Oracle EBS 12.X Single Sign On (SSO) integration

  1. Summary ==========

Okta Access Gateway / Oracle EBS 12.X Single Sign On (SSO) integration.

In a standard EBS OAM SSO integration, EBS administrator must install and configure the Oracle EBS, OID/OUD, OAM in order to acheive the SSO objective. It is expensive, time consuming and has very limited capability to integrate with the modern cloud based identity providers.

Okta has developed the Access Gateway integration platform, which enables existing EBS SSO infrastructure to be quickly and easily be cloud ready. Now the EBS system admin can use any number of market leading identity provider as the IDP, and provide SSO functionality to the existing EBS users.

  1. Deployment Architecture ==========================

Most of the 30000 EBS customers in the world consists of on premises deployment, which was the only way to run an EBS environment in the past. The newer Oracle offering have started to move the EBS to the cloud, where Oracle can host it either in a private cloud, or even in public cloud.

Hence, in order to facilitate the SSO with an existing EBS environment, we need to address a number of technical issues, ie: Deployment topology, SSO identity provider integration, EBS user repository synchronization.

Lets examine the following 2 common deployment architectures.

  • A single-domain Access Gateway / EBS SSO integration architecture.

EBS122 OUD SSO Architecture SD.png

  • A multi-domain Access Gateway / EBS SSO integration architecture.

EBS122 OUD SSO Architecture.png

In the deployment scenarios shown above, we have eliminated the standard Oracle Access Manager layer, and replaced it with the Okta Access Gateway and a standard cloud based Identity Provider (ie: OKTA, OneLogin or Oracle IDCS), while maintaining the Oracle EBS AccessGate and Oracle OID as the backend services to facilitate the SSO transaction.

A Single-Domain deployment is a very common architecture where the EBS is hosted inhouse, along with the user repository datasource OID/OUD. While a Cross-Domain deployment applies to a more robust hosted EBS environment.

For example, Electronic Arts has its EBS servers hosted in the Oracle Cloud (eaebs.oracleoutsourcing.com), while the OID/OUD (oid1.ea.com) resides internally inside their own datacenter. This is a very common practice where the company wants to retain the user data inhouse, without exposing them in the cloud.

We will look at the difference in the integration process in detail below.

  1. EBS Access Gateway SSO Configuration Steps ========================================

Pre-requisite: EBS 12.X baseline reference installation must be up and running, ready for integration.

The EBS SSO integration process consists the following 3 major steps:

  1. Modify EBS SSO related System Profile attributes and register OID/OUD with EBS.

  2. Oracle AccessGate web application deployment.

  3. Configure Access Gateway with the EBS 12 Application with IDP

3.1. Modify EBS SSO related System Profile attributes and register OID/OUD with EBS.

The purpose of adjusting the EBS system profile and register the OUD with EBS are two folds. First, it enables synchronization between EBS user and the user entries in OID. There are 3 distinct synchronization routes: 1. Bi-directional where user created in EBS will automatically pushed to the OID ldap server, and vise versa. 2. EBS → OID: this is a one way sync, from EBS to OID. 3. OID → EBS: this is a one way sync, from OID to EBS. In addition, the system profile allows a site wide redirect, which is how the SSO process is triggered. When the user tries to access EBS at its base url (ie:

https://ebs1.gateway.info

), EBS server will redirect the user to the pre-defined SSO url if it doesnt detect a valid session. In our integration process, the SSO url would be the Access Gateway EBS application url. *EBS System Profiles involved:* * Application Authentication Agent:

https://ebs121demosso.gateway.info/ebsauth-ebs121demo

- This is the Access Gateway AccessGate URL, where the applicaiton context is "ebsauth-ebs121demo" of the AccessGate web app. * Applications SSO Type: SSWAw/SSO * Applications SSO Auto Link User: Enable * Applications SSO Login Types: Both (This in fact triggers the SSO, once turn off, the SSO user profile change, reset pw locally all work) * Application SSO LDAP Synchronization: Enable * Applications SSO Enable OID Identity Add Event: Enable * Link Applications user with OID user with same username: Enable *EBS OID Registration:* The registration command can only be run after the OID/DIP are installed and configured, as it needs to communicate with the DIP in order to create the necessary synchronization profile *Note:*

OID/DIP installation guide

Here is an output run of the registration process. [source,highlightjs,highlight] ---- ############################################### **We will register the Instance and OID here.** ############################################### [

oracle@ebs121-demo

bin]$ ./txkrun.pl -script=SetSSOReg -registerinstance=yes -infradbhost=oid1.gateway.info -ldapport=3060 -ldapportssl=3131 -ldaphost=oid1.gateway.info -oidadminuser=cn=orcladmin -oidadminuserpass=Password1 -appspass=apps You are registering ORACLE HOME only. *** Log File = /home/ebs121/applmgr/inst/apps/VIS_ebs121-demo/logs/appl/rgf/TXK/txkSetSSOReg_Mon_May_15_17_41_41_2017.xml Beginning input parameter validation for Oracle Home Instance registration. Input parameter validation for Oracle Home Instance registration completed. BEGIN ORACLE HOME INSTANCE REGISTRATION: Oracle Home Instance preferences stored successfully. Oracle Home Instance registered successfully. End of /home/ebs121/applmgr/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/txkSetSSOReg.pl : No Errors encountered [

