Thread: JDE Mobile using Azure, MFA - Any alternative to OAM?

  1. #1

    JDE Mobile using Azure, MFA - Any alternative to OAM?

    All,

    We are exploring our options for using Multi-factor authentication (MFA) for custom Mobile apps (specifically Azure).

    If it matters, mobile development is planned to be done using the React toolset (NOT the native Oracle ADF toolset), but we are planning to access JDE via the AIS server, the same way as ADF apps do.

    My understanding is that, as per Oracle, the only official way to access the AIS server using MFA (multi-factor authentication services like Azure) is to configure SSO on the JDE end, which in turn requires setup of OAM (Oracle Access Manager).

    In that case the mobile client can obtain a JWS token from Azure and pass it to AIS/JDE/OAM.
    Although we do have some experience with OAM, we really would prefer to avoid using it due to various factors (complexity being one of them).

    So, I am wondering if there are any other options that will allow us to access AIS server using Azure/MFA that do not involve OAM.
    (Obviously we can set up VPN software on mobile devices as an option, but that will require users to enter their credentials multiple times, which is not very convenient.)

    We do have LDAP integration enabled, so JDE users are authenticated against Windows Domain controllers.

    We do not yet have the ‘long user ID’ feature enabled, but this can be implemented relatively quickly so logins like username@company.com will work in JDE.

    App 9.1
    Tools 9.2.2.4
    SQL 2014, WLS 12.2.1.3, Windows 2016

  2. #2
    I agree, if OAM is only used for JDE SSO then it is definitely overkill and not worth the headache. I personally avoid OAM for JDE SSO by emulating the authentication/header injection that OAM does via a load balancer or a web server filter DLL.

    There was an enhancement in 9.2.1.2 to allow OAM auth for mobile. I haven't used it. I don't know if it simply relies on the same header injection technique that normal OAM/JDE JAS does.

    However, I don't believe you need JDE SSO turned on or OAM for your requirement.

    Take a look at these support notes. If you replace Oracle Mobile Cloud Service with the Azure MFA solution in these I think the JWT aligns with your requirement. This is something I have been meaning to try myself. I would definitely be interested to hear if you go this way and how it works out.

    E1: MOB: Third Party Single Sign On (SSO) Provider for JD Edwards EnterpriseOne Mobile Application using JDE/MCS Pass-through Solution (Doc ID 2211288.1)
    E1: AIS JSON - Authentication Options and Examples (Doc ID 2302120.1)

    Since the Azure AD signing certificate that signs the JWT tokens has to be imported into the JAS certificate store I think there may be a need to script some sort of periodic check and update. Have a look here for a discussion about key rollover https://docs.microsoft.com/en-us/azu...g-key-rollover

    It sounds like it can happen at any time and you have to be able to pick up the new key and trust it in order for the JWT interaction to work. It might be a good job for a scheduled PowerShell script that checks the signing certificate for rollover and then imports it into the JAS certificate store.
    Last edited by JEMILLER; 01-03-2019 at 07:56 PM. Reason: typos
    Justin Miller

  3. #3
    Thanks, Justin!
    It sounds like we _may_ get away without OAM. We are going to try this Azure / JWT token / Azure certificate imported approach and see how it goes.

  4. #4
    Yes, SSOgen offers free MFA and many SSO integration points. Read more at https://www.ssogen.com/oracle-jde-sso/

  5. #5
    OK, here is the short version for now:
    In general, it works! We built a functional POC.
    After certain setup, the JDE AIS server CAN authorize a user with a JWT token generated by Azure MFA (at least on tools 9224).
    No need for Oracle OAM.

    Challenges:

    - Looks like long user IDs have to be enabled in E1 (at least in the Azure case) and you have to be able to log in to E1 using your email.

    - You can’t (easily) use Azure Proxy in order to publish the AIS server API to the external world. Apparently the Azure proxy doesn’t pass its own JWT token to the AIS server (or any API, for that matter). It doesn’t make sense to me, but Microsoft confirmed it.

    - Public Azure keys are indeed changing periodically.

    We had to resort to some customized workarounds to address the issues above.
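The key-rollover problem raised in post #2 and confirmed in post #5 comes down to keeping the JAS trust store in step with the keys the tenant's JWKS endpoint currently publishes. The following is an added example, not code from the thread or from Oracle or Microsoft; it shows the offline half of such a periodic check (the JWKS document, key IDs and certificate bytes are constructed placeholders, and the real JWKS would be fetched from the tenant's OpenID discovery `jwks_uri` over HTTPS).

```python
import base64
import hashlib
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def x5t_from_der(der_b64: str) -> str:
    """JWK 'x5t' is the base64url SHA-1 thumbprint of the DER certificate in x5c[0]."""
    return b64url_encode(hashlib.sha1(base64.b64decode(der_b64)).digest())

def make_key(kid: str, der: bytes) -> dict:
    """Build a JWKS entry in the shape Azure AD publishes (constructed; not a real certificate)."""
    der_b64 = base64.b64encode(der).decode()
    return {"kty": "RSA", "use": "sig", "kid": kid, "x5t": x5t_from_der(der_b64), "x5c": [der_b64]}

# Constructed sample: what the tenant's jwks_uri returns today, one old key and one rolled-in key.
SAMPLE_JWKS = {"keys": [make_key("kid-old", b"constructed-cert-old"),
                        make_key("kid-new", b"constructed-cert-new")]}

def x5t_matches(key: dict) -> bool:
    """Reject an entry whose advertised thumbprint does not match the certificate it carries."""
    return bool(key.get("x5c")) and key.get("x5t") == x5t_from_der(key["x5c"][0])

def diff_trust_store(jwks: dict, trusted_kids: set) -> tuple:
    """Compare the published signing keys with what the JAS trust store already holds.
    Returns (kids to import, kids to retire); malformed entries are never imported."""
    published = {k["kid"] for k in jwks["keys"] if x5t_matches(k)}
    return published - trusted_kids, trusted_kids - published

def kid_from_jwt(token: str) -> str:
    """Read only the unverified header to pick a key; signature verification happens afterwards."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("kid", "")

def select_key(token: str, jwks: dict, trusted_kids: set):
    """Return the trusted JWKS entry for the token's kid, or None (unknown kid => likely rollover)."""
    kid = kid_from_jwt(token)
    if kid not in trusted_kids:
        return None
    return next((k for k in jwks["keys"] if k["kid"] == kid and x5t_matches(k)), None)

def sample_token(kid: str) -> str:
    """Constructed header.payload.signature skeleton carrying the given kid; it is not signed."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    return header + "." + b64url_encode(b'{"sub":"user@company.com"}') + ".sig"
```

A scheduled job would call `diff_trust_store` against the live JWKS and the kids present in the JAS store, import the first set and retire the second; a `None` from `select_key` on an otherwise valid-looking token is the signal that rollover happened before the job ran.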