About Setting Up SSO Between Azure AD and Oracle Access Manager for Oracle E-Business Suite

When a customer wants to run an Oracle application—such as Oracle E-Business Suite—on Microsoft Azure, but use the on-premises Oracle Access Manager as the service provider, federated SSO is required between Azure AD and on-premises OAM.

Because SAML 2.0 has the broadest integration support among cloud applications, the ideal solution is to configure SAML 2.0 to provide the necessary federated SSO architecture.

Before You Begin

Before you begin to run an application in Microsoft Azure connected to a database in Oracle Cloud, understand the networking architecture for connecting workloads deployed on Oracle Cloud and Microsoft Azure.

See Learn about interconnecting Oracle Cloud with Microsoft Azure.

Architecture

This solution presents an architecture that is a hybrid approach to an already-documented on-premises integration between Oracle Access Manager and E-Business Suite.

This is considered a hybrid architecture because:
  • It places Oracle E-Business Suite in Azure.
  • It uses Azure Active Directory (Azure AD) as the federated identity provider (IDP) to authenticate a user to E-Business Suite.
  • You run Oracle Access Manager as the service provider (SP) on-premises with its backend LDAP server (either Oracle Unified Directory or Oracle Internet Directory).
Illustration: ebiz-architecture.png (hybrid architecture diagram)

This approach provides a way to be one step closer to moving some of your infrastructure to the cloud. It doesn’t have to stop with just E-Business Suite—Oracle Access Manager and Oracle Unified Directory or Oracle Internet Directory can also be moved to the cloud.

Another key part of this architecture is the provisioning of user accounts. This paper assumes that Azure AD is the source of truth for user accounts. This means that a provisioning method such as Oracle Directory Integration Platform synchronization, or an identity management tool like Microsoft Identity Manager or Oracle Identity Manager, should be used to provision user accounts into the Oracle Access Manager LDAP server (Oracle Unified Directory or Oracle Internet Directory). Oracle Directory Integration Platform, used as a bi-directional synchronization service, can then synchronize that account into the E-Business Suite database. Certain key attributes that are critically important to SSO are covered later in this paper.

Understand the Components

The components in this hybrid architecture, as shown in the illustration above, are listed below by data center.

Data Center: Azure
  • Azure AD
  • Oracle E-Business Suite 12.2.x
  • Oracle HTTP Server 11g or 12c
  • Oracle WebGate 11g or 12c
  • Oracle AccessGate 11g or 12c
Data Center: Oracle Cloud Infrastructure
  • Oracle E-Business Suite Database 12.2 or later
Data Center: Customer on-premises
  • Oracle Access Manager 11g or 12c
  • Oracle Unified Directory or Oracle Internet Directory 11g or 12c
  • Oracle Directory Integration Platform 11g or 12c
  • Oracle HTTP Server 11g or 12c (optional)

Understand the Provisioning and Federation Flows

The preceding diagram illustrates the combined provisioning and federation flows defined for this architecture.

The provisioning flow (described below in transactions 1-3) illustrates one example of how a user account is created in Azure AD, provisioned to the Oracle Access Manager LDAP server, and synchronized using Oracle Directory Integration Platform to the E-Business Suite database. The federation flow is illustrated in transactions 4-10. Additional federation flow details are described in Understand the Azure AD and E-Business Suite Federation Flow.

  1. The initial user account is provisioned to Oracle Unified Directory or Oracle Internet Directory; the account must include the user principal name (UPN).
  2. Oracle Directory Integration Platform listens to Oracle Unified Directory change logs and provisions the user account to the E-Business Suite database.
  3. Oracle Directory Integration Platform provisions the user account, mapping uid to USER_NAME and orclguid to USER_GUID, to the E-Business Suite database.
  4. The user requests E-Business Suite access, and WebGate checks for the OAMAuthCookie Token.
  5. WebGate verifies that the user has no OAMAuthCookie Token, so it checks with Oracle Access Manager for a course of action.
  6. Oracle Access Manager tells WebGate to redirect the user to Azure AD for federated authentication, and Azure AD prompts the user for login.
  7. Azure AD validates the user’s credentials and then sends a SAML 2.0 assertion to Oracle Access Manager, using the mail attribute as the user mapping.
  8. Oracle Access Manager accepts the SAML 2.0 assertion and returns the matching user in Oracle Unified Directory using the UPN. In the response, it provides the USER_NAME (uid) and USER_ORCLGUID (orclguid) from Oracle Unified Directory in the header defined in the policy.
  9. WebGate redirects the user to E-Business Suite and sends the USER_NAME and USER_ORCLGUID as headers to AccessGate.
  10. AccessGate looks up the USER_NAME and USER_ORCLGUID in the E-Business Suite database to verify that the user exists. On success, it sets its own session and returns the E-Business Suite portal page back to the user.
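The identity-linking chain in transactions 7 to 10, as an added example that is not part of the Oracle playbook: the assertion, the directory entries, the E-Business Suite user table and the hostnames are constructed sample data, the asserted mail value and the UPN are treated as the same string, and the NotOnOrAfter and Audience checks are standard SAML validation that the text above does not spell out.

```python
"""Simulation of transactions 7-10: SAML assertion -> OAM directory lookup ->
USER_NAME / USER_ORCLGUID headers -> AccessGate database check.
Added example; all identities, hosts and values are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion. A real assertion carries an XML
# signature that OAM verifies before any of the checks below are relevant.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://oam.example.com/oam/fed</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed Oracle Unified Directory entries keyed by UPN, and the E-Business
# Suite user table as populated by Oracle Directory Integration Platform
# (uid -> USER_NAME, orclguid -> USER_GUID).
OUD = {"jdoe@example.com": {"uid": "JDOE", "orclguid": "A1B2C3D4"}}
EBS_USERS = {"JDOE": "A1B2C3D4"}

def parse_assertion(xml_text, expected_audience, now=None):
    """Transaction 7: return the asserted NameID after expiry and audience checks."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service provider")
    return root.find("saml:Subject/saml:NameID", NS).text

def oam_headers(nameid):
    """Transaction 8: map the asserted identity to the directory user and build headers."""
    entry = OUD.get(nameid)
    if entry is None:
        return None  # no matching directory user: OAM denies access
    return {"USER_NAME": entry["uid"], "USER_ORCLGUID": entry["orclguid"]}

def accessgate_check(headers):
    """Transaction 10: the user must exist with both USER_NAME and GUID matching."""
    if not headers:
        return False
    return EBS_USERS.get(headers["USER_NAME"]) == headers["USER_ORCLGUID"]
```

Requiring both USER_NAME and USER_ORCLGUID to match means a directory account that is deleted and recreated under the same uid (and therefore a new orclguid) does not silently inherit the old E-Business Suite user until Oracle Directory Integration Platform has resynchronized it.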

About Required Services and Roles

This solution requires the combination of specific services and roles within those services.

These services and applications are required:
  • Oracle Cloud Infrastructure
  • Oracle Access Manager
  • A fully functional Oracle E-Business Suite instance deployed to Azure
  • Microsoft Azure AD
Service Name: Oracle Cloud Infrastructure
  • Role: Administrator
  • Required to: Create and manage identity resources
Service Name: Oracle Access Manager
  • Role: Administrator
  • Required to: Configure and maintain user settings on-premises
Service Name: E-Business Suite
  • Role: Administrative roles, including database administrator and LDAP administrator
  • Required to: Configure E-Business Suite and change security settings
Service Name: Azure AD
  • Role: Azure AD contributor or a more privileged account
  • Required to: Obtain an Azure subscription
Service Name: Azure AD
  • Role: Azure application administrator or global administrator
  • Required to: Handle configuration and set up on the Azure side