Configuring Active Directory Federation Services 3.0 as an Identity
Provider with Oracle Cloud as Service Provider
Overview
Purpose
This tutorial describes how to configure Active Directory
Federation Services (ADFS) 3.0 as an Identity Provider (IdP) to
be used with Oracle Cloud as the Service Provider (SP).
Time to Complete
Approximately 1 hour
Introduction
The Oracle Cloud documentation describes the
tasks for configuring Oracle Cloud as an SP, using the SSO
Configuration tab of the My Services UI. SP configuration,
however, is only half of the configuration process. To enable SSO,
you need to configure the IdP as well as the SP.
The My Services configuration page for SSO requires you to
configure the SP first. To do that, you must have metadata from
the IdP to upload into the SP. Therefore, you need to move back
and forth between the IdP and the SP to perform the complete
configuration. Specifically, you will:
Obtain the IdP metadata for SP configuration
Configure the SP
Obtain the SP metadata for IdP configuration
Configure the IdP
Test and enable SSO from the SP
Software Requirements
The following is a list of software requirements for the IdP:
Active Directory and the IIS web server are installed and
configured on-premises. In this tutorial we assume the AD
domain is adfs30.fed.oracle.com.
The on-premises Active Directory Federation Services 3.0 must
be:
Installed. In this tutorial we assume that ADFS 3.0 is
already installed on a Windows Server 2012 R2 Datacenter
machine. You can review the basic steps for how we set up ADFS
3.0 in our environment here.
Configured for local user authentication by using either
of the following authentication methods:
Windows Integrated Authentication (for example,
Kerberos or HTTP Basic Authentication)
Forms-based authentication
Enabled for SSL. To enable the server for SSL, its public
endpoints must be configured for SSL; for example, the reverse
proxy fronting the ADFS server must be configured for SSL. Note:
Use SSL certificates issued by a well-known Certificate
Authority, so that users' browsers and the SP can validate them
without additional trust configuration.
Prerequisites
Before starting this tutorial, you should:
Familiarize yourself with the documentation for configuring Oracle Cloud
as an SP.
Decide whether to use the email address or the userID as the
Federation attribute for identifying the user in the Federation
message.
Ensure that each user in the LDAP directory at the IdP
contains the attribute you will use to identify the user in the
Federation message:
If you want to use the email address, then each user must
have a specific attribute containing a unique email address.
For example, if the LDAP directory is OID, mail
would be such an attribute.
If you want to use the user identifier, then each user
must have a specific attribute containing a unique userID.
For example, if the LDAP directory is OID, uid
would be such an attribute or if AD is the directory,
SamAccountName would be such an attribute.
Ensure that the user population has been synchronized between
the IdP LDAP directory and the SP directory, with the attribute
used to identify the user having the same value in both
directories for each user. Note: Only the user footprint (not the
password) should exist on Oracle Cloud; password validation is
performed by the ADFS 3.0 IdP. Importing a Batch of User Accounts
in Getting Started with Oracle Cloud describes a method for
synchronizing users between the two directories.
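The following PowerShell script is an added example, not part of the Oracle tutorial, for checking the prerequisite above before you touch the SP: it confirms that every enabled AD user carries the chosen federation attribute and that no two accounts share a value, then exports the identifiers for the batch user import. It assumes a domain-joined host with the ActiveDirectory RSAT module; the OU in $SearchBase and the output file name are placeholders.

```powershell
# Added example (not part of the Oracle tutorial): verify that every AD user
# carries the federation identifier attribute and that the value is unique.
# Assumptions: ActiveDirectory RSAT module available; $SearchBase is a
# placeholder OU for the adfs30.fed.oracle.com domain used in the tutorial.
Import-Module ActiveDirectory

# 'mail' when the email address is sent as NameID,
# 'sAMAccountName' when the UserID is sent as a SAML attribute.
$FederationAttribute = 'mail'
$SearchBase = 'OU=Users,DC=adfs30,DC=fed,DC=oracle,DC=com'   # assumed OU; adjust

$users = Get-ADUser -Filter {Enabled -eq $true} -SearchBase $SearchBase `
    -Properties $FederationAttribute, userPrincipalName

# Users that would fail SSO: the attribute is empty, so ADFS issues no NameID.
$missing = $users | Where-Object { -not $_.$FederationAttribute }

# Values shared by more than one account: the SP could map two people to one user.
$duplicates = $users |
    Where-Object { $_.$FederationAttribute } |
    Group-Object -Property { $_.$FederationAttribute.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 }

"{0} users checked, {1} missing '{2}', {3} duplicate values" -f
    $users.Count, $missing.Count, $FederationAttribute, $duplicates.Count

$missing | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
$duplicates | ForEach-Object {
    "{0} is shared by: {1}" -f $_.Name, (($_.Group | ForEach-Object SamAccountName) -join ', ')
}

# Export the identifiers so the Oracle Cloud batch import receives exactly the
# value ADFS will send for each user (no passwords leave AD).
$users | Where-Object { $_.$FederationAttribute } |
    Select-Object @{n='Identifier'; e={ $_.$FederationAttribute }}, SamAccountName, UserPrincipalName |
    Export-Csv -Path .\federation_users.csv -NoTypeInformation
```

Run it once per identifier choice; an account listed under missing or duplicate values will either get no assertion or be mapped to the wrong Oracle Cloud user, and is better fixed in AD before SSO is enabled for everyone.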
Obtaining IdP Metadata for SP Configuration
To obtain the Active Directory Federation Services 3.0 IdP
metadata for configuring the Oracle Cloud SP, perform the
following steps:
Launch a browser.
Access the Active Directory Federation Services 3.0 IdP
metadata. The URL is of the form: https://<host>/FederationMetadata/2007-06/FederationMetadata.xml
Save the file locally as IdP_metadata.xml.
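Before uploading the metadata to the SP it is worth seeing what it actually commits the SP to. The script below is an added example, not part of the Oracle tutorial: it downloads the metadata from the standard ADFS endpoint named above, saves it as IdP_metadata.xml, and prints the entityID, the SSO endpoints, the advertised NameID formats and the token-signing certificate. The hostname in $AdfsHost is an assumption; everything else follows the SAML 2.0 metadata schema that ADFS publishes.

```powershell
# Added example (not part of the Oracle tutorial): fetch the ADFS 3.0 federation
# metadata and show what the Oracle Cloud SP will learn from it.
# Assumption: $AdfsHost is the public ADFS hostname (placeholder).
$AdfsHost    = 'adfs.adfs30.fed.oracle.com'
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$OutFile     = Join-Path $PWD 'IdP_metadata.xml'

# HTTPS only; Invoke-WebRequest validates the server certificate chain,
# which is why the tutorial requires a certificate from a well-known CA.
Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

$doc = New-Object System.Xml.XmlDocument
$doc.Load($OutFile)                               # Load() copes with the UTF-8 BOM ADFS emits
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# entityID is the issuer the SP will require in every assertion it accepts.
"entityID : {0}" -f $doc.DocumentElement.GetAttribute('entityID')

# SSO endpoints and bindings; HTTP-POST is the SP's recommended default.
$doc.SelectNodes('/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
    ForEach-Object { "SSO      : {0}  {1}" -f $_.GetAttribute('Binding'), $_.GetAttribute('Location') }

# NameID formats the IdP advertises.
$doc.SelectNodes('/md:EntityDescriptor/md:IDPSSODescriptor/md:NameIDFormat', $ns) |
    ForEach-Object { "NameID   : {0}" -f $_.InnerText }

# Token-signing certificate: the SP will only trust assertions signed by this key.
$certNodes = $doc.SelectNodes(
    '/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)
foreach ($node in $certNodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    "Signing  : {0}  thumbprint {1}  expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}

# On the ADFS server itself, cross-check the thumbprint against the live service:
# Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary
```

Note the expiry date of the signing certificate: ADFS rolls its token-signing certificate automatically when AutoCertificateRollover is enabled, and the SP only knows the key in the metadata you uploaded, so a rollover means repeating the SP configuration with fresh metadata.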
Perform Oracle Cloud SP Configuration
You must configure the Oracle Cloud SP before you configure the
Identity Provider.
Perform the following steps:
If necessary, copy the metadata file you obtained from the Active
Directory Federation Services 3.0 IdP to the environment where
you will configure Oracle Cloud.
In a browser, navigate to the SSO Configuration page of My
Services in Oracle Cloud.
Click Configure SSO.
Select Import identity provider metadata.
Click Browse and upload the identity provider
metadata file (such as IdP_metadata.xml in our tutorial)
For SSO Protocol, HTTP POST is
recommended, and is the default.
Select User identifier. This is the Oracle LDAP
Directory attribute that is used to map the user information
contained in the incoming SSO SAML Assertion to an Oracle Cloud
User.
It is either User's email address or UserID.
Select User's email address for this tutorial.
Select Contained in. If the User identifier
is User's email address, Contained in
must be NameID.
If the User identifier is the User ID,
Contained in must be SAML Attribute and
you must specify the name of the SAML Attribute to use for Contained
in, such as SamAccountName in the case of AD.
Click Save.
The screen now displays the remaining tasks to be performed on
the SSO configuration page.
Obtaining SP Metadata for IdP Configuration
To obtain the Oracle Cloud SP metadata for configuring Active
Directory Federation Services 3.0 as an IdP, perform the following
steps:
Go to the Configure your Identity Provider Information
section of the SSO Configuration page and click Export
Metadata, then select Provider Metadata.
Save the metadata to a local file as SP_metadata.xml
Adding Oracle Cloud SP as a Trusted Relying Party
To configure Active Directory Federation Services 3.0 as the
Identity Provider, you must add Oracle Cloud SP as a Trusted
Relying Party. Perform the following steps on the Windows server:
If necessary, copy the metadata file (SP_metadata.xml) you
obtained from the Oracle Cloud SP to the Windows server.
If Server Manager is not running, start it from the Start
menu by using either of these methods:
On the Start menu, right-click Computer (This PC), then
click Manage.
On the Start menu, point to Administrative Tools, then
click Server Manager.
Click Tools > AD FS Management
Expand AD FS > Trust Relationships > Relying Party
Trusts
Right-click Relying Party Trusts, then click Add
Relying Party Trust. The Add Relying Party Trust Wizard
opens.
Click Start.
Select Import data about the relying party from a file.
Browse and select the Metadata file you saved from the Oracle
Cloud SP, and click Open.
Click Next.
If a warning message box is displayed (for example, that some
content of the federation metadata was skipped because AD FS does
not support it), click OK.
Enter a name for the Oracle Cloud SP.
Click Next.
Select either I do not want to configure multi-factor
authentication settings for this relying party trust at this
time or Configure multi-factor authentication
settings for this relying party trust, depending on your
requirements. (See the Microsoft documentation for more
information.) Note: In this example, I do not want to
configure multi-factor authentication settings for this
relying party trust at this time is selected.
Click Next.
Select Permit all users to access this relying party.
Click Next. A summary window appears.
Click Next.
Deselect the Open the Edit Claim Rules dialog for this
relying party trust when the wizard closes check box.
Click Close.
Right-click the newly created relying party, and click Properties.
Click the Advanced tab.
In the Secure hash algorithm list, select SHA-256, so that
assertions sent to the SP are signed with SHA-256 rather than SHA-1.
Click OK.
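The wizard steps above can be reproduced with the ADFS PowerShell module, which is convenient for a second server or for rebuilding the trust after an SP metadata change. The script below is an added example, not part of the Oracle tutorial: it imports the SP metadata, adds the permit-all authorization rule the wizard creates, switches the signature hash to SHA-256 and reads the trust back. It assumes you run it as an ADFS administrator on the ADFS 3.0 server; $RpName and the metadata path are placeholders. One caveat built into the script: unlike the wizard, Add-AdfsRelyingPartyTrust creates no authorization rule, so without the Set-AdfsRelyingPartyTrust call every user would be denied access.

```powershell
# Added example (not part of the Oracle tutorial): the relying party trust from
# the AD FS Management wizard, created with the ADFS PowerShell module.
# Assumptions: run as ADFS administrator on the ADFS 3.0 server;
# $RpName and $SpMetadata are placeholders.
Import-Module ADFS

$RpName     = 'Oracle Cloud SP'
$SpMetadata = 'C:\temp\SP_metadata.xml'

# Wizard step "Import data about the relying party from a file": pulls the SP
# entityID, AssertionConsumerService endpoints and certificates from the metadata.
Add-AdfsRelyingPartyTrust -Name $RpName -MetadataFile $SpMetadata

# Wizard step "Permit all users to access this relying party".
$PermitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Wizard step Properties > Advanced > Secure hash algorithm = SHA-256:
# assertions are signed with RSA-SHA256 instead of RSA-SHA1.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -IssuanceAuthorizationRules $PermitAll `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Read the trust back: identifier and ACS endpoints must match the SP metadata,
# and SignatureAlgorithm must end in rsa-sha256.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, SignatureAlgorithm, Enabled,
        @{n='ACS';            e={ ($_.SamlEndpoints | ForEach-Object { "$($_.Binding) $($_.Location)" }) -join '; ' }},
        @{n='EncryptionCert'; e={ $_.EncryptionCertificate.Thumbprint }}
```

The claim rules that tell ADFS what to put in the NameID are configured separately in the next sections; this trust alone issues no identity claims.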
Configuring Claims Using Email Address
Perform the configuration in this section ONLY if you are using
the email address to identify the user in the Federation message.
This section describes how to configure the newly added relying
party entry to instruct ADFS 3.0 IdP to send the user’s email
address as the NameID with the Email Address NameID format.
Perform the following steps to configure ADFS 3.0 to send the
user’s email address to the Oracle Cloud SP:
In Server Manager, click Tools > AD FS Management.
Expand AD FS > Trust Relationships > Relying Party
Trusts. Right-click the newly created relying party, and
click Edit Claim Rules
The Edit Rule window appears
Click Add Rule.
Select Send LDAP Attributes as Claims.
Click Next.
Enter a name for the claim rule, such as, Email NameID.
Select Active Directory as the attribute store.
In the first row, select E-Mail-Addresses as the
LDAP Attribute, and E-Mail Address as the outgoing
claim type.
Click Finish. The list of rules is displayed.
Click Add Rule.
Select Transform an Incoming Claim as the claim
rule template.
Click Next.
Enter a name for the rule, such as, Email NameID Transform.
Select E-Mail Address as the incoming claim type.
Select NameID as the outgoing claim type.
Select Email as the outgoing name ID format.
Select Pass through all claim values.
Click Finish. The list of claim rules is
displayed.
Click OK.
Configuring Claims Using UserID
Perform the configuration in this section ONLY if you are using
the UserID to identify the user in the Federation message.
This section describes how to configure the newly added relying
party entry to instruct ADFS 3.0 IdP to send the user’s identifier
as the NameID with the Unspecified NameID format.
Perform the following steps to configure ADFS 3.0 to send the
user’s identifier, SamAccountName, to Oracle Cloud SP:
From the Start menu, select Server Manager. Click Tools
> AD FS Management.
Expand the Service node on the left side, and select Claim
Descriptions.
Right-click Claim Descriptions, and click Add
Claim Description.
Enter SamAccountName as the display name.
Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/samAccountName
as the claim identifier.
Leave the two check boxes deselected.
Click OK.
Expand AD FS > Trust Relationships > Relying Party
Trusts. Right-click the newly created relying party, and click
Edit Claim Rules.
Click Add Rule on the Edit Rule window.
Select Send LDAP Attributes as Claims.
Click Next.
Enter a name for the claim rule, such as, User ID Claim.
Select Active Directory as the attribute store.
In the first row, select SAM-Account-Name as the
LDAP attribute, and SamAccountName as the outgoing
claim type.
Click Finish. The list of rules appears.
Click Add Rule.
Select Transform an Incoming Claim.
Click Next.
Enter a name for the rule, such as, UserID Transform.
Select SamAccountName as the incoming claim type.
Select NameID as the outgoing claim type.
Select Unspecified as the outgoing name ID format.
Select Pass through all claim values.
Click Finish. The list of claim rules appears.
Click OK.
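Both claim-rule procedures above, the email address variant in Configuring Claims Using Email Address and the UserID variant in this section, produce rules that the Edit Claim Rules dialog stores in the ADFS claim rule language. The script below is an added example, not part of the Oracle tutorial: it writes the same two rules for whichever variant you pick and applies them to the relying party with Set-AdfsRelyingPartyTrust, registering the custom SamAccountName claim description first where the UserID variant needs it. It assumes $RpName matches the trust created earlier and that you run it as an ADFS administrator on the ADFS 3.0 server.

```powershell
# Added example (not part of the Oracle tutorial): the "Send LDAP Attributes as
# Claims" and "Transform an Incoming Claim" rules from the tutorial, written in
# the ADFS claim rule language. Assumptions: $RpName is the relying party trust
# created earlier; run as ADFS administrator on the ADFS 3.0 server.
Import-Module ADFS

$RpName   = 'Oracle Cloud SP'
$UseEmail = $true                      # $false selects the UserID (sAMAccountName) variant

$Claims            = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
$NameIdFormatProp  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$WindowsAccountName = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

if ($UseEmail) {
    # Rule 1: E-Mail-Addresses (LDAP mail) -> E-Mail Address claim.
    # Rule 2: E-Mail Address -> Name ID, outgoing name ID format Email, pass-through.
    $Rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email NameID"
c:[Type == "$WindowsAccountName", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email NameID Transform"
c:[Type == "$Claims/emailaddress"]
 => issue(Type = "$Claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$NameIdFormatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@
}
else {
    # The custom claim type registered under Service > Claim Descriptions.
    $SamType = "$Claims/samAccountName"
    if (-not (Get-AdfsClaimDescription | Where-Object { $_.ClaimType -eq $SamType })) {
        Add-AdfsClaimDescription -Name 'SamAccountName' -ClaimType $SamType
    }
    # Rule 1: SAM-Account-Name (LDAP sAMAccountName) -> SamAccountName claim.
    # Rule 2: SamAccountName -> Name ID, outgoing name ID format Unspecified, pass-through.
    $Rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "User ID Claim"
c:[Type == "$WindowsAccountName", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$SamType"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UserID Transform"
c:[Type == "$SamType"]
 => issue(Type = "$Claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$NameIdFormatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
"@
}

# This replaces (does not append to) the issuance transform rules of the trust.
Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $Rules

# Read back what ADFS stored; it should match the Edit Claim Rules dialog.
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```

The format property on the second rule is what makes the SP's Contained in = NameID setting work: without it ADFS still emits a NameID, but with no Format attribute, and the SP's mapping of email-format NameIDs to Oracle Cloud users can fail.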
Complete the Configuration on the Service Provider
To complete the configuration, proceed as follows:
Return to the browser window containing the SSO Configuration
page of My Services in Oracle Cloud.
In the Test your SSO section of the page, click Test.
In the Initiate Federation SSO page,
click Start SSO to initiate testing.
This triggers a Federation SSO flow. You are
redirected to the IdP and challenged for authentication.
Log in with the UserPrincipalName of the ahall user (the
sample user in this tutorial).
Note: For the federation to work successfully, the ahall
user must exist both in AD (the on-premises LDAP directory) and
in Oracle Cloud. The user's password is stored only in AD.
If the test authentication is successful, you should see
Federation SSO operation result page with Authentication
Success message. Notice the Assertion attribute is set to
email address.
After the test has completed successfully, go to the Enable
SSO section of the page. Note that the Status
is SSO is Not Enabled.
Click the Enable SSO button to enable SSO for
all Cloud services. Until you do this, SSO is not enabled.
You should see Enable SSO pop up window, click OK to
confirm. The Enable SSO section of the page now
shows Status: SSO is Enabled.
Once you have tested and validated that the SSO configuration
is working correctly, navigate to the My Services Oracle Cloud
sign-in URL. You will be prompted to enter your Identity
Domain (you can save this for subsequent logins). Enter your
Identity Domain name and click Go.
You should be able to authenticate through the IdP after
entering your AD credentials (the UserPrincipalName of the
Andy Hall user) and selecting the Sign In using Company option.
The first time you login, you can save your preference for
Language and Time Zone.
You should now see your My Services home page. Notice the
top right corner, which shows that you are logged in as the ahall
user (the UPN login username) to the docs identity domain and
that SSO is enabled.
Summary
In this tutorial, you learned to:
Obtain a file containing Active Directory Federation Services
3.0 metadata to use for SP configuration
Perform Oracle Cloud SP Configuration
Configure Active Directory Federation Services 3.0 as the IdP,
using metadata from Oracle Cloud
Use the Oracle Cloud documentation to test and enable SSO at
the SP