Integrating OID/SSO with E-Business Suite and Third-Party SSO Solutions
Presented by Paul Jackson (Norman Leach)
Agenda
- Why SSO
- Install Options
- Log Locations
- EBS Cloning Considerations
- Disaster Recovery Considerations
- Monitoring Options
- Case Study Overview
- Future Directions / References

User Account Challenges
- Users must be created in multiple systems/applications
- Multiple passwords must be maintained in each of the multiple systems
- Users must be disabled in multiple systems/applications

OID/SSO Benefits
- All authentication can be handled by one system
- Central password management
- Simplified user management

Types of Installation
- All services on one node
- New database for the MDR on a separate node
- MDR in an already existing database
Services consist of Identity Management (runs on the Application Server) and the MetaData Repository, MDR (runs on the Database).
Install MetaData Repository
Install Identity Management
Verify Installation
- Navigate to: http://<hostname>.<domain>:<port>/oaiddas or http://<load_balance_address>/oaiddas
- Create a test id
- Log in with the new id

Verify Installation
Also check for the critical processes:
    ps -ef | grep odisrv
    $ORACLE_HOME/opmn/bin/opmnctl status
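The two checks above are the ones you end up repeating after every restart, so here they are as a small script. This is an added example, not from the presentation: it applies the odisrv process check and the opmnctl component check to captured command output, and the two captured outputs are constructed samples so that it runs without an OID installation (on a real node you would feed it the live output of `ps -ef` and `$ORACLE_HOME/opmn/bin/opmnctl status`).

```shell
#!/bin/sh
# Added example (not from the presentation): offline health check that applies the two
# post-install verifications from the slide, the odisrv process check and the opmnctl
# component status check, to captured command output. Both samples below are CONSTRUCTED.

# Constructed sample of `ps -ef` output: one odisrv (DIP) process plus unrelated noise.
SAMPLE_PS='oracle   12345     1  0 09:41 ?  00:00:03 /u01/app/oracle/10.1.4/bin/odisrv instance=1 configset=0
oracle   12346     1  0 09:41 ?  00:00:01 /u01/app/oracle/10.1.4/bin/oidldapd -i 1 -conf 0
root         1     0  0 09:30 ?  00:00:02 init'

# Constructed sample of `opmnctl status` output; the column layout mimics the real tool.
SAMPLE_OPMN='Processes in Instance: infra.idm01.example.com
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
OC4J               | OC4J_SECURITY      |   12350 | Alive
HTTP_Server        | HTTP_Server        |   12351 | Alive
OID                | OID                |   12346 | Alive
DSA                | DSA                |     N/A | Down'

# odisrv_running PS_OUTPUT
# Returns 0 if at least one odisrv process line is present, 1 otherwise.
# The [o] bracket keeps grep from matching its own command line on live ps output.
odisrv_running() {
  printf '%s\n' "$1" | grep -q '[o]disrv'
}

# opmn_down_components OPMN_STATUS_OUTPUT
# Prints the ias-component names whose status column is anything other than "Alive".
# Only table rows (four pipe-separated columns) are considered; the header row is skipped.
opmn_down_components() {
  printf '%s\n' "$1" | awk -F'|' '
    NF == 4 && $4 !~ /status/ {
      gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $4)
      if ($4 != "Alive") print $1
    }'
}

# health_check PS_OUTPUT OPMN_STATUS_OUTPUT
# Returns 0 only when odisrv is running and every OPMN component reports Alive.
health_check() {
  rc=0
  if odisrv_running "$1"; then
    echo "OK   odisrv process found"
  else
    echo "FAIL no odisrv process (DIP provisioning to/from EBS will not run)"
    rc=1
  fi
  down=$(opmn_down_components "$2")
  if [ -z "$down" ]; then
    echo "OK   all OPMN components Alive"
  else
    echo "FAIL OPMN components not Alive: $(printf '%s' "$down" | tr '\n' ' ')"
    rc=1
  fi
  return $rc
}

# Stand-alone run against the constructed samples (the DSA row produces a FAIL line).
health_check "$SAMPLE_PS" "$SAMPLE_OPMN" || echo "health check reported problems"
```

A missing odisrv process is the usual reason provisioning silently stops while logins keep working, which is why the script checks it separately from the OPMN table.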
Post Installation Steps
- Change Password Expiry Time (Article 380487.1, Section 6.9)
- Change Max Number of Password Failures
- Create a new admin user and group
- Set limits on files in the new tablespaces
- Backup

Apply Integration Patch for EBS
- 6936696 - 11i.ATG_PF.H RUP7 SSO 10g Integration
- 6117031 - 11i.ATG_PF.H RUP6 SSO 10g Integration
- Included in R12

Register EBS with OID/SSO
Registration types:
- Default (Simple)
- Advanced
Registration Types: Default (Simple)
10.1.3 Oracle Home Registration
- Registers the AS 10.1.3 Oracle Home in OID before OSSO or OID registration
- 10.1.3 Oracle Home registration happens only once per E-Business Suite deployment
SSO
- Single SSO partner application
- Listener Token is set to the site level of the APPS_DATABASE_ID profile option
OID
- Uses bidirectional provisioning
- Can't have changed the default OID password policy
Registration Types: Advanced > Register EBS with SSO
    txkrun.pl -script=setssoreg -registersso=yes
Prompts:
- Enter the host name where Oracle ias Infrastructure database is installed?
- Enter the Oracle ias Infrastructure database port number?
- Enter the Oracle ias Infrastructure database SID?
- Enter Oracle E-Business apps database user password?
- Enter Oracle ias Infrastructure database ORASSO schema password?
- Enter Oracle E-Business SYSTEM database user password?
- Enter E-Business Suite existing SSOSDK schema password or choose a password to use with the new SSOSDK schema if the schema does not exist?

Registration Types: Advanced > Register EBS with OID
    txkrun.pl -script=setssoreg -registeroid=yes provtmp=<template>
Prompts:
- Enter the host name where Oracle ias Infrastructure database is installed?
- Enter the LDAP Port on Oracle Internet Directory server?
- Enter Oracle E-Business apps database user password?
- Enter the Oracle Internet Directory Administrator (orcladmin) Bind password?
- Enter the instance password that you would like to register this application instance with?
Information needed to register
- Hostname of the OAS Infrastructure database
- Port of the OAS Infrastructure database
- SID of the OAS Infrastructure database
- LDAP port of OID
- Provision type
- Passwords: EBS apps; OAS Infrastructure database orasso user; EBS system; EBS ssosdk; OID admin user (orcladmin); EBS registration

Provisioning Types
- Bidirectional
- Inbound - Instance to OID Server
- Outbound - OID Server to Instance
- Bidirectional No Creation
- Custom provisioning using oidprovtool

EBS Profile Updates
- Applications SSO Type
- Applications SSO Auto Link User
- Applications SSO Login Types
- Application SSO LDAP Synchronization
- Applications SSO Enable OID Identity Add Event
- Link Applications user with OID user with same username
- Applications SSO Allow Multiple Accounts

Product Specific Patches
- Follow My Oracle Support Article ID 233436.1, SSO Task 3: Install E-Business Suite Product Family SSO Patches
- For older products (e.g. 11.5.9) additional patches may be required.
EBS Logon with SSO
- EBS delegates to SSO
- User is directed to the SSO login screen

EBS Logon with 3rd Party SSO
- Chain of trust between 3 systems
- EBS continues to work directly and only with Oracle SSO
- The 3rd party must pass the user's identity to Oracle SSO

Customizing IPASAuthInterface
Two methods:
- authenticate(HttpServletRequest)
- getUserCredentialPage(HttpServletRequest, String)
EBS Integration with 3rd Party LDAP
- EBS cannot be integrated directly with a third-party LDAP
- User information in the 3rd party LDAP must be synchronized with OID
- Synchronization can happen with either Oracle Directory Integration Platform or bulkload

Oracle Directory Integration Platform
- Uses a directory synchronization profile: direction, type of interface, mapping rules, connection details of the connected directory
- OID uses its change log to determine what changes to send
- 3rd party changes are synced automatically or are written to a file in LDIF format

Log Locations
- ORACLE_HOME/j2ee/OC4J_SECURITY/log
- ORACLE_HOME/ldap/log
- ORACLE_HOME/sso/log
- ORACLE_HOME/Apache/Apache/logs
- ORACLE_HOME/Apache/modplsql/logs
- ORACLE_HOME/opmn/logs
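Six log directories across OC4J, LDAP, SSO, Apache, mod_plsql and OPMN are more than anyone checks by hand during an incident. The script below is an added example, not from the presentation: it sweeps exactly the directories listed on the slide for the markers that usually indicate trouble in this stack (ORA- errors, LDAP error codes, ERROR/FATAL severities, refused connections) and reports hits per file. The ORACLE_HOME tree it builds, and every log line in it, is constructed so the script runs offline; the error pattern is my own starting list, not an Oracle-documented one.

```shell
#!/bin/sh
# Added example (not from the presentation): a log sweep over the six log locations
# listed on the slide. Builds a CONSTRUCTED sample ORACLE_HOME so it runs offline;
# point scan_idm_logs at a real ORACLE_HOME to use it for real.

# The directories from the slide, relative to ORACLE_HOME.
LOG_DIRS='j2ee/OC4J_SECURITY/log ldap/log sso/log Apache/Apache/logs Apache/modplsql/logs opmn/logs'

# Markers worth a second look (extended regex, matched case-insensitively). Assumed list.
ERROR_PATTERN='ORA-[0-9]+|LDAP: error code|FATAL|ERROR|Connection refused'

# make_sample_home: creates a throwaway ORACLE_HOME with constructed log lines, prints its path.
make_sample_home() {
  home=$(mktemp -d)
  for d in $LOG_DIRS; do mkdir -p "$home/$d"; done
  cat > "$home/ldap/log/oidldapd01.log" <<'EOF'
2010/04/20:09:41:02 * Starting OID LDAP server
2010/04/20:09:41:05 * ERROR * gslfrsAclEval: ORA-03113: end-of-file on communication channel
2010/04/20:09:41:06 * INFO  * bind from 10.0.0.5 ok
2010/04/20:09:41:09 * LDAP: error code 49 - Invalid Credentials
EOF
  cat > "$home/sso/log/ssoServer.log" <<'EOF'
Tue Apr 20 09:42:10 2010 - INFO  - SSO server initialised
Tue Apr 20 09:42:11 2010 - ERROR - Unable to reach OID: Connection refused
EOF
  cat > "$home/opmn/logs/ipm.log" <<'EOF'
10/04/20 09:40:00 Start process
EOF
  echo "$home"
}

# scan_idm_logs ORACLE_HOME
# Prints "<relative path>: <hit count>" for every log file with at least one match and
# returns 1 if anything was found, 0 if the logs are clean. Missing directories are
# skipped, which is what you want on a node that runs only some of the components.
scan_idm_logs() {
  home=$1
  found=0
  for d in $LOG_DIRS; do
    [ -d "$home/$d" ] || continue
    for f in "$home/$d"/*; do
      [ -f "$f" ] || continue
      n=$(grep -Eic "$ERROR_PATTERN" "$f" || true)   # grep -c exits 1 on zero hits
      if [ "$n" -gt 0 ]; then
        printf '%s: %s\n' "${f#$home/}" "$n"
        found=1
      fi
    done
  done
  return $found
}

# total_hits ORACLE_HOME: sums the per-file counts into one number (0 when clean).
total_hits() {
  scan_idm_logs "$1" | awk -F': ' '{ s += $NF } END { print s + 0 }'
}

# Stand-alone run against the constructed tree.
SAMPLE_HOME=$(make_sample_home)
scan_idm_logs "$SAMPLE_HOME" || echo "review the files above"
rm -rf "$SAMPLE_HOME"
```

Run it from cron against the real ORACLE_HOME and alert on a non-zero return; the per-file counts tell you which component (LDAP, SSO, HTTP) to look at first.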
EBS Cloning Considerations
- Prior to the clone, deregister the target instance
- After the clone, remove references to OID/SSO from the target instance:
    txkrun.pl -script=setssoreg -removereferences=yes
- Reregister the target instance

EBS Cloning Considerations
What if you forget to deregister before cloning?
    txkrun.pl -script=setssoreg -deregisteroid=yes
Prompts:
- Enter Oracle E-Business apps database user password?
- Checking preferences in the database.
- Enter the host name where Oracle ias Infrastructure database is installed?
- Enter the application name used for registration of this application instance in OID ( 24 chars or less )?
- Enter the descriptive service name used for registration of this application instance in OID ( 80 chars or less )?
- Enter the LDAP Port on Oracle Internet Directory server?
- Enter the Oracle Internet Directory Administrator (orcladmin) Bind password?
Disaster Recovery
- Failover the database with the MDR to the standby
- Shut down Identity Management on all nodes:
    $ORACLE_HOME/opmn/bin/opmnctl stopall
- Update tnsnames.ora in the OID home
- Start the OID monitor:
    $ORACLE_HOME/bin/oidmon connect=<> start

Disaster Recovery (cont)
- Start Oracle Directory Manager:
    $ORACLE_HOME/bin/oidadmin
- In the System Objects frame of Oracle Directory Manager:
  - Expand Entry Management
  - Expand cn=OracleContext
  - Select the DB name for the OracleAS Metadata Repository
- On the Properties tab, update the orclnetdescstring field

Disaster Recovery (cont)
- Stop the OID monitor
- Start Identity Management
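The "update tnsnames.ora in the OID home" step is the one most often done by hand under pressure, and a stray edit to the wrong alias takes EBS down along with the MDR. The script below is an added example, not from the presentation: it repoints only the HOST= value inside one alias (the MDR connect descriptor) and leaves every other alias untouched, keeps a timestamped backup, and fails loudly when the alias is not found. The tnsnames.ora content, alias name (ORASSO) and host names are constructed placeholders; substitute your own MDR alias and standby host.

```shell
#!/bin/sh
# Added example (not from the presentation): repoint the HOST= of one tnsnames.ora alias
# to the standby, as a repeatable step of the OID-home failover. The sample file below
# is CONSTRUCTED; alias and host names are placeholders.

# repoint_tns_host FILE ALIAS NEW_HOST
# Rewrites HOST = ... inside the entry for ALIAS only. Returns 1 if the alias was not
# found or no HOST value changed, so a typo in the alias name cannot pass as success.
# Assumes plain alias names (no regex metacharacters) and an uncommented "ALIAS =" at column 0.
repoint_tns_host() {
  file=$1; alias=$2; newhost=$3
  tmp=$(mktemp)
  awk -v alias="$alias" -v newhost="$newhost" '
    # An entry starts at column 0 with "NAME =" and lasts until the next such line.
    /^[A-Za-z0-9_.]+[ \t]*=/ { in_block = ($0 ~ ("^" alias "[ \t]*=")) }
    in_block && /HOST[ \t]*=/ {
      if (sub(/HOST[ \t]*=[ \t]*[^) \t]+/, "HOST = " newhost)) changed++
    }
    { print }
    END { exit (changed > 0 ? 0 : 1) }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  cp -p "$file" "$file.$(date +%Y%m%d%H%M%S).bak"   # keep the pre-failover file
  cat "$tmp" > "$file" && rm -f "$tmp"                # overwrite in place, mode preserved
}

# tns_host_of FILE ALIAS: prints the current HOST value of ALIAS (for verification).
tns_host_of() {
  awk -v alias="$2" '
    /^[A-Za-z0-9_.]+[ \t]*=/ { in_block = ($0 ~ ("^" alias "[ \t]*=")) }
    in_block && match($0, /HOST[ \t]*=[ \t]*[^) \t]+/) {
      v = substr($0, RSTART, RLENGTH); sub(/^HOST[ \t]*=[ \t]*/, "", v); print v; exit
    }' "$1"
}

# make_sample_tnsnames: writes a constructed two-alias tnsnames.ora and prints its path.
make_sample_tnsnames() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample, not a real site file
ORASSO =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = mdr-primary.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orasso.example.com))
  )
EBSPROD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ebsdb.example.com)(PORT = 1531))
    (CONNECT_DATA = (SID = PROD))
  )
EOF
  echo "$f"
}

# Stand-alone run: move the MDR alias to the standby and show the result.
SAMPLE=$(make_sample_tnsnames)
repoint_tns_host "$SAMPLE" ORASSO mdr-standby.example.com \
  && echo "ORASSO now -> $(tns_host_of "$SAMPLE" ORASSO)"
rm -f "$SAMPLE" "$SAMPLE".*.bak
```

After the edit, `tnsping` the alias from the OID home before starting oidmon; the orclnetdescstring update in Oracle Directory Manager on the next slide still has to be done separately, since that value lives in the directory, not in the file.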
Monitoring
- EM can be used to monitor the Application Server: OC4J, Oracle HTTP Server, Oracle Internet Directory, OC4J_SECURITY, Single Sign-On Server
- EM can also be used to run jobs

Case Study: Installation
- MDR in an already existing database
- Identity Management clustered behind a load-balancer

Case Study: Integration with Third-Party SSO
- Custom-built IDM system
- Controls access to multiple corporate systems
- Wanted to use it as the source of record
- Turned off provisioning

Future Directions
- Oracle is focusing on Oracle Access Manager. This will still use OID as a go-between with the E-Business Suite AccessGate.
- Reference 975182.1 - Integrating Oracle E-Business Suite with Oracle Access Manager using Oracle E-Business Suite AccessGate
References
- 233436.1 - Installing Oracle Application Server 10g with Oracle E-Business Suite Release 11i
- 376811.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On
- 300436.1 - Setting Up OID Replication in 10.1.2 / 10.1.4
- Oracle Application Server Single Sign-On Administrator's Guide
- Oracle Identity Management Integration Guide

Final Slide
Please complete evaluations - 4232 Integrating OID/SSO with E-Business Suite and Third-Party SSO Solutions, 4/22/2010 9:45AM
Presentation available on www.fieldappsdba.com