How do I set up the SSO authentication?
You must use the Service Provider-initiated implementation method for your users to sign in to the iOS and Android installed apps with SSO. You can implement it using either SAML or OpenID authentication.
- Use the full URL of the login policy in the browser application: To construct the correct URL, use the instance URL followed by the login policy label, for example https://instance_name.fs.ocs.oraclecloud.com/login_policy_label/. Here, the instance name can be a name of your choice or one generated automatically upon provisioning. The login policy label is configured manually and can be found on the Login Policies page. When you use this option, enter the full URL of the login policy in the browser address bar and the application redirects you to an Identity Provider for further authentication.
- Use the instance name and login policy label in installed apps: In the iOS and Android installed apps you must specify the instance name followed by the login policy label on the Instance page. Enter the name in the {instance_name}/{login_policy_label} format. When you do this and click Next, the application redirects you to an Identity Provider for further authentication.
- Configure the URL through the MDM configuration file: Use this approach for Android and iOS installed applications. Here you must specify a URL in the {instance URL + login policy label} format within the configuration file managed by the MDM settings. When you open the app, the app uses this URL to navigate you to your Identity Provider for authentication. Within the MDM file, the instance URL must be in the format https://{instance_name}.fs.ocs.oraclecloud.com/saml_idp/. For example:
<?xml version="1.0" encoding="UTF-8"?>
<managedAppConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/com.mobileiron.onetouch/appconfig/appconfig.xsd">
  <version>123</version>
  <bundleId>com.oracle.ofsc.mobile</bundleId>
  <dict>
    <string keyName="instance.name_1">
      <defaultValue>
        <value>instance_name</value>
      </defaultValue>
    </string>
    <string keyName="instance.url_1">
      <defaultValue>
        <value>https://{instance_name}.fs.ocs.oraclecloud.com/saml_idp/</value>
      </defaultValue>
    </string>
  </dict>
</managedAppConfiguration>
When you configure the SSO authentication, users must click Sign in with SSO on the Sign in page and follow the instructions.
Domains for Production Environments
The end point of a production instance is formed from either the instance name (the 'instance_name' parameter in the example) or an alternate name, combined with one of the domain zones available for the environment:
- https://{instance_name}.fs.ocs.oraclecloud.com
- https://{instance_name}.etadirect.com
Domains for Test Environments
The rules for provisioning end points for test environments are almost the same as those for production instances. The only difference is that for test environments, the application automatically adds the '.test' suffix after the name, so that production and test environments are easy to distinguish. An example of an end point for a test environment is https://{instance_name}.test.fs.ocs.oraclecloud.com.
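As an added example (not part of the Oracle documentation), the following Python check reads an MDM file in the managedAppConfiguration layout shown above and verifies each instance.url_N value against the rules on this page before the file is pushed to devices: https only, a host made of the instance name in one of the documented domain zones (with the .test suffix for test environments), and the /saml_idp/ path. The sample XML and the instance name "acme" are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Domain zones the page lists for production instances; test instances insert ".test".
DOMAIN_ZONES = ("fs.ocs.oraclecloud.com", "etadirect.com")
# Constructed sample in the page's managedAppConfiguration layout ("acme" is a made-up
# instance name): entry 1 is correct, entry 2 uses plain http, entry 3 names the wrong host.
SAMPLE_MDM_XML = """<managedAppConfiguration>
  <version>123</version>
  <bundleId>com.oracle.ofsc.mobile</bundleId>
  <dict>
    <string keyName="instance.name_1"><defaultValue><value>acme</value></defaultValue></string>
    <string keyName="instance.url_1"><defaultValue><value> https://acme.fs.ocs.oraclecloud.com/saml_idp/ </value></defaultValue></string>
    <string keyName="instance.name_2"><defaultValue><value>acme</value></defaultValue></string>
    <string keyName="instance.url_2"><defaultValue><value>http://acme.etadirect.com/saml_idp/</value></defaultValue></string>
    <string keyName="instance.name_3"><defaultValue><value>acme</value></defaultValue></string>
    <string keyName="instance.url_3"><defaultValue><value>https://acme-old.fs.ocs.oraclecloud.com/saml_idp/</value></defaultValue></string>
  </dict>
</managedAppConfiguration>"""

def read_mdm_strings(xml_text):
    """Return {keyName: stripped value} for each <string> in the MDM <dict>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {s.get("keyName"): s.findtext("./defaultValue/value", "").strip()
            for s in root.iter("string")}
def expected_hosts(instance_name, test=False):
    """Hosts the page allows for an instance: {name}[.test].{zone} per domain zone."""
    suffix = ".test" if test else ""
    return {f"{instance_name}{suffix}.{zone}" for zone in DOMAIN_ZONES}
def check_instance_url(instance_name, url, test=False):
    """Validate one instance.url_N value; returns (ok, reason)."""
    p = urlparse(url)
    if p.scheme != "https":
        return False, "scheme must be https"
    if p.hostname not in expected_hosts(instance_name, test):
        return False, f"host {p.hostname!r} does not match {instance_name!r} in a documented zone"
    if p.path != "/saml_idp/":
        return False, "path must be /saml_idp/"
    return True, "ok"

def check_mdm_config(xml_text, test=False):
    """Pair instance.name_N with instance.url_N and check each; keyed by N."""
    strings = read_mdm_strings(xml_text)
    results = {}
    for key, name in strings.items():
        m = re.fullmatch(r"instance\.name_(\d+)", key)
        if m:
            url = strings.get(f"instance.url_{m.group(1)}", "")
            results[m.group(1)] = check_instance_url(name, url, test)
    return results
```

Running check_mdm_config(SAMPLE_MDM_XML) reports entry 1 as ok and flags entries 2 and 3; pass test=True when checking a file intended for a test environment.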
Example of How the Authentication Works
Assume that your identity provider is configured to accept requests from acme.fs.ocs.oraclecloud.com to perform SAML authentication. Also assume that there's a user that uses ofsc-1e800d.fs.ocs.oraclecloud.com, which is another valid address of your instance.
When the user tries to sign in to the instance, the application replaces ofsc-1e800d.fs.ocs.oraclecloud.com with acme.fs.ocs.oraclecloud.com in the request to the identity provider, which lets this user authenticate to the environment.