• Home
• App Integrations
• Single Sign-On Integrations
• Oracle EBS Okta Single Sign-On SSO Integration

Oracle E-Business Suite is a major product line of Oracle Corporation. Oracle EBS is a combined set of business applications for automating customer relationship management (CRM), Enterprise Resource Planning (ERP) and Supply Chain Management (SCM) which helps in automating the processes within organizations.

"miniOrange SSO connector enables Single Sign-On (SSO) between Oracle EBS and Okta without the need to purchase and install Oracle Access Manager (OAM) and Oracle Internet Directory (OID) license."

Oracle EBS Okta Single Sign-On SSO integration is enabled with the help of miniOrange SSO Connector. This integration involves registering the miniOrange connector as a SAML Service Provider (SP) in Okta, and Okta as a SAML Identity Provider (IdP) in the miniOrange connector. The authentication flow works like this: when a user tries to login into Oracle EBS, the authentication is delegated to miniOrange, which redirects the user to Okta for Single Sign On Login. Upon successful authentication, the user is granted access to Oracle EBS. Oracle EBS can also be protected with Okta Multi-Factor. Oracle EBS URL can be added to Okta Applications Dashboard by Okta Admin, and users can launch it like any other Okta Application. miniOrange SSO connector can enable Okta SSO for the following supported Oracle EBS versions - R12 and R12.2 and it can also enable Oracle EBS integrations such as OBIEE, Hyperion/EPM Suite, ADF Applications, WebCenter and Agile. miniOrange SSO Connector can also enable Okta Cloud SSO for other Oracle Products as well such as Peoplesoft, Siebel and JD Edwards.

Oracle EBS Okta Single Sign-On SSO Authentication Flow with miniOrange Oracle EBS Solution:

1. The User sends the request to access the Oracle E-Business Suite.

2. Oracle EBS redirects the request to the miniOrange SSO Connector for authentication.

3. The miniOrange SSO Connector redirects the user to Okta for authentication.

4. The user is prompted for their Okta credentials, and is authenticated upon a successful response.

5. The connector receives the user’s Oracle EBS registered username/email from Okta via SAML attributes.

6. The connector checks the value of the username/email received from Okta against the FND_USER table in the Oracle EBS Database & creates a session for them.

7. Upon successfully creating a session, user is redirected to the Oracle E-Business Suite portal as logged-in user

Follow the step-by-step Guide given below for Oracle E-Business Single Sign-On (SSO) with Okta

1. Configure miniOrange Broker Agent as a SAML Service Provider in Okta

• Log in to Okta.
• In your Okta tenant, navigate to Applications and click on Application section under it.



• Click on App Integration button.



• Select SAML as Sign-On method and Click on Next.



• In General Settings category, enter the Application Name and click on Next.



• For SAML Configuration, you need to get : Single Sign-On URL, Audience URL etc.
• Log into you miniOrange SSO Connector Admin Dashboard in the left navigation menu. Click on Add Identity Source.



• In Choose Identity Provider, select SAML from the dropdown.



• Then, search for Okta and click on it.



• Now click on the Click here link to get miniOrange metadata as shown in Screen below.



• For SP - Initiated SSO section, select Show Metadata Details.



• Copy Entity ID or Issuer and ACS URL (For SP-Initiated SSO) values and keep them handy. This will require configuring the application on the Oracle E-Business side.



• Enter the SAML configuration details as shown in below screen.



• Add Attribute Statement & Group Attribute Statement if required & click on Next.



• Click on the Save button to proceed.



• Click Copy Link to copy the Metadata URL from the Metadata Details section and keep it handy.



• miniOrange Broker Agent is now added as a SAML Service Provider in Okta.

2.Configure Okta as a SAML Identity Provider in the miniOrange Broker Agent

• Return to the miniOrange Admin Console (you should have kept it open from Step 1).
• Click on Import IDP metadata.



• Choose an appropriate IDP name. Enter the URL which you have saved in the previous step from Oracle E-Business
• Click on Import.



• As shown in the below screen the IDP Entity ID, SAML SSO Login URL and x.509 Certificate will be filled from the Metadata file we just imported.



• Few other optional features that can be configured to the Identity Provider(IDP) are listed in the table below:




Domain Mapping	Can be used to redirect specific domain user to specific IDP
Show IdP to Users	Enable this if you want to show this IDP to all users during Login

• Click on Save.

