Oracle Fusion Applications Release 13

Before You Begin

Introduction

This document describes how to integrate Oracle Fusion Applications Cloud Service (Fusion Applications or Fusion Apps) with Oracle Identity Cloud Service, for the following scenarios:

Single Sign-On: Oracle Identity Cloud Service provides Single Sign-On (SSO) using SAML and acting as an identity provider for your Oracle Fusion Applications Cloud Service instance.

You can also integrate Oracle Fusion Applications Cloud Service with Oracle Identity Cloud Service and have Oracle Fusion Applications Cloud Service to act as the identity provider. To learn about all the supported scenarios and how to configure them, see Learn About Integrating an Oracle SaaS Application with Oracle PaaS.
Provisioning and Synchronization: You can configure users to be provisioned and synchronized between your Oracle Fusion Applications Cloud Service instance and Oracle Identity Cloud Service.

This document is applicable for Oracle Fusion Applications Cloud Service Release 13 environments. Follow the Pre-Requisites and then depending on the version of your Oracle Fusion Applications Cloud Service environment the steps may differ:

Scenario	Release 13 19A and before	Release 13 19B and later
Single Sign-On: Identity Cloud Service as Identity Provider	See Configure Single Sign-On in this document and Open a Service Request to Configure SSO to Oracle Fusion Applications.	See Configure Single Sign-On in this document.
Single Sign-On: Fusion Applications as Identity Provider	See Enable Federation with Oracle Fusion Applications Cloud Service as Identity Provider.	See Enable Federation with Oracle Fusion Applications Cloud Service as Identity Provider.
Provisioning and Synchronization	See Configure Provisioning and Synchronization in this document.	See Configure Provisioning and Synchronization in this document.

About Oracle Fusion Applications Cloud Service

Oracle Fusion Applications Cloud Service are distributed across various product families, including procurement and financial management (ERP), human capital management (HCM), customer relationship management (CRM), supply chain management (SCM), and governance.

After integrating Oracle Fusion Applications Cloud Service with Oracle Identity Cloud Service for both SSO and provisioning:

Users can access Oracle Fusion Applications Cloud Service instances using their Oracle Identity Cloud Service login credentials.
Users launch Oracle Fusion Applications Cloud Service using the Oracle Identity Cloud Service My Apps console.
Admins can assign and revoke user access to the application using the Oracle Identity Cloud Service administration console.

Pre-Requisites

Environment Information

An Oracle Fusion Applications Cloud Service 13 environment.
A service account in Oracle Fusion Applications Cloud Service with the ORA_FND_IT_SECURITY_MANAGER_JOB role to manage user accounts in Oracle Fusion Applications Cloud Service through Oracle Identity Cloud Service.
If you are using Oracle Fusion Applications Cloud Service Release 13 19B (11.13.19.04) or later versions, access to the Oracle Applications Cloud console as administrator.
The Tenant Name and Domain Name from your Oracle Fusion Applications Cloud Service environment URL. For example, if your environment URL is https://eeho.fa.us2.oraclecloud.com/fscmUI/faces/FuseWelcome, then the tenant name is eeho and domain name is us2.oracle.com.
An Oracle Identity Cloud Service account with authorization rights to manage applications (Application Administrator roles) and users (User Administrator).

Verify Your Oracle Fusion Applications Cloud Service Environment Version

You can integrate Oracle Fusion Applications Cloud Service with Oracle Identity Cloud Service using one of the two Application Catalog templates: Oracle Fusion Applications or Oracle Fusion Applications Release 13.

Before executing the procedures in this document, verify which Oracle Fusion Applications Cloud Service release you are using:

Sign in to the Oracle Applications Cloud console as administrator, click the avatar icon on the top-right corner of the screen, and then click About This Application.
If your environment version is equal or greater than 11.13.19.04 (19B), then use Oracle Fusion Applications Release 13 from Oracle Identity Cloud Service's App Catalog. Otherwise, use Oracle Fusion Applications.

