Authentication and Integration

Introduction

The subject of authentication is a broad one, which covers a variety of technologies and components. This chapter provides a survey of the key architectural concepts and decisions involved in setting up the required level of authentication for an organization.

Note: For a complete list of the relevant authentication and authorization documentation, see My Oracle Support Knowledge Document 380482.1, Oracle Application Server with Oracle E-Business Suite Release 12 Documentation Roadmap.

Authentication of Oracle E-Business Suite users can be configured to be straightforward and out of the box, using the traditional FND_USER mechanism, or it can involve various additional features and levels of sophistication, such as single sign-on and use of optional products such as Oracle Portal and Oracle Discoverer. The system administrator can choose the optimal solution for an installation, taking into account factors such as simplicity of setup and maintenance, the possible need for a single point of access to enterprise-wide applications, and the ability to integrate with third-party user directories, as well as the overall security requirements of the organization.

Advanced features that are discussed briefly include the tasks involved in keeping user profile information automatically synchronized across an enterprise, and the steps needed to link an account in Oracle Internet Directory to multiple application accounts in Oracle E-Business Suite Release 12.

Important: Use of the advanced authentication features described in this chapter, such as Single Sign-On, are optional with Oracle E-Business Suite Release 12. If you wish to use them, you must carry out the requisite additional setup procedures as noted later.

The solutions described here do not address the issue of authorization. After a user has been authenticated, Oracle E-Business Suite retrieves the authorization information associated with the application account the user is logged into. Authorization information for application accounts is managed through application responsibilities. Oracle E-Business Suite applies authorization checks as and when required during the user’s session.

Oracle Application Server 10g Optional Components

Benefits of utilizing Oracle Application Server 10g optional components with Oracle E-Business Suite Release 12 include:

Performance, scalability and high-availability via distributed architectures.
The ability to connect a single Enterprise Portal to web providers running on multiple Release 12 instances.
Uniform Single Sign-On support for all Oracle E-Business Suite products.
Bidirectional Oracle Internet Directory-to-FND_USER synchronization.
Link-on-the-fly support for environments where the Single Sign-On userids in Oracle Internet Directory differ from the Oracle E-Business Suite userids.
One-to-many support for environments where a Single Sign-On userid may be associated with one or more Release 12 userids.
Bookmarkable URLs, where Applications Navigator Portlet will produce links that authenticate users and create Oracle E-Business Suite sessions as needed.
Integration with third-party single sign-on services (e.g. Netegrity, Tivoli, Entrust) and Lightweight Directory Access Protocol (LDAP) V.3 directories such as SunONE/iPlanet and Microsoft Active Directory.

Support for more advanced deployment topologies is also available, including multi-node load balancing configurations, Oracle Real Application Clusters (Oracle RAC), and other distributed architectures.

Note: For further details of additional options, see Oracle E-Business Suite System Administrator's Guide - Security, Chapter 6.

Oracle Portal

Oracle Portal (part of Oracle Application Server 10g) is a complete, browser-based environment for the development, deployment, administration, and configuration of enterprise class portals. Oracle Portal incorporates a complete portal building framework, with self-service publishing features to facilitate creation and management of the information accessed within your portal. A wide variety of portal interfaces and configurations are possible, from a simple departmental-level publishing portal to an Internet-accessible portal that serves both customers and employees. Tight integration with other components of the Oracle Application Server and with the Oracle database ensures that the solution can scale to an enterprise class audience.

Note: For further details of integrating Oracle Portal with E-Business Suite Release 12, see My Oracle Support Knowledge Document 380484.1, Using Oracle Portal 10g with Oracle E-Business Suite Release 12.

Oracle Discoverer

Business users at all levels of an organization can use Discoverer 10.1.2 to gain immediate access to information from data marts, data warehouses, and online transaction processing (OLTP) systems. Discoverer 10.1.2 enables business analysts to create, modify, and execute ad hoc queries and reports. Casual users can utilize a range of predefined reports and graphs that enable them to obtain business views while hiding the complexity of the underlying data structures being reported upon.

Discoverer 10.1.2 is tightly integrated with Oracle E-Business Suite Release 12. Release 12 users can use Discoverer to analyze data from selected business areas in Financials, Operations, Human Resources, Purchasing, Process Manufacturing, Activity Based Management, and others.

