Introduction

This document describes how to integrate Oracle EBS(OEBS) with NetIQ Access Manager to provide Single Sign On capability.

Oracle EBS

Oracle EBS is an enterprise suite of business applications. It is a suite of web based applications. It has an inbuilt database that authenticates users against a user table called FND_USERS. The user details including minted passwords are stored in that table. The passwords cannot be read back.

Oracle EBS authenticates users by prompting a form asking for username and password. This credential is verified against the table.

Deployment

The solution involves NetIQ products NetIQ Identity Manager, NetIQ Access Manager.



The solution involves three major functions. Provisioning of users between the Oracle EBS and Corporate User store is managed by NetIQ Identity Manager.

The Web SSO and Application SSO integration is handled by NetIQ Access Manager.

User provisioning

For an SSO, users will be authenticated to a central Identity Provider. The Identity Provider can authenticate the users against a different set of user stores including database. For this approach, we will be authenticating against eDirectory. It is recommended to consolidate all the users to a single user store so that the user management like on-boarding, provisioning and de-provisioning can be done easily.

Since OEBS authenticates users only against its database table, it is required to synchronize the enterprise users to this database so that the users are allowed to access their business applications. The proposed solution in this article is to use NetIQ Identity Manager.

NetIQ Identity Manager has a driver for Oracle EBS, which can seamlessly synchronize users from variety of sources including eDirectory to and from Oracle EBS. Users are immediately provisioned.

Since passwords cannot be read from OEBS, only the passwords are synced in one direction. All other user attributes are two way synced. However, it is recommended to manage users always from your primary enterprise grade user store like eDirectory and handle password management, password reset and self service from your Identity Provider. NetIQ Identity Manager will handle the synchronizing of passwords with OEBS so that users can also login into EBS.

Web SSO

NetIQ Access Manager provides seamless SSO experience to users of Oracle EBS. When you deploy NetIQ Access Manager for all your enterprise applications, your employees can use their already established session to access Oracle EBS applications too.

In this solution, we will be deploying the two components of NetIQ Access Manager, namely Identity Provider and Access Gateway.

When the user accesses the portal of EBS or clicks on a bookmarked link to EBS, NetIQ Access Gateway intercepts the request and checks whether user has a valid session to EBS. If not, it will redirect the user to Identity Provider with a configured contract. If the user has been already authenticated with Identity provider with the required contract, then Identity Provider simply transfer the user back to EBS url. Otherwise, Identity Provider prompts the user for credentials and authenticates against corporate user store. When the request is redirected back to Access Gateway, Access Gateway will forward the request to Oracle EBS. The Access Gateway takes care of forwarding the current users credentials behind the scenes to OEBS and establishes an authenticated session with OEBS.

When a user clicks logout link in OEBS portal, the link has to take the user to logout of Access Manager session so that the user is prompted for credentials again later.

Configuration

In this article, we will cover how to configure NetIQ Access Manager for the above solution. You can follow the documented steps from the book https://www.netiq.com/documentation/idm402drivers/oracle_ebs_suite/data/bookinfo.html to configure the provisioning of users from eDirectory to OEBS.

The NetIQ configuration involves configuring the Authentication class to authenticate against corporate eDirectory to which the Identity Manager synchronizes the user to or from EBS. Also it involves creating of a proxy service in Access Gateway to EBS, configuring a form fill for transferring the credentials to OEBS and finally configuring a rewriter rule to rewrite the logout URL to logout out of NetIQ Access Manager.

Configuring Identity Provider

1. Login into Access Manager Administration Console

• Navigate to Identity Provider → Cluster → edit

• Navigate to Local → User Stores → New

• Enter details of the eDirectory to which the Identity Manager provisions the users with OEBS
  
  
  
  1. Note the administrator user name to connect to eDirectory, e.g. cn=admin,ou=sa,o=system
  
  
• Note the Search Contexts. This is the location where the users will be searched for during authentication. e.g. ou=users,o=data

• Click OK

• Optional: If this is the only directory configured, then you can proceed to apply the changes.

• Optional: if there are multiple directories, you have to create a new Authentication Method and select the userstore to be the one that is getting synced. Also, create a new contract and assign this Authentication method. This new contract will have to be configured in Access Gateway Configuration.

