Saturday, August 28, 2021

How to enable SSO between Fusion Application and IDCS with IDCS as IDP and Fusion as Service Provider

This is a very common use case: enabling SSO between Oracle Fusion and PaaS IDCS.

Companies generally have an SSO provider such as OneLogin or Okta (integrating IDCS with a third-party SSO provider will be covered in a separate post).

In this post we will see how to set up SSO between Fusion SaaS and IDCS.

We may need this for embedding VBCS pages in SaaS pages (which is separate from adding a VBCS link in Fusion), or for authenticating all Oracle applications from a single IDP.

One such use case: we have created a VBCS page and want to embed it in a standard Fusion page (in a frame).


We can follow the steps below to achieve this.

Note:

We need the following roles to perform the steps:

1). Fusion Application: IT Security Manager (ORA_FND_IT_SECURITY_MANAGER_JOB)

2). IDCS: Application Administrator and User Administrator roles

3). Fusion Application: an admin user to enable the IDP and SSO (this is the last step)

This post covers enabling SSO for Fusion Release 13.

There are three parts to the SSO enablement:

  • Fusion Application Setups
  • IDCS Setups
  • Testing and enabling SSO

 

Since we are making IDCS our IDP, we first need to download the IDCS metadata file:

  1. Sign in to the Oracle Identity Cloud Service console as an administrator.

  2. In the web browser address bar, enter the following URL to access the metadata: https://<IDCS-Tenant-Instance>.identity.oraclecloud.com/fed/v1/metadata, where <IDCS-Tenant-Instance> is the tenant name of your Oracle Identity Cloud Service instance.

  3. Save the XML content shown in your web browser to a file on your desktop with a name like idp_metadata.xml.

If we try step 2 without logging in we may get an error; the likely reason is that access to the signing certificate without logging in is not enabled in IDCS.

The screenshot below shows this error:

The metadata XML looks like the following screenshot:

Fusion Application Setups

Now we will create IDCS as an IDP in the Fusion application.

For this, log in to your Fusion application with the role mentioned at the beginning.

1. Go to Navigator -> Tools and click Security Console.

2. Click Single Sign-On in the left menu and, on the Single Sign-On page, click Create Identity Provider.

3. On the Single Sign-On Configuration: Identity Provider Details page, click Edit.

4. Provide the details below and, in the Import Identity Provider Metadata section, click Browse, browse to the Identity Provider metadata file on your desktop that you downloaded at the beginning (idp_metadata.xml), and then click Open.

  • Name: the name of the identity provider; it can't contain spaces or special characters. For example, OracleIdentityCloudService
  • Name ID Format: Unspecified
  • Default Identity Provider: Selected
  • Enable Chooser Login Page: Select this field so that the Oracle Fusion Applications Cloud Service administrator (local user) can still access the Oracle Applications Cloud console. Once you have a user in Oracle Identity Cloud Service that synchronizes with the Oracle Fusion Applications Cloud Service administrator account, you can deselect Enable Chooser Login Page.

     

Also provide a sign-out URL (where the browser should go after logging out of the application).

Click Save and Close.

On the Single Sign-On Configuration: Identity Provider Details page, click Service Provider Details, click the download icon for the Service Provider SHA 256 Metadata URL, and then save the file on your local desktop with a name like fa_sha256_metadata.xml.

Open the file downloaded in the previous step, fa_sha256_metadata.xml, locate the <dsig:X509Certificate> tag under <md:KeyDescriptor use="signing">, and copy the value between <dsig:X509Certificate> and </dsig:X509Certificate>.

The value to be copied is the text between the tags (highlighted in yellow in the screenshot), like this:

<dsig:X509Certificate>
      abcd1234EFGH5678ijklj0=
   </dsig:X509Certificate>

Create a new .pem file, paste the certificate text as shown below, and save the file with any name, for example fa_cert.pem.

Now open the same fa_sha256_metadata.xml file, locate the following, and make a note of each value (refer to the screenshots attached for each):

1. entityID
2. Assertion Consumer URL
3. Single Logout URL
4. Logout Response URL

• entityID: the entityID attribute in the <md:EntityDescriptor tag. Make a note of the value.

For example, if the fa_sha256_metadata.xml file contains:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
    ...
    entityID="https://eeho.login.us2.oraclecloud.com:443/oam/fed"
    validUntil="2029-07-23T06:24:39Z">

then the entityID value to note is https://eeho.login.us2.oraclecloud.com:443/oam/fed.

Refer to the screenshot below; the value will look like the following:



Assertion Consumer URL

Find the Location attribute of the <md:AssertionConsumerService element under the <md:SPSSODescriptor element, taking the element whose Binding attribute is "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".

It will look like this:

https://xxxx-dev3.login.us6.oraclecloud.com/oam/server/fed/sp/sso

Single Logout URL

Find the Location attribute of the <md:SingleLogoutService element under the <md:SPSSODescriptor element.
Make a note of the value from the element whose Binding attribute is "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".

It will look like this:

https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20

Logout Response URL

Take the value of the ResponseLocation attribute of the same <md:SingleLogoutService element under <md:SPSSODescriptor, that is, the element whose Binding attribute is "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".

It will look like this:

https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20
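The certificate copy, the PEM file and the four values above are all read out of the same fa_sha256_metadata.xml, so the hand steps can be scripted. The following Python script is an added example written for this post; it is not Oracle's tooling and not code from the original post. It assumes the input is the Service Provider SHA 256 metadata file described above, parses it with the standard library only, pulls the signing certificate from the KeyDescriptor with use="signing" (ignoring any encryption key), writes it in PEM form with 64-character lines, and picks the endpoints by their Binding attribute exactly as the steps above say. It also checks that the base64 decodes (a truncated copy-paste is the usual cause of an IDCS signature error) and that the metadata's validUntil has not passed. The embedded sample metadata is constructed: the hostnames are the post's xxxx-dev3 placeholders and the certificate body is not a real certificate.

```python
"""Extract from Oracle Fusion SP metadata (fa_sha256_metadata.xml) the values the
IDCS app registration asks for: signing certificate (as PEM), entityID, Assertion
Consumer URL (HTTP-POST), Single Logout URL and Logout Response URL (HTTP-Redirect).
Usage: python fa_metadata.py fa_sha256_metadata.xml   (no argument: built-in sample)"""
import base64
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "dsig": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: hostnames are the post's xxxx-dev3 placeholders and the
# certificate body is base64 of a text label, not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real certificate " * 3).decode()
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://xxxx-dev3.login.us6.oraclecloud.com:443/oam/fed"
    validUntil="2029-07-23T06:24:39Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>
        CERT_BODY
      </dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20"
        ResponseLocation="https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20"/>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://xxxx-dev3.login.us6.oraclecloud.com/oam/server/fed/sp/art"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xxxx-dev3.login.us6.oraclecloud.com/oam/server/fed/sp/sso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".replace("CERT_BODY", PLACEHOLDER_CERT)


def load_sp_metadata(xml_text: str) -> dict:
    """Parse SP metadata and return the values the post says to note down."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")

    # Only the KeyDescriptor with use="signing" goes into fa_cert.pem; a
    # use="encryption" key, if present, is deliberately skipped.
    cert_el = sp.find("md:KeyDescriptor[@use='signing']/dsig:KeyInfo/"
                      "dsig:X509Data/dsig:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        raise ValueError('no signing certificate under KeyDescriptor use="signing"')
    cert_b64 = "".join(cert_el.text.split())      # drop surrounding newlines/indent
    base64.b64decode(cert_b64, validate=True)     # a truncated copy fails here, not in IDCS

    acs = sp.find("md:AssertionConsumerService[@Binding='%s']" % POST, NS)
    slo = sp.find("md:SingleLogoutService[@Binding='%s']" % REDIRECT, NS)
    if acs is None or slo is None:
        raise ValueError("missing HTTP-POST AssertionConsumerService or HTTP-Redirect SingleLogoutService")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "assertion_consumer_url": acs.get("Location"),
        "single_logout_url": slo.get("Location"),
        # ResponseLocation is optional in SAML metadata; when absent it defaults to Location.
        "logout_response_url": slo.get("ResponseLocation", slo.get("Location")),
        "signing_cert_b64": cert_b64,
    }


def to_pem(cert_b64: str) -> str:
    """PEM armour with 64-character lines, the layout fa_cert.pem needs."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def metadata_is_current(valid_until: str, now_iso: str = None) -> bool:
    """validUntil bounds the whole document; past it, re-download rather than trust it."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(valid_until, fmt).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    return now < expiry


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = load_sp_metadata(text)
    for key in ("entity_id", "assertion_consumer_url", "single_logout_url", "logout_response_url"):
        print(f"{key}: {info[key]}")
    print("metadata still valid:", metadata_is_current(info["valid_until"]))
    print(to_pem(info["signing_cert_b64"]))   # redirect stdout to fa_cert.pem if wanted
```

Running it against the real file prints the four URLs to paste into IDCS and the PEM block; the base64 and validUntil checks fail loudly before anything reaches IDCS, which is easier to debug than a signature-validation error at test time.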



     

We would also need the landing page URLs of Fusion CRM, ERP, HCM, etc.

Alternatively, we can use the Fusion home page URL as the common landing URL for all of them, and after logging in to Fusion navigate to the respective modules.

The Fusion home page we will be using looks like this:

Fusion Application Homepage URL:

https://xxxx-dev3.fa.us6.oraclecloud.com/fscmUI/faces/AtkHomePageWelcome

At this point we are done with the initial setup on the Fusion application side.

Now we need to do the configuration in PaaS IDCS.

IDCS Setups

Here we will register and activate Oracle Fusion Applications in Oracle Identity Cloud Service to enable SSO between the Fusion environment and Oracle Identity Cloud Service.
Use the following steps for Oracle Fusion Applications Cloud Service Release 13 19B (11.13.19.04) and later versions.

Log in to the Oracle Identity Cloud Service administration console.

Click Applications, and then click Add.

A new window appears; select App Catalog.

Now search for the Oracle Fusion Applications app in the catalog and then click Add.

In the Details tab, update the name of the application as per your Oracle Fusion Applications Cloud Service environment's name. For example, XXXX Dev3 FA

By default, all Oracle Fusion Applications apps are selected (CRM, ERP, HCM, and SCM). Uncheck the apps that aren't required, and then click Next. Here we have checked ERP.

For the Application URL / Relay State, enter the "Assertion Consumer URL" that we obtained in the Fusion application setup task.

The value will be like:

https://xxxx-dev3.login.us6.oraclecloud.com/oam/server/fed/sp/sso

For each app-specific landing page URL (here it is ERP for us), we will use the Fusion application homepage URL that we noted in the last step of the Fusion application setup tasks.

The value will be like:

https://xxxx-dev3.fa.us6.oraclecloud.com/fscmUI/faces/AtkHomePageWelcome

Refer to the screenshot below:



Click Next. Now, in the SSO Configuration tab, enter the Entity ID that we noted in the Fusion application setup task.

The value will be like below:

https://xxxx-dev3.login.us6.oraclecloud.com:443/oam/fed

For Assertion Consumer URL, enter the "Assertion Consumer URL" that we obtained in the Fusion application setup task.

The value will be like below:

https://xxxx-dev3.login.us6.oraclecloud.com/oam/server/fed/sp/sso

 

Expand Advanced Settings and enter the following:

For the Single Logout URL, enter the Single Logout URL we noted in the Fusion application setup task.

The value will be like below:

https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20

For the Logout Response URL, enter the Logout Response URL we noted in the Fusion application setup task.

The value will be like below:

https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20

 

Optionally, in the Authentication and Authorization section, select the Enforce Grants as Authorization check box. When enabled, Oracle Identity Cloud Service validates the user's authorization status for the application: only users assigned to this application in Oracle Identity Cloud Service can access it.

Note:

The Enforce Grants as Authorization check box is not mandatory; here we want to verify the validation on users, so we have checked it.

We can leave it unchecked if we do not want IDCS to validate users' authorization status.

Refer to the screenshot below for entering the above values:

Click Next and then Finish.

Click Activate and then click OK in the Confirmation window. Oracle Identity Cloud Service displays a message that your Oracle Fusion Applications Cloud Service has been activated.

 

 



Since we have checked the Enforce Grants as Authorization check box in the Authentication and Authorization section, we need to assign users to this app in IDCS. Otherwise, testing this IDP from our Fusion environment (here Dev3) with a user who is not assigned to the app in IDCS gives the error shown below.

When Enforce Grants as Authorization is enabled, Oracle Identity Cloud Service validates the user's authorization status for the application. Only users assigned to this application in Oracle Identity Cloud Service can access the application.

Note:

If we do not check Enforce Grants as Authorization under Authentication and Authorization in the Fusion app we created in IDCS, then we do not need to assign users, and we will not get the error below while testing.

Also, if we go to the My Console of PaaS IDCS where we created the app, we will not be able to see this app unless a user is assigned to it.

It will look like below (since we have only one app created in IDCS so far and my user is not yet assigned to it):

So open the app we created in IDCS, "XXXX Dev3 FA".

Go to the Users tab as shown in the screenshot below:

Click Assign and then search for the user you want to assign. Select the user and click OK.

Now we can see this user in the assigned users list.

Now if we go to the IDCS My Console with this user, we will be able to see the application there.

 

 

Testing and enabling SSO

Now we will use the Oracle Fusion Applications console (here our Dev3 environment) to test the SSO configuration between the Oracle Fusion Applications Cloud Service environment and Oracle Identity Cloud Service, and then activate the identity provider.

Sign in to the Oracle Fusion Cloud Applications console, click Tools, then click Security Console, and then click Single Sign-On.

Now click the name of the identity provider we created for IDCS.

In the left menu, click Diagnostic and Activation, click Test, and then click Yes in the warning dialog. A new web browser window or tab opens to test SSO.
 
 
 
 
 

 


On the Initiate Federation SSO page, select the partner (our identity provider name) for Oracle Identity Cloud Service, and then click Start SSO. The Oracle Identity Cloud Service Sign In page opens.

Sign in to Oracle Identity Cloud Service using an Oracle Identity Cloud Service user's credentials. After a successful sign-in, the Federation SSO Operation Result page opens with information on the SSO integration.

On the Federation SSO Operation Result page, verify that SSO Primary Status Code has the status SUCCESS, and then close the new browser window or tab.

Refer to the screenshot below.

Now the last step is enabling our identity provider (IDP).

For this, on the Single Sign-On Configuration: Diagnostic and Activation page, click Edit, click Enable Identity Provider, and then click Save and Close.

We can see that our IDP is enabled now:

 

 

-----------------------------------------------------------------------------------------------------------------------

 

Now let us test by unchecking Enforce Grants as Authorization under Authentication and Authorization in the Fusion app we created in IDCS.

In this case we do not need user assignment to the app, so we will revoke the users.

Our IDCS My Console also won't show any apps for this user:

Now repeat the Federation SSO test steps from the Fusion application for our IDP, as we did earlier.

The Federation SSO Operation Result will look like below:

Since we have enabled SSO along with the Chooser Login Page, we get both options (SSO and local username/password login) when we try logging in.

For the current setup our login page looks like below:

We will cover Provisioning and Synchronization, and integration with a third-party SSO provider, in the next posts.