Obtain Oracle Fusion Applications Cloud Service External Server Host and Port Values

The external server host name and port number values are required to define the Entity ID of your Oracle Fusion Applications Cloud Service Release 13 environment in Oracle Identity Cloud Service.

Sign in as an administrator to the Oracle Applications Cloud console, expand the Navigator, and then select Setup and Maintenance.
Click the Tasks icon, select Review Topology, and then click the Detailed tab.
Expand the FADomain domain name, and then note the values of External Server Host and External Server Port for the HCMServices entry. Otherwise, expand the hcmdomain domain name, and then note the values of External Server Host and External Server Port for the HCM Core Setup entry.

Download Oracle Identity Cloud Service Identity Provider Metadata

The metadata file from Oracle Identity Cloud Service is used during the identity provider registration in the Oracle Applications Cloud console to define the trusted relationship between Oracle Fusion Applications Cloud Service and Oracle Identity Cloud Service.

Sign in to the Oracle Identity Cloud Service console as an administrator.
In the web browser address bar enter the following URL to access the metadata: https://<IDCS-Tenant-Instance>.identity.oraclecloud.com/fed/v1/metadata, where \<IDCS-Tenant-Instance\> is the tenant name of your Oracle Identity Cloud Service instance.
Save the XML content of your web browser to a file on your desktop with the name idp_metadata.xml.

Configure Single Sign-On

Configure Oracle Fusion Applications Cloud Service to integrate with Oracle Identity Cloud Service for authentication purposes. The following configuration considers Oracle Identity Cloud Service as the identity provider and Oracle Fusion Applications Cloud Service as the service provider.

Use the following procedure only if you are using Oracle Fusion Applications Cloud Service Release 13 19B (11.13.19.04) or later versions.

If you use a version earlier than 19B (11.13.19.04), contact the Fusion Applications Support team for configuring your Oracle Identity Cloud Service instance as the identity provider for your Oracle Fusion Applications Cloud Service environment, and to obtain the PEM Certificate file. See Open Service Request to Configure SSO to Oracle Fusion Applications.

Configure Oracle Identity Cloud Service as Identity Provider in Oracle Applications Cloud Console

Use Oracle Applications Cloud console to register Oracle Identity Cloud Service as Identity Provider, download Fusion Applications metadata, and then extract both the PEM Certificate and the entityID value.

Sign in to the Oracle Applications Cloud console with security admin privileges, click Tools, click Security Console, and then click Single Sign-On on the left menu.
In the Single Sign-On page, click Create Identity Provider.
In the Single Sign-On Configuration: Identity Provider Details page, click Edit.

Use the following table to configure Oracle Identity Cloud Service as an identity provider for Oracle Fusion Applications Cloud Service:

This table lists the parameters used to configure Oracle Identity Cloud Service as identity provider.
Parameter	Value
Name	The name of the identity provider can't contain spaces or special characters, For example, `OracleIdentityCloudService`
Name ID Format	Unspecified
Default Identity Provider	Selected
Enable Chooser Login Page	You select this field so that the Oracle Fusion Applications Cloud Service administrator (local user) can access Oracle Applications Cloud console. Once you have a user created in Oracle Identity Cloud Service which synchronizes with the Oracle Fusion Applications Cloud Service administrator account, then you can deselect Enable Chooser Login Page from this identity provider.

In the Import Identity Provider Metadata section, click Browse, browse to the Identity Provider metadata file on your desktop, and then click Open. You obtained the identity provider metadata file in the Download Oracle Identity Cloud Service Identity Provider Metadata section.
Click Save and Close.
In the Single Sign-On Configuration: Identity Provider Details page, click Service Provider Details, click the download icon for the Service Provider SHA 256 Metadata URL, and then save the file on your local desktop with the name fa_sha256_metadata.xml.
Open the name fa_sha256_metadata.xml file, locate the <dsig:X509Certificate> tag under <md:KeyDescriptor use="signing">, and then copy the value between <dsig:X509Certificate> and </dsig:X509Certificate>, then close the file.
Create the PEM Certificate file on your desktop, name it as fa_cert.pem, edit this file, and then paste the certificate value you copied in the previous step. For example, if the fa_sha256_metadata.xml file contains the following entry:
```
   <dsig:X509Certificate>
      abcd1234EFGH5678ijklj0=
   </dsig:X509Certificate>
```
Then, create the fa_cert.pem PEM Certificate file with the following content:
```
-----BEGIN CERTIFICATE-----
abcd1234EFGH5678ijklj0=
-----END CERTIFICATE-----
```
Open the fa_sha256_metadata.xml file and locate the following and make a note of the following values:

