Configure Single Sign-On

To enable single sign-on in your environment, complete the settings in the Single Sign-on Configuration section on the Security Console. This configuration lets you enable a login page and set the page to which users are redirected after logging out of the application.

Do these steps:

  1. On the Security Console, click the Single Sign-On tab.

  2. In the Single Sign-On Configuration section, click Edit.

  3. Enter the Sign Out URL. Users are redirected to this page once they sign out from the application.

    Note: The Sign Out URL is the same for all the identity providers that you configure.

  4. If Enable Chooser Login Page isn't enabled already, select it to display the service provider's single sign-on page along with your company's login page.

  5. Click Save.

To configure Oracle Applications Cloud as the service provider, you must do the following:

  • Review the service provider details

  • Add an identity provider

  • Test the identity provider

  • Enable the identity provider

On the Security Console, go to the Single Sign-On tab and click Create Identity Provider.

Note: Oracle Cloud Applications support all SAML 2.0 compatible federation servers.

Review Service Provider Details

  • Service provider metadata. The URL references an XML file that you can download and view.

  • Service provider signing certificate.

  • Service provider encryption certificate.

You must share these details with the identity providers so that they can use them to configure your application as the associated service provider.

Add an Identity Provider

You can add as many identity providers as required to facilitate single sign-on for all your users. However, one of them must be the default identity provider.

Before you begin:

One of the important steps in adding an identity provider is to import the metadata content of the identity provider. The metadata file contains the authentication information and also the signing and encryption certificates of the identity provider. Make sure you have the metadata XML file or the URL readily available. Without the file, the setup isn't complete.

Note: Including the encryption certificate in the metadata file is optional.

  1. On the Security Console, click Single Sign-On > Create Identity Provider.

  2. On the Identity Provider Details page, click Edit and enter the identity provider details:

    • Provide a Name and Description for the identity provider. Ensure that the identity provider name is unique for the partnership.

    • Select the relevant Name ID Format. If you have an email as the name of the identity provider, select Email. Otherwise, leave it as Unspecified.

    • Enter the Relay State URL. Users are directed to this URL to sign in and authenticate, irrespective of which application they want to access.

    • Select the Default Identity Provider check box to make this identity provider the default one.

  3. Import the identity provider metadata:

    • If it's an XML file, click Browse and select it.

    • If it's available on a web page, select the External URL check box and enter the URL. The External URL isn't stored in this configuration and is used only for importing the identity provider metadata during identity provider creation or modification.

    Note: The metadata XML file must be Base64 encoded.

  4. Click Save and Close.

    Note: Oracle Applications Cloud can't be used as an identity provider.
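Before importing the identity provider metadata, it is worth checking that the file actually carries what the partnership depends on. The following script is an added example written for this page, not Oracle code: it accepts the metadata as raw XML or Base64-encoded (the form the import step requires), extracts the entityID, the single sign-on endpoints, the Name ID formats and the signing and encryption certificates, and lists anything that would leave the setup incomplete. The metadata document, the `idp.example.com` hostname and the certificate text are constructed placeholders.

```python
"""Inspect SAML 2.0 identity provider metadata before importing it.

Added example, not Oracle code. The metadata below is constructed; the
certificate body is a placeholder string, not a real key.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: one signing certificate, no encryption certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_base64(xml_text):
    """Encode metadata XML the way the import step expects it (Base64)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_metadata(blob):
    """Return the XML text from either raw XML or a Base64-encoded file."""
    stripped = blob.strip()
    if stripped.startswith("<"):
        return stripped
    try:
        compact = "".join(stripped.split())  # tolerate line-wrapped Base64
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("metadata is neither XML nor valid Base64") from exc


def summarize_idp_metadata(blob):
    """Extract entityID, endpoints, Name ID formats and certificates."""
    root = ET.fromstring(decode_metadata(blob))
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    summary = {"entity_id": root.get("entityID"), "sso_endpoints": [],
               "name_id_formats": [], "signing_certs": [], "encryption_certs": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return summary  # check_idp_metadata reports the missing endpoints
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # an absent 'use' means the key serves both purposes
        certs = [c.text.strip() for c in kd.iter("{%s}X509Certificate" % NS["ds"]) if c.text]
        if use in (None, "signing"):
            summary["signing_certs"].extend(certs)
        if use in (None, "encryption"):
            summary["encryption_certs"].extend(certs)
    summary["name_id_formats"] = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    summary["sso_endpoints"] = [(s.get("Binding"), s.get("Location"))
                                for s in idp.findall("md:SingleSignOnService", NS)]
    return summary


def check_idp_metadata(summary):
    """Return findings to resolve (or consciously accept) before Save and Close."""
    findings = []
    if not summary["entity_id"]:
        findings.append("entityID missing: the partnership cannot be identified")
    if not summary["sso_endpoints"]:
        findings.append("no SingleSignOnService endpoint (or no IDPSSODescriptor)")
    for binding, location in summary["sso_endpoints"]:
        if not (location or "").startswith("https://"):
            findings.append("SSO endpoint %s is not https: %s" % (binding, location))
    if not summary["signing_certs"]:
        findings.append("no signing certificate: assertions cannot be verified")
    if not summary["encryption_certs"]:
        findings.append("no encryption certificate (optional per the import note)")
    if EMAIL_FORMAT in summary["name_id_formats"]:
        findings.append("IdP offers emailAddress Name ID: choose Email as the Name ID Format")
    return findings


if __name__ == "__main__":
    s = summarize_idp_metadata(to_base64(SAMPLE_IDP_METADATA))
    print(s["entity_id"], s["sso_endpoints"])
    for finding in check_idp_metadata(s):
        print("-", finding)
```

Run against the constructed sample, the script reports the missing (optional) encryption certificate and points out that the identity provider advertises the emailAddress Name ID format, which maps to the Email choice in step 2. A missing signing certificate, by contrast, is a blocking finding, since the service provider has nothing to verify assertions with.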

Test the Identity Provider

Click the Diagnostics and Activation tab to verify that the identity provider you added works as expected.

  1. Click the Test button to run the diagnostics. The Initiate Federation SSO page appears.

  2. Click the Start SSO button. You're prompted to enter the user credentials of any user registered with the identity provider. The test validates whether federation single sign-on succeeds. The result summary includes the following details:

    • Status of authentication: success or failure

    • The attributes passed in the assertion

    • The assertion message in XML

You can review the log messages that appear in the Federation Logs section to identify any configuration issues with the identity provider.
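The three details in the test's result summary (authentication status, the attributes in the assertion, and the assertion XML) can all be read straight from the SAML Response the identity provider returns. The script below is an added example for this page, not Oracle code and not the Security Console's own diagnostics: it produces the same three details from a response, and goes one step beyond the summary by checking that the assertion's Audience matches the service provider entity ID you expect. Both responses, the `idp.example.com` and `sp.example.com` hosts, and the user and attribute values are constructed samples; signature verification is out of scope here.

```python
"""Summarize a SAML 2.0 Response the way the Initiate Federation SSO test does.

Added example, not Oracle code. Both responses below are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
for prefix, uri in NS.items():  # keep the familiar prefixes when serializing
    ET.register_namespace(prefix, uri)

# Constructed successful response carrying one assertion with two attributes.
SAMPLE_SUCCESS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/fed</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>hr</saml:AttributeValue><saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed failure: the identity provider rejected the login and sent no assertion.
SAMPLE_FAILURE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>
"""


def summarize_saml_response(xml_text, expected_audience=None):
    """Return status, Name ID, attributes and assertion XML, plus any findings."""
    root = ET.fromstring(xml_text)
    # Top-level StatusCode comes first in document order; nested codes explain a failure.
    codes = [c.get("Value") for c in root.iter("{%s}StatusCode" % NS["samlp"])]
    result = {
        "status": "success" if codes and codes[0] == SUCCESS else "failure",
        "status_codes": codes,
        "name_id": None,
        "attributes": {},
        "assertion_xml": None,
        "findings": [],
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        result["findings"].append("no assertion in response")
        return result
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        result["name_id"] = name_id.text
    for attr in assertion.iter("{%s}Attribute" % NS["saml"]):
        result["attributes"][attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    result["assertion_xml"] = ET.tostring(assertion, encoding="unicode")
    audiences = [a.text for a in assertion.iter("{%s}Audience" % NS["saml"])]
    if expected_audience and expected_audience not in audiences:
        result["findings"].append("audience %s does not match service provider %s"
                                  % (audiences, expected_audience))
    return result


if __name__ == "__main__":
    ok = summarize_saml_response(SAMPLE_SUCCESS, "https://sp.example.com/fed")
    print(ok["status"], ok["name_id"], ok["attributes"], ok["findings"])
    bad = summarize_saml_response(SAMPLE_FAILURE)
    print(bad["status"], bad["status_codes"], bad["findings"])
```

The nested StatusCode in the failure sample is where the reason for a failed test lives, so it is kept in `status_codes` alongside the top-level code. An audience mismatch is worth surfacing during the test because it means the identity provider was configured with a different service provider entity ID than the one in the service provider metadata you shared.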

Note: You must run the test whenever there's a change in the identity provider configuration.

Enable the Identity Provider

If everything looks fine, you can go ahead and enable the identity provider. While you're on the Diagnostics and Activation page, click Edit and select the Enable Identity Provider check box. The identity provider is now active.

Note: You can enable an identity provider only after you import service provider metadata into the identity provider.