Single Sign On and LDAP

adri_valentim

Reputable Poster
Hi List,

We are currently on 8.10 SP 8.96.1.5 on Oracle Database and testing Web on OAS.

Question 1: Single Sign on (SSO), is it supported with 8.10?

Question 2: LDAP is it required for SSO?

Question 3: LDAP is it supported with 8.10?

All the documentation I'm reading is saying 8.11 but I can not find P95928.

Thank you
 
[ QUOTE ]

Hi List,

We are currently on 8.10 SP 8.96.1.5 on Oracle Database and testing Web on OAS.

Question 1: Single Sign on (SSO), is it supported with 8.10?

Question 2: LDAP is it required for SSO?

Question 3: LDAP is it supported with 8.10?

All the documentation I'm reading is saying 8.11 but I can not find P95928.

Thank you

[/ QUOTE ]

I put that case in a few weeks back; here's the response.

Unfortunately support for LDAP within EnterpriseOne begins with release 8.11 and above, so there is not a way to integrate version 8.10 with LDAP. Please see page 14 of the following guide, which illustrates that while Tools Releases 8.94 and above support LDAP, they also require application release 8.11 or higher.
 
Thank you for your response.

Can someone help me with the Single Sign-on Question?
 
If you're testing OAS and are interested in Single Sign-On, you would enable Oracle SSO in the JAS client, but you must first setup an Oracle App Server Infrastructure instance which includes OID (Oracle Internet Directory - the LDAP v3 server). Then you would register your OAS JAS server instance with the infrastructure instance.

OID is a prereq for Oracle SSO, and although Oracle may eventually support third-party LDAP servers, it does not at this point in time.

I have set this up and it works well. If you go all web client for the end users, you really don't need the LDAP support in JDE unless you're wanting to integrate third party apps with JDE security and have a desire to eliminate JDE app user password resets, or have users on the fat client and you're not running the JDE UnifiedLogon service.
 
We're in the process of investigating the implementation of LDAP. We use OAS 10.1.3.1 (JDE 8.11 SP1 Tools 897.2). Do you have any advice on implementing, installing, etc.? Any chance you do consulting?
 
Ditto. Doing an LDAP integration now and would be grateful for some guidance.
 
Are you saying that single sign-on for E1 is only available if you are using OAS? Does it not work with WAS?

And then the LDAP that comes with OAS is proprietary? We are wanting to use Siteminder as our single sign-on 'tool'.

Any help / answers would be greatly appreciated.

Thanks,
James
 
OK, I am coming out of my brief JDEList retirement to answer this question. I promised myself and a couple of other individuals that I wouldn't, but here goes...because I was addressed directly.

[Author's Note: My apologies go out in advance to Jon Steel for my borrowing part of his distinct JDEList responsorial writing style in my use of several capitalized words in an attempt to get a few of my KEY points across.]

[ QUOTE ]
Are you saying that single sign-on for E1 is only available if you are using OAS? Does it not work with WAS?

[/ QUOTE ]
...

[ QUOTE ]
And then the LDAP that comes with OAS is proprietary?

[/ QUOTE ]

No - I'm NOT saying anything of the sort. Single Sign-On for E1 is both mostly platform neutral and semi platform "agnostic", with certain Oracle JD Edwards EnterpriseOne support restrictions.

Yes you can implement single sign-on with IBM Websphere Application Server. It is just a different configuration. The post I was responding to in February was pertaining to an Oracle Application Server JAS implementation and I was offering some brief advice on how to go about that in a supported fashion.

The LDAP which can be enabled with OAS is not proprietary, per se, it is Oracle's implementation of an LDAP v3 compliant server which happens to utilize an Oracle database for the LDAP data store. Flame wars commence! According to Oracle: "By implementing the LDAP service on top of Oracle database technology, Oracle Internet Directory can provide LDAP directory services with an unprecedented level of scalability, high-availability and information security." One could argue that only a couple of LDAP implementations are NOT "proprietary", such as OpenLDAP. Anyone ever manage to install Active Directory for LDAP WITHOUT WINDOWS? I don't think so.


To address what I sense is a general misunderstanding of the available options, I'm going to respond ("speak") in the framing of an Oracle SSO configuration because that is what I know the best, having supported it for two years now.

I do not think I know all things SSO and LDAP in relationship to JD Edwards. I DID however accept the Oracle Excellence Award in 2007 for our deployment of Oracle SSO with GSS-API/Kerberos/Windows Native Authentication, Portal and EnterpriseOne 8.11 SP1, but I am not saying that to toot my own horn. OK, maybe just a little. So many other more deserving folks should have been nominated or nominated themselves. It's not like I'm creating a new type of rocket fuel. I read instructions - then I rinse, lather, repeat, insert round peg into round slot, push-down-turn, etc.

I've posted in the past on IBM WAS and GSS-API / Kerberos possibilities, but I haven't done that personally so I would not be able to offer the right advice. There is a really good whitepaper from IBM which covers enablement of Kerberos and LDAP with Microsoft Windows Server 2003 R2 and AIX for WAS enterprise deployment that I've been meaning to comb through when I get the chance...

So in response:

Oracle Single Sign-On and LDAP can be, in a sense, mutually exclusive of one another from a JDE integration standpoint.

- LDAP integration can be enabled with JDE for the HTML client and not have ANY, and I can't stress this enough, any SSO component and still function just well enough on its own, thank you very much. Certain caveats do apply, however, but those caveats notwithstanding, if you follow the installation and configuration guides, you'll see what I mean.
- Although SSO generally requires an LDAP server, and the OracleSSO specific configuration currently requires Oracle Internet Directory, it is technically possible to implement SSO with Microsoft's Kerberos implementation and not configure the LDAP server integration. It wouldn't be a good idea from a fallback authentication perspective, but it can be done.

Technically AND in an Oracle supported fashion, you can implement Oracle Single Sign-On WITHOUT an LDAP connector between Active Directory and OID, though most would choose not to go this route. You can ALSO implement LDAP without Single-Sign On. For instance, you can integrate JDE directly with most any LDAP v3 compliant server such as Active Directory (and probably MS "AD Lite" ADAM), Sun Java System Directory Server, IBM Tivoli, Oracle Internet Directory and probably Novell eDirectory, OpenLDAP, etc.

Alternatively you can choose to enable Single Sign-On and NOT configure LDAP to work with the JDE security kernel. This is key and is the point I have been trying to make. You can do this and enable GSS-API to work with Microsoft's Kerberos implementation (turn on Integrated Windows Authentication in the Internet Explorer browser) and experience SharePoint like Single Sign-On with JDE. I do this for my employer and wouldn't have it any other way for them. Others may choose another method and I wouldn't have any problem with that.

I understand that a well known Journal of Tips related to all things JDE published part of a whitepaper I submitted to them on the subject. You might inquire about that - it could possibly help.

Sort of off the subject (my response that is):

Siteminder is indeed a common Single Sign-On "tool". Oracle doesn't support that directly, however...for JDE EnterpriseOne. From personal experience, I can tell you I have seen at least one instance where a Siteminder server side configuration was modified to support Oracle SSO - that would be with Hyperion System 9 Shared Services and OAS with Oracle SSO. Oracle enabled this functionality and I turned it on in a dev environment and it works. Hyperion, being another Oracle software acquisition, though technically wonky, is integrated into our Oracle SSO environment just as Oracle BI Enterprise Edition, JD Edwards EnterpriseOne and Oracle Portal are...

Gosh, it seems just about the only way to avoid being attacked on all fronts by the reigning doccia of JDEList is to turn VERBOSE mode on in my response. What a pity this site has become and my apologies to all who might be offended by my previous comments. Those to whom I direct my chin thumbing certainly know they deserve it...at least I hope they do and if not...pity.
 
Mr. Anderson (kinda feels like the Matrix)

Wow! Thanks for your very complete (verbose) answer.

Unfortunately, I think I'm going to have to read it a couple more times at a more reasonable time of day to even remotely understand it.

Thanks again for addressing an issue that I have always been a little confused about.
 
[ QUOTE ]

Hi List,

We are currently on 8.10 SP 8.94 on iSeries and using WebSphere v5.02. We have multiple JAS servers; users access JDE individually (by JAS server) and we want single sign-on for all JAS servers. Please provide some help on that.


Thank you

[/ QUOTE ]
 
[ QUOTE ]
Mr. Anderson (kinda feels like the Matrix)

[/ QUOTE ]

I swear I never heard that before AND I'm looking forward to getting my hands on the "ultimate edition" Blu-Ray(TM).
 
Great post Charles! As one of your editors on the "well known journal of all things JDE" I can attest that you certainly know your stuff on this subject. In your future installments of that white paper, you should include some of this information, good stuff.

Gregg "I chose my side in this flame war" Larkin
 
Actually I heard that you begged to read what I submitted the last time on the Red Stack.
I didn't know you were promoted to editor. J/K. Glad you enjoy it.
 
My wife is the Managing Editor, I'm just a part time tech editor called in when guys like you swamp them with techno-babble.
If we could convince Jon Steele to write for them, I'd have a full time job. <zing POW>
 
I'm really sorry if this is a redundant question and I hope I'm not missing something here, but are we saying that if you use OAS for the JAS server the only way we can do Single Sign-On (LDAP) is to create an "OracleAS Single Sign-On Server", which also adds a new Oracle Database for the LDAP data store?
 
I read the posts but when it got to the important point:

[ QUOTE ]
...any SSO component and still function just well enough on its own, thank you very much. Certain caveats do apply, however, but those caveats notwithstanding, if you follow the installation and configuration guides, you'll see what I mean.

[/ QUOTE ]

I got lost in the legal-speak of "certain caveats" and "notwithstanding"'s. I read further and interpreted:

[ QUOTE ]
the OracleSSO specific configuration currently requires Oracle Internet Directory, it is technically possible to implement SSO with Microsoft's Kerberos implementation and not configure the LDAP server integration. It wouldn't be a good idea from a fallback authentication perspective, but it can be done.


[/ QUOTE ]

to mean that for all practical purposes, yes, Oracle SSO requires an ancillary LDAP data store. It sounds like Kerberos is possible but I have not found much support of it here or on the KG/Metalink3/Metalink.

This is one of the reasons why the other JDE installations I have worked on did not want to bother with SSO (neither Oracle's nor IBM's). That problem and the problem with 10+ account names kind of makes it difficult to justify the expense of SSO.
 
I think I've answered my own question.
As long as I don't want to use any of the JDE Portals and my users are on our network I can just use LDAP without Single Sign On to allow users to login to JDE without re-entering their Username and Password.

If anyone sees this differently, please let me know.
 
It really depends on what you think of, and what you are looking for, in an "SSO" solution.

Some vendors define "SSO" differently than others. For instance, some application vendors I regularly work with refer to an LDAP interface as "Single Sign-On", strictly in the sense that a single userid (stored in an LDAP such as Active Directory) is used across multiple applications and infrastructure.

Other technology focused vendors refer to SSO in terms of a browser based persistent cookie which is what Oracle SSO provides. In that sense, you logon once and for each additional application you connect to which is an Oracle SSO "partner" or "external" application, your existing credentials are passed to the application in place of a forms or Windows basic authentication prompt.

So, no, it isn't the only way. Oracle does support this (Oracle SSO) directly within the JAS code, however. They also support Oracle Access Manager (OAM) which can be integrated with or without Oracle Single Sign-On (OSSO).
These options are in addition to the "backend" LDAP integration which synchronizes users and profiles with an LDAP server.

It is also possible to enable LDAP completely within the confines of an IBM blue stack configuration. There, however, just as with any other LDAP integration (hooked into the JDE Security Kernel, that is), you run into the 10 character username and password limitations.
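The 10-character username limit mentioned above is something worth checking in the directory before hooking LDAP into the Security Kernel. The script below is an added example, not code from the thread or from Oracle; it parses a small constructed LDIF export (the attribute name sAMAccountName and the Active Directory layout are assumptions) and reports accounts over the limit plus any that would collide once truncated to 10 characters.

```python
"""Pre-check for a JDE LDAP integration (example added here, not from the
thread): flag directory usernames over the 10-character limit of the JDE
security kernel, and pairs that would collide if truncated to fit."""
from collections import defaultdict

JDE_MAX_LEN = 10  # limit stated in the thread for userid and password

# Constructed sample data; sAMAccountName as the username is an assumption.
SAMPLE_LDIF = """\
dn: CN=jsmith,OU=Users,DC=example,DC=com
sAMAccountName: jsmith

dn: CN=christopher.anderson,OU=Users,DC=example,DC=com
sAMAccountName: christopher.anderson

dn: CN=christopher.andrews,OU=Users,DC=example,DC=com
sAMAccountName: christopher.andrews

dn: CN=svc-jdeportal,OU=Service,DC=example,DC=com
sAMAccountName: svc-jdeportal
"""

def parse_ldif(text, attr="sAMAccountName"):
    """Return {dn: username} for every entry carrying `attr`.
    Minimal parser: blank-line separated entries, one attribute per line."""
    entries = {}
    dn, value = None, None
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if dn and value:
                entries[dn] = value
            dn, value = None, None
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "dn":
            dn = val
        elif key == attr:
            value = val
    return entries

def check_usernames(entries, max_len=JDE_MAX_LEN):
    """Return (too_long, collisions): usernames over the limit, and groups of
    usernames that become identical once cut to max_len characters."""
    too_long = sorted(u for u in entries.values() if len(u) > max_len)
    buckets = defaultdict(list)
    for u in entries.values():
        buckets[u[:max_len]].append(u)
    collisions = {k: sorted(v) for k, v in buckets.items() if len(v) > 1}
    return too_long, collisions
```

Run `check_usernames(parse_ldif(SAMPLE_LDIF))` against a real export to get the list of accounts that need a mapped short profile before LDAP integration is switched on.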
 
Properly implemented SSO eliminates the "long password" issue as a barrier at the HTML server layer. In those properly implemented environments, it simply never comes into play for production web users. I can say with confidence that for the majority of companies at the supported EnterpriseOne release level (currently 8.10 and above) it can be implemented in a reasonable amount of time. *Note that I mean SSO for 8.10 and not basic "LDAP integration" with the Security Kernel. For that it is 8.11 and up.

By "reasonable" I mean that it can be "turned on" in production in a matter of 30 to 60 days for a company with perhaps up to five to ten thousand accounts in a single account domain, and in some cases spread across multiple domains, even with a relatively complicated organizational unit structure. There is a learning curve involved, and as with most any technology solution, there are certain "kinks" one must work out before implementing (with or without Kerberos). For that I am slowly building a "cookbook" for JD Edwards EnterpriseOne customers.


The long username issue also has a workaround from what I understand, by mapping JDE profiles to long usernames, though it may require Oracle Access Manager - I honestly haven't looked into it but recall this in my conversations with Oracle, but I freely admit I can't recall from those conversations whether or not it is possible with Oracle SSO or IBM's solution.

It also isn't an issue at the fat client if you do not integrate LDAP on the "backend".


The two quotes you provided aren't related to each other in the sense to which you are linking them together. My apologies for "legal speak". The "certain caveats" have been covered in other posts, and I am referring to "10 character username and password limitations" when I use that phrase.

Kerberos is definitely possible - I am running it right now and would be happy to provide you with recorded "video" login sessions showing the difference. Oracle supports it - it just isn't something you can call the JD Edwards support team about and expect "expert level" assistance. For that you would contact Oracle technology support. Support is tied together by the fact that JD Edwards EnterpriseOne supports Oracle SSO for the JAS server and Oracle supports Kerberos/WNA with Oracle SSO. I never once heard a single negative word about this configuration from JD Edwards product managers out of Denver, and in fact have a nice piece of glass that shows they appreciate how we hooked the pieces together. It can be a model for others to follow, but like any model it can have pinstriping or flames added on the side, etc.



Here's the deal with OAS and Kerberos:

If you have a working Oracle Single Sign-On install configured and integrated with the JD Edwards HTML client, you "turn on" Kerberos (also known as "Windows Native Authentication") at the Oracle SSO layer, and SSO then "intercepts" your authentication attempts to JD Edwards and any other Oracle SSO integrated web applications and proxies the authentication for you after it certifies your PC via a Kerberos ticket exchange. The ticket is passed from your Windows computer through the HTTP Server to the SSO server, which in turn proxies the authentication directly to the Windows Server Domain Controller.


I'm sure other Kerberos implementations can be made to work also for non-Windows environments (the probable 2-3% that exist.)


The "10 character password" limitation doesn't even come into play because you have the SSO server providing both Kerberos and "fall back authentication" services - by fall back I mean:

If you are logged into a domain which isn't part of the Oracle SSO / Kerberos configuration, you will see an Oracle SSO login prompt. You might also see this if you are logged into the local PC rather than the domain to which the Windows PC has been attached, etc. This SSO prompt is a forms based authentication prompt which can be configured to accept your Windows username and password from Active Directory. The JAS server is configured with SSO support and it simply delegates ID verification to SSO and then matches the credentials (userid) to a JDE profile and hooks that back through the JDE security kernel.


You can also "chain" the SSO server to Active Directory and not "pull" or "push/pull" accounts between Active Directory and Oracle Internet Directory. This is a feature recently introduced in Oracle Identity Management 10.1.4. What this does, essentially, is a "real time" connect to the AD when credentials aren't found to match an account stored within the Oracle Internet Directory. In that configuration the OID is still tied to Oracle SSO but not used for much.
 
Not really - in your proposed configuration, users would still be required to re-enter their username and password. It would be their Windows or other LDAP username and password, but they have to enter it nonetheless.
 