Configure SSO Between Oracle Integration and Fusion Applications

There are three main approaches to configure SSO between Fusion Applications and Oracle Integration. Select the option that best fits your enterprise architecture and identity management needs.

Configure SSO with Oracle Fusion Cloud Applications Identity Domain

Oracle Fusion Cloud Applications identity domains can be used to deploy extensions and integrations, which includes provisioning Oracle Integration in the same domain.

As the Oracle Fusion Cloud Applications identity domain is an Oracle App type, it supports extension use cases at no extra cost and simplifies operations and governance. This approach removes the need for additional OCI IAM identity domains, reducing licensing costs and administrative overhead. The Fusion Applications identity domain is designated as the identity provider (IdP).

Once provisioned, all Fusion Applications users are automatically available for assignment to the Oracle Integration instance. SSO is enabled between Oracle Fusion Cloud Applications and Oracle Integration, and Oracle Integration can be configured to securely call Fusion Applications APIs using OAuth.

To create an Oracle Integration instance, log in to the OCI console using this identity domain. When users access the Oracle Integration URL, they are redirected to the Fusion Applications identity domain for authentication.

The following diagram illustrates the authentication flow:


Description of sso-fusion-apps-idm.png follows
Description of the illustration sso-fusion-apps-idm.png

For instructions on provisioning Oracle Integration within the Fusion Applications identity domain, see Provision a Oracle Cloud Integration Service into the Fusion Applications Identity Domain in the Explore More section.

Configure SSO with Oracle Fusion Cloud Applications Identity Domain and an External Identity Provider

If you already use an external identity provider, such as Microsoft Entra ID or Okta, you can extend it as the IdP for Oracle Fusion Cloud Applications and Oracle Integration. This centralizes user and access management, reducing duplication and administrative effort.

Other external identity providers can also be configured as the IdP for the Fusion Applications identity domain (as the service provider or "SP") using standard SAML-based integration.

The following diagram illustrates the authentication flow:


Description of sso-fusion-apps-idm-external-idp.png follows
Description of the illustration sso-fusion-apps-idm-external-idp.png

Configure Oracle Fusion Cloud Applications as a Service Provider and Microsoft Entra ID as External Identity Provider

Configure SSO by designating the Oracle Fusion Cloud Applications identity domain as the service provider (SP) and using an external identity provider, such as Microsoft Entra ID. Oracle Integration is provisioned within the Fusion Cloud Applications identity domain. For further details, see SSO Between OCI and Microsoft Entra ID in the Explore More section.

The following steps show you how to configure Fusion Cloud Applications identity domain as the service provider and Microsoft Entra ID as the external identity provider.

  1. Download the metadata from the Oracle Fusion Cloud Applications identity domain configured as the service provider. You require metadata to configure the SAML application in Entra ID.
  2. Create an Enterprise Application in Microsoft Entra ID specifically for OCI Console access. This will register a new enterprise application in Entra ID.
  3. Configure SSO for the Microsoft Entra ID enterprise app using the metadata from Oracle Fusion Cloud Applications identity domain and update the application's attributes and claims to use the user's email address as the identifier. Finally, download the federation metadata XML from Microsoft Entra ID.
  4. Register Entra ID as an IdP in the Fusion Applications identity domain by importing the federation metadata XML from Entra ID into the identity provider configuration. Then, update the IDP policy rules to include Entra ID.
    1. In the OCI console, click Identity and Security, then click Domains.
    2. Select your Oracle Fusion Cloud Applications identity domain.
    3. Navigate to Federation, then click the Actions menu.
    4. Click Add SAML IDP.
    5. Enter a name, description, and upload an identity provider icon.
    6. Upload the Microsoft Entra ID metadata XML file (downloaded earlier).
    7. Define the user attribute mappings, such as mapping NameID to UserName or Email.
    8. On the Review and Create page, verify the configuration details.
    9. Click Activate to enable the new identity provider.
    10. Create a new identity provider policy rule, or edit an existing one to assign the newly created SAML IDP to the appropriate rule to enable federated authentication.
  5. Test the SSO configuration to verify successful federated authentication between Microsoft Entra ID and the Oracle Fusion Cloud Applications identity domain.

Configure SSO with Fusion Applications Identity Domain, OCI IAM Identity Domain, and an External Identity Provider

SSO is configured with the Oracle Fusion Cloud Applications identity domain as the service provider and Microsoft Entra ID as the identity provider. Oracle Integration is provisioned within the Fusion Applications identity domain, enabling user authentication to flow from the identity domain to Microsoft Entra ID.

To further streamline authentication, a separate federation is established between the OCI Identity Domain (service provider) and Microsoft Entra ID (identity provider). This allows users to access OCI services with authentication routed through OCI IAM to Microsoft Entra ID, providing a unified SSO experience across Oracle and non-Oracle platforms.

OCI IAM identity domains offer comprehensive identity and access management, including authentication, SSO, and identity lifecycle management for SaaS, cloud-hosted, and on-premises applications—both Oracle and non-Oracle. In environments using OCI services, PaaS (such as Oracle Integration), and Oracle Fusion Cloud Applications, user groups may vary.

The Fusion Applications Identity Domain manages users and groups for Fusion Applications and Oracle Integration, while a separate OCI IAM Identity Domain centrally manages users who require access to OCI services like OCI Object Storage, OCI Logging, and OCI Functions.

The following diagram illustrates this authentication flow:


Description of sso-fusion-apps-idm-oci.png follows
Description of the illustration sso-fusion-apps-idm-oci.png

Configure OCI IAM Identity Domain as a Service Provider and Microsoft Entra ID as an Identity Provider

The following steps show how to configure an OCI IAM identity domain as the service provider and Microsoft Entra ID as an identity provider.
  1. Download metadata from the OCI IAM identity domain configured as the service provider. This metadata is required for configuring the SAML application in Entra ID.
  2. Create an Enterprise Application in Microsoft Entra ID specifically for OCI Console access. This will register a new enterprise application in Entra ID.
  3. Configure SSO for the Microsoft Entra ID enterprise app using the metadata from OCI IAM identity domain and update the application's attributes and claims to use the user's email address as the identifier. Finally, download the federation metadata XML from Microsoft Entra ID.
  4. Register Entra ID as an IdP in the OCI IAM identity domain by importing the federation metadata XML from Entra ID into the identity provider configuration. Then, update the IDP policy rules to include Entra ID.
    1. In the OCI console, click Identity and Security, then click Domains.
    2. Select your OCI IAM identity domain.
    3. Navigate to Federation, then click the Actions menu.
    4. Click Add SAML IDP.
    5. Enter a name, description, and upload an identity provider icon.
    6. Upload the Microsoft Entra ID metadata XML file (downloaded earlier).
    7. Define the user attribute mappings, such as mapping NameID to UserName or Email.
    8. On the Review and Create page, verify the configuration details.
    9. Click Activate to enable the new identity provider.
    10. Create a new identity provider policy rule, or edit an existing one to assign the newly created SAML IDP to the appropriate rule to enable federated authentication.
  5. Test the SSO configuration to verify successful federated authentication between Microsoft Entra ID and the OCI IAM identity domain.