16 Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Management 11g Release 2

16.1 Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Management

Oracle Access Management (OAM) provides single sign-on functionality for Oracle applications, including JD Edwards EnterpriseOne. It provides a secure internet infrastructure for identity management for EnterpriseOne applications and processes. This infrastructure provides:

  • Identity and access management across EnterpriseOne applications, enterprise resources, and other domains.

  • Foundation for managing the identities of customers, partners, and employees across internet applications. These user identities are protected by security policies for web interaction.

Integration with OAM provides EnterpriseOne implementations with these features:

  • OAM authentication, authorization, and auditing services for EnterpriseOne applications.

  • OAM single sign-on for EnterpriseOne applications and other OAM-protected resources in a single domain or across domains.

    Note:

    EnterpriseOne single sign-on through OAM is supported only by the EnterpriseOne web client, not Collaborative Portal.
  • OAM authentication schemes that provide single sign-on for EnterpriseOne applications:

    • Basic Over LDAP (Lightweight Directory Access Protocol): Users enter a user name and password in a window supplied by the web server.

      This method can be redirected to Secure Socket Layer (SSL).

    • Form: Similar to the basic challenge method, users enter information in a custom HTML form.

      You choose the information that users must provide in the form.

    • X509 Certificates: X.509 digital certificates over SSL.

      A user's browser must supply a certificate.

    • Integrated Windows Authentication (IWA): Users will not notice a difference between an OAM authentication and IWA when they log on to the desktop, open an Internet Explorer (IE) browser, request an OAM-protected web resource, and complete single sign-on.

    • Microsoft .NET Passport: NET Passport is a component of the Microsoft .NET Framework. The .NET plug-in is a web-based authentication service that provides single sign-on for Microsoft-protected web resources.

    • Custom: You can use other forms of authentication through the OAM Authentication Plug-in API.

  • Session timeout: OAM enables you to set the length of time that a user session is valid.

  • Ability to use Oracle Identity Manager for identity management. Oracle Identity Manager provides identity management features such as portal inserts, delegated administration, workflows, and self-registration EnterpriseOne applications.

    You can determine how much access to provide to users upon self-registration. Oracle Identity Manager workflows enable a self-registration request to be routed to appropriate personnel before access is granted. OAM also provides self-service, enabling users to update their own identity profiles.

16.1.1 JD Edwards EnterpriseOne Integration Architecture

EnterpriseOne has a configurable authentication mechanism that allows it to authenticate a user against:

  • Native tables (through a security kernel)

  • Lightweight Directory Access Protocol (LDAP)

  • Custom plug-ins, including the ability to read HTTP headers

EnterpriseOne single sign-on through OAM involves:

  • Protection through a WebGate, which is a plug-in that intercepts web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization.

  • Populating a header variable with an attribute value that is stored in the LDAP directory used by OAM.

  • Configuring EnterpriseOne to invoke the OAM authentication process, overriding the default authentication mechanism.

16.1.2 Single Sign-On Architecture

Single sign-on with OAM requires an EnterpriseOne HTML Server configuration with an application server, such as Oracle WebLogic Server 10g, that contains a J2EE container, which is required for the Java servlets and Java code to run. In addition, WebGate must be installed on an Oracle HTTP Server, and it must be configured to protect the EnterpriseOne URLs that are used to access the HTML Server.

The following illustration shows the integration environment and process flow:

Figure 16-1 JD Edwards EnterpriseOne Single Sign-On through Oracle Access Management

The following steps describe the single sign-on process:

  1. A user attempts to access an EnterpriseOne program by entering a URL to the EnterpriseOne web client in a web browser.

  2. A WebGate deployed on the EnterpriseOne HTTP Server intercepts the request.

  3. The WebGate checks OAM to determine whether the resource (EnterpriseOne URL) is protected.

  4. If a valid session does not exist and the resource is protected, WebGate prompts the user for credentials through the OAM login page.

  5. After the user enters the single sign-on user ID and password on the OAM login page, the WebGate captures the user credentials and sends them to OAM for authentication.

  6. OAM compares the user credentials against the Oracle Internet Directory (OID).

    1. If the user's single sign-on credentials are not in OID, OAM notifies WebGate and the user is denied access to EnterpriseOne.

    2. If OAM finds the user's single sign-on credentials in OID, OAM authenticates the credentials.

  7. If the credentials are validated, the user gains access to the EnterpriseOne web client.

  8. If a valid session already exists and the user is authorized to access the resource, WebGate redirects the user to the requested EnterpriseOne resource.

16.1.3 Supported Versions and Platforms

For supported versions and platforms for the integration of OAM with JD Edwards EnterpriseOne Tools, JD Edwards EnterpriseOne Applications, and JD Edwards EnterpriseOne HTML Server see the Certifications tab on My Oracle Support:

https://support.oracle.com/epmos/faces/CertifyHome?_adf.ctrl-state=78o46rofa_43&_afrLoop=34652538504327

16.2 Prerequisites

In addition to single sign-on configuration instructions, this chapter contains instructions on how to install Oracle Identity and Access Management 11gR2, which requires the following prerequisites:

  • Create the OAM schemas through Oracle Repository Utility (RCU).

    Note:

    The Oracle Repository Utility version must match the product that you are installing.
  • Install Oracle WebLogic Server.

  • Obtain the JDK 1.7 update 80 or later and the Oracle Identity and Access Management installation images from Oracle Software Delivery Cloud.

16.3 Installing Oracle Identity and Access Management

This section provides basic installation instructions to support a single sign-on configuration for EnterpriseOne. If your configuration requires supporting additional applications, see the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

To install Oracle Identity and Access Management:

  1. Launch the Oracle Identity and Access Management runInstaller (or setup.exe).

  2. On the Welcome screen, click Next.

  3. Select the Install Software Updates option.

    The installer performs a prerequisites check.

  4. Specify the Oracle Middleware Home and accept the default Oracle Home Directory name.

  5. Review the Installation Summary and click Install.

  6. Click Finish when the installation is complete.

16.4 Setting Up OAM to Support an EnterpriseOne Single Sign-on Configuration

After installing Oracle Identity and Access Management, perform the following tasks:

16.4.1 Creating a New OAM Domain

To create a new OAM domain:

  1. Launch config.sh (.cmd) from the MW_Home/Oracle_IDM1/common/bin directory.

  2. Select the required Oracle Access Manager option. Other required products will be selected automatically.

  3. Enter a domain name.

  4. Enter the Administrator user name and password.

  5. Select Production Mode and verify the JDK location.

  6. On Configure JDBC Component Schema, enter the JDBC component schema information. You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port.

    Select each component schema one at a time because the schema owners are different.

    The schemas should have already been created using the Oracle Repository Utility (RCU) as described in the Prerequisites section in this chapter.

  7. Click Next to verify the connections.

  8. Select the Administration Server and then select the Managed Servers, Clusters, and Machines options.

    You can accept the default values for the Administration Server and Port.

  9. Enter or accept the default Managed Server name, oam_server1.

  10. Click Next to skip the Cluster configuration.

  11. Click Add to configure the Machine information.

  12. Assign the servers from the left pane after the machine is created.

  13. Review the Configuration Summary and click Create.

  14. Click Finish when complete.

    Before you start the WebLogic Administration Console, complete the steps in the remaining tasks in this section.

16.4.2 Configuring the Database Security Store for an Oracle Identity and Access Management Domain

You must run the configureSecurityStore.py script to configure the Database Security Store. This is the only security store type supported by Oracle Identity and Access Management 11g Release 2.

There are two options to configure the Database Security Store:

  • -m create

  • -m join

The instructions in this chapter use the create option because the join option is for additional domains to use the same Database Security Store already created.

To configure a domain to use a database security store with the -m create option, run the configureSecurityStore.py script as follows for your platform:

  • On Windows:

    MW_home\oracle_common\common\bin\wlst.cmd <IAM_Home>\common\tools\configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_pwd> -m create

  • On UNIX:

    MW_home/oracle_common/common/bin/wlst.sh <IAM_Home>/common/tools/configureSecurityStore.py -d <domaindir> -c IAM -p <opss_schema_pwd> -m create

Note:

For both platforms, the -c option must be specified as IAM.

The following is sample output from the script:

Using default context in /u01/Oracle/Middleware/user_projects/domains/IDM_domain/config/fmwconfig/jps-config-migration.xml file for credential store.
Credential store location : jdbc:oracle:thin:@myserver.com:1521/orcl
Credential with map Oracle-IAM-Security-Store-Diagnostics key Test-Cred stored successfully!
 Credential for map Oracle-IAM-Security-Store-Diagnostics and key Test-Cred is:
                GenericCredential
Info: diagnostic credential created in the credential store.
Info:  Create operation has completed successfully.

At this point, you can start the Domain Administration Server and the Managed Server.

16.4.3 Registering the WebGate Agent for JD Edwards EnterpriseOne HTML Server

  1. Sign in to Oracle Access Management Console.

  2. Open the Oracle Access Management Console, for example, http://oamserver:oamport/oamconsole

  3. Enter the Admin user name and password.

  4. On the Launch Pad, select the SSO Agent Registration from the Quick Start Wizards section.

  5. Select your WebGate, for example 11g WebGate, and click Next.

  6. In the Configuration section, enter a name and description for the WebGate.

  7. In the Security Option area, select the Open option, and then click Finish.

    If successful, the system displays a confirmation message and shows the location in which the artifacts are stored. Entries are also created for the new WebGate under the Host Identifiers and Application Domains nodes.

  8. To see the entry under Host Identifiers, on the Launch Pad, open the Host Identifiers from the Access Manager section, and then click Search.

    OAM displays a list of host identifiers.

  9. To see the entry under Application Domains, on the Launch Pad, open the Application Domains from the Access Manager section, and then click Search.

    OAM displays a list of application domains.

16.4.4 Creating Additional Authentication Policies and Resources

  1. Open the Oracle Access Management Console.

  2. Select Application Domains from the Access Manager section.

  3. Click Search and select your domain name, and then click Edit.

  4. Select the Authentication Policies tab.

  5. Click the Create Authentication Policy button.

  6. Create the following policies with your Authentication Scheme.

    • E1Menu Policy

    • ParameterizedURL Policy

    • ShortcutLauncher Policy

  7. Click the Resources tab to create HTTP Type Resources for these policies.

  8. Create the following resources for the Protected Resource Policy:

    • /

    • /.../*

    • /jde

  9. Create the following resource for the E1Menu Policy:

    /jde/E1Menu.maf

  10. Create the following resource for the Parameterized URL Policy:

    /jde/HostedE1Servlet

  11. Create the following resources for the ShortcutLauncher Policy:

  12. Enter the EnterpriseOne URL to the Success URL field in the Protected Resource Policy.

    Figure 16-3 Oracle Access Management - Authentication Policy

  13. Create another HTTP Type Resource for the logout notification that will not be added to any Authentication or Authorization Policy:

    • /jde/NotificationController.mafService

      Select POST for the Operation of this resource.

      Select Excluded for the Protection Level of this resource.

  14. This step applies only to Oracle Access Management (OAM) for Application Development Framework (ADF) Container.

    Figure 16-4 Protected Application Development Framework (ADF) Container - Authentication Policy

    Create the following resource for the Protected Resource Policy:

    • /JDEADFContainer/**

    Create the following resources for the Public Resource Policy:

    For information about the configuration settings for JAS, ADF, AIS Cookies and ADF settings using Server Manager, see "Configuring Oracle Access Management (OAM) for ADF Container" in the JD Edwards EnterpriseOne Tools Developer's Guide for EnterpriseOne Application Development Framework (ADF) Applications.
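To make the coverage of these resources concrete, the following is an added example (not Oracle's code and not from this guide) that models OAM's best-match resource evaluation in Python for the resources listed above and reports which requests would reach the HTML Server without an OAM session. It assumes, as a simplification, that the most specific matching resource wins and that a resource whose Operation is POST matches only POST requests.

```python
"""Simplified model of how OAM evaluates the resources defined in 16.4.4
against an incoming request.  Added example; not Oracle code.

Assumptions (not stated in the guide): the most specific matching resource
wins ("best match"), and a resource with Operation POST matches POST only.
"""
from dataclasses import dataclass
import fnmatch

PROTECTED = "Protected"
EXCLUDED = "Excluded"


@dataclass(frozen=True)
class Resource:
    pattern: str            # OAM resource URL, e.g. "/jde/E1Menu.maf" or "/.../*"
    policy: str             # authentication policy it is attached to, or "(none)"
    level: str = PROTECTED  # Protection Level
    operation: str = "ALL"  # "ALL" or one HTTP method such as "POST"

    def matches(self, method: str, path: str) -> bool:
        if self.operation != "ALL" and self.operation != method.upper():
            return False
        if self.pattern == "/.../*":        # OAM wildcard: any path at any depth
            return path.startswith("/")
        if self.pattern.endswith("/**"):    # prefix and everything below it
            base = self.pattern[:-3]
            return path == base or path.startswith(base + "/")
        return fnmatch.fnmatchcase(path, self.pattern)

    def specificity(self) -> int:
        # More literal characters (and a method restriction) => more specific.
        return sum(c not in "*." for c in self.pattern) + (self.operation != "ALL")


# The resources created in 16.4.4 (constructed from the guide's lists).
RESOURCES = [
    Resource("/", "Protected Resource Policy"),
    Resource("/.../*", "Protected Resource Policy"),
    Resource("/jde", "Protected Resource Policy"),
    Resource("/jde/E1Menu.maf", "E1Menu Policy"),
    Resource("/jde/HostedE1Servlet", "ParameterizedURL Policy"),
    Resource("/jde/NotificationController.mafService", "(none)", EXCLUDED, "POST"),
]


def evaluate(method: str, path: str, resources=RESOURCES):
    """Return (protection level, policy) for a request, or None if nothing matches."""
    candidates = [r for r in resources if r.matches(method, path)]
    if not candidates:
        return None
    best = max(candidates, key=Resource.specificity)
    return best.level, best.policy


def unprotected_requests(requests, resources=RESOURCES):
    """Defender's check: the requests that reach the HTML Server without an OAM
    session, i.e. no matching resource at all or an Excluded match."""
    reachable = []
    for method, path in requests:
        result = evaluate(method, path, resources)
        if result is None or result[0] == EXCLUDED:
            reachable.append((method, path))
    return reachable


if __name__ == "__main__":
    sample = [("GET", "/jde/E1Menu.maf"), ("GET", "/console"),
              ("POST", "/jde/NotificationController.mafService"),
              ("GET", "/jde/NotificationController.mafService")]
    for method, path in sample:
        print(method, path, "->", evaluate(method, path))
    print("reaches HTML Server without OAM session:", unprotected_requests(sample))
```

Note that only the POST to the logout notification resource is excluded; a GET to the same URL still falls under /.../* and is protected.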

16.4.5 Configuring the EnterpriseOne SSO Parameter

  1. Open the Oracle Access Management Console.

  2. Select Application Domains from the Access Manager section.

  3. Click Search and select your domain name, and then click Edit.

  4. Select the Authorization Policies tab.

  5. Select the Protected Resource Policy.

  6. Click the Responses tab and click the plus (+) sign.

  7. In the Add Response area, complete the following fields:

    • Type. From the drop-down menu, select Header.

    • Name. Enter JDE_SSO_UID in this field.

    • Value. Enter $user.userid in this field.

  8. Click the Add button.

16.4.6 Copying the WebGate Artifact to the Oracle HTTP Server

After registering the SSO agent, verify the cwallet.sso and OBAccessClient.xml files have been created in the following directory:

<MW_Home>/user_projects/domain/IDMDomain/output/<SSO_Agent_Name>

Copy the cwallet.sso and OBAccessClient.xml files to the WebTier home on the Oracle WebTier (OHS) Server. For example:

<MW_Home>/Oracle_WT1/instances/instance1/config/OHS/ohs1/webgate/config

16.4.7 Configuring Oracle HTTP Server for the EnterpriseOne HTML Server

After you install and configure the Oracle HTTP Server and Oracle HTTP WebGate, you will need to configure the mod_wl_ohs.conf file.

To configure the mod_wl_ohs.conf file:

  1. Navigate to the mod_wl_ohs.conf file located at:

    <MW_Home>/user_projects/domain/<oamdomain>/config/fmwconfig/components/OHS/instances/<ohs_instance_name>/

  2. Edit the mod_wl_ohs.conf file.

    1. Add a Virtual Host section.

      NameVirtualHost *:7777
      <VirtualHost *:7777>
        # EnterpriseOne context
        <Location /jde>
          SetHandler weblogic-handler
          WebLogicHost myserver.com
          # EnterpriseOne HTML Server port
          WebLogicPort 9003
        </Location>
      </VirtualHost>
      
    2. If you prefer to use single sign-on for the WebLogic console, then include a <Location /console> section.

      # WebLogic console configuration (optional)
      <Location /console>
          SetHandler weblogic-handler
          WebLogicHost myserver.com
          WebLogicPort 9001
      </Location>
      
    3. This step applies only to Oracle Access Management (OAM) for Application Development Framework (ADF) Container.

      If a virtual host section already exists for EnterpriseOne, you only need to add the Location section under the same Virtual Host section.

      For JAS, add a Virtual Host section for ADF container:

      NameVirtualHost *:7778
      <VirtualHost *:7778>
        # ADF container
        <Location /JDEADFContainer>
          SetHandler weblogic-handler
          WebLogicHost myserver.com
          # ADF container port
          WebLogicPort 9104
        </Location>
      </VirtualHost>
      

      For information about the configuration settings for JAS, ADF, AIS Cookies, and ADF settings using Server Manager, see "Configuring Oracle Access Management (OAM) for ADF Container" in the JD Edwards EnterpriseOne Tools Developer's Guide for EnterpriseOne Application Development Framework (ADF) Applications.

    Note:

    The HTTP port number (for example: 7777) will be the SSO port.
  3. Restart the HTTP server.

    1. Change directory to the bin directory of the WebTier instance. For example, <MW_Home>/Oracle_WT1/instances/<Instance_Name>/bin

    2. Run ./opmnctl stopall

    3. Run ./opmnctl startall

16.5 Setting Up EnterpriseOne for Single Sign-On Integration with OAM

To set up the EnterpriseOne HTML Server for single sign-on integration with OAM through EnterpriseOne Server Manager:

  1. Open Server Manager from a web browser.

  2. Select your EnterpriseOne HTML Server instance.

  3. In the Configuration section, select Security Settings.

  4. In the Security Server Configuration section, select the Enable Oracle Access Manager option.

  5. Enter the Oracle Access Manager (OAM) sign-off URL. This sign-off URL should include the OAM server URL, for example:

    http://OAMServer:OHSport/oam/server/logout.html?end_url=http://OAMserver:OHSport/jde/index.jsp
    

    Also, you can find the sign-off URL in the SSO agent that you set up in the OAM Console, as described in Registering the WebGate Agent for JD Edwards EnterpriseOne HTML Server. In the OAM Console, select SSO Agents and then search for and open the SSO agent. The sign-off URL is in the Logout Redirect URL field.

  6. Click Apply.

  7. At the prompt, click the Synchronize button to synchronize the changes in all .ini files.

  8. Stop and restart the EnterpriseOne HTML Server.

To set up the EnterpriseOne ADF Server for single sign-on integration with OAM through EnterpriseOne Server Manager:

  1. Open Server Manager from a web browser.

  2. Select your EnterpriseOne ADF Server instance.

  3. In the Configuration section, select Security Settings.

  4. Add the OHS host and port to the HTML server whitelist field.

    http://OAMServer:OHSport
    
  5. Click Apply.

  6. At the prompt, click the Synchronize button to synchronize the changes in all .ini files.

  7. Stop and restart the EnterpriseOne ADF Server.

Note:

To integrate Content and Experience Cloud with an SSO-enabled JD Edwards EnterpriseOne HTML Server, you must enable SSO for Content and Experience Cloud with the same on-premise OAM.

See Section 16.10, "Configuring Federation SSO in Content and Experience Cloud (Release 9.2.2 Update)" for more information.

16.6 Configuring SSO Support for EnterpriseOne AIS Server Clients

In an EnterpriseOne single sign-on setup through Oracle Access Manager (OAM), an additional configuration is required to support single sign-on with applications that run on the AIS Server, which include EnterpriseOne mobile enterprise applications. This setup is also required to support E-Signatures in an EnterpriseOne SSO configuration.

To configure single sign-on support with OAM for AIS clients:

16.6.1 Enable the "Mobile and Social" Service in OAM

  1. In OAM, navigate to Configuration, Available Services.

  2. If not enabled, click the Mobile and Social service to enable it.

16.6.2 Configure the Identity Store - Directory Service

Create a new Identity Directory Service (IDS) Profile. This IDS Profile requires the same LDAP details used to create your Identity Store for SSO, including Oracle Identity Manager (or other supported LDAP directory) credentials, domain names, and so forth. See Creating Identity Store in OAM Console for more information.

The new IDS Profile creates both the IDS Profile and IDS Repository.

To create a new IDS profile:

  1. Open the Oracle Access Management (OAM) console.

  2. Click Configuration and then click User Identity Stores.

  3. In the IDS Profiles section, click Create.

  4. Enter the LDAP connection information, modifying the object classes to filter users based on the groups you want to use.

    You must define at least one object class filter for users and for groups.

  5. Click Create.

16.6.3 Configure the Mobile Service

You can configure the default provider and service or create your own. These steps describe how to configure the default provider.

  1. Navigate to Mobile Security, Mobile and Social Services.

  2. In the Service Providers section, select JWTAuthentication and click Edit.

  3. Edit the Identity Directory Service Name to point to the new IDS Profile you just created.

  4. Click the Mobile Services tab.

  5. In the Service Profiles section, select the JWTAuthentication row and click Edit.

  6. Edit the profile, taking note of the URLs listed for User Token and Access Token. You will use these later to configure the OAM settings for the EnterpriseOne Enterprise Server.

16.6.4 Configure OAM Mobile Settings for the Enterprise Server in Server Manager

  1. In Server Manager, access the Security Server Configuration settings for the Enterprise Server.

  2. Make sure that the Enable Oracle Access Manager check box is selected.

  3. Select the Oracle Access Manager Version 11g.

  4. Complete the following fields:

    • Oracle Access Manager Mobile Service Domain Name. Use Default, leave the field blank, or, if you set up a specific domain for mobile in OAM, enter that domain name here.

    • Oracle Access Manager Mobile Authentication URL. Enter the URL for the JWT Authentication Service from OAM. This is the URL listed next to the "User Token" setting in OAM.

    • Oracle Access Manager Mobile Tokens URL. Enter the URL for the JWT Tokens Service from OAM. This is the URL listed next to the "Access Token" setting in OAM.

    The Oracle Access Manager Sign-Off URL setting is only for EnterpriseOne web client applications. You can ignore it for this configuration.

  5. Complete the configuration by performing the steps in the following sections. After that, users can use their single sign-on user name and password to sign on to EnterpriseOne mobile applications.

16.7 Adding JD Edwards EnterpriseOne HTML Server User to the OID

Oracle Directory Services Manager (ODSM) is required to add a valid JD Edwards EnterpriseOne web client user to Oracle Internet Directory (OID). Complete the following steps to add a user to OID:

  1. Enter the ODSM URL in a browser, for example: http://<ServerName>:7005/odsm/faces/odsm.jspx

  2. Click Create A New Connection from the Connect to a directory menu.

  3. Enter a name for the connection in the Name field.

  4. Enter a name for the server in the Server field.

  5. Enter the ODSM port number in the Port field.

  6. Enter the user name in the User Name field. The default value, which should not be changed, is cn=orcladmin.

  7. Enter the password.

  8. Select a page from the Start Page list that will be displayed when a user connects to this connection.

  9. Click Connect.

  10. Use the connection created in the previous step to connect to the OID.

  11. Click the Data Browser tab.

  12. Expand the dc=com, dc=oracle, dc=us, cn=Users nodes.

  13. Click Create a new entry like this one to use the properties of an existing user for creating a new user.

    This option uses the values of the existing user to minimize the effort in providing information while creating a new user.

    Figure 16-5 The Data Tree Options for a Connection

  14. In the Entry Properties section in the New Entry dialog box, click Next.

  15. In the Mandatory Properties section, specify the JD Edwards username in the *cn and the *sn fields.

    The value specified in both fields must be the same.

  16. Select an option from the Relative Distinguished Name list and click Next.

  17. In the Optional Properties section, complete the following fields:

    • description: Specify a description.

    • givenName: Specify the JD Edwards user name specified in the *cn and the *sn.

    • mail: Specify the JD Edwards user name specified in the *cn and the *sn.

    • orclActiveStartDate: Specify the date when the user will be activated.

    • orclIsEnabled: Specify whether the user account is enabled or disabled.

    • uid: Specify the JD Edwards user name specified in the *cn and the *sn.

    • userPassword: Specify the password that will be used to log in to the OAM console.

  18. Click Next.

  19. Expand the cn=Groups node.

  20. Click the group that you want to add the user to.

  21. Click the plus (+) sign above the Members section.

  22. Click the entry button to open the Select Distinguished Name (DN) Path dialog box.

  23. Expand the dc=com, dc=oracle, dc=us, cn=Users nodes.

  24. Select the user you want to add to the group and click OK.

16.8 Creating Identity Store in OAM Console

  1. Open the Oracle Access Management (OAM) console.

  2. Click Configuration.

  3. Click User Identity Stores and click Create.

    Note:

    The default port of OID specified in the Location and Credentials section is 3060.
  4. Click the Test Connection button to test the connection.

  5. Set the newly created identity store as the default store for OID.

  6. Restart the OAM and HTTP server.

16.9 Testing the Single Sign-On Configuration

Complete the following steps to test the single sign-on configuration:

  1. In a web browser, enter the following URL to access the EnterpriseOne web client:

    http://yourhost:yourssoport/jde/E1Menu.maf
    

    The system displays the OAM 11g login page.

  2. On the login page, enter the LDAP user name and password. The LDAP user should also be a valid EnterpriseOne user.

    If the credentials are validated, the system grants access to the EnterpriseOne web client. You have successfully configured single sign-on.

16.10 Configuring Federation SSO in Content and Experience Cloud (Release 9.2.2 Update)

Complete the following steps to configure single sign-on to link a tenant account of Content and Experience Cloud and the on-premise Identity Provider (IdP):

  1. Add the Content and Experience Cloud user to the Oracle Internet Directory (OID).

    Note:

    You must use the email address of the JD Edwards EnterpriseOne user as the user name for creating the Content and Experience Cloud user.
  2. Download the on-premise Oracle Access Manager (OAM) IdP SAML 2.0 metadata:

    1. Type the Identity Provider URL in a browser.

    2. Log in using your OAM credentials.

    3. Save the IdP SAML 2.0 metadata file on your computer.

16.10.1 Adding the On-Premise Identity Provider as a Partner in Content and Experience Cloud

  1. Log in to the Content and Experience Cloud Dashboard.

  2. Click Users.

  3. Click the SSO Configuration tab, and then click Edit for the Configure SSO.

  4. In the Edit Single Sign-On Configuration dialog box, select the Import identity provider metadata option, and then click Choose File.

  5. On the Browse window, select the IdP SAML 2.0 metadata file you recently saved on your computer, and then click OK.

  6. Select the following values, and then click Save:

    Option            Value
    SSO Protocol      HTTP POST
    User Identifier   User's Email Address contained in NameID

    Note:

    You must select the User's Email Address option for User Identifier when JDE is configured with a long user ID, and select User ID when JDE is configured with a short user ID.
  7. Click Export Metadata, and then select the Provider Metadata option to save the SP SAML 2.0 metadata file on your computer.

16.10.2 Adding the Content and Experience Cloud Service Provider as a Partner in the On-Premise Identity Provider

  1. Log in to the OAM Console.

  2. Click Enable SSO, and then click OK.

  3. Click Federation, and then click the Identity Provider Management tab.

  4. Click Create Service Provider Partner.

  5. On the new tab, type a name for the service provider partner in the Name field.

  6. Click Load Metadata, and then click Choose File.

  7. On the Browse window, select the SP SAML 2.0 metadata file you recently saved on your computer, and then click Open.

  8. Select the Email Address option from the NameID Format list.

  9. Select the User ID Store Attribute option from the NameID Value list.

  10. Type the email address in the adjacent box, and then click Save.

  11. Log out from the OAM.

16.10.3 Testing the Federation SSO

  1. Log in to the MyServices Admin Console/Dashboard.

  2. Click Users, and then click the SSO Configuration tab.

  3. Click Test, and then click Start SSO.

    The system redirects you to the on-premise Identity Provider.

  4. Use the credentials of the test user to sign in.

    If the credentials are validated, the system grants access to Content and Experience Cloud. You have successfully configured single sign-on.