Lift and shift of Oracle Applications from on premise to Oracle Cloud Infrastructure requires careful planning and enterprises want the same or higher level of security when moving their workloads to the cloud. OCI provides a number of features for securing application deployments/network and administrative access to these deployments.
Check out the OCI security best practices white paper available here –
https://cloud.oracle.com/iaas/whitepapers/oci_security.pdf
In this post, I want to focus on securing end user access to these applications.
In the on-premise world, enterprises would typically have a corporate Identity and Access Management solution to secure end user access by adding Single Sign On to the various apps. The security benefits of adding SSO are well known and multi-factor authentication combined with SSO makes end user access even more secure.
So, what SSO options do customers have when moving their workloads to OCI?
An obvious option would be to lift and shift the Identity and Access Management stack to the cloud; a better one would be to make use of a cloud SSO solution.
Traditionally, Oracle Apps like EBS, JDE & PeopleSoft support SSO via Oracle Access Manager (OAM) plus a directory server - either Oracle Internet Directory (OID) or Oracle Unified Directory (OUD). OAM and the directory would be deployed on-premise and managed by enterprises themselves.
Reference - https://docs.oracle.com/cd/E26401_01/doc.122/e22952/T156458T580814.htm
Pain Points
1. Complex integration
The integration is complex and requires OAM servers, the OAM WebGate, the EBS AccessGate, and a directory like OID or OUD with DIP configured.
2. Dependency on OID/OUD
Even if enterprises have a different user repository like MS Active Directory, EBS can only integrate with AD via OID/OUD. This then requires a separate OID instance and user synchronization via DIP, as well as regular maintenance of that OID instance and its underlying database.
3. Customers responsible for managing the IDM stack
Requires deep IDM domain knowledge and integration expertise. Customers are responsible for designing the solution to support high availability (HA) and Failover.
JDE and PeopleSoft applications support SSO by externalizing authentication to OAM and consuming a header variable set by the OAM WebGate.
The OAM Webgate acts as an enforcement point and intercepts every request going to the end application (JDE/PeopleSoft).
The PeopleSoft SSO architecture is very similar: a WebGate is deployed on the reverse proxy in front of the PeopleSoft application and intercepts every incoming request.
Reference - https://docs.oracle.com/cd/E12530_01/oam.1014/e10356/people.htm#CHDJAJAA
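The header-variable pattern above is easiest to reason about as two roles: an enforcement point that intercepts every request, authenticates the user and forwards the request with an identity header, and an application that trusts that header. The model below is an example added to this post, not Oracle code; it does not reproduce OAM or WebGate internals. All header names, the session table and the shared-secret tag are constructed for the illustration. The tag is an extra check that is not part of the Oracle design, where the guarantee that only the WebGate can reach the application comes from network placement; it is included here to make explicit what the application is relying on. Two defensive details are shown: the enforcement point drops any identity header that arrived from the client, and the application refuses a header that the enforcement point did not set.

```python
"""Model of header-variable SSO with an enforcement point in front of the app.

Example added for illustration; not Oracle code. Header names, the session
table, and the HMAC tag are constructed assumptions, not OAM/WebGate behaviour.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Union

IDENTITY_HEADER = "X-Remote-User"              # constructed header name
TAG_HEADER = "X-Remote-User-Tag"               # constructed; proves who set the header
GATEWAY_SECRET = b"constructed-shared-secret"  # shared by gateway and app in this model

# Constructed session table standing in for the session validation the
# WebGate performs against OAM: cookie value -> authenticated user.
SESSIONS = {"sess-1234": "jdoe"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    cookie: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str


def _tag(user: str) -> str:
    """HMAC over the user id so the app can tell the gateway set the header."""
    return hmac.new(GATEWAY_SECRET, user.encode(), hashlib.sha256).hexdigest()


def enforcement_point(req: Request) -> Union[Request, Response]:
    """Role of the WebGate: intercept every request before it reaches the app.

    Unauthenticated requests are redirected to login; authenticated ones are
    forwarded with the identity header and its tag.
    """
    # Drop identity headers supplied by the client so the application only
    # ever sees values this enforcement point set.
    clean = {
        k: v for k, v in req.headers.items()
        if k.lower() not in (IDENTITY_HEADER.lower(), TAG_HEADER.lower())
    }
    user = SESSIONS.get(req.cookie or "")
    if user is None:
        return Response(302, "redirect to login")
    clean[IDENTITY_HEADER] = user
    clean[TAG_HEADER] = _tag(user)
    return Request(req.path, clean, req.cookie)


def application(req: Request) -> Response:
    """Role of JDE/PeopleSoft: consume the identity header.

    The header is honoured only when its tag verifies, i.e. when the request
    actually passed through the enforcement point.
    """
    user = req.headers.get(IDENTITY_HEADER)
    tag = req.headers.get(TAG_HEADER, "")
    if not user or not hmac.compare_digest(tag, _tag(user)):
        return Response(403, "identity header missing or not set by the gateway")
    return Response(200, f"hello {user}")


def handle(req: Request) -> Response:
    """Full request path: enforcement point first, then the application."""
    forwarded = enforcement_point(req)
    if isinstance(forwarded, Response):
        return forwarded
    return application(forwarded)


if __name__ == "__main__":
    print(handle(Request("/home", cookie="sess-1234")))   # authenticated
    print(handle(Request("/home")))                       # redirected to login
    print(application(Request("/home", {IDENTITY_HEADER: "someone"})))  # bypassed gateway: 403
```

The point to take from the model is the last call: an application that consumes a header variable is only as safe as the guarantee that every request passed through the enforcement point, which is why the WebGate (and, below, the App Gateway) has to sit on the sole path to the application rather than beside it.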
Pain Points
1. Customers responsible for managing the Identity and access management stack.
Requires deep IDM domain knowledge and integration expertise. Customers are responsible for designing the solution to support high availability (HA) and Fail-over.
Oracle Identity Cloud Service (IDCS) is Oracle’s cloud SSO solution and it provides lightweight components to integrate with numerous applications.
IDCS supports a component called the “EBS Asserter”. Customers can download this from the IDCS administration console and deploy/run it on a WebLogic cluster.
This tutorial provides details on how to set up EBS SSO using the EBS Asserter component: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/ebs_asserter_obe/ebs-asserter.html
IDCS Asserter Successful Authentication Flow
IDCS provides a component called the “App Gateway” which is a software appliance that you install and configure on-premise or in OCI. It leverages your domain name system and networking solutions to provide reverse proxy services to your applications.
This is a simpler approach than the traditional one where customers install/configure a reverse proxy and WebGate to protect end applications.
Note – Both PeopleSoft and JDE integrate with IDCS using the “App Gateway” approach.
Reference:
JDE SSO -
PeopleSoft SSO - https://docs.oracle.com/en/solutions/secure-peoplesoft-with-identity-cloud/configure-app-gateway.html#GUID-0B15838B-CB54-435E-A3EB-8E605D39838E
1. Fully Oracle-managed SSO service.
2. Simpler deployment.
3. Supports user synchronization with on premise Active Directory.
4. IDCS has several features that enhance end user security.
When moving enterprise applications to the cloud, customers have a number of options for securing end user access. This post provided an overview of the traditional SSO approach and the new Oracle cloud SSO approach for securing EBS, JDE and PeopleSoft applications.