Introduction
Oracle Fusion-based SaaS Cloud environments can be extended in many ways. While customization is the standard activity to set up a SaaS environment for your business needs, chances are that you want to extend your SaaS for more sophisticated use cases.
In general, this is not a problem, and Oracle Cloud offers a great number of possible PaaS components for this. However, the user and login experience can be a challenge. Luckily, many Oracle Cloud PaaS offerings use a shared identity management environment to make the integration easier.
This article describes how the integration between Fusion-based SaaS and PaaS works in general and how easily the configuration can be done.
Background
At the moment, Oracle Fusion-based SaaS comes with its own identity management stack. This stack can be shared between Fusion-based SaaS offerings like Global Human Capital Management, Sales Cloud, Financials Cloud, etc.
On the other hand, many Oracle PaaS offerings use a shared identity management (SIM-protected PaaS) and can share it if they are located in the same data center and identity domain. If done right, integration of SIM-protected PaaS and Fusion-based SaaS for Federated SSO can be done quite easily.
Identity Domain vs Identity Management Stack
In Oracle Cloud environments the term identity is used for two different concepts, which can be quite confusing.
- Identity Domain – Oracle Cloud environments are part of an Identity Domain that governs service administration, for example, start and restart of instances, user management, etc. The user management always applies to the service administration UI but may not apply to the managed environments.
- Identity Management Stack – Fusion-based SaaS has its own Identity Management Stack (or IDM Stack) and is also part of an Identity Domain (for managing the service).
Federated Single Sign-On
As described in Cloud Security: Federated SSO for Fusion-based SaaS, Federated Single Sign-on is the major user authentication solution for Cloud components.
Among its advantages are a single source for user management, a single location for authentication data, and a chance for better data security compared to multiple, distinct siloed solutions.
Components
In general, we have two component groups we want to integrate:
- Fusion-based SaaS Components – HCM Cloud, Sales Cloud, ERP Cloud, CRM Cloud, etc.
- SIM-protected PaaS Components – Developer Cloud Service, Integration Cloud Service, Messaging Cloud Service, Process Cloud Service, etc.
The components within each group should share an Identity Domain. For seamless integration, both groups should be in the same Identity Domain.
Integration Scenarios
The integration between both component groups follows two patterns. The first pattern shows the integration of both component groups in general. The second pattern is an extension of the first, but allows the usage of a third-party Identity Provider solution. The inner workings for both patterns are the same.
Federated Single Sign-On
This scenario can be seen as a “standalone” or self-contained scenario. All users are maintained in the Fusion-based IDM stack and synchronized with the shared identity management stack. The SIM stack acts as the Federated SSO Service Provider and the Fusion IDM stack acts as the Identity Provider. Login of all users and for all components is handled by the Fusion IDM stack.
Federated Single Sign-On with Third Party Identity Provider
If an existing third-party Identity Provider should be used, the above scenario can be extended as depicted below. The Fusion IDM stack will act as a Federation Proxy and redirect all authentication requests to the third-party Identity Provider.
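As an added illustration (not code from the original article), here is how a Service Provider in the position of the SIM stack would check an incoming SAML assertion in both patterns. The point is that in the proxy pattern the SP still trusts only the Fusion IDM issuer; an assertion coming directly from the third-party Identity Provider is rejected, as is one minted for a different audience or outside its validity window. The entity IDs, timestamps and helper names are constructed assumptions, and XML signature verification is assumed to be done by the SAML library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Constructed placeholder entity IDs. The SIM stack is the SP; the Fusion IDM stack is
# the only IdP it trusts. In the proxy pattern the third-party IdP is only known to Fusion.
SP_ENTITY_ID = "https://sim.example.invalid/sp"
FUSION_IDP = "https://fusion-idm.example.invalid/idp"
THIRD_PARTY_IDP = "https://corp-idp.example.invalid/idp"   # not in the SP's trust list

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, trusted_issuers=(FUSION_IDP,), audience=SP_ENTITY_ID):
    """SP-side trust checks on a SAML Response; returns (ok, subject_or_reason).
    Assumes the XML signature was already verified by the SAML library."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:          # rejects a direct third-party assertion
        return False, "untrusted issuer " + issuer
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions"
    if not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:              # assertion was minted for a different SP
        return False, "audience mismatch"
    return True, assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()

def make_response(issuer, audience, subject="jdoe@example.invalid"):
    """Constructed, unsigned sample Response used only to exercise the checks above."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `validate_assertion(make_response(FUSION_IDP, SP_ENTITY_ID), "2024-01-01T12:01:00Z")` accepts the assertion, while the same call with `THIRD_PARTY_IDP` as issuer is refused even though the third-party IdP is a legitimate upstream in the proxy pattern.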
User and Role Synchronization
User and Role synchronization is the most challenging part of Federated SSO in the Cloud. Although a manageable part, it can be really challenging if the number of identity silos is too high. The lower the number of identity silos the better.
User and Role Synchronization between Fusion-based SaaS and SIM-protected PaaS is available for all environments created in October 2016 or later and can be configured in Fusion-based SaaS.
All configuration details and options are documented in Synchronizing Oracle Sales Cloud, Oracle HCM Cloud, and Oracle ERP Cloud User Identities and Roles to SIM.
Requirements and Setup
To get the seamless Federated SSO integration between SIM-protected PaaS and Fusion-based SaaS these requirements have to be fulfilled:
- All Fusion-based SaaS offerings should be in the same Identity Domain and environment (i.e., sharing the same IDM stack)
- All SIM-based PaaS offerings should be in the same Identity Domain and data center
- Fusion-based SaaS and SIM-based PaaS should be in the same Identity Domain and data center
These are just a few manageable requirements, which must be stated during the ordering process. Once this is done, the integration between Fusion-based SaaS and SIM-protected PaaS will be set up automatically.
Integration of a third-party Identity Provider is still an on-request, Service Request based task (see Cloud Security: Federated SSO for Fusion-based SaaS). When requesting this integration, it is strongly recommended to add the Federation SSO Proxy setup explicitly to the request.
References
- Cloud Security: Federated SSO for Fusion-based SaaS
- Synchronize Oracle Fusion Applications Cloud Service User Identities and Roles with a Traditional Account
- Where is the “Manage Third Party Applications” menu option in Fusion Applications Release 11?
- Learn About Federated SSO for Oracle PaaS with Oracle Fusion Applications Cloud Service (updated version of this blog)
Hi Olaf,
How does the User Role migration process differ for a SIM-protected PaaS Component like Process Cloud Service, if it were to be a non-seamless integration. The core requirement is to support PCS customers on subscription setting up a new account and moving their data and metadata from existing instances to the Cloud instances
Thanks
Ajay
Hi Ajay,
SIM does not have a public API for automated user synchronization/provisioning. If Fusion HCM is the source of truth (or where the users are born), then the documented approach is the best. If any third-party identity store is the source of truth, using IDCS would be a good choice.
Regards,
Olaf
Nice Article.
I have a question. If I have an application built on a mobile platform (say Android/iOS) and want to authenticate against the HCM identity management stack, what are the options I have?
Hi Uppi,
it depends on how you connect to HCM.
For normal UI usage, you can use these options, at the time of this writing:
1. HCM local login
2. Use any supported third-party Identity Provider that supports SAML 2.0 for HCM and mobile-aware Authentication or Authorization (OpenID Connect or OAuth) and is able to convert the tokens.
For REST API usage:
1. Basic Authentication
2. SAML or JWT Bearer token is supported. You may have to file a SR to get the signing certificate registered for the service.
Hope this helps,
Olaf
Thanks Olaf. I will try these options and let you know.