You can integrate Discoverer into an existing Oracle E-Business Suite Release 12 environment by installing Discoverer 10.1.2 with Oracle Business Intelligence Server 10g Release 2 on a standalone application tier server node, or in a separate Oracle Business Intelligence Server 10g Release 2 ORACLE_HOME, on an existing application tier server node.

Note: For further details of using Oracle Discoverer with Oracle E-Business Suite Release 12, see My Oracle Support Knowledge Document 373634.1, Using Discoverer 10.1.2 with Oracle E-Business Suite Release 12.

Enterprise-Wide Single Sign-On

Single sign-on functionality enables users to access Oracle E-Business Suite and other applications through a single user ID, without having to log in to each application separately. Oracle E-Business Suite supports the use of single sign-on functionality via Oracle Single Sign-On, Oracle Internet Directory (OID), and Oracle Portal.

Implementing an enterprise-wide single sign-on solution involves significant changes to the mechanism by which Oracle E-Business Suite Release 12 users are authenticated. Instead of authentication being performed natively, via the FND_USER table, this functionality is delegated to Oracle Single Sign-On, which can either:

Perform user validation itself, against information stored in Oracle Internet Directory.
Delegate validation to a third-party single sign-on server.

With either of these solutions, Oracle E-Business Suite Release 12 accepts identities vouched for by the single sign-on mechanism. Oracle Internet Directory complements this by acting as an integration point that enables Oracle E-Business Suite Release 12 to participate in enterprise level user management.

Note: Note that where a third-party single sign-on server is in use, Oracle Single Sign-On and Oracle Internet Directory are still required, to provide a bridge between E-Business Suite Release 12 and the third-party single sign-on solution.

Each E-Business Suite instance must still maintain a record of registered users, in the form of the traditional application accounts. However, the level of abstraction needed for an enterprise level user requires a mechanism that can uniquely identify a user across the enterprise. This is accomplished via a globally unique identifier (GUID). Oracle Internet Directory and Oracle E-Business Suite store GUID information for each enterprise level user. The GUID can be considered as an identity badge that is recognized by both Oracle Internet Directory and Oracle E-Business Suite.

Another requirement in such an environment is for user enrollment to be done only once, at well defined places, with the user subsequently being known to the rest of the enterprise. Two additional features enable this:

Support for automatic propagation of application information across an enterprise, via a synchronization process between Oracle Internet Directory and a third-party LDAP server.
Support for automatic propagation of user information across an enterprise, via a provisioning process between Oracle Internet Directory and Oracle E-Business Suite Release 12.

User information in external, third-party user directories can be synchronized with Oracle Internet Directory using the LDAP protocol. With Oracle Internet Directory, customers can manage and publish user information in a central location that various application systems, including the Oracle E-Business Suite, can reference.

Much of the complexity involved with integrating Oracle E-Business Suite into a single sign-on environment arises because of the need to consolidate fragmented or duplicated user data in the single sign-on environment, as a legacy of integrating previously-isolated systems.

The solution described in this chapter provides mechanisms to link the existing data together using the GUID. In addition, bulk migration tools can be used to move a large number of users between Oracle Internet Directory and E-Business Suite during the transition to an integrated single sign-on environment.

Note that full synchronization of user credentials between Oracle Internet Directory and E-Business Suite Release 12 requires deployment of the relevant Oracle Application Server 10g components.

Note: For more information on implementing single sign-on with Oracle Single Sign-On and Oracle Internet Directory, see Chapter 6 of Oracle E-Business Suite System Administrator's Guide - Security, andMy Oracle Support Knowledge Document Note 376811.1, Using Oracle Application Server 10g with Oracle E-Business Suite Release 12.

Application Server Integration Options

Application Server 10g can act as an integration hub that enables the Oracle E-Business Suite to work in conjunction with other enterprise software, including software from third-party vendors.

Figure 8-1 Application Server Integration Architecture

the picture is described in the document text

By default, Release 12 continues to use the local E-Business Suite user directory, FND_USER, for user authentication. Optionally, Release 12 user authentication can be delegated to Single Sign-On 10g and Oracle Internet Directory 10g running externally.

