DECEMBER 2015
Disclaimer
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described for Oracle's products
remains at the sole discretion of Oracle.
CHARACTERISTIC
DESCRIPTION
Compatible Release(s):
Service Type: Security
Definition: This service enables the Oracle Fusion Cloud Service to be part of the cross domain Single Sign-On (SSO) solution.
Business Need Met: By enabling SSO for the Oracle Fusion Cloud Service, your users need to sign in only once and can access the service without having to remember a different password.
Typical Frequency:
Fulfillment Considerations: Oracle's Single Sign On enablement policy and service fulfillment process varies based
and the additional setup fee has been paid via your Fusion Cloud Service
subscription. NOTE: Exception approval for use of Other IdPs is uncommon.
Oracle recommends that you instead consider using a preapproved or
supported.
Plan ahead.
Preapproved IdP - Once you file your request, Oracle will take 2 to 6 weeks
to fulfill it. Approval is automatic.
Supported IdP - Once you file your request, Oracle will take up to 6 weeks to
fulfill it for the first environment, and up to 3 weeks for each subsequent
environment. Approval is automatic with verification that the additional SSO
setup fee has been paid via your Fusion Cloud Service subscription.
Other IdP - Once you file your request, Oracle will take 6 weeks to fulfill it.
Approval is not automatic. If your exception IdP is approved, an additional
setup fee is required and must be paid via your Fusion Cloud Service
subscription. Oracle has the right to reject any request for an exception IdP.
Oracle automatically approves requests to enable SSO with Preapproved
Identity Providers (IdP) below:
ADFS 2.0+
Shibboleth 2.4.0+
Ping One
Okta 6.0+
Method: Please see the section entitled "SSO Enablement Process" at the end of this document for details.
SR Filing Guidelines: You can submit a Service Request (SR) to enable Federated Single Sign-On (SSO)
2.
3. Under the "What is the Problem?" section, enter "SSO enablement request" as the Problem Summary.
4. Under the "Where is the Problem?" section, select the Cloud tab and enter the following:
5. Service Type: Oracle Fusion Global Human Resources Cloud Service, or other Cloud Service
6.
7. Problem Type: Hosting Services - Server Issue -> Federated Single Sign-on
8.
9. Click Next and provide information requested. Questions will be similar to those listed below.
Shibboleth 2.4.0+
Ping One
Okta 6.0+
If you selected Supported or Other IdP, you are requesting SSO enablement
with a Supported or Other Identity Federation. Please provide 1) name and 2)
release level of other Federation server. Only approved requests that have a
setup fee paid through your Fusion Cloud Service subscription will be
fulfilled. Contact your Oracle Sales or other account representative if you
have questions.
HCM Cloud
Sales Cloud
ERP Cloud
Other
Do you wish to enable Federated SSO for Sales Cloud Mobile? (Yes/No)
Do you wish to enable Federated SSO for HCM Cloud Mobile? (Yes/No)
Do you wish to enable STS Authentication (SSO) for the Oracle Sales Cloud
for Microsoft Outlook (CRM Desktop)? (Yes/No)
Please provide details for environment that you want to enable SSO.
Please provide any additional information you would like to share with
Support.
Important Note: This service is limited to enabling SSO for your Oracle Cloud
Service. Customers own responsibility for managing their on-premise Identity
Provider (IdP) and any related expiration dates.
How to Validate Service Fulfillment: After configuring SSO on both the Oracle side and on the customer on-premise side, Oracle provides you with a test URL that you can access to verify that SSO is enabled
Related Service(s): N/A
Related Information on MOS:
[Figure: SSO enablement process flowchart with Customer and Oracle lanes. Boxes: 1. File SR with Fusion; 2. Is IdP certified? (YES/NO); 4. Send configuration documents to customer; 6. Configure SP and send metadata.xml to customer; 8. Reconfigure settings based on the metadata file received from customer; 9. Send Verification URL; 10. Validate / Test SSO; 11. Is SSO Working? (YES/NO); 12. Complete configuration; 13. Close SR.]
