Blog | Sep 22, 2014

Oracle Access Manager 11g with EBS R12 – An overview

Many of us already use single sign-on (SSO) with our existing applications and may be looking for a better, centralized solution to meet business requirements. You might be facing several access issues; with Oracle Access Manager (OAM) 11g you can get rid of them, as OAM has many features to address them and is also very easy to implement. In this blog, we give a brief overview of the various OAM components and the basic architecture.

OAM is a web access management system that provides a single, secure point of entry where a user’s identity can be verified and access to enterprise resources can be managed. As a comprehensive identity management and access control system, it simplifies user access across different applications. It is a rapidly growing Oracle Single Sign-on (OSSO) solution for all IT projects. A few of the important features that OAM 11gR2 supports are given below:

• Centralized policy administration
• Centralized agent management
• Simplified web single sign-on (SSO)
• Authentication and authorization
• Advanced session management
• Identity assertion service
• Native password management
• Comprehensive auditing and logging
• Windows Native Authentication

We can integrate OAM with Oracle E-Business Suite (EBS) environments and leverage the above-mentioned features easily. Please note that integration with Oracle Access Manager involves components spanning several different Oracle product suites. There are no restrictions on which platform any particular component may be installed, as long as the platform is supported for that component.

The picture below depicts the components involved in the EBS R12 integration with OAM 11gR2 along with the flow of authentication, authorization and presentation of the resources accessed through OAM.

Image Source: (http://onlineappsdba.com/index.php/2011/05/06/oracle-access-manager-11g-is-now-certified-with-e-business-suite-apps-r12/)

Here are short descriptions of the various components involved in the integration of EBS R12 with OAM 11gR2:

OAM 11g WebGate: WebGates are Java-based agents that are deployed on web servers (particularly Oracle HTTP Server (OHS)). The OAM 11g WebGate intercepts a request and determines whether the resource is protected; if it is, the server returns a response with the authentication scheme that is required to authenticate the user. The WebGate sends a response to the OAM, which in turn captures the credentials using a credential collector (which uses a simple login page) and authenticates the session using the Oracle Internet Directory (OID) server. By default, the 11g WebGate denies all resource access and asks for authentication unless the resource is explicitly defined as public (this feature was not available in the 10g WebGates).

EBS AccessGate: EBS AccessGate uses the header variables sent from the SSO system to create the native user session. It expects the SSO system to return the orclguid and the EBS username (stored as a user attribute in the SSO user store) in the two header variables USER_ORCLGUID and USER_NAME respectively. It links the local user in the FND_USER table, adds a subscription for local users to SSO in OID, and redirects the authenticated user to EBS.

OAM Server: OAM is the service component at the foundation of Oracle Access Management. It provides the core functionality of Web SSO, authentication, coarse authorization, centralized policy administration/agent management, and real-time session management along with auditing. It uses Oracle Platform Security Services (OPSS) for uniform security, identity management and audit services. Communication between OAM and the WebGate uses the ‘Oracle Access Protocol’, and communication between OAM and the Directory Server (OID) uses the Lightweight Directory Access Protocol (LDAP).

Oracle Internet Directory (OID): Oracle Internet Directory is configured as the Identity Store. It is a user provisioning and administration solution that automates user account management. OID manages identities and controls access to resources together with Oracle Access Manager. All the required containers for mapping Organization Units (OUs) need to be created beforehand; a Lightweight Directory Access Protocol (LDAP) sync profile and a Directory Integration Platform (DIP) profile are then used to sync OID with the third-party Active Directory (AD), such as Microsoft’s Active Directory.
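The hand-off between the WebGate and the EBS AccessGate described above, modelled in Python as an added example (this is not Oracle's code and does not use any OAM or EBS API). The resource paths, the SSO token, the directory entry, the FND_USER row, the stripping of client-supplied identity headers and the refusal on a GUID mismatch are assumptions of this model; only the header names USER_NAME and USER_ORCLGUID come from the text.

```python
"""Toy model of the WebGate -> EBS AccessGate flow (added example, not Oracle code)."""

IDENTITY_HEADERS = ("USER_NAME", "USER_ORCLGUID")  # header names from the article
PUBLIC_RESOURCES = {"/OA_HTML/public.html"}         # hypothetical public resource
# Constructed sample data: one SSO identity and one local EBS user row.
DIRECTORY = {"sso-token-1": {"USER_NAME": "JSMITH", "USER_ORCLGUID": "A1B2C3"}}
FND_USER = {"JSMITH": {"user_guid": None}}


def webgate(path, headers, sso_token=None):
    """Return (decision, headers forwarded to the AccessGate)."""
    # Assumption: identity headers sent by the client are dropped, so only
    # values set after authentication can reach the AccessGate.
    forwarded = {k: v for k, v in headers.items()
                 if k.upper() not in IDENTITY_HEADERS}
    if path in PUBLIC_RESOURCES:
        return "ALLOW_PUBLIC", forwarded
    identity = DIRECTORY.get(sso_token)
    if identity is None:
        # Default deny: anything not explicitly public needs authentication.
        return "REDIRECT_TO_LOGIN", {}
    forwarded.update(identity)
    return "ALLOW_AUTHENTICATED", forwarded


def accessgate(headers):
    """Create a native EBS session from the two asserted headers, or refuse."""
    name = headers.get("USER_NAME")
    guid = headers.get("USER_ORCLGUID")
    if not name or not guid:
        return None                      # both headers are required
    row = FND_USER.get(name)
    if row is None:
        return None                      # no local user to link
    if row["user_guid"] is None:
        row["user_guid"] = guid          # first login: link local user to SSO
    elif row["user_guid"] != guid:
        return None                      # assumption: refuse on GUID mismatch
    return {"ebs_user": name, "guid": guid}
```

In a deployment following this model, the AccessGate should be reachable only through the WebGate-protected web server, since it trusts whatever arrives in those two headers.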

Conclusion:
Oracle Access Manager is a centralized solution for diverse applications with SSO requirements. Because it segregates tasks among its associated components, it is a very effective and valuable product, something that was lacking in earlier SSO solutions. Thanks to its array of features, it has made access to different applications not only simpler but also more secure.

In the next blog we will elaborate on the various aspects of OAM and its utility.

About TriCore Solutions
TriCore Solutions, the application management experts, provides a full suite of scalable and reliable managed application, cloud, infrastructure hosting, and consulting services to enterprise organizations. The company delivers its services and the TriCore Trusted Promise to more than 250 companies worldwide to reduce costs, raise service levels, improve customer experience, increase business agility, and accelerate innovation, unlocking the business value from their IT investments. TriCore Solutions is headquartered in Boston, MA, with offices in India and throughout North America.