Oracle Enterprise Performance Management (EPM) is a robust cloud-based enterprise planning service. EPM is based on Hyperion Planning, and it supports a comprehensive suite of business activities including planning and budgeting, consolidation and close, account reconciliation, profitability and cost management, tax reporting, enterprise data management, and narrative reporting.
Single Sign-On (SSO) is a security activity that enables users belonging to an identity provider to access multiple services such as Oracle EPM Cloud, Oracle Fusion Cloud, etc.
Users use their corporate credentials to authenticate once, for example, to an EPM Cloud instance, and then seamlessly access other configured service providers such as Fusion Cloud or others without being challenged for credentials.
In this blog post we will provide an overview of the general SSO setup process, followed by a description of what’s needed to set up SSO between EPM and other applications (focusing specifically on Fusion Cloud, but the discussion applies elsewhere as well).
In general, the process of setting up SSO between any two applications requires the following steps:
Now that we understand the high-level flow, we can take a look at the specific steps required to enable SSO for EPM Cloud, and some of the gotchas along the way.
Most of the EPM tenants reside on what’s called Shared Identity Manager, or SIM. SIM is an older version of Identity Administration in Oracle Cloud, but most EPM customers use it if they purchase EPM standalone.
With SIM, the process of enabling SSO is documented in detail here; below are the high-level steps:
With these steps, the user can authenticate to the IdP once and access EPM Cloud and other configured apps, without having to log in again. For example, the customer could choose Oracle IDCS to be their Identity Provider, and have Fusion Cloud and EPM Cloud as two configured SPs, and the customer could log on to IDCS once and access both applications.
Now, this setup and these steps work for “most” of the EPM customers. But sometimes when a customer buys EPM along with Fusion, the provisioning process pre-configures SSO between EPM and Fusion, with Fusion as the IdP.
As mentioned above, Fusion Cloud comes with a fully-featured Identity Management System, and it can act as an IdP on its own.
Customers should check first if SSO has indeed been preconfigured. To confirm that, the easiest way is to look at the EPM access URL. The URL is of the form https://
While a pre-configured SSO is a good thing, sometimes it throws customers off because they cannot edit their SSO configuration in MyServices as mentioned above (on account of it being preconfigured).
If customers want, they can break this federation by logging an SR with Oracle, and after that they can edit the SSO configuration in MyServices. But breaking this federation is an irreversible activity, and customers should be doubly sure before going through with this.