
11/10/2014 Document 1388152.


Overview of Single Sign-On Integration Options for Oracle E-Business Suite (Doc ID 1388152.1)

The most current version of this document can be obtained through My Oracle Support Knowledge Document 1388152.1.

There is a change log at the end of this document.


Type: HOWTO
Status: PUBLISHED
Last Major Update: 16-Oct-2013
Last Update: 16-Oct-2013

In this Document

Section 1: Introduction
Section 2: Single Sign-On Concepts
Section 3: Overview of Single Sign-On Integration Options for Oracle E-Business Suite
3.1 How the Oracle Access Manager Integration Works
3.2 How the Oracle Single Sign-On Server (OSSO) Integration Works
3.3 Integration with Third-Party Access Management Systems and LDAP Directories
Section 4: Choosing a Single Sign-On Solution
Section 5: Documentation Roadmap
Section 6: Reference Architecture

Section 1: Introduction

This document provides an overview of the options for integrating Oracle E-Business Suite with Oracle Identity Management
products.

Section 2: Single Sign-On Concepts

Authentication is the process by which you verify that someone is who they claim to be. Usually this involves a username and a
password. An unauthenticated user is one who has not yet provided credentials in the form of a username and password.
Authorization is the process of determining whether the person, once identified, is permitted to have access to the resource. This
is usually determined by finding out if that person is part of a particular group. Oracle E-Business Suite single sign-on integrations
allow for seamless authentication to multiple systems with one user id and password.

One reason to consider a single sign-on integration for your Oracle E-Business Suite environment is to provide a single login
account for Oracle E-Business Suite and other applications in your environment. For example, you may choose to deploy a single
sign-on solution that integrates with other Applications Unlimited Products including PeopleSoft and JD Edwards and Fusion
Middleware Tools such as Oracle Business Intelligence Enterprise Edition (OBIEE) and Discoverer.

Oracle E-Business Suite single sign-on integrations support deployments with third-party LDAP systems as well as third-party
single sign-on systems. Integrating with your company's corporate solution for single sign-on and identity management is another
reason to consider this integration. Additional information regarding third-party LDAP integrations is described in the Integration
with Third-Party Access Management Systems and LDAP Directory Services section.
Section 3: Overview of Single Sign-On Integration Options for Oracle E-Business Suite

Oracle has two single sign-on solutions, Oracle Access Manager and Oracle Single Sign-On Server (OSSO). Oracle Access
Manager is the preferred solution and forms the basis of Oracle Fusion Middleware 11g. Premier Support for Oracle Single Sign-
On ended on December 31, 2011, and all Oracle Single Sign-On users should migrate to Oracle Access Manager. Oracle Single
Sign-on Server (OSSO) is no longer being actively developed, and will not be ported to Oracle WebLogic Server.

Architecturally, the single sign-on solutions with Oracle Access Manager or Oracle Single Sign-on are very similar. Both solutions
authenticate a user by verifying credentials against a user directory. The user directory service for both solutions is Oracle
Internet Directory. Oracle Internet Directory and Oracle E-Business Suite user information in FND_USER is synchronized by
synchronization events raised by the Workflow-based Business Event System.

Both solutions also support integration with third-party access management and LDAP systems. Oracle E-Business Suite is
not certified to function directly with third-party Access Management products or third-party LDAP products. Due to dependencies
in the integration, Oracle Access Manager and Oracle Internet Directory are mandatory components when integrating with third-
party access management systems and third-party LDAP directories. Additional information regarding third-party integrations is
described in the Integration with Third-Party Access Management Systems and LDAP Directory Services section.

3.1 How the Oracle Access Manager Integration Works

Integration with Oracle Access Manager 11g is achieved through agents and integration with Oracle E-Business Suite can be
performed using one of two methods:

Method 1: Uses the WebGate agent, in conjunction with Oracle E-Business Suite AccessGate. This method is described in
detail in Section 3.1.1.

Method 2: Uses the mod_osso agent, and is only for users upgrading from Oracle Single Sign-On Server 10gR3. This
method is described in detail in Section 3.1.2.

3.1.1 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with WebGate and Oracle E-Business Suite AccessGate

Oracle Access Manager WebGate is a component of Oracle Access Manager that intercepts HTTP requests and redirects them to
the Oracle Access Manager server to determine if and how the resources are allowed to be accessed, and to authenticate the
current user if authentication is required. If Oracle Access Manager is already deployed in the environment, an existing WebGate
can be configured for this purpose.

The integration with WebGate and Oracle E-Business Suite AccessGate is depicted in Figure 1 and detailed in the following
steps:

Steps 1 and 2. When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource,
the user is directed to the Oracle E-Business Suite AccessGate application.

Oracle E-Business Suite AccessGate is a Java EE application responsible for mapping a single sign-on user to an
Oracle E-Business Suite user, and creating the Oracle E-Business Suite session for that user. This application is
deployed to a WebLogic Server instance, and is separate from Oracle E-Business Suite.

Steps 3 and 4. Oracle E-Business Suite AccessGate is protected by the Oracle Access Manager server, so the
authentication request is rerouted to a separate HTTP Server on which a WebGate is installed.

Oracle Access Manager WebGate is a component of Oracle Access Manager that intercepts HTTP requests and
redirects them to the Oracle Access Manager server to determine if and how the resources are allowed to be
accessed, and to authenticate the current user if authentication is required. If Oracle Access Manager is already
deployed in the environment, an existing WebGate can be configured for this purpose.

Steps 5, 6 and 7. Once a user is initially authenticated by Oracle Access Manager, the request for a resource,
along with the credentials returned by the Oracle Access Manager server, is picked up by Oracle E-Business
Suite AccessGate.

Steps 8 and 9. If the Access Server credentials are valid, this application connects to the Oracle E-Business Suite
database in order to link the Oracle Internet Directory (OID) user to an Oracle E-Business Suite user. If Oracle E-
Business Suite fails to identify a linked user for the Oracle Internet Directory user, the user is redirected to the
linking page so that he may map his unlinked Oracle Internet Directory user account to his Oracle E-Business Suite
username. Once this mapping is done, the originally requested resource is returned with a valid authenticated
Oracle E-Business Suite user session.

All subsequent requests for Oracle E-Business Suite resources are then returned directly to the user as long as the
user session remains valid.

Figure 1: Integration with WebGate and Oracle E-Business Suite AccessGate

NOTE: Each Oracle E-Business Suite instance requires its own deployment of the Oracle E-Business Suite AccessGate
application. Oracle E-Business Suite AccessGate must be installed and configured in the same Internet domain as the Oracle E-
Business Suite middle tier servers. If different physical hosts and domains are used for the components, the entry points must be
configured to use the same domain; for example, using a reverse proxy. This is because several Oracle E-Business Suite domain
cookies are shared among the middle tiers and the Oracle E-Business Suite AccessGate server.
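
The same-domain requirement in this note can be checked before deployment. The following is an added example, not Oracle's code: it applies RFC 6265 domain matching to test whether a domain cookie would be sent to both the Oracle E-Business Suite entry point and the AccessGate entry point. The hostnames, the function names and the `cookie_domain` input are constructed for illustration, and the two-label minimum is a simplification that stands in for a real public-suffix check.

```python
import ipaddress
from urllib.parse import urlsplit


def entry_host(url):
    """Return the lower-cased host of an entry-point URL (ports do not scope cookies)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def is_ip(host):
    """True when the host is an IP literal, which can never share a domain cookie."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: the host equals the cookie domain or is a subdomain of it."""
    cookie_domain = cookie_domain.strip(".").lower()
    if host == cookie_domain:
        return True
    # The leading dot stops 'badexample.com' from matching 'example.com'.
    return not is_ip(host) and host.endswith("." + cookie_domain)


def shared_cookie_domain(ebs_url, accessgate_url, min_labels=2):
    """Return the narrowest domain both entry points have in common, or None."""
    a, b = entry_host(ebs_url), entry_host(accessgate_url)
    if is_ip(a) or is_ip(b):
        return a if a == b else None
    common = []
    for x, y in zip(a.split(".")[::-1], b.split(".")[::-1]):
        if x != y:
            break
        common.append(x)
    # Assumption: fewer than min_labels labels means only a public suffix is shared.
    if len(common) < min_labels:
        return None
    return ".".join(reversed(common))


def check_entry_points(ebs_url, accessgate_url, cookie_domain):
    """Return findings; an empty list means the cookie reaches both entry points."""
    findings = []
    for label, url in (("EBS", ebs_url), ("AccessGate", accessgate_url)):
        host = entry_host(url)
        if not domain_match(host, cookie_domain):
            findings.append(f"{label} host {host} is outside cookie domain {cookie_domain}")
    return findings


if __name__ == "__main__":
    # Constructed entry points: different hosts and ports, same parent domain.
    ebs = "https://ebs.example.com:4443/"
    gate = "https://accessgate.example.com:7004/"
    print(shared_cookie_domain(ebs, gate))
    print(check_entry_points(ebs, "https://accessgate.example.net/", ".example.com"))
```

When `shared_cookie_domain` returns `None`, the entry points need to be brought under one domain, for example with the reverse proxy the note mentions.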

3.1.2 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with mod_osso

The integration with Oracle Access Manager and mod_osso is depicted in Figure 2 and detailed in the following steps:

Steps 1 and 2. When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource,
the user is directed to the Oracle Access Manager 11g Server by mod_osso in the Oracle E-Business Suite OHS.

Step 3. Oracle Access Manager 11g server validates the Oracle Access Manager session (in the OAM_ID cookie, if
the cookie exists); finding none (for a first-time login), it displays the Oracle Access Manager SSO login page.

Step 4. The user submits their credentials and the Oracle Access Manager 11g Server validates those against
Oracle Internet Directory.

Step 5. Oracle Access Manager 11g Server creates the Oracle Access Manager session (OAM_ID cookie) and
redirects back to /osso_login_success on the Oracle E-Business Suite tier (i.e.
http(s)://<EBSHostname>.<Domain_Name>:<EBS_OHS_Port>/osso_login_success, the Success URL as defined for the
Oracle Single Sign-On Agent).

Step 6. Mod_osso in the Oracle E-Business Suite OHS creates the OHS-ID cookies and sets Oracle Single Sign-On
HTTP Server variables for reference by Oracle E-Business Suite.

Step 7. Oracle E-Business Suite then creates an application session for the EBS user linked to the SSO
authenticated Oracle Internet Directory user.

Step 8. Finally the user is redirected to the original URL and the requested resource is returned.

If Oracle E-Business Suite fails to identify a linked user for the Oracle Internet Directory user, the user is redirected
to the linking page so that he may map his unlinked Oracle Internet Directory user account to his Oracle E-Business
Suite username. Once this mapping is done, the originally requested resource is returned with a valid authenticated
Oracle E-Business Suite user session. All subsequent requests for Oracle E-Business Suite resources are then
returned directly to the user as long as the user session remains valid.

Figure 2: Integration with Oracle Access Manager and mod_osso

3.2 How the Oracle Single Sign-On Server (OSSO) Integration Works

Oracle’s previous single sign-on solution for Oracle E-Business Suite customers was integration with Oracle Single Sign-On
10gR3, accomplished by following My Oracle Support Knowledge Document 376811.1 (Integrating Oracle E-Business Suite
Release 12 with Oracle Internet Directory and Oracle Single Sign-On).

When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource, the user is directed to the
Oracle Single Sign-On server by mod_osso in the Oracle E-Business Suite OHS.

The Single Sign-On server looks for its cookie in the browser. If it finds none, it tries to authenticate the user with a user name
and password. If authentication is successful, the Single Sign-On server creates a cookie in the browser as a reminder that the
user has been authenticated. If a cookie exists, the Single Sign-On server will authenticate using the cookie.

The Single Sign-On server returns the user's encrypted information to mod_osso. Mod_osso creates its own cookie for the user in
the browser and redirects the user to the requested URL.

Premier Support for Oracle Single Sign-On ended on December 31, 2011. Oracle Single Sign-On is now in Extended Support. To
find out more about the support policies of these products, refer to: Oracle Software Technical Support Policies (see item '(g)' on
page 7).

If you are running Oracle E-Business Suite today with Oracle Single Sign-On, you may migrate your Oracle Single Sign-On partner
registrations to Oracle Access Manager 11g with mod_osso.


3.3 Integration with Third-Party Access Management Systems and LDAP Directories

Oracle E-Business Suite single sign-on solutions support integration with third-party access management systems and LDAP
directories; this integration is depicted in Figure 3. With third-party access management systems integration, the Oracle E-
Business Suite Application Server delegates user authentication to Oracle Access Manager or Oracle Single Sign-On, which then
delegates user authentication to the third-party access management system.

There are numerous dependencies on Oracle Access Manager and Oracle Internet Directory in a single sign-on solution with
Oracle E-Business Suite. Due to these underlying dependencies, Oracle Access Manager and Oracle Internet Directory are
mandatory components of the integration even when integrating with third-party systems.

When integrating with a third-party LDAP, the third-party LDAP synchronizes user attributes with Oracle Internet Directory which
synchronizes user attributes with the Oracle E-Business Suite database (FND_USER). The following diagram depicts a third-party
integration architecture with an Oracle Access Manager integration:

Figure 3: Integration with Third-Party Single Sign-On and Third-Party LDAP

Section 4: Choosing a Single Sign-On Solution


We recommend that new single sign-on deployments are performed using the latest certified version of Oracle Access Manager
with Oracle E-Business Suite AccessGate. Oracle E-Business Suite AccessGate integrates with WebGate, which offers the most
robust set of features.

Existing Oracle Single Sign-on (OSSO) customers should also consider upgrading to the latest certified version of Oracle Access
Manager with Oracle E-Business Suite AccessGate. Additional details regarding recommended solutions and documentation may
be found in the Documentation Roadmap section of this document.

When upgrading or migrating you should consider the following points:

Currently Oracle Access Manager 11gR1 and 11gR2 support two types of agents for integration: OAM Agents (WebGates),
and OSSO Agents (mod_osso). Oracle E-Business Suite integration with Oracle Access Manager supports both types of
agents. Using OAM Agents (WebGates) is Oracle’s strategic single sign-on integration. OSSO Agents (mod_osso) are still
supported as legacy agents, but these are planned to be de-supported in future releases. For more information on the two
types of agents, refer to the section Introduction to Agents and Registration in the Oracle Fusion Middleware
Administrator's Guide for Oracle Access Management 11g Release 2.

If you are running Oracle E-Business Suite with Oracle Access Manager 10gR3, there is an option to migrate to Oracle
Access Manager 11gR2; however, when integrating with Oracle E-Business Suite it is also necessary to upgrade to the
latest version of Oracle E-Business Suite AccessGate. It is therefore recommended to install OAM 11gR2 and integrate that
with Oracle E-Business Suite using the latest version of Oracle E-Business Suite AccessGate, as documented in My Oracle
Support Knowledge Document 1484024.1 Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager
11gR2 (11.1.2) using Oracle E-Business Suite AccessGate.

Section 5: Documentation Roadmap


Determine which My Oracle Support documentation to follow based on your current Oracle E-Business Suite version and your
choice in the above section Choosing a Single Sign-On Solution.


Figure 4: Documentation Roadmap

Section 6: Reference Architecture


Architecture diagrams can be physical diagrams or logical diagrams. Physical diagrams are designed to depict the physical layout
of the environment, including the number of servers and their names. The actual number of servers needed for your deployment
will depend on your specific environment.

In contrast, logical diagrams are intended to assist with understanding the various components and services of an environment.
They are not meant to denote the number of physical servers required for a particular environment, because the various logical
components can be combined and installed on a single server.

There are a number of configurations with numerous certified versions that are available for deploying an Oracle E-Business
Suite single sign-on solution. The following diagram is a logical reference architecture diagram for Release 12 and Release 11i
single sign-on solutions.

Figure 5: Oracle E-Business Suite Release 12 single sign-on Reference Architecture

With Oracle E-Business Suite Release 12.2, single sign-on integration is simplified. Both WebGate 11g and Oracle E-Business
Suite AccessGate are automatically installed and configured on your Oracle E-Business Suite Release 12.2 application tier server
node, and so are not shown on the diagram.

Figure 6: Oracle E-Business Suite Release 12.2 single sign-on Reference Architecture

Change Log

Date: Description

September 17, 2013: Updated the Documentation Roadmap for Oracle E-Business Suite Release 12.2. Added Figure 6 - Oracle
E-Business Suite Release 12.2 single sign-on Reference Architecture diagram.

August 13, 2013: Updated the Documentation Roadmap for clarification. Updated Section 4 to clarify mod_osso agents and
webgate agents usage.

May 9, 2013: Added a link to OAM 11gR1 PS1 (11.1.1.7.0) Document for Oracle E-Business Suite Release 12 in the
Documentation Roadmap.

March 15, 2013: Consolidated the Reference Architecture Diagrams into a single diagram for Oracle E-Business Suite
Release 11i and 12. Added a link to OAM 11gR2 Document for Oracle E-Business Suite Release 11i in the Documentation
Roadmap.

August 21, 2012: Added links to OAM 11gR2 My Oracle Support documents.

August 13, 2012: Removed Tables detailing the OAM patches certified with Oracle E-Business Suite, as these are
documented in the relevant OAM Integration MOS Documents directly.

April 23, 2012: Initial Creation.

Knowledge Document 1388152.1 by Oracle E-Business Suite Development


Copyright © 2012 Oracle

Related Products: Oracle E-Business Suite > Applications Technology > Technology Components > Oracle Applications Technology Stack > OID SSO Technologies
