Managing User Credentials in SSO-Enabled EPM Cloud Environments

Once you have enabled Single Sign-On (SSO) in your environments, both Classic Oracle Enterprise Performance Management Cloud and OCI EPM Cloud give you two sign-in options — Company Sign-In (SSO) and Traditional Cloud Account Sign-In.

However, some Classic EPM Cloud client components, for example EPM Agent and EPM Automate, do not work with the SSO credentials that you use to access your organization's network resources; they sign in with identity domain (Traditional Cloud Account) credentials instead. Conversely, you may want to prevent users from signing in with Traditional Cloud Account Sign-In at all, so that they can sign in only through SSO.

The following sections describe how to ensure that the appropriate users can sign in only through SSO, and how to let specific users keep identity domain credentials where a client component requires them.

Classic Environments

In a Classic EPM Cloud environment, users can by default sign in only with SSO credentials. A user whose account is configured to maintain identity domain credentials sees both sign-in options when accessing an environment from a browser; all other users see only the SSO option. Enable this setting only for users who need identity domain credentials, such as those who run EPM Automate or EPM Agent.

To modify a Classic user account to maintain identity domain credentials:

  1. Sign into My Services (Classic) as an Identity Domain Administrator. See Accessing My Services.
  2. Click Users.
  3. Click Action next to the user whose account is to be modified to maintain identity domain credentials, and then select Modify.
  4. Select Maintain Identity Domain Credentials.
  5. Click Save.

OCI Environments

SSO-enabled OCI EPM Cloud environments automatically maintain identity domain credentials for their users. By default, OCI EPM Cloud users who access an environment from a browser see both sign-in options. To hide the Traditional Cloud Account Sign-In option so that browser users can sign in only through SSO, remove the Username-Password identity provider from the default IdP rule, as described below for each console. Note that the default IdP policy is not specific to EPM Cloud: check which applications it covers before changing it, and confirm that at least one administrator can sign in through the IdP before removing Username-Password, so that you do not lock yourself out if the IdP is misconfigured.

OCI Customers Using Oracle Cloud Identity Console:
  1. Sign into My Services (OCI). See Accessing My Services (OCI).
  2. Access Oracle Cloud Identity Console. See Accessing the Oracle Cloud Identity Console (IDCS).
  3. Expand the Navigation Drawer, click Security, and then click IDP Policies.
  4. In the Identity Provider Policies page, click the Action menu to the right of the default identity provider (IdP) policy, and then select Edit.
  5. To view IdPs assigned to the policy, click Identity Provider Rules.
    1. Click the Action menu for Default IDP Rule and select Edit.
    2. Scroll down to the Allowed Identity Providers section and remove Username-Password from the Assign Identity Providers box.
  6. Click Save.

OCI Customers Using Oracle Cloud Console (IAM):

  1. Sign into Oracle Cloud Console (IAM). See Accessing the Oracle Cloud Console (IAM).
  2. Click Security, and then click IdP policies.
  3. Click the default IdP policy.
  4. To view IdPs assigned to the policy, click Identity provider rules under Resources.
  5. Click the Action menu next to the default IdP rule, and then select Edit IdP rule.
  6. Remove Username-Password from the Assign identity providers box.
  7. Click Save changes.

Avoiding Password Expiry Emails

When user credentials are stored in the identity domain, the users receive password expiry emails when those passwords expire. If you set up SSO with an IdP after such users were created, their credentials remain in the identity domain and they continue to receive these emails. To stop storing these users' credentials in the identity domain, and thereby stop the expiry emails, delete the users and re-create them after enabling SSO. Before deleting a user, record the user's role assignments so that you can restore them on the re-created account.