Learn About Setting up SSO between Azure AD and Oracle Identity Cloud Service

When you move your E-Business Suite application to the cloud and provide access to the application through Microsoft Azure, then users have to sign in to Azure portal and also re-enter credentials to sign in to E-Business Suite applications.

Federated SSO makes the integration seamless and allows the users to authenticate only once to access multiple applications, without signing in separately to access each application.

Identity federation helps enterprises reduce cost, because user accounts don’t need to be created and managed separately in each identity management system. The user-synchronization process ensures that identities are propagated to all the federated systems.

Before You Begin

Before you begin to run an application in Microsoft Azure connected to a database in Oracle Cloud, understand the networking architecture for connecting workloads deployed on Oracle Cloud and Microsoft Azure.

See Learn about interconnecting Oracle Cloud with Microsoft Azure.


This architecture diagram covers a pattern for setting up SSO with Oracle applications like E-Business Suite in which Oracle Identity Cloud Service acts as a bridge between the applications and Azure AD. This setup enables scenarios in which users can host Oracle Database in Oracle Cloud Infrastructure while using Azure AD as their identity provider.

The diagram shows how the E-Business Suite Asserter and E-Business Suite interacts with Oracle Identity Cloud Service. The E-Business Suite Asserter is deployed to a separate Oracle WebLogic Server instance and it interacts with Oracle Identity Cloud Service through OpenID Connect (OIDC). The E-Business Suite Asserter redirects the user's web browser to Oracle Identity Cloud Service and to E-Business Suite.

Description of ebs-arch-diag.png follows
Description of the illustration ebs-arch-diag.png

Authentication Flow

When you run an application in Microsoft Azure connected to a database in Oracle Cloud, Azure AD can be the identity provider (IDP) to hold user credentials.

The following diagram shows the user authentication flow. Description of ebs-auth-flow.png follows
Description of the illustration ebs-auth-flow.png

A user accesses the E-Business Suite application directly by going to the E-Business Suite AppsLogin page or the My Apps portal. The following steps explain the authentication flow between the different components:

  1. The user requests access to an Oracle E-Business Suite protected resource.
  2. Oracle E-Business Suite redirects the user browser to the E-Business Suite Asserter application.
  3. The E-Business Suite Asserter uses an Oracle Identity Cloud Service SDK to generate the authorization URL and then redirects the browser to Oracle Identity Cloud Service.
  4. Oracle Identity Cloud Service redirects the user to Azure AD.
  5. The user provides the credentials needed to sign in to the application.
  6. After Azure AD performs user authentication, it generates a SAML token and sends it to Oracle Identity Cloud Service via browser.
  7. Oracle Identity Cloud Service consumes the authentication token, generates an OpenID Connect (OIDC) token, and issues the token to E-Business Suite Asserter.
  8. The E-Business Suite Asserter creates an Oracle E-Business Suite cookie and redirects the user browser to Oracle E-Business Suite.
  9. Oracle E-Business Suite presents the user requested protected resource.

Network Security and High Availability of E-Business Suite Asserter

To communicate with Identity Cloud Service, check if your E-Business Suite Asserter VM has a public IP address or if your asserter is behind a public load balancer, then make sure that the asserter can reach the Oracle Identity Cloud Service token endpoint.

For added security, you should place the E-Business Suite Asserter virtual machine in its own subnet within the Azure Virtual Network (VNet) and configuring the network security group (NSG) to control the network traffic flow.

Description of ebs-security-topology.png follows
Description of the illustration ebs-security-topology.png

About Required Services, Products and Roles

An Oracle Identity Cloud Service administrator must be able to access the Oracle Identity Cloud Service console to configure and activate applications.

You must have access to the following services and products:
  • Oracle Identity Cloud Service
  • Oracle Cloud Infrastructure
  • A fully functional Oracle's E-Business Suite instance deployed on Microsoft Azure
  • Microsoft Azure

These are the roles needed for each service.

Service Name: Role Required to...
Server administrator Configure E-Business Suite and change security settings
Identity domain administrator: Security administrator Register an application
Azure contributor or greater privileged account Get Azure subscription
Application administrator or Global administrator Handle configuration and set up on the Azure side

See Learn how to get Oracle Cloud services for Oracle Solutions to get the cloud services you need.