Learn About Federated SSO for Oracle PaaS with Oracle Fusion Applications Cloud Service

Oracle Fusion Applications Cloud Service can be extended in many ways. While you can customize Oracle Fusion Applications Cloud Service directly, you can often fulfill some of your requirements by leveraging PaaS to extend the service. Oracle Cloud offers a number of PaaS components to enable such extensions. To enable PaaS-SaaS integration, you can use federated single sign-on (SSO), possibly with some additional setup tasks, such as user identity synchronization. This article describes how the federated single sign-on integration between Oracle Fusion Applications Cloud Service and Oracle PaaS works, and the prerequisites for the required configuration.

About Federated SSO Architectures

Federated single sign-on is the major user authentication solution for Cloud components. Among its advantages are an improved user experience across Cloud services, the use of a single source for user management, the use of a single location for authentication data, and better data security compared to multiple and distinct siloed solutions.

About the Components in a Federated SSO Setup

The following are the component groups that you federate:

  • Oracle Fusion Applications Cloud Service components: Each instance of Oracle Fusion Applications Cloud Service has a dedicated identity management stack.

  • Oracle PaaS services: Services such as Oracle Developer Cloud Service, Oracle Integration Cloud, Oracle Messaging Cloud Service, and Oracle Process Cloud Service are protected by Oracle Identity Cloud Service.

One instance of Oracle Fusion Applications Cloud Service can be federated with one instance of Oracle Identity Cloud Service.

You can also federate with an identity provider outside Oracle Cloud (for example, a third-party, on-premises identity provider).

About Federated SSO with Traditional Cloud Accounts

When you want to use Single Sign-On (SSO) and, optionally, to synchronize user accounts, roles, and role assignments between a Traditional Cloud Account and your Oracle Fusion Applications Cloud Service, you need Federated SSO.

In this scenario, all users are maintained in the SaaS identity management stack and synchronized to the PaaS Traditional Account’s identity management stack. The SaaS stack can act as the Federated SSO Identity Provider, with the PaaS stack acting as the Service Provider. Login of all users and for all components is handled by the identity provider. You create users and roles and make role assignments in Oracle Fusion Applications Cloud Service. Optionally, you can synchronize user accounts, roles, and role assignments to your Traditional Account, where they are available for use by your applications deployed on Oracle Java Cloud Service - SaaS Extension.

If you want to use an identity provider outside Oracle Cloud, such as an on-premises identity management system, then your Oracle Fusion Applications Cloud Service, configured as the identity provider, can act as a federation proxy, and can redirect authentication requests to the identity provider outside Oracle Cloud. The other Oracle Cloud services consider the proxy that provides pass-through authentication as the actual identity provider, enabling seamless integration.

About Synchronizing Users and Roles

User and role synchronization between Oracle Fusion Applications Cloud Service and Oracle PaaS is supported for all environments.

When using Oracle Fusion Applications Cloud Service as the identity provider, the setup requires an administrator to configure a synchronization job in Oracle Enterprise Scheduler. This job can create, update, and delete user identities, roles, and role assignments in Oracle PaaS. Synchronization of roles and role assignments starts from Oracle Fusion Applications Cloud Service.

About Federated SSO Requirements and Setup

For seamless federated single sign-on (SSO) between Oracle PaaS and Oracle Fusion Applications Cloud Service, you must meet these requirements:

  • All the Oracle Fusion Applications Cloud Service instances must be in the same identity domain and environment. They must share the same identity management stack.

  • You can purchase the Oracle Fusion Applications Cloud Service offerings as individual services, or you can purchase them together as one deployment instance (sometimes called a pod).

When you order your services, keep these requirements in mind. After you configure SSO, you can set up the synchronization of users, roles, and role assignments.

Integrating with a third-party identity provider requires a service request (SR). When you request a third-party integration, you must mention Federation SSO Proxy setup in the SR.