To further secure EPM System products, you can implement a supported access management system such as Oracle Access Manager or SiteMinder, which can provide authenticated user credentials to EPM System products and control access based on predefined access privileges.
SSO from security agents is available for EPM System web applications only. In this scenario, EPM System products use the user information provided by the security agent to determine access permissions of users. To enhance security, Oracle recommends that direct access to the servers be blocked by firewalls so that all requests are routed through an SSO portal.
SSO from access management systems is supported by accepting authenticated user credentials through an acceptable SSO mechanism. See Supported SSO Methods. The access management system authenticates users and passes their login name to EPM System. EPM System verifies the login names against configured user directories.
The SSO process works as follows:
Using a browser, users request access to a resource protected by an access management system, for example, Oracle Access Manager or SiteMinder.
Note: EPM System products are defined as resources protected by the access management system.
The access management system intercepts the request and presents a login screen. Users enter user names and passwords, which are validated against configured user directories in the access management system to verify user authenticity. EPM System products are also configured to work with these user directories.
Information about the authenticated user is passed to the EPM System product, which accepts the information as valid.
If the user logged on to SAP Portal, an SAP logon ticket is passed to the EPM System product, which decrypts the SAP logon ticket using an SAP certificate.
The access management system passes the user's login name (value of Login Attribute) to the EPM System product using an acceptable SSO mechanism. See Supported SSO Methods.
To verify user credentials, the EPM System product tries to locate the user in a user directory. If a matching user account is found, user information is returned to the EPM System product. EPM System security sets the SSO token that enables SSO across EPM System products.
Using the retrieved user information, the EPM System product queries the Native Directory to obtain provisioning details for the user.
Upon receiving user provisioning information, the EPM System product is made available to the user. SSO is enabled for all EPM System products for which the user is provisioned.
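The flow above, reduced to a small model as an added example (not Oracle's code): the agent asserts the login name, the application accepts it only from the SSO portal (the firewall recommendation), verifies the login name against the user directory, and then looks up provisioning in the Native Directory. The header name, addresses, directory entries and provisioning data are constructed placeholders, not values from the product.

```python
"""Model of security-agent SSO into an EPM System web application (constructed)."""
from dataclasses import dataclass

# Assumption: the header the agent uses to carry the login name. The real name
# depends on the configured SSO mechanism (see Supported SSO Methods).
SSO_HEADER = "X-SSO-LOGIN"

# Constructed: only the SSO portal / agent host may reach the application directly.
TRUSTED_AGENT_ADDRS = {"10.0.0.5"}

# Constructed user directory shared by the agent and EPM System:
# login attribute value -> directory identity.
USER_DIRECTORY = {
    "jdoe": "cn=jdoe,ou=people,dc=example,dc=com",
    "asmith": "cn=asmith,ou=people,dc=example,dc=com",
}

# Constructed Native Directory: identity -> EPM products the user is provisioned for.
# asmith exists in the directory but has no provisioning.
NATIVE_DIRECTORY = {
    "cn=jdoe,ou=people,dc=example,dc=com": {"Planning", "Financial Reporting"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    products: frozenset = frozenset()


def handle_request(headers: dict, source_addr: str) -> Decision:
    """Decide whether a request carrying an agent-asserted login name is granted."""
    # The asserted login name is trusted only when the request came through the
    # SSO portal; a request that bypassed it could carry any name.
    if source_addr not in TRUSTED_AGENT_ADDRS:
        return Decision(False, "request did not come through the SSO portal")
    login = headers.get(SSO_HEADER)
    if not login:
        return Decision(False, "agent asserted no login name")
    # Verify the login name against the configured user directory.
    identity = USER_DIRECTORY.get(login)
    if identity is None:
        return Decision(False, f"login {login!r} not found in user directory")
    # The SSO token would be set here; then query the Native Directory for provisioning.
    products = NATIVE_DIRECTORY.get(identity, set())
    if not products:
        return Decision(False, f"{login!r} is not provisioned for any EPM product")
    return Decision(True, "SSO accepted", frozenset(products))
```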