Advanced Configurations for Single Sign-On

Overview

Single sign-on (SSO) across Oracle E-Business Suite mobile apps when authenticating a user from a mobile device is not currently supported, even if you have integrated Oracle E-Business Suite with Oracle Access Manager for single sign-on. If the mobile device has multiple Oracle E-Business Suite mobile apps, then the user must re-authenticate by entering login credentials when navigating from one Oracle E-Business Suite mobile app to another on the same mobile device.

When configuring Oracle E-Business Suite mobile apps with the "Apps SSO Login" authentication type available from Oracle E-Business Suite Mobile Foundation Release 4.0 and onwards, ensure that you complete the following required tasks:

Note: The "Apps SSO Login" type corresponds to the "Web SSO" authentication server type used in Oracle Mobile Application Framework.

Important: Before setting up your mobile app with any of the advanced configurations, ensure basic mobile app configuration is performed and validated. See: Validating the Configuration.

  1. Common Tasks for Single Sign-On (Prerequisite Tasks)

    Whether or not you use Oracle E-Business Suite mobile apps, you must perform some common tasks to configure Oracle E-Business Suite with single sign-on. This section describes these common tasks, which serve as prerequisites for configuring mobile apps with single sign-on.

    See: Prerequisites for Setting Up Mobile Apps with Single Sign-On.

  2. Specific Tasks for Mobile Apps with Single Sign-On

    After completing the common or prerequisite tasks for Oracle E-Business Suite with single sign-on, you can proceed with the rest of single sign-on configuration specifically for Oracle E-Business Suite mobile apps.

    See: Mobile Specific Setup Tasks to Enable Apps SSO Login Authentication Security.

For troubleshooting information, see Troubleshooting Tips on Configuring Apps With the Apps SSO Login Authentication Type.

Prerequisites for Setting Up Mobile Apps with Single Sign-On

If your Oracle E-Business Suite is integrated with Oracle Access Manager, to authenticate users remotely with single sign-on, ensure that you complete the following prerequisites:

To support "Apps SSO Login" (previously known as "Web SSO") authentication security, after completing these common or prerequisite tasks for Oracle E-Business Suite with single sign-on, you must perform additional setup tasks to enable this feature. See: Mobile Specific Setup Tasks to Enable Apps SSO Login Authentication Security.

Mobile Specific Setup Tasks to Enable Apps SSO Login Authentication Security

This section describes the additional setup tasks to support the "Apps SSO Login" (previously known as "Web SSO") authentication type for Oracle E-Business Suite mobile apps. It includes the following topics:

Additionally, see Troubleshooting Tips on Configuring Apps With the Apps SSO Login Authentication Type.

Setup Tasks to Enable the Apps SSO Login Authentication Security

To better understand the setup tasks specifically for mobile apps with Apps SSO Login, the following diagram illustrates the high-level process flow when authenticating Oracle E-Business Suite mobile users using single sign-on in a TLS configuration:

Note: Oracle E-Business Suite mobile apps work with any single sign-on configurations for Oracle E-Business Suite.

High Level Process Flow for Apps SSO Login Authentication with TLS Configuration

[Figure: high-level process flow diagram; its content is described in the text that follows.]

The diagram shows two different REST invocation points (client side and server side), each of which requires you to import certificates into the appropriate truststore:

Based on the above high-level invocation diagram, to enable the Apps SSO Login authentication for Oracle E-Business Suite mobile apps, you need to ensure that Oracle E-Business Suite AccessGate is deployed properly and that, in a TLS-based environment, its required certificates are imported. This section includes the following setup tasks for mobile apps, based on your Oracle E-Business Suite release:

For Oracle E-Business Suite Release 12.1.3

  1. Download Oracle E-Business Suite AccessGate for your Oracle E-Business Suite release. For download and patch information, refer to My Oracle Support Knowledge Document 2202932.1, Using the Latest Oracle E-Business Suite AccessGate for Single Sign-On Integration with Oracle Access Manager.

  2. Deploy Oracle E-Business Suite AccessGate by following the setup and configuration instructions described in one of the following My Oracle Support Knowledge Documents based on your Oracle Access Manager release:

    • For Oracle Access Manager 12c, see Document 2339337.1, Automating Integration of Oracle E-Business Suite Release 12.1.3 With Oracle Access Manager 12c.

    • For Oracle Access Manager 11g, see Document 2045154.1, Automating Integration of Oracle E-Business Suite Release 12.1 With Oracle Access Manager 11gR2 (11.1.2).

  3. After Oracle E-Business Suite AccessGate is successfully deployed, perform the following steps to define a public policy so that the /accessgate/logout/sso service is publicly invokable:

    1. Log in to the Oracle Access Manager Console (http://<hostname>:<port>/oamconsole).

    2. Under the Launch Pad tab, navigate to Access Manager and then select Application Domain. In the Search Application Domains page, search and locate the identifier for your WebGate.

    3. Select the identifier for your WebGate from the application domain search result table.

    4. Click the Resources tab.

    5. Click the New Resource button in the Resources tab.

    6. Enter the following information in the Create Resources region to define a resource in an application domain:

      • Type: HTTP

      • Description: Logout service for mobile

      • Host Identifier: Enter the identifier for your WebGate

      • Resource URL: Enter the URL in the following format:

        /{CONTEXT_ROOT}/logout/sso

      • Protection Level: Unprotected

      • Authentication Policy: Public Resource Policy

      • Authorization Policy: Protected Resource Policy

    7. Click Apply.

      You should be able to access the newly-created public resource and verify the functionality.

  4. Tasks for Enabling the feature on a TLS-based Oracle E-Business Suite environment

    Note: Oracle E-Business Suite mobile apps built with Oracle E-Business Suite Mobile Foundation Release 6.0 or later support TLS 1.2 only and TLS 1.2 with backward compatibility (recommended). For information on enabling TLS 1.2 only and TLS 1.2 with backward compatibility, see My Oracle Support Knowledge Document 376700.1, Enabling TLS in Oracle E-Business Suite Release 12.1.

    Please note that Oracle E-Business Suite mobile apps built with Oracle E-Business Suite Mobile Foundation Release 5.0 support TLS 1.0 only.

    If your Oracle E-Business Suite instance is TLS enabled and Oracle Access Manager (OAM) configured, ensure you perform the following tasks:

    1. If your mobile apps are built with Oracle E-Business Suite Mobile Foundation Release 6.0 or later, you need to configure the Oracle E-Business Suite AccessGate (EAG) managed server with the required TLS parameters so that the same TLS security protocol is used for outbound communication.

      For information on adding the required parameters for the EAG managed server, refer to one of the following My Oracle Support Knowledge Documents based on your Oracle Access Manager release:

      • For Oracle Access Manager 12c, see Document 2339337.1, Automating Integration of Oracle E-Business Suite Release 12.1.3 With Oracle Access Manager 12c - "Configuring Oracle E-Business Suite AccessGate (EAG) Managed Server to use the TLS Protocol for Outbound Communication" in Section 9.1 Configuring Transport Layer Security (TLS).

      • For Oracle Access Manager 11g, see the following Knowledge Documents:

        • Document 2045154.1, Automating Integration of Oracle E-Business Suite Release 12.1 With Oracle Access Manager 11gR2 (11.1.2) - "Configuring Oracle E-Business Suite AccessGate (EAG) Managed Server to use the TLS Protocol for Outbound Communication" in Section 9.1 Configuring Transport Layer Security (TLS).

        • Document 1484024.1, Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate - "Configuring Oracle E-Business Suite AccessGate (EAG) Managed Server to use the TLS Protocol for Outbound Communication" in Section 9.2 Configuring Transport Layer Security (TLS).

    2. Import the root-CA certificates from the Oracle HTTP Server (OHS) wallet and Oracle TLS CA certificates into the truststore of the managed server where Oracle E-Business Suite AccessGate is deployed.

      For information on obtaining private keys, digital certificates, and trusted certificate authority (CA) certificates, see Configuring Identity and Trust, Oracle Fusion Middleware Securing Oracle WebLogic Server.
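The "verify the functionality" step after defining the public resource (step 3 above, which applies to both the Release 12.1.3 and the Release 12.2 procedures) can be scripted. The following Python script is an added example and is not part of the Oracle documentation or of Oracle E-Business Suite AccessGate: it sends an unauthenticated GET to /{CONTEXT_ROOT}/logout/sso and tells an OAM login challenge apart from a reply by the logout service itself. The base URL, the default context root and the sample replies are constructed values; treating a redirect to the OAM server's obrareq.cgi endpoint as the WebGate authentication challenge is an assumption about your deployment.

```python
"""Check that the AccessGate logout resource answers without an OAM login challenge."""
import http.client
import ssl
from urllib.parse import urlsplit

# Assumption: an OAM WebGate challenges an unauthenticated request to a protected
# resource by redirecting to the OAM server's obrareq.cgi endpoint. A redirect
# there from /{CONTEXT_ROOT}/logout/sso means the public policy is not in effect.
OAM_CHALLENGE_MARKER = "obrareq.cgi"


def classify_response(status, location=None):
    """Classify the answer to an unauthenticated GET on /{CONTEXT_ROOT}/logout/sso.

    'public'    -> the request reached the AccessGate service itself
    'protected' -> OAM intercepted it (login redirect, 401 or 403)
    'error'     -> anything else; look at the server side
    """
    if 300 <= status < 400:
        if OAM_CHALLENGE_MARKER in (location or "").lower():
            return "protected"
        return "public"  # the logout service's own redirect, not a login challenge
    if status == 200:
        return "public"
    if status in (401, 403):
        return "protected"
    return "error"


def probe_logout_resource(base_url, context_root="accessgate", cafile=None, timeout=10):
    """Send an unauthenticated GET (no cookies, no credentials) and classify the reply.

    base_url is the WebGate-protected entry point, e.g. https://ebs.example.com:4443
    (constructed value). cafile is a PEM bundle holding the root CA of that server.
    This is a network call; the offline checks below only exercise classify_response.
    """
    parts = urlsplit(base_url)
    path = f"/{context_root}/logout/sso"
    if parts.scheme == "https":
        ctx = ssl.create_default_context(cafile=cafile)
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           context=ctx, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_response(resp.status, resp.getheader("Location")), resp.status
    finally:
        conn.close()


# Constructed sample replies (not captured from a real system).
SAMPLE_REPLIES = [
    (302, "https://oam.example.com:14100/oam/server/obrareq.cgi?encquery=placeholder"),
    (200, None),
    (403, None),
]

if __name__ == "__main__":
    for status, location in SAMPLE_REPLIES:
        print(status, location, "->", classify_response(status, location))
```

Run it against a real environment with `probe_logout_resource("https://<ebs_host>:<ebs_port>", cafile="<pem bundle>")`; a result of "protected" after the policy change means the resource definition (host identifier, resource URL or protection level) did not take effect.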

For Oracle E-Business Suite Release 12.2

  1. Download Oracle E-Business Suite AccessGate for your Oracle E-Business Suite release. For download and patch information, refer to My Oracle Support Knowledge Document 2202932.1, Using the Latest Oracle E-Business Suite AccessGate for Single Sign-On Integration with Oracle Access Manager.

  2. Deploy Oracle E-Business Suite AccessGate by following the setup and configuration instructions described in one of the following My Oracle Support Knowledge Documents based on your Oracle Access Manager release:

    • For Oracle Access Manager 12c, see Document 2339348.1, Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 12c using Oracle E-Business Suite AccessGate.

      If you have already deployed an earlier version of Oracle E-Business Suite AccessGate, refer to Section 8.2 Oracle E-Business Suite AccessGate Upgrade, My Oracle Support Knowledge Document 2339348.1.

    • For Oracle Access Manager 11g, see Document 1576425.1, Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2 (11.1.2) using Oracle E-Business Suite AccessGate.

      If you have already deployed an earlier version of Oracle E-Business Suite AccessGate, refer to Section 8.2 Oracle E-Business Suite AccessGate Upgrade, My Oracle Support Knowledge Document 1576425.1.

  3. After Oracle E-Business Suite AccessGate is successfully deployed, define a public policy to make the /accessgate/logout/sso service to be publicly invokable.

    Please note that the new resource /accessgate/logout/sso has been added to the public resources defined in the AutoConfig template ebs_oam_uri_conf.tmp, and will be automatically configured when you register Oracle E-Business Suite with Oracle Access Manager.

    If you have already registered Oracle E-Business Suite with Oracle Access Manager for single sign-on prior to setting up Oracle E-Business Suite Mobile Foundation Release 4.0 or later, then you need to re-register Oracle E-Business Suite and include an additional parameter -policyUpdate=yes. These actions add the newly-defined public resource /accessgate/logout/sso to your configuration.

    Follow the registration instructions as documented in Section 4.2 Register Oracle E-Business Suite with Oracle Access Manager, My Oracle Support Knowledge Document 1576425.1. Additionally, add a command line parameter -policyUpdate=yes as shown in the following example:

    txkrun.pl -script=SetOAMReg -registeroam=yes -policyUpdate=yes \
    -oamHost=http://myoam.example.com:7001 \
    -oamUserName=weblogic \
    -ldapUrl=ldap://myoid.example.com:3060 \
    -oidUserName=cn=orcladmin \
    -skipConfirm=yes \
    -ldapSearchBase=cn=Users,dc=example,dc=com \
    -ldapGroupSearchBase=cn=Groups,dc=example,dc=com

  4. Tasks for Enabling the feature on a TLS-based Oracle E-Business Suite environment

    Note: Oracle E-Business Suite mobile apps built with Oracle E-Business Suite Mobile Foundation Release 6.0 or later support TLS 1.2 only and TLS 1.2 with backward compatibility (recommended). For information on enabling TLS 1.2 only and TLS 1.2 with backward compatibility, see My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2.

    Please note that TLS 1.0 is required for Oracle E-Business Suite mobile apps built with Oracle E-Business Suite Mobile Foundation Release 5.0.

    If your Oracle E-Business Suite instance is TLS enabled and Oracle Access Manager (OAM) configured, perform the following tasks:

    1. Import the root-CA certificates from the OHS wallet into the truststore of the OAEA managed server where Oracle E-Business Suite AccessGate is deployed, if the root-CA certificates have not already been imported.

      Note: When the OAEA managed server is isolated from the oacore server, it is required to import the certificates into the truststore of the OAEA server.

      The default truststore or keystore for the managed server is at: <s_fmw_jdkto>/jre/lib/security/cacerts

      For information on importing the certificates into the truststore, see Section 3.9 Update the JDK Cacerts File in My Oracle Support Knowledge Document 2143101.1, Enabling SSL or TLS in Oracle E-Business Suite Release 12.2.

    2. If your Oracle Fusion Middleware version is earlier than 11.1.1.9, then you must enable JSSE TLS in the Oracle E-Business Suite context file. Use Oracle Applications Manager to update the Oracle E-Business Suite context file.

      Prerequisites: Review My Oracle Support Knowledge Document 1617461.1, Applying the Latest AD and TXK Release Update Packs to Oracle E-Business Suite Release 12.2, and follow the instructions to apply the required codelevel of AD and TXK for your system.

      1. Log in to Oracle E-Business Suite as a system administrator.

      2. Navigate to System Administration. Select Oracle Applications Manager, and then AutoConfig.

      3. Select the application tier context file, and choose Edit Parameters.

      4. Search for the s_enable_jsse variable by selecting OA_VAR in the search list of values and entering s_enable_jsse in the search text box. Choose the Go button.

      5. By default, the s_enable_jsse variable is set to false. Change this value to true to enable JSSE TLS. Refer to the description of the context variable for more information.

      6. Choose the Save button.

      7. Enter a reason for the update, such as "Enabling JSSE TLS". Then choose the OK button.

      8. Run AutoConfig and restart all the application tier services. For more information about AutoConfig, see: Technical Configuration, Oracle E-Business Suite Setup Guide.
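Before running AutoConfig in the two TLS tasks above (locating the managed server truststore under <s_fmw_jdkto>, and setting s_enable_jsse), it helps to read the two context variables back from the context file and list what is still open. The following Python script is an added example, not Oracle's own tooling: it finds variables by their oa_var attribute (what the OA_VAR search in Oracle Applications Manager matches), so the element names in the constructed sample context file are illustrative, as are the sample path and context name. The Fusion Middleware version threshold 11.1.1.9 is the one stated in the task.

```python
"""Report the TLS-related context variables used in the tasks above (added example)."""
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of an application tier context file. Only the
# oa_var attributes matter here; the element names and values are illustrative.
SAMPLE_CONTEXT_XML = """<?xml version="1.0"?>
<oa_context version="example">
  <oa_context_name oa_var="s_contextname">EBSDB_apps</oa_context_name>
  <fmw_jdkto oa_var="s_fmw_jdkto">/u01/app/fs1/FMW_Home/jdk</fmw_jdkto>
  <enable_jsse oa_var="s_enable_jsse">false</enable_jsse>
</oa_context>
"""


def oa_var(root, name):
    """Return the text of the element whose oa_var attribute equals name, or None."""
    for elem in root.iter():
        if elem.get("oa_var") == name:
            return (elem.text or "").strip()
    return None


def tls_report(xml_text):
    """Summarise what the TLS tasks need from the context file."""
    root = ET.fromstring(xml_text)
    jsse = oa_var(root, "s_enable_jsse")
    jdk_top = oa_var(root, "s_fmw_jdkto")
    return {
        "context_name": oa_var(root, "s_contextname"),
        # Absent variable: the AD/TXK code level that introduces it is not applied.
        "jsse_variable_present": jsse is not None,
        "jsse_enabled": jsse is not None and jsse.lower() == "true",
        # Default truststore of the managed server, as given in the task text.
        "truststore": f"{jdk_top}/jre/lib/security/cacerts" if jdk_top else None,
    }


def tls_findings(xml_text, fmw_version):
    """List the actions still open, given the Fusion Middleware version (e.g. '11.1.1.7')."""
    report = tls_report(xml_text)
    version = tuple(int(p) for p in fmw_version.split("."))
    findings = []
    if version < (11, 1, 1, 9):  # JSSE TLS must be enabled explicitly below 11.1.1.9
        if not report["jsse_variable_present"]:
            findings.append("apply the AD/TXK code level that provides s_enable_jsse")
        elif not report["jsse_enabled"]:
            findings.append("set s_enable_jsse to true in Oracle Applications Manager and run AutoConfig")
    if report["truststore"] is None:
        findings.append("s_fmw_jdkto is not set; cannot locate the default truststore")
    return findings


def check_context_file(path, fmw_version):
    """Run the checks against a real context file, e.g. $CONTEXT_FILE on the application tier."""
    with open(path, encoding="utf-8") as fh:
        return tls_findings(fh.read(), fmw_version)


if __name__ == "__main__":
    print(tls_report(SAMPLE_CONTEXT_XML))
    print(tls_findings(SAMPLE_CONTEXT_XML, "11.1.1.7"))
```

The truststore path the report prints is the file into which the OHS wallet's root-CA certificates must have been imported (task 1); run the report again after AutoConfig to confirm that s_enable_jsse now reads true.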

Testing the Setup for the Apps SSO Login Authentication Security

To successfully log in to an Oracle E-Business Suite mobile app configured with the Apps SSO Login security, you need to ensure successful HTTP(S) communication from the Oracle E-Business Suite AccessGate managed server to the Oracle E-Business Suite server.

  1. Validate the communication by running the following wget command from the managed server where Oracle E-Business Suite AccessGate is deployed:

    wget -d http(s)://<ebs_host>:<ebs_port>/OA_HTML/RF.jsp?function_id=mLogin

  2. If this fails, verify that the following are in place:

    1. The root-CA, intermediate, and server certificates from the Oracle HTTP Server (OHS) wallet and Oracle TLS CA certificates are imported into the truststore of the managed server where Oracle E-Business Suite AccessGate is deployed.

    2. The network port from the managed server to the Oracle E-Business Suite web entry point is not restricted.

    3. For an Oracle E-Business Suite environment in a DMZ configuration, if Oracle E-Business Suite AccessGate is deployed on an intranet server behind firewalls and the Oracle E-Business Suite web entry point is a URL on the Internet, then make sure that this Oracle E-Business Suite URL is not disallowed (blocked) from the intranet server.

      Even though this Oracle E-Business Suite web entry point URL may belong to your own enterprise, access to it from your intranet server can still be restricted. If the network restriction policy cannot be exempted to allow access from the intranet managed server where Oracle E-Business Suite AccessGate is deployed to the Oracle E-Business Suite web entry point over the Internet, then you can configure a proxy host and port for the HTTP communication as a workaround, as follows.

      1. Restart the managed server where Oracle E-Business Suite AccessGate is deployed with the following -D system properties.

      2. Set the proxy host and port through the system properties in JAVA_OPTIONS, using the following -D settings:

        • For the HTTP protocol communication:

          -Dhttp.proxyHost
          -Dhttp.proxyPort

        • For the HTTPS protocol communication:

          -Dhttps.protocols (TLSv1.1/SSL version)
          -Dhttps.proxyHost
          -Dhttps.proxyPort

      For more information, refer to Oracle Networking Properties (https://docs.oracle.com/javase/7/docs/api/java/net/doc-files/net-properties.html), Oracle Java Documentation.
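The wget check in step 1 and the checklist in step 2 can be combined into one diagnostic run from the managed server. The following Python script is an added example, not part of the Oracle documentation or of Oracle E-Business Suite AccessGate: it sends the same request as the wget command (GET /OA_HTML/RF.jsp?function_id=mLogin), optionally through an HTTP proxy with CONNECT as the counterpart of the -Dhttps.proxyHost/-Dhttps.proxyPort workaround, enforces a TLS 1.2 minimum as the counterpart of -Dhttps.protocols, and maps each failure to the checklist item to verify. The host, port and proxy arguments are supplied by you; the PEM CA bundle is an assumption (the managed server's JKS truststore is not readable by this script, so export the same CA certificates to PEM first).

```python
"""Reproduce the wget check above from the AccessGate managed server and map
failures to the checklist (added example)."""
import socket
import ssl
import sys

MLOGIN_PATH = "/OA_HTML/RF.jsp?function_id=mLogin"  # the URL used by the wget check


class ProxyTunnelError(ConnectionError):
    """The HTTP proxy did not accept the CONNECT request."""


def parse_connect_reply(raw):
    """True when a proxy's reply to CONNECT carries a 2xx status."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].startswith("2")


def open_tunnel(proxy_host, proxy_port, host, port, timeout):
    """TCP socket to host:port through an HTTP proxy, the counterpart of the JVM's
    -Dhttps.proxyHost / -Dhttps.proxyPort settings."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    if not parse_connect_reply(reply):
        sock.close()
        raise ProxyTunnelError(f"proxy refused CONNECT: {reply[:80]!r}")
    return sock


def fetch_mlogin(host, port, use_tls=True, cafile=None, proxy=None, timeout=10):
    """Send the request the wget check sends and return the HTTP status line.

    cafile: PEM bundle with the same CA certificates as the managed server's truststore.
    proxy: optional (proxy_host, proxy_port) tuple for the workaround above.
    """
    sock = (open_tunnel(proxy[0], proxy[1], host, port, timeout) if proxy
            else socket.create_connection((host, port), timeout=timeout))
    try:
        if use_tls:
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # counterpart of -Dhttps.protocols
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(f"GET {MLOGIN_PATH} HTTP/1.1\r\nHost: {host}:{port}\r\n"
                     f"Connection: close\r\n\r\n".encode())
        return sock.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
    finally:
        sock.close()


def diagnose(exc):
    """Map a failure of fetch_mlogin to the item of the checklist above to verify."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificates: import the OHS root-CA, intermediate and server certificates into the AccessGate truststore"
    if isinstance(exc, ssl.SSLError):
        return "tls: protocol or cipher mismatch; check the EAG managed server TLS parameters"
    if isinstance(exc, ProxyTunnelError):
        return "proxy: the proxy rejected the tunnel; check -Dhttps.proxyHost and -Dhttps.proxyPort"
    if isinstance(exc, (ConnectionError, socket.timeout, TimeoutError, socket.gaierror)):
        return "network: the port or name resolution from the managed server to the web entry point is restricted"
    return "unknown: " + repr(exc)


if __name__ == "__main__":
    # usage: python check_mlogin.py <ebs_host> <ebs_port> [cafile.pem]
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    try:
        print(fetch_mlogin(host, port, cafile=cafile))
    except Exception as exc:
        print(diagnose(exc))
```

A certificate-verification failure here with a cafile exported from the managed server's truststore reproduces checklist item 1 exactly, because the script trusts nothing beyond that bundle; a timeout or refused connection points at item 2 or 3.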