Oracle by Example: Setting Up Federation Between Okta and Oracle Identity Cloud Service

Section 0: Before You Begin

Purpose

This 15-minute tutorial shows you how to integrate Oracle Identity Cloud Service, acting as a Service Provider (SP), with Okta, acting as an Identity Provider (IdP). By setting up federation between Okta and Oracle Identity Cloud Service, you enable users to access applications in Oracle Identity Cloud Service using credentials that are authenticated by Okta.

Background

Oracle Identity Cloud Service provides integration with IdPs that support the SAML protocol. This integration:

  • Works with federated Single Sign-On (SSO) solutions that are compatible with Okta as an IdP.
  • Allows users to log in to Oracle Identity Cloud Service using the credentials from their own Okta.
  • Can force IdP authentication for all users or offer IdP authentication as an option (Login Chooser option).

The IdP integration provides the following benefits:

  • SSO across cloud and on-premises solutions: Oracle Identity Cloud Service provides SSO for cloud applications and on-premises applications while the IdP provides the authentication. Users log in only once, using their IdP credentials.
  • Support multiple SSO scenarios in parallel: By combining the Login Chooser with an IdP, you offer different SSO scenarios per user. This option can be used for the following scenarios:
    • Employees authenticate using their enterprise IdP credentials.
    • Contractors authenticate directly in Oracle Identity Cloud Service.
  • Enable defense-in-depth strategies in the cloud: The IdP integration, when carefully planned and coupled with other security controls, can enable a hybrid cloud defense-in-depth strategy (applying your on-premises security controls to cloud solutions). For example, if you make IdP authentication the only option for your employees, and your IdP is reachable only from the intranet or over VPN, you ensure that Oracle Identity Cloud Service is accessed only when your employees are in your network-safe environment.

What Do You Need?

  • Access to Oracle Identity Cloud Service with authorization to manage IdPs (Identity Domain Administrator or Security Administrator).
  • Access to an Okta instance.
  • Users synchronized between an Okta domain and Oracle Identity Cloud Service.

Note: You must have an Oracle Cloud Account with Identity Cloud Service.


Section 1: Configure Okta as the IdP

In this section, you configure Okta to act as an IdP for Oracle Identity Cloud Service.

  1. Log in to the Okta administrator console, and then navigate to the Applications tab to create a new application.
  2. Click Add Application and then Create New App.
  3. In the Create a New Application Integration window:
    • Select Web as the Platform.
    • Select SAML 2.0 as the Sign on method.
    [Illustration: Create new SAML Application in Okta]
  4. Click Create to continue.
  5. On the General Settings page, enter a name for the application in the App name field, and click Next.

    Note: On the Configure SAML page in SAML Settings, you need to provide values for Single sign on URL (the assertion consumer service URL) and Audience URI (SP Entity ID) (the service provider entity ID). Federation works only if the Audience URI (SP Entity ID) is correct.

  6. To find the exact Single sign on URL and SP Entity ID for your tenant, log in to Oracle Identity Cloud Service.
  7. In the Oracle Identity Cloud Service URL, add /.well-known/idcs-configuration after oraclecloud.com and press Enter:

    https://MYTENANT.identity.oraclecloud.com/.well-known/idcs-configuration

  8. On this page, scroll down to SAML configuration, copy the value of saml_sp_sso_endpoint, and paste this URL in the Single sign on URL field. The sample format, but not necessarily the correct URL for your tenant, is as follows:

    https://MYTENANT.identity.oraclecloud.com/fed/v1/sp/sso

  9. On the same page, find metadata_endpoint under SAML configuration, copy the URL, and paste it in a new browser tab. In this new page, search for entityID, copy the URL, and paste it in the Audience URI (SP Entity ID) field. The sample format, but not necessarily the correct URL for your tenant, is as follows:

    https://MYTENANT.identity-test.oraclecloud.com/fed

  10. Note: In the Single sign on URL and the Audience URI, replace MYTENANT with your Oracle Identity Cloud Service domain.

    To learn about the other options that can be used to access SAML metadata, see Access SAML Metadata.

  11. On the Configure SAML page in SAML Settings, enter values for the following fields, and click Next:
    • Name ID format: Identifies the SAML processing rules and constraints for the assertion's subject statement. Select EmailAddress.
    • Application username: Determines the default value for a user's application user name. The application user name is used as the assertion's subject statement. Select Email.
  12. On the Help Okta Support understand how you configured this application section, select I'm an Okta customer adding an Internal app, and then click Finish.
  13. Click the Applications tab, navigate to the new app, and then select the Sign On tab.
  14. Click the Identity Provider metadata link and open it in a new tab.
  15. Save the metadata with the .xml extension.
    • If you are using the Firefox browser, navigate to the File menu, select Save Page As, and then save the metadata with the .xml extension.
    • If you are using the Chrome browser, right-click on the page, select Save As, and then save the metadata with the .xml extension.
    [Illustration: SAML Application in Okta]

    In order to successfully test the federation between Okta and Oracle Identity Cloud Service, you need to assign the application to the user account in Okta.

  16. To assign users, select the Assignments tab in the Application page.
  17. From Assign drop-down, select Assign to People.
  18. In the page that opens, select Assign for each of the users that you want to assign to the application. Once assigned, click Done.

The user is now assigned to the application. Use the same user to test the federation between Okta and Oracle Identity Cloud Service.
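The lookups in steps 6 through 10 and the metadata download in steps 14 and 15, as an added Python example that is not part of the tutorial: it reads the two Okta SAML settings out of a constructed idcs-configuration document and SP metadata, and sanity-checks a saved IdP metadata file (signing certificate, emailAddress NameID format, HTTPS HTTP-POST endpoint) before it is uploaded in the next section. The JSON key nesting, the metadata_endpoint path, the Okta host and the certificate value are constructed assumptions.

```python
import json
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-ins for the three documents the steps above open (MYTENANT, example.okta.com, the cert and the JSON nesting are placeholders/assumptions).
IDCS_CONFIG = json.dumps({"saml_configuration": {
    "saml_sp_sso_endpoint": "https://MYTENANT.identity.oraclecloud.com/fed/v1/sp/sso",
    "metadata_endpoint": "https://MYTENANT.identity.oraclecloud.com/fed/v1/metadata"}})
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://MYTENANT.identity.oraclecloud.com/fed"><md:SPSSODescriptor><md:AssertionConsumerService
  Binding="%s" Location="https://MYTENANT.identity.oraclecloud.com/fed/v1/sp/sso" index="0"/>
  </md:SPSSODescriptor></md:EntityDescriptor>""" % HTTP_POST
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/PLACEHOLDER">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor><md:NameIDFormat>%s</md:NameIDFormat><md:SingleSignOnService
  Binding="%s" Location="https://example.okta.com/app/sso/saml"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>""" % (EMAIL_FORMAT, HTTP_POST)

def find_key(obj, key):
    """Depth-first lookup of `key` anywhere in the nested idcs-configuration document."""
    if not isinstance(obj, dict):
        return None
    return obj[key] if key in obj else next(
        (v for v in (find_key(c, key) for c in obj.values()) if v is not None), None)

def okta_sp_settings(idcs_config_json, sp_metadata_xml):
    """Values to paste into Okta's 'Single sign on URL' and 'Audience URI (SP Entity ID)' fields."""
    return {"single_sign_on_url": find_key(json.loads(idcs_config_json), "saml_sp_sso_endpoint"),
            "audience_uri": ET.fromstring(sp_metadata_xml).get("entityID")}

def check_idp_metadata(idp_metadata_xml):
    """Problems to fix before uploading the saved Okta metadata into Identity Cloud Service."""
    idp = ET.fromstring(idp_metadata_xml).find(f"{MD}IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor: not IdP metadata (was the SP metadata saved by mistake?)"]
    problems = []
    if not [c for c in idp.iter(f"{DS}X509Certificate") if c.text and c.text.strip()]:
        problems.append("no signing certificate: the SP cannot verify assertion signatures")
    if EMAIL_FORMAT not in [n.text.strip() for n in idp.findall(f"{MD}NameIDFormat") if n.text]:
        problems.append("emailAddress NameID format not advertised (step 11 selects EmailAddress)")
    sso = [s.get("Location", "") for s in idp.findall(f"{MD}SingleSignOnService") if s.get("Binding") == HTTP_POST]
    if not sso or not sso[0].startswith("https://"):
        problems.append("no HTTPS SingleSignOnService endpoint with the HTTP-POST binding")
    return problems
```

Point okta_sp_settings at the real well-known document and metadata for your tenant and check_idp_metadata at the file saved in step 15; an empty list means the file is ready to upload.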


Section 2: Configure Oracle Identity Cloud Service as a Service Provider

In this section, you configure Oracle Identity Cloud Service to federate with Okta as an IdP.

  1. In the Identity Cloud Service administrator console, expand the Navigation Drawer, and then click Security.
  2. Navigate to Identity Providers, and then click Add SAML IDP.
  3. On the Add Identity Provider page, enter the name and description for the SAML 2.0 IdP, and then click Next.
  4. On the Configure page, import the IdP metadata file that you saved from the application Sign-On tab in Okta. To import, click Upload, browse and select the metadata file, and then click Next.
  5. On the Map page, map a user's attribute value from the IdP to the corresponding user attribute in Oracle Identity Cloud Service as follows, and click Next:
    • Identity Provider User Attribute: Select Name ID (or a SAML attribute for a custom configuration).
    • Oracle Identity Cloud Service User Attribute: Select Primary Email Address (or a corresponding value in Oracle Identity Cloud Service).
    • Requested NameID Format: Select Email Address.
    [Illustration: Add an IDP]
  6. On the Export page, click Next.
  7. On the Test page, click Next to activate the federation.
    [Illustration: Test Login]

    Note: To test, use a user account that exists both in the IdP (Okta) and in the Service Provider (Oracle Identity Cloud Service). Otherwise, the assertion fails.

  8. On the Activate page, click Activate. The IdP is now activated.
  9. Click Finish.
  10. The IdP is now available on the Identity Providers page.

  11. To add the IdP to the Login page, click the action menu for the IdP, and then select Show on Login Page.
    [Illustration: Show on Login Page]
  12. On the Show Identity Provider? dialog box, select Show.
  13. The IdP is now available to be used in the IDP Policies configuration.


Section 3: Assign the Okta IdP to an IdP Policy

In this section, you assign the IdP to an IdP policy to enable an alternate sign-in through the IdP.

  1. On the Identity Cloud Service administrator console, expand the Navigation Drawer, and then click Security.
  2. Click IDP Policies.
  3. On the Identity Provider Policies page, do one of the following:
    • To assign the IdP to the default IdP policy, click Default Identity Provider Policy to assign the IdP.
    • To create a new IdP policy and assign the IdP, click Add.
  4. On the Identity Providers tab, click Assign to add the IdP.
  5. On the Assign Identity Providers page, select the check box of the Okta IdP, and then click OK.
  6. The assigned IdP appears on the Default Identity Provider Policy page.


Section 4: Test the Federation

In this section, you test the federation to ensure that it works correctly before enabling the IdP for all users.

  1. On the Identity Cloud Service administrator console, select the user menu, and then select Sign Out to test the federation.
  2. On the Oracle Identity Cloud Service Login page, click the IdP link to log in using Okta credentials.
    [Illustration: Sign-in page with Okta]
  3. Okta authenticates the user, and the user is signed in to Oracle Identity Cloud Service.


Want to Learn More?