Migrating from EBS 11i + Oracle Single Sign-On to EBS 12 + Oracle Access Manager

Our Identity Management team has just published an important change in the Oracle Software Technical Support Policies document (March, 2013):

"For customers with a current support contract for Oracle Single Sign-On 10gR3, Extended Support will be made available until December 2013 at then-current Extended Support fees. During this period, Extended Support will be limited to Severity 1 fixes only; critical patch updates will not be made available."

This is important if you've been wondering how to deal with this challenge: 

  • You know that Oracle Access Manager has supplanted Oracle Single Sign-On.  
  • You integrated Oracle Single Sign-On 10g with your E-Business Suite 11i environment several years ago.  
  • You plan to switch from Oracle Single Sign-On to Oracle Access Manager as part of your EBS 12 upgrade.
  • You want to get to EBS 12, but want to perform your EBS upgrade and OAM migrations different downtimes.
  • You've been staring at the latest EBS support timelines and deliberating your options:

Timeline showing updated EBS Support dates

All of the crucial pieces for this are now in place:

  1. Oracle Access Manager 11.1.2 is certified with EBS 11.5.10.2.
  2. Support for Oracle Single Sign-On 10g has been extended to Dec. 31, 2013.
  3. EBS 11.5.10's Exception to Sustaining Support has been extended to Dec. 31, 2014.
  4. EBS 12.1's Extended Support has been extended to Dec. 31, 2018.

This means that you have sufficient support coverage for all major components while you do this in a multi-phase implementation.  You can migrate your EBS 11i environment from Oracle SSO 10g to Oracle Access Manager 11.1.2 this year, in one initial downtime.  You can then upgrade that environment from EBS 11i to EBS 12.1.3 in a later downtime. 

Your implementation phases will look like this:

  1. Today: EBS 11i + Oracle Single Sign-On 10.1.4.3
  2. Interim phase:  EBS 11i + Oracle Access Manager 11.1.2
  3. Final phase: EBS 12.1.3 + Oracle Access Manager 11.1.2

Each of these undertakings can be fairly major initiatives on their own, so breaking the overall project into smaller parts helps you manage your risk.  I would be very interested in hearing about your experiences with this kind of combined migration + upgrade implementation approach.  Please feel free to post a comment here or drop me a line privately.

Related Articles


Comments:

Hi Steven,

It will be more appropriate, that a detailed upgrade checklist about the steps for the whole EBS 11i + OSSO 10.1.4.3 to EBS 12.1.3.X + OAM R2 is made available in a support document for quick reference.

Thanks,
Joshua

Posted by guest on March 27, 2013 at 03:23 PM PDT #

Can I get a clarificaton on the 10g SSO extended support.

When reading the documnet (section g) it implies that while extended support is available until Dec 2013 there is a cost associated with it.

Has the extended support fee been waived for 10g SSO or do we have to sign up and pay for the extended support?

Posted by MIke on March 28, 2013 at 08:53 AM PDT #

Hi, Joshua,

Thanks for your comment.

Although I've wanted to have combined documentation, there are vast numbers of combinations of supported technologies, features, and options (e.g. RAC, DMZ, reverse proxies, multinode, etc). It's simply not feasible to provide combined documentation that meets everyone's varied needs.

We document the EBS 12.1 upgrade in the EBS 12 Upgrade Guide. We document the OAM implementation in a separate guide.

Regards,
Steven

Posted by Steven Chan on March 28, 2013 at 10:33 AM PDT #

Hello, Mike,

Yes, I think that the Oracle Single Sign-On support extension requires an Extended Support licence. I'm not a licencing specialist, so your best option would be to contact your Oracle account manager for guidance on this.

Regards,
Steven

Posted by Steven Chan on March 28, 2013 at 10:37 AM PDT #

We wants to integrate R12 with third party Idp using OAM 11g R2 fedration, webgate, Accessgate, OID.

We have successfully implmented meta id 1484024.1 steps, now we would like integrate R12 with third party Idp using OAM SAML Relying Party(fedration), do you have any document or white paper integrate R12 with third party Idp.

I saw some artice http://blog.warrenstrange.com/2012/09/saml-federation-in-oam-11g-r2.html

but it's using OIF.

Thank you,
Regards
Komal

Posted by Komal on May 01, 2013 at 08:11 AM PDT #

Hello, Komal,
Congratulations on integrating your EBS environment with Oracle Access Manager and Oracle Internet Directory. Enabling your environment for SAML would require this general architecture:

EBS --> Oracle Access Manager --> Oracle Identity Federation --> SAML

I don't have much visibility into the OAM --> OIF integration. We test and document the integration between EBS --> OAM, but other integrations with Oracle Access Manager are handled by the Oracle Access Manager product and are outside of my visibility.

I would recommend logging a Service Request against the Oracle Access Manager product to get some guidance on OAM + OIF + SAML integrations.

Alternately, I can pass your contact information on to our Protected Enterprise Consulting group; please let me know if you'd like me to do that.

Regards,
Steven

Posted by Steven Chan on May 08, 2013 at 12:45 PM PDT #

Hi Steven. Could you please provide some reference to existing solutions on implementing SSon using OAM, OID through silent authentication? Will OAM support external authentication via OID plugin accessing AD? Thanks

Posted by guest on May 08, 2013 at 09:34 PM PDT #

Hi, Guest,

I'm unclear on what you mean by "silent authentication."

It's possible to have OAM integrate with Windows Native Authentication (Kerberos); you can refer to the generic Oracle Access Manager documentation for instructions in how to do that.

It is possible to integrate Oracle Internet Directory with Microsoft Active Directory; you can refer to the generic Oracle Internet Directory documentation for instructions in how to do that.

Both of those integrations are handled by the Oracle Access Manager and Oracle Internet Directory products directly. You can log Service Requests against those products if you have questions about those integrations.

Regards,
Steven

Posted by Steven Chan on May 09, 2013 at 08:25 AM PDT #

Hello Steven. We are trying to implement single sign on solution for Oracle EBS 11.5.10.2. From E15740-02 - (WNA - Configuring Oracle Access Manager to use Windows Native Authentication). It looks like we can setup AD as an identity store for OAM without OID being part of the solution. OID is mentioned as a mandatory piece of integration in most all the documents on SSO. Does it mean that WNA doesn't require OID at all?

Thank you

Posted by Mark on May 09, 2013 at 05:02 PM PDT #

Hello, Mark,

Oracle Internet Directory is a mandatory requirement when integrating EBS + Oracle Access Manager. This is true for WNA deployments, too, and true despite the fact that you can define AD as an identity store for Oracle Access Manager.

See this externally-published article for details:

Why Does EBS Integration with Oracle Access Manager Require Oracle Internet Directory? (Oracle E-Business Suite Technology)
https://blogs.oracle.com/stevenChan/entry/why_does_ebs_integration_with

Regards,
Steven

Posted by Steven Chan on May 10, 2013 at 07:49 AM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
4
5
6
7
8
9
10
11
12
13
14
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today