SSO Setup Overview
SSO (Single Sign-On) enables per-user authentication through your corporate identity provider. Each user authenticates with their own credentials, and the data source's security profiles determine what data they can access.
How SSO Works
AgentCube SSO uses a two-layer authentication model:
- Layer 1 — Inbound Authentication: The AI platform (Claude, Copilot Studio) initiates an OAuth flow with your identity provider. The user authenticates via corporate SSO, and AgentCube receives a validated token containing the user's identity.
- Layer 2 — Oracle Token Exchange: AgentCube exchanges the user's identity for an Oracle-scoped access token via the OCI Identity Domain. All API calls are made as the authenticated user.
```mermaid
sequenceDiagram
    participant User
    participant AI Platform
    participant IdP as Identity Provider
    participant AC as AgentCube
    participant OCI as OCI Identity Domain
    participant Oracle as Oracle EPM
    User->>AI Platform: Ask a question
    AI Platform->>AC: MCP tool call
    AC->>IdP: Redirect for authentication
    IdP->>User: Corporate login page
    User->>IdP: Enter credentials
    IdP->>AC: Validated token (user identity)
    AC->>OCI: JWT assertion (user identity)
    OCI->>AC: Oracle access token
    AC->>Oracle: API call (as authenticated user)
    Oracle->>AC: User-scoped data
    AC->>AI Platform: Tool result
    AI Platform->>User: Answer with real data
```
Supported Identity Providers
| Provider | Configuration | Guide |
|---|---|---|
| Microsoft Entra ID | OIDC_PROVIDER=azure | Entra setup |
| Okta, Auth0, Keycloak, or any OIDC provider | OIDC_PROVIDER=oidc | Generic OIDC setup |
Setup Steps
- Configure your identity provider — Register an application for AgentCube
- Set up OCI Identity Domain — Create a confidential app and import the signing certificate
- Generate the signing key — Create the RSA key pair for Oracle token exchange
- Deploy the container — Configure environment variables and deploy
- Verify — Test the full authentication chain
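The Layer 2 exchange above hinges on a signed JWT assertion: AgentCube signs a short-lived token naming the authenticated user with the RSA key from the "Generate the signing key" step, and the OCI Identity Domain accepts it only because the matching public certificate was imported into the confidential application. The following Go program is an added illustration of that mechanism and is not AgentCube's code. The claim set (`iss` as the OCI app's client ID, `aud` as the Identity Domain's token endpoint, a five-minute `exp`), the RS256/PKCS#1 v1.5 signature, and the function names are assumptions of this example; the exact claims OCI expects are documented by Oracle, not by this page. `VerifyAssertion` models what the receiving side must do before trusting the `sub` claim as a user identity, which is also the checklist AgentCube applies to the identity provider's token in Layer 1: pin the algorithm, verify the signature, then check audience and expiry.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// AssertionClaims holds the registered JWT claims of a user assertion; the exact
// claim set AgentCube sends to the OCI Identity Domain is an assumption here.
type AssertionClaims struct {
	Iss string `json:"iss"` // client ID of the OCI confidential app (assumed)
	Sub string `json:"sub"` // OCI username, i.e. the user's corporate email
	Aud string `json:"aud"` // the Identity Domain's token endpoint (assumed)
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// NewSigningKey creates the RSA key pair of the "Generate the signing key" step.
// Its public half is what the OCI confidential app gets as the signing certificate.
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decode base64url-decodes one JWT segment and unmarshals the JSON inside it.
func decode(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// BuildAssertion signs an RS256 JWT naming the authenticated user (Layer 2). The
// lifetime is short on purpose: the assertion only has to survive one exchange.
func BuildAssertion(priv *rsa.PrivateKey, clientID, user, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(AssertionClaims{Iss: clientID, Sub: user, Aud: aud,
		Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	input := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// VerifyAssertion is the receiving side's check: pin the algorithm, verify the
// signature against the registered public key, then check audience and expiry.
// Only after all of that may the subject be trusted as a user identity.
func VerifyAssertion(pub *rsa.PublicKey, token, aud string, now time.Time) (*AssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := decode(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or algorithm is not RS256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c AssertionClaims
	if err := decode(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Aud != aud:
		return nil, errors.New("audience mismatch")
	case now.Unix() >= c.Exp:
		return nil, errors.New("assertion expired")
	case c.Sub == "":
		return nil, errors.New("missing subject")
	}
	return &c, nil
}
```

Two design points carry over to a real deployment. The algorithm is pinned before the signature is checked, so a token whose header claims `none` or an HMAC algorithm is rejected outright rather than being verified under the wrong scheme. And the audience check is what keeps a single shared signing key (the multi-connector setup below) safe: an assertion minted for one Identity Domain's token endpoint is not accepted by another. The public certificate uploaded to the OCI confidential application is derived from this private key outside the program (with `openssl`, for instance); which tool you use for that step is not prescribed by this page.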
Multi-Connector Deployments
If you are deploying both the Essbase and Planning connectors with SSO, several components can be shared:
| Component | Shared across connectors? | Notes |
|---|---|---|
| RSA signing key pair | Yes | The same key pair is used for all connectors. Upload the public certificate once per OCI Identity Domain. |
| Identity provider app registration | Yes | Register one application (e.g., one Entra app) and add a redirect URI for each connector: https://{connector_hostname}/auth/callback |
| OCI confidential application | One per Identity Domain | Each OCI Identity Domain requires its own confidential application. If Essbase and Planning are on different tenants, each needs its own OCI app. |
This means adding a second connector to an existing SSO deployment only requires:
- Add a redirect URI to your existing IdP app registration
- If on a different OCI tenant: create a new OCI confidential app and upload the same signing certificate
- Set the OIDC environment variables on the new connector
Prerequisites
- An OIDC-compliant identity provider (Entra ID, Okta, Auth0, Keycloak, etc.)
- An OCI Identity Domain (free tier is sufficient)
- Users in the OCI Identity Domain with usernames matching their corporate email addresses