Single Sign-On REST APIs

Overview

The following SSO REST APIs are used to retrieve and configure the Security Assertion Markup Language (SAML) properties that enable Single Sign-On for multiple web applications. SAML works by passing authentication information in a particular format between two parties, usually an identity provider (IdP) and a web application. To review CPQ SSO integrations, refer to Single Sign-On (SSO) and Setting up Single Sign-On in CPQ.

Administration

Get Single Sign-On Properties

Get SSO Properties GET Method

Description

This endpoint is used to retrieve SSO properties.

URI Endpoint

/rest/v17/ssoConfiguration

Endpoint Parameters

None

HTTP Method

GET

Request Body Parameters

None

Response Body Parameters

ssoMethod

SSO Method

Allowed Methods:

  • None
  • Federated Authentication
  • Remote Webservices
  • Federated and Remote

samlIssuerUrl

Oracle CPQ Issuer URL

idProviderCertificate

Identity Provider Certificate

samlNeedRequestSigned

Require Signed Request

Allowed values: true, false

A signed request is a message sent from an applicant to a certificate authority to apply for a digital identity certificate. This helps establish a level of trust to ensure that when CPQ makes a request to an IDP, the IDP can verify that it is actually CPQ, and not an attacker disguised as CPQ. When set to "true", the Request Keystore StorePass and Request Keystore KeyPass are used to sign the SAML requests provided to the IDP.

samlRequestKeyStore

Request Keystore file

samlStorePass

Request Keystore StorePass

The password that is used to protect the keystore file.

samlKeyPass

Request Keystore KeyPass

Specifies a filename and location for the keystore file.

requestedNameIdentifierFormat

SAML Requested Name Identifier Format

Each IDP supports different NameID formats, which can be found in the IDP configuration. FullAccess users can customize this field. If the field is left blank, the setting defaults to using the "transient" format.

Common Name ID Formats

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

samlIdpUrl

SAML Identity Provider URL

samlLogoutUrl

SAML Logout URL

When an Oracle CPQ user is logged out (via a session timeout, or by the user manually logging out), the user will be redirected to the SAML Logout URL. If a SAML Logout URL is not defined, the user will land on the CPQ login screen after being logged out.

samlSingleLogoutEndpoint

SAML Single Logout Endpoint

Adding a valid SAML Single Logout Endpoint essentially creates a “global logout” scenario. When a user is logged out of CPQ, they will also be logged out of the partner system. Defining a valid SAML Single Logout Endpoint is a best practice of SSO integrations.

samlSingleLogoutResponseEndpoint

SAML Single Logout Response Endpoint

samlUserIdType

SAML User ID Type

This specifies which of two identifiers an assertion contains when it is sent to CPQ: the user's CPQ username, or an External ID from the User Object.

Allowed values:

  • assertionTypeUsername
  • assertionTypeExternal

samlUserIdLocation

SAML User ID Location

This specifies in which of two locations in the assertion the user is identified: in the <Subject>, or in an <AttributeValue> of the specified <Attribute> of the assertion.

Allowed values:

  • idLocationSubject
  • idLocationAttribute

samlAttributeName

SAML User ID Attribute Name

If the "idLocationAttribute" option is selected, the Attribute Name field appears. Enter the name of the attribute that contains the User ID.

Note: Since the "KeyPass" and "StorePass" values are encrypted, they are not included in the response.

URI Endpoint Sample

https://sitename.oracle.com/rest/v17/ssoConfiguration


Response Sample

{
  "ssoMethod": "Federated and Remote",
  "samlIssuerUrl": "BigMachines Issuer URL value",
  "idProviderCertificate": "base64encodecertvalue",
  "samlNeedRequestSigned": "true",
  "samlRequestKeyStore": "base64encodedcertvalue",
  "requestedNameIdentifierFormat": "identifier format value",
  "samlIdpUrl": "identity provided url value",
  "samlLogoutUrl": "logout url",
  "samlSingleLogoutEndpoint": "logout endpoint",
  "samlSingleLogoutResponseEndpoint": "logout response endpoint",
  "samlUserIdType": "assertionTypeUsername",
  "samlUserIdLocation": "idLocationAttribute",
  "samlAttributeName": "AttributeValue"
}


Configure SSO

Configure Single Sign-On POST method

Description

This endpoint configures Security Assertion Markup Language (SAML) properties to enable exchanging authentication and authorization data between an identity provider (IdP), and a service provider, allowing for a Single Sign-On (SSO) experience.

URI Endpoint

/rest/v17/ssoConfiguration

Endpoint Parameters

None

HTTP Method

POST

Request Body Parameters

ssoMethod

SSO Method

Allowed Methods:

  • None
  • Federated Authentication
  • Remote Webservices
  • Federated and Remote

samlIssuerUrl

Oracle CPQ Issuer URL

idProviderCertificate

Identity Provider Certificate

samlNeedRequestSigned

Require Signed Request

Allowed values: true, false

A signed request is a message sent from an applicant to a certificate authority to apply for a digital identity certificate. This helps establish a level of trust to ensure that when CPQ makes a request to an IDP, the IDP can verify that it is actually CPQ, and not an attacker disguised as CPQ. When set to "true", the Request Keystore StorePass and Request Keystore KeyPass are used to sign the SAML requests provided to the IDP.

samlRequestKeyStore

Request Keystore file

samlStorePass

Request Keystore StorePass

The password that is used to protect the keystore file.

samlKeyPass

Request Keystore KeyPass

Specifies a filename and location for the keystore file.

requestedNameIdentifierFormat

SAML Requested Name Identifier Format

Each IDP supports different NameID formats, which can be found in the IDP configuration. FullAccess users can customize this field. If the field is left blank, the setting defaults to using the "transient" format.

Common Name ID Formats

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

samlIdpUrl

SAML Identity Provider URL

samlLogoutUrl

SAML Logout URL

When an Oracle CPQ user is logged out (via a session timeout, or by the user manually logging out), the user will be redirected to the SAML Logout URL. If a SAML Logout URL is not defined, the user will land on the CPQ login screen after being logged out.

samlSingleLogoutEndpoint

SAML Single Logout Endpoint

Adding a valid SAML Single Logout Endpoint essentially creates a “global logout” scenario. When a user is logged out of CPQ, they will also be logged out of the partner system. Defining a valid SAML Single Logout Endpoint is a best practice of SSO integrations.

samlSingleLogoutResponseEndpoint

SAML Single Logout Response Endpoint

samlUserIdType

SAML User ID Type

This specifies which of two identifiers an assertion contains when it is sent to CPQ: the user's CPQ username, or an External ID from the User Object.

Allowed values:

  • assertionTypeUsername
  • assertionTypeExternal

samlUserIdLocation

SAML User ID Location

This specifies in which of two locations in the assertion the user is identified: in the <Subject>, or in an <AttributeValue> of the specified <Attribute> of the assertion.

Allowed values:

  • idLocationSubject
  • idLocationAttribute

samlAttributeName

SAML User ID Attribute Name

If the "idLocationAttribute" option is selected, the Attribute Name field appears. Enter the name of the attribute that contains the User ID.
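As an added example that is not part of the Oracle CPQ documentation, the following Python checks a request body for the POST endpoint against the allowed values listed above (including the conditional fields) and reviews a GET response for settings the page calls out as weak or missing; the sample response is constructed, not taken from a real site.

```python
# Allowed values quoted from the parameter list above.
SSO_METHODS = {"None", "Federated Authentication", "Remote Webservices", "Federated and Remote"}
USER_ID_TYPES = {"assertionTypeUsername", "assertionTypeExternal"}
USER_ID_LOCATIONS = {"idLocationSubject", "idLocationAttribute"}
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SIGNING_KEYS = ("samlRequestKeyStore", "samlStorePass", "samlKeyPass")

def validate_sso_request(body):
    """Return a normalized POST body, or raise ValueError on a value the API does not allow."""
    cfg = dict(body)
    if cfg.get("ssoMethod") not in SSO_METHODS:
        raise ValueError("ssoMethod must be one of %s" % sorted(SSO_METHODS))
    if cfg.get("samlNeedRequestSigned") not in ("true", "false"):
        raise ValueError("samlNeedRequestSigned must be 'true' or 'false'")
    if cfg["samlNeedRequestSigned"] == "true":
        # Signed requests need the keystore plus its StorePass and KeyPass.
        missing = [k for k in SIGNING_KEYS if not cfg.get(k)]
        if missing:
            raise ValueError("signed requests require %s" % missing)
    if cfg.get("samlUserIdType") not in USER_ID_TYPES:
        raise ValueError("samlUserIdType must be one of %s" % sorted(USER_ID_TYPES))
    if cfg.get("samlUserIdLocation") not in USER_ID_LOCATIONS:
        raise ValueError("samlUserIdLocation must be one of %s" % sorted(USER_ID_LOCATIONS))
    if cfg["samlUserIdLocation"] == "idLocationAttribute" and not cfg.get("samlAttributeName"):
        raise ValueError("samlAttributeName is required when samlUserIdLocation is idLocationAttribute")
    if not cfg.get("requestedNameIdentifierFormat"):
        cfg["requestedNameIdentifierFormat"] = TRANSIENT_FORMAT  # documented default for a blank field
    return cfg

def review_sso_response(resp):
    """Flag weak settings in a GET response. StorePass/KeyPass are never returned, so they are not checked."""
    findings = []
    if resp.get("samlNeedRequestSigned") != "true":
        findings.append("samlNeedRequestSigned is not 'true': the IdP cannot verify a request really came from CPQ")
    if not resp.get("samlSingleLogoutEndpoint"):
        findings.append("samlSingleLogoutEndpoint is empty: logging out of CPQ does not log out of the partner system")
    if not resp.get("samlLogoutUrl"):
        findings.append("samlLogoutUrl is empty: users land on the CPQ login screen after logout")
    return findings

# Constructed sample of what a GET response might look like on a weakly configured site (hypothetical values).
SAMPLE_RESPONSE = {"ssoMethod": "Federated Authentication", "samlIssuerUrl": "https://sitename.oracle.com",
                   "idProviderCertificate": "base64encodedcertvalue", "samlNeedRequestSigned": "false",
                   "samlIdpUrl": "https://idp.example/sso", "samlUserIdType": "assertionTypeUsername",
                   "samlUserIdLocation": "idLocationAttribute", "samlAttributeName": "uid"}

if __name__ == "__main__":
    for finding in review_sso_response(SAMPLE_RESPONSE):
        print(finding)
```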

Response Body Parameters

200 Response

URI Endpoint Sample

https://sitename.oracle.com/rest/v17/ssoConfiguration


Request Sample


Notes

For more information on the Interface Catalogs, see the topic Interface Catalog.
