When a customer wants to run an Oracle application—such as Oracle E-Business Suite—on Microsoft Azure, but use the on-premises Oracle Access Manager as the service provider, federated SSO is required between Azure AD and on-premises OAM.
SAML 2.0 is the natural choice for this federated SSO architecture: it is the protocol with the broadest integration support across cloud applications, and it is supported natively by both Azure AD (as identity provider) and Oracle Access Manager (as service provider).
Before You Begin
This solution presents an architecture that is a hybrid approach to an already-documented on-premises integration between Oracle Access Manager and E-Business Suite.
- It places Oracle E-Business Suite in Azure.
- It uses Azure Active Directory (Azure AD) as the federated identity provider (IDP) to authenticate a user to E-Business Suite.
- You run Oracle Access Manager as the service provider (SP) on-premises with its backend LDAP server (either Oracle Unified Directory or Oracle Internet Directory).
Illustration: ebiz-architecture.png (hybrid architecture diagram)
This approach provides a way to be one step closer to moving some of your infrastructure to the cloud. It doesn’t have to stop with just E-Business Suite—Oracle Access Manager and Oracle Unified Directory or Oracle Internet Directory can also be moved to the cloud.
Another key part of this architecture is the provisioning of user accounts. This paper assumes that Azure AD is the source of truth for user accounts. This means that a provisioning method such as Oracle Directory Integration Platform synchronization, or an identity management tool such as Microsoft Identity Manager or Oracle Identity Manager, must be used to provision user accounts into the Oracle Access Manager LDAP server (Oracle Unified Directory or Oracle Internet Directory). Oracle Directory Integration Platform, used as a bi-directional synchronization service, can then synchronize that account into the E-Business Suite database. The key attributes that SSO depends on (the identifiers that must agree between the directory and the E-Business Suite database) are covered later in this paper.
Understand the Components
The components in this hybrid architecture, as shown in the illustration above, are described in the following table.

| Component | Description |
| --- | --- |
| Oracle Cloud Infrastructure | Oracle E-Business Suite Database 12.2 or later |
Understand the Provisioning and Federation Flows
The preceding diagram illustrates the combined provisioning and federation flows defined for this architecture.
The provisioning flow (transactions 1-3 below) illustrates one example of how a user account is created in Azure AD, provisioned to the Oracle Access Manager LDAP server, and synchronized by Oracle Directory Integration Platform to the E-Business Suite database. The federation flow is illustrated in transactions 4-10. Additional federation flow details are described in Understand the Azure AD and E-Business Suite Federation Flow.
1. An initial user account that includes the user principal name (UPN) is provisioned from Azure AD to the Oracle Access Manager LDAP server (Oracle Unified Directory or Oracle Internet Directory). This provisioning is not the responsibility of Oracle Directory Integration Platform; it is done by a provisioning mechanism outside the scope of this playbook.
2. Oracle Directory Integration Platform listens to the Oracle Unified Directory change log and picks up the new user account for provisioning to the E-Business Suite database.
3. Oracle Directory Integration Platform provisions the user account to the E-Business Suite database, mapping uid to USER_NAME and orclguid to USER_GUID.
4. The user requests E-Business Suite access, and WebGate checks for the OAMAuthCookie token.
5. WebGate finds that the user has no OAMAuthCookie token, so it asks Oracle Access Manager how to proceed.
6. Oracle Access Manager tells WebGate to redirect the user to Azure AD for federated authentication, and Azure AD prompts the user to log in.
7. Azure AD validates the user's credentials and sends a SAML 2.0 assertion to Oracle Access Manager, using the mail attribute as the user mapping.
8. Oracle Access Manager accepts the SAML 2.0 assertion and looks up the matching user in Oracle Unified Directory by UPN (the value Azure AD asserts must therefore equal the UPN stored on the directory entry). In the authorization policy response, it returns USER_NAME (uid) and USER_ORCLGUID (orclguid) from Oracle Unified Directory in the headers defined in the policy.
9. WebGate redirects the user to E-Business Suite and sends USER_NAME and USER_ORCLGUID as headers to AccessGate.
10. AccessGate looks up USER_NAME and USER_ORCLGUID in the E-Business Suite database to verify that the user exists. On success, it sets its own session and returns the E-Business Suite portal page to the user.
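The following Python model walks through the attribute hand-offs in transactions 1-10 so that the identifier mappings (uid to USER_NAME, orclguid to USER_GUID/USER_ORCLGUID, mail to the directory entry) can be checked end to end. It is an added example and not code from this playbook, Oracle, or Microsoft: the directory entries, FND_USER rows, SP entity ID, and the SAML assertion are all constructed, and it matches on the mail attribute rather than a separate UPN field for simplicity. XML signature verification, which a real service provider performs against the IdP certificate from the Azure AD federation metadata, is deliberately left out and marked where it belongs.

```python
"""Toy model of the provisioning and federation hand-offs in transactions 1-10.

Added example, not code from the playbook, Oracle or Microsoft.  The directory
entries, FND_USER rows, attribute names, SP entity ID and the SAML assertion
are constructed.  XML signature verification, which a real SP (Oracle Access
Manager) performs against the IdP certificate from the Azure AD federation
metadata, is omitted and marked where it would go.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://oam.example.com/oam/fed"  # assumed SP entity ID

# Transaction 1: accounts already provisioned from Azure AD into the OAM LDAP
# store (constructed Oracle Unified Directory entries).
OUD_ENTRIES = [
    {"uid": "jdoe", "mail": "jdoe@example.com",
     "orclguid": "A1B2C3D4E5F60708090A0B0C0D0E0F10"},
    {"uid": "asmith", "mail": "asmith@example.com",
     "orclguid": "1122334455667788990011223344556677"},
]


def _iso(ts):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def dip_provision(entries):
    """Transactions 2-3: the rows DIP writes to the E-Business Suite database.

    uid -> USER_NAME and orclguid -> USER_GUID, keyed by USER_NAME the way
    AccessGate will later look the row up.
    """
    return {e["uid"]: {"USER_NAME": e["uid"], "USER_GUID": e["orclguid"]}
            for e in entries}


def parse_assertion(xml_text, now):
    """Transaction 7: validate the assertion's conditions and return the subject.

    A real SP verifies the XML signature before anything else; this toy only
    checks the validity window and the audience, then reads the mail attribute.
    Returns the mail value, or None if the assertion must be rejected.
    """
    root = ET.fromstring(xml_text)
    # Signature check would go here (ds:Signature over the Assertion element).
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return None
    if not (_iso(cond.get("NotBefore")) <= now < _iso(cond.get("NotOnOrAfter"))):
        return None
    audiences = [a.text for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if SP_ENTITY_ID not in audiences:
        return None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "mail":
            value = attr.find("saml:AttributeValue", SAML_NS)
            return value.text.strip() if value is not None and value.text else None
    return None


def oam_map_user(mail, entries):
    """Transaction 8: map the asserted mail to exactly one directory entry.

    Returns the headers the authorization policy response would set, or None.
    Zero or several matches are a failure; the first match is never picked.
    """
    matches = [e for e in entries if e["mail"].lower() == mail.lower()]
    if len(matches) != 1:
        return None
    return {"USER_NAME": matches[0]["uid"], "USER_ORCLGUID": matches[0]["orclguid"]}


def accessgate_authorize(headers, fnd_user):
    """Transactions 9-10: AccessGate checks the headers against FND_USER.

    Both the name and the GUID must match, so a re-created directory entry
    with a stale FND_USER row is not let in.
    """
    if not headers:
        return False
    row = fnd_user.get(headers["USER_NAME"])
    return row is not None and row["USER_GUID"] == headers["USER_ORCLGUID"]


# Constructed, unsigned assertion standing in for what Azure AD would send.
ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def run_flow(assertion_xml=ASSERTION, now="2024-01-01T12:00:00Z", entries=OUD_ENTRIES):
    """End to end: DIP provisioning, then the federation hand-off to AccessGate.

    Returns (authorized, headers) so each failure mode can be inspected.
    """
    fnd_user = dip_provision(entries)
    mail = parse_assertion(assertion_xml, _iso(now))
    headers = oam_map_user(mail, entries) if mail else None
    return accessgate_authorize(headers, fnd_user), headers


if __name__ == "__main__":
    print(run_flow())          # (True, {'USER_NAME': 'jdoe', 'USER_ORCLGUID': ...})
    print(run_flow(entries=[]))  # (False, None): user never provisioned to OUD
```

The two negative cases worth keeping in mind when troubleshooting are visible in the model: an account that exists in Azure AD but was never provisioned into the Oracle Access Manager directory yields no headers at all (the failure surfaces at Oracle Access Manager, not at AccessGate), while an account whose orclguid changed after the FND_USER row was written is rejected by AccessGate even though USER_NAME matches.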
About Required Services and Roles
This solution requires the combination of specific services and roles within those services.
- Oracle Cloud Infrastructure
- Oracle Access Manager
- A fully functional Oracle E-Business Suite instance deployed to Azure
- Microsoft Azure AD
| Service Name: Role | Required to... |
| --- | --- |
| Oracle Cloud Infrastructure: Administrator | Create and manage identity resources |
| Oracle Access Manager: Administrator | Configure and maintain user settings on-premises |
| E-Business Suite: Administrative roles, including database administrator and LDAP administrator | Configure E-Business Suite and change security settings |
| Azure AD: Azure AD contributor or more privileged account | Obtain an Azure subscription |
| Azure AD: Azure application administrator or global administrator | Handle configuration and setup on the Azure side |