Cloud Security: Seamless Federated SSO for PaaS and Fusion-based SaaS

Introduction

Oracle Fusion-based SaaS Cloud environments can be extended in many ways. While customization is the standard activity to set up a SaaS environment for your business needs, chances are that you want to extend your SaaS for more sophisticated use cases.

In general this is not a problem and Oracle Cloud offers a great number of possible PaaS components for this. However, user and login experience can be a challenge. Luckily, many Oracle Cloud PaaS offerings use a shared identity management environment to make the integration easier.

This article describes how the integration between Fusion-based SaaS and PaaS works in general and how easily it can be configured.

Background

At the moment, Oracle Fusion-based SaaS comes with its own identity management stack. This stack can be shared between Fusion-based SaaS offerings like Global Human Capital Management, Sales Cloud, Financials Cloud, etc.

On the other hand, many Oracle PaaS offerings use a shared identity management (SIM-protected PaaS) and can share it if they are located in the same data center and identity domain. If done right, integration of SIM-protected PaaS and Fusion-based SaaS for Federated SSO can be done quite easily.

Identity Domain vs Identity Management Stack

In Oracle Cloud environments the term identity is used for two different things, which can be quite confusing.

  • Identity Domain – Oracle Cloud environments are part of an Identity Domain that governs service administration, for example, start and restart of instances, user management, etc. The user management always applies to the service administration UI but may not apply to the managed environments.
  • Identity Management Stack – Fusion-based SaaS has its own Identity Management Stack (or IDM Stack) and is also part of an Identity Domain (for managing the service).

Federated Single Sign-On

As described in Cloud Security: Federated SSO for Fusion-based SaaS, Federated Single Sign-on is the major user authentication solution for Cloud components.

Among its advantages are a single source for user management, a single location for authentication data and a chance for better data security compared to multiple, distinct siloed solutions.

Components

In general, we have two component groups we want to integrate:

  • Fusion-based SaaS Components – HCM Cloud, Sales Cloud, ERP Cloud, CRM Cloud, etc.
  • SIM-protected PaaS Components – Developer Cloud Service, Integration Cloud Service, Messaging Cloud Service, Process Cloud Service, etc.

The components within each group should share one Identity Domain, and for seamless integration both groups should be in the same Identity Domain.

Integration Scenarios

The integration between both component groups follows two patterns. The first pattern shows the integration of both component groups in general. The second pattern is an extension of the first, but allows the usage of a third-party Identity Provider solution. The inner workings for both patterns are the same.

Federated Single Sign-On

This scenario can be seen as a “standalone” or self-contained scenario. All users are maintained in the Fusion-based IDM stack and synchronized with the shared identity management stack. The SIM stack acts as the Federated SSO Service Provider and the Fusion IDM stack acts as the Identity Provider. Login of all users and for all components is handled by the Fusion IDM stack.

[Figure SaaS-SIM-1: Fusion IDM stack as Identity Provider, SIM stack as Service Provider]

Federated Single Sign-On with Third Party Identity Provider

If an existing third-party Identity Provider should be used, the above scenario can be extended as depicted below. The Fusion IDM stack will act as a Federation Proxy and redirect all authentication requests to the third-party Identity Provider.

[Figure SaaS-SIM-IdP-2: Fusion IDM stack as Federation Proxy in front of a third-party Identity Provider, SIM stack as Service Provider]
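To illustrate the trust relationship that both scenarios above rely on, here is an added example (not code from this article or from Oracle's products) of the checks a SAML 2.0 Service Provider such as the SIM stack performs on an incoming assertion. The entity IDs, URLs and the sample assertion are constructed for the example. The point it shows is that in both patterns the SP trusts exactly one issuer, the Fusion IDM stack: even with a third-party Identity Provider behind the Federation Proxy, an assertion that the third-party IdP sends to the SP directly is rejected, as are assertions for another audience and stale or unsigned ones. Cryptographic verification of the XML signature is left to an XML-DSig library such as python-xmlsec; the example only requires that a signature element is present.

```python
"""SP-side checks on a SAML 2.0 assertion (added example, not Oracle code).

Namespaces and element names come from the SAML 2.0 standard; the entity IDs,
URLs and the sample assertion below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DSIG_NS}

# Constructed identifiers standing in for the stacks described in the article.
FUSION_IDM_ISSUER = "https://fusion-idm.example.com/oam/fed"  # the one trusted SAML issuer (IdP or Federation Proxy)
THIRD_PARTY_IDP = "https://idp.thirdparty.example.org/saml"  # trusted only by the Fusion IDM stack, not by the SP
SIM_SP_ENTITY_ID = "https://sim.example.com/sp"              # SIM stack acting as Service Provider
SIM_ACS_URL = "https://sim.example.com/sp/acs"               # the SP's assertion consumer endpoint


def _parse_time(value):
    # SAML carries xs:dateTime in UTC, e.g. 2016-10-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, trusted_issuer, sp_entity_id, acs_url, now, skew=timedelta(minutes=2)):
    """Return the list of policy violations; an empty list means the assertion passes.

    The XML signature itself must be verified with an XML-DSig library (e.g.
    python-xmlsec); here we only require a ds:Signature element so that an
    unsigned assertion fails early.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return ["document root is not a saml:Assertion"]

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        problems.append(f"untrusted issuer {issuer!r}")
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _parse_time(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= _parse_time(noa):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            problems.append(f"audience {audiences} does not include {sp_entity_id!r}")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append(f"recipient {scd.get('Recipient')!r} is not this SP's ACS URL")
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= _parse_time(noa):
            problems.append("subject confirmation expired")
    return problems


def sample_assertion(issuer, audience, recipient, not_on_or_after, signed=True):
    """Build a minimal constructed assertion for the checks above (not a real IdP response)."""
    sig = (f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>'
           if signed else "")
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c0ffee" Version="2.0" IssueInstant="2016-10-01T12:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>{sig}
  <saml:Subject>
    <saml:NameID>jdoe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-10-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


NOW = datetime(2016, 10, 1, 12, 1, 0, tzinfo=timezone.utc)  # fixed clock for the constructed samples


def scenario_results():
    """Run the SP checks for the two article scenarios plus two failure cases."""
    args = (FUSION_IDM_ISSUER, SIM_SP_ENTITY_ID, SIM_ACS_URL, NOW)
    good = sample_assertion(FUSION_IDM_ISSUER, SIM_SP_ENTITY_ID, SIM_ACS_URL, "2016-10-01T12:05:00Z")
    # Third-party IdP answering the SP directly: in the proxy pattern the Fusion IDM
    # stack is the only issuer the SP trusts, so this must be rejected.
    direct_idp = sample_assertion(THIRD_PARTY_IDP, SIM_SP_ENTITY_ID, SIM_ACS_URL, "2016-10-01T12:05:00Z")
    wrong_audience = sample_assertion(FUSION_IDM_ISSUER, "https://other-sp.example.com", SIM_ACS_URL, "2016-10-01T12:05:00Z")
    stale = sample_assertion(FUSION_IDM_ISSUER, SIM_SP_ENTITY_ID, SIM_ACS_URL, "2016-10-01T11:30:00Z", signed=False)
    return {
        "fusion_idm_direct": check_assertion(good, *args),
        "third_party_bypassing_proxy": check_assertion(direct_idp, *args),
        "wrong_audience": check_assertion(wrong_audience, *args),
        "stale_unsigned": check_assertion(stale, *args),
    }


if __name__ == "__main__":
    for name, problems in scenario_results().items():
        print(f"{name}: {'accepted' if not problems else problems}")
```

The trusted issuer, audience and recipient values are exactly what a federation trust between an IdP and an SP pins down during setup; the clock skew tolerance is a local policy choice and is kept small so that replayed assertions age out quickly.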

User and Role Synchronization

User and Role synchronization is the most challenging part of Federated SSO in the Cloud. Although it is manageable, it becomes really challenging when the number of identity silos is too high. The fewer identity silos, the better.

User and Role Synchronization between Fusion-based SaaS and SIM-protected PaaS is available for all environments created in October 2016 or later and can be configured in Fusion-based SaaS.

All configuration details and options are documented in Synchronizing Oracle Sales Cloud, Oracle HCM Cloud, and Oracle ERP Cloud User Identities and Roles to SIM.

Note: This documentation may contain an outdated navigation path in the section Register the SIM Endpoint. For Fusion Cloud R11 and later, the navigation path is Setup and Maintenance > Click the notepad symbol in the top right section of the screen > Manage Custom Setup Content. We're sorry about this inconvenience and hope it will be fixed soon.

Requirements and Setup

To get seamless Federated SSO integration between SIM-protected PaaS and Fusion-based SaaS, these requirements have to be fulfilled:

  • All Fusion-based SaaS offerings should be in the same Identity Domain and environment (i.e., sharing the same IDM stack)
  • All SIM-based PaaS offerings should be in the same Identity Domain and data center
  • Fusion-based SaaS and SIM-based PaaS should be in the same Identity Domain and data center

In short, these are just a few manageable requirements, which must be mentioned during the ordering process. Once this is done, the integration between Fusion-based SaaS and SIM-protected PaaS is set up automatically.

Integration of a third-party Identity Provider is still an on-request, Service Request based task (see Cloud Security: Federated SSO for Fusion-based SaaS). When requesting this integration, adding the Federation SSO Proxy setup explicitly to the request is strongly recommended!

Note: The seamless Federated SSO integration is a packaged deal and comes with a WebService-level integration that sets up the Identity Provider as the trusted SAML issuer, too. You can't get the one without the other.

Comments

  1. Nice Article.

    I have a question. If I have an application built on a mobile platform (say Android/iOS) and want to authenticate against the HCM identity management stack, what are the options I have?

    • Hi Uppi,
      it depends on how you connect to HCM.
      For normal UI usage, you can use these options, at the time of this writing:
      1. HCM local login
      2. Use any supported third-party Identity Provider that supports SAML 2.0 for HCM and mobile-aware Authentication or Authorization (OpenID Connect or OAuth) and is able to convert the tokens.

      For REST API usage:
      1. Basic Authentication
      2. SAML or JWT Bearer token is supported. You may have to file an SR to get the signing certificate registered for the service.

      Hope this helps,
      Olaf
