Pythian’s New Single Sign-on (SSO) Solution for Oracle E-Business Suite (EBS) – Part Two

Our mission at Pythian is to help you Love Your Data. Because security is a crucial part of managing your data, we are pleased to tell you about the identity management (IDM) solution Pythian has developed to make it easier for Oracle E-Business Suite (EBS) clients to implement a modern Single Sign-On (SSO) solution for your ERP system.

Some time has passed since we published Part One of this article. We have answered many questions in calls to those interested to know more about it. A list of successful implementation projects also got covered, making our customers happy by optimizing their IT costs.

We would like to share some technical details about it in a post.

What has changed when it comes to Oracle EBS?

Literally, nothing.

• The standard user authentication framework in Oracle EBS is still limited.
  • Outdated password policies which do not meet today’s security requirements and compliance standards (I was speaking about it).
  • No Multi-Factor Authentication (MFA) support which is a must.
• The SSO integration supports only the native Oracle’s own products – IAM Suite on-premises installation or IDCS cloud service.
• High licensing costs for an additional IDM solution plus operational costs.
• To integrate your existing corporate third-party Identity Management solution (like Microsoft’s Windows domain Native Authentication), you still need to implement Oracle’s native integration as a bridge.

In numbers, a generic 3000-employee org example looks like this (basic cost calculation):

IAM Suite (2 Production, 2 DR, and 1 Test middle-tier)

• Operational: 15 000 $ / year
• Licensing: 135 $ / user
  • Starting with release 12.2.1.4, IDM requires an additional Enterprise Edition database license.
  • Environment multiplier – each individual instance is separately licensed.
• Total: ~1 000 000 $ / year

The operational cost is based on OCI pricing – Standard.E4.Flex shape for a middle-tier (2 OCPUs, 16 GB RAM, storage) and DBCS for the metadata repository database.

The IAM licensing is based on Identity and Access Management Suite Plus per-user licensing for a more clear illustration purpose. Processor-based licensing viability, environment multipliers, and the final licensing cost are subject to a separate calculation and an individual deal with Oracle sales.

IDCS (SaaS)

• Operational: N/A
• Licensing: 3.20 $ / user / month
• Total: 115 200 $ / year

Oracle Identity Cloud Service Standard edition licensing is required.

Pythian’s solution

We have come up with a simpler solution based on the open-source components that can play the bridge role with your existing corporate third-party Identity Management solution. It can be SAML, OpenID, or any other authentication solution supported by the Apache Web Server.

Dependencies:

• Your organization has an existing corporate third-party Identity Management solution (like OKTA, ForgeRock, Onelogin, Azure ADFS, and others) meeting the required password policy and compliance standards.
• You need to integrate your Oracle E-Business Suite system with your existing corporate Single Sign-On.
• The cost of implementing the Oracle native integration options (IAM or IDCS) for just a bridge role is too high for your budget.

Pros:

• No extra licensing cost for a bridge integration requirement. The solution is based on the free open-source components available on most Linux OS distributions.
• Minimum operational costs – can be easily implemented on a pool of free-tiers on the cloud (depending on the platform and performance capacity requirements).
• Supports the identity federation services based on the standards like SAML and OpenID.
• No requirement to run an additional user directory (like OID or OUD) and support its data consistency.
• You can build a shared infrastructure that can serve all your EBS instances within the same pool.
• You can separate internal and external users and set two or more separate application registrations with different access security profiles.

Cons:

• It is not certified and not supported by Oracle. Therefore, it is a certain risk to be acknowledged by your organization.
• No universal support for the user provisioning integration out-of-the-box.

Let me comment on why we do not package the user provisioning integration. Per our experience, we have stopped seeing its real utilization on the customer systems for a very long time. The user provisioning mode configured usually is set to 4 (disabled) or enabled, but the EBS system is always the real source to sync up the Oracle directory. A common practice for organizations is to have an existing direct integration process – automated, which, for example, integrates your Workday HR system directly with EBS, or manually handled during the employee onboarding or offboarding. In most cases, it is just not required. At the same time, of course, there are exceptions or specific custom requirements where we can come up with a solution to meet the needs.

In numbers, taking the same generic 3000 employee org example like above (again, basic cost calculation):

Reverse Proxies (2 Production, 2 DR, and 1 Test middle-tier)

• Operational: 2 700 $ / year
• Licensing: N/A
• Total: 2 700 $ / year

The operational cost is based on OCI pricing – Standard.E4.Flex shape per proxy (2 OCPUs, 2 GB RAM, minimum storage).

So what does our package include?

1. We create a secure Reverse Proxy infrastructure design and build it into your Oracle E-Business Suite architecture.
2. We deploy and set all the requirements on the Oracle E-Business Suite side.
3. We complete the application registration on your third-party identity provider side and set the desired logon/logoff workflows.
4. Complete knowledge transition and documentation about the solution implementation.
5. Operational procedures, like the certificate rotation process, and most common “how-to” scenarios.
6. We help you adjust the Cloning and Disaster Recovery procedures to provide the necessary updates required to support the new Single Sign-On integration.
7. We support and cover the issues identified during testing and the post-go-live stabilization period.

If you are interested to know more, please reach out to us. Or sign-up for a free workshop session with our experts to identify the best Single Sign-On roadmap based on your requirements.