Multiple LDAPs Implementation with EBS using OID and OAM

1. Gaurav Verma and Ramandeep Singh
4th November,2017
Integration of
Multiple LDAP
with EBS Suite
using OAM-
OID and Best
Practices

2. Introduction to SNET
Business Case
Why OAM?
Implementation Roadmap
Authentication/Authorization
Approaches to integrate Multiple LDAPs
Extending EBS SSO solution with AD
Best Practices
Agenda

3. Solutions Network -SNET
The SNET is an integrated technology center of
expertise with highly skilled technical resources.
We enable our practices to sell and deliver client
projects, to drive innovation, and enable our
practitioners with the right skills at the right place
at the right time.
• Delivery support — host and manage client
projects; provide advisory and in-depth experience
through flexible consulting service offerings
• Sales support — helps with RPF responses,
proposal development, oral presentations, client
demonstrations, proof-of-concepts, product
evaluations, and resale.
• Solutions development — design, develop, deploy,
and manage technical aspects of solution portfolios
• Practice enablement — provide learning
environments, technical white papers, and knowledge
transfer sessions to help Deloitte practitioners
enhance their skills
Our Services
• Reduce delivery costs
• Improve quality
• Reduce risk
• Accelerate project startup
• Repeatable procedures
• Increase reliability
• Develop and deploy innovation
• Grow skills
• Apply demonstrated track record
Our Values
GAURAV VERMA
Oracle EBS Consultant with 6+ Year of
experience Worked on several E-Business
Suite and FMW suite. Client handling
experience with focus on delivering
solutions to provide best practices and
industry standards based solution
RAMANDEEP SINGH
Oracle EBS Consultant having 5+ years of
experience as an Oracle APPS DBA.
Worked on various End to
End implementations, upgrade &
support projects spanning across multiple
oracle Products

4. Business Cases
Organizations with large number of users
provisioned over multiple applications
Merger between two organizations
Federation across partners

5. Implementation of the SSO
solution with IDM suites
Scenario 1

6. Oracle Access Manager
Mobile and Social Sign-On/ Real-Time
External
• Provides seamless single sign-on across
native and Web applications on mobile
devices
• Enables low-value enterprise and consumer-
facing applications to consume identities
• Provides real-time external authorization for
applications, middleware, and databases
with enterprise-class scalability and
granular security
• Provide out-of-the-box integration with a
variety of native, custom, and third-party
applications, application servers
Web Access Management, Web Single Sign-
On, Identity Propagation, and Federation
• Provides centralized, policy-based
authentication.
• Provides seamless single sign-on to enterprise
resources.
• Enables on-boarding of partners and service
providers.
• Provides standards-based secure propagation of
identity across applications and Web services

7. Access System Components
OAM
Accessgate
OIDWebgate
OID: Oracle Internet Directory is a LDAP compliant directory
with meta-directory capabilities. It is built on Oracle database and
is fully integrated into Oracle Fusion Middleware and Oracle
Applications. Thus, it is ideally suited for Oracle environments or
enterprises with Oracle database expertise.
Webgate: Webgate is a web-server plug-in for Oracle Access
Manager (OAM) that intercepts HTTP requests and forwards them
to the Access Server for authentication and authorization
Access Gate: Oracle E-Business Suite AccessGate is a Java EE
application that is deployed to a WebLogic Server instance, and
works in conjunction with Oracle Access Manager and Oracle
Internet Directory (OID) to enable single sign-on capabilities for
your enterprise

8. Authentication and Authorization
• Authentication is the process of
verifying the identity of a user by
obtaining some sort of credentials
and using those credentials to verify
the user's identity. If the credentials
are valid, the authorization process
starts. Authentication process
generally proceeds to Authorization
process.
• Authorization is the process of
allowing an authenticated users to
access the resources by checking
whether the user has access rights to
the system. Authorization helps you
to control access rights by granting or
denying specific permissions to an
authenticated user.

