Installation

This section provides instructions for installing, configuring & starting/stopping Authenion product. Authenion can be installed on the Linux servers. For the System requirements, please visit System Requirements section.

1. Pre-requisites

• Install a supported Java software with the JAVA_HOME environment variable set.

• The JAVA_HOME variable must be set representing the location of your Java installation.

2. Install Authenion

1. Request or download the Authenion product distribution file and a valid license from the Authenion support portal or by contacting your account manager at LikeMinds.

2. Install Authenion by extracting the authenion-2.0.zip file into the “/home/appuser” directory in the Authenion server.

3. After extracting the zip file, the folder structure should appear as shown in the table below.

Distribution ZIP file	Download & extract the distribution zip into the installation directory ‘/home/appuser’
File system after extraction	<authenion_install_dir>:  /home/appuser/authenion-2.0/authenion/
Directory Structure	- authenion-2.0 - authenion - bin - config - deploy - logs - server




4. Copy the obtained license file “authenion.lic” to the Authenion server and place it in the <authenion_install_dir>/config directory.

3. Setup Authenion

1. Navigate to the following directory in the Authenion server.

#] <authenion_install_dir>/bin



2. Execute the following command to grant permission.

#] chmod +x *



3. Run the setup command.

#] ./setup.sh



4. Read and accept the Software Terms & Conditions. This will complete the setup process.

Note: In case if the process fails to complete the setup, you can re-run the setup script to complete it.

4. Start & Stop Services

1. To Start the Authenion instance, navigate to the “<authenion_install_dir>/bin” directory and run the ‘start-instance.sh’ command.

#] cd <authenion_install_dir>/bin
#] ./start-instance.sh



2. To Stop the Authenion instance, run the ‘stop-instance.sh’ command.

#] cd <authenion_install_dir>/bin
#] ./stop-instance.sh



3. Check the status of the Authenion application by executing the ‘status.sh’ command.

5. Authenion Health-check

1. To check the Authenion status through the heartbeat URL, enter the following URL in the browser. This can be used for monitoring the Authenion services.

6. Install Identity Provider’s Certificate into Authenion Trust Store

The following steps will guide you to import the Identity provider’s certificate into the Authenion trust store.

1. Export the SSL Certificate from the Identity Provider (PingFederate, PingOne, AzureAD, etc.,) and place the certificate anywhere inside “<authenion_install_dir>” in the Authenion server.

2. Run the following command in the Authenion server to install the Identity Provider’s certificate.

7. Install SSL Certificates for Authenion (optional)

Authenion allows you to install your organization’s signed certificates. The certificates should be in the .crt & .key files format. To place your organization’s certificate in Authenion, follow the steps below.

1. If you have the certificate & private key in pkcs format, move the certificate to the Authenion server & run the following commands.

To extract .crt :
openssl pkcs12 -in ./myorgcert.p12 -clcerts -nokeys -out server.crt



To extract .key :
openssl pkcs12 -in ./myorgcert.p12 -nocerts -nodes -out server.key



2. Copy the .crt & .key extracted in the previous step and place it in “<authenion_install_dir>/server/conf/certs” directory.

3. The above steps can be repeated during the Authenion certificate renewal process.

Note: This setup is optional. The Certificates can also be installed on load-balancer servers.

Console Interactions & Configurations

This section describes the UI of Authenion (Admin Console) and its interactions and provides steps for accessing and configuring it. Access the Authenion UI by clicking Administrative Console.

1. Dashboard / Applications

The Dashboard / Applications page lets you view, create, or modify the applications we protect. The total protected applications will be displayed in the Dashboard Application’s tab. It also lets you access the Identity Provider Configuration page next to the Applications tab and access the sidebar menu for other required configurations.

2. Import - Getting config-data into the UI

The Import button in the Dashboard page lets you get the data into the UI.

The Import page has two operations:

1. Fetch Function: The Fetch function is used to get the data from your Authenion Server. It automatically retrieves all the Authenion config data and makes it available in the Authenion UI. It uses the Authenion Instance plugin which is running on the Authenion server.

2. Upload Operation: The Upload operation is used to load the data from your local file system into the UI manually through any previously extracted configs.

Retrieving Config data from existing Authenion Instance

1. For first time installation & configuration of Authenion, skip this step and continue with the next section – Identity Provider Configuration.

