
Single Sign-On (SSO) Enablement

Oracle Applications Cloud Service Definition


ORACLE WHITE PAPER

DECEMBER 2015

Disclaimer
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described for Oracle's products
remains at the sole discretion of Oracle.

Single Sign-On (SSO) Enablement


This document provides information about the Single Sign-On (SSO) Enablement service entitlement
and instructions on how to file a service request (SR) for SSO to be enabled on your Fusion Cloud
environment.
Be sure to read and fully understand Oracle's policy for SSO service request approval and fulfillment.
Refer to the Fulfillment Considerations section below for details.
Important Note: This service is limited to enabling SSO for your Oracle Cloud Service. Customers own
responsibility for managing their on-premise Identity Provider (IdP) and its expiration dates.

CHARACTERISTIC / DESCRIPTION

Compatible Release(s): Fusion Release 9 and above

Service Type: Security

Definition: This service enables the Oracle Fusion Cloud Service to be part of the cross-domain
Single Sign-On (SSO) solution.

Business Need Met: By enabling SSO for the Oracle Fusion Cloud Service, your users need to sign in only
once and can access the service without having to remember a different password.

Typical Frequency: Once per environment.

Fulfillment Considerations: Oracle's Single Sign-On enablement policy and service fulfillment process varies based
on the Identity Provider (IdP) requested. IdPs fall into 3 categories: Preapproved, Supported, and Other.

- Preapproved: Your request is automatically approved and Oracle begins
  service fulfillment upon receipt of your SR.
- Supported: Your request is automatically approved. Oracle begins service
  fulfillment upon receipt of your request and verification that the setup fee has
  been paid as part of your Fusion Cloud Service subscription agreement.
  Contact your Oracle Sales Team if you need to add this service. For the most
  current list of Supported federation servers, refer to My Oracle Support
  Note#1484345.1 - Fusion Applications Technology: Master Note on Fusion
  Federation.
- Other: Any IdP outside the Preapproved or Supported list is considered an
  exception IdP and must go through a review and approval process. Oracle
  can begin SSO service fulfillment only after your exception IdP is approved
  and the additional setup fee has been paid via your Fusion Cloud Service
  subscription. NOTE: Exception approval for use of Other IdPs is uncommon.
  Oracle recommends that you instead consider using a Preapproved or
  Supported IdP.

Plan ahead.

- Preapproved IdP - Once you file your request, Oracle will take 2 to 6 weeks
  to fulfill it. Approval is automatic.
- Supported IdP - Once you file your request, Oracle will take up to 6 weeks to
  fulfill it for the first environment, and up to 3 weeks for each subsequent
  environment. Approval is automatic with verification that the additional SSO
  setup fee has been paid via your Fusion Cloud Service subscription.
- Other IdP - Once you file your request, Oracle will take 6 weeks to fulfill it.
  Approval is not automatic. If your exception IdP is approved, an additional
  setup fee is required and must be paid via your Fusion Cloud Service
  subscription. Oracle has the right to reject any request for an exception IdP.

Oracle automatically approves requests to enable SSO with the Preapproved
Identity Providers (IdPs) below:

- ADFS 2.0+
- Oracle Identity Federation (OIF) 11g+
- Oracle Access Management (OAM) 11gR2 PS3+
- Shibboleth 2.4.0+
- Ping Federate 6.0+
- Ping One
- Okta 6.0+

Oracle automatically approves requests to enable SSO with any Supported
federation server, as long as the additional setup fee has been paid. For the
most current list of Supported IdPs, refer to My Oracle Support
Note#1484345.1 - Fusion Applications Technology: Master Note on Fusion
Federation.

Requests for Other IdPs are considered exception IdP requests and will go through
a special review and approval process that is contingent upon various factors,
including an assessment of the requested federation server. The Other
federation server must support SAML 2.0 in order to be considered for
approval. Oracle has the right to reject any request for an exception IdP. If
approved, an additional setup fee is required and must be paid via your
Fusion Cloud Service subscription. If you have questions, please contact
your Oracle Sales account or other designated representative.

Downtime. At least 1 and up to 9 hours of downtime is required to enable SSO on each
environment. You will receive a planned outage notification in advance, to
confirm that you can accept the required downtime. Oracle configures SSO
on Friday evenings, U.S. Pacific Time.

Single sign-on is first enabled and tested in a non-production environment before
enabling it in production.

Fulfillment Method: Please see the section entitled "SSO Enablement Process" at the end of this document
for details.

SR Filing Guidelines: You can submit a Service Request (SR) to enable Federated Single Sign-On (SSO)
by completing the following steps.

Submit a separate SR for each environment.
Single sign-on must first be enabled and tested in a non-production environment before
enabling it in production.

1. Log on to My Oracle Support (MOS).
2. Select Create SR from the Service Requests section or tab.
3. Under the "What is the Problem?" section, enter "SSO enablement request" as
   the Problem Summary.
4. Under the "Where is the Problem?" section, select the Cloud tab and enter the
   following:
5. Service Type: Oracle Fusion Global Human Resources Cloud Service, or other
   Cloud Service
6. Environment: Select the environment in which you want to enable SSO
7. Problem Type: Hosting Services - Server Issue -> Federated Single Sign-on
8. Support Identifier: Defaults to your CSI number.
9. Click Next and provide the information requested. Questions will be similar to those
   listed below.

   - Specify which Preapproved Federation Server you are using on-premise.
     - Active Directory Federation Server (ADFS 2.0+)
     - Oracle Identity Federation (OIF) 11g
     - Oracle Access Management (OAM) 11gR2 PS3+
     - Shibboleth 2.4.0+
     - Ping Federate 6.0+
     - Ping One
     - Okta 6.0+
     - Supported or Other IdP (please provide name and version)
   - If you selected Supported or Other IdP, you are requesting SSO enablement
     with a Supported or Other Identity Federation. Please provide 1) the name and 2) the
     release level of the other Federation server. Only approved requests that have a
     setup fee paid through your Fusion Cloud Service subscription will be
     fulfilled. Contact your Oracle Sales or other account representative if you
     have questions.
   - Specify which Cloud services need Federation enabled:
     - HCM Cloud
     - Sales Cloud
     - ERP Cloud
     - Other
   - How many employees and users will be enabled upon go-live?
   - Do you wish to enable Federated SSO for Sales Cloud Mobile? (Yes/No)
   - Do you wish to enable Federated SSO for HCM Cloud Mobile? (Yes/No)
   - Do you wish to enable STS Authentication (SSO) for the Oracle Sales Cloud
     for Microsoft Outlook (CRM Desktop)? (Yes/No)
   - Please provide details for the environment in which you want to enable SSO.
     - URL for Non-Production, and Approximate Target Date, or
     - URL for Production, and Approximate Target Go-Live Date
   - Please provide Federation Enablement Technical Contact details (Name,
     Email, Office phone number, Cell phone number).
   - Please provide any additional information you would like to share with
     Support.

Important Note: This service is limited to enabling SSO for your Oracle Cloud
Service. Customers own responsibility for managing their on-premise Identity
Provider (IdP) and any related expiration dates.

How to Validate Service Fulfillment: After configuring SSO on both the Oracle side and on the customer on-premise side,
Oracle provides you with a test URL that you can access to verify that SSO is enabled
and that redirection works correctly.

Related Service(s): N/A

Related Information on MOS: Note#1484345.1 - Fusion Applications Technology: Master Note on Fusion Federation

SSO Enablement Process

SSO process to enable Non Certified Federation Servers

[Figure 1: SSO Enablement Process. Flowchart with two swimlanes, Customer and Oracle.
Customer lane: 1. File SR with Fusion; 5. Set up on-premise IdP; 7. Configure IdP based on the
metadata.xml sent by Oracle and send the updated metadata.xml to Oracle; 10. Validate / Test SSO;
11. Is SSO working? (YES / NO).
Oracle lane: 2. Is IdP certified? (YES / NO); 3. Has the setup fee been paid? (YES / NO);
4. Send configuration documents to customer; 6. Configure SP and send metadata.xml to customer;
8. Reconfigure settings based on the metadata file received from customer; 9. Send verification URL;
12. Complete configuration; 13. Close SR.]

[1] You file an SR by filling in the SR template requesting SSO be enabled. You will need to indicate which
federation server you will be using, along with the environment details of where SSO needs to be enabled. The
content of the template is given above.
[2] Once the SR is received, it is submitted through an approval process. If the federation server requested is in the
list of Preapproved or Supported Identity Providers, then the SSO request is automatically approved.
The pre-approved federation servers are:

- ADFS 2.0+
- Oracle Identity Federation (OIF) 11g
- Oracle Access Management (OAM) 11gR2 PS3+
- Shibboleth 2.4.0+
- Ping Federate 6.0+
- Ping One
- Okta 6.0+

For the most current list of Supported federation servers, refer to My Oracle Support Note#1484345.1 - Fusion
Applications Technology: Master Note on Fusion Federation.
If the federation server is outside of the Preapproved or Supported list above, it is considered an Other IdP and is
submitted for exception IdP review and approval. The approval is contingent upon an assessment of the federation
server you want to use.

[3] Depending on whether your SSO request is approved or not, (and whether the additional setup fee has been
paid where applicable), you will take the appropriate next steps.
[4] If the SSO request is not approved, then you will have to pick one of the pre-approved servers, or supported
servers, and resubmit your request. If using an Other federation server is your only option, then you must update
your original SR with a business justification. This will go to Oracle management for review and approval, which is
contingent upon an assessment of the requested federation server and technical feasibility. Note: If approved,
there is an additional setup fee required.
Once the SSO request is approved (and paid for, if you request setup for a supported federation server), support
transfers your SSO request to the Cloud Operations security team that starts working on it. As a first step, Oracle
sends you the configuration document for the given federation server. Currently standard configuration documents
are available only for ADFS and OIF. For other federation servers, once approved, Oracle will work with you,
through SRs, answering questions. You can find more information about setting up the IdP in My Oracle Support
document, Doc ID 1484345.1 - Fusion Applications Technology: Master Note on Fusion Federation. As part of this
note, you can find separate links for OIF and ADFS on how to set them up as your federation server.
[5] You then configure your federation server according to the document provided.
[6] Meanwhile, Oracle sets up SAML 2.0 Service Provider services in the environment you requested in your SR
and sends the resulting metadata.xml to you.
Oracle configures the Service Provider (SP) only on Friday evenings US Pacific Time with up to 9 hours of
downtime. You will receive a planned outage notification prior to the required outage.
[7] Once you receive the metadata.xml, you can update your Identity Provider's (IdP's) configuration with this
metadata.xml provided to you. You will then generate a metadata.xml and send it to Oracle.
The metadata.xml file contains the information required to add Fusion Applications as a trusted partner to your on-premises Identity Provider (IdP). The following information is included:

- The assertion consumer service URL of the SP, where the user will be redirected from the IdP with the SAML
  Assertion.
- The signing certificate corresponding to the private key used by the SP to sign the SAML messages, when the
  SAML 2.0 protocol is used.
- The encryption certificate corresponding to the private key used by the SP to decrypt the SAML Assertion,
  if SAML 2.0 encryption is to be used.
- The Logout service endpoint, if SAML 2.0 is used.
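Before importing the SP metadata.xml into the on-premise IdP, it is worth pulling out exactly the four items listed above and checking them against what Oracle told you to expect. The following Python is an added example, not code from this document or from Oracle: the SP metadata it parses is a constructed sample with a hypothetical host (sp.example.invalid) and placeholder certificate values, and the function names are the author's own.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like the SP metadata.xml the document describes (hypothetical host, placeholder certs).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/fed/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...SIGNING_PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...ENCRYPTION_PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.invalid/fed/sp/sloresponder"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/fed/sp/sso" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def summarize_sp_metadata(xml_text: str) -> dict:
    """Return the items the document lists, plus the assertion-signing flag the IdP must honour."""
    root = ET.fromstring(xml_text)  # expat does not fetch external entities by default
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element: this is not SP metadata")
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        # A KeyDescriptor with no 'use' attribute applies to both purposes.
        for use in (kd.get("use") or "signing encryption").split():
            certs[use] = cert.text.strip() if cert is not None and cert.text else None
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)],
        "logout_urls": [e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)],
        "signing_cert": certs.get("signing"),
        "encryption_cert": certs.get("encryption"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }

def non_https_endpoints(summary: dict) -> list:
    """Browser-facing SP endpoints must be HTTPS; return any that are not."""
    return [u for u in summary["acs_urls"] + summary["logout_urls"]
            if not (u or "").startswith("https://")]
```

Comparing the extracted certificates against the ones in the file Oracle sent, and refusing a file with non-HTTPS endpoints, catches a corrupted or substituted metadata.xml before the trust relationship is created.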
[8] Upon receiving the updated metadata.xml file with the IdP's information from you, Oracle reconfigures the SP
with this new information, which completes the handshake between IdP and SP.
[9] Oracle then sends you a verification URL for you to test the redirection.
[10] You test the verification URL and see if the redirection to SSO is correct.
[11] If the redirection does not happen, you can work with Oracle to resolve the issue by updating the configuration
and re-exchanging the metadata.xml file.
[12] If the redirection tests successfully then you are SSO enabled for this environment.
[13] You notify Oracle of your successful SSO enablement and the SR is closed.

When you are ready to enable your production environment for SSO as well, you need to follow the same multi-step process as outlined above. Until SSO is enabled, direct access to Fusion services will still be available, and so
there will be no downtime to enable SSO.

Copyright 2015, Oracle and/or its affiliates. All rights reserved.