Oracle EBS On-Premise

Oracle E-Business Suite (Oracle EBS) is a comprehensive suite of integrated, global business applications that enable organizations to make better decisions, reduce costs, and increase performance. To configure Oracle EBS On-Premise with Centrify for single sign-on (SSO), Oracle EBS must be configured with Oracle Access Manager, and Oracle Access Manager is then configured with Centrify Admin Portal.

This guide assumes that Oracle EBS has already been configured with Oracle Access Manager, and provides instructions for configuring Oracle Access Manager for single sign-on via SAML.

The following is an overview of the steps required to configure Oracle Access Manager for single sign-on (SSO) via SAML. Oracle Access Manager offers both IdP-initiated SAML SSO (for SSO access through the user portal) and SP-initiated SAML SSO (for SSO access directly through the Oracle Access Manager). You can configure Oracle Access Manager for either or both types of SSO.

Note This document is written for SAML 2.0 SSO with Oracle Access Manager 11g Release 2 (11.1.2.3.0) and Oracle E-Business Suite 12.2.5. If you are not using these versions, your interface may differ from the descriptions in this document.

1 Prepare Oracle EBS On-Premise for single sign-on (see Oracle EBS On-Premise requirements for SSO).

2 In the Centrify Admin Portal, add the application and start configuring application settings.

1

Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configuring Oracle EBS On-Premise in Admin Portal (Part 1).

3 Configure Oracle Access Manager for single sign-on.

For details, Configuring Oracle Access Manager as a service provider

4 Finish configuring application settings in the Admin Portal.

Finish configuring the application settings. For details, see Configuring Oracle EBS On-Premise in Admin Portal (Part 2).

Preparing for Configuration

Oracle EBS On-Premise requirements for SSO

Before you configure the Oracle EBS On-Premise for SSO, you need the following: Oracle EBS installed.

Oracle Access Manager installed.

Oracle EBS is configured with Oracle Access Manager with the help of Oracle AccessGate and WebGate. For more information, see document id 1576425.1 on https://support.oracle.com.

Users are able to do SSO with Oracle EBS using Oracle Access Manager.

A signed certificate.

You can either download one from Admin Portal or use your organization’s trusted certificate with a private key embedded in .pfx or .p12 format and upload this certificate in Admin Portal. This decision must be made before you download Identity Provider metadata.

Setting up the certificates for SSO

To establish a trusted connection between the web application and the Centrify Directory Service, you need to have the same signing certificate in both the application and the application settings in Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.

Note The uploaded certificate will be shared with Oracle Access Manager through Centrify metadata.

• 2

What you need to know about Oracle EBS with Oracle Access Manager

Each SAML application is different. The following table lists features and functionality specific to Oracle Access Manager.

Configuring Oracle EBS On-Premise in Admin Portal (Part 1)

To add and configure the Oracle EBS On-Premise application in Admin Portal:

1 In Admin Portal, click Apps, then click Add Web Apps.

The Add Web Apps screen appears.

Capability Supported? Support details

Web browser client Yes

Mobile client No

SAML 2.0 Yes

SP-initiated SSO Yes

IdP-initiated SSO Yes To use IdP-initiated SSO, configuration must be done at Oracle Access Manager. For details, see Configuring Oracle Access Manager for IdP-initiated flow.

Force user login via SSO only No Users can log in using a separate local login URL that follows this form: <http://<ebs_server>:<port>/OA_HTML/AppsLocalLogin.jsp>

Separate administrator login after SSO is enabled

Yes System administrator can log in using a separate URL that follows this form: <http://<ebs_server>:<port>/OA_HTML/AppsLocalLogin.jsp>

User or Administrator lockout risk No Users can log in using a separate local login URL that follows this form: <http://<ebs_server>:<port>/OA_HTML/AppsLocalLogin.jsp>

Automatic user provisioning Yes

Multiple User Types Yes Admin user

End users

Self-service password Yes Users can reset their own passwords.

Access restriction using a corporate IP range

Yes You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.

Admin Portal user’s guide 3

2 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

3 Next to the application, click Add.

4 In the Add Web App screen, click Yes to confirm.

Admin Portal adds the application.

