
Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Date post: 18-Oct-2021
Oracle Identity Cloud Service (IDCS) - SSO using EBS Asserter for EBS: How to Simplify SSO to Oracle EBS. Session ID: 11323. Prepared by: Sushil Motwani, Director, Cloud Infrastructure, SmartDog Services. 10th April 2019. Remember to complete your evaluation for this session within the app!
Transcript
Page 1: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Session ID: 11323

Prepared by: Sushil Motwani, Director – Cloud Infrastructure, SmartDog Services

Remember to complete your evaluation for this session within the app!

Oracle Identity Cloud Service (IDCS) - SSO using EBS Asserter for EBS

How to Simplify SSO to Oracle EBS

10th April 2019

Page 2: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Agenda

Who is SmartDog Services?

Certification Information

Current On-Premise Approach to SSO to EBS

IDCS with EBS-Asserter Approach to SSO

Conclusion and Q & A

Page 3: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Who We Are

SMARTDOG SERVICES: OUR COMMITMENT

SmartDog Services believes that Oracle products have tremendous capability that can transform a business and the lives of its employees. Our mission is to help our customers recognize the full potential of this investment.

• Over 25 Years of Experience

• An Oracle Customer’s Best Friend

• SmartDog Consultants average 15 Years of Oracle Experience

• Over 250 EBS Customers

• Oracle Gold Partner

• Oracle Certified Cloud Managed Service Provider (MSP) Partner

• Oracle Velocity Partner

IN A NUTSHELL

• Key relationships with Oracle employees (Cloud product development, sales, delivery, and support)

• Proprietary WatchDog and BloodHound Tools for E-Business Suite Optimization

• License Right Tools

Page 4: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

APPLICATION PLATFORM INFRASTRUCTURE MANAGED SUPPORT

Cloud Managed Services

Cloud Architecture

Provisioning and Migration

Networking and Connectivity

Integration

Optimization

Customer Success Team

Oracle Cloud Infrastructure Expertise

Quarterly Cloud Consumption Review

Proactive Roadmap for Cloud

The Oracle Customer’s Best Friend

EBS Services

Software License Review

Development and Integration

EBS Diagnostics

EBS Health Check

Migrations and Upgrades

ERP Implementations

Reporting Solutions

Continuous Improvement

Functional Solution Center

Proactive EBS Roadmap

Quarterly Business Reviews

Technology Services

Oracle DBA on Demand

SQL Server DBA on Demand

Oracle Technology License Review

Incident Based Support

Architecture Footprint and Roadmap

Proactive Database Roadmap

Capacity Planning

Disaster Recovery Planning

Security/Database Release Updates

Technology Health Check

OUR SERVICES

Page 5: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

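Certification Information for OAM for EBS Customers

SSO – Oracle Single Sign-On; OAM – Oracle Access Manager

[Figure: certification timeline diagram; its layout is not recoverable from the transcript. Version labels on the figure: SSO 3.0.9 to 10.1.4.2, SSO 10.1.4.3, OAM 10.1.4.3, OAM 11.1.1.3, 11.1.1.5, 11.1.1.7, OAM 11.1.2.0, 11.1.2.1, 11.1.2.2, 11.1.2.3. Date labels: Dec 2011, Dec 2012, Jun 2015. Other labels: EBS Built-In Security, STOP (twice), "EBS 12.0, 12.1 only", "EBS 12.1.x and 12.2.x only".]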

Page 6: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

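Certification Information for OID / OUD for EBS Customers

OID – Oracle Internet Directory; OUD – Oracle Unified Directory

[Figure: certification timeline diagram; its layout is not recoverable from the transcript. Version labels on the figure: OID 10.1.2.0.2 to 10.1.4.2, OID 10.1.4.3, OID 11.1.1.2 to 11.1.1.4, 11.1.1.5, 11.1.1.6, 11.1.1.7, 11.1.1.9, OUD 11.1.2.3. Date label: Dec 2011. Other labels: EBS Built-In Directory, STOP.]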

Page 7: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

The Current On-Premise / IaaS Approach to SSO

• The traditional, certified approach: deployment and integration with Oracle Access Manager and either Oracle Internet Directory (OID) or Oracle Unified Directory (OUD)

• Widely used and documented

• Additional components and additional complexity to your EBS deployment.

• For SSO you need Access Manager, a Directory (OID/OUD), a WebGate, and an AccessGate, and must configure each to integrate with EBS.

• Each component needs to be updated / patched regularly.

• Each component also needs to be licensed separately

• It is not easy to maintain, and cloning an SSO environment is very complicated

• Many customers have either abandoned the thought of implementing SSO or are facing the issues described above

Page 8: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Architecture of Oracle Access Manager with E-Business Suite R12.1.3

Page 9: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Architecture of Oracle Access Manager with E-Business Suite R12.2.x

• With Oracle E-Business Suite Release 12.2, single sign-on integration is simplified.

• Both WebGate 11g and Oracle E-Business Suite AccessGate are automatically installed and configured on the Oracle E-Business Suite Release 12.2 application tier server node

• *Oracle E-Business Suite Release 12.2.5 and later supports Oracle Unified Directory as the Directory Service

Page 10: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

High Level Steps to Implement SSO with OUD

• Integrate Oracle Unified Directory with Oracle E-Business Suite

• Install Pre-Requisite/Interoperability Patches on EBS to support OUD
  ❖ Latest AD/TXK Delta Patches
  ❖ Interoperability Patches for OUD 11.1.2.3 for EBS R12.2

• For integration of Oracle Unified Directory, install Oracle Identity Management 11g Release 1 Patch Set 7 or later (11.1.1.9), which includes the necessary components: Oracle Directory Integration Platform and Oracle Enterprise Manager.

• Install Oracle Unified Directory 11.1.2.3

• Configure Oracle Fusion Middleware Directory Services Manager (ODSM)

• Configure Oracle Directory Integration Platform for Oracle Unified Directory

• Complete configuration of Oracle Unified Directory with Oracle E-Business Suite
  ❖ Online Patching
  ❖ Parameter Checklist
  ❖ Registration Type
  ❖ Modify appropriate Profile Options in EBS to support OUD
  ❖ Verify User Provisioning between OUD and EBS

Page 11: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

High Level Steps to Implement SSO with OAM

• Ensure that OUD has been completely configured with Oracle E-Business Suite

• Install and Configure Oracle Access Manager, and apply the latest OAM updates

• Install Pre-Requisite/Interoperability Patches on EBS to support OAM
  ❖ Latest AD/TXK Delta Patches
  ❖ Interoperability Patches for OAM 11.1.2.3 for EBS R12.2
  ❖ Install Oracle Access Manager WebGate
  ❖ Apply OAM Patches for OAM WebGate

• Integrate Oracle EBS with Oracle Access Manager
  ❖ Deploy EBS AccessGate
  ❖ Register EBS with OAM

• Complete configuration of Oracle Access Manager
  ❖ Long URLs
  ❖ OAM Whitelists
  ❖ OAM Timeouts
  ❖ SSL/TLS
  ❖ Configure OAM to work with the Load Balancer
  ❖ Configure the Applications SSO to allow different authentication methods

Page 12: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

The Current On-Premise / IaaS Approach to SSO (Repeat Slide)


Page 13: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

The New IDCS with EBS-Asserter Approach to SSO

• Simpler option

• Single Sign-On Capability

• No Oracle Access Manager, Directory or any of the other components

• Minimal configuration within EBS

• Oracle Identity Cloud Service (IDCS) is Oracle's cloud-based Identity platform

• Enables SSO to a standard installation of EBS through its EBS Asserter

• IDCS requires no installation - HA, DR, scaling, backup and restore, patching, and upgrading are all taken care of by Oracle as part of the cloud service.

• The only component that requires deployment is the EBS Asserter, which acts as the interface between an identity token being issued by IDCS and a user's session being created in EBS

Page 14: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Architecture and Approach of Oracle Identity Cloud Service integrated with EBS and EBS Asserter

• Easy.....

• Populate IDCS with users and groups by setting up synchronization between your AD and IDCS

• Configure SSO between your on-premise Identity Provider (typically ADFS) and IDCS

• Deploy the EBS Asserter and configure integration with EBS and IDCS

Page 15: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Single Sign-On Option 1

Page 16: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Single Sign-On Option 2

Page 17: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Step 1 - Set up synchronization between your AD (Microsoft - On-Premise) and IDCS

• An Oracle Identity Cloud Service agent – Bridge agent installed on a Local Windows Desktop Server automatically and continuously synchronizes users and groups from Microsoft Active Directory to Oracle Identity Cloud Service

• Best way to automatically and continuously synchronize company users and groups from your Microsoft Active Directory to Oracle Identity Cloud Service

• Leverages a Windows installer for setup and configuration

• Supports only unidirectional integration (from Microsoft Active Directory to Oracle Identity Cloud Service)

– Download the Bridge Agent and Install on the Windows Server

– Configure the Bridge and Perform the Synchronization

– Verify Synchronization Results in Oracle IDCS

– Manage the Bridge from Oracle IDCS (Start, Stop, and Restart the Agent)

• http://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_idbridge_obe/idbridge.html

Page 18: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Step 2 - Oracle Identity Cloud Service: Integrating with Microsoft Active Directory Federation Services - Configure SSO between your on-premise Identity Provider (typically ADFS) and IDCS

• Oracle Identity Cloud Service provides integration with SAML 2.0 identity providers (IdPs)

– Works with federated Single Sign-On (SSO) solutions that are compatible with SAML 2.0 as an IdP. This includes Microsoft Active Directory Federation Services (AD FS), Shibboleth Identity Provider, and Oracle Access Management (OAM).

– Allows users to log into Oracle Identity Cloud Service using the credentials from their own identity provider.

– Can force the IdP authentication for all users or offer the IdP authentication as an option (Login Chooser option).

• The identity provider integration provides the following benefits:

– Single Sign-On across cloud and on-premises solutions: Oracle Identity Cloud Service provides Single Sign-On for cloud applications while the IdP provides Single Sign-On for on-premises applications. Users log in only once, using their IdP credentials.

• http://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html

Page 19: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Step 3 - Configure Oracle E-Business Suite (EBS) to use Oracle Identity Cloud Service for Single Sign-On

• Oracle E-Business Suite customers can integrate their environment in Single Sign-On (SSO) mode.

• Oracle Identity Cloud Service provides a lightweight Java application, called the EBS Asserter. With the EBS Asserter, you can implement SSO for Oracle E-Business Suite and other applications.

• EBS Asserter main features:

– Non-intrusive solution that doesn't require configuration changes in your Oracle E-Business Suite environment.

– Can be deployed in WebLogic Server 11g or 12c using secure communications (SSL/TLS)

– Multiple access modes for SSO with Oracle E-Business Suite:

• Access Oracle EBS via the EBS Asserter’s direct URL link (bookmark)

• Access Oracle EBS via Oracle Identity Cloud Service's My Apps page

• Access Oracle EBS via the EBS Asserter's login using a redirect parameter

• Access Oracle EBS via previously bookmarked Oracle EBS URLs

– Supports single logout across Oracle E-Business Suite, the EBS Asserter, and Oracle Identity Cloud Service.

Page 20: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Step 3 – Requirements for EBS Asserter Implementation

• Download the Oracle JRE/JDK version 8 or later.

• Download the Java Cryptography Extension file for Java 8.

• Download the EBS Asserter: IDCS Console → Settings → Downloads → download the Identity Cloud Service EBS Asserter → Save the zip file to any folder on your desktop, decompress it, and then find the location of the ebs.war and idcs-wallet-<version>.jar files.

Note: The names of the files may vary according to the version.

Note: Make sure you download at least version 19.1.4-1.2.2.

• Access to an instance of Oracle Identity Cloud Service, rights to download the EBS Asserter from the console, and rights to register a trusted application.

• Access to an instance of Oracle EBS Release 11i (11.5.10) or Release 12 (12.1.3, 12.2.4 and higher), with the latest Tech Stack Patches applied

• A separate instance of Oracle WebLogic Server 11g (10.3.6) or 12c (12.1.3 and 12.2) using the Java SE Development Kit 8 or Java EE 8.

Note: The host names for the EBS Asserter's application server and Oracle E-Business Suite's application server must belong to the same domain for SSO to work.

Note: It is recommended that the EBS Asserter be accessed over SSL, since Oracle Identity Cloud Service can only be accessed over SSL. Failure to do so may cause SSO between Oracle Identity Cloud Service and the EBS Asserter to fail.

Note: Make sure the clock of the server where the EBS Asserter runs and the clock of the server where EBS runs are synchronized.

Page 21: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Step 3 – Requirements for EBS Asserter Implementation

To proceed with the configuration, make note of the following values:

• EBS Asserter's WebLogic Server host name

• EBS Asserter's WebLogic Server https address (including port number if not the default one)

• Oracle E-Business Suite host name

• Oracle E-Business Suite https address

• Oracle Identity Cloud Service https address (including port number if not using the default one)

• Oracle E-Business Suite Database name

• Oracle E-Business Suite Database host

• Oracle E-Business Suite Database port

• Oracle E-Business Suite "APPS" user's password
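
A pre-deployment check for the three Notes on the requirements slide (shared domain, SSL, synchronized clocks), run against the addresses listed above. This is an added example, not part of the original slides or of Oracle's tooling; the function names, the 60-second skew tolerance, and the two-label reading of "same domain" are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_SKEW_SECONDS = 60  # assumed tolerance; the slides only say "synchronized"

def shared_domain(host_a, host_b):
    """Longest DNS suffix the two host names share ('' if none or an IP)."""
    for host in (host_a, host_b):
        try:
            ipaddress.ip_address(host)
            return ""  # IP literals have no DNS domain to share
        except ValueError:
            pass
    a = host_a.lower().rstrip(".").split(".")[::-1]
    b = host_b.lower().rstrip(".").split(".")[::-1]
    common = []
    for x, y in zip(a, b):
        if x != y:
            break
        common.append(x)
    return ".".join(reversed(common))

def preflight(asserter_url, ebs_url, idcs_url, asserter_epoch, ebs_epoch):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    urls = {"EBS Asserter": asserter_url, "EBS": ebs_url, "IDCS": idcs_url}
    hosts = {}
    for name, url in urls.items():
        parts = urlsplit(url)
        hosts[name] = parts.hostname or ""
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"{name}: {url!r} is not an https address")
    # Assumption: "same domain" means at least two shared labels (example.com).
    suffix = shared_domain(hosts["EBS Asserter"], hosts["EBS"])
    if suffix.count(".") < 1:
        findings.append("EBS Asserter and EBS hosts do not share a DNS domain")
    skew = abs(asserter_epoch - ebs_epoch)
    if skew > MAX_SKEW_SECONDS:
        findings.append(f"clock skew of {skew}s exceeds {MAX_SKEW_SECONDS}s")
    return findings

if __name__ == "__main__":
    # Constructed sample values (reserved example domains, made-up clocks).
    for finding in preflight("http://asserter.example.com:7002",
                             "https://ebs.example.org:4443",
                             "https://idcs.example.net",
                             1554900000, 1554900300):
        print("FAIL:", finding)
```

The epoch arguments are the current times reported by each server (for example from `date +%s` on each host), collected as close together as possible.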

Page 22: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Step 3 – Implementation Steps

https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/ebs_asserter_obe/ebs-asserter.html

1. Create an Application User – “EBS Asserter Service User” on E-Business Suite – Using User Management, search role code “UMX|APPS_SCHEMA_CONNECT”

– Select Apps Schema Connect Role, click Select, enter a justification, and then click Save.

2. Register EBS Asserter with Oracle E-Business Suite

3. Register the EBS Asserter Application in Oracle Identity Cloud Service

4. Create a WebLogic Wallet

5. Create the EBS Asserter Configuration File

6. Install JCE and Import Oracle Identity Cloud Service Certificate in WebLogic and Java Key Stores

7. Deploy the EBS Asserter

8. Configure Oracle EBS to redirect non-EBS-authenticated users to EBS Asserter instead of using the EBS local login page - Configure White-listing, Update EBS Profiles, and Restart the Servers

9. Test Single Sign-On with Oracle E-Business Suite

Page 23: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Q & A

Page 24: Oracle Identity Cloud Service (IDCS) - SSO using EBS ...

Session ID: 11323

Remember to complete your evaluation for this session within the app!

[email protected]

