Tutorial: Configure Datawiza to enable Azure Active Directory Multi-Factor Authentication and single sign-on to Oracle JD Edwards

In this tutorial, learn how to enable Azure Active Directory (Azure AD) single sign-on (SSO) and Azure AD Multi-Factor Authentication (MFA) for an Oracle JD Edwards (JDE) application using Datawiza Access Proxy (DAP).

Learn more Datawiza Access Proxy

Benefits of integrating applications with Azure AD using DAP:

Scenario description

This scenario focuses on Oracle JDE application integration using HTTP authorization headers to manage access to protected content.

In legacy applications, due to the absence of modern protocol support, a direct integration with Azure AD SSO is difficult. DAP can bridge the gap between the legacy application and the modern ID control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.

Scenario architecture

The scenario solution has the following components:

  • Azure AD - identity and access management service that helps users sign in and access external and internal resources
  • Oracle JDE application - legacy application protected by Azure AD
  • Datawiza Access Proxy (DAP) - container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It passes identity transparently to applications through HTTP headers.
  • Datawiza Cloud Management Console (DCMC) -a console to manage DAP. Administrators use UI and RESTful APIs to configure DAP and access control policies.

Learn more: Datawiza and Azure AD Authentication Architecture

Prerequisites

Ensure the following prerequisites are met.

Getting started with DAB

To integrate Oracle JDE with Azure AD:

  1. Sign in to Datawiza Cloud Management Console.

  2. The Welcome page appears.

  3. Select the orange Getting started button.

    Screenshot of the Getting Started button.

  4. In the Name and Description fields, enter information.

  5. Select Next.

    Screenshot of the Name field and Next button under Deployment Name.

  6. On the Add Application dialog, for Platform, select Web.

  7. For App Name, enter a unique application name.

  8. For Public Domain, for example enter https://jde-external.example.com. For testing the configuration, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain port.

  9. For Listen Port, select the port that DAP listens on.

  10. For Upstream Servers, select the Oracle JDE implementation URL and port to be protected.

  11. Select Next.

Screenshot of Public Domain, Listen Port, and Upstream Server entries.

  1. On the Configure IdP dialog, enter information.

Note

Use DCMC one-click integration to help complete Azure AD configuration. DCMC calls the Graph API to create an application registration on your behalf in your Azure AD tenant. Go to docs.datawiza.com for One Click Integration With Azure AD.

  1. Select Create.

Screenshot of Protocol, Identity Provider, and Supported account types entries, also the Create button.

  1. The DAP deployment page appears.

  2. Make a note of the deployment Docker Compose file. The file includes the DAP image, Provisioning Key, and Provision Secret, which pulls the latest configuration and policies from DCMC.

    Screenshot of Docker entries.

SSO and HTTP headers

DAP gets user attributes from IdP and passes them to the upstream application with a header or cookie.

The Oracle JDE application needs to recognize the user: using a name, the application instructs DAP to pass the values from the IdP to the application through the HTTP header.

  1. In Oracle JDE, from the left navigation, select Applications.

  2. Select the Attribute Pass subtab.

  3. For Field, select Email.

  4. For Expected, select JDE_SSO_UID.

  5. For Type, select Header.

    Screenshot of information on the Attribute Pass tab.

    Note

    This configuration uses the Azure AD user principal name as the sign-in username, used by Oracle JDE. To use another user identity, go to the Mappings tab.

    Screenshot of the userPrincipalName entry.

  6. Select the Advanced tab.

    Screenshot of information on the Advanced tab.

    Screenshot of information on the Attribute Pass tab.

  7. Select Enable SSL.

  8. From the Cert Type dropdown, select a type.

    Screenshot that shows the cert type dropdown.

  9. For testing purposes, we'll be providing a self-signed certificate.

    Screenshot that shows the enable SSL menu.

    Note

    You have the option to upload a certificate from a file.

    Screenshot that shows uploading cert from a file option.

  10. Select Save.

Enable Azure AD Multi-Factor Authentication

To provide more security for sign-ins, you can enforce MFA for user sign-in.

See, Tutorial: Secure user sign-in events with Azure AD MFA.

  1. Sign in to the Azure portal as a Global Administrator.
  2. Select Azure Active Directory > Manage > Properties.
  3. Under Properties, select Manage security defaults.
  4. Under Enable Security defaults, select Yes.
  5. Select Save.

Enable SSO in the Oracle JDE EnterpriseOne Console

To enable SSO in the Oracle JDE environment:

  1. Sign in to the Oracle JDE EnterpriseOne Server Manager Management Console as an Administrator.

  2. In Select Instance, select the option above EnterpriseOne HTML Server.

  3. In the Configuration tile, select View as Advanced.

  4. Select Security.

  5. Select the Enable Oracle Access Manager checkbox.

  6. In the Oracle Access Manager Sign-Off URL field, enter datawiza/ab-logout.

  7. In the Security Server Configuration section, select Apply.

  8. Select Stop.

    Note

    If a message states the web server configuration (jas.ini) is out-of-date, select Synchronize Configuration.

  9. Select Start.

Test an Oracle JDE-based application

To test an Oracle JDE application, validate application headers, policy, and overall testing. If needed, use header and policy simulation to validate header fields and policy execution.

To confirm Oracle JDE application access occurs, a prompt appears to use an Azure AD account for sign-in. Credentials are checked and the Oracle JDE appears.

Next steps