Testing single sign-on
After you've set up the identity provider in Oracle Eloqua, and the service provider in your single sign-on vendor platform, you are ready to test.
In addition to the testing instructions below, try to leverage any testing tools provided by your identity provider. These tools might help speed up the testing process.
Before you begin:
- In Oracle Eloqua, set up a single test user to test single sign on. Since Oracle Eloqua does not synchronize users with your identity provider, you must create a user account in Oracle Eloqua.
- The test user must meet the following criteria:
- Must exist in your identity provider’s user store.
- Must have their Oracle Eloqua user account set up. The user account must be configured with the user ID expected by the identity provider. For example, if the identity provider identifies users with their email address, the user must be configured with the same email address in both systems. What user account field is used to identify users depends on the User Identity Mapping you configured. For more on setting up a user account, see Creating individual users.
- We recommend turning on debug mode before you begin testing. This will provide additional error messages that will be useful for troubleshooting. To turn on debug mode, in Oracle Eloqua, open the identity provider. Click Edit and select the Debug Mode check box. After you finish testing, you should turn off this setting.
To test single sign-on:
- To manually login:
- In a browser, navigate to https://login.eloqua.com, and then click Sign in with single sign-on or another account.
- Enter your company name and click Sign In.
-
To login using the SAML auto-login method:
- In a browser, navigate to https://login.eloqua.com/auth/saml2/autologin?LoginPrefix={prefix}.
LoginPrefix values are a unique four-character code for your Eloqua instance. To add this parameter to your URL, enter LoginPrefix={prefix} where {prefix} is replaced with the four-character company name. You can obtain your company's login prefix in Eloqua by navigating to Settings > Display Preferences > Company Defaults.
If you have multiple identity providers, the default IDP will be used. Learn more.
- In a browser, navigate to https://login.eloqua.com/auth/saml2/autologin?LoginPrefix={prefix}.
-
This should redirect you to your single sign-on login page. If your browser already has a SAML session with the identity provider, you are logged in directly to Oracle Eloqua. Otherwise, login with the test user login credentials.
- You know that single sign-on worked if you are directed to Oracle Eloqua. If not, refer to the troubleshooting information below.
After you finish: If you are setting up single logout, you should configure single logout before setting up the rest of your users. Otherwise, continue to Setting up SSO users.
Troubleshooting
If you cannot login using your single sign-on credentials, you can try the following solutions:
- Verify the identity provider information that you configured in Oracle Eloqua. The identity provider settings must exactly match the information provided by the identity provider. These settings are case sensitive.
- If you receive the error "Your request either didn't include a SAML response or the SAML response was malformed", try the following:
- Ensure you have debug mode turned on. Debug mode should provide you with further error information. To turn on debug mode, in Oracle Eloqua, open the identity provider. Click Edit and select the Debug Mode check box.
- If you have debug mode turned on and you still receive the error, verify that Oracle Eloqua's entity ID is configured correctly in your identity provider. The entity ID is case sensitive.
- If you receive the error “Your user is unknown”, verify that the test user exists in Oracle Eloqua and that the account is setup with the user identity expected by the identity provider (for example, the same email addresses). The user identity in Oracle Eloqua must exactly match the user identity in the identity provider. How accounts are linked depends on how you setup the identity provider.
- If you receive the error "The signature of your request is invalid", the SAML response is signed with a different certificate than what was configured in Oracle Eloqua or the certificate expired. You must update the certificate in Oracle Eloqua. Learn more about checking for and updating expired certificates.