Tutorial: Configure Datawiza to enable Microsoft Entra multifactor authentication and single sign-on to Oracle JD Edwards
In this tutorial, learn how to enable Microsoft Entra single sign-on (SSO) and Microsoft Entra multifactor authentication for an Oracle JD Edwards (JDE) application using Datawiza Access Proxy (DAP).
Learn more Datawiza Access Proxy
Benefits of integrating applications with Microsoft Entra ID using DAP:
- Embrace proactive security with Zero Trust - a security model that adapts to modern environments and embraces hybrid workplace, while it protects people, devices, apps, and data
- Microsoft Entra single sign-on - secure and seamless access for users and apps, from any location, using a device
- How it works: Microsoft Entra multifactor authentication - users are prompted during sign-in for forms of identification, such as a code on their cellphone or a fingerprint scan
- What is Conditional Access? - policies are if-then statements, if a user wants to access a resource, then they must complete an action
- Easy authentication and authorization in Microsoft Entra ID with no-code Datawiza - use web applications such as: Oracle JDE, Oracle E-Business Suite, Oracle Sibel, and home-grown apps
- Use the Datawiza Cloud Management Console (DCMC) - manage access to applications in public clouds and on-premises
This scenario focuses on Oracle JDE application integration using HTTP authorization headers to manage access to protected content.
In legacy applications, due to the absence of modern protocol support, a direct integration with Microsoft Entra SSO is difficult. DAP can bridge the gap between the legacy application and the modern ID control plane, through protocol transitioning. DAP lowers integration overhead, saves engineering time, and improves application security.
The scenario solution has the following components:
- Microsoft Entra ID - identity and access management service that helps users sign in and access external and internal resources
- Oracle JDE application - legacy application protected by Microsoft Entra ID
- Datawiza Access Proxy (DAP) - container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It passes identity transparently to applications through HTTP headers.
- Datawiza Cloud Management Console (DCMC) -a console to manage DAP. Administrators use UI and RESTful APIs to configure DAP and access control policies.
Ensure the following prerequisites are met.
- An Azure subscription.
- If you don't have one, you can get an Azure free account
- A Microsoft Entra tenant linked to the Azure subscription
- Docker and Docker Compose
- User identities synchronized from an on-premises directory to Microsoft Entra ID, or created in Microsoft Entra ID and flowed back to an on-premises directory
- An account with Microsoft Entra ID and a global administrator role. See, Microsoft Entra built-in roles, all roles
- An Oracle JDE environment
- (Optional) An SSL web certificate to publish services over HTTPS. You can also use default Datawiza self-signed certs for testing
Getting started with DAB
To integrate Oracle JDE with Microsoft Entra ID:
Sign in to Datawiza Cloud Management Console.
The Welcome page appears.
Select the orange Getting started button.
In the Name and Description fields, enter information.
On the Add Application dialog, for Platform, select Web.
For App Name, enter a unique application name.
For Public Domain, for example enter
https://jde-external.example.com. For testing the configuration, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain port.
For Listen Port, select the port that DAP listens on.
For Upstream Servers, select the Oracle JDE implementation URL and port to be protected.
- On the Configure IdP dialog, enter information.
Use DCMC one-click integration to help complete Microsoft Entra configuration. DCMC calls the Graph API to create an application registration on your behalf in your Microsoft Entra tenant. Go to docs.datawiza.com for One Click Integration With Microsoft Entra ID.
- Select Create.
The DAP deployment page appears.
Make a note of the deployment Docker Compose file. The file includes the DAP image, Provisioning Key, and Provision Secret, which pulls the latest configuration and policies from DCMC.
SSO and HTTP headers
DAP gets user attributes from IdP and passes them to the upstream application with a header or cookie.
The Oracle JDE application needs to recognize the user: using a name, the application instructs DAP to pass the values from the IdP to the application through the HTTP header.
In Oracle JDE, from the left navigation, select Applications.
Select the Attribute Pass subtab.
For Field, select Email.
For Expected, select JDE_SSO_UID.
For Type, select Header.
This configuration uses the Microsoft Entra user principal name as the sign-in username, used by Oracle JDE. To use another user identity, go to the Mappings tab.
Select the Advanced tab.
Select Enable SSL.
From the Cert Type dropdown, select a type.
For testing purposes, we'll be providing a self-signed certificate.
You have the option to upload a certificate from a file.
Enable Microsoft Entra multifactor authentication
Steps in this article may vary slightly based on the portal you start from.
To provide more security for sign-ins, you can enforce MFA for user sign-in.
- Sign in to the Microsoft Entra admin center as a Global Administrator.
- Browse to Identity > Overview > Properties tab.
- Under Security defaults, select Manage security defaults.
- On the Security defaults pane, toggle the dropdown menu to select Enabled.
- Select Save.
Enable SSO in the Oracle JDE EnterpriseOne Console
To enable SSO in the Oracle JDE environment:
Sign in to the Oracle JDE EnterpriseOne Server Manager Management Console as an Administrator.
In Select Instance, select the option above EnterpriseOne HTML Server.
In the Configuration tile, select View as Advanced.
Select the Enable Oracle Access Manager checkbox.
In the Oracle Access Manager Sign-Off URL field, enter datawiza/ab-logout.
In the Security Server Configuration section, select Apply.
If a message states the web server configuration (jas.ini) is out-of-date, select Synchronize Configuration.
Test an Oracle JDE-based application
To test an Oracle JDE application, validate application headers, policy, and overall testing. If needed, use header and policy simulation to validate header fields and policy execution.
To confirm Oracle JDE application access occurs, a prompt appears to use a Microsoft Entra account for sign-in. Credentials are checked and the Oracle JDE appears.