Glad to be presenting at UKOUG APPS14 with Atul Kumar on “Oracle E-Business Suite integration with Identity and Access Management – Lesson Learnt” on 8th Dec 2014 at Liverpool, UK. Join Us !!! #ukoug_apps14
This post is the 1st in a series giving an overview of Oracle E-Business Suite integration with the following Identity and Access Management products:
1) EBS Integration with OAM
2) EBS integration with OIM
3) Integration of EBS, OIM and GRC for Segregation of duties (SoD)
EBS Integration with OAM for Single Sign On (SSO) using Access Gate
E-Business Suite (EBS) integration with Oracle Access Manager (OAM) for Single Sign-On (SSO) involves integrating EBS with Oracle Internet Directory (OID) for user synchronization, pointing OAM’s identity store to use OID, and delegating EBS authentication to OAM.
The main components involved in a basic EBS-OAM integration are:
OID – Oracle Internet Directory is a Lightweight Directory Access Protocol (LDAP) server that acts as the user store for OAM.
DIP – Directory Integration Platform (DIP) 11g is a J2EE application deployed on WebLogic Server and used for provisioning/synchronization of users/groups across other LDAP servers and applications. DIP consists of two types of engine, Synchronization and Provisioning. The Synchronization component syncs users/groups between OID and other LDAP servers such as Microsoft Active Directory (MS-AD) or IBM Directory Server. Provisioning syncs OID with applications such as EBS, Portal, and Collaboration Suite.
ODSM – Oracle Directory Services Manager (ODSM) is a web application deployed on WebLogic server and used to manage OID using web browser. Using ODSM you can configure/manage OID, and create/delete users/groups.
OAM – Oracle Access Manager is a J2EE application deployed on Weblogic Server and used as Authentication & Authorization Server.
OAM Server consists of
• OAM Server deployed on a WebLogic Managed Server (default port 14100). An OAM-Proxy server runs in the background on default port 5575; agents (WebGates) connect to the OAM-Proxy port.
• OAM Console is a web application deployed on WebLogic Admin Server (default port 7001). OAM Console application is used to manage configuration, and define/manage policies, authentication schemes.
• OAM Configuration is stored in XML file (oam-config.xml) on server and contains all OAM configurations like Server Name, port, Webgate details, and Audit store details.
• OAM Policy Store is a repository (database) which stores policy (details like which URL is protected using what authentication/authorization schemes)
OHS – Oracle HTTP Server is a Web Server from Oracle on which WebGate is deployed. Users are redirected from the EBS Middle Tier to this server for authentication (the URL of this server is configured in the EBS profile option “Application Authentication Agent”). OHS also acts as a proxy to the WebLogic Server on which Oracle E-Business Suite AccessGate (EBS-AG) is deployed, using mod_wl_ohs to forward requests to it.
WebGate – WebGate is a web server plug-in (deployed with a web server such as Apache, OHS or IHS) which intercepts the user’s request and sends it to the Oracle Access Manager Server to check whether the user is authenticated/authorised to access the requested resource.
Oracle E-Business Suite Access Gate– EBS-AG is a Java EE Application that maps a Single Sign-On user (authenticated via OAM) to an Oracle E-Business Suite user (stored in FND_USER table), and creates E-Business Suite session for that user.
High Level User Request Flow in EBS-OAM Integration
1. User accesses the E-Business Suite URL http://<ebs_mid_tier>:<ebs_ohs_port> . EBS checks that the profile option Application SSO Type is set to either Portal w/SSO or SSWA w/SSO (w/SSO signifies that EBS is integrated with a Single Sign-On Server).
2. EBS then checks the value of the profile option Application Authentication Agent (set to http://<ohs_with_wg>:<ohs_with_wg_port>/<context_root>/ , where <context_root> is the value set during E-Business Suite Access Gate deployment) and redirects the user to that URL.
3. WebGate deployed with the OHS server then checks whether any token (cookie) is available in the user session and forwards the request to the OAM server for validation.
4. The OAM server then checks the authentication URL configured for the WebGate (Host:Port or Host Identifier) and redirects the user to the authentication page configured by that URL. The user types username/password on the authentication page, which OAM validates against OAM’s identity store (Oracle Internet Directory). Oracle Internet Directory validates the username and password against the attribute uid (login attribute) and the attribute userPassword (password attribute).
5. On successful authentication OAM forwards the response back to WebGate with the generated cookie.
6. WebGate then redirects the user to E-Business Suite Access Gate (EBS-AG) for user validation or user mapping.
7. E-Business Suite Access Gate takes this user ID and maps/validates it against a user in E-Business Suite (FND_USER).
8. On successful validation the response is returned to WebGate.
9. WebGate forwards the response back to the user.
10. The user, carrying the token/cookie from WebGate/Access Gate, is redirected back to E-Business Suite.
11. The E-Business Suite Middle Tier generates an E-Business Suite specific cookie for the user, and for subsequent requests the user talks directly to Oracle E-Business Suite until explicit logout or timeout.
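As an added illustration (not code from the original post or from Oracle), the following Python models the redirect chain above as a single function so the three failure modes (EBS not in a w/SSO mode, OID rejecting the credentials, and an OAM-authenticated user with no FND_USER mapping) can be seen side by side. The profile option keys, cookie names, FND_USER rows and OID entries are all constructed for the example, and the plaintext password comparison stands in for OAM's LDAP bind against OID.

```python
# Added example: a toy model of the EBS -> WebGate -> OAM -> EBS-AG -> EBS flow.
# Everything below (profile keys, users, cookie names) is constructed for illustration;
# the plaintext password comparison stands in for OAM's LDAP bind against OID.
from dataclasses import dataclass, field

# Constructed EBS profile options; the SSO type must be a "w/SSO" variant for the
# redirect to the Authentication Agent to happen at all.
PROFILE = {
    "Application SSO Type": "SSWA w/SSO",
    "Application Authentication Agent": "https://ohs-wg.example.com:7777/accessgate/",
}
# Constructed FND_USER rows: EBS user name -> OID uid it is linked to.
FND_USER = {"OPERATIONS": "jdoe", "SYSADMIN": "admin"}
# Constructed OID entries: uid -> userPassword (the attributes OAM validates).
OID = {"jdoe": "s3cret", "admin": "oam-admin"}

@dataclass
class Browser:
    """Holds the cookies a user agent carries and the hops it was sent through."""
    cookies: dict = field(default_factory=dict)
    hops: list = field(default_factory=list)

def sso_flow(browser, uid, password, profile=PROFILE):
    """Walk the flow for one request; return an outcome code and record each hop."""
    if not profile["Application SSO Type"].endswith("w/SSO"):
        browser.hops.append("EBS: local FND login (not SSO integrated)")        # step 1
        return "LOCAL_LOGIN"
    browser.hops.append(f"EBS -> {profile['Application Authentication Agent']}")  # step 2
    token = browser.cookies.get("OAMAuthnCookie")                               # step 3
    if token is None:
        browser.hops.append("WebGate -> OAM login page")                        # step 4
        if uid not in OID or OID[uid] != password:                              # uid / userPassword
            return "AUTH_FAILED"
        token = f"oam:{uid}"
        browser.cookies["OAMAuthnCookie"] = token                               # step 5
    sso_uid = token.partition(":")[2]                    # identity comes from the token, not the form
    browser.hops.append("WebGate -> EBS-AG user mapping")                       # step 6
    ebs_user = next((u for u, g in FND_USER.items() if g == sso_uid), None)     # step 7
    if ebs_user is None:
        return "NO_EBS_USER"            # authenticated in OAM but no FND_USER mapping
    browser.cookies["EBS_SESSION"] = f"ebs:{ebs_user}"                          # step 11
    browser.hops.append("EBS-AG -> EBS session created")
    return f"EBS_SESSION:{ebs_user}"
```

A browser that already carries the OAM cookie skips the login hop entirely, which is the single sign-on behaviour the post describes.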
High Level Steps to Integrate Oracle EBS R12 with OAM
1. Install Database for IAM (OID/OAM)
2. Install Oracle Internet Directory (OID)
3. Install Oracle Access Manager (OAM)
4. Integrate OAM with OID
5. Integrate EBS with OID
6. Install Oracle HTTP Server (OHS)
7. Install, deploy and configure WebGate
8. Integrate EBS with OAM
9. Test OAM-EBS Integration
For step-by-step configuration and integration of E-Business Suite with Oracle Access Manager, check out our E-Book “Oracle E-Business R12 integration with OID/OAM for Single Sign-On”.
Notes
1) From R12.2, E-Business Suite has a built-in WebLogic tech stack, so there is no longer a need to install a separate OHS and WebLogic for WebGate and AccessGate. WebGate is deployed on top of the R12.2 OHS 11g home, and AccessGate is deployed as a separate managed server (oaea_server1) on top of the R12.2 WebLogic.
2) Windows Native Authentication (WNA), also known as “Zero Sign On”, can be achieved as an extension of the above configuration by synchronizing users between OID and AD (Active Directory) and configuring OAM with a WNA authentication scheme.
Happy Learning !!!!
Stay Tuned for Part 2- Oracle EBS Integration with OIM- User Reconciliation and Provisioning…