Oracle Access Manager 10gR3 Certified with E-Business Suite

Oracle Access Manager 10gR3 (10.1.4.3) is now certified for use with E-Business Suite Releases 11.5.10 and 12.1, using the new component, Oracle E-Business Suite AccessGate. For information on how to obtain, install, and configure this new component, see:

About Oracle Access Manager

Oracle Access Manager is Oracle's next-generation identity and access management platform, and is a key component in Oracle's Fusion Middleware Identity Management solution. It provides a set of authentication and authorization features, including support for single sign-on authentication, and integration with other identity management offerings such as Oracle Identity Federation and Oracle Adaptive Access Manager.

Oracle E-Business Suite AccessGate integration architecture


Oracle Access Manager Benefits

Previously, E-Business Suite only supported single sign-on capabilities through Oracle Single Sign-On Server. While it was possible to integrate with Oracle Access Manager, this still required Oracle Single Sign-On Server as an intermediary, and did not allow access to the full feature set of Oracle Access Manager.

With the release of Oracle E-Business Suite AccessGate, this is no longer the case. E-Business Suite AccessGate is a Java EE application that resides on a separate application server, and provides direct integration between E-Business Suite and Oracle Access Manager. This direct integration also opens the door to the full set of authentication features in Oracle Access Manager, as well as integration with other products in Oracle's portfolio, such as Oracle Identity Federation or Oracle Adaptive Access Manager.

I'll be posting another article in the future that describes more about how integration with Oracle Access Manager works through Oracle E-Business Suite AccessGate.

Oracle Access Manager vs. Oracle Single Sign-On Server

Our primary audience for this release of Oracle E-Business Suite AccessGate (and Oracle Access Manager) is users who have Oracle Access Manager deployed in their enterprise, and want to expand its coverage to include E-Business Suite.

E-Business Suite users that are currently integrated with Single Sign-On Server do not necessarily need to migrate to Oracle Access Manager, and, in fact, may not want to at this time, as not all products in the E-Business Suite technology stack support Oracle Access Manager today. Oracle Access Manager and Oracle Single Sign-On Server may be used together, however, and this, too, will be covered in more detail in a future article. For more details from the Fusion Middleware Identity Management team, see:

Prerequisites for Oracle E-Business Suite AccessGate
  • E-Business Suite Release 12.1.2, 12.1.1; or,
    E-Business Suite Release 11i 11.5.10 CU2 (with ATG RUP 6 or higher)
  • Oracle Access Manager 10gR3 (10.1.4.3)
  • Oracle Internet Directory 10gR3 (10.1.4.3) or 11gR1 Patchset 1 (11.1.1.2)
  • Oracle WebLogic Server 10.3.1 or higher

Oracle E-Business Suite AccessGate is supported on any operating system platform that supports Oracle WebLogic Server 10.3.1. For Oracle Access Manager and its components, such as WebGate, any operating system and HTTP server supported by it may be used for this integration.

Comments:

"...as not all products in the E-Business Suite technology stack support Oracle Access Manager today." - This seems like a fairly significant fly in the ointment in light of upcoming desupport dates. Could you please encourage the Fusion Middleware team to give us a little more detail?

Posted by Floyd on March 25, 2010 at 07:03 AM PDT #

Hi Floyd,

The Oracle Single Sign-On Statement of Direction, linked to in this article, provides more details on this. The Fusion Middleware Documentation also has references in many places; the most relevant ones are linked to from the My Oracle Support document for Oracle E-Business Suite AccessGate (975182.1).

Hope this helps.

Keith M. Swartz

Posted by Keith M. Swartz on March 25, 2010 at 07:08 AM PDT #

Hi Steven,

Do you know when Oracle 11g FMW/Weblogic will be supported with Release 12 for EBS? Do you know if it will also support 11i?

Regards,
Ben Prusinski

Posted by Ben Prusinski on April 07, 2010 at 12:39 PM PDT #

Hi, Ben,

It's important to distinguish between running WebLogic as part of the E-Business Suite's internal technology stack (e.g. in place of JServ or OC4J) versus being compatible with externally-integrated Oracle Application Server servers running WebLogic.

We plan to continue to certify Oracle E-Business Suite Release 11i and 12 with external Oracle Application Server instances. These integrations allow E-Business Suite customers to use the latest Fusion Middleware components such as Oracle Internet Directory, Oracle WebCenter, Oracle Business Intelligence, and others. These are certified now; see our recent announcements on this blog.

We're evaluating the feasibility of using WebLogic in some capacity with an as-yet-unspecified future version of Oracle E-Business Suite Release 12.

We have no plans to replace Oracle E-Business Suite Release 11i's internal JServ engine with WebLogic.

The above is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Regards,
Steven

Posted by Steven Chan on April 08, 2010 at 12:36 AM PDT #

Hi Steven,

Is there any certification on Oracle identity and access manager?

Regards,
Parasu

Posted by parasuraman on April 10, 2010 at 03:54 AM PDT #

Hi Steven,

Thank you for the answers to my questions regarding Weblogic/FMW and 11i/R12 EBS. I do look forward to beta testing the next release of E-Business Suite.

Cheers,
Ben

Posted by Ben Prusinski on April 10, 2010 at 09:58 AM PDT #

Hi Parasu,

This article is, in fact, about the certification of Oracle Access Manager with Oracle E-Business Suite, so the answer is yes. If you are inquiring about Oracle Identity Manager, that is a separate product, but this already supports Oracle E-Business Suite through the Oracle Identity Manager Connector for Oracle E-Business Suite. (It is built and certified by the Identity Manager team themselves.) You can get more details through a datasheet and on-line documentation at http://www.oracle.com/technology/products/id_mgmt/oxp/index.html .

Cheers,
Keith

Posted by Keith M. Swartz on April 10, 2010 at 02:58 PM PDT #

Sorry, small clarification : I meant to say /connectors/, plural. There are multiple ones for integrating various areas of functionality in Oracle E-Business Suite with Oracle Identity Manager. The details are in the aforementioned datasheet.

Cheers,
Keith

Posted by Keith M. Swartz on April 10, 2010 at 03:05 PM PDT #

Hi Keith

Prerequisites for Oracle E-Business Suite AccessGate covers E-Business Suite Release 12.1.2, 12.1.1 and E-Business Suite Release 11i 11.5.10 CU2 (with ATG RUP 6 or higher).

Why is there no E-Business Suite Release 12.0.x?
Is the architecture different completely between 12.0.x and 12.1.X?

Posted by anan on April 19, 2010 at 10:51 AM PDT #

Hi Anan,

It isn't an issue of architecture, but rather one of certification and development resources. We have many ongoing projects at any one time, and sometimes we have to prioritize and choose the ones that will be the most well-received. Since we need to test each minor release independently with Oracle E-Business Suite AccessGate, we opted to concentrate on Release 11i and 12.1, as the bulk of our users are on those two tracks.

At this time, we have no plans to certify E-Business Suite AccessGate with Release 12.0, but if there is considerable customer demand, we are open to reconsidering that in the future.

Thanks very much,
Keith

Posted by Keith M. Swartz on April 19, 2010 at 11:30 AM PDT #

Hi Steven,

We think about implementation of the SSO environment where I use OAM for in EBS(12.1.2) environment.
(We do not use OSSO.)
For a repository of the user information, we use Active Directory (2 Domains).

Is OID required in that environment as follows?

OAM - OID - AD

Or is that environmental implementation possible without using OID as follows?

OAM - AD

Regards,
Takayuki Tabe

Posted by Takayuki Tabe on May 20, 2010 at 03:16 PM PDT #

Hello Takayuki,

Yes, OID is always required with E-Business Suite, whether you are using OSSO or OAM.

Cheers,
Keith M. Swartz

Posted by Keith M. Swartz on May 21, 2010 at 01:24 AM PDT #

Hi Keith,
is there way to implement R12 SSO with using OAM and OVD(Oracle Virtual Directory) and get it authenticated at MS AD
this process eliminates OID.
when you implement OVD basically we are not syncing users information . we are directly talking to AD using OVD
earlier implementations we are syncing users info into OID
from ad and ebs.
ADOIDEBS
with new approach of Oracle E-Business Suite with Oracle Access Manager using Oracle E-Business Suite Gate along with OVD why do we need OID?

Posted by Syam Pepala on May 28, 2010 at 01:01 AM PDT #

Hi Syam,

It is not possible today to eliminate OID. OID is required by Oracle E-Business Suite because of a dependency on the internal orclguid attribute, which is specific to OID.

Thanks,
Keith

Posted by Keith M. Swartz on May 28, 2010 at 03:41 AM PDT #

We want to use Active Directory as our LDAP source. where does OID come into picture ?

Are we forced to use OID as our LDAP source for using OAM with EBS?
or is it that OID just needs to be there for generating guid ?

Please provide more details on how to use AD as LDAP for integrating OAM with EBS?

Posted by Rama Chilakmarri on June 21, 2010 at 10:48 AM PDT #

Hi Rama,

The short answer is that Oracle E-Business Suite only integrates directly with OID, so it must be the source that is used for authentication. However, you can still set up your environment so that a third-party LDAP, such as Active Directory, acts as the official source, by configuring one-way or two-way synchronization between the two directories. There are many ways this can be achieved, and you may want to refer to Steven's excellent in-depth article on that subject at http://blogs.oracle.com/stevenChan/2008/08/indepth_using_thirdparty_identity_managers_with_eb.html .

Cheers,
Keith

Posted by Keith M. Swartz on June 21, 2010 at 03:02 PM PDT #

Keith,

Thanks for quick response.

We would like to use OAM for non-EBS applications also and would like to use AccessGate for EBS integration.
Now that seems impossible..
SSO seems the path to go..

Most of users use AD as primary authentication LDAP.. The AccessGate certification is useless at this point.

Thanks for your timely help.
Rama

Posted by Rama chilakmarri on June 21, 2010 at 11:07 PM PDT #

Rama,

I think you may have misunderstood. The OID requirement is true for Oracle E-Business Suite regardless of what authentication system you are using, whether it's OSSO or OAM. This is explained in both the EBS AccessGate documentation, as well as our single sign-on integration documentation.

Also, did you review the other article I mentioned? It illustrates that it is perfectly possible to have AD as your primary source of authentication data. In fact, an overwhelming majority of our customers that use a single sign-on solution have been doing this for years quite successfully. You just need to make a *copy* of the user data into an OID instance for Oracle E-Business Suite to connect to. You can configure the two LDAPs to bidirectional sync so they always contain the same records in real-time.

That article shows how it can be done using OSSO, but you can simply replace OSSO with OAM and Oracle E-Business Suite AccessGate to achieve the exact same results.

We strongly recommend that you use OAM for any new deployments, and not OSSO, as OAM is Oracle's strategic direction for single sign-on, and OSSO is nearing its end of life.

Thanks,
Keith

Posted by Keith M. Swartz on June 22, 2010 at 01:52 AM PDT #

Rama,

Some other sources you may find helpful may be found in My Oracle Support; namely, Knowledge Document 267153.1: DIP Synchronization with Microsoft Active Directory Quick Start Guide, and Knowledge Document 277382.1: How to Configure OID External Authentication Plug-In for Authentication Via Microsoft Active Directory (MS AD).

Hope this helps.

Keith

Posted by Keith M. Swartz on June 22, 2010 at 01:58 AM PDT #

from what I understand I need to do this :
1. Configure OAM to use OID as its LDAP source
2. synch user data between OID and AD

So only change to diagram on top of this page is to have AD send data to OID ?

Thanks for taking time to clarify.
Rama

Posted by Rama Chilakmarri on June 22, 2010 at 09:18 AM PDT #

Rama,

In a nutshell, yes, but of course, there's always more to it than that. For example, OID has an adapter that can plug into AD so that you don't have to store user passwords and other attributes in both places -- but this is too complex for a comment stream. I recommend consulting with the Oracle Support Identity Management team and/or our fine Consulting organization if you have further questions about this configuration. Again, it is a very common layout, so there's a lot of experience helping customers through this.

Best of luck!
Keith

Posted by Keith M. Swartz on June 22, 2010 at 01:35 PM PDT #

Hi Keith,

We would like to implement SSO (IWA) using OAM however without extending the schema on the AD end.

Which would be the correct way / best practice of implementation?

OAM >> OVD (AD or AD with Mapper) >> AD

or
OAM >> AD?

If we were to go with the 1st option, which is the best option for LDAP adapter? AD or AD with Mapper adapter? Does it have any effect on the SSO implementation?

I am assuming OVD for storing User Data and OID is used to store policies and configuration data.

Thanks in advance and for taking time to clarify my doubts.

Wing

Posted by Wing on July 24, 2010 at 01:19 AM PDT #

Hi Wing,

Well, first a clarification. OVD does not actually store /anything/. The "V" stands for virtual, because it is just that: a mechanism for creating a series of mappings to /other/ directories that do contain the information you need, but making it look like a single directory. Think of it as a directory on a file system that contains symbolic links to files in other directories, but no actual files of its own.

With that in mind, there still exists the requirement that EBS requires OID for its user data. We have not tested OVD for use with EBS, but that doesn't mean you can't use it in conjunction with OAM, so long as the EBS users are explicitly defined in OID. The details of such an integration are something you would be better off reviewing with someone from our Services organization that specializes in our Identity Management offerings; aside from the OID requirement, this is all independent of EBS.

Thanks for your question.

Keith

Posted by Keith M. Swartz on July 25, 2010 at 03:55 PM PDT #

Hi ..Is there any certification related to Oracle Identity manager or Oracle access manager. Please let me know

Posted by Priya on September 20, 2010 at 11:10 PM PDT #

Hi Priya,

This announcement is for Oracle Access Manager. Oracle Identity Manager is also certified for use with Oracle E-Business Suite via connectors; please see http://www.oracle.com/us/products/middleware/identity-management/oracle-identity-manager/index.html for information about the product, and http://www.oracle.com/technetwork/testcontent/index-098451.html for information about the Connectors for E-Business Suite.

(NOTE: these URLs may not work for long, as the www.oracle.com site is in the middle of a long-running reorganization. If the above URLs no longer work, you can google on "Oracle Identity Manager and Connectors for E-Business Suite" to find the information more directly.)

Thanks,
Keith

Posted by Keith M. Swartz on September 21, 2010 at 03:25 AM PDT #

Hello,
Can you explain why it has to use OID? There are plenty of statements that it must be used, but I haven't found any explanation of why.
I would think that any v3 LDAP would work. Is it a matter of what's been certified? or is there a technical reason for requiring OID?

Posted by Eriks Richters on September 28, 2010 at 12:05 AM PDT #

Hello, Eriks,

The EBS authorization stage depends upon the linkage between an external user in Oracle Internet Directory (provided by the ORCLGUID in Oracle Internet Directory) and the equivalent user in the E-Business Suite's FND_USER table. This applies to both the Single Sign-On integration as well as the Oracle Access Manager integration.

Therefore, if you remove Oracle Internet Directory, you lose the ORCLGUID from the picture, resulting in a situation where there's no way of determining what EBS responsibilities are assigned to a given externally-authenticated user.

Regards,
Steven

Posted by Steven Chan on September 28, 2010 at 03:57 AM PDT #
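
The ORCLGUID linkage described in the reply above, as an added example that is not part of the original thread and is not Oracle code: a Python reconciliation check that compares `orclguid` values from a directory export with the GUIDs recorded for EBS users and reports accounts whose link is missing or broken. The LDIF sample, the `(user_name, user_guid)` row layout standing in for FND_USER, and the case-insensitive name match are assumptions; all data is constructed.

```python
"""Reconcile OID orclguid values against EBS user GUIDs (constructed data)."""

# Constructed LDIF-style export of directory entries; values are illustrative.
SAMPLE_LDIF = """\
dn: cn=jsmith,cn=users,dc=example,dc=com
uid: jsmith
orclguid: 8A1F00C2D4E34B7E9A6B0123456789AB

dn: cn=mlee,cn=users,dc=example,dc=com
uid: mlee
orclguid: 11223344556677889900aabbccddeeff

dn: cn=contractor1,cn=users,dc=example,dc=com
uid: contractor1
orclguid: FFEEDDCCBBAA00998877665544332211
"""

# Constructed (user_name, user_guid) rows; an assumed stand-in for FND_USER.
SAMPLE_FND_USER = [
    ("JSMITH", "8a1f00c2d4e34b7e9a6b0123456789ab"),    # GUID matches directory
    ("MLEE", "00000000000000000000000000000000"),      # stale GUID
    ("SYSADMIN", None),                                # never linked to OID
]


def normalize_guid(value):
    """Compare GUIDs as lowercase hex with separators removed."""
    return value.replace("-", "").strip().lower()


def parse_ldif(text):
    """Return {uid: orclguid} from a plain-text LDIF export.

    Folded lines (continuations start with one space) are joined; comments
    and base64-encoded values ("attr:: ...") are skipped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    users, entry = {}, {}
    for line in unfolded + [""]:          # trailing blank flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "uid" in entry and "orclguid" in entry:
                users[entry["uid"].lower()] = normalize_guid(entry["orclguid"])
            entry = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue                      # malformed line or base64 value
        entry[attr.strip().lower()] = value.strip()
    return users


def reconcile(directory, fnd_users):
    """Classify EBS users and directory entries by the state of their GUID link."""
    by_guid = {guid: uid for uid, guid in directory.items()}
    report = {"linked": [], "guid_mismatch": [], "dangling": [],
              "local_only": [], "unlinked_directory": []}
    ebs_guids, mismatched = set(), set()
    for name, guid in fnd_users:
        if guid is None:                  # EBS account with no directory link
            report["local_only"].append(name)
            continue
        guid = normalize_guid(guid)
        ebs_guids.add(guid)
        if guid in by_guid:               # authenticated user resolves to this row
            report["linked"].append(name)
        elif name.lower() in directory:   # same name, but the GUIDs differ
            report["guid_mismatch"].append(name)
            mismatched.add(name.lower())
        else:                             # GUID points at no directory entry
            report["dangling"].append(name)
    for uid, guid in directory.items():   # directory users with no EBS row
        if guid not in ebs_guids and uid not in mismatched:
            report["unlinked_directory"].append(uid)
    return report


if __name__ == "__main__":
    for state, names in reconcile(parse_ldif(SAMPLE_LDIF), SAMPLE_FND_USER).items():
        print(f"{state}: {names}")
```

Entries reported as `guid_mismatch` or `unlinked_directory` are the case the reply describes: the user can authenticate externally, but no GUID ties that identity to an EBS account and its responsibilities.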

Is there a date when the EBS AccessGate will be certified with Access Manager Release 11g? We are currently implementing IDM/OAM 11g for use on our custom applications; will we also be required to implement IDM/OAM 10.1.3.4 to integrate with our EBS?

Thanks, Robert

Posted by Robert Woods on October 04, 2010 at 04:03 AM PDT #

Hello Robert,

OAM 11gR1 certification is ongoing. Revenue recognition rules do not allow us to disclose project dates or schedules, so please keep monitoring the blog, where we will announce certifications as they become available.

If you want to use OAM with Oracle E-Business Suite at this time, you will need to use both OAM 10gR3 (for E-Business Suite) and OAM 11gR1 (for your custom applications). This is not uncommon, since many 10gR3 users are unable to move to 11gR1. Once we complete our certification, you can reconfigure Oracle E-Business Suite AccessGate to work with OAM 11gR1.

By the way, I am assuming that you are on Release 12 of Oracle E-Business Suite.

Thanks,
Keith

Posted by Keith M. Swartz on October 04, 2010 at 07:20 AM PDT #

Keith,

For your last comment, are you saying that we would need to deploy OAM 10g with the EBusiness Suite 12.x access gate as well as use OAM 11g w/ 11g WebGates for SOA/WLS integration etc? In other words, you would need both OAM 10g and OAM 11g if you have multiple fusion products & applications installed and want to embrace SSO? Also, what about OAAM -- can you use OAAM 11 w/ OAM 10g or must you use OAAM 10g w/ OAM 10g?

Thanks, Chuck

Posted by Chuck on October 15, 2010 at 05:35 AM PDT #

I am saying that if you want to use OAM 11g with some applications today, that's fine. But EBS only supports OAM 10g, you need to use OAM 10g with EBS. You can integrate the two OAM installs, however, so users only ever see one.

Eventually, when OAM 11g is certified with EBS, you can just use OAM 11g for all your products. Of course, you can also just use OAM 10g with your custom applications, but that's probably not what you were looking to do.

I'm not familiar with the certification requirements for OAAM, so I'm going to have to refer you to the Identity Management team for details on that.

Thanks,
Keith

Posted by Keith M. Swartz on October 15, 2010 at 08:30 AM PDT #

Hi Keith

Are you then saying that OAM has to talk to OID as user data store? Suppose I have AD as primary user data store, can you configure OAM against AD and while configuring OID-AD synch, create orclguid attribute for the users as objectguid in AD?

Thanks
Kiran Thakkar

Posted by Kiran Thakkar on November 17, 2010 at 11:36 PM PST #

Hi Kiran,

We have neither tested nor certified this architecture, so I cannot say whether it would work. orclguid is an automatically-generated operational attribute, so it's not clear to me that it can be synced to another LDAP. What is required is that OID generate this attribute for each user, and that OAM return it when authentication is successful.

It may be possible to achieve what you are describing, but you would probably need to discuss the details with someone from Identity Management support, or Consulting Services.

Thanks,
Keith

Posted by Keith M. Swartz on November 18, 2010 at 12:44 AM PST #

Thanks Keith for the information.

-Kiran Thakkar

Posted by Kiran Thakkar on November 18, 2010 at 05:29 PM PST #

Hi Steve

I started looking into this certification in detail for our implementation, and noticed that OAM 10.1.4.3 is only available on limited platforms. OAM 11g is supported on more platforms i.e. AIX. Are there any plans for 11g certification?

Thanks

Posted by Farhoud on January 10, 2011 at 08:32 AM PST #

Hello Farhoud,

Yes, we are working on our certification for OAM 11g. Revenue recognition rules prohibit us from discussing it ahead of time, but be sure to keep watching this blog for updates!

Cheers,
Keith

Posted by Keith M. Swartz on January 10, 2011 at 02:15 PM PST #

Hi Steve

I am following this note Integrating Oracle E-Business Suite with Oracle Access Manager using Oracle E-Business Suite AccessGate (Note 975182.1)..

I deployed access gate using ant script on weblogic 10.3.3
But when I access this access gate application by its URL it gives following error.

Error 500--Internal Server Error
java.lang.ClassCastException: weblogic.servlet.internal.ServletRequestImpl cannot be cast to oracle.apps.fnd.ext.common.server.AppsHttpServletRequestWrapper
at oracle.apps.fnd.ext.common.server.FndSsoLogin.doPost(FndSsoLogin.java:73)

I have raised SR with oracle, but didn't find any solution from last one month.

Thanks
Kalpesh

Posted by Kalpesh on February 07, 2011 at 01:07 PM PST #

Hi Kalpesh,

I'm sorry to hear you're having problems. An HTTP/500 error almost always points to a problem with the configuration of your WebGate or OAM Server. Some examples and suggested workarounds can be found in My Oracle Support Knowledge Document 1077460.1. Unfortunately, a full analysis of this issue is not something that can best be done in blog comments -- an SR is definitely the way to go. If you have not gotten adequate response after one month, I would suggest escalating the SR to a duty manager, and hopefully the analysts in ATG and OAM support can help you.

Thanks very much,
Keith

Posted by Keith M. Swartz on February 07, 2011 at 01:58 PM PST #

Hi,

In the knowledge reference article # 975182.1, there is a note in the "How the integration works" section that specifies "the Oracle E-Business Suite AccessGate must be installed in the same domain as the Oracle E-Business Suite middle tier servers".

Could you please clarify what this note means when it refers to "same domain". We are unsure how to interpret this note.

Thanks

Posted by Chris on February 07, 2011 at 04:05 PM PST #

Hi Chris,

We are referring to the cookie domain, e.g.: corp.yourcompany.com. An explanation is given in the Known Issues section (search for "ICX cookie").

Thanks,
Keith

Posted by Keith M. Swartz on February 07, 2011 at 04:19 PM PST #

Hi Can this approach be used for any EBS application including istore ? if so, are there any specific changes or configurations to be done to integrate with istore ? Also, looking at all the notes, I am not sure which all patches to be applied on EBS 11.5.10 ATG RUP6 This EBS instance was never configured with any SSO solution (OSSO,OAM) before. The document mentions patch # 10246061. Is this the only patch or do we also need patch # 6117031 ? Patch # 6117031 was required for OSSO-OID-EBS integration. Is this specific to OSSO –EBS integration ? Thank you, Manasi.

Posted by guest on June 09, 2011 at 05:46 AM PDT #

Hello Manasi, Yes, you can use this integration with any EBS product (except for those identified in the Known Issues section of our documentation). However, there is a known issue -- not presently documented -- affecting global logout with iStore. This issue is fixed in the latest release of Oracle E-Business Suite AccessGate (1.1), but this code has not yet been certified for use with OAM 10g. This certification is planned, and will address any issues using iStore with OAM 10g and Oracle E-Business Suite 11i. Regarding the specifics of patch 6117031, I recommend reviewing this with Oracle Support. Generally, this is needed, but whether you require it or not will depend on what other patches you have installed. Note that 11.5.10 CU 2 and ATG RUP 6 or later is the minimum requirement for OAM 10g integration. Thanks, Keith

Posted by Keith M Swartz on June 09, 2011 at 08:16 AM PDT #

"Oracle Access Manager 11g Patchset 1 is not yet certified for use with Oracle E-Business Suite at this time"

Is there any indication of progress with certification against PS1 please? I'm really reluctant to have to regress to 11.1.1.3 BP02 for this integration....

Thanks,

Bernie

Posted by Bernie on August 15, 2011 at 08:25 PM PDT #

Hi Bernie,

Revenue recognition policies prevent us from disclosing specific projection dates for our certifications. However, I can say that we are working on PS1 certifications and are very close to being complete.

That said, if you do choose to install 11.1.1.3.2, the upgrade to 11.1.1.5 is very quick and painless, especially if you are integrating via Oracle E-Business Suite AccessGate. (There's a little more work if you are integrating with mod_osso, unless you wait to migrate your existing applications.) So I wouldn't necessarily let the delay hold up your deployment plans, unless you're really just a few weeks away from going live.

Cheers,
Keith

Posted by Keith M Swartz on August 16, 2011 at 05:46 AM PDT #

Hi Steve,

We have successfully integrated EBS R12.1.3 with OAM 10g using EBS AccessGate (MOS note 975182.1). OID is 11g. SSO works fine. We have built DR for EBS and OID/OAM using Data Guard, OID replication and rsync. We are testing DR scenarios and have the questions below:
1. If EBS-PROD goes down, EBS-DR will be activated and this should talk to OID-PROD. How to make it communicate with OID-PROD, so that SSO still works via AccessGate?
2. If OID-PROD goes down (and assuming EBS-PROD is still up), then OID-DR will be activated. In this case, how to make EBS-PROD talk to OID-DR so that SSO still works via AccessGate, and what steps need to be performed? I searched MOS and could not find any notes about DR testing for EBS integrated with OAM via AccessGate.

I have also raised an SR but seeking your help on this .

Thanks in advance,
Raghav

Posted by guest on October 28, 2011 at 01:58 AM PDT #

Hi Raghav,

Unfortunately, this type of detailed question is really better suited for our colleagues in the support organization than in a blog comment. Any configuration changes that are necessary to support DataGuard would be something that team could assist with.

Cheers,
Keith

Posted by Keith M Swartz on October 28, 2011 at 05:43 AM PDT #
