Tuesday, April 12, 2016

EBS R12 Integration with OAM 11g to enable SSO

E-Business Suite (EBS) integration with Oracle Access Manager (OAM) for Single Sign-On
(SSO) involves integrating EBS with Oracle Internet Directory (OID) for user synchronization,
pointing OAM’s identity store to use OID, and delegating EBS authentication to OAM.

OAM EBS Integration Components
In order to understand Oracle Access Manager (OAM) integration with Oracle E-Business Suite, let us first understand the various components that are part of the OAM-EBS integration.

1. Oracle Internet Directory (OID)
Oracle Internet Directory (OID) is the Lightweight Directory Access Protocol (LDAP) server from Oracle in which all enterprise users are stored. Users in OID are synchronized with users in E-Business Suite (EBS) using Directory Integration Platform (DIP). Oracle Access Manager (OAM) should use an LDAP server (such as OID, or Oracle Virtual Directory (OVD) pointing to this OID) as its identity store for authentication. There are various versions of OID, such as 10g and 11g (11.1.1.2/3/4/5/6/7); as of Oct 2013 the latest OID version is 11.1.1.7. OID version 11.1.1.7 is the recommended version for integration with Oracle E-Business Suite R12.1.x/R12.2.x.

2. Directory Integration Platform (DIP)
Directory Integration Platform (DIP) 11g is a J2EE application deployed on WebLogic Server and used for provisioning/synchronization of users/groups across other LDAP servers and applications. DIP consists of two types of engine, Synchronization and Provisioning.

The Synchronization component is used to sync users/groups between OID and other LDAP servers such as Microsoft Active Directory (MS-AD) or IBM Directory Server.
The Provisioning component is used to sync OID with applications such as EBS, Portal and Collaboration Suite. For user synchronization between OID and E-Business Suite, DIP uses its Provisioning component.

3. Oracle Directory Services Manager (ODSM)
Oracle Directory Services Manager (ODSM) is a web application deployed on WebLogic Server and used to manage OID from a web browser. Using ODSM you can configure/manage OID and create/delete users/groups.

4. Oracle WebLogic Server (WLS)
Oracle WebLogic Server (WLS) is the J2EE application server from Oracle. A WebLogic Domain is the logical component in which all resources (Admin Server, Managed Servers, Java Database Connectivity (JDBC), Java Message Service (JMS)) are deployed/configured. A WebLogic Domain consists of exactly one Admin Server and zero or more Managed Servers.
In an EBS-OAM deployment we should use two WebLogic Servers and two WebLogic Domains: one for OID (DIP & ODSM) and a second for OAM.

WebLogic version 10.3.6 (11g) can be used for both OAM and OID (DIP/ODSM); EBS AccessGate (EBS-AG) is deployed on the OAM WebLogic Domain.

  • On IDMDomain, Deployments are DIP & ODSM,
http://ed-olraclin.samiora.blogspot.com:7031/em

  • On IAMDomain, Deployments are EBS Access Gate, OAM and any custom login application, 
http://ed-olraclin.samiora.blogspot.com:7021/em

5. Oracle Access Manager (OAM)
Oracle Access Manager is a J2EE application deployed on WebLogic Server and used as the Authentication & Authorization Server. There are various versions of OAM, such as 10g, 11gR1 (11.1.1.3/5/7) and 11gR2 (11.1.2.0/1/2).

OAM Server consists of:
• OAM Server, deployed on a WebLogic Managed Server (default port 14100). An OAM Proxy server runs in the background on default port 5575; agents (WebGates) connect to this OAM Proxy port.
• OAM Console, a web application deployed on the WebLogic Admin Server (default port 7001). The OAM Console application is used to manage configuration and to define/manage policies and authentication schemes.
• OAM Configuration, stored in an XML file (oam-config.xml) on the server, which contains all OAM configuration such as server name, port, WebGate details and audit store details.
• OAM Policy Store, a repository (database) which stores policies (details such as which URL is protected using what authentication/authorization schemes).

http://ed-olraclin.samiora.blogspot.com:7021/oamconsole

6. Oracle HTTP Server (OHS)
Oracle HTTP Server is the web server from Oracle on which WebGate is deployed. Users are redirected from the EBS Middle Tier to this server for authentication (the URL of this server is configured in the EBS profile option “Application Authentication Agent”). OHS acts as a proxy server to the WebLogic Server on which EBS AccessGate (EBS-AG) is deployed: it has mod_wl_ohs configured to forward requests to the WebLogic Server where Oracle E-Business Suite AccessGate (EBS-AG) is deployed.
Note: E-Business Suite R12 comes with its own Oracle HTTP Server (OHS); the OHS server mentioned here is a different OHS server from the one shipped with the EBS R12 technology stack.

7. Web Gate
WebGate is a web server plug-in (deployed with a web server such as Apache, OHS or IHS) which intercepts the user's request and sends it to the Oracle Access Manager Server to check whether the user is authenticated/authorized to access the requested resource. WebGate is installed on the same machine as the web server (OHS), and the WebGate configuration settings are referenced from the OHS configuration file (httpd.conf). For WebGate to work, an instance of WebGate must be configured in OAM Server using the Remote Registration (RREG) utility or the OAM Console, and WebGate must be installed with OHS using the same OS user as OHS.

8. mod_wl_ohs
This is the module in Oracle HTTP Server (OHS) which forwards requests from OHS to the WebLogic Server where EBS AccessGate is deployed, as defined in mod_wl_ohs.conf.

Configure OHS to forward requests to the WebLogic Server that hosts Oracle E-Business Suite AccessGate as follows.

Source the OHS environment file:
. $HOME/ohs.env

Modify the mod_wl_ohs.conf file under the $ORACLE_INSTANCE/config/OHS/ohs1 directory (the host comment must be a separate # line, not trailing text on the WebLogicHost directive):

<IfModule mod_weblogic.c>
  # ed-olraclin1 is the server that has EBS AccessGate deployed on it
  WebLogicHost ed-olraclin1.samiora.blogspot.com
  WebLogicPort 7043
</IfModule>
<Location /ebsauth_eprd>
  SetHandler weblogic-handler
</Location>

Now restart the HTTP Server:
opmnctl stopall
opmnctl startall


9. Oracle E-Business Suite Access Gate
EBS AccessGate (EBS-AG) is a Java EE application that maps a Single Sign-On user (authenticated via OAM) to an Oracle E-Business Suite user (stored in the FND_USER table) and creates an E-Business Suite session for that user. EBS-AG is deployed on WebLogic Server using an ANT script that creates a web application and a JDBC connection to the EBS database. The login page for E-Business Suite is also configured as part of EBS-AG. There are currently multiple versions of E-Business Suite AccessGate: for example, 1.0.2 is certified with OAM 10g R3, whereas EBS-AG version 1.1.2.0 is certified with OAM 11g R2 (11.1.2.1).
Note: If the WebLogic Server which hosts EBS-AG is on a different machine from the EBS Middle Tier, then you must register the node hosting EBS-AG in the EBS database, create a DBC file and use this DBC file during EBS AccessGate deployment. If EBS-AG and the EBS Middle Tier run on the same machine then you can use the existing DBC file under $FND_SECURE.

10. Profile Option
Profile options are used in E-Business Suite to change the behaviour of the environment. The two profile options used for this integration are "Application SSO Type" and "Application Authentication Agent".

• Application SSO Type (APPS_SSO) - This profile option can be set only at site level, to one of four values: SSWA, Portal, SSWA w/SSO or Portal w/SSO. To inform E-Business Suite that Single Sign-On is configured, so that users are redirected to the Single Sign-On page and NOT to the local login page, set this profile option to either SSWA w/SSO or Portal w/SSO.

• Application Authentication Agent (APPS_AUTH_AGENT) - When this profile option is set together with Application SSO Type, the user is redirected to a page derived from its value. For example, if Application Authentication Agent is set to http://ohsserver:ohsport/ebsauth_eprd/ then the user is redirected to http://ohsserver:ohsport/ebsauth_eprd/OAMLogin.jsp. The value of Application Authentication Agent has the format http://server:port/<context_root>, where server is the host on which Oracle HTTP Server (OHS) with WebGate is installed, port is the OHS listen port and context_root is the context root defined during AccessGate deployment.
Note: If the Application Authentication Agent profile option is missing, ensure you have the patch below applied for your version:
For R12.1.1 – Patch Number – 9824524
For R12.1.2/R12.1.3 – Patch Number – 9454600

• Applications SSO Login Types - set at site level to SSO (or BOTH)

• Applications SSO Auto Link User - set at site level to Enabled

• Applications SSO Enable OID Identity Add Event - set to Enabled

• Applications Single Sign On Hint Cookie - set at site level to <blank>
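A pre-flight check that ties the profile options above to the mod_wl_ohs.conf fragment in section 8, written as an added Python example (not code from the post or from Oracle): it validates the Application SSO Type and Application Authentication Agent values, derives the OAMLogin.jsp redirect, and confirms that the agent's context root is proxied to EBS-AG by a weblogic-handler Location. The conf text, host, port and profile option values it works on are constructed for the example.

```python
import re

# Constructed mod_wl_ohs.conf fragment modelled on the one shown above; sample input, not a real file.
MOD_WL_OHS_CONF = """
<IfModule mod_weblogic.c>
  WebLogicHost ed-olraclin1.samiora.blogspot.com
  WebLogicPort 7043
</IfModule>
<Location /ebsauth_eprd>
  SetHandler weblogic-handler
</Location>
"""

# Expected shape of Application Authentication Agent: http://server:port/<context_root>[/]
AGENT_RE = re.compile(r"^https?://([^/:]+):(\d+)/([^/]+)/?$")

def proxied_locations(conf):
    """Return <Location> paths that OHS hands to mod_wl_ohs (SetHandler weblogic-handler)."""
    found = set()
    for path, body in re.findall(r"<Location\s+(\S+?)\s*>(.*?)</Location>", conf, re.S | re.I):
        if re.search(r"^\s*SetHandler\s+weblogic-handler\s*$", body, re.M | re.I):
            found.add(path.rstrip("/"))
    return found

def check_sso_profile_options(opts, conf):
    """Return findings for the EBS profile options listed above (opts: display name -> value)."""
    findings = []
    sso_type = opts.get("Application SSO Type", "")
    if sso_type not in ("SSWA w/SSO", "Portal w/SSO"):
        findings.append("Application SSO Type is %r: users get the local login page, not OAM" % sso_type)
    agent = opts.get("Application Authentication Agent", "")
    m = AGENT_RE.match(agent)
    if m is None:
        findings.append("Application Authentication Agent %r is not http://server:port/<context_root>" % agent)
    elif "/" + m.group(3) not in proxied_locations(conf):
        # EBS redirects to <agent>/OAMLogin.jsp, so OHS must proxy that context root to EBS-AG.
        findings.append("context root /%s has no weblogic-handler <Location> in mod_wl_ohs.conf" % m.group(3))
    for name, allowed in (("Applications SSO Login Types", ("SSO", "BOTH")),
                          ("Applications SSO Auto Link User", ("Enabled",)),
                          ("Applications SSO Enable OID Identity Add Event", ("Enabled",)),
                          ("Applications Single Sign On Hint Cookie", ("",))):
        if opts.get(name, "") not in allowed:
            findings.append("%s should be one of %r" % (name, allowed))
    return findings

def sso_login_url(opts):
    """Page an unauthenticated user is sent to: <Application Authentication Agent>/OAMLogin.jsp."""
    return opts["Application Authentication Agent"].rstrip("/") + "/OAMLogin.jsp"
```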


Request flow for E-Business Suite integrated with Oracle Access Manager

[Figure: request flow for an unauthenticated user accessing E-Business Suite integrated with Oracle Access Manager; image not reproduced here]

The picture above depicts the request flow when an unauthenticated user accesses E-Business Suite integrated with Oracle Access Manager.

1. The user accesses the E-Business Suite URL http://<ebs_mid_tier>:<ebs_ohs_port>. EBS checks that profile option 'Application SSO Type' is set to either 'Portal w/SSO' or 'SSWA w/SSO' (w/SSO signifies that EBS is integrated with a Single Sign-On server).
2. EBS then reads the value of profile option Application Authentication Agent (set to http://<ohs_with_wg>:<ohs_with_wg_port>/<context_root>/, where <context_root> is the value set during E-Business Suite AccessGate deployment) and redirects the user to that URL.
3. The WebGate deployed with the OHS server checks whether a token (cookie) is present in the user's session and forwards the request to the OAM server for validation.
4. The OAM server checks the authentication URL configured for the WebGate (Host:Port or Host Identifier) and redirects the user to the authentication page configured by that URL. The user types username/password on the authentication page, which OAM validates against OAM's identity store (Oracle Internet Directory). Oracle Internet Directory validates the username and password against attribute UID (login attribute) and attribute userPassword (password attribute).
5. On successful authentication OAM sends the response back to the WebGate with the generated cookie.
6. The WebGate then redirects the user to E-Business Suite AccessGate (EBS-AG) for user validation/mapping.
7. EBS AccessGate takes this user ID and maps/validates it against a user in E-Business Suite (FND_USER).
8. On successful validation the response is returned to the WebGate.
9. The WebGate forwards the response back to the user.
10. The user, now holding the token/cookie from WebGate/AccessGate, is redirected back to the E-Business Suite Middle Tier.
11. The E-Business Suite Middle Tier issues its own E-Business Suite session cookie to the user; for subsequent requests the user talks directly to Oracle E-Business Suite until explicit logout or timeout.

Attention: Users in E-Business Suite (FND_USER) are synchronized with Oracle Internet Directory using the Directory Integration Platform's (DIP) Provisioning Framework.
Attention: The OIM (another product from the Oracle IAM Suite) connectors (EBS User Management and EBS Employee Reconciliation) can also be used to synchronize users between OIM and EBS, and users in OID and OIM are synchronized using LDAPSync. This OIM integration is NOT required for EBS integration with OAM to enable SSO.
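The flow above reduced to its decision points, as an added Python example (not code from the post or from Oracle): it shows why a user who authenticates successfully at OAM against OID can still be refused an EBS session when EBS AccessGate finds no FND_USER row, and why a valid OAM cookie skips the login page. The OID entries, the FND_USER names, the salted-hash password storage and the rule that the EBS user name is the uid in upper case are all assumptions made for the demo.

```python
import hashlib, hmac, secrets

# Constructed sample data, not from any real system: an OID identity store keyed by the
# login attribute uid, with userPassword kept as a salted SHA-256 for the demo, and the
# FND_USER user names that EBS AccessGate can map an SSO user to.
def _digest(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

OID = {
    "jsmith": {"salt": "s1", "userPassword": _digest("s1", "Welcome1")},
    "contractor": {"salt": "s2", "userPassword": _digest("s2", "Temp123")},
}
FND_USER = {"JSMITH"}   # FND_USER.USER_NAME values; "contractor" has no EBS account
OAM_SESSIONS = {}       # cookie token -> uid; stands in for the OAM session / WebGate cookie

def oam_authenticate(uid, password):
    """Step 4: OAM checks uid/userPassword against OID; returns a session token or None."""
    entry = OID.get(uid)
    if entry is None or not hmac.compare_digest(_digest(entry["salt"], password), entry["userPassword"]):
        return None
    token = secrets.token_hex(16)
    OAM_SESSIONS[token] = uid
    return token

def ebs_accessgate(uid):
    """Steps 6-7: EBS-AG maps the SSO user to FND_USER; no matching row means no EBS session."""
    user_name = uid.upper()          # assumption: EBS user name is the uid in upper case
    return user_name if user_name in FND_USER else None

def access_ebs(sso_type, cookie=None, credentials=None):
    """Steps 1-11 as decisions. Returns ('local_login',), ('oam_login',),
    ('denied', reason) or ('ebs_session', FND_USER name)."""
    if sso_type not in ("SSWA w/SSO", "Portal w/SSO"):
        return ("local_login",)              # step 1: EBS is not SSO-enabled
    uid = OAM_SESSIONS.get(cookie)           # step 3: WebGate looks for a valid OAM cookie
    if uid is None:
        if credentials is None:
            return ("oam_login",)            # step 4: send the user to the OAM login page
        token = oam_authenticate(*credentials)
        if token is None:
            return ("denied", "oam_authentication_failed")
        uid = OAM_SESSIONS[token]            # step 5: WebGate now holds the OAM cookie
    ebs_user = ebs_accessgate(uid)           # steps 6-8: authenticated is not the same as mapped
    if ebs_user is None:
        return ("denied", "no_fnd_user_mapping")
    return ("ebs_session", ebs_user)         # steps 10-11: EBS issues its own session cookie
```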

High Level Steps to integrate Oracle EBS R12 with OAM for Single Sign-On
Below are the high-level steps to integrate Oracle E-Business Suite with Oracle Access Manager to enable SSO.
1. Install Database for IAM (OID/OAM)
2. Install Oracle Internet Directory (OID)
3. Install Oracle Access Manager (OAM)
4. Integrate OAM with OID
5. Integrate EBS with OID
6. Install Oracle HTTP Server (OHS)
7. Install WebGate
8. Integrate EBS with OAM
9. WNA configuration (optional but recommended) - http://samiora.blogspot.ae/2015/03/wna-configuration-in-oracle-access.html
10. Test OAM-EBS Integration

Join/Subscribe to this blog and I will email you the step-by-step document I prepared for SSO setup with WNA configuration.

For any further queries on this article, please don't hesitate to contact me on samiora@gmail.com