Federation with Azure AD as Identity Service Provider – Oracle Fusion ERP

July 29, 2020 ERP

Overview:


This document discusses the steps needed to enable Oracle Fusion ERP identity federation with
Azure Active Directory. Azure AD provides Oracle Fusion ERP as one of the SSO participating

The SSO enablement consists of the following main steps.

Please note that we must perform this for each of the OCI PODs (STG, PROD) provisioned
for Oracle Fusion ERP.

1. Pre-Requisites
2. Configure Azure AD SSO
3. Configure a Test User
4. Configure Oracle ERP SSO




Enable “Oracle Fusion ERP” application


Perform these steps if Oracle Fusion ERP does not show up as one of the enterprise applications in
your Azure Active Directory.

Log in to the Azure AD portal at https://portal.azure.com

• On the left navigation pane, select the Azure Active Directory service.
• Navigate to Enterprise Applications and then select All Applications.
• To add a new application, select New application.
• In the Add from the gallery section, type Oracle Fusion ERP in the search box.
• Select Oracle Fusion ERP from the results panel and then add the app. Wait a few
seconds while the app is added to your tenant.


Service Provider XML


Download the Fusion Application Service Provider Metadata.xml (and save it as FA-SPMetadata.xml). This is for reference only.

https://login-<Enter URL>.fa.ocs.oraclecloud.com/oamfed/sp/metadata?signid=osts_signing_sha256&encid=osts_encryption_sha256&sigalgm=SHA-256

Configure Azure AD SSO


In the Azure portal, on the Oracle Fusion ERP application integration page, find the
Manage section and select Single sign-on.

• On the Select a Single sign-on method page, select SAML.
• On the Set up Single Sign-On with SAML page, click the edit/pen icon for Basic
SAML Configuration to edit the settings as below

Entity ID: https://login.<Enter URL>.fa.ocs.oraclecloud.com:443/oam/fed
Reply URL: https://<Enter URL>.fa.ocs.oraclecloud.com/oam/server/fed/sp/sso
Sign on URL: https://<Enter URL>.fa.ocs.oraclecloud.com/fscmUI/faces/AtkHomePageWelcome

Note: The Entity ID, Reply URL and Sign on URL differ for each OCI POD
(DEV1, TEST1, PROD etc.). The Service Provider Metadata XML of each OCI POD
provides those values.
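As an added example (not part of the original document), the script below reads a POD's Service Provider Metadata XML and checks the Entity ID and Reply URL typed into the Azure AD Basic SAML Configuration against it, so the values come from that POD's metadata rather than from memory. The metadata sample and its hostname are constructed, not taken from a real POD.

```python
# Added example (not from the original document): parse a SAML SP metadata
# document in the shape of the one served at /oamfed/sp/metadata and compare
# it with the Entity ID / Reply URL entered in Azure AD for this OCI POD.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, shortened sample; the hostname is a placeholder, certificates omitted.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://login-example-saasfaprod1.fa.ocs.oraclecloud.com:443/oam/fed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login-example-saasfaprod1.fa.ocs.oraclecloud.com/oam/server/fed/sp/sso"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_sp_metadata(xml_text):
    """Return the entityID, the HTTP-POST ACS (Reply) URL and the NameID formats."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    return {
        "entity_id": root.get("entityID"),
        "reply_url": acs[0] if acs else None,
        "nameid_formats": [e.text for e in sp.findall("md:NameIDFormat", NS)],
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }

def check_azure_basic_saml(xml_text, entity_id, reply_url):
    """Compare the Azure AD values with the POD's metadata; return a list of mismatches."""
    meta = parse_sp_metadata(xml_text)
    problems = []
    if entity_id != meta["entity_id"]:
        problems.append("Entity ID does not match the metadata entityID")
    if reply_url != meta["reply_url"]:
        problems.append("Reply URL does not match the HTTP-POST AssertionConsumerService")
    if EMAIL_FMT not in meta["nameid_formats"]:
        problems.append("SP metadata does not list the emailAddress NameID format")
    return problems
```

An empty list means the Azure AD values match this POD's metadata; run it once per POD (STG, PROD) with that POD's downloaded XML.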

Configure Azure AD SSO

• Save the configuration
• Copy the following URLs from your Azure AD Single sign-on configuration page and share
them with the Oracle ERP support team

1. App Federation URL
2. Login URL
3. Logout URL



Create Test AD user

Create a Test User in the Azure portal

• From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
• Select New user at the top of the screen.
• In the User properties, follow these steps:
• In the Name field, enter the name
• In the Username field, enter the username@companydomain.extension. For
• Select the Show password check box, and then write down the value that’s displayed
in the Password box.
• Click Create.

Assign User to the SSO Application

In this section, you’ll enable the above user to use Azure single sign-on by granting access to
Oracle Fusion ERP (please note this is not needed if single sign-on is configured with the “only
assigned users” property turned off).

• In the Azure portal, select Enterprise Applications, and then select All applications.
• In the applications list, select Oracle Fusion ERP.
• In the app’s overview page, find the Manage section and select Users and groups.

Users and groups

• In the Users and groups dialog, select Test User from the Users list, then click
the Select button at the bottom of the screen.
• If you’re expecting any role value in the SAML assertion, in the Select Role dialog,
select the appropriate role for the user from the list and then click the Select button at
the bottom of the screen.
• In the Add Assignment dialog, click the Assign button.

Configure Oracle ERP SSO

Create the Test user in Oracle ERP

Log in to Oracle ERP -> Navigate -> Tools -> Security Console -> Users

• Create a new Application user (using the same AD test user as the username; note that the
email address will be used as the username)
• Assign Employee Abstract role

Configure Single Sign on

• Log in to Oracle ERP -> Navigate -> Tools -> Security Console -> Single Sign on


• Click on “Create Identity Provider” to open the identity provider details


• Click on the “Edit” button to fill in the Identity Provider Details

Fill in the Identity Provider details

• Enter the Name: “azureIDP” (or a name of your choice), as shown above
• Select Name ID Format as “Email”
• Check the “Default Identity Provider”
• Paste the App Federation XML URL copied from Azure AD, as shown below
• Click Save and Close


Click on Diagnostics and Activation

• Click the “Test” button (or open https://login-<Enter URL>.saasfaprod1.fa.ocs.oraclecloud.com/oamfed/user/testspsso)


• Select the partner as “azureIDP”
• Click on Start SSO as shown below and log in using the Test user created in one of
the above steps

• Successful authentication should display a screen like the one below (the identity provider
can only be enabled after a successful authentication)


• Go back to the Oracle Single sign on page and click “Done”
• Refresh the page to see the Status as “Succeeded”

Diagnostics and activation

• Click on the Edit button again under Diagnostics and Activation to enable the identity provider

Single sign on Diagnostics and activation

• Click on the “Save and close” button to save your changes

Configure Sign out and the Chooser Login Page

• Log in to Oracle ERP -> Navigate -> Tools -> Security Console -> Single Sign on
• Click on the Edit button and enter the sign-out URL (received from the AD team), e.g.


• Check the Enable Chooser Login Page option and save the changes