12 Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager 11g Release 1

This chapter contains the following topics:

• Section 12.1, "Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager"

• Section 12.2, "Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne"

• Section 12.3, "Setting Up EnterpriseOne for Single Sign-On Integration with Oracle Access Manager"

• Section 12.4, "Setting Up EnterpriseOne for Single Sign-Off Integration with Oracle Access Manager"

• Section 12.5, "Testing the Single Sign-On Configuration"

Note:

You can enable support of long user IDs and passwords in a JD Edwards EnterpriseOne single sign-on configuration with Oracle Access Manager. See Chapter 15, "Configuring Long User ID and Password Support for EnterpriseOne" in this guide for more information.

12.1 Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Manager

Oracle Access Manager provides single sign-on functionality for Oracle applications, including JD Edwards EnterpriseOne. It provides a secure internet infrastructure for identity management for EnterpriseOne applications and processes. This infrastructure provides:

• Identity and access management across EnterpriseOne applications, enterprise resources, and other domains.

• Foundation for managing the identities of customers, partners, and employees across internet applications. These user identities are protected by security policies for web interaction.

Integration with Oracle Access Manager provides EnterpriseOne implementations with these features:

• Oracle Access Manager authentication, authorization, and auditing services for EnterpriseOne applications.

• Oracle Access Manager single sign-on for EnterpriseOne applications and other Oracle Access Manager-protected resources in a single domain or across domains.

  Note:

  EnterpriseOne single sign-on through Oracle Access Manager is supported only by the EnterpriseOne Web client, not Collaborative Portal.

• Oracle Access Manager authentication schemes that provide single sign-on for EnterpriseOne applications:

  • Basic Over LDAP (Lightweight Directory Access Protocol): Users enter a user name and password in a window supplied by the Web server.

    This method can be redirected to Secure Socket Layer (SSL).

  • Form: Similar to the basic challenge method, users enter information in a custom HTML form.

    You choose the information that users must provide in the form.

  • X509 Certificates: X.509 digital certificates over SSL.

    A user's browser must supply a certificate.

  • Integrated Windows Authentication (IWA): Users will not notice a difference between an Oracle Access Manager authentication and IWA when they log on to the desktop, open an Internet Explorer (IE) browser, request an Oracle Access Manager-protected web resource, and complete single sign-on.

  • Microsoft .NET Passport: NET Passport is a component of the Microsoft .NET framework. The .NET plug-in is a Web-based authentication service that provides single sign-on for Microsoft-protected web resources.

  • Custom: You can use other forms of authentication through the Oracle Access Manager Authentication Plug-in API.

• Session timeout: Oracle Access Manager enables you to set the length of time that a user session is valid.

• Ability to use the Oracle Access Manager Identity System for identity management. The Identity System provides identity management features such as portal inserts, delegated administration, workflows, and self-registration to JD Edwards EnterpriseOne applications.

  You can determine how much access to provide to users upon self-registration. Identity System workflows enable a self-registration request to be routed to appropriate personnel before access is granted. Oracle Access Manager also provides self-service, enabling users to update their own identity profiles.

See Also:

• Oracle Access Manager Integration Guide and the Oracle Identity Manager documentation.

12.1.1 JD Edwards EnterpriseOne Integration Architecture

EnterpriseOne has a configurable authentication mechanism that allows it to authenticate a user against:

• Native tables (through a security kernel).

• Lightweight Data Access Protocol (LDAP).

• Custom plug-ins, including the ability to read HTTP Headers.

EnterpriseOne single sign-on through Oracle Access Manager involves:

• Protection through a WebGate, which is a plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization.

• Populating a header variable with an attribute value that is stored in the LDAP directory used by Oracle Access Manager.

• Configuring EnterpriseOne to invoke the Oracle Access Manager authentication process, overriding the default authentication mechanism.

12.1.2 Single Sign-On Architecture

Single sign-on with Oracle Access Manager requires an EnterpriseOne HTML Server configuration with an application server, such as Oracle WebLogic Server 10g, that contains a J2EE container, which is required for the Java servlets and Java code to run. In addition, WebGate must be installed on an Oracle HTTP Server, and it must be configured to protect the EnterpriseOne URLs that are used to access the HTML Server.

The following illustration shows the integration environment and process flow:

Figure 12-1 JD Edwards EnterpriseOne Single Sign-On through Oracle Access Manager

The following steps describe the single sign-on process:

1. A user attempts to access an EnterpriseOne program by entering a URL to the EnterpriseOne Web client in a Web browser.

