This topic describes how to integrate Oracle HCM SSO with Azure AD via the MVISION Cloud SAML proxy.
Before you begin, make sure you have the following prerequisites:
- Admin access to Azure AD IdP.
- Access to MVISION Cloud and appropriate role/rights to manage the Oracle HCM service.
- Admin access to Oracle HCM.
Configure SAML Proxy for Oracle HCM
Perform the following activities to configure SAML proxy for Oracle HCM.
Step 1: Download IdP Certificate from Azure AD
- Log in to Azure AD as an admin and go to Azure Active Directory > Enterprise Applications.
- Search for Oracle HCM and add it.
- Click the Oracle HCM app and select the Single Sign-On option to configure SSO.
- Under Set up Single Sign-On with SAML, click Edit.
- Under Basic SAML Configuration, enter the following URIs. Replace <instance-name> with your Oracle Cloud instance host; an example is shown for each URL format:
- Identifier (Entity ID). Enter the URL in the following format: https://<instance-name>.oraclecloud.com/oam/fed. For example, https://dnn-dev7.fa.em2.oraclecloud.com:443/oam/fed
- Reply URL (Assertion Consumer Service URL). Enter the URL in the following format: https://<instance-name>.oraclecloud.com/oam/server/fed/sp/sso. For example, https://dnn-dev7.login.em2.oraclecloud.com/oam/server/fed/sp/sso
- Sign on URL. Enter the URL in the following format: https://<instance-name>.oraclecloud.com/oam/sp/samlv20. For example, https://dnn-dev7.login.em2.oraclecloud.com/oam/sp/samlv20
- Click Save.
- Under SAML Signing Certificate, click the Certificate (Base64) Download link to download the IdP (Azure) certificate and save it in your local folder. This is your IdP Certificate used to configure the SAML proxy in MVISION Cloud.
Step 2: Download SP Certificate from Oracle HCM
- Log in to Oracle HCM.
- Download the SP Certificate. This SP Certificate is used to configure the SAML proxy in MVISION Cloud.
NOTE: For more details on the Service Provider, see Review Service Provider Details.
Step 3: Configure SAML Proxy in MVISION Cloud
- Log in to MVISION Cloud.
- Go to Settings > Service Management.
- Select your Oracle HCM instance from the Services list. (If no services are listed, contact MVISION Cloud Support for help.)
- Click the Setup tab, and under Proxy, click Get Started.
NOTE: To create and configure the proxy for the Oracle HCM instance, see Configure Proxy for Oracle HCM.
- Under Configure SAML, click Configure.
- Under Upload Identity Provider Certificate, upload the IdP Certificate downloaded in Step 1 and click Next.
- Under Upload Service Provider Certificate, upload the SP Certificate downloaded in Step 2 and click Next.
- Under Download SAML Certificate, download the Proxy Certificate and save it in your local folder. This certificate is used in Step 5.
Step 4: Configure SSO in Azure AD
- Log in to Azure AD admin portal.
- Go to Enterprise application > Oracle HCM > Single Sign-on > SAML-based Sign-on.
- Click the pencil icon to edit Basic SAML Configuration. Replace the Reply URL with the Proxy URL: the original Oracle HCM host with the MVISION Cloud proxy domain appended and the ?shnsaml query parameter added, as shown:
- Original URL: https://dnn-dev7.login.em2.oraclecloud.com/oam/server/fed/sp/sso
- Modified Proxy URL: https://dnn-dev7.login.em2.oraclecloud.com.oracleoct.ocl.raksusprod.myshn.net/oam/server/fed/sp/sso?shnsaml
- Under SAML Signing Certificate, click the Federation Metadata XML Download link.
- In the downloaded metadata XML file, find every section enclosed in <X509Certificate> and </X509Certificate> tags; there may be more than one. In each of these sections, replace the existing Azure AD IdP certificate with the MVISION Cloud Proxy Certificate downloaded in Step 3. Paste only the Base64 body of the certificate (without the BEGIN CERTIFICATE and END CERTIFICATE lines and without line breaks), because that is the form the X509Certificate element carries. After this change, Oracle HCM verifies SAML assertion signatures against the proxy's certificate rather than Azure AD's.
- Save the modified IdP Metadata file. This file is used in Step 5 to add IdP metadata for Oracle HCM.
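The Reply URL rewrite and the certificate replacement in this step, as an added Python example (this is not part of the original page or of MVISION Cloud's tooling). It assumes the SAML metadata and XML Signature element names from the OASIS SAML 2.0 metadata schema, uses the proxy domain from the example above, and works on a constructed metadata snippet and a constructed (non-real) proxy certificate PEM; the tenant GUID in the sample entityID is a placeholder.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Namespaces used in Azure AD federation metadata (standard SAML 2.0 metadata and XML-DSig).
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample metadata: two X509Certificate elements, as seen in real metadata.
# The entityID tenant GUID is a placeholder, not a real tenant.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>QVpVUkUtSURQLUNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>QVpVUkUtSURQLUNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the Proxy Certificate downloaded in Step 3 (valid Base64, not a real cert).
SAMPLE_PROXY_CERT_PEM = """-----BEGIN CERTIFICATE-----
TVZJU0lPTi1QUk9YWS1DRVJU
-----END CERTIFICATE-----
"""


def pem_to_base64_body(pem: str) -> str:
    """Return the Base64 DER body of a PEM certificate: no BEGIN/END lines, no line breaks.

    This is the form an X509Certificate element expects. Decoding with validate=True
    rejects stray characters, so a mangled paste fails here instead of at SSO time.
    """
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises binascii.Error on bad input
    return body


def proxy_reply_url(original_acs: str, proxy_suffix: str, marker: str = "shnsaml") -> str:
    """Rewrite the SP Reply URL to pass through the proxy.

    The proxy host is the original host with the proxy domain appended (Step 4 example),
    and the ?shnsaml marker is added as the query string.
    """
    parts = urlsplit(original_acs)
    host = f"{parts.hostname}.{proxy_suffix}"  # any explicit port is dropped
    query = marker if not parts.query else f"{parts.query}&{marker}"
    return urlunsplit((parts.scheme, host, parts.path, query, parts.fragment))


def replace_metadata_certs(metadata_xml: str, proxy_cert_pem: str) -> tuple[str, int]:
    """Replace every ds:X509Certificate body in IdP metadata with the proxy certificate.

    Returns the rewritten XML and how many elements were replaced, so the caller can
    confirm that all occurrences (not just the first) now carry the proxy certificate.
    """
    root = ET.fromstring(metadata_xml)
    body = pem_to_base64_body(proxy_cert_pem)
    count = 0
    for element in root.iter(f"{{{DS_NS}}}X509Certificate"):
        element.text = body
        count += 1
    if count == 0:
        raise ValueError("no X509Certificate elements found in metadata")
    return ET.tostring(root, encoding="unicode"), count


if __name__ == "__main__":
    acs = "https://dnn-dev7.login.em2.oraclecloud.com/oam/server/fed/sp/sso"
    print(proxy_reply_url(acs, "oracleoct.ocl.raksusprod.myshn.net"))
    rewritten, replaced = replace_metadata_certs(SAMPLE_METADATA, SAMPLE_PROXY_CERT_PEM)
    print(f"replaced {replaced} certificate element(s)")
    print(rewritten)
```

Run it against the real downloaded metadata by reading the file into replace_metadata_certs and writing the returned XML back out; check that the reported count matches the number of X509Certificate elements you see in the file before uploading it to Oracle HCM in Step 5.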
Step 5: Add IdP Metadata in Oracle HCM
To integrate SSO for Oracle HCM:
- Log in to Oracle HCM.
- In the IdP Details page, upload the new metadata file obtained in Step 4.
An additional IdP (MVISION Cloud) is now added to Oracle HCM.
NOTE: For more details on adding IdP in Oracle HCM, see Add an Identity Provider.
Step 6: Validate the SSO Flow via Proxy
To validate the SSO flow via proxy for Oracle HCM:
- Connect to your Oracle HCM instance and log in using your Azure AD account.
NOTE: Remember, the same user must also exist in Oracle HCM.
- After login, you should be redirected to Oracle HCM through the MVISION Cloud reverse proxy. Confirm that the address bar shows the proxy host (the Oracle HCM host with the MVISION Cloud proxy domain appended, as in the Reply URL configured in Step 4) rather than the original Oracle HCM host.
Oracle HCM Known Behavior
When working in Oracle HCM, you might notice the following known behavior:
- Unable to save the SSO setting for the dev10 instance. If you try to save the SSO integration on a dev10 instance, the save fails in the Oracle HCM application and the Single Sign-on error message "Signature verification failed" is shown. As a workaround, add a CAP with the Redirect All action in the tenant. After the CAP is added, the SSO configuration saves successfully in Oracle HCM, and SSO login via the proxy also succeeds.