This section describes how to configure an Oracle E-Business Suite Release 12.2 instance as a provisioning integrated application with Oracle Access Manager. The goal is to keep user information synchronized between Oracle Directory Services and Oracle E-Business Suite Release 12.
Bidirectional provisioning between Oracle E-Business Suite and Oracle Directory Services is built around the Oracle Directory Integration Platform, as described further in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory or Oracle Fusion Middleware Administering Oracle Unified Directory.
A key feature of this solution is the provisioning integration service, which enables automatic provisioning (updating between the systems) of account creation or changes of user attributes. The provisioning process between each Oracle E-Business Suite instance and Oracle Directory Services is controlled by a provisioning profile.
When changes are made in Oracle Directory Services that match an application's provisioning profile event subscription criteria, the Provisioning Integration Service is the agent that sends the relevant new data to that application. Going in the other direction, the Provisioning Integration Service filters changes coming from an application (according to the application's provisioning profile's permitted events criteria), and transmits applicable ones to Oracle Directory Services.
One of the advantages of this solution is a high level of flexibility at deployment time; that is, the provisioning profile is highly customizable. The profile is configured either by using oidprovtool, or by instantiating an LDIF template file that contains the requisite values for the particular deployment.
Before a profile can be created, the relevant Oracle E-Business Suite instance must be registered with Oracle Directory Services. This involves creating a unique application identity for the instance in Oracle Directory Services.
Oracle E-Business Suite instances are created at the following location in the directory information tree (DIT): "cn=E-Business,cn=Products,cn=OracleContext, <Identity Management Realm>"
The created application identity (combination of dn and password) also needs to be stored in Oracle E-Business Suite. Note that the registered application identity and password can be used by the application administrator to connect to Oracle Directory Services for certain tasks, such as querying the provisioned profile details between this application instance and Oracle Directory Services.
CREATION, MODIFICATION, and DELETION events can be enabled or disabled individually. Four event types are currently used:
SUBSCRIPTION_ADD
IDENTITY_ADD
IDENTITY_MODIFY
IDENTITY_DELETE
Each of these is described below:
SUBSCRIPTION_ADD
This event is generated by either Oracle Directory Services or Oracle E-Business Suite Release 12.
Oracle Directory Services maintains a subscription list for each Oracle E-Business Suite instance that has registered with Oracle Directory Services. The subscription list records all single sign-on user accounts that need to access the associated Oracle E-Business Suite instance.
Oracle Directory Services and the associated Oracle E-Business Suite instance jointly maintain the accuracy of the subscription list.
When a single sign-on account is created in Oracle Directory Services, and subsequently added to the subscription list of an Oracle E-Business Suite instance (see Manual Subscription Management With Provsubtool for how this is done), a SUBSCRIPTION_ADD event is generated in Oracle Directory Services. If this event is enabled in the Oracle Directory Services to Oracle E-Business Suite direction, a new application account will be created and linked to the single sign-on account.
When Oracle Directory Services receives an IDENTITY_ADD event (see below) from an Oracle E-Business Suite instance, it adds the user to the subscription list of that Oracle E-Business Suite instance.
When Link-on-the-Fly is performed on an Oracle E-Business Suite Release 12 instance, the Oracle E-Business Suite instance will send a SUBSCRIPTION_ADD event to Oracle Directory Services.
When an IDENTITY_MODIFY event (see below) is generated in Oracle Directory Services, Oracle Directory Services checks the subscription lists of all registered Oracle E-Business Suite Release 12 instances, and sends the event to an Oracle E-Business Suite Release 12 instance only if the modified user appears on that instance's subscription list.
IDENTITY_ADD
This event is generated by either Oracle E-Business Suite or Oracle Directory Services when a new user is created. If this event is enabled in the Oracle E-Business Suite to Oracle Directory Services direction, then when Oracle Directory Services receives it, it creates an Oracle single sign-on account in Oracle Directory Services and adds the account to the subscription list of that Oracle E-Business Suite Release 12 instance. In the other direction, if this event is enabled from Oracle Directory Services to Oracle E-Business Suite and the profile option 'Applications SSO Enable OID Identity Add Event' is set to 'Enabled', it has the same effect as a SUBSCRIPTION_ADD event generated by Oracle Directory Services.
IDENTITY_MODIFY
This event is generated by either Oracle Directory Services or Oracle E-Business Suite when a user account is modified. If this event is enabled in either direction, the receiving system will apply the modification to the account on that system.
IDENTITY_DELETE
This event is generated by Oracle Directory Services when an Oracle single sign-on account is deleted. If this event is enabled from the Oracle Directory Services to Oracle E-Business Suite direction, after an Oracle E-Business Suite Release 12 instance receives this event, it will end-date the application account linked to the Oracle single sign-on account.
Provisioning Direction
Each event can be enabled in:
One direction:
From Oracle Directory Services to Oracle E-Business Suite only
From Oracle E-Business Suite to Oracle Directory Services only
Both directions:
From Oracle Directory Services to Oracle E-Business Suite
From Oracle E-Business Suite to Oracle Directory Services
Attribute List
For each direction and each type of event, the list of provisioned attributes can be customized as required (removing an attribute from the attribute list disables sending that attribute). The Supported Attributes section lists the attributes currently supported for each direction, as well as the mapping between Oracle Directory Services attributes and application table and column names.
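The event handling described above (the four event types, per-direction enabling, the per-instance subscription list that filters IDENTITY_MODIFY and IDENTITY_DELETE, end-dating rather than deleting on IDENTITY_DELETE, and the attribute list filter) as an added model in Python. This is illustrative code written for this page, not Oracle's Directory Integration Platform code; the instance names, user names, the attribute names mail and telephoneNumber, and the attribute lists are constructed, and gating of the Link-on-the-Fly SUBSCRIPTION_ADD by the profile's EBS->ODS setting is an assumption.

```python
from dataclasses import dataclass, field

# Event types and provisioning directions as named on this page.
SUBSCRIPTION_ADD = "SUBSCRIPTION_ADD"
IDENTITY_ADD = "IDENTITY_ADD"
IDENTITY_MODIFY = "IDENTITY_MODIFY"
IDENTITY_DELETE = "IDENTITY_DELETE"
ALL_EVENTS = (SUBSCRIPTION_ADD, IDENTITY_ADD, IDENTITY_MODIFY, IDENTITY_DELETE)
ODS_TO_EBS = "ODS->EBS"
EBS_TO_ODS = "EBS->ODS"


@dataclass
class EbsInstance:
    """A registered E-Business Suite instance and its provisioning profile (model only).
    enabled: (event, direction) pairs the profile permits.
    allowed_attrs: direction -> attribute names kept in that direction's attribute list.
    accounts: application user -> {"linked", "end_dated", "attrs"}."""
    name: str
    enabled: set
    allowed_attrs: dict = field(default_factory=dict)
    accounts: dict = field(default_factory=dict)
    # Models the 'Applications SSO Enable OID Identity Add Event' profile option.
    identity_add_profile_enabled: bool = False

    def account(self, user):
        """Return the application account for `user`, creating an unlinked one if absent."""
        return self.accounts.setdefault(user, {"linked": False, "end_dated": False, "attrs": {}})

    def filter_attrs(self, direction, attrs):
        """Attributes absent from the direction's attribute list are never provisioned."""
        keep = self.allowed_attrs.get(direction, set())
        return {k: v for k, v in attrs.items() if k in keep}


@dataclass
class DirectoryServices:
    """Oracle Directory Services side: SSO accounts plus one subscription list per instance."""
    sso_accounts: dict = field(default_factory=dict)   # sso user -> attribute dict
    subscriptions: dict = field(default_factory=dict)  # instance name -> set of sso users
    instances: dict = field(default_factory=dict)      # instance name -> EbsInstance

    def register(self, inst):
        self.instances[inst.name] = inst
        self.subscriptions[inst.name] = set()

    def _targets(self, event):
        """Instances whose profile enables `event` in the ODS->EBS direction."""
        return [i for i in self.instances.values() if (event, ODS_TO_EBS) in i.enabled]

    # ---- events raised in Oracle Directory Services ----
    def subscribe(self, inst_name, user):
        """Adding an SSO user to a subscription list raises SUBSCRIPTION_ADD; if enabled
        ODS->EBS, the instance creates an application account linked to the SSO account."""
        inst = self.instances[inst_name]
        self.subscriptions[inst_name].add(user)
        if (SUBSCRIPTION_ADD, ODS_TO_EBS) in inst.enabled:
            inst.account(user)["linked"] = True
            return True
        return False

    def create_sso_user(self, user, attrs):
        """IDENTITY_ADD raised in ODS: same effect as SUBSCRIPTION_ADD, but only on
        instances with both the direction enabled and the profile option set."""
        self.sso_accounts[user] = dict(attrs)
        delivered = []
        for inst in self._targets(IDENTITY_ADD):
            if inst.identity_add_profile_enabled:
                self.subscriptions[inst.name].add(user)
                inst.account(user)["linked"] = True
                delivered.append(inst.name)
        return delivered

    def modify_sso_user(self, user, attrs):
        """IDENTITY_MODIFY goes only to instances whose subscription list contains the
        user; each applies just the attributes its attribute list allows."""
        self.sso_accounts[user].update(attrs)
        delivered = []
        for inst in self._targets(IDENTITY_MODIFY):
            if user in self.subscriptions[inst.name]:
                inst.account(user)["attrs"].update(inst.filter_attrs(ODS_TO_EBS, attrs))
                delivered.append(inst.name)
        return delivered

    def delete_sso_user(self, user):
        """IDENTITY_DELETE: the linked application account is end-dated, never removed."""
        del self.sso_accounts[user]
        delivered = []
        for inst in self._targets(IDENTITY_DELETE):
            if user in self.subscriptions[inst.name]:
                inst.account(user)["end_dated"] = True
                delivered.append(inst.name)
        return delivered

    # ---- events raised in an E-Business Suite instance ----
    def ebs_identity_add(self, inst_name, user, attrs):
        """IDENTITY_ADD from EBS: if enabled EBS->ODS, ODS creates the SSO account and
        subscribes the user to the originating instance, whose account becomes linked."""
        inst = self.instances[inst_name]
        acct = inst.account(user)
        if (IDENTITY_ADD, EBS_TO_ODS) not in inst.enabled:
            return False  # filtered out by the profile; the account stays local and unlinked
        self.sso_accounts[user] = inst.filter_attrs(EBS_TO_ODS, attrs)
        self.subscriptions[inst_name].add(user)
        acct["linked"] = True
        return True

    def ebs_link_on_the_fly(self, inst_name, user):
        """Link-on-the-Fly sends SUBSCRIPTION_ADD so ODS records the subscription
        (assumed here to require SUBSCRIPTION_ADD enabled EBS->ODS)."""
        inst = self.instances[inst_name]
        if user not in self.sso_accounts or (SUBSCRIPTION_ADD, EBS_TO_ODS) not in inst.enabled:
            return False
        self.subscriptions[inst_name].add(user)
        inst.account(user)["linked"] = True
        return True
```

Registering one bidirectional instance and one outbound-only instance (ODS->EBS events only) and walking a user through add, modify and delete shows the two points a reviewer of a profile cares about: an instance never sees changes for users outside its subscription list, and an SSO deletion leaves an end-dated application account behind rather than removing it.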
Polling Interval
By default, Oracle Directory Services sends out provisioning events every 60 seconds; this value can be increased or decreased by using oidprovtool, or by editing the orclodipprofileschedule attribute value in the provisioning template (see below). The polling interval should be set with caution; provisioning that is not frequent enough for site activity may have an impact on operations, while provisioning that is more frequent than necessary will result in needless network traffic.
Once the values of the configurable variables for a profile have been decided, there are two methods available to create the profile in Oracle Directory Services. The first is oidprovtool (see the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory or Oracle Fusion Middleware Administering Oracle Unified Directory for more information). The second is to instantiate an LDIF template that captures the configuration choices; the instantiated template is then loaded into Oracle Directory Services using the ldapmodify command. The template method is described in detail below.
Creating a Profile From a Provisioning Template
Creating the provisioning profile consists of the following steps:
Create a suitable template based on deployment choices. The sample templates shipped can be used as examples and starting points.
Instantiate the template with deployment specific values, to generate an LDIF file.
Load the LDIF file into Oracle Directory Services.
Once the LDIF file is loaded, Oracle Directory Services will start sending and polling provisioning events to and from the Oracle E-Business Suite instance for which the profile was created. It takes the provisioning service approximately two minutes to detect that a new profile has been added or an existing one has changed. The new or updated profile is then read by the service.
Four types of provisioning are provided by the registration utility:
BiDirectional Provisioning: Set by specifying "-provisiontype=1" as a command line argument during Oracle Directory Services registration. This is the default provisioning type set by the registration utility.
InBound Provisioning: Set by specifying "-provisiontype=2" as a command line argument during Oracle Directory Services registration.
OutBound Provisioning: Set by specifying "-provisiontype=3" as a command line argument during Oracle Directory Services registration.
BiDiNoCreation Provisioning: Set by specifying "-provisiontype=4" as a command line argument during Oracle Directory Services registration.
To decide on the right template to use, an Oracle E-Business Suite administrator needs to determine the direction or directions of provisioning, and which provisioning events need to be enabled in each direction. The deployment scenarios discussed in this section may be used as a reference.
For example, if the Oracle E-Business Suite instance only needs to send events to Oracle Directory Services, then an INBOUND provisioning profile should be created. If the Oracle E-Business Suite instance only needs to receive provisioning events from Oracle Directory Services, then an OUTBOUND profile should be created.
If provisioning events may need to be sent in both directions, a bidirectional profile (BOTH) should be created.
Note: Oracle recommends using the base provisioning profile templates provided with Oracle E-Business Suite. Best-efforts support will be provided for customizations to the standard provisioning profile templates. Customers may wish to engage Oracle Consulting for assistance with specific customization requirements and issues.