By Steven Chan - EBS-Oracle on Dec 16, 2014
This article is an updated version of two earlier articles: one written for EBS 11i + SSO + OID, and another written for EBS 12 + SSO + OID. Oracle Single Sign-On has been superseded by Oracle Access Manager (OAM). This latest article covers the latest options for using EBS Release 12.x (12.0, 12.1, and 12.2) and Oracle Access Manager with third-party authentication systems.
Like most of our customers, you probably already have a corporate identity management system in place. And, you've probably not been enjoying the experience of redundantly administering the same user in your corporate identity management system as well as the E-Business Suite. If this describes your environment, this in-depth article about integrating Oracle E-Business Suite Release 12, Oracle Access Manager, and Oracle Internet Directory with third-party identity management systems will show you a better way of managing your EBS users.
No More Redundant User Administration
It is possible to integrate the E-Business Suite with existing third-party single sign-on and LDAP solutions via Oracle Access Manager and Oracle Internet Directory, respectively:
Third-party single sign-on solutions can be integrated with Oracle Access Manager, and third-party LDAP directories can be integrated with Oracle Internet Directory. Oracle Access Manager and Oracle Internet Directory are integrated, in turn, with the E-Business Suite.
Example Scenario: The Deluxe "Zero Sign-On" Approach
A user logs on to their PC using their Windows userid and password. The user decides to file an expense report for attending the OpenWorld conference. He starts Internet Explorer, opens Favorites, and selects a bookmarked link for the E-Business Suite's Self-Service Expenses. Self-Service Expenses starts and the user begins entering their expense report.
We sometimes call this "zero sign-on" because the user never actually logged on to any Oracle systems at all; the user's Windows Kerberos ticket from the Windows Primary Domain Controller (PDC) gave him access to the E-Business Suite automatically.
Magic? What Really Happened?
Brace yourself: some of the following material might require a couple of passes to sink in.
The "deluxe" scenario above illustrates the following integrations:
- Microsoft Active Directory with Oracle Internet Directory
- Microsoft Kerberos Authentication with Oracle Access Manager
- Oracle Access Manager and Oracle Internet Directory integration with the E-Business Suite
The user logged on to their PC, which authenticated them against Microsoft Active Directory. As part of that logon process, the Windows Primary Domain Controller (PDC) issued a valid Kerberos ticket to the user.
When the user attempted to access Self-Service Expenses via his bookmarked link, he was redirected to Oracle Access Manager. Oracle Access Manager validated the user's Kerberos credentials against the Windows Key Distribution Center (KDC), issued its own Oracle security tokens to the user, and redirected the user back to the E-Business Suite.
The E-Business Suite recognized the Oracle Access Manager security tokens and looked up the user's assigned Applications Responsibilities to ensure that he was authorized to access Self-Service Expenses. That done, it issued its own E-Business Suite security tokens and then passed the user through to Self-Service Expenses without requiring any additional logons.
Integration with Microsoft Active Directory Only
Not everyone uses Microsoft Kerberos Authentication. A simpler integration option omits Kerberos and includes only Microsoft Active Directory and Oracle Internet Directory, like this:
In this simpler architecture, when the user attempts to access Self-Service Expenses via his bookmarked link, he's redirected to Oracle Access Manager. Oracle Access Manager displays a login screen and collects the user's ID and password.
Oracle Access Manager passes the user's credentials to Oracle Internet Directory. Oracle Internet Directory uses the Microsoft Active Directory External Authentication Plug-In to pass the user's credentials to Microsoft Active Directory.
Microsoft Active Directory looks up the user's ID and password in its database, and informs Oracle Internet Directory that this is an authenticated user. Oracle Internet Directory informs Oracle Access Manager that the user was successfully authenticated.
Oracle Access Manager issues the user a set of security tokens and redirects the user to the E-Business Suite. The E-Business Suite recognizes the Oracle Access Manager security tokens and looks up the user's assigned Applications Responsibilities to ensure that he's authorized to access Self-Service Expenses. That done, it issues its own E-Business Suite security tokens and then passes the user through to Self-Service Expenses.
Synchronization of User Credentials with Third-Party LDAP Directories
If you've been paying close attention so far, you have gathered that user credentials need to be synchronized between the third-party LDAP, Oracle Internet Directory, and the E-Business Suite. The synchronization architecture looks like this:
In this configuration, only the user name needs to be synchronized; the user's password is stored in the third-party LDAP directory. None of the Oracle products need to store the user's password, since they delegate user authentication to the third-party LDAP solutions.
The key concept here is that user authentication is still separated from user authorization even when a third-party LDAP is in place.
So, the E-Business Suite still grants authenticated users access to E-Business Suite protected content based on the users' Applications Responsibilities, which are managed in the E-Business Suite exclusively.
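To make the two points above concrete (the password never leaves the third-party directory, and authorization stays in EBS), here is an added, self-contained Python model of the login chain described in the "Active Directory only" scenario. It is example code written for this article, not Oracle's implementation: the four classes are in-memory stand-ins for Active Directory, Oracle Internet Directory, Oracle Access Manager and the E-Business Suite, the sample users and the "Self-Service Expenses" responsibility are constructed, and the HMAC-signed token is an assumed simplification of the real OAM token format.

```python
"""Model of the delegated-authentication chain: the third-party directory
verifies passwords, OID holds synchronized user names only, OAM issues a
signed token, and EBS authorizes against its own Responsibilities.
Every component here is an in-memory stand-in built for this example."""
import hashlib
import hmac
import json
import secrets
import time


class ThirdPartyDirectory:
    """Stand-in for Active Directory: the only place password material lives."""

    def __init__(self):
        self._users = {}  # user -> (salt, PBKDF2 hash); constructed data only

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._derive(password, salt))

    def user_names(self):
        return sorted(self._users)

    def bind(self, user, password):
        """LDAP simple bind: True only if the user exists and the password matches."""
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(password, salt))


class OracleInternetDirectory:
    """Holds synchronized user names, never passwords; the external
    authentication plug-in is modelled by delegating bind() to AD."""

    def __init__(self, external):
        self._external = external
        self._entries = set()

    def synchronize(self):
        self._entries = set(self._external.user_names())

    def authenticate(self, user, password):
        if user not in self._entries:
            return False  # not yet synchronized: no OID entry, so no login
        return self._external.bind(user, password)


class OracleAccessManager:
    """Collects credentials, asks OID, and issues an HMAC-signed token."""

    def __init__(self, directory, signing_key):
        self._dir = directory
        self._key = signing_key

    def login(self, user, password):
        if not self._dir.authenticate(user, password):
            return None
        payload = json.dumps({"sub": user, "iat": int(time.time())}).encode()
        sig = hmac.new(self._key, payload, "sha256").hexdigest()
        return payload.hex() + "." + sig


class EBusinessSuite:
    """Trusts OAM tokens it can verify; the Responsibility check is local."""

    def __init__(self, oam_key, responsibilities):
        self._key = oam_key
        self._resp = responsibilities  # user -> set of Responsibilities

    def _verify(self, token):
        try:
            payload_hex, sig = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except (ValueError, AttributeError):
            return None
        expected = hmac.new(self._key, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        return json.loads(payload)["sub"]

    def access(self, token, responsibility):
        user = self._verify(token)
        if user is None:
            return "DENIED: invalid or missing OAM token"
        if responsibility not in self._resp.get(user, set()):
            return f"DENIED: {user} lacks responsibility {responsibility}"
        return f"OK: {user} granted {responsibility}"


def build_scenario():
    """Constructed sample: one synced user, one user added to AD after sync."""
    ad = ThirdPartyDirectory()
    ad.add_user("jsmith", "correct horse")
    oid = OracleInternetDirectory(ad)
    oid.synchronize()
    ad.add_user("newhire", "battery staple")  # exists in AD, not yet in OID
    key = secrets.token_bytes(32)  # shared OAM/EBS trust secret (assumed)
    oam = OracleAccessManager(oid, key)
    ebs = EBusinessSuite(key, {"jsmith": {"Self-Service Expenses"}})
    return ad, oid, oam, ebs


def run_login(oam, ebs, user, password, responsibility="Self-Service Expenses"):
    token = oam.login(user, password)
    if token is None:
        return "DENIED: authentication failed"
    return ebs.access(token, responsibility)


if __name__ == "__main__":
    _, _, oam, ebs = build_scenario()
    for args in [("jsmith", "correct horse"), ("jsmith", "wrong"),
                 ("newhire", "battery staple"),
                 ("jsmith", "correct horse", "System Administrator")]:
        print(args[0], "->", run_login(oam, ebs, *args))
```

The four runs in the `__main__` block cover the cases a practitioner should expect: a good login, a bad password (rejected by AD, never seen by Oracle), a user that exists in AD but has not been synchronized into OID (no login possible until the sync job runs), and an authenticated user who lacks the Responsibility (authenticated but not authorized, decided by EBS alone).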
Integration With Other Single Sign-On Solutions
It is also possible to integrate Oracle Access Manager with other single sign-on solutions, including:
- CA Netegrity SiteMinder
- Biometric devices like fingerprint readers
- PKI X.509 digital certificates
When integrated with other single sign-on solutions, a chain of trust is established between the third-party, Oracle Access Manager, and the E-Business Suite. Users logging on via the third-party single sign-on solution are passed through transparently to Oracle Access Manager and the E-Business Suite.
Relax, It's Easy and Fun
Well, maybe not... but at least it's technically feasible. You might find it reassuring to note that a number of E-Business Suite customers are running this configuration in production already.
This is about as much detail as I think is appropriate for now. Feel free to post comments if you have questions about this topic.
For a survey of options for integrating Oracle Access Manager and Oracle Internet Directory with Oracle E-Business Suite Release 12, see: