You are here: Integrating With CPQ Cloud > Integration Guides > Single Sign-On (SSO)

Single Sign-On (SSO)


CPQ Cloud allows customers to use their corporate infrastructure for authentication and to automatically log into CPQ Cloud without the need for multiple logins and re-authentication. CPQ Cloud Single Sign-On (SSO) is configurable at the User and Partner Org levels.

Three methods can be used:

ClosedWhat is SAML 2.0?

SAML is an XML-based solution that provides a secure solution for exchanging authentication and authorization of user security information between IPDs and the applications like CPQ Cloud.

To see your SAML metadata, enter the following into your browser: /sso/spmetadata.jsp.

You need this information to register CPQ Cloud as a service provider within an IDP.

ClosedWhat is an Identity Provider (IDP)?

Identity providers are sites or services that provide a security credential (such as an authentication or authorization assertion) on behalf of a user. In some cases this security credential may contain a set of attributes like a user's name or an employee number identifier.

An External ID is often used if a customer's security policy does not allow the username to be sent out of the IDP. Instead, the IDP sends out some other form of identification (employee number, alias, and so on) which has to match the External ID field in the User Object.

ClosedWhat is an Assertion?

An assertion carries authentication and authorization statements, or credentials, about a user that the IDP claims to be true. In this case, this information is sent to CPQ Cloud to be verified against your SSO configuration.

For example, an assertion encodes the following information:

The assertion ("1d2v5") was issued at time "2004-12-05T09:22:05Z" by identity provider ( regarding subject (user 123) exclusively for service provider (

The authentication statement, in particular, asserts the following:

The user identified in the <saml:Subject> element was authenticated at time "2004-12-05T09:22:00Z" by means of a password sent over a protected channel.

Likewise, the attribute statement asserts that:

The user identified in the <saml:Subject> element is a staff member at this institution.

ClosedAssertion Time and IDPs

Assertion time, also known as a heartbeat, TimeToLive, or NotOnOrAfter, is used by an IDP to check if an IDP session is still active.  If you have specified an assertion time on your IDP, CPQ Cloud will use it to check if the IDP session is still active. 

Assertion time is independent of the CPQ session timer (which is set internally by Ops), and elapses regardless of whether the time is spent idle or not.

Best practice suggests that the assertion time should be a very long time, usually several hours. The assertion time is set in the IDP.

ClosedSSO Integration Criteria

ClosedAutomatic IDP Redirect

You can choose to automatically redirect users without an active CPQ session to the IDP login page, without having to append /sso/saml_request.jsp to the URL.  The IDP login page becomes, in effect, the official login page for that CPQ Cloud site.  This option is implemented for an entire site.

With this option enabled, if a user manually enters the URL for a specific CPQ page, they will still be taken to the IDP login page.  However, relay logic is put in place so that the user is automatically directed to the desired endpoint (the specific CPQ page) after login.

Logging out of a CPQ session will do one of two things:

This ensures that the IDP is the session master, not CPQ Cloud. If this is not the desired functionality, specify the SAML Logout URL and SAML Single Logout Endpoint on the Single Sign On Settings page.  With this information, logging out of the CPQ session also logs out of the IDP session.

Automatic IDP redirect is not compatible with guest sessions. If guest sessions are enabled (on the Options-General page), automatic redirect will not work.

Instead of being redirected automatically to the IDP login page, the user will go to the CPQ Cloud login page.  Similarly, if automatic IDP redirect is enabled, validation will prevent guest sessions from being enabled.

Automatic IDP redirect is only supported if Single Sign-On Method (on the Single Sign On Settings page) is set to Federated Authentication or Federated and Remote.

This feature is disabled by default.  Open a ticket on My Oracle Support to enable this feature. 

ClosedSetup Tips

ClosedSigned Request Option

A signed request is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.  This helps establish a level of trust to ensure that, for example, when CPQ Cloud makes a request to an IDP, the IDP can verify that it is actually CPQ Cloud that made the request, and not an attacker disguised as CPQ Cloud.

In the Single Sign On Settings page, a CPQ Cloud admin can now optionally provide a Java SAML Request Keystore file, along with a corresponding Request Keystore StorePass and Request Keystore KeyPass, so that SAML requests to the IDP are signed.

This is different than SAML Responses from the IDP, which must always be signed.

For more information on SAML standards, see the Related Topics section below.

Federated Authentication via SAML

Federated Authentication is a Single Sign-On method that leverages an IDP that supports SAML.

Before SSO via SAML can be used in CPQ Cloud, work must be completed outside of CPQ Cloud. The flowchart below illustrates what you need to obtain and how it relates to CPQ Cloud.

