Single Sign-On (SSO)
Overview
Oracle CPQ allows customers to use their corporate infrastructure for authentication and to automatically log into Oracle CPQ without the need for multiple logins and re-authentication. Oracle CPQ Single Sign-On (SSO) is configurable at the User and Partner Org levels. Four methods can be used:
- Federated Authentication via SAML (Security Assertion Markup Language): Users are managed with an Identity Provider or Portal (IDP) which supports SAML, so instead of visiting Oracle CPQ directly, users access this Identity Provider site before clicking on a link to access Oracle CPQ. For more information, refer to Federated Authentication via SAML.
- Remote Web Service: Users are also managed with an IDP, but one that doesn't support SAML. Partner applications can submit a login request through a SOAP API call to the Oracle CPQ Login web service. For more information, refer to Remote Web Service.
- Federated and Remote: This is a combination of the Federated Authentication and Remote Web Service methods.
- OpenID Connect: Users are managed using OpenID Connect (OIDC) as a Single Sign-On (SSO) option. OIDC is an extension of the existing OAuth Provider configuration available for use with Oracle Identity and Access Management (IAM)'s Identity Domains (formerly IDCS). OIDC adds an identity layer to OAuth 2.0 that enables a federated SSO solution between Oracle and Custom Applications configured in IAM. For more information, refer to OpenID Connect.
What is SAML 2.0?
SAML is an XML-based standard for securely exchanging user authentication and authorization information between IDPs and applications such as Oracle CPQ.
To see your SAML metadata, enter the following into your browser: yourcompanyname.oracle.com/sso/spmetadata.jsp
You need this information to register Oracle CPQ as a service provider within an IDP.
What is an Identity Provider (IDP)?
Identity providers are sites or services that provide a security credential (such as an authentication or authorization assertion) on behalf of a user. In some cases this security credential may contain a set of attributes like a user's name or an employee number identifier.
An External ID is often used if a customer's security policy does not allow the username to be sent out of the IDP. Instead, the IDP sends out some other form of identification (employee number, alias, and so on) which has to match the External ID field in the User Object.
What is an Assertion?
An assertion carries authentication and authorization statements, or credentials, about a user that the IDP claims to be true. In this case, this information is sent to Oracle CPQ to be verified against your SSO configuration.
For example, an assertion encodes the following information:
The assertion ("1d2v5") was issued at time "2004-12-05T09:22:05Z" by identity provider (https://idp.example.org/SAML2) regarding subject (user 123) exclusively for service provider (https://sitename.oracle.com/SAML2).
The authentication statement, in particular, asserts the following:
The user identified in the <saml:Subject> element was authenticated at time "2004-12-05T09:22:00Z" by means of a password sent over a protected channel.
Likewise, the attribute statement asserts that:
The user identified in the <saml:Subject> element is a staff member at this institution.
Assertion Time and IDPs
Assertion time, also known as a heartbeat, TimeToLive, or NotOnOrAfter, is used by an IDP to check if an IDP session is still active. If you have specified an assertion time on your IDP, Oracle CPQ will use it to check if the IDP session is still active.
Assertion time is independent of the Oracle CPQ session timer (which is set internally by Ops), and elapses regardless of whether the time is spent idle or not.
- If the IDP session is still active, the Oracle CPQ session continues and the assertion timer resets and starts over again.
- If the IDP session is no longer active, the user is automatically redirected to the IDP login page to renew the IDP session. This will, in turn, renew the Oracle CPQ session as well.
- A user cannot bypass an expired assertion time by returning to an Oracle CPQ page. If a user tries to do this, they are redirected back to the IDP login page. If the IDP session is not renewed within two minutes, the IDP logs the user out of the Oracle CPQ session.
- When an IDP assertion check occurs, the user’s Oracle CPQ page refreshes briefly. After asserting the IDP session is still active, the user is taken back to the Oracle CPQ page they were on, but unsaved work will be lost.
- If an IDP assertion check occurs while the user is on a Transaction, and the IDP session has been confirmed as still active, the user is taken to an Access Denied page. From that page, the user has the option to Go Home. The user can then return to the Transaction from the Home Page.
Best practice suggests that the assertion time should be a very long time, usually several hours. The assertion time is set in the IDP.
SSO Integration Criteria
- Size: Small
- Frequency: Triggered during each login
- Format: SAML 2.0 or SOAP Web Service
- Transmission Synchronization: Synchronous
Automatic IDP Redirect
You can choose to automatically redirect users without an active Oracle CPQ session to the IDP login page, without having to append /sso/saml_request.jsp to the URL. The IDP login page becomes, in effect, the official login page for that Oracle CPQ site. This option is implemented for an entire site.
With this option enabled, if a user manually enters the URL for a specific Oracle CPQ page, they will still be taken to the IDP login page. However, relay logic is put in place so that the user is automatically directed to the desired endpoint (the specific Oracle CPQ page) after login.
Logging out of an Oracle CPQ session will do one of two things:
- If the user no longer has an active IDP session, the user is redirected back to the IDP login page.
- If the user still has an active IDP session, the user is redirected back to Oracle CPQ with a renewed session. To the user, it is as if they have not logged out.
This ensures that the IDP is the session master, not Oracle CPQ. If this is not the desired functionality, specify the SAML Logout URL and SAML Single Logout Endpoint on the Single Sign On Settings page. With this information, logging out of the Oracle CPQ session also logs out of the IDP session.
Automatic IDP redirect is not compatible with guest sessions. If guest sessions are enabled (on the Options-General page), automatic redirect will not work.
Instead of being redirected automatically to the IDP login page, the user will go to the Oracle CPQ login page. Similarly, if automatic IDP redirect is enabled, validation will prevent guest sessions from being enabled.
Automatic IDP redirect is only supported if Single Sign-On Method (on the Single Sign On Settings page) is set to Federated Authentication or Federated and Remote.
This feature is disabled by default. Open a ticket on My Oracle Support to enable this feature.
Setup Tips
Perform the following two tasks before contacting Customer Service to enable automatic IDP redirect:
There is no setting you can inspect to determine whether Automatic IDP Redirect is turned on; open a ticket on My Oracle Support to find out whether it is on or off. Administrators, however, must turn off guest sessions either before or after this feature is enabled.
To determine if automatic IDP redirect is working or even enabled:
- If the feature is enabled and working properly, the automatic redirect will occur.
- If the feature is enabled but the user is taken to the Oracle CPQ login page, there will be an entry in the error logs about why the automatic redirect did not occur. For troubleshooting purposes, there are two main causes for this:
  - SSO is set to None or Web Services.
  - Guest Sessions are enabled.
- If the automatic redirect to the IDP does not occur and there is no error entry indicating the cause, then the feature is not enabled on the site.
Signed Request Option
A signed request is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. This helps establish a level of trust to ensure that, for example, when Oracle CPQ makes a request to an IDP, the IDP can verify that it is actually Oracle CPQ that made the request, and not an attacker disguised as Oracle CPQ.
In the Single Sign On Settings page, an Oracle CPQ administrator can now optionally provide a Java SAML Request Keystore file, along with a corresponding Request Keystore StorePass and Request Keystore KeyPass, so that SAML requests to the IDP are signed.
This is different than SAML Responses from the IDP, which must always be signed.
For more information on SAML standards, see the Notes section below.
Federated Authentication via SAML
Federated Authentication is a Single Sign-On method that leverages an IDP that supports SAML.
Before SSO via SAML can be used in CPQ, work must be completed outside of CPQ.
View flowchart to review what you need to obtain and how it relates to CPQ
Set Up SAML for Oracle CPQ Users
Each user that needs to access the Oracle CPQ application through SSO must have an Oracle CPQ user account.
Users must exist in CPQ, but SSO can be configured without a password if you are using Federated Authentication. When using Remote WebServices, Oracle CPQ will still require a password.
- Navigate to the Admin Home Page.
- Click Internal Users in the Users section.
- Click a Login.
- Select an option from the Enable for SSO drop-down. If the User is enabled for Single Sign-On login, then when the site itself is enabled for SSO, the user can log in with SSO. If you know the user's External SSO ID, it can be used for SSO; otherwise, the User's Login is used. There are three options to choose from:
If a SAML assertion from an IDP is missing the signature tag, Oracle CPQ will reject the request and log the failure.
Setting up Single Sign-On in CPQ
- Navigate to the Admin Home Page.
- Click Single Sign-On under Integration Platform.
- Select Federated Authentication from the Single Sign On Method drop-down.
- For Oracle CPQ Issuer URL, enter https://yoursitename.oracle
- Click Choose File to locate and upload an Identity Provider Certificate. This file details how to communicate with each particular Identity Provider. For example, information such as the IDP login and logout endpoints and the supported NameID formats is in this file.
- If necessary, enter a SAML Requested Name Identifier Format. Each IDP supports different NameID formats, which can be found in the IDP configuration. FullAccess users can customize this field. If the field is left blank, the setting defaults to the "transient" format. Common NameID formats:
  - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- Enter the SAML Identity Provider URL. This is a required step because all assertions sent to Oracle CPQ must have an Issuer value identical to this field.
- Enter the SAML Logout URL. Whenever an Oracle CPQ user is logged out (via a session timeout, or by the user manually logging out), the user is redirected to the SAML Logout URL. If a SAML Logout URL is not defined, the user lands on the Oracle CPQ login screen after being logged out. In some implementations, you may wish to show only the login screen of the IDP and never the Oracle CPQ login screen. In this scenario, set the SAML Logout URL to the URL of the IDP login screen.
- Enter the SAML Single Logout Endpoint. The SAML Single Logout Endpoint may be the API Endpoint URL of the logout Web Service of the partner system. In this scenario, whenever an Oracle CPQ user is logged out (via a session timeout, or by the user manually logging out), Oracle CPQ sends a Web Service call to the SAML Single Logout Endpoint to trigger the logout of the user in the partner system. Adding a valid SAML Single Logout Endpoint essentially creates a "global logout" scenario, where whenever a user is logged out of CPQ, they are also logged out of the partner system. Defining a valid SAML Single Logout Endpoint is a best practice for SSO integrations. If the SAML Logout URL or SAML Single Logout Endpoint has a destination that ends the SSO session, other applications may lose data.
- Select the SAML User ID Type. This specifies which of two identifiers an assertion contains when sent to CPQ:
  - User's Oracle CPQ username
  - External ID from the User Object
- Select the SAML User ID Location. This specifies in which of two locations in the assertion the user is identified:
  - Subject Statement: User ID is located in the <Subject> statement of the assertion.
  - Attribute Element: User ID is located in an <AttributeValue> within the <Attribute> of the assertion. If this option is selected, the Attribute Name field appears. Enter the name of the attribute whose value contains the User ID.
- Click one of the following options:
  - Apply to save your changes.
  - Update to save your changes and return to the Admin Home Page.
  - Back to return to the Admin Home Page without saving your changes.
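The checks described above (Issuer must equal the SAML Identity Provider URL, the assertion must be signed, it must be within its NotOnOrAfter window and addressed to this service provider, and the User ID is read from either the Subject or a named Attribute) can be illustrated with a small validator. This is an added example, not Oracle CPQ code; the assertion, the CONFIG values and the attribute name employeeNumber are constructed for illustration, and the signature check here only tests for presence where a real service provider verifies the XML signature cryptographically.

```python
"""Service-provider side checks on an inbound SAML 2.0 assertion (illustration only)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Values an administrator would have entered on the Single Sign On Settings page (constructed).
CONFIG = {
    "idp_url": "https://idp.example.org/SAML2",      # SAML Identity Provider URL
    "sp_url": "https://sitename.oracle.com/SAML2",   # Oracle CPQ Issuer URL
    "user_id_location": "attribute",                 # "subject" or "attribute"
    "attribute_name": "employeeNumber",              # Attribute Name field (assumed name)
}

# Constructed assertion mirroring the example in the text (same ID, issuer, subject, audience).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="1d2v5" IssueInstant="2004-12-05T09:22:05Z" Version="2.0">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <saml:Subject><saml:NameID>user123</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction><saml:Audience>https://sitename.oracle.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="employeeNumber"><saml:AttributeValue>E-4711</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate(xml_text, cfg, now):
    """Return (True, user_id) when every check passes, else (False, reason)."""
    a = ET.fromstring(xml_text)
    if a.find("ds:Signature", NS) is None:          # unsigned assertions are rejected and logged
        return False, "unsigned assertion rejected"
    if a.findtext("saml:Issuer", namespaces=NS) != cfg["idp_url"]:
        return False, "issuer does not match SAML Identity Provider URL"
    cond = a.find("saml:Conditions", NS)
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside NotBefore/NotOnOrAfter window"
    if cfg["sp_url"] not in [e.text for e in a.findall(".//saml:Audience", NS)]:
        return False, "audience does not include this service provider"
    if cfg["user_id_location"] == "subject":        # SAML User ID Location = Subject Statement
        uid = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    else:                                           # SAML User ID Location = Attribute Element
        path = f".//saml:Attribute[@Name='{cfg['attribute_name']}']/saml:AttributeValue"
        uid = a.findtext(path, namespaces=NS)
    return (True, uid) if uid else (False, "user identifier not found")
```

The returned identifier is then matched against the user's Login or External ID according to the SAML User ID Type setting.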
Remote Web Services
Remote Web Services is a Single Sign-On method that leverages an IDP that does not support SAML. It allows a user logged into partner applications to access Oracle CPQ without having to log in or re-authenticate.
This method does not support Auto IDP Redirect. For more information, see the section Import & Export of Data Tables.
All URL parameters (sessionid, sso=true, username) are combined in order to log in a user with Remote Web Services. The SSO settings have to be set to Remote Web Services and the user must be enabled for SSO for the login to succeed.
In order to access CPQ, the portal requires a customized SOAP call to the Oracle CPQ login Web Service.
SSO Sample Login XML
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <bm:category xmlns:bm="urn:soap.bigmachines.com">Security</bm:category>
    <bm:xsdInfo xmlns:bm="urn:soap.bigmachines.com">
      <bm:schemaLocation>https://testsite.bigmachines.com/bmfsweb/testsite/schema/v1_0/security/Security.xsd</bm:schemaLocation>
    </bm:xsdInfo>
  </soapenv:Header>
  <soapenv:Body>
    <bm:login xmlns:bm="urn:soap.bigmachines.com">
      <bm:userInfo>
        <bm:username/>
        <bm:password/>
        <bm:sessionCurrency/>
      </bm:userInfo>
    </bm:login>
  </soapenv:Body>
</soapenv:Envelope>
URL to Redirect a User after Login
https://sitename.oracle.com/?sessionId=SESSION_ID&username=USER_LOGIN&sso=true
Verify:
- Oracle CPQ is configured with the Remote WebServices SSO method.
- From the Admin Home Page, choose Single Sign-On in the Integration Platform section.
- An Oracle CPQ user is enabled for SSO in Oracle CPQ and has an account in their IDP.
- From the Admin Home Page, choose Internal Users under Users. Then click a user's Login.
- The login SOAP API contains an sso tag, for example: <bm:sso>1</bm:sso>.
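The Remote Web Services flow above, worked offline as an added example that is not Oracle's code: the partner portal builds the login envelope with the sso flag, reads the session id out of the response, and redirects the browser to the sessionId/username/sso=true URL. The placement of the sso element inside the login element, the loginResponse/sessionId element names in the constructed response, and the site name sitename.oracle.com are assumptions, not taken from the page.

```python
"""Remote Web Services login round trip for Oracle CPQ SSO (illustration only)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
BM = "urn:soap.bigmachines.com"
ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("bm", BM)

def build_login_request(site, username, password, currency="USD"):
    """Return the SOAP login envelope (bytes) a partner portal sends, with the sso flag set."""
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAPENV}}}Header")
    ET.SubElement(hdr, f"{{{BM}}}category").text = "Security"
    xsd = ET.SubElement(hdr, f"{{{BM}}}xsdInfo")
    ET.SubElement(xsd, f"{{{BM}}}schemaLocation").text = (
        f"https://{site}/bmfsweb/{site.split('.')[0]}/schema/v1_0/security/Security.xsd")
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    login = ET.SubElement(body, f"{{{BM}}}login")
    info = ET.SubElement(login, f"{{{BM}}}userInfo")
    ET.SubElement(info, f"{{{BM}}}username").text = username
    ET.SubElement(info, f"{{{BM}}}password").text = password
    ET.SubElement(info, f"{{{BM}}}sessionCurrency").text = currency
    ET.SubElement(login, f"{{{BM}}}sso").text = "1"   # marks this as an SSO login (placement assumed)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def parse_login_request(xml_bytes):
    """Return (username, sso flag) from a login envelope; used to check what was built."""
    root = ET.fromstring(xml_bytes)
    return root.findtext(f".//{{{BM}}}username"), root.findtext(f".//{{{BM}}}sso")

def session_id_from_response(xml_bytes):
    """Extract the session id from a login response (element name is an assumption)."""
    sid = ET.fromstring(xml_bytes).findtext(f".//{{{BM}}}sessionId")
    if not sid:
        raise ValueError("login failed: no session id in response")
    return sid

def redirect_url(site, session_id, username):
    """Build the post-login redirect, URL-encoding the parameters the page lists."""
    query = urlencode({"sessionId": session_id, "username": username, "sso": "true"})
    return f"https://{site}/?{query}"

# Constructed response for offline use; real responses may differ in shape.
SAMPLE_RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><bm:loginResponse xmlns:bm="urn:soap.bigmachines.com">
<bm:sessionId>abc123</bm:sessionId></bm:loginResponse></soapenv:Body></soapenv:Envelope>"""
```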
OpenID Connect
Oracle CPQ 23B and later adds support for OpenID Connect (OIDC) as a Single Sign-On (SSO) option. OIDC is an extension of the existing OAuth Provider configuration available for use with Oracle Identity and Access Management (IAM)'s Identity Domains and Oracle Identity Cloud Services (IDCS). OIDC adds an identity layer to OAuth 2.0 that enables a federated SSO solution between Oracle and Custom Applications configured in IAM.
OpenID Connect is based on RESTful web services using JSON schema that include an ID token for sharing user information, such as the type of credential used for authentication, when a user is authenticated, and user properties (e.g., first name, last name, email id).
Before you can enable OpenID Connect for Single Sign-on, configure an OAuth Provider integration with OpenID Connect in the Oracle CPQ Integration Center. Refer to OAuth Provider Integration and the OpenID Connect Single Sign-On for Oracle CPQ with Oracle Identity Cloud Service Integration Guide for more information.
Enable OpenID Connect for Single Sign-On
Once the OAuth Provider with OpenID Connect Integration is setup, complete the following steps to enable OpenID Connect for Single Sign-On.
1. Click Single Sign-On in the Integration Platform section of the Oracle CPQ Home page. The Single Sign-On Settings page displays.
2. Select OpenID Connect from the Single Sign-On Method drop-down.
3. Click Apply. The OAuth Provider with OpenID Connect Integration is connected with the Single Sign-On settings.
4. (Optional) Log a Service Request (SR) with My Oracle Support to include the site domains in the iframe domain allowlist. This step is only required if you are embedding Oracle CPQ in another application that is not already registered in the allowlist.
Notes
Oracle CPQ currently supports SAML 2.0, which is not backwards compatible.
The Company Administrator List page provides a drop-down to enable or disable Single Sign-On for a company. The Company Administrator List page is available from the Admin Home page > Partner Organizations link.
For more information about Security Assertion Markup Language (SAML), consult the following resources: