
April 2013

Understanding Federated Single Sign-On (SSO) Process

Disclaimer
The following is intended to outline our general product direction. It is intended for information purposes
only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle's products remains at the sole discretion
of Oracle.
Federated Single Sign-On Process Overview

Introduction ....................................................................................... 2
Scope of This Document ................................................................... 2
Prerequisites ..................................................................................... 2
Process Roadmap ............................................................................. 3
Appendix A .................................................................................... 7







Introduction
Enterprises are rapidly moving from traditional on-premises environments to Oracle Cloud
implementations. A majority of such customers want to use their current LDAP repositories for
authenticating their employees in Oracle Cloud. They want to access Oracle Cloud services
via Single Sign-On (SSO) by using their existing authentication methods and credentials,
irrespective of the form factor or device type.
Oracle Cloud implements a standards-based Federation solution, leveraging Security
Assertion Markup Language (SAML) 2.0. Oracle Fusion SAML Service Provider integrated
with the Fusion SSO Server acts as the Service Provider (SP). Customers must configure or
deploy either Microsoft Active Directory Federation Server (ADFS) 2.0 or Oracle Identity
Federation Server 11g as an Identity Provider (IdP) in their on-premises environments.
Customers can also use their existing Microsoft Active Directory Federation Server (ADFS) 2.0
or Oracle Identity Federation Server 11g installations after incorporating some configuration
changes. Currently, this Federated SSO solution is certified to support ADFS 2.0 and Oracle
Identity Federation 11g Release 1 (11.1.1) only.
Scope of This Document
This document outlines the process for Oracle Cloud Fusion Applications customers to request
Single Sign-On (SSO) enablement in their Fusion Applications cloud instances. This process
includes steps to be completed by both customers and Oracle Cloud Operations personnel.
This document does not describe how to configure Identity Providers (IdP) in customers'
on-premises environments. For information about configuring Microsoft Active Directory
Federation Server (ADFS) 2.0 or Oracle Identity Federation Server 11g identity providers, see
the support note ID 1484345.1 on My Oracle Support.
For more information on configuring identity synchronization, see the document titled
Configuring Identity Synchronization in Oracle Fusion Cloud Services, which is attached to
the support note ID 1484345.1 on My Oracle Support.
Prerequisites
The following are the prerequisites for enabling SSO in Oracle Cloud Fusion Applications
service instances:
- Oracle requires the use of a SAML 2.0 certified implementation of the Federation
  protocol.
- Oracle requires the use of the SAML 2.0 browser artifact SSO profile to connect to Oracle
  Cloud Fusion Applications service instances.
- The SAML 2.0 Assertion NameID element must contain one of the following:
  o The user's email address, with the NameID Format being Email Address
  o The user's Fusion uid, with the NameID Format being Unspecified
- All Federation Identity Provider (IdP) endpoints must use SSL.
Process Roadmap
Figure 1-1 illustrates the process of enabling Federated Single Sign-On (SSO).
Figure 1-1 Federated SSO Process


Enabling Federated SSO in Oracle Cloud environments involves the following steps:

1. An Oracle Cloud customer expresses interest in using Federated SSO implementation
by contacting Oracle representatives. The customer receives an SSO template from
their Oracle representative. The customer sends the filled-in SSO template to Oracle
and requests approval.

2. Oracle representatives review the customer's request. For on-premises identity
providers other than ADFS 2.0 and OIF 11g, SSO enablement requests may require
additional approvals.

Note: It typically takes at least two weeks to implement Federated SSO
per POD (customer environment) after the necessary approval. For more information,
see this support note on My Oracle Support.

3. Oracle notifies the customer of the request status. If a non-standard Identity Provider is being
used, Oracle notifies the customer whether the solution can be supported.

4. The customer creates and submits a Service Request (SR) on My Oracle Support
(http://support.oracle.com), for each Oracle Fusion Cloud Service instance. This SR is
referred to as the Parent SR, which must use the following header:

SSO Enablement

To establish SSO between the customer's on-premises environment and the Oracle
Fusion Cloud Service environment, the customer must specify which identity attribute
(user name or email address) will be unique across all users in the customer's
organization. This information is required for Oracle Cloud Operations personnel to
identify the changes to be made in the customer's SaaS environment.

Note: The filled-in questionnaire, which is shown in Appendix A, should be attached to
the parent SR.

5. The customer receives a document that describes how to configure their on-premises
IdP, based on their choice of IdP (Microsoft Active Directory Federation Server (ADFS)
2.0 or Oracle Identity Federation Server 11g).

6. The customer completes the procedures described in the document to configure
Oracle Identity Federation (OIF) or Active Directory Federation Services (ADFS) as an
IdP in their on-premises environment.

Note: If the customer encounters any issues related to the on-premises Oracle Identity
Federation IdP, the customer must file a separate product SR on My Oracle Support. If
the customer encounters issues related to third-party IdP products, such as ADFS, the
customer should contact the third-party vendors to resolve such issues.

7. Oracle Cloud Operations personnel set up a Fusion SAML Service Provider (SP) in
the customer's non-production SaaS environment. Subsequently, they send a metadata.xml
file, which contains the SP configuration settings, to the customer via the parent SR.

This metadata.xml file contains the information required to add Fusion Applications as
a trusted partner to the customer's on-premises Identity Provider. The following
information is included:

- The Assertion Consumer Service URL of the OIF/SP, to which the user is
  redirected from the Identity Provider with the SAML Assertion.
- The Signing Certificate corresponding to the private key used by the SP to
  sign the SAML messages, in the case of the SAML 2.0 protocol.
- The Encryption Certificate corresponding to the private key used by the SP to
  decrypt the SAML Assertion, if SAML 2.0 encryption is to be used.
- The Logout service endpoint, if SAML 2.0 is used.
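As an added example, which is not part of this Oracle document and not Oracle's own tooling, the following Python script parses a SAML 2.0 metadata.xml of the kind exchanged in steps 7 to 9, extracts the four items listed above (Assertion Consumer Service URL, signing certificate, encryption certificate, logout endpoint), and checks the file against the prerequisites stated earlier: an Assertion Consumer Service with the HTTP-Artifact binding, a signing certificate, a logout endpoint, SSL on every endpoint, and NameID formats limited to Email Address and Unspecified. The SSL check is the prerequisite's IdP rule applied to whichever role descriptor the file carries, so the same function serves for the SP metadata received from Oracle and the IdP metadata sent back. The entity ID, URLs and certificate strings in the embedded sample are constructed placeholders; the sample deliberately carries one plain-http endpoint so that the check reports a finding.

```python
"""Pre-import checks for a SAML 2.0 metadata.xml (added example, not Oracle code).

The sample metadata, entity ID, URLs and certificate strings are constructed
placeholders. For metadata from an untrusted source, parse with defusedxml
rather than the standard-library parser.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
# The two NameID formats the prerequisites allow (email address, unspecified).
ALLOWED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Constructed sample SP metadata; the second ACS endpoint is deliberately plain http.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/fed/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...SIGNING-PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...ENCRYPTION-PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/fed/sp/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/fed/sp/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test/fed/sp/acs-post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text: str) -> dict:
    """Extract entity ID, certificates, endpoints and NameID formats from metadata."""
    root = ET.fromstring(xml_text)
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:  # IdP metadata (step 9) carries an IDPSSODescriptor instead
        role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("metadata has no SPSSODescriptor or IDPSSODescriptor")

    certs = {}
    for kd in role.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        text = (cert.text or "").strip() if cert is not None else ""
        # A KeyDescriptor without a 'use' attribute serves both purposes.
        for use in (kd.get("use") or "signing encryption").split():
            certs[use] = text

    acs = [{"binding": e.get("Binding"), "location": e.get("Location"),
            "default": e.get("isDefault") == "true"}
           for e in role.findall("md:AssertionConsumerService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "signing_cert": certs.get("signing"),
        "encryption_cert": certs.get("encryption"),
        "acs": acs,
        "slo": [e.get("Location") for e in role.findall("md:SingleLogoutService", NS)],
        "sso": [e.get("Location") for e in role.findall("md:SingleSignOnService", NS)],
        "nameid_formats": [(e.text or "").strip() for e in role.findall("md:NameIDFormat", NS)],
    }


def check_prerequisites(meta: dict) -> list:
    """Return findings against the document's prerequisites; an empty list means all passed."""
    findings = []
    if meta["acs"] and not any(a["binding"] == BINDING_ARTIFACT for a in meta["acs"]):
        findings.append("no AssertionConsumerService with the HTTP-Artifact binding")
    if not meta["signing_cert"]:
        findings.append("no signing certificate: SAML messages cannot be signature-verified")
    if not meta["slo"]:
        findings.append("no SingleLogoutService endpoint")
    endpoints = [("AssertionConsumerService", a["location"]) for a in meta["acs"]]
    endpoints += [("SingleLogoutService", u) for u in meta["slo"]]
    endpoints += [("SingleSignOnService", u) for u in meta["sso"]]
    for name, url in endpoints:  # every endpoint must be served over SSL/TLS
        if urlparse(url or "").scheme != "https":
            findings.append(f"{name} endpoint is not served over SSL/TLS: {url}")
    for fmt in meta["nameid_formats"]:
        if fmt not in ALLOWED_NAMEID_FORMATS:
            findings.append(f"unsupported NameID format: {fmt}")
    return findings


if __name__ == "__main__":
    for line in check_prerequisites(parse_metadata(SAMPLE_METADATA)) or ["all checks passed"]:
        print(line)
```

Run it against the real metadata.xml by reading the file into `parse_metadata`; any finding should be resolved with the party that issued the metadata before the trust is imported, since an unsigned message flow or a plain-http endpoint undermines the assertion exchange that SSO rests on.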

8. The customer downloads the metadata.xml file. They import or configure the SP
settings in their on-premises environment.

9. The customer then sends another metadata.xml file, which contains information about
their on-premises IdP, to Oracle Cloud Operations personnel by attaching the
metadata.xml file to the parent SR.

10. Oracle Cloud Operations personnel configure the IdP settings in the customer's
non-production SaaS environment. They send a verification link to the customer.

11. The customer uses the verification link to test the features of Federated SSO in their
on-premises environment. If the customer encounters problems during testing, the
customer can request assistance from Oracle Cloud Operations personnel.

Note: The customer cannot use the Fusion environment for other operations during
the testing phase.

12. After the testing is complete, the customer sends a confirmation to Oracle. On
receiving this confirmation, Oracle Cloud Operations personnel complete the
configuration procedures in the customer's production SaaS environment. At this
stage, enabling Federated SSO means that the on-premises IdP is solely responsible
for authenticating users.

Note: By enabling Federated SSO, only those users whose identities have been
synchronized between the on-premises IdP and Oracle Cloud will be able to log in to
Fusion Application services in Oracle Cloud. For more information on configuring
identity synchronization, see the document titled Configuring Identity Synchronization
in Oracle Fusion Cloud Services, which is attached to the support note ID 1484345.1
on My Oracle Support.

Note that the customer must have at least one valid user that is imported and
synchronized between the on-premises environment and the non-production SaaS
environment. This user is required to validate the SSO configuration.
Appendix A

Questionnaire

Customer Name: ___________________________________


1. Please check which of the following Federation Servers you are using on-premises:
a. Active Directory Federation Server (ADFS 2.0)
b. OIF 11g
c. Other _________________

Note: For requests based on products other than ADFS 2.0 and OIF 11g, approvals will
be on an exception basis.

2. Please check which of the following Fusion SaaS Applications you are currently running:
a. HCM
b. CRM
c. ERP
d. Other _________________

3. How many employees / users will be enabled upon go-live?

4. Do you wish to enable SSO for CRM Mobile Apps?
a. Yes
b. No

5. Which environment would you like to enable?
a. URL for Non-Production? _______________________
i. Approx Target Date: ____________________
b. URL for Production? __________________
i. Approx Target Go-Live Date: ____________________

6. Technical Integration Contact Information
a. Email: _________________
b. Phone numbers
i. Office: ___________
ii. Cell: ___________


Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright 2013, Oracle and/or its affiliates. All rights reserved.
This document is provided for information purposes only, and the contents hereof are subject to change without notice. This
document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in
law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This
document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our
prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0113
