My Oracle Support Banner

Enabling Federated Identity Single Sign-On (SSO) Through SAML 2.0 For Primavera Products Hosted In Oracle Cloud Infrastructure (OCI) (Doc ID 2497983.1)

Last updated on NOVEMBER 06, 2020

Applies to:

Primavera P6 Enterprise Project Portfolio Management Cloud Service
Primavera P6 Standard Project and Portfolio Management Cloud Service
Primavera Gateway
Primavera Analytics Cloud Service
Primavera Unifier Cloud Service
Information in this document applies to any platform.

Purpose

Customers migrating to OCI will have to re-import SAML Metadata.

NOTE: This change will require NO DOWNTIME for your Cloud environment(s).

WHO WILL BE IMPACTED?

WHO WILL NOT BE IMPACTED?

SUPPORTED PROTOCOLS

 

 Primavera Unifier, P6 EPPM and Primavera Unifier Cloud Services support Federated Identity Single Sign-On (SSO) through Security Assertion Markup Language (SAML).

 

Overview of Federated Authentication Services

A federated identity in information technology is the means of linking a persons electronic identity and attributes, stored across multiple distinct identity management systems. Related to federated identity is single sign-on (SSO), in which a users single authentication ticket, or token, is trusted across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability.

Centralized identity management solutions were created to help deal with user and data security where the user and the systems they accessed were within the same network – or at least the same domain of control. Increasingly however, users are accessing external systems which are fundamentally outside their domain of control, and external users are accessing internal systems. The increasingly common separation of user from the systems requiring access is an inevitable by-product of the decentralization brought about by the integration of the Internet into every aspect of both personal and business life. Evolving identity management challenges, and especially the challenges associated with cross-company, cross-domain access, have given rise to a new approach to identity management, known now as federated identity management (FIdM).

FIdM, or the federation of identity, describes the technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains. The ultimate goal of identity federation is to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Federation is enabled through the use of open industry standards and/or openly published specifications, such that multiple parties can achieve interoperability for common use-cases. Typical use-cases involve things such as cross-domain, web-based single sign-on, cross-domain user account provisioning, cross-domain entitlement management and cross-domain user attribute exchange.

Security Assertion Markup Language (SAML) will be the technology supported by Primavera Products for identity federation SSO in Oracle Cloud.

Overview of SAML

SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between a service provider and an identity provider.

What are a Service Provider and Identity Provider?

  • A Service Provider (SP) is an entity that provides Web Services, for example an Application Service Providers (ASP). Service Provider technologies important to Identity Management include Software-as-a-Service (Saas), software offered using an Application Service Provider (ASP) model. A Service Provider relies on a trusted Identity Provider (IdP) or Security Token Service (STS) for authentication and authorization. In SAML 2.0, the XML-standard for exchanging data, the security domains that information is passed between are a Service Provider (SP) and an Identity Provider (IdP). The SP depends on receiving assertions from a SAML authority or asserting party, an IdP. Oracle Cloud will act as the Service Provider.
  • An Identity Provider (IdP), is an online service or website that authenticates users on the Internet by means of security tokens (SAML 2.0 for example, which will be supported in the Oracle Cloud). Service Providers depend on an Identity Provider or Security Token Service to do the user authentication. You (the customer) will act as the Identity Provider configured to your own identity store for authenticating users in your organization.

In-text Citation:

Refer to the following diagram for a general overview of the processes that occur when a user attempts to log in to a Primavera application after SAML authentication and identity federation has been successfully configured:

When a user attempts to log in to a Primavera application instance that requires SAML authentication, the following processes occur:

The purpose of this document is to outline the procedure to initiate implementation of Federated Identity Single Sign-On through SAML in your Cloud environment.

Note: When you configure SAML for the STAGE environment, this will not show up in the PRODUCTION page, e.g. Cloud landing page. This will only show when going to the STAGE URL - oraclecloud.com/p6/stage or oraclecloud.com/unifier/stage/bluedoor

Scope

Intended Audience

Identity Federated SSO and SAML Technical Notes

Primavera Product Technical Notes

IdP Technical Notes and Requirements

Process Overview

Details

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Purpose
 WHO WILL BE IMPACTED?
 WHO WILL NOT BE IMPACTED?
 SUPPORTED PROTOCOLS
Scope
 Primavera Product Technical Notes
 IdP Technical Notes and Requirements
Details
 Step 1: Complete username creation / scrubbing prerequisite requirements
 For New Cloud customers
 For Existing Cloud customers
 Step 2: Implement Federated Identity
 [Required] Complete self-service steps to configure the IDCS Identity Provider [These are for IDCS Administrators]
 
[Required] Complete self-service steps to configure IDCS IdP Policies [These are for IDCS Administrators]
 [Optional For P6 EPPM customers] Configure P6 Web Services
 Post Configuration notes
References

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.