[1] You file an SR by filling in the SR template requesting SSO be enabled. You will need to indicate which
federation server you will be using, along with the environment details of where SSO needs to be enabled. The
content of the template is given above.
[2] Once the SR is received, it is submitted through an approval process. If the federation server requested is in the
list of Preapproved or Supported Identity Providers, then the SSO request is automatically approved.
The pre-approved federation servers are
ADFS 2.0 +
Shibboleth 2.4.0+
Ping One
Okta 6.0+
For the most current list of Supported federation servers, refer to My Oracle Support Note #1484345.1 - Fusion
Applications Technology: Master Note on Fusion Federation.
If the federation server is outside of the Preapproved or Supported list above, it is considered an Other IdP and is
submitted for exception IdP review and approval. The approval is contingent upon an assessment of the federation
server you want to use.
[3] Depending on whether your SSO request is approved or not, (and whether the additional setup fee has been
paid where applicable), you will take the appropriate next steps.
[4] If the SSO request is not approved, then you will have to pick one of the pre-approved servers, or supported
servers, and resubmit your request. If using an Other federation server is your only option, then you must update
your original SR with a business justification. This will go to Oracle management for review and approval, which is
contingent upon an assessment of the requested federation server and technical feasibility. Note: If approved,
there is an additional setup fee required.
Once the SSO request is approved (and paid for, if you request setup for a supported federation server), support
transfers your SSO request to the Cloud Operations security team that starts working on it. As a first step, Oracle
sends you the configuration document for the given federation server. Currently standard configuration documents
are available only for ADFS and OIF. For other federation servers, once approved, Oracle will work with you,
through SRs, answering questions. You can find more information about setting up the IdP in My Oracle Support
document, Doc ID 1484345.1 - Fusion Applications Technology: Master Note on Fusion Federation. As part of this
note, you can find separate links for OIF and ADFS on how to set them up as your federation server.
[5] You then configure your federation server according to the document provided.
[6] Meanwhile, Oracle sets up SAML 2.0 Service Provider services in the environment you requested in your SR
and sends the resulting metadata.xml to you.
Oracle configures the Service Provider (SP) only on Friday evenings US Pacific Time with up to 9 hours of down
time. You will receive a planned outage notification prior to the required outage.
[7] Once you receive the metadata.xml, you can update your Identity Provider's (IdP's) configuration with the
metadata.xml provided to you. You will then generate a metadata.xml and send it to Oracle.
The metadata.xml file contains information required to add Fusion Applications as a trusted partner to your on-premises Identity Provider (IdP). The following information is included:
- The assertion consumer service URL of the SP, where the user will be redirected from the IdP with SAML
Assertion.
- The signing certificate corresponding to the private key used by the SP to sign the SAML messages, in
case of SAML 2.0 protocol.
- The encryption certificate corresponding to the private key used by the SP to decrypt the SAML Assertion,
if SAML 2.0 encryption is to be used.
- The Logout service endpoint, if SAML 2.0 is used.
[8] Upon receiving the updated metadata.xml file with the IdP's information from you, Oracle reconfigures the SP
with this new information, which completes the handshake between IdP and SP.
[9] Oracle then sends you a verification URL for you to test the redirection.
[10] You test the verification URL and see if the redirection to SSO is correct.
[11] If the redirection does not happen, you can work with Oracle to resolve the issue by updating the configuration
and re-exchanging the metadata.xml file.
[12] If the redirection tests successfully then you are SSO enabled for this environment.
[13] You notify Oracle of your successful SSO enablement and the SR is closed.
When you are ready to enable your production environment for SSO as well, you need to follow the same multi-step
process as outlined above. Until SSO is enabled, direct access to Fusion services will still be available, so
there will be no downtime to enable SSO.
Copyright 2015, Oracle and/or its affiliates. All rights reserved.
Oracle Applications Cloud Service Definition
Single Sign-On (SSO) Enablement
December 2015