5 Click Close to exit the Application Catalog.

The application that you just added opens to the Settings page.

6 Click the Trust page to begin configuring the application.

The UI is evolving in order to simplify application configuration. For example, many of the settings previously found on the Application Settings page are now on the Trust page.

• 4

You might have to select Manual Configuration to expose those settings, as shown in the following example.

Any previously configured applications retain their configuration and do not require reconfiguration. If you are configuring an application for the first time, refer to the Trust page for any settings previously found on the Application Settings page.

In addition, the description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.

1

2 Configure the following:

3 Click Download Identity Provider SAML Meta Data and save the file on your computer.

Field Set it to What you do

Assertion Consumer Service URL This field is auto-populated once the user uploads the SP Metadata provided by Oracle Access Manager

n/a

Admin Portal user’s guide 5

You will need to access this file when Configuring Oracle Access Manager as a service provider.

4 (Optional) On the Settings page, click Enable Derived Credentials for this app on enrolled devices (opens in built-in browser) to use derived credentials on enrolled mobile devices to authenticate with this application.

For more information, see Derived Credentials.

5 On the Settings page, specify the following settings:

Option Description

Category Specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

Application ID Configure the Application ID field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The Centrify Directory Service uses the Application ID to provide single sign-on to mobile applications. Note the following:

• The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

• There can only be one SAML application deployed with the name used by the mobile application.

The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Show in User app list Specifies whether this web application displays in the user portal. By default, this option is selected.

• 6

6 (Optional) On the Settings page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

7 On the User Access page, select the role(s) that represent the users and groups that have access to the application.

When assigning an application to a role, select either Automatic Install or Optional Install:

Select Automatic Install for applications that you want to appear automatically for users.

If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.

Admin Portal user’s guide 7

8 (Optional) On the Policy page, specify additional authentication controls for this application.

a Click Add Rule.The Authentication Rule window displays.

• 8

b Click Add Filter on the Authentication Rule window.

c Define the filter and condition using the drop-down boxes.For example, you can create a rule that requires a specific authentication method when users access the Centrify Directory Service from an IP address that is outside of your corporate IP range. Supported filters are:

Filter Description

IP Address The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Corporate IP Range.

Identity Cookie The authentication factor is the cookie that is embedded in the current browser by the directory service after the user has successfully logged in.

Day of Week The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.

Date The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.

Date Range The authentication factor is a specific date range.

Time Range The authentication factor is a specific time range in hours and minutes.

Device OS The authentication factor is the device operating system.

Browser The authentication factor is the browser used for opening the Centrify Identity Services user portal.

Admin Portal user’s guide 9

d Click the Add button associated with the filter and condition.

e Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down.The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Creating authentication profiles.

f Click OK.

g (Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions.If you have no authentication rules configured and you select Not Allowed in the Default Profile dropdown, users will not be able to log in to the service.

h Click Save.If you have more than one authentication rule, you can prioritize them on the Policy page. You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require

Country The authentication factor is the country based on the IP address of the user computer.

Risk Level The authentication factor is the risk level of the user logging on to user portal. For example, a user attempting to log in to Centrify Identity Services from an unfamiliar location can be prompted to enter a password and text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. This Risk Level filter, requires additional licenses. If you do not see this filter, contact Centrify Identity Services support. The supported risk levels are:

• Non Detected -- No abnormal activities are detected.

• Low -- Some aspects of the requested identity activity are abnormal. Remediation action or simple warning notification can be raised depending on the policy setup.

• Medium -- Many aspects of the requested identity activity are abnormal. Remediation action or simple warning notification can be raised depending on the policy setup.

• High -- Strong indicators that the requested identity activity is anomaly and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.

• Unknown -- Not enough user behavior activities (frequency of system use by the user and length of time user has been in the system) have been collected.

Managed Devices The authentication factor is the designation of the device as “managed” or not. A device is considered “managed” if it is managed by Centrify Identity Services, or if it has a trusted certificate authority (CA has been uploaded to tenant).

For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.

Filter Description

• 10

additional authentication methods. For details, see Application access policies with JavaScript.

