Overview of Single Sign-On Integration Options for Oracle E-Business Suite (Doc ID 1388152.1)

June 5, 2016 | Author: rsulliv1 | Category: N/A

7/15/2014

Document 1388152.1

Overview of Single Sign-On Integration Options for Oracle E-Business Suite (Doc ID 1388152.1) Modified: 15-Oct-2013

Type: HOWTO

The most current version of this document can be obtained through My Oracle Support Knowledge Document 1388152.1. There is a change log at the end of this document.

In this Document

Section 1: Introduction
Section 2: Single Sign-On Concepts
Section 3: Overview of Single Sign-On Integration Options for Oracle E-Business Suite
3.1 How the Oracle Access Manager Integration Works
3.2 How the Oracle Single Sign-On Server (OSSO) Integration Works
3.3 Integration with Third-Party Access Management Systems and LDAP Directories
Section 4: Choosing a Single Sign-On Solution
Section 5: Documentation Roadmap
Section 6: Reference Architecture

Section 1: Introduction

This document provides an overview of the options for integrating Oracle E-Business Suite with Oracle Identity Management products.

Section 2: Single Sign-On Concepts

Authentication is the process by which you verify that someone is who they claim to be. Usually this involves a username and a password. An unauthenticated user is one who has not yet provided credentials in the form of a username and password. Authorization is the process of determining whether the person, once identified, is permitted to have access to the resource. This is usually determined by finding out if that person is part of a particular group. Oracle E-Business Suite single sign-on integrations allow for seamless authentication to multiple systems with one user ID and password.

One reason to consider a single sign-on integration for your Oracle E-Business Suite environment is to provide a single login account for Oracle E-Business Suite and other applications in your environment. For example, you may choose to deploy a single sign-on solution that integrates with other Applications Unlimited Products including PeopleSoft and JD Edwards, and Fusion Middleware Tools such as Oracle Business Intelligence Enterprise Edition (OBIEE) and Discoverer.

Oracle E-Business Suite single sign-on integrations support deployments with third-party LDAP systems as well as third-party single sign-on systems. Integrating with your company's corporate solution for single sign-on and identity management is another reason to consider this integration. Additional information regarding third-party LDAP integrations is described in the Integration with Third-Party Access Management Systems and LDAP Directory Services section.

Section 3: Overview of Single Sign-On Integration Options for Oracle E-Business Suite

Oracle has two single sign-on solutions, Oracle Access Manager and Oracle Single Sign-On Server (OSSO). Oracle Access Manager is the preferred solution and forms the basis of Oracle Fusion Middleware. Premier Support for Oracle Single Sign-On ended on December 31, 2011, and all Oracle Single Sign-On users should migrate to Oracle Access Manager. Oracle Single Sign-On Server (OSSO) is no longer actively developed, and will not be ported to Oracle WebLogic Server.

Architecturally, the single sign-on solutions with Oracle Access Manager or Oracle Single Sign-On are very similar. Both solutions authenticate a user by verifying credentials against a user directory. The directory service for both solutions is Oracle Internet Directory. Oracle Internet Directory and Oracle E-Business Suite user information in FND_USER is synchronized by synchronization events raised based on the Business Event System.

Both solutions also support integration with third-party access management and LDAP systems. Oracle E-Business Suite is not certified to function directly with third-party access management products or third-party LDAP products. Due to dependencies in the integration, Oracle Access Manager and Oracle Internet Directory are mandatory components when integrating with third-party access management systems or third-party LDAP directories. Additional information regarding third-party integrations is described in the Integration with Third-Party Access Management Systems and LDAP Directory Services section.

3.1 How the Oracle Access Manager Integration Works

Integration with Oracle Access Manager 11g is achieved through agents, and integration with Oracle E-Business Suite can be performed using one of two methods:

Method 1: Uses the WebGate agent, in conjunction with Oracle E-Business Suite AccessGate. This method is described in detail in Section 3.1.1.
Method 2: Uses the mod_osso agent, and is only for users upgrading from Oracle Single Sign-On Server 10gR3. This method is described in detail in Section 3.1.2.

3.1.1 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with WebGate and Oracle E-Business Suite AccessGate

Oracle Access Manager WebGate is a component of Oracle Access Manager that intercepts HTTP requests and redirects them to the Oracle Access Manager server to determine if and how the resources are allowed to be accessed, and to authenticate the current user if authentication is required. If Oracle Access Manager is already deployed in the environment, an existing WebGate can be configured for this purpose.

The integration with WebGate and Oracle E-Business Suite AccessGate is depicted in Figure 1 and detailed in the following steps:

Steps 1 and 2. When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource, the user is directed to the Oracle E-Business Suite AccessGate application. Oracle E-Business Suite AccessGate is a Java EE application responsible for mapping a single sign-on user to an Oracle E-Business Suite user, and creating the Oracle E-Business Suite session for the user. This application is deployed to a WebLogic Server instance, and is separate from Oracle E-Business Suite.

Steps 3 and 4. Oracle E-Business Suite AccessGate is protected by the Oracle Access Manager server, so the authentication request is rerouted to a separate HTTP Server on which a WebGate is installed.

Steps 5, 6 and 7. Once a user is initially authenticated by Oracle Access Manager, the request for a resource - along with the credentials returned by the Oracle Access Manager server - is picked up by Oracle E-Business Suite AccessGate.

Steps 8 and 9. If the Access Server credentials are valid, this application connects to the Oracle E-Business Suite database in order to link the Oracle Internet Directory (OID) user to an Oracle E-Business Suite user.

If Oracle E-Business Suite fails to identify a linked user for the Oracle Internet Directory user, the user is redirected to the linking page so that he may map his unlinked Oracle Internet Directory user account to his Oracle E-Business Suite username. Once this mapping is done, the originally requested resource is returned with a valid authenticated Oracle E-Business Suite user session. All subsequent requests for Oracle E-Business Suite resources are then returned directly to the user as long as the user session remains valid.


Figure 1: Integration with WebGate and Oracle E-Business Suite AccessGate

NOTE: Each Oracle E-Business Suite instance requires its own deployment of the Oracle E-Business Suite AccessGate application. Oracle E-Business Suite AccessGate must be installed and configured in the same Internet domain as the Oracle E-Business Suite middle tier servers. If different physical hosts and domains are used for the components, the entry points must be configured to use the same domain; for example, by using a reverse proxy. This is because several Oracle E-Business Suite domain cookies are shared among the middle tiers and the Oracle E-Business Suite AccessGate server.

3.1.2 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with mod_osso

The integration with Oracle Access Manager and mod_osso is depicted in Figure 2 and detailed in the following steps:

Steps 1 and 2. When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource, the user is directed to the Oracle Access Manager 11g Server by mod_osso in the Oracle E-Business Suite OHS.

Step 3. Oracle Access Manager 11g Server validates the Oracle Access Manager session (in the OAM_ID cookie, if the cookie exists); finding none (for a first-time login), it displays the Oracle Access Manager SSO login page.

Step 4. The user submits their credentials and the Oracle Access Manager 11g Server validates those against Oracle Internet Directory.

Step 5. Oracle Access Manager 11g Server creates the Oracle Access Manager session (OAM_ID cookie) and redirects back to /osso_login_success on the Oracle E-Business Suite tier (i.e. http(s)://.:/osso_login_success, the Success URL as defined for the Oracle Single Sign-On Agent).

Step 6. Mod_osso in the Oracle E-Business Suite OHS creates the OHS-ID cookies and sets Oracle Single Sign-On HTTP Server variables for reference by Oracle E-Business Suite.

Step 7. Oracle E-Business Suite then creates an application session for the EBS user linked to the SSO authenticated Oracle Internet Directory user.

Step 8. Finally, the user is redirected to the original URL and the requested resource is returned.

If Oracle E-Business Suite fails to identify a linked user for the Oracle Internet Directory user, the user is redirected to the linking page so that he may map his unlinked Oracle Internet Directory user account to his Oracle E-Business Suite username. Once this mapping is done, the originally requested resource is returned with a valid authenticated Oracle E-Business Suite user session. All subsequent requests for Oracle E-Business Suite resources are then returned directly to the user as long as the user session remains valid.

Figure 2: Integration with Oracle Access Manager and mod_osso
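
The NOTE in Section 3.1.1 requires the AccessGate and middle tier entry points to share one Internet domain because domain cookies are shared between them. The following check is an added example, not part of the Oracle note: it applies the domain-match rule browsers use for cookies (RFC 6265) to a list of entry-point URLs. The cookie domain, host names and ports are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 (section 5.1.3) domain-match of a host against a cookie Domain."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if not host or not domain:
        return False
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal never matches a parent domain
    except ValueError:
        pass
    # The suffix must start at a label boundary: "notexample.com" != "example.com".
    return host.endswith("." + domain)


def check_entry_points(cookie_domain: str, entry_points: dict) -> dict:
    """Return {component: problem} for entry points a browser would not send the cookie to."""
    problems = {}
    for name, url in entry_points.items():
        host = urlsplit(url).hostname
        if host is None:
            problems[name] = "no host in URL"
        elif not domain_matches(host, cookie_domain):
            problems[name] = f"{host} is outside {cookie_domain}"
    return problems


# Constructed sample values (hypothetical hosts and ports, not from the Oracle note).
COOKIE_DOMAIN = ".example.com"
SAME_DOMAIN = {
    "ebs_middle_tier": "https://ebs.example.com:4443/",
    "accessgate": "https://accessgate.example.com:7002/",
}
SPLIT_DOMAIN = {
    "ebs_middle_tier": "https://ebs.example.com:4443/",
    "accessgate": "https://accessgate.example.net:7002/",  # different domain
    "accessgate_by_ip": "https://10.0.0.5:7002/",          # reached by IP address
    "boundary_case": "https://ebs.notexample.com/",        # suffix, but not a label boundary
}

if __name__ == "__main__":
    print(check_entry_points(COOKIE_DOMAIN, SAME_DOMAIN))
    for name, problem in check_entry_points(COOKIE_DOMAIN, SPLIT_DOMAIN).items():
        print(f"{name}: {problem}")
```

When a reverse proxy fronts the components, the URL to check is the proxy's externally visible entry point, since that is the host the browser evaluates the cookie against.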

3.2 How the Oracle Single Sign-On Server (OSSO) Integration Works

Oracle’s previous single sign-on solution for Oracle E-Business Suite customers was integration with Oracle Single Sign-On 10gR3, accomplished by following My Oracle Support Knowledge Document 376 (Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On).

When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource, the user is directed to the Oracle Single Sign-On server by mod_osso in the Oracle E-Business Suite OHS.

The Single Sign-On server looks for its cookie in the browser. If it finds none, it tries to authenticate the user with a user name and password. If authentication is successful, the Single Sign-On server creates a cookie in the browser as a reminder that the user has been authenticated. If a cookie exists, the Single Sign-On server will authenticate using the cookie. The Single Sign-On server returns the user's encrypted information to mod_osso. Mod_osso creates its own cookie for the user in the browser and redirects the user to the requested URL.

Premier Support for Oracle Single Sign-On ended on December 31, 2011. Oracle Single Sign-On is now in Extended Support. To find out more about the support policies of these products, refer to: Technical Support Policies (see item '(g)' on page 7).

If you are running Oracle E-Business Suite today with Oracle Single Sign-On, you may migrate your Oracle Single Sign-On partner registrations to Oracle Access Manager 11g with mod_osso.

3.3 Integration with Third-Party Access Management Systems and LDAP Directories

Oracle E-Business Suite single sign-on solutions support integration with third-party access management systems and LDAP directories; this integration is depicted in Figure 3. With third-party access management systems integration, the Oracle E-Business Suite Application Server delegates user authentication to Oracle Access Manager or Oracle Single Sign-On, which then delegates user authentication to the third-party access management system.

There are numerous dependencies on Oracle Access Manager and Oracle Internet Directory in a single sign-on solution with Oracle E-Business Suite. Due to these underlying dependencies, Oracle Access Manager and Oracle Internet Directory are mandatory components of the integration even when integrating with third-party systems.

When integrating with a third-party LDAP, the third-party LDAP synchronizes user attributes with Oracle Internet Directory, which synchronizes user attributes with the Oracle E-Business Suite database. The following diagram depicts a third-party integration architecture with an Oracle Access Manager integration:

Figure 3: Integration with Third-Party Single Sign-On and Third-Party LDAP

Section 4: Choosing a Single Sign-On Solution

We recommend that new single sign-on deployments are performed using the latest certified version of Oracle Access Manager with Oracle E-Business Suite AccessGate. Oracle E-Business Suite AccessGate integrates with WebGate, which offers the most robust set of features.

Existing Oracle Single Sign-On (OSSO) customers should also consider upgrading to the latest certified version of Oracle Access Manager with Oracle E-Business Suite AccessGate. Additional details regarding the recommended solutions and documentation may be found in the Documentation Roadmap section of this document.

When upgrading or migrating you should consider the following points:

Currently Oracle Access Manager 11gR1 and 11gR2 support two types of agents for integration: OAM Agents (WebGates), and OSSO Agents (mod_osso). Oracle E-Business Suite integration with Access Manager supports both types of agents. Using OAM Agents (WebGates) is Oracle’s strategic single sign-on integration. OSSO Agents (mod_osso) are still supported as legacy agents, but they are planned to be de-supported in future releases. For more information on the two types of agents, refer to the section Introduction to Agents and Registration in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management 11g Release 2.

If you are running Oracle E-Business Suite with Oracle Access Manager 10gR3, there is an option to migrate to Oracle Access Manager 11gR2; however, when integrating with Oracle E-Business Suite it is necessary to upgrade to the latest version of Oracle E-Business Suite AccessGate. It is therefore recommended to install OAM 11gR2 and integrate that with Oracle E-Business Suite using the latest Oracle E-Business Suite AccessGate, as documented in My Oracle Support Knowledge Document 1484024.1 Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR2 (11 Oracle E-Business Suite AccessGate.

Section 5: Documentation Roadmap

Determine which My Oracle Support documentation to follow based on your current Oracle E-Business Suite version and your choice in the above section Choosing a Single Sign-On Solution.

Figure 4: Documentation Roadmap

Section 6: Reference Architecture

Architecture diagrams can be physical diagrams or logical diagrams. Physical diagrams are designed to depict the physical layout of the environment, including the number of servers and their names. The number of servers needed for your deployment will depend on your specific environment.

In contrast, logical diagrams are intended to assist with understanding the various components and services of an environment. They are not meant to denote the number of physical servers required for the environment, because the various logical components can be combined and installed on a single server.

There are a number of configurations with numerous certified versions that are available for deploying an Oracle E-Business Suite single sign-on solution. The following diagram is a logical reference diagram for Release 12 and Release 11i single sign-on solutions.


Figure 5: Oracle E-Business Suite Release 12 single sign-on Reference Architecture

With Oracle E-Business Suite Release 12.2, single sign-on integration is simplified. Both WebGate 11g and Oracle E-Business Suite AccessGate are automatically installed and configured on your Oracle E-Business Suite Release 12.2 application tier server node, and so are not shown on the diagram.

Figure 6: Oracle E-Business Suite Release 12.2 single sign-on Reference Architecture

Change Log Date September 17, 2013

August 13, 2013

Description Updated the Documentation Roadmap for Oracle E-Business Suite Release 12.2. Added Figure 6 - Oracle E-Business Suite Release 12.2 single sign-on Reference Architecture diagram.

Updated the Documentation Roadmap for clarification.

Updated Section 4 to clarify mod_osso agents and webgate agents usage.

May 9, 2013

March 15, 2013

August 21, 2012

August 13, 2012

April 23, 2012

Added a link to OAM 11gR1 PS1 (11.1.1.7.0) Document for Oracle E-Business Suite Release 12 in the Documentation Roadmap.

Consolidated the Reference Architecture Diagrams into a single diagram for Oracle E-Business Suite Release 11i and 12. Added a link to OAM 11gR2 Document for Oracle E-Business Suite Release 11i in the Documentation Roadmap.

Added links to OAM 11gR2 My Oracle Support documents.

Removed Tables detailing the OAM patches certified with Oracle E-Business Suite, as these are documented in the relevant OAM Integration MOS Documents directly.

Initial Creation.

Knowledge Document 1388152.1 by Oracle E-Business Suite Development Copyright © 2012 Oracle