a. entityID attribute in the <md:EntityDescriptor tag, and make note of the value. For example, if the fa_sha256_metadata.xml file contains:
```
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
    ...
    entityID="https://eeho.login.us2.oraclecloud.com:443/oam/fed"
    validUntil="2029-07-23T06:24:39Z">
```
Then, the entityID value is https://eeho.login.us2.oraclecloud.com:443/oam/fed.

b. Location attribute in <md:AssertionConsumerService under the <md:SPSSODescriptor element. Make a note of the value from the element that has <md:Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".

c. Location attribute in the <md:SingleLogoutService element under the <md:SPSSODescriptor element. Make a note of the value from the element that has <md:Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".

d. Value of <md:ResponseLocation attribute in the <md:SingleLogoutService element under the <md:SPSSODescriptor element. Make a note of the value from the element that has <md:Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".
Make sure you have the landing page URLs you have configured, for example, CRM, ERP.
The Oracle Fusion Applications welcome page URL.

Register and Activate Oracle Fusion Applications in Oracle Identity Cloud Service

Register and activate the Oracle Fusion Applications in Oracle Identity Cloud Service to enable SSO between this environment and Oracle Identity Cloud Service. Use the following procedure for Oracle Fusion Applications Cloud Service Release 13 19B (11.13.19.04) and later versions.

Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
Click App Catalog.
Search Oracle Fusion Applications Release 13 and then click Add. See Verify Your Oracle Fusion Applications Cloud Service Environment Version.
In the Details tab, update the name of the application as per your Oracle Fusion Applications Cloud Service environment's name. For example, My Dev FA.
By default, all Oracle Fusion Applications apps are selected (CRM, ERP, HCM, and SCM). Uncheck the apps that aren't required, and then click Next.
For the Relay state, enter the first location attribute you obtained in step 10 of Configure Oracle Identity Cloud Service as Identity Provider in Oracle Applications Cloud Console.
For each app specific landing page URL, enter the URL you noted in Configure Oracle Identity Cloud Service as Identity Provider in Oracle Applications Cloud Console.
Click Next and enter the Entity Id that you obtained in step 10 of Configure Oracle Identity Cloud Service as Identity Provider in Oracle Applications Cloud Console.
Click Upload, browse to, and then select the PEM certificate file that you obtained in step 10 of Configure Oracle Identity Cloud Service as Identity Provider in Oracle Applications Cloud Console.
For Assertion Consumer URL, enter the value that you obtained in step 10(b) of Configure Oracle Identity Cloud Service as Identity Provider in Oracle Applications Cloud Console.
Optionally, in the Authentication and Authorization section, select the Enforce Grants as Authorization check box. When enabled, Oracle Identity Cloud Service performs a validation on the user authorization status for the application. Only users assigned to this application in Oracle Identity Cloud Service can access the application.
Expand Advanced Settings and enter the following:

a. For the Single Logout URL, the Location attribute in the <md:SingleLogoutService element under the <md:SPSSODescriptor element from step 10 of Configure Oracle Identity Cloud Service as Identity Provider in Oracle Applications Cloud Console.

b. For the Logout Response URL, the ResponseLocation attribute in the <md:SingleLogoutService element under the <md:SPSSODescriptor element from step 10 of Configure Oracle Identity Cloud Service as Identity Provider in Oracle Applications Cloud Console.
And then click Finish.
Click Activate and then click OK in the Confirmation window. Oracle Identity Cloud Service displays a message that your Oracle Fusion Applications Cloud Service has been activated.