Note If you left the Apps section of Admin Portal to specify additional authentication control, you will need to return to the Apps section before continuing by clicking Apps at the top of the page in Admin Portal.

9 On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.

The options are as follows:

Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify Directory.

Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:LoginUser.Username = LoginUser.Get('mail')+'.ad';

The above script instructs the Centrify Directory Service to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the

Admin Portal user’s guide 11

user’s mail attribute value is Adele.Darwin@acme.com then the Centrify Directory Service uses Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting.

Note Oracle EBS supports SAML assertion based on the email address value or the username. The default template for the Oracle EBS XS app is configured to use the email address. The attribute used for this purpose is mail.

10 (Optional) On the SAML Response page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting.

11 (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

12 (Optional) Click Workflow to set up a request and approval work flow for this application.

The Workflow feature is a premium feature and is available only in the Centrify Identity Services App+ Edition. See Configuring Workflow for more information.

13 Click Save.

Configuring Oracle Access Manager as a service providerThe following is an overview of the steps required to configure Oracle Access Manager as a service provider.

1 Enable identity federation (see Enabling Identity Federation).

2 Create remote identity provider partners (see Creating remote identity provider partners).

3 Configure Oracle Access Manager for IdP-initiated flow (see Configuring Oracle Access Manager for IdP-initiated flow).

4 Configure Oracle Access Manager for automatic user provisioning (see Configuring Oracle Access Manager for automatic user provisioning).

5 Export metadata (see Exporting Metadata).

Enabling Identity Federation

To enable the Identity Federation service with Oracle Access Manager:

1 Log in to the Oracle Access Management Console using your server name and port number:http://<oam_server>:<port>/oamconsole/

• 12

2 On the Welcome page go to Configuration > Available Services.

3 Confirm that the green status check mark displays next to Access Manager; if it does not, click Enable.

4 Confirm that the green status check mark displays next to Identity Federation; if it does not, click Enable.

For more information, see https://docs.oracle.com/cd/E52734_01/oam/AIAAG/oif_1.htm#AIAAG6499

Creating remote identity provider partners

To create a remote identity provider partner:

1 In the Oracle Access Management Console, click Federation at the top of the window and click the Service Provider Management link.

2 Click the Create Identity Provider Partner from the Create (+) drop-down list.

3 In the General section, enter a Name for your IdP, e.g., CentrifyIdP.

4 Set Enable Partner to Yes.

5 Set Default Identity Provider Partner to Yes.

6 Under Service Information, select SAML 2.0 from the Select Protocol drop-down menu.

Admin Portal user’s guide 13

7 In the Service Details field, select Load from provider metadata, and a new field named Metadata File appears.

8 Click Browse.

9 Select the metadata file that you downloaded in Configuring Oracle EBS On-Premise in Admin Portal (Part 1).

10 Under Mapping Options, select User Identity Store from the drop-down menu.

11 Select Map assertion Name ID to User ID Store and set its value to: mail.

12 Click Save to create the Identity Provider definition.

For more information, see https://docs.oracle.com/cd/E52734_01/oam/AIAAG/oif_srv_prvdr.htm#AIAAG6511

Configuring Oracle Access Manager for IdP-initiated flow

To configure Oracle Access Manager for IdP-initiated flow:

1 Log in to Oracle Access Manager using SSH client, where <machine_user> is the user than installed Oracle Access Manager and <machine_IP> is the IP address for the machine where Oracle Access Manager is installed:ssh <machine_user>@<machine_IP>

2 In the shell window, enter the following set of commands in order, substituting values as shown in the Definitions column:

Command Definitions:

cd <WLST_Path> <WLST_Path> = <OAM_INSTALL_DIR>/common/bin

where <OAM_INSTALL_DIR> is the directory where Oracle Access Manager is installed.

./wlst.sh

connect ('<username>','<password>','t3://

<oam_server>:<oam_port>')<username> = Oracle Access Manager console username.

<password> = Oracle Access Manager console password.

<oam_server> = Oracle Access Manager fully qualified domain name.

<oam_port> = Port where Oracle Access Manager is accessed.

