JDE Mobile using Azure, MFA - Any alternative to OAM?

Longrider2

Member
All,

We are exploring our options for using Multi-factor authentication (MFA) for custom Mobile apps (specifically Azure).

If it matters, mobile development is planned to be done using the React toolset (NOT the native Oracle ADF toolset), but we are planning to access JDE via the AIS server, the same way ADF apps do.

My understanding is that, as per Oracle, the only official way to access the AIS server using MFA (multi-factor authentication services like Azure) is to configure SSO on the JDE end, which in turn requires setting up OAM (Oracle Access Manager).

In that case the mobile client can obtain a JWS token from Azure and pass it to AIS/JDE/OAM.
Although we do have some experience with OAM, we really would prefer to avoid using it due to various factors (complexity being one of them).

So, I am wondering if there are any other options that will allow us to access the AIS server using Azure/MFA that do not involve OAM.
(Obviously we can set up VPN software on mobile devices as an option, but that will require users to enter their credentials multiple times, which is not very convenient.)

We do have LDAP integration enabled, so JDE users are authenticated against Windows Domain controllers.

We do not yet have the 'long user ID' feature enabled, but this can be implemented relatively quickly so logins like [email protected] will work in JDE.

App 9.1
Tools 9.2.2.4
SQL 2014, WLS 12.2.1.3, Windows 2016
 
I agree, if OAM is only used for JDE SSO then it is definitely overkill and not worth the headache. I personally avoid OAM for JDE SSO by emulating the authentication/header injection that OAM does via a load balancer or a web server filter DLL.

There was an enhancement in 9.2.1.2 to allow OAM auth for mobile. I haven't used it. I don't know if it simply relies on the same header injection technique that normal OAM/JDE JAS does.

However, I don't believe you need JDE SSO turned on or OAM for your requirement.

Take a look at these support notes. If you replace Oracle Mobile Cloud Service with the Azure MFA solution in these I think the JWT aligns with your requirement. This is something I have been meaning to try myself. I would definitely be interested to hear if you go this way and how it works out.

E1: MOB: Third Party Single Sign On (SSO) Provider for JD Edwards EnterpriseOne Mobile Application using JDE/MCS Pass-through Solution (Doc ID 2211288.1)
E1: AIS JSON - Authentication Options and Examples (Doc ID 2302120.1)

Since the Azure AD signing certificate that signs the JWT tokens has to be imported into the JAS certificate store I think there may be a need to script some sort of periodic check and update. Have a look here for a discussion about key rollover https://docs.microsoft.com/en-us/az...develop/active-directory-signing-key-rollover

It sounds like it can happen at any time and you have to be able to pick up the new key and trust it in order for the JWT interaction to work. It might be a good job for a scheduled PowerShell script that checks the signing certificate for rollover and then imports it into the JAS certificate store.
 
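To make the rollover check Justin describes concrete, here is an added example (not code from this thread, from Oracle, or from Microsoft), written in Python rather than the PowerShell he suggests: it diffs the JWKS copy already trusted by the JAS keystore against a freshly downloaded copy, wraps any newly published x5c certificate as PEM for keystore import, and classifies an incoming token's kid as trusted, rolled over, or unknown. The JWKS documents and x5c values are constructed placeholders, and the download of the real Azure discovery keys endpoint is left out so the script runs offline.

```python
import base64
import json

# Constructed JWKS snapshots (not real Azure AD data): the copy already trusted by the
# JAS/AIS keystore and a freshly downloaded copy of the tenant's discovery keys endpoint.
# The x5c values are placeholders, not real DER certificates.
CACHED_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "old-1", "x5c": ["TUlJQy1vbGQtMQ"]},
    {"kty": "RSA", "use": "sig", "kid": "cur-2", "x5c": ["TUlJQy1jdXItMg"]},
]}
FRESH_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "cur-2", "x5c": ["TUlJQy1jdXItMg"]},
    {"kty": "RSA", "use": "sig", "kid": "new-3", "x5c": ["TUlJQy1uZXctMw"]},
]}

def signing_certs(jwks):
    """kid -> base64 DER certificate for each RSA signing key that carries an x5c chain."""
    return {k["kid"]: k["x5c"][0] for k in jwks["keys"]
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig" and k.get("x5c")}

def rollover_diff(cached, fresh):
    """Kids to import into the JAS store, and kids Azure no longer publishes (retire)."""
    old, new = signing_certs(cached), signing_certs(fresh)
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

def to_pem(der_b64):
    """Wrap an x5c entry (base64 DER) as PEM, the form keytool imports into a keystore."""
    body = "\n".join(der_b64[i:i + 64] for i in range(0, len(der_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sample_token(kid):
    """Constructed JWT with a placeholder signature, only to exercise the kid lookup."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT", "kid": kid})
    return header + "." + enc({"upn": "user@example.com"}) + ".placeholder-signature"

def token_kid(token):
    """Read kid from the unverified header: it only selects which trusted key to try."""
    head = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4))).get("kid")

def key_status(token, cached, fresh):
    """'trusted' (kid in keystore), 'rollover' (new Azure key, import first), 'unknown'."""
    kid = token_kid(token)
    if kid in signing_certs(cached):
        return "trusted"
    return "rollover" if kid in signing_certs(fresh) else "unknown"
```

A token whose kid is neither in the keystore nor in the freshly fetched JWKS should be rejected outright; a "rollover" result is the trigger for the scheduled import step, after which signature verification proceeds against the imported key.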
Thanks, Justin!
It sounds like we _may_ get away without OAM. We are going to try this Azure / JWT token / Azure certificate imported approach and see how it goes.
 
OK, here is the short version for now:
In general, it works! We built a functional POC.
After a certain setup, the JDE AIS server CAN authorize a user with a JWT token generated by Azure MFA (at least on Tools 9224).
No need for Oracle OAM.

Challenges:

- Looks like long user IDs have to be enabled in E1 (at least in the Azure case) and you have to be able to log in to E1 using your email.

- You can't (easily) use Azure Proxy to publish the AIS server API to the external world. Apparently Azure Proxy doesn't pass its own JWT token to the AIS server (or any API, for that matter). It doesn't make sense to me, but Microsoft confirmed it.

- Public Azure keys do indeed change periodically.

We had to resort to some customized workarounds to address the issues above.
 
Hey, I'm looking to replicate your POC for setting up an AIS server to authorize users with Azure JWT.
I feel like I'm missing some key steps after doing basic research through JDE documentation on 3rd party JWT authorization & SSO...
It'd be awesome if you would be able to assist. No worries otherwise; it's good to know that it's possible regardless.
 
Hey Longrider2, -redacted- (see above post, accidentally double-posted)
 