This article is an updated version of two earlier articles: one written for EBS 11i + SSO + OID, and another written for EBS 12 + SSO + OID. Oracle Single Sign-On has been superseded by Oracle Access Manager (OAM). This latest article covers the latest options for using EBS Release 12.x (12.0, 12.1, and 12.2) and Oracle Access Manager with third-party authentication systems.
Like most of our customers, you probably already have a corporate
identity management system in place. And, you've probably not been
enjoying the experience of redundantly administering the same user in
your corporate identity management system as well as the E-Business
Suite. If this describes your environment, this in-depth article about
integrating Oracle E-Business Suite Release 12, Oracle Access Manager,
and Oracle Internet Directory with third-party identity management
systems will show you a better way of managing your EBS users.
No More Redundant User Administration
It is possible to integrate the E-Business Suite with existing
third-party single sign-on and LDAP solutions via Oracle Access Manager and Oracle Internet Directory, respectively:
third-party single sign-on solutions can be integrated with Oracle Access Manager, and third-party LDAP directories can be integrated
with Oracle Internet Directory. Oracle Access Manager and Oracle Internet Directory are integrated, in turn, with the E-Business Suite.
Example Scenario: The Deluxe "Zero Sign-On" Approach
A user logs on to their PC using their Windows user ID and password. The user decides to file an expense report for attending the OpenWorld conference. He starts Internet
Explorer, opens Favorites, and selects a bookmarked
link for the E-Business Suite's Self-Service Expenses. Self-Service Expenses starts and the user begins entering their expense report.
We sometimes call this "zero sign-on" because the user never
actually logged on to any Oracle systems at all; the user's Windows Kerberos
ticket from the Windows Primary Domain Controller (PDC) gave him access to the E-Business Suite.
Magic? What Really Happened?
Brace yourself: some of the following material might require a couple of passes to sink in.
The "deluxe" scenario above illustrates the following integrations:
- Microsoft Active Directory with Oracle Internet Directory
- Microsoft Kerberos Authentication with Oracle Access Manager
- Oracle Access Manager and Oracle Internet Directory integration with the E-Business Suite
The user logged on to their PC, which authenticated them against
Microsoft Active Directory. As part of that logon process, the Windows Primary Domain Controller (PDC) issued a valid Kerberos ticket to the user.
When the user attempted to access Self-Service Expenses via his
bookmarked link, he was redirected to Oracle Access Manager. Oracle Access Manager checked the user's credentials against the Kerberos Key Distribution Center (KDC), issued its
own Oracle security tokens to the user, and
redirected the user back to the E-Business Suite.
The E-Business Suite recognized the Oracle Access Manager
security tokens and looked up the user's assigned Applications
Responsibilities to ensure that he was authorized to access Self-Service
Expenses. That done, it issued its own E-Business Suite
security tokens and then passed the user through to Self-Service
Expenses without requiring any additional logons.
Integration with Microsoft Active Directory Only
Not everyone uses Microsoft Kerberos Authentication. A simpler
integration option omits Kerberos and includes only Microsoft Active
Directory and Oracle Internet Directory, like this:
In this simpler architecture, when the user attempts to access
Self-Service Expenses via his bookmarked link, he's redirected to Oracle Access Manager. Oracle Access Manager displays a login screen and
collects the user's ID and password.
Oracle Access Manager passes the user's credentials to Oracle Internet Directory. Oracle Internet Directory uses the Microsoft Active Directory External Authentication Plug-In to pass the user's credentials to Microsoft Active Directory.
Microsoft Active Directory looks up the user's ID and password in
its database, and informs Oracle Internet Directory that this is an
authenticated user. Oracle Internet Directory informs Oracle Access Manager
that the user was successfully authenticated.
Oracle Access Manager issues the user a set of security tokens and
redirects the user to the E-Business Suite. The E-Business Suite
recognizes the Oracle Access Manager security tokens and looks up the user's
assigned Applications Responsibilities to ensure that he's
authorized to access Self-Service Expenses. That done, it issues its own
E-Business Suite security tokens and then passes the user through to
Self-Service Expenses.
Synchronization of User Credentials with Third-Party LDAP Directories
If you've been paying close attention so far, you have
gathered that user credentials need to be synchronized between the
third-party LDAP, Oracle Internet Directory, and the E-Business Suite.
The synchronization architecture looks like this:
In this configuration, only the user name needs to be synchronized;
the user's password is stored in the third-party LDAP directory. None
of the Oracle products need to store the user's password, since they
delegate user authentication to the third-party.
The key concept here is that user authentication is still separated
from user authorization even when a third-party LDAP is in place.
So, the E-Business Suite still grants authenticated users access to
E-Business Suite protected content based on the users' Applications
Responsibilities, which are managed in the E-Business Suite exclusively.
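The synchronization boundary described above, modelled in code as an added example (not code from the article or from any Oracle product): only the user name and a directory GUID cross from the third-party LDAP into OID/EBS, the password never does, and a reconciliation pass reports directory users lacking an EBS account and active EBS accounts with no live directory counterpart. The sample directory and EBS records are constructed, and the attribute names (sAMAccountName, userAccountControl, user_name, end_date) are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled Active Directory account


@dataclass(frozen=True)
class DirectoryEntry:          # one record from the third-party LDAP (constructed)
    sam_account_name: str
    object_guid: str
    user_account_control: int
    password_hash: str         # lives only in the directory; must never be synchronized


@dataclass(frozen=True)
class EbsUser:                 # one row of the E-Business Suite user table (constructed)
    user_name: str
    end_date: Optional[date]   # None means the account is still active


def provisioning_record(entry: DirectoryEntry) -> dict:
    """What synchronization carries into OID/EBS: identity attributes only, no secret."""
    return {"user_name": entry.sam_account_name.upper(), "orclguid": entry.object_guid}


def reconcile(directory, ebs_users, today: date) -> dict:
    """Compare enabled directory users with active EBS users and report the drift."""
    active_dir = {e.sam_account_name.upper() for e in directory
                  if not e.user_account_control & ACCOUNTDISABLE}
    active_ebs = {u.user_name.upper() for u in ebs_users
                  if u.end_date is None or u.end_date > today}
    return {
        "to_provision": sorted(active_dir - active_ebs),     # need an EBS account created
        "orphaned_in_ebs": sorted(active_ebs - active_dir),  # should be end-dated in EBS
    }


# Constructed sample data: a normal user, a new hire not yet in EBS, a disabled leaver
# still active in EBS, and a contractor already end-dated in EBS.
SAMPLE_DIRECTORY = [
    DirectoryEntry("jsmith", "guid-0001", 0x0200, "{SSHA}constructed-hash-1"),
    DirectoryEntry("newhire", "guid-0002", 0x0200, "{SSHA}constructed-hash-2"),
    DirectoryEntry("leaver", "guid-0003", 0x0202, "{SSHA}constructed-hash-3"),
]
SAMPLE_EBS_USERS = [
    EbsUser("JSMITH", None),
    EbsUser("LEAVER", None),
    EbsUser("OLDCONTRACTOR", date(2012, 1, 1)),
]

if __name__ == "__main__":
    print([provisioning_record(e) for e in SAMPLE_DIRECTORY])
    print(reconcile(SAMPLE_DIRECTORY, SAMPLE_EBS_USERS, date(2013, 6, 1)))
```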
Integration With Other Single Sign-On Solutions
It is also possible to integrate Oracle Access Manager with other single sign-on solutions, including:
- CA Netegrity SiteMinder
- Biometric devices like fingerprint readers
- PKI X.509 digital certificates
When integrated with other single sign-on solutions, a chain of
trust is established between the third-party, Oracle Access Manager, and
the E-Business Suite. Users logging on via the third-party single
sign-on solution are passed through transparently to Oracle Access Manager and the E-Business Suite.
Relax, It's Easy and Fun
Well, maybe not... but at least it's technically feasible. You
might find it reassuring to note that a number of E-Business Suite
customers are running this configuration in production already.
This is about as much detail as I think is appropriate for now.
Feel free to post comments if you have questions about this topic.
For a survey of options for integrating Oracle Access Manager and
Oracle Internet Directory with Oracle E-Business Suite Release 12, see: