SSO in Multiple EBS R12.2 by Single OID/OAM 11g for Multiple Sets of Users
SSO implementation in EBS R12.2 with a common user base is well documented by Oracle. However, the complexity of serving different sets of users across multiple EBS R12.2 environments is not well documented, or has not been achieved before. The problem statement is that there are multiple sets of users, such as developers, testers, and setup users, who connect to multiple EBS environments, and one user may have access to only one, some, or all of those environments. Multiple groups, such as CVDV, CVIT, and CVUT, were created in Microsoft AD. These groups are then synced to OID, and their members are placed in multiple user containers under the same domain, such as CVDV, CVIT, and CVUT (not the default Users). These user containers should then get either linked or provisioned in the respective EBS environment.
In this blog, I will discuss a way to address the challenge described above. Most often, it seems that a separate OID and OAM combination is used to serve a specific environment, or a group of environments sharing the same set of users. For example, please see the flow chart below.
In the above example, I am using a single AD, which is the case mostly. However, there could be a development AD as well; you get the point. Here are some potential pitfalls that I see:
- The same set of users have access to the UAT and DEV environments. If they want to separate this, then another OID and OAM environment has to be stacked up.
- Some development users may need access to UAT and/or SIT, and that granularity of access is not there.
- Licensing cost for stacking up multiple environments, plus further maintenance cost and patch cycle time and effort.
- After cloning from PROD, if the users are not segregated at OID for UAT and DEV, then all of those users may have access to the UAT and DEV environments unless a precaution was taken to end-date users after the clone.
After thinking it through, I thought: why not have only a single OID/OAM combination for all non-prod environments, with a separate set of users for each of them, so that some users will only have access to UAT while others have access to DEV and SIT, and some common users can have access to all or some. This addresses the issues mentioned above. The depiction will look like this:
So the question is – how do we do it?
Here is how:
Before I proceed, I will put up an architecture diagram to illustrate. I have created Python scripts to fail over and fail back in an active-passive cluster for WebLogic, where the OID (opmn component) is an active-active cluster.
It is assumed that you have already installed OID and OAM and they are up and running with the latest versions (11g at the time of this post). Further, EBS 12.2 is ready for OAM/OID.
Step-1:
Please log in to ODSM using a browser; I use Firefox. After supplying the username and password, you will end up on the home screen. Please navigate to Data Browser and then to your domain. I deleted the client domain name and inserted "abc" in its place, so the domain is now corp.abc.com.
Step-2:
Please create as many directories as EBS environments you will be serving, such as CVIT for the SIT environment. Here I am connecting three environments: UAT, SIT, and DEV. I took a prefix of CV for checking validity, but you can use a meaningful name for your organization. You can do it either way; the easier way is to use "create as" and select Users as the source.
Step-3:
Now we need ACLs for these directories similar to those that Users has. So we navigate to the Security tab and create the same directories, selecting Users as the "create as" reference, such as CVIT, CVUT, and CVDV as indicated below.
Step-4:
Now we navigate to the Advanced tab to create attribute uniqueness, and create three attribute uniqueness entries, one pertaining to each of the three directories.
Step-5:
Now we need to set the default search for Oracle to be one directory level up from the default. Please note that the default search and create are both pointed to the Users directory. We do not want to change the default create, as that is still the case (Users). However, the default search should be changed one directory up so that the entire directory tree is searched by OAM, as indicated in the picture below.
While staying in the Advanced tab, please update the subscription for the AD plugin from the default Users to your specific containers as follows:
Click on "oidexplg_bind_ad" -> Optional Properties -> Plug-in Subscriber DN List
Update it and add the three that we have created, such as CVIT, CVUT, and CVDV, as shown:
And enable the plugin as shown:
Please repeat the same for the "oidexplg_compare_ad" plugin on the same page.
Step-6:
Now we leave ODSM and go to DIP through the Enterprise Manager console and create three synchronization profiles, each pointing to its directory structure created in ODSM, such as CVIT to CVIT and so forth. Here I am opening one such profile to demonstrate the process.
Step-7:
In the same synchronization profile you need to achieve user separation by filter. Here you need to ask the Microsoft AD administrator to create the three groups that will hold the memberships of the users pointed to each of those environments. For example, we have created three groups: "CVDV", "CVIT", and "CVUT". We can add or remove memberships as often as needed, for instance when users and their responsibilities progress from DEV to UAT. However, there needs to be a manual script at the OID UNIX level that deletes users already synced to OID when a membership change requires a user to be removed from one of those containers. Once the delete on OID happens, the user gets end-dated on the EBS side. We cannot use Oracle's default delete sync, as we are not using a 1:1 directory tree mapping from AD to OID and the privilege that is needed for such a process. Please ping me if you need the script to do this.
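As an added example (not the author's script, which is not on the page), here is a hypothetical Python helper that derives the OID deletions from an AD membership change. It assumes the user cn in OID equals the AD sAMAccountName and the DN layout cn=<user>,cn=<container>,dc=corp,dc=abc,dc=com from the post; the inputs are constructed in-line and the helper only generates LDIF for ldapmodify, so the delete itself stays an explicit, reviewable step.

```python
"""Added example (not the author's script): find OID entries under a
per-environment container (cn=CVIT here) that no longer have a member in the
AD group of the same name, and emit LDIF that ldapmodify can apply to delete
them. All names, DNs and user lists are constructed samples; in practice the
group members come from an AD export and the container users from an
ldapsearch of cn=CVIT,dc=corp,dc=abc,dc=com."""

REALM = "dc=corp,dc=abc,dc=com"  # realm used throughout the post

# Constructed sample: sAMAccountName values that are members of AD group CVIT.
AD_GROUP_MEMBERS = {"CVIT": ["jsmith", "apatel", "mgarcia"]}

# Constructed sample: cn values currently present under cn=CVIT in OID.
# "rlee" has been dropped from the AD group and must be removed from OID,
# which in turn end-dates the account in the SIT EBS instance.
OID_CONTAINER_USERS = {"CVIT": ["jsmith", "apatel", "mgarcia", "rlee"]}


def stale_entries(container, ad_members, oid_users):
    """Return the DNs under cn=<container> whose cn is no longer an AD member.
    The comparison is case-insensitive because AD and OID may differ in case.
    An empty member list almost always means a failed export, so refuse to
    turn it into a deletion of the whole container."""
    if not ad_members:
        raise ValueError("empty AD member list: refusing to delete whole container")
    wanted = {m.lower() for m in ad_members}
    return [f"cn={cn},cn={container},{REALM}"
            for cn in oid_users if cn.lower() not in wanted]


def delete_ldif(dns):
    """Render one 'changetype: delete' change record per DN, in the form
    accepted by 'ldapmodify -c -f <file>' against OID."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)


def plan(container):
    """Build the delete list and the LDIF for one environment container."""
    dns = stale_entries(container,
                        AD_GROUP_MEMBERS.get(container, []),
                        OID_CONTAINER_USERS.get(container, []))
    return dns, delete_ldif(dns)


if __name__ == "__main__":
    dns, ldif = plan("CVIT")
    print(f"{len(dns)} stale entry/entries under cn=CVIT")
    print(ldif, end="")
```

Run the generated LDIF with ldapmodify only after reviewing it; because the OID delete end-dates the EBS account, a wrong diff is an access-revocation incident rather than a cosmetic error.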
Step-8:
Please edit the event configuration on the synchronization profile to match the directory this profile is intended for. By default it is pointing to the Users directory. You can use "oidprovtools", or a combination of ldapsearch and ldapdelete on this synchronization profile, or use this screen to edit. It should look like:
Step-9:
Now we should start making some changes in OAM to put things in perspective. Here we will create three identity stores, three authentication schemes, and three authentication modules to separate the search. Please remember that this authentication scheme is what we need to present when registering EBS to OAM, so that we separate all the environments by directory in ODSM. Let's create three identity stores that can then be selected for the authentication scheme and module.
So when you log in to OAM, this is what is displayed:
Now select the Configuration tab at the top, where the Application Security tab is selected.
Now go to User Identity Stores as shown:
Here is an example of one identity store that is pointing to the directory structure in OID.
Here is an example of creating an authentication module [first navigate to the Launch Pad, then Authentication Modules]:
And here is an example of creating an authentication scheme [please see Authentication Schemes in the Access Manager tab above on the Launch Pad]:
Please repeat to have three of each, such as:
Step-10:
Now we are ready for the OID and OAM registration at the EBS side. Please execute them in the PATCH file system (PTCH) after starting an ADOP cycle, such as adop phase=prepare. Please note to execute this for all three environments if configuring them together!
Please use the following for OID registration on EBS R12.2. Please pass the provisiontype, as by default it will be bi-directional. You will need the LDAP hostname, port, orcladmin password, and apps password to perform the following step.
$FND_TOP/bin/txkrun.pl -script=SetSSOReg -registeroid=yes -provisiontype=3
[One can provide non-default names for the following parameters if the default name derived from CONTEXT_FILE is not desired: -appname= -svcname=]
Please use the following process to register the OAM in the same ADOP phase:
- Install WebGate:
txkrun.pl -script=SetOAMReg -installWebgate=yes -webgatestagedir=/ebsstagesw/ebs1223/MCG [Please change to your directory]
- Deploy AccessGate:
perl $AD_TOP/patch/115/bin/adProvisionEBS.pl ebs-create-oaea_resources -contextfile=$CONTEXT_FILE -deployApps=accessgate -SSOServerURL=http://oamdevuat.corp.abc.com:14100 -logfile=deployeag.log
- Register EBS to OAM as follows [please note the authentication scheme here]:
txkrun.pl -script=SetOAMReg -registeroam=yes -oamHost=http://oamdevuat.corp.abc.com:7002 -oamUserName=weblogic -ldapUrl=ldap://oamdevuat.corp.abc.com:3060 -oidUserName=cn=orcladmin -ldapSearchBase=cn=cvit,dc=corp,dc=abc,dc=com -ldapGroupSearchBase=cn=Groups,dc=corp,dc=abc,dc=com -authScheme=CVITAuthScheme -authSchemeMode=reference
Now the ADOP cycle should be completed as:
adop phase=finalize,cutover,cleanup finalize_mode=full cleanup_mode=full mtrestart=no
Step-11:
Please start the new RUN file system and do the following:
Sqlplus apps/<apps password>
execute fnd_oid_plug.setPlugin();
Now select and verify that all is well here. Verify the OID registration as:
select fnd_preference.get('#INTERNAL','LDAP_SYNCH','HOST') from dual;
-- this should return the LDAP host, e.g. ldaphost.abc.com
select fnd_preference.get('#INTERNAL','LDAP_SYNCH','PORT') from dual;
-- this should return the LDAP port, 3060 here
col preference_value format a45
set lines 120
SELECT preference_name,preference_value FROM fnd_user_preferences
WHERE user_name='#INTERNAL' AND module_name= 'OID_CONF';
PREFERENCE_NAME PREFERENCE_VALUE
------------------------------ ---------------------------------------------
CREATE_BASE cn=cvit,dc=corp,dc=abc,dc=com
CREATE_BASE_opt_mode STATIC
DEFAULT_CREATE_BASE cn=cvit,dc=corp,dc=abc,dc=com
DEFAULT_CREATE_BASE_opt_mode STATIC
DEFAULT_REALM dc=corp,dc=abc,dc=com
DEFAULT_REALM_opt_mode STATIC
FIXUP NONE
FIXUP_opt_mode STATIC
PLUGIN_VERSION 1.1
RDN cn
RDN_opt_mode STATIC
REALM dc=corp,dc=abc,dc=com
REALM_opt_mode STATIC
Step-12:
Now please set the profile options at EBS level, such as:
NAME | USER_PROFILE_OPTION_NAME | LEVEL | VALUE
APPS_SSO | Applications SSO Type | SITE | SSWA w/SSO
APPS_SSO_LINK_SAME_NAMES | Link Applications user with OID user with same username | SITE | Enable
APPS_SSO_AUTO_LINK_USER | Applications SSO Auto Link User | SITE | Enable
APPS_SSO_OID_IDENTITY | Applications SSO Enable OID Identity Add Event | SITE | Enable
Step-13:
Now please run the OID sync to manually pull the data, based on the filter set on the sync profile, into OID, and see that those users are created in EBS (different environments will have different users based on the filter and directory on OID). I ran with a parallelism of 5, but if the user count is small then a lower -lp value will be just fine.
syncProfileBootstrap -host oamdevuat.corp.abc.com -port 7005 -D weblogic -profile CVIT_AD2OID -lp 5
syncProfileBootstrap -host oamdevuat.corp.abc.com -port 7005 -D weblogic -profile CVUT_AD2OID -lp 5
syncProfileBootstrap -host oamdevuat.corp.abc.com -port 7005 -D weblogic -profile CVDV_AD2OID -lp 5
Now verify the users via ODSM first, and then in EBS. Please note that some users were removed from the screenshots to protect the identity of the client.
Please use the following SQL to check on EBS:
select user_name, start_date, end_date, user_guid, to_char(creation_date,'DD-MON-YY hh24:mi:ss') from fnd_user where trunc(creation_date) >= trunc(sysdate - 2);
This should match what OID reports in ODSM.
Once all is well, please try the EBS URL to get the SSO page and use the AD password to log in.
This should redirect to the OAM login screen. Please test!
Hi Mukesh,
Excellent article on segregating synchronization groups. Could you please share the script via email? Thanks in advance. My email: trickydba at gmail dot com
Hi Mukesh,
Thank you so much for a great article.
In your topology, how was DR designed? Is it storage-level replication or any other methodology?
Thanks in advance,
Regards,
Narasimha.