Oracle EBS On-Premise SAML SSO using Oracle Access Manager
Oracle E-Business Suite (Oracle EBS) is a comprehensive suite of integrated, global business applications that enable organizations to make better decisions, reduce costs, and increase performance. To configure Oracle EBS On-Premise with Infisign for single sign-on (SSO), Oracle EBS must be configured with Oracle Access Manager, and Oracle Access Manager is then configured with the Identity Administration portal.
This document states that Oracle EBS has already been configured with Oracle Access Manager, and provides instructions for configuring Oracle Access Manager for single sign-on via SAML.
The following steps are required to configure Oracle Access Manager for single sign-on (SSO) via SAML. Oracle Access Manager offers both IdP-initiated SAML SSO (for SSO access through the user portal) and SP-initiated SAML SSO (for SSO access directly through the Oracle Access Manager). You can configure Oracle Access Manager for either or both types of SSO.
Step1: Prepare Oracle EBS On-Premise for single sign-on
Before you configure the Oracle EBS On-Premise for SSO, you need the following:
- Oracle EBS installed.
- Oracle Access Manager installed.
- Oracle EBS is configured with Oracle Access Manager with the help of Oracle AccessGate and WebGate. For more information, see document id 1576425.1 on https://support.oracle.com.
- Users can do SSO with Oracle EBS using Oracle Access Manager.
A signed certificate.
You can either download one from the Identity Administration portal or use your organization’s trusted certificate with a private key embedded in
.pfx
or.p12
format and upload this certificate in the Identity Administration portal. This decision must be made before you download Identity Provider metadata.
What you need to know about Oracle EBS with Oracle Access Manager
Each SAML application is different. The following table lists features and functionality specific to Oracle Access Manager.
Capability | Supported? | Support details |
Web browser client | Yes | |
Mobile client | No | |
SAML 2.0 | Yes | |
SP-initiated SSO | Yes | |
IdP-initiated SSO | Yes | To use IdP-initiated SSO, configuration must be done at Oracle Access Manager. |
Force user login via SSO only | No | Users can log in using a separate local login URL that follows this form: <http:// <ebs_server>: <port>/OA_HTML/AppsLocalLogin.jsp> |
Separate administrator login after SSO is enabled |
Yes | System administrator can log in using a separate URL that follows this form: <http://< ebs_server>: <port>/OA_HTML/AppsLocalLogin.jsp> |
User or Administrator lockout risk | No | Users can log in using a separate local login URL that follows this form: <http:// <ebs_server>: <port>/OA_HTML/AppsLocalLogin.jsp> |
Automatic user provisioning | Yes | |
Multiple User Types | Yes | Admin user End users |
Self-service password | Yes | Users can reset their own passwords. |
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Identity Administration portal Policy page to restrict access to the application. |
Step 2: In the Identity Administration portal, add the application and start configuring application settings.
Once the application settings are configured, complete the user account mapping and assign the application to one or more roles
Step 3: Configure Oracle Access Manager for single sign-on.
The following is an overview of the steps required to configure Oracle Access Manager as a service provider.
a. Enable identity federation
Log in to the Oracle Access Management Console using your server name and port number:
http://<oam_server>:<port>/oamconsole/
On the Welcome page go to Configuration > Available Services.
- Confirm that the green status check mark displays next to Access Manager; if it does not, click Enable.
- Confirm that the green status check mark displays next to Identity Federation; if it does not, click Enable.
b. Create remote identity provider partners
- In the Oracle Access Management Console, click Federation at the top of the window and click the Service Provider Management link.
- Click the Create Identity Provider Partner from the Create (+) drop-down list.
- In the General section, enter a Name for your IDP, Infisign
- Set Enable Partner to Yes.
- Set Default Identity Provider Partner to Yes.
- Under Service Information, select SAML 2.0 from the Select Protocol drop-down menu.
- In the Service Details field, select Load from provider metadata, and a new field named Metadata File appears.
- Click Browse.
- Select the metadata file that you downloaded.
- Under Mapping Options, select User Identity Store from the drop-down menu.
- Select Map assertion Name ID to User ID Store and set its value to
mail
. - Click Save to create the Identity Provider definition.
c. Configure Oracle Access Manager for IdP-initiated flow
- Log in to Oracle Access Manager using SSH client, where <machine_user> is the user that installed Oracle Access Manager and <machine_IP> is the IP address for the machine where Oracle Access Manager is installed:
ssh <machine_user>@<machine_IP>
- In the shell window, enter the following set of commands in order, substituting values as shown in the Definitions column:
Command | Definitions: |
cd <WLST_Path> |
<OAM_INSTALL_DIR> |
./wlst.sh | |
connect ('<username>','<password>','t3:// <oam_server>:<oam_port>') |
|
domainRuntime() | |
updatePartnerProperty('<partner name>', 'idp', 'providerrelaystate', 'http://<ebs_server>:<ebs_port>/OA_HTML/AppsLogin', 'string') |
|
d. Configure Oracle Access Manager for automatic user provisioning
- Log in to Oracle Access Manager Console and click on Plug-ins.
- Select FedUserProvisioningPlugin.
- (Optional) In the configuration parameters tab, set one or more of the following parameters:
Log in to Oracle Access Manager using SSH client, where <machine_user> is the user that installed Oracle Access Manager and <machine_IP> is the IP address for the machine where Oracle Access Manager is installed:
ssh <machine_user>@<machine_IP>
- Enable user provisioning with the default plug-in by executing the WLST command:
Parameter | Definition |
KEY_USER_RECORD_ATTRIBUTE_LIST |
The list of attributes with which the user should be provisioned. These attributes are available as part of the assertion, for example: mail. |
KEY_PROVIDERID_ATTRIBUTE_NAME |
The tenant ID attribute name in the identity store which Identity Federation populates at run-time with the tenant name. |
KEY_USERID_ATTRIBUTE_NAME |
The attribute name to use for the userid value from the assertion attributes. |
Command | Definitions: |
cd <WLST_Path> |
<OAM_INSTALL_DIR> |
./wlst.sh | |
connect ('<username>','<password>','t3:// <oam_server>:<oam_port>') |
|
domainRuntime() | |
putBooleanProperty("/fedserverconfig/userprovisioningenabled","true") |
e. Export metadata
- Open the Oracle Access Manager Console and click Configuration at the top of the window to open the Configuration console.
- In the Settings section, select Federation from the drop-down list to open the Federation Settings page
- Click Export SAML 2.0 Metadata to download the Metadata file to your browser’s default download folder.
Step 4: Configure Oracle EBS On-Premise in the Identity Administration portal
- Return to the browser tab you were using to work in the Identity Administration portal and navigate to the Application Settings screen of your Oracle EBS On-Premise app.
- Click Upload SP Metadata and choose the Metadata file you downloaded from the Oracle Access Manager Console.
- Note: The Assertion Consumer Service URL and the Advanced Script will be automatically updated when you upload the metadata file. All existing data in the Advanced Script will be overwritten.
- Verify that the configuration idp is done in the Application Settings and Advanced pages as described.