Datawiza
Back to blog
Updated July 19, 2026Blog

OneLogin SSO for Oracle EBS: SAML or OIDC Login and MFA Without OAM or the EBS Asserter

Abstract feature image for OneLogin SSO and Oracle EBS
Table of contents

OneLogin can be the workforce identity provider for Oracle E-Business Suite through either SAML or OIDC. The challenge is that EBS itself does not speak either protocol natively. OneLogin can authenticate the user and enforce MFA, but EBS still expects a valid FND_USER and ICX session.

Datawiza Access Proxy sits in front of EBS and acts as the bridge. OneLogin performs SAML or OIDC authentication and applies the OneLogin MFA policy. Datawiza validates the signed assertion or token, maps the OneLogin username, email, or claim to the right EBS FND_USER, and uses the configured EBS service-account and DBC-file flow to create the user's ICX session. The user lands in EBS as themselves, with normal responsibilities.

Why OneLogin SSO for Oracle EBS Needs a Bridge

Oracle EBS was built before modern identity standards became common. There is no native OneLogin connector inside EBS and no built-in SAML or OIDC endpoint that OneLogin can call directly. Without a bridge, teams usually end up considering OAM, OCI IAM with the EBS Asserter, or custom integration work.

The proxy path is narrower. It keeps OneLogin as the IdP, keeps EBS unchanged, and avoids deploying Oracle identity middleware just to modernize EBS login. For the broader comparison, see Oracle EBS SSO: The Complete Implementation Guide.

SAML or OIDC: Which One Should You Use with OneLogin?

Both patterns work. Use SAML if your OneLogin application catalog, admin process, or compliance documentation already standardizes on SAML for enterprise web apps. Use OIDC if your identity team prefers OAuth/OIDC flows, token-based claims, or a newer app integration model. In both cases, Datawiza handles the protocol exchange with OneLogin and translates the authenticated identity into the EBS session model.

How the Flow Works

  1. A user requests Oracle EBS through the Datawiza-protected URL.
  2. Datawiza redirects the browser to OneLogin for SAML or OIDC authentication and any required OneLogin MFA or sign-on policy.
  3. OneLogin returns either a signed SAML assertion or OIDC tokens to Datawiza.
  4. Datawiza validates the assertion or token, then maps the OneLogin username, email, or claim to the matching EBS FND_USER.
  5. Datawiza uses the configured EBS service account and DBC-file flow to establish the user's ICX session.
  6. The user reaches Oracle EBS as their own EBS account, with existing EBS responsibilities and security unchanged.

What You Avoid

  • No Oracle Access Manager deployment just for EBS login.
  • No Oracle Internet Directory synchronization requirement.
  • No EBS Asserter WebLogic application to deploy, secure, and operate.
  • No app-tier plugin or EBS code change that must be retested during patch cycles.

Identity Mapping: OneLogin Claims to FND_USER

The main design step is deciding which OneLogin attribute or claim maps to the EBS username. Many teams use email or username, but the right choice depends on how FND_USER was created and maintained. Datawiza handles that mapping at the access layer, so the EBS user model can remain stable.

OneLogin MFA and Sign-On Policies

OneLogin MFA, network rules, device policies, and sign-on rules can be enforced before EBS access. EBS does not need to implement or understand those policies; it only receives an authenticated session after the policy succeeds.

Frequently Asked Questions

Does Oracle EBS support OneLogin SAML or OIDC natively?

No. Oracle EBS has no native SAML or OIDC support, so OneLogin SSO requires a component that performs the identity-provider exchange and establishes the EBS session.

Should we use SAML or OIDC for OneLogin and Oracle EBS?

Either can work. SAML is common for enterprise web SSO, while OIDC may fit teams that prefer token-based claims and OAuth/OIDC patterns. The important point is that EBS does not consume either protocol directly; Datawiza validates the OneLogin response and creates the EBS session.

Do we need OAM or the EBS Asserter for OneLogin SSO?

No. Datawiza can connect OneLogin directly to Oracle EBS without OAM, OID, OCI IAM, or the EBS Asserter. The proxy handles SAML or OIDC with OneLogin and creates the EBS session through the configured EBS service-account and DBC-file flow.

Can OneLogin MFA protect Oracle EBS?

Yes. OneLogin MFA and sign-on policies are enforced during the OneLogin login flow before the user reaches EBS.

Which EBS releases are supported?

The proxy approach is commonly used for EBS 12.1 and 12.2 environments because it does not install an app-tier plugin inside EBS.

Bottom Line

OneLogin can be your modern identity layer for EBS without turning the project into an Oracle middleware program. See the Oracle EBS SSO and MFA solution page or book a demo to review your EBS release, OneLogin protocol choice, MFA policies, and rollout plan.

Datawiza is Easy to Get Started

Sign up to secure your AI agents and critical enterprise apps

Try Datawiza