It is possible to integrate Release 12 with a third-party LDAP (such as Microsoft Active Directory or SunONE/iPlanet) or a third-party single sign-on solution (such as Microsoft Windows Kerberos or Netegrity SiteMinder). This requires integration of the chosen third-party solutions via an external Oracle Application Server 10g instance, as shown in the diagram above. Release 12 delegates user authentication to Oracle Single Sign-On, and Oracle Single Sign-On delegates authentication to the third-party single sign-on solution.

Conversely, user information from the third-party LDAP must be synchronized with Oracle Internet Directory 10g, which synchronizes its users with E-Business Suite's FND_USER directory. Synchronization is handled by the Oracle Directory Integration Platform.

Basic Single Sign-On Deployment Scenario

This section outlines a simple deployment scenario where an existing Oracle E-Business Suite instance is integrated with a new Oracle Single Sign-On and Oracle Internet Directory infrastructure. A subsequent discussion considers additional factors, such as the existence of a third-party single sign-on solution, or the presence of multiple user repositories.

Note: This section provides a high-level overview of the common tasks that will apply to all installations. The exact steps needed for the requirements of a particular site will be more detailed.

The starting point of this scenario is an existing Oracle E-Business Suite Release 12 installation, plus a new Oracle Application Server 10g installation (including Oracle Single Sign-On and Oracle Internet Directory) on a different machine.

Oracle Internet Directory has no currently existing users apart from pre-seeded users, and Oracle Portal is not implemented. The requirement is to integrate Oracle E-Business Suite Release 12 with Oracle Single Sign-On and Oracle Internet Directory.

Key Goals

Oracle E-Business Suite Release 12 will delegate user sign-on and authentication to Oracle Single Sign-On
Oracle Single Sign-On will authenticate user credentials against user entries in Oracle Internet Directory
Oracle Internet Directory will store every user’s single sign-on account id and password

Figure 8-2 Deploying E-Business Suite with Oracle Single Sign-On and Oracle Internet Directory

the picture is described in the document text

User Management Options

Existing Oracle E-Business Suite Release 12 application accounts are migrated to single sign-on accounts in Oracle Internet Directory using the Bulk Migration Tool. After the migration, a system administrator has a number of user management options, related to the location(s) where user information is created, and where it is provisioned (sent) to.

Option 1

All user information is created in Oracle E-Business Suite Release 12, then provisioned into Oracle Internet Directory.

Oracle E-Business Suite Release 12 is configured as a provisioning integrated application with Oracle Internet Directory
System administrators configure the provisioning integration via provisioning profiles

Figure 8-3 Provisioning User Information from E-Business Suite to Oracle Internet Directory

the picture is described in the document text

The creation of a new application account in Oracle E-Business Suite Release 12 will automatically trigger the creation of a new single sign-on account in Oracle Internet Directory. Some of the user attributes from the application account may be provisioned in the single sign-on account in Oracle Internet Directory during account creation.

Option 2

All user information is created in Oracle Internet Directory, then provisioned into Oracle E-Business Suite Release 12:

Oracle E-Business Suite Release 12 is configured as a provisioning integrated application with Oracle Internet Directory
System administrators configure the provisioning integration via provisioning profiles

Figure 8-4 Provisioning User Information from Oracle Internet Directory to E-Business Suite

the picture is described in the document text

The creation of a new single sign-on account in Oracle Internet Directory will automatically trigger the creation of a new application account in Oracle E-Business Suite Release 12. Some of the user attributes from the single sign-on account may be provisioned in the application account in Oracle Internet Directory during account creation.

Option 3

All user information is created in either Oracle Internet Directory or Oracle E-Business Suite Release 12, then provisioned into the other system:

Oracle E-Business Suite Release 12 is configured as a provisioning integrated application with Oracle Internet Directory
System administrators configure the provisioning integration via provisioning profiles

Figure 8-5 Provisioning User Information Between E-Business Suite and Oracle Internet Directory

the picture is described in the document text

The creation of a new application account in Release 12 will automatically trigger the creation of a new single sign-on account in Oracle Internet Directory, and the creation of a new single sign-on account in Oracle Internet Directory will automatically trigger the creation of a new application account in Release 12.

