Supported SAML Single Sign-On Profiles
Oracle Utilities requires Service Provider (SP)-initiated SSO. SP-initiated SSO allows users to bookmark pages. Also, if an Oracle Utilities session expires while a user still has a window open, SP-initiated SSO allows them to log in again and automatically return to the resource they are using. Performing SP-initiated SSO requires that the utility have a functional SSO URL that Oracle Utilities can access to begin the SSO process.
Oracle Utilities also supports Identity Provider (IdP)-initiated SSO. Utilities may create links that take users to specific pages on Digital Self Service - Transactions by passing these URLs in the SAML RelayState parameter. Utilities must send Oracle Utilities a valid URL as a RelayState parameter. Oracle Utilities will provide utilities with the appropriate URL for Digital Self Service - Transactions, which should be used as the default RelayState parameter.
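The RelayState paragraph above says the utility must send a valid Digital Self Service - Transactions URL and fall back to the default URL that Oracle Utilities provides. The following is an added illustration (not Oracle Utilities' own code) of the check a service provider applies before redirecting a browser to a RelayState value after a successful assertion: anything that is not an absolute https URL on the expected host is replaced by the default, which is what keeps RelayState from becoming an open redirect. The host names and the default URL are constructed placeholders; the real default is supplied by Oracle Utilities to each utility.

```python
from urllib.parse import urlsplit

# Constructed placeholders: in practice the default landing URL and the
# allowed host come from the values Oracle Utilities provides to the utility.
DEFAULT_RELAY_STATE = "https://dss.example-utility.com/transactions/home"
ALLOWED_HOSTS = {"dss.example-utility.com"}


def resolve_relay_state(relay_state):
    """Return the URL the browser should be sent to after SSO completes.

    The RelayState is honoured only if it is an absolute https URL whose host
    is on the allow-list; every other value (missing, relative, scheme-less,
    foreign host, userinfo tricks, control characters) falls back to the default.
    """
    if not relay_state:
        return DEFAULT_RELAY_STATE
    # Reject raw control characters and backslashes before parsing, since
    # browsers and parsers disagree on how to interpret them.
    if any(c in relay_state for c in "\r\n\t\\"):
        return DEFAULT_RELAY_STATE
    try:
        parts = urlsplit(relay_state)
    except ValueError:  # e.g. malformed IPv6 literal
        return DEFAULT_RELAY_STATE
    if parts.scheme != "https":  # also rejects "//host/path" and "http://"
        return DEFAULT_RELAY_STATE
    if parts.username or parts.password:  # "https://good.host@evil.host/" style values
        return DEFAULT_RELAY_STATE
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return DEFAULT_RELAY_STATE
    return relay_state


if __name__ == "__main__":
    # Constructed sample inputs exercising the accept and fall-back paths.
    for sample in [
        "https://dss.example-utility.com/transactions/bills",
        "https://dss.example-utility.com.evil.example/",
        "//evil.example/phish",
        "http://dss.example-utility.com/transactions/bills",
        "",
    ]:
        print(repr(sample), "->", resolve_relay_state(sample))
```

The allow-list is deliberately an exact host match rather than a suffix match, because a suffix check accepts look-alike hosts such as dss.example-utility.com.evil.example.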
Whether user access attempts employ IdP-initiated or SP-initiated SSO, utilities must ensure that their federation server only authenticates users that have permission to access Digital Self Service - Transactions.
For further information on SAML SSO profiles, see the Security Assertion Markup Language (SAML) V2.0 Technical Overview.
SAML Bindings
Identity Provider to Service Provider Binding
Oracle Utilities accepts SAML assertions from IdPs using the HTTP POST binding method. This means that all SAML assertions are sent as HTTP POST requests to the Oracle Utilities federation server. Oracle Utilities requires using HTTP POST and having the browser transmit the SAML assertion to the Oracle Utilities federation server. Oracle Utilities does not support artifact binding for SAML 2.0.
Service Provider to Identity Provider Binding
Oracle Utilities supports either HTTP redirect binding or HTTP POST binding when sending authentication requests to the IdP. By default, Oracle Utilities uses HTTP redirect binding. This means that when Oracle Utilities begins the SP-initiated SSO process, Oracle Utilities issues an HTTP redirect to the user's browser directing it to the Identity Provider. The Identity Provider federation service then receives an HTTP GET request from the user's browser and initiates the authentication process. Oracle Utilities does not support artifact binding on communication from Oracle Utilities to the Identity Provider.
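The two binding sections above describe the wire format of both directions: the IdP returns the assertion to Oracle Utilities by HTTP POST, and Oracle Utilities sends its authentication request to the IdP by HTTP redirect (or, optionally, HTTP POST). The following is an added example, not code from Oracle Utilities or any SAML library, showing what each binding does to the XML message per the SAML 2.0 Bindings specification: the redirect binding raw-DEFLATEs the message, base64-encodes it and URL-encodes it into the SAMLRequest query parameter, while the POST binding only base64-encodes it into a form field. The AuthnRequest and the IdP URL are constructed samples; signature handling (the SigAlg/Signature query parameters for redirect, an enveloped XML signature for POST) is noted in comments but not implemented.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, minimal AuthnRequest used only to show the encodings.
# A real request carries an Issuer, NameIDPolicy, and a signature.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example-utility.com/sso"/>'
)
IDP_SSO_URL = "https://idp.example-utility.com/sso"  # constructed placeholder


def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64.

    URL-encoding happens when the value is placed in the query string.
    A signed request adds SigAlg and Signature as further query parameters
    computed over the encoded SAMLRequest/RelayState/SigAlg string.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect(param):
    """Inverse of encode_redirect, as the IdP would apply to SAMLRequest."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def encode_post(xml):
    """HTTP-POST binding: base64 only, no compression.

    Used for SAMLRequest in an SP-to-IdP POST and for SAMLResponse in the
    IdP-to-SP POST; integrity comes from an XML signature inside the message.
    """
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post(field):
    """Inverse of encode_post, as the receiving federation server applies."""
    return base64.b64decode(field).decode("utf-8")


def build_redirect_url(idp_sso_url, xml, relay_state):
    """Compose the Location header value the SP sends the browser to."""
    query = urlencode({"SAMLRequest": encode_redirect(xml), "RelayState": relay_state})
    separator = "&" if urlsplit(idp_sso_url).query else "?"
    return f"{idp_sso_url}{separator}{query}"


def parse_redirect_url(url):
    """What the IdP sees on the resulting GET: (AuthnRequest XML, RelayState)."""
    params = parse_qs(urlsplit(url).query)
    return decode_redirect(params["SAMLRequest"][0]), params.get("RelayState", [None])[0]


if __name__ == "__main__":
    url = build_redirect_url(IDP_SSO_URL, AUTHN_REQUEST, "https://dss.example-utility.com/home")
    print("Redirect binding GET:", url)
    xml, relay = parse_redirect_url(url)
    print("IdP recovers RelayState:", relay, "and request matches:", xml == AUTHN_REQUEST)
    print("POST binding form field length:", len(encode_post(AUTHN_REQUEST)))
```

Because the redirect binding puts the whole request in a URL, it is only practical for small, compressed messages such as an AuthnRequest; a full signed assertion is far too large for a query string, which is why the IdP-to-SP direction uses HTTP POST.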