Problems Identified by Testing SSO

The Test SSO feature can identify various problems.

The Assertion Couldn’t Be Mapped to an Oracle Cloud User

This may occur for the following reasons:

  • The SIM user corresponding to the identity provider user doesn't exist.

  • Oracle Cloud is configured incorrectly for mapping the incoming SSO assertion to a user.

An Error Occurs When Oracle Cloud Consumes the SAML Assertion

To resolve this problem:

  • Ensure that the Oracle Cloud federation server has the latest identity provider metadata and signing certificate.

  • If the identity provider encrypts the assertion, ensure that the identity provider has the correct Oracle Cloud encryption certificate.

After Logging Out, the User is Automatically Logged in Again

This typically occurs when Oracle Cloud is integrated with an identity provider that uses HTTP basic authentication, or with a Microsoft Active Directory Federation Services identity provider that uses Windows Integrated Authentication as the challenge mechanism. After the user logs out and the SAML 2.0 logout protocol completes, the user is automatically logged in again. The identity provider can’t log the user out because:

  • The browser caches the HTTP basic authentication credentials, so the identity provider can’t log the browser out.

  • The Windows desktop machine where the user is signed in automatically signs the browser in to the Microsoft Active Directory Federation Services identity provider, so the identity provider can’t log the browser out.

To resolve this problem, change the authentication mechanism at the identity provider.

The Identity Metadata Fails to Be Uploaded from the Console

To resolve this problem:

  • Ensure that the metadata wasn’t modified.

  • When downloading the metadata from the identity provider, save it using the File > Save As command. Don’t copy the metadata from the browser window and paste it into a file, because this modifies the contents of the metadata.

SSO Fails Because the Assertion Isn’t Signed

The Oracle Cloud federation server requires the SAML assertion itself to be signed. Ensure that the assertion is signed and contains its own digital signature element, even when the SSO response is signed.
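The following Python script is an added example and is not part of the Oracle Cloud documentation or product. It performs the structural checks behind four of the messages in this topic: whether the identity provider metadata file is intact and declares a signing certificate (Metadata Fails to Be Uploaded), whether the certificate that signed the assertion is one the uploaded metadata declares (An Error Occurs When Oracle Cloud Consumes the SAML Assertion), whether the Assertion element itself carries a signature rather than only the Response (Assertion Isn’t Signed), and which NameID is being sent for mapping to a user (Assertion Couldn’t Be Mapped). It assumes a base64 SAMLResponse captured from the browser and the metadata file that was uploaded; the entity ID, certificates and sample response are constructed, and no XML signature is verified cryptographically.

```python
"""Structural checks on identity provider metadata and a SAML 2.0 Response.

Constructed example, not Oracle's tooling. Nothing here verifies an XML
signature cryptographically; it checks the points the Test SSO messages
refer to: whether the metadata is intact, whether the Assertion itself
carries a ds:Signature, whether that signature's certificate is one the
metadata declares, and which NameID is sent for mapping to a user.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _der(b64text):
    """Decode a base64 certificate body to DER bytes, ignoring line breaks."""
    return base64.b64decode("".join(b64text.split()))


def load_idp_metadata(xml_text):
    """Return (entityID, [DER signing certs]); raise ValueError if the file is damaged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"metadata is not well-formed XML: {exc}") from exc
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means both uses
            certs += [_der(c.text or "") for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata declares no signing certificate")
    return root.get("entityID"), certs


def inspect_response(saml_response_b64, metadata_certs):
    """Summarise signature placement, signing certificate and NameID of a SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # find() with a plain tag looks at direct children only, so a signature on the
    # Assertion does not count as a signature on the Response, and vice versa.
    findings = {"response_signed": root.find("ds:Signature", NS) is not None}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An encrypted assertion cannot be inspected without the decryption key.
        findings["assertion_encrypted"] = root.find("saml:EncryptedAssertion", NS) is not None
        findings["assertion_signed"] = False
        return findings
    sig = assertion.find("ds:Signature", NS)
    findings["assertion_signed"] = sig is not None
    findings["issuer"] = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    findings["name_id"] = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    cert = sig.find(".//ds:X509Certificate", NS) if sig is not None else None
    # None: no certificate to compare; False: stale or wrong metadata on the federation server.
    findings["signing_cert_in_metadata"] = None if cert is None else _der(cert.text) in metadata_certs
    return findings


# ---- constructed sample data (the "certificates" are arbitrary bytes, not real X.509) ----
FAKE_CERT = base64.b64encode(b"constructed IdP certificate DER").decode()
STALE_CERT = base64.b64encode(b"certificate after an IdP key rollover").decode()
IDP_ENTITY = "https://idp.example.test/saml"  # hypothetical identity provider

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ENTITY}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def build_response(assertion_cert=None, response_signed=False):
    """Build a minimal base64 SAMLResponse; signature elements are placeholders with no real value."""
    def sig(cert):
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignatureValue>placeholder</ds:SignatureValue>'
                f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>'
                '</ds:KeyInfo></ds:Signature>')
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
           f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
           + (sig(FAKE_CERT) if response_signed else "")
           + f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
           + (sig(assertion_cert) if assertion_cert else "")
           + '<saml:Subject><saml:NameID>jane.doe@example.test</saml:NameID></saml:Subject>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    _, certs = load_idp_metadata(IDP_METADATA)
    print("assertion signed, cert current :", inspect_response(build_response(FAKE_CERT), certs))
    print("only the Response is signed    :", inspect_response(build_response(response_signed=True), certs))
    print("signed with a rolled-over key  :", inspect_response(build_response(STALE_CERT), certs))
    try:
        load_idp_metadata(IDP_METADATA.replace("</md:EntityDescriptor>", ""))  # simulates a damaged paste
    except ValueError as err:
        print("damaged metadata rejected      :", err)
```

The three sample responses correspond to the cases this topic distinguishes: a correctly signed assertion whose certificate matches the uploaded metadata, a response that is signed only at the Response level (which the federation server rejects), and an assertion signed with a certificate that is not in the metadata (the symptom of stale identity provider metadata after a key rollover). The last call shows that a truncated or altered metadata file is rejected as not well-formed before any of the other checks run.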

Problems that Can’t Be Resolved

If you can’t resolve the problem using the Test feature, proceed to Troubleshooting SSO.