2. A WebGate deployed on the EnterpriseOne HTTP Server intercepts the request.

3. The WebGate checks Oracle Access Manager to determine whether the resource (EnterpriseOne URL) is protected.

4. If a valid session does not exist and the resource is protected, WebGate prompts the user for credentials through the Oracle Access Manager login page.

5. After the user enters their single sign-on user ID and password on the Oracle Access Manager login page, the WebGate captures the user credentials and sends them to Oracle Access Manager for authentication.

6. Oracle Access Manager compares the user credentials against the Oracle Internet Directory (OID).

   1. If the user's single sign-on credentials are not in OID, Oracle Access Manager notifies WebGate and the user is denied access to EnterpriseOne.

   2. If Oracle Access Manager finds the user's single sign-on credentials in OID, Oracle Access Manager authenticates the credentials.

7. If the credentials are validated, the user gains access to the EnterpriseOne Web client.

8. If a valid session already exists and the user is authorized to access the resource, WebGate redirects the user to the requested EnterpriseOne resource.

12.1.3 Supported Versions and Platforms

For supported versions and platforms for the integration of Oracle Access Manager with JD Edwards EnterpriseOne Tools and JD Edwards EnterpriseOne Applications, see the Certifications tab on My Oracle Support:

https://support.oracle.com/epmos/faces/CertifyHome?_adf.ctrl-state=78o46rofa_43&_afrLoop=34652538504327

Also, see document 745831.1 (JD Edwards EnterpriseOne Minimum Technical Requirements Reference) on My Oracle Support:

https://support.oracle.com/epmos/faces/DocumentDisplay?id=745831.1

12.2 Setting Up Oracle Access Manager Single Sign-On for JD Edwards EnterpriseOne

To configure Oracle Access Manager single sign-on for JD Edwards EnterpriseOne, you must register the Oracle Access Manager 11g WebGate Agent for JD Edwards EnterpriseOne HTML Server. This configuration includes the following tasks:

1. Creating a host identifier for the EnterpriseOne HTTP Server.

2. Creating an application domain template with resources, authentication and authorization policies.

3. Creating the JDE resources such as /JDE and /…/* and added them to the authorization policies.

4. Adding the JDE_SSO_UID Header field to responses section.

5. Copying the Agent files from the Oracle Access Manager 11g WebGate Agent to the JD Edwards EnterpriseOne Server.

See Registering the WebGate Agent for JD Edwards EnterpriseOne HTML Server in this section, which contains detailed steps on how to perform the preceding tasks.

12.2.1 Prerequisites

Before you set up Oracle Access Manager and EnterpriseOne for single sign-on, you must:

• Install a supported directory server, such as Oracle Internet Directory, according to vendor instructions.

• Install and configure Oracle Access Manager using the directory server as the LDAP repository.

• Install and configure the HTML Server so that EnterpriseOne applications are rendered and accessed through the HTTP Server.

• Install and configure the Oracle HTTP Server for EnterpriseOne HTML Server.

• Install and register the WebGate Agent for EnterpriseOne HTML Server.

See the following guides for information about the prerequisites:

• Oracle Fusion Middleware Installation Guide for Oracle Identity Management

• Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service

• "Configuring Oracle Internet Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management

12.2.2 Registering the WebGate Agent for JD Edwards EnterpriseOne HTML Server

Sign in to Oracle Access Manager.

1. Open the Oracle Access Manager console, for example http://oamservesr:oamport/oamconsole

2. Enter the Admin user and password.

   Figure 12-2 Welcome to Oracle Access Manager 11g Page

   
   

3. On the Welcome page, select the "New OAM 11g Webgate" option.

   Figure 12-3 Create OAM 11G Webgate Page

   
   

4. On Create OAM 11G Webgate, enter a name for the WebGate in the Name field.

5. In the Security options area, select Open, and then click the Apply button.

   This creates entries for the new WebGate under the Host Identifiers and Application Domains nodes, as shown in the following screen.

   Figure 12-4 OAM Policy Configuration Tab: New WebGate Entries

   
   

6. To create the resource URL, in the Applications Domains node, click Resources under the new WebGate.

   Figure 12-5 OAM Policy Configuration Tab: Create Button

   
   

7. In the Search Results area, click the Create button (paper icon).

   Figure 12-6 Create Resource Tab: Resources Page

   
   

8. On Resources, complete the following fields:

   • Type: HTTP

   • Host Identifier: Select you host identifier.

   • Resource URL: /jde

   • Protection Level: Select Protected.

   • Authentication Policy: Select Protected Resource Policy.

   • Authorization Policy: Select Protected Resource Policy.

9. Click the Apply button.

10. Repeat the preceding steps to add the following resource URL:

    /…/*

11. Double-click the Protected Resource Policy.

    The Resources tab displays the newly added resources.