ClosedClick here to view flowchart

ClosedSet Up SAML for CPQ Cloud Users

Each user that needs to access the CPQ Cloud application through SSO must have a CPQ Cloud user account.

Users must exist in CPQ Cloud, but SSO can be configured without a password if you are using Federated Authentication. When using Remote WebServices, CPQ Cloud will still require a password.

  1. Navigate to the User Administration List page.
  1. Click Admin to go to the Admin Home Page.
  2. Click Internal Users in the Users section.

    The User Administration List page appears.

  1. Click a Login.

    The User Administration page appears.
  2. Select an option from the Enable for SSO drop-down.

    If the User is enabled for Single Sign-On login, then when the site itself is enabled for SSO, the user can log in with SSO. If you know the user's External SSO ID, then that can be used for SSO. Otherwise, the User's Login will be used. There are three options to choose from:
    • Not Enabled: SSO is not available for this user; they must log in to CPQ Cloud directly.
    • Enabled for SSO: SSO is available for this user; they can log in to CPQ Cloud directly or through SSO.
    • SSO Only: SSO is available for this user; however, they cannot log in to CPQ Cloud directly.

In version 2015.1 and later, the property “SPNameQualifier” is no longer required in an IDP’s SAML response.

If a SAML assertion from an IDP is missing the signature tag, CPQ Cloud will reject the request and log the failure.

ClosedSetting up Single Sign-On in CPQ Cloud

  1. Click Admin to go to the Admin Home Page.
  2. Click Single Sign-On under Integration Platform.

    The Single Sign On Settings page appears.

  3. From the Single Sign On Method drop-down, select Federated Authentication. This enables SAML SSO.
  4. For BigMachines Issuer URL, enter
  5. Click Browse to locate and upload an Identity Provider Certificate.

    This file details how to communicate with each particular Identity Provider. For example, information such as the IP login and logout, and NameID formats, are in this file.

  6. If necessary, enter a SAML Requested Name Identifier Format.

    Each IDP supports different NameID formats, which can be found in the IDP configuration. FullAccess users can customize this field. If the field is left blank, the setting defaults to using the "transient" format.

    Common NameID Formats:

  7. Enter the URL that identifies the SAML Identity Provider.

    This is a required step because all assertions that are sent to CPQ Cloud need to have an Issuer value that is identical to this field.

  8. Enter a SAML Logout URL.

    Whenever a CPQ Cloud user is logged out (via a session timeout, or by the user manually logging out), the user will be redirected to the SAML Logout URL. If a SAML Logout URL is not defined, the user will land on the CPQ Cloud login screen after being logged out.

    In some implementations, you may wish to only show the login screen of the IDP and never show the CPQ Cloud login screen. In this scenario, set the SAML Logout URL to the URL of the IDP login screen.

  9. Enter a SAML Single Logout Endpoint.

    The SAML Single Logout Endpoint must be the API Endpoint URL of the logout Web Service of the partner system. Whenever a CPQ Cloud user is logged out (via a session timeout, or by the user manually logging out), CPQ Cloud will send a Web Service call to the SAML Single Logout Endpoint to trigger the logout of the user in the partner system.

    Adding a valid SAML Single Logout Endpoint essentially creates a “global logout” scenario, where whenever a user is logged out of CPQ Cloud, he/she will also be logged out of the partner system. Defining a valid SAML Single Logout Endpoint is a best practice of SSO integrations.

  10. Select the SAML User ID Type.

    This specifies which of two identifiers an assertion contains when being sent to CPQ Cloud:
  11. Select the SAML User ID Location. This specifies in which of two locations in the assertion a user will be identified.

  12. Click Apply to save your changes. Click Update to save your changes and return to the Admin Home Page. Click Back to return to the Admin Home Page without saving your changes.

Remote WebServices

Remote WebServices is a Single Sign-On method that leverages and IDP that does not support SAML. It allows a user logged into partner applications to access CPQ Cloud without having to login or re-authenticate. This method does not require that the IDP support SAML.

This method does not support Auto IDP Redirect. For more information, see the topic Automatic IDP Redirect.

All URL parameters (sessionid, sso=true, username) are melded in order to log in a user with Remote WebServices. The SSO settings have to be set to Remote WebServices and the user must be enabled for SSO for the login to succeed.

In order to access CPQ Cloud, the portal requires a customized SOAP call to the CPQ Cloud login WebService.

ClosedSSO Sample Login XML

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="">


<bm:category xmlns:bm="">Security</bm:category>

<bm:xsdInfo xmlns:bm="">





<bm:login xmlns:bm="">









ClosedURL to Redirect a User after Login



For more information about Security Assertion Markup Language (SAML), consult the following resources:

    CPQ Cloud currently supports SAML 2.0, which is not backwards compatible.


Related Topics Link IconSee Also