Single Sign-On REST APIs
Overview
The following SSO REST APIs are used to retrieve and configure the Security Assertion Markup Language (SAML) properties that enable Single Sign-On across multiple web applications. SAML works by passing authentication information in a defined format between two parties, usually an identity provider (IdP) and a web application. To review CPQ SSO integrations, refer to Single Sign-On (SSO) and Setting up Single Sign-On in CPQ.
Administration
| Description | This endpoint is used to retrieve SSO properties. |
|---|---|
| URI Endpoint | /rest/v17/ssoConfiguration |
| Endpoint Parameters | None |
| HTTP Method | GET |
| Request Body Parameters | None |
| Response Body Parameters | See the parameter table below. |

| Parameter | Name | Description |
|---|---|---|
| ssoMethod | SSO Method | Allowed Methods: |
| samlIssuerUrl | Oracle CPQ Issuer URL | |
| idProviderCertificate | Identity Provider Certificate | |
| samlNeedRequestSigned | Require Signed Request | Allowed values: true, false. A signed request is a message sent from an applicant to a certificate authority to apply for a digital identity certificate. This helps establish a level of trust to ensure that when CPQ makes a request to an IDP, the IDP can verify that it is actually CPQ, and not an attacker disguised as CPQ. When "true", the Request Keystore StorePass and Request Keystore KeyPass SAML requests are provided to the IDP. |
| samlRequestKeyStore | Request Keystore file | |
| samlStorePass | Request Keystore StorePass | The password that is used to protect the keystore file. |
| samlKeyPass | Request Keystore KeyPass | Specifies a filename and location for the keystore file. |
| requestedNameIdentifierFormat | SAML Requested Name Identifier Format | Each IDP supports different NameID formats, which can be found in the IDP configuration. FullAccess users can customize this field. If the field is left blank, the setting defaults to the "transient" format. Common Name ID Formats: |
| samlIdpUrl | SAML Identity Provider URL | |
| samlLogoutUrl | SAML Logout URL | When an Oracle CPQ user is logged out (via a session timeout, or by the user manually logging out), the user is redirected to the SAML Logout URL. If a SAML Logout URL is not defined, the user lands on the CPQ login screen after being logged out. |
| samlSingleLogoutEndpoint | SAML Single Logout Endpoint | Adding a valid SAML Single Logout Endpoint essentially creates a "global logout" scenario: when a user is logged out of CPQ, they are also logged out of the partner system. Defining a valid SAML Single Logout Endpoint is a best practice for SSO integrations. |
| samlSingleLogoutResponseEndpoint | SAML Single Logout Response Endpoint | |
| samlUserIdType | SAML User ID Type | Specifies which of two identifiers the assertion contains when it is sent to CPQ: the user's CPQ username or an External ID from the User Object. Allowed values: |
| samlUserIdLocation | SAML User ID Location | Specifies in which of two locations in the assertion the user is identified: in the <Subject>, or in an <AttributeValue> of the specified <Attribute> of the assertion. Allowed values: |
| samlAttributeName | SAML User ID Attribute Name | If the "idLocationAttribute" option is selected, the Attribute Name field appears. Enter the name of the attribute that contains the User ID. |

Note: Since the "KeyPass" and "StorePass" values are encrypted, they are not included in the response.

https://sitename.oracle.com/rest/v17/ssoConfiguration

```json
{
  "ssoMethod": "Federated and Remote",
  "samlIssuerUrl": "BigMachines Issuer URL value",
  "idProviderCertificate": "base64encodecertvalue",
  "samlNeedRequestSigned": "true",
  "samlRequestKeyStore": "base64encodedcertvalue",
  "requestedNameIdentifierFormat": "identifier format value",
  "samlIdpUrl": "identity provided url value",
  "samlLogoutUrl": "logout url",
  "samlSingleLogoutEndpoint": "logout endpoint",
  "samlSingleLogoutResponseEndpoint": "logout response endpoint",
  "samlUserIdType": "assertionTypeUsername",
  "samlUserIdLocation": "idLocationAttribute",
  "samlAttributeName": "AttributeValue"
}
```
| Description | This endpoint configures Security Assertion Markup Language (SAML) properties to enable the exchange of authentication and authorization data between an identity provider (IdP) and a service provider, allowing for a Single Sign-On (SSO) experience. |
|---|---|
| URI Endpoint | /rest/v17/ssoConfiguration |
| Endpoint Parameters | None |
| HTTP Method | POST |
| Request Body Parameters | See the parameter table below. |
| Response Body Parameters | 200 Response |

| Parameter | Name | Description |
|---|---|---|
| ssoMethod | SSO Method | Allowed Methods: |
| samlIssuerUrl | Oracle CPQ Issuer URL | |
| idProviderCertificate | Identity Provider Certificate | |
| samlNeedRequestSigned | Require Signed Request | Allowed values: true, false. A signed request is a message sent from an applicant to a certificate authority to apply for a digital identity certificate. This helps establish a level of trust to ensure that when CPQ makes a request to an IDP, the IDP can verify that it is actually CPQ, and not an attacker disguised as CPQ. When "true", the Request Keystore StorePass and Request Keystore KeyPass SAML requests are provided to the IDP. |
| samlRequestKeyStore | Request Keystore file | |
| samlStorePass | Request Keystore StorePass | The password that is used to protect the keystore file. |
| samlKeyPass | Request Keystore KeyPass | Specifies a filename and location for the keystore file. |
| requestedNameIdentifierFormat | SAML Requested Name Identifier Format | Each IDP supports different NameID formats, which can be found in the IDP configuration. FullAccess users can customize this field. If the field is left blank, the setting defaults to the "transient" format. Common Name ID Formats: |
| samlIdpUrl | SAML Identity Provider URL | |
| samlLogoutUrl | SAML Logout URL | When an Oracle CPQ user is logged out (via a session timeout, or by the user manually logging out), the user is redirected to the SAML Logout URL. If a SAML Logout URL is not defined, the user lands on the CPQ login screen after being logged out. |
| samlSingleLogoutEndpoint | SAML Single Logout Endpoint | Adding a valid SAML Single Logout Endpoint essentially creates a "global logout" scenario: when a user is logged out of CPQ, they are also logged out of the partner system. Defining a valid SAML Single Logout Endpoint is a best practice for SSO integrations. |
| samlSingleLogoutResponseEndpoint | SAML Single Logout Response Endpoint | |
| samlUserIdType | SAML User ID Type | Specifies which of two identifiers the assertion contains when it is sent to CPQ: the user's CPQ username or an External ID from the User Object. Allowed values: |
| samlUserIdLocation | SAML User ID Location | Specifies in which of two locations in the assertion the user is identified: in the <Subject>, or in an <AttributeValue> of the specified <Attribute> of the assertion. Allowed values: |
| samlAttributeName | SAML User ID Attribute Name | If the "idLocationAttribute" option is selected, the Attribute Name field appears. Enter the name of the attribute that contains the User ID. |

https://sitename.oracle.com/rest/v17/ssoConfiguration

```json
{
  "ssoMethod": "Federated and Remote",
  "samlIssuerUrl": "BigMachines Issuer URL value",
  "idProviderCertificate": "base64encodecertvalue",
  "samlNeedRequestSigned": "true",
  "samlRequestKeyStore": "base64encodedcertvalue",
  "samlStorePass": "storePassValue",
  "samlKeyPass": "keyPassValue",
  "requestedNameIdentifierFormat": "identifier format value",
  "samlIdpUrl": "identity provided url value",
  "samlLogoutUrl": "logout url",
  "samlSingleLogoutEndpoint": "logout endpoint",
  "samlSingleLogoutResponseEndpoint": "logout response endpoint",
  "samlUserIdType": "assertionTypeUsername",
  "samlUserIdLocation": "idLocationAttribute",
  "samlAttributeName": "AttributeValue"
}
```
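As an added example (not part of the Oracle CPQ documentation or product code), the Python below checks a ssoConfiguration body for the field dependencies described in the GET and POST tables above before it is sent, and shows how samlUserIdLocation and samlAttributeName select the user identifier from an assertion. The assertion, the attribute name "cpqExternalId" and all endpoint values are constructed; the Subject branch is taken for any samlUserIdLocation value other than idLocationAttribute, since the page does not name the Subject option's value.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the page). It carries both a Subject
# NameID and an attribute that an IdP might map to the CPQ user's External ID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tmp123</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="cpqExternalId">
      <saml:AttributeValue>EXT-0042</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def validate_sso_config(cfg):
    """Return the inconsistencies in a ssoConfiguration POST body, following the
    field dependencies the API tables describe. An empty list means consistent."""
    problems = []
    if str(cfg.get("samlNeedRequestSigned", "false")).lower() == "true":
        # A signed request needs the keystore and both of its passwords.
        for key in ("samlRequestKeyStore", "samlStorePass", "samlKeyPass"):
            if not cfg.get(key):
                problems.append(f"{key} is required when samlNeedRequestSigned is true")
    if cfg.get("samlUserIdLocation") == "idLocationAttribute" and not cfg.get("samlAttributeName"):
        problems.append("samlAttributeName is required when samlUserIdLocation is idLocationAttribute")
    if not cfg.get("samlSingleLogoutEndpoint"):
        # Not rejected by the API, but without it a CPQ logout leaves the IdP session alive.
        problems.append("samlSingleLogoutEndpoint is empty: no global logout")
    return problems


def extract_user_id(assertion_xml, cfg):
    """Select the user identifier from an assertion whose signature has ALREADY been
    verified, using samlUserIdLocation / samlAttributeName. Returns None if absent."""
    root = ET.fromstring(assertion_xml)
    if cfg.get("samlUserIdLocation") == "idLocationAttribute":
        # Only the configured Attribute Name is honoured; other attributes are ignored.
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
            if attr.get("Name") == cfg.get("samlAttributeName"):
                value = attr.find("saml:AttributeValue", SAML_NS)
                return value.text.strip() if value is not None and value.text else None
        return None
    # Otherwise the identifier is the Subject's NameID (the page's other location).
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    return name_id.text.strip() if name_id is not None and name_id.text else None
```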
Notes
For more information on the Interface Catalogs, see the topic Interface Catalog.