Integrate Single Sign-on for Oracle EBS using OCI IAM EBS Asserter
Introduction
Configuring Single Sign-On for your Oracle E-Business Suite environment has real operational and security benefits. Almost every organization already runs several identity stores or providers, with Oracle E-Business Suite being one of them. Integrating Single Sign-On all but eliminates the need to manage local users and credentials in Oracle E-Business Suite and moves that burden onto a platform designed for Identity and Access Management such as OCI IAM. You can take this further by federating OCI IAM with Active Directory or Azure AD / Microsoft Entra as the identity provider, so users are managed in one source and end users need to know only one credential.
Prerequisites
- Oracle Apps Premium Identity Domain
- WebLogic 12c Domain using JDK 8
- Latest version of EBS Asserter Downloaded
- Host names for the Asserter WebLogic server and the EBS server must be in the same DNS domain, because the EBS session cookie is scoped to that domain (see the ICX_SESSION_COOKIE_DOMAIN profile option below)
- Server clock and date synchronized between the Asserter WebLogic server and the EBS server (token and session timestamps are compared across the two)
- Asserter WebLogic server configured with SSL
- Access to EBS Environment
Create service account on Oracle E-Business Suite
- Log into Oracle E-Business Suite as an administrator such as sysadmin
- Expand User Management and click Users
- Select User Account from the Register drop-down menu and click Go
- In the Create User Account page, provide the following details
- Username: the name of the service account (referred to below as <ebs-service-account>)
- Password: use a temporary password, as it will be reset on first login
- Description: EBS Asserter Service Account
- Password Expire: none
- After creating the user, click Assign Roles, and then click Assign Roles again in the Update User page
- Type UMX|APPS_SCHEMA_CONNECT into the Code field and search
- In the Update User page, provide a justification such as EBS Asserter Service Account and click Save
- After the user is created, log off Oracle E-Business Suite, log in with the new service account, and reset the password when prompted
- Follow security best practice here: use at least 16 characters mixing upper case, lower case, digits and symbols, and keep the password in a secrets manager, since it will be entered into the WebLogic data source later
Create Oracle E-Business Suite Admin in OCI IAM
Register E-Business Suite Asserter with Oracle E-Business Suite
- Connect to the machine where EBS is deployed
- Make note of the environment variable values of $JAVA_HOME and $WL_HOME
- Create a working directory
cd /u01
mkdir /u01/ebssdk
cd ebssdk
- Extract the EBS Asserter zip file
- Copy the fndext<version>.jar to $DOMAIN_HOME/lib of the E-Business Suite Asserter WebLogic domain
- Source your Oracle E-Business Suite environment file
source EBSapps.env
- Locate the .dbc file in $FND_SECURE/EBSDB.dbc - Make note of the full path of the .dbc file along with the name itself
- Run the following. apps/apps is the APPS schema username and password, so substitute the real password. Because it is passed on the command line it shows up in the shell history and in process listings while the command runs; run it from an interactive session on the EBS node and remove the history entry afterwards
java oracle.apps.fnd.security.AdminDesktop apps/apps CREATE NODE_NAME=ebsasserter.example.com DBC=$FND_SECURE/EBSDB.dbc
- Print the contents of the new .dbc file the command created next to the original. It is named after the database and the node, EBSDB_ebsasserter.example.com.dbc in this example
cat $FND_SECURE/EBSDB_ebsasserter.example.com.dbc
- Make note of the APPL_SERVER_ID value; it goes into app.serverid in bridge.properties
- Copy the .dbc file over from the EBS node to the EBS Asserter node
Register the E-Business Suite Asserter with OCI IAM
- Log into the OCI Console and Navigate to Identity & Security and select the working Domain with the proper subscription
- Click Integrated Applications and select Add Application
- Select Confidential Application
- Provide the following details
- Name: EBS Asserter
- Description: E-Business Suite Asserter Application
- Application URL: https://ebsasserter.example.com/ebs
- Display in My Apps: Check
- In the Configure OAuth window, in the Client Configuration area, select Configure this application as a client now and then enter the following details
- Allowed Grant Types: Client Credentials and Authorization Code
- Redirect URL: https://ebsasserter.example.com/ebs/response
- Logout URL: https://ebsasserter.example.com/ebs/logout
- Post Logout Redirect URL: https://ebsapps.example.com:8001/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
- Scroll down and select Add App Role and choose Authenticator Client and Me and click Add
- Click Next till you reach the last window and click Finish
- Note down the Client ID and Client Secret values after the Application is created
- Click Activate and Activate the application
Create OCI Application Wallet for EBS Asserter
- Connect to the EBS Asserter server and navigate to /u01/ebssdk directory
- Navigate to the directory where idcs-wallet-version.jar is located
- Run the following command and provide the needed details when prompted
java -jar idcs-wallet-version.jar
- Enter Client ID: Enter the Client ID which was provided when you created the Confidential Application in OCI
- Enter Client Secret: Enter the Client Secret which was provided when you created the Confidential Application in OCI
- Enter IDCS base URL: Enter the Oracle Identity Cloud Service base URL. For example: https://tenantid.identity.oraclecloud.com
- The command creates a wallet file named cwallet.sso in the provided path
- Make note of the path of cwallet.sso
Configure E-Business Suite Asserter Properties File
The EBS Asserter application is fairly configurable through a properties file. Unfortunately, Oracle does not document all of the properties or their working values well; hopefully an exhaustive list will be published at some point.
- Connect to the EBS Asserter server and navigate to /u01/ebssdk
- Unzip the ebs.war file
- Navigate to /.../build/libs/WEB-INF
- Modify the bridge.properties with the following details
###########################################################
## SSO Bridge for E-Business Suite
###########################################################
# Properties File
app.url=https://ebsasserter.example.com/ebs
app.serverid=APPL_SERVER_ID_value
ebs.url.homepage=https://ebs.example.com:8001/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
ebs.ds.name=ebsDB
ebs.user.identifier=username
idcs.user.identifier=email/username
idcs.iss.url=https://identity.oraclecloud.com
idcs.aud.url=https://idcs-example.identity.oraclecloud.com
#post.logout.url=https://ebs.example.com:8001/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
wallet.path=[FULL_PATH_OF_THE_WALLET_FILE]
whitelist.urls=https://ebs.example.com:8001/OA_HTML/RF.jsp,https://ebs.example.com:8001/OA_HTML/OA.jsp,https://ebs.example.com:8001/OA_HTML/BneApplicationService,https://ebs.example.com:8001/OA_HTML/jsp/fnd/close.jsp
ebs.renew.session=true
#proxy.mode=true
#proxy.home.url=https://ebs.example.com:8001/OA_HTML/RF.jsp?function_id=1031198&resp_id=-1&resp_appl_id=0&security_group_id=0&lang_code=US
#istore.pages=ibeCZzdMinisites.jsp,ibeCAcpSSOLoginR.jsp
###########################################################
- Make sure the matching attributes carry the same values on both sides: idcs.user.identifier names the OCI IAM attribute and ebs.user.identifier names the FND attribute, and this is how OCI IAM and EBS FND 'link' the user at login. Set idcs.user.identifier to a single attribute, either email or username, not the literal email/username shown above. The values must not only match but be unique: if two FND users share the same email address the asserter cannot tell which FND user to use, and SSO fails. Keep whitelist.urls limited to the EBS pages the asserter should be allowed to redirect a user to after authentication (deep links such as RF.jsp); a short list is what stops the asserter from being used to bounce users to arbitrary URLs.
- After completing the modifications to bridge.properties, rebuild the ebs.war file for deployment. Run the jar tool from $JAVA_HOME/bin in the exploded directory that contains META-INF and WEB-INF
jar -cvf /path/to/war/file/ebs.war META-INF/ WEB-INF/
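The checks in the bullet above are easy to get wrong by hand, so here is an added example (written for this walkthrough, not part of Oracle's EBS Asserter) that lints a bridge.properties before the WAR is rebuilt. It parses the file, confirms that app.url and ebs.url.homepage are https and share a parent domain (so a DOMAIN-scoped session cookie reaches both hosts), that idcs.user.identifier is exactly email or username, that placeholders such as the APPL_SERVER_ID and wallet path have been replaced, and that every whitelist.urls entry is an absolute https URL on the EBS host. The sample text is constructed from the properties shown on this page with two deliberate mistakes left in; the two-label parent-domain rule and the "EBS host" rule for whitelist entries are assumptions of this script, not the asserter's own validation.

```python
"""Lint an EBS Asserter bridge.properties before rebuilding ebs.war.

Added example for this walkthrough; not Oracle code. The rules below are
the constraints stated in the text, plus two assumptions flagged inline.
"""
from urllib.parse import urlparse

# Constructed sample: the page's properties with two deliberate mistakes
# (the "email/username" placeholder left in, an http:// whitelist entry)
# and the app.serverid / wallet.path placeholders not yet replaced.
SAMPLE = """\
app.url=https://ebsasserter.example.com/ebs
app.serverid=APPL_SERVER_ID_value
ebs.url.homepage=https://ebs.example.com:8001/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
ebs.ds.name=ebsDB
ebs.user.identifier=username
idcs.user.identifier=email/username
idcs.iss.url=https://identity.oraclecloud.com
idcs.aud.url=https://idcs-example.identity.oraclecloud.com
wallet.path=[FULL_PATH_OF_THE_WALLET_FILE]
whitelist.urls=https://ebs.example.com:8001/OA_HTML/RF.jsp,http://ebs.example.com:8001/OA_HTML/OA.jsp
ebs.renew.session=true
"""


def parse_properties(text):
    """Minimal key=value parser; '#' lines and blanks are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parent_domain(host, labels=2):
    """Assumption: the cookie domain is the last two DNS labels."""
    parts = host.lower().split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else host.lower()


def lint(props):
    """Return a list of human-readable problems; empty means clean."""
    problems = []
    app = urlparse(props.get("app.url", ""))
    home = urlparse(props.get("ebs.url.homepage", ""))
    if app.scheme != "https" or home.scheme != "https":
        problems.append("app.url and ebs.url.homepage must both be https")
    if app.hostname and home.hostname and \
            parent_domain(app.hostname) != parent_domain(home.hostname):
        problems.append("asserter and EBS hosts are not in the same domain; "
                        "a DOMAIN-scoped ICX session cookie will not be shared")
    ident = props.get("idcs.user.identifier", "")
    if ident not in ("email", "username"):
        problems.append(f"idcs.user.identifier must be 'email' or 'username', got {ident!r}")
    for key in ("app.serverid", "wallet.path"):
        value = props.get(key, "")
        if not value or "_value" in value or value.startswith("["):
            problems.append(f"{key} still holds a placeholder: {value!r}")
    for url in filter(None, props.get("whitelist.urls", "").split(",")):
        entry = urlparse(url.strip())
        if entry.scheme != "https" or not entry.hostname:
            problems.append(f"whitelist entry is not an absolute https URL: {url}")
        elif home.hostname and entry.hostname != home.hostname:
            # Assumption: redirect targets should live on the EBS web host.
            problems.append(f"whitelist entry is not on the EBS host: {url}")
    return problems


if __name__ == "__main__":
    for problem in lint(parse_properties(SAMPLE)):
        print("PROBLEM:", problem)
```

Run it against the real file by replacing SAMPLE with open("bridge.properties").read(); an empty result is the signal to rebuild the WAR.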
Deploy E-Business Suite Asserter
Configure JDBC Data Source
- Log into the WebLogic Server Console as an admin
- Navigate to Data Sources
- Unlock the Domain for changes
- Click New to create a new Data Source and select Generic Data Source
- Specify the following details - Keep in mind the Name needs to be the same as the value of the ebs.ds.name used in the bridge.properties
- Name: ebsDB
- Database Type: Oracle
- Select a database driver: Oracle's Driver (Thin) for RAC Service-Instance connections; Versions:Any
- For a non-XA data source, uncheck Supports Global Transactions
- For an XA data source, leave Support Global Transactions checked
- In the Connection Properties section, specify the following details
- Service Name: ebspdb
- Database Name: dbs
- Host Name: ebsapps.example.com
- Port: 1521
- Database Username: Enter the service account username you created at the beginning
- Password: Enter the service accounts password
- Select one of the following for Driver Class Name:
- oracle.apps.fnd.ext.jdbc.datasource.AppsDataSource if you are using a non-XA Data Source
- oracle.apps.fnd.ext.jdbc.datasource.AppsXADataSource if you are using an XA Data Source
- Note: you can instead use oracle.jdbc.OracleDriver, but then WebLogic connects with plain database credentials, so the Database Username above would have to be a database account with the privileges the asserter needs (in practice the APPS schema). The AppsDataSource drivers let an ordinary FND user holding the UMX|APPS_SCHEMA_CONNECT role obtain the APPS connection through the .dbc file, which keeps the schema password out of the WebLogic configuration
- In the Properties box, keep the current user line, add a new line, and enter the path to the .dbc file that AdminDesktop created (the copy you placed on the asserter node)
user=<ebs-service-account>
dbcFile=/u01/ebssdk/EBSDB_ebsasserter.example.com.dbc
- Note: this box is case sensitive (dbcFile, not dbcfile)
- Click and verify with Test Connection
- Select your EBS Asserter WebLogic Managed nodes as Targets
- Click Finish
- Activate Changes
Set Hostname Verification for Asserter Managed Node
- Log into WebLogic Admin Console as admin
- Click Lock & Edit
- Navigate to EBS Asserter Managed Node
- Click SSL tab and expand Advanced
- Update Hostname Verification to None and click Save. Note that this disables TLS host-name checking for outbound connections from this managed server, including the connection to OCI IAM. Before settling on None, try Custom Hostname Verifier with weblogic.security.utils.SSLWLSWildcardHostnameVerifier, which accepts the wildcard certificate presented by the identity domain (the usual reason the default verifier rejects it) while still checking the name; fall back to None only if the asserter still fails to connect
- Activate Changes
- Restart Managed Node
Deploy E-Business Suite Asserter WAR File
- Log into the WebLogic Admin console as an admin
- Navigate to Deployments
- Click Lock & Edit and then Install
- Enter the path of the E-Business Suite Asserter WAR file we built earlier
- Select the ebs.war file and click Next
- Select Install this deployment as an application and then click Next
- Select the target server and click Next
- Default values are fine
- Activate changes
Modify Oracle E-Business Suite Profile Options
Set the following profile options at site level. Once the profile options are modified, completely restart the Oracle E-Business Suite stack.
Profile Option | Value
---|---
APPS_AUTH_AGENT | The E-Business Suite Asserter URL, e.g. https://ebsasserter.example.com/ebs
APPS_SSO | SSWA w/SSO
ICX_SESSION_COOKIE_DOMAIN | DOMAIN
ICX_SESSION_COOKIE_DOMAIN=DOMAIN scopes the EBS session cookie to the parent domain rather than the individual host, which is why the Asserter and EBS hosts must be in the same domain. SSWA w/SSO allows both SSO and local login; switch to SSO only once every user has been verified through the asserter, otherwise a working local password remains a second way in.
Test Oracle E-Business Suite SSO
In order to validate the Single Sign-On integration between OCI IAM and EBS, you will need to make sure you have a user with either a matching username or email address in OCI IAM that matches an EBS FND record.
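Before asking users to test, it is worth finding the accounts that will fail in advance. The following is an added example for this walkthrough (not Oracle code) of that pre-flight check: it takes an export of OCI IAM users and the USER_NAME and EMAIL_ADDRESS columns of FND_USER, links them on the attribute named by idcs.user.identifier, and reports three outcomes, a single match, no match, and the ambiguous case where one value matches more than one FND user, which is exactly the condition the properties section warns will break SSO. Both lists are constructed sample data; the case-insensitive comparison is an assumption of this script, so treat a real-world match that differs only in case as something to confirm rather than rely on.

```python
"""Pre-flight check of the OCI IAM -> EBS FND_USER link for SSO.

Added example for this walkthrough; not Oracle code. Feed it the real
OCI IAM user export and the output of
  SELECT user_name, email_address FROM fnd_user
to find accounts that will fail at the asserter before anyone tries.
"""
from collections import defaultdict

# Constructed sample data (no real tenancy or instance).
OCI_USERS = [
    {"username": "jsmith", "email": "jsmith@example.com"},
    {"username": "adoe", "email": "adoe@example.com"},
    {"username": "bwong", "email": "b.wong@example.com"},   # no FND match
    {"username": "shared", "email": "shared@example.com"},  # two FND matches
]
FND_USERS = [
    {"user_name": "JSMITH", "email_address": "jsmith@example.com"},
    {"user_name": "ADOE", "email_address": "adoe@example.com"},
    {"user_name": "SHARED1", "email_address": "shared@example.com"},
    {"user_name": "SHARED2", "email_address": "shared@example.com"},
    {"user_name": "EBSASSERTER", "email_address": None},     # service account
]

# idcs.user.identifier value -> FND_USER column it is compared against.
FND_COLUMN = {"username": "user_name", "email": "email_address"}


def match_users(oci_users, fnd_users, idcs_identifier="email"):
    """Return (matched, unmatched, ambiguous) for the given identifier.

    matched / unmatched are lists of OCI usernames; ambiguous maps an OCI
    username to every FND USER_NAME that shares the identifier value.
    """
    column = FND_COLUMN[idcs_identifier]
    index = defaultdict(list)
    for row in fnd_users:
        value = row.get(column)
        if value:
            # Assumption: the comparison is case-insensitive. FND user names
            # are stored upper case, so this is the lenient reading.
            index[value.lower()].append(row["user_name"])
    matched, unmatched, ambiguous = [], [], {}
    for user in oci_users:
        key = (user.get(idcs_identifier) or "").lower()
        hits = index.get(key, [])
        if len(hits) == 1:
            matched.append(user["username"])
        elif not hits:
            unmatched.append(user["username"])
        else:
            ambiguous[user["username"]] = hits
    return matched, unmatched, ambiguous


if __name__ == "__main__":
    for ident in ("email", "username"):
        matched, unmatched, ambiguous = match_users(OCI_USERS, FND_USERS, ident)
        print(f"idcs.user.identifier={ident}")
        print("  matched:  ", matched)
        print("  unmatched:", unmatched)
        print("  ambiguous:", ambiguous)
```

Running both identifier choices side by side shows why the choice matters: with email the duplicated address makes one account ambiguous, while with username the same account simply has no FND counterpart. Either result needs fixing in EBS (or OCI IAM) before that user can sign in.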
At the time of writing there is an issue when the FND record has an expired password and the SSO profile options are set to allow BOTH SSO and local login: the user sees an error when trying to log in via SSO. There may be a way to bypass this with a property in bridge.properties, but I haven't verified it yet.
You can use the E-Business Suite Asserter URL to verify the integration and ensure SSO works
- Open a browser and navigate to https://<ebs-asserter-host>:<port>/ebs
- The OCI IAM Sign In page appears.
- Provide credentials
- Upon successful authentication, the user is redirected to the Oracle E-Business Suite home page without needing to provide their local Oracle E-Business Suite credentials
- Verify the logged in username by looking at the upper right
- Log out of Oracle E-Business Suite and you will be brought back to the OCI IAM Sign In page
Test SSO with the EBS Application Login URL
Verify Oracle E-Business Suite Asserter Deployment
You can monitor and validate the E-Business Suite Asserter deployment to determine its status and availability by accessing the following endpoints.
- https://<ebs-asserter-host>:<port>/ebs/about
- https://<ebs-asserter-host>:<port>/ebs/validate
Enable the E-Business Suite Asserter Debug Log
- Create logger.properties file with the below details
handlers = java.util.logging.FileHandler, java.util.logging.ConsoleHandler
java.util.logging.FileHandler.pattern = %h/ebsasserter.log
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.FileHandler.level=ALL
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.ConsoleHandler.level=ALL
com.oracle.ebs.sso.level=ALL
oracle.apps.fnd.ext.level=ALL
oracle.security.jps.idcsbinding.level=ALL
com.oracle.ebs.validator.level=ALL
- Add the option -Djava.util.logging.config.file=<path to the logger.properties created above> to the Server Start Arguments of the EBS Asserter managed server in the WebLogic Console and restart it
- At level ALL the log records every request the asserter handles, including user identifiers and potentially token contents, so restrict read access to the log file and set the levels back to INFO or remove the option once troubleshooting is finished