Setting up SSO users
After you’ve verified your single sign-on setup, you must add your users to Oracle Eloqua. Users must be created in Oracle Eloqua in order to use single sign-on. Oracle Eloqua does not synchronize user accounts with your identity provider.
Note: The information below is intended for a single sign-on implementation that uses a SAML compliant identity provider. If you purchased the Oracle Eloqua Identity Cloud Service for Salesforce, see Salesforce SSO integration to enable single sign-on and automatically synchronize users with Salesforce.
Planning your user setup
- Identity the users that should have access to Oracle Eloqua.
- Identify the roles that these users should have in Oracle Eloqua and map those roles to your Oracle Eloqua security groups. Security groups manage what users can do within Oracle Eloqua. Learn more about security groups.
- Review the user account requirements for single sign-on users.
- Identify how you are going to add your single sign-on users to Oracle Eloqua. You can use the following methods:
User account requirements
If you are using single sign-on with an identity provider, users are not synced automatically with Oracle Eloqua. You must manually add users to Oracle Eloqua before they can use their single sign-on credentials to login to Oracle Eloqua.
At a minimum, Oracle Eloqua user accounts must include the following:
- First name
- Last name
- Email address
- User name
- User display name
In addition, each user account must be configured with the user ID expected by the identity provider. For example, if the identity provider identifies users with their email address, the user must be configured with the same email address in both systems. What user account field is used to identify users depends on the User Identity Mapping you configured.
The following table shows how the user identity mapping setting links to an Oracle Eloqua user account field.
| SAML assertion identity method | Oracle Eloqua user account field |
|---|---|
| User's Id |
Internal Eloqua ID
Note: You can only retrieve this ID using the Oracle Eloqua REST API. |
| Username from the user object | User Name |
| Email address from the user object | Email Address |
| Federation Id from the user object | Federation ID |
Enforcing SSO
When adding users to Oracle Eloqua, you can require that single sign-on is the only method to access Oracle Eloqua. If you do not enforce single sign-on, users can login using their Oracle Eloqua login credentials.
Consider using the following account settings if you decide to enforce single sign-on usage.
| Oracle Eloqua user account field | Setting |
|---|---|
| User Must Change Password at next login? | No |
| User's Password Expires? | No |
| User is SSO only? | Yes |
| Send New User Welcome Email? | No |
User account maintenance
After you add single sign-on users to Oracle Eloqua, take note of the following information:
- Single sign-on users must manage their passwords using the identity provider. Users cannot use Oracle Eloqua's password reset functionality.
- Oracle Eloqua password settings (such as password complexity or expiry settings) do not apply to single sign-on users.
- When users logout, you can set up a redirect page. Otherwise users are directed to the Oracle Eloqua login page when they logout. For more information, see Redirecting SSO users to a custom URL on logout.