SSO Setup Overview

SSO (Single Sign-On) enables per-user authentication through your corporate identity provider. Each user authenticates with their own credentials, and Oracle's security profiles determine what data they can access.

How SSO Works

AgentCube SSO uses a two-layer authentication model:

  1. Layer 1 — Inbound Authentication: The AI platform (Claude, Copilot Studio) initiates an OAuth flow with your identity provider. The user authenticates via corporate SSO, and AgentCube receives a validated token containing the user's identity.

  2. Layer 2 — Oracle Token Exchange: AgentCube exchanges the user's identity for an Oracle-scoped access token via the OCI Identity Domain. All Oracle API calls are made as the authenticated user.

sequenceDiagram
    participant User
    participant AI Platform
    participant IdP as Identity Provider
    participant AC as AgentCube
    participant OCI as OCI Identity Domain
    participant Oracle as Oracle EPM

    User->>AI Platform: Ask a question
    AI Platform->>AC: MCP tool call
    AC->>IdP: Redirect for authentication
    IdP->>User: Corporate login page
    User->>IdP: Enter credentials
    IdP->>AC: Validated token (user identity)
    AC->>OCI: JWT assertion (user identity)
    OCI->>AC: Oracle access token
    AC->>Oracle: API call (as authenticated user)
    Oracle->>AC: User-scoped data
    AC->>AI Platform: Tool result
    AI Platform->>User: Answer with real data
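The Layer 2 exchange above, as an added example that is not AgentCube's own code: it builds the RS256-signed user assertion that AgentCube would present to the OCI Identity Domain token endpoint (jwt-bearer grant) and, mirroring the receiving side, verifies it with the public key of the certificate imported into the confidential app. The audience value, the claim set and the 5-minute lifetime are assumptions to confirm against your Identity Domain; only Go's standard library is used, so it runs offline.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)
// Assumed audience for the OCI Identity Domain token endpoint; confirm it for your domain.
const ociAudience = "https://identity.oraclecloud.com/"
var enc = base64.RawURLEncoding // JOSE base64url without padding
// BuildUserAssertion builds the RS256 JWT that Layer 2 presents to the Identity Domain; sub is the OCI username (corporate email).
func BuildUserAssertion(key *rsa.PrivateKey, kid, clientID, user string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": user, "aud": ociAudience,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()}) // short exp limits the replay window
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	d := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
// VerifyAssertion mirrors the receiving side: pin alg (no downgrade), check the signature with the certificate's public key, then enforce aud and exp.
func VerifyAssertion(pub *rsa.PublicKey, token string, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg string }
	if b, _ := enc.DecodeString(p[0]); json.Unmarshal(b, &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(p[2])
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return "", fmt.Errorf("signature rejected")
	}
	var c struct{ Sub, Aud string; Exp int64 }
	if b, _ := enc.DecodeString(p[1]); json.Unmarshal(b, &c) != nil || c.Aud != ociAudience || now.Unix() >= c.Exp {
		return "", fmt.Errorf("claims rejected (aud/exp)")
	}
	return c.Sub, nil
}
```

The private key stays inside the AgentCube container; only the certificate's public half is imported into the Identity Domain, which is what lets the exchange be verified without sharing the signing secret.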

Supported Identity Providers

Provider                                       Configuration          Guide
Microsoft Entra ID                             OIDC_PROVIDER=azure    Entra setup
Okta, Auth0, Keycloak, or any OIDC provider    OIDC_PROVIDER=oidc     Generic OIDC setup

Setup Steps

  1. Configure your identity provider: register an application for AgentCube
  2. Set up the OCI Identity Domain: create a confidential app and import the signing certificate
  3. Generate the signing key: create the RSA key pair for Oracle token exchange
  4. Deploy the container: configure environment variables and deploy
  5. Verify: test the full authentication chain

Prerequisites

  • An OIDC-compliant identity provider (Entra ID, Okta, Auth0, Keycloak, etc.)
  • An OCI Identity Domain (free tier is sufficient)
  • Users in the OCI Identity Domain with usernames matching their corporate email addresses