Understanding Options for Integrating Oracle Access Manager with E-Business Suite

Integrating Oracle Access Manager with the E-Business Suite can be tricky.  This is especially true if you're upgrading from EBS 11i to 12, or perhaps also switching from the older Oracle Single Sign-On technology to Oracle Access Manager.  Things can get even more complicated if you're interested in integrating the E-Business Suite with a third-party authentication system such as Windows Kerberos, or managing your users in a third-party LDAP directory like Microsoft Active Directory.

Understanding your options for integrating EBS with Oracle Access Manager and Oracle Internet Directory has just gotten a bit easier.  First, we've just published a new document that lays out the options and our recommendations:

[Figure: Oracle Access Manager architecture diagram and flow]

This new document discusses:

  • Single sign-on concepts
  • Options for integrating single sign-on solutions for Oracle E-Business Suite including the following:
    • How the Oracle Access Manager Integration Works
    • How the Oracle Single Sign-On (OSSO) Integration Works
    • Integration with Third-Party Access Management Systems and LDAP
  • Considerations to take into account when choosing a single sign-on solution
  • Documentation roadmap specifying which document to follow dependent upon your integration goal
  • Reference architecture diagrams depicting example components by Oracle E-Business Suite release

Reworked instructions for integrating Oracle Access Manager + E-Business Suite 

In addition to the new overview document above, we've also made extensive revisions and updates to this previously-published document:

The updated Note is the result of your emails, Service Requests, and feedback to us on how we can improve our documentation. This is still an admittedly-complex implementation, with many detailed and exacting steps.  We're examining ways of streamlining and possibly automating some of the implementation steps in a future update to this certification.

Your feedback is welcome

We've tried hard to make this complex area just a little bit more accessible.  We would love to hear about your experiences with these components.  Your feedback regarding the new note and updated note is welcome.  Please either post a comment here or log a bug request against the note in My Oracle Support.

(Special thanks to Allison Sparshott and Hubert Ferst for their combined efforts in crafting these updates.)
Comments:

Hi Steven,
This is a very good initiative! And very welcome indeed too. I was at Collaborate in Las Vegas a couple of weeks back, and asked Oracle specifically for a comprehensive guide on installation and implementation of OAM with EBS.
Another question that still remains is what can and cannot be done from a license perspective. I am not sure whether this is the right place to ask, but I was quite surprised to find out that it is allowed to have OAM Basic Edition for SSO with E-Business Suite. However, restrictions apply (naturally). These restrictions are not very clear to me when it comes down to integration with E-Business Suite, and I would really appreciate (and I am sure, many are with me on this issue) a bit more explanation on what these restrictions are about, when it comes to integration of OAM Basic Edition with E-Business Suite.
For example:
I have got an E-Business Suite environment, but my infrastructure has already got an AD solution (MS Active Directory). Can I integrate OAM Basic Edition with E-Business Suite using the existing AD, under the restricted license of OAM Basic Edition?
Again, I wouldn't be surprised when it turns out that this blog is not the primary location to get information on this, but I don't know where else to turn, because this is an area where pure technology meets licensing, and if not covered correctly it can hit you straight back into the face when not correctly addressed.
Your help would be greatly appreciated!
Regards,
Arnoud Roth

Posted by Arnoud Roth on May 08, 2012 at 10:37 PM PDT #

Arnoud,

Thank you for the feedback. I'm glad the article was helpful.

In terms of your licensing questions, please work with your Oracle Account Manager who will be able to assist you. Your Oracle Account Manager will collect your licensing questions and get the information you need to make certain you are in compliance.

Regards,
Elke

Posted by Elke Phelps (Oracle Development) on May 09, 2012 at 05:39 AM PDT #

Steven,
Thank you for this article. I'm reaching out to you because of an OAM integration of EBS R12.1.3 that I'm currently working on and which seems to be running into a couple of showstopping issues. In fact, I sent you an email on this as well. I have copied the contents of the email (almost verbatim - I have only redacted SR numbers and the name of the customer) here:
------------------------------------------------------------
I apologize for reaching out to you directly like this and I do hope you monitor this email account and will be able to help out with my problem. I’m emailing in regards to an IAM integration of R12.1.3 that I’m working on for a customer. The customer has a 3-node (1 DB & Conc. Mgr, 1 Internal Web Tier & 1 External Web Tier) environment with one of the nodes being an external web tier (inside a DMZ) running iRecruitment. The entire environment is integrated with OAM 11.1.1.5.0 for authentication via an OAM 10g Webgate and E-Business Suite Access Gate. I followed the relevant note#1309013.1 to perform the integration and for the most part, the integration is working just fine. The problem is however, with respect to iRecruitment and there are two problems that I’ve listed down below:

1. Logging into iRecruitment via the External Web Tier: This is not working. Every time we attempt to login via the external web tier, we get an OAM System error page. The OAM logs show that the policy runtime engine is failing. I created an SR with Oracle Support for the OAM issue and they told me that the OAM_REQ cookie was being lost due to the fact that the iRecruitment URL was very long (over 4000 characters). The engineer opened a spin-off SR with the Applications Technology Group which is currently trying to debug the issue with no success whatsoever. They have logged a bug for this but still there hasn’t been a resolution. The funny thing is the login works just fine in IE but fails in all other major browsers (Firefox, Chrome, Safari). We are scheduled to go live with the complete implementation (this includes the R12 upgrade and IAM integration) on Aug 6 and both projects will suffer if this issue is not resolved. I’m hoping you will be able to share some insight into this. To my mind, this should be part of the most basic testing that would’ve been done before certifying EBS R12.1.3 with OAM 11.1.1.5.

