Editor Jan. 12, 2007 Update: Oracle Identity Management 10g 10.1.4.0.1 is now certified with the E-Business Suite.
In the two-year Early Adopter Program
we ran for OracleAS 10g + E-Business Suite
configurations, over 200 customers elected to enable Single Sign-On 10g in their environments.
If that's representative of the general E-Business Suite customer, this suggests that approximately 75% of E-Business Suite customers will wish to use OracleAS 10g for this reason alone. Technical Benefits
This is a technically-focussed blog and I've promised not to bore you with vacous marketing rhetoric. If you want to get the full pitch on why Oracle Identity Management should be your choice of solutions, you can find many compelling arguments here
For E-Business Suite customers, the key benefits are:
Comprehensive Single Sign-On Solution
- The ability to offer a comprehensive Single Sign-On solution that works with all Oracle products, including the E-Business Suite, PeopleSoft, and JD Edwards.
- The ability to use Oracle Internet Directory for managing E-Business Suite user credentials, shifting focus from the older FND_USER directory
- The ability to integrate the E-Business Suite with your existing third-party
single sign-on and LDAP infrastructure
If you have one or more E-Business Suite Release 11i instances and are tired of maintaining users separately for each environment, you can create a central OracleAS 10g environment and manage all 11i users in one place.
If you have a combination of PeopleSoft, JD Edwards, and the E-Business Suite in your organization, you can use OracleAS 10g to manage users for all three environments centrally.
If you have a combination of the E-Business Suite and custom applications based on Oracle databases or OracleAS 10g technology, you can use OracleAS 10g to manage users for all applications in a single place.Use Oracle Internet Directory Instead of FND_USER
The E-Business Suite's user management capabilities (based on the FND_USER directory) are perfectly adequate for administering E-Business Suite users. However, security administrators wishing for additional user management and provisioning features would benefit from switching to Oracle Internet Directory.
Integrate with Third-Party LDAP and Single Sign-On Products
If you have an existing corporate security system such as Microsoft Active Directory, Windows Kerberos, Sun ONE/iPlanet, or Netegrity SiteMinder, using OracleAS 10g allows you to integrate your E-Business Suite with that infrastructure. This is a topic for a future In-Depth posting; watch this space.How Single Sign-On 10g Works With the E-Business Suite
When the E-Business Suite is integrated with OracleAS 10g and Single Sign-On 10g, the user authentication
process is handled by Single Sign-On 10g.
Users attempting to access protected E-Business Suite content are redirected to Single Sign-On 10g for authentication. Users log in via Single Sign-On 10g, and then are redirected back to the E-Business Suite and the protected content they wished to access.Authentication versus Authorization
It's important to distinguish user authentication
from user authorization
- User authentication is the process of establishing whether the user is whom they claim to be.
- User authorization is the process of determining what resources an authenticated user is permitted to access.
With our current integration for the E-Business Suite Release 11i, these two processes are handled by Single Sign-On and the E-Business Suite, respectively:
- When the E-Business Suite is integrated with Single Sign-On 10g, it delegates user authentication to Single Sign-On.
Partner Applications, Single Sign-On, and Single Sign-Off
- After Single Sign-On has successfully authenticated a user, the E-Business Suite handles the authorization process: e.g. ensuring that the user is entitled to file expenses.
The E-Business Suite is a Single Sign-On partner application
. Once a user logs on successfully to Single Sign-On 10g, the user has access to all registered partner applications without having to log on again.
Likewise, if a user logs out of any one of those partner applications, the user is logged out of all of them. This is called Single Sign-Off
, and works with the E-Business Suite, too.
Under the Covers: The Chain of Trust
The key architectural concept to understand is that there is a chain of trust
established between the E-Business Suite, Single Sign-On 10g, and Oracle Internet Directory 10g:
The E-Business Suite delegates user authentication to Single Sign-On, and Single Sign-On delegates user credential validation to Oracle Internet Directory.The Log In Process, Deconstructed
Let's walk through this with an example:
Our example user isn't logged into the E-Business Suite. She attempts to access a bookmarked link in her browser that points to the E-Business Suite's Self-Service Expenses page.
The E-Business Suite checks the user's browser for a valid 11i cookie, but doesn't find one: not surprising -- she hasn't logged in yet.
The E-Business Suite redirects the user to Single Sign-On 10g. Single Sign-On 10g displays a login screen and collects the user's userid and password. It then passes those credentials to Oracle Internet Directory for validation.
Internet Directory looks up the user's credentials in the Oracle
Internet Directory LDAP directory in the OracleAS 10g Infrastructure
, providing an approval or rejection as
appropriate to Single Sign-On.
If approved, Single Sign-On 10g issues a set of security tokens to the user and redirects her back to the E-Business Suite. If rejected, the user is given another chance to log in with valid credentials.
Once redirected back to the E-Business Suite, the E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities in the E-Business Suite FND_USER table.
Having established that our example user is authorized to access Self-Service Expenses, the E-Business Suite issues its own security tokens and creates a new ICX user session. The user now has two sets of security tokens in her browser, one from Single Sign-On 10g, and another from the E-Business Suite.
At this point, the user is officially logged in, and is redirected to Self-Service Expenses.Synchronizing User Credentials Between Oracle Internet Directory and the E-Business Suite
If user authentication and user authorization are performed by two different parts of this integrated system for the same user, the alert reader will leap ahead and guess that user credentials need to synchronized.
That guess would be correct: user credentials in Oracle Internet Directory and the E-Business Suite's FND_USER directory need to be synchronized. A user must be recognized and have valid entries in both locations to gain access to protected content.
This synchronization is handled by an Oracle Internet Directory tool called the Directory Integration & Provisioning Platform.
It's up to you to designate the master "source of truth" for user credentials; this is fully configurable. For example, you can designate the E-Business Suite as the master and Oracle Internet Directory as the slave, or vice versa. You can even elect to manage user credentials in both locations and have changes updated automatically between the two of them.
In other words, changes to user credentials can flow:
- From the E-Business Suite to Oracle Internet Directory
- From Oracle Internet Directory to the E-Business Suite
- Bidirectionally between them.
At this point, you're probably as exhausted as I am, so I'll cover third-party LDAP and Single Sign-On integration