Test and Activate the SSO Integration in Oracle Applications Cloud console

Use Oracle Fusion Applications console to test the SSO configuration between your Oracle Fusion Applications Cloud Service environment and Oracle Identity Cloud Service, and then activate the identity provider.

Sign in to the Oracle Cloud Applications console, click Tools, click Security Console, and then click Single Sign-On.
Click the name of the identity provider you created for Oracle Identity Cloud Service in the Configure Oracle Identity Cloud Service as Identity Provider in Oracle Applications Cloud Console section.
On the left menu, click Diagnostic and Activation, click Test, and then click Yes in the warning dialog. A new web browser window or tab opens to test SSO.
On the Initiate Federation SSO page, select Partner as the identity provider name for Oracle Identity Cloud Service, and then click Start SSO . The Oracle Identity Cloud Service Sign In page opens.
Sign in to Oracle Identity Cloud Service using Oracle Identity Cloud Service’s user credential. After successful sign in, the Federation SSO Operation Result page opens with information on the SSO integration.
In the Federation SSO Operation Result page, verify SSO Primary Status Code has status SUCCESS, and then close the new browser or tab.
In the Single Sign-On Configuration: Diagnostic and Activation page, click Edit, click Enable Identity Provider, and then click Save and Close.

Configure Provisioning and Synchronization

Use this section to enable provisioning and synchronization between Oracle Fusion Applications Cloud Service and Oracle Identity Cloud Service. Use this section for all Oracle Fusion Applications Cloud Service versions.

This integration supports 2 scenarios:

Accounts Provisioning and Synchronization: In this scenario, you manage your Oracle Fusion Applications Cloud Service users through Oracle Identity Cloud Service console. After you assign a user to the Oracle Fusion Applications Cloud Service application in Oracle Identity Cloud Service, a user account is created in your Oracle Fusion Applications Cloud Service environment. If you revoke the user assignment to the application, the user account is removed from your Oracle Fusion Applications Cloud Service environment. User accounts in Oracle Fusion Applications Cloud Service can also be synchronized to Oracle Identity Cloud Service, hence assigning the corresponding users to the application in Oracle Identity Cloud Service.

The provisioning process maps user attributes in Oracle Identity Cloud Service to user accounts attributes in Oracle Fusion Applications Cloud Service through a hidden user account form. This form enables you to select an Oracle Fusion Applications Cloud Service role to assign to the user account during the account creation in Oracle Fusion Applications Cloud Service. By default, this form is not enabled for Oracle Fusion Applications App Catalog. Contact Oracle Support to enable the user account form. See Open Service Request to Enable Account Form.
Authoritative Synchronization: You can configure Oracle Fusion Applications App Catalog to act as an authoritative source of users for Oracle Identity Cloud Service. In this scenario, users, roles, and user role memberships created or modified on Oracle Fusion Applications Cloud Service are synchronized to Oracle Identity Cloud Service creating or updating the corresponding users, groups, and user group memberships.

Enable Provisioning and Synchronization

Use this section to enable provisioning and synchronization between your Oracle Fusion Applications Cloud Service environment and Oracle Identity Cloud Service.

This section is valid for Oracle Fusion Applications Cloud Service release 13.

Enable Provisioning

Configure the provisioning aspects of the integration.

Access the Oracle Identity Cloud Service administration console, select Applications, and then click your Oracle Fusion Applications Cloud Service application.
On your Oracle Fusion Applications Cloud Service page, click the Provisioning tab, and then select Enable Provisioning.

