steven,

Please let me know if it is possible to have EBS SSO using Okta.

Thanks
Abhi

Posted by guest on December 11, 2013 at 04:03 PM PST #

Hi, Abhi,

I haven't heard any reports from customers integrating Oracle Access Manager with Okta. You might wish to ask Okta directly if that's feasible. Alternately, you can log a Service Request with Oracle Support against the Oracle Access Manager product to see if they've had any experience with this combination.

Regards,
Steven

Posted by guest on December 11, 2013 at 04:39 PM PST #

Steven,

When integrating Active Directory with E-Business Suite to use AD for authentication, is Oracle E-Business AccessGate a mandatory component? I'm a bit confused between this blog post and note 1484024.1 (which suggests E-Business Suite AccessGate is needed on the EBS end).

Can you please clarify?

Thanks,
Rakesh

Posted by guest on April 03, 2014 at 12:25 AM PDT #

Hi, Rakesh,

Oracle Access Manager and Oracle Internet Directory are required when using Microsoft AD and Kerberos for EBS authentication. EBS AccessGate is required to use Oracle Access Manager with the E-Business Suite.

Regards,
Steven

Posted by guest on April 04, 2014 at 10:27 AM PDT #
