Overview of Single Sign-On Integration Options for Oracle E-Business Suite (Doc ID 1388152.1)
The most current version of this document can be obtained through My Oracle Support Knowledge Document 1388152.1
Method 1: Uses the WebGate agent, in conjunction with Oracle E-Business Suite AccessGate. This method is described in
detail in Section 3.1.1.
Method 2: Uses the mod_osso agent, and is only for users upgrading from Oracle Single Sign-On Server 10gR3. This
method is described in detail in Section 3.1.2.
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=188419895820138&parent=DOCUMENT&sourceId=1576425.1&id=1388152.1&_afrWindo… 1/7
11/10/2014 Document 1388152.1
3.1.1 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with WebGate and Oracle
E-Business Suite AccessGate
Oracle Access Manager WebGate is a component of Oracle Access Manager that intercepts HTTP requests and redirects them to
the Oracle Access Manager server to determine if and how the resources are allowed to be accessed, and to authenticate the
current user if authentication is required. If Oracle Access Manager is already deployed in the environment, an existing WebGate
can be configured for this purpose.
The integration with WebGate and Oracle E-Business Suite AccessGate is depicted in Figure 1 and detailed in the following
steps:
Steps 1 and 2. When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource,
the user is directed to the Oracle E-Business Suite AccessGate application.
Oracle E-Business Suite AccessGate is a Java EE application responsible for mapping a single sign-on user to an
Oracle E-Business Suite user, and creating the Oracle E-Business Suite session for that user. This application is
deployed to a WebLogic Server instance, and is separate from Oracle E-Business Suite.
Steps 3 and 4. Oracle E-Business Suite AccessGate is protected by the Oracle Access Manager server, so the
authentication request is rerouted to a separate HTTP Server on which a WebGate is installed.
Oracle Access Manager WebGate is a component of Oracle Access Manager that intercepts HTTP requests and
redirects them to the Oracle Access Manager server to determine if and how the resources are allowed to be
accessed, and to authenticate the current user if authentication is required. If Oracle Access Manager is already
deployed in the environment, an existing WebGate can be configured for this purpose.
Steps 5, 6 and 7. Once a user is initially authenticated by Oracle Access Manager, the request for a resource,
along with the credentials returned by the Oracle Access Manager server, is picked up by Oracle E-Business
Suite AccessGate.
Steps 8 and 9. If the Access Server credentials are valid, this application connects to the Oracle E-Business Suite
database in order to link the Oracle Internet Directory (OID) user to an Oracle E-Business Suite user. If Oracle E-
Business Suite fails to identify a linked user for the Oracle Internet Directory user, the user is redirected to the
linking page so that he may map his unlinked Oracle Internet Directory user account to his Oracle E-Business Suite
username. Once this mapping is done, the originally requested resource is returned with a valid authenticated
Oracle E-Business Suite user session.
All subsequent requests for Oracle E-Business Suite resources are then returned directly to the user as long as the
user session remains valid.
NOTE: Each Oracle E-Business Suite instance requires its own deployment of the Oracle E-Business Suite AccessGate
application. Oracle E-Business Suite AccessGate must be installed and configured in the same Internet domain as the Oracle E-
Business Suite middle tier servers. If different physical hosts and domains are used for the components, the entry points must be
configured to use the same domain; for example, using a reverse proxy. This is because several Oracle E-Business Suite domain
cookies are shared among the middle tiers and the Oracle E-Business Suite AccessGate server.
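The same-domain requirement in the NOTE above can be checked before deployment. The following is an added example, not Oracle's code: it applies the RFC 6265 domain-match rule to each component's entry-point host. The hostnames and the cookie domain are constructed sample values, and only the cookie Domain attribute is considered (not Path or Secure).

```python
# Added example: checks the "same Internet domain" requirement from the NOTE.
# Hostnames and the cookie domain below are constructed sample values.
import ipaddress


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match of a request host against a cookie Domain."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not host or not domain:
        return False
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals only match exactly, never as a suffix
    except ValueError:
        pass
    # Require a label boundary so "evilapps.example.com" does not match "apps.example.com".
    return host.endswith("." + domain)


def check_entry_points(cookie_domain: str, entry_points: dict) -> dict:
    """Return {component: bool}: would a browser send a cookie scoped to
    cookie_domain to that component's entry-point host?"""
    return {name: domain_match(host, cookie_domain)
            for name, host in entry_points.items()}


def unreachable(cookie_domain: str, entry_points: dict) -> list:
    """Components that would not receive the shared domain cookies."""
    results = check_entry_points(cookie_domain, entry_points)
    return sorted(name for name, ok in results.items() if not ok)


# Constructed deployment: AccessGate published in a different domain than the middle tier.
SPLIT = {
    "ebs_middle_tier": "ebs.apps.example.com",
    "accessgate": "accessgate.sso.example.net",
}
# Same components with AccessGate published through a reverse proxy in the EBS domain.
PROXIED = {
    "ebs_middle_tier": "ebs.apps.example.com",
    "accessgate": "accessgate.apps.example.com",
}

if __name__ == "__main__":
    for label, deployment in (("split", SPLIT), ("proxied", PROXIED)):
        print(label, unreachable(".apps.example.com", deployment))
```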
3.1.2 Oracle E-Business Suite Single Sign-On integration using Oracle Access Manager with mod_osso
The integration with Oracle Access Manager and mod_osso is depicted in Figure 2 and detailed in the following steps:
Steps 1 and 2. When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource,
the user is directed to the Oracle Access Manager 11g Server by mod_osso in the Oracle E-Business Suite OHS.
Step 3. Oracle Access Manager 11g server validates the Oracle Access Manager session (in the OAM_ID cookie, if
the cookie exists); finding none (for a first-time login), it displays the Oracle Access Manager SSO login page.
Step 4. The user submits their credentials and the Oracle Access Manager 11g Server validates those against
Oracle Internet Directory.
Step 5. Oracle Access Manager 11g Server creates the Oracle Access Manager session (OAM_ID cookie) and
redirects back to /osso_login_success on the Oracle E-Business Suite tier, i.e.
http(s)://<EBSHostname>.<Domain_Name>:<EBS_OHS_Port>/osso_login_success (the Success URL as defined for the
Oracle Single Sign-On Agent).
Step 6. Mod_osso in the Oracle E-Business Suite OHS creates the OHS-ID cookies and sets Oracle Single Sign-On
HTTP Server variables for reference by Oracle E-Business Suite.
Step 7. Oracle E-Business Suite then creates an application session for the EBS user linked to the SSO
authenticated Oracle Internet Directory user.
Step 8. Finally the user is redirected to the original URL and the requested resource is returned.
If Oracle E-Business Suite fails to identify a linked user for the Oracle Internet Directory user, the user is redirected
to the linking page so that he may map his unlinked Oracle Internet Directory user account to his Oracle E-Business
Suite username. Once this mapping is done, the originally requested resource is returned with a valid authenticated
Oracle E-Business Suite user session. All subsequent requests for Oracle E-Business Suite resources are then
returned directly to the user as long as the user session remains valid.
3.2 How the Oracle Single Sign-On Server (OSSO) Integration Works
Oracle’s previous single sign-on solution for Oracle E-Business Suite customers was integration with Oracle Single Sign-On
10gR3, accomplished by following My Oracle Support Knowledge Document 376811.1 (Integrating Oracle E-Business Suite
Release 12 with Oracle Internet Directory and Oracle Single Sign-On).
When an unauthenticated user attempts to access a protected Oracle E-Business Suite resource, the user is directed to the
Oracle Single Sign-On server by mod_osso in the Oracle E-Business Suite OHS.
The Single Sign-On server looks for its cookie in the browser. If it finds none, it tries to authenticate the user with a user name
and password. If authentication is successful, the Single Sign-On server creates a cookie in the browser as a reminder that the
user has been authenticated. If a cookie exists, the Single Sign-On server will authenticate using the cookie.
The Single Sign-On server returns the user's encrypted information to mod_osso. Mod_osso creates its own cookie for the user in
the browser and redirects the user to the requested URL.
Premier Support for Oracle Single Sign-On ended on December 31, 2011. Oracle Single Sign-On is now in Extended Support. To
find out more about the support policies of these products, refer to: Oracle Software Technical Support Policies (see item '(g)' on
page 7).
If you are running Oracle E-Business Suite today with Oracle Single Sign-On, you may migrate your Oracle Single Sign-On partner
registrations to Oracle Access Manager 11g with mod_osso.
3.3 Integration with Third-Party Access Management Systems and LDAP Directories
Oracle E-Business Suite single sign-on solutions support integration with third-party access management systems and LDAP
directories; this integration is depicted in Figure 3. With third-party access management systems integration, the Oracle
E-Business Suite Application Server delegates user authentication to Oracle Access Manager or Oracle Single Sign-On, which then
delegates user authentication to the third-party access management system.
There are numerous dependencies on Oracle Access Manager and Oracle Internet Directory in a single sign-on solution with
Oracle E-Business Suite. Due to these underlying dependencies, Oracle Access Manager and Oracle Internet Directory are
mandatory components of the integration even when integrating with third-party systems.
When integrating with a third-party LDAP, the third-party LDAP synchronizes user attributes with Oracle Internet Directory which
synchronizes user attributes with the Oracle E-Business Suite database (FND_USER). The following diagram depicts a third-party
integration architecture with an Oracle Access Manager integration:
Existing Oracle Single Sign-on (OSSO) customers should also consider upgrading to the latest certified version of Oracle Access
Manager with Oracle E-Business Suite AccessGate. Additional details regarding recommended solutions and documentation may
be found in the Documentation Roadmap section of this document.
Currently Oracle Access Manager 11gR1 and 11gR2 support two types of agents for integration: OAM Agents (WebGates),
and OSSO Agents (mod_osso). Oracle E-Business Suite integration with Oracle Access Manager supports both types of
agents. Using OAM Agents (WebGates) is Oracle’s strategic single sign-on integration. OSSO Agents (mod_osso) are still
supported as legacy agents, but these are planned to be de-supported in future releases. For more information on the two
types of agents, refer to the section Introduction to Agents and Registration in the Oracle Fusion Middleware
Administrator's Guide for Oracle Access Management 11g Release 2.
If you are running Oracle E-Business Suite with Oracle Access Manager 10gR3, there is an option to migrate to Oracle
Access Manager 11gR2; however, when integrating with Oracle E-Business Suite it is also necessary to upgrade to the
latest version of Oracle E-Business Suite AccessGate. It is therefore recommended to install OAM 11gR2 and integrate that
with Oracle E-Business Suite using the latest version of Oracle E-Business Suite AccessGate, as documented in My Oracle
Support Knowledge Document 1484024.1 Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager
11gR2 (11.1.2) using Oracle E-Business Suite AccessGate.
In contrast, logical diagrams are intended to assist with understanding the various components and services of an environment.
They are not meant to denote the number of physical servers required for a particular environment, because the various logical
components can be combined and installed on a single server.
There are a number of configurations with numerous certified versions that are available for deploying an Oracle E-Business
Suite single sign-on solution. The following diagram is a logical reference architecture diagram for Release 12 and Release 11i
single sign-on solutions.
With Oracle E-Business Suite Release 12.2, single sign-on integration is simplified. Both WebGate 11g and Oracle E-Business
Suite AccessGate are automatically installed and configured on your Oracle E-Business Suite Release 12.2 application tier server
node, and so are not shown on the diagram.
Change Log
Date                Description
September 17, 2013  Updated the Documentation Roadmap for Oracle E-Business Suite Release 12.2.
                    Added Figure 6 - Oracle E-Business Suite Release 12.2 single sign-on Reference Architecture diagram.
May 9, 2013         Added a link to OAM 11gR1 PS1 (11.1.1.7.0) Document for Oracle E-Business Suite Release 12 in the
                    Documentation Roadmap.
Copyright (c) 2014, Oracle. All rights reserved.