Configuring Oracle Access Management Identity Federation 11gR2 PS2
as an Identity Provider with Oracle Cloud as Service Provider
Overview
Purpose
This tutorial describes how to configure Oracle Access
Management Identity Federation 11g
Release 2 PS2 (11.1.2.2.0) as an Identity Provider (IdP) to be
used with Oracle Cloud as the Service Provider (SP).
Time to Complete
Approximately 1 hour
Introduction
Oracle Cloud documentation at http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSIMG
describes the tasks for configuring Oracle Cloud as a SP, using
the SSO Configuration tab of the My Services UI. SP configuration,
however, is only half of the configuration process. To enable SSO,
you need to configure the IdP as well as the SP.
The My Services configuration page for SSO requires you to
configure the SP first. To do that, you must have metadata from
the IdP to upload into the SP. Therefore, you need to move back
and forth between browser windows, one at the IdP and the other at
the SP. Specifically, you will:
Obtain the IdP metadata for SP configuration
Configure the SP
Obtain the SP metadata for IdP configuration
Configure the IdP
Test and enable SSO from the SP
Software Requirements
The following is a list of software requirements for the IdP:
Oracle Access Management Suite 11gR2 PS2 must be installed and
configured. Download the software from otn.oracle.com or
edelivery.oracle.com.
Prerequisites
Before starting this tutorial, you should:
Ensure that OAM Suite is integrated with an LDAP directory
(such as OUD, OID, AD) as the user data store. Integration is
automatic if you are using the embedded LDAP in WebLogic Server.
Ensure that OAM Suite is enabled for SSL by having its public
endpoints configured for SSL, for example, with the reverse
proxy fronting OAM/OIF configured for SSL. The federation
endpoints published in the IdP metadata must be these SSL
endpoints, because Oracle Cloud redirects users and posts SAML
messages to the locations listed in that file.
Decide whether to use the email address or the userID as the
Federation attribute for identifying the user in the Federation
message.
Ensure that each user in the LDAP directory at the IdP has the
attribute you will use to identify the user in the Federation
message:
If you want to use the email address, then each user must
have a specific attribute containing a unique email address.
For example, if the LDAP directory is OID, mail
would be such an attribute.
If you want to use the user identifier, then each user
must have a specific attribute containing a unique userID.
For example, if the LDAP directory is OID, uid
would be such an attribute.
Ensure that the user population has been synchronized between
the IdP LDAP directory and the SP directory, with the attribute
used to identify the user being the same in both directories for
each user.
"Importing a Batch of User Accounts" in Getting
Started with Oracle Cloud at: http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSGSG
describes a method for synchronizing users between the two
directories.
Obtaining IdP Metadata for SP Configuration
To obtain the Oracle Access Management Suite Federation IdP
metadata you need to provide when configuring the Oracle Cloud SP,
perform the following steps:
Launch a browser and access the Oracle Access Management
federation IdP metadata. The URL is of the form: http://oam-runtime-host:oam-runtime-port/oamfed/idp/metadata
Save the file locally as IdP_metadata.xml. The file carries the
IdP's entity ID, its single sign-on endpoints and the signing
certificate the SP will use to verify assertions; check that the
endpoint locations in it are the public SSL endpoints before you
upload it.
Perform Oracle Cloud SP Configuration
You must configure the Oracle Cloud SP before you configure the
IdP.
Perform the following steps:
If necessary, copy the metadata file you obtained from Oracle
Access Management federation IdP to the environment where you
will configure Oracle Cloud.
In a browser, navigate to the SSO Configuration tab on the
Users page of My Services for Oracle Cloud.
Click on Configure SSO.
