Oracle EBS integration with OAM and OID
Oracle E-Business Suite (EBS) can be integrated with the Oracle IAM suite to provide a complete user access management solution. However, to integrate with Oracle Access Manager (OAM) it is mandatory to use Oracle Internet Directory (OID). (Note: There is a newer integration of Oracle EBS with Oracle Identity Cloud Service that requires neither OAM nor OID. Here is the link for this new integration.)
To understand the integration of EBS with OAM/OID, see below (a) the architecture of the EBS+OAM+OID integration and (b) the flow of authentication with EBS+OAM+OID. (Note: EBS can provide authentication and access control without OAM, since EBS has its own native AccessGate, which uses header variables to create user sessions. These header variables, similar to OAM_HEADER, can be sent by any other external Access Management solution.) Also refer here for the concepts of how single sign-on works with OAM and Oracle Fusion Middleware.
Update (July 2019): OUD 12c is now also certified with EBS 12.2. This means you now have a choice: you can use either OID or OUD in this integration, but you must use one of these directories.
Below is the architecture for EBS, OAM, WebGate, EBS AccessGate
and below is the Authentication flow
Oracle Internet Directory 11gR1 Patchset 7 (11.1.1.9) is now certified for use in the Oracle Access Manager integration with Oracle E-Business Suite Release 11i (11.5.10.2) and 12 (12.1.3+, 12.2.2+).
Here is a follow-up to the above reference, which includes OUD in addition to OID as a supported directory. That said, OID and OUD remain the required directories in the OAM+EBS+OID integration.
Note: OID is a mandatory requirement when OAM is integrated with EBS because of hardcoded dependencies built into EBS that rely on OID. EBS requires OID as the user directory to enable single sign-on, since EBS is registered with OID for this integration: (1) EBS uses "orclguid" in OID to map the SSO user to the corresponding local user profile, and (2) during authentication, EBS AccessGate expects the SSO system to return this orclguid and the EBS username (stored as a user attribute in the SSO user store) in two header variables, USER_ORCLGUID and USER_NAME respectively. (Note: In OAM the HTTP Header Variable Name is OAM_REMOTE_USER, which is the user_name.)
The two dependencies are as follows. (Here is Steve Chan's article on why EBS integration with OAM requires OID.)
(1) OAM users are mapped to EBS users via a Global Unique Identifier (GUID). The GUIDs for users managed by OAM are generated by OID. E-Business Suite has hardcoded functions to handle the mapping of these OID-generated GUIDs between OAM and EBS. Hence no external LDAP directory can be used, i.e. OID is mandatory in this configuration of OAM+OID+EBS.
(2) In addition, new user accounts that are created in OAM first (for example when users self-register) must also be created synchronously in EBS. The EBS modules that support self-registration of user accounts have hardcoded function calls to OID for user account creation. This is another reason OID is mandatory (no other external LDAP directory can be used).
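The header contract described above, as an added example (a simplified Python model, not Oracle's AccessGate code): the SSO tier discards any browser-supplied copy of the two identity headers before setting its own, and the consuming side accepts them only from the SSO tier and only when the orclguid maps to the named local user. The GUID value, peer address and function names are constructed for illustration.

```python
# Simplified model of header-based session creation (not Oracle's code).
IDENTITY_HEADERS = ("USER_ORCLGUID", "USER_NAME")

# Constructed sample data: orclguid (generated by the directory) -> local user.
SAMPLE_GUID = "A1B2C3D4E5F60718293A4B5C6D7E8F90"
LOCAL_USERS = {SAMPLE_GUID: "JSMITH"}
TRUSTED_SSO_PEERS = {"10.0.0.5"}  # assumed address of the SSO/WebGate tier


def _norm(name):
    """Treat 'User-Name' and 'USER_NAME' as the same header variable."""
    return name.upper().replace("-", "_")


def sso_tier_forward(client_headers, authenticated_user=None):
    """SSO tier: drop identity headers received from the browser, then set
    them from the tier's own authenticated session, if there is one."""
    fwd = {k: v for k, v in client_headers.items()
           if _norm(k) not in IDENTITY_HEADERS}
    if authenticated_user is not None:
        guid, name = authenticated_user
        fwd["USER_ORCLGUID"], fwd["USER_NAME"] = guid, name
    return fwd


def create_session(peer_ip, headers, users=LOCAL_USERS):
    """Consuming side: return (session, reason); session is None on refusal."""
    if peer_ip not in TRUSTED_SSO_PEERS:
        return None, "untrusted peer"
    norm = {_norm(k): v.strip() for k, v in headers.items()}
    guid, name = norm.get("USER_ORCLGUID"), norm.get("USER_NAME")
    if not guid or not name:
        return None, "missing identity header"
    local = users.get(guid.upper())
    if local is None:
        return None, "unknown orclguid"
    if local != name.upper():
        return None, "user name does not match orclguid"
    return {"user": local, "orclguid": guid.upper()}, "ok"


if __name__ == "__main__":
    fwd = sso_tier_forward({"Cookie": "c=1"}, (SAMPLE_GUID, "jsmith"))
    print(create_session("10.0.0.5", fwd))
```

Both checks matter together: stripping at the SSO tier is only meaningful if the consuming application is unreachable except through that tier.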
Here is a good blog on OAM and OID integration with EBS.
Also, FYI, EBS is now available in Oracle Cloud.