9. User Validation Flow

10. Implementation Roadmap
Install and
configure OID
Integrate
OID with EBS
Configure
Webgate and
Accessgate
Install and
configure OAM
Integrate
OAM-OID-EBS
User
Provisioning
OID
RCU
Database
Weblogic
Start adop cycle
Registration Script
Apply AD TXK
Webgate
Bundle Patches
Accessgate
OAM
Weblogic Domain
Bundle Patches
Security Store
Start adop cycle
Registration Script
Set Profiles
Set Profiles
User Provisioning.
• Run RCU 11.1.1.9
• Install WebLogic
Server 10.3.6 (Full
Installer)
• Install OID
• Apply Required
Patch for Oracle
Directory
Integration
Platform
• Apply Required
Updates to Oracle
E-Business Suite
• Configure OID
• Start Online
patching cycle in
EBS
• Run Registration
script on Patch file
system
• End adop session
• Apply latest AD TXK
patches to EBS 12.2
• Install Oracle Access
Webgate
• Apply Bundle Patches
on Access Webgate
• Deploy Accessgate on
EBS
• Install OAM software
• Create Weblogic
Domain
• Apply bundle patches
• Configure Database
Security store.
• Start Online
patching cycle in
EBS
• Run Registration
script on Patch file
system
• End adop session
• Run fs_clone
• Test SSO login
page during EBS
login
• Export user from EBS
into ldif file format
• Set Profiles in EBS
• Validate and remove
duplicate entries from
the exported ldif file
• Import the user in OID
Repository
* Reference from Oracle notes

11. Extending EBS SSO solution
with multiple LDAPS
Scenario 2

12. User Provisioning and Reconciliation
Provisioning is a process by which an action to create,
modify, or delete user information in an external resource
is initiated from Oracle Identity Manager and passed into
the resource. In terms of data flow, provisioning provides
an outward flow of user information from Oracle Identity
Manager. The provisioning system communicates with the
external resource and specifies changes to make to the
user record residing in it.
Reconciliation is a process by which an action to create,
modify, or delete user information for a designated
resource is initiated from another external resource.
Oracle Identity Manager communicates with this external
resource to receive user information. In terms of data flow,
reconciliation provides an inward flow of user information
into Oracle Identity Manager, through which it learns about
the activity on the external resource.

13. Why only OID/OUD?
The E-Business Suite has hardcoded dependencies upon Oracle Internet Directory function calls that handle these
synchronous account creation tasks. These function calls are specific to Oracle Internet Directory; it isn't possible to replace
Oracle Internet Directory with a generic third-party LDAP directory and still preserve this functionality.
Synchronous user account
creation
•Users of all of EBS application
modules expect to be able to
register for a new account and
use it immediately. This means
EBS application modules that
support self-registration must
create user accounts
synchronously.
•A new account must be created
within the E-Business Suite and
the externalized directory at the
same time, on demand.
Dependency on Oracle GUIDs
•The E-Business Suite has
hardcoded functions to handle the
mapping of these Global Unique
Identifiers between Oracle Access
Manager and the E-Business
Suite. These mapping functions
are specific to Oracle Internet
Directory it isn't possible to
replace Oracle Internet Directory
with a generic third-party LDAP
directory and still preserve this
functionality.

14. Approaches for OAM in case of multiple LDAP
• Oracle Virtual Directory (OVD): Oracle Virtual Directory is an LDAP
service that provides a single, abstracted view of enterprise directory
servers and databases from a variety of vendors.
• Oracle Directory Integration Platform (DIP): The Oracle Directory
Integration Platform enables you to synchronize Oracle Internet
Directory data with other data sources.

15. Implementation Roadmap
• System with active
directory
• Install and
configure DIP
• Create import
profile in DIP
• Sync the data
from AD to OID
using import
profile
• Sync the data
from AD to OID
using import
profile
Oracle E-Business Suite integrated with Oracle access
manager using OID Install and configure Active
Directory
Oracle E-Business suite
using two LDAPs OID and
AD

16. User validation flow

17. Architectural Considerations
PROVISIONING
• Unidirectional Provisioning
• From Oracle Internet Directory
to Oracle E-Business Suite only
• From Oracle E-Business Suite to
Oracle Internet Directory only
• Bi-Directional Provisioning
• From Oracle Internet Directory
to Oracle E-Business Suite
• From Oracle E-Business Suite to
Oracle Internet Directory
Corporate User
Repositories
• Microsoft Active Directory
• LDAPs
• Databases
Authorization and
Upgrade
• EBS responsibilities are managed
within EBS
• Existing environment can
upgrade from OSSO to OAM

18. Best Practices
SSO Infrastructure
END to END SSL
Active Directory
• High Availability
• Disaster Recovery Environment
• Performance Considerations
• Dedicated Hardware to Improve
Reliability
• Configure a Single Idle Timeout for
the Entire Oracle Access Manager
Deployment
• Encrypt all HTTP and LDAP Traffic
• TLS 1.2/TLS 1.1
• Consider Deploying Webgate On
Reverse Proxies to Simplify
Management
• Use LDAP Over SSL Rather than
ADSI When Connecting to Microsoft
Active Directory
• When Deploying on top of Microsoft
Active Directory, Fine Tune the
Appropriate Active Directory
Configuration Parameters

19. Q & A