Hello there!

Need Help? We are right here!

support
miniOrange Email Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com

Oracle EBS ADFS SSO Integration


Oracle E-Business Suite is a major product line of Oracle Corporation. Oracle EBS is a combined set of business applications for automating customer relationship management (CRM), Enterprise Resource Planning (ERP) and Supply Chain Management (SCM) which helps in automating the processes within organizations.

"miniOrange SSO connector enables the Single Sign-On (SSO) between Oracle EBS and ADFS without the need to purchase and install Oracle Access Manager (OAM) and Oracle Internet Directory (OID) license."

Oracle EBS ADFS SSO integration is enabled with the help of miniOrange SSO Connector.This integration involves registering the miniOrange connector as a SAML Identity Provider (IdP) in the miniOrange connector. The authentication flow works like this: when a user tries to login into EBS, the authentication is delegated to miniOrange, which redirects the user to ADFS for Single Sign-On Login. Upon successful authentication, the user is granted access to Oracle EBS. Oracle EBS can also be protected with ADFS Multi-Factor. Oracle EBS URL can be added to ADFS Applications Dashboard by ADFS Admin, and users can launch it like any other ADFS Application. miniOrange SSO connector can enable ADFS SSO for the following supported Oracle EBS versions - R12 and R12.2 and it can also enable Oracle EBS integrations such as OBIEE, Hyperion/EPM Suite, ADF Applications, WebCenter and Agile. miniOrange SSO Connector can also enable Microsoft ADFS SSO for other Oracle Products as well such as Peoplesoft, Siebel and JD Edwards.



Oracle EBS ADFS SSO Authentication Flow with miniOrange Oracle EBS Solution:


Oracle EBS(E-Business Suite) ADFS SSO Authentication

1. The User sends the request to access the Oracle E-Business Suite.

2. Oracle EBS redirects the request to the miniOrange SSO Connector for authentication.

3. The miniOrange SSO Connector redirects the user to ADFS for authentication.

4. The user is prompted for their ADFS credentials, and is authenticated upon a successful response.

5. The connector receives the user’s Oracle EBS registered username/email from ADFS via SAML attributes.

6. The connector checks the value of the username/email received from ADFS against the FND_USER table in the Oracle EBS Database & creates a session for them.

7. Upon successfully creating a session, user is redirected to the Oracle E-Business Suite portal as logged-in user



Connect with External Source of Users


miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, Azure AD, OpenLDAP, Google, AWS Cognito etc), Identity Providers (like Shibboleth, Ping, Okta, OneLogin, KeyCloak), Databases (like MySQL, Maria DB, PostgreSQL) and many more.



Follow the step-by-step Guide given below for Oracle E-Business Single Sign-On (SSO) with Okta

1. Configure miniOrange Broker Agent as a SAML Service Provider in ADFS

  • On ADFS, search for ADFS Management application.
  • Oracle EBS SSO login - ADFS Management application

  • After opening the AD FS Management, select Relying Party Trust & then click on Add Relying Party Trust.
  • Oracle EBS SSO - Add Relying Party Trust

  • Click the Start button from the Relying Party Trust Wizard pop up. But before that please make sure Claims Aware is selected.
  • ADFS sso login - Start ADFS Wizard

  • Select the options for adding a relying party trust.
  • Using Metadata URL

    • In Select Data Source: Import data about the relying party published online or on the local network option & then add URL in Federation metadata address.
    • ADFS SSO - Add SAML Metadata URL

    • Skip step-5 to step-8 & start configuring from step-9. Navigate to Service Provider Info tab from the plugin for getting SP Meatadata URL.

    Using Metadata XML file

    • In Select Data Source: Import data about the relying party from a file option & then browse the metadata file.
    • To login with ADFS import data source file

    • Skip step-5 to step-8 & start configuring from step-9.

    Using Manual Configuration

    • In Select Data Source: Enter Data about the relying party manually & Click on Next.
    • Oracle EBS SSO - Enter Relying Party Data

  • Enter Display Name & Click Next.
  • Upload the certificate & click next. Download the certificate from plugin & use the same certificate to upload on ADFS.
  • Select Enable support for the SAML 2.0 WebSSO protocol & Enter ACS URL from the plugins Service Provider Info Tab. Click Next.
  • Enable SAML SSO Protocol to login with ADFS for EBS SSO

  • Add Entity ID from plugins Service Provider Info Tab as Relying party trust identifier then click Add button & then click Next.
  • Add Entity to configure miniOrange as SP

  • Also download the Signing certificate from Service Provider Info Tab from the plugin.
  • Select Permit everyone as an Access Control Policy & click on Next.
  • Select permit everyone as access policy to integrate adfs SAML IDP

  • Click the Next button from Ready to Add Trust & click Close.
  • It will show you the list of Relying Party Trusts. Select the respective application & click on Edit Claim Issuance Policy.
  • EBS adfs sso : Select application to claim issuance policy

  • Click on Add Rule button.
  • Oracle EBS SSO : ADFS Identity Provider - Add Rules

  • Select Send LDAP Attributes as Claims & click on Next.
  •  Oracle EBS ADFS SSO Send LDAP attributes

  • Enter the following details & click on Finish.
  • Claim rule name: Attributes
    Attribute Store: Active Directory
    LDAP Attribute: E-Mail-Addresses
    Outgoing Claim Type: Name ID
    ADFS - Submit Claim rule name, attribute store and Claim type

  • Click Apply Ok.
  • Select property of the application & add the certificate downloaded from the add-on.
  • ADFS Identity Provider : Add Certificate