Use the following table to configure connectivity for establishing a connection with your Oracle Fusion Applications Cloud Service environment:

This table lists the parameters that Oracle Identity Cloud Service requires to connect to Oracle Fusion Applications Cloud Service.
Parameter	Value
User Feed Endpoint URI	Enter `/hcmRestApi/atomservlet/user/userRequests`
Administrator Username	Enter the service account user name of Oracle Fusion Applications Cloud Service. See Environment Information.
Administrator Password	Enter the service account password of Oracle Fusion Applications Cloud Service. See Environment Information.
Host Name	Enter the external host name of your Oracle Fusion Applications Cloud Service environment. For example: `eeho.fa.us2.oraclecloud.com`. See Obtain Oracle Fusion Applications Cloud Service External Server Host and Port Values.
Port Number	Enter the external server port of your Oracle Fusion Applications Cloud Service environment. See Obtain Oracle Fusion Applications Cloud Service External Server Host and Port Values.
SSL Enabled	Select the checkbox for SSL communication between Oracle Identity Cloud Service and Oracle Fusion Applications Cloud Service.
Override custom sync	Specify whether to sync all users and groups. If this option is selected, Fusion Admin Roles values are not used for synchronization and all users and groups from the Fusion Application are synchronized.
Fusion Admin Roles	Specify a set of admin roles to be Synchronized. If the admin roles are provided, synchronization will bring only the provided roles and the members of those roles. If no admin roles are provided, all users and groups are synchronized. Separate each role code by a newline.

Click Test Connectivity to verify the connection with your Oracle Fusion Applications Cloud Service environment. Oracle Identity Cloud Service displays a confirmation message.

To view predefined attribute mappings between the users in Oracle Identity Cloud Service and user accounts in Oracle Fusion Applications Cloud Service, click Attribute Mapping, and then click OK.

a. If you select Authoritative Sync as provisioning operations, then users from Oracle Fusion Applications Cloud Service will be synchronized to Oracle Identity Cloud Service. Click Application to Identity Cloud to configure the mapping between the application and Oracle Identity Cloud Service.

This table lists the default attribute mapping when users are synchronized from Oracle Fusion Applications Cloud Service to Oracle Identity Cloud Service.
Oracle Fusion Applications Cloud Service user account	User in Oracle Identity Cloud Service
$(account.displayName)	Display Name
$(account.emails)	emails[primary eq true and type eq "work"].value
$(account.givenName)	First name
$(account.familyName)	Last name
$(account.active)	User Status
$(account.name)	User Name
$(account.preferredLanguage)	Preferred Language

The Maps To column allows you to select how the attribute mapping is used: For Create Only operations or for Create and Update operations.

b. If you don't select Authoritative Sync, then Oracle Identity Cloud Service provision users to Oracle Fusion Applications Cloud Service. Click Identity Cloud to Application to configure the mapping between Oracle Identity Cloud Service and the application.

This table lists the default attribute mapping when users are provisioned from Oracle Identity Cloud Service to Oracle Fusion Applications Cloud Service.
User in Oracle Identity Cloud Service	Oracle Fusion Applications Cloud Service user account
$(user.name.givenName)	givenName
$(user.name.familyName)	familyName
$(user.displayName)	displayName
$(user.userName)	name
$(user.emails[primary=true].value)	emails
$(user.preferredLanguage)	preferredLanguage
$(user.active)	active

To add a new attribute mapping, click Add Row, specify the attributes in the User and Oracle Fusion Applications Account columns, and then click OK. For example, if you are in the Identity Cloud to Application tab and you want to add the External ID user attribute, then enter $(user.externalId) in the User column, and then select the corresponding Oracle Fusion Applications Cloud Service field from the drop-down list in the Oracle Fusion Applications Account column.
Specify the provisioning operations that you want to enable for Oracle Fusion Applications Cloud Service:

Authoritative Sync: Configures your Oracle Fusion Applications Cloud Service environment as an authoritative source of Oracle Identity Cloud Service, as described in the Configure Provisioning and Synchronization section.
- By default, authoritative sync is not enabled and the Create Account, Update Account, De-activate Account, and Delete Account check boxes are selected for performing provisioning operations. If you enable authoritative sync, these check boxes are disabled for this app and you can't perform the provisioning operations using Oracle Identity Cloud Service.
- During authoritative sync, if you want the users to be federated then you add a new row to the attribute mapping, and then map the Federated attribute to true. To do so, from the Attribute Mapping dialog box, click Application to Identity Cloud tab, click Add Row, enter toBoolean("true") in the My Dev FA Account column, and then select Federated in User column .
- The Import tab in Oracle Fusion Applications performs full synchronization of users into Oracle Identity Cloud Service.
- By default, if a user is created through synchronization, Oracle Identity Cloud Service won't send Welcome notification to users created through Import. If you want Oracle Identity Cloud Service to notify user creation, then you need to manually enable notification for users synchronized using Import. See Notify User Creation During Import.
Create Account: Automatically creates an account in your Oracle Fusion Applications Cloud Service environment when the application is granted to the corresponding user in Oracle Identity Cloud Service.

Update Account: Automatically updates an account in Oracle Fusion Applications Cloud Service when the corresponding user account is updated in Oracle Identity Cloud Service.

De-activate Account: Automatically activates or deactivates an account in Oracle Fusion Applications Cloud Service when the corresponding user account is activated or deactivated in Oracle Identity Cloud Service.

Delete Account: Automatically deletes an account from Oracle Fusion Applications Cloud Service when the application access is revoked from the corresponding user in Oracle Identity Cloud Service.

Note: User Life cycle management is supported for this application.

Enable Synchronization

Configure the attribute match rule between users in Oracle Identity Cloud Service user and user accounts in Oracle Fusion Applications Cloud Service, the action Oracle Identity Cloud Service must perform when a user matches a user account, the batch size, and the synchronization periodicity.

On the Provisioning page, select Enable Synchronization,
From the User Identifier drop-down list, select the Oracle Identity Cloud Service user attribute that you want to match with the corresponding record fetched from Oracle Fusion Applications Cloud Service. If the Primary Email Address and User Name values of Oracle Identity Cloud Service users are same for your instance, then select the Primary Email Address option. Otherwise, select the User Name option.
From the Application Identifier drop-down list, select the Oracle Fusion Applications Cloud Service account attribute that you want to match with the existing Oracle Identity Cloud Service user. By default, the name option is selected that represents the UserName attribute of the Oracle Fusion Applications Cloud Service account. Don't change this default option.
From the When exact match is found drop-down list, select one of the following actions to perform when a matching Oracle Identity Cloud Service user is found for an account:

Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields.

Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields. You need to manually confirm the linked accounts.
In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.
In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be deleted during the synchronization run.
To specify a schedule for the synchronization, from the Synchronization Schedule drop-down list, select Never, Every Hour, Every Day, or Every Week.

After enabling provisioning and synchronization for Oracle Fusion Applications Cloud Service, you can synchronize the existing user accounts from Oracle Fusion Applications Cloud Service and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Import User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

You can manage Oracle Fusion Applications Cloud Service accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Manage Oracle Identity Cloud Service Users and Manage Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

Verify the Integration

Use this section to verify that Single Sign-On (SSO) and Single Log-Out (SLO) work when initiated from Oracle Identity Cloud Service (IdP Initiated SSO and IdP Initiated SLO) and when initiated from Oracle Fusion Applications Cloud Service (SP Initiated SSO and SP Initiated SLO).

Verify Identity Provider Initiated SSO from Oracle Identity Cloud Service

Access the Oracle Identity Cloud Service My Console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.
Sign in to the Oracle Fusion Applications Cloud Service application using credentials for a user that is assigned to the application in Oracle Identity Cloud Service. Oracle Identity Cloud Service displays a shortcut to Oracle Fusion Applications Cloud Service under My Apps.
Click an Oracle Fusion Applications Cloud Service app. The app page appears.
Confirm that the user that is logged in is the same for both Oracle Fusion Applications Cloud Service and Oracle Identity Cloud Service.

This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verify Service Provider Initiated SSO from Oracle Fusion Applications

Access an Oracle Fusion Applications Cloud Service app, for example, HCM using the URL: https://<tenantname>.hcm.<domain>/hcmCore/faces/HcmFusionHome. If you selected Enable Chooser Login Page, then click Company Single Sign-On. The Oracle Identity Cloud Service Sign In page appears.
Enter credentials for a user that is assigned to the Oracle Fusion Applications Cloud Service app, and then click Sign In. The corresponding Oracle Applications Cloud app home page appears.
Confirm that the user that is logged in is the same for both Oracle Fusion Applications and Oracle Identity Cloud Service.

