SSO with a SAML compliant identity provider

Oracle Eloqua uses the Security Assertion Markup Language 2.0 (SAML 2.0) standard to enable secure user authentication with your organization's single sign-on vendor. To enable Oracle Eloqua single sign-on, your single sign-on vendor must support SAML 2.0. Oracle Eloqua supports any SAML 2.0 compliant identity provider.

About service providers and identity providers

When planning to enable single sign-on, it is important to understand a few terms:

  • Service Provider: A website that hosts applications. When you enable single sign-on, Oracle Eloqua is the service provider.
  • Identity Provider: A trusted provider that can authenticate users and allow single sign-on to access other websites. Your single sign-on vendor is the identity provider. Oracle Eloqua cannot act as an identity provider.

User login with SSO

Oracle Eloqua supports both identity provider initiated logins and service provider initiated logins:

  • Identity provider initiated login: The user starts the login flow at the identity provider. In this case, the identity provider sends the authenticated login request to Oracle Eloqua.
  • Service provider initiated login: The user starts the login flow at Oracle Eloqua. In this case, Oracle Eloqua asks the identity provider to authenticate the user.

The following steps describe how a user logs in with a service provider initiated login (that is, a login that starts at Oracle Eloqua):

  1. The user browses to https://login.eloqua.com and selects Sign in with single sign-on or another account.
  2. Oracle Eloqua generates a SAML authentication request and redirects the browser to the identity provider.
  3. The identity provider decodes and extracts the information from the request, prompts the user for their identity provider credentials and authenticates the user.
  4. The identity provider generates a SAML response that contains an attribute to identify the Oracle Eloqua user. The response is digitally signed with the identity provider’s private key.
  5. The identity provider encodes the SAML response and state information, and returns it to the browser. The browser then sends this information to Oracle Eloqua.
  6. Oracle Eloqua verifies the SAML response using the identity provider’s public key, and logs the user into Oracle Eloqua.

SSO requirements

Before you enable single sign-on, review the following requirements:

  • Oracle Eloqua supports any SAML 2.0-compliant identity provider. Oracle Eloqua does not support SAML 1 authentication.
  • Oracle Eloqua requires SAML assertions to be signed using an X.509 certificate.
  • Oracle Eloqua does not support auto synchronization of user accounts. You must create your users in Oracle Eloqua for single sign-on to work.
  • Oracle Eloqua supports SHA-1 and SHA-256 algorithms.
  • Oracle Eloqua recommends SAML assertions that use HTTP POST binding.
  • Oracle Eloqua supports service provider initiated and identity provider initiated authentication requests. You can control whether to support both of these options in your implementation.
  • Oracle Eloqua cannot act as an identity provider.
  • Oracle Eloqua supports SAML single logout if supported by your identity provider. See Single logout for more information.
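
As an added example (not Oracle's code and not part of the original page), this Python pre-flight decodes a SAMLResponse form value as the HTTP POST binding carries it and checks it against the requirements above: SAML 2.0, a signed assertion, and a SHA-1 or SHA-256 signature algorithm. The function names, the RSA algorithm URIs and the sample message are assumptions constructed for illustration; the check is structural only and does not verify the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# XML-DSig URIs for the two digests the page lists (RSA keys assumed).
SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256"}


def preflight(saml_response_b64):
    """Structural checks only; this does NOT verify the signature itself."""
    xml = base64.b64decode(saml_response_b64, validate=True)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return None, ["DTD present: refusing to parse"]
    root = ET.fromstring(xml)
    problems = []
    if root.tag != "{%s}Response" % NS["samlp"] or root.get("Version") != "2.0":
        problems.append("not a SAML 2.0 Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, problems + ["expected one Assertion, found %d" % len(assertions)]
    # Only a Signature that is a direct child of the Assertion counts.
    sig = assertions[0].find("ds:Signature", NS)
    if sig is None:
        return None, problems + ["Assertion is not signed"]
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = SIG_ALGS.get(method.get("Algorithm") if method is not None else "")
    if alg is None:
        problems.append("signature algorithm is not SHA-1 or SHA-256 based")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (assertions[0].get("ID") or ""):
        problems.append("signature Reference does not cover this Assertion")
    return alg, problems


def constructed_response(alg_uri=None, ref="#_a1"):
    """Constructed sample, not a real IdP message; SignatureValue is a dummy."""
    sig = ""
    if alg_uri:
        sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo>'
               '<ds:SignatureMethod Algorithm="%s"/><ds:Reference URI="%s"/>'
               '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>'
               '</ds:Signature>' % (NS["ds"], alg_uri, ref))
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" Version="2.0">'
           '<saml:Assertion ID="_a1" Version="2.0">%s</saml:Assertion>'
           '</samlp:Response>' % (NS["samlp"], NS["saml"], sig))
    return base64.b64encode(xml.encode()).decode()
```

Run `preflight` on the SAMLResponse value captured from a test login to see which digest the identity provider used and whether the assertion itself carries the signature.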

Get started

Steps to enable SSO with a SAML compliant identity provider

Creating an identity provider in Oracle Eloqua

Configuring Oracle Eloqua as a service provider

Testing single sign-on

Learn more

Salesforce SSO integration

Setting up SSO users

Replacing expired certificates

Single logout

Redirecting SSO users to a custom URL on logout