Configuring Active Directory Federation Services 2.0 as an Identity
Provider with Oracle Cloud as Service Provider
Overview
Purpose
This tutorial describes how to configure Active Directory
Federation Services (ADFS) 2.0 as an Identity Provider (IdP) to
be used with Oracle Cloud as the Service Provider (SP).
Time to Complete
Approximately 1 hour
Introduction
The Oracle Cloud documentation at
describes the tasks for configuring Oracle Cloud as an SP, using
the SSO Configuration tab of the My Services UI. SP configuration,
however, is only half of the configuration process: to enable SSO,
you must configure the IdP as well as the SP.
The My Services configuration page for SSO requires you to
configure the SP first. To do that, you must have metadata from
the IdP to upload into the SP. Therefore, you need to move back
and forth between the IdP and the SP to perform the complete
configuration. Specifically, you will:
Obtain the IdP metadata for SP configuration
Configure the SP
Obtain the SP metadata for IdP configuration
Configure the IdP
Test and enable SSO from the SP
Software Requirements
The following is a list of software requirements for the IdP:
Active Directory and an IIS web server are installed and
configured on-premise. In this tutorial we assume the AD
domain is adfs20.fed.oracle.com.
The on-premise Active Directory Federation Services 2.0 must
be:
Installed. In this tutorial we assume that ADFS 2.0 is already
installed on a Windows Server 2008 R2 Enterprise SP1 machine.
You can review the basic steps of how we set up ADFS 2.0 in
our environment here.
Configured for local user authentication by using either
of the following authentication methods:
Windows Integrated Authentication (for example,
Kerberos and HTTP Basic Authentication)
FORM Based Authentication
Enabled for SSL. To enable the server for SSL, its public
endpoints must be configured for SSL (for example, the reverse
proxy fronting OIF is configured for SSL). Note: The SSL
certificates are issued by well-known Certificate Authorities.
Prerequisites
Before starting this tutorial, you should:
Decide whether to use the email address or the userID as the
Federation attribute for identifying the user in the Federation
message.
Ensure that each user in the LDAP directory at the IdP
has the attribute you will use to identify the user in the
Federation message:
If you want to use the email address, then each user must
have a specific attribute containing a unique email address.
For example, if the LDAP directory is OID, mail
would be such an attribute.
If you want to use the user identifier, then each user
must have a specific attribute containing a unique userID.
For example, if the LDAP directory is OID, uid
would be such an attribute.
Ensure that the user population has been synchronized between
the IdP LDAP directory and the SP directory, with the attribute
used to identify the user being the same in both directories for
each user. Note: The user account must exist in Oracle Cloud
without a password; passwords are validated only against the
local AD store used by the ADFS 2.0 IdP. Importing a Batch of
User Accounts in Getting Started with Oracle Cloud
describes a method for synchronizing users between the two
directories.
Obtaining IdP Metadata for SP Configuration
To obtain the Active Directory Federation Services 2.0 IdP
metadata for configuring the Oracle Cloud SP, perform the
following steps:
On the ADFS 2.0 machine, launch a browser.
Access the Active Directory Federation Services 2.0 IdP
metadata. The URL is of the form: https://<host>/FederationMetadata/2007-06/FederationMetadata.xml
Save the file locally as IdP_metadata.xml.
Perform Oracle Cloud SP Configuration
You must configure the Oracle Cloud SP before you configure the
IdP.
Perform the following steps:
If necessary, copy the metadata file you obtained from the Active
Directory Federation Services 2.0 IdP to the environment where
you will configure Oracle Cloud SSO.
In a browser, navigate to the SSO Configuration page of My
Services in Oracle Cloud.
Click Configure SSO.
Select Import identity provider metadata.
Click Choose File and upload the identity
provider metadata file (IdP_metadata.xml in this
tutorial).
For SSO Protocol, HTTP POST is
recommended, and is the default.
Select User identifier. This is the Oracle
LDAP Directory attribute that is used to map the user
information contained in the incoming SSO SAML Assertion to
an Oracle Cloud User.
It is either User's email address or UserID.
Select User's email address for this tutorial.
Select Contained in. If the User
identifier is User's email address, Contained
in must be NameID.
If the User identifier is the User ID,
Contained in must be SAML Attribute
and you must specify the name of the SAML Attribute to use
for Contained in such as SamAccountName in case
of AD.
Click Save. The screen now displays all four tasks
to be performed on the SSO configuration page. You have
performed the first task, Configure SSO.
Obtaining SP Metadata for IdP Configuration
To obtain the Oracle Cloud SP metadata for configuring Active
Directory Federation Services 2.0 as an IdP, perform the following
steps:
Go to the Configure your Identity Provider Information
section of the SSO Configuration page and click Export
Metadata, then select Provider Metadata.
Save the metadata to a local file as SP_metadata.xml. You have
performed the second task on the page, Configure your
Identity Provider Information.
Now you must return to your Identity Provider to configure Oracle
Cloud as a Service Provider.
Adding Oracle Cloud SP as a Trusted Relying Party
To configure Active Directory Federation Services 2.0 as the IdP,
you must add Oracle Cloud SP as a Trusted Relying Party. Perform
the following steps on the Windows server:
If necessary, copy the metadata file (SP_metadata.xml) you
obtained from the Oracle Cloud SP in the previous section to
the Windows server.
From Start > All Programs > Administrative Tools, select
AD FS 2.0 Management.
Expand AD FS 2.0 > Trust Relationships > Relying
Party Trusts.
Right-click Relying Party Trusts, then click Add
Relying Party Trust. The Add Relying Party Trust Wizard
Welcome screen opens.
Click Start. The Select Data Source screen
appears.
In the Select Data Source screen, do the following:
Select Import data about the relying party from a
file.
Browse and select the Metadata file you saved from the
Oracle Cloud SP, and click Open.
Click Next.
If a message box like the following one is displayed, click OK.
The Specify Display Name screen appears. Enter a name for the
Oracle Cloud SP.
Click Next. The Choose Issuance Authorization
Rules screen appears.
Select Permit all users to access this relying party.
Click Next. The Ready to Add Trust screen appears.
Verify the settings on various tabs and click Next.
Click Next. The Finish screen appears.
In the Finish screen, deselect Open the Edit Claims
dialog for this relying party trust when the wizard closes.
Click Close.
In the main screen, right-click the Oracle Cloud SP entry under
Relying Party Trusts, then click Properties.
Click the Advanced tab. Select SHA-2
in the Properties dialog.
Click OK.
Configuring Claim Rules Using Email Address
Perform the configuration in this section ONLY if you are using
the email address to identify the user in the Federation message.
Note: This depends on whether the email address was selected in
Step 3 d of the Perform Oracle Cloud SP Configuration section.
This section describes how to configure the newly added relying
party entry to instruct ADFS 2.0 IdP to send the user’s email
address as the NameID with the Email Address NameID format.
Perform the following steps to configure ADFS 2.0 to send the
user’s email address to the Oracle Cloud SP:
In the Start menu, go to Programs.
Select Administrative Tools.
Start AD FS 2.0 Management.
Expand AD FS 2.0, expand the Trust
Relationships subtab, and select Oracle Cloud SP under Relying
Party Trusts.
Right-click Oracle Cloud SP, and click Edit
Claim Rules. The Edit Rule window appears.
Click Add Rule.
In the Select Rule Template screen, select Send LDAP
Attributes as Claims.
Click Next.
In the Configure Rule screen, enter a name in the Claim rule
name field, such as Email NameID.
Select Active Directory as the attribute store.
In the Mapping of LDAP attributes to outgoing claim types
table, select E-Mail-Addresses as the LDAP
Attribute and E-Mail Address as the Outgoing Claim
Type.
Click Finish. The list of rules is displayed.
Click Add Rule.
In the Select Rule Template screen, select Transform an
Incoming Claim from the menu.
Click Next.
In the Configure Rule screen, do the following:
Enter a name in the Claim rule name field such as Email
NameID Transform.
In the Incoming claim type field, select E-Mail Address.
In the Outgoing claim type field, select Name ID.
In the Outgoing name ID format field, select Email.
Select Pass through all claim values.
Click Finish. The list of claim rules is displayed
in the Edit Claim Rules screen.
Click OK.
Configuring Claim Rules Using UserID
Perform the configuration in this section ONLY if you are using
the UserID to identify the user in the Federation message. Note:
This depends on whether User ID was selected in Step 3 d of the
Perform Oracle Cloud SP Configuration section.
This section describes how to configure the newly added relying
party entry to instruct ADFS 2.0 IdP to send the user’s identifier
as the NameID with the Unspecified NameID format.
Perform the following steps to configure ADFS 2.0 to send the
user's identifier to the Oracle Cloud SP:
In the Start menu, go to Programs.
Select Administrative Tools.
Start AD FS 2.0 Management.
Expand AD FS 2.0 node, expand the Service
sub-tab, and select Claim Descriptions.
Right-click Claim Descriptions, and click Add
Claim Description.
In the Add a Claim Description screen, provide the following
information:
In the Display name field, enter SamAccountName.
In the Claim identifier field, enter the
following URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/samAccountName
Click OK.
Expand AD FS 2.0 node, expand the Trust
Relationships sub-tab, and select Relying Party
Trusts. The Relying Party Trusts screen appears.
Right-click Oracle Cloud SP under Relying Party Trusts,
and select Edit Claim Rules. The Edit Rule window
appears.
Click Add Rule.
In the Select Rule Template Screen, under Claim rule
template field, select Send LDAP Attributes as
Claims.
Click Next.
In the Configure Rule screen, do the following:
Enter a name in the Claim rule name field such
as User ID Claim.
In the Attribute Store field, select Active
Directory.
In the LDAP Attribute field, select Sam-Account-Name.
In the Outgoing claim type field, select SamAccountName.
Click Finish. The list of rules appears in the Edit
Claim Rules screen.
Click Add Rule.
In the Select Rule Template screen, under Claim
rule template, select Transform an Incoming Claim.
Click Next.
In the Configure Rule screen, do the following:
Enter a name in the Claim rule name field such
as User ID Transform.
In the Incoming claim type field, select SamAccountName.
In the Outgoing claim type field, select Name
ID.
In the Outgoing name ID format field, select Unspecified.
Select Pass through all claim values.
Click Finish. The list of claim rules appears in
the Edit Claim Rules screen.
Click OK.
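The relying-party trust and the claim rules from this section and from Configuring Claim Rules Using Email Address, scripted with the ADFS 2.0 PowerShell snap-in. This is an added example, not part of the original tutorial; it assumes the cmdlets run as an administrator on the ADFS 2.0 server, that the exported SP metadata is at C:\temp\SP_metadata.xml, and that the relying party is named Oracle Cloud SP.

```powershell
# Added example (not from the tutorial): scripted equivalent of the GUI steps.
# Assumptions: administrator session on the ADFS 2.0 server; SP metadata path below.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName   = "Oracle Cloud SP"
$spMeta   = "C:\temp\SP_metadata.xml"       # assumed path of the exported SP metadata
$useEmail = $true                           # $false = send sAMAccountName as Unspecified NameID

# "Add Relying Party Trust" -> "Import data about the relying party from a file".
Add-ADFSRelyingPartyTrust -Name $rpName -MetadataFile $spMeta

# "Permit all users to access this relying party".
$authzRules = '@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

$emailType  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$samType    = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/samAccountName"
$nameIdType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$formatProp = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"

if ($useEmail) {
    $srcType = $emailType; $ldapAttr = "mail"
    $nameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
} else {
    # Claim description added under Service > Claim Descriptions in the UserID section.
    Add-ADFSClaimDescription -Name "SamAccountName" -ClaimType $samType -IsOffered -IsAccepted
    $srcType = $samType; $ldapAttr = "sAMAccountName"
    $nameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
}

# Rule 1 = "Send LDAP Attributes as Claims"; Rule 2 = "Transform an Incoming Claim"
# into a Name ID carrying the NameID format Oracle Cloud expects for the chosen identifier.
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Federation attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$srcType"), query = ";$ldapAttr;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID Transform"
c:[Type == "$srcType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$formatProp"] = "$nameIdFormat");
"@

# The SHA-2 selection on the Advanced tab corresponds to RSA-SHA256 signing.
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $issuanceRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Review the rules that will be applied before running the SSO test from My Services.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```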
Complete the Configuration on the Service Provider
To complete the configuration, proceed as follows:
Return to the browser window containing the SSO page of My
Services in Oracle Cloud.
In the Test your SSO section of the page, click Test.
In the Initiate Federation SSO page, click Start
SSO to initiate testing.
This triggers a Federation SSO flow. You are redirected to
the IdP and challenged for authentication. Log in as a valid
existing user on AD (the on-premise LDAP directory) using its UPN
(UserPrincipalName).
Note: For the federation to work successfully, the user (Vishal
Parashar in this tutorial) must exist both on AD (the on-premise
LDAP directory) and in Oracle Cloud. The user's password, however,
is stored only in AD.
Once the Federation SSO is performed, the result is displayed
in the Test SSO page. If the test is successful, the
Authentication Result will be Authentication Successful.
Notice that the Assertion attribute is set to the email address.
After the test has completed successfully, go to the Enable
SSO section of the page. Note that the Status
is SSO is Not Enabled.
Click the Enable SSO button to enable SSO for all
Cloud services. Until you do this, SSO is not enabled. An
Enable SSO pop-up window appears; click OK to confirm.
The Enable SSO section of the page now shows Status:
SSO is Enabled.
Once you have tested and validated that the SSO configuration is
working correctly, navigate to the My Services Sign In URL. You
will be prompted to enter your Identity Domain (you can save this
for subsequent logins). Enter your Identity Domain Name and click
Go.
You should be able to authenticate through the IdP after
entering your AD credentials (the UPN, UserPrincipalName, of the
Vishal Parashar user) and selecting the Sign In using Company option.
The first time you login, you can save your preference
for Language and Time Zone.
You should now see your My Services home page. Notice the top
right corner, which shows that you are logged in as the
Vishal.Parashar@adfs20.fed.oracle.com user (UPN login username)
to the docs identity domain and that SSO is enabled.
Summary
In this tutorial, you learned to:
Obtain a file containing Active Directory Federation Services
2.0 metadata to use for SP configuration
Perform Oracle Cloud SP Configuration
Configure Active Directory Federation Services 2.0 as the IdP,
using metadata from Oracle Cloud SSO
Use the Oracle Cloud SSO documentation to test and enable SSO
at the SP