• Apply the configuration

Configuring Access Manager

1. Login into Access Manager Administration Console if you have not logged-in yet

• Navigate to Access Manager → Cluster → edit

• Navigate to Proxy service or create a new one
  
  
  
  1. Proxy Services → Proxy Services List → New
  
  
• create a domain based multi homing proxy service with desired published dns name. e.g. ebs.mycompany.com. Provide the IP address of the EBS server and port. Also enter the dns name of the EBS or select Forward Incoming Hostname, if it is same.

• Click Protected resource link in the row of newly created proxy service

• Create two protected resources
  
  
  
  1. one for path /*, it is a catch all path. This should be configured with the same contract configured in step 7 of Identity Provider configuration.
  
  
• One for path /OA_HTML/RF.jsp. Configure the same “authentication procedure “ done above for this protected resource too.

• Click form fill policy link [None]. And then click, Manage Policies. Create policies mentioned in “Configuring policies section”

• Select the configured policies → click OK. And then, select the policies and click Enable.

• Click OK until you reach the “Access Gateway” devices page.

• Apply the configuration.

Configuring Policies

1. Click New Policy → Select Form Fill type → click OK after giving it a name

• Click New → Form Fill

• Enter “DefaultFormName” in “Form name” entry

• Add two Input Fields
  
  
  
  1. Input Field Name: usernameField
  
  
  

• Input Field Type: text

• Input Field Value: Credential Profile → Ldap Credential → Ldap username

1. Input Field Name: passwordField

• Input Field Type: password

• Input Field Value: Credential Profile → Ldap Credential → Ldap Password

5. Click Auto Submit

• Click “Enable Javascript Handling”

• Enter the following under “Statements to execute on form submit”
  

  submitForm('DefaultFormName',1,{'_FORM_SUBMIT_BUTTON':'SubmitButton'});
  
  return false;

8. Click OK

Configuring Rewriter Rule for changing Logout Link

1. Login into Access Manager Administration Console if you have not logged-in yet

• Navigate to Access Gateways → Cluster → edit

• Click on the ebs reverse proxy that is configured in section “Configuring Access Gateway” under Reverse Proxy List

• Click on “HTML Rewriting” tab

• Click “New” on “HTML Rewriter Profile List”
  
  
  
  1. Enter a name for the profile
  
  
• Select “Character” for Word Boundary

• In the “Additional Strings to Rewrite” section add the following
  

  /OA_HTML/OALogout.jsp  /AGLogout

7. Click OK

• Apply the configuration

Disabling “Change Password at first login” behaviour

When Identity Manager synchronizes new users between eDirectory to OEBS, it creates a user with configured password at OEBS. OEBS recognizes this a new user and sets the flag that user need to change his password during first login. This is a OEBS specific behavior. If not disabled, during the first login into OEBS through Access Manager, user will be changing his password. Following which, the password is not same between eDirectory and OEBS. Identity Manager cannot detect this password and sync back to eDirectory because these passwords stored at OEBS cannot be read back, but only can be rewritten. So, it is better to disable this behavior and handle all change passwords directly from Identity Provider or another application which will rewrite the OEBS password. To disable this change password prompt, run the following script using PL/SQL interface on OEBS.

DECLARE

v_flag BOOLEAN;

BEGIN

v_flag := fnd_user_pkg.ChangePassword('USERNAME','password');

END;
COMMIT;

Verifying by logging In & Test

Once you have configured as above and applied the configuration, you can verifying that Provisioning and SSO is working by doing the following

1. First verify the following checklist before proceeding the test
   
   
   
   1. Check that Identity Manager's “Oracle UB EBS” driver is running and healthy
   
   
2. Check that Access Manager's health of Identity Provider and Access Gateway are green

• Create a new user in corporate eDirectory

• Wait for few seconds so that user is provisioned to OEBS

• Access the OEBS link in a browser

• Select the Contract that is configured for OEBS

• Enter the credentials of newly created user

• It should take you the logged in page of OEBS with all his links

• Click Logout, it should take you to /AGLogout which will logout of Access Manager

• Enter the OEBS url again, it should prompt for user credentials again.