3. Configure miniOrange Broker Agent in miniOrange EBS Connector

• Add the miniOrange EBS SSO Connector as an OpenID Connect application in the Broker Agent
• Log in as a customer from the Admin Console.
• Go to Apps. Click Add Application button at right corner of your screen.



• In Choose Application Type click on Create App button in OAUTH/OIDC application type.



• Click on the 'OAuth2/OpenID Connect’ App Type



• Enter the Redirect URL for the miniOrange EBS SSO Connector. For example, https://ebsauth.example.com/ebsauth/redirect
• Select the Group Name from dropdown & enter Policy Name (Optional).
• Select Password as your login method. You can also opt for 2-factor authentication.
• Scroll down and click on the “Save Button”.



• The miniOrange Oracle EBS Single Sign-On SSO Connector is now successfully configured with the Broker Agent.

You can edit Application by using the following steps:

• Go to Apps >> Manage Apps.
• Search for your app and Click on the edit in action menu against your app.
• Note down Client id and Client secret, you will need this info for configuring the miniOrange EBS SSO connector.



• Open the miniOrange EBS SSO Connector connector.properties file located under /webapps/ebsauth/WEB-INF/classes for editing.
• Set the miniorange.base.url property to the base URL of your miniOrange tenant. For Cloud version, this is the base URL: https://.xecurify.com/moas For On-Premise version, this is the base URL: https://fqdn-of-onpremise-server
• Set the customer.id property to the customer ID of your Broker Agent (found under product settings).
• Set the 'authentication.source' and property to ‘external’.
• Set the value of the redirect.uri property to the FQDN of your EBS connector, with /redirect appended to it. For example, https://ebsauth.example.com/ebsauth/redirect
• Set the client.id & client.secret properties to the values from the miniOrange Broker Agent OIDC application
• Set the value of the identity.attribute property to either ‘username’ or ‘email’, depending on whether you want to log into Oracle EBS using your EBS username or your EBS email. Note that email should be unique in Oracle EBS in case you set this property to ‘email’.
• Set the value of the username.attribute & email.attribute to the name of the attributes sent from Okta, that contain the user’s Oracle EBS username & email respectively. Leave email.attribute blank in case you set the identity.attribute property to ‘username’
• miniOrange Broker Agent is now configured with the miniOrange EBS SSO connector.

4. Configure Oracle EBS with miniOrange SSO Connector

• Set aside a sub-domain for the miniOrange EBS SSO connector on the same domain as the EBS installation. For example, if the EBS installation has the FQDN apps.example.com, then miniOrange EBS SSO connector could be installed on the sub-domain ebsauth.example.com.
• Create a new user, and assign them the role with code: UMX|APPS_SCHEMA_CONNECT. Make a note of the credentials for this user.
• Navigate to Functional Administrator → Core Services → Profiles, and make the following changes:
• Search for the Profile with code APPS_SSO; change its site value from SSWA to SSWA w/SSO.
• Search for the Profile with the code APPS_AUTH_AGENT; change its site value to the full URL (FQDN) of the miniOrange EBS SSO connector (e.g. http://ebsauth.example.com/ebsauth).
• Search for the Profile with the name Oracle Applications Session Cookie Domain; change its value from Host to Domain.
• Bounce the Application Tier of the E-Business Suite to reflect the changes.
• Generate a DBC file with the miniOrange EBS SSO connector domain (e.g. ebsauth.example.com) using the AdminDesktop utility in EBS; make a note of the APPL_SERVER_ID value present in this newly generated file.
• Update the connector.properties file in your miniOrange EBS SSO connector to reflect the credentials for the user created, the path of the DBC file & the APPL_SERVER_ID and the endpoint URLs from the above points.

References

• Looking around SSO solution for other Oracle Applications?
• Oracle EBS SSO Integration with Microsoft Entra ID
• Oracle EBS Ping SSO
• Oracle EBS OneLogin SSO
• Oracle Oracle EBS SSO, MFA and Provisioning
• Oracle EBS Integrated Windows Authentication (IWA)
• Configure Okta as IDP

Note: Oracle and Java are registered trademarks of Oracle and/or its affiliates. miniOrange is a separate entity.