
Oracle Applications Cloud

Single Sign-On (SSO) Enablement


Service Entitlement Definition
Operational Policy: Enterprise and Standard
ORACLE WHITE PAPER | JANUARY 2018
Disclaimer
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.
Single Sign-On (SSO) Enablement

This document provides information about the Single Sign-On (SSO) Enablement service entitlement
and instructions on how to file a service request (SR) for SSO to be enabled on your Cloud
environment.

Be sure to fully understand the policy for the SSO Enablement service, approval and fulfillment by
reviewing the Fulfillment Considerations section below.

Important Note: This service is limited to enabling SSO for your Oracle Cloud Service. Customers are
responsible for managing their on-premise Identity Provider (IdP) and any related expiration dates.

CHARACTERISTIC: DESCRIPTION

Compatible Release(s): All Fusion Cloud Services, all supported releases. Enterprise and Standard operational policies.

Service Type: Security

Definition: This service enables the Oracle Fusion Cloud Service to be part of the cross-domain Single Sign-On (SSO) solution.

Business Need Met: By enabling SSO for the Oracle Fusion Cloud Service, your users need to sign in only once and can access the service without having to remember a different password.

Typical Frequency: Once per environment.

Fulfillment Considerations: Oracle’s Single Sign-On enablement policy and service fulfillment process vary based on the Identity Provider (IdP) requested and your Cloud Service operational policy. You can find your Cloud Service operational policy in My Services.

Identity providers (IdP) fall into two categories: certified and non-certified.

• Certified IdP

  o Automatically approved

  o Service fulfillment begins immediately upon receipt of your request

  o Available with Enterprise and Standard operational policies

  o See Appendix 1 for the complete list of certified federation servers.

  o Oracle Sales Cloud for Outlook: Note that if you use the integration between Oracle Sales Cloud and Microsoft Outlook, only a subset of certified federation servers is supported. Review Appendix 1 for details.

• Non-certified IdP

  o Subject to review and approval

  o Available only with the Enterprise operational policy

  o The approval process is contingent upon various factors, including an assessment of the requested federation server. The federation server must support SAML 2.0.

  o If approved, requires an additional setup fee. Contact your Oracle Sales team for subscription details.

  o NOTE: Exception approval is uncommon. Oracle has the right to reject any request for a non-certified IdP and instead recommends that you use a certified IdP.

Plan ahead

• Certified IdP: Once you file your request, allow 2 to 6 weeks for service fulfillment.

• Non-certified IdP: Upon approval and payment, allow up to 6 weeks for service fulfillment of the first environment, and 3 weeks for an additional environment.

Downtime

• At least 1 and up to 9 hours of downtime is required to enable SSO on each environment. You will receive a planned outage notification in advance, to confirm that you can accept the required downtime. Oracle configures SSO on Friday evenings, U.S. Pacific Time.

Enable and test SSO in a non-production environment before enabling it in production.

SSO Enablement Option: “Chooser Page” or “No Chooser Page”

After you verify the SSO test URL provided by Oracle Support, you specify how you want SSO enabled for that environment. With SSO enabled, users typically sign in to their Oracle Cloud Service with their SSO Identity Provider (IdP) credentials (username and password). However, you may give users a second option to sign in with their Fusion credentials maintained directly in their Cloud Service. If desired, authentication using Fusion credentials is in addition to SSO Identity Provider credentials. You will be asked to select one of two options for SSO enablement:

• Option 1: “No Chooser Page” (strict SSO): Select this option if you want to implement strict SSO by forcing your users to sign in with SSO Identity Provider credentials only. Users will be unable to sign in with Fusion credentials. Customers typically select this option for their production environment.

• Option 2: “Chooser Page” (hybrid): Select this option if you want a hybrid login method that enables users to sign in to Oracle Cloud Services with either 1) SSO Identity Provider credentials or 2) Fusion credentials. You may find this option useful for non-production environments.

• Note: The Chooser Page option does not affect sign-in to My Services.

Environment Refresh and SSO:

• Environment refresh migrates user security setup by removing all users and roles from the target environment and copying that information from the source environment. If you enabled SSO on the source environment but not the target environment, end users will be unable to log in to the target environment because there will be no passwords available there.

If you enable SSO for your production environment, we recommend that you enable SSO for all non-production environments to ensure user logins work after the environment refresh service completes.

Important! If your users cannot log in to the target environment post-refresh, submit a service request (SR) in My Oracle Support to reset the password for an Administrator, who can then reset the password for all other end users.

Review the 3 scenarios below to understand how your decision to enable SSO
across environments impacts user login after an environment refresh service
completes.

Scenario 1 (Recommended): You enable SSO on both the source and target environments

• End users can log in to the target environment post-refresh using their SSO identity provider credentials. Note: Users can also sign in using their Fusion credentials if you selected the Chooser Page option at the time of SSO enablement.

Scenario 2: You enable SSO only on the source environment

• End users cannot log in to the target environment post-refresh. SSO identity provider credentials will not work since SSO is not enabled, and Fusion credentials will not work since there were no passwords in the source environment to migrate. To resolve, submit a service request (SR) in My Oracle Support to reset the password for an Administrator, who can then reset the password for all other end users.

Scenario 3: You enable SSO only on the target environment

• End users can log in to the target environment post-refresh using their SSO identity provider credentials. If you selected the Chooser Page option at the time of SSO enablement, users can also sign in to the target environment using their Fusion credentials.

Fulfillment Method: Please see Appendix 2: SSO Enablement Process at the end of this document for details.

SR Filing Guidelines: Note: For detailed steps on how to file a service request (SR), see “Instructions on Submitting a Cloud Service Request (SR)” in My Oracle Support Doc ID 2120276.1.

When filing your request, look for the option to request the Federated Single Sign-On
(SSO) service. The system then will prompt you to answer questions that are specific
to this Cloud service.

Important: Submit a separate SR for each environment. Enable and verify SSO on
a non-production environment first, before requesting enablement in production.

The Federated Single Sign-On (SSO) service request may ask you for the following information:

• Specify which certified IdP you are using on-premise.

• For a non-certified IdP, provide 1) name and 2) release level. Oracle will fulfill requests only for Cloud Services managed under the Enterprise operational policy, if approved and after the additional setup fee has been paid through your Fusion Cloud Service subscription. Contact your Oracle Sales or other account representative for details.

• Provide details for the environment in which you want to enable SSO:

  o URL for Non-Production, and Approximate Target Date, or

  o URL for Production, and Approximate Target Go-Live Date

• Do you wish to enable SSO for Oracle Sales Cloud for Microsoft Outlook? (Yes/No)

• Provide Federation Enablement Technical Contact details (Name, Email, Office phone number, Cell phone number).

• Provide any additional information you would like to share with Support.

• Important note: This service is limited to enabling SSO for your Oracle Cloud Service. Customers are responsible for managing their on-premise Identity Provider (IdP) and any related expiration dates.

How to Validate Service Fulfillment: After configuring SSO on both the Oracle side and the customer on-premise side, Oracle provides you with a test URL that you can access to verify that SSO is enabled and that redirection works correctly.

Related Service(s): N/A

Related Information on MOS: MOS ID 1484345.1 - Fusion Applications Technology: Master Note on Fusion Federation

Appendix 1: Certified Federation Servers
Certified federation servers include:

1. AuthAnvil

2. BIG-IP Access Policy Manager (APM) F5

3. CA Single Sign-on (formerly CA SiteMinder)

4. Centrify

5. Entrust GetAccess

6. ForgeRock OpenAM

7. Google IDP

8. IBM Security Access Manager

9. IBM Tivoli Access Manager

10. Microsoft ADFS 2.0+

11. Microsoft Azure Active Directory (Azure AD)

12. NetIQ Access Manager

13. Okta (SAML 2.0 compliant versions only)

14. OneLogin

15. Open SAML

16. Oracle Access Management (OAM) 11gR2 PS3+

17. Oracle Identity Cloud Service (IDCS)

18. Oracle Identity Federation (OIF) 11g+

19. Ping Federate 6.0+

20. Ping One

21. SailPoint Identity

22. SecureAuth

23. Shibboleth 2.4.0+

24. SimpleSAMLphp

25. SSO EasyConnect

26. SURFconext

27. WSO2 Identity Server

*Important Note: Oracle Sales Cloud for Microsoft Outlook works only with the certified
federation servers below:

• IBM Tivoli Access Manager

• Microsoft ADFS 2.0+

• Microsoft Azure Active Directory (Azure AD)

• Oracle Identity Federation (OIF) 11g+

Appendix 2: SSO Enablement Process

Figure 1 – SSO Enablement Process

[1] You file an SR by filling in the SR template requesting SSO be enabled. You will need to indicate which
federation server you will be using, along with the environment details of where SSO needs to be enabled. The
content of the template is given above.
[2] Once the SR is received, it is submitted through an approval process. If the federation server requested is in the
list of Certified Identity Providers (IdP), then the SSO request is automatically approved.

Requests for use of a non-certified IdP are submitted for exception IdP review and approval. The approval is
contingent upon an assessment of the federation server you want to use.

[3] Depending on whether your SSO request is approved or not, (and whether the additional setup fee has been
paid where applicable), you will take the appropriate next steps.

[4] If the SSO request is not approved, then you should instead select a certified IdP and resubmit your request. If
using a non-certified federation server is your only option, then you must update your original SR with a business
justification. This will go to Oracle management for review and approval, which is contingent upon an assessment of
the requested federation server and technical feasibility. Note: If approved, there is an additional setup fee
required.

Once the SSO request is approved (and paid for, if you request setup for a non-certified federation server), Oracle
sends you the configuration document for the given federation server. Currently, standard configuration documents
are available only for ADFS and OIF. For other federation servers, once approved, Oracle will work with you,
through SRs, answering questions. You can find more information about setting up the IdP in My Oracle Support
document, Doc ID 1484345.1 - Fusion Applications Technology: Master Note on Fusion Federation. As part of this
note, you can find separate links for OIF and ADFS on how to set them up as your federation server.

[5] You then configure your federation server according to the document provided.

[6] Meanwhile, Oracle sets up SAML 2.0 Service Provider services in the environment you requested in your SR
and sends the resulting metadata.xml to you.

Oracle configures the Service Provider (SP) only on Friday evenings US Pacific Time. This requires at least 1
and up to 9 hours of downtime. You will receive a planned outage notification prior to the required outage.

[7] Once you receive the metadata.xml, you update your Identity Provider’s (IdP’s) configuration with the
metadata.xml provided to you. You then generate your IdP’s own metadata.xml and send it to Oracle.

The metadata.xml file contains the information required to add Fusion Applications as a trusted partner to your on-
premises Identity Provider (IdP). The following information is included:

• The Assertion Consumer Service URL of the SP, to which the IdP redirects the user with the SAML Assertion.

• The signing certificate corresponding to the private key used by the SP to sign SAML messages, in the
case of the SAML 2.0 protocol.

• The encryption certificate corresponding to the private key used by the SP to decrypt the SAML Assertion,
if SAML 2.0 encryption is to be used.

• The Logout service endpoint, if SAML 2.0 is used.
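As an added illustration (not part of this Oracle document or an Oracle-issued file), the Python below parses a constructed SP metadata.xml carrying the four items listed above and flags what an IdP administrator should check before adding the SP as a trusted partner; the entityID, URLs and certificate bodies are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata (assumption, not an Oracle-issued file); URLs and certs are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.invalid/fusion">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.invalid/fed/sp/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.invalid/fed/sp/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Extract the ACS URL, signing/encryption certificates and logout endpoint from SP metadata."""
    root = ET.fromstring(xml_text)  # for metadata from untrusted sources, parse with defusedxml instead
    sp = root.find("md:SPSSODescriptor", NS)
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        certs[kd.get("use", "both")] = "".join(cert.text.split())
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "signing_cert": certs.get("signing") or certs.get("both"),
        "encryption_cert": certs.get("encryption") or certs.get("both"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }

def check_sp_metadata(info):
    """List problems an IdP administrator should resolve before trusting the SP."""
    problems = []
    for key in ("acs_url", "slo_url"):
        if info.get(key) and urlparse(info[key]).scheme != "https":
            problems.append(f"{key} is not https: {info[key]}")
    if not info["signing_cert"]:
        problems.append("no signing certificate; signed SAML messages cannot be verified")
    if not info["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    return problems
```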

[8] Upon receiving the updated metadata.xml file with the IdP’s information from you, Oracle reconfigures the SP
with this new information, which completes the handshake between IdP and SP.

[9] Oracle then sends you a verification URL for you to test the redirection.

[10] You test the verification URL and see if the redirection to SSO is correct.

[11] If the redirection does not happen, you can work with Oracle to resolve the issue by updating the configuration
and re-exchanging the metadata.xml file.

[12] If the redirection tests successfully then you are SSO enabled for this environment.

[13] You notify Oracle of your successful SSO enablement and the SR is closed.

When you are ready to enable SSO for your production environment as well, follow the same multi-step process
outlined above. Until SSO is enabled, direct access to Fusion services will still be available, and so there will be
no downtime to enable SSO.
Oracle Corporation, World Headquarters: 500 Oracle Parkway, Redwood Shores, CA 94065, USA
Worldwide Inquiries: Phone +1.650.506.7000, Fax +1.650.506.7200

CONNECT WITH US
blogs.oracle.com/oracle
facebook.com/oracle
twitter.com/oracle
oracle.com

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0118

