
e-Business Suite Integration with Oracle Identity Federation for SAML

ltps, Mar 22 2012
Has anyone developed a way to use OIF for e-Business Suite authentication through SAML rather than using the standard Identity Management stack of apps?

Today we have Oracle e-Business Suite 115.10.2 using OSSO through OID with WNA for zero sign-on (no login, just pass-through, based on AD credentials). Our domain controllers are Windows 2003 but we are in the process of upgrading them to Windows 2008 R2, where the OSSO stack is not supported unless we globally set the 2008 R2 domain controllers to use DES encryption instead of the default AES encryption. (See Oracle note 1076018.1)

When deploying OSSO, we encountered a similar issue: Windows 7 workstations would not work with OSSO unless we set the workstation policy not to use AES encryption. (See Oracle note 973190.1)

We are not inclined to continue to use DES encryption and we have obstacles moving to 11g iDM/OAM/OID from OSSO. I am exploring the possibility of continuing to keep one 2003 domain controller in production, and pointing OSSO to that, until we can move to the 11g iDM stack.

Meanwhile, we have ongoing frustration with how complicated SSO is with the e-Business Suite. Sure, it works, once you climb the mountain to set it up, and we don't have that many issues in production. But the implementation of SSO for e-Business Suite is simply complex. The trip from the workstation back to an EBS session is operationally somewhat brittle. I guess some of us relish complexity. Certainly there is pride in understanding something like this. But, after a while, when the trickle of tickets from the Help Desk never completely dries up, you get tired of complexity and you seek something simpler.

So, instead of this path:

Workstation > EBS > OID > AD / Kerberos > Workstation

(and I didn't even mention F5 switch with reverse proxy servers ...)

Why can't we have this?

Workstation with certificate > OIF with SAML > EBS session.

Has anyone done that?

Thank you for your help.
Locked on Apr 19 2012