
Integrating OID/SSO with E-Business Suite and Third-Party SSO Solutions
Presented by
Paul Jackson
(Norman Leach)
Agenda

• Why SSO
• Install Options
• Log Locations
• EBS Cloning Considerations
• Disaster Recovery Considerations
• Monitoring Options
• Case Study Overview
• Future Directions / References
User Account Challenges

• Users must be created in multiple systems/applications
• Multiple passwords must be maintained in each of the multiple systems
• Users must be disabled in multiple systems/applications
OID/SSO Benefits

• All authentication can be handled by one system
• Central Password Management
• Simplified User Management
Types of Installation

• All services on one node
• New database for MDR on separate node
• MDR in an already existing database

Services consist of Identity Management (runs on the Application Server) and the MetaData Repository, MDR (runs on the Database)
Install MetaData Repository
Install Identity Management
Verify Installation

• Navigate to:
http://<hostname>.<domain>:<port>/oaiddas
or
http://<load_balance_address>/oaiddas
• Create a test id
• Log in with new id
Verify Installation

• Also check for critical processes
– ps -ef | grep odisrv
– $ORACLE_HOME/opmn/bin/opmnctl status
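The two process checks above can be scripted so a post-install or post-failover verification is repeatable. The script below is an added example and is not part of the presentation: it runs the odisrv and opmnctl checks against constructed sample output so it can be tried without an OID host. It assumes that `opmnctl status` prints a `|`-separated table whose first column is the ias-component name and whose last column is the status, and it treats OID, OC4J and HTTP_Server as the critical components; DSA and LogLoader are left out because they are routinely Down on a 10g infrastructure.

```shell
#!/bin/sh
# Added example (not from the presentation): scripted version of the two
# checks on the slide, run against constructed sample output.

# Constructed sample of `ps -ef` output with one odisrv process present.
PS_SAMPLE='oracle   4411     1  0 09:00 ?  00:00:02 /u01/oid/bin/odisrv instance=1 configset=1
oracle   4522     1  0 09:00 ?  00:00:01 /u01/oid/bin/oidldapd -i 1 -conf 0
oracle   5001  4990  0 09:05 pts/0 00:00:00 grep odisrv'

# Constructed sample of `opmnctl status` output (assumed table layout).
OPMN_SAMPLE='Processes in Instance: infra.oid.example.com
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
DSA                              | DSA                |     N/A | Down
LogLoader                        | logloaderd         |     N/A | Down
OID                              | OID                |    4522 | Alive
OC4J                             | OC4J_SECURITY      |    4610 | Alive
HTTP_Server                      | HTTP_Server        |    4630 | Alive'

# Return 0 when an odisrv process appears in the given ps output,
# ignoring the grep command itself.
odisrv_running() {
    printf '%s\n' "$1" | grep -v 'grep' | grep -q 'odisrv'
}

# Return 0 when the named ias-component is reported Alive.
# $1: opmnctl status text, $2: component name (first column).
opmn_component_alive() {
    printf '%s\n' "$1" | awk -F'|' -v want="$2" '
        NF >= 4 {
            name = $1; status = $NF
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", status)
            if (name == want && status == "Alive") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Overall health check: prints each failing check and returns 1 if any
# check failed, 0 when odisrv and all critical components are up.
idm_health() {
    ps_text=$1; opmn_text=$2; rc=0
    odisrv_running "$ps_text" || { echo "FAIL: odisrv not running"; rc=1; }
    for comp in OID OC4J HTTP_Server; do
        opmn_component_alive "$opmn_text" "$comp" \
            || { echo "FAIL: $comp not Alive in opmnctl status"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: Identity Management processes are up"
    return "$rc"
}

# Stand-alone run against the constructed samples. On a real host use:
#   idm_health "$(ps -ef)" "$("$ORACLE_HOME"/opmn/bin/opmnctl status)"
idm_health "$PS_SAMPLE" "$OPMN_SAMPLE"
```

Because `opmn_component_alive` matches on the component name rather than counting Alive rows, a status table where a non-critical component is Down still passes, while a critical component that is missing from the table entirely is reported as a failure.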
Post Installation Steps

• Change Password Expiry Time (Article 380487.1, Section 6.9)
• Change Max Number of Password Failures
• Create new admin user and group
• Set limits on files in new tablespaces
• Backup
Apply Integration Patch for EBS

• 6936696 - 11i.ATG_PF.H RUP7 SSO 10g Integration
• 6117031 - 11i.ATG_PF.H RUP6 SSO 10g Integration
• Included in R12
Register EBS with OID/SSO

• Registration Types
– Default (Simple)
– Advanced
Registration Types
Default (Simple)
• 10.1.3 Oracle Home Registration
– Registers AS 10.1.3 Oracle Home in OID before OSSO or OID registration
– 10.1.3 Oracle Home registration will happen only once per E-Business Suite deployment
• SSO
– Single SSO partner application
– Listener Token is set to site level of APPS_DATABASE_ID profile option
• OID
– Uses Bidirectional provisioning
– Can’t have changed the default OID password policy
Registration Types
Advanced > Register EBS with SSO
txkrun.pl -script=SetSSOReg -registersso=Yes
Enter the host name where Oracle iAS Infrastructure database is installed ?
Enter the Oracle iAS Infrastructure database port number ?
Enter the Oracle iAS Infrastructure database SID ?
Enter Oracle E-Business apps database user password ?
Enter Oracle iAS Infrastructure database ORASSO schema password ?
Enter Oracle E-Business SYSTEM database user password ?
Enter E-Business Suite existing SSOSDK schema password or choose a password to use with the new SSOSDK schema if the schema does not exist ?
Registration Types
Advanced > Register EBS with OID
txkrun.pl -script=SetSSOReg -registeroid=Yes -provtmp=<template>
Enter the host name where Oracle iAS Infrastructure database is installed ?
Enter the LDAP Port on Oracle Internet Directory server ?
Enter Oracle E-Business apps database user password ?
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ?
Enter the instance password that you would like to register this application instance with ?
Information needed to register
• Hostname of OAS Infrastructure database
• Port of OAS Infrastructure database
• SID of OAS Infrastructure database
• LDAP port of OID
• Provision type
• Passwords:
– EBS apps
– OAS Infrastructure database orasso user
– EBS system
– EBS ssosdk
– OID admin user (orcladmin)
– EBS registration
Provisioning Types

• Bidirectional
• Inbound - Instance to OID Server
• Outbound - OID Server to Instance
• Bidirectional No Creation
• Custom Provisioning using oidprovtool
EBS Profile Updates
• Applications SSO Type
• Applications SSO Auto Link User
• Applications SSO Login Types
• Application SSO LDAP Synchronization
• Applications SSO Enable OID Identity Add Event
• Link Applications user with OID user with same username
• Applications SSO Allow Multiple Accounts
Product Specific Patches

• Follow My Oracle Support Article ID 233436.1, SSO Task 3 – Install E-Business Suite Product Family SSO Patches

For older products (e.g. 11.5.9) additional patches may be required.
EBS Logon with SSO

• EBS delegates to SSO
• User is directed to SSO login screen
EBS Logon with 3rd Party SSO

• Chain of trust between 3 systems
• EBS continues to work directly and only with Oracle SSO
• 3rd party must pass user’s identity to Oracle SSO
Customizing IPASAuthInterface

• Two Methods
– authenticate (HttpServletRequest)
– getUserCredentialPage(HttpServletRequest, String)
EBS Integration with 3rd Party LDAP
• EBS cannot be integrated directly with a third-party LDAP
• User information in 3rd party LDAP must be synchronized with OID
• Synchronization can happen with either Oracle Directory Integration Platform or bulk-load
Oracle Directory Integration Platform
• Uses directory synchronization profile
– Direction
– Type of interface
– Mapping rules
– Connection details of the connected directory
• OID uses change log to determine what changes to send
• 3rd party changes are synced automatically or are written to a file in LDIF format
Log Locations

• ORACLE_HOME/j2ee/OC4J_SECURITY/log
• ORACLE_HOME/ldap/log
• ORACLE_HOME/sso/log
• ORACLE_HOME/Apache/Apache/logs
• ORACLE_HOME/Apache/modplsql/logs
• ORACLE_HOME/opmn/logs
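Knowing the six log locations is only useful if someone reads them, so a sweep over those directories makes a practical first check when a login fails or a sync stops. The script below is an added example, not part of the presentation: it lists which of the directories above are missing under a given ORACLE_HOME and counts error lines across the logs it finds. The error pattern, the file names and the sample tree it builds under a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the presentation): sweep the log locations
# from the slide under an ORACLE_HOME and count error lines in them.

# The log directories from the slide, relative to ORACLE_HOME.
IDM_LOG_DIRS='j2ee/OC4J_SECURITY/log
ldap/log
sso/log
Apache/Apache/logs
Apache/modplsql/logs
opmn/logs'

# Constructed default pattern: ORA- errors, Apache [error] lines, LDAP
# errors and Java exceptions. Pass your own extended regex to override.
DEFAULT_ERROR_PAT='ORA-[0-9]+|\[error\]|LDAP error|Exception'

# Print the log directories under $1 that do not exist, one per line.
missing_log_dirs() {
    printf '%s\n' "$IDM_LOG_DIRS" | while read -r rel; do
        [ -d "$1/$rel" ] || printf '%s\n' "$1/$rel"
    done
}

# Print the number of lines matching the error pattern across every
# regular file in the log directories under $1; absent directories are
# skipped. $2: optional extended regex (default DEFAULT_ERROR_PAT).
count_log_errors() {
    home=$1; pat=${2:-$DEFAULT_ERROR_PAT}; total=0
    for rel in $IDM_LOG_DIRS; do
        dir="$home/$rel"
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            n=$(grep -Ec "$pat" "$f" || true)   # grep -c prints 0 on no match
            total=$((total + n))
        done
    done
    echo "$total"
}

# Build a constructed sample ORACLE_HOME: three of the six directories,
# two log files with three error lines between them. Prints its path.
make_sample_home() {
    home=$(mktemp -d)
    mkdir -p "$home/ldap/log" "$home/sso/log" "$home/opmn/logs"
    printf '%s\n' 'Normal startup' \
        'ORA-01017: invalid username/password; logon denied' \
        'ORA-12541: TNS:no listener' > "$home/ldap/log/oidldapd01.log"
    printf '%s\n' '[error] mod_osso: user not found' 'ok' \
        > "$home/sso/log/ssoServer.log"
    echo "$home"
}

# Stand-alone run against the sample tree; on a real host call
# missing_log_dirs "$ORACLE_HOME" and count_log_errors "$ORACLE_HOME".
SAMPLE_HOME=$(make_sample_home)
echo "Missing log directories under $SAMPLE_HOME:"
missing_log_dirs "$SAMPLE_HOME"
echo "Error lines found: $(count_log_errors "$SAMPLE_HOME")"
rm -rf "$SAMPLE_HOME"
```

A directory reported as missing is itself a finding: if, say, `sso/log` is absent on an Identity Management node, the SSO component is either not installed there or logging somewhere other than the documented location.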
EBS Cloning Considerations

• Prior to the clone, deregister the target instance
• After the clone, remove references to OID/SSO from target instance
– txkrun.pl -script=SetSSOReg -removereferences=yes
• Reregister target instance
EBS Cloning Considerations
What if you forget to deregister before cloning?
txkrun.pl -script=SetSSOReg -deregisteroid=Yes
Enter Oracle E-Business apps database user password ?
Checking preferences in the database.
Enter the host name where Oracle iAS Infrastructure database is installed ?
Enter the application name used for registration of this application instance in OID ( 24 chars or less ) ?
Enter the descriptive service name used for registration of this application instance in OID ( 80 chars or less ) ?
Enter the LDAP Port on Oracle Internet Directory server ?
Enter the Oracle Internet Directory Administrator (orcladmin) Bind password ?
Disaster Recovery

• Failover Database with MDR to Standby
• Shut down Identity Management on all nodes
– $ORACLE_HOME/opmn/bin/opmnctl stopall
• Update tnsnames.ora in the OID home
• Start the OID monitor
– $ORACLE_HOME/bin/oidmon connect=<> start
Disaster Recovery (cont)

• Start Oracle Directory Manager
– $ORACLE_HOME/bin/oidadmin
• In the System Objects frame of Oracle Directory Manager
– Expand Entry Management
– Expand cn=Oracle Context
– Select the DB name for the OracleAS Metadata Repository
– On the Properties tab, update the orclnetdescstring field
Disaster Recovery (cont)

• Stop OID monitor
• Start Identity Manager
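Two of the failover steps above, updating tnsnames.ora in the OID home and updating the orclnetdescstring field of the Metadata Repository entry, amount to the same edit: the HOST of an Oracle Net connect descriptor changes from the primary to the standby. The script below is an added example, not part of the presentation: one function rewrites the host in a descriptor, a balance check guards against writing a mangled descriptor, and a wrapper applies the rewrite to a tnsnames.ora file with a backup. The hostnames and the descriptor it uses are constructed; the rewritten descriptor it prints is what you would paste into orclnetdescstring in Oracle Directory Manager.

```shell
#!/bin/sh
# Added example (not from the presentation): swap the HOST in an Oracle
# Net connect descriptor for the MDR failover steps on the slide.

# Constructed descriptor for the MDR database as currently registered.
MDR_DESC='(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=mdrdb-primary.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=mdr.example.com)))'

# Print $1 with every (HOST=$2) element rewritten to (HOST=$3).
# Dots in the old host are escaped so they match literally, and other
# hosts in the descriptor are left alone.
rewrite_descriptor_host() {
    old=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | sed "s/(HOST *= *$old)/(HOST=$3)/g"
}

# Return 0 when the descriptor has balanced parentheses; a cheap guard
# against writing a truncated or hand-mangled descriptor.
descriptor_balanced() {
    opens=$(printf '%s' "$1" | tr -cd '(' | wc -c | tr -d ' ')
    closes=$(printf '%s' "$1" | tr -cd ')' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Rewrite the host in a tnsnames.ora file in place, keeping a timestamped
# backup. $1: file path, $2: current host, $3: standby host. Returns 1
# and leaves the file untouched if the result is not balanced.
update_tnsnames() {
    file=$1
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    new=$(rewrite_descriptor_host "$(cat "$file")" "$2" "$3")
    descriptor_balanced "$new" \
        || { echo "refusing to write $file: unbalanced parentheses" >&2; return 1; }
    printf '%s\n' "$new" > "$file"
}

# Stand-alone run: print the descriptor to paste into orclnetdescstring.
rewrite_descriptor_host "$MDR_DESC" mdrdb-primary.example.com mdrdb-standby.example.com
```

Keep the backup that `update_tnsnames` writes until the OID monitor has been started against the standby and Identity Management has been verified; switching back after a failed failover is then a file copy rather than a second hand edit.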
Monitoring

• EM can be used to monitor the Application Server
– OC4J
– Oracle HTTP Server
– Oracle Internet Directory
– OC4J_SECURITY
– Single Sign-On Server
• EM can also be used to run jobs
Case Study Installation

• MDR in an already existing database
• Identity Management
– Clustered
– Behind Load-Balancer
Case Study Integration with Third-Party SSO
• Custom Built IDM system
• Controls access to multiple corporate systems
• Wanted to use as source of record
• Turned off provisioning
Future Directions

• Oracle is focusing on Oracle Access Manager.
– This will still use OID as a go-between with E-Business Suite AccessGate

References
975182.1 - Integrating Oracle E-Business Suite with Oracle Access Manager using Oracle E-Business Suite AccessGate
233436.1 - Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i
376811.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On
300436.1 - Setting Up OID Replication in 10.1.2 / 10.1.4
Oracle Application Server Single Sign-On Administrator's Guide
Oracle Identity Management Integration Guide
Final Slide

• Please complete evaluations - 4232

Integrating OID/SSO with E-Business Suite and Third-Party SSO Solutions
4/22/2010
9:45AM

Presentation available on www.fieldappsdba.com
