Creating People with SSO Enabled
When SSO is enabled, create people in People Management and in the external identity provider, and keep the configured sign-in mapping attributes aligned.
Creating people when SSO is enabled is generally the same as creating people without SSO. Use People Management to create the person in Simphony, assign the person's enterprise role and enterprise level, and then add any required employment details, application access, reporting data access, or point of sale operational settings. For federated people, also create the person in the external IdP.
High-Level Process
At a high level, creating a person includes the following actions:
- Create the person in People Management. See Add a Person.
- Create the corresponding person in the external IdP.
- Make sure the mapping attributes used for SSO match between Simphony and the IdP. Depending on your SSO configuration, the user name, email address, or both values must match.
When federation is enabled, new people are created as Federated by default. Users with the appropriate privilege can use the Federation Status list to create or update federated and non-federated people. Users without that privilege can create only federated people.
Note:
You cannot federate a person if another federated person already uses the same email address. Keep the email address unique for each federated person.
API Creation Summary
Oracle recommends using an integration, such as through the Labor API or the Configuration and Content API, to reduce human error when creating people in Simphony and in the IdP.
| API | Summary |
|---|---|
| Labor Management API | The Labor API includes the Use the flag to specify whether the person is federated. If the request does not include the flag, the enterprise default is used. Requests return an error if another federated person already uses the same email address. The Labor API cannot create a federated person in the Only POS Access role. |
| Configuration and Content API | The Configuration and Content API has no SSO-specific changes for creating people. It can create new people only in the Only POS Access role, and it does not include the Labor API federation status flag. |
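
The mapping-attribute and unique-email rules described above can be checked before an integration creates people. The following is an added example, not Oracle code: the record field names (`user_name`, `email`, `federated`), the sample data, and the case-insensitive comparison are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions for this example,
# not the Labor API or any IdP schema.
SIMPHONY_PEOPLE = [
    {"user_name": "asmith", "email": "asmith@example.com", "federated": True},
    {"user_name": "bjones", "email": "bjones@example.com", "federated": True},
    {"user_name": "bjones2", "email": "BJones@example.com", "federated": True},
    {"user_name": "kiosk1", "email": "asmith@example.com", "federated": False},
    {"user_name": "cwu", "email": "cwu@example.com", "federated": True},
]
IDP_USERS = [
    {"user_name": "asmith", "email": "asmith@example.com"},
    {"user_name": "bjones", "email": "bjones@example.com"},
    {"user_name": "cwu", "email": "c.wu@example.com"},
]

# Which attributes must match, depending on the SSO configuration.
MAPPING_FIELDS = {"user_name": ("user_name",), "email": ("email",),
                  "both": ("user_name", "email")}

def norm(value):
    # Assumption: compare case-insensitively, ignoring surrounding whitespace.
    return value.strip().lower()

def duplicate_federated_emails(people):
    """Emails used by more than one federated person (non-federated ignored)."""
    owners = defaultdict(list)
    for p in people:
        if p["federated"]:
            owners[norm(p["email"])].append(p["user_name"])
    return {email: names for email, names in owners.items() if len(names) > 1}

def unmatched_federated(people, idp_users, mapping="both"):
    """Federated people with no IdP user matching on the configured attributes."""
    fields = MAPPING_FIELDS[mapping]
    idp_keys = {tuple(norm(u[f]) for f in fields) for u in idp_users}
    return [p["user_name"] for p in people
            if p["federated"] and tuple(norm(p[f]) for f in fields) not in idp_keys]

if __name__ == "__main__":
    print("duplicate federated emails:", duplicate_federated_emails(SIMPHONY_PEOPLE))
    for mode in MAPPING_FIELDS:
        print(mode, "->", unmatched_federated(SIMPHONY_PEOPLE, IDP_USERS, mode))
```

Run it against exports from both systems with `mapping` set to the attribute or attributes your SSO configuration uses; any name returned is a federated person whose sign-in would not resolve to an IdP account.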