This confirms that SSO initiated from Oracle Fusion Applications works.
Repeat the above steps for the CRM application at https://<tenantname>.crm.<domain>/customer/faces/CrmFusionHome, for the ERP application at https://<tenantname>.fin.<domain>/ledger/faces/FuseWelcome, and for the SCM application at https://<tenantname>.scm.<domain>/costManagement/faces/FuseWelcome.

Verify Identity Provider Initiated Single Log Out

On the Oracle Identity Cloud Service home page, click the user name in the upper-right corner, and then select Sign Out from the drop-down list.
On the Oracle Applications Cloud home page, perform any operation. The Login Page appears.

This confirms that logout works and that the user is no longer logged in to Oracle Fusion Applications and Oracle Identity Cloud Service.

Verify Service Provider Initiated Single Log Out

On the Oracle Applications Cloud home page, click the user name in the upper-right corner, select Sign Out from the drop-down list, and then click Confirm to sign out.
Access the Oracle Identity Cloud Service My Console, and then confirm that the login page appears.

This confirms that logout works and that the user is no longer logged in to Oracle Fusion Applications and Oracle Identity Cloud Service.

How to File a Service Request with My Oracle Support

Learn how to open Service Request with My Oracle Support to Enable Account Form in your Oracle Identity Cloud Service instance, and to configure SSO to your Oracle Fusion Applications release 13 version earlier than 19B (11.13.19.04).

Open Service Request to Enable Account Form

After integrating your Oracle Fusion Applications Cloud Service environment with an Oracle Identity Cloud Service instance for provisioning purposes, you can enable account form in Oracle Identity Cloud Service.

Refer to Enable Account Form IDCS / How to Enable Fusion Apps Application Template with Account Form & Entitlements Grant in Customer's Tenant (Doc ID 2582719.1) document in My Oracle Support.

File a service request with Oracle Support with the title Enable Account Form for Fusion Applications in Oracle Identity Cloud Service and include the following information:
- Your Oracle Identity Cloud Service instance details: Cloud Account name and base URL.
- Name of the Oracle Fusion Applications application in Oracle Identity Cloud Service.
- Data Center where your Oracle Identity Cloud Service instance is hosted.
- Expected No of Users.
- Customer Type. For example: POC, Trial, Foundation, Standard.
- Oracle Fusion Applications details: Cloud Account name and base URL.

Open Service Request to Configure SSO to Oracle Fusion Applications

If you use an Oracle Fusion Applications Cloud Service version earlier than 19B (11.13.19.04), then you need to open a service request in Oracle Support to integrate your environment with Oracle Identity Cloud Service for Single Sign-On purposes. In this scenario Oracle Identity Cloud Service acts as the identity provider for Oracle Fusion Applications Cloud Service.

Refer to How to Configure Federation SSO Between Fusion Application Cloud Environment (SAAS) And Oracle IDCS Cloud Environment (Doc ID 2369495.1) document in My Oracle Support.

File a service request with Oracle Support with the title Configure SSO Between Fusion Applications (sp) and Oracle Identity Cloud Service (idP) and include the following information:
- Your Oracle Identity Cloud Service metadata URL and the identity provider metadata XML file you downloaded in Download Oracle Identity Cloud Service Identity Provider Metadata section.

Upload Oracle Identity Cloud Service Signing Certificate. You download the Signing Certificate from the application's SSO Configuration tab in Oracle Identity Cloud Service. See Register and Activate Oracle Fusion Applications in Oracle Identity Cloud Service.
- Indicate the Oracle Fusion Applications Cloud Service user ID will be used for single sign-on (SSO).
- Request support to enable the Chooser Login Page for Oracle Fusion Applications Cloud Service.

