About Setting Up SSO Between Azure AD and Oracle Access Manager for Oracle Retail Merchandising Suite

This solution provides a reference architecture for implementing Oracle Retail Merchandising Suite on Microsoft Azure and associating it with a database running on Oracle Cloud Infrastructure. Using both clouds gives customers added flexibility as they move to the cloud.

This cross-cloud solution for Retail Merchandising Suite places the database tier on Oracle Cloud Infrastructure and the middleware tier, F tier (firewall, proxies, and load balancer), and DS tier on Microsoft Azure. Additionally, this architecture uses Azure Active Directory (Azure AD) as the federated identity provider (IDP) to authenticate a user to the Retail Merchandising Suite, while Oracle Access Manager is the service provider (SP).

Herein, you will find high-level instructions for installing the Retail Merchandising Suite in the cross-cloud model and configuring SAML 2.0 federated single sign-on (SSO) with Azure AD, through Oracle Access Manager. You should understand the Oracle Retail Merchandising cross-cloud architecture before working through this authentication and authorization integration.

Before You Begin

Before you begin to run an application in Microsoft Azure connected to a database in Oracle Cloud, understand the networking architecture for connecting workloads deployed on Oracle Cloud and Microsoft Azure.

See Learn about interconnecting Oracle Cloud with Microsoft Azure.

Understand SSO with Oracle Access Manager and Azure AD

Retail Merchandising uses Oracle Access Manager for authorization, while Oracle Access Manager itself delegates authentication to a backend LDAP store.

In this architecture, the backend LDAP store is Oracle Internet Directory; however, the system of record for users is Azure AD. Oracle Directory Integration Platform serves as a bridge between Oracle Internet Directory and Azure AD by synchronizing user information from Azure AD to Oracle Internet Directory. This synchronization allows Oracle Internet Directory to continue to act as the backing store for Oracle Access Manager, which in turn allows the existing integration between Oracle Access Manager and Retail Merchandising to function as in all other deployment models. In this cross-cloud model, Azure AD performs authentication and Oracle Access Manager performs authorization.
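The paragraph above splits the flow into two halves: Azure AD authenticates the user and returns a SAML 2.0 assertion, and Oracle Access Manager, acting as the service provider, accepts that assertion and then authorizes the user against the entry that Oracle Directory Integration Platform synchronized into Oracle Internet Directory. The following Python example is added here to make those two halves concrete; it is not Oracle's or Microsoft's code. It implements the checks a service provider must perform on an IdP response (Success status, a single signed assertion, expected issuer, audience, validity window with clock skew, bearer confirmation bound to the ACS URL and the original request ID) and then maps the NameID to a constructed stand-in for the synchronized OID entries. The tenant ID, entity IDs, ACS URL, user entries and group names are all assumptions, and XML-DSig verification is deliberately left to the SP's signature library (the example only checks that a Signature element is present).

```python
"""Service-provider side checks on an Azure AD SAML 2.0 Response (added example).

Signature verification is out of scope: a real SP such as Oracle Access Manager
verifies the XML-DSig against the IdP's signing certificate before anything below.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed (hypothetical) federation parameters.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"   # Azure AD issuer format
SP_ENTITY_ID = "https://oam.example.com/oam/fed"             # OAM SP entity ID (assumed)
ACS_URL = "https://oam.example.com/oam/server/fed/sp/sso"    # OAM assertion consumer (assumed)
CLOCK_SKEW = timedelta(minutes=5)

# Constructed stand-in for Oracle Internet Directory after a DIP synchronization
# run: Azure AD userPrincipalName -> OID entry carrying Retail Merchandising groups.
OID_USERS = {
    "alice@example.com": {"dn": "cn=alice,cn=Users,dc=example,dc=com",
                          "groups": ["RMS_ADMIN", "RMS_BUYER"]},
    "bob@example.com": {"dn": "cn=bob,cn=Users,dc=example,dc=com",
                        "groups": ["RMS_VIEWER"]},
}

# Constructed sample response; the signature value is a placeholder.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" InResponseTo="_req123" Destination="{ACS_URL}"
    IssueInstant="2024-01-01T12:00:00.000Z" Version="2.0">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00.000Z" Version="2.0">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req123" Recipient="{ACS_URL}"
            NotOnOrAfter="2024-01-01T12:05:00.000Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00.000Z" NotOnOrAfter="2024-01-01T12:05:00.000Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

NOW = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)   # "current" time for the demo


def parse_ts(value):
    """SAML timestamps are UTC ISO 8601; Azure AD emits millisecond precision."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_in_response_to, now):
    """Return the authenticated NameID, or raise ValueError if any SP-side check fails."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:          # real SP verifies the XML-DSig here
        raise ValueError("unsigned assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    if (now < parse_ts(cond.get("NotBefore")) - CLOCK_SKEW
            or now >= parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != ACS_URL
            or scd.get("InResponseTo") != expected_in_response_to):
        raise ValueError("subject confirmation mismatch (wrong recipient or replayed request)")
    if now >= parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("bearer confirmation expired")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def authorize(name_id, required_group):
    """Authorization step: look up the DIP-synchronized OID entry and check group membership."""
    entry = OID_USERS.get(name_id)
    if entry is None:
        raise PermissionError(f"{name_id} authenticated at Azure AD but has no OID entry")
    return required_group in entry["groups"]


def demo():
    """Run the happy path plus three rejections; returns a dict of outcomes."""
    results = {"name_id": validate_response(SAMPLE_RESPONSE, "_req123", NOW)}
    results["alice_admin"] = authorize(results["name_id"], "RMS_ADMIN")
    results["bob_admin"] = authorize("bob@example.com", "RMS_ADMIN")
    cases = {  # label: (response, request ID the SP is waiting for, current time)
        "wrong_audience": (SAMPLE_RESPONSE.replace(f"<saml:Audience>{SP_ENTITY_ID}",
                           "<saml:Audience>https://other-sp.example.net/"), "_req123", NOW),
        "replayed_request_id": (SAMPLE_RESPONSE, "_req999", NOW),
        "expired": (SAMPLE_RESPONSE, "_req123", NOW + timedelta(hours=1)),
    }
    for label, (xml, rid, when) in cases.items():
        try:
            validate_response(xml, rid, when)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results
```

The point of separating `validate_response` from `authorize` is the one the architecture makes: Azure AD only vouches for who the user is, and a valid assertion for a user that DIP has not yet synchronized into Oracle Internet Directory must still be refused, which is why `authorize` raises rather than defaulting to an empty group list.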

Architecture

To implement this cross-cloud solution, you should first understand the three architecture views that describe it.

  • Physical architecture
  • Logical architecture
  • Authentication and authorization architecture

Understand the Logical Architecture

The Retail Merchandising Suite reference architecture consists of three logical tiers and the components that comprise these tiers.

Illustration: merch-logical-arch.png (logical architecture)
  • Web tier: Oracle ADF-based UIs that are accessible from a web browser
  • Application tier:
    • Retail Merchandising Suite applications.
    • Retail Integration Suite (including Retail Integration Bus, Retail Service Bus, and Retail Bulk Data Integration).
    • Identity Management through Oracle’s Identity Management stack (Oracle Access Manager, Oracle Identity Manager, and Oracle Internet Directory).
    • Connections for transferring files with SFTP and other integrations.
  • Data tier: Merchandising and Integration Pluggable databases on an Oracle RAC Database.

Understand the Physical Architecture

At a high level, the cross-cloud model lets retailers deploy their data tier in Oracle Cloud Infrastructure and their application tier in Microsoft Azure.

Illustration: merch-physical-arch.png (physical architecture)

The reference architecture clusters database and compute nodes to produce a highly scalable, highly available architecture. The FastConnect interconnect between Oracle Cloud Infrastructure and Azure provides a private, low-latency path between the tiers that is designed to meet the solution's service level agreements (SLAs).

The supported reference architecture deploys the tiers as follows:
  • Database tier on Oracle Cloud Infrastructure (OCI)
  • Middleware tier (with a high-performance network file system) on Azure
  • F tier (firewall, proxies, and load balancer) on Azure
  • DS tier (SFTP) on Azure

Understand the Authentication and Authorization Architecture

The authentication and authorization architecture is based on an integration between Oracle Access Manager and Retail Merchandising Suite.

Illustration: merch-authn-authz-arch.png (authentication and authorization architecture)

Oracle Access Manager requires the backend LDAP store to be Oracle Unified Directory or Oracle Internet Directory. In this architecture, the system of record for users is Azure AD. Oracle Directory Integration Platform, used as a bidirectional synchronization service, synchronizes user accounts from Azure AD into Oracle Internet Directory so that Oracle Access Manager can authorize them.

Oracle has verified and supports this cross-cloud deployment architecture for Retail Merchandising Suite 16.0.2 and later, including federated SSO through the processes described in this document.

About Required Services and Roles

This solution requires the combination of specific services and roles within those services.

These services and applications are required:
  • Oracle Cloud Infrastructure
  • Oracle Access Manager
  • A fully functional Oracle Retail Merchandising Suite instance deployed to Azure
  • Microsoft Azure AD

Roles required are:

Service Name | Role | Required to...
Oracle Cloud Infrastructure | Administrator | Create and manage identity resources
Oracle Access Manager | Administrator | Configure and maintain Oracle Access Manager and its user settings
Retail Merchandising | Administrative roles, including database administrator and LDAP administrator | Configure Retail Merchandising and change security settings
Azure subscription | Contributor or a more privileged account | Obtain and manage the Azure subscription
Azure AD | Application Administrator or Global Administrator | Configure and set up the enterprise application on the Azure side