During account creation, some of the user attributes from the application account may be provisioned in the single sign-on account in Oracle Internet Directory during account creation, and some of the user attributes from the single sign-on account may be provisioned in the application account in Oracle Internet Directory.

Synchronizing User Attributes

For all three of the above options, a set of user attributes can, on being updated from either system, optionally be synchronized between Oracle E-Business Suite Release 12 and Oracle Internet Directory. This is accomplished by configuring the provisioning profile.

Signing On

Attempting to gain access to an Oracle E-Business Suite Release 12 environment, a user who has not yet been authenticated with Oracle Single Sign-On is directed to a Single Sign-On login page, which can be customized to suit an individual site.

After authentication via Oracle Single Sign-On (or if authentication has previously been carried out) the user is redirected to the requested page or the user’s home page in the Oracle E-Business Suite Release 12.

Signing Out

When a user logs out of an Oracle E-Business Suite instance, the user is also logged out of Oracle Single Sign-On, as well as any partner applications that have been integrated with Oracle Single Sign-On. The user will see a logout page that lists all the applications the user has been successfully logged out of.

Session Timeout

It is important to understand the timeout behavior of the different sessions in a single sign-on environment, to ensure the appropriate level of security is maintained.

If a user's application session has timed out, but not his single sign-on session, he will be directed to Oracle Single Sign-On, and then back to Oracle E-Business Suite, without being prompted to re-authenticate.
If a user's application session and single sign-on session have both timed out, he will be directed to the single sign-on login page to re-authenticate, and then redirected back to Oracle E-Business Suite.

Until a user's application session times out (or he explicitly logs out), he can continue to access the partner application even if his Oracle Single Sign-On security cookie has expired. Since the application session timeout value takes precedence over the Single Sign-On timeout setting, Oracle recommends setting the application session timeout value to be equal to or less than that of Oracle Single Sign-On.

Advanced Single Sign-On Deployment Scenarios

This section outlines four more deployment scenarios. The guidelines given should be regarded as providing a high-level strategy rather than definitive instructions, as all real world deployments will be unique, and require detailed planning. The outline solutions build upon the basic scenario discussed above.

Scenario 1

Requirement - Need to enable Oracle Single Sign-On with Oracle E-Business Suite Release 12

Starting Environment

Multiple new Oracle E-Business Suite Release 12 environments have been installed
Other than the default administrative accounts, no user accounts have been registered yet
Oracle Portal is not implemented
No Single Sign-On infrastructure in place

Solution

Oracle Application Server 10g with Oracle Single Sign-On and Oracle Internet Directory are needed for the integration required
Oracle E-Business Suite Release 12 will delegate user sign-on and authentication to Oracle Single Sign-On
Oracle Single Sign-On authenticates user credentials against user entries in Oracle Internet Directory
Oracle Internet Directory contains every user’s single sign-on account ID and password

Either Oracle Internet Directory or one Oracle E-Business Suite Release 12 instance can be designated as the source of user enrollment, with the following implications:

If Oracle Internet Directory is the source, details of user accounts can be propagated to each Oracle E-Business Suite instance via the provisioning process.
If an Oracle E-Business Suite instance is the source, the provisioning process will propagate user accounts from that instance to Oracle Internet Directory, and then to the other Oracle E-Business Suite instances.

Optionally, user profile information in an Oracle E-Business Suite Release 12 instance can be kept synchronized with the information in Oracle Internet Directory.

Scenario 2

Requirement - Need to integrate new installation of Oracle E-Business Suite Release 12 with existing third-party single sign-on and user directory infrastructure

Starting Environment

Oracle E-Business Suite Release 12 has been newly installed using the Rapid Install Wizard.
Other than the default administrative accounts, no user accounts have been registered yet.
Oracle Portal is not implemented.
A third-party single sign-on solution such as Netegrity SiteMinder is in use as a corporate single sign-on solution.
A third-party LDAP directory such as SunONE/iPlanet is in use as a corporate user directory.

Solution

Oracle Application Server 10g (including Oracle Single Sign-On and Oracle Internet Directory) is needed for the integration.
Oracle E-Business Suite and Oracle Single Sign-On must be set up so that Oracle E-Business Suite delegates authentication to Oracle Single Sign-On, which in turn delegates the functionality to the third-party single sign-on server in use.
Oracle Internet Directory needs to be set up to synchronize a minimal set of information from the third-party LDAP directory for all users who will access Oracle E-Business Suite via single sign-on.
Oracle Internet Directory also needs to be set up to provision users in Oracle Internet Directory to Oracle E-Business Suite.

