
SSO for JD Edwards EnterpriseOne

by Oracle

Add Modern SSO to JD Edwards EnterpriseOne Without CNC Changes

Why JD Edwards EnterpriseOne Needs Modern SSO

JD Edwards EnterpriseOne (JDE E1) is one of the most widely deployed ERP systems in manufacturing, distribution, construction, and real estate. With over 20 years of continuous development, it manages financials, supply chain, manufacturing, project management, and human capital for mid-to-large enterprises worldwide.

Despite Oracle's stewardship and continued investment, JDE E1's authentication model remains rooted in its proprietary security architecture. Users log in with JDE-specific credentials stored in the User Profile (F0092) table, separate from any corporate IdP. The HTML Server (JAS) and AIS Server present web-based login forms that do not support SAML or OIDC natively. Adding federation requires Oracle Access Manager (OAM) or third-party solutions, both adding cost and complexity.

OnePAM eliminates these barriers by operating as an identity-aware reverse proxy in front of the JDE HTML Server (WebLogic-based JAS) or AIS Server. Users authenticate through your corporate IdP, and OnePAM injects the authenticated identity into JDE via HTTP header propagation or JDE token injection. All JDE web interfaces — EnterpriseOne HTML Client, Mobile Enterprise Applications, AIS-based integrations — gain SSO without JDE code changes or CNC configuration modifications.

Authentication Challenges with JD Edwards EnterpriseOne

These are the security and operational challenges organizations face when JD Edwards EnterpriseOne relies on its native authentication model.

Proprietary User Store

JDE stores user credentials in the F0092 User Profile table, completely separate from corporate directories and modern IdPs.

No Native Federation

JDE EnterpriseOne HTML Server (JAS) and AIS Server do not support SAML or OIDC out of the box. There is no built-in IdP integration.

OAM Complexity

Oracle's recommended approach (OAM with WebGate on WebLogic/JAS) adds significant infrastructure, licensing, and specialized CNC/OAM expertise.

JDE Security Kernel

JDE's security kernel manages sign-on tokens and row/column-level security. Authentication changes risk affecting the entire security model.

CNC Expertise Shortage

JDE CNC (Configurable Network Computing) administrators are scarce and expensive. Security changes to the JAS server are high-risk operations.

Multi-Environment Complexity

JDE deployments typically have multiple environments (DEV, PY, PD) each with separate HTML Servers, requiring consistent authentication across all.

How OnePAM Adds SSO to JD Edwards EnterpriseOne

A step-by-step guide to deploying modern SSO for JD Edwards EnterpriseOne using OnePAM's identity-aware reverse proxy.

1. Deploy OnePAM Gateway

Install OnePAM as a reverse proxy in front of the JDE HTML Server (JAS running on WebLogic) or AIS Server.

OnePAM deploys as a container or VM and handles TLS termination. It intercepts all HTTP/HTTPS requests to the JDE web tier before they reach the JAS or AIS application.

2. Connect Your Identity Provider

Configure your corporate IdP (Okta, Azure AD, Google Workspace, or any SAML 2.0 / OIDC provider) as the authentication source.

OnePAM handles the full SAML/OIDC handshake: metadata exchange, assertion validation, MFA enforcement, and token lifecycle. SP-initiated and IdP-initiated flows are both supported.

3. Map IdP Users to JDE Users

Define how IdP user attributes (email, employee ID, UPN) map to JDE EnterpriseOne user profiles (F0092 records).

OnePAM maps IdP assertions to JDE user IDs using direct matching, address book (F0101) lookups, or regex transformations. Multiple mapping strategies handle complex organizational structures.

4. Enable Identity Injection

OnePAM injects the authenticated identity into JDE via HTTP header propagation or JDE session token injection.

After IdP authentication, OnePAM sets trusted HTTP headers or generates JDE-compatible session tokens. The JAS server accepts the identity, and users land on their JDE home page without a second login.

5. Enforce Policies & Audit

Apply access policies per JDE environment and role, enforce MFA, enable session recording, and generate compliance reports.

Every JDE access event is logged with full IdP context: user, MFA method, device, location, and environment (DEV/PY/PD). Session recording captures the full JDE web session for compliance.
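
The mapping and header-injection steps above (3 and 4), sketched as an added example; this is not OnePAM's code or configuration. The header name `X-JDE-User`, the mapping table, the regex rule, the `example.com` identities and the 10-character ID format are all assumptions made for illustration. It shows the two checks that matter for header propagation: any identity header supplied by the client is discarded before the proxy sets its own, and an identity with no valid mapping is rejected rather than passed through.

```python
import re

# Hypothetical header name; the real one depends on how the JAS side is set up.
IDENTITY_HEADER = "X-JDE-User"
# Constructed sample data: direct match from IdP email to JDE user ID.
DIRECT_MAP = {"alice.ng@example.com": "ANG0042"}
# Constructed regex transformation: UPN "first.last@example.com" -> "FLAST".
UPN_RULE = re.compile(r"(?P<first>[a-z])[a-z]*\.(?P<last>[a-z]+)@example\.com")
# Assumption: a JDE user ID is 1-10 upper-case alphanumeric characters.
JDE_ID = re.compile(r"[A-Z0-9]{1,10}")


def map_to_jde_user(claims):
    """Return the JDE user ID for verified IdP claims, or None (fail closed)."""
    email = claims.get("email", "").strip().lower()
    candidate = DIRECT_MAP.get(email)
    if candidate is None:
        m = UPN_RULE.fullmatch(claims.get("upn", "").strip().lower())
        if m:
            candidate = (m["first"] + m["last"]).upper()
    # Reject anything that is not a well-formed ID, for example a regex
    # result that is longer than the ID format allows.
    if candidate and JDE_ID.fullmatch(candidate):
        return candidate
    return None


def _normalize(name):
    # Treat "x_jde_user" like "X-JDE-User": some servers fold "_" and "-".
    return name.lower().replace("_", "-")


def build_upstream_headers(inbound, claims):
    """Drop any client-supplied identity header, then set the proxy's own."""
    user = map_to_jde_user(claims)
    if user is None:
        raise PermissionError("no JDE user mapping for authenticated identity")
    clean = {k: v for k, v in inbound.items()
             if _normalize(k) != _normalize(IDENTITY_HEADER)}
    clean[IDENTITY_HEADER] = user
    return clean
```

Header propagation is only trustworthy when the JAS or AIS listener accepts connections solely from the proxy; if the backend is reachable directly, a client can set the identity header itself.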

Benefits of SSO for JD Edwards EnterpriseOne

Measurable business outcomes from deploying OnePAM SSO in front of JD Edwards EnterpriseOne.

Eliminate JDE Passwords

Users access JDE EnterpriseOne with their corporate IdP credentials — no separate JDE password to remember, expire, or reset.

88% fewer JDE password tickets

Enforce MFA for JDE

Apply your IdP's MFA policies to all JDE access — push notifications, FIDO2 keys, or biometrics — without CNC configuration changes.

100% MFA-protected JDE access

Instant Offboarding

Disable a user in your IdP and their JDE access is immediately revoked — no orphan F0092 user profiles, no lingering sessions.

0 orphan JDE accounts

No OAM Licensing

OnePAM replaces Oracle Access Manager for JDE SSO — no OAM servers, no WebGate agents, no per-processor OAM licenses.

Save $100K+/year

Unified Audit Trail

JDE access events appear alongside all other enterprise applications in a single audit trail with full IdP context and device information.

Single pane of glass

Zero CNC Changes

No JDE server code modifications, no JAS configuration changes, no CNC package deployments. OnePAM operates entirely at the HTTP layer.

0 CNC packages deployed

JD Edwards EnterpriseOne SSO Capabilities

Every feature needed to provide enterprise-grade SSO for JD Edwards EnterpriseOne.

SAML 2.0 & OIDC SSO for JDE EnterpriseOne HTML Client
JDE AIS Server authentication integration
HTTP header-based identity injection
JDE Mobile Enterprise Applications SSO
Multi-environment support (DEV, PY, PD)
F0092 user profile to IdP identity mapping
Session recording and keystroke logging
Just-in-time user provisioning from IdP

Security Features

Enterprise-grade security controls protecting the SSO integration layer.

End-to-end TLS between user, OnePAM, and JDE HTML Server
Signed and encrypted SAML assertions
Per-environment access policies
IP allow-listing and geo-restriction per JDE environment
Device compliance verification before JDE access
Automatic session termination on IdP logout

JD Edwards EnterpriseOne SSO Use Cases

Common scenarios where organizations deploy OnePAM SSO for JD Edwards EnterpriseOne.

1. Manufacturing teams accessing JDE Shop Floor Management with corporate SSO
2. Finance departments using JDE General Ledger and AP/AR with MFA enforcement
3. Distribution warehouse staff accessing JDE WMS from handheld devices with device trust
4. Construction project managers accessing JDE Project Costing with time-limited sessions
5. External auditors given read-only, recorded access to JDE financial reports
6. M&A scenarios: bring acquired company JDE users under your corporate IdP in days

JD Edwards EnterpriseOne SSO FAQ

Common questions about deploying OnePAM SSO for JD Edwards EnterpriseOne.

Does OnePAM require changes to JDE EnterpriseOne server code or CNC configuration?

No. OnePAM operates as a reverse proxy in front of the JDE HTML Server (JAS). It handles authentication at the HTTP layer. No JDE code modifications, no CNC package deployments, no JAS configuration changes.

Which JDE EnterpriseOne versions and Tools releases are supported?

OnePAM supports JDE EnterpriseOne with Tools releases 9.1, 9.2 (all updates), and the latest continuous delivery updates. Any version using the HTML Server (JAS) for web access is compatible.

Does OnePAM work with JDE Mobile Enterprise Applications?

Yes. JDE Mobile Enterprise Applications that connect through the AIS Server gain SSO through OnePAM. Mobile users authenticate via the IdP's mobile flow and access JDE without separate credentials.

How does OnePAM handle JDE environments (DEV, PY, PD)?

OnePAM supports per-environment policies. You can apply different MFA requirements, access windows, and session controls for each JDE environment. Development environments can have relaxed policies while production gets strict enforcement.

Can we keep JDE local passwords as a fallback?

Yes. OnePAM can be configured in 'SSO-preferred' mode where users are redirected to the IdP by default but can fall back to the JDE login page for break-glass or emergency scenarios.

Does OnePAM replace Oracle Access Manager for JDE?

Yes. OnePAM provides SSO, MFA, session management, and audit logging for JDE without requiring OAM, WebGate, or Oracle Identity Federation. This eliminates significant licensing and infrastructure costs.

Ready to Add SSO to JD Edwards EnterpriseOne?

Deploy OnePAM in hours — not months. No JD Edwards EnterpriseOne code changes required. Start your free 14-day trial today.