Tuesday, September 16, 2008

Oracle E-Business Suite Login Integration with Corporate LDAP

Introduction

I am currently working on a new project to integrate Oracle E-Business Suite login information with the corporate LDAP directory (in our case Microsoft Active Directory). This provides Single Sign On (SSO) for Oracle Applications. Instead of storing user login credentials in a local Oracle database table, users log in to the Oracle Applications website directly with their Windows NT credentials. SSO lets users log in to their enterprise assets with a single username/password across the enterprise, which removes the need to register separately for each IT application and greatly simplifies access. In our organization, the enterprise user credential repository is the corporate LDAP directory (MS Active Directory). Oracle E-Business Suite uses OID (Oracle's LDAP implementation) to integrate with MS Active Directory (Microsoft's LDAP implementation). External users and vendors who use applications such as iSupplier and Procurement, however, will continue to be authenticated against the local Oracle database table, because they are not enterprise users.

Architecture

All the details are available in the Proof-of-Concept architecture diagram attached above. Click on it for the full-sized image. I am currently still working on the Proof-of-Concept setup before finalizing the final architecture. The final architecture will have advanced features such as High Availability through Real Application Clusters for the OID database, OID LDAP replication, and an Oracle AS Cluster for the SSO login servers.
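As an added illustration of the split described in the introduction (example code written for this page, not the post's own configuration and not Oracle's plugin), the Python below routes each login to one of two credential sources: enterprise accounts go to a stand-in for the directory bind that OID's external authentication plugin performs against AD, while external vendor accounts are verified against a local table of salted PBKDF2 hashes, the way the post keeps iSupplier users on the local Oracle table. The in-memory directory, the local user table and the names jdoe and vendor1 are constructed samples and assumptions of the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000

# Stand-in for the corporate directory (AD reached through OID's external
# authentication plugin). A real deployment issues an LDAP simple bind over
# LDAPS here; this constructed dict exists only so the example runs offline.
CORPORATE_DIRECTORY = {
    "jdoe": "Winter2008!",  # constructed sample credential
}


def directory_bind(username: str, password: str) -> bool:
    """Simulate an LDAP simple bind: success only if the credential matches."""
    stored = CORPORATE_DIRECTORY.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def make_local_record(password: str) -> dict:
    """Create a salted PBKDF2-HMAC-SHA256 record for the local user table."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_local(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


# Local table of external (non-enterprise) users such as iSupplier vendors.
LOCAL_USERS = {
    "vendor1": make_local_record("Supplier#42"),  # constructed sample
}

# Which credential source each login name is routed to.
AUTH_SOURCE = {
    "jdoe": "ldap",
    "vendor1": "local",
}

# Dummy record so an unknown login name costs the same PBKDF2 work as a real
# local user and the response time does not reveal which names exist.
_DUMMY_RECORD = make_local_record(os.urandom(16).hex())


def authenticate(username: str, password: str) -> bool:
    """Return True only when the password is valid for the user's own source."""
    # Refuse an empty password before any bind is attempted: many LDAP servers
    # treat a bind with an empty password as an anonymous bind and report
    # success, which would accept any directory user without a password.
    if not password:
        return False
    source = AUTH_SOURCE.get(username)
    if source == "ldap":
        return directory_bind(username, password)
    if source == "local":
        return verify_local(LOCAL_USERS[username], password)
    verify_local(_DUMMY_RECORD, password)
    return False


if __name__ == "__main__":
    for user, pw in [("jdoe", "Winter2008!"), ("jdoe", ""), ("vendor1", "Supplier#42")]:
        print(user, authenticate(user, pw))
```

Two design points carry over to the real setup: the enterprise user's password never lands in the Oracle database, only the bind result does, and the empty-password check belongs in front of the directory bind rather than relying on the directory to reject it.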

18 comments:

Anonymous said...

So how is the authentication done against AD, bind with credentials over SSL?

DBA University Blog said...

Yes. You use an external authentication plugin using the 'dipassistant ea' command.

'ea' stands for external authentication. You can use SSL or NON-SSL.

Anonymous said...

Hi Srinivas,
Have you implemented integrating OIM with OID. If so can you share some documentation around it.

Thanks
Rakesh

Anonymous said...

Hi,
Can you please share your documentation?

DBA University Blog said...

What kind of documentation you need ?

If it is an issue that you are facing, then I can help. I cannot share work related documentation. I used the Oracle documentation as the source and then added customization and other configuration/issue fixes that are relevant to our implementation.

-Srinivas

Indika said...

Hi Srinivas,

I am new to Oracle EBS, and need to integrate the MS Active directory to Oracle R12. Oracle EBS is running on a Linux machine.

I have read and tried some mechanisms but didn't succeed, and read some docs regarding OID and LDAP as well, but no progress.

I really appreciate if you can guide me on how to get this done.

Indika

DBA University Blog said...

Indika,

What kind of integration are you trying to accomplish? Is it uni-directional, i.e. user synchronization from MS Active Directory "to" Oracle R12 (one-way)? This is a complex and sensitive project and you cannot perform it in one day. For a 6000 user Oracle E-Business Suite, we completed the integration in 4 months (with a DEV, TEST and Production system).

To start with, please go through the "My Oracle Support" (Metalink) NOTE ID 376811.1

If you are getting specific errors during your project, you can post them as comments in this blog.

-Srinivas

Indika said...

Thanks Srinivas for the Metalink number given. It's really helping me to gain knowledge, and I am going through that. I found that OID is not running.

I tried to use the following command and start it.

$ORACLE_HOME/opmn/bin/opmnctl startall

It's giving me the following error:

opmnctl: starting opmn and all managed processes...
LPX-00202: could not open "/scratch/VIS1/inst/apps/VIS1_ct-oratraning/ora/10.1.2/opmn/conf/opmn.xml" (error 200)
XML parse failed: error 202.
LPX-00202: could not open "/scratch/VIS1/inst/apps/VIS1_ct-oratraning/ora/10.1.2/opmn/conf/opmn.xml" (error 200)
XML parse failed: error 202.
LPX-00202: could not open "/scratch/VIS1/inst/apps/VIS1_ct-oratraning/ora/10.1.2/opmn/conf/opmn.xml" (error 200)
XML parse failed: error 202.
opmnctl: opmn start failed

I can see that the file at that location is not available.

Any idea how I can overcome this?

thanks in advance

DBA University Blog said...

Indika,

You are using E-Business Suite (VIS1) to start your OID, which is wrong.

OID is a separate server by itself. You have to first install Oracle Identity Management (10g or 11g) and that will contain OID and SSO components.

Have you installed Oracle Identity Management (OID, SSO) server ?

-Thanks
Srinivas Ramineni

Indika said...

I am having a doubt on this, because R12 EBS says that OID is bundled with the EBS.

Is there any configuration that we have to do to get the OID daemon up and running, or do we have to install it from scratch, i.e. downloading OID and installing?

DBA University Blog said...

Indika,

I am not very sure about OID bundled in R12. I doubt it. I don't have access to an R12 instance now, so I cannot verify.

When you work with OID, you need the SSO server also. Both of these are in Oracle Identity Management. Yes, I believe you have to install these separately in an architecture similar to the one I showed in this post, and then follow the Metalink NOTE to integrate with R12.

-Thanks
Srinivas

Anonymous said...

Can I directly call a web service from MS AD without going through OID? In other words, why do I need OID if I already have MS AD?

DBA University Blog said...

You cannot. OID is Oracle's Gateway. You cannot use MS Active Directory without OID.

Ather Hussain said...

Hi Srinivas,

I want to integrate only OID to EBS.

My setup is like this, I have 2 servers:
1). EBS R12 (12.1.3)
2). Oracle DB (11.2.0.0)
both on Solaris 10 5/09 s10s_u7wos_08 SPARC

Kindly tell me, from where I have to start, which software and patches I need to download/apply on these servers.

Thank you,
Ather Hussain
atherhussain9@yahoo.com
Chennai - India

DBA University Blog said...

Ather,

This is a complete project. You need to check the relevant Oracle support NOTE ID (Oracle metalink note ID) and get things done.

-Srinivas

Umeshwar Thakur said...

Hi Srinivas,


Is there any way to connect Oracle with MS AD without really going for OID and OAM? All my reading suggests that it's not possible. Is there any workaround? The OAM license cost is very high for 8000 employees and it does not make sense to spend that much money.


Thanks
Umesh

Srinivas Ramineni said...

Umesh

Thanks for visiting our blog and asking the question. Can you check support.oracle.com? Please create a service request with Oracle support asking specifically whether they allow MS AD integration. Many things may have changed recently regarding Oracle Identity Management.

If it is not supported with AD, then I don't have any workaround.

Srinivas