Monitor your support ticket and provide any additional information requested by Oracle Support.
Oracle Support will add your Oracle Identity Cloud Service as an Identity Provider to your Oracle Fusion Applications Cloud Service environment.
Oracle Support will notify you when the task is complete, and send you a copy of your Oracle Fusion Applications Cloud Service PEM certificate. You’ll need this certificate to finish the configuration of your Oracle Identity Cloud Service instance. See Register and Activate Oracle Fusion Applications in Oracle Identity Cloud Service.

Notify User Creation During Import

By default, Oracle Identity Cloud Service doesn't send Welcome notification to users synchronized and created in Oracle Identity Cloud Service if you use the Import feature of the Oracle Fusion Applications application.

You can change this behavior by updating your Oracle Fusion Applications using REST API.

Find the application ID.
- Access Oracle Identity Cloud Service administration console, select Applications, and then click Oracle Fusion Applications in the list of applications.
- At the browser's address bar, find the application ID. The URL appears as per the following example: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/adminconsole?root=apps&app=<app_id>.
Request an access token to Oracle Identity Cloud Service. See Make Your First REST API Call.

Execute the following cURL command to update the application and change the value of the enableAuthSyncNewUserNotification attribute to true.

curl -k -X POST -H "Content-Type:application/scim+json" -H "Authorization: Bearer ACCESS_TOKEN" -d "{\"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:PatchOp\"],\"Operations\":[{\"op\":\"replace\",\"path\":\"urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:enableAuthSyncNewUserNotification\",\"value\":true}]}"  https://<IDCS-Service-Instance>.identity.oraclecloud.com/admin/v1/Apps/<app_id>

Note: Replace ACCESS_TOKEN with the token you acquired in step 2, <IDCS-Service-Instance> with the tenant name of your Oracle Identity Cloud Service, and <app_id> with the application ID from step 1.

Verify in the response the value of the enableAuthSyncNewUserNotification attribute is set to true.

After you perform the steps above, Oracle Identity Cloud Service sends a Welcome notification every time a user is created through synchronization.

Disable Oracle Fusion Applications Cloud Service Notification

If you enabled Oracle Identity Cloud Service to notify user creation, then you may need to disable Oracle Fusion Applications Cloud Service user account creation notification. If you don't disable Oracle Fusion Applications Cloud Service notification, then both services will notify users about the creation of their accounts.

Access Oracle Fusion Applications Cloud Service console, as an administrator.
In the console, click Security Console, click User Categories, click DEFAULT, and then click Notifications.
In the Notification Preferences page, click Edit, deselect Enable notifications, and then click Save. Alternatively you can disable the notification for the New user created event, by clicking the template name for this event, disabling, and then saving the event configuration.

Next time you synchronize user accounts from Oracle Fusion Applications Cloud Service into Oracle Identity Cloud Service, if a user is created in Oracle Identity Cloud Service, then Oracle Fusion Applications Cloud Service won't send the Welcome notification to the user's email address and Oracle Identity Cloud Service will notify the user creation.

Troubleshoot

Use this section to locate solutions to common integration issues.

Known Issues

Oracle Fusion Service displays the error, "System error. Please re-try your action. If you continue to get this error, please contact the Administrator."

Cause 1: The user name attribute sent to Oracle Identity Cloud Service during SSO doesn't match any existing user in Oracle Fusion.

Solution 1: Ensure that the user that you assign to the Oracle Fusion Applications Cloud Service application has an account in both Oracle Identity Cloud Service and Oracle Fusion Applications with the same user name.

Cause 2: The configuration setting in Oracle Applications Cloud console is not set correctly.

Solution 2: Verify that SSO in Oracle Applications Cloud console was configured correctly.

Oracle Identity Service displays the error, "You are not authorized to access the app. Contact your system administrator."

Cause: The SAML 2.0 integration between the Oracle Identity Cloud Service and Oracle Fusion Applications is deactivated.

Solution:

Access the Oracle Identity Cloud Service administration console, select Applications, and then select Oracle Fusion Applications.
Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Unknown Issues

For unknown issues, contact Oracle Support:

Go to https://support.oracle.com.
Select Cloud Support, and then sign in with your support credentials.
In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.
Select Oracle Identity Cloud Service as the service type.
Complete your service request.