OK, I am coming out of my brief JDEList retirement to answer this question. I promised myself and a couple of other individuals that I wouldn't, but here goes...because I was addressed directly.
[Author's Note: My apologies go out in advance to Jon Steel for my borrowing part of his distinct JDEList responsorial writing style in my use of several capitalized words in an attempt to get a few of my KEY points across.]
[ QUOTE ]
Are you saying that single sign-on for E1 is only available if you are using OAS? Does it not work with WAS?
[/ QUOTE ]
...
[ QUOTE ]
And then the LDAP that comes with OAS is proprietary?
[/ QUOTE ]
No - I'm NOT saying anything of the sort. Single Sign-On for E1 is both mostly platform neutral and semi platform "agnostic", with certain Oracle JD Edwards EnterpriseOne support restrictions.
Yes, you can implement single sign-on with IBM WebSphere Application Server. It is just a different configuration. The post I was responding to in February was pertaining to an Oracle Application Server JAS implementation and I was offering some brief advice on how to go about that in a supported fashion.
The LDAP which can be enabled with OAS is not proprietary, per se; it is Oracle's implementation of an LDAP v3 compliant server which happens to utilize an Oracle database for the LDAP data store. Flame wars commence! According to Oracle: "By implementing the LDAP service on top of Oracle database technology, Oracle Internet Directory can provide LDAP directory services with an unprecedented level of scalability, high-availability and information security." One could argue that only a couple of LDAP implementations are NOT "proprietary", such as OpenLDAP. Anyone ever manage to install Active Directory for LDAP WITHOUT WINDOWS? I don't think so.
To address what I sense is a general misunderstanding of the available options, I'm going to respond ("speak") in the framing of an Oracle SSO configuration because that is what I know the best, having supported it for two years now.
I do not think I know all things SSO and LDAP in relationship to JD Edwards. I DID however accept the Oracle Excellence Award in 2007 for our deployment of Oracle SSO with GSS-API/Kerberos/Windows Native Authentication, Portal and EnterpriseOne 8.11 SP1, but I am not saying that to toot my own horn. OK, maybe just a little. So many other more deserving folks should have been nominated or nominated themselves. It's not like I'm creating a new type of rocket fuel. I read instructions - then I rinse, lather, repeat, insert round peg into round slot, push-down-turn, etc.
I've posted in the past on IBM WAS and GSS-API / Kerberos possibilities, but I haven't done that personally so I would not be able to offer the right advice. There is a really good whitepaper from IBM which covers enablement of Kerberos and LDAP with Microsoft Windows Server 2003 R2 and AIX for WAS enterprise deployment that I've been meaning to comb through when I get the chance...
So in response:
Oracle Single Sign-On and LDAP can be, in a sense, mutually exclusive of one another from a JDE integration standpoint.
* LDAP integration can be enabled with JDE for the HTML client and not have ANY, and I can't stress this enough, any SSO component and still function just well enough on its own, thank you very much. Certain caveats do apply, however, but those caveats notwithstanding, if you follow the installation and configuration guides, you'll see what I mean.
* Although SSO generally requires an LDAP server, and the OracleSSO specific configuration currently requires Oracle Internet Directory, it is technically possible to implement SSO with Microsoft's Kerberos implementation and not configure the LDAP server integration. It wouldn't be a good idea from a fallback authentication perspective, but it can be done.
Technically AND in an Oracle supported fashion, you can implement Oracle Single Sign-On WITHOUT an LDAP connector between Active Directory and OID, though most would choose not to go this route. You can ALSO implement LDAP without Single Sign-On. For instance, you can integrate JDE directly with most any LDAP v3 compliant server such as Active Directory (and probably MS "AD Lite" ADAM), Sun Java System Directory Server, IBM Tivoli, Oracle Internet Directory and probably Novell eDirectory, OpenLDAP, etc.
Alternatively you can choose to enable Single Sign-On and NOT configure LDAP to work with the JDE security kernel. This is key and is the point I have been trying to make. You can do this and enable GSS-API to work with Microsoft's Kerberos implementation (turn on Integrated Windows Authentication in the Internet Explorer browser) and experience SharePoint-like Single Sign-On with JDE. I do this for my employer and wouldn't have it any other way for them. Others may choose another method and I wouldn't have any problem with that.
I understand that a well known Journal of Tips related to all things JDE published part of a whitepaper I submitted to them on the subject. You might inquire about that - it could possibly help.
Sort of off the subject (my response that is):
SiteMinder is indeed a common Single Sign-On "tool". Oracle doesn't support that directly, however...for JDE EnterpriseOne. From personal experience, I can tell you I have seen at least one instance where a SiteMinder server side configuration was modified to support Oracle SSO - that would be with Hyperion System 9 Shared Services and OAS with Oracle SSO. Oracle enabled this functionality and I turned it on in a dev environment and it works. Hyperion, being another Oracle software acquisition, though technically wonky, is integrated into our Oracle SSO environment just as Oracle BI Enterprise Edition, JD Edwards EnterpriseOne and Oracle Portal are...
Gosh, it seems just about the only way to avoid being attacked on all fronts by the reigning doccia of JDEList is to turn VERBOSE mode on in my response. What a pity this site has become and my apologies to all who might be offended by my previous comments. Those to whom I direct my chin thumbing certainly know they deserve it...at least I hope they do and if not...pity.