Federated Single Sign-On

Federated Single Sign-On (SSO) is an arrangement in which user sign-on information is stored in a separate identity management system (IDM). Identity Federation allows Oracle Identity Management to delegate user authentication to an external Identity Provider.

Important Identity Cloud Service Terminology

  • Identity Provider: An identity provider, also known as an "authentication authority", provides external authentication for users who want to sign into Identity Cloud Service using their external provider’s credentials.
  • Identity Provider Policy: An identity provider policy allows identity domain administrators, security administrators, and application administrators to define which identity providers are visible in the Sign In page.
  • Sign-On Policy: A sign-on policy allows identity domain administrators, security administrators, and application administrators to define the criteria that are used to determine whether to allow a user to sign in.

Transportation and Global Trade Management has multiple instances grouped under a single "Cloud Account". Configuration for enabling Federated SSO is done with Identity and Access Management within the Cloud Portal. When the setup is complete, user authentication is redirected from Oracle Identity Management to the external Identity Provider. The following diagram depicts a typical configuration with Federated SSO enabled.

A flow diagram showing a user connecting with OTM IDCS and then an External SSO. The External SSO authenticates users and communicates that back to the OTM IDCS. The OTM IDCS then connects to external applications, production, test, and Dev1 and Dev2 instances.

The high-level steps to configure Federated SSO are:
  1. Download the Identity Provider (IDP) metadata XML file from your External SSO system.
  2. Create an Identity Provider using the metadata XML file.
  3. Assign the new Identity Provider to the Default Identity Provider Policy.
  4. Assign the new Identity Provider to the Default Sign-On Policy.

The following My Oracle Support Note will help guide you through the process of configuring Federated SSO: "How to Set Up Federated SSO for OTM on GEN2 (Doc ID 2932400.1)".

Federated SSO is configured within the Oracle Cloud Portal. The menu navigation varies depending on the version of the Cloud Portal associated with your service. Please refer to the "Oracle Cloud Console" section for more details on how to determine the version of the Cloud Portal.

Oracle Cloud Classic (OCI)

  1. Click on the menu icon in the top left of the screen and select Users > Identity (Primary).
  2. Click on the “Identity Console” button on the far right side of the screen.
  3. Click on the hamburger menu on the top left and you should see a menu like the following. Expanding the “Security” sub-menu will reveal menu options for configuring Identity Providers and Sign-On Policies as shown below.
The Oracle Cloud Classic (OCI) user interface. A menu with the Security option expanded, showing Identity Providers as an option.

Oracle Cloud Console (OCI)

With the new Oracle Cloud Console, Identity Management for Oracle Cloud Services is under the menu option Identity & Security > Identity > Domains. Select the "root" Compartment. Click on the "Default" Domain. Clicking on the "Security" menu option will reveal menu options for "Identity Providers" and "Sign-On Policies" as shown below.

A screen showing a menu where Identity Providers is selected.

Refer to the Oracle Identity and Access Management documentation for more details on Identity Providers and Sign-On Policies.

Custom Identity Provider Policy

A screen showing the final step of adding an identity provider policy. The option displayed is to assign apps to the policy.

Custom Sign-On Policy

A screen showing the final steps of adding a sign-on policy. The Assign Apps button is the next step.

Configuring Custom Identity Providers and Sign-On Policies for Environments

The preferred approach for Oracle Transportation and Global Trade Management is to use the default Provider and Policy as documented in the previous section, which applies to all environments. However, it is possible to configure custom Identity Provider Policies and Sign-On Policies for each environment. This is done by creating new Identity Provider Policies and/or Sign-On Policies and assigning the corresponding Application in the last step of configuring the policies. There is an Application corresponding to each environment. The name of the Application is "OTMGTM_" followed by the environment name that was specified when creating the environment. A separate Disaster Recovery Application is created for the production environment in the Disaster Recovery region. Customers must also associate this Application with their custom Identity Provider Policy and Sign-On Policy to ensure business continuity.

Note: A new Application is also created for each environment during Quarterly Updates. The customer must associate this new Application with their custom Identity Provider Policy and Sign-On Policy immediately following the Quarterly Update.