Understanding Federated Single Sign-On Process (SSO)

Disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Federated Single Sign-On Process Overview
Introduction .......................... 2
Scope of This Document ................ 2
Prerequisites ......................... 2
Process Roadmap ....................... 3
Appendix A ............................ 7
Page | 2
Introduction

Enterprises are rapidly moving from traditional on-premises environments to Oracle Cloud implementations. A majority of such customers want to use their current LDAP repositories for authenticating their employees in Oracle Cloud. They want to access Oracle Cloud services via Single Sign-On (SSO) by using their existing authentication methods and credentials, irrespective of the form factor or device type.

Oracle Cloud implements a standards-based Federation solution, leveraging Security Assertion Markup Language (SAML) 2.0. The Oracle Fusion SAML Service Provider, integrated with the Fusion SSO Server, acts as the Service Provider (SP). Customers must configure or deploy either Microsoft Active Directory Federation Server (ADFS) 2.0 or Oracle Identity Federation Server 11g as an Identity Provider (IdP) in their on-premises environments. Customers can also use their existing Microsoft Active Directory Federation Server (ADFS) 2.0 or Oracle Identity Federation Server 11g installations after incorporating some configuration changes. Currently, this Federated SSO solution is certified to support ADFS 2.0 and Oracle Identity Federation 11g Release 1 (11.1.1) only.

Scope of This Document

This document outlines the process for Oracle Cloud Fusion Applications customers to request Single Sign-On (SSO) enablement in their Fusion Applications cloud instances. This process includes steps to be completed by both customers and Oracle Cloud Operations personnel. This document does not describe how to configure Identity Providers (IdP) in customers' on-premises environments. For information about configuring Microsoft Active Directory Federation Server (ADFS) 2.0 or Oracle Identity Federation Server 11g identity providers, see the support note ID 1484345.1 on My Oracle Support.
For more information on configuring identity synchronization, see the document titled Configuring Identity Synchronization in Oracle Fusion Cloud Services, which is attached to the support note ID 1484345.1 on My Oracle Support.

Prerequisites

The following are the prerequisites for enabling SSO in Oracle Cloud Fusion Applications service instances:
- Oracle requires the use of a SAML 2.0 certified implementation of the Federation protocol.
- Oracle requires the use of the SAML 2.0 browser artifact SSO profile to connect to Oracle Cloud Fusion Applications service instances.
- The SAML 2.0 Assertion NameID element must contain one of the following:
  o The user's email address, with the NameID Format being Email Address
  o The user's Fusion uid, with the NameID Format being Unspecified
- All Federation Identity Provider (IdP) endpoints must use SSL.

Process Roadmap

Figure 1-1 illustrates the process of enabling Federated Single Sign-On (SSO).
Figure 1-1 Federated SSO Process
Enabling Federated SSO in Oracle Cloud environments involves the following steps:
1. An Oracle Cloud customer expresses interest in using the Federated SSO implementation by contacting Oracle representatives. The customer receives an SSO template from their Oracle representative. The customer sends the filled-in SSO template to Oracle and requests approval.
2. Oracle representatives review the customer's request. For on-premises identity providers other than ADFS 2.0 and OIF 11g, SSO enablement requests may require additional approvals.
Note: It typically takes at least two weeks to implement Federated SSO per POD (customer environment) after the necessary approval. For more information, see this support note on My Oracle Support.
3. Oracle notifies the customer of the request status. If a non-standard Identity Provider is being used, Oracle notifies the customer whether the solution can be supported.
4. The customer creates and submits a Service Request (SR) on My Oracle Support (http://support.oracle.com), for each Oracle Fusion Cloud Service instance. This SR is referred to as the Parent SR, which must use the following header:
SSO Enablement
To establish SSO between the customer's on-premises environment and the Oracle Fusion Cloud Service environment, the customer must specify which identity attribute (user name or email address) will be unique across all users in the customer's organization. Oracle Cloud Operations personnel need this information to identify the changes to be made in the customer's SaaS environment.
Note: The filled-in questionnaire, which is shown in Appendix A, should be attached to the parent SR.
5. The customer receives a document that describes how to configure their on-premises IdP, based on their choice of IdP (Microsoft Active Directory Federation Server (ADFS) 2.0 or Oracle Identity Federation Server 11g).
6. The customer completes the procedures described in the document to configure Oracle Identity Federation (OIF) or Active Directory Federation Services (ADFS) as an IdP in their on-premises environment.
Note: If the customer encounters any issues related to the on-premises Oracle Identity Federation IdP, the customer must file a separate product SR on My Oracle Support. If the customer encounters issues related to third-party IdP products, such as ADFS, the customer should contact third-party vendors to resolve such issues.
7. Oracle Cloud Operations personnel set up a Fusion SAML Service Provider (SP) in the customer's non-production SaaS environment. Subsequently, they send a metadata.xml file, which contains the SP configuration settings, to the customer via the parent SR.
This metadata.xml file contains the information required to add Fusion Applications as a trusted partner to the customer's on-premises Identity Provider. The following information is included:

- The Assertion Consumer Service URL of the OIF/SP, to which the user is redirected from the Identity Provider with the SAML Assertion.
- The Signing Certificate corresponding to the private key used by the SP to sign the SAML messages, in the case of the SAML 2.0 protocol.
- The Encryption Certificate corresponding to the private key used by the SP to decrypt the SAML Assertion, if SAML 2.0 encryption is to be used.
- The Logout service endpoint, if SAML 2.0 is used.
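Added example, not part of this document or of Oracle's own tooling: a small Python check that reads an SP metadata.xml and verifies it against the prerequisites and the metadata contents listed above (SSL-only endpoints, an HTTP-Artifact Assertion Consumer Service, signing and encryption certificates, a logout endpoint, and the two permitted NameID formats). The embedded metadata sample, its entityID and hostnames are constructed, and standard SAML 2.0 metadata element names are assumed because the actual Oracle file is not shown here.

```python
"""Check a SAML 2.0 SP metadata.xml against this document's prerequisites: SSL-only
endpoints, an HTTP-Artifact AssertionConsumerService, signing and encryption
KeyDescriptors and a SingleLogoutService. Sample metadata is constructed, not Oracle's."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
# The only two NameID formats the Fusion SP accepts (see Prerequisites).
ALLOWED_NAMEID = {"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://fusion.example.invalid/sp"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://fusion.example.invalid/sp/slo"/>
    <md:AssertionConsumerService Binding="{ARTIFACT}" index="0"
        Location="https://fusion.example.invalid/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element"]
    findings = []
    # Every endpoint element (ACS, SLO, ...) carries a Location; all must be HTTPS.
    for ep in sp.iter():
        loc = ep.get("Location")
        if loc is not None and not loc.startswith("https://"):
            findings.append(f"non-SSL endpoint: {loc}")
    if ARTIFACT not in {a.get("Binding") for a in sp.findall("md:AssertionConsumerService", NS)}:
        findings.append("no HTTP-Artifact AssertionConsumerService")
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    uses = set()
    for kd in sp.findall("md:KeyDescriptor", NS):
        uses.update([kd.get("use")] if kd.get("use") else ["signing", "encryption"])
    findings += [f"missing KeyDescriptor use={u}" for u in ("signing", "encryption") if u not in uses]
    if sp.find("md:SingleLogoutService", NS) is None:
        findings.append("no SingleLogoutService endpoint")
    return findings

def nameid_format_allowed(fmt):
    """True when an assertion's NameID Format is one the Fusion SP accepts."""
    return fmt in ALLOWED_NAMEID
```

Run against the constructed sample, the checker reports the plain-HTTP logout endpoint and the missing encryption certificate; the same function can be pointed at a downloaded metadata.xml before importing it into the IdP.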
8. The customer downloads the metadata.xml file. They import or configure the SP settings in their on-premises environment.
9. The customer then sends another metadata.xml file, which contains information about their on-premises IdP, to Oracle Cloud Operations personnel by attaching the metadata.xml file to the parent SR.
10. Oracle Cloud Operations personnel configure the IdP settings in the customer's non-production SaaS environment. They send a verification link to the customer.
11. The customer uses the verification link to test the features of Federated SSO in their on-premises environment. If the customer encounters problems during testing, the customer can request assistance from Oracle Cloud Operations personnel.
Note: The customer cannot use the Fusion environment for other operations during the testing phase.
12. After the testing is complete, the customer sends a confirmation to Oracle. On receiving this confirmation, Oracle Cloud Operations personnel complete the configuration procedures in the customer's production SaaS environment. At this stage, enabling Federated SSO means that the on-premises IdP is solely responsible for authenticating users.
Note: By enabling Federated SSO, only those users whose identities have been synchronized between the on-premises IdP and Oracle Cloud will be able to log in to Fusion Application services in Oracle Cloud. For more information on configuring identity synchronization, see the document titled Configuring Identity Synchronization in Oracle Fusion Cloud Services, which is attached to the support note ID 1484345.1 on My Oracle Support.
Note that the customer must have at least one valid user that is imported and synchronized between the on-premises environment and the non-production SaaS environment. This user is required to validate the SSO configuration.

Appendix A
1. Please check which of the following Federation Servers you are using on-premises:
   a. Active Directory Federation Server (ADFS 2.0)
   b. OIF 11g
   c. Other _________________

Note: For requests based on products other than ADFS 2.0 and OIF 11g, approvals will be on an exception basis.

2. Please check which of the following Fusion SaaS Applications you are currently running:
   a. HCM
   b. CRM
   c. ERP
   d. Other _________________

3. How many employees / users will be enabled upon go-live?

4. Do you wish to enable SSO for CRM Mobile Apps?
   a. Yes
   b. No

5. Which environment would you like to enable?
   a. URL for Non-Production: _______________________
      i. Approx. Target Date: ____________________
   b. URL for Production: __________________
      i. Approx. Target Go-Live Date: ____________________

6. Technical Integration Contact Information
   a. Email: _________________
   b. Phone numbers
      i. Office: ___________
      ii. Cell: ___________
Understanding Federated Single Sign-On (SSO) Process [April] 2013
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright 2013, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0113