1. Administering Oracle Identity Cloud Service
  2. Manage Oracle Identity Cloud Service Components
  3. Use the E-Business Suite Asserter to Enable SSO for Oracle E-Business Suite with Oracle Identity Cloud Service
  4. Typical Workflow for Using Identity Cloud Service E-Business Suite Asserter to Authenticate Oracle E-Business Suite with Oracle Identity Cloud Service

Typical Workflow for Using Identity Cloud Service E-Business Suite Asserter to Authenticate Oracle E-Business Suite with Oracle Identity Cloud Service

With the Identity Cloud Service E-Business Suite Asserter component that you download from the Identity Cloud Service console, you integrate your Oracle E-Business Suite with Oracle Identity Cloud Service to allow end users to authenticate in Oracle E-Business Suite environments and to Oracle E-Business Suite mobile applications using their Oracle Identity Cloud Service credentials.

Task Description Additional Information
Understand the Identity Cloud Service E-Business Suite Asserter Learn what Identity Cloud Service E-Business Suite Asserter is, why you should use it to integrate your Oracle E-Business Suite environment with Oracle Identity Cloud Service, and the certified components of the architecture. What is Identity Cloud Service E-Business Suite Asserter
What do You Need to Use the Asserter Understand the required services and roles, how to download the asserter, and the information you need from your environment. What do You Need to Use the E-Business Suite Asserter
Configure the Integration Configure Oracle E-Business Suite, register E-Business Suite Asserter in Oracle Identity Cloud Service, and deploy the asserter. Configure E-Business Suite Asserter Integration
Validate the Integration Test the single sign-on scenarios. Validate the Integration
Set up E-Business Suite Mobile Applications Integrate E-Business Suite mobile applications with Oracle Identity Cloud Service for single sign-on purposes. Set up E-Business Suite Mobile Applications
Collect Diagnostic Data Enable and collect diagnostic data from E-Business Suite Asserter. Collect Diagnostic Data
Monitor the E-Business Suite Asserter Monitor the E-Business Suite Asserter to determine the status and in turn its availability. Monitor the E-Business Suite Asserter
Deploy the Oracle App Gateway Docker Container Deploy the Oracle App Gateway Docker container. Deploy the Oracle App Gateway Docker Container
Troubleshoot Common Issues List of common issues found during the configuration of this integration. Troubleshoot Common Issues

What is Identity Cloud Service E-Business Suite Asserter

The E-Business Suite Asserter is a lightweight web application that enables single sign on (SSO) for E-Business Suite using IDCS. The asserter enables users to access E-Business Mobile Apps and the E-Business Suite Web interfaces. Users can also access other applications that are secured using Oracle Identity Cloud Service.

To enhance security for the sign-in process, you can set up sign-on and identity provider policies, and configure multi-factor authentication. You can also enable adaptive security to provide strong authentication capabilities and risk analysis for your users across applications and Oracle E-Business Suite in Oracle Identity Cloud Service.

Why You Should Use Identity Cloud Service E-Business Suite Asserter

The Identity Cloud Service E-Business Suite Asserter is a lightweight Java application. It helps to simplify the deployment topology for Oracle E-Business Suite single sign-on (SSO) by replacing Oracle Access Manager and Oracle Internet Directory with Oracle Identity Cloud Service.

You can use the asserter when you want to:
  • Have your Oracle E-Business Suite integrated with other applications for single sign-on.
  • Enhance security to access your Oracle E-Business Suite by enabling Oracle Identity Cloud Service security features such as multi-factor authentication, sign-on policies, account recovery, and adaptive security.
The E-Business Suite Asserter provides the following benefits:
  • Multiple access modes for SSO with Oracle E-Business Suite. You can access Oracle E-Business Suite by using one of the following modes:
    • The asserter direct URL (You can bookmark this URL.).
    • The Oracle Identity Cloud Service My Apps page.
    • The asserter direct URL with a redirect parameter.
    • Previously bookmarked Oracle E-Business Suite URLs.
  • Supports log out from multiple points including Oracle E-Business Suite, E-Business Suite Asserter, and Oracle Identity Cloud Service.
  • Allows single sign-on between Oracle E-Business Suite and Oracle E-Business Suite mobile application.

