Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Ebs idm con9020_pdf_9020_0001


Integrating Oracle E-Business Suite with Oracle Identity Management Solutions

Sunil Ghosh, Group Manager
Elke Phelps, Sr. Principal Product Manager

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Program Agenda

• Oracle E-Business Suite and Oracle Identity Management Integrations
• Support Time Line and Action Plans
• Single Sign-On with Oracle E-Business Suite
• Oracle Internet Directory Integration
• Step-by-Step: Oracle E-Business Suite and Single Sign-On Integration
• Oracle E-Business and Third-Party Identity Management Integrations
• Step-by-Step: Oracle E-Business and Third-Party Identity Management Integration
• Oracle E-Business Suite Single Sign-On Integration Roadmap


Oracle E-Business Suite and Oracle Identity Management Integrations

Manage Users in Oracle Internet Directory

• Synchronize user credentials bi-directionally between Oracle Internet Directory and E-Business Suite
• Set master “source of truth” as OID, EBS, or both
• Manage user provisioning via powerful OID Directory Integration & Provisioning (DIP) templates
• Link an OID userid with one or more EBS userids “on-the-fly”

[Diagram: E-Business Suite FND_USER, Oracle Internet Directory, DIP, DBMS_LDAP]

Enable Single Sign-On with Oracle Access Manager

• Protect E-Business Suite instances with Oracle Access Manager WebGate
• Single sign-on provides access to all registered partner applications, including EBS
• Log off any one partner application to log off all of them
• Support complex third-party single sign-on architectures

[Diagram: Oracle Internet Directory, WebGate, EBS AccessGate, Oracle Access Manager, E-Business Suite]

Manage Users in Oracle Identity Manager

• Use Oracle Identity Manager as a provisioning hub with third-party user directories and applications
• Connectors available for OID, E-Business Suite’s FND_USER and HRMS directories, and many more

[Diagram: E-Business Suite, Oracle Identity Manager, OID, LDAP]

Add Layered Access Security with Oracle Adaptive Access Manager (OAAM)

• Require additional protection through device fingerprinting and other contextual data
• Add secure and highly usable self-service password management
• Features are transparent to E-Business Suite

[Diagram: Oracle Internet Directory, WebGate, EBS AccessGate, E-Business Suite, Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Identity Manager]

Extend Single Sign-On with Oracle Identity Federation

• Integrate E-Business Suite into federated network
• Delegate authentication to OIF to enable access through remote identity providers
• Features are transparent to E-Business Suite

[Diagram: Oracle Internet Directory, WebGate, EBS AccessGate, Oracle Access Manager, E-Business Suite, OIF, Service Provider, Remote Identity Provider]

Other Identity Management Certifications

Product                                       Latest Versions for EBS
Oracle Access Manager                         11.1.1.5
Oracle Identity Manager                       11.1.1.5
Oracle Identity Federation                    11.1.1.6
Oracle Adaptive Access Manager                11.1.1.5
Oracle Enterprise Single Sign-On Suite Plus   11.1.1.5

All certifications here are performed by Fusion Middleware product teams.


Support Time Line and Action Plans

Oracle E-Business Suite Support Dates

Release         Premier Support Ends   Extended Support Ends           Minimum Baseline
11i (11.5.10)   November 2010          November 2013; December 2014*   MOS Doc ID 883202.1
12.0            January 2012           January 2015                    MOS Doc ID 1195034.1
12.1            May 2014               May 2017                        MOS Doc ID 1195034.1

* Exception to Extended Support
Some OAM integration requirements may supersede this minimum baseline.

Lifetime Support Information: http://www.oracle.com/us/support/lifetime-support/index.html

Oracle Identity Management Support Dates

Release                         Premier Support Ends   Extended Support Ends
Oracle Single Sign-On 10g       December 2011          December 2012*
Oracle Internet Directory 10g   December 2011          Not available
Oracle Internet Directory 11g   June 2015              June 2017
Oracle Access Manager 10g       December 2013          Not available
Oracle Access Manager 11g       June 2015              June 2017

* Limited Extended Support to December 2012

Lifetime Support Information: http://www.oracle.com/us/support/lifetime-support/index.html

Action Plan for Oracle E-Business Suite Users
Oracle Internet Directory 10g and Oracle Single Sign-On 10g

• Extended Support ends this year
  – Oracle Single Sign-On (OSSO) 10g extended support ends December 2012 → Deploy Oracle Access Manager
• Upgrade path for OID
  – OID 10g → OID 11g (11.1.1.6 latest certified)
• Migration path for OSSO
  – For EBS 12.0 or 12.1, OSSO 10g → OAM 11g with mod_osso
  – For EBS 11i, migrate to OAM 10g

NOTE: Oracle strongly recommends you upgrade to Release 12.1.3 and leverage OAM 11g and EBS AccessGate


Single Sign-On with Oracle E-Business Suite

Oracle Access Manager 11g

• Oracle Access Manager (OAM) 11g is Oracle’s recommended single sign-on solution
• Supports E-Business Suite, Fusion Middleware, OracleAS products, Fusion Applications, and more
• Offers two styles of integration: WebGate and mod_osso

Overview of Single Sign-On Integration Options for Oracle E-Business Suite, Note 1388152.1
Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR1 (11.1.1.5), Note 1309013.1

Authentication vs. Authorization

Authentication: Oracle Access Manager
• Identifies the user
• Validates user credentials

Authorization: Oracle E-Business Suite
• Identifies data and actions the user can access
• Checks user responsibilities

Oracle Access Manager 11g and E-Business Suite AccessGate

• EBS AccessGate enables integration with WebGate
  – Maps LDAP user to EBS user and complements EBS session management with OAM
  – WebGate 10g and WebGate 11g both supported
  – Requires Oracle Internet Directory

[Diagram: WebGate, EBS AccessGate, E-Business Suite, Oracle Internet Directory, Oracle Access Manager]

Oracle Access Manager 11g and E-Business Suite AccessGate (continued)

• External Java EE application installed independently from EBS
  – Fewer points of integration = easier to certify new releases
  – Insulates EBS instance from user authentication configuration
• EBS AccessGate supports multiple EBS releases as well as multiple OAM releases
• Multiple deployments can be supported with 1 WebGate

Oracle Access Manager 11g and mod_osso

• Support for mod_osso enables fast and easy migration from Oracle Single Sign-On (OSSO) 10g

[Diagram: E-Business Suite, User, OHS / mod_osso]

Oracle Access Manager 11g and mod_osso (continued)

• OAM 11g replaces OSSO 10g server
  – Automatically migrate existing partner applications
  – No changes needed for existing E-Business Suite installs
• Recommended only for users upgrading from OSSO 10g
• Available for EBS Release 12.0 and 12.1 only

Integration with Discoverer and Portal

[Diagram: User, WebGate, EBS AccessGate, E-Business Suite, Oracle Access Manager, mod_osso, Oracle Discoverer]

• WebGate and mod_osso deployments can be used together to protect applications
• If mod_osso detects valid OAM session, user may access resource without resubmitting credentials


Oracle Internet Directory Integration

Oracle Internet Directory Integration

• Oracle Internet Directory and FND_USER must be kept synchronized
• Synchronization events are raised via the Workflow-based Business Event System whenever users are added or modified

[Diagram: E-Business Suite FND_USER, Oracle Internet Directory, DIP, DBMS_LDAP]

Oracle Internet Directory Supported Synchronization

• Asynchronous OID to FND_USER using Directory Integration & Provisioning
• Synchronous FND_USER to OID using DBMS_LDAP
• Bi-directional synchronization

[Diagram: E-Business Suite FND_USER, Oracle Internet Directory, DIP, DBMS_LDAP]

Link Accounts

• One-time User Registration
  – Done at setup time by system administrator
  – Optional: can be done by end-user on first logon (“Link on the fly”)
  – Useful when existing accounts in OID or a third-party LDAP directory differ from existing E-Business Suite accounts

[Diagram: Oracle Internet Directory and E-Business Suite (FND_USER) joined by “Link Account”; labels: Global Unique Identifier (GUID), Userid = “jsmith”, Userid = “John.Smith”]

Link Accounts (continued)

• GUID = orclguid attribute in OID
  – This attribute is used by EBS to guarantee uniqueness
  – Dependency on orclguid is why EBS supports direct integration only with OID

[Diagram: Oracle Internet Directory and E-Business Suite (FND_USER) joined by “Link Account”; labels: Global Unique Identifier (GUID), Userid = “jsmith”, Userid = “John.Smith”]

Link to Multiple EBS Accounts

• Note: It’s not possible to link multiple OID accounts to the same EBS account

[Diagram: Oracle Internet Directory and E-Business Suite (FND_USER) joined by “Link Account”; labels: Userid = “jsmith”, Userid = “John.Smith”, Userid = “testuser1”, Userid = “testuser2”]
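
An added illustration (not Oracle code and not part of the presentation) of the linking rules on the Link Accounts and Link to Multiple EBS Accounts slides: one directory GUID may be linked to several EBS accounts, but an EBS account accepts only one GUID. The class and function names, the GUID format and the "adoe" user are assumptions; the rename and uid-reuse cases go slightly beyond the slides and show what keying the link on a GUID rather than on the userid implies in this model.

```python
from dataclasses import dataclass, field


class LinkError(Exception):
    """A link request that would attach a second directory GUID to one EBS account."""


@dataclass
class Directory:
    """Stand-in for OID: login uid -> GUID (the orclguid attribute on the slides)."""
    guid_by_uid: dict = field(default_factory=dict)
    issued: int = 0

    def add(self, uid):
        if uid in self.guid_by_uid:
            raise ValueError(f"uid {uid!r} already exists")
        self.issued += 1
        self.guid_by_uid[uid] = f"GUID-{self.issued:04d}"  # constructed, never reissued
        return self.guid_by_uid[uid]

    def rename(self, old, new):
        self.guid_by_uid[new] = self.guid_by_uid.pop(old)  # GUID travels with the entry

    def delete(self, uid):
        del self.guid_by_uid[uid]


@dataclass
class EbsUsers:
    """Stand-in for FND_USER: each EBS userid holds at most one linked GUID."""
    guid_by_user: dict = field(default_factory=dict)

    def create(self, ebs_user):
        self.guid_by_user.setdefault(ebs_user, None)

    def link(self, ebs_user, guid):
        if ebs_user not in self.guid_by_user:
            raise LinkError(f"no such EBS account: {ebs_user}")
        current = self.guid_by_user[ebs_user]
        if current not in (None, guid):
            raise LinkError(f"{ebs_user} is already linked to another directory entry")
        self.guid_by_user[ebs_user] = guid  # re-linking the same GUID is a no-op

    def accounts_for(self, guid):
        if guid is None:
            return []
        return sorted(u for u, g in self.guid_by_user.items() if g == guid)


def resolve(directory, ebs, login_uid):
    """Map an authenticated directory login to the EBS accounts it may open."""
    return ebs.accounts_for(directory.guid_by_uid.get(login_uid))


def demo():
    """Run the slide's scenario on constructed users and return the outcomes."""
    oid, ebs = Directory(), EbsUsers()
    jsmith_guid = oid.add("jsmith")
    other_guid = oid.add("adoe")            # hypothetical second directory user
    for user in ("John.Smith", "testuser1", "testuser2"):
        ebs.create(user)
        ebs.link(user, jsmith_guid)         # one directory entry, several EBS accounts

    try:
        ebs.link("John.Smith", other_guid)  # second directory entry, same EBS account
        second_link = "accepted"
    except LinkError:
        second_link = "rejected"

    before = resolve(oid, ebs, "jsmith")
    oid.rename("jsmith", "john.smith")      # userid changes, GUID does not
    after_rename = resolve(oid, ebs, "john.smith")

    oid.delete("john.smith")
    oid.add("jsmith")                       # old uid reused by a new entry, new GUID
    after_reuse = resolve(oid, ebs, "jsmith")

    return {"second_link": second_link, "before": before,
            "after_rename": after_rename, "after_reuse": after_reuse}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
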

Access EBS Accounts Using Proxy Users

• Recommended alternative to “multi-link”
  – Grant/revoke proxy privilege to individual users by admin
  – Track delegates’ actions within the system for improved security, compliance enforcement
  – Granular control of proxy authority; e.g.: for specific date ranges
  – Configure entirely within EBS – no OID changes required

[Diagram: Oracle Internet Directory and E-Business Suite (FND_USER) joined by “Link Account”; labels: Userid = “jsmith”, Userid = “John.Smith”, Userid = “testuser1”, Userid = “testuser2”]


Step-By-Step: Oracle E-Business Suite Single Sign-On Integration

First-Time Login with EBS AccessGate

[Diagram: User, WebGate, EBS AccessGate, E-Business Suite, Oracle Access Manager, Oracle Internet Directory]

Login to E-Business Suite via EBS AccessGate

1. Unauthenticated user requests access to protected EBS resource
2. User redirected to EBS AccessGate, protected by OAM
3. Per OAM policies, WebGate intercepts request
4. WebGate connects user to EBS AccessGate to collect credentials
5. User submits credentials to OAM server (OAM 11g) or WebGate (OAM 10g)
6. OAM verifies credentials against user directory and creates user session
7. OAM securely passes user identifier to EBS AccessGate
8. EBS AccessGate links OID user to EBS user and creates ICX session
9. User redirected to original EBS URL with session, and resource returned to browser


Third-Party Identity Management Integrations

Third-Party Single Sign-On Integration

[Diagram: EBS Application Server, Oracle Access Manager and Third-Party SSO, connected by two links labelled “… delegates user authentication to …”]

Third-Party SSO Interoperability
Many ways to work with third-party SSO engines

• Oracle Access Manager 11g
  – Windows Native Authentication via Kerberos, X.509
  – PKI X.509v3 Digital Certificates
  – Other SSO systems via custom AccessGates with Access SDK
• Oracle Enterprise SSO Suite Plus 11g
  – Biometric and smartcard systems
• Oracle Identity Federation 11g
  – SAML, WS-Federation, Liberty Alliance
  – Support CA Netegrity, IBM Tivoli, etc.

Integration with Third-Party LDAP
If you have an existing third-party LDAP…

[Diagram: Oracle Internet Directory, E-Business Suite Database (FND_USER) and Third-Party LDAP, connected by two links labelled “… synchronizes user attributes with …”]

Integration with Third-Party LDAP
Server Chaining

• New feature in OID 11g
  – Map entries in third party LDAP directories to part of the directory tree and access through OID without synchronization
  – Replaces external authentication plug-ins from OID 10g
• Third-party directories certified with Oracle Access Manager
  – Microsoft Active Directory
      • Does not support Active Directory Lightweight Directory Service
  – Sun Java System Directory (SunONE iPlanet)
  – Oracle Directory Server Enterprise Edition (formerly Sun)
  – Novell eDirectory

Passwords Stored in Third-Party LDAP

• Third-party LDAP
  – Handles user authentication, usually with a third-party authentication solution
  – Commonly considered “Master” source-of-truth
• Oracle Internet Directory and E-Business Suite take minimal copies of master user definition, excluding passwords
• E-Business Suite doesn’t maintain user passwords in this configuration

[Diagram: E-Business Database (FND_USER), Oracle Internet Directory and Third-Party LDAP (optional), each shown with User and Password; two of the Password entries are marked X]


Step-By-Step: Oracle E-Business Suite and Third Party Identity Management Integrations

Third-Party Integration Architecture

[Diagram: End User, Third-Party SSO, Third-Party LDAP, Oracle Access Manager*, Oracle Internet Directory, EBS Application Server / EBS AccessGate, EBS Database (FND_USER)]

* WebGate not shown.

1. User provides credentials to third-party single sign-on system.
2. Third-party single sign-on sends user’s credentials to third-party LDAP for authentication.
3. Third-party single sign-on provides authenticated user with third-party security token.
4. User attempts to access EBS, and is redirected to EBS AccessGate and OAM.
5. OAM recognizes the third-party security token, then issues its own and returns OID user to EBS AccessGate.
6. EBS AccessGate recognizes the OAM session, maps the OID user to an EBS user and returns the resource.


Case Studies

Case Study: Logical Server Topology

• One server per server type
  – E-Business Application Server
  – EBS AccessGate Server
  – Oracle Internet Directory Server
  – Oracle Access Manager Server

[Diagram: User, WebGate, EBS AccessGate, E-Business Suite, Oracle Access Manager, Oracle Internet Directory]

Case Study: Physical Server Topology

• Logical Servers may be combined
• Example:
  – One physical server for E-Business Suite and EBS AccessGate
  – One physical server for Fusion Middleware components – WebGate, Oracle Access Manager and Oracle Internet Directory

[Diagram: Fusion Middleware Server (Web Server with WebGate, Oracle Access Manager, Oracle Internet Directory); EBS Application Server (EBS Instance, EBS AccessGate)]

• Combine logical servers
• Scales easily
• Increases to Fusion Middleware footprint not required
• Supports multiple E-Business Suite Instances with EBS AccessGate

[Diagram: Fusion Middleware Server (Web Server with WebGate, Oracle Access Manager, Oracle Internet Directory); EBS Application Server 1 (EBS Instance 1, EBS AccessGate 1); EBS Application Server 2 (EBS Instance 2, EBS AccessGate 2)]

Case Study: Integration with Active Directory & Kerberos

[Diagram: End User, Microsoft Windows Native Authentication via Kerberos, Microsoft Active Directory, Oracle Access Manager, Oracle Internet Directory, E-Business Suite Application Server / EBS AccessGate, EBS Database (FND_USER)]

Case Study

[Network diagram: External Users, Internet, Reverse Proxy, three Firewalls, DMZ 1, DMZ 2, WebGate, External EBS App Server + EBS AccessGate, Internal EBS App Server + EBS AccessGate, OAM Server, OID, FMW Repository, EBS Database, Internal Users, Company Intranet]


E-Business Suite Single Sign-On Integration Roadmap

Roadmap: Single Sign-On

• Certify with Oracle Access Manager 11.1.2
  – Simplify documentation
  – Certify DMZ configurations with the Detached Credential Collector
  – Utilize default OAM login page
• Simplify Deployment and Configuration
• Provide Advanced Diagnostics
• Provide separate authentication for external vs. internal users

Roadmap: Certify with Oracle Access Manager 11.1.2

• Oracle E-Business Suite Release 12 will use the Oracle Access Manager 11gR2 global login page
• Custom login pages configured from Oracle Access Manager only

Authentication for External and Internal Users

Existing Solution

[Diagram: External User, Internal User, Internet, Intranet, External EBS Application Server, Internal EBS Application Server; URLs http://intranet.mycompany.com and http://jobs.company.com]

Roadmap

[Diagram: External User, Internal User, Internet, Intranet, External EBS Application Server, Internal EBS Application Server; URLs http://myintranet.mycompany.com and http://jobs.company.com]


References

My Oracle Support

Note ID     Title
1388152.1   Overview of Single Sign-On Integration Options for Oracle E-Business Suite
1309013.1   Integrating EBS with Oracle Access Manager 11g Using Oracle E-Business Suite AccessGate
1304550.1   Migrating Oracle Single Sign-On 10gR3 to Oracle Access Manager 11gR1 with Oracle E-Business Suite
975182.1    Integrating EBS with Oracle Access Manager 10g Using Oracle E-Business Suite AccessGate
876539.1    Using the Latest Oracle Internet Directory 11gR1 Patchset with Single Sign-On and EBS

E-Business Suite Technology Stack Blog

blogs.oracle.com/stevenChan

• Direct from EBS Development
• Latest news
• Certification announcements
• Primers, FAQs, tips
• Desupport reminders
• Latest upgrade recommendations
• Statements of Direction
• Subscribe via email or RSS

E-Business Suite Technology Blog

• Understanding Options for Integrating Oracle Access Manager with E-Business Suite
• Oracle Access Manager 11.1.1.5 Certified with E-Business Suite 12
• Why Does EBS Integration with Oracle Access Manager Require Oracle Internet Directory?
• Oracle Internet Directory 11gR1 11.1.1.5 Certified with E-Business Suite
• In-Depth: Using Third-Party Identity Managers with E-Business Suite Release 12


Q&A
