A simple guide to securing end user access to Oracle Apps on OCI

May 23, 2019 | 4 minute read

Introduction

Lifting and shifting Oracle Applications from on-premises data centers to Oracle Cloud Infrastructure (OCI) requires careful planning: enterprises expect the same or a higher level of security when they move their workloads to the cloud. OCI provides a number of features for securing application deployments, the network, and administrative access to those deployments.

Check out the OCI security best practices white paper: https://cloud.oracle.com/iaas/whitepapers/oci_security.pdf

In this post, I want to focus on securing end user access to these applications. 

In the on-premises world, enterprises typically have a corporate Identity and Access Management (IAM) solution that secures end user access by adding Single Sign-On (SSO) to the various apps. The security benefits of SSO are well known, and multi-factor authentication combined with SSO makes end user access even more secure.

So, what SSO options do customers have when moving their workloads to OCI?

An obvious option would be to lift and shift the Identity and Access Management stack to the cloud; a better one would be to make use of a cloud SSO solution. 

Review: Traditional SSO Architecture

Traditionally, Oracle Apps like EBS, JDE and PeopleSoft support SSO via Oracle Access Manager (OAM) plus a directory server, either Oracle Internet Directory (OID) or Oracle Unified Directory (OUD). OAM and the directory are deployed on-premises and managed by the enterprises themselves.

Traditional EBS SSO Architecture


Reference - https://docs.oracle.com/cd/E26401_01/doc.122/e22952/T156458T580814.htm

Pain Points

1. Complex integration 

The integration is complex and requires OAM servers, the OAM WebGate, the EBS AccessGate, and a directory like OID or OUD with DIP configured.

2. Dependency on OID/OUD 

Even if enterprises have a different user repository like MS Active Directory, EBS can only integrate with AD via OID/OUD. This then requires a separate OID instance and user synchronization via DIP, as well as regular maintenance of that OID instance and its underlying database.

3. Customers responsible for managing the IDM stack

This requires deep IDM domain knowledge and integration expertise. Customers are responsible for designing the solution to support high availability (HA) and failover.


Traditional SSO Architecture for JDE and PeopleSoft

JDE and PeopleSoft applications support SSO by externalizing authentication to OAM and consuming a header variable set by the OAM WebGate.

The OAM WebGate acts as the enforcement point and intercepts every request going to the end application (JDE/PeopleSoft).


The PeopleSoft SSO architecture is very similar: a WebGate is deployed on the reverse proxy in front of the PeopleSoft application and intercepts every incoming request.

Reference - https://docs.oracle.com/cd/E12530_01/oam.1014/e10356/people.htm#CHDJAJAA


Pain Points

1. Customers responsible for managing the Identity and Access Management stack.

This requires deep IDM domain knowledge and integration expertise. Customers are responsible for designing the solution to support high availability (HA) and failover.


The Cloud Approach  

Oracle Identity Cloud Service (IDCS) is Oracle’s cloud SSO solution and it provides lightweight components to integrate with numerous applications.

EBS SSO

IDCS supports a component called the “EBS Asserter”. Customers can download this from the IDCS administration console and deploy/run it on a WebLogic cluster. 

This tutorial provides details on how to set up EBS SSO using the EBS Asserter component: https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/ebs_asserter_obe/ebs-asserter.html

IDCS Asserter Successful Authentication Flow


PeopleSoft/JDE SSO

IDCS provides a component called the “App Gateway” which is a software appliance that you install and configure on-premise or in OCI. It leverages your domain name system and networking solutions to provide reverse proxy services to your applications.

This is simpler than the traditional approach, where customers install and configure a reverse proxy and a WebGate to protect the end applications.
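As an added illustration (not code from OAM, the WebGate or the IDCS App Gateway), the following Python models the enforcement-point pattern used for JDE and PeopleSoft above and by the App Gateway: the reverse proxy authenticates the user, overwrites any client-supplied identity header with its own value, and the application honours the header only on requests that came through the proxy. The header name, session store and user are constructed for the example.

```python
from http import HTTPStatus

# Constructed header name for the example; OAM WebGate and the IDCS App
# Gateway each set their own configured header, which this does not model.
ASSERTED_USER_HEADER = "X-Asserted-User"

# Constructed session store: gateway session cookie -> authenticated user.
GATEWAY_SESSIONS = {"sess-abc123": "jdoe"}


def gateway_forward(cookies, client_headers):
    """Enforcement point in front of the application.

    Returns (status, headers): a redirect to the login page when there is
    no gateway session, otherwise the headers forwarded to the app with
    the identity header set by the gateway, never by the client.
    """
    user = GATEWAY_SESSIONS.get(cookies.get("gw_session"))
    if user is None:
        return HTTPStatus.FOUND, {"Location": "/login"}
    # Drop any identity header the client sent (case-insensitive match)
    # before setting the gateway's own value.
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != ASSERTED_USER_HEADER.lower()}
    forwarded[ASSERTED_USER_HEADER] = user
    return HTTPStatus.OK, forwarded


def app_current_user(headers, from_gateway):
    """Application side: the header identifies the user only for requests
    that arrived via the gateway. `from_gateway` stands in for whatever
    network control (security list, firewall) guarantees that path."""
    if not from_gateway:
        return None
    return headers.get(ASSERTED_USER_HEADER)


def handle_request(cookies, client_headers):
    """End-to-end path: client -> gateway -> application.
    Returns (status, user); user is None when not authenticated."""
    status, headers = gateway_forward(cookies, client_headers)
    if status != HTTPStatus.OK:
        return status, None
    return status, app_current_user(headers, from_gateway=True)
```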

Architecture Diagram


Note – Both PeopleSoft and JDE integrate with IDCS using the “App Gateway” approach.

Reference:

JDE SSO - https://docs.oracle.com/en/solutions/secure-jd-edwards-with-identity-cloud/configure-app-gateway.html#GUID-521D64CB-75EA-43B7-B0E2-0992D2A12B66

PeopleSoft SSO - https://docs.oracle.com/en/solutions/secure-peoplesoft-with-identity-cloud/configure-app-gateway.html#GUID-0B15838B-CB54-435E-A3EB-8E605D39838E

So, why is Cloud SSO better?

1. Fully Oracle-managed SSO service.

2. Simpler deployment

  • Applications integrate with IDCS using lightweight components.
  • Removes the OID/OUD dependency.

3. Supports user synchronization with on-premises Active Directory.

4. IDCS has several features that enhance end user security:

  • Easy setup and support for multi-factor authentication
  • Supports risk-based and contextual authentication
  • Allows setting up coarse-grained authorization by adding sign-on policies
  • Extensive auditing API


Summary

When moving enterprise applications to the cloud, customers have a number of options for securing end user access. This post provided an overview of the traditional SSO approach and the new Oracle cloud SSO approach for securing EBS, JDE and PeopleSoft applications.


Manasi Vaishampayan
