Learn About Enabling SSO for Oracle E-Business Suite with OCI IAM using EBS Asserter in High Availability mode

If you have an Oracle E-Business Suite (EBS) instance, you can seamlessly authenticate with other applications that use Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) as their authentication mechanism using the OCI IAM E-Business Suite Asserter component.

This integration allows your Oracle E-Business Suite to participate in the single sign-on (SSO) provided by OCI IAM. To enhance security for the sign-in process, you can set up sign-in and identity provider policies, and configure multi-factor authentication. You can also enable adaptive security to provide strong authentication capabilities and risk analysis for your users across applications and Oracle E-Business Suite in OCI IAM.

This solution playbook describes the steps and configuration for integrating OCI IAM with Oracle EBS using OCI IAM Asserter in High Availability mode where:
  • Oracle WebLogic Server is deployed on an OCI compute instance and
  • Oracle EBS is deployed on OCI using Oracle EBS Cloud Manager

For each EBS instance, you configure and deploy one instance of the OCI IAM E-Business Suite Asserter application. You can deploy EBS Asserter in HA mode using different configurations as described in the following section:

  1. Multiple WebLogic Server machines, with each machine hosting a single managed server and deployed with a single EBS Asserter.
  2. A single WebLogic Server machine with multiple managed servers. Each managed server has a single deployment of EBS Asserter.
  3. A single WebLogic Server machine with a single managed server. The managed server has multiple deployments of EBS Asserter.

To accomplish the third scenario, you must perform the following tasks:

  • Rename each EBS Asserter application's Web Application Resource (WAR) file before you deploy the file to the same WebLogic managed server. In this case, the domain name and port number of all E-Business Suite Asserter URLs will be the same, but the URL's context will change.
  • Extract the contents of each ebs.war file to a folder, find the weblogic.xml file, edit this file, update the value of the <cookie-path> tag to match the EBS Asserter's URL, and then rebuild the ebs.war file.

For example, if you want the E-Business Suite Asserter to respond to URL context /app/ebs, then update the tag within weblogic.xml with the value <cookie-path>/app/ebs</cookie-path>.

For example, if you have two EBS instances named Development 1 and Development 2 and you want to integrate these EBS instances with OCI IAM using the E-Business Suite Asserter, but you only have one WebLogic managed server for the two E-Business Suite Asserter applications, then you need to execute the procedures in this tutorial for each EBS instance. You configure the WebLogic Server only once, and configure and deploy the E-Business Suite Asserter Application for each EBS instance:

  • For EBS instance Development 1:
    • Make a copy of the ebs.war file and name the new file ebsdev1.war.
    • Update the weblogic.xml contained in the ebsdev1.war file, by replacing the cookie-path tag with the following value: <cookie-path>/ebsdev1</cookie-path>.
    • Update the bridge.properties file (section 5) contained in the ebsdev1.war file.
    • Rebuild the ebsdev1.war file and then deploy this file (section 7) to the WebLogic managed server.
  • For EBS instance Development 2:
    • Make a copy of the ebs.war file and name the new file ebsdev2.war.
    • Update the weblogic.xml contained in the ebsdev2.war file, by replacing the cookie-path tag with the following value: <cookie-path>/ebsdev2</cookie-path>.
    • Update the bridge.properties file (section 5) contained in the ebsdev2.war file.
    • Rebuild the ebsdev2.war file and then deploy this file (section 7) to the WebLogic managed server.

You will deploy both the ebsdev1.war and ebsdev2.war files to the same WebLogic managed server. The E-Business Suite Asserter's URL for EBS instance Development 1 will be https://ebsasserter.example.com:7002/ebsdev1, and for EBS instance Development 2 https://ebsasserter.example.com:7002/ebsdev2.
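The copy, edit and rebuild steps for ebsdev1.war and ebsdev2.war, plus a check that each rebuilt WAR scopes its session cookie to its own URL context, as an added Python example that is not part of Oracle's playbook or the Asserter distribution. The sample WAR is constructed, the function names are hypothetical, and the code assumes the descriptor sits at WEB-INF/weblogic.xml with exactly one cookie-path tag; the bridge.properties update is not covered.

```python
import io
import re
import zipfile

WEBLOGIC_XML = "WEB-INF/weblogic.xml"  # assumed descriptor location inside the WAR
COOKIE_PATH = re.compile(r"<cookie-path>\s*([^<]*?)\s*</cookie-path>")

def sample_war() -> bytes:
    """Constructed stand-in for ebs.war; the real descriptor has more elements."""
    xml = ('<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">\n'
           "  <session-descriptor>\n    <cookie-path>/ebs</cookie-path>\n"
           "  </session-descriptor>\n</weblogic-web-app>\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr(WEBLOGIC_XML, xml)
        war.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()

def cookie_path(war: bytes) -> str:
    """Read the <cookie-path> value from a WAR's weblogic.xml."""
    with zipfile.ZipFile(io.BytesIO(war)) as z:
        found = COOKIE_PATH.findall(z.read(WEBLOGIC_XML).decode("utf-8"))
    if len(found) != 1:
        raise ValueError(f"expected one <cookie-path>, found {len(found)}")
    return found[0]

def repackage(war: bytes, context: str) -> bytes:
    """Rebuild the WAR with <cookie-path> set to the deployment's URL context."""
    if not re.fullmatch(r"(/[A-Za-z0-9._-]+)+", context):
        raise ValueError(f"not a usable URL context: {context!r}")
    cookie_path(war)  # fail early if the tag is missing or duplicated
    tag = f"<cookie-path>{context}</cookie-path>"
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == WEBLOGIC_XML:
                # Text substitution keeps the rest of the descriptor byte-for-byte.
                data = COOKIE_PATH.sub(lambda m: tag, data.decode("utf-8")).encode("utf-8")
            dst.writestr(item, data)
    return out.getvalue()

def mismatches(deployments: dict) -> list:
    """Contexts whose WAR still carries a cookie path for a different URL."""
    return [ctx for ctx, war in deployments.items() if cookie_path(war) != ctx]
```

Running mismatches over every WAR bound for the same managed server before deployment catches a copy that was renamed but never edited, which would otherwise leave its session cookie scoped to a path that does not match its own URL.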

Before You Begin

Before you begin using E-Business Suite Asserter, understand how to enable it, and how it works with other components.

  • If your Oracle E-Business Suite is integrated with Oracle Access Manager, Oracle Internet Directory, E-Business Suite AccessGate, or uses any other SSO profile, then remove the integration between these components and Oracle E-Business Suite, and then restart the servers before using the OCI IAM E-Business Suite Asserter.
  • Know what’s supported. All Oracle E-Business modules which use browser-based login will work with E-Business Suite Asserter for SSO. Excel-based login of Web ADI is supported. Mobile Apps for EBS, such as approvals and expenses, are supported. Modules which do not use browser-based login, such as Mobile Web Applications (MWA) and E-Signature, are not supported.

Architecture

In this playbook, one WebLogic cluster is created comprising two WebLogic machines. Each of these WebLogic machines hosts one WebLogic managed server. Two instances of E-Business Suite Asserter are deployed on each of the two WebLogic managed servers. OCI Load Balancer is used to provide high availability and traffic management between the two nodes of OCI IAM Asserter.

Oracle E-Business Suite is also deployed in High Availability with two different nodes, using Oracle EBS Cloud Manager. Oracle E-Business Suite uses an Oracle RAC database with two database server nodes. The OCI IAM Asserter interacts with OCI IAM through the OCI IAM REST API and redirects the user's web browser to OCI IAM and Oracle E-Business Suite.

The following architecture diagram shows how the E-Business Suite Asserter, Oracle E-Business Suite, and OCI IAM interact.



  1. The user requests access to an Oracle E-Business Suite protected resource.
  2. The request reaches the OCI Load Balancer, which forwards it to the appropriate Oracle E-Business Suite server based on the availability of the backend servers.
  3. Oracle E-Business Suite redirects the user browser to the E-Business Suite Asserter application, which is directed through the OCI Load Balancer.
  4. The OCI Load Balancer, based on the configuration and availability of the backend E-Business Suite Asserter servers, forwards the request to the appropriate E-Business Suite Asserter server. The OCI Load Balancer generates a cookie and attaches it to the request to maintain session stickiness.
  5. The OCI IAM Asserter uses an OCI IAM SDK to generate the authorization URL and then redirects the browser to OCI IAM.
  6. OCI IAM presents its sign-in page to the user.
  7. The user submits credentials to OCI IAM.
  8. OCI IAM issues an authorization code and redirects the user's browser to the E-Business Suite Asserter.
  9. The response reaches the OCI Load Balancer, which uses the session cookie to route the request to the appropriate E-Business Suite Asserter server.
  10. The E-Business Suite Asserter uses an OCI IAM SDK to communicate with OCI IAM to exchange the authorization code for an access token.
  11. OCI IAM issues an access token and an ID token to the E-Business Suite Asserter.
  12. The E-Business Suite Asserter creates an Oracle E-Business Suite cookie and redirects the user's browser to Oracle E-Business Suite.
  13. Oracle E-Business Suite presents the user requested protected resource.

About Required Services and Roles

An OCI IAM administrator must be able to access the OCI IAM console to download E-Business Suite Asserter and configure and activate applications.

You must have access to the following services and products:
  • OCI IAM
  • Oracle E-Business Suite

You must have the following roles:

| Role | Required to... |
|---|---|
| OCI IAM: Security administrator | Access the Downloads page of the OCI IAM console. From this page, you can download the OCI IAM E-Business Suite Asserter. |
| OCI IAM: Application administrator | Manage applications in OCI IAM, which includes registering the sample mobile app with OCI IAM. |
| Oracle E-Business Suite: Server administrator | Access the Oracle E-Business Suite installation folder, the Oracle WebLogic Server where you deploy the E-Business Suite Asserter, and the E-Business Suite Asserter machine as an operating system user. |