Configure Oracle E-Business Suite (EBS) to use Oracle Identity Cloud Service for Single Sign-On (SSO)

Section 0: Before You Begin

This tutorial shows you how to configure Oracle E-Business Suite (EBS) to use Oracle Identity Cloud Service for authentication and password management purposes. This tutorial takes approximately 30 minutes to complete.

Background

Oracle E-Business Suite customers can integrate their environment with other cloud and non-cloud services in Single Sign-On (SSO) mode.

Oracle Identity Cloud Service provides a lightweight Java application, called Identity Cloud Service Asserter for E-Business Suite (EBS Asserter). With the E-Business Suite Asserter, you can implement SSO for Oracle e-Business Suite and other applications.

EBS Asserter main features:

  • Non-intrusive solution that doesn't require configuration changes in your Oracle e-Business Suite environment.
  • Needs to be deployed in Oracle WebLogic Server 12c Standard Edition using secure communications (SSL/TLS). Do not use Oracle WebLogic Server Enterprise Edition.
  • Multiple access modes for SSO with Oracle e-Business Suite:

    • Access Oracle e-Business Suite using the EBS Asserter’s direct URL link (bookmark)
    • Access Oracle e-Business Suite using Oracle Identity Cloud Service's My Apps page
    • Access Oracle e-Business Suite using the EBS Asserter's login using a redirect parameter
    • Access Oracle e-Business Suite using previously bookmarked Oracle EBS URLs

  • Supports Oracle e-Business Suite, EBS Asserter, and Oracle Identity Cloud Service Single logout.

Note: Your Oracle E-Business Suite must not be integrated with Oracle Access Manager, Oracle Internet Directory, or using any other SSO profile. If so, then remove the integration between these components and restart the servers before using the EBS Asserter.

What Do You Need?

  • Download the Oracle JRE/JDK version 8 or later.
  • Download the Java Cryptography Extension file for Java 8.
  • Access to an instance of Oracle Identity Cloud Service, rights to download the EBS Asserter from the console, and rights to register a confidential application.
  • Access to an instance of Oracle EBS Release 11i (11.5.10) or Release 12 (12.1.3, 12.2.4, or greater), with latest patch applied.
  • A separate instance of Oracle WebLogic Server 12c (12.1.3 and 12.2) using the Java SE Development Kit 8 or Java EE 8. Create a managed server named EBSAsserter_server to deploy the EBS Asserter Java application.
  • Download and extract the EBS Asserter zip file:
    • Access the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Downloads. On the Downloads page, click Download to download the Identity Cloud Service E-Business Suite Asserter, and then save the zip file to any folder on your desktop.
    • Extract the content of the EBS Asserter zip file on your desktop, and then find the location of the ebs.war and idcs-wallet-<version>.jar files.
    • Copy the ebs.war and idcs-wallet-<version>.jar files to a working folder on the EBS Asserter's WebLogic Server machine. For example, /opt/ebssdk (create this folder if it doesn't exist).

    Note: The name of the files may vary according to the version.

    Note: Make sure you downloaded at least EBS Asserter version 19.1.4-1.2.2+.

Note: The host names for the EBS Asserter's WebLogic server and Oracle E-Business Suite's application server must belong to the same domain for SSO to work.

Note: It is recommended that the EBS Asserter be accessed over SSL, since Oracle Identity Cloud Service can only be accessed over SSL. Failure to do so may cause SSO between Oracle Identity Cloud Service and the EBS Asserter to fail.

Note: Make sure the clock of the server where the EBS Asserter runs, and the clock of the server where EBS runs are synchronized.

Provide Environment Information

To proceed with this tutorial, make note of the following values. An example value for each appears in the corresponding field. These values are used by this document.

  • WebLogic Server host name for EBS Asserter:
  • WebLogic Server HTTPS address for EBS Asserter (Including port number if not default 443):
  • Oracle E-Business Suite host name:
  • Oracle E-Business Suite HTTPS address:
  • Oracle Identity Cloud Service HTTPS address (including port number if not using the default 443):
  • Oracle E-Business Suite Database name:
  • Oracle E-Business Suite Database host:
  • Oracle E-Business Suite Database port:
  • Oracle E-Business Suite "APPS" user's password:

Work with Multiple Oracle E-Business Suite Instances

For each Oracle E-Business Suite (EBS) instance, you configure and deploy one instance of the E-Business Suite Asserter (EBS Asserter) Java application. Usually you deploy each EBS Asserter Java application to a specific WebLogic managed server. You can use the same WebLogic Server installation with multiple managed servers, or different WebLogic Server installations, each with one managed server. In both cases, each EBS Asserter URL will have its own domain name and port number pair.

Starting from EBS Asserter version 19.2.1-1.5.0, if you don't want to create multiple managed servers and deploy one EBS Asserter Java application to each of them, you can deploy multiple EBS Asserter Java applications to the same WebLogic managed server.

To accomplish this scenario, you need to perform the following tasks:

  • Rename each EBS Asserter Java application's Web Application Resource (WAR) file before you deploy the file to the same WebLogic managed server. In this case, the domain name and port number of all EBS Asserter's URLs will be same, but the URL's context will change.
  • Extract the contents of each ebs.war file to a folder, find the weblogic.xml file, edit this file, update the value of the <cookie-path> tag to match the EBS Asserter's URL, and then rebuild the ebs.war.
  • For example, if you want the EBS Asserter to respond to URL context /app/ebs, then update the tag within weblogic.xml with the value <cookie-path>/app/ebs</cookie-path>.

For example: If you have two EBS instances named Development 1 and Development 2, you want to integrate these EBS instances with Oracle Identity Cloud Service using the EBS Asserter, but you only have one WebLogic managed server for the two EBS Asserter Java applications, then you need to execute the procedures in this tutorial for each EBS instance. You configure the WebLogic Server only once, and configure and deploy the EBS Asserter Java application for each EBS instance:

  • For EBS instance Development 1:
    • Make a copy of the ebs.war file and name the new file ebsdev1.war.
    • Update the weblogic.xml contained in the ebsdev1.war file, by replacing the cookie-path tag with the following: <cookie-path>/ebsdev1</cookie-path>.
    • Update the bridge.properties file (section 5) contained in the ebsdev1.war file.
    • Rebuild the war file and then deploy this file (section 7) to the WebLogic managed server.
  • For EBS instance Development 2:
    • Make a copy of the ebs.war file and name the new file ebsdev2.war.
    • Update the weblogic.xml contained in the ebsdev2.war file, by replacing the cookie-path tag with the following: <cookie-path>/ebsdev2</cookie-path>.
    • Update the bridge.properties file (section 5) contained in the ebsdev2.war file.
    • Rebuild the war file and then deploy this file (section 7) to the WebLogic managed server.

You will deploy both the ebsdev1.war and ebsdev2.war files to the same WebLogic managed server. The EBS Asserter's URL for EBS instance Development 1 will be /ebsdev1, and for EBS instance Development 2 /ebsdev2.
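
The per-instance WAR preparation described above, scripted as an added example (it is not part of the original tutorial or of Oracle's tooling): it copies ebs.war to a renamed WAR, rewrites the <cookie-path> value in WEB-INF/weblogic.xml, and optionally swaps in an edited WEB-INF/bridge.properties. The function names, the sample WAR built by make_sample_war, and the app.url values are constructed for illustration.

```python
"""Build per-instance EBS Asserter WARs (ebsdev1.war, ebsdev2.war) from one ebs.war.

Added example; function names and the sample WAR are constructed for illustration.
"""
import re
import tempfile
import zipfile
from pathlib import Path

WEBLOGIC_XML = "WEB-INF/weblogic.xml"
BRIDGE_PROPERTIES = "WEB-INF/bridge.properties"
COOKIE_PATH_RE = re.compile(r"<cookie-path>.*?</cookie-path>", re.DOTALL)
CONTEXT_RE = re.compile(r"(/[A-Za-z0-9._-]+)+")


def rebuild_war(src_war, dst_war, context, bridge_properties=None):
    """Write dst_war as a copy of src_war with <cookie-path> set to `context`.

    If bridge_properties (str) is given, it replaces WEB-INF/bridge.properties.
    Every other entry is copied unchanged.
    """
    if not CONTEXT_RE.fullmatch(context):
        raise ValueError(f"context must look like /ebsdev1, got {context!r}")
    patched = 0
    with zipfile.ZipFile(src_war) as src, \
            zipfile.ZipFile(dst_war, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == WEBLOGIC_XML:
                text, patched = COOKIE_PATH_RE.subn(
                    f"<cookie-path>{context}</cookie-path>", data.decode("utf-8"))
                data = text.encode("utf-8")
            elif item.filename == BRIDGE_PROPERTIES and bridge_properties is not None:
                data = bridge_properties.encode("utf-8")
            dst.writestr(item, data)
    if patched != 1:
        # A WAR without exactly one cookie-path would share session cookies
        # with the other asserters on the managed server; do not keep it.
        Path(dst_war).unlink()
        raise ValueError(f"expected one <cookie-path> in {WEBLOGIC_XML}, found {patched}")
    return Path(dst_war)


def cookie_path_of(war):
    """Return the <cookie-path> value a WAR will be deployed with, or None."""
    with zipfile.ZipFile(war) as zf:
        xml = zf.read(WEBLOGIC_XML).decode("utf-8")
    match = re.search(r"<cookie-path>(.*?)</cookie-path>", xml, re.DOTALL)
    return match.group(1).strip() if match else None


def make_sample_war(path):
    """Constructed stand-in for the downloaded ebs.war (same layout, dummy content)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(WEBLOGIC_XML,
                    "<weblogic-web-app><session-descriptor>"
                    "<cookie-path>/ebs</cookie-path>"
                    "</session-descriptor></weblogic-web-app>")
        zf.writestr(BRIDGE_PROPERTIES, "#app.url=/ebs\n")
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    return Path(path)


def demo():
    """Build ebsdev1.war and ebsdev2.war from one sample ebs.war and inspect them."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = make_sample_war(Path(tmp) / "ebs.war")
        for name in ("ebsdev1", "ebsdev2"):
            war = rebuild_war(src, Path(tmp) / f"{name}.war", f"/{name}",
                              bridge_properties=f"app.url=/{name}\n")
            with zipfile.ZipFile(war) as zf:
                props = zf.read(BRIDGE_PROPERTIES).decode("utf-8")
                names = sorted(zf.namelist())
            result[war.name] = (cookie_path_of(war), props, names)
    return result


if __name__ == "__main__":
    for war_name, (cookie_path, props, names) in demo().items():
        print(war_name, cookie_path, props.strip(), names)
```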


Section 2: Create Users and Update the Administrator's Email in Oracle E-Business Suite

Create an Application User on Oracle E-Business Suite

Create a user for the E-Business Suite Asserter to communicate with Oracle E-Business Suite.

  1. Log in as an administrator (for example, sysadmin) to the Oracle E-Business Suite application.
  2. In the Oracle E-Business Suite Home page, scroll down the Navigator, expand User Management, and then click Users.
  3. In the User Management page, select User Account from the Register drop-down menu, and then click Go.
  4. In the Create User Account page, enter the following details to create a new user, and then click Submit.
    • User Name: Provide a user name.
    • Password: Provide a password.
    • Description: EBS Asserter Service User
    • Password Expire: None

    Note: The User Name you create in this step is used later in this tutorial.

  5. After the message "A new user account has been created." appears, click Assign Roles, and then click Assign Roles in the Update User page.
  6. In the Search and Select: Assign Roles window, search by Code UMX|APPS_SCHEMA_CONNECT.
  7. Select Apps Schema Connect Role, and then click Select.
  8. In the Update User page, provide justification as EBS Asserter Service User, and then click Save.

Note: You can ignore the warning message regarding the Workflow Background Engine.

After the user is created, log off the Oracle E-Business Suite application, and then log in using the user name and password you provided in step 4 to reset the user password.

Create Oracle E-Business Suite's System Administrator in Oracle Identity Cloud Service

Create a user in Oracle Identity Cloud Service that corresponds to the System Administrator in your Oracle E-Business Suite. Otherwise, the system administrator won't be able to log in to the Oracle E-Business Suite console after Oracle E-Business Suite is configured to use Oracle Identity Cloud Service for authentication.

  1. Sign in to Oracle Identity Cloud Service to access the Identity Cloud Service console.
  2. In the Oracle Identity Cloud Service console, expand the Navigation Drawer, click Users, and then click Add in the Users page.
  3. In the Add User window, provide the following values, and then click Finish.
    • First Name: EBS
    • Last Name: Sysadmin
    • Uncheck Use the email address as the user name.
    • User Name: sysadmin
    • Email: Provide the email address set to the SYSADMIN account in your Oracle E-Business Suite.

Update Oracle E-Business Suite's System Administrator Email Address

Update the email address of the SYSADMIN user in Oracle E-Business Suite to match the email address you provided to the corresponding user in Oracle Identity Cloud Service.

  1. Log in as an administrator (for example, sysadmin) to the Oracle E-Business Suite application.
  2. In the Oracle E-Business Suite Home page, scroll down the Navigator, expand User Management, and then click Users.
  3. In the User Maintenance page, search by User Name SYSADMIN, and click the update icon for the SYSADMIN user.
  4. Update the Email field value with the same email address you provided during the creation of the system administrator user in Oracle Identity Cloud Service, and then click Apply.
  5. Close the Oracle E-Business Suite application.

Section 2: Register E-Business Suite Asserter with Oracle E-Business Suite

  1. Log in to the Oracle e-Business Suite server machine.
  2. Note: Don't use the root user. Use the user that you use to install and run the WebLogic server.

  3. Run the commands echo $JAVA_HOME and echo $WL_HOME, and then make note of the value that is set for each:
    • JAVA_HOME:
    • WL_HOME:

    Note: If the values of the JAVA_HOME and WL_HOME aren't set, request that the WebLogic administrator set them.

    Note: The values for the JAVA_HOME and WL_HOME may differ from your environment. Update the fields with the correct values for your environment.

    Note: The $WL_HOME value is only needed if you use a version of Oracle E-Business Suite greater than 12.2.

  4. Run the following command to create a working folder.
    cd /opt
    mkdir ebssdk
    cd ebssdk       
  5. Extract the content of the fndext.jar file which is located in the WEB-INF/lib folder inside the ebs.war file you have downloaded from the Oracle Identity Cloud Service console (follow the instructions in the What do You Need? section in this tutorial). Copy the fndext.jar file to the working folder you created in the previous step and also to the EBS Asserter's WebLogic $DOMAIN_HOME/lib folder.

    Note: The name of the fndext.jar file may vary depending on the current version.

  6. Locate your Oracle EBS's environment file (in this example /u01/install/VISION/EBSapps.env) and run the following command:
    source /u01/install/VISION/EBSapps.env

    Note: The path to the .env file may vary depending on your environment.

  7. Locate the .dbc file that is associated with your Oracle EBS instance in the following folder:
    $FND_SECURE/.dbc

    Note: If your database instance name is , the file should have a name like .dbc.

    Make note of the full path of the .dbc file (including the file name itself):

  8. Run the following command to register the EBS Asserter's application server with Oracle E-Business Suite.
    cd /opt/ebssdk
    java oracle.apps.fnd.security.AdminDesktop apps/ CREATE NODE_NAME= DBC=
    
  9. Run the following command:
    cat _.dbc

    Note: The resulting file name may be in all uppercase letters.

    Make note of the APPL_SERVER_ID value:

  10. Copy the _.dbc file to the EBS Asserter's WebLogic Server machine under the /opt/ebssdk folder.

Section 3: Register the E-Business Suite Asserter in Oracle Identity Cloud Service

Create a confidential application in Oracle Identity Cloud Service to represent the E-Business Suite Asserter.

  1. Sign in to Oracle Identity Cloud Service console.
  2. In the Oracle Identity Cloud Service console, expand the Navigation Drawer, and then click Applications.
  3. In the Applications page, click Add.
  4. In the Add Application dialog box, click Confidential Application.
  5. Enter the following information in the Details pane, and then click Next.
    • Name: EBS Asserter
    • Description: EBS Asserter Application
    • Application URL: /ebs
    • Display in My Apps: Select this check box.
  6. In the Client pane, select Configure this application as a client now, and then enter the following information:
    • Allowed Grant Types: Select Client Credentials and Authorization Code.
    • Redirect URL: /ebs/response
    • Logout URL: /ebs/logout
    • Post Logout Redirect URL: /ebs
  7. In the Client pane, scroll down, click the Add button below Grant the client access to Identity Cloud Service Admin APIs.
  8. In the Add App Role dialog window, select Authenticator Client and Me in the list, and then click Add.
  9. Click Next in the Client pane and in the following panes until you reach the last pane. Then click Finish.
  10. In the Application Added dialog box, make note of the Client ID and Client Secret values, and then click Close.

    Client ID value:

    Client Secret value:

  11. Click Activate to activate the application.
  12. In the Activate Application? dialog box, click Activate Application.

    The success message "The EBS Asserter application has been activated." appears.


Section 4: Create a WebLogic Wallet

For security purposes, you register the Client ID, Client Secret, and Oracle Identity Cloud Service URL as parameters in a wallet that is used by the EBS Asserter component.

  1. Log in to the EBS Asserter's WebLogic server machine, and navigate to the /opt/ebssdk folder.

    Note: Use a user with enough privileges to perform the following actions.

  2. Run the command java -jar idcs-wallet-<version>.jar, and then provide the following values when prompted:
    • Enter Wallet Path: Enter the full path where you want to store the wallet file.
    • Enter Client ID: Enter the Client ID generated in the previous section.
    • Enter Client Secret: Enter the Client Secret for the client ID.
    • Enter IDCS base URL: Enter Oracle Identity Cloud Service base URL. For example: https://MYTENANT.identity.oraclecloud.com.
  3. The command line creates a wallet file named cwallet.sso in the provided path.

Section 5: Update the Configuration File

From version 19.2.1-1.4.0 onward, the E-Business Suite Asserter contains a properties file called bridge.properties. This file is located under the WEB-INF/ folder inside the ebs.war file. You need to update the information in the bridge.properties file, and then regenerate the ebs.war file, before deploying it to a WebLogic Server.

Note: For E-Business Suite Asserter versions before the 19.1.4-1.4.0 release, the war file doesn't contain the bridge.properties file. You need to create this file in a folder of the EBS Asserter's WebLogic server, update its content as per step 3, and then set an environment variable before starting the WebLogic Server, as per the following example: export ebs_property_file="/opt/ebssdk/bridge.properties"

  1. In the server where you downloaded the E-Business Suite Asserter zip file, navigate to the location where you extracted the ebs.war file. See What Do You Need?
  2. Using a zip utility, extract the content of the ebs.war file, locate the bridge.properties file, and open the file for editing.
  3. Uncomment the properties by removing the # from the beginning of each line, and update the values as follows:
    ###########################################################
    ## SSO Bridge for E-Business Suite
    ###########################################################
    # Properties File
    app.url=/ebs
    app.serverid=
    ebs.url.homepage=/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
    ebs.ds.name=visionDS
    ebs.user.identifier=username
    idcs.iss.url=https://identity.oraclecloud.com
    idcs.aud.url=
    #post.logout.url=/ebs
    wallet.path=[PATH_OF_THE_WALLET]
    whitelist.urls=/OA_HTML/RF.jsp,/OA_HTML/OA.jsp,/OA_HTML/BneApplicationService
    ebs.renew.session=true
    proxy.mode=false
    proxy.home.url=/OA_HTML/RF.jsp?function_id=1031198&resp_id=-1&resp_appl_id=0&security_group_id=0&lang_code=US
    #istore.pages=ibeCZzdMinisites.jsp,ibeCAcpSSOLoginR.jsp
    #idcs.user.identifier=<email/username>
    ###########################################################
    

    Note: The following table provides the description for each bridge.properties parameter, including the optional parameters, and the EBS Asserter version that supports each parameter.

    | Parameter | Description | EBS Asserter Version |
    | --- | --- | --- |
    | app.url | The URL and port number for the E-Business Suite Asserter application. | 19.1.4 onward |
    | app.serverid | Corresponds to the APPL_SERVER_ID value in the .dbc file generated while registering the EBS Asserter. | 19.1.4 onward |
    | ebs.url.homepage | The URL address for the Oracle E-Business Suite home page. | 19.1.4 onward |
    | ebs.ds.name | The data source name to be created in the Oracle WebLogic Server where the E-Business Suite Asserter is deployed. | 19.1.4 onward |
    | ebs.user.identifier | Oracle E-Business Suite field used to match the Oracle Identity Cloud Service user name. Allowed values are user name (representing the FND_USERS.USER_NAME column) or email (representing the FND_USERS.EMAIL_ADDRESS column). | 19.1.4 onward |
    | idcs.iss.url | Oracle Identity Cloud Service issuer URL. This value can be found in Oracle Identity Cloud Service's Discovery Doc endpoint. The default value is https://identity.oraclecloud.com. | 19.1.4 onward |
    | post.logout.url | This is an optional parameter. Uncomment this parameter so that the E-Business Suite Asserter redirects to this URL after logging the user out from Single Sign-On. This value must match the value of the Post Logout Redirect URL parameter in Oracle Identity Cloud Service. | 19.1.4 onward |
    | wallet.path | The full path of the wallet file, including the file name. | 19.1.4 onward |
    | whitelist.urls | Lists the URLs that the E-Business Suite Asserter can accept as the requestUrl parameter value. If the requestUrl value doesn't match one of the whitelist.urls values, then the test scenario for SSO Using the E-Business Suite Asserter Direct URL with a Redirect Parameter will fail. | 19.1.4 onward |
    | ebs.renew.session | This is an optional parameter. Use this parameter to control how the E-Business Suite Asserter manages the Oracle E-Business Suite session when the Oracle E-Business Suite cookie has expired. If you add this parameter to the bridge.properties file, and set the value to true, then the asserter refreshes the Oracle E-Business Suite Forms session after having reached the configured limit (ICX:Session Timeout). If the parameter is set to false, then after reaching the configured limit, the Forms session is invalidated, closing all active Forms; however, the Oracle E-Business Suite session in the browser will be active, allowing the user to reopen a new Forms session. | 19.1.4-1.4.0 onward |
    | proxy.mode | This is an optional parameter. Add this parameter to the bridge.properties file, and set the value to true to enable the Oracle E-Business Suite Proxy User feature. Users trying to log in as a proxy user are redirected to the URL you provide in the proxy.home.url parameter. | 19.3.3-1.7.0 onward |
    | proxy.home.url | This attribute is mandatory if proxy.mode=true. After the user signs in to Oracle Identity Cloud Service, the EBS Asserter redirects the proxy user to this URL. Usually this is the URL of the Oracle E-Business Suite's Switch User page. For example: https://ebs.example.com:8001/OA_HTML/RF.jsp?function_id=1031198&resp_id=-1&resp_appl_id=0&security_group_id=0&lang_code=US | 19.3.3-1.7.0 onward |
    | istore.pages | A comma-separated list of the iStore pages that the E-Business Suite Asserter will accept. If the requestUrl matches one of the istore.pages values, then the user will be redirected to the requested iStore page post login. Add the iStore pages to the existing list of istore.pages. | 19.3.3-1912170009 onward |
    | idcs.user.identifier | This is an optional parameter. Oracle Identity Cloud Service user attribute used to match with the ebs.user.identifier attribute. Allowed values are user name (representing the username attribute in Oracle Identity Cloud Service) or email (representing the email attribute in Oracle Identity Cloud Service). If this value is not provided in bridge.properties, then it will be defaulted to the value of ebs.user.identifier. Ensure that there is a one-to-one mapping between the idcs.user.identifier attribute in Oracle Identity Cloud Service and the ebs.user.attribute attribute in FND_USERS, otherwise the login will fail. | 19.3.3-1912170009 onward |
  4. Rebuild the ebs.war file and make sure it contains the updated version of the bridge.properties file. Below is the structure of the ebs.war file.
    META-INF/
       MANIFEST.MF
    WEB-INF/
       classes/
       lib/
       bridge.properties
       web.xml
       weblogic.xml
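
A pre-deployment check for the edited bridge.properties, as an added example that is not part of the original tutorial or of the EBS Asserter: it applies the rules stated in the parameter table (required parameters uncommented and filled in, wallet.path ending in the wallet file name from section 4, proxy.home.url present when proxy.mode=true, ebs.ds.name equal to the WebLogic data source name). The function names and all sample values are constructed, and the username/email spellings are taken from the sample file.

```python
"""Lint bridge.properties against the parameter table before rebuilding ebs.war.

Added example: the checks are this example's reading of the table, not the
EBS Asserter's own validation. Sample values below are constructed.
"""
REQUIRED = ("app.url", "app.serverid", "ebs.url.homepage", "ebs.ds.name",
            "ebs.user.identifier", "idcs.iss.url", "wallet.path", "whitelist.urls")
IDENTIFIERS = {"username", "email"}   # spellings used in the sample file
WALLET_FILE = "cwallet.sso"           # file the wallet tool creates (section 4)


def parse_properties(text):
    """Parse simple key=value lines; return (active, commented_out_keys).

    Assumes the plain form used by the sample file (no line continuations).
    """
    active, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue                      # blank lines and banner comments
        is_comment = line.startswith("#")
        key, _, value = line.lstrip("#").strip().partition("=")
        if is_comment:
            commented.add(key.strip())
        else:
            active[key.strip()] = value.strip()
    return active, commented


def lint(text, data_source_name=None):
    """Return a list of findings; an empty list means every check passed."""
    props, commented = parse_properties(text)
    findings = []
    for key in REQUIRED:
        if key not in props:
            state = "still commented out" if key in commented else "missing"
            findings.append(f"{key}: {state}")
        elif not props[key]:
            findings.append(f"{key}: empty value")
    for key in ("ebs.user.identifier", "idcs.user.identifier"):
        if props.get(key) and props[key] not in IDENTIFIERS:
            findings.append(f"{key}: {props[key]!r} is not username or email")
    wallet = props.get("wallet.path", "").replace("\\", "/")
    if wallet and not wallet.endswith("/" + WALLET_FILE):
        findings.append(f"wallet.path: must be the full path ending in {WALLET_FILE}")
    if props.get("proxy.mode", "").lower() == "true" and not props.get("proxy.home.url"):
        findings.append("proxy.home.url: mandatory when proxy.mode=true")
    ds = props.get("ebs.ds.name")
    if data_source_name and ds and ds != data_source_name:
        findings.append(
            f"ebs.ds.name: {ds!r} is not the WebLogic data source {data_source_name!r}")
    urls = props.get("whitelist.urls")
    if urls and any(not u.strip() for u in urls.split(",")):
        findings.append("whitelist.urls: empty entry in the list")
    return findings


# Constructed, fully filled-in sample (host names and server id are made up).
FILLED = """\
app.url=https://ebsasserter.example.com/ebs
app.serverid=CONSTRUCTED_APPL_SERVER_ID
ebs.url.homepage=https://ebs.example.com/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
ebs.ds.name=visionDS
ebs.user.identifier=username
idcs.iss.url=https://identity.oraclecloud.com
wallet.path=/opt/ebssdk/cwallet.sso
whitelist.urls=https://ebs.example.com/OA_HTML/RF.jsp,https://ebs.example.com/OA_HTML/OA.jsp
proxy.mode=false
"""
# The same file before step 3: every property still commented out.
AS_SHIPPED = "".join(f"#{line}\n" for line in FILLED.splitlines())
# Step 3 started but the server id and wallet path not yet filled in.
UNFINISHED = (FILLED.replace("CONSTRUCTED_APPL_SERVER_ID", "")
              .replace("/opt/ebssdk/cwallet.sso", "[PATH_OF_THE_WALLET]"))

if __name__ == "__main__":
    for name, sample in (("filled", FILLED), ("as shipped", AS_SHIPPED),
                         ("unfinished", UNFINISHED)):
        print(name, lint(sample, data_source_name="visionDS"))
```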

Section 6: Configure Hostname Verification in WebLogic Console

You can configure the hostname verification in Oracle WebLogic Server Administration Console.

  1. Start the Oracle WebLogic Server Administration Console by entering http://wls_host:wls_port/console in the URL line of a web browser. For example, https://ebsasserter.example.com:7002/console.
  2. Log in to WebLogic console as an administrator.
  3. In the left panel, click Lock & Edit, expand Environment, select Servers.
  4. Click the name of the target server where you want to deploy the EBS Asserter. In this example, AdminServer.
  5. Click the SSL tab. Scroll down and expand the Advanced section.
  6. Update the Hostname Verification parameter with the value None, and then click Save.
  7. Click Activate Changes.
  8. Restart the servers.

Section 7: Configure Keystores in WebLogic Console

If you are using a Custom Trust Store in WebLogic for the asserter deployment, then instead of using Custom Identity and Custom Trust Store with the WebLogic server, use Custom Identity and Java Trust Store. With this configuration, you do not need to import the Oracle Identity Cloud Service certificate.

  1. Start the Oracle WebLogic Server Administration Console by entering http://wls_host:wls_port/console in the URL line of a web browser. For example, https://ebsasserter.example.com:7002/console.
  2. Log in to WebLogic console as an administrator.
  3. In the left panel, click Lock & Edit, expand Environment, select Servers.
  4. Click the name of the target server where you want to configure the keystore.
  5. Click Keystores under the Configuration tab.
  6. In the left panel, click Lock & Edit to make the changes.
  7. Select Custom Identity and Java Trust Store.
  8. Click Save and Activate Changes.
  9. Restart the WebLogic server.

Section 6: (Optional) Oracle Identity Cloud Service Certificate Update Notice

Oracle Identity Cloud Service will perform planned maintenance to renew SSL certificates. If you have previously imported the Oracle Identity Cloud Service certificate into your Java and WebLogic trust stores, you may need to take the following action to remove the old certificate from the Java trust store.

  1. Run the commands echo $JAVA_HOME and echo $WL_HOME, and then make note of the value that is set for each:
    • JAVA_HOME:
    • WL_HOME:

    If the values of the JAVA_HOME and WL_HOME aren't set, request that the WebLogic administrator set them.

  2. Run the following commands as root to remove the Oracle Identity Cloud Service certificate:
    cd /server/lib
    keytool -delete -alias idcs -keystore DemoTrust.jks
    cd /jre/lib/security
    keytool -delete -alias idcs-root-ca -keystore cacerts

    The above keytool commands use the default passwords of the keystores. If these passwords have been changed, contact your WebLogic administrator.

    Verify the correct alias you used to install the old certificate to both trust stores.

  3. Restart the servers.

Section 7: Deploy the E-Business Suite Asserter

Define the data source for the EBS Asserter and then deploy the EBS Asserter application. In this tutorial you deploy the EBS Asserter to a managed server named EBSAsserter_server.

Define the data source

  1. Log in as an administrator to the WebLogic console, in this example /console
  2. Expand Services and select Data Sources
  3. Click New and select Generic Data Source
  4. Enter the values as appropriate, and then click Next:
    • Name: visionDS
    • JNDI Name: visionDS
    • Database Type: Oracle

    The value of the Name parameter must match the ebs.ds.name parameter in the EBS Asserter's configuration file.

  5. Select the following database driver, and then click Next:
    • Database Driver: *Oracle's Driver (Thin) for Instance connections; Versions:Any.

    Note: If you are using an XA data source, select *Oracle's Driver (Thin XA) for Instance connections; Versions:any as Database Driver.

  6. For a non-XA data source, uncheck the Supports Global Transactions check box. For an XA data source, leave the check box checked. Click Next.
  7. Enter the following EBS database connection parameters, and then click Next:
  8. In the Driver Class Name field, if you use a non-XA datasource, type oracle.apps.fnd.ext.jdbc.datasource.AppsDataSource. If you are using an XA data source, type oracle.apps.fnd.ext.jdbc.datasource.AppsXADataSource

    Note: You can use the oracle.jdbc.OracleDriver driver instead, but you need to provide administrative database credentials during configuration. If you don't want to expose administrative database credentials to WebLogic administrators, use one of the previous values.

  9. In the Properties text box, keep the current value for user, add a new line, and enter the path to the dbc file as per the example below:
    user=IDETITYADMIN
    dbcFile=/opt/ebssdk/_.dbc

    Note: The Properties field is case sensitive. Make sure the name of the file is correctly written with the correct uppercase and lowercase letters.

    Note: You copied the _.dbc file from the E-Business Suite server in section 2.

  10. Click Test Configuration.

    If successful, click Next. If an error appears, contact your administrator.

    Note: Make sure your network doesn't block communication between the EBS Asserter's WebLogic server machine and the Oracle E-Business Suite Database through port number .

  11. Under Select Targets, select the target server. In this example, EBSAsserter_server.
  12. Click Finish, and then click Activate Changes.

Deploy EBS Asserter on WebLogic Server

Note: Use the ebs.war file that you updated in the Update the E-Business Suite Asserter Configuration File section.

  1. Copy the EBS Asserter war file (ebs.war) to the working folder in the WebLogic Server /opt/ebssdk.
  2. Log in as an administrator to the WebLogic console, in this example /console
  3. In the left panel, click Lock & Edit.
  4. Click Deployments and then click Install.
  5. Enter the path for the EBS Asserter war file as /opt/ebssdk
  6. Select the ebs.war file and click Next to continue.
  7. Select Install this deployment as an application, and then click Next.
  8. Select the target server. In this example, EBSAsserter_server. Then click Next.
  9. Accept the default values and click Finish.
  10. Click Activate Changes.

Section 8: Update Oracle E-Business Suite Profiles

Follow these steps to configure Oracle E-Business Suite to redirect non-E-Business-Suite-authenticated users to E-Business Suite Asserter instead of using the Oracle E-Business Suite local login page.

Update Oracle E-Business Suite Profiles

  1. Access the Oracle Applications Administration page in Oracle E-Business Suite, click the Core Services tab, and then click the Profiles tab.
  2. Enter APPS_AUTH_AGENT in the Search, Profile Values, Code field, and then click Go.
  3. On the list of Profile Values, click the pencil icon to update the APPS_AUTH_AGENT code entry.
  4. On the Define Profile Values: Application Authenticate Agent page enter E-Business Suite Asserter's URL in the Site Value field, and then save it.
  5. Return to the Profiles tab, enter APPS_SSO in the Search, update the APPS_SSO code entry from SSWA to SSWA w/SSO, and save the profile.
  6. Return to the Profiles tab, enter Oracle Applications Session% in the Search, update the Oracle Applications Session code entry from HOST to DOMAIN, and save the profile.
  7. Restart the Oracle E-Business Suite servers.

Test Single Sign-On with Oracle E-Business Suite

To test SSO with Oracle E-Business Suite successfully, make sure that you create a user in Oracle Identity Cloud Service whose User Name is identical to the user name of an Oracle E-Business Suite user. Then, assign the E-Business Suite Asserter application to this user.

  1. Test the SSO using the EBS Asserter direct URL link.
    1. Open a browser window and enter the URL for the EBS Asserter
      /ebs
    2. The Oracle Identity Cloud Service Sign In page appears. Use the User Name and Password of the previously created user to sign in.
    3. Upon successful authentication, the user is redirected to the Oracle E-Business Suite home page without having to enter EBS credentials.
    4. If the Oracle EBS home page appears, verify the logged-in user name.
    5. Log out from Oracle EBS. The browser is redirected to the Oracle Identity Cloud Service Sign In page.
  2. Test the SSO using the EBS Asserter icon within My Apps page in Oracle Identity Cloud Service.
    1. Open a browser window and enter the Oracle Identity Cloud Service My Console URL
      /ui/v1/myconsole
    2. Sign in using the credentials of the previously created user.
    3. In the My Apps page, click the EBS Asserter icon to access the Oracle EBS home page.
    4. If the Oracle EBS home page appears, verify the logged-in user name.
    5. Log out from Oracle EBS. The browser is redirected to the Oracle Identity Cloud Service Sign In page.
  3. Test the SSO using EBS Asserter's login URL using a redirect parameter.
    1. Open a browser window and enter the URL for the EBS Asserter URL along with the requestUrl parameter. In the following example, the parameter value points to one of the Oracle EBS pages (for example, Self Service Reports page - P11D Reports).
      /ebs?requestUrl=http%3A%2F%2Febs.example.com%3A8000%2FOA_HTML%2FRF.jsp%3Ffunction_id%3D1023615%26resp_id%3D54745%26resp_appl_id%3D800%26security_group_id%3D0%26lang_code%3DUS%26oas%3DZGSSqTllSAVkI4tpzTqoZw..%26params%3DYQiYllX3TGJSmdkebayqm4plh8uddwPMseD54DE-G-c

      Note: The requestUrl parameter value must match one of the whitelist.urls and must be URL encoded.

    2. The Oracle Identity Cloud Service Sign In page appears. Use the User Name and Password of the previously created user to sign in.
    3. Upon successful authentication, the user is redirected to the Oracle E-Business Suite page passed as a parameter to the EBS Asserter URL.
    4. Log out from Oracle EBS. The browser is redirected to the Oracle Identity Cloud Service Sign In page.
  4. Test the SSO using previously bookmarked Oracle E-Business Suite URLs.
    1. Open a browser window and enter one of the Oracle EBS URLs that you have bookmarked (for example, the Self Service Reports page - P11D Reports):
      /OA_HTML/RF.jsp?function_id=1023615&resp_id=54745&resp_appl_id=800&security_group_id=0&lang_code=US&oas=ZGSSqTllSAVkI4tpzTqoZw..&params=YQiYllX3TGJSmdkebayqm4plh8uddwPMseD54DE-G-c
    2. The Oracle Identity Cloud Service Sign In page appears. Use the User Name and Password of the previously created user to sign in.
    3. Upon successful authentication, the user is redirected to the Oracle E-Business Suite page passed as a parameter to the EBS Asserter URL.
    4. Log out from Oracle EBS. The browser is redirected to the Oracle Identity Cloud Service Sign In page.

Note: These sample configurations and testing apply to an Oracle EBS demo distribution (VISION) environment on Oracle Cloud. Check the values of the encoded URLs before applying them to your environment.
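
The requestUrl rule from step 3 (URL encoded, and matching one of the whitelist.urls) can be checked before a link is handed to users. The following is an added example, not part of the original tutorial or of Oracle's code: it builds the Asserter link and runs a local pre-check against a list standing in for whitelist.urls. The function names, the sample list and the comparison rule (same scheme, host, port and path) are assumptions; the Asserter's own matching may differ.

```python
from urllib.parse import quote, urlsplit

# Constructed sample values (assumptions); substitute your environment's own.
ASSERTER_URL = "https://ebsasserter.example.com:7002/ebs"
WHITELIST_URLS = ["http://ebs.example.com:8000/OA_HTML/RF.jsp"]  # stand-in for whitelist.urls

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Return (scheme, host, port, path); raise ValueError for unusable URLs."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    if u.username is not None:
        raise ValueError("userinfo is not allowed in a redirect target")
    # u.port raises ValueError by itself when the port is not numeric.
    return scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[scheme], u.path


def is_whitelisted(target, whitelist=WHITELIST_URLS):
    """Assumed local rule: same scheme, host, port and path as a list entry.

    Parsed components are compared instead of raw string prefixes, so a
    look-alike host that merely starts with the allowed one is rejected.
    """
    try:
        t = _parts(target)
    except ValueError:
        return False
    return any(t == _parts(entry) for entry in whitelist)


def build_sso_link(target, asserter_url=ASSERTER_URL, whitelist=WHITELIST_URLS):
    """Build <asserter>/ebs?requestUrl=<fully URL-encoded target>."""
    if not is_whitelisted(target, whitelist):
        raise ValueError(f"target is not covered by whitelist.urls: {target!r}")
    # safe="" also encodes ':', '/', '?', '&' and '=' so the target's own query
    # string cannot be read as extra parameters of the Asserter URL.
    return f"{asserter_url}?requestUrl={quote(target, safe='')}"


if __name__ == "__main__":
    bookmarked = ("http://ebs.example.com:8000/OA_HTML/RF.jsp?function_id=1023615"
                  "&resp_id=54745&resp_appl_id=800&security_group_id=0&lang_code=US")
    print(build_sso_link(bookmarked))
```
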


(Optional) Set up E-Business Suite Mobile Applications

You can use Oracle E-Business Suite mobile applications, such as Approvals for EBS, when your Oracle E-Business Suite is integrated with Oracle Identity Cloud Service for authentication.

When users open the mobile application and try to access Oracle E-Business Suite information, the Asserter uses Oracle Identity Cloud Service to authenticate these mobile users.

This setup is valid for the following Oracle E-Business Suite mobile applications:

  • Custom mobile applications based on Mobile Application Framework (MAF).
  • Approvals for EBS from Oracle America, Inc.
  • Oracle Fusion Expenses from Oracle America, Inc. (from EBS Asserter version 19.3.3-1.7.0 onward).

Prerequisites

Make sure you have configured the E-Business Suite mobile application to work with your Oracle E-Business Suite.

  • For Oracle E-Business Suite version 12.1.3 and version 12.2, apply the mobile application patches, or verify that they have been applied, as described in the Oracle E-Business Suite documentation. If you use Oracle E-Business Suite 12.2.8, you can skip applying the patches because they are already included.
  • To execute the following configurations, you need to log in to Oracle E-Business Suite as any user (excluding sysadmin) assigned to the Mobile Applications Manager role.

Note: You don't need to configure Oracle E-Business Suite with Oracle Access Manager (OAM) Access Gate. Identity Cloud Service E-Business Suite Asserter replaces OAM Access Gate as the authentication mechanism for your Oracle E-Business Suite.

Configuration

Configure Oracle E-Business Suite so that E-Business Suite mobile applications can retrieve the Oracle Identity Cloud Service login URL.

  1. Access the drawer icon (version 12.2.8) or navigator icon (version 12.1/12.2), select Mobile Applications Manager, and then select Applications.
  2. Search for Application Name. For example, EBS Approvals.
  3. In the results list, click on the Configure icon for the EBS Approvals application.
  4. In the Configure Mobile Application page, expand the Connection Settings.
  5. Select Sub Category as AppsSSO Login.
  6. Expand the Connection Settings category, and then update the parameters as follows:
    • LoginURL: %APPS_AUTH_AGENT%/ssologin
    • LogoutURL: %APPS_AUTH_AGENT%/ssologout
    • LoginSuccessURL: %APPS_FRAMEWORK_AGENT%/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
    • APPS_SESSION_SERVICE: %APPS_FRAMEWORK_AGENT%/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
  7. Click Apply.

After you save the changes, restart Oracle E-Business Suite.

Test

Test the authentication of the Oracle E-Business mobile application.

  • Use your mobile device to open the Oracle E-Business mobile application and access a protected feature.
  • The mobile device opens the Oracle Identity Cloud Service Sign In page.
  • Sign in to Oracle Identity Cloud Service.
  • After successful authentication, the mobile application completes the login process and activates the requested feature.

Note: The mobile application completes the login flow and shows the protected feature only if it detects a successful return redirecting to the URL configured in the Login Success URL parameter.


Monitor the E-Business Suite Asserter

You can monitor the E-Business Suite Asserter to determine its status and, in turn, its availability. Use the app.url/about URL to monitor the availability of the EBS Asserter. For example, https://ebsasserter.example.com:7002/ebs/about.


Troubleshoot Common Issues

The Simplify authentication for Oracle E-Business Suite with the E-Business Suite Asserter solution contains a section to help you troubleshoot common issues.