Oracle HCM SSO Integration with Microsoft Entra ID via Proxy
This topic describes how to integrate Oracle HCM SSO with Microsoft Entra ID (formerly Azure AD) via Proxy.
Prerequisites
Before you begin, make sure you have the following prerequisites:
- Admin access to Microsoft Entra ID IdP.
- Access to Skyhigh CASB and appropriate role/rights to manage the Oracle HCM service.
- Admin access to Oracle HCM.
Configure SAML Proxy for Oracle HCM
Perform the following activities to configure the SAML proxy for Oracle HCM.
Step 1: Download the IdP Certificate from Microsoft Entra ID
- Log in to Azure as an admin and go to Microsoft Entra ID > Enterprise Applications.
- Search for Oracle HCM and add it.
- Click the Oracle HCM app and select the Single Sign-On option to configure SSO.
- Under Set up Single Sign-On with SAML, click Edit.
- Under Basic SAML Configuration, configure the following URIs, using the URL formats shown:
  - Identifier (Entity ID). Enter the URL in the following format: https://<instance-name>oraclecloud.com/oam/fed.
  - Reply URL (Assertion Consumer Service URL). Enter the URL in the following format: https://<instance-name>oraclecloud.com/oam/server/fed/sp/sso.
  - Sign on URL. Enter the URL in the following format: https://<instance-name>oraclecloud.com/oam/sp/samlv20.
- Click Save.
- Under SAML Certificate, click the Certificate (Base64) Download link to download the IdP (Azure) certificate and save it in your local folder. This is your IdP Certificate used to configure the SAML proxy in Skyhigh CASB.
Step 2: Download SP Certificate from Oracle HCM
- Log in to Oracle HCM.
- Download the SP Certificate. This SP Certificate is used to configure the SAML proxy in Skyhigh CASB.
NOTE: For more details on the Service Provider, see Review Service Provider Details.
Step 3: Configure SAML Proxy in Skyhigh CASB
- Log in to Skyhigh CASB.
- Go to Settings > Service Management.
- Select your Oracle HCM instance from the Services list. (If no services are listed, contact Skyhigh Security Support for help.)
- Click the Setup tab, and under Proxy, click Get Started.
NOTE: To create and configure the proxy for the Oracle HCM instance, see Configure Proxy for Oracle HCM.
- Under Configure SAML, click Configure.
- Under Upload Identity Provider Certificate, upload the IdP Certificate downloaded in Step 1 and click Next.
- Under Upload Service Provider Certificate, upload the SP Certificate downloaded in Step 2 and click Next.
- Under Download SAML Certificate, download the Proxy Certificate and save it in your local folder. This certificate is used in Step 5.
Step 4: Configure SSO in Microsoft Entra ID
- Log in to the Azure admin portal.
- Go to Microsoft Entra ID > Enterprise application > Oracle HCM > Single Sign-on > SAML-based Sign-on.
- Click the pencil icon to edit Basic SAML Configuration. Modify the Reply URL with the Proxy URL.
- Under SAML Certificate, click the Federation Metadata XML Download link.
- In the downloaded metadata XML file, find each section enclosed by the <X509Certificate> and </X509Certificate> tags. There may be more than one such section. In each of them, replace the existing IdP Certificate with the Skyhigh CASB Proxy Certificate downloaded in Step 3.
- Save the modified IdP Metadata file. This file is used in Step 5 to add IdP metadata for Oracle HCM.
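The certificate replacement in Step 4 is easy to get wrong by hand when the metadata contains several <X509Certificate> sections. The following is an added example, not Skyhigh or Microsoft tooling: it replaces every section and then confirms that only one certificate remains in the file. The function names and sample inputs are constructed for illustration, and the proxy certificate is assumed to be a PEM file.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

CERT_RE = re.compile(r"(<(?:\w+:)?X509Certificate>)(.*?)(</(?:\w+:)?X509Certificate>)", re.S)

def pem_body(pem: str) -> str:
    """Return the base64 body of a PEM certificate as a single line."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    body = "".join(m.group(1).split())
    base64.b64decode(body, validate=True)  # reject a corrupted or truncated download
    return body

def swap_certificates(metadata: str, proxy_pem: str):
    """Replace the content of every X509Certificate element; return (xml, count)."""
    body = pem_body(proxy_pem)
    new_xml, count = CERT_RE.subn(lambda m: m.group(1) + body + m.group(3), metadata)
    if count == 0:
        raise ValueError("no X509Certificate elements found")
    return new_xml, count

def cert_fingerprints(metadata: str) -> set:
    """Parse the XML and return the SHA-256 fingerprint of each distinct certificate."""
    root = ET.fromstring(metadata)  # also fails if the edit broke well-formedness
    certs = [e.text or "" for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "X509Certificate"]
    return {hashlib.sha256(base64.b64decode("".join(c.split()))).hexdigest() for c in certs}

# Constructed sample inputs: placeholder bytes, not real certificates or real metadata.
IDP_B64 = base64.b64encode(b"constructed-idp-certificate").decode()
PROXY_PEM = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"constructed-proxy-certificate").decode()
             + "\n-----END CERTIFICATE-----\n")
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{IDP_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
  <RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{IDP_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    patched, n = swap_certificates(SAMPLE_METADATA, PROXY_PEM)
    print(n, "certificate section(s) replaced; fingerprints now:", cert_fingerprints(patched))
```

After the replacement, cert_fingerprints should return exactly one value; more than one means an IdP certificate section was missed.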
Step 5: Add IdP Metadata in Oracle HCM
To integrate SSO for Oracle HCM:
- Log in to Oracle HCM.
- In the IdP Details page, upload the new metadata file obtained in Step 4.
Now, an additional IdP (Skyhigh CASB) is added to Oracle HCM.
NOTE: For more details on adding an IdP in Oracle HCM, see Add an Identity Provider.
Step 6: Validate the SSO Flow via Proxy
To validate the SSO flow via proxy for Oracle HCM:
- Connect to your Oracle HCM instance and log in using your Microsoft Entra ID account.
NOTE: The same user must also exist in Oracle HCM.
- After login, you are directed to Oracle HCM via the Skyhigh CASB reverse proxy.
