Oracle Configure, Price, and Quote Cloud

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) using SAML and provisioning for Oracle Configure, Price, and Quote Cloud (CPQ Cloud).

About Oracle CPQ Cloud

Oracle CPQ Cloud is the best-in-class CPQ (Configure, Price, and Quote) solution that helps companies improve margins and increase sales productivity. Equally proven for large and mid-size companies, CPQ Cloud makes your CRM and ERP systems more efficient and delivers tangible value adds: increased quote throughput, reduced sales cycle, and 100% data accuracy throughout the Quote-to-Cash process.

What Do You Need?

  • A CPQ Cloud application with a minimum supported version of 2017R2 or later.
  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • A CPQ Cloud administrator account with authorization rights to configure federated authentication. An example CPQ Cloud site URL is: https://cpq_site_url.oracle.com
  • A CPQ Cloud service account with authorization rights (FullAccess user type with the Create/Modify Users and Web Services Only permissions) to manage user accounts in CPQ Cloud through Oracle Identity Cloud Service.
  • Identity Provider metadata. To learn about accessing SAML metadata, see Access SAML Metadata.

Configuring SSO for CPQ Cloud

Use this section to configure an Identity Provider for CPQ Cloud.

Enabling User Management Delegation to IDP

Use the support URL to log a support request to enable the User Management Delegation to IDP option for your site. The support URL is: https://support.oracle.com

Saving the IdP X509 Certificate in PEM Format

Use this section to convert the X509 Certificate value into a format that is suitable for Oracle Identity Cloud Service.

  1. Open the IdP metadata file that you previously downloaded. See the "What Do You Need" section.

    Note: In the metadata file, the signing certificate is the text that appears between <dsig:X509Certificate> and </dsig:X509Certificate> under the <md:KeyDescriptor use="signing"> section.

  2. Copy the value between <dsig:X509Certificate> and </dsig:X509Certificate> to a text file.

    Image img1.png highlights the signing certificate value to be used from the downloaded IdP metadata file.

  3. Add -----BEGIN CERTIFICATE----- at the beginning of the file.

  4. Add -----END CERTIFICATE----- at the end of the file.

    Image img2.png displays a sample IdP X509 Cert file created.

  5. Save and change the file extension to .pem.

Obtaining the IdP Details

Use this section to obtain the IdP details such as the SAML Identity Provider URL, the SAML Logout URL, and the SAML Single Logout Endpoint information.

  1. Open the IdP metadata file that you previously downloaded. See the "What Do You Need" section.

  2. The SAML Identity Provider URL is available in the <md:SingleSignOnService> section. Make a note of the location URL. URL: https://<IDCS-Service-Instance>.idcs.internal.oracle.com:<port>/fed/v1/idp/sso

  3. The SAML Single Logout Endpoint URL is available in the <md:SingleLogoutService> section. Make a note of the location URL. URL: https://<IDCS-Service-Instance>.idcs.internal.oracle.com:<port>/fed/v1/idp/slo

  4. Make a note of the SAML Logout URL. For example, <SP-Site-url>/sso/saml_request.jsp. The following is an example of the URL format for CPQ Cloud: https://cpq_site_url.oracle.com/sso/saml_request.jsp
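The two procedures above ("Saving the IdP X509 Certificate in PEM Format" and "Obtaining the IdP Details") can be scripted. The following Python code is an added example, not Oracle code: it selects the use="signing" certificate from the metadata, emits it as PEM, computes a SHA-256 fingerprint of the decoded bytes so it can be compared with a value obtained from the IdP administrator before upload, and reads the SSO and SLO locations. The function name, the sample metadata and the example.invalid host are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}

def parse_idp_metadata(xml_text):
    """Return the signing cert as PEM, its SHA-256 fingerprint, and the SSO/SLO URLs."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("SAML metadata must not carry a DTD")
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found")
    # Take only the key marked use="signing", never the encryption key.
    node = idp.find("md:KeyDescriptor[@use='signing']//dsig:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("no signing certificate found")
    b64 = "".join(node.text.split())              # drop line breaks and indentation
    der = base64.b64decode(b64, validate=True)    # rejects anything that is not base64
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"

    def location(tag):
        # Assumption: the first listed endpoint is used when several bindings exist.
        el = idp.find(f"md:{tag}", NS)
        url = el.get("Location", "") if el is not None else ""
        if not url.startswith("https://"):
            raise ValueError(f"{tag} Location missing or not https")
        return url

    return {"pem": pem, "sha256": hashlib.sha256(der).hexdigest(),
            "sso_url": location("SingleSignOnService"),
            "slo_url": location("SingleLogoutService")}

# Constructed sample: the "certificates" are placeholder bytes, not real X.509 data.
SAMPLE_DER = b"constructed-signing-cert-placeholder" * 3
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:dsig="{NS['dsig']}" entityID="https://idcs.example.invalid/fed">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="encryption"><dsig:KeyInfo><dsig:X509Data>
   <dsig:X509Certificate>{base64.b64encode(b"encryption-placeholder").decode()}</dsig:X509Certificate>
  </dsig:X509Data></dsig:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><dsig:KeyInfo><dsig:X509Data>
   <dsig:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</dsig:X509Certificate>
  </dsig:X509Data></dsig:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idcs.example.invalid/fed/v1/idp/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idcs.example.invalid/fed/v1/idp/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["pem"], info["sha256"], info["sso_url"], info["slo_url"], sep="\n")
```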

Configuring an Identity Provider

  1. Log in as an administrator to the CPQ Cloud console using the sample URL format: https://icpq016.us.oracle.com/commerce/display_company_profile.jsp

  2. Click Admin to go to the Admin Home Page.

  3. Click Single Sign-On under Integration Platform. The Single Sign-On Settings page opens.

    Image img3.png displays a Single Sign-On Settings Page.

  4. From the Single Sign On Method drop-down, select Federated Authentication. This enables SAML SSO.

  5. For BigMachines Issuer URL, enter the CPQ Site URL. See the "What Do You Need" section.

  6. Click Choose File to locate and upload an Identity Provider Certificate. This file details how to communicate with Oracle Identity Cloud Service. See the "Saving the IdP X509 Certificate in PEM Format" section.

  7. Select No for Require Signed Request.

  8. Enter the SAML Requested Name Identifier Format value as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

  9. Enter the SAML Identity provider URL. See the "Obtaining the IdP Details" section.

  10. Provide the SAML Logout URL. See the "Obtaining the IdP Details" section.

  11. Provide the SAML Single Logout Endpoint URL. See the "Obtaining the IdP Details" section.

  12. Select Assertion contains User's BigMachines username for SAML User ID Type.

  13. Select User ID is located in the Subject statement of assertion for SAML User ID Location.

  14. Click Apply to save your changes. Click Update to save your changes and return to the Admin Home Page. Click Back to return to the Admin Home Page without saving your changes.

Configuring CPQ Cloud in Oracle Identity Cloud Service

Use this section to register and activate CPQ Cloud and to enable provisioning for CPQ Cloud. You can then assign users or groups to CPQ Cloud and start the user provisioning process.

Note: The Synchronization feature is currently not supported for CPQ Cloud. However, you can manually import user accounts from CPQ Cloud in Oracle Identity Cloud Service by using a flat file. For details, see the "Creating a Flat File for Manually Importing User Accounts from CPQ Cloud" section.

Registering and Activating the CPQ Cloud Application

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for CPQ, and then click Add.

  4. In the App Details section, enter the Name and Description.

  5. Enter the CPQ Site URL.

  6. Click Next to enable provisioning for CPQ Cloud. See the "Enabling Provisioning for CPQ Cloud" section.

  7. After you enable provisioning, click Finish. Oracle Identity Cloud Service displays a confirmation message.

  8. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Enabling Provisioning for CPQ Cloud

Use this section to enable provisioning for managing user accounts in CPQ Cloud through Oracle Identity Cloud Service.

  1. On the Provisioning page, select Enable Provisioning.

  2. Use the table to enter values for establishing a connection with CPQ Cloud through Oracle Identity Cloud Service:

    This table lists the parameters that Oracle Identity Cloud Service requires to connect to CPQ Cloud.
    Parameter | Value
    Host Name | Enter the host name of the server hosting CPQ Cloud, for example, "myhost.oraclecorp.com".
    Administrator Username | Enter the CPQ Cloud service account user name.
    Administrator Password | Enter the CPQ Cloud service account password.

  3. Click Test Connectivity to verify the connection with CPQ Cloud. Oracle Identity Cloud Service displays a confirmation message.

  4. To view predefined attribute mappings between the user account fields defined in CPQ Cloud and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: The predefined value for the type attribute (corresponding to the Type field on the User Administration page in CPQ Cloud) is 8. Therefore, by default, all provisioned users are assigned the SalesAgent user type in CPQ Cloud. If you want to provision a user with another user type, then specify the appropriate value defined in CPQ Cloud for the type attribute.

    To add a new attribute for provisioning, click Add Attribute, specify the attributes in the User and CPQ Account columns, and then click OK. For example, if you want to add the User Name field, enter $(user.userName) in the User column, and then select the corresponding field from the drop-down list in the CPQ Account column.

  5. Specify the provisioning operations that you want to enable for CPQ Cloud:

    Note: By default, the Create Account, De-activate Account, and Delete Account check boxes are selected.

    Create Account: Automatically creates an account in CPQ Cloud when CPQ Cloud access is granted to the corresponding user in Oracle Identity Cloud Service.

    De-activate Account: Automatically activates or de-activates an account in CPQ Cloud when the corresponding user is activated or de-activated in Oracle Identity Cloud Service.

    Delete Account: Automatically deletes an account from CPQ Cloud when CPQ Cloud access is revoked from the corresponding user in Oracle Identity Cloud Service.

You can now manage CPQ Cloud accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

Creating a Flat File for Manually Importing User Accounts from CPQ Cloud

Use this section to download user data from CPQ Cloud and create a compatible flat file for manually importing user accounts in Oracle Identity Cloud Service.

  1. Log in as an administrator to the CPQ Cloud console using the sample URL format: https://icpq016.us.oracle.com/commerce/display_company_profile.jsp

  2. Click the Admin icon. The Administration Platform page appears.

  3. Click Download from the Utilities section. The Download Category List page appears.

  4. Select the User category, and then click Next. The Search Criteria page appears.

  5. Select the CSV option for the Download Format field, and then click Download. The Download Status page appears. After the download is complete, the CSV file is stored on the server.

  6. Download the CSV file to your local system. This CSV file holds data for all of the User attributes available in CPQ Cloud.

  7. Create a new CSV file, add ID, NAME, and ACTIVE column headers, and then copy corresponding data from the CSV file (downloaded in Step 6) based on the mappings described in the following table:

    This table provides the mapping details, description, and sample values for the CPQ Cloud User attributes.
    Attribute | Map To | Description | Sample Value
    ID | login | Unique identifier | abc.user@sampleapp.com
    NAME | login | Account name | abc.user@sampleapp.com
    ACTIVE | status | Account status | true

    You can now use this CSV file to import user accounts into Oracle Identity Cloud Service. For more information on performing this task, see the Importing User Accounts from a Flat File Using REST APIs section in Administering Oracle Identity Cloud Service.
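Step 7 can be scripted so that a bad record stops the conversion instead of being imported. The following Python code is an added example, not Oracle code: it maps the login and status columns to ID, NAME, and ACTIVE as in the table above and rejects empty or duplicate logins and unrecognised status values. The status strings it accepts, the "false" output for inactive accounts, the first_name column and the function names are assumptions made for illustration; adjust them to the values in your export.

```python
import csv
import io

# Assumption: status strings found in the CPQ export; adjust to your file.
ACTIVE_VALUES = {"active", "true"}
INACTIVE_VALUES = {"inactive", "false"}

def build_import_rows(cpq_csv_text):
    """Map a CPQ user export to ID/NAME/ACTIVE rows, failing closed on bad data."""
    rows, seen = [], set()
    for n, rec in enumerate(csv.DictReader(io.StringIO(cpq_csv_text)), start=1):
        login = (rec.get("login") or "").strip()
        status = (rec.get("status") or "").strip().lower()
        if not login:
            raise ValueError(f"record {n}: empty login")
        if login.lower() in seen:
            raise ValueError(f"record {n}: duplicate login {login!r}")
        if status in ACTIVE_VALUES:
            active = "true"
        elif status in INACTIVE_VALUES:
            active = "false"   # assumption: inactive accounts are written as "false"
        else:
            # Never guess: an unrecognised status must not become an active account.
            raise ValueError(f"record {n}: unknown status {status!r}")
        seen.add(login.lower())
        rows.append({"ID": login, "NAME": login, "ACTIVE": active})
    return rows

def to_csv(rows):
    """Serialise the rows with the ID, NAME, ACTIVE header required by step 7."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["ID", "NAME", "ACTIVE"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample export (column set beyond login and status is hypothetical).
SAMPLE_EXPORT = """login,first_name,status
abc.user@sampleapp.com,Abc,Active
xyz.user@sampleapp.com,Xyz,Inactive
"""

if __name__ == "__main__":
    print(to_csv(build_import_rows(SAMPLE_EXPORT)), end="")
```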

Verifying the Integration

Use this section to verify that SSO and single log-out (SLO) work when initiated from Oracle Identity Cloud Service (IdP Initiated SSO and IdP Initiated SLO) and when initiated from CPQ Cloud (SP Initiated SSO and SP Initiated SLO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the CPQ Cloud app. Oracle Identity Cloud Service displays a shortcut to the CPQ app under My Apps.

  3. Click CPQ. The CPQ home page appears.

  4. On the CPQ Cloud home page, confirm that the user who is logged in is the same for both CPQ Cloud and Oracle Identity Cloud Service.

This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from CPQ

  1. Access CPQ Cloud from: {CPQ-Site-Url}/sso/saml_request.jsp. The Oracle Identity Cloud Service login page appears.

  2. Enter the credentials for a user that is assigned to the CPQ Cloud App, and then click Sign In. The CPQ Cloud home page appears.

  3. Confirm that the user that is logged in is the same for both CPQ Cloud and Oracle Identity Cloud Service.

This confirms that SSO that is initiated from CPQ Cloud works.

Verifying Identity Provider Initiated SLO

  1. On the Oracle Identity Cloud Service home page, click the user name in the upper-right corner, and then select Sign Out from the drop-down list. The Login Page appears.

  2. On the CPQ Cloud home page, perform any operation. The Oracle Identity Cloud Service login page appears.

This confirms that SLO works and that the user is no longer logged in to CPQ Cloud and Oracle Identity Cloud Service.

Verifying Service Provider Initiated SLO

  1. On the CPQ Cloud home page, click Logout.

  2. Access the Oracle Identity Cloud Service My Profile console, and confirm that the login page appears.

This confirms that SLO works and that the user is no longer logged in to CPQ Cloud and Oracle Identity Cloud Service.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The administrator revokes access for the user at the same time that the user tries to access the CPQ Cloud app using Oracle Identity Cloud Service.

Solution 1: Access the Oracle Identity Cloud Service administration console, select Applications, then CPQ, then Users, and then click Assign to re-assign the user.

Cause 2: The SAML 2.0 integration between the Oracle Identity Cloud Service and CPQ Cloud is deactivated.

Solution 2:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then CPQ.

  • Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Unknown Issues

For unknown issues, contact Oracle Support:

  • Go to https://support.oracle.com.

  • Select Cloud Support, and then sign in with your support credentials.

  • In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  • Select Oracle Identity Cloud Service as the service type.

  • Complete your service request.