Wednesday, 29 July 2020

SSO, and Azure AD - secure JDE the right way.


There are a number of products that are facilitating the SSO process with JDE, but you want something good, easy and secure... Right?  This is where myAccess comes in.  The fusion5 product myAccess ensures that the complexity stays with Azure AD and the ease and benefits flow through to JD Edwards.

 

Once you use SSO, you are never going back - especially when you are able to use conditional access to enforce MFA.  This ensures that things are secure without going over the top.  I've enabled SSO on one of our demo environments and I have all of the consultants wanting more.

 

When you can finally login to JDE with a click of a button (or no interaction), then this is a good day.  This does save time and energy.  It's especially good for commissioning user accounts (and even better decommissioning), as it's done in a single process.  You delete the AD account and they cannot log into JDE - done.  They forget their password 0 forget level 0 or 1 support, they use self service and reset the password.

 

How does it work?  It's simple and uses open standards OpenID for authentication.  We have this working on premise with ADFS, but we don't like it.  We have it working with OKTA, but you don't need it.  Finally - it works out of the box and great with Azure AD.  If you have office365 - then this is all you need.

 



We register an app under your Azure AD and configure some settings.  Note that this is all standard stuff in Azure.

 

You need to ensure that you webservers can talk to the internet too, this is part of the AzureAD auth process.




Once the basic config is done, you can use any of the really cool and easy conditional access settings to ensure that you are only getting the correct users authenticating to JD Edwards.

 

You can see here that I've required MFA for our demo environment.   We are keeping things tight!


We install a new application on your weblogic instance that does all of the and we modify the login pages to enable the SSO functionality. [my son typed that sentence - he wanted to assist].   You can make the button look as sexy as you like.



That answers a common question, you can have SSO working and you can also login as a JDE user.  This is good for many many reasons.

 

This also means that the implementation does not need to be "big brush".

 

So, when you click this button (for the first time, or the Azure SSO token has expired (60 days)), then you are presented with your corporate Azure login dialog:


Whack your password in (this is your network password).  Note that this has nothing really to do with your site or our software...  It's all Azure.


Of course, we are secure, and now I need to MFA the sign in request.  Note that I'm using an incognito browser so that it does not have access to any of the standard cookies on my machine.


My phone pings and I can approve this.

 

 

Note that when you are done, you can ask to stay signed in - standard Azure AD

 

 



And I'm logged in.  I now have two cookies in the session - one for JDE and one for MSFT.  This is cool, because I can log back into JDE for the lifetime of the PS_TOKEN and also easily log in with the lifetime of the Azure application cookie.

If you want to know more, google myAccess or go here and start asking questions.  The solution is super cheap, as low as $1,250.00 per 100 users per year.  If you want an elegant SSO solution for JDE that basically pays for itself, get in touch!















Monday, 27 July 2020

Oracle Application Testing Suite - forgotten administrator password?

Oh, it's painfull...  All you want to do is login and upgrade the oats database or just login, and you cannot.

It'd easy changing the oats and olt user -

sqlplus /@xe as sysdba

SQL> alter user oats identified by HelloWorld99 account unlock;

But the admin account is frustrating.

You can log into wls admin http://localhost:8088/console

and login with oats and your admin password (if you remember the latest one).  Note that you can get confused, because even if you reinstall OATS, it seems to remember the first admin password or want it in the database.

So, what you need is this badboy - at the command line:

C:\OracleATS\lib>C:\OracleATS\jdk\bin\java.exe -Djava.library.path=c:\OracleATS\lib -jar ResetPassword.jar -otm "OATS_otm_DS"

Warning: This will reset the password for the Administrator account in the 'OATS_otm_DS' database. This action cannot be undone. Press Ctrl-C to cancel or enter the new password below.

Enter password:
Confirm password:

Password has been changed successfully.

Then

C:\OracleATS\lib>C:\OracleATS\jdk\bin\java.exe -Djava.library.path=c:\OracleATS\lib -jar ResetPassword.jar -olt "Default OLT Database"

Warning: This will reset the password for the Administrator account in the 'Default OLT Database' database. This action cannot be undone. Press Ctrl-C to cancel or enter the new password below.

Enter password:
Confirm password:

Password has been changed successfully.

BOOM - logging in!



Now I need to solve Steve's question about OTM playback and having the correct delay in the script!


Extending JDE to generative AI