Enterprise identity management solutions allow security administrators to define a user in a single location, such as a Lightweight Directory Access Protocol (LDAP) directory, and share that common user definition throughout multiple parts of their enterprise. Oracle Identity Management, part of Oracle Application Server 10g, may be integrated with the EBS to support centralized user management via Oracle Internet Directory, and to support single sign-on functionality via Oracle Single Sign-On.
In its default configuration, Oracle EBS R12 allows registered users to log in using credentials stored directly in the EBS. In this default configuration, EBS system administrators are responsible for maintaining the local repository of registered EBS users.
When Oracle Application Server 10g is optionally integrated, EBS system administrators can reconfigure their environments to delegate both user administration and user authentication to it. This integration with Oracle Application Server 10g requires significant changes to how Oracle EBS R12 handles authentication. Instead of performing authentication natively, against the local EBS FND_USER table, EBS R12 now delegates this functionality to the Oracle Single Sign-On server. In this configuration, Oracle EBS R12 can direct unauthenticated users to an Oracle Single Sign-On server for identity verification, and securely accept identities vouched for by the Single Sign-On mechanism.
Oracle Single Sign-On may, in turn, be integrated with existing third-party authentication systems such as Microsoft Windows (Kerberos), and Oracle Internet Directory may be integrated with existing third-party LDAP directories such as Microsoft Active Directory. Oracle Single Sign-On either performs authentication against information stored in Oracle Internet Directory (an LDAP server), or delegates authentication to a third-party authentication mechanism. Where a third-party authentication mechanism is in use, the Oracle Single Sign-On server and Oracle Internet Directory are still required: they provide bridge functionality between Oracle EBS and the third-party single sign-on solution.
Enterprise User Management functionality
Oracle Internet Directory is the integration point that allows Oracle EBS R12 to participate in enterprise-level user management. Each Oracle EBS instance must still maintain a record of registered users, in the form of the traditional application accounts. However, the level of abstraction needed for an enterprise-level user requires a mechanism that can uniquely identify a user across the enterprise. This is accomplished via a globally unique identifier (GUID). Oracle Internet Directory and Oracle EBS R12 store GUID information for each enterprise-level user; the GUID can be considered an identity badge that is recognized by both Oracle Internet Directory and Oracle EBS R12.
Another requirement in such an environment is for user enrollment to be done only once, at well-defined places, with the user subsequently being known to the rest of the enterprise. Two additional features enable support for automatic propagation of user information across an enterprise:
· A synchronization process between Oracle Internet Directory and a third-party LDAP server
· A provisioning process between Oracle Internet Directory and Oracle E-Business Suite
Much of the complexity involved with integrating Oracle EBS into a single sign-on environment arises from the need to consolidate fragmented or duplicated user data in the single sign-on environment, a legacy of integrating previously isolated systems. The solution provides mechanisms to link the existing data together using the GUID. In addition, bulk migration tools are provided to move a large number of users between Oracle Internet Directory and Oracle EBS during the transition to a single sign-on environment.
Additional Single Sign-On Features and Limitations
Other advanced features include automatically keeping a set of user profile information synchronized across an enterprise for an entity, and the ability to link an account in Oracle Internet Directory to multiple application accounts in Oracle EBS. In this release, provisioning from Oracle EBS to Oracle Internet Directory is synchronous; that is, all user management operations carried out in Oracle EBS are also carried out in Oracle Internet Directory at the same time. However, provisioning from Oracle Internet Directory to Oracle EBS is done asynchronously, so a user created in the directory may not appear in EBS immediately.
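The GUID link described under Enterprise User Management, and the asynchronous OID-to-EBS provisioning just mentioned, both give an administrator something concrete to audit: every FND_USER row should carry a GUID that resolves to exactly one directory entry, and directory entries without an EBS account are either still in the provisioning queue or were never provisioned. The reconciliation below is an added example, not code from Oracle or from this post. It assumes the directory export carries the OID `orclguid` attribute and that the EBS extract comes from the FND_USER `USER_NAME`, `USER_GUID` and `END_DATE` columns; the LDIF and CSV samples are constructed, and the hypothetical `LEGACY1` and `AMARTIN` rows are deliberately left unlinked and mis-linked so the report has something to flag.

```python
"""Reconcile enterprise users between an Oracle Internet Directory (OID)
export and an Oracle EBS R12 FND_USER extract by GUID.

Added example, not Oracle's code. Assumes: OID entries expose 'orclguid';
the EBS extract has USER_NAME, USER_GUID and END_DATE. Sample data is
constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed OID export (LDIF-style). 'amartin' and 'newhire' have no
# matching EBS row yet, as happens while asynchronous provisioning lags.
OID_LDIF = """\
dn: cn=jsmith,cn=users,dc=example,dc=com
cn: jsmith
orclguid: 1F2E3D4C5B6A79800000000000000001

dn: cn=amartin,cn=users,dc=example,dc=com
cn: amartin
orclguid: 1F2E3D4C5B6A79800000000000000002

dn: cn=newhire,cn=users,dc=example,dc=com
cn: newhire
orclguid: 1F2E3D4C5B6A79800000000000000003
"""

# Constructed FND_USER extract. LEGACY1 has no GUID (local-only account),
# AMARTIN carries a GUID the directory does not know, OLDUSER is end-dated
# and shares JSMITH's GUID (one OID account linked to two EBS accounts).
FND_USER_CSV = """\
USER_NAME,USER_GUID,END_DATE
JSMITH,1F2E3D4C5B6A79800000000000000001,
AMARTIN,DEADBEEF00000000000000000000FFFF,
LEGACY1,,
OLDUSER,1F2E3D4C5B6A79800000000000000001,2009-01-01
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, attribute names lower-cased. Base64 ('::') values and folded
    lines are not handled; a cn/orclguid export does not need them."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def parse_fnd_user(text):
    """Read the FND_USER extract into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(oid_entries, fnd_rows):
    """Classify every account on both sides of the GUID link."""
    oid_by_guid = {}
    for entry in oid_entries:
        for guid in entry.get("orclguid", []):
            oid_by_guid[guid.upper()] = entry["cn"][0]

    ebs_by_guid = defaultdict(list)
    report = {"linked": [], "unlinked_local": [], "orphan_guid": [],
              "end_dated": [], "pending_provisioning": [],
              "multi_account_guids": {}}
    for row in fnd_rows:
        name, guid = row["USER_NAME"], (row["USER_GUID"] or "").upper()
        if row.get("END_DATE"):
            report["end_dated"].append(name)      # still linked, but expired
        if not guid:
            report["unlinked_local"].append(name)  # never linked to OID
        elif guid in oid_by_guid:
            report["linked"].append(name)
            ebs_by_guid[guid].append(name)
        else:
            report["orphan_guid"].append(name)     # GUID unknown to directory
    # Directory users with no EBS account: queued or never provisioned.
    report["pending_provisioning"] = sorted(
        cn for guid, cn in oid_by_guid.items() if guid not in ebs_by_guid)
    # One OID account mapped to several EBS accounts is permitted by the
    # product but worth reviewing, especially when one of them is end-dated.
    report["multi_account_guids"] = {
        g: names for g, names in ebs_by_guid.items() if len(names) > 1}
    return report


def run_report():
    """Reconcile the constructed samples and return the report dict."""
    return reconcile(parse_ldif(OID_LDIF), parse_fnd_user(FND_USER_CSV))


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

Against real exports the `unlinked_local` list is the one to review first, since those accounts are still authenticated against FND_USER rather than through Single Sign-On, while `pending_provisioning` entries that persist beyond the expected provisioning delay indicate that the asynchronous OID-to-EBS process has stalled.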
The solution described here does not address the issue of authorization. After a user has been authenticated, Oracle EBS R12 retrieves the authorization information associated with the application account the user is logged into. Authorization information for application accounts is managed through Applications responsibilities. Oracle EBS R12 applies authorization checks as and when required during the user's session.