Configure Datawiza for Microsoft Entra multifactor authentication and single sign-on to Oracle EBS

In this article, learn how to enable Microsoft Entra multifactor authentication and single sign-on (SSO) for an Oracle E-Business Suite (Oracle EBS) application via Datawiza.

Here are some benefits of integrating applications with Microsoft Entra ID via Datawiza:

  • A Zero Trust security model adapts to modern environments and embraces a hybrid workplace while it helps protect people, devices, apps, and data.
  • Single sign-on provides secure and seamless access for device users and apps from any location.
  • Multifactor authentication prompts users during sign-in for forms of identification, such as a code on their device or a fingerprint scan.
  • Conditional Access provides policies as if/then statements. If a user wants to access a resource, then they must complete an action.
  • Datawiza provides authentication and authorization in Microsoft Entra ID with no code. Use web applications such as Oracle JDE, Oracle EBS, Oracle Siebel, and home-grown apps.
  • Use the Datawiza Cloud Management Console (DCMC) to manage access to applications in public clouds and on-premises.

This article focuses on modern identity providers (IdPs) integrating with the legacy Oracle EBS application. The application requires a set of Oracle EBS service account credentials and an Oracle EBS database container (DBC) file.

Architecture

The solution has the following components:

  • Microsoft Entra ID: Microsoft's cloud-based identity and access management service, which helps users sign in and access external and internal resources.
  • Oracle EBS: The legacy application that Microsoft Entra ID will help protect.
  • Datawiza Access Proxy (DAP): A lightweight container-based reverse proxy that implements OIDC/OAuth or SAML for user sign-on flow. It transparently passes identity to applications through HTTP headers.
  • DCMC: A centralized management console that manages DAP. The console provides UI and RESTful APIs for administrators to manage the configurations of DAP and its granular access control policies.

Prerequisites

To complete the steps in this article, you need:

Configure the Oracle EBS environment for SSO and create the DBC file

To enable SSO in the Oracle EBS environment:

  1. Sign in to the Oracle EBS management console as an administrator.

  2. Scroll down the navigation pane, expand User Management, and then select Users.

    Screenshot of the navigation pane in the Oracle EBS management console.

  3. Add a user account. Select Create User > User Account.

    Screenshot of selections for creating a user account.

  4. For User Name, enter DWSSOUSER.

  5. For Password, enter a password.

  6. For Description, enter DW User account for SSO.

  7. For Password Expiration, select None.

  8. Assign Apps Schema Connect Role to the user.

    Screenshot of selections to assign Apps Schema Connect Role in search results.

Register DAP with Oracle EBS

In the Oracle EBS Linux environment, generate a new DBC file for DAP. You need the app's user credentials and the default DBC file (under $FND_SECURE) that the application tier uses.

  1. Configure the environment for Oracle EBS by sourcing the environment file with a command similar to:

    . /u01/install/APPS/EBSapps.env run

  2. Use the AdminDesktop utility to generate the new DBC file. Specify the name of a new desktop node for this DBC file:

    java oracle.apps.fnd.security.AdminDesktop apps/apps CREATE NODE_NAME=<ebs domain name> DBC=/u01/install/APPS/fs1/inst/apps/EBSDB_apps/appl/fnd/12.0.0/secure/EBSDB.dbc

    This action generates a file called ebsdb_<ebs domain name>.dbc in the location where you ran the command.

  3. Copy the DBC file's content to a notebook. You'll use the content later.

Enable Oracle EBS for SSO

  1. To integrate Oracle EBS with Microsoft Entra ID, sign in to the Datawiza Cloud Management Console.

    The welcome page appears.

  2. Select the orange Getting started button.

    Screenshot of the button for getting started with an access proxy on the Datawiza Cloud Management Console.

  3. For Name, enter a name for the deployment.

    Screenshot of the text box for a deployment name.

  4. For Description, enter a description of the deployment.

  5. Select Next.

  6. On Add Application, for Platform, select Oracle E-Business Suite.

  7. For App Name, enter the app name.

  8. For Public Domain, enter the external-facing URL of the application. For example, enter https://ebs-external.example.com. You can use localhost DNS for testing.

  9. For Listen Port, select the port that DAP listens on. You can use the port in Public Domain if you aren't deploying the DAP behind a load balancer.

  10. For Upstream Servers, enter the URL and port combination of the Oracle EBS implementation that you want to protect.

  11. For EBS Service Account, enter the username from the service account (DWSSOUSER).

  12. For EBS Account Password, enter the password for the service account.

  13. For EBS User Mapping, the product decides the attribute to be mapped to the Oracle EBS username for authentication.

  14. For EBS DBC Content, use the content that you copied.

  15. Select Next.

    Screenshot of entries and selections for adding an application.

IdP configuration

Use the DCMC one-click integration to help you complete Microsoft Entra configuration. With this feature, you can reduce management costs and the likelihood of configuration errors.

Screenshot of entries and selections for configuring IdP.

Docker Compose file

Configuration on the management console is complete. You're prompted to deploy DAP with your application. Make a note of the deployment Docker Compose file. The file includes the DAP image, PROVISIONING_KEY, and PROVISIONING_SECRET. DAP uses this information to pull the latest configuration and policies from DCMC.

Screenshot of Docker information.
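
Because the Docker Compose file carries PROVISIONING_KEY and PROVISIONING_SECRET, it is worth checking how it is stored before it lands on a shared host or in version control. The following is an added example, not Datawiza or Microsoft code: it flags a compose file that is accessible beyond its owner or that holds the two values as literals instead of Compose `${VAR}` interpolation. The service name `dap`, the image placeholder, and the sample values are constructed assumptions.

```shell
# Added example: audit a DAP Docker Compose file for exposed provisioning credentials.
# Findings name the variable but never echo its value.
# Returns 0 if clean, 1 on findings, 2 if the file is missing.
audit_dap_compose() {
  local file="$1" mode name value findings=0
  [ -f "$file" ] || { echo "missing: $file"; return 2; }

  # The file carries credentials, so group and other should have no access.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    0|*00) ;;
    *) echo "mode $mode: accessible beyond the owner"; findings=1 ;;
  esac

  for name in PROVISIONING_KEY PROVISIONING_SECRET; do
    # Accept both "NAME: value" (map form) and "- NAME=value" (list form).
    value=$(sed -n -E "s/^[[:space:]-]*${name}[[:space:]]*[:=][[:space:]]*//p" "$file" |
      head -n 1 | tr -d "\"'")
    case "$value" in
      ''|'${'*'}') ;;  # not set here, or interpolated from the environment/.env
      *) echo "$name: literal value stored in compose file"; findings=1 ;;
    esac
  done
  return "$findings"
}

# Constructed samples: service name "dap", the image placeholder and the values are
# assumptions; only the two variable names come from the article.
write_samples() {
  local dir="$1"
  printf '%s\n' 'services:' '  dap:' '    image: <DAP image from DCMC>' \
    '    environment:' '      PROVISIONING_KEY: "constructed-key"' \
    '      PROVISIONING_SECRET: "constructed-secret"' > "$dir/weak.yml"
  chmod 644 "$dir/weak.yml"
  printf '%s\n' 'services:' '  dap:' '    image: <DAP image from DCMC>' \
    '    environment:' '      PROVISIONING_KEY: ${PROVISIONING_KEY}' \
    '      PROVISIONING_SECRET: ${PROVISIONING_SECRET}' > "$dir/hardened.yml"
  chmod 600 "$dir/hardened.yml"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_dap_compose "$demo_dir/weak.yml" || true
if audit_dap_compose "$demo_dir/hardened.yml"; then echo "hardened.yml: clean"; fi
rm -rf "$demo_dir"
```

With the hardened layout, the two values live in the shell environment or a `.env` file next to the compose file, which needs the same owner-only permissions.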

SSL configuration

  1. For certificate configuration, select the Advanced tab on your application page. Then select SSL > Edit.

    Screenshot of the tab for advanced settings.

  2. Turn on the Enable SSL toggle.

  3. For Cert Type, select a certificate type.

    Screenshot of options for enabling SSL and selecting a certificate type.

    There's a self-signed certificate for localhost. To use that certificate for testing, select Self Signed.

    Screenshot of the option to use a self-signed certificate.

    Optionally, you can upload a certificate from a file. For Cert Type, select Upload. Then, for Select Option, select File Based.

    Screenshot of the option to upload a file-based certificate.

  4. Select Save.

Optional: Enable multifactor authentication on Microsoft Entra ID

Tip

Steps in this article might vary slightly based on the portal you start from.

To provide more security for sign-ins, you can enable multifactor authentication in the Microsoft Entra admin center:

  1. Sign in to the Microsoft Entra admin center as a Global Administrator.
  2. Browse to Identity > Overview > Properties tab.
  3. Under Security defaults, select Manage security defaults.
  4. On the Security defaults pane, toggle the dropdown menu to select Enabled.
  5. Select Save.
