How do I set up SSO authentication?

Important: This information applies only to Oracle Field Service environments. To verify whether you have Oracle Field Service or Oracle Fusion Field Service, sign in and check the About page.

You must use the Service Provider initiated implementation method to have your users use SSO to sign in to iOS and Android installed apps. You can implement it using either SAML or OpenID authentication.

These options are available to sign in using SAML or OpenID authentication:
  • Use the full URL of the login policy in the browser application: To construct the correct URL, use the environment URL followed by the login policy label. For example, https://environment_name.fs.ocs.oraclecloud.com/login_policy_label/. Here, the environment name can be a name of your choice or automatically generated upon provisioning. The login policy label is configured manually and can be found on the Login Policies page. When you use this option, enter the full URL of the login policy in the browser address bar and the application redirects you to an Identity Provider for further authentication.
  • Use the environment name and login policy label in installed apps: In the iOS and Android installed apps you must specify the environment name followed by the login policy label on the Environment page. Enter the name in the {environment_name}/{login_policy_label} format. When you do this and click Next, the application redirects you to an Identity Provider for further authentication.
  • Configure the URL through the MDM configuration file: Use this approach for Android and iOS installed applications. Here you must specify a URL in the {environment URL + login policy label} format within the configuration file managed by the MDM settings. When you open the app, the app uses this URL to navigate you to your Identity Provider for authentication. Within the MDM file, the environment URL must be in the format: https://{environment_name}.fs.ocs.oraclecloud.com/saml_idp/
    For example:
    <?xml version="1.0" encoding="UTF-8"?>
    <managedAppConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="/com.mobileiron.onetouch/appconfig/appconfig.xsd">
        <version>123</version>
        <bundleId>com.oracle.ofsc.mobile</bundleId>
        <dict>
            <string keyName="environment.name_1">
                <defaultValue>
                    <value>environment_name</value>
                </defaultValue>
            </string>
            <string keyName="environment.url_1">
                <defaultValue>
                    <value>https://{environment_name}.fs.ocs.oraclecloud.com/saml_idp/</value>
                </defaultValue>
            </string>
        </dict>
    </managedAppConfiguration>

When you configure the SSO authentication, users must click Sign in with SSO on the Sign in page and follow the instructions.

Domains for Production Environments

Each production environment might have several URLs depending on the provided alternate name and domain zones. These domains are always constructed from two parts:
  • either the environment name (referred to as the 'environment_name' parameter in the example) or an alternate name
  • domain zones available for an environment
The standard set of addresses for any environment is:
  • https://{environment_name}.fs.ocs.oraclecloud.com
For legacy environments that were created before June 2021, the domains are also registered within the etadirect.com zone:
  • https://{environment_name}.etadirect.com

Domains for Test Environments

The rules for provisioning endpoints for test environments are almost the same as those for production environments. The only difference is that for test environments, the application automatically adds the '.test' suffix after the name. This makes it easy to distinguish production and test environments. An example of an endpoint for a test environment is https://{environment_name}.test.fs.ocs.oraclecloud.com.
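
The MDM URL format and the production, legacy and test domain rules above can be checked before a configuration file is pushed to devices, so that the app is never pointed at a host outside your environment's zones. The following Python check is an added example, not Oracle's code; the function names, the assumption that an environment name is a single DNS label, and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Domain zones named on this page (etadirect.com: legacy environments only).
ALLOWED_ZONES = ("fs.ocs.oraclecloud.com", "etadirect.com")
# Assumption: an environment name is a single DNS label, like "ofsc-1e800d".
NAME = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")

def check_url(raw):
    """Return the problems found in one environment.url_N value ([] = OK)."""
    problems = []
    if raw != raw.strip():
        problems.append("surrounding whitespace")
    url = urlsplit(raw.strip())
    host = url.hostname or ""
    if url.scheme != "https":
        problems.append("scheme is not https")
    if url.netloc.lower() != host:
        problems.append("userinfo or port in authority")
    # Match on a full-label suffix so "<zone>.example.net" is rejected.
    zone = next((z for z in ALLOWED_ZONES if host.endswith("." + z)), None)
    if zone is None:
        problems.append("host outside allowed domain zones")
    else:
        name = host[: -len(zone) - 1].removesuffix(".test")  # test environments
        if not NAME.match(name):
            problems.append("unexpected environment name")
    if not url.path.strip("/"):
        problems.append("login policy label missing")
    return problems

def audit_mdm_config(xml_text):
    """Map each environment.url_N key in the MDM file to its problem list."""
    return {
        node.get("keyName"): check_url(node.findtext("defaultValue/value") or "")
        for node in ET.fromstring(xml_text).iter("string")
        if node.get("keyName", "").startswith("environment.url_")
    }

# Constructed sample, not a real configuration.
SAMPLE = """<managedAppConfiguration><dict>
<string keyName="environment.url_1"><defaultValue><value>https://acme.fs.ocs.oraclecloud.com/saml_idp/</value></defaultValue></string>
<string keyName="environment.url_2"><defaultValue><value> https://{environment_name}.fs.ocs.oraclecloud.com/saml_idp/ </value></defaultValue></string>
<string keyName="environment.url_3"><defaultValue><value>http://acme.fs.ocs.oraclecloud.com.example.net/</value></defaultValue></string>
</dict></managedAppConfiguration>"""
if __name__ == "__main__":
    for key, problems in audit_mdm_config(SAMPLE).items():
        print(key, "OK" if not problems else "; ".join(problems))
```

The second sample entry shows that an unreplaced {environment_name} placeholder is reported as an unexpected environment name, which catches a template that was deployed without being filled in.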

Example of How the Authentication Works

Assume that your identity provider is configured to accept requests from acme.fs.ocs.oraclecloud.com to perform SAML authentication. Also assume that there's a user that uses ofsc-1e800d.fs.ocs.oraclecloud.com, which is another valid address of your environment.

When the user tries to sign in to the environment, the application replaces ofsc-1e800d.fs.ocs.oraclecloud.com with acme.fs.ocs.oraclecloud.com in the request to the identity provider, which lets this user authenticate to the environment.