Certified Components for Identity Cloud Service E-Business Suite Asserter

The following table lists the certified components and their versions for Oracle Identity Cloud Service, Oracle E-Business Suite, WebLogic Server, Java JDK, and the Identity Cloud Service E-Business Suite Asserter to use for integration.

Oracle Identity Cloud Service Oracle E-Business Suite (EBS) WebLogic Server JDK E-Business Suite Asserter
19.2.1+ The following versions with latest patches applied:
  • Oracle EBS Release 11i (11.5.10)
  • Oracle EBS Release 12 (12.1.3, 12.2 or greater), with latest patch applied.
 Oracle WebLogic Server 12c (12.1.3 and 12.2)
  • Java SE Development Kit 8
  • Java EE 8
 19.1.4-1.2.2+

Architecture

The Identity Cloud Service E-Business Suite Asserter is deployed to a separate Oracle WebLogic Server instance. The E-Business Suite Asserter interacts with Oracle Identity Cloud Service through Oracle Identity Cloud Service REST API and redirects the user's web browser to Oracle Identity Cloud Service and to Oracle E-Business Suite.

This architectural diagram shows how the E-Business Suite Asserter, Oracle E-Business Suite, and Oracle Identity Cloud Service interact.

Description of architecture.png follows
Description of the illustration architecture.png

The following diagrams show the login and logout flow when using the E-Business Suite Asserter to integrate Oracle E-Business Suite with Oracle Identity Cloud Service. These flow diagrams show the login and logout process starting with Oracle E-Business Suite, but the E-Business Suite Asserter approach also supports E-Business Suite Asserter and Oracle Identity Cloud Service initiated flow.

Description of login-flow-chart.png follows
Description of the illustration login-flow-chart.png
  1. The user requests access to an Oracle E-Business Suite protected resource.
  2. Oracle E-Business Suite redirects the user browser to the E-Business Suite Asserter application.
  3. The E-Business Suite Asserter uses an Oracle Identity Cloud Service SDK to generate the authorization URL and then redirects the browser to Oracle Identity Cloud Service.
  4. Oracle Identity Cloud Service presents its sign in page to the user.
  5. The user submits credentials to Oracle Identity Cloud Service.
  6. Oracle Identity Cloud Service issues an authorization code and redirects the user's browser to the E-Business Suite Asserter.
  7. The E-Business Suite Asserter uses an Oracle Identity Cloud Service SDK to communicate with Oracle Identity Cloud Service to exchange the authorization code for an access token.
  8. Oracle Identity Cloud Service issues an access token and an ID token to the E-Business Suite Asserter.
  9. The E-Business Suite Asserter creates an Oracle E-Business Suite cookie and redirects the user's browser to Oracle E-Business Suite.
  10. Oracle E-Business Suite presents the user requested protected resource.

The logout process described below refers to a user invoking logout from Oracle E-Business Suite. If the logout process is initiated in Oracle Identity Cloud Service, then only step 5 and 6 are executed.

Description of logout-flow-chart.png follows
Description of the illustration logout-flow-chart.png
  1. The user selects to logout from Oracle E-Business Suite, requesting the /ebslogout URL.
  2. Oracle E-Business Suite logs the user out and then redirects the user's browser to the E-Business Suite Asserter application.
  3. The E-Business Suite Asserter uses an Oracle Identity Cloud Service SDK to obtain the Oracle Identity Cloud Service logout URL, and then redirects the user's browser to this URL
  4. The user browser invokes the Oracle Identity Cloud Service logout URL.
  5. Oracle Identity Cloud Service removes the user session and then redirects the user's browser to the E-Business Suite Asserter logout URL, which is defined in the application configuration.
  6. The E-Business Suite Asserter logs the user out and redirects the user's browser to the Post Logout Redirect URL, which is defined in the application configuration.

Considerations for Using the E-Business Suite Asserter

To use the E-Business Suite Asserter, you should understand the following considerations for installation and configuration.

  • The host names for the EBS Asserter's WebLogic server and Oracle E-Business Suite's application server must have exactly same domain for SSO to work.

  • The E-Business Suite Asserter must be accessed over SSL, since Oracle Identity Cloud Service can only be accessed over SSL. Failure to do so may cause SSO between Oracle Identity Cloud Service and the E-Business Suite Asserter to fail.

  • Synchronize the server clock where the E-Business Suite Asserter runs, and the server clock where Oracle E-Business Suite runs.

  • You can deploy the asserter in Oracle WebLogic Server 12c by using secure communications such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

How to Use the Asserter With Multiple Instances of Oracle E-Business Suite

You can use the same WebLogic Server installation with multiple managed servers or from a different WebLogic Server installation, each with one managed server. In both case, each Identity Cloud Service E-Business Suite Asserter URL will have its own domain name and port number pair.

For each Oracle E-Business Suite (EBS) instance, you configure and deploy one instance of the E-Business Suite Asserter (EBS Asserter) Java application. Usually you deploy each EBS Asserter Java application to a specific WebLogic managed server.

Starting from EBS Asserter version 19.2.1-1.5.0, if you don't want to create multiple managed servers and deploy one EBS Asserter Java application to each of them, you can deploy multiple EBS Asserter Java applications to the same WebLogic managed server.

To accomplish this scenario, you need to perform the following tasks:

  • Rename each EBS Asserter Java application's Web Application Resource (WAR) file before you deploy the file to the same WebLogic managed server. In this case, the domain name and port number of all EBS Asserter's URLs will be same, but the URL's context will change.

  • Extract the contents of each ebs.war file to a folder, find the weblogic.xml file, edit this file, update the value of the <cookie-path> tag to match the EBS Asserter's URL, and then rebuild the ebs.war.

    For example, if you want EBS Asserter to respond to URL context /app/ebs, then the update the tag within weblogic.xml with the value <cookie-path>/app/ebs</cookie-path>.

For example: If you have two EBS instances named Development 1 and Development 2, you want to integrate these EBS instances with Oracle Identity Cloud Service using the EBS Asserter, but you only have one WebLogic managed server for the two EBS Asserter Java applications, you need to execute the procedures in this tutorial for each EBS instance. You configure the WebLogic Server only once, and configure and deploy the EBS Asserter Java Application for each EBS instance:

  • For EBS instance Development 1:

    • Make a copy of the ebs.war file and name the new file ebsdev1.war.
    • Udate the weblogic.xml file contained in the ebsdev1.war file, by replacing the cookie-path tag with the following: <cookie-path>/ebsdev1</cookie-path>.
    • Update the bridge.properties file contained in the ebsdev1.war file.
    • Deploy the ebsdev1.war file to the WebLogic managed server.

  • For EBS instance Development 2:

    • Make a copy of the ebs.war file and name the new file ebsdev2.war.
    • Udate the weblogic.xml file contained in the ebsdev2.war file, by replacing the cookie-path tag with the following: <cookie-path>/ebsdev2</cookie-path>.
    • Update the bridge.properties file contained in the ebsdev2.war file.
    • Deploy the ebsdev2.war file to the WebLogic managed server.

You deploy both ebsdev1.war and ebsdev2.war files in to the same WebLogic managed server. The EBS Asserter's URL for EBS instance Development 1 will be similar to the following example: https://ebsasserter.example.com:7002/ebsdev1.

The EBS Asserter's URL for EBS instance Development 2 will be similar to the following example: https://ebsasserter.example.com:7002/ebsdev2.