Federation with Azure AD as Identity Service Provider – Oracle Fusion ERP
Overview
This document describes the steps needed to enable identity federation between Oracle Fusion ERP and Azure Active Directory. Azure AD offers Oracle Fusion ERP as one of its gallery applications for SSO.
The SSO enablement consists of the following main steps.
Note that these steps must be performed for each of the OCI PODs (STG, PROD) provisioned for Oracle Fusion ERP:
1. Pre-Requisites
2. Configure Azure AD SSO
3. Configure a Test User
4. Configure Oracle ERP SSO
Pre-Requisites
Enable the “Oracle Fusion ERP” application
Perform these steps if Oracle Fusion ERP does not show up as one of the enterprise applications in your Azure Active Directory.
• Log in to the Azure portal: https://portal.azure.com
• On the left navigation pane, select the Azure Active Directory service.
• Navigate to Enterprise Applications and then select All Applications.
• To add a new application, select New application.
• In the Add from the gallery section, type Oracle Fusion ERP in the search box.
• Select Oracle Fusion ERP from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Service Provider XML
Download the Fusion Application Service Provider Metadata XML and save it as FA-SPMetadata.xml. The file is for reference only; the Entity ID and Reply URL values entered in the next section come from it.
https://login-Enter URL. fa.ocs.oraclecloud.com/oamfed/sp/metadata?signid=osts_signing_sha256&encid=osts_encryption_sha256&sigalgm=SHA-256
Configure Azure AD SSO
In the Azure portal, on the Oracle Fusion ERP application integration page, find the Manage section and select Single sign-on.
• On the Select a Single sign-on method page, select SAML.
• On the Set up Single Sign-On with SAML page, click the edit (pen) icon for Basic SAML Configuration and enter the settings below:
Entity ID: https://login.Enter URL. fa.ocs.oraclecloud.com:443/oam/fed
Reply URL: https://Enter URL. fa.ocs.oraclecloud.com/oam/server/fed/sp/sso
Sign on URL: https://Enter URL. fa.ocs.oraclecloud.com/fscmUI/faces/AtkHomePageWelcome
Note: The Entity ID, Reply URL and Sign on URL values differ for each OCI POD (DEV1, TEST1, PROD etc.). The Service Provider Metadata XML of each OCI POD provides the values for that POD.
• Save the configuration.
• Copy the following URLs from your Azure AD Single sign-on configuration page and share them with the Oracle ERP support team:
1. App Federation URL
2. Login URL
3. Logout URL
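Because the Entity ID and Reply URL differ per POD and must match the SP metadata exactly (a trailing slash or a wrong port is enough to break the test login), it is safer to read them out of the downloaded FA-SPMetadata.xml than to retype them. The script below is an added example, not part of this runbook or of any Microsoft or Oracle tooling; the embedded metadata is a constructed sample with the shape of a Fusion SP metadata file, the host name, certificate contents and index values are placeholders, and the Sign on URL is derived under the assumption (taken from the runbook's own value) that it is the application home page on the same host as the Reply URL.

```python
"""Derive Azure AD 'Basic SAML Configuration' values from Oracle Fusion
service-provider (SP) metadata. Added example; not runbook, Microsoft or
Oracle code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Assumption taken from the runbook's Sign on URL: the application home page path.
HOME_PAGE_PATH = "/fscmUI/faces/AtkHomePageWelcome"

# Constructed sample with the shape of a Fusion SP metadata file. Host name,
# certificate contents and index values are placeholders, not from a real POD.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://login-example-pod.fa.ocs.oraclecloud.com:443/oam/fed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://login-example-pod.fa.ocs.oraclecloud.com/oam/server/fed/sp/art" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login-example-pod.fa.ocs.oraclecloud.com/oam/server/fed/sp/sso" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def azure_saml_settings(sp_metadata_xml):
    """Return the Basic SAML Configuration values plus the SP's signing
    expectations, read from SP metadata XML (str or bytes)."""
    if isinstance(sp_metadata_xml, str):
        sp_metadata_xml = sp_metadata_xml.encode("utf-8")
    root = ET.fromstring(sp_metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    # Reply URL = the HTTP-POST AssertionConsumerService; prefer the default one.
    post_acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
                if a.get("Binding") == POST_BINDING]
    if not post_acs:
        raise ValueError("metadata advertises no HTTP-POST AssertionConsumerService")
    default_acs = [a for a in post_acs if a.get("isDefault") == "true"] or post_acs
    reply_url = default_acs[0].get("Location")

    # The Sign on URL is not carried in SAML metadata; derive it from the Reply
    # URL host plus the home page path (assumption noted above).
    sign_on_url = f"https://{urlparse(reply_url).netloc}{HOME_PAGE_PATH}"

    signing_certs = sp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "identifier": root.get("entityID"),          # Azure AD: Identifier (Entity ID)
        "reply_url": reply_url,                        # Azure AD: Reply URL (ACS URL)
        "sign_on_url": sign_on_url,                    # Azure AD: Sign on URL
        "name_id_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "signing_cert_count": len(signing_certs),
    }


if __name__ == "__main__":
    for key, value in azure_saml_settings(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real FA-SPMetadata.xml of each POD (pass the file contents to `azure_saml_settings`) and compare the printed values with what is typed into the Azure portal; `want_assertions_signed` and `authn_requests_signed` tell you whether the POD expects signed assertions and sends signed requests, which is worth knowing before the Azure signing certificate is rotated.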
Create a Test AD User
Create a test user in the Azure portal:
• From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
• Select New user at the top of the screen.
• In the User properties, follow these steps:
  • In the Name field, enter the name.
  • In the Username field, enter username@companydomain.extension. For
  • Select the Show password check box, and then write down the value that’s displayed in the Password box.
• Click Create.
Assign User to the SSO Application
In this section, you enable the user created above to use Azure single sign-on by granting them access to Oracle Fusion ERP. (This is not needed if the application’s “only assigned users” property is turned off.)
• In the Azure portal, select Enterprise Applications, and then select All applications.
• In the applications list, select Oracle Fusion ERP.
• In the app’s overview page, find the Manage section and select Users and groups.
• In the Users and groups dialog, select Test User from the Users list, then click
the Select button at the bottom of the screen.
• If you’re expecting any role value in the SAML assertion, in the Select Role dialog,
select the appropriate role for the user from the list and then click the Select button at
the bottom of the screen.
• In the Add Assignment dialog, click the Assign button.
Configure Oracle ERP SSO
Create the Test User in Oracle ERP
Log in to Oracle ERP -> Navigate -> Tools -> Security Console -> Users
• Create a new application user, using the same user name as the AD test user (note: the email address is used as the username)
• Assign the Employee Abstract role
Configure Single Sign-On
• Log in to Oracle ERP -> Navigate -> Tools -> Security Console -> Single Sign On
• Click “Create Identity Provider” to open the identity provider details
• Click the “Edit” button to fill in the Identity Provider Details
• Enter the Name: “azureIDP” (or a name of your choice) (shown above)
• Select the Name ID Format “Email”
• Check “Default Identity Provider”
• Paste the Apps Federation Provider XML URL as shown below
• Click Save and Close
Click on Diagnostics and Activation
• Click the “Test” button (or open https://login-Enter URL. saasfaprod1.fa.ocs.oraclecloud.com/oamfed/user/testspsso)
• Select the partner “azureIDP”
• Click Start SSO as shown below and log in with the test user created in one of the steps above
• A successful authentication displays a screen like the one below (the identity provider can be enabled only after this test authentication succeeds)
• Go back to the Oracle Single Sign-On page and click “Done”
• Refresh the page; the Status should show “Succeeded”
• Click the Edit button again under Diagnostics and Activation to enable the identity provider
• Click “Save and Close” to save your changes
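When the test login above fails, the usual causes are a mismatch between what Azure AD puts in the SAML Response and what this POD expects: wrong Reply URL or Entity ID for the POD, a NameID that is not the email address used as the Oracle username, or an assertion whose validity window has passed. The following diagnostic is an added example, not part of this runbook or of Oracle's test page. It decodes a SAMLResponse value (as captured from the browser's developer tools during the test) and reports field mismatches against the expected POD values. It does not verify the XML signature; the Fusion service provider does that itself. The embedded response, the host name, the tenant id and the user are constructed placeholders.

```python
"""Field-consistency check for a SAML Response posted to the Fusion Reply URL.
Added example; not runbook or Oracle code. Signature verification is out of
scope here (the SP performs it); this only explains *why* a test login fails."""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Expected values for one POD; host, tenant id and user are placeholders.
EXPECTED = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sp_entity_id": "https://login-example-pod.fa.ocs.oraclecloud.com:443/oam/fed",
    "reply_url": "https://login-example-pod.fa.ocs.oraclecloud.com/oam/server/fed/sp/sso",
    "oracle_username": "test.user@example.com",
}

# Constructed, unsigned SAML Response with the structure Azure AD produces.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T10:00:00Z"
    Destination="https://login-example-pod.fa.ocs.oraclecloud.com/oam/server/fed/sp/sso">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test.user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T11:00:00Z"
            Recipient="https://login-example-pod.fa.ocs.oraclecloud.com/oam/server/fed/sp/sso"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://login-example-pod.fa.ocs.oraclecloud.com:443/oam/fed</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""
SAMPLE_NOW = "2024-01-01T10:30:00Z"  # constructed "current time" inside the window


def encode_response(xml_text):
    """Base64-encode XML the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _ts(value):
    """Parse a SAML UTC timestamp; Azure AD may add 7 fractional digits, drop them."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))


def check_saml_response(saml_response_b64, expected, now=None):
    """Return a list of mismatch descriptions; an empty list means all checks passed.
    `now` may be a SAML timestamp string or an aware datetime (default: real clock)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _ts(now)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    if root.get("Destination") != expected["reply_url"]:
        findings.append(f"Destination {root.get('Destination')!r} is not the POD Reply URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("Status is not Success: " + (status.get("Value") if status is not None else "missing"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion (encrypted or absent); nothing more to check")
        return findings
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["idp_entity_id"]:
        findings.append(f"Issuer {issuer!r} is not the Azure AD tenant registered as the identity provider")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion carries no Signature element")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID missing or not in emailAddress format (Oracle expects Name ID Format = Email)")
    elif name_id.text != expected["oracle_username"]:
        findings.append(f"NameID {name_id.text!r} does not match the Oracle ERP username")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != expected["sp_entity_id"]:
        findings.append(f"Audience {audience!r} is not the POD Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        findings.append("assertion validity window does not contain the current time (check clock skew)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") != expected["reply_url"]:
        findings.append("SubjectConfirmationData Recipient is not the POD Reply URL")
    return findings


if __name__ == "__main__":
    for line in check_saml_response(encode_response(SAMPLE_RESPONSE_XML), EXPECTED, SAMPLE_NOW) or ["all checks passed"]:
        print(line)
```

Fill `EXPECTED` with the POD's own Entity ID and Reply URL (the same values entered in Azure AD) and the tenant's issuer from the App Federation metadata, then pass the captured SAMLResponse string; each finding names the Azure AD or Oracle setting to revisit before clicking Done and enabling the identity provider.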
Configure Sign Out and the Chooser Login Page
• Log in to Oracle ERP -> Navigate -> Tools -> Security Console -> Single Sign On
• Click the Edit button and enter the sign-out URL received from the AD team, e.g.
https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
• Check Enable Chooser Login Page and save the changes
Reference
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/oracle-fusion-erp-tutorial
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=212229636045093&id=2563318.1&_adf.ctrl-state=8l95fr1uy_52