Single Sign-On Flows

There are two types of Single Sign-On flows: Identity Provider (IdP)-initiated and Service Provider (SP)-initiated.

Identity Provider (IdP)-initiated Flow

In the IdP-initiated flow, the user logs in first to the IdP. The person then requests access to the Service Provider (SmartOrg or career section) – often through an SSO Portal. The Identity Provider will initiate an SSO connection to the Oracle Taleo Enterprise Edition product and provide an assertion. The assertion contains the identity, attributes and entitlements of the requesting user. Oracle will grant access to the user based on the assertion information.

The image represents an Identity Provider (IdP)-initiated flow.


[Figure: Identity Provider (IdP)-initiated flow.]

The IdP-initiated flow is the most commonly used configuration.

When SSO is configured, the IdP-initiated flow is activated by default.

Multiple IdPs are supported for IdP-initiated flows. Each IdP can redirect users to the Service Provider (SmartOrg and career section). The Service Provider accepts requests from each IdP as long as the IdP is properly defined.

Service Provider (SP)-initiated Flow

In the Service Provider-initiated flow, the user accesses the Oracle Taleo Enterprise Edition product (SP) directly. For example, this can be done by typing the URL of the zone in the browser. The Service Provider then redirects the user to the Identity Provider. After authenticating the user, the IdP generates and sends an assertion back to the SP. The assertion contains the identity, attributes and entitlements of the requesting user. Oracle grants access to the user based on the assertion information.

The Challenge URL setting, depicted in the following illustration, is used to set up a Service Provider-initiated flow.


[Figure: Service Provider (SP)-initiated flow, showing the Challenge URL setting.]

The customer can optionally activate the SP-initiated flow as well.

For SP-initiated flow from SmartOrg, only one IdP can be configured. All SP-initiated requests from SmartOrg are redirected to this IdP.

For SP-initiated flow from career sections, by default all requests are redirected to a single default IdP. However, individual career sections can be set up to redirect requests to a different IdP.

The following illustration depicts a single Identity Provider, SmartOrg and single career section:


[Figure: a single Identity Provider, SmartOrg and a single career section.]

  • Users can access both SmartOrg and the career section from the IdP (IdP-initiated flows).

  • When users access SmartOrg directly, they are redirected to the IdP for authentication (SP-initiated flows).

  • When users access the career section directly, they are redirected to the IdP for authentication (SP-initiated flows).

Note: This is the most commonly used configuration.

The following illustration depicts an SSO setup with two Identity Providers, SmartOrg and three career sections:


[Figure: an SSO setup with two Identity Providers, SmartOrg and three career sections.]

  • Users can access both SmartOrg and each career section from IdP-01 (IdP-initiated flows).

  • Users can access both SmartOrg and each career section from IdP-02 (IdP-initiated flows).

  • When users access SmartOrg directly, they are redirected to IdP-02 for authentication (SP-initiated flows).

  • When users access career section 1 directly, they are redirected to IdP-01 for authentication (SP-initiated flows).

  • When users access career section 2 directly, they are redirected to IdP-02 for authentication (SP-initiated flows).

  • When users access career section 3 directly, they are not redirected to any IdPs. Instead, they are prompted for their credentials.

Note: This configuration is very rare.
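The two rules this page describes (the Service Provider accepts an IdP-initiated assertion only from a properly defined IdP, and an SP-initiated request is redirected to the single SmartOrg IdP, to a career section's own IdP, or to the default career-section IdP) can be modelled as a small routing table. The following Python is an added example, not Oracle Taleo code. It assumes that an IdP is "properly defined" when it is registered with an issuer identifier and a Challenge URL, that the Challenge URL is the IdP endpoint the SP redirects to in the SP-initiated flow, and that an assertion is represented as a dictionary carrying the issuer, the subject identity, attributes and entitlements; the issuer strings, URLs and the choice of IdP-02 as the default career-section IdP are constructed for the two-IdP illustration above.

```python
"""Routing model for the IdP-initiated and SP-initiated flows on this page.

Added example, not Oracle Taleo code.  Assumptions are marked in comments.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IdP:
    name: str           # label used in the SSO setup, e.g. "IdP-01"
    issuer: str         # issuer identifier expected in assertions (assumption)
    challenge_url: str  # Challenge URL the SP redirects to (assumption)


@dataclass
class SsoConfig:
    # Every properly defined IdP, keyed by its label.
    idps: Dict[str, IdP]
    # SP-initiated flow from SmartOrg: only one IdP can be configured.
    smartorg_idp: Optional[str] = None
    # SP-initiated flow from career sections: default IdP for all sections.
    default_career_idp: Optional[str] = None
    # Per-section override.  A value of None means the section does not
    # redirect at all and prompts the user for local credentials instead.
    career_overrides: Dict[str, Optional[str]] = field(default_factory=dict)


def resolve_sp_initiated(cfg: SsoConfig, target: str) -> Optional[str]:
    """Return the Challenge URL to redirect to for an SP-initiated request,
    or None when the target prompts for credentials locally."""
    if target == "SmartOrg":
        idp_name = cfg.smartorg_idp
    else:
        idp_name = cfg.career_overrides.get(target, cfg.default_career_idp)
    if idp_name is None:
        return None
    return cfg.idps[idp_name].challenge_url


def accept_idp_initiated(cfg: SsoConfig, assertion: dict) -> Optional[Tuple[str, str]]:
    """IdP-initiated flow: accept the assertion only if its issuer matches a
    properly defined IdP.  Returns (idp_name, subject) on success, else None.
    The assertion shape (issuer/subject/attributes/entitlements) is assumed."""
    issuer = assertion.get("issuer")
    subject = assertion.get("subject")
    if not issuer or not subject:
        return None
    for idp in cfg.idps.values():
        if idp.issuer == issuer:
            return idp.name, subject
    return None  # unknown issuer: the SP must not grant access


def two_idp_setup() -> SsoConfig:
    """The two-IdP illustration on this page, with constructed identifiers."""
    idp01 = IdP("IdP-01", "urn:example:idp-01", "https://idp-01.example/sso")
    idp02 = IdP("IdP-02", "urn:example:idp-02", "https://idp-02.example/sso")
    return SsoConfig(
        idps={idp01.name: idp01, idp02.name: idp02},
        smartorg_idp="IdP-02",            # SmartOrg redirects to IdP-02
        default_career_idp="IdP-02",      # assumed default for career sections
        career_overrides={
            "career-section-1": "IdP-01", # section 1 redirects to IdP-01
            "career-section-3": None,     # section 3 prompts for credentials
        },
    )


if __name__ == "__main__":
    cfg = two_idp_setup()
    for target in ("SmartOrg", "career-section-1", "career-section-2", "career-section-3"):
        print(target, "->", resolve_sp_initiated(cfg, target))
    print(accept_idp_initiated(cfg, {"issuer": "urn:example:idp-01", "subject": "jdoe"}))
    print(accept_idp_initiated(cfg, {"issuer": "urn:example:unregistered", "subject": "jdoe"}))
```

The point to check in a real deployment is the last branch of `accept_idp_initiated`: an assertion from an issuer that is not registered is rejected outright, regardless of what identity or entitlements it claims, and a career section with no IdP assigned falls back to the local credential prompt rather than to an arbitrary IdP.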