Oracle CRM On Demand Stateless Authentication Mechanisms
Stateless login is available on all APIs. Stateless Web services requests for the Web Services v1.0, Web Services v2.0, Services, and Data Loader APIs can be authenticated using:
- UserName and Password provided in SOAP security header (using WSSE Version 1.0 Namespace) 
- Oracle CRM On Demand Single Sign On (SSO) Token provided in SOAP security header 
- SSO with SAML v1.1 or v2.0 
For the Administrative Services APIs only, the following login options are supported for stateless Web services requests:
- UserName and Password provided in SOAP security header (using WSSE Version 2.0 Namespace) 
- Oracle CRM On Demand Single Sign On (SSO) Token provided in SOAP security header 
- SSO with SAML v1.1 
Login with UserName and Password in the SOAP Security Header
Credentials can be supplied in the request because Oracle CRM On Demand supports the UserNameToken profile of the WS-I Basic Security Profile Version 1.0. In this case, the SOAP header contains the element <wsse:UsernameToken>, whose child elements contain the username and password:
<soap:Header>
	<wsse:Security soap:mustUnderstand="1">
		<wsse:UsernameToken>
			<wsse:Username>USERNAME</wsse:Username>
			<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
		</wsse:UsernameToken>
	</wsse:Security>
</soap:Header>
For the Administrative Services API, a similar login mechanism is used, but with a WSSE Version 2.0 namespace instead of the WSSE Version 1.0 Namespace.
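The following Python sketch is an added example, not Oracle's code: it builds the UsernameToken header shown above with the standard library, refuses non-HTTPS endpoints because a PasswordText password travels unprotected in every stateless request, and masks the password before an envelope is logged. The SOAP 1.1 and OASIS WSSE 1.0 namespace URIs are assumptions (the page does not print them), and the endpoint and credentials are constructed values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumptions (not stated on the page): SOAP 1.1 envelope and OASIS WSSE 1.0 namespaces.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Type URI from the page's header, kept as one unbroken string.
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)


def require_tls(endpoint):
    """PasswordText is sent as-is in every stateless request: allow HTTPS only."""
    parts = urlsplit(endpoint)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("refusing to send a UsernameToken to a non-HTTPS endpoint")
    return endpoint


def build_envelope(username, password):
    """Return a SOAP envelope (bytes) with the UsernameToken header and an empty Body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security",
                             {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    # ElementTree escapes &, < and > in text, so credentials cannot break the XML.
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def redact(envelope):
    """Copy of the envelope that is safe to log: every wsse:Password is masked."""
    root = ET.fromstring(envelope)
    for pw in root.iter(f"{{{WSSE_NS}}}Password"):
        pw.text = "[REDACTED]"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values; the endpoint host is a placeholder.
    require_tls("https://crm.example.invalid/ws")
    print(redact(build_envelope("ACME/jdoe", "p<ss&word>1")))
```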
Login with Oracle CRM On Demand Single Sign-On Token in the SOAP Header
This login mechanism is a type of outbound SSO; see Outbound SSO.
The client application supplies the SSO token in the <wsse:KeyIdentifier> element of the SOAP header:
<soap:Header>
	<wsse:Security>
		<wsse:SecurityTokenReference>
			<wsse:KeyIdentifier ValueType="http://schemas.crmondemand.com/ws/2011/01/secext#SSOTokenKeyIdentifier">$6$qx6pJ/czNwO1trwQRazQ26j4osNiQHMoqQSwRfpz/6HX2D5cw=;$6$IjwKO/BBoBW5oiuqC7P/TxwOBX1LxVpExR9vp7P5J/kixzGFWIjxHyRye7zy9Ld2g2vKp4W4jykxjbgF3KE8CFOGmD5g==</wsse:KeyIdentifier>
		</wsse:SecurityTokenReference>
	</wsse:Security>
</soap:Header>
The SOAP request will not be processed if the SSO token has expired. It is best practice to validate the SSO token before using it for login; see SSO Token Validation.
SSO with SAML v1.1 or v2.0
This login mechanism is a type of inbound SSO; see Inbound SSO.
For SSO using Security Assertion Markup Language (SAML), Oracle CRM On Demand only supports the SAML Web Browser Profiles - the Browser/Artifact Profile and the Browser/POST Profile using the Proprietary Token method.