Okta Access Gateway User Authentication to Oracle E-Business Suite
Access Gateway
Okta Classic Engine
Okta Identity Engine
Overview

This article outlines what happens when a user accesses the Oracle E-Business Suite (EBS) application protected by Okta Access Gateway (OAG).

Applies To
  • Okta Access Gateway (OAG)
  • Oracle E-Business Suite (EBS) 
  • Single Sign-On (SSO)
  • EBS SSO agent
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Solution

This article provides additional information beyond the existing documentation on the overall OAG > EBS authentication process.

Most implementations use the Rapid SSO flow. The EBS Classic process flow requires Oracle Internet Directory. If Oracle Internet Directory is unavailable, the Rapid SSO flow must be used.

The following is the exact flow, including what happens behind the scenes, when using the Rapid SSO setup:

  1. After receiving a Security Assertion Markup Language (SAML) assertion from the Identity Provider (IdP), OAG sends a request to the EBS SSO agent.
  2. The EBS SSO agent uses an Oracle library to connect to the backend EBS database, using the DB connection details provided during the EBS SSO agent application setup. It also sends the username in the EBS_USER header through the SSO agent service.
  3. In response, the backend EBS database sends an EBS session cookie along with the value configured in the Oracle Applications Session Cookie Domain.
    • NOTE: OAG only supports the value "DOMAIN" for "Oracle Applications Session Cookie Domain", as instructed in the documentation. Setting any value other than "DOMAIN" may result in access issues for all EBS applications.
  4. The generated EBS session cookie is sent back to the user's browser and cached for the next step. The cookie has a valid domain set that can be used for further authentication.
    • For example: If the OAG public domain is https://ebssso.example.com and the EBS backend URL is https://apps.example.com, the EBS session cookie will have the domain set as ".example.com". If the cookie domain does not match the public domain, authentication fails, or users may see the request going into an authentication loop.
  5. In addition to the above, the browser also receives the location of the post-login URL from OAG, to which the next request is redirected. The browser then sends the cookie directly to the EBS server. Once received, EBS validates the domain and the cookie against the session database and generates a JSESSIONID for the user.
    • NOTE: This session generation request, and any request after successful authentication, is sent directly from the user's browser to EBS.
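
When troubleshooting the authentication loop described in step 4, one useful check is whether the cookie's Domain attribute covers both the OAG public host and the EBS backend host. The following is an added example, not code from Okta or Oracle. The hostnames come from the example above, while the cookie name `EBS_SESSION`, its value and the helper function names are constructed placeholders.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample header; the cookie name and value are placeholders.
SAMPLE_SET_COOKIE = "EBS_SESSION=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain match; a leading dot is ignored."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if not domain:
        return False
    # Exact match, or host is a subdomain on a label boundary.
    return host == domain or host.endswith("." + domain)


def check_ebs_cookie(set_cookie: str, oag_url: str, ebs_url: str) -> list[str]:
    """Return a list of problems. An empty list means the browser will send
    the cookie to both the OAG public host and the EBS backend host."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if not jar:
        return ["no cookie could be parsed from the header"]
    problems = []
    for name, morsel in jar.items():
        domain = morsel["domain"]
        if not domain:
            # Without Domain the cookie is host-only and never reaches EBS.
            problems.append(f"{name}: no Domain attribute, cookie is host-only")
            continue
        for label, url in (("OAG public", oag_url), ("EBS backend", ebs_url)):
            host = urlsplit(url).hostname or ""
            if not domain_matches(host, domain):
                problems.append(
                    f"{name}: Domain={domain} does not cover {label} host {host}")
    return problems


if __name__ == "__main__":
    issues = check_ebs_cookie(SAMPLE_SET_COOKIE,
                              "https://ebssso.example.com",
                              "https://apps.example.com")
    print("cookie domain OK" if not issues else "\n".join(issues))
```

The Set-Cookie header to feed in can be copied from the browser's developer tools on the response that follows the SAML assertion.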