2. If you have an Authenion server up & running already, you can bring the configuration data into the UI through the Import function.

3. Click Import in the Authenion Dashboard.

4. In the Import page, enter the detail for Authenion Instance. For example, authenion.example.com

5. Click Fetch.

6. This will bring your Authenion configuration data from Authenion server to the UI.

3. Identity Provider Configuration

The Identity Provider Configuration page allows you to connect with your Identity Provider / OIDC Token Provider. This configuration includes details such as Token Providers OAuth/OIDC endpoints, Authenion Client registration details, Claims to obtain from the Token Provider. It includes additional configuration for Authenion such as; Authenion Instance, Domain & Session duration configurations.

Adding Identity Provider Configuration

1. Click Identity Provider Configuration in the Dashboard page.

2. Enter the following details & click Save to configure your Token Provider with Authenion for authentication.

• OpenID Connect Provider - Settings

Configurations	Values
Authorization URL	https://idp.example.com/authorize
Token URL	https://idp.example.com/token
JWKS URL	https://idp.example.com/jwks
Logout URL	https://idp.example.com/idp/logout
Issuer	https://idp.example.com
Userinfo URL	https://idp.example.com/idp/userinfo (Optional)
Audience	authenion
Client ID	Registered value client_id from your IdP
Client Secret	Registered client_secret value from your IdP
Scope	openid (Multiple scopes can be added)
Claims	Claims from Identity Provider (sub, username, email, etc.,)
Authenion Instances	https://authenion.example.com:8090 Note: If the Authenion is configured in cluster, enter the Authenion Instances value from all the Authenion servers. The default port is 8090 and enabled with HTTPS. This field supports multiple entries.




• Cookie Settings

Configurations	Values
Cookie Domain	example.com
Session Duration	3600

4. Sidebar

The Sidebar Menu has the following Configurations

• Applications

• Virtual Servers

• Application Hosts

• Header Mappings

• Resources

• Authenion Status

• EIK Configurator

• Logout

• Sync

• Export

5. Applications

Applications sidebar represent the protected Applications to which the user requests are sent. Each application will have a dedicated entry in the Dashboard/Applications tab. Applications are configured with Virtual Servers, Resources, Header Mappings & corresponds to a single Application Host (target application/backend server).

Adding an Application

Adding a protected application in Authenion has the following pre-requisites. Complete the setup for the below configurations before you create a new application.

• Virtual Servers (Section 6)

• Application Hosts (Section 7)

• Header Mappings (Section 8)

• Resources (Section 9)

1. To add an application, click New Application on the Dashboard page.

2. Enter the following details:




Configurations	Values
Application ID	(auto generated)
Application Name	My App
Virtual Servers	AppVirtualServer (Configured in Section 6 )
Header Mappings	MyAppHeaders  (Configured Section 8)
Protected Resource	MyAppResources (Configured Section 9)
Excluded Resource	UnprotectedResource (Configured Section 9)
Application Hosts	MyAppBackend (Configured Section 7)
Authenion Instances	https://authenion.example.com:8090  (auto populated)




3. Click Save to complete the configuration for a new application.

6. Virtual Servers

Virtual Servers enables you to protect multiple applications and their hosts. The Virtual Server is a combination of hostname and port number and is defined by example.com:443.

Adding a Virtual Server

1. Click Virtual Servers on the sidebar menu.

2. Click the “+ New Virtual Server” button on the Virtual Servers page.

3. Enter the following details to create a Virtual Server for your application.

For example:

Configurations	Values
ID	1 (Unique ID)
Name	MyAppVirtualServer
Host	authenion.example.com  (protected application domain or hostname)
Port	443
Use SSL	checkbox   (HTTP or HTTPS)




4. Click Save to complete the Virtual Server configuration.

7. Application Hosts

Applications Hosts are the target applications or the backend application servers that Authenion is protecting through the gateway architecture. The target application’s access requests are validated by Authenion before they are forwarded.

Adding Application Hosts

1. Click Application Hosts on the sidebar menu.

2. Click the “+New Application Host” button on the Application Hosts page.

3. Enter the following details to create an Application Host for your target application server.

For example:

Configurations	Values
ID	1 (Unique ID)
Name	MyAppBackend
Host	MyApp.example.com:8443   (protected application/webserver details)
Use SSL	checkbox   (HTTP or HTTPS)




4. Click Save to complete the Application Host configuration.

8. Header Mappings

Header Mappings sends the User attributes to the target application after authentication. The target application will send the attributes for validation purposes. The Header Mappings will receive the user attributes from the Claims which are sent by the Token Provider. Once the claims are received, it is then made available as HTTP-Headers to the target applications.

Adding Header Mapping

1. Click Header Mappings on the sidebar menu.

2. Click the “+New Header Mapping” button on the Header Mappings page.

3. Enter the following details to create a header mapping for your target application.

For example:

Configurations	Values
ID	1 (Unique ID)
Name	MyAppHeaders
App Header	OIDC Claims
USER_NAME	username
USER_MAIL	email




4. Click Save to complete the Header Mappings configuration.

9. Resources

Resources are the components/URI of the applications. The resources can be mapped as either protected or excluded resources in an application.

Adding Resources

1. Click Resources on the sidebar menu.

2. Click the “+New Resource” button on the Resources page.

3. Enter the following details to create a Resources for your target application.

For example:

Configurations	Values
ID	1 (Unique ID)
Name	MyAppResources
Resource Path	/MyApp (Resource Path starts with a ‘/’. Multiple resource paths can be added)




4. Click Save to complete the Resources configuration.

10. Authenion Status

The Authenion Status page shows the health of the Authenion Instance that is running in the Authenion server. This status page also displays your authenion license information.

1. Click Authenion Status on the sidebar menu to view the status of your Authenion application.

11. Sync & Export

Sync

The Sync is a manual operation that lets you push all the configuration data from the Authenion UI back to the Authenion server. When you install Authenion for the first time, there will be no configuration data in the UI or in the Authenion server. The Sync operation should be triggered for both new configurations & modifications that we perform in the Authenion UI. Any changes which are not pushed from the UI to Authenion server will not be reflected until Sync operation is triggered manually.

Note: Add the JWKS endpoint to the 'agent-authorization.properties' file in the '/config/' directory.

The Sync status will throw an error status when it can't reach the Authenion instance in the Authenion server.

Export

The Export button is a quick operation that lets you download the current configurations from the UI. The exported data will be in the format of a JSON file. This file acts as a backup for the Authenion configuration data. The downloaded file name is export.json.

Connect with your Identity Provider

This configuration section is the 'first mile integration' of the Authenion integration mechanism. This section guides you to configure Identity/Token Providers in the Authenion administration console. The integration will be established through OAuth and OpenID Connect protocols.

1. PingFederate as the Token Provider

  Pre-requisites

• PingFederate application with IdP and OAuth/OIDC roles enabled.

• Authorization server setup in PingFederate OAuth server setting.

• A configured Ping Federate IdP adapter and/or authentication policy contract policy if required for authentication and grant mapping.

  OAuth / OIDC Configurations

 This setup will manage the configurations related to the OAuth client.

1. Create a new Client in PingFederate for Authenion.

Configurations	Values
Client Name	Value to identify Client in PingFederate
Client ID	Unique value to identify clients in PingFederate
Client Secret	A secret value known only to this Client and PingFederate
Redirect URIs	https://<authenion.example.com>:<port>/ssolibrary/oidc/callback
Bypass Authorization Approval	Enable checkbox for bypassing authorization consent screen
Allowed Grant types	Enable Authorization Code checkbox
Default Access token manager	Select the access token to map with this client
OpenID Connect Policy	Select the OpenID Connect policy created earlier




2. Review the Client configurations and click Save.

3. Map an OpenID Connect Policy to this Client with the following information:

For example:

In OpenID Connect Policy Management tab, create/modify the policy and add the attributes that need to be sent through id_token and userinfo endpoint.

Add the following attributes that need to be returned in the id_token and/or as claims through userinfo endpoint.

• username
• email

The above attributes can be mapped with their respective Scopes in the next page. For example, openid scope.

4. Replicate the configurations if PingFederate is configured in a cluster.

2. Microsoft Entra ID (formerly Azure Active Directory) as the Token Provider

  Pre-requisites

• Azure account with valid subscription.

• App registration.

• Client Secrets and Claim mappings.

  Entra ID Configurations

The following will register Authenion as an OAuth/OIDC client application in Microsoft Entra ID (formerly Azure Active Directory) & establish a unidirectional trust relationship between Authenion and Microsoft identity platform. When the registration finishes, the Azure portal displays the Authenion application registration’s overview pane. You can find the Application ID which will also be used as the client_id when we connect Authenion & Entra ID through OAuth/OIDC.

  App Registration

1. Login to the Azure portal.

2. In the Manage Microsoft Entra ID (formerly Azure Active Directory) section, click on view.

3. Click on +Add and then click on App Registration.

1. Give a display name for the app.

2. Select the tenant in which you want to register the Authenion application.

3. Add the following Authenion URI in the Redirect URI field. This is the location where Entra ID redirects the user’s request post authentication.

Redirect URI: https://<authenion.example.com>/ssolibrary/oidc/callback

4. Click on Register.

  Token Configuration

1. From the side menu, click on Token configuration.

2. Click on + Add optional claim.

1. Select ID

2. Check the attributes - email, preferred_username.

3. Click on Add.

Note: In case a dialogue appears, check the box which says Microsoft graph.

  API Permissions

1. From the side menu, click on API permissions.

2. Click on + Add a permission.

3. Click on Microsoft Graph.

4. Click on delegated permissions.

1. Under "Openid permissions", check email, openid and profile.

2. Under "User", check "User.Read".

5. Click on Add permissions.

  Certificates & Secrets

1. From the side menu, click on Certificates & secrets.

2. Click on Client secrets.

3. Click on + New client secret.

1. Enter some description for the client.

2. Set the expiry for the client.

4. Click on Add.

Application Integration with Authenion

Once you have connected Authenion with your Identity Provider, you can integrate end-user's applications into Authenion for Single Sign-On (SSO). This configuration is the 'last mile integration' mechanism.

Authenion supports a large number of proprietary or third-party applications for Single Sign-On. Following are the list of applications certified to work with Authenion:

Oracle E-Business Suite

Oracle E-Business Suite SSO made easy with Authenion

Oracle E-Business Suite (EBS) application is a special usecase for Single Sign-On (SSO). The Single Sign-On approach for Oracle EBS differ from other enterprise applications. Authenion enables SSO to Oracle EBS thorugh its plugin called 'EBS Integration Kit (EIK)'. This approach is secure & seamless and follows Oracle recommended changes on the application side.

Architecture

Configuration Steps

The following sections describes the configuration steps required for Authenion-EIK setup and Oracle EBS setup for Single Sign-On.

1. Pre-requisites

1. Install an Apache Tomcat / Weblogic application or any application server of your choice in a dedicated physical / virtual server

2. Configure the application server for SSL with a listen port (for example, 8443)

2. SSO Integration Workflow

Generate EIKAuth.config File

The EIKAuth.config config file can be generated from the Authenion Admin console. You can access the Authenion Admin console through https://launch.authenion.com (or) on-premises.

1. Login to the Authenion Admin console.

2. On the Dashboard page, click 'EIK Configurator' on the Sidebar menu.








3. Select the Authentication type as 'OpenID Connect Login'.








4. In the 'Issuer Url' field, enter your Identity Provider's Issuer value and click 'Load metadata'. This will automatically load the required Authorization server endpoints.








5. Click 'Show Advanced Configuration' next to the 'Load metadata' button.

6. Enter the value for 'Scopes' field. For example, 'openid'. This field supports multiple values entered with a space as mentioned in the screenshot below.








7. Enter the details for rest of the fields as mentioned below in the table.




Configurations	Values
Client ID	Unique value to identify Authenion-EIK in your Authorization server. For example, EIKClient
Client Secret	A secret value known only to this Authenion-EIK client and your Authorization server.
Authentication Attribute	User attribute name (OAuth/OIDC claim) that should be returned from your Identity Provider. For example, userId
Redirect URI	Callback URL for Authenion-EIK. For example, https://eik.example.com:8443/EBSAuth/handler
Context Path	Authenion-EIK plugin's deployment filename. The default plugin filename is 'EBSAuth.war'. Therefore, the Context path should be, /EBSAuth
EBS Default Homepage	Oracle E-Business application homepage URL. The example format is, https://ebs.example.com/OA_HTML/OA.jsp?OAFunc=OANEWHOMEPAGE
Cookie Domain	Domain value of the Oracle EBS application. For example, .example.com
Just-In-Time Access	If you want EIK to perform user provisioning (Just-In-Time) to your Oracle EBS application. Default value is, false









8. After entering the above values, click the 'Save' button. This will download a file named 'EIKAuth.config'.

9. Copy the downloaded 'EIKAuth.config' file to a temporary location in the Apache tomcat / Weblogic server. This file will be used in the EIK deployment section later.

Generate EIK.dbcx File

You can generate the EIK.dbcx file through a command line utility. The utility 'EBSdatasource.jar' will be provided along with the Authenion-EIK installation package. The following steps will guide you through in executing the utility and generate the EIK.dbcx file.

1. The below pre-requisites need to be done before executing the utility.

• Download the 'EBSdatasource.jar' utility file from the Like Minds Support Portal. Place the utility file in a machine (or) Local-PC.

• The machine (or) Local-PC that is used to execute the utility should have a connectivity to the Oracle EBS Database server. Please do a ping/telnet test to oracledb-hostname:port to check the connectivity.

• Create an application user in the Oracle E-Business suite application. Set the Username value as EIKUSER and assign 'UMX|APPS_SCHEMA_CONNECT' role to this user account.

2. Open an elevated command-prompt (windows) or a terminal (linux).

3. Navigate to the directory where you have placed the 'EBSdatasource.jar' file.

4. Execute the following command:

java -jar EBSdatasource.jar








5. The configuration section will open as mentioned in the screenshot below:

6. Enter the details as mentioned below in the table.




Configurations	Values
Enter the connection factory class	For example, oracle.jdbc.pool.OracleDataSource
Enter the JDBC url	For example, jdbc:oracle:thin:@oracledb-hostname:port:SID
Enter APPS username	apps
Enter APPS password	APPS user account password
Enter Connection pool name	The value should match with the EIK deployment context path. For example, EBSAuth
Enter initial connection pool size	For example, 10
Enter minimum connection pool size	For example, 10
Enter maximum connection pool size	For example, 25
Enter timeout check interval	For example, 30
Enter inactive connection timeout	For example, 30
Enter validate connection on borrow	For example, true
Enter the EIK username	For example, EIKUSER
Enter the EIK user password	EIKUSER user account password
Enter the Context Path	Context of the EIK plugin. For example, /EBSAuth









7. After entering the above values, the EIKUSER will be registered. A new file named 'EIK.dbcx' will be generated in the same directory.

8. Copy this file to a temporary location in the Apache tomcat / Weblogic server. This file will be used in the EIK deployment section.

Deploy Authenion-EIK

This section guides you through the deployment steps for Authenion - EBS Integration Kit. This guide will show the deployment steps in an 'Apache Tomcat / Weblogic' application server.

1. Login to the Like Minds Support Portal and download the required binaries to complete the EIK deployment.

2. The following are the list of files that will be downloaded as part of the installation package.

• EBSAuth.war

• security.properties

• log4j2.xml

• EBSdatasource.jar

3. Login to the server where Apache Tomcat / Weblogic or your preferred application server has been installed and copy all the above files into a temporary location.

4. Set an environment variable 'EIK_HOME' resolving the path to the application server installation directory.

Following is the example for a Linux system:

Linux: export EIK_HOME=<path to Apache tomcat / Weblogic installation directory>

Add the above command to the .bash_profile file and source it.

Following is the example for a Windows system:

Windows: Open the 'Environment variables' option in System Properties. Add the system variable as EIK_HOME and set its value to the Apache tomcat / Weblogic installation directory.

5. Navigate to $EIK_HOME directory. Create a new directory named 'EBSAuth'. Assign read & write privileges to the EBSAuth directory.

6. Obtain or download the Authenion-EIK license from the Like Minds Support portal. Copy the license file 'ebsauth.lic' and move it to a temporary location in the Apache tomcat / Weblogic server.

7. Copy the license file to the following directory:

$EIK_HOME/EBSAuth/

8. Locate the EIKAuth.config & EIK.dbcx files from the temporary location (Generated and copied to Apache tomcat / Weblogic server in the previous sections).

   Copy both the files to the following directory:

$EIK_HOME/EBSAuth/

9. Locate the security.properties & log4j2.xml files from the temporary location. Copy both the files to the following directory:

$EIK_HOME/EBSAuth/

10. Locate the EBSAuth.war file from the temporary location. Copy the file to the following directory:

$CATALINA_HOME/webapps/

11. Restart the Apache Tomcat / Weblogic services.

12. This completes the deployment of Authenion-EIK in the Apache Tomcat / Weblogic application server.

13. Repeat the steps above in all the servers, if Apache Tomcat / Weblogic is configured for H/A.

Note: A single Authenion-EIK deployment will connect with only one Oracle EBS Application for SSO. However, if you have requirements to connect with multiple Oracle EBS environments for SSO, you can deploy multiple instances of Authenion-EIK in the same Apache Tomcat / Weblogic server by changing the 'Context Path'. For example, you can follow the above steps 1 to 14 and deploy plugins by changing the .war filename to 'EBSAuth_DEV.war' & 'EBSAuth_PRD.war' in the Apache tomcat / Weblogic servers and point to appropriate Oralce EBS application environments.

Configure Oracle EBS System Profile options

This section will guide you to configure the system profile options that enable Single Sign-On to the Oracle E-Business Suite application. These system profile options are Oracle recommended for enabling SSO with any providers.

1. Login to the Oracle E-Business suite application as a 'System Administrator'

2. Navigate to 'System Profile' in System Administration. Edit the following system profile options as mentioned in the table:




Configurations	Values
Application SSO Type	SSWA w/SSO
Application Authenticate Agent	For example, https://eik.example.com:8443/EBSAuth
Application SSO Login Types	Both
Application SSO Auto Link User	Enabled
Application SSO LDAP Synchronization	Disabled




3. After modifying the above system profile options, restart the Oracle E-Business suite application & database services. After successful restart of the services, you can test the Single Sign-On login.

4. Testing: Enter your Oracle EBS application url in a browser. The browser will redirect your request to the Identity Provider for authentication. Upon successful authentication, you will be redirected back to the Oracle EBS application homepage with your assigned roles & responsibilities.

5. This completes the setup for Authenion-EIK & Oracle E-Business suite integration for Single Sign-On.

Oracle Application Express (APEX)

Oracle APEX SSO with Authenion

Oracle APEX is a web-based integrated development environment which simplifies the process of building applications and pages. It supports the use of HTTP Header variables to identify a user and to create a session for the user in Oracle APEX application.

Architecture

Configuration Steps

The following sections describes the configuration steps in Authenion & Oracle APEX application for Single Sign-On.

Pre-requisites

1. 'First-mile' integration (connecting Authenion to an identity provider).

2. Firewall requirements between APEX, Authenion and IdP servers.

SSO Integration Workflow

Following are the configurations that needs to be done in the Authenion Administrative Console to onboard the Oracle APEX application for Single Sign-On.

Virtual Server

Following is an example configuration of a Virtual Server for Oracle APEX application.

Application Host

Following is an example configuration of an Application Host in Authenion for Oracle APEX application.

Header Mapping

Following is an example configuration of a Header Mapping for Oracle APEX application.

Resources

Following is an example configuration of Protected & Excluded Resources in Authenion for Oracle APEX application.

Registering an Application for Oracle APEX in Authenion

Following is an example configuration of creating an Application in Authenion for Oracle APEX.

SSO Setup in Oracle APEX Application

Oracle APEX administrators can configure the available HTTP Header authentication schemes in APEX workspace to enable Single Sign-On with Authenion. The authentication schemes should be configured per APEX application and need to set its status as current. Click here to refer the Oracle Document.

1. Login to the Oracle APEX administrative console.

2. On the workspace homepage, click the App Builder icon.

3. Select the APEX application for which Single Sign-On needs to be enabled.

4. On the Application home page, click Shared Components.

5. Under Security, select an existing scheme or cretate a new scheme.

6. Modify the follwoing fields in the authentication scheme.

• Scheme Type - Select 'HTTP-Header' variable

• HTTP Header Variable Name - 'REMOTE_USER'

• Click Save

7. Repeat steps 1 to 6 to enable SSO login for Oracle APEX application.