When integrating SalesCloud with a 3rd party application you often need to pass the users identity to the 3rd party application so that 

• The 3rd party application knows who the user is
• The 3rd party application needs to be able to do WebService callbacks to Sales Cloud as that user. 

Until recently without using SAML, this wasn't easily possible and one workaround was to pass the username, potentially even the password, from Sales Cloud to the 3rd party application using URL parameters..

With Oracle Fusion R8 we now have a proper solution and that is called "JWT Token support". This is based on the industry JSON Web Token standard , for more information see here

JWT Works by allowing the user the ability to generate a token (lasts a short period of time) for a specific application. This token is then passed to the 3rd party application as a GET parameter.  The 3rd party application can then call into SalesCloud and use this token for all webservice calls, the calls will be executed as the user who generated the token in the first place, or they can call a special HR WebService (UserService-findSelfUserDetails() ) with the token and Fusion will respond with the users details.

Some more details 

The following will go through the scenario that you want to embed a 3rd party application within a WebContent frame (iFrame) within the opportunity screen. 

1. Define your application using the topology manager in setup and maintenance

•  See this documentation link on topology manager

This snippet generates a URL which contains

• The Hostname/endpoint of the 3rd party application
• Two Parameters
• The opportunityId stored in parameter "param1"
• The JWT Token store in  parameter "jwt"