Wednesday, September 20, 2006

Using Third-Party Identity Managers with the E-Business Suite Release 11i

No More Redundant User Administration

With the certification of Oracle Application Server 10g and Single Sign-On 10g, it is now possible to integrate the E-Business Suite with existing third-party LDAP and single sign-on solutions, like this:

Simple Third-Party LDAP SSO Integration:

Third-party single sign-on solutions can be integrated with Oracle Single Sign-On 10g, and third-party LDAP directories can be integrated with Oracle Internet Directory 10g. From there, it's a short hop to the E-Business Suite.

Example Scenario: The Deluxe "Zero Sign-On" Approach

A user logs on to their PC using their Windows userid and password. Wanting to avoid real work, the user decides to file a long-overdue expense report for last year's company conference. He starts Firefox, opens Favourites, and selects a bookmarked link for the E-Business Suite's Self-Service Expenses.

Self-Service Expenses starts up, and the user begins the process of assembling rationalizations to justify that $450 dinner with their favourite Macerich blogger.

(This is a fictional example, of course; nobody takes bloggers out to dinner)

We sometimes call this "zero sign-on" because the user never actually logged on to any Oracle systems at all; their Windows Kerberos ticket gave them an all-access pass to the E-Business Suite automatically.

Magic? What Really Happened?

Brace yourself: some of the following material might require a couple of passes to sink in.

The scenario above illustrates the following integrations:
  • Microsoft Active Directory with Oracle Internet Directory 10g
  • Microsoft Kerberos Authentication with Oracle Single Sign-On 10g
  • Oracle Application Server 10g with the E-Business Suite

MS AD + Kerberos Integration:

The user logged on to their PC, which authenticated them against Microsoft Active Directory. As part of that logon process, Microsoft Kerberos Authentication issued a valid Kerberos ticket to the user.

When the user attempted to access Self-Service Expenses via his bookmarked link, he was redirected to Oracle Single Sign-On 10g. Oracle Single Sign-On 10g recognized the Microsoft Kerberos ticket, issued its own Oracle security tokens to the user, and redirected the user back to the E-Business Suite.

The E-Business Suite recognized the Oracle Single Sign-On 10g security tokens and looked up the user's assigned Applications Responsibilities to ensure that he was authorized to access Self-Service Expenses. That done, it issued its own E-Business Suite security tokens and then passed the user through to Self-Service Expenses without requiring any additional logons.

Integration with Microsoft Active Directory Only

Not everyone uses Microsoft Kerberos Authentication. A simpler integration option omits Kerberos and includes only Microsoft Active Directory and Oracle Internet Directory, like this:

MS AD Only - No Kerberos:

In this simpler architecture, when the user attempts to access Self-Service Expenses via his bookmarked link, he's redirected to OracleAS Single Sign-On 10g. Single Sign-On displays a login screen and collects the user's ID and password.

Single Sign-On passes the user's supplied ID and password to Oracle Internet Directory for validation. Oracle Internet Directory uses the Windows NT External Authentication plug-in (sometimes also called the Windows Native Authentication plug-in) to delegate user authentication to Microsoft Active Directory.

Microsoft Active Directory looks up the user's ID and password in its database, and informs Oracle Internet Directory that this is an authenticated user. Oracle Internet Directory informs Single Sign-On that the user was successfully authenticated.

Single Sign-On issues the user a set of security tokens and redirects the user to the E-Business Suite. The E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities to ensure that he's authorized to access Self-Service Expenses. That done, it issues its own E-Business Suite security tokens and then passes the user through to Self-Service Expenses.

"Out-of-the-box" Third-Party LDAP Integration with Oracle Internet Directory

Due to the popularity of Microsoft Active Directory, Oracle Internet Directory provides a prebuilt connector out of the box, ready to use.

Synchronization of User Credentials with Third-Party LDAP Directories

If you've been paying close attention so far, you have likely gathered that user credentials need to be synchronized between the third-party LDAP, Oracle Internet Directory, and the E-Business Suite. The synchronization architecture looks like this:

Third-Party LDAP User Sync:

In this configuration, only the user name needs to be synchronized; the user's password is stored in the third-party LDAP directory. None of the Oracle products need to store the user's password, since they delegate user authentication to the third-party LDAP solution.

The key concept here is that user authentication is still separated from user authorization even when a third-party LDAP is in place. So, the E-Business Suite still grants authenticated users access to E-Business Suite protected content based on the users' Applications Responsibilities, which are managed in the E-Business Suite exclusively.
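As an added illustration (not code from the original post or from Oracle), here is a small Python model of the "MS AD only" flow and of the sync/authorization split described above: only the third-party directory stores passwords, Oracle Internet Directory holds synced usernames and delegates the password check, Single Sign-On issues a signed token, and the E-Business Suite verifies that token and then authorizes from its own Responsibilities. The class names, the HMAC token format and the shared key are assumptions for illustration, not Oracle's actual token formats or APIs.

```python
import hashlib, hmac, os

class ThirdPartyDirectory:  # stands in for Active Directory: the only store holding passwords
    def __init__(self):
        self._users = {}  # userid -> (salt, PBKDF2 digest); constructed sample data
    def add_user(self, userid, password):
        salt = os.urandom(16)
        self._users[userid] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    def usernames(self):
        return list(self._users)  # what the sync job exports: names only, never secrets
    def authenticate(self, userid, password):
        if userid not in self._users:
            return False
        salt, digest = self._users[userid]
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

class OracleInternetDirectory:  # holds synced usernames; delegates the password check (external-auth plug-in)
    def __init__(self, external):
        self.external, self.users = external, set()
    def sync(self):
        self.users = set(self.external.usernames())
    def validate(self, userid, password):
        return userid in self.users and self.external.authenticate(userid, password)

class SingleSignOn:  # collects the login, asks OID, issues a signed token on success
    def __init__(self, oid, key):
        self.oid, self.key = oid, key
    def login(self, userid, password):
        if not self.oid.validate(userid, password):
            return None
        return userid + "." + hmac.new(self.key, userid.encode(), "sha256").hexdigest()

class EBusinessSuite:  # trusts SSO for authentication; authorizes from its own Responsibilities
    def __init__(self, key, responsibilities):
        self.key, self.resp = key, responsibilities  # userid -> set of responsibilities
    def access(self, token, responsibility):
        userid, _, sig = token.partition(".")
        expected = hmac.new(self.key, userid.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "invalid token"
        return "granted" if responsibility in self.resp.get(userid, set()) else "denied"

def build():  # wire the chain with constructed sample users and an assumed shared SSO/EBS key
    ad = ThirdPartyDirectory()
    ad.add_user("jdoe", "hunter2"); ad.add_user("asmith", "letmein")  # constructed sample users
    oid = OracleInternetDirectory(ad); oid.sync()
    key = b"shared-partner-key-sample"  # placeholder; stands in for the real SSO/EBS partner trust
    return oid, SingleSignOn(oid, key), EBusinessSuite(key, {"jdoe": {"Self-Service Expenses"}})
```

Note that a user created in the third-party directory after the last sync is refused by Single Sign-On until the username is synchronized, and a user who authenticates but holds no matching Responsibility is still denied by the E-Business Suite.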

Bringing It All Together

Assuming I haven't lost you so far, the following diagram shouldn't be too overwhelming:

Combined 3rd Party LDAP SSO:

This combines all of the concepts we've covered:
  • Third-party LDAP integration with Oracle Internet Directory
  • Third-party SSO integration with Oracle Single Sign-On
  • Synchronization of user credentials via the Oracle Internet Directory's Oracle Directory & Provisioning Platform to the E-Business Suite

Relax, It's Easy and Fun

Well, maybe not... but at least it's technically feasible. A number of E-Business Suite customers are already running this configuration in production.

There are many more options for integration with the E-Business Suite, including options for linking OID userids to different E-Business Suite userids, and so on. More information can be found in this document: