Using Single Sign-On 10g with E-Business Suite Release 11i
For E-Business Suite customers, the key benefits are:
If you have one or more E-Business Suite Release 11i instances and are tired of maintaining users separately for each environment, you can create a central OracleAS 10g environment and manage all 11i users in one place.
If you have a combination of PeopleSoft, JD Edwards, and the E-Business Suite in your organization, you can use OracleAS 10g to manage users for all three environments centrally.
If you have a combination of the E-Business Suite and custom applications based on Oracle databases or OracleAS 10g technology, you can use OracleAS 10g to manage users for all applications in a single place.
Use Oracle Internet Directory Instead of FND_USERThe E-Business Suite's user management capabilities (based on the FND_USER directory) are perfectly adequate for administering E-Business Suite users. However, security administrators wishing for additional user management and provisioning features would benefit from switching to Oracle Internet Directory.
Integrate with Third-Party LDAP and Single Sign-On ProductsIf you have an existing corporate security system such as Microsoft Active Directory, Windows Kerberos, Sun ONE/iPlanet, or Netegrity SiteMinder, using OracleAS 10g allows you to integrate your E-Business Suite with that infrastructure. This is a topic for a future In-Depth posting; watch this space.
How Single Sign-On 10g Works With the E-Business Suite
When the E-Business Suite is integrated with OracleAS 10g and Single Sign-On 10g, the user authentication process is handled by Single Sign-On 10g.
Users attempting to access protected E-Business Suite content are redirected to Single Sign-On 10g for authentication. Users log in via Single Sign-On 10g, and then are redirected back to the E-Business Suite and the protected content they wished to access.
Authentication versus Authorization
It's important to distinguish user authentication from user authorization:
Likewise, if a user logs out of any one of those partner applications, the user is logged out of all of them. This is called Single Sign-Off, and works with the E-Business Suite, too.
Under the Covers: The Chain of Trust
The key architectural concept to understand is that there is a chain of trust established between the E-Business Suite, Single Sign-On 10g, and Oracle Internet Directory 10g:
The E-Business Suite delegates user authentication to Single Sign-On, and Single Sign-On delegates user credential validation to Oracle Internet Directory.
The Log In Process, Deconstructed
Let's walk through this with an example:
Our example user isn't logged into the E-Business Suite. She attempts to access a bookmarked link in her browser that points to the E-Business Suite's Self-Service Expenses page.
The E-Business Suite checks the user's browser for a valid 11i cookie, but doesn't find one: not surprising -- she hasn't logged in yet.
The E-Business Suite redirects the user to Single Sign-On 10g. Single Sign-On 10g displays a login screen and collects the user's userid and password. It then passes those credentials to Oracle Internet Directory for validation.
Oracle Internet Directory looks up the user's credentials in the Oracle Internet Directory LDAP directory in the OracleAS 10g Infrastructure, providing an approval or rejection as appropriate to Single Sign-On.
If approved, Single Sign-On 10g issues a set of security tokens to the user and redirects her back to the E-Business Suite. If rejected, the user is given another chance to log in with valid credentials.
Once redirected back to the E-Business Suite, the E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities in the E-Business Suite FND_USER table.
Having established that our example user is authorized to access Self-Service Expenses, the E-Business Suite issues its own security tokens and creates a new ICX user session. The user now has two sets of security tokens in her browser, one from Single Sign-On 10g, and another from the E-Business Suite.
At this point, the user is officially logged in, and is redirected to Self-Service Expenses.
Synchronizing User Credentials Between Oracle Internet Directory and the E-Business Suite
If user authentication and user authorization are performed by two different parts of this integrated system for the same user, the alert reader will leap ahead and guess that user credentials need to synchronized.
That guess would be correct: user credentials in Oracle Internet Directory and the E-Business Suite's FND_USER directory need to be synchronized. A user must be recognized and have valid entries in both locations to gain access to protected content.
This synchronization is handled by an Oracle Internet Directory tool called the Directory Integration & Provisioning Platform.
It's up to you to designate the master "source of truth" for user credentials; this is fully configurable. For example, you can designate the E-Business Suite as the master and Oracle Internet Directory as the slave, or vice versa. You can even elect to manage user credentials in both locations and have changes updated automatically between the two of them.
In other words, changes to user credentials can flow:
For E-Business Suite customers, the key benefits are:
- The ability to offer a comprehensive Single Sign-On solution that works with all Oracle products, including the E-Business Suite, PeopleSoft, and JD Edwards.
- The ability to use Oracle Internet Directory for managing E-Business Suite user credentials, shifting focus from the older FND_USER directory
- The ability to integrate the E-Business Suite with your existing third-party
single sign-on and LDAP infrastructure
If you have one or more E-Business Suite Release 11i instances and are tired of maintaining users separately for each environment, you can create a central OracleAS 10g environment and manage all 11i users in one place.
If you have a combination of PeopleSoft, JD Edwards, and the E-Business Suite in your organization, you can use OracleAS 10g to manage users for all three environments centrally.
If you have a combination of the E-Business Suite and custom applications based on Oracle databases or OracleAS 10g technology, you can use OracleAS 10g to manage users for all applications in a single place.
Use Oracle Internet Directory Instead of FND_USERThe E-Business Suite's user management capabilities (based on the FND_USER directory) are perfectly adequate for administering E-Business Suite users. However, security administrators wishing for additional user management and provisioning features would benefit from switching to Oracle Internet Directory.
Integrate with Third-Party LDAP and Single Sign-On ProductsIf you have an existing corporate security system such as Microsoft Active Directory, Windows Kerberos, Sun ONE/iPlanet, or Netegrity SiteMinder, using OracleAS 10g allows you to integrate your E-Business Suite with that infrastructure. This is a topic for a future In-Depth posting; watch this space.
How Single Sign-On 10g Works With the E-Business Suite
When the E-Business Suite is integrated with OracleAS 10g and Single Sign-On 10g, the user authentication process is handled by Single Sign-On 10g.
Users attempting to access protected E-Business Suite content are redirected to Single Sign-On 10g for authentication. Users log in via Single Sign-On 10g, and then are redirected back to the E-Business Suite and the protected content they wished to access.
Authentication versus Authorization
It's important to distinguish user authentication from user authorization:
- User authentication is the process of establishing whether the user is whom they claim to be.
- User authorization is the process of determining what resources an authenticated user is permitted to access.
- When the E-Business Suite is integrated with Single Sign-On 10g, it delegates user authentication to Single Sign-On.
- After Single Sign-On has successfully authenticated a user, the E-Business Suite handles the authorization process: e.g. ensuring that the user is entitled to file expenses.
Likewise, if a user logs out of any one of those partner applications, the user is logged out of all of them. This is called Single Sign-Off, and works with the E-Business Suite, too.
Under the Covers: The Chain of Trust
The key architectural concept to understand is that there is a chain of trust established between the E-Business Suite, Single Sign-On 10g, and Oracle Internet Directory 10g:
The E-Business Suite delegates user authentication to Single Sign-On, and Single Sign-On delegates user credential validation to Oracle Internet Directory.
The Log In Process, Deconstructed
Let's walk through this with an example:
Our example user isn't logged into the E-Business Suite. She attempts to access a bookmarked link in her browser that points to the E-Business Suite's Self-Service Expenses page.
The E-Business Suite checks the user's browser for a valid 11i cookie, but doesn't find one: not surprising -- she hasn't logged in yet.
The E-Business Suite redirects the user to Single Sign-On 10g. Single Sign-On 10g displays a login screen and collects the user's userid and password. It then passes those credentials to Oracle Internet Directory for validation.
Oracle Internet Directory looks up the user's credentials in the Oracle Internet Directory LDAP directory in the OracleAS 10g Infrastructure, providing an approval or rejection as appropriate to Single Sign-On.
If approved, Single Sign-On 10g issues a set of security tokens to the user and redirects her back to the E-Business Suite. If rejected, the user is given another chance to log in with valid credentials.
Once redirected back to the E-Business Suite, the E-Business Suite recognizes the Single Sign-On security tokens and looks up the user's assigned Applications Responsibilities in the E-Business Suite FND_USER table.
Having established that our example user is authorized to access Self-Service Expenses, the E-Business Suite issues its own security tokens and creates a new ICX user session. The user now has two sets of security tokens in her browser, one from Single Sign-On 10g, and another from the E-Business Suite.
At this point, the user is officially logged in, and is redirected to Self-Service Expenses.
Synchronizing User Credentials Between Oracle Internet Directory and the E-Business Suite
If user authentication and user authorization are performed by two different parts of this integrated system for the same user, the alert reader will leap ahead and guess that user credentials need to synchronized.
That guess would be correct: user credentials in Oracle Internet Directory and the E-Business Suite's FND_USER directory need to be synchronized. A user must be recognized and have valid entries in both locations to gain access to protected content.
This synchronization is handled by an Oracle Internet Directory tool called the Directory Integration & Provisioning Platform.
It's up to you to designate the master "source of truth" for user credentials; this is fully configurable. For example, you can designate the E-Business Suite as the master and Oracle Internet Directory as the slave, or vice versa. You can even elect to manage user credentials in both locations and have changes updated automatically between the two of them.
In other words, changes to user credentials can flow:
- From the E-Business Suite to Oracle Internet Directory
- From Oracle Internet Directory to the E-Business Suite
- Bidirectionally between them.
No comments:
Post a Comment
No one has ever become poor by giving