Learn About Enabling SSO for Oracle E-Business Suite with OCI IAM Using the E-Business Suite Asserter

Note:

Use this document if your Oracle Cloud Infrastructure (OCI) region has been updated to use Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) identity domains. If your OCI region is using Oracle Identity Cloud Service, see "Simplify authentication for Oracle E-Business Suite with the E-Business Suite Asserter".

If you have an Oracle E-Business Suite instance, you can seamlessly authenticate with other applications that use OCI IAM as their authentication mechanism using the OCI IAM E-Business Suite Asserter component. This integration allows your Oracle E-Business Suite to participate in the single sign-on (SSO) provided by OCI IAM.

To enhance security for the sign-in process, you can set up sign-in and identity provider policies, and configure multi-factor authentication. You can also enable adaptive security to provide strong authentication capabilities and risk analysis for your users across applications and Oracle E-Business Suite in OCI IAM.

Before You Begin

Before you begin using E-Business Suite Asserter, understand how to enable it, and how it works with other components.

  • If your Oracle E-Business Suite is integrated with Oracle Access Manager, Oracle Internet Directory, E-Business Suite AccessGate, or uses any other SSO profile, then remove the integration between these components and Oracle E-Business Suite, and then restart the servers before using the OCI IAM E-Business Suite Asserter.
  • Know what’s supported. All Oracle E-Business Suite modules that use browser-based login work with the E-Business Suite Asserter for SSO. Excel-based login of Web ADI and the mobile app for EBS are also supported. Modules that do not use browser-based login, such as Mobile Web Applications (MWA) and E-Signature, are not supported.

Architecture

The OCI IAM E-Business Suite Asserter is deployed to a separate Oracle WebLogic Server instance. The E-Business Suite Asserter interacts with OCI IAM through the OCI IAM REST API and redirects the user's web browser to OCI IAM and to Oracle E-Business Suite.

This architectural diagram shows how the E-Business Suite Asserter, Oracle E-Business Suite, and OCI IAM interact.

[Illustration: architecture.png]

The following diagrams show the login and logout flows when using the E-Business Suite Asserter to integrate Oracle E-Business Suite with OCI IAM. These flow diagrams show the login and logout processes starting with Oracle E-Business Suite, but the E-Business Suite Asserter approach also supports flows initiated by the E-Business Suite Asserter and by OCI IAM.

[Illustration: login-flow-chart.png]

  1. The user requests access to an Oracle E-Business Suite protected resource.
  2. Oracle E-Business Suite redirects the user browser to the E-Business Suite Asserter application.
  3. The E-Business Suite Asserter uses an OCI IAM SDK to generate the authorization URL and then redirects the browser to OCI IAM.
  4. OCI IAM presents its sign-in page to the user.
  5. The user submits credentials to OCI IAM.
  6. OCI IAM issues an authorization code and redirects the user's browser to the E-Business Suite Asserter.
  7. The E-Business Suite Asserter uses an OCI IAM SDK to communicate with OCI IAM to exchange the authorization code for an access token.
  8. OCI IAM issues an access token and an ID token to the E-Business Suite Asserter.
  9. The E-Business Suite Asserter creates an Oracle E-Business Suite cookie and redirects the user's browser to Oracle E-Business Suite.
  10. Oracle E-Business Suite presents the user requested protected resource.
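
The login steps above follow the OpenID Connect authorization-code pattern. The following added example (not Oracle's Asserter code and not the OCI IAM SDK) sketches the checks a relying party in the Asserter's position applies at steps 3, 6 and 8. All URLs, the client ID and the function names are placeholders chosen for illustration, and signature verification of the ID token is assumed to have happened before the claim checks.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumptions, not taken from the Oracle documentation).
AUTHORIZE_URL = "https://idp.example.invalid/authorize"
ISSUER = "https://idp.example.invalid"
CLIENT_ID = "asserter-client-id"
REDIRECT_URI = "https://asserter.example.invalid/callback"

def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

def begin_login(session):
    """Step 3: build the authorization URL, bound to this browser session."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "scope": "openid", "redirect_uri": REDIRECT_URI,
                       "state": session["state"], "nonce": session["nonce"]})
    return f"{AUTHORIZE_URL}?{query}"

def handle_callback(session, callback_url):
    """Step 6: accept the authorization code only if state matches."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("state", None)  # single use: a replay finds nothing
    if expected is None or not _same(expected, params.get("state", [""])[0]):
        raise PermissionError("state mismatch: callback not bound to session")
    if "code" not in params:
        raise PermissionError("no authorization code in callback")
    return params["code"][0]  # exchanged for tokens in step 7

def check_id_token_claims(session, claims, now=None):
    """Step 8: claim checks, run after the token signature has been verified."""
    now = time.time() if now is None else now
    nonce = session.pop("nonce", None)
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise PermissionError("unexpected issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise PermissionError("ID token expired")
    if nonce is None or not _same(nonce, str(claims.get("nonce", ""))):
        raise PermissionError("nonce mismatch: token not tied to this login")
    return claims["sub"]  # identity to map to an E-Business Suite user (step 9)
```

Only after all three functions succeed would the relying party create the application session described in step 9.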

The logout process described below refers to a user invoking logout from Oracle E-Business Suite. If the logout process is initiated in OCI IAM, then only steps 5 and 6 are executed.

[Illustration: logout-flow-chart.png]

  1. The user chooses to log out from Oracle E-Business Suite, requesting the /ebslogout URL.
  2. Oracle E-Business Suite logs the user out and then redirects the user's browser to the E-Business Suite Asserter application.
  3. The E-Business Suite Asserter uses an OCI IAM SDK to obtain the OCI IAM logout URL, and then redirects the user's browser to this URL.
  4. The user browser invokes the OCI IAM logout URL.
  5. OCI IAM removes the user session and then redirects the user's browser to the E-Business Suite Asserter logout URL, which is defined in the application configuration.
  6. The E-Business Suite Asserter logs the user out and redirects the user's browser to the Post Logout Redirect URL, which is defined in the application configuration.

About Required Services and Roles

An OCI IAM administrator must be able to access the OCI IAM console to download E-Business Suite Asserter and configure and activate applications.

You must have access to the following services and products:
  • OCI IAM
  • Oracle E-Business Suite

You must have the following roles:

| Role | Required to... |
|------|----------------|
| OCI IAM: Security administrator | Access the Downloads page of the OCI IAM console. From this page, you can download the OCI IAM E-Business Suite Asserter. |
| OCI IAM: Application administrator | Manage applications in OCI IAM, which includes registering the sample mobile app with OCI IAM. |
| Oracle E-Business Suite: Server administrator | Access the Oracle E-Business Suite installation folder, the Oracle WebLogic Server where you deploy the E-Business Suite Asserter, and the E-Business Suite Asserter machine as an operating system user. |

See Learn how to get Oracle Cloud services for Oracle solutions.