CPQ Cloud allows customers to use their corporate infrastructure for authentication and to automatically log into CPQ Cloud without the need for multiple logins and re-authentication. CPQ Cloud Single Sign-On (SSO) is configurable at the User and Partner Org levels.
Three methods can be used:
Federated Authentication via SAML (Security Assertion Mark-Up Language)
Users are managed with an Identity Provider or Portal (IDP) which supports SAML, so instead of visiting CPQ Cloud directly, users access this Id Provider site before clicking on a link to access CPQ Cloud.
See Federated Authentication via SAML for more information.
Remote WebServices
Users are also managed with an IDP, but one that doesn't support SAML. Partner applications submit a login request through a SOAP API call to the CPQ Cloud Login web service.
See Remote WebServices for more information.
Federated and Remote
This is a combination of the "Federated Authentication" and "Remote WebServices" methods.
What is SAML 2.0?
SAML is an XML-based standard for securely exchanging user authentication and authorization information between IDPs and applications such as CPQ Cloud.
To see your SAML metadata, enter the following into your browser:
You need this information to register CPQ Cloud as a service provider within an IDP.
What is an Identity Provider (IDP)?
Identity providers are sites or services that provide a security credential (such as an authentication or authorization assertion) on behalf of a user. In some cases this security credential may contain a set of attributes like a user's name or an employee number identifier.
An External ID is often used if a customer's security policy does not allow the username to be sent out of the IDP. Instead, the IDP sends out some other form of identification (employee number, alias, and so on) which has to match the External ID field in the User Object.
What is an Assertion?
An assertion carries authentication and authorization statements, or credentials, about a user that the IDP claims to be true. In this case, this information is sent to CPQ Cloud to be verified against your SSO configuration.
For example, an assertion encodes the following information:
The assertion ("1d2v5") was issued at time "2004-12-05T09:22:05Z" by identity provider (https://idp.example.org/SAML2) regarding subject (user 123), exclusively for service provider
The authentication statement, in particular, asserts the following:
The user identified in the <saml:Subject> element was authenticated at time "2004-12-05T09:22:00Z" by means of a password sent over a protected
Likewise, the attribute statement asserts that:
The user identified in the <saml:Subject> element is a staff member at this institution.
Assertion Time and IDPs
Assertion time, also known as a heartbeat, TimeToLive, or NotOnOrAfter, is used by an IDP to check if an IDP session is still active. If you have specified an assertion time on your IDP, CPQ Cloud will use it to check if the IDP session is still active.
Assertion time is independent of the CPQ session timer (which is set internally by Ops), and elapses regardless of whether the time is spent idle or not.
Best practice suggests that the assertion time should be a very long time, usually several hours. The assertion time is set in the IDP.
SSO Integration Criteria
Frequency: Triggered during each login
Format: SAML 2.0 or SOAP Web Service
Automatic IDP Redirect
You can choose to automatically redirect users without an active CPQ session to the IDP login page, without having to append to the URL. The IDP login page becomes, in effect, the official login page for that CPQ Cloud site. This option is implemented for an entire site.
With this option enabled, if a user manually enters the URL for a specific CPQ page, they will still be taken to the IDP login page. However, relay logic is put in place so that the user is automatically directed to the desired endpoint (the specific CPQ page) after login.
Logging out of a CPQ session will do one of two things:
This ensures that the IDP is the session master, not CPQ Cloud. If this is not the desired functionality, specify the SAML Logout URL and SAML Single Logout Endpoint on the Single Sign On Settings page. With this information, logging out of the CPQ session also logs out of the IDP session.
Automatic IDP redirect is not compatible with guest sessions. If guest sessions are enabled (on the Options-General page), automatic redirect will not work.
Instead of being redirected automatically to the IDP login page, the user will go to the CPQ Cloud login page. Similarly, if automatic IDP redirect is enabled, validation will prevent guest sessions from being enabled.
Automatic IDP redirect is only supported if Single Sign-On Method (on the Single Sign On Settings page) is set to Federated Authentication or Federated and Remote.
This feature is disabled by default. Open a ticket on My Oracle Support to enable this feature.
Perform the following two tasks before contacting Customer Service to enable automatic IDP redirect:
If you need help accessing your site without SSO privileges, open a ticket on My Oracle Support.
There are no settings to observe to determine if Automatic IDP Redirect is turned on; open a ticket on My Oracle Support to see if Automatic IDP Redirect is on or off. Admins, however, must turn off guest sessions either before or after this feature is enabled.
To determine if automatic IDP redirect is working or even enabled:
A signed request is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. This helps establish a level of trust to ensure that, for example, when CPQ Cloud makes a request to an IDP, the IDP can verify that it is actually CPQ Cloud that made the request, and not an attacker disguised as CPQ Cloud.
In the Single Sign On Settings page, a CPQ Cloud admin can now optionally provide a Java SAML Request Keystore file, along with a corresponding Request Keystore StorePass and Request Keystore KeyPass, so that SAML requests to the IDP are signed.
This differs from SAML Responses from the IDP, which must always be signed.
For more information on SAML standards, see the Related Topics section below.
Federated Authentication is a Single Sign-On method that leverages an IDP that supports SAML.
Before SSO via SAML can be used in CPQ Cloud, work must be completed outside of CPQ Cloud. The flowchart below illustrates what you need to obtain and how it relates to CPQ Cloud.
Set Up SAML for CPQ Cloud Users
Each user that needs to access the CPQ Cloud application through SSO must have a CPQ Cloud user account.
Users must exist in CPQ Cloud, but SSO can be configured without a password if you are using Federated Authentication. When using Remote WebServices, CPQ Cloud will still require a password.
Click Internal Users in the Users section.
The User Administration List page appears.
In version 2015.1 and later, the property “SPNameQualifier” is no longer required in an IDP’s SAML response.
If a SAML assertion from an IDP is missing the signature tag, CPQ Cloud will reject the request and log the failure.
Setting up Single Sign-On in CPQ Cloud
Click Single Sign-On under Integration Platform.
The Single Sign On Settings page appears.
Click Browse to locate and upload an Identity Provider Certificate.
This file describes how to communicate with a particular Identity Provider. For example, the IDP login and logout information and the supported NameID formats are in this file.
If necessary, enter a SAML Requested Name Identifier Format.
Each IDP supports different NameID formats, which can be found in the IDP configuration. FullAccess users can customize this field. If the field is left blank, the setting defaults to using the "transient" format.
Common NameID Formats:
Enter the URL that identifies the SAML Identity Provider.
This is a required step because all assertions that are sent to CPQ Cloud need to have an Issuer value that is identical to this field.
Enter a SAML Logout URL.
Whenever a CPQ Cloud user is logged out (via a session timeout, or by the user manually logging out), the user will be redirected to the SAML Logout URL. If a SAML Logout URL is not defined, the user will land on the CPQ Cloud login screen after being logged out.
In some implementations, you may wish to only show the login screen of the IDP and never show the CPQ Cloud login screen. In this scenario, set the SAML Logout URL to the URL of the IDP login screen.
Enter a SAML Single Logout Endpoint.
The SAML Single Logout Endpoint must be the API Endpoint URL of the logout Web Service of the partner system. Whenever a CPQ Cloud user is logged out (via a session timeout, or by the user manually logging out), CPQ Cloud will send a Web Service call to the SAML Single Logout Endpoint to trigger the logout of the user in the partner system.
Adding a valid SAML Single Logout Endpoint creates a "global logout" scenario: whenever a user is logged out of CPQ Cloud, they are also logged out of the partner system. Defining a valid SAML Single Logout Endpoint is a best practice for SSO integrations.
Select the SAML User ID Location. This specifies in which of two locations in the assertion a user will be identified.
Attribute Element: User ID is located in an <AttributeValue>, located in the <Attribute> of the assertion.
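The checks that the settings above describe (Issuer must match the configured IDP URL, an unsigned assertion is rejected, NotOnOrAfter is compared against the current time, and the user ID is read from either the Subject or an Attribute element) can be seen end to end in the following added example. It is illustrative code, not CPQ Cloud's own implementation; the sample assertion, its IDs and the employeeNumber attribute are constructed, the current time is passed in as a SAML-style UTC string, and only the presence of a Signature element is checked rather than verifying the signature against the uploaded IDP certificate.

```python
# Added example, not Oracle CPQ Cloud code: the checks the SSO settings imply,
# applied to a constructed SAML 2.0 assertion. A real deployment verifies the
# XML signature against the IDP certificate; this only checks it is present.
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion (IDs, times and values are illustrative).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="1d2v5"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user123</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2004-12-05T09:27:05Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="employeeNumber">
      <saml:AttributeValue>E-4471</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(value):
    """Parse the UTC timestamp format used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def check_assertion(xml_text, expected_issuer, now, location="subject", attr=None):
    """Return (accepted, reason, user_id). Issuer must equal the configured
    IDP URL, a Signature element must be present, NotOnOrAfter must not have
    passed, and the user ID comes from Subject/NameID or a named Attribute."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer mismatch", None
    if root.find("ds:Signature", NS) is None:
        return False, "unsigned assertion", None  # reject and log the failure
    expiry = parse_time(root.find("saml:Conditions", NS).get("NotOnOrAfter"))
    if parse_time(now) >= expiry:
        return False, "assertion expired", None
    if location == "subject":
        uid = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    else:  # Attribute Element: value sits in <AttributeValue> of <Attribute>
        path = f"saml:AttributeStatement/saml:Attribute[@Name='{attr}']/saml:AttributeValue"
        uid = root.findtext(path, namespaces=NS)
    if not uid:
        return False, "no user identifier", None
    return True, "ok", uid
```

The attribute path is the one used when the user is identified by an External ID such as an employee number, which must then match the External ID field of the CPQ Cloud user.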
Remote WebServices is a Single Sign-On method that leverages an IDP that does not support SAML. It allows a user logged into a partner application to access CPQ Cloud without having to log in or re-authenticate.
This method does not support Auto IDP Redirect. For more information, see the topic Automatic IDP Redirect.
All URL parameters are melded in order to log in a user with Remote WebServices. The SSO settings have to be set to Remote WebServices and the user must be enabled for SSO for the login to succeed.
In order to access CPQ Cloud, the portal requires a customized SOAP call to the CPQ Cloud login WebService.
SSO Sample Login XML
<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
URL to Redirect a User after Login
CPQ Cloud is configured with the Remote WebServices SSO method.
From the Admin Home Page, choose Single Sign-On under Integration Platform.
A CPQ Cloud user is enabled for SSO in CPQ Cloud and has an account in their IDP.
From the Admin Home Page, choose Internal Users under Users. Then click a user's Login.
The login SOAP API contains an sso tag, for example:
For more information about Security Assertion Markup Language (SAML), consult the following resources: