April 2013

Understanding Federated Single Sign-On (SSO) Process


Disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.


Federated Single Sign-On Process Overview

Contents

Introduction
Scope of This Document
Prerequisites
Process Roadmap
Appendix A


Introduction

Enterprises are rapidly moving from traditional on-premises environments to Oracle Cloud implementations. Most of these customers want to keep using their existing LDAP repositories to authenticate their employees to Oracle Cloud: they want to access Oracle Cloud services through Single Sign-On (SSO) with their existing authentication methods and credentials, irrespective of form factor or device type.

Oracle Cloud implements a standards-based federation solution built on Security Assertion Markup Language (SAML) 2.0. The Oracle Fusion SAML Service Provider, integrated with the Fusion SSO Server, acts as the Service Provider (SP). Customers must deploy or configure either Microsoft Active Directory Federation Services (ADFS) 2.0 or Oracle Identity Federation 11g as the Identity Provider (IdP) in their on-premises environment. Existing ADFS 2.0 or Oracle Identity Federation 11g installations can be reused after some configuration changes. Currently, this Federated SSO solution is certified to support only ADFS 2.0 and Oracle Identity Federation 11g Release 1 (11.1.1).

Scope of This Document

This document outlines the process by which Oracle Cloud Fusion Applications customers request Single Sign-On (SSO) enablement for their Fusion Applications cloud instances. The process includes steps completed by the customer and steps completed by Oracle Cloud Operations personnel.

This document does not describe how to configure Identity Providers (IdPs) in customers' on-premises environments. For information about configuring Microsoft Active Directory Federation Services (ADFS) 2.0 or Oracle Identity Federation 11g as an identity provider, see support note ID 1484345.1 on My Oracle Support.

For more information on configuring identity synchronization, see the document titled "Configuring Identity Synchronization in Oracle Fusion Cloud Services," which is attached to support note ID 1484345.1 on My Oracle Support.

Prerequisites

The following are the prerequisites for enabling SSO in Oracle Cloud Fusion Applications service instances:

• Oracle requires a SAML 2.0 certified implementation of the federation protocol.

• Oracle requires the SAML 2.0 browser artifact SSO profile for connecting to Oracle Cloud Fusion Applications service instances.

• The SAML 2.0 Assertion NameID element must contain one of the following:

o The user's email address, with the NameID Format being Email Address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)

o The user's Fusion uid, with the NameID Format being Unspecified (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)

• All federation Identity Provider (IdP) endpoints must use SSL (HTTPS).

Process Roadmap

Figure 1-1 illustrates the process of enabling Federated Single Sign-On (SSO).


Figure 1-1 Federated SSO Process


Enabling Federated SSO in Oracle Cloud environments involves the following steps:

1. An Oracle Cloud customer expresses interest in using the Federated SSO implementation by contacting their Oracle representative. The customer receives an SSO template from the representative, fills it in, sends it to Oracle, and requests approval.

2. Oracle representatives review the customer's request. For on-premises identity providers other than ADFS 2.0 and OIF 11g, SSO enablement requests may require additional approvals.

Note: Implementing Federated SSO typically takes a minimum of two weeks per POD (customer environment) after the necessary approval. For more information, see this support note on My Oracle Support.

3. Oracle notifies the customer of the request status. If a non-standard Identity Provider is being used, Oracle notifies the customer whether the solution can be supported.

4. The customer creates and submits a Service Request (SR) on My Oracle Support (http://support.oracle.com) for each Oracle Fusion Cloud Service instance. This SR is referred to as the Parent SR and must use the following header:

SSO Enablement

To establish SSO between the customer's on-premises environment and the Oracle Fusion Cloud Service environment, the customer must specify which identity attribute (user name or email address) is unique across all users in the customer's organization. Oracle Cloud Operations personnel need this information to identify the changes to be made in the customer's SaaS environment.

Note: The filled-in questionnaire shown in Appendix A should be attached to the Parent SR.

5. The customer receives a document that describes how to configure their on-premises IdP, based on their choice of IdP (Microsoft Active Directory Federation Services (ADFS) 2.0 or Oracle Identity Federation 11g).

6. The customer completes the procedures described in that document to configure Oracle Identity Federation (OIF) or Active Directory Federation Services (ADFS) as an IdP in their on-premises environment.

Note: If the customer encounters issues with the on-premises Oracle Identity Federation IdP, the customer must file a separate product SR on My Oracle Support. If the customer encounters issues with a third-party IdP product such as ADFS, the customer should contact the third-party vendor to resolve them.

7. Oracle Cloud Operations personnel set up a Fusion SAML Service Provider (SP) in the customer's non-production SaaS environment. They then send the customer a metadata.xml file containing the SP configuration settings via the Parent SR.

This metadata.xml file contains the information required to add Fusion Applications as a trusted partner in the customer's on-premises Identity Provider:

• The Assertion Consumer Service URL of the OIF/SP, to which the Identity Provider redirects the user with the SAML Assertion.

• The Signing Certificate corresponding to the private key the SP uses to sign SAML messages (SAML 2.0 protocol).

• The Encryption Certificate corresponding to the private key the SP uses to decrypt the SAML Assertion, if SAML 2.0 encryption is to be used.

• The Logout service endpoint, if SAML 2.0 logout is used.

8. The customer downloads the metadata.xml file and imports or configures the SP settings in their on-premises environment.

9. The customer then sends Oracle Cloud Operations personnel a metadata.xml file describing their on-premises IdP, by attaching it to the Parent SR.

10. Oracle Cloud Operations personnel configure the IdP settings in the customer's non-production SaaS environment and send a verification link to the customer.

11. The customer uses the verification link to test Federated SSO from their on-premises environment. If the customer encounters problems during testing, the customer can request assistance from Oracle Cloud Operations personnel.

Note: The customer cannot use the Fusion environment for other operations during the testing phase.

12. After testing is complete, the customer sends a confirmation to Oracle. On receiving this confirmation, Oracle Cloud Operations personnel complete the configuration procedures in the customer's production SaaS environment. From this point on, the on-premises IdP is solely responsible for authenticating users.

Note: Once Federated SSO is enabled, only users whose identities have been synchronized between the on-premises IdP and Oracle Cloud can log in to Fusion Application services in Oracle Cloud. For more information on configuring identity synchronization, see the document titled "Configuring Identity Synchronization in Oracle Fusion Cloud Services," which is attached to support note ID 1484345.1 on My Oracle Support.

Note that the customer must have at least one valid user that is imported and synchronized between the on-premises environment and the non-production SaaS environment. This user is required to validate the SSO configuration.
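The metadata exchanged in steps 7 and 9, and the NameID rules in the Prerequisites section, are the parts of this process a customer can check mechanically before attaching files to the Parent SR. The following Python script is an added example, not part of the original document and not Oracle's code: it parses constructed SP and IdP metadata and a constructed assertion fragment, and reports whether the SP metadata carries an Assertion Consumer Service with the HTTP-Artifact binding the browser artifact profile needs, signing and encryption certificates and a logout endpoint; whether every IdP endpoint is HTTPS and an ArtifactResolutionService is published; and whether the assertion's NameID uses one of the two accepted formats. The example.invalid hosts, entity IDs and certificate bodies are placeholders. The script does not verify XML signatures, which a real SP must do before trusting any assertion.

```python
"""Checks on the SAML 2.0 artifacts exchanged in the process above: the SP metadata.xml
from step 7, the IdP metadata.xml from step 9 and the NameID in the IdP's assertion
(Prerequisites). Added example; the XML is constructed and the hosts are placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ALLOWED_NAMEID_FORMATS = {EMAIL_FORMAT, UNSPECIFIED_FORMAT}

# Constructed SP metadata carrying the four items step 7 lists: ACS URL, signing
# certificate, encryption certificate and logout endpoint (certificate bodies are placeholders).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.invalid/fed/sp">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://sp.example.invalid/fed/sp/slo"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
   Location="https://sp.example.invalid/fed/sp/art20" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata of the kind an on-premises ADFS 2.0 or OIF 11g publishes.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://idp.example.invalid/fed/idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
   Location="https://idp.example.invalid/fed/idp/soap" index="0"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.invalid/fed/idp/slo"/>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.invalid/fed/idp/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned assertion fragment; only its Subject/NameID is inspected here.
ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_constructed-1" Version="2.0" IssueInstant="2013-04-01T00:00:00Z">
 <saml:Issuer>https://idp.example.invalid/fed/idp</saml:Issuer>
 <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.invalid</saml:NameID></saml:Subject>
</saml:Assertion>"""


def _non_https_endpoints(descriptor, label):
    """Every md:* element with a Location attribute is an endpoint; list the ones not on HTTPS."""
    problems = []
    for el in descriptor.iter():
        loc = el.get("Location")
        if loc is not None and urlparse(loc).scheme != "https":
            name = el.tag.rsplit("}", 1)[-1]
            problems.append(f"{label} {name} endpoint is not HTTPS: {loc}")
    return problems


def check_sp_metadata(xml_text):
    """Return problems with an SP metadata.xml; [] means it carries what step 7 says it must."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor in SP metadata"]
    problems = _non_https_endpoints(sp, "SP")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        problems.append("missing AssertionConsumerService")
    elif not any(a.get("Binding") == HTTP_ARTIFACT for a in acs):
        problems.append("no AssertionConsumerService with the HTTP-Artifact binding")
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    uses = {u for kd in sp.findall("md:KeyDescriptor", NS)
            for u in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"])}
    for use in ("signing", "encryption"):
        if use not in uses:
            problems.append(f"missing KeyDescriptor use={use}")
    if sp.find("md:SingleLogoutService", NS) is None:
        problems.append("missing SingleLogoutService")
    return problems


def check_idp_metadata(xml_text):
    """Return problems with an IdP metadata.xml against the Prerequisites section."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor in IdP metadata"]
    problems = _non_https_endpoints(idp, "IdP")  # all IdP endpoints must use SSL
    if idp.find("md:SingleSignOnService", NS) is None:
        problems.append("missing SingleSignOnService")
    if idp.find("md:ArtifactResolutionService", NS) is None:  # required by the artifact profile
        problems.append("missing ArtifactResolutionService")
    formats = {f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text}
    if formats and not formats & ALLOWED_NAMEID_FORMATS:
        problems.append("IdP advertises no accepted NameID format: " + ", ".join(sorted(formats)))
    return problems


def check_assertion_nameid(xml_text):
    """Return problems with an assertion's Subject/NameID. Run this only after the assertion's
    signature has been verified; an absent Format attribute means unspecified (SAML 2.0 core)."""
    name_id = ET.fromstring(xml_text).find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["assertion has no Subject/NameID"]
    fmt, value = name_id.get("Format", UNSPECIFIED_FORMAT), (name_id.text or "").strip()
    problems = []
    if fmt not in ALLOWED_NAMEID_FORMATS:
        problems.append(f"NameID Format not accepted: {fmt}")
    if not value:
        problems.append("empty NameID")
    elif fmt == EMAIL_FORMAT and "@" not in value:
        problems.append(f"NameID Format is emailAddress but value is not an address: {value}")
    return problems
```

Each checker returns an empty list when nothing is wrong, so the three calls can be run over the real metadata.xml files and a captured assertion before anything is attached to the Parent SR. The two NameID format URNs are the SAML 2.0 identifiers for the "Email Address" and "Unspecified" formats named in the Prerequisites; if the Fusion uid is used, the value check for "@" does not apply.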

Appendix A

Questionnaire

Customer Name: ___________________________________

1. Please check which of the following Federation Servers you are using on-premises:
a. □ Active Directory Federation Services (ADFS 2.0)
b. □ OIF 11g
c. □ Other _________________
Note: For requests based on products other than ADFS 2.0 and OIF 11g, approvals will be on an exception basis.

2. Please check which of the following Fusion SaaS Applications you are currently running:
a. □ HCM
b. □ CRM
c. □ ERP
d. □ Other _________________

3. How many employees / users will be enabled upon go-live? _________________

4. Do you wish to enable SSO for CRM Mobile Apps?
a. □ Yes
b. □ No

5. Which environment would you like to enable?
a. URL for Non-Production: _______________________
   i. Approx. Target Date: ____________________
b. URL for Production: __________________
   i. Approx. Target Go-Live Date: ____________________

6. Technical Integration Contact Information
a. Email: _________________
b. Phone numbers
   i. Office: ___________
   ii. Cell: ___________


Oracle Corporation

World Headquarters

500 Oracle Parkway

Redwood Shores, CA 94065

U.S.A.

Worldwide Inquiries:

Phone: +1.650.506.7000

Fax: +1.650.506.7200

oracle.com

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.