Why Does EBS Integration with Oracle Access Manager Require Oracle Internet Directory?

The E-Business Suite has its own security and user-management capabilities.  You can use the E-Business Suite's native features to authenticate users, authorize users (i.e. assign responsibilities to them), and manage your EBS user repository.  The majority of E-Business Suite system administrators simply use these built-in capabilities for enabling access to the E-Business Suite.

When EBS built-in capabilities aren't enough

Some organisations have third-party user authentication systems in place.  These include CA Netegrity SiteMinder, Windows Kerberos, and others.  These organisations frequently use third-party LDAP directory solutions such as Microsoft Active Directory, OpenLDAP, and others. 

We don't certify the E-Business Suite with those third-party products directly, and we don't have any plans to do so.  This article is intended to explain why Oracle Internet Directory (OID) is required when integrating with Oracle Access Manager (OAM), but you can safely infer that the same requirements prevent the use of third-party authentication products directly with the E-Business Suite.

It's possible to integrate the E-Business Suite with those third-party solutions via Oracle Access Manager and Oracle Internet Directory.  See these articles:

Before going on, I'd recommend reading one of those two third-party integration articles.  If you don't have those concepts under your belt, the rest of this article isn't going to make much sense.

[Architecture diagram: Oracle Access Manager, Oracle Internet Directory, E-Business Suite AccessGate and WebGate]

Why does EBS require OID with OAM?

Oracle Access Manager itself doesn't require Oracle Internet Directory.  However, Oracle Internet Directory is a mandatory requirement when Oracle Access Manager is integrated with the E-Business Suite.

Why?  The short answer is that the E-Business Suite has hardcoded dependencies on Oracle Internet Directory for this configuration. These dependencies mean that you cannot replace Oracle Internet Directory with any third-party LDAP directory for this particular configuration. 

There are two cases of hardcoded dependencies on Oracle Internet Directory:

1. Reliance on Oracle GUIDs

From the articles linked above, you know that user authentication is handled by Oracle Access Manager, and user authorization is handled by the E-Business Suite itself.  This means that there are two different user namespaces. 

These namespaces must be linked and coordinated somehow, to ensure that a particular user logging in via Oracle Access Manager is the same user represented within the E-Business Suite's own internal FNDUSER repository.

We associate externally-managed Oracle Access Manager users with internally-managed E-Business Suite users via a Global Unique Identifier (GUID).  These Global Unique Identifiers are generated exclusively by Oracle Internet Directory. 

The E-Business Suite has hardcoded functions to handle the mapping of these Global Unique Identifiers between Oracle Access Manager and the E-Business Suite.  These mapping functions are specific to Oracle Internet Directory; it isn't possible to replace Oracle Internet Directory with a generic third-party LDAP directory and still preserve this functionality.

2. Synchronous user account creation

The E-Business Suite is predominantly used internally within an organisation.  Certain E-Business Suite application modules can be made visible to users outside of an organisation.  These include iStore, iRecruitment, iSupplier, and other application modules where the users aren't necessarily restricted to an organisation's own employees.

Users of some of those application modules expect to be able to register for a new account and use it immediately.  This makes sense.  If you're posting job openings via iRecruitment, potential applicants shouldn't need to hold off on submitting their resumes while your E-Business Suite sysadmin creates an account manually, assigns EBS responsibilities, and emails them the account login details. They'll be long gone before that happens.

This means that EBS application modules that support self-registration must create user accounts synchronously.  A new account must be created within the E-Business Suite and the externalized directory at the same time, on demand.

The E-Business Suite has hardcoded dependencies upon Oracle Internet Directory function calls that handle these synchronous account creation tasks.  These function calls are specific to Oracle Internet Directory; it isn't possible to replace Oracle Internet Directory with a generic third-party LDAP directory and still preserve this functionality.
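As an added illustration (not code from the original post, and not EBS or OID code), the following Python model shows the two dependencies just described: an account on the directory side and the matching row in the application's own user table (FND_USER) are linked by an immutable, directory-generated GUID rather than by user name, and a self-registration creates both records together or neither. The classes `DirectoryStore` and `FndUserStore`, the functions `self_register` and `resolve_session_user`, the fault-injection switch and the sample users are all hypothetical; `orclguid` is the name of OID's GUID attribute.

```python
"""Conceptual model of the two directory dependencies described above:
(1) external (directory) and internal (FND_USER) accounts are linked by an
immutable GUID that the directory mints, not by user name, and
(2) self-registration creates both records synchronously or neither.
Added illustration only; nothing here is EBS or OID code."""
import uuid


class DirectoryStore:
    """Stand-in for the directory (OID) side: it mints the GUID for each entry.
    Hypothetical class; 'orclguid' is the OID attribute that carries the GUID."""

    def __init__(self):
        self.entries = {}  # orclguid -> {"uid": ..., "mail": ...}

    def create(self, uid, mail):
        if any(e["uid"] == uid for e in self.entries.values()):
            raise ValueError(f"uid {uid!r} already exists in directory")
        guid = uuid.uuid4().hex.upper()  # directory-generated, never reused
        self.entries[guid] = {"uid": uid, "mail": mail}
        return guid

    def delete(self, guid):
        self.entries.pop(guid, None)

    def rename(self, guid, new_uid):
        # A rename changes the name, not the identity: the GUID is unchanged.
        self.entries[guid]["uid"] = new_uid


class FndUserStore:
    """Stand-in for the application's own user table (FND_USER in EBS).
    Hypothetical class; each row carries the GUID that links it to the directory."""

    def __init__(self, fail_on=None):
        self.rows = {}          # user_name -> {"orclguid": ...}
        self.fail_on = fail_on  # constructed fault injection for the rollback case

    def create(self, user_name, guid):
        if user_name == self.fail_on:
            raise RuntimeError("simulated FND_USER insert failure")
        if user_name in self.rows:
            raise ValueError(f"user {user_name!r} already exists in FND_USER")
        self.rows[user_name] = {"orclguid": guid}

    def find_by_guid(self, guid):
        for name, row in self.rows.items():
            if row["orclguid"] == guid:
                return name
        return None


def self_register(directory, fnd, uid, mail):
    """Synchronous account creation: the directory entry and the FND_USER row
    are created together; if the second step fails, the first is compensated
    so no half-created account survives."""
    guid = directory.create(uid, mail)
    try:
        fnd.create(uid, guid)
    except Exception:
        directory.delete(guid)  # undo step one; nothing is left orphaned
        raise
    return guid


def resolve_session_user(directory, fnd, guid):
    """After authentication, map the authenticated directory identity to the
    application's user by GUID, never by a mutable attribute such as the name."""
    if guid not in directory.entries:
        return None
    return fnd.find_by_guid(guid)


def demo():
    """Walk through the rename and rollback cases; returns the outcomes."""
    directory, fnd = DirectoryStore(), FndUserStore(fail_on="bob")
    alice = self_register(directory, fnd, "alice", "alice@example.test")
    directory.rename(alice, "asmith")                 # directory-side rename
    still_linked = resolve_session_user(directory, fnd, alice)  # -> "alice"
    try:
        self_register(directory, fnd, "bob", "bob@example.test")  # second step fails
    except RuntimeError:
        pass
    bob_orphaned = any(e["uid"] == "bob" for e in directory.entries.values())
    return {"still_linked": still_linked, "bob_orphaned": bob_orphaned,
            "fnd_users": sorted(fnd.rows)}


if __name__ == "__main__":
    print(demo())
```

The point of keying the link on the GUID rather than the login name is visible in `demo()`: renaming the directory entry leaves the session still resolving to the same FND_USER row, whereas a name-based link would silently break or, worse, attach to a different user who later takes the old name. The compensating delete in `self_register` is what "synchronous" has to mean in practice: a self-registering iRecruitment user either gets a usable account in both places or a clean failure.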

Sun is setting for Oracle Single Sign-On

The older articles linked above refer to Oracle Single Sign-On.  All conceptual references to Oracle Single Sign-On apply equally to Oracle Access Manager.  Oracle Access Manager offers the same capabilities as Oracle Single Sign-On when integrated with the E-Business Suite.

You may have noticed that I have specifically been referring to Oracle Access Manager rather than Oracle Single Sign-On in this article.  There's a very good reason for this.

The Fusion Middleware Lifetime Support Policy shows that Premier Support for Oracle Single Sign-On 10gR2 ends in December 2011.  If you're using Portal 11gR1, Forms & Reports 11gR1, or Discoverer 11gR1, Premier Support for Oracle Single Sign-On 10gR2 is extended to December 2012. 

Extended Support is not available for Oracle Single Sign-On 10gR2.  This is true regardless of whether you're using those other Fusion Middleware 11gR1 products or not.  These support policy timelines for Oracle Single Sign-On are not affected by the E-Business Suite's own support timelines.  There are no special exceptions from these Fusion Middleware support timelines for E-Business Suite customers. 

Given that Oracle Single Sign-On is nearing its end-of-life, anyone considering a new external authentication solution for the E-Business Suite should use Oracle Access Manager at this point.  If you're currently using Oracle Single Sign-On, I would recommend evaluating your plans for migrating to Oracle Access Manager as soon as possible.


Comments:

Steven,

Correct me if I'm wrong, but it seems you are saying that OID is required because:

1. EBS uses the OID GUID proprietary feature (as opposed to maintaining a mapping table or similar mechanism).

2. EBS uses a proprietary OID API to synchronously create a user in OID and in the EBS FND_USER table.

The implied reason behind #1 and #2 is that EBS needs to maintain a list of users in FND_USER, even if the authentication is delegated to a third-party mechanism.

None of these seem to be insurmountable technical problems... Is this just a matter of convenience for the EBS development team or is there more going on?

Thanks,
Ara

Posted by Ara on August 03, 2011 at 06:05 AM PDT #

Ara,

The code involved is rather complex, and the security and interoperability requirements are non-trivial.

Very few software challenges are insurmountable, given sufficient time and resources. Neither of those are in abundant supply right now. We'd certainly like to reduce or remove those hardcoded dependencies entirely, but that's not in the cards in the short term.

Regards,
Steven

Posted by Steven Chan on August 03, 2011 at 06:28 AM PDT #

That's fair. Thanks for the reply. Ara

Posted by Ara on August 03, 2011 at 06:31 AM PDT #

Hi Steven,

Nice article. One more question. What is the supported way of integrating Kerberos with EBS? Many documents (in fact all) state that for Kerberos the user store should be AD for OAM. Now that we know that EBS requires OID, how do we bring Kerberos into the picture? Would using OID-AD DIP synchronization with a password plugin do the trick? I'm looking for a supported method.

Posted by romil on August 03, 2011 at 04:02 PM PDT #

Hi, Romil,

OAM can be integrated with Windows Kerberos. This integration is sometimes called Windows Native Authentication (WNA). This will also require OID to be synchronized with MS Active Directory. See the right "Using Third-Party..." article for your EBS release (links above) for more details about that.

Regards,
Steven

Posted by Steven Chan on August 04, 2011 at 02:36 AM PDT #

I have posted to the supplemental R12 SSO article.

The install docs and NOTE IDs, seem to be missing the glue to enabling WNA and SSO with the EBS - OID integration.

I have completed and confirmed that my EBS users can be synced from AD to OID, and in turn from OID to FND_USERS. Also, I can confirm that I can set the OID attribute "userPassword" and get the EBS AccessGate 1.1 utility to validate against it for access to EBS. But I am missing the next piece, to allow my EBS AccessGate to pass those credentials to OAM and have OAM in turn authenticate against my external LDAP store (Active Directory).

NOTE, that I have been driving my whole process from the following NOTE IDs:
1309013.1 - Integrating Oracle E-Business Suite with Oracle Access Manager 11g using Oracle E-Business Suite AccessGate
876539.1 - Using the Latest Oracle Internet Directory 11gR1 Patchset with Single Sign-on and Oracle E-Business Suite
975182.1 - Integrating Oracle E-Business Suite with Oracle Access Manager 10g using Oracle E-Business Suite AccessGate
376811.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On

What have I missed?

Posted by Paul L. Gonzalez on August 04, 2011 at 11:05 AM PDT #

Hello, Paul,

Glad to hear that you've gotten this far in your integration.

I'm sorry to hear that you've encountered an issue with this.

We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on August 05, 2011 at 03:27 AM PDT #

Hi Paul, I just configured our R12 to use OID 11g, but I am using OSSO 10g instead of OAM.
The support notes that I have here are:

R12+OID+OSSO/OAM
876539.1 - Using the Latest Oracle Internet Directory 11gR1 Patchset with Single Sign-on and Oracle E-Business Suite

Enable External authentication in OID 11g
1270329.1 - How to Setup Java External Authentication Plugins in OID 11g

Enable WNA in OSSO 10g
345025.1 - SSO/WNA Quick Start Guide
338560.1 - How to use the 'ssoca wna...' command to configure SSO WNA

And questions for Steven: what are other reasons that people should go to OAM rather than just the FM support policy? Are there any improvements or new features in the OAM solution?

Thanks,
George

Posted by George on August 05, 2011 at 04:09 AM PDT #

Can we just have the synchronization with OID without the SSO?
We want to start with the synchronization first and then do the SSO with OAM. Which profile options need to be turned on and off?
I think the important parameters for synchronization are
Applications SSO Login Types - Both
Applications SSO Type - SSWA w/SSO
Application SSO LDAP Synchronization - Enabled
This does let my users sync to OID; however, if I access my application URL it tries to go to the SSO login set in "Application Authenticate Agent".
What value there will make it go to the application's local login, as was the case before SSO registration?

Thanks,

Posted by Sagar on August 05, 2011 at 06:03 AM PDT #

Sagar,

If you wish to integrate Oracle Internet Directory directly with the E-Business Suite, you must also use either Oracle Access Manager or Oracle Single Sign-On.

Alternately, you can use Oracle Identity Manager with the appropriate EBS connector to push updates from an external store into the E-Business Suite's native user repositories. For more information about Oracle Identity Manager, see:

http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index-098451.html

Regards,
Steven

Posted by Steven Chan on August 05, 2011 at 06:32 AM PDT #

Hi,

I'm facing the same issue as Paul Gonzalez: I could not find a way to integrate eBS-OAM-WNA.
The OAM documentation tends to suggest that AD is required as OAM user store for WNA to work, but the information in note 1309013.1 on the other hand suggests that for OAM11g and EBS Integration, OAM User Store must be OID.

So it looks like that to enable eBS-OAM-WNA integration we have to use AD and OID at the same time as user data store, which does not seem possible to me.

I've logged an SR with Oracle Support for this issue and they've opened an enhancement request, but that's it; I did not receive any more updates on the issue, and if I'm not wrong Oracle is not allowed to tell if (and possibly when) the E.R. will be reviewed.

Any clues?

Posted by Frank on August 07, 2011 at 10:23 PM PDT #

Note directed to Frank,

So the integration does indeed work.
To make it work you need to configure the External Authentication Plug-In for OID (Active Directory). Documentation can be found by following:

Oracle® Fusion Middleware Integration Guide for Oracle Identity Management
11g Release 1 (11.1.1)
Part Number E10031-01: http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/toc.htm

Chapter #18:
18 Integrating with Microsoft Active Directory
http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/odip_actdir.htm#CHDBBAII

Search For: Step 10: Configuring the Microsoft Active Directory External Authentication Plug-in

http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/odip_actdir.htm#CHDJCIEE

Inside of: 17 Configuring Synchronization with a Third-Party Directory

http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/odip_config_integration.htm

Below is where your work will begin:
Points to: (Configuring External Authentication Plug-ins)
http://download.oracle.com/docs/cd/E12839_01/oid.1111/e10031/odip_config_integration.htm#BABCDHFF

But be careful, as the documentation has flaws.
You can find NOTE ID: 1074101.1, which points out the configuration issues with the documentation.

Also, note that this NOTE ID is also incomplete. You should then follow: How to Configure or Setup Java External Authentication Plugins in OID 11g [ID 1270329.1].

I still have an outstanding SR open with support on running the command line configuration, but have been successful in completing the configuration using the ODSM UI.

Posted by guest on August 07, 2011 at 11:28 PM PDT #

Thanks for your response.

As I mentioned before we do intend to use OAM for authentication but not at this point in time. Our goal is to establish the synchronization between EBS and OID now and do the SSO later.

The configurations
Applications SSO Login Types - Both
Applications SSO Type - SSWA w/SSO
suggests that we should be able to use what we were using before without any issues along with the synchronization.

Is there any other configuration which can turn on and off the login redirection to "Application Authenticate Agent". It is logical to assume that EBS should treat both the SSO and Local login equally, and should be a matter of configuration.

Can you please provide me some pointers on how that can be done.

Thanks,
Sagar

Posted by Sagar on August 08, 2011 at 12:16 AM PDT #

Has anyone here done both EBS+OID(11g)+OSSO(10g) and EBS+OID(11g)+OAM(11g) configurations, and would like to share your experience with both solutions?
We are upgrading our EBS 11i to R12 and also upgrading our SSO solution from EBS+OID(10.1.2)+OSSO(10.1.2); our plan is to go with EBS(12.1.3)+OID(11g)+OSSO(10g), and upgrade it to EBS(12.2)+OID(11g)+OAM(11g) after R12.2 comes out. Any comments on this plan?

And to Sagar, you can try this url to get into the local login:
host.domain:port/OA_HTML/AppsLocalLogin.jsp

Thanks,
George

Posted by guest on August 08, 2011 at 02:20 AM PDT #

Frank, Paul,

I'm sorry to hear that both of you are having issues with the OAM-Kerberos (WNA) and OID-Active Directory parts of your integration.

Remember that this blog is written by E-Business Suite division staff. From our perspective, we certify the integration of the E-Business Suite with Oracle Access Manager and Oracle Internet Directory.

The Identity Management team within the Fusion Middleware division handles the certification of Oracle Access Manager with Kerberos (WNA) and OID with Active Directory. Questions about that level of integration are best-directed to Oracle Identity Management Support since we don't work with that integration in the E-Business Suite division.

I've forwarded your comments to our Identity Management team; I think it's important for them to hear that some customers are struggling with those integrations. It's unlikely that they'll comment here, though -- they generally don't participate in blogs like these.

If either of you feel that your Service Requests are stuck, you should escalate them both directly with Oracle Support.

(Frank -- Even if I had the enhancement request number, I'm not permitted to speculate about delivery dates, especially for a different team's product.)

Regards,
Steven

Posted by Steven Chan on August 08, 2011 at 02:43 AM PDT #

George,

The local login URL is fine, but when we access a bookmarked URL like http://host:port/OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE it takes us to the SSO login page if configured, and gives an SSO registration error when no value is present. Is there a way by which we are not redirected to this URL and the application local login comes into play?

Thanks,
Sagar

Posted by Sagar on August 08, 2011 at 04:10 AM PDT #

Hi,

Thank you all for your responses.
We are aware that the integration works, but our problem at the moment is about the encryption used on the Windows domain. Through another SR I've opened we have found out that we cannot enable WNA integration with OID 10g because on Linux it does not support HMAC encryption but only DES (we are using HMAC and cannot change this setting). So we've been told to move to OAM because it supports HMAC encryption, but then we've found out that the only way to enable OAM-EBS-WNA integration is to use OID and the external authentication plugin, and at this point we're back to the encryption problem...

Anyway I understand that this is not the right blog to discuss this issue in detail. I will review the SR I've opened and eventually request an update.

Best regards,
Frank

Posted by Frank on August 09, 2011 at 06:05 PM PDT #

Hi Frank,

We hit a brick wall and had to abort our SSO10g-EBS12.1-WNA implementation due to the SSO10g DES encryption limitation you mention.

At that time we were also told by Oracle product management that we should go for OAM11g as it supports WNA using AES encryption; we plan to start this implementation soon but have no details yet.

Would be interested in progress on your SR and whether the limitation is solved in OID11g. Please post the bug# if relevant.

Thanks.

Posted by guest on September 16, 2011 at 01:04 AM PDT #

So if you set up the External Authentication Plugin in OID to AD, and I have accounts in OID that do not exist in AD but are used for other applications protected by OAM through form-based auth, will these still work, or does the External Auth plugin redirect ALL auth requests to AD?

Posted by Alex on September 22, 2011 at 07:09 AM PDT #

Hi, Alex,

>...or does the External Auth plugin redirect ALL auth requests to AD?

I don't have any firsthand experience with this plug-in. However, strictly on first-principles, I cannot envision a situation where the plug-in can redirect some authentication requests -- but not others -- to AD. I'm hard-pressed to see how the plug-in would be able to tell one set of users apart from another.

That said, I don't have any knowledge of this plug-in. For an authoritative answer, I'd recommend logging a formal Service Request with Oracle Internet Directory Support directly.

Regards,
Steven

Posted by Steven Chan on September 22, 2011 at 09:55 AM PDT #

Steven, nice points on why OAM and EBS integration needs OID. You also provided a heads-up on the de-support dates for Oracle Single Sign-On 10gR2 Premier and Extended Support.

Posted by Thiru on September 27, 2011 at 10:01 AM PDT #

It looks like I'm hitting some encryption roadblocks too. I'm using the latest version of everything (11g, 2008, etc.) but I can't figure out if DES encryption is required by OAM. I'm seeing some docs and bugs say that it is; the problem is that Windows 2008 doesn't come with DES and needs a patch to get it enabled.

Has anyone gotten WNA working with a Win2008 DC in OAM 11g?

And to answer my previous question, Yes, you can have both local and remote authentication in OID, as long as the accounts are in different OUs. For example if you enable Third Party Authentication on cn=Vendors,cn=Users,dc=blah,dc=com, only users belonging to this OU will be authenticated to AD. A user in cn=Users,dc=blah,dc=com will bind fine with her OID password.

Posted by Alex on October 03, 2011 at 09:00 AM PDT #

Hi Steven

We are running a 12.1.3 HR Payroll setup and would like to implement a mechanism that basically allows our EBS passwords to be the same as our Windows network password (to save users having to remember 2). This is the only functionality we'll need at the moment.

I was looking at linking the network passwords stored in Microsoft Active Directory with OID and then configuring SSO or OAM to do the EBS authentication.

But you hinted above that another way of linking EBS and Windows authentication was via Oracle Identity Manager (sorry if I've misunderstood!).

So to achieve what we need here, would OIM be a better alternative to using OID / OAM (or SSO)? And are there any useful note IDs guiding how to configure this? We're looking at the most straight forward configuration and on the face of it 2 products (OID / OAM) seems more complicated than 1 (OIM).

Your thoughts would be appreciated.

Regards

Dave.

Posted by dave on October 12, 2011 at 09:18 PM PDT #

Hi Dave,

If all you want to do is match up the users and passwords, you should be able to do that using OIM and the OIM Connectors for EBS. You can learn more about it at http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-oracleebs-1-130994.pdf and at http://download.oracle.com/docs/cd/E11223_01/index.htm . This is certainly an alternative to using OID, but is much more powerful, and therefore a bit more complex (and probably more expensive) than just using OID and Server Chaining.

The OIM and the OIM Connectors for EBS will allow you to provision accounts to multiple sources, but it does NOT provide you with SSO capabilities. The two are mutually exclusive. So if that feature is important to you, you will also need OAM and that integration will require OID, as described in this post.

Cheers,
Keith

Posted by Keith M Swartz on October 13, 2011 at 03:42 AM PDT #

I just finished setting up EBS with OID backend and OID External Authorization plugin connected to AD. This works great, people can log into EBS using an OID account (which has the same uid as AD's sAMAccountName) and their AD passwords. I would say it's going to be much easier setting up the External Auth plugin to allow AD passwords on OID objects, than setting up OIM to sync the passwords.

We also had to set up a DIP profile to sync some AD attributes required for the ext. auth plugin to work, like DN to orclSourceObjectDN, principlanname, orclsamaccountname, etc...

Posted by ALex on October 13, 2011 at 04:11 AM PDT #

Would it be possible to create a different type of authentication integration? I would like to see a similar integration to what is done in PeopleSoft, where we have PeopleTools code which changes the default authentication to check for the presence of an HTTP header variable or cookie to identify a user that was previously authenticated by SiteMinder or Oracle Access Manager. If this token is present, PeopleSoft creates a session for that user instead of challenging the user. Many access management systems integrate with applications in this way.

Does EBS have any hooks (like people tools) which would allow us to accomplish this integration?

Posted by Mike Terra on October 14, 2011 at 04:21 AM PDT #

Hi Mike,

From an end user perspective, our current implementation should be able to achieve the same end result. However, if the intent is to hardwire a custom integration, then I'm afraid today the only answer is to do it through OAM.

Unfortunately, we don't have any plans to incorporate changes on the level you suggest, as this would require a significant rewriting effort, and right now, we are trying to focus our efforts on filling other functional gaps that exist in this space.

Thanks very much,
Keith

Posted by Keith M Swartz on October 14, 2011 at 10:03 AM PDT #

Hi Keith,

Could you elaborate on "Do it through OAM." The OAM integration still requires OID.

What I'm looking for is a way to achieve SSO to EBS without the use of OID. For example, if I want to have SSO to SAP, PeopleSoft, SharePoint, etc it does not require that those applications store their data in a specific directory. I'm proposing that OAM could simply pass a token to EBS which it could consume and map to a user in FND_USERS and then create a session for this user. What I'm hearing is that this type of integration is impossible today as no hooks exist into the EBS's native authentication.

Posted by Mike Terra on October 16, 2011 at 01:44 AM PDT #

Mike,

I am saying that if you want to use a third-party SSO, you must configure EBS to use OAM, and OAM to trust the headers of that third-party SSO.

You are correct: we do not support the use of EBS native authentication with third-party software, mainly because it wouldn't work. That is why we have single sign-on integration. This meets those needs.

Unfortunately, there is no supported way to achieve what you are trying to do today -- that's part of what this blog post is trying to lay out. Any SSO solution with EBS requires the use of OAM (or OSSO, but this is nearing end-of-life), and those, in turn, require that you use OID when configuring with EBS.

Thanks,
Keith

Posted by Keith M Swartz on October 16, 2011 at 05:40 AM PDT #

Not to reopen this topic, but...

EBS 12.2 will be based on WebLogic 11g. That means, theoretically, that the whole security infrastructure could be revamped to take advantage of the Oracle Platform Security Services (OPSS) framework. It also means that, theoretically, EBS 12.2 could be set up to authenticate against Windows AD/Kerberos directly and bypass the whole OID/OAM/AccessGate morass of servers.

Any clue whether this is in the cards? We are in the middle of upgrading our security infrastructure and this would be critical information for us.

Thanks,
Ara

Posted by Ara on December 06, 2011 at 04:42 AM PST #

Ara,

At this point, our EBS 12.2 efforts are focussed on ensuring that all of our 240 EBS products, as well as our installation, cloning, systems configuration tools work with WLS.

Other security-related enhancements are theoretically possible, but would require deep changes to fundamental parts of the existing E-Business Suite security model. There is little enthusiasm for this.

Our standing recommendation is that you should plan on using Oracle Access Manager and Oracle Internet Directory if you wish to bridge the E-Business Suite with Microsoft Kerberos and Active Directory.

Regards,
Steven

Posted by Steven Chan on December 06, 2011 at 05:28 AM PST #

Well, that is helpful to know. Thanks!

Posted by Ara on December 06, 2011 at 05:37 AM PST #

Steve,
I am planning to integrate EBS R12 with OAM 11g using the EBS AccessGate approach. However, I do not intend to use sync between EBS and OID. OID and EBS will be populated with users from different sources. Do I still have to register OID with EBS for the SSO to work?
Logically I do not see any problem with EBS accessgate creating an EBS session for me. However don't know if EBS is internally using OID for other purpose than Sync when SSO is configured.

Thanks,
Sagar

Posted by guest on February 16, 2012 at 08:48 AM PST #

Sagar,

Thank you for your inquiry.

Due to underlying dependencies, Oracle Internet Directory is a mandatory requirement when Oracle Access Manager is integrated with Oracle E-Business Suite. As per this blog article, the dependencies are as follows:

1) Reliance on Oracle GUIDs
2) Synchronous user account creation

You will need to perform the required OID integration as per the documentation. Please refer to this blog article and the following references for additional details:
https://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_11
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1309013.1

Regards,
~ep

Posted by Elke Phelps (Oracle Development) on February 16, 2012 at 09:38 AM PST #

ep,

Here is my take on the two important considerations you have listed:
1) Reliance on Oracle GUIDs
OAM will still be using OID as its user store and passing ORCL_GUID to EBS accessgate for the account linking.

2) Synchronous user account creation
I am not at all interested in synchronization between EBS and OID. The user creation process in EBS will remain as it is without SSO.

Am I still missing something here?
I am still not able to understand why registration of OID is required in my case.

Thanks,
Sagar

Posted by Sagar on February 16, 2012 at 10:33 AM PST #

Sagar,

Let me further clarify the dependency. The Oracle Global Unique Identifier (GUID) is used by Oracle E-Business Suite to guarantee uniqueness. It is used to "link accounts" from Oracle Internet Directory to the E-Business Suite (FND_USER). Oracle Internet Directory and FND_USER must be kept synchronized.

Regards,
~ep

Posted by guest on February 17, 2012 at 08:41 AM PST #

ep,

I understand the requirement that FND_USER and OID must be kept synchronized. However, what I don't understand is why EBS-to-OID sync must be used for that. I can always create EBS and OID users from an external provisioning tool (e.g. OIM) and keep them in sync.
The other things mentioned in your comments

"The Oracle Global Unique Identifier (GUID) is used by Oracle E-Business Suite to guarantee uniqueness"
Why does it need OID registration for that?

It is used to "link accounts" from Oracle Internet Directory to the E-Business Suite (FND_USER)
Totally agree on this. However this account linking is done by EBS Accessgate, which directly writes the orclguid in EBS database. EBS accessgate gets the information about guid from OAM. Where is the direct dependency of EBS on OID?

As mentioned earlier if I don't need synchronization between EBS and OID why do I need OID registration in EBS?

Thanks,
Sagar

Posted by guest on February 24, 2012 at 07:33 AM PST #

Sagar,

Answers to your additional questions are provided below.

>>why EBS to OID sync be used for that?
>>Why does it need OID registration for that?
User credentials must be synchronized between OID and E-Business Suite. EBS has code that is specific to OID that makes it a mandatory integration component. The synchronization provides the link (GUID) between an OID account and an EBS account.

>>Where is the direct dependency of EBS on OID?
The synchronization process between OID and EBS links the accounts via the GUID. Synchronization events are raised via the Workflow-based Business Event system whenever users are added or modified. It is the dependency on the GUID that makes OID mandatory.

EBS AccessGate does not perform the synchronization of the accounts between OID and EBS (FND_USER). EBS AccessGate is passed information from WebGate and then looks up the EBS user based upon the GUID stored in OID.

>>why do I need OID registration in EBS?
The E-Business Suite has hardcoded functions to handle the mapping of the GUID between Oracle Access Manager and the E-Business Suite. These mapping functions are specific to Oracle Internet Directory.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on February 25, 2012 at 01:52 PM PST #

What if I integrate EBS with OAM and use OVD as the user store instead, to mimic OID, and have, say, AD as the real user store? I can use OVD mapping functionality to create a map for the GUID to some other unique attribute. Will this work if I don't use the self-registration functionality of EBS?

Posted by Luke on April 12, 2012 at 02:33 PM PDT #

Hello, Luke,

Oracle Virtual Directory and Oracle Internet Directory are complementary products. Oracle Virtual Directory cannot be dropped into our certified architecture instead of Oracle Internet Directory; we have hardcoded dependencies on Oracle Internet Directory.

In other words:

It's possible to use Oracle Access Manager, Oracle Internet Directory, and Oracle Virtual Directory together with the E-Business Suite.

It's not possible to use just Oracle Access Manager and Oracle Virtual Directory with the E-Business Suite, leaving out Oracle Internet Directory entirely.

Regards,
Steven

Posted by Steven Chan on April 13, 2012 at 04:28 AM PDT #

Hi Steve,
I want to access OAM 11g with the AD Administrator but I can't. I have tried to add administrator roles in the system stores (UserIdentityStore1), but the search failed to get the Administrator of Active Directory. Please guide me if you can.

Best Regards;
Faisal

Posted by faisal on April 18, 2012 at 08:42 PM PDT #

Hi, Faisal,

I'm sorry to hear that you've encountered an issue with this.

We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on April 19, 2012 at 04:43 AM PDT #

Steven :

Can you please share the note ID on integrating Windows Native Authentication (WNA) with OAM 11g and E-Business Suite AccessGate for EBS 12.1.3?

Is this supported, as there seems to be a conflict with the identity stores for WNA and EBS?

Thanks

Posted by guest on May 18, 2012 at 12:46 PM PDT #

Guest,

Integrating with third-party LDAP and access management systems is certified.

Please note that Oracle E-Business Suite is certified with Oracle Access Manager. Third-party LDAP and access management systems are certified with Oracle Access Manager.

You may refer to the following blog articles regarding Oracle E-Business Suite integration with third-party systems:
https://blogs.oracle.com/stevenChan/entry/indepth_using_thirdparty_identity_managers_with_eb
https://blogs.oracle.com/stevenChan/entry/new_single_sign_on_iintegrations

You may refer to the following Oracle Access Manager My Oracle Support Note for information regarding setup with WNA:
OAM 11g WNA Step by Step Setup Guide [ID 1416860.1]

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on May 18, 2012 at 01:21 PM PDT #

Hi,

I have one Scenario as follows:

I have an Oracle Apps 11i instance which is running on a 10g database. I want to upgrade the application to Oracle Apps R12 12.1.3 with database 11g. Now my question is: if we implement SSO, is it possible to access (view, run reports, enter data) the 11i instance and the R12 instance with single sign-on?

Please suggest.

Regards,
Partha

Posted by P P Mondal on July 19, 2012 at 04:53 AM PDT #

Hi, Partha,

It is possible for two different EBS instances on two different EBS release levels to share a single central Identity Management instance.

The limited Extended Support period for Oracle Single Sign-On 10g ends this year. I would recommend that you use Oracle Access Manager 10.1.4.3 instead of Oracle Single Sign-On 10g.

Both EBS 11i and 12 are certified with Oracle Access Manager 10.1.4.3.

Regards,
Steven

Posted by Steven Chan on July 20, 2012 at 08:06 AM PDT #

Hi,

Can you please provide suggestions/advice on how to configure the latest version of OAM 11g with the latest version of EBS R12, with respect to the article heading (OID needed for EBS SSO)? I have heard that the latest versions of EBS and OAM do not require OID, as OAM can be directly integrated with AD for the EBS configuration.

Thanks in advance.
Regards
Nitesh

Posted by Nitesh on December 08, 2012 at 10:02 AM PST #

Nitesh,

Thanks for the inquiry. Oracle Access Manager 11.1.2 is the latest version certified for integration with E-Business Suite Release 12. Oracle Internet Directory is still a mandatory requirement when integrating E-Business Suite with Oracle Access Manager.

For additional details, please refer to the latest blog article regarding this recent Oracle Access Manager 11gR2 certification announcement:
https://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_12

Thanks.
Elke

Posted by guest on December 08, 2012 at 10:51 AM PST #

We have a question. Can we avoid OAM and not have SSO, and just have the authentication of EBS users done against OID, with OID delegating the authentication to AD? That is one solution. Another one is to have AD replicating users and passwords to OID and OID replicating them in EBS? OAM seems to be a high-maintenance solution and we do not need single sign-on, only an alignment of users and passwords with Active Directory (AD).

Thanks very much for answering.

Posted by Tudor Antohi on January 04, 2013 at 08:30 AM PST #

Tudor,

If you wish to integrate Oracle Internet Directory directly with the E-Business Suite, you must also use Oracle Access Manager.

An alternative is to use Oracle Identity Manager with the appropriate EBS connector to push updates from an external store into the E-Business Suite's native user repositories. Additional information regarding Oracle Identity Manager may be found here:
http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index-098451.html

Regards,
Elke

Posted by Elke Phelps (Oracle Development) on January 04, 2013 at 10:01 AM PST #

Thanks, Elke. This is what we want to achieve, because OAM is fairly complex: have AD replicate users and passwords into OID and have OID push updates into the EBS FND_USER tables.

Posted by Tudor Antohi on January 07, 2013 at 08:28 AM PST #

Did anyone deploy AccessGate in a high-availability (HA) environment? Did anyone deploy AccessGate on a cluster of Managed Servers?

We are getting feedback from Oracle Support team that AccessGate can't be deployed in HA environment.

Could you please suggest? This should be a very common pattern but I am not finding any details.

regards
Shyam

Posted by Shyam on January 29, 2013 at 05:27 PM PST #

@Shyam-

I can tell you 100% for sure that you can deploy AccessGates in HA. I've just done about 8 EBS environments, all in HA. Here's how we set it up.
Say you have 2 servers, oam01 and oam02.

- Deploy the access gates on both servers, so both these URLs work:
http://oam01:8602/ebsauth_ebsx/OAMLogin.jsp
http://oam02:8602/ebsauth_ebsx/OAMLogin.jsp

- Install OHS on both servers and configure mod_wl to reverse proxy to the access gate. After this the following urls should work:
http://oam01:7777/ebsauth_ebsx/OAMLogin.jsp
http://oam02:7777/ebsauth_ebsx/OAMLogin.jsp

- Create a DNS name like sso.company.com and point it to a VIP that does LoadBalancing between oam01 and oam02.

Now you should be able to hit http://sso.company.com:7777/ebsauth_ebsx/OAMLogin.jsp
This is your load balanced, HA, URL. When you set up the profile options in EBS, give it the root context of that for the profile option of your sso url (forget what it's called right now). (ie. http://sso.company.com:7777/ebsauth_ebsx)

If one OHS goes down, the other will handle the HTTP requests. If one of the WebLogic servers goes down, the other will handle the reverse proxy requests from either OHS instance (assuming you put both WebLogic servers in your mod_wl config).

That's it.

Posted by Alex Stanciu on January 30, 2013 at 10:51 AM PST #

Hi Steven,

I've read a number of your blog posts and some of the recommended SRs too. I'm still a little confused!

We have OAM 10.1.4.3 deployed and it protects hundreds of applications for our users. It uses separate ODSEE 11 instances for its config and user data. Our application guys want to install EBS R12.1.3, and they are asking if things will work... so I raised an SR and I've had it confirmed that the 2 items are a supported combination.

But on reading your posts then it implies we'd need to install new OID instance(s) and set up a feed from our existing ODSEE user instances to OID... is that correct? And what uses OID... OAM or EBS?

The way I'm reading it implies that it's OAM - but are you saying that we'd have to change our existing OAM setup to use a new directory, as that's definitely going to be a non-starter for us I think (i.e. put our hundreds of apps through pain and/or at risk just for 1 new app).

Thanks,
Darren

Posted by Darren on February 04, 2013 at 06:14 AM PST #

Darren,

Thanks for the inquiry.

Certified Oracle E-Business Suite single sign-on integrations require both Oracle Access Manager and Oracle Internet Directory. For this integration, Oracle Access Manager provides authentication (session sign-on) and E-Business Suite provides authorization (privileges once signed-on). It is Oracle Internet Directory that provides the connection between the externally managed Oracle Access Manager user and the internally managed E-Business Suite user.

You have deployed Oracle Access Manager 10.1.4.3 with Oracle Directory Services Enterprise Edition 11. Oracle Access Manager 11gR2 provides functionality that would benefit your deployment. With Oracle Access Manager 11gR2, you are not required to change Oracle Access Manager's primary identity store.

In order to create a dedicated identity store for E-Business Suite, you will first need to upgrade to Oracle Access Manager 11gR2. To complete the E-Business Suite integration for your environment, you will need to install Oracle Internet Directory and follow the steps documented in the following My Oracle Support Note:

Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate [ID 1484024.1]

Good luck with your project.
Regards,
Elke

Posted by Elke Phelps (Oracle Development) on February 05, 2013 at 11:07 AM PST #

Hi Steven,

We want to integrate (SSO) ADFS applications with R12.

We want to integrate using SAML. Users want to access R12 from other applications without inputting credentials, and the other application will pass a SAML token with the user ID.

How can we get R12, or R12/OAM/OIF, to accept SAML tokens and log in to R12?

Thanks in Advance.
Reddy

Posted by guest on February 20, 2013 at 01:08 PM PST #

Hi Steven,

Given the right "requirements" we can indeed bypass the OID dependency for OAM. I have done it in our proof of concept.
Our requirements are that:
1. We do not do any DIP sync with EBS to OID. (No sync whatsoever; DIP does not even run in our OID env.)
2. Users are provisioned via an external batch process from our HR systems to the FND_USER table in EBS.
3. There is no requirement for synchronous user creation, as the only users who are allowed to log in are people who are on the corporate network and are authenticated to OAM via WNA (Kerberos).

So that leaves the GUID autolinking issue. That is easily surmountable; here is how I have done it:

Installed OAM 11.2 and configured it for WNA auth, with the data store being OVD.
Within the OVD adapter I created a new attribute called "orclGUID"; its value is always the same as the uid, which is unique within our company. Registered a mod_osso agent and protected EBS R12 (there is no reason why AccessGate cannot be used for the same, but why use two extra layers of WebGate + AccessGate when the mod_osso agent does the job).
On the EBS side the USER_GUID column was populated by the batch process with the uid, thus making the GUID in the FND_USER table the same as the one passed over by the mod_osso header/cookie.
It has worked seamlessly. No problems there.

But the problem is with Oracle Support: they have been refusing to support this config. Why? What part of this is non-supportable? I have just proven that the reasons given are well catered for by this config.

By using this config, it saves enormous costs in maintenance of a separate store, i.e. OID (when we have AD and OVD); it eliminates the need for having OID just for the sake of IT (adds no real value in this case).

Why would Oracle not support it? I am at a loss to understand this.

Thanks
Narsimha

Posted by guest on March 19, 2013 at 02:55 AM PDT #

Hello, Narsimha,

There are roughly 200 EBS products. Your firm has likely not implemented all of them. The customized integration that you've described may work for the subset of products that your firm uses, but will not work for all EBS products.

There's nothing to prevent customers from implementing their own customized configurations to meet their requirements. Oracle cannot support customized configurations because Oracle Support has no ability to test or reproduce issues in such customized environments.

We can provide EBS patches only for issues that can be reproduced in uncustomized environments. If you report an issue with this customized configuration that cannot be reproduced in our documented Oracle Access Manager configuration, our default recommendation will be to revert to our documented configuration.

Regards,
Steven

Posted by Steven Chan on March 19, 2013 at 06:58 AM PDT #

Thanks Steven for your reply.
But even with 200 E-Business Suite products, if the two conditions you mentioned above are satisfied, it should all work?
1. Reliance on Oracle GUIDs
--> this is taken care of by the process I mentioned above
2. Synchronous user account creation
--> If an implementation does not want/need to use this facility, then this condition too is satisfied.

It should not matter how many EBS products there are as long as these two conditions are met?

Thanks and Regards
Narsimha

Posted by Narsimha on March 19, 2013 at 07:52 AM PDT #

Hi, Narsimha,

As I noted in my previous comment, we can't prevent you from customizing your environment. The fact that your proposed customizations meet your needs doesn't necessarily mean that they work for all customers and all EBS products -- especially those that depend upon synchronous account creation.

If you haven't already seen it, I'd recommend that you review this article:

To Customize or Not to Customize? (Oracle E-Business Suite Technology)
https://blogs.oracle.com/stevenChan/entry/ebs_customization_implications

Regards,
Steven

Posted by Steven Chan on March 19, 2013 at 10:07 AM PDT #

Hi Steven,

I am sorry, I still do not get your point. I am not speaking for everybody, but I am speaking as a customer. From Oracle's perspective it may be cheap to maintain support for "plain vanilla" configs, but from a customer's perspective it is not. Every customer is different; each business is unique, not "plain vanilla". By this approach Oracle is offloading its product maintenance cost to the customer by enforcing "plain vanilla" even when it does not suit them; this puts more bloatware in customer implementations.

You give two reasons why OAM needs OID, but if those can be met without OID then there should be no hesitation for Oracle to support this.

Your note implies that as long as those 2 conditions are met, OID can be bypassed.
From what you say so far, I feel this article should be changed to explicitly mention that Oracle will not support any config other than "plain vanilla", and it does not matter what is technically possible.
This is implementing IT for the sake of IT, not for business reasons.

Regards
Narsimha

Posted by Narsimha on March 19, 2013 at 10:30 AM PDT #

Hi,

We are in the process of doing the integration of OAM 11gR2 (BP02) with EBS 12.1.1.3. We are referring to the MOS note 1484024.1 for OAM-EBS integration, which in turn points to MOS note 1370938.1 for OID-EBS configuration.

EBS has been set up with a RAC-enabled database. There are a total of 3 database nodes in RAC and a SCAN address has been exposed for load balancing/failover.

Do we need to follow Appendix B (meant for RAC-enabled EBS) of the MOS note 1370938.1 in our case? Or can we treat it like a regular DB by using the SCAN details?
Do we need to use just the SCAN address entry while generating the DBC file, or do we need to have individual DB entries? The same question holds for creating the JDBC sources in WLS. Do we need to create the multi-data source, or can we just proceed with the regular commands that are meant for a regular DB using the SCAN details?

Thanks
Ekta Malik

Posted by guest on March 27, 2013 at 12:49 PM PDT #

It seems that this requirement of OID is just another way of forcing Oracle customers to only use Oracle products. I agree it is crazy to have yet another directory in place when we already have an LDAP directory that is a real LDAP directory, not an Oracle database, already in place. It is already expensive enough to be using E-Business Suite, which is a whole other discussion.

Lee

Posted by guest on March 27, 2013 at 01:35 PM PDT #

Hello, Lee,

Thanks for your comment. I understand how you feel. I agree that the requirement of Oracle Internet Directory seems burdensome, but I can assure you that this isn't part of some Machiavellian plan to drive revenue.

We've had difficulties in finding functional equivalents in third-party LDAPs for things like the ORCLGUID requirement, which is required to ensure that the external namespace is synchronized with their FND_USER requirements.

We're actively investigating other ways to reduce the complexity of our integration requirements, especially for customers with straightforward and simple use cases. Some of our experiments are yielding some intriguing results. I'll post more details as soon as they're available.

Regards,
Steven

Posted by Steven Chan on March 28, 2013 at 10:42 AM PDT #

Hi Steven,
This line of thinking leads me to question if OID could still be in the equation, but with the primary identity store now set to an alternate directory (e.g. AD), preventing the nasty password sync requirement. If DIP were configured, then the creation of an AD user would trigger an OID user creation along with an orclguid, which would filter down to EBS to populate the FND_USER attribute... The piece that I am not finding is the 11gR2 integration details: in 11gR2, is there still the requirement to pass the orclguid as a header variable, as is noted in 1354788.1?
-B

Posted by Brent on May 06, 2013 at 12:33 PM PDT #

Hi, Brent,

Oracle Internet Directory must always be used as the primary identity store for Oracle Access Manager in these EBS-integrated configurations.

Passwords remain in the third-party directory (e.g. MS Active Directory); see this older article:

Password Management with Third-Party Solutions (Oracle E-Business Suite Technology)
https://blogs.oracle.com/stevenChan/entry/password_management_with_third

Although that article refers to Oracle Single Sign-On, it also applies to Oracle Access Manager, too.

All versions of Oracle Access Manager integrated with the E-Business Suite must pass the ORCLGUID as a header variable. That's what we use to ensure that the user's authorization and authentication match before creating the user's session.

Regards,
Steven

Posted by Steven Chan on May 08, 2013 at 10:05 AM PDT #

Hi Steve,

For OAM 11gR2, the recommended LDAP directory seems to be OUD. Can we use this OUD for EBS R12 (12.1.3) integration with OAM via AccessGate? Or do we still need to set up another OID instance and replicate the OUD entries into this OID?

Thanks
Manoj

Posted by guest on May 21, 2013 at 10:47 AM PDT #

Hello Steven.

I am working on implementing EBS 11i with OAM, OID to achieve single sign on solution.

After installing all components I am seeing the redirect to EBS from the SSO login page, but the user is not authorized. The same user exists in OID and FND_USER, and ORCLGUID and USER_GUID are identical.
When configuring ODSM for SSO, I provided UID as the linked field, based on the Oracle note.

In the AccessGate log I see a GUID "NOT_FOUND" error.

I wonder if you can advise what may be causing this? I need just a direction, not a point. Thank you.

Posted by Mark on May 31, 2013 at 09:05 AM PDT #

Manoj,

Thanks for your inquiry. Oracle Unified Directory (OUD) is not currently certified as a replacement for Oracle Internet Directory when integrating E-Business Suite with Oracle Access Manager and Access Gate for single sign-on. E-Business Suite single sign-on integrations require Oracle Internet Directory.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on June 03, 2013 at 06:28 AM PDT #

Mark,

I'm sorry to hear that you have encountered a problem with your integration. This blog serves as a forum for announcements and general E-Business Suite technical guidance.

You will be better served by logging a service request with Oracle Support for the issue you are encountering with your deployment.

Please feel free to email me your service request number if you experience delays with support for some reason.

Regards,
Elke

Posted by Elke Phelps (Oracle Development) on June 03, 2013 at 06:34 AM PDT #

We've succeeded in integrating EBS 12.1.3 with Oracle Access Manager and OID. The problem is, every time we change the EBS APPS password (and we are required to every xx days), we have to jump through hoops very quickly to generate a new DBC file and get it in place on the IM server.

So... can we use a different EBS username to integrate with? Perhaps create a copy of the APPS username and set up the integration with that?
And is there any way to get a list of the critical objects in the EBS database that are required for the integration?

Regards,
Brian

Posted by Brian on June 25, 2013 at 02:39 PM PDT #

Brian,

Thanks for your inquiry. It's nice to hear that your E-Business Suite/Oracle Access Manager integration was a success.

To answer your questions:
- It is not currently certified for you to create a copy of the APPS schema and use the copied schema for the E-Business Suite/Oracle Access Manager Single Sign-on integration.
- For security reasons, we also do not publish the mechanisms (including the objects) used by E-Business Suite during the authentication process.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on June 26, 2013 at 12:31 PM PDT #

Steve or anyone on the thread,

I have EBS R12 integrated with OAM (OID integrated with AD for external authentication). This is working fine. Now I have a requirement to integrate OIF (as SP) with OAM and then integrate this OIF with TFIM (a Tivoli product). This is a requirement from the client. Is there any clean/published idea from Oracle on how to achieve this? I mean the user still gets authenticated to EBS R12 either by federated authentication or by OAM. In all this mess, one fact remains: all of these are latching on to the single source of truth, that is MS AD.

Posted by Kamlesh on August 29, 2013 at 06:03 AM PDT #

Hello, Kamlesh,

EBS -> OAM (OID->MSAD) -> OIF -> TFIM definitely sounds like an architecture with a lot of moving parts. This is technically feasible, but I haven't seen any case studies that describe this configuration specifically.

I don't have much visibility into the OAM -> OIF integration. My team focuses on the EBS -> OAM part of the configuration. I know that this is recommended by the Oracle Identity Management group, but you should probably follow up with them via a formal Service Request to get a pointer to the documentation that you should use.

We have a Consulting team that specializes in complex security architectures like this. Let me know if you'd like me to connect you with them.

Regards,
Steven

Posted by Steven Chan on August 30, 2013 at 10:20 AM PDT #

Hello Steven,
Is it possible to enable Single Sign-On only for some selected modules of EBS through OAM 11gR1? For example, I want to enable SSO only for iStore and not for iRecruitment.

Posted by abhay on September 04, 2013 at 03:56 PM PDT #

Hello, Abhay,

No, it's not. Single Sign-On is enabled at the site level, not the product level.

Regards,
Steven

Posted by Steven Chan on September 05, 2013 at 09:49 AM PDT #

Thanks Steven

Posted by abhay on September 05, 2013 at 09:57 AM PDT #

Hello Steven,
Extending my question further: can I SSO-enable EBS core modules (like HR, AP, etc.) only, but not the iModules (iSupplier, iStore)?

Posted by abhay on September 05, 2013 at 10:11 AM PDT #

Hello, Abhay,

Both Oracle Single Sign-On and Oracle Access Manager are enabled at the site level. This means that it's either on or off for your entire E-Business Suite environment.

You cannot selectively enable it for some EBS product modules and not others.

Regards,
Steven

Posted by Steven Chan on September 10, 2013 at 04:36 PM PDT #

thanks steven

Posted by abhay on September 10, 2013 at 06:32 PM PDT #

Steven/Elke,

We are in the process of implementing SSO with WNA for our EBS R12 12.1.3, and I was able to integrate EBS with OAM/OID/WebGate/AccessGate by following the Oracle note "Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate [ID 1484024.1]". I was able to sign into EBS via OAM.

However, I encountered a big problem now when trying to integrate OAM with WNA: there is no clear path for OAM/OID/EBS and AD/WNA integration. I synchronized AD with OID successfully but still have a problem doing zero sign-on using the WNA/Kerberos domain username/password, and always get the error "The user account is locked or disabled".

I opened an Oracle SR (SR 3-7649490131) with the Oracle Support OAM group, but the OAM analyst does not seem to understand our particular situation/issue with EBS/OAM/WNA integration, and it drives me nuts that I can't find a document talking about integrating these three components altogether, as the EBS group only talks about EBS/OAM integration using OID as the identity store, and the OAM group only talks about OAM/WNA integration using AD as the identity store.

Can you or any peers here suggest a best way/document for how to integrate OAM (with EBS) with WNA/AD?

Thanks,
Alan Wan

Posted by Alan Wan on September 23, 2013 at 10:48 AM PDT #

Alan Wan-

I can tell you 100% that what you're trying to do works. I implemented the exact scenario, EBS protected by OAM. We're using OID as the data store and the 3rd Party Authentication plugin so we can use AD passwords with OID accounts. We also enabled Kerberos/WNA.

The error you are describing sounds like maybe your OID<>AD link is not properly set up. Can you confirm that you can BIND to OID using an OID user's UID but with their AD password? (The UID should equal the user's samaccountname in AD, and requires a few extra AD attributes be brought in). You must be able to BIND to OID using AD credentials. I got the exact error you're describing "The user account is locked or disabled" when trying to authenticate with a user that was OID but not AD, or vice versa.

Posted by Alex Stanciu on September 24, 2013 at 05:57 AM PDT #

Alex,

Thanks for your comments. I know the EBS/OAM/WNA (12.1.3/11.1.1.7/11.1.1.7) solution is working out there for many organizations. My problem is that there is no clear path for EBS/OAM/OID integration with AD/WNA after I did the EBS/OAM/OID integration successfully; after the EBS/OAM/OID integration, the UID in OID is the same as USER_NAME in the EBS FND_USER table.

After that I integrated OID with AD, and I did it successfully, but the new users brought in from AD have a different format, like username@orgname, so I am a little confused here, since we need to sync OID with EBS FND_USER first during the EBS/OAM/OID integration, then we need to sync OID with AD, and new users will be brought in but existing users in OID are not changed!? I have not tried to BIND to OID using an OID user's UID with their AD password, though.

Also there is a side effect that a whole bunch of unwanted users got created in the EBS FND_USER table, from AD to OID and then to EBS. And the WNA SSO for EBS is still not working, with the error "The user account is locked or disabled".

Then I read here or there that I need to set up External Authentication Plugin in OID pointing to AD, I will do that soon.

Do you or any other peers have any good documents for the OAM/EBS integration with WNA?

Thanks.

Posted by Alan Wan on September 24, 2013 at 10:33 AM PDT #

Alan-

Sounds like you really just need to focus on getting WNA working, maybe with a test page. Also, your AD to OID sync should bring in the UID from samaccountname, and if that contains @orgname, you need to strip that out in your DIP mappings.

My setup is as follows:
AD syncs to OID using DIP. We bring in samaccountname as uid and a few other fields required for the External Auth Plugin to work (forget what they are right now, things like kbprincipalname, another field that holds the full DN of the user in AD, etc...). This means if you have a user, JSMITH in AD, DIP Sync will create a user in OID. Now make the password in OID different than the one in AD, and test it by either doing a BIND or logging into an OAM protected test page using JSMITH and the AD password.

Once you have that working, move on to WNA and confirm it works by logging into your OAM protected test page using WNA.

Then simply protect EBS using WNA, the pieces should all line up.

As for extra users in AD getting into EBS, that's an architectural design issue, which is beyond the scope of the conversation here.

Good luck

Posted by Alex Stanciu on September 24, 2013 at 11:06 AM PDT #

Alex,

Thanks for your input.

To be honest with you, without a defined document to point out a clear path, I am a little confused here. When we integrated EBS with OAM/OID/WebGate, we already pushed users from the EBS FND_USER table into OID. Now it looks like we will need to sync OID with AD to integrate OAM with WNA; does this synchronization update existing users in OID or simply import new users from AD into OID? I did one round of sync and it only brought new users into OID. How should I deal with the existing users in OID, which are really the ones we want to authenticate as EBS users?

Also, to match users in OID with AD, we need to define a mapping rule to match up attributes, e.g. AD sAMAccountName to UID, etc. I still can't find a document to tell me what to do with attribute mapping except by following the Oracle document at http://docs.oracle.com/cd/E12839_01/oid.1111/e10276/dip_attrmap.htm, but it only tells the basic mapping.

Posted by Alan Wan on October 01, 2013 at 03:03 PM PDT #

Alan-

For mapping rules, you can apply a Mapping Rule Expression. See this doc for the available functions:
https://blogs.oracle.com/stevenChan/entry/why_does_ebs_integration_with#comments
Section 6.4.2 under AttrMapping Rule. It sounds like in AD, your sAMAccountName is in the form of uid@DOMAIN, so you need to strip out the "@DOMAIN" part. If that is the case, you want your uid to have an Attribute Mapping Expression like:
truncl(sAMAccountName,'@')

Regarding the AD sync, it will create a user or update it if it already exists, but it's one way from AD > OID... you should not expect users to sync from OID to AD. For that you need OIM or write something custom.

You basically need 3 accounts. AD, OID, FNDUSER... Think about where the user will be created initially (Sounds like EBS in your case) and then think about the tools available to get that user an account into the other systems (EBS sync into OID, OIM to recon from OID to OIM, then OIM to provision to AD).

Or if the user is first created in AD, then use DIP Sync to pull the user into OID, then EBS sync to push the user to EBS from OID.

It all depends on your business processes.

As for the technicalities of some users making it while others don't, or wrong format of attributes or whatever, those are just configuration challenges that need to be worked out.

If you're looking for more serious help (consulting services), feel free to contact me.

Good luck

Posted by Alex Stanciu on October 01, 2013 at 03:26 PM PDT #

Oops, I put the wrong link to the Attribute Mapping Expression functions. Here's the correct documentation:
http://docs.oracle.com/cd/E17904_01/oid.1111/e10031/odip_sync_prof_confg.htm#CHDICHGJ

Posted by Alex Stanciu on October 01, 2013 at 03:30 PM PDT #

Hi Steve,

Actually we use the OSSO and OID 10.1.4.3 single sign-on solution for our EBS version 12.1.3 and other partner applications. We would like to upgrade our infrastructure. OSSO is no longer supported and it will be replaced by OAM. We also use F5 as a load balancer.

My question is: is it possible to use just (F5 and OID) instead of (OSSO or OAM) and OID as a solution for single sign-on?

Thanks.

Abdel.

Posted by guest on October 02, 2013 at 08:25 AM PDT #

Does anyone use hostname:port for the OAM configuration (it worked perfectly fine for the EBS/OAM/OID integration) and got it working with the WNA/SSO integration?

I am working with Oracle Support and the analyst told me that I have to use fully qualified domain names (no short friendly names; well, in my case it is the hostname, and our DNS can resolve it just fine) in order for the OAM WNA (using Windows Active Directory) integration to work. Just want to hear from a third party.

Posted by Alan Wan on October 04, 2013 at 01:08 PM PDT #

Abdel,

Thanks for the inquiry. An Oracle E-Business Suite single sign-on solution without the use of Oracle Access Manager or Oracle Single Sign-On is not supported.

Our current certified and recommended solution for single sign-on is for customers to integrate Oracle E-Business Suite with Oracle Access Manager and Oracle Internet Directory.

Please refer to the following blog article and related My Oracle Support note, which describe single sign-on integration options for Oracle E-Business Suite:
https://blogs.oracle.com/stevenChan/entry/new_single_sign_on_iintegrations
https://support.oracle.com/rs?type=doc&id=1388152.1

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on October 14, 2013 at 09:38 AM PDT #

A few Questions:

1. Can OVD be used in front of multiple OID instances with EBS? We'd like to use one OID instance for Internal EBS users and one OID instance for external EBS (iStore, iRecruitment, etc.) users. Is this possible/supported?

2. This doc: http://docs.oracle.com/cd/E18727_01/doc.121/e12843/T156458T465432.htm#4236218 mentions that iStore users are TCA users and provisioning TCA users to OID using DIP is not supported. Is this correct? If yes, how do iStore EBS users get pushed to OID so they can login?
"Provisioning from Trading Community Architecture (TCA) to Oracle Internet Directory is not supported"

Posted by Seth on October 18, 2013 at 08:16 AM PDT #

Hi, Seth,

Sorry for the delay in responding to this.

1. We have not certified using OVD to subsume namespaces from multiple OID instances. As noted above, the E-Business Suite has a number of hardcoded dependencies on OID. The E-Business Suite instance must somehow know how to synchronize its information with OID. Given that requirement, it's unclear how EBS would know which one to use if they're concealed behind an OVD layer. On strictly first principles, I would not expect this to work. If you report any issues with this configuration, you should expect that it will be treated like a customization.

2. I'll need to research this in more detail. If your question is time-sensitive, I'd strongly recommend that you log a Service Request for this one. Feel free to forward the SR number once logged.

Regards,
Steven

Posted by Steven Chan on November 06, 2013 at 10:47 AM PST #

Hi,
Can we have direct integration of EBS 12g with OID 11g without SSO used for authentication? Is there a place in EBS where we can switch authentication to OID instead of the native database tables?

Regards,
Ramnath

Posted by Ramnath Krishnamurthi on December 02, 2013 at 02:11 PM PST #

Ramnath,

Thanks for the inquiry. You cannot integrate Oracle E-Business Suite directly with Oracle Internet Directory.

Authentication can be performed locally by Oracle E-Business Suite or it can be performed externally with Oracle Access Manager. If authentication is performed externally with Oracle Access Manager, the data store for E-Business Suite must be Oracle Internet Directory.

For additional information please review the following:
• Oracle E-Business Suite Technology - Understanding Options for Integrating Oracle Access Manager with E-Business Suite:
http://blogs.oracle.com/stevenChan/entry/new_single_sign_on_iintegrations
• Oracle E-Business Suite Technology - Oracle Access Manager 11gR2 11.1.2.1.0 Certified With E-Business Suite:
http://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11gr2_patchset
• Oracle Internet Directory 11gR1 11.1.1.7 Certified with E-Business Suite:
https://blogs.oracle.com/stevenChan/entry/oracle_internet_directory_11gr1_111

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on December 02, 2013 at 04:14 PM PST #

Thanks Steve and Elke for the valuable information.

Regards,
Ramnath

Posted by Ramnath Krishnamurthi on December 03, 2013 at 08:10 AM PST #

Hi Steven

Is there any OVM template for IDM 11g and OAM that I can download from the Oracle website?

Thanks.

Abdel.

Posted by guest on December 17, 2013 at 07:57 AM PST #

Hi, Abdel,

I'm not aware of any Oracle VM templates for those Identity Management components. I'd recommend logging a Service Request against those products to request some to be made.

Regards,
Steven

Posted by guest on December 17, 2013 at 08:45 AM PST #

Hello,

I am currently working on integrating OIM 11g R2 with an already existing EBS R12.1 system. SSO is already configured with OAM 11g R1 (using EBS AccessGate) and OID 11g R1, by registering the two components with EBS - register instance (Oracle Home) and register OID (using an OutBound provisioningtype=3, therefore the creation of an SSO account in OID triggers the creation of an application account in EBS).

Now, since I need to integrate OIM with both EBS and OID as target systems, this might result in a triangle of provisioning identities (OIM to OID, OIM to EBS and the current SSO setup driving OID to EBS) which is obviously not an ideal situation. The solution I have in mind would be to integrate OIM with OID (OID Connector) and EBS (EBS User Management Connector in SSO enabled mode) and to stop the synch from OID to EBS by changing the provisioning profile of the OID registration (set provisiontype=4 - BiDiNoCreation, so no provisioning).

Since I haven't seen this implemented before and I couldn't find any documentation about this arrangement on the Oracle site, I have a few questions to help validate the suggested architecture:

1. If I use the EBS UM Connector in the SSO enabled mode, does that exclude enabling the "Applications SSO Auto Link User" feature on the EBS side?
2. Is provisioningtype=4 (BiDiNoCreation) the answer to how to correctly stop the synchronisation of accounts between OID and EBS and still have SSO working considering the given architecture?
3. Any reasons why this couldn't work? Any risks or issues which might occur (e.g. risks when changing the provisioning type)? Please let me know if you have any other suggestions.

Many thanks for your help!
Regards,
Lavinia.

Posted by guest on January 07, 2014 at 12:03 PM PST #

Hello,

I am currently working on integrating OIM 11g R2 with an already existing EBS R12.1 system. SSO is already configured with OAM 11g R1 (using EBS AccessGate) and OID 11g R1, by registering the two components with EBS - register instance (Oracle Home) and register OID (using an OutBound provisioningtype=3, therefore the creation of an SSO account in OID triggers the creation of an application account in EBS).

Now, since I need to integrate OIM with both EBS and OID as target systems, this might result in a triangle of provisioning identities (OIM to OID, OIM to EBS and the current SSO setup driving OID to EBS) which is obviously not an ideal situation.

The solution I have in mind would be to integrate OIM with OID (OID Connector) and EBS (EBS User Management Connector in SSO enabled mode) and to stop the synch from OID to EBS by changing the provisioning profile of the OID registration (set provisiontype=4 - BiDiNoCreation, so no provisioning).

Since I haven't seen this implemented before and I couldn't find any documentation about this arrangement on the Oracle site, I have a few questions to help validate the suggested architecture:

1. The EBS UM Connector can operate in an SSO enabled mode: during a Create User provisioning operation, the connector takes the orclGUID value of the user from the OID system and populates it in the USER_GUID field of the target system. Given this setup, do I still need to enable the "Applications SSO Auto Link User" feature?

2. Is provisioningtype=4 (BiDiNoCreation) the answer to how to correctly stop the synchronisation of accounts between OID and EBS and still have SSO working considering the given architecture?

3. Any reasons why this couldn't work? Any risks or issues which might occur (e.g. risks when changing the provisioning type)? Please let me know if you have any other suggestions.

The documentation I could find related to this is the following, but still not answering my questions unfortunately:

EBS Security Guide - Deployment Scenario 3: http://docs.oracle.com/cd/E26401_01/doc.122/e22952/T156458T580814.htm#4236275

Registering EBS with OID - specifically section 1.4 - unfortunately couldn't find more info on provisioningtype=4:
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=45015970211520&id=1370938.1&_afrWindowMode=0&_adf.ctrl-state=q3gvece1_4#Section1_4

EBS UM Connector Documentation - section 1.5.4 Support for SSO enabled target system:
http://docs.oracle.com/cd/E11223_01/doc.910/e11203.pdf

Many thanks for your help! I am looking forward to hearing your input.

Regards,
Lavinia.

Posted by Lavinia on January 09, 2014 at 02:28 AM PST #

I understand that OID is required when integrating OAM with EBS. My question is: can I avoid installing OAM and OID entirely and use an agent from a third-party vendor (CA or other)? Or is only OID required in this case?
Thanks for clarifying.

Posted by guest on February 18, 2014 at 12:19 PM PST #

Hello Dear Steve,

First : Thanks for the valuable information.

I successfully integrated EBS->OID->MSAD. My question is: what happens if MSAD goes down? I did some tests and users are not able to login when MSAD is down, so I'm wondering if there is some way that users will be able to login when MSAD is down.

Thanks in Advance.
Regards,
Diego

Posted by guest on February 18, 2014 at 03:25 PM PST #

Guest,

Directly integrating Oracle E-Business Suite with third-party directory services and third-party authentication systems is not certified.

Oracle E-Business Suite inherits its certification with third-party LDAPs and authentication systems via the E-Business Suite certification with Oracle Internet Directory and Oracle Access Manager.

If you plan to integrate with third-party systems, you must first integrate Oracle E-Business Suite with Oracle Access Manager and Oracle Internet Directory.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on February 19, 2014 at 06:30 AM PST #

Diego,

We in Oracle E-Business Suite development do not have much visibility into the OID-MSAD integration. We focus on the EBS-OID integration. The Oracle Identity Management team performs the OID-MSAD integration. I recommend that you follow up with them by logging an Oracle Service Request.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on February 19, 2014 at 06:50 AM PST #

Hi Elke,
I don't understand why you still say that third-party LDAP services are not certified.

www.oracle.com/technetwork/middleware/id-mgmt/downloads/oamebsintegrationwhitepaper-2152856.pdf

This document gives two approaches to integrate with your third-party corporate LDAP.

Why would Oracle release a whitepaper if it is not certified?
-Srini

Posted by Srini on March 10, 2014 at 03:05 AM PDT #

Srini,

The whitepaper that you've referenced in your comment applies to generic Oracle Access Manager partner applications.

It does not apply to the E-Business Suite. Please review the article above. The article describes EBS-specific requirements that cannot be met by the approach in the referenced whitepaper.

Regards,
Steven

Posted by Steven Chan on March 12, 2014 at 10:01 AM PDT #

Hi Steven,

www.oracle.com/technetwork/middleware/id-mgmt/downloads/oamebsintegrationwhitepaper-2152856.pdf

This document talks about
"Integrating Oracle E-Business Suite Using Oracle E-Business Suite AccessGate with Oracle Access Manager Using Multiple Data Stores"

It is not a generic OAM doc, and it is very specific to E-Business Suite SSO integration with 11g OAM with a third-party LDAP.

-Srini

Posted by Srini on March 13, 2014 at 03:42 AM PDT #

Hello,
So if I understand correctly (my English .....), it's not possible to use Active Directory to authenticate us in EBS, but we have to use:

Access Manager or OID, right?

Thank you, Max

Posted by guest on April 07, 2014 at 12:21 PM PDT #

Sunil,

I did not state that third-party LDAPs are not certified. What I described is how Oracle E-Business Suite (EBS) inherits third-party certifications through the EBS certification with Oracle Access Manager (OAM) and Oracle Internet Directory (OID). Per my post on February 19, 2014:

“Directly integrating Oracle E-Business Suite with third-party directory services and third-party authentication systems is not certified. Oracle E-Business Suite inherits its certification with third-party LDAPs and authentication systems via the E-Business Suite certification with Oracle Internet Directory and Oracle Access Manager. If you plan to integrate with third-party systems, you must first integrate Oracle E-Business Suite with Oracle Access Manager and Oracle Internet Directory.”

You referenced the following whitepaper:
www.oracle.com/technetwork/middleware/id-mgmt/downloads/oamebsintegrationwhitepaper-2152856.pdf

The third-party LDAP integration approaches documented in the referenced whitepaper support the mandatory requirements for certification, as all mandatory components are part of the integrations that are described. The mandatory components include: EBS AccessGate, Oracle Access Manager and Oracle Internet Directory.

Note the following regarding the whitepaper:
- Per Section 1.1 Assumption: An existing Oracle E-Business Suite and Oracle Access Manager 11g integrated environment is configured and running. Oracle E-Business Suite will be configured to use Oracle Internet Directory.

- Architecture diagrams in Figure 1 and Figure 7 both depict integration with EBS AccessGate, Oracle Access Manager and Oracle Internet Directory. As previously stated, these are mandatory components for EBS and third-party LDAP integrations.

Hope this helps.
Regards,
Elke

Posted by Elke Phelps (Oracle Development) on April 17, 2014 at 11:24 AM PDT #

Max,

It is possible to use third-party directory services with Oracle E-Business Suite; however, you cannot do so directly.

Oracle E-Business Suite inherits its certification with third-party LDAPs and authentication systems via the E-Business Suite certification with Oracle Internet Directory and Oracle Access Manager. If you plan to integrate EBS with third-party directory services and authentication systems, you must first integrate Oracle E-Business Suite with Oracle Access Manager and Oracle Internet Directory.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on April 17, 2014 at 11:27 AM PDT #

Hi Elke,
Thank you for your reply.
I had heard of "connectors" that could be used to interface EBS V.12 directly with Microsoft's Active Directory, but obviously it was not true.

Regards, Max

Posted by guest on April 29, 2014 at 12:12 PM PDT #

Max,

You're welcome. At present, connectors that work directly with Oracle E-Business Suite and MS Active Directory have not been certified by Oracle E-Business Suite development.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on May 05, 2014 at 06:13 AM PDT #

Hi Steve/Elke,

We have implemented OAM-OID-EBS along with Kerberos to enable zero sign-on, and this works fine. Now the client has a requirement to move their EBS install to cloud-based hosting. The challenge this poses is that they do not wish to open access from the cloud to their KDC domain controller to allow Kerberos to validate user credentials. Is there any way for OAM to just use the passed user account without revalidating it with the KDC?

In the meanwhile we are exploring the following options:
1. Introduce federated security - the client is not convinced, due to the additional license cost and complex solution.
2. Replace Kerberos with a custom authentication module, which identifies the logged-in Windows user and passes this to OAM, which then connects to OID and does the rest. Is this possible, and is there any sample available, or has someone else done something similar?
3. Does EBS have any option to allow user access without a password and accept login with just a user name?

Thanks
njain

Posted by guest on May 18, 2014 at 02:19 PM PDT #

Can a single OAM be configured with multiple OIDs?

We are planning to integrate Oracle EBS R12.1.3 with the latest version of Oracle Access Manager 11gR2 for our Single Sign-On solution. But one condition/requirement is that each EBS or partner application must have its own OID.

I have a question...

Assume that one department (say CIO) is implementing SSO solution for all the departments and each department is running its own EBS and other applications such as PeopleSoft, Siebel, etc.

Since partner applications such as EBS need to have their own OID for security reasons, can the OID (configured with EBS) be configured with the centralized OAM and WebGate? Or does each OID (of EBS) need to have its own OAM?

Under this setup (assuming that EBS must have its own OID and the centralized SSO solution has all the Oracle tools, such as OID, OAM, AccessGate, Id Federation, WebGate, etc.), what tools (other than OID and its WLS) need to be installed on the EBS side? Do we (EBS side) need to have a separate OAM?

Please advise.

Posted by guest on June 09, 2014 at 11:22 AM PDT #

Nijan,

Thanks for the inquiry. Oracle E-Business Suite always requires a username and password for authentication. In general, we do not recommend any configuration/integration (custom or otherwise) that requires only a User ID for authentication.

You seem to have some unique requirements. If you like, please email me additional details and I can connect you with our security specialists in Oracle consulting for further review.

Regards,
Elke

Posted by Elke Phelps (Oracle Development) on July 01, 2014 at 12:41 PM PDT #

Dear Guest,

Thanks for the inquiry. Certified configurations of Oracle Access Manager (OAM) include the use of multiple directory services from a single OAM installation; therefore, you may deploy one OAM installation with multiple EBS-to-OID configurations.

Per the Oracle E-Business Suite integration with Oracle Access Manager (see My Oracle Support Note for details), each Oracle E-Business Suite deployment requires its own WebGate.

Thanks.
Elke

Posted by Elke Phelps (Oracle Development) on July 01, 2014 at 01:25 PM PDT #
