Password Management with Third-Party Solutions

Editor Jan. 12, 2007 Update:  Oracle Identity Management 10g 10.1.4.0.1 is now certified with the E-Business Suite. 

We've now demonstrated that passwords no longer need to be maintained in the E-Business Suite when you've implemented Single Sign-On 10g integration.  What happens to passwords in a configuration that includes a third-party LDAP directory like Microsoft Active Directory, and a third-party single sign-on solution like Microsoft Kerberos?


Third-Party Integration In A Nutshell

Before we get to password management, I'd recommend that you review my earlier article about integrating the E-Business Suite with third-party LDAP and single sign-on solutions.

If you're in a hurry, here's a quick recap of the key points:
  • Oracle Internet Directory is a mandatory hub for synchronizing user information between a third-party LDAP directory and the E-Business Suite
  • The third-party LDAP directory is usually considered to be the master "source of truth" for user credentials
  • Oracle Single Sign-On is a mandatory prerequisite for delegating E-Business Suite's user authentication to a third-party single sign-on solution

Using Oracle Internet Directory As A Hub

Recall that it's possible to integrate your E-Business Suite environment with a third-party LDAP directory using Oracle Internet Directory and its Directory Integration Platform as an intermediary, like this:

Third-Party LDAP Integration 2:

Oracle Internet Directory is a mandatory component in this chain.  Oracle doesn't currently offer any methods of directly integrating a third-party LDAP with the E-Business Suite.

Third-Party LDAP As The Master "Source of Truth"

In the typical configuration, the third-party LDAP directory is the master "source of truth" for the user's credentials.  For example, a change to the user's name would first be made in the third-party LDAP.  The updated user's information would then be sent to Oracle Internet Directory via the Directory Integration Platform.  Once in Oracle Internet Directory, the updated user's information would then be sent to the E-Business Suite via the Directory Integration Platform.

Extending the Chain of Trust

Remember that the E-Business Suite can delegate user authentication to Oracle Single Sign-On, effectively creating a chain of trust between the two components.  When the E-Business Suite is integrated with a third-party single sign-on solution, that chain of trust is extended one level further, like this:

Third-Party SSO Integration:

When the user logs on to the third-party single sign-on solution, she gets a set of security tokens that are recognized and trusted by Oracle Single Sign-On.  Oracle Single Sign-On doesn't challenge the user again for her credentials.

In turn, Oracle Single Sign-On issues its own set of security tokens, which are recognized and trusted by the E-Business Suite.  The E-Business Suite doesn't challenge the user again for her credentials.

What About Passwords?

Now that we've got the basics out of the way, understanding how passwords are handled in this scenario should be a bit easier.  In the scenario above, the user is challenged only once for their userid and password.  The third-party single sign-on solution handles that challenge and authenticates the user's credentials against the third-party LDAP.

It stands to reason that if the user is already logged in by the third-party single sign-on solution, and Oracle components never ask for the user's userid and password, there's no reason to keep the user's password anywhere in the Oracle namespaces.

Passwords Stored In Third-Party LDAP:

And, that's true:  when integrated as shown above, users' passwords are not stored locally in either Oracle Internet Directory or the E-Business Suite.  Passwords are stored only in the third-party LDAP directory.

Delegating User Management

Since the third-party LDAP repository is the master source of truth, it handles all user password resets.  Neither Oracle Internet Directory nor the E-Business Suite is interested in, or even participates in, password management in this scenario.  It's all delegated to the third-party LDAP.
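The two properties described above (each link in the chain of trust accepts only the token of the link before it, and password material lives only in the third-party LDAP) can be made concrete in code. The following Python model is an added example, not Oracle's code or the article's: it uses HMAC-signed tokens as a stand-in for the Kerberos tickets and Oracle SSO cookies the article refers to (their real formats are not described here), and the class names, claim names and sample user are assumptions.

```python
import hashlib, hmac, json, secrets
KDF = lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)  # salted hash for the IdP store

def sign(key, claims):
    # token = JSON claims + "." + hex HMAC-SHA256 tag; a stand-in for a Kerberos ticket or OSSO cookie
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, "sha256").hexdigest().encode()

def verify(key, issuer, token):
    # a link accepts a token only if the tag verifies under the key it trusts AND the issuer is the expected one
    body, _, tag = (token or b"").rpartition(b".")
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").hexdigest().encode()): return None
    claims = json.loads(body)
    return claims if claims.get("iss") == issuer else None

class ThirdPartyIdP:  # third-party LDAP + SSO (Active Directory + Kerberos in the article): the ONLY password store
    def __init__(self):
        self._creds, self.key = {}, secrets.token_bytes(32)  # userid -> (salt, hash); constructed sample store
    def provision(self, userid, password):
        salt = secrets.token_bytes(16)
        self._creds[userid] = (salt, KDF(password, salt))
    def login(self, userid, password):  # the single credential challenge in the whole chain
        salt, digest = self._creds.get(userid, (bytes(16), b""))
        if not hmac.compare_digest(digest, KDF(password, salt)): return None
        return sign(self.key, {"iss": "third-party-sso", "sub": userid})

class OracleSSO:  # trusts third-party tokens, never sees the password, re-issues a token of its own
    def __init__(self, idp_key):
        self.trusted_key, self.key = idp_key, secrets.token_bytes(32)
    def accept(self, token):
        claims = verify(self.trusted_key, "third-party-sso", token)
        return claims and sign(self.key, {"iss": "oracle-sso", "sub": claims["sub"]})

class EBusinessSuite:  # trusts ONLY Oracle SSO tokens; its synchronized user records carry no password
    def __init__(self, sso_key):
        self.trusted_key, self.users = sso_key, {}
    def session_for(self, token):
        claims = verify(self.trusted_key, "oracle-sso", token)
        return claims["sub"] if claims and claims["sub"] in self.users else None

def demo():
    idp = ThirdPartyIdP(); idp.provision("jdoe", "correct horse battery")  # constructed sample user
    sso = OracleSSO(idp.key); ebs = EBusinessSuite(sso.key)
    ebs.users["jdoe"] = {"cn": "Jane Doe"}  # what DIP syncs "downhill": attributes only, never a password
    t_idp = idp.login("jdoe", "correct horse battery")  # the one place the password is checked
    t_sso = sso.accept(t_idp)                            # OSSO trusts t_idp and re-issues without re-challenging
    return {"ebs_session": ebs.session_for(t_sso),              # "jdoe"
            "wrong_password": idp.login("jdoe", "nope"),        # None, rejected at the third party
            "idp_token_direct_to_ebs": ebs.session_for(t_idp),  # None, EBS trusts only OSSO's key and issuer
            "password_in_ebs": any("password" in u for u in ebs.users.values())}  # False
```

The third result is the point of the chain: a token from the third-party solution presented straight to the E-Business Suite is rejected, because the Suite trusts only tokens issued by Oracle Single Sign-On.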

For Advanced Readers Only

By this point, I've weeded out readers with short attention spans.  For the handful of you who've toughed it out to this point, I should note that the above scenario is only one of many possible starting points.  Other advanced scenarios are technically feasible, including those in which user credentials flow bidirectionally between Oracle Internet Directory and the third-party LDAP. 

These can get pretty involved, so I'll have to leave these as an exercise for you to work out, for now.  More information can be found in our Implementation Guide, which describes more variants on the basic scenario outlined here. 

If you have a burning need to discuss those with someone, drop me a line.  I'll connect you to specialists in our Protected Enterprise Consulting group for more guidance.

Note:  Everything in this article applies equally to both Release 11i and 12 environments.


Comments:

Nice note, thank you Steven, but I have one question: if I changed my password from inside the E-Business Suite, is it going to be reflected on the third-party LDAP or not? And if yes, is it going online or must it be a kind of process?

thanks
fadi

Posted by Fadi Hasweh on August 08, 2006 at 06:55 PM PDT #

Fadi,
As described in the "What About Passwords" section above, and shown in the third diagram in the article, external passwords are stored in the third-party LDAP only, not inside the E-Business Suite.  In this configuration, password changes are executed in the third-party LDAP only.
Regards,
Steven

Posted by Steven Chan on August 09, 2006 at 01:58 AM PDT #

Thanks Steven, I just thought that it would be possible to change my password from the E-Business Suite.
thanks again
fadi

Posted by Fadi Hasweh on August 09, 2006 at 06:55 PM PDT #

Have a look at Oracle Virtual Directory, which can act as a proxy between your application and your multiple enterprise LDAP services.

Posted by Laurent Schneider on August 09, 2006 at 11:05 PM PDT #

Laurent,
That's a good suggestion.  I plan to discuss the relative positioning of products in the Oracle Identity Management family for E-Business Suite customers in a future article; stay tuned.
Regards,
Steven

Posted by Steven Chan on August 10, 2006 at 04:52 AM PDT #

Hi Steve,
Thank you for the article. I have a question here.
We are developing one application, called CamApex, on Oracle Apex. This application (CamApex) will have one custom database user (schema) in the existing Oracle E-Business Suite.
CamApex continuously interacts with modules like AR, Apps, and other CRM modules.

CamApex users will be given HTML-based screens to log in and record some data. So during the login, I thought of using the login methodology of Oracle Apps (FND_USER).
Is there any API available for this to integrate with?

Please give me some direction. Any hint will be appreciated.

Regards,
Chandra

Posted by Chandra on March 25, 2007 at 01:44 PM PDT #

Hi, Chandra,
I'm afraid that I don't have a lot of experience integrating third-party applications with the E-Business Suite in the manner that you're pursuing.  It's possible that there are FND_USER APIs that may support this, but I'm not familiar with them.  You might have some success looking into the Integration Repository; see:
Integration Repository for the E-Business Suite - http://blogs.oracle.com/schan/2006/05/16/
Alternately, you may wish to code your custom application to be an Oracle Single Sign-On partner application, which will allow it to share some session context information with the E-Business Suite.  Look into the SSO 10g Developers Guide for more information about partner applications.
Good luck with your project.
Regards,
Steven

Posted by Steven Chan on March 25, 2007 at 02:30 PM PDT #

Hi Steven,

I have two questions

1. Can I create user accounts directly in OID for someone who is not in the 3rd-party LDAP, so that he can access any Oracle product?

2. Can I use OID for creating, terminating, and resetting user accounts?

Regards,

Posted by lardy on December 07, 2010 at 07:44 PM PST #

Lardy,

In general, you should make user updates in your master source of truth for user definitions. Those changes should flow "downhill" to all subsequent links in the provisioning chain.

I'm assuming that you're integrating OID with a third-party LDAP directory, and that user updates flow "downhill" from OID to both EBS and your third-party LDAP.

It's possible to perform all of these functions in Oracle Internet Directory. However, you need to plan your provisioning strategy carefully to ensure that changes that you make in Oracle Internet Directory will propagate as you'd expect to both E-Business Suite and your third-party LDAP directory.

If you need assistance with planning a provisioning strategy, drop me a line. I can put you in touch with our Protected Enterprise consulting group to help you architect a solution that meets your user management requirements.

Regards,
Steven

Posted by Steven Chan on December 08, 2010 at 12:52 AM PST #

Hi Steven,
How do I implement a chain of trust for 11g OAM integrated with a third-party LDAP (MS AD) single sign-on solution?

Can I have 11g R2 OAM integrated with 11g OID, but with OAM performing the authentication against the third-party LDAP and not against OID? I will be integrating this single sign-on solution with Ebiz 11i & R12 environments. Please provide any references to documentation covering the implementation step details.
-Srini

Posted by guest on June 26, 2013 at 10:57 PM PDT #

Srini,

Thanks for your inquiry.

Oracle E-Business Suite single sign-on integrations require both Oracle Access Manager and Oracle Internet Directory. Additional details may be found here:
• Understanding Options for Integrating Oracle Access Manager with E-Business Suite, https://blogs.oracle.com/stevenChan/entry/new_single_sign_on_iintegrations
• Why Does E-Business Suite Integration with OAM Require Oracle Internet Directory?, http://blogs.oracle.com/stevenChan/entry/why_does_ebs_integration_with

Additional details regarding Oracle E-Business Suite single sign-on integrations with third-party systems may be found here:
• In-Depth: Using Third-Party Identity Managers with E-Business Suite Release 12, http://blogs.oracle.com/stevenChan/entry/indepth_using_thirdparty_identity_managers_with_eb

This blog is maintained by Oracle E-Business Suite development. Oracle Access Manager and Oracle Internet Directory documentation is maintained by the Oracle Fusion Middleware organization. Oracle Fusion Middleware documentation may be accessed here:
http://www.oracle.com/technetwork/middleware/fusion-middleware/documentation/index.html#libs

Good luck with your project.
Regards,
Elke

Posted by Elke Phelps (Oracle Development) on July 04, 2013 at 12:56 PM PDT #

Hi Elke,
Thanks for responding.

I have already gone through these links and none of them talks about 11g OAM integration with a third-party LDAP (MSAD) which in turn is to be integrated with 11g OID for providing single sign-on for Ebiz environments. I have multiple SRs going with the OID, EBIZ and OAM teams and I have not got any answer so far. Here are my specific questions:

- I have an existing 11gR2 OAM environment which is integrated with MSAD; this will challenge any authentication against our third-party LDAP (MSAD).
- Can I integrate the above setup with 11g OID for enabling single sign-on for Ebiz environments?
- If yes, any Metalink note references?
- Note 1536941.1, option number 2: my OAM 11g R2 is configured against MSAD. If I go with option 2, can I expect the authentication to be done against MSAD, as I am not going to store any user password on 11g OID? I will be keeping only username information on 11g OID. Please confirm.
- Note 1536941.1, section 7, Configuring Multiple Oracle E-Business Suite Instances: it says that if I have 50 Ebiz environments to be integrated for SSO, I need to create 50 managed servers on the Ebiz AccessGate WebLogic instance, right? Please confirm.
- Please check bug id 14736219 for Ebiz AccessGate; it says that for enabling SSO for 50 Ebiz environments, we have to set up 50 WebLogic environments as a workaround due to a bug. This is practically not possible at all. Is there any permanent fix identified so far?

Sorry for too many questions.

Thanks in advance.
-Srini

Posted by Srini on July 08, 2013 at 06:15 AM PDT #
