In today’s modern security landscape, it’s becoming increasingly uncommon to find customers who aren’t considering some form of hybrid cloud identity and access management solution. That said, we have come across some outliers. Fortunately for them, we’ve created a simple way to enable Single Sign-On for their on-prem applications.
A few months ago, we encountered a unique Identity and Access Management (IAM) project with a large financial institution that was trying to enable Single Sign-On (SSO) into Oracle E-Business Suite (EBS). They didn’t have an existing IAM solution like Oracle Access Manager, nor had they chosen a cloud vendor like Okta or IDCS.
In essence, they wanted their employees to sit at their desks behind a firewall, log in to their own Windows Desktop, and be automatically granted access to EBS without additional passwords or credentials.
The requirement was simple: Enable SSO with EBS using only Windows Active Directory.
Our approach was simple: begin by preparing EBS for SSO, including deployment of Oracle Internet Directory (OID), followed by installing Oracle’s EBS Access Gate and connecting the end points with the SPGateway (SPGW).
In practice, this integration isn’t so easy and requires a team with deep knowledge of EBS to prepare it for SSO. We’ll dive into some of the nuances next. EBS prep for SSO typically takes up the bulk of the man-hours in any customer engagement, and this customer project was no exception.
An important point about EBS that most people don’t realize is that Oracle Internet Directory (OID) is a required element for EBS SSO today. Basically, OID acts as a mapping database for usernames and GUIDs and ties these together with the User ID. EBS is dependent on GUIDs and thereby dependent on OID.
Next, we installed Oracle E-Business Suite’s Access Gate; this is what creates the user’s session. The architecture for this part of the solution is similar to what you would deploy with Oracle’s original SSO product, Oracle Access Manager, an architecture that has been perfected over nearly twenty years.
The next and final step is standing up the Access Gate and integrating it with our SPGateway product. The SPGateway handles authentication into EBS and sits between the user, the Access Gate, and OID.
Kerberos comes into play whenever you’re using Windows, and since this use case is for Windows Desktop SSO, it’s all Kerberos on the back end. If the user doesn’t have an existing session, the SPGateway will validate the Kerberos token with Active Directory.
Once your session is validated, the SPGateway takes the username and searches the OID database to look up the user’s GUID. The GUID is then passed to Oracle Access Gate to create the session. This all occurs within a second or two and the user is completely unaware of what is occurring in the background.
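The username-to-GUID step described above is where the identity is actually bound to an EBS session, so it should fail closed. The following is an added sketch, not SPGateway or Oracle code: the realm name, the account-name pattern, the `uid` and `orclguid` attribute names, and the sample entries are all assumptions constructed for illustration.

```python
import re

TRUSTED_REALM = "CORP.EXAMPLE.COM"  # assumption: the AD Kerberos realm (constructed)
USER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumption: allowed account names

# Constructed stand-in for OID entries; attribute names uid/orclguid are assumptions.
SAMPLE_ENTRIES = [
    {"uid": "jsmith", "orclguid": "0123456789ABCDEF0123456789ABCDEF"},
    {"uid": "mlee", "orclguid": "FEDCBA9876543210FEDCBA9876543210"},
    {"uid": "dup", "orclguid": "11111111111111111111111111111111"},
    {"uid": "dup", "orclguid": "22222222222222222222222222222222"},
]

def escape_filter_value(value):
    """Escape LDAP filter metacharacters per RFC 4515."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def username_from_principal(principal):
    """Accept only user@TRUSTED_REALM; reject anything else before any lookup."""
    user, sep, realm = principal.rpartition("@")
    if not sep or realm != TRUSTED_REALM:
        raise ValueError("principal is not from the trusted realm")
    if not USER_RE.fullmatch(user):
        raise ValueError("unexpected characters in account name")
    return user.lower()

def guid_filter(username):
    """Equality filter a directory client would send to find exactly this user."""
    return "(uid=%s)" % escape_filter_value(username)

def sample_search(ldap_filter):
    """Constructed search: exact-match emulation of the equality filter."""
    return [e for e in SAMPLE_ENTRIES if guid_filter(e["uid"]) == ldap_filter]

def resolve_guid(principal, search=sample_search):
    """Map a validated Kerberos principal to one GUID, or fail closed."""
    username = username_from_principal(principal)
    matches = search(guid_filter(username))
    if len(matches) != 1:  # zero or ambiguous results must not create a session
        raise LookupError("expected exactly one directory entry for %s" % username)
    return matches[0]["orclguid"]
```

In a real deployment the `search` callable would be an LDAPS query against OID, and the principal would come only from a ticket that has already been validated.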
Phone: (214) 764-7644 | 5601 Democracy Drive, Suite 205| Plano, TX 75024
ICSynergy is a trusted Okta Gold partner, with more than 30 successful customer implementations and 30 additional hybrid engagements. Our experience helping organizations of all sizes integrate Okta with their cloud-based and hybrid applications makes us the partner of choice for Okta integrations.
Our experts can assist in your integration of Okta applications such as Single Sign-On (SSO), Multi-factor Authentication (MFA), and lifecycle management – either out-of-the-box, or with a custom solution. With ICSynergy’s SPGateway, we can extend your Okta solution to your on-premises applications, protecting your existing investment.
In addition, ICSynergy offers an array of advisory and managed services to meet any and all challenges arising from your Okta-based architecture.