Setting up Single Sign-on Using Oracle Identity Cloud Service as an Identity Provider (for Classic EPM Cloud Only)

Oracle Identity Cloud Service, a comprehensive cloud-based identity management and security platform, supports a universal set of access controls, permissions, and password security constraints.

If you are on Classic Oracle Enterprise Performance Management Cloud, you can use Oracle Identity Cloud Service as the identify provider using the information in this section.

Activity flow in this SSO scenario:

  1. From a new browser session, a user accesses an EPM Cloud environment URL. Oracle Identity Cloud Service signin screen is displayed.
  2. The user enters an Oracle Identity Cloud Service user name and password.
  3. Oracle Identity Cloud Service authenticates the user. The EPM Cloud environment that the user requested is displayed. Access within the environment is determined by the service role assigned to the user.
  4. The user navigates to another environment that uses the same identity domain. Because the user is already authenticated, the requested environment is displayed without challenging the user for credentials.

For step-by-step instructions on configuring SSO using Oracle Identity Cloud Service, see Configuring Single Sign-On for Oracle Enterprise Performance Management Cloud.


  • A subscription to Oracle Identity Cloud Service.
  • Users who need SSO access were created in Oracle Identity Cloud Service.
  • Users who need SSO access were created and provisioned in the identity domains being configured for SSO.

    For detailed instructions to create and provision users, see "Adding Users and Assigning Roles" in Getting Started with Oracle Cloud.

Configuration Steps

Tasks to complete in Oracle Identity Cloud Service


Use Oracle Identity Cloud Service documentation to complete these steps.

For each EPM Cloud service for which you want to set up SSO, complete these actions:

  • Add the EPM Cloud service as a SAML application. Application links in the Oracle Identity Cloud Service SAML application should point to the test or production environment of a service. For example, create a SAML application for Planning with an application link to its test or production environment.

    If multiple environments share the same identity domain, you can create them as one SAML application or create a SAML application for each environment. Creating a SAML application for each environment allows you to invoke individual EPM Cloud environments.

    Complete these steps while creating each application:

    • Configure the SAML application for SSO.

      The entity id and assertion consumer URL must specify the identity domain for which SSO is being configured.

    • Download Oracle Identity Cloud Service application metadata and store it in a secure location. You will need to load this metadata into EPM Cloud while configuring the identity domain for SSO.
    • Assign users to the SAML application.
    • Activate the SAML application.
  • Import the signing certificates of the identity domain referenced by SAML applications.

    The signing certificate is generated from the identity domain that EPM Cloud service uses.

Tasks to complete in Classic EPM Cloud

For each identity domain that supports SSO, complete these actions:

  • Create Oracle Identity Cloud Service users as users in each identity domain and provision them.

    The Identity Domain Administrator can create users individually or use an upload file containing user data to create many users at once. See these topics in Getting Started with Oracle Cloud:

    Users who need to work with EPM Cloud client components; for example, EPM Automate, must be configured to maintain identity domain credentials. See Managing User Credentials in SSO-Enabled EPM Cloud Environments.

  • Enable SSO in EPM Cloud.

    See "Managing Oracle Single Sign-On" in Administering Oracle Cloud Identity Management.

    • Import the metadata of the Oracle Identity Cloud Service SAML application into the identity domain.
    • Export the signing certificate of the identity domain by selecting Signing Certificate from the drop-down list in the Configure your Identity Provider Information section.

      You must import the signing certificate into Oracle Identity Cloud Service.

    • Test the SSO configuration.
    • Start SSO.
  • Test SSO configuration by accessing EPM Cloud environments.