Learn About Federated SSO for Oracle PaaS with Oracle Fusion Applications Cloud Service

Oracle Fusion Applications Cloud Service can be extended in many ways. While you can customize Oracle Fusion Applications Cloud Service directly, chances are that you can fulfill some of your requirements by leveraging PaaS to extend the service. Oracle Cloud offers a number of PaaS components to enable such extensions. To enable PaaS-SaaS integration, you can use federated single sign-on (SSO), possibly with some additional setup tasks such as user identity synchronization. This article describes how federated single sign-on between Oracle Fusion Applications Cloud Service and Oracle PaaS works, and the prerequisites for the required configuration.

Learn About Federated SSO

Federated single sign-on is the primary user authentication solution for Oracle Cloud components.

Among its advantages are a single source for user management, a single location for authentication data, and better control over credentials than multiple, distinct siloed solutions: users authenticate once at the identity provider, and the individual services never need to hold or verify passwords themselves.

Components

In general, we have two component groups we want to integrate:

  • Oracle Fusion Applications Cloud Service Components: The Oracle Fusion Applications Cloud Service services include their own Identity Management (IDM) stack.

  • PaaS Components: Oracle Cloud PaaS services, including Oracle Developer Cloud Service, Oracle Integration, Oracle Messaging Cloud Service, Oracle Process Cloud Service, and more. These components are protected either by Oracle Cloud Shared Identity Management (SIM) or by Oracle Identity Cloud Service.

With SIM, both component groups must be in the same Identity Domain for seamless integration. When that condition is met, Oracle preconfigures SSO when the services are provisioned.

With Oracle Identity Cloud Service, one instance of Oracle Fusion Applications Cloud Service can be federated with one instance of Oracle Identity Cloud Service, and both must be in the same Data Region.

Integrations between these two component groups use one of the following patterns. The first two Federated Single Sign-On patterns show the integration of the two component groups on their own and can be seen as standalone, self-contained scenarios. Federated Single Sign-On with Third Party Identity Provider extends either of them to allow the use of a third-party Identity Provider.

Federated Single Sign-On with SIM

In this scenario, all users are maintained in the SaaS IDM stack and synchronized to the PaaS SIM identity management stack. The SaaS IDM stack can act as the Federated SSO Identity Provider, with the SIM stack acting as the Service Provider. Login of all users, for all components, is handled by the identity provider.

Illustration: federated-sso.png

Federated Single Sign-On with Oracle Identity Cloud Service

In this scenario, all users are maintained in either the Oracle Fusion Applications Cloud Service IDM stack or Oracle Identity Cloud Service. When the Oracle Fusion Applications Cloud Service IDM stack is used to maintain users, it is the Identity Provider, and users are always created in the Oracle Fusion Applications Cloud Service IDM.

Illustration: federated-sso-idcs-sp.png

When Oracle Identity Cloud Service is the identity provider, the Oracle Fusion Applications Cloud Service IDM stack is the Service Provider; in this setup, you can create new users in either the identity provider or the service provider.

Illustration: federated-sso-idcs-ip.png

Roles and role assignments are always maintained in the Oracle Fusion Applications Cloud Service IDM stack and synchronized to Oracle Identity Cloud Service groups, even when Oracle Identity Cloud Service is the identity provider. Login of all users and for all components is handled by the identity provider.

Federated Single Sign-On with Third Party Identity Provider

If an existing third-party identity provider will be used, the other scenarios can be extended as depicted here. The Oracle Cloud service configured as the identity provider acts as a federation proxy and redirects all authentication requests to the third-party identity provider. Either the Oracle Fusion Applications Cloud Service IDM stack or Oracle Identity Cloud Service can serve this function.

Illustration: federated-sso-idp-third.png

About Synchronizing Users and Roles

User and role synchronization between Oracle Fusion Applications Cloud Service and Oracle PaaS is supported for all environments.

When Oracle Fusion Applications Cloud Service is the identity provider, an administrator configures a synchronization job in Oracle Enterprise Scheduler (ESS). This job can create, update, and delete user identities, roles, and role assignments in Oracle PaaS. When Oracle Identity Cloud Service is part of your environment, you also configure OAuth and endpoint applications in Oracle Identity Cloud Service. Synchronization of roles and role assignments always starts from Oracle Fusion Applications Cloud Service, even when Oracle Identity Cloud Service is the identity provider. In the most complex scenarios you may therefore need both: the Oracle Enterprise Scheduler job to synchronize roles and role assignments, and an Oracle Identity Cloud Service application to synchronize user identities.

About Federated SSO Requirements and Setup

For seamless federated single sign-on (SSO) between Oracle PaaS and Oracle Fusion Applications Cloud Service, you must meet these requirements:

  • All the Oracle Fusion Applications Cloud Service instances must be in the same identity domain and environment. They must share the same identity management stack.

  • You can purchase Oracle Fusion Applications Cloud Service as individual services, or you can purchase them as one deployment instance (sometimes called a pod). An Oracle Cloud account with Oracle Identity Cloud Service can federate with only one deployment of Oracle Fusion Applications Cloud Service.

When you order your services, keep these requirements in mind. After you configure SSO, you can set up the synchronization of users, roles, and role assignments.

Integrating with a third-party identity provider requires a service request (SR). When you request a third-party integration, you must mention Federation SSO Proxy setup in the SR.

Notes on Creating User Accounts

To successfully provision a user, you need to know where the user is created.

  • If the user is created in Oracle Fusion Applications Cloud Service and is ready for synchronization, all the workflows that Oracle Identity Cloud Service requires should have been completed and the user should carry all required attributes (for example, username and email address for synchronization by Oracle Identity Cloud Service, or username, email address, and person ID for the ESS synchronization job between Oracle Fusion Applications Cloud Service users and roles and Oracle Identity Cloud Service).

  • If the user is created in Oracle Identity Cloud Service, in an external identity provider, or in both, you will need to determine whether that user has also been provisioned in each associated application. An application might have additional, specific provisioning steps you need to perform before the "user" is a proper account in that application.
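As an added example, not code from Oracle or from this page, the following Python models the reconciliation that the synchronization job described under "About Synchronizing Users and Roles" has to perform, together with the readiness check implied by the first note above: a user exported from Oracle Fusion Applications Cloud Service is only synchronized when username, email address, and person ID are all present; roles and role assignments are treated as mastered in Oracle Fusion Applications Cloud Service and converged onto Oracle Identity Cloud Service groups; and accounts that exist on the Oracle Identity Cloud Service side but no longer in the source are deactivated rather than deleted. The sample data, the function and field names, and the use of the SCIM externalId attribute to carry the person ID are assumptions made for this example; the SCIM 2.0 User schema URN is the standard one, but nothing here is Oracle's job implementation.

```python
# Added example (not Oracle code): offline reconciliation plan for a
# Fusion Applications -> Oracle Identity Cloud Service user/role sync.
# All data, names and fields below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed export from the Fusion Applications IDM stack (hypothetical).
FUSION_USERS = [
    {"username": "jdoe",   "email": "jdoe@example.com",   "person_id": "300000001", "roles": ["Employee", "Buyer"]},
    {"username": "asmith", "email": "asmith@example.com", "person_id": "300000002", "roles": ["Employee"]},
    {"username": "pnew",   "email": "",                   "person_id": "300000003", "roles": ["Employee"]},  # not ready
]
FUSION_ROLES = ["Employee", "Buyer"]

# Constructed snapshot of the IDCS tenant before the job runs (hypothetical).
IDCS_USERS = {
    "asmith": {"email": "asmith@old.example.com", "groups": {"Employee", "Buyer"}},
    "leaver": {"email": "leaver@example.com", "groups": {"Employee"}},
}
IDCS_GROUPS = {"Employee"}

REQUIRED_ATTRIBUTES = ("username", "email", "person_id")


def missing_attributes(user: dict) -> List[str]:
    """Return the attributes the sync job needs that this Fusion user lacks."""
    return [a for a in REQUIRED_ATTRIBUTES if not user.get(a)]


def scim_user(user: dict) -> dict:
    """Build a SCIM 2.0 core User; the Fusion person ID is carried in externalId
    (an assumption of this example) so later runs can correlate the account
    even if the username changes."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user["username"],
        "externalId": user["person_id"],
        "emails": [{"value": user["email"], "type": "work", "primary": True}],
        "active": True,
    }


@dataclass
class SyncPlan:
    create_groups: List[str] = field(default_factory=list)
    create_users: List[dict] = field(default_factory=list)
    update_users: List[dict] = field(default_factory=list)
    add_members: List[Tuple[str, str]] = field(default_factory=list)
    remove_members: List[Tuple[str, str]] = field(default_factory=list)
    deactivate_users: List[str] = field(default_factory=list)
    skipped: Dict[str, List[str]] = field(default_factory=dict)


def plan_sync(fusion_users, fusion_roles, idcs_users, idcs_groups) -> SyncPlan:
    """Diff the Fusion export against the IDCS snapshot and return the operations
    to apply. Nothing is applied here; the plan is meant to be reviewed first."""
    plan = SyncPlan()
    # Roles are mastered in Fusion, so every Fusion role must exist as an IDCS group.
    plan.create_groups = sorted(set(fusion_roles) - set(idcs_groups))

    for user in fusion_users:
        gaps = missing_attributes(user)
        if gaps:
            # Not ready for synchronization: report it, do not half-provision.
            plan.skipped[user.get("username") or "<no username>"] = gaps
            continue
        name = user["username"]
        desired = set(user["roles"])
        current = idcs_users.get(name)
        if current is None:
            plan.create_users.append(scim_user(user))
            plan.add_members += [(name, g) for g in sorted(desired)]
            continue
        if current["email"] != user["email"]:
            plan.update_users.append(scim_user(user))
        # Role assignments are also mastered in Fusion: converge group membership.
        plan.add_members += [(name, g) for g in sorted(desired - current["groups"])]
        plan.remove_members += [(name, g) for g in sorted(current["groups"] - desired)]

    # Accounts on the IDCS side with no counterpart in the source (leavers).
    # Deactivate rather than delete so a bad or truncated export cannot destroy accounts.
    source_names = {u.get("username") for u in fusion_users}
    plan.deactivate_users = sorted(set(idcs_users) - source_names)
    return plan


if __name__ == "__main__":
    for op, items in vars(plan_sync(FUSION_USERS, FUSION_ROLES, IDCS_USERS, IDCS_GROUPS)).items():
        print(op, items)
```

Deactivating orphaned accounts is this example's choice; the ESS job described on this page can delete, so confirm which behaviour your job is configured for and review its plan (in particular the delete and remove-membership sets) before letting it run unattended against a production tenant.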