This post covers the options for integrating Oracle E-Business Suite with Oracle Identity Management products, including the cases where you are upgrading from EBS 11i to 12 or switching from the older Oracle Single Sign-On technology to Oracle Access Manager.
Before proceeding to the high-level integration of E-Business Suite with Oracle Single Sign-On, let's first discuss what Single Sign-On is.
What is Single Sign-on?
As the name suggests, a Single Sign-On server is a set of services (software) that lets you log in to an application once and then use its partner applications without logging in again. For example, suppose I have configured a single SSO server for Portal, E-Business Suite, Collaboration Suite and some other applications. If I log in to any one of them and then open another of these applications, I should be able to use it without supplying my password again.
Oracle E-Business Suite single sign-on integration allows seamless authentication to multiple systems with one user ID and password. It supports deployments with third-party LDAP directories as well as third-party single sign-on systems. For additional information on Single Sign-On (SSO), such as why it is used, its advantages, which types of applications can use it, and the technical details of SSO, click here.
Overview of Single Sign-On Integration Options for Oracle E-Business Suite
Oracle has two single sign-on solutions:
A). Oracle Access Manager
B). Oracle Single Sign-On Server (OSSO)
Oracle Access Manager is the preferred solution and forms the basis of Oracle Fusion Middleware 11g. Oracle Single Sign-on Server (OSSO) is no longer being actively developed, and will not be ported to Oracle WebLogic Server.
Architecturally, the single sign-on solutions with Oracle Access Manager or Oracle Single Sign-on are very similar. Both solutions authenticate a user by verifying credentials against a user directory. The user directory service for both solutions is Oracle Internet Directory. Oracle Internet Directory and Oracle E-Business Suite user information in FND_USER are synchronized by synchronization events raised by the Workflow-based Business Event System.
Let's discuss these two single sign-on solutions in detail:
1. How the Oracle Access Manager Integration Works
The Oracle Access Manager integration comes in two variants:
- One uses the WebGate agent in conjunction with Oracle E-Business Suite AccessGate.
- The other uses the mod_osso agent and is only for users upgrading from Oracle Single Sign-On Server 10gR3.
1.1 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with WebGate and Oracle E-Business Suite AccessGate
Oracle Access Manager WebGate is a component of Oracle Access Manager that intercepts HTTP requests and redirects them to the Oracle Access Manager server to determine if and how the resources are allowed to be accessed and to authenticate the current user if authentication is required. If Oracle Access Manager is already deployed in the environment, an existing WebGate can be configured for this purpose.
Note: This method provides the most robust set of features for SSO.
According to the figure above, the flow is:
- When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource, the user is directed to the Oracle E-Business Suite AccessGate application.
- Oracle E-Business Suite AccessGate is protected by the Oracle Access Manager server, so the authentication request is rerouted to a separate HTTP Server on which a WebGate is installed.
- Once the user has been authenticated by Oracle Access Manager, the request for the resource, along with the credentials returned by the Oracle Access Manager server, is picked up by Oracle E-Business Suite AccessGate.
- Finally, if the Access Server credentials are valid, AccessGate connects to the Oracle E-Business Suite database in order to link the Oracle Directory Services user; if that fails, the user is redirected to the original URL.
1.2 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with mod_osso
Above we saw how the OAM integration works with the WebGate agent. Now we look at Oracle EBS SSO integration using OAM with mod_osso.
Steps 1 and 2. When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource, the user is directed to the Oracle Access Manager 11g Server by mod_osso in the Oracle E-Business Suite OHS.
Step 3. Oracle Access Manager 11g server validates the Oracle Access Manager session (in the OAM_ID cookie, if the cookie exists), finding none (for a first time login) it displays the Oracle Access Manager SSO login page.
Step 4. The user submits their credentials and the Oracle Access Manager 11g Server validates those against Oracle Directory Services.
Step 5. Oracle Access Manager 11g Server creates the Oracle Access Manager session (OAM_ID cookie) and redirects back to /osso_login_success on the Oracle E-Business Suite tier (i.e. http(s)://<EBSHostname>.<Domain_Name>:<EBS_OHS_Port>/osso_login_success, the Success URL as defined for the Oracle Single Sign-On Agent).
Step 6. mod_osso in the Oracle E-Business Suite OHS creates the OHS-ID cookies and sets the Oracle Single Sign-On HTTP Server variables for reference by Oracle E-Business Suite.
Step 7. Oracle E-Business Suite then creates an application session for the EBS user linked to the SSO authenticated Oracle Internet Directory user.
Step 8. Finally, the user is redirected to the original URL and the requested resource is returned.
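To make the cookie handling in steps 1 to 8 concrete, here is an added toy model of the mod_osso flow (illustration only, not Oracle's code). The directory, the FND_USER table, the cookie names, the HTTP status codes and the /oam/login URL are all constructed stand-ins; it shows why a second partner application needs no password prompt, and that an SSO user with no linked EBS account gets no application session.

```python
import secrets

# Constructed stand-ins for the directory (OID) and the EBS FND_USER table.
DIRECTORY = {"jsmith": "Secret1", "nolink": "Secret2"}   # user -> password
FND_USER = {"jsmith": "JSMITH"}                          # OID user -> EBS account


class OAMServer:
    """Holds OAM sessions; checks the OAM_ID cookie before asking for a password."""
    def __init__(self):
        self.sessions = {}  # OAM_ID cookie value -> directory user

    def authenticate(self, oam_cookies, username=None, password=None):
        # Step 3: a valid OAM_ID cookie means the login page is not shown.
        user = self.sessions.get(oam_cookies.get("OAM_ID"))
        if user:
            return user, False
        # Step 4: validate the submitted credentials against the directory.
        if username is None or DIRECTORY.get(username) != password:
            return None, True
        # Step 5: create the OAM session and set the OAM_ID cookie.
        oam_id = secrets.token_hex(16)
        self.sessions[oam_id] = username
        oam_cookies["OAM_ID"] = oam_id
        return username, True


class EBSTier:
    """mod_osso in the EBS OHS plus the EBS application session (constructed model)."""
    def __init__(self, host, oam):
        self.host, self.oam = host, oam

    def get(self, jar, url, username=None, password=None):
        # Cookies are kept per host: mod_osso's cookie is not visible to OAM and vice versa.
        app_cookies = jar.setdefault(self.host, {})
        if "OHS-ID" in app_cookies:          # an application session already exists
            return {"status": 200, "url": url, "prompted": False}
        # Steps 1-2: redirect to OAM, which sees only the cookies for its own host.
        user, prompted = self.oam.authenticate(jar.setdefault("oam", {}), username, password)
        if user is None:
            return {"status": 302, "url": "/oam/login", "prompted": True}
        # Step 7: link the SSO user to an EBS account; an unlinked user gets no session.
        if user not in FND_USER:
            return {"status": 403, "url": url, "prompted": prompted}
        # Steps 6 and 8: mod_osso sets its cookie and the original URL is served.
        app_cookies["OHS-ID"] = secrets.token_hex(16)
        return {"status": 302, "url": url, "prompted": prompted, "ebs_user": FND_USER[user]}
```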
2. How the Oracle Single Sign-On Server (OSSO) Integration Works
Note: This architecture is only supported with Oracle Internet Directory as the Oracle Directory Service.
When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource, the user is directed to the Oracle Single Sign-On server by mod_osso in the Oracle E-Business Suite OHS.
The Single Sign-On server looks for its cookie in the browser. If it finds none, it tries to authenticate the user with a username and password. If authentication is successful, the Single Sign-On server creates a cookie in the browser as a reminder that the user has been authenticated. If a cookie exists, the Single Sign-On server will authenticate using the cookie.
The Single Sign-On server returns the user’s encrypted information to mod_osso. Mod_osso creates its own cookie for the user in the browser and redirects the user to the requested URL.
3. Integration with Third-Party Access Management Systems and LDAP Directories
When integrating with a third-party LDAP, the third-party LDAP synchronizes user attributes with Oracle Directory Services which synchronizes user attributes with the Oracle E-Business Suite database (FND_USER).
With Oracle E-Business Suite Release 12.2, single sign-on integration is simplified. Both WebGate 11g and Oracle E-Business Suite AccessGate are automatically installed and configured on your Oracle E-Business Suite Release 12.2 application tier server node.
Oracle E-Business Suite AccessGate integrates with WebGate, which offers the most robust set of features; those still on Oracle Single Sign-On (OSSO) should also consider upgrading to the latest certified version of Oracle Access Manager with Oracle E-Business Suite AccessGate.