2.Configure ADFS as a SAML Identity Provider in the miniOrange Broker Agent

  • Go to miniOrange Admin Console.
  • From the left navigation bar select Identity Provider and click on Add Identity Provider button.
  • Add Identity Provider for Oracle EBS ADFS SSO

  • Select SAML. Click on Import IDP metadata button.
  • Import ADFS metadata to configure it as IDP

  • Enter ADFS as IDP name and Click on Import button.
  • Oracle EBS ADFS SSO : Metadata file imported

  • As shown in the below screen the IDP Entity ID, SAML SSO Login URL and x.509 Certificate will be auto filled from the file imported.
  • Click on Save.
  • IDP Entity ID, SAML SSO Login URL and X.509 auto filled

  • Few other optional features that can be added to the ADFS Identity Provider(IDP) are listed in the table below:
  • Domain Mapping Can be used to redirect specific domain user to specific IDP
    Show IdP to Users Enable this if you want to show this IDP to all users during Login
    Send Configured Attributes Enabling this would allow you to add attributes to be sent from IDP
  • Go to Identity Providers tab.
  • Click on Select>>Test Connection option against the Identity Provider you configured.
  • Test Oracle EBS SSO  connection

  • On entering valid ADFS credentials you will see a pop-up window which as shown in below screen.
  • Oracle EBS SSO  SSO configuration successful

  • Hence your configuration of Oracle EBS SSO in miniOrange is sucesssfully completed.

3. Configure miniOrange Broker Agent in miniOrange EBS Connector

  • Add the miniOrange EBS SSO Connector as an OpenID Connect application in the Broker Agent
  • Log in as a customer from the Admin Console.
  • Go to Apps >> Manage Apps. Click Add Application button at right corner of your screen.
  • Add SSO connector for Oracle EBS

  • In Choose Application Type click on Create App button in OAUTH/OIDC application type.
  •  Oracle EBS ADFS SSO : Choose Application type

  • Click on the 'OAuth2/OpenID Connect’ App Type
  • Oracle EBS ADFS SSO : Select Oauth/OpenID

  • Enter the Redirect URL for the miniOrange EBS SSO Connector. For example, https://ebsauth.example.com/ebsauth/redirect
  • Select the Group Name from dropdown & enter Policy Name (Optional).
  • Select Password as your login method. You can also opt for 2-factor authentication.
  • Scroll down and click on the “Save Button”.
  • Oracle EBS ADFS SSO : Submit Configuration Details

  • The miniOrange EBS SSO Connector is now successfully configured with the Broker Agent.
  • You can edit Application by using the following steps:

  • Go to Apps >> Manage Apps.
  • Search for your app and Click on the edit in action menu against your app.


  • Note down Client id and Client secret, you will need this info for configuring the miniOrange EBS SSO connector.
  • Get Client ID and Secret for Oracle EBS ADFS SSO

  • Open the miniOrange EBS SSO Connector connector.properties file located under /webapps/ebsauth/WEB-INF/classes for editing.
  • Set the miniorange.base.url property to the base URL of your miniOrange tenant. For Cloud version, this is the base URL: https://.xecurify.com/moas For On-Premise version, this is the base URL: https://fqdn-of-onpremise-server
  • Set the customer.id property to the customer ID of your Broker Agent (found under product settings).
  • Set the 'authentication.source' and property to ‘external’.
  • Set the value of the redirect.uri property to the FQDN of your EBS connector, with /redirect appended to it For example, https://ebsauth.example.com/ebsauth/redirect
  • Set the client.id & client.secret properties to the values from the miniOrange Broker Agent OIDC application
  • Set the value of the identity.attribute property to either ‘username’ or ‘email’, depending on whether you want to log into Oracle EBS using your EBS username or your EBS email. Note that email should be unique in Oracle EBS in case you set this property to ‘email’.
  • Set the value of the username.attribute & email.attribute to the name of the attributes sent from ADFS, that contain the user’s Oracle EBS username & email respectively. Leave email.attribute blank in case you set the identity.attribute property to ‘username’
  • miniOrange Broker Agent is now configured with the miniOrange EBS SSO connector.

4. Configure Oracle EBS with miniOrange SSO Connector

  • Set aside a sub-domain for the miniOrange EBS SSO connector on the same domain as the EBS installation. For example, if the EBS installation has the FQDN apps.example.com, then miniOrange EBS SSO connector could be installed on the sub-domain ebsauth.example.com.
    • Create a new user, and assign them the role with code: UMX|APPS_SCHEMA_CONNECT. Make a note of the credentials for this user.
    • Navigate to Functional Administrator → Core Services → Profiles, and make the following changes:
      • Search for the Profile with code APPS_SSO; change its site value from SSWA to SSWA w/SSO.
      • Search for the Profile with the code APPS_AUTH_AGENT; change its site value to the full URL (FQDN) of the miniOrange EBS SSO connector (e.g. http://ebsauth.example.com/ebsauth).
      • Search for the Profile with the name Oracle Applications Session Cookie Domain; change its value from Host to Domain.
    • Bounce the Application Tier of the E-Business Suite to reflect the changes.
  • Generate a DBC file with the miniOrange EBS SSO connector domain (e.g. ebsauth.example.com) using the AdminDesktop utility in EBS; make a note of the APPL_SERVER_ID value present in this newly generated file.
  • Update the connector.properties file in your miniOrange EBS SSO connector to reflect the credentials for the user created, the path of the DBC file & the APPL_SERVER_ID and the endpoint URLs from the above points.

References

Our Other Identity & Access Management Products