2. Logging out of iRecruitment throws HTTP-404: As I explained, logging into iRecruitment from the external web tier works just fine in IE. However, after logging in, when we attempt to log out of iRecruitment, we get an HTTP-404 error page. The problem is that after logout, instead of redirecting to http://<irec server>:<irec port>/OA_HTML/IrcVisitor.jsp, the system is redirecting to http://<oam server>:<oam port>/OA_HTML/IrcVisitor.jsp and this obviously throws an error page. Again, I have an SR logged with Oracle and haven’t had any success yet. They too have logged a bug for this but haven’t been able to provide any resolution.

With just over 2 weeks before we go-live, the customer is looking to me for answers which I am not able to provide. The integration that I’ve described should be very straightforward and should work out-of-the-box. I am surprised that nobody seems to be encountering this issue because the problem does not appear to be specific to iRecruitment but more like something which would affect every external facing module in EBS. Escalating these SR’s has not helped either and these issues have put in jeopardy not just one but two major projects for the organization. If we are not able to meet this go-live date, the customer would completely lose whatever little confidence they have in the Oracle products. This email to you is a last-ditch effort on my part to get some kind of a resolution or workaround to my problems.

Thanks in advance for your help!

-------------------------------------------------------

I'm hoping you would be able to help me out with this!

Thanks,
Manu Goel

Posted by Manu Goel on July 19, 2012 at 12:34 PM PDT #

Hi, Manu,

I'm sorry to hear that you're encountering these issues.

If these issues are on your critical path, you should contact Oracle Support and ask the on-duty Escalation Manager to escalate these Service Requests.

I haven't heard about issues with long URL truncations with OAM-based integrations with EBS recently. In the past with Oracle SSO-based reports of this issue, this was due to people using long server identifiers, which sometimes had to be repeated in concatenated URL referrer strings. The only real workaround in those cases was to shorten the machine names.

I don't have any guidance on the iRecruitment 404 error. This sounds like a configuration error of some kind.

I've asked some of our Development staff to follow up with the Support Engineers assigned to your current Service Requests. Please monitor your Service Requests for updates.

Regards,
Steven

Posted by Steven Chan on July 20, 2012 at 08:25 AM PDT #

Hi,

Our client is on EBS 11i currently. EBS 11i is integrated with OAM 10g through OSSO for Web SSO. The actual authentication/SSO is provided by OAM.

Now our client is upgrading to EBS 12. They want OAM also to be upgraded to OAM 11g.

I explored and found 2 methods (e.g. note ID 1388152.1) to integrate EBS 12 with OAM 11g:
1. with EBS AccessGate
2. using mod_osso agent (only for users upgrading from OSSO Server 10gR3)

Can you please throw some light on this? Which method out of the above mentioned 2 methods is preferable (with pros & cons of both)? Or suggest some other method, if you know.

Thanks
Andy

Posted by Andy on September 04, 2012 at 08:34 AM PDT #

Hi Manu - can you please let me know if your issues/bugs with iRecruitment got fixed and OAM integration in DMZ is working fine? Our company is planning on implementing SSO with OAM and we have a similar setup with iRec and OTL in DMZ. I would really appreciate your reply.

Thanks,
Srinivas

Posted by Srinivas Erolla on October 12, 2012 at 08:53 AM PDT #

Hello Srinivas,
To answer your question, No; neither of the problems were fixed. The first problem - Logging into iRecruitment via External Tier - was an issue with the length of the URL. Apparently, iRecruitment generates a pretty large refURL which OAM is unable to handle. Part of that issue was due to the length of the "http://hostname:portnumber/" combo. In our Test environment, this length was 43 characters. Oracle never managed to fix it. We decided to move to production anyway in the hope that we would keep following up with Support on the issue. Surprisingly, this issue did not occur in Production - the length of the "http://hostname:portnumber/" combo was 34 characters in PROD and apparently that shortened the URL length enough that it was not happening in production. We ultimately had to abandon the SR.

The second issue - logout - is still logged as a bug and the last update I had from the ATG group was that the iRecruitment Dev group had not provided any updates for the past few months. We had implemented a workaround by putting in a RewriteRule in the Webgate OHS and that has been working well so this, too, is no longer a pressing issue for us.

Hope this helps.

Thanks,
Manu

Posted by Manu Goel on October 19, 2012 at 05:37 AM PDT #

Hi Steven

It's always been a great learning experience going through your blog.

Could you please give your advice on the following issue? I would be grateful to you. It's very basic info that I am seeking from you. Hope you don't mind. Thanks in advance.

We have one single-node Linux 64-bit server which has 8 GB of RAM & 1200 GB hard disk space.

Is it possible to install EBS R12 & OAM-OID databases & then integrate EBS with OAM-OID on a single-node server by creating a virtual machine?

Is it possible if we create one VMware machine of 500 GB for installing the OAM database and use the remaining 700 GB for the EBS R12 installation, for EBS integration with OAM-OID, as that would require 2 databases, one for EBS and another for OAM-OID?
OR

Create 2 virtual machines on that Linux server, i.e. one for the EBS R12 database install & another for the OAM-OID database install.

Could you please suggest which one would be better?

Thanks !
Priya

Posted by guest on November 13, 2012 at 01:38 PM PST #

Hi, Manu.
I understand this post is a year old, but hope you have answers.

We implemented OAM with EBS with external and internal Web Entry Points.
I have the same Logging out issue. When logging out from external session, I am redirected to internal server and request fails at the firewall.

Did you get a fix from Oracle or are you still using Rewrite Rules?
If so, could you send me a sample of your rules?
Did you have separate AccessGates for external and internal logins?

Thanks,
Anatoly

Posted by guest on December 04, 2013 at 11:10 AM PST #