    Figure 12-7 Resources Tab with Newly Added Resources

    
    

12. Click the Responses tab and click the Add button (plus symbol icon).

    Figure 12-8 Responses Tab: Header Row

    
    

13. On the Responses tab, complete the following fields in the header row:

    • Name: JDE_SSO_UID

    • Type: Header

    • Value: $user.userid

14. Review all registered agents, and then select the System Configuration tab.

15. Open the Access Manager Settings section, and then open the SSO Agents option.

    Figure 12-9 OAM Agents Tab: List of Registered Agents

    
    

16. In the "Access Manager Settings" section in the left pane, double-click OAM Agents and then click the Search button.

    A list of registered agents appears. The registered agent creates a cwallet.sso file and ObAccessClient.xml file.

17. Copy these two files from <MW_HOME>/user_projects/domain/OAMDomain/output/<Agent_name> and paste them to the following directory on the JD Edwards EnterpriseOne Server:

    <MW_Home>Oracle_WT1/instances/instance1/OHS/ohs1/webgate/config

12.2.3 Configuring Oracle HTTP Server for the EnterpriseOne HTML Server

After you install and configure the Oracle HTTP Server and Oracle HTTP WebGate, you will need to configure the mod_wl_ohs.conf file.

To configure the mod_wl_ohs.conf file:

1. Navigate to the mod_wl_ohs.conf file located at:

   MW_Home>/Oracle_WT1/instances/instance1/config/OHS/ohs1
   

2. Edit the mod_wl_ohs.conf file.

   1. Add a Virtual Host section.

      NameVirtualHost *:7777
      <VirtualHost *:7777>
        <Location /jde>   <--EnterpriseOne Context
          SetHandler weblogic-handler
          WebLogicHost myserver.com
          WebLogicPort 9003  <-- EnterpriseOne Port
        </Location>
      

   2. If you would prefer to use the single signon for the Weblogic console, then include a <Location /console> section.

      <Location /console>  <--WebLogic Console Configuration (optional)
          SetHandler weblogic-handler
          WebLogicHost myserver.com
          WebLogicPort 9001
      </Location>
      

   Use the following image to verify that the WebLogic port numbers match your configuration.

   Figure 12-10 Configure mod_wl_ohs.conf

   
   

   Note:

   The HTTP port number (for example: 7777) will be the SSO port.

3. Restart the HTTP server.

   1. Change the directory to MW_Home>/Oracle_WT1/instances/instance1/bin.

   2. Run ./opmnctl stopall

   3. Run ./opmnctl startall

12.3 Setting Up EnterpriseOne for Single Sign-On Integration with Oracle Access Manager

This section discusses how to set up the EnterpriseOne HTML Server for single sign-on integration with Oracle Access Manager through EnterpriseOne Server Manager.

1. Open EnterpriseOne Server Manager from a browser.

2. Select your EnterpriseOne HTML Server instance.

3. Select Network Settings from the Configuration section.

   Figure 12-11 Security Server Configuration Page

   
   

4. Select the Enable Oracle Access Manager option.

5. Click Apply.

6. At the prompt, click the Synchronize button to synchronize the changes in all .ini files.

7. Stop and restart the HTML server.

12.4 Setting Up EnterpriseOne for Single Sign-Off Integration with Oracle Access Manager

This section discusses how to set up the EnterpriseOne HTML Server for single sign-off integration with Oracle Access Manager through EnterpriseOne Server Manager.

1. Open Server Manager from a Web browser.

2. Select your EnterpriseOne HTML Server instance.

3. In the Configuration section, select Network Settings.

   Figure 12-12 Network Settings for Single Sign-Off

   
   

4. In the Security Server Configuration section, select the Enable Oracle Access Manager option.

5. Enter the Oracle Access Manager (OAM) sign-off URL. The sign-off URL should include the OAM server URL, for example:

   http://OAMServer:OAMPort/oamsso/logout.html?end_url=http://e1server:e1ssoport/jde/index.jsp
   

6. Click Apply.

7. At the prompt, click the Synchronize button to synchronize the changes in all .ini files.

8. Stop and restart the EnterpriseOne HTML Server.

12.5 Testing the Single Sign-On Configuration

Perform the steps in this section to test the single sign-on configuration.

1. In a Web browser, enter the following URL to the EnterpriseOne Web client:

   http://yourhost:yourssoport/jde/E1Menu.maf
   

   The Oracle Access Manager 11g login page appears.

   Figure 12-13 Oracle Access Manager 11g Login Page

   
   

2. On the login page, enter user credentials in the Username and Password fields, and then click the Login button.

   If the credentials are validated, the system grants access to the EnterpriseOne Web client. You have successfully configured single sign-on!