Typical Workflow for Using Identity Cloud Service E-Business Suite Asserter to Authenticate Oracle E-Business Suite with Oracle Identity Cloud Service
With the Identity Cloud Service E-Business Suite Asserter component that you download from the Identity Cloud Service console, you integrate your Oracle E-Business Suite with Oracle Identity Cloud Service to allow end users to authenticate in Oracle E-Business Suite environments and to Oracle E-Business Suite mobile applications using their Oracle Identity Cloud Service credentials.
Task | Description | Additional Information |
---|---|---|
Understand the Identity Cloud Service E-Business Suite Asserter | Learn what Identity Cloud Service E-Business Suite Asserter is, why you should use it to integrate your Oracle E-Business Suite environment with Oracle Identity Cloud Service, and the certified components of the architecture. | What is Identity Cloud Service E-Business Suite Asserter |
What do You Need to Use the Asserter | Understand the required services and roles, how to download the asserter, and the information you need from your environment. | What do You Need to Use the E-Business Suite Asserter |
Configure the Integration | Configure Oracle E-Business Suite, register E-Business Suite Asserter in Oracle Identity Cloud Service, and deploy the asserter. | Configure E-Business Suite Asserter Integration |
Validate the Integration | Test the single sign-on scenarios. | Validate the Integration |
Set up E-Business Suite Mobile Applications | Integrate E-Business Suite mobile applications with Oracle Identity Cloud Service for single sign-on purposes. | Set up E-Business Suite Mobile Applications |
Collect Diagnostic Data | Enable and collect diagnostic data from E-Business Suite Asserter. | Collect Diagnostic Data |
Monitor the E-Business Suite Asserter | Monitor the E-Business Suite Asserter to determine the status and in turn its availability. | Monitor the E-Business Suite Asserter |
Deploy the Oracle App Gateway Docker Container | Deploy the Oracle App Gateway Docker container. | Deploy the Oracle App Gateway Docker Container |
Troubleshoot Common Issues | List of common issues found during the configuration of this integration. | Troubleshoot Common Issues |
What is Identity Cloud Service E-Business Suite Asserter
The E-Business Suite Asserter is a lightweight web application that enables single sign-on (SSO) for E-Business Suite using IDCS. The asserter enables users to access E-Business Mobile Apps and the E-Business Suite Web interfaces. Users can also access other applications that are secured using Oracle Identity Cloud Service.
To enhance security for the sign-in process, you can set up sign-on and identity provider policies, and configure multi-factor authentication. You can also enable adaptive security to provide strong authentication capabilities and risk analysis for your users across applications and Oracle E-Business Suite in Oracle Identity Cloud Service.
Why You Should Use Identity Cloud Service E-Business Suite Asserter
The Identity Cloud Service E-Business Suite Asserter is a lightweight Java application. It helps to simplify the deployment topology for Oracle E-Business Suite single sign-on (SSO) by replacing Oracle Access Manager and Oracle Internet Directory with Oracle Identity Cloud Service.
- Have your Oracle E-Business Suite integrated with other applications for single sign-on.
- Enhance security to access your Oracle E-Business Suite by enabling Oracle Identity Cloud Service security features such as multi-factor authentication, sign-on policies, account recovery, and adaptive security.
- Multiple access modes for SSO with Oracle E-Business Suite. You can access Oracle E-Business Suite by using one of the following modes:
  - The asserter direct URL (you can bookmark this URL).
  - The Oracle Identity Cloud Service My Apps page.
  - The asserter direct URL with a redirect parameter.
  - Previously bookmarked Oracle E-Business Suite URLs.
- Supports log out from multiple points including Oracle E-Business Suite, E-Business Suite Asserter, and Oracle Identity Cloud Service.
- Allows single sign-on between Oracle E-Business Suite and Oracle E-Business Suite mobile application.
Certified Components for Identity Cloud Service E-Business Suite Asserter
The following table lists the certified components and their versions for Oracle Identity Cloud Service, Oracle E-Business Suite, WebLogic Server, Java JDK, and the Identity Cloud Service E-Business Suite Asserter to use for integration.
Oracle Identity Cloud Service | Oracle E-Business Suite (EBS) | WebLogic Server | JDK | E-Business Suite Asserter |
---|---|---|---|---|
19.2.1+ | The following versions with latest patches applied: | Oracle WebLogic Server 12c (12.1.3 and 12.2); Oracle WebLogic Server 14c (14.1.1) | | 19.1.4-1.2.2+ |
Architecture
The Identity Cloud Service E-Business Suite Asserter is deployed to a separate Oracle WebLogic Server instance. The E-Business Suite Asserter interacts with Oracle Identity Cloud Service through Oracle Identity Cloud Service REST API and redirects the user's web browser to Oracle Identity Cloud Service and to Oracle E-Business Suite.
This architectural diagram shows how the E-Business Suite Asserter, Oracle E-Business Suite, and Oracle Identity Cloud Service interact.

Description of the illustration architecture.png
The following diagrams show the login and logout flow when using the E-Business Suite Asserter to integrate Oracle E-Business Suite with Oracle Identity Cloud Service. These flow diagrams show the login and logout process starting with Oracle E-Business Suite, but the E-Business Suite Asserter approach also supports E-Business Suite Asserter and Oracle Identity Cloud Service initiated flow.

Description of the illustration login-flow-chart.png
1. The user requests access to an Oracle E-Business Suite protected resource.
2. Oracle E-Business Suite redirects the user browser to the E-Business Suite Asserter application.
3. The E-Business Suite Asserter uses an Oracle Identity Cloud Service SDK to generate the authorization URL and then redirects the browser to Oracle Identity Cloud Service.
4. Oracle Identity Cloud Service presents its sign in page to the user.
5. The user submits credentials to Oracle Identity Cloud Service.
6. Oracle Identity Cloud Service issues an authorization code and redirects the user's browser to the E-Business Suite Asserter.
7. The E-Business Suite Asserter uses an Oracle Identity Cloud Service SDK to communicate with Oracle Identity Cloud Service to exchange the authorization code for an access token.
8. Oracle Identity Cloud Service issues an access token and an ID token to the E-Business Suite Asserter.
9. The E-Business Suite Asserter creates an Oracle E-Business Suite cookie and redirects the user's browser to Oracle E-Business Suite.
10. Oracle E-Business Suite presents the user requested protected resource.
The logout process described below refers to a user invoking logout from Oracle E-Business Suite. If the logout process is initiated in Oracle Identity Cloud Service, then only steps 5 and 6 are executed.

Description of the illustration logout-flow-chart.png
1. The user selects to logout from Oracle E-Business Suite, requesting the `/ebslogout` URL.
2. Oracle E-Business Suite logs the user out and then redirects the user's browser to the E-Business Suite Asserter application.
3. The E-Business Suite Asserter uses an Oracle Identity Cloud Service SDK to obtain the Oracle Identity Cloud Service logout URL, and then redirects the user's browser to this URL.
4. The user browser invokes the Oracle Identity Cloud Service logout URL.
5. Oracle Identity Cloud Service removes the user session and then redirects the user's browser to the E-Business Suite Asserter logout URL, which is defined in the application configuration.
6. The E-Business Suite Asserter logs the user out and redirects the user's browser to the Post Logout Redirect URL, which is defined in the application configuration.
Considerations for Using the E-Business Suite Asserter
To use the E-Business Suite Asserter, you should understand the following considerations for installation and configuration.
- The host names for the EBS Asserter's WebLogic server and Oracle E-Business Suite's application server must have exactly the same domain for SSO to work.
- The E-Business Suite Asserter must be accessed over SSL, since Oracle Identity Cloud Service can only be accessed over SSL. Failure to do so may cause SSO between Oracle Identity Cloud Service and the E-Business Suite Asserter to fail.
- Synchronize the server clock where the E-Business Suite Asserter runs, and the server clock where Oracle E-Business Suite runs.
- You can deploy the asserter in Oracle WebLogic Server 12c by using secure communications such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
How to Use the Asserter With Multiple Instances of Oracle E-Business Suite
You can use the same WebLogic Server installation with multiple managed servers, or different WebLogic Server installations, each with one managed server. In both cases, each Identity Cloud Service E-Business Suite Asserter URL will have its own domain name and port number pair.
For each Oracle E-Business Suite (EBS) instance, you configure and deploy one instance of the E-Business Suite Asserter (EBS Asserter) Java application. Usually you deploy each EBS Asserter Java application to a specific WebLogic managed server.
Starting from EBS Asserter version 19.2.1-1.5.0, if you don't want to create multiple managed servers and deploy one EBS Asserter Java application to each of them, you can deploy multiple EBS Asserter Java applications to the same WebLogic managed server.
To accomplish this scenario, you need to perform the following tasks:
- Rename each EBS Asserter Java application's Web Application Resource (WAR) file before you deploy the file to the same WebLogic managed server. In this case, the domain name and port number of all EBS Asserter's URLs will be the same, but the URL's context will change.
- Extract the contents of each `ebs.war` file to a folder, find the `weblogic.xml` file, edit this file, update the value of the `<cookie-path>` tag to match the EBS Asserter's URL, and then rebuild the `ebs.war`.

  For example, if you want EBS Asserter to respond to URL context `/app/ebs`, then update the tag within `weblogic.xml` with the value `<cookie-path>/app/ebs</cookie-path>`.
For example, suppose you have two EBS instances named Development 1 and Development 2 and you want to integrate these EBS instances with Oracle Identity Cloud Service using the EBS Asserter, but you have only one WebLogic managed server for the two EBS Asserter Java applications. You need to execute the procedures in this tutorial for each EBS instance. You configure the WebLogic Server only once, and configure and deploy the EBS Asserter Java application for each EBS instance:
- For EBS instance Development 1:
  - Make a copy of the `ebs.war` file and name the new file `ebsdev1.war`.
  - Update the `weblogic.xml` file contained in the `ebsdev1.war` file, by replacing the `cookie-path` tag with the following: `<cookie-path>/ebsdev1</cookie-path>`.
  - Update the `bridge.properties` file contained in the `ebsdev1.war` file.
  - Deploy the `ebsdev1.war` file to the WebLogic managed server.
- For EBS instance Development 2:
  - Make a copy of the `ebs.war` file and name the new file `ebsdev2.war`.
  - Update the `weblogic.xml` file contained in the `ebsdev2.war` file, by replacing the `cookie-path` tag with the following: `<cookie-path>/ebsdev2</cookie-path>`.
  - Update the `bridge.properties` file contained in the `ebsdev2.war` file.
  - Deploy the `ebsdev2.war` file to the WebLogic managed server.
You deploy both `ebsdev1.war` and `ebsdev2.war` files to the same WebLogic managed server. The EBS Asserter's URL for EBS instance Development 1 will be similar to the following example: `https://ebsasserter.example.com:7002/ebsdev1`.

The EBS Asserter's URL for EBS instance Development 2 will be similar to the following example: `https://ebsasserter.example.com:7002/ebsdev2`.
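The copy-and-edit steps above can be scripted and then audited before deployment, so that no two asserter applications on the same managed server share a session cookie path. This is an added example, not Oracle's tooling. It assumes the descriptor sits at the standard `WEB-INF/weblogic.xml` location and that the context root equals the WAR file name; the sample WAR is constructed, and `bridge.properties` must still be edited per instance.

```python
import re
import zipfile
from pathlib import Path

DESCRIPTOR = "WEB-INF/weblogic.xml"  # standard WebLogic descriptor location in a WAR
COOKIE_PATH = re.compile(r"<cookie-path>\s*(.*?)\s*</cookie-path>", re.S)


def make_sample_war(path):
    """Constructed stand-in for ebs.war; the real archive has more files."""
    xml = ('<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">'
           "<session-descriptor><cookie-path>/ebs</cookie-path></session-descriptor>"
           "</weblogic-web-app>")
    with zipfile.ZipFile(path, "w") as war:
        war.writestr(DESCRIPTOR, xml)
        war.writestr("index.html", "placeholder")


def repackage(src_war, dst_war):
    """Copy src_war to dst_war, setting cookie-path to the new context."""
    context = "/" + Path(dst_war).stem  # assumption: context root = WAR file name
    patched = 0
    with zipfile.ZipFile(src_war) as src, zipfile.ZipFile(dst_war, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == DESCRIPTOR:
                text, patched = COOKIE_PATH.subn(
                    f"<cookie-path>{context}</cookie-path>", data.decode("utf-8"))
                data = text.encode("utf-8")
            dst.writestr(item, data)
    if patched != 1:  # refuse to leave a WAR with an unscoped session cookie
        Path(dst_war).unlink()
        raise ValueError(f"expected one <cookie-path> in {DESCRIPTOR}, found {patched}")
    return context


def cookie_path(war):
    """Return the cookie-path configured inside a WAR, or None if unset."""
    with zipfile.ZipFile(war) as archive:
        match = COOKIE_PATH.search(archive.read(DESCRIPTOR).decode("utf-8"))
    return match.group(1) if match else None


def audit(wars):
    """List WARs whose cookie-path is not their own context or is shared."""
    seen, flagged = set(), []
    for war in map(Path, wars):
        path = cookie_path(war)
        if path != "/" + war.stem or path in seen:
            flagged.append(war.name)
        seen.add(path)
    return flagged
```

Run `audit` over every asserter WAR destined for the same managed server; a WAR that was renamed but not re-scoped is returned by name.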