Learn About Enabling SSO for Oracle E-Business Suite with OCI IAM using EBS Asserter in High Availability mode
This integration allows your Oracle E-Business Suite to participate in the single sign-on (SSO) provided by OCI IAM. To enhance security for the sign-in process, you can set up sign-in and identity provider policies, and configure multi-factor authentication. You can also enable adaptive security to provide strong authentication capabilities and risk analysis for your users across applications and Oracle E-Business Suite in OCI IAM.
- Oracle WebLogic Server is deployed on an OCI compute instance and
- Oracle EBS is deployed on OCI using Oracle EBS Cloud Manager
For each EBS instance, you configure and deploy one instance of the OCI IAM E-Business Suite Asserter application.You can deploy EBS Asserter in HA mode using different configurations as described in the following section:
- Multiple WebLogic Server machines, with each machine hosting a single managed server and deployed with a single EBS Asserter.
- A single WebLogic Server machine with multiple managed servers. Each managed server has a single deployment of EBS Asserter.
- A single WebLogic Server machine with a single managed server. The managed server has multiple deployments of EBS Asserter.
To accomplish the third scenario, you must perform the following tasks:
- Rename each EBS Asserter application's Web Application Resource (WAR) file before you deploy the file to the same WebLogic managed server. In this case, the domain name and port number of all E-Business Suite Asserter's URLs will be same, but the URL's context will change.
- Extract the contents of each
ebs.warfile to a folder, find theweblogic.xmlfile, edit this file, update the value of the<cookie-path>tag to match the EBS Asserter's URL, and then rebuild theebs.warfile.
For example, if you want the E-Business Suite Asserter to respond to URL
context /app/ebs, then update the tag within
weblogic.xml with the value
<cookie-path>/app/ebs</cookie-path>.
For example, if you have two EBS instances named Development 1 and Development 2 and you want to integrate these EBS instances with OCI IAM using the E-Business Suite Asserter, but you only have one WebLogic managed server for the two E-Business Suite Asserter applications, then you need to execute the procedures in this tutorial for each EBS instance. You configure the WebLogic Server only once, and configure and deploy the E-Business Suite Asserter Application for each EBS instance:
- For EBS instance Development 1:
- Make a copy of the ebs.war file and name the new file
ebsdev1.war. - Update the
weblogic.xmlcontained in theebsdev1.warfile, by replacing the cookie-path tag with the following value:<cookie-path>/ebsdev1</cookie-path>. - Update the
bridge.propertiesfile (section 5) contained in theebsdev1.warfile. - Rebuild the
ebsdev1.warfile and then deploy this file (section 7) to the WebLogic managed server.
- Make a copy of the ebs.war file and name the new file
- For EBS instance Development 2:
- Make a copy of the
ebs.warfile and name the new fileebsdev2.war. - Update the
weblogic.xmlcontained in theebsdev2.warfile, by replacing the cookie-path tag with the following value:<cookie-path>/ebsdev2</cookie-path>. - Update the
bridge.propertiesfile (section 5) contained in theebsdev2.warfile. - Rebuild the
ebsdev2.warfile and then deploy this file (section 7) to the WebLogic managed server.
- Make a copy of the
You will deploy both ebsdev1.war and ebsdev2.war files
in to the same WebLogic managed server. The E-Business Suite Asserter's URL for EBS
instance Development 1 will be
https://ebsasserter.example.com:7002/ebsdev1, and for EBS instance
Development 2
https://ebsasserter.example.com:7002/ebsdev2.
Before You Begin
Before you begin using E-Business Suite Asserter, understand how to enable it, and how it works with other components.
- If your Oracle E-Business Suite is integrated with Oracle Access Manager, Oracle Internet Directory, E-Business Suite AccessGate, or uses any other SSO profile, then remove the integration between these components and Oracle E-Business Suite, and then restart the servers before using the OCI IAM E-Business Suite Asserter.
- Know what’s supported. All Oracle E-Business modules which use browser-based login will work with E-Business Suite Asserter for SSO. Excel-based login of Web ADI is supported. Mobile Apps for EBS, such as approvals and expenses, are supported. Modules which do not use browser-based login, such as Mobile Web Applications (MWA) and E-Signature, are not supported.
Architecture
In this playbook, one WebLogic cluster is created comprising of two WebLogic machines. Each of these WebLogic machines host one WebLogic managed server. Two instances of E-Business Suite Asserter are deployed on each of the two WebLogic Managed servers. OCI Load Balancer is used to provide high availability and traffic management between the two nodes of OCI IAM Asserter.
Oracle E-Business Suite is also deployed in High Availability with two different nodes, using Oracle EBS Cloud Manager. Oracle E-Business Suite uses Oracle RAC database with two nodes of database server. The OCI IAM Asserter interacts with OCI IAM through OCI IAM Rest API and redirects the user's web browser to OCI IAM and Oracle E-Business Suite.
The following architecture diagram shows how the E-Business Suite Asserter, Oracle E-Business Suite, and OCI IAM interact.
- The user requests access to an Oracle E-Business Suite protected resource.
- The request reaches OCI Load Balancer and based on the availability of the backend servers, it forwards the requests to the appropriate Oracle E-Business Suite server.
- Oracle E-Business Suite redirects the user browser to the E-Business Suite Asserter application, which is directed through the OCI Load Balancer.
- The OCI Load Balancer, based on the configuration and availability of the backend E-Business Suite Asserter servers, forwards the request to the appropriate E-Business Suite Asserter server. The OCI Load Balancer generates a cookie and attaches it to the request to maintain session stickiness.
- The OCI IAM Asserter uses an OCI IAM SDK to generate the authorization URL and then redirects the browser to OCI IAM.
- OCI IAM presents its sign in page to the user.
- The user submits credentials to OCI IAM.
- OCI IAM issues an authorization code and redirects the user's browser to the E-Business Suite Asserter.
- The response reaches the OCI Load Balancer and based on the session cookie it redirects the request to appropiate E-Business Suite Asserter server.
- The E-Business Suite Asserter uses an OCI IAM SDK to communicate with OCI IAM to exchange the authorization code for an access token.
- OCI IAM issues an access token and an ID token to the E-Business Suite Asserter.
- The E-Business Suite Asserter creates an Oracle E-Business Suite cookie and redirects the user's browser to Oracle E-Business Suite.
- Oracle E-Business Suite presents the user requested protected resource.
About Required Services and Roles
An OCI IAM administrator must be able to access the OCI IAM console to download E-Business Suite Asserter and configure and activate applications.
- OCI IAM
- Oracle E-Business Suite
You must have the following roles:
| Role | Required to... |
|---|---|
|
OCI IAM: Security administrator |
Access the Downloads page of the OCI IAM console. From this page, you can download the OCI IAM E-Business Suite Asserter. |
|
OCI IAM: Application administrator |
Manage applications in OCI IAM, which includes registering the sample mobile app with OCI IAM. |
|
Oracle E-Business Suite: Server administrator |
Access the Oracle E-Business Suite installation folder, the Oracle WebLogic Server where you deploy the E-Business Suite Asserter, and the E-Business Suite Asserter machine as an operating system user. |