oracle@ebs121-demo

bin]$ txkrun.pl -script=SetSSOReg -registeroid=yes -ldaphost=oid1.gateway.info -ldapport=3060 -oidadminuser=cn=orcladmin -oidadminuserpass=Password1 -appspass=apps -instpass=Password1 -appname=ebs1213demo -svcname=ebs1213demoOID1 -provisiontype=1 -dbldapauthlevel=0 You are registering this instance with OID Server. *** Log File = /home/ebs121/applmgr/inst/apps/VIS_ebs121-demo/logs/appl/rgf/TXK/txkSetSSOReg_Mon_May_15_17_47_04_2017.xml Beginning input parameter validation for OID registration. Input parameters validation for OID registration completed. BEGIN OID REGISTRATION: Beginning to register Application and Service containers if necessary. Application and Service containers were created successfully if necessary. Beginning to register application in Oracle Internet Directory. Registration of application in Oracle Internet Directory completed successfully. -> LOADING: /home/ebs121/applmgr/apps/apps_st/appl/fnd/12.0.0/admin/template/AppsOIDRegistration.tmp Beginning to register provisioning profile in Oracle Internet Directory. Registration of provisioning profile in Oracle Internet Directory completed successfully. Application is now registered successfully with provisioning in Oracle Internet Directory. End of /home/ebs121/applmgr/apps/apps_st/appl/fnd/12.0.0/patch/115/bin/txkSetSSOReg.pl : No Errors encountered ----

3.2. Oracle AccessGate web application deployment

The Oracle AccessGate (AG) is a web application that can be deployed on a standard Oracle WebLogic Server. In our standard practice, we can install the AG on the same WebLogic domain as the OID is hosted, and we can then managed the OID managed server and the AG managed server via the same WebLogic console.

Deploying AG is a fairly involved process. The main steps are to install a Weblogic Server, create a JDBC datasource that will communicate to the EBS database, deploy the AG web application.

Here is the doc link that shows those steps in detail: Oracle AccessGate Deployment

3.3. Configure Access Gateway with the EBS 12 Application with IDP

Once the AG is successfully deployed, we can proceed to create the Access Gateway AG application. This is a fairly straight forward exerciese, with one important detail: Cookie Domain

As explained above in the architecture section, EBS and the corresponding AG can be hosted on a single cookie domain, or on a different cookie domain. The reason it is extremely import is the fact that for a single domain scenario, the browser can consumer the cookies that were created in AG and forward them to the target EBS. Once EBS server receives the valid cookie, it allows the user to login and creates the necessary EBS session cookie and be done with it.

But in a Cross Domain scenario, the browser will not forward the AG domain cookie to the EBS server, as it is a security violation.

Hence there must be a mechanizm in place to handle the cookies from one cookie domain to the next. This is where the Access Gateway landing page comes into place. The landing page performs the necessary cookie transformation so the browser will then forward the necessary cookie to the target EBS server.

The following doc links details the 2 distinct process in preparing the EBS environment and create the AG application in the Access Gateway:

  1. Appendix A: Oracle Document Links ====================================

Here are the Oracle doc links that are useful for this entire integration process.

  • EBS Oracle Applications Release Notes, Release 12.1.1 (Doc ID 798258.1) Oracle E-Business Suite Installation and Upgrade Notes Release 12 (12.1.1) for Linux x86-64 (Doc ID 761566.1) Interoperability Notes EBS 12.0 and 12.1 with Database 11gR2 (Doc ID 1058763.1) MD5 Checksums for R12.1.1 Rapid Install Media (Doc ID 802195.1)

  • E-Business Suite Release 12.1 With Oracle Access Manager 11gR2 (11.1.2) (Doc ID 2045154.1)

  • Oracle E-Business Suite Security Guide (Part Number E22952-18

  • Registering Oracle E-Business Suite Release 12 with Oracle Internet Directory 11gR1 and Single Sign-On (Doc ID 1370938.1)

  • Using the Latest Oracle Internet Directory 11gR1 Patchset with Single Sign-on and Oracle E-Business Suite (Doc ID 876539.1)

  • Troubleshooting Oracle Access Manager and Oracle E-Business Suite AccessGate (Doc ID 1077460.1)

  • Oracle E-Business Suite Software Development Kit for Java (includes AppsDataSource, Java Authentication and Authorization Service, session management) Readme - Patch 13882058 (Doc ID 974949.1)

  • Latest Oracle E-Business Suite AccessGate for Single Sign-On Integration with Oracle Access Manager (Doc ID 2202932.1)

  • Oracle EBS 12.1 Administrator Guide

  • How to Configure 11g DIP for SSL Mode 2 Server Authentication (Doc ID 1203927.1)

  • How to create an SHA2 certificate using oracle wallet and ORAPKI ? (Doc ID 1914184.1)

  • RDA - Health Check / Validation Engine Guide (Doc ID 250262.1)

  • Using JDK 7.0 Latest Update with Oracle E-Business Suite Release 12.0 and 12.1 (Doc ID 1467892.1)

  • Upgrading OracleAS 10g Forms and Reports in Oracle E-Business Suite Release 12 (Doc ID 437878.1)

  • Deploying JRE (Native Plug-in) for Windows Clients in Oracle E-Business Suite Release 12 (Doc ID 393931.1)

  • Upgrading to the Latest OracleAS 10g 10.1.3.x Patch Set in Oracle E-Business Suite Release 12 (Doc ID 454811.1)

  • Oracle E-Business Suite Release 12.1.3+ Recommended Patch Collection 5 ( RPC5 ) (Doc ID 2152266.1)

  • Oracle E-Business Suite Release 12.1.3 Readme (Doc ID 1080973.1)

  1. Appendix B: Server HardWare Requirements ===========================================

Server Hardware Requirements

5.1. EBS Server

  • Linux 6.8, 8 core, 500G hard drive, 8G memory

5.2. DB/OID/DIP Server

  • Linux 6.8, 4 core, 60G hard drive, 4G memory

5.3. Access Gateway Appliance

  • Standard Access Gateway configuration applies.