
4/22/2019 Document 1388152.

Copyright (c) 2019, Oracle. All rights reserved. Oracle Confidential.

Overview of Single Sign-On Integration Options for Oracle E-Business Suite (Doc ID 1388152.1)

The most current version of this document can be obtained through My Oracle Support Knowledge Document 1388152.1.

There is a change log at the end of this document.

In this Document

Section 1: Introduction
Section 2: Single Sign-On Concepts
Section 3: Overview of Single Sign-On Integration Options for Oracle E-Business Suite
3.1 How the Oracle Access Manager Integration Works
3.2 How the Oracle Single Sign-On Server (OSSO) Integration Works
3.3 Integration with Third-Party Access Management Systems and LDAP Directories
Section 4: Choosing a Single Sign-On Solution
Section 5: Documentation Roadmap
Section 6: Reference Architecture

Document Details

Type: HOWTO
Status: PUBLISHED
Last Major Update: 06-Aug-2018
Last Update: 06-Aug-2018
Related Products: Oracle E-Business Suite Technology Stack

Section 1: Introduction
This document provides an overview of the options for integrating Oracle E-Business Suite with Oracle Identity Management
products.

Oracle Directory Services refers to both Oracle Internet Directory and Oracle Unified Directory. Procedures documented for
implementing Oracle Directory Services apply to both these directories.

Section 2: Single Sign-On Concepts
Authentication is the process by which you verify that someone is who they claim to be. Usually this involves a username and a
password. An unauthenticated user is one who has not yet provided credentials in the form of a username and password.
Authorization is the process of determining whether the person, once identified, is permitted to have access to the resource. This
is usually determined by finding out if that person is part of a particular group. Oracle E-Business Suite single sign-on
integrations allow for seamless authentication to multiple systems with one user id and password.

One reason to consider a single sign-on integration for your Oracle E-Business Suite environment is to provide a single login
account for Oracle E-Business Suite and other applications in your environment. For example, you may choose to deploy a single
sign-on solution that integrates with other Applications Unlimited Products including PeopleSoft and JD Edwards and Fusion
Middleware Tools such as Oracle Business Intelligence Enterprise Edition (OBIEE) and Discoverer.

Oracle E-Business Suite single sign-on integrations support deployments with third-party LDAP systems as well as third-party
single sign-on systems. Integrating with your company's corporate solution for single sign-on and identity management is
another reason to consider this integration. Additional information regarding third-party LDAP integrations is described in the
Integration with Third-Party Access Management Systems and LDAP Directory Services section.

You may also refer to Chapter 8, Authentication and Integration, of Oracle E-Business Suite Concepts:

Oracle E-Business Suite Release 12.2
Oracle E-Business Suite Release 12.1

Section 3: Overview of Single Sign-On Integration Options for Oracle E-Business Suite

Oracle has two single sign-on solutions, Oracle Access Manager and Oracle Single Sign-On Server (OSSO). Oracle Access
Manager is the preferred solution and forms the basis of Oracle Fusion Middleware 11g. Premier Support for Oracle Single
Sign-On ended on December 31, 2011, and all Oracle Single Sign-On users should migrate to Oracle Access Manager. Oracle Single
Sign-on Server (OSSO) is no longer being actively developed, and will not be ported to Oracle WebLogic Server.

Architecturally, the single sign-on solutions with Oracle Access Manager or Oracle Single Sign-on are very similar. Both solutions
authenticate a user by verifying credentials against a user directory. The user directory service for both solutions is Oracle
Internet Directory. Oracle Internet Directory and Oracle E-Business Suite user information in FND_USER is synchronized by
synchronization events raised by the Workflow-based Business Event System.

Both solutions also support integration with third-party access management and LDAP systems. Oracle E-Business Suite is
not certified to function directly with third-party Access Management products or third-party LDAP products. Due to
dependencies in the integration, Oracle Access Manager and Oracle Internet Directory are mandatory components when
integrating with third-party access management systems and third-party LDAP directories. Additional information regarding
third-party integrations is described in the Integration with Third-Party Access Management Systems and LDAP Directory
Services section.


3.1 How the Oracle Access Manager Integration Works

Integration with Oracle Access Manager 11g is achieved through agents. Integration with Oracle E-Business Suite can be
performed using one of two methods:

Method 1: Uses the WebGate agent, in conjunction with Oracle E-Business Suite AccessGate. This method is described
in detail in Section 3.1.1.

Method 2: Uses the mod_osso agent, and is only for users upgrading from Oracle Single Sign-On Server 10gR3. This
method is described in detail in Section 3.1.2.

3.1.1 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with WebGate and Oracle
E-Business Suite AccessGate

Oracle Access Manager WebGate is a component of Oracle Access Manager that intercepts HTTP requests and redirects them to
the Oracle Access Manager server to determine if and how the resources are allowed to be accessed, and to authenticate the
current user if authentication is required. If Oracle Access Manager is already deployed in the environment, an existing WebGate
can be configured for this purpose.

The integration with WebGate and Oracle E-Business Suite AccessGate is depicted in Figure 1 and detailed in the following
steps:

Steps 1 and 2. When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource,
the user is directed to the Oracle E-Business Suite AccessGate application.

Oracle E-Business Suite AccessGate is a Java EE application responsible for mapping a single sign-on user to an
Oracle E-Business Suite user, and creating the Oracle E-Business Suite session for that user. This application is
deployed to a WebLogic Server instance, and is separate from Oracle E-Business Suite.

Steps 3 and 4. Oracle E-Business Suite AccessGate is protected by the Oracle Access Manager server, so the
authentication request is rerouted to a separate HTTP Server on which a WebGate is installed.

Oracle Access Manager WebGate is a component of Oracle Access Manager that intercepts HTTP requests and
redirects them to the Oracle Access Manager server to determine if and how the resources are allowed to be
accessed, and to authenticate the current user if authentication is required. If Oracle Access Manager is already
deployed in the environment, an existing WebGate can be configured for this purpose.

Steps 5, 6 and 7. Once a user is initially authenticated by Oracle Access Manager, the request for a resource -
along with the credentials returned by the Oracle Access Manager server - is picked up by Oracle E-Business
Suite AccessGate.

Steps 8 and 9. If the Access Server credentials are valid, this application connects to the Oracle E-Business Suite
database in order to link the Oracle Directory Services user to an Oracle E-Business Suite user. If Oracle E-
Business Suite fails to identify a linked user for the Oracle Directory Services user, the user is redirected to the
linking page so that he may map his unlinked Oracle Directory Services user account to his Oracle E-Business Suite
username. Once this mapping is done, the originally requested resource is returned with a valid authenticated
Oracle E-Business Suite user session.

All subsequent requests for Oracle E-Business Suite resources are then returned directly to the user as long as the
user session remains valid.

Figure 1: Integration with WebGate and Oracle E-Business Suite AccessGate

NOTE: Each Oracle E-Business Suite instance requires its own deployment of the Oracle E-Business Suite AccessGate
application. Oracle E-Business Suite AccessGate must be installed and configured in the same Internet domain as the Oracle E-
Business Suite middle tier servers. If different physical hosts and domains are used for the components, the entry points must
be configured to use the same domain; for example, using a reverse proxy. This is because several Oracle E-Business Suite
domain cookies are shared among the middle tiers and the Oracle E-Business Suite AccessGate server.
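
The shared-domain requirement in the NOTE above can be checked before deployment. The following is an added example, not Oracle's code: it applies the RFC 6265 domain-match rule to a list of entry-point URLs, assuming the shared cookies are scoped to a single Domain value. The cookie domain, component names, hostnames and ports are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: would a browser send a cookie scoped to
    cookie_domain on a request to host?"""
    host = host.lower()
    domain = cookie_domain.lower().lstrip(".")  # a leading dot in Domain is ignored
    if not host or not domain:
        return False
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal never suffix-matches a domain name
    except ValueError:
        pass
    # The cookie domain must be a suffix of the host on a label boundary.
    return host.endswith("." + domain)


def check_entry_points(cookie_domain: str, entry_points: dict) -> dict:
    """Return {component: hostname} for entry-point URLs that fall outside
    the cookie domain and so would not share the domain cookies."""
    outside = {}
    for name, url in entry_points.items():
        host = urlsplit(url).hostname or ""
        if not domain_matches(host, cookie_domain):
            outside[name] = host
    return outside


# Constructed sample deployment (assumed values, not from the Oracle document).
COOKIE_DOMAIN = ".corp.example.com"
ENTRY_POINTS = {
    "ebs-middle-tier-1": "https://ebs1.corp.example.com:4443/",
    "ebs-middle-tier-2": "https://ebs2.corp.example.com:4443/",
    # AccessGate reached on its physical host in another domain: fails.
    "accessgate-direct": "https://wls1.dmz.example.net:7002/",
    # Same AccessGate published through a reverse proxy in the EBS domain: passes.
    "accessgate-via-proxy": "https://sso.corp.example.com/",
    # Suffix overlap without a label boundary: fails.
    "label-boundary-case": "https://ebs.xcorp.example.com/",
    # Entry point addressed by IP: fails.
    "ip-entry-point": "https://192.0.2.10:4443/",
}

if __name__ == "__main__":
    for name, host in check_entry_points(COOKIE_DOMAIN, ENTRY_POINTS).items():
        print(f"{name}: {host} is outside cookie domain {COOKIE_DOMAIN}")
```
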

3.1.2 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with mod_osso

The integration with Oracle Access Manager and mod_osso is depicted in Figure 2 and detailed in the following steps:

Steps 1 and 2. When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource,
the user is directed to the Oracle Access Manager 11g Server by mod_osso in the Oracle E-Business Suite OHS.

Step 3. Oracle Access Manager 11g server validates the Oracle Access Manager session (in the OAM_ID cookie, if
the cookie exists); finding none (for a first-time login), it displays the Oracle Access Manager SSO login page.

Step 4. The user submits their credentials and the Oracle Access Manager 11g Server validates those against
Oracle Directory Services.

Step 5. Oracle Access Manager 11g Server creates the Oracle Access Manager session (OAM_ID cookie) and
redirects back to /osso_login_success on the Oracle E-Business Suite tier, i.e.
http(s)://<EBSHostname>.<Domain_Name>:<EBS_OHS_Port>/osso_login_success (the Success URL as defined for the
Oracle Single Sign-On Agent).

Step 6. Mod_osso in the Oracle E-Business Suite OHS creates the OHS-ID cookies and sets Oracle Single Sign-On
HTTP Server variables for reference by Oracle E-Business Suite.

Step 7. Oracle E-Business Suite then creates an application session for the EBS user linked to the SSO
authenticated Oracle Internet Directory user.

Step 8. Finally the user is redirected to the original URL and the requested resource is returned.

If Oracle E-Business Suite fails to identify a linked user for the Oracle Directory Services user, the user is redirected
to the linking page so that he may map his unlinked Oracle Directory Services user account to his Oracle E-
Business Suite username. Once this mapping is done, the originally requested resource is returned with a valid
authenticated Oracle E-Business Suite user session. All subsequent requests for Oracle E-Business Suite resources
are then returned directly to the user as long as the user session remains valid.

Figure 2: Integration with Oracle Access Manager and mod_osso

3.2 How the Oracle Single Sign-On Server (OSSO) Integration Works

This architecture is only supported with Oracle Internet Directory as the Oracle Directory Service.

Oracle’s previous single sign-on solution for Oracle E-Business Suite customers was integration with Oracle Single Sign-On
10gR3, accomplished by following My Oracle Support Knowledge Document 376811.1 (Integrating Oracle E-Business Suite
Release 12 with Oracle Internet Directory and Oracle Single Sign-On).

When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource, the user is directed to the
Oracle Single Sign-On server by mod_osso in the Oracle E-Business Suite OHS.

The Single Sign-On server looks for its cookie in the browser. If it finds none, it tries to authenticate the user with a user name
and password. If authentication is successful, the Single Sign-On server creates a cookie in the browser as a reminder that the
user has been authenticated. If a cookie exists, the Single Sign-On server will authenticate using the cookie.

The Single Sign-On server returns the user's encrypted information to mod_osso. Mod_osso creates its own cookie for the user
in the browser and redirects the user to the requested URL.

Premier Support for Oracle Single Sign-On ended on December 31, 2011. Oracle Single Sign-On is now in Extended Support. To
find out more about the support policies of these products, refer to: Oracle Software Technical Support Policies (see item '(g)' on
page 7).

If you are running Oracle E-Business Suite today with Oracle Single Sign-On, you may migrate your Oracle Single Sign-On
partner registrations to Oracle Access Manager 11g with mod_osso.

3.3 Integration with Third-Party Access Management Systems and LDAP Directories

Oracle E-Business Suite single sign-on solutions support integration with third-party access management systems and LDAP
directories; this integration is depicted in Figure 3. With third-party access management systems integration, the Oracle E-
Business Suite Application Server delegates user authentication to Oracle Access Manager or Oracle Single Sign-On which then
delegates user authentication to the third-party access management system.

There are numerous dependencies on Oracle Access Manager and Oracle Directory Services in a single sign-on solution with
Oracle E-Business Suite. Due to these underlying dependencies, Oracle Access Manager and Oracle Directory Services are
mandatory components of the integration even when integrating with third-party systems.

When integrating with a third-party LDAP, the third-party LDAP synchronizes user attributes with Oracle Directory Services which
synchronizes user attributes with the Oracle E-Business Suite database (FND_USER). The following diagram depicts a third-party
integration architecture with an Oracle Access Manager integration:

Figure 3: Integration with Third-Party Single Sign-On and Third-Party LDAP


Section 4: Choosing a Single Sign-On Solution
We recommend that new single sign-on deployments are performed using the latest certified version of Oracle Access Manager
with Oracle E-Business Suite AccessGate. Oracle E-Business Suite AccessGate integrates with WebGate, which offers the most
robust set of features.

Existing Oracle Single Sign-on (OSSO) customers should also consider upgrading to the latest certified version of Oracle Access
Manager with Oracle E-Business Suite AccessGate. Additional details regarding recommended solutions and
documentation may be found in the Documentation Roadmap section of this document.

When upgrading or migrating you should consider the following points:

Currently Oracle Access Manager 11gR1 and 11gR2 support two types of agents for integration: OAM Agents (WebGates),
and OSSO Agents (mod_osso). Oracle E-Business Suite integration with Oracle Access Manager supports both types of
agents. Using OAM Agents (WebGates) is Oracle’s strategic single sign-on integration. OSSO Agents (mod_osso) are still
supported as legacy agents, but these are planned to be de-supported in future releases. For more information on the
two types of agents, refer to the section Introduction to Agents and Registration in the Oracle Fusion Middleware
Administrator's Guide for Oracle Access Management 11g Release 2.

If you are running Oracle E-Business Suite with Oracle Access Manager 10gR3, there is an option to migrate to Oracle
Access Manager 11gR2; however, when integrating with Oracle E-Business Suite it is also necessary to upgrade to the
latest version of Oracle E-Business Suite AccessGate. It is therefore recommended to install OAM 11gR2 and integrate
that with Oracle E-Business Suite using the latest version of Oracle E-Business Suite AccessGate, as documented in My
Oracle Support Knowledge Document 1484024.1 Integrating Oracle E-Business Suite Release 12 with Oracle Access
Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate.

Section 5: Documentation Roadmap


Determine which My Oracle Support documentation to follow based on your current Oracle E-Business Suite version and your
choice in the above section Choosing a Single Sign-On Solution.

Figure 4: Documentation Roadmap


Section 6: Reference Architecture
Architecture diagrams can be physical diagrams or logical diagrams. Physical diagrams are designed to depict the physical layout
of the environment, including the number of servers and their names. The actual number of servers needed for your deployment
will depend on your specific environment.


In contrast, logical diagrams are intended to assist with understanding the various components and services of an environment.
They are not meant to denote the number of physical servers required for a particular environment, because the various logical
components can be combined and installed on a single server.

There are a number of configurations with numerous certified versions that are available for deploying an Oracle E-Business
Suite single sign-on solution. The following diagram is a logical reference architecture diagram for Release 12 and Release 11i
single sign-on solutions.

Figure 5: Oracle E-Business Suite Release 12 single sign-on Reference Architecture

With Oracle E-Business Suite Release 12.2, single sign-on integration is simplified. Both WebGate 11g and Oracle E-Business
Suite AccessGate are automatically installed and configured on your Oracle E-Business Suite Release 12.2 application tier server
node, and so are not shown on the diagram.

Figure 6: Oracle E-Business Suite Release 12.2 single sign-on Reference Architecture

*Oracle E-Business Suite Release 12.2.5 and later supports Oracle Unified Directory as
the Directory Service.

Change Log

Date                Description
Jul 30, 2018        Updated for OAM 12c.
June 23, 2016       Corrected links in Documentation Roadmap.
December 10, 2015   Updated to include MOS Note 2045154.1.
December 9, 2015    Updated to include Oracle Unified Directory 11.1.2.3.
June 28, 2015       Updated for Oracle E-Business Suite Release 12.2.5.
September 17, 2013  Updated the Documentation Roadmap for Oracle E-Business Suite Release 12.2.
                    Added Figure 6 - Oracle E-Business Suite Release 12.2 single sign-on Reference Architecture
                    diagram.
August 13, 2013     Updated the Documentation Roadmap for clarification.
                    Updated Section 4 to clarify mod_osso agents and webgate agents usage.
May 9, 2013         Added a link to OAM 11gR1 PS1 (11.1.1.7.0) Document for Oracle E-Business Suite Release 12 in
                    the Documentation Roadmap.
March 15, 2013      Consolidated the Reference Architecture Diagrams into a single diagram for Oracle E-Business Suite
                    Release 11i and 12.
                    Added a link to OAM 11gR2 Document for Oracle E-Business Suite Release 11i in the Documentation
                    Roadmap.
August 21, 2012     Added links to OAM 11gR2 My Oracle Support documents.
August 13, 2012     Removed Tables detailing the OAM patches certified with Oracle E-Business Suite, as these are
                    documented in the relevant OAM Integration MOS Documents directly.
April 23, 2012      Initial Creation.

Knowledge Document 1388152.1 by Oracle E-Business Suite Development


Copyright© 2012, 2018 Oracle