• 14

Configuring Oracle Access Manager for automatic user provisioning

To configure Oracle Access Manager for automatic user provisioning, enable the default provisioning plug-in from the plug-in configuration interface as described in this section.

To configure Oracle Access Manager for automatic user provisioning:

1 Log in to Oracle Access Manager Console and click on Plug-ins.

2 Select FedUserProvisioningPlugin.

3 (Optional) In the configuration parameters tab, set one or more of the following parameters:-

4 Log in to Oracle Access Manager using SSH client, where <machine_user> is the user than installed Oracle Access Manager and <machine_IP> is the IP address for the machine where Oracle Access Manager is installed:ssh <machine_user>@<machine_IP>

5 Enable user provisioning with the default plug-in by executing the WLST command:

domainRuntime()

updatePartnerProperty('<partner name>',

'idp', 'providerrelaystate', 'http://<ebs_server>:<ebs_port>/OA_HTML/

AppsLogin', 'string')

<partner name> = The partner name provided for Creating Remote Identity Provider Partners, e.g., CentrifyIdP.

<ebs_server> = Fully Qualified Domain Name of the machine where Oracle EBS On-Premise is installed.

<ebs_port> = Port to access Oracle EBS On-Premise Application.

Parameter Definition

KEY_USER_RECORD_ATTRIBUTE_LIST The list of attributes with which the user should be provisioned. These attributes are available as part of the assertion, for example: mail.

KEY_PROVIDERID_ATTRIBUTE_NAME The tenant ID attribute name in the identity store which Identity Federation populates at run-time with the tenant name.

KEY_USERID_ATTRIBUTE_NAME The attribute name to use for the userid value from the assertion attributes.

Command Definitions:

cd <WLST_Path> <WLST_Path> = <OAM_INSTALL_DIR>/common/bin

where <OAM_INSTALL_DIR> is the directory where Oracle Access Manager is installed.

./wlst.sh

Command Definitions:

Admin Portal user’s guide 15

For more details, see https://docs.oracle.com/cd/E52734_01/oam/AIAAG/oif_policies.htm#AIAAG8208

Exporting Metadata

Before exporting Metadata, it is important to complete all the steps in the previous sections: Enabling Identity Federation, Creating remote identity provider partners, Configuring Oracle Access Manager for IdP-initiated flow, and Configuring Oracle Access Manager for automatic user provisioning.

To export metadata:

1 Open the Oracle Access Manager Console and click Configuration at the top of the window to open the Configuration console.

2 In the Settings section, select Federation from the drop-down list to open the Federation Settings page

3 Click Export SAML 2.0 Metadata to download the Metadata file to your browser’s default download folder.

Configuring Oracle EBS On-Premise in Admin Portal (Part 2)

To finish configuring Oracle EBS On-Premise in Admin Portal:

1 Return to the browser tab you were using to work in the Admin Portal in Configuring Oracle EBS On-Premise in Admin Portal (Part 1) and navigate to the Application Settings screen of your Oracle EBS On-Premise app.

2 Click Upload SP Metadata and choose the Metadata file you downloaded from the Oracle Access Manager Console.

connect ('<username>','<password>','t3://

<oam_server>:<oam_port>')<username> = Oracle Access Manager console username.

<password> = Oracle Access Manager console password.

<oam_server> = Oracle Access Manager fully qualified domain name.

<oam_port> = Port where Oracle Access Manager is accessed.

domainRuntime()

putBooleanProperty("/fedserverconfig/

userprovisioningenabled","true")

Command Definitions:

• 16

Note The Assertion Consumer Service URL and the Advanced Script will be automatically updated when you upload the metadata file. All existing data in the Advanced Script will be overwritten.

3 Verify that the configuration id done in the Application Settings and Advanced pages as described in Configuring Oracle EBS On-Premise in Admin Portal (Part 1).

For more information about Oracle Access ManagerGo to the support page of Oracle Access Manager for more information about configuring Oracle Access Manager for SAML SSO:

https://docs.oracle.com/cd/E52734_01/oam/AIAAG/sso.htm#AIAAG296

Admin Portal user’s guide 17

• 18