9 Single Sign-On

Your users are likely to access different internal and external applications to perform their tasks. They may require access to different applications hosted by partners, vendors, and suppliers. Certainly, users won't like authenticating themselves each time they access a different application. This is where you as the IT Manager can make a difference. You can provide your users with a seamless single sign-on experience, when you set up Oracle Applications Cloud as a single sign-on service provider.

Your users are registered with identity providers who store and manage their identity and credentials. In Security Console, you can add those identity providers so that you can verify those users without having to store that information.

Initial Login

On a typical working day, when users sign in for the first time, they request access to an application or a web page. Oracle Applications Cloud, which is set up as a service provider, sends a verification request to the user's identity provider, which is already added to the Security Console. The identity provider verifies the user credentials and sends the authorization and authentication response back to the service provider. After successful authentication, users are granted access to the required application or web page. Because the authentication is valid across your enterprise network, users don't have to sign in again when accessing different applications available on the same network. This entire trust chain between the service provider and the various identity providers is established using the Security Assertion Markup Language (SAML) 2.0 standards.

Final Sign-out

Single sign-on also applies to signing out of the enterprise network. When users sign out from one application, they're automatically signed out from all applications on the network. This is to prevent unauthorized access and to ensure that data remains secure all the time.

To enable single sign-on in your environment, complete the settings in the Single Sign-on Configuration section on the Security Console. This configuration lets you enable a login page and a page to which users are redirected after logging out of the application. If single sign-on is enabled in your environment but you don't want it, then you can disable it using the corresponding button. By default, this button is disabled.

Do these steps:

  1. On the Security Console, click the Single Sign-On tab.

  2. In the Single Sign-On Configuration section, click Edit.

  3. Enter the Sign Out URL. Users are redirected to this page once they sign out from the application.

    Note: The Sign Out URL is the same for all the identity providers that you configure.

  4. If Enable Chooser Login Page isn't enabled already, select it to display the service provider's single sign-on page along with your company's login page.

  5. Click Save.

To configure Oracle Applications Cloud as the service provider, you must do the following:

  • Add an identity provider

  • Review the service provider details

  • Test the identity provider

  • Enable the identity provider

On the Security Console, go to the Single Sign-On tab and click Create Identity Provider.

Note: Oracle Cloud Applications support all SAML 2.0 compatible federation servers.

Add an Identity Provider

You can add as many identity providers as required to facilitate single sign-on for all your users. However, one of them must be the default identity provider.

Before you begin:

One of the important steps in adding an identity provider is to import the metadata content of the identity provider. The metadata file contains the authentication information and also the identity provider's signing and encryption certificates. Make sure you have the metadata XML file or the URL readily available. Without the file, the setup isn't complete.

Note: Including the encryption certificate in the metadata file is optional.

  1. On the Security Console, click Single Sign-On > Create Identity Provider.

  2. On the Identity Provider Details page, click Edit and enter the identity provider details:

    • Provide a Name and Description for the identity provider.

    • Select the relevant Name ID Format. If you have an email as the name of the identity provider, select Email. Otherwise, leave it as Unspecified.

    • Enter the Relay State URL. Users are directed to this URL to sign in and authenticate, irrespective of which application they want to access.

    • Select the Default Identity Provider check box to make this identity provider the default one.

  3. Import the identity provider metadata:

    • If it's an XML file, click Browse and select it.

    • If it's available on a web page, select the External URL check box and enter the URL.

    Note: The metadata XML file must be Base64 encoded.

  4. Click Save and Close.
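As an added illustration (not code from Oracle's documentation or product), the following Python shows what the import step consumes: a Base64-encoded SAML 2.0 EntityDescriptor is decoded and checked for the parts the service provider depends on, the signing certificate (required), the encryption certificate (optional, as the note above says), the Name ID format, and the sign-on and sign-out endpoints. The metadata, host name and certificate body are constructed samples.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: fictitious host name, placeholder instead of a real X.509 body.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
# The Security Console expects the metadata file Base64 encoded, so wrap it that way.
SAMPLE_B64 = base64.b64encode(SAMPLE_METADATA.encode("utf-8")).decode("ascii")


def parse_idp_metadata(b64_metadata: str) -> dict:
    """Decode Base64 metadata and extract what the service provider relies on."""
    root = ET.fromstring(base64.b64decode(b64_metadata, validate=True))
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no identity provider (IDPSSODescriptor)")
    certs = {"signing": None, "encryption": None}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):  # no 'use' = both
            if use in certs and not certs[use]:
                certs[use] = cert
    if not certs["signing"]:  # without it, assertions from this IdP cannot be verified
        raise ValueError("metadata has no signing certificate")
    svc = lambda name: {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")  # binding -> Location
                        for e in idp.findall("md:" + name, NS)}
    return {  # the encryption certificate is optional, so None is reported, not rejected
        "entity_id": root.get("entityID"),
        "sso": svc("SingleSignOnService"),
        "slo": svc("SingleLogoutService"),
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_cert": certs["signing"],
        "encryption_cert": certs["encryption"],
    }
```

Passing the raw XML instead of its Base64 form fails at the decode step, which is the same mismatch the console's Base64 requirement guards against.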

Review Service Provider Details

The Service Provider Details and the Diagnostics and Activation tabs are enabled only if the identity provider details are entered. Click the Service Provider Details tab and review the following information available on the page:

  • ID of the service provider. In this case, it's the ID of Oracle Applications Cloud.

  • Service provider metadata. The URL references an XML file that you can download and view.

  • Service provider signing certificate.

  • Service provider encryption certificate.

You must share these details with the identity providers so that they can use them to configure your application as the associated service provider.

Test the Identity Provider

Click the Diagnostics and Activation tab to verify if the identity provider that you added works as expected.

  1. Click the Test button to run the diagnostics. The Initiate Federation SSO page appears.

  2. Click the Start SSO button. You're prompted to enter the user credentials of any user registered with the identity provider. The test validates whether the federation single sign-on is successful or not. The result summary includes the following details:

    • Status of authentication: success or failure

    • The attributes passed in the assertion

    • The assertion message in XML

You can review the log messages that appear in the Federation Logs section to identify if there are any configuration issues with the identity provider.

Note: You must run the test whenever there's a change in the identity provider configuration.

Enable the Identity Provider

If everything looks fine, you can go ahead and enable the identity provider. While you're on the Diagnostics and Activation page, click Edit and select the Enable Identity Provider check box. The identity provider is now active.

Note: You can enable an identity provider only after you import service provider metadata into the identity provider.

FAQs for Single Sign-On

Does the service provider store user passwords?

No. Passwords are stored with the identity providers. When a user signs in, the identity provider authenticates the password, authorizes the request to access an application, and sends that confirmation back to the service provider. The service provider then allows users to access the application or web page.

Can I set up an identity provider without enabling it?

Yes, you can set up an identity provider and test it thoroughly before enabling it. By default, an identity provider remains disabled. You can disable an identity provider at any time.

On the Security Console, go to Single Sign-On > Identity Provider Details page and make sure that the Enable Chooser Login Page check box is selected.

When your users access the main portal page, they can sign in using one of the following options:

  • The single sign-on credentials registered with the identity provider

  • The single sign-on credentials registered with their company

What should I do to extend the validity of certificates provided by the identity provider?

Pay attention to the notifications you receive about certificate expiry. Request your identity provider to share with you the updated metadata file containing renewed certificate validity details. Once you upload the metadata file, the validity of the certificate is automatically renewed. You will have to monitor this information at intervals to ensure that the certificates remain valid at all times.

How can the identity provider obtain renewed certificates from the service provider?

The identity provider can submit a service request to the service provider asking for the renewed signing and encryption certificates.

You must request access to the Administration Activity page using the URL provided to the administrators. Make sure you have the following privileges:

  • ASE_ADMINISTER_SSO_PRIV

  • ASE_ADMINSTER_SECURITY_PRIV

After you request access to the Administration Activity page, you get an email at your registered email ID containing a URL with the following format:

https://<FA POD>/hcmUI/faces/AdminActivity

Click the URL and you're directed to a secure Administrator Activity page. Select the Disable Single Sign On option and click Submit. You receive a confirmation that single sign-on is disabled. Immediately, you're redirected to the Oracle Applications Cloud login page where you can sign in using your registered user name and password.

What are the different events and notifications associated with the Single Sign-On functionality?

Automatic notifications are sent for the following events associated with single sign-on:

  • When an administrator requests access to the Administration Activity page to disable single sign-on

  • When the single sign-on functionality is disabled

  • When the external identity provider's signing certificate is about to expire

  • When the service provider's signing certificate is about to expire

  • When the service provider's encryption certificate is about to expire

Note: Notifications are sent to users who are assigned the Manage SSO privilege, as per the following schedule:

  • First notification - 60 days before the expiry date

  • Second notification - 30 days before the expiry date

  • Last notification - 10 days before the expiry date