Managing User Credentials for SSO-Enabled Cloud EPM and Oracle Enterprise Data Management Cloud Environments

Once you have enabled Single Sign-On (SSO) in your environments, you get two sign-in options — Company Sign-In (SSO) and Traditional Cloud Account Sign-In.

However, some client components do not work with SSO credentials; for example:

  • The basic authentication used by EPM Agent and EPM Automate does not work with the SSO credentials.
  • Cross-environment connections do not work with the SSO credentials of the Service Administrator.

In these scenarios, it is crucial that the affected users (for example, the Service Administrator account used by EPM Automate, EPM Agent, or cross-environment connections) keep their identity domain credentials. At the same time, you may want all other users to be unable to sign in with Traditional Cloud Account Sign-In, so that they can sign in only through SSO.

The following instructions explain how to ensure that the appropriate users can sign in with SSO credentials, identity domain credentials, or both:

SSO-enabled Oracle Fusion Cloud Enterprise Performance Management and Oracle Enterprise Data Management Cloud environments automatically maintain the identity domain credentials. By default, when users access an environment from a browser, they see both sign-in options. If you do not want browser users to see the Traditional Cloud Account Sign In option, so that they sign in only with SSO, do the following. Note that this edits the default IdP policy, so the change applies to every user that policy covers; confirm that the accounts that still need identity domain credentials (such as the Service Administrator used for EPM Automate and cross-environment connections) can continue to authenticate before you remove the option.

  1. Sign into IAM Interface. See Accessing IAM Interface.
  2. Click Security, and then click IdP policies.
    (Screenshot: IdP Policy)
  3. Click the default IdP policy.
  4. To view IdPs assigned to the policy, click Identity provider rules under Resources.
  5. Select the IdP policy rule and click the Edit IdP rule action menu next to it.
    (Screenshot: Edit default IdP rule)
  6. Remove Username-Password from the Assign identity providers box.
  7. Click Save changes.

Avoiding Password Expiry Emails

When users' credentials are stored in the identity domain, those users receive password expiry emails whenever their passwords expire. If you set up SSO with an IdP after these users were created, and you do not want their credentials stored in the identity domain or want them to stop receiving password expiry emails, you must delete these users and re-create them after enabling SSO. Do not do this for users who must keep identity domain credentials, such as the Service Administrator account used by EPM Automate, EPM Agent, or cross-environment connections, and record each deleted user's roles and access beforehand so you can reassign them to the re-created user.