This topic describes how to integrate Oracle HCM SSO with Azure AD via Proxy.
Before you begin, make sure you have the following prerequisites:
- Admin access to Azure AD IdP.
- Access to Skyhigh CASB and appropriate role/rights to manage the Oracle HCM service.
- Admin access to Oracle HCM.
Configure SAML Proxy for Oracle HCM
Perform the following activities to configure SAML proxy for Oracle HCM.
Step 1: Download IdP Certificate from Azure AD
- Log in to Azure AD as an admin and go to Azure Active Directory > Enterprise Applications.
- Search for Oracle HCM and add it.
- Click the Oracle HCM app and select the Single Sign-On option to configure SSO.
- Under Set up Single Sign-On with SAML, click Edit.
- Under Basic SAML Configuration, configure the URIs, and an example is shown below for URL format:
- Identifier (Entity ID). Enter the URL in the following format : https://<instance-name>oraclecloud.com/oam/fed.
- Reply URL (Assertion Consumer Service URL). Enter the URL in the following format : https://<instance-name>oraclecloud.com/oam/server/fed/sp/sso.
- Sign on URL. Enter the URL in the following format : https://<instance-name>oraclecloud.com/oam/sp/samlv20. Click Save.
- Under SAML Signing Certificate, click the Certificate (Base64) Download link to download the IdP (Azure) certificate and save it in your local folder. This is your IdP Certificate used to configure the SAML proxy in Skyhigh CASB.
Step 2: Download SP Certificate from Oracle HCM
- Log in to Oracle HCM.
- Download the SP Certificate. This SP Certificate is used to configure the SAML proxy in Skyhigh CASB.
NOTE: To know more details on Service Provider, see Review Service Provider Details.
Step 3: Configure SAML Proxy in Skyhigh CASB
- Log in to Skyhigh CASB.
- Go to Settings > Service Management.
- Select your Oracle HCM instance from the Services list. (If no services are listed, contact Skyhigh Security Support for help.)
- Click the Setup tab, and under Proxy, click Get Started.
NOTE: To create and configure the proxy for the Oracle HCM instance, see Configure Proxy for Oracle HCM.
- Under Configure SAML, click Configure.
- Under Upload Identity Provider Certificate, upload the IdP Certificate downloaded in Step 1 and click Next.
- Under Upload Service Provider Certificate, upload the SP Certificate downloaded in Step 2 and click Next.
- Under Download SAML Certificate, download the Proxy Certificate and save it in your local folder. This certificate is used in Step 5.
Step 4: Configure SSO in Azure AD
- Log in to Azure AD admin portal.
- Go to Enterprise application > Oracle HCM > Single Sign-on > SAML-based Sign-on.
- Click the pencil icon to edit Basic SAML Configuration. Modify the Reply URL with the Proxy URL.
- Under SAML Signing Certificate, click the Federation Metadata XML Download link.
- In the downloaded metadata XML file, find the sections within the tags <X509Certificate> and </X509Certificate>. You might notice multiple sections with this tag. For each of these sections, replace the existing IdP Certificate with the Skyhigh CASB Proxy Certificate downloaded earlier to configure SAML Proxy in Step 3.
- Save the modified IdP Metadata file. This file is used in Step 5 to add IdP metadata for Oracle HCM.
Step 5: Add IdP Metadata in Oracle HCM
To integrate SSO for Oracle HCM:
- Log in to Oracle HCM.
- In the IdP Details page, upload the new metadata file obtained in Step 4.
Now an additional IdP (Skyhigh CASB is added to Oracle HCM).
NOTE: For more details on adding IdP in Oracle HCM, see Add an Identity Provider.
Step 6: Validate the SSO Flow via Proxy
To validate the SSO flow via proxy for Oracle HCM:
- Connect to your Oracle HCM instance and login using your Azure AD account.
NOTE: Remember, you must have the same user in Oracle HCM as well.
- Post login you should be directed to Oracle HCM via the Skyhigh CASB reverse proxy.