Figure 8-6 Integrating E-Business Suite with Third-Party Single Sign-On and User Directory

the picture is described in the document text

Existing users in the third-party LDAP directory can be bulk migrated into Oracle Internet Directory, and then bulk migrated into Oracle E-Business Suite.

Optionally, user profile information in Oracle E-Business Suite can be kept synchronized with the information in the third-party LDAP directory.

Scenario 3

Requirement - Need to integrate existing Oracle E-Business Suite Release 12 with existing third-party single sign-on and user directory infrastructure

Starting Environment

Oracle E-Business Suite Release 12 is in use, and has an up to date user repository.
Oracle Portal is not implemented.
A third-party corporate single sign-on solution such as Netegrity SiteMinder is in use and is to be retained.
A third-party LDAP directory such as SunONE/iPlanet is in place as a corporate user directory and is to be retained.
At the start of the implementation, a given user may exist in both Oracle E-Business Suite Release 12 and the third-party LDAP directory, with either the same user name in both or a different user name in each.

Solution

Oracle Application Server 10g (including Oracle Single Sign-On and Oracle Internet Directory) is needed for the integration.
Oracle E-Business Suite and Oracle Single Sign-On need to be set up so that Oracle E-Business Suite delegates authentication to Oracle Single Sign-On, which in turn delegates the functionality to the third-party single sign-on server.
Oracle Internet Directory must be configured to synchronize a minimal set of information from the third-party LDAP directory for users who will access Oracle E-Business suite via single sign-on.
Existing users in the third-party LDAP directory can be bulk migrated into Oracle Internet Directory.
Existing accounts in both Oracle E-Business Suite and the third-party LDAP directory can be linked.
With proper planning, new users can be synchronized from the third-party LDAP directory into Oracle Internet Directory, and then into Oracle E-Business Suite.
Optionally, user profile information in Oracle E-Business Suite can be kept synchronized with the information in the third-party LDAP directory.

A simpler variant of this scenario arises when no third-party single sign-on/LDAP directory is involved. There is only an existing Oracle E-Business Suite Release 12 installation plus an Oracle Single Sign-On and Oracle Internet Directory infrastructure. In such a case, all steps relating to third-party (non-Oracle) software can be ignored.

Scenario 4

Requirement - Need to enable Oracle Single Sign-On with multiple Oracle E-Business Suite Release 12 installations where no Oracle Single Sign-On infrastructure is currently in place

Starting Environment

Multiple Oracle E-Business Suite Release 12 instances are implemented, and each has an existing user population.
Oracle Portal is not implemented.
No existing Oracle Single Sign-On infrastructure is in place.

Solution

Oracle Application Server 10g (including Oracle Single Sign-On and Oracle Internet Directory) is needed for the integration.
Each Oracle E-Business Suite instance delegates user sign-on and authentication to Oracle Single Sign-On.
Oracle Single Sign-On authenticates user credentials against user entries in Oracle Internet Directory.
Oracle Internet Directory contains every user’s single sign-on account id and password.
A single sign-on account needs to be created for every user in Oracle Internet Directory.
Existing applications accounts in Oracle E-Business Suite instances need to be linked to the single sign-on account.
Optionally, user profile information in Oracle E-Business Suite can be kept synchronized with the information in Oracle Internet Directory.

Advanced Single Sign-On Options

There are a number of advanced options that may be employed in specialized circumstances; one example is described here.

Linking Multiple Application Accounts to a Single Oracle Single Sign-On Account

Normally, a single sign-on account in Oracle Internet Directory will correspond to a single application account in Oracle E-Business Suite Release 12. However, in special cases a user may need to have a single sign-on account in Oracle Internet Directory and multiple application accounts in Oracle E-Business Suite Release 12.

Figure 8-7 Single Sign-On Account with Multiple Application Accounts

the picture is described in the document text

If required, this feature can be enabled by system administrators via the profile option ‘Applications SSO Allow Multiple Accounts’.