Prepare to Set Up SSO Between Azure AD and Oracle Access Manager for Oracle E-Business Suite

There are certain assumptions and details about key items you need to consider before attempting the integration described in this solution.

Along with the prerequisites and assumptions discussed here, you also need to provision user attributes, including three that are critical for this integration: the user principal name (UPN), USER_NAME, and USER_ORCLGUID. This article describes these attributes and how they are used.

Understand the Prerequisites and Assumptions

Key prerequisites required and assumptions you can make are:

  • All the components outlined in the Architecture section have been deployed and are working.
  • Oracle E-Business Suite and Oracle Access Manager have been integrated. If they have not, follow the correct document referenced from the master list in My Oracle Support: Using the Latest Oracle E-Business Suite AccessGate for Single Sign-On Integration with Oracle Access Manager (Doc ID 2202932.1).
  • A user account has been provisioned from Azure AD to the Oracle Access Manager LDAP server (see the following section). Provisioning implementation is out of the scope of this document because there can be more than one way to implement it.
  • A user has been provisioned from the Oracle Access Manager LDAP server to the E-Business Suite database using Oracle Directory Integration Platform. This process is documented in one of the Oracle E-Business Suite SSO with Oracle Access Manager integration guides. See also the following section.
  • Any high availability (HA) required for the Oracle E-Business Suite and Oracle Access Manager components has already been implemented. HA is achievable for both, but it is out of the scope of this document.

Provision Attributes for Oracle Access Manager and E-Business Suite Integration

Proper assignment of the unique user keys required to integrate Oracle Access Manager and E-Business Suite is critical to successfully implementing this solution.

As part of the E-Business Suite and Oracle Access Manager integration, USERNAME and ORCLGUID are the critical unique user keys shared between the Oracle Access Manager LDAP server and the E-Business Suite database. The Oracle Access Manager LDAP server, whether Oracle Unified Directory or Oracle Internet Directory, typically stores the username in the LDAP attribute uid. In addition, when a user entry is created, the directory automatically generates the operational attribute orclguid, which stores a unique 32-character value. On the E-Business Suite side, the username is stored in USER_NAME and the orclguid value in USER_GUID. Both attributes must be unique.

In the authentication flow, the WebGate passes three headers, USER_NAME, USER_ORCLGUID, and OAM_LOCALE. The two most critical to authentication with E-Business Suite are USER_NAME and USER_ORCLGUID, which are retrieved from the Oracle Access Manager LDAP server. The attribute values must match between the Oracle Access Manager LDAP server and the E-Business Suite database user schema.

When provisioning from Azure AD, you can use samAccountName as the uid in the Oracle Access Manager LDAP server. Because the Oracle Access Manager and E-Business Suite integration enables a uniqueness plugin that enforces a unique uid, the samAccountName values you provision must also be unique. The uid attribute plays no part in the federated authentication itself, but its value must be unique across the Oracle Access Manager LDAP server and the E-Business Suite database.

Provision Attributes for Azure AD and Oracle Access Manager Integration

Proper assignment of the unique user keys required to integrate Azure AD and Oracle Access Manager is critical to successfully implementing this solution.

Following Azure AD best practices, the user principal name (UPN) is used as the federated user mapping attribute value. The UPN provides a unique value that is reliable for signing on to the user account and matching in Oracle Access Manager and E-Business Suite. As such, it’s the best choice for federation between Azure AD and Oracle Access Manager.

The following table lists the minimum set of attributes that we recommend provisioning from Azure AD to the Oracle Access Manager LDAP server.

Azure Attribute      LDAP Attribute   Example
userPrincipalName    mail             test.user1@mydomain.com
samAccountName       uid              test.user1@mydomain.com
displayName          cn               User1
givenName            givenName        Test
sn                   sn               User1
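The following added example is not Oracle's code and is not part of the solution playbook; it illustrates the attribute handling described in the two preceding sections and the table above. It parses a constructed LDIF entry as it would look after provisioning from Azure AD with that mapping, derives the USER_NAME and USER_ORCLGUID headers the WebGate passes to the E-Business Suite AccessGate, checks them against a constructed FND_USER record, and mimics the uid uniqueness check. The LDIF entry, the orclguid value, the FND_USER values and the case-insensitive USER_NAME comparison are all assumptions made for the example.

```python
"""
Added example (not Oracle's code): reconcile the user keys the WebGate passes to
the E-Business Suite AccessGate (USER_NAME, USER_ORCLGUID) against the
E-Business Suite user record, and mimic the uid uniqueness check.
All sample data below is constructed for illustration.
"""
from collections import Counter

# Constructed LDIF for a user provisioned from Azure AD with the table's mapping
# (userPrincipalName -> mail, samAccountName -> uid, displayName -> cn, givenName, sn).
# orclguid is the operational attribute the directory generates itself; the
# value here is made up.
SAMPLE_LDIF = """\
dn: uid=test.user1@mydomain.com,ou=People,dc=mydomain,dc=com
objectClass: inetOrgPerson
uid: test.user1@mydomain.com
mail: test.user1@mydomain.com
cn: User1
givenName: Test
sn: User1
orclguid: 3E2A1C7B9F4D4E0A8C6B2D1F5A7E9B3C
"""

# Constructed E-Business Suite user record (FND_USER columns USER_NAME and
# USER_GUID) as Oracle Directory Integration Platform would have provisioned
# it from the LDAP entry above. Values are made up.
SAMPLE_FND_USER = {
    "USER_NAME": "TEST.USER1@MYDOMAIN.COM",
    "USER_GUID": "3E2A1C7B9F4D4E0A8C6B2D1F5A7E9B3C",
}


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def webgate_headers(entry, locale="en"):
    """Build the three headers the WebGate passes to the EBS AccessGate,
    sourced from the LDAP entry (uid -> USER_NAME, orclguid -> USER_ORCLGUID)."""
    return {
        "USER_NAME": entry["uid"][0],
        "USER_ORCLGUID": entry["orclguid"][0],
        "OAM_LOCALE": locale,
    }


def reconcile(headers, fnd_user):
    """Return the list of mismatches between the headers and the EBS record.
    An empty list means the keys line up. The USER_NAME comparison is
    case-insensitive (assumption: EBS stores USER_NAME in upper case)."""
    problems = []
    if headers["USER_NAME"].upper() != fnd_user["USER_NAME"].upper():
        problems.append(
            f"USER_NAME {headers['USER_NAME']!r} != FND_USER.USER_NAME "
            f"{fnd_user['USER_NAME']!r}"
        )
    if len(headers["USER_ORCLGUID"]) != 32:
        problems.append("USER_ORCLGUID is not a 32-character GUID")
    if headers["USER_ORCLGUID"].upper() != fnd_user["USER_GUID"].upper():
        problems.append("USER_ORCLGUID does not match FND_USER.USER_GUID")
    return problems


def duplicate_uids(entries):
    """Mimic the uniqueness plugin: return uid values shared by more than one
    entry. Azure AD samAccountName values that collide after mapping to uid
    show up here before the directory rejects them."""
    counts = Counter(e["uid"][0].lower() for e in entries if "uid" in e)
    return sorted(uid for uid, n in counts.items() if n > 1)


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    headers = webgate_headers(entry)
    print("headers passed by WebGate:", headers)
    print("problems:", reconcile(headers, SAMPLE_FND_USER) or "none")
```

In practice you would feed `reconcile` with entries pulled from the Oracle Access Manager LDAP server and rows from FND_USER, and run it over the whole provisioned population before enabling SSO: a user whose USER_NAME or USER_ORCLGUID does not match cannot be asserted into E-Business Suite even though Azure AD authentication succeeds.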