
Friday, May 10, 2019

Overview of Single Sign-On Integration Options for Oracle E-Business Suite

Oracle Directory Services refers to both Oracle Internet Directory and Oracle Unified Directory.

Oracle has two single sign-on solutions, Oracle Access Manager and Oracle Single Sign-On Server (OSSO). Oracle Access Manager is the preferred solution and forms the basis of Oracle Fusion Middleware 11g. Premier Support for Oracle Single Sign-On ended on December 31, 2011, and all Oracle Single Sign-On users should migrate to Oracle Access Manager. Oracle Single Sign-on Server (OSSO) is no longer being actively developed, and will not be ported to Oracle WebLogic Server.

Oracle Internet Directory and Oracle E-Business Suite user information in FND_USER is synchronized by synchronization events raised by the Workflow-based Business Event System.

Oracle E-Business Suite is not certified to function directly with third-party Access Management products or third-party LDAP products. Due to dependencies in the integration, Oracle Access Manager and Oracle Internet Directory are mandatory components when integrating with third-party access management systems and third-party LDAP directories.

Oracle Access Manager WebGate is a component of Oracle Access Manager that intercepts HTTP requests and redirects them to the Oracle Access Manager server to determine if and how the resources are allowed to be accessed, and to authenticate the current user if authentication is required.

Oracle E-Business Suite AccessGate is a Java EE application responsible for mapping a single sign-on user to an Oracle E-Business Suite user, and creating the Oracle E-Business Suite session for that user. This application is deployed to a WebLogic Server instance, and is separate from Oracle E-Business Suite.

Various SSO components (OAM/EBS integration components):

Oracle Internet Directory (OID):
=================================

Oracle Internet Directory (OID) is the Lightweight Directory Access Protocol (LDAP) server from Oracle in which all enterprise users are stored. Users in OID are synchronized with users in E-Business Suite (EBS) using Directory Integration Platform (DIP). Oracle Access Manager (OAM) should use an LDAP server (such as OID, or Oracle Virtual Directory (OVD) pointing to this OID) as its identity store for authentication. There are various versions of OID, such as 10g and 11g (11.1.1.2/3/4/5/6/7); as of Oct 2013 the latest OID version is 11.1.1.7. It is recommended to use OID version 11.1.1.7 to integrate with Oracle E-Business Suite R12.1.x/R12.2.x.

Directory Integration Platform (DIP):
=======================================

Directory Integration Platform (DIP) 11g is a J2EE application deployed on WebLogic Server and used for provisioning/synchronization of users/groups across other LDAP servers and applications. DIP consists of two types of engine, synchronization and provisioning. The synchronization component is used to sync users/groups between OID and other LDAP servers such as Microsoft Active Directory (MS-AD) or IBM Directory Server. Provisioning is used to sync OID with applications such as EBS, Portal and Collaboration Suite. For user synchronization between OID and EBS, DIP uses its provisioning component.

Oracle Directory Services Manager (ODSM):
==========================================

Oracle Directory Services Manager (ODSM) is a web application deployed on WebLogic Server and used to manage OID from a web browser. Using ODSM you can configure/manage OID and create/delete users/groups.

Oracle WebLogic Server (WLS)
============================

Oracle WebLogic Server (WLS) is the J2EE application server from Oracle. A WebLogic domain is the logical component in which all resources (Admin Server, managed servers, Java Database Connectivity (JDBC), Java Messaging Server (JMS)) are deployed/configured. A WebLogic domain consists of one and only one Admin Server and zero or more managed servers.

Oracle Access Manager (OAM):
============================
Oracle Access Manager is a J2EE application deployed on WebLogic Server and used as the authentication & authorization server. The OAM server is deployed on a WebLogic managed server (default port 14100). An OAM proxy server runs in the background on default port 5575; agents (WebGates) connect to the OAM proxy port. OAMConsole is a web application deployed on the WebLogic Admin Server (default port 7001) and is used to manage configuration and to define/manage policies and authentication schemes.
OAM configuration is stored in an XML file (oam-config.xml) on the server and contains all OAM configuration such as server name, port, WebGate details and audit store details. If we want to change the Admin Server port, we need to shut down the Admin Server and managed server first, change the listen port in config.xml, and then start the Admin and managed servers so that the new port takes effect. The OAM policy store is a repository (database) that stores policies (details such as which URL is protected and with what authentication/authorization schemes).

Oracle HTTP Server (OHS):
=========================
Oracle HTTP Server is a web server from Oracle on which WebGate is deployed. Users are redirected from the EBS middle tier to this server for authentication (the URL of this server is configured in the EBS profile option “Application Authentication Agent”). OHS acts as a proxy server to the WebLogic Server on which EBS AccessGate (EBS-AG) is deployed: it has mod_wl_ohs configured to forward requests to that WebLogic Server. E-Business Suite R12 comes with its own OHS server; the OHS server mentioned here is a different OHS server from the one shipped with the EBS R12 technology stack.

Webgate:
===========
WebGates are policy enforcement agents that act as a filter for HTTP requests and communicate with Oracle Access Manager authentication and authorization services.

WebGate is nothing but a policy enforcement point: any request coming to EBS is first taken to Oracle Access Manager for authentication and authorization.

WebGate is a web server plug-in (deployed with a web server such as Apache, OHS or IHS) which intercepts the user's request and sends it to the Oracle Access Manager server to check whether the user is authenticated/authorized to access the requested resource. WebGate is installed on the same machine as the web server (OHS), and the WebGate configuration settings are referenced from the OHS configuration file (httpd.conf). For WebGate to work, an instance of WebGate must be registered in the OAM server using the Remote Registration (REG) utility or OAMConsole, and WebGate must be installed with OHS using the same OS user as OHS.

mod_wl_ohs:
============
This is a module in Oracle HTTP Server (OHS) which forwards requests from OHS to the WebLogic Server where EBS AccessGate is deployed, as defined in mod_wl_ohs.conf.

Access Gate:
=============
It is nothing but a Java application that comes as part of a patch for Oracle EBS and gets deployed on the WebLogic server. Its role: once authentication is successful with Oracle Access Manager and the request comes back to the EBS application tier with the authenticated user ID, AccessGate takes this user ID, connects to the EBS database, validates the user once more to see whether the user exists in the FND_USER table, and if the user exists it links this user with the user authenticated by OAM. Then it creates a session in EBS and allows access to the application tier.

EBS AccessGate (EBS-AG) is a Java EE application that maps a Single Sign-On user (authenticated via OAM) to an Oracle E-Business Suite user (stored in the FND_USER table) and creates the E-Business Suite session for that user. EBS-AG is deployed on WebLogic Server using an Ant script, which creates a web application and a JDBC connection to the EBS database. The login page for E-Business Suite is also configured as part of EBS-AG.

Profile Option:
================
Profile options are used in E-Business Suite to change the behaviour of the environment. The profile options used for this integration are Application SSO Type and Application Authentication Agent.

Application SSO Type (APPS_SSO) - This profile option can be set only at site level, to one of four values: SSWA, Portal, SSWA w/SSO or Portal w/SSO. To inform E-Business Suite that Single Sign-On is configured and to redirect the user to the Single Sign-On page rather than the local login page, set this profile option to either SSWA w/SSO or Portal w/SSO.

Application Authentication Agent (APPS_AUTH_AGENT) - When this profile option is set together with "Application SSO Type", the user is redirected to the page generated from this profile option's value. Let's assume the value of profile option "Application Authentication Agent" is set to http://ohsserver:ohsport/ebsauth_dev/; then the user is redirected to the page http://ohsserver:ohsport/ebsauth_dev/OAMLogin.jsp. The value of profile option "Application Authentication Agent" is set in the format http://server:port/<context_root>, where server is the name of the server on which Oracle HTTP Server (OHS) with WebGate is installed, port is the OHS listen port and context_root is the context root defined during AccessGate configuration.
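The two profile options above decide whether a login lands on the local EBS login page or is redirected to OAM. The following is an added example, not code from the post or from Oracle; it models that decision and, because a malformed "Application Authentication Agent" value sends every login to a dead URL once SSO is switched on, checks that the value has the http://server:port/<context_root> shape before it is used. The function names, the port 4443 and the `auth_agent_problem` checks are my own assumptions; the profile option names, the four SSO Type values and the OAMLogin.jsp page come from the text.

```python
"""Model of the EBS login decision driven by APPS_SSO and APPS_AUTH_AGENT.

Added illustration only; not EBS code.  Profile option names/values are the
ones quoted in the post, everything else (function names, sample host/port)
is an assumption made for this example.
"""
from urllib.parse import urlsplit

# Documented values of the "Application SSO Type" (APPS_SSO) profile option.
LOCAL_LOGIN_TYPES = {"SSWA", "Portal"}
SSO_LOGIN_TYPES = {"SSWA w/SSO", "Portal w/SSO"}

# Page under the AccessGate context root that users are redirected to.
OAM_LOGIN_PAGE = "OAMLogin.jsp"


def auth_agent_problem(agent_value):
    """Return None if agent_value looks like http(s)://server:port/<context_root>,
    otherwise a short description of what is wrong with it."""
    if not agent_value:
        return "Application Authentication Agent is not set"
    parts = urlsplit(agent_value)
    if parts.scheme not in ("http", "https"):
        return "scheme must be http or https: %r" % agent_value
    if not parts.hostname:
        return "missing OHS host name: %r" % agent_value
    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        port = None
    if port is None:
        return "missing or non-numeric OHS listen port: %r" % agent_value
    context_root = parts.path.strip("/")
    if not context_root or "/" in context_root:
        return "expected exactly one context root path segment: %r" % agent_value
    if parts.query or parts.fragment:
        return "query string or fragment not allowed: %r" % agent_value
    return None


def normalise_auth_agent(agent_value):
    """Rebuild the agent URL with exactly one trailing slash."""
    parts = urlsplit(agent_value)
    return "%s://%s:%d/%s/" % (parts.scheme, parts.hostname, parts.port,
                               parts.path.strip("/"))


def login_target(apps_sso_type, apps_auth_agent):
    """Return ("local", None) for a local login, or ("sso", redirect_url).

    Raises ValueError for an unknown SSO Type or an unusable agent value,
    which is the case a site should catch before enabling a w/SSO type.
    """
    if apps_sso_type in LOCAL_LOGIN_TYPES:
        return ("local", None)
    if apps_sso_type in SSO_LOGIN_TYPES:
        problem = auth_agent_problem(apps_auth_agent)
        if problem:
            raise ValueError(problem)
        return ("sso", normalise_auth_agent(apps_auth_agent) + OAM_LOGIN_PAGE)
    raise ValueError("unknown Application SSO Type value: %r" % apps_sso_type)


if __name__ == "__main__":
    # Constructed sample values; ohsserver/ebsauth_dev are the placeholders
    # used in the post, the port number is made up.
    print(login_target("SSWA w/SSO", "http://ohsserver:4443/ebsauth_dev/"))
    print(login_target("SSWA", None))
    print(auth_agent_problem("http://ohsserver/ebsauth_dev/"))
```

Running the checks before flipping "Application SSO Type" to a w/SSO value is the practical point: the local login page is the fallback that disappears the moment the redirect is enabled, so the agent URL has to be right first.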

================

1. EBS R12.2 with

  •   AccessGate
  •   WebGate

2. Oracle Access Manager

3. Oracle Directory Server

  OID (Oracle Internet Directory)
  or
  OUD (Oracle Unified Directory)

Request Flow for E-business Suite integrated with OAM/OID:
==========================================================

The user tries to access EBS and hits Oracle HTTP Server, where WebGate intercepts the request and forwards it to Oracle Access Manager. OAM has its own database in which policies are defined around the Oracle EBS URLs to be protected and the authentication scheme protecting them; the user is redirected to the OAM login page that is generated from the policy defined in OAM during integration. Once the user types credentials and submits them to OAM, OAM picks up that user ID and password and submits them to OID for validation. Once OID says authentication is successful, a session is created in OAM, and the authenticated user ID together with the GUID (global user ID) is sent to WebGate. The request is then intercepted by AccessGate, which picks up the authenticated user ID and GUID and takes these two details to the EBS database, checking them against the FND_USER table. If a user is found with the same GUID, a link is made, an ICX session is created in the database and a session at the application tier, and after that the user can access EBS directly without going to OAM.

1. User accesses the E-Business Suite URL http://<ebs_mid_tier>:<ebs_ohs_port> or http://<ebs_mid_tier>:<ebs_ohs_port>/OA_HTML/AppsLogin. EBS checks that profile option “Application SSO Type” is set to Portal w/SSO or SSWA w/SSO (w/SSO signifies that EBS is integrated with a Single Sign-On server).

2. EBS then checks the value of profile option “Application Authentication Agent” (set to http://<ohs_with_wg>:<ohs_with_wg_port>/<context_root>/, where <context_root> is the value set during E-Business Suite AccessGate deployment) and redirects the user to that value.

3. WebGate deployed with the OHS server then checks whether any token (cookie) is available in the user session and forwards the request to the OAM server for validation.

4. The OAM server then checks the authentication URL configured for the WebGate (Host:Port or Host Identifier) and redirects the user to the authentication page configured by that URL. The user types username/password, which OAM validates against OAM’s identity store (Oracle Internet Directory). Oracle Internet Directory validates the username and password against UID (login attribute) and userPassword (password attribute).

5. On successful authentication, OAM forwards the response back to WebGate with a generated cookie.

6. WebGate then redirects the user to E-Business Suite AccessGate for user validation or user mapping.

7. E-Business Suite AccessGate takes this user ID and maps/validates it against the user in E-Business Suite (FND_USER).

8. On successful validation, the response is returned back to WebGate.

9. WebGate forwards the response to the user.

10. The user, with the token/cookie from WebGate/AccessGate, goes to the E-Business Suite middle tier.

11. The E-Business Suite middle tier generates an E-Business Suite specific cookie for the user; in subsequent requests the user talks directly to Oracle E-Business Suite until explicit logout or timeout.

   Note: Users in E-Business Suite (FND_USER) are synchronized with Oracle Internet Directory using the Directory Integration Platform’s Provisioning Framework.
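Step 7 above, and the AccessGate description earlier on the page, both say that AccessGate takes the user ID and GUID returned from OAM, looks the user up in FND_USER and links the two before an EBS session is created. The block below is an added example, not AccessGate's own code or any Oracle API: it models that mapping step with an in-memory stand-in for FND_USER. The column names USER_NAME, USER_GUID and END_DATE, the sample rows, and the decision rules (GUID match first; fall back to the user name only for a row that has no GUID yet; refuse to re-link a row already bound to a different GUID; refuse end-dated accounts) are my assumptions made for illustration, and the constructed GUID strings are not real identifiers.

```python
"""Model of the AccessGate user-mapping step (added illustration, not EBS code).

FND_USER is represented by a list of FndUser rows built in sample_fnd_user();
the column names and the linking rules below are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class FndUser:
    user_name: str                   # EBS login name, kept upper-case like FND_USER
    user_guid: Optional[str]         # directory GUID recorded when the user was linked
    end_date: Optional[date] = None  # set when the EBS account is end-dated


def find_by_guid(rows, guid):
    """First row whose stored GUID matches, or None."""
    return next((r for r in rows if r.user_guid == guid), None)


def find_by_name(rows, name):
    """First row whose user name matches (case-insensitively), or None."""
    return next((r for r in rows if r.user_name == name.upper()), None)


def map_sso_user(rows, sso_user_id, sso_guid, today=None):
    """Decide whether an EBS session may be created for an OAM-authenticated user.

    Returns ("session", user_name) on success, otherwise ("deny", reason).
    Linking a previously unlinked row is recorded by setting its user_guid.
    """
    today = today or date.today()
    if not sso_user_id or not sso_guid:
        return ("deny", "OAM response is missing the user ID or GUID")

    # 1. Preferred path: the GUID is already linked to an FND_USER row.
    user = find_by_guid(rows, sso_guid)
    if user is None:
        # 2. First SSO login for this directory account: fall back to the user
        #    name, but only link a row that has no GUID yet.  Re-linking a row
        #    that is bound to another GUID would let a different directory
        #    identity take over an existing EBS account.
        user = find_by_name(rows, sso_user_id)
        if user is None:
            return ("deny", "no FND_USER row for %s" % sso_user_id.upper())
        if user.user_guid:
            return ("deny", "FND_USER %s is already linked to a different GUID" % user.user_name)
        user.user_guid = sso_guid  # link the directory identity to the EBS user

    # 3. An end-dated EBS account must not get a session even if OAM accepted it.
    if user.end_date is not None and user.end_date <= today:
        return ("deny", "FND_USER %s is end-dated" % user.user_name)
    return ("session", user.user_name)


def sample_fnd_user():
    """Constructed sample rows standing in for the FND_USER table."""
    return [
        FndUser("OPERATIONS", "guid-1111"),                # already linked
        FndUser("NEWHIRE", None),                          # never logged in via SSO
        FndUser("FORMER", "guid-3333", date(2019, 1, 1)),  # end-dated account
    ]


if __name__ == "__main__":
    rows = sample_fnd_user()
    for uid, guid in [("operations", "guid-1111"), ("newhire", "guid-2222"),
                      ("newhire", "guid-9999"), ("former", "guid-3333"),
                      ("nobody", "guid-4444")]:
        print(uid, guid, "->", map_sso_user(rows, uid, guid))
```

The security-relevant line is the name-based fallback: it is the only place where a directory identity is bound to an EBS account on the strength of a matching string rather than an existing link, so in a real deployment the population of FND_USER rows with an empty GUID, and who can create directory accounts with those names, is what decides how safe that step is.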

==================
Here is an overview of the steps to configure OAM with EBS R12.1:

Install Oracle HTTP Server ( OHS)  11g
Deploy & Configure Webgate on OHS 11g
Install Weblogic
Deploy & Configure Accessgate on Weblogic
Integrate Webgate, Accessgate with EBS and OAM/OID


R12.2 has both OHS and WebLogic built in, so we no longer have to install OHS and WebLogic for WebGate and AccessGate.
All we have to do is deploy and configure WebGate and AccessGate.
WebGate is deployed on top of the R12.2 OHS 11g home. AccessGate is deployed as a separate managed server (oaea_server1) on top of the R12.2 WebLogic.

Oracle EBS native authentication works on the FND_USER table, which stores the user ID and password; every user is authenticated against this table using an API.

Authentication is the process by which you verify that someone is who they claim to be. Usually this involves a username and a password. An unauthenticated user is one who has not yet provided credentials in the form of a username and password. 

Authorization is the process of determining whether the person, once identified, is permitted to have access to the resource. This is usually determined by finding out whether that person is part of a particular group.

 
Architecturally, the single sign-on solutions with Oracle Access Manager or Oracle Single Sign-on are very similar. Both solutions authenticate a user by verifying credentials against a user directory. The user directory service for both solutions is Oracle Internet Directory. Oracle Internet Directory and Oracle E-Business Suite user information in FND_USER is synchronized by synchronization events raised by the Workflow-based Business Event System.

Integration with Oracle Access Manager 11g is achieved through agents, and integration with Oracle E-Business Suite can be performed using one of two methods:

Method 1: Uses the WebGate agent, in conjunction with Oracle E-Business Suite AccessGate. This method is described in detail in Section 3.1.1.
Method 2: Uses the mod_osso agent, and is only for users upgrading from Oracle Single Sign-On Server 10gR3. This method is described in detail in Section 3.1.2.
 
-------
http://dbafix.blogspot.com/2021/06/oracle-ebs-integration-with-oracle-idcs.html

Updated: Why Does EBS Integration with Oracle Access Manager Require Oracle Internet Directory? >>
https://blogs.oracle.com/ebstech/post/updated-why-does-ebs-integration-with-oracle-access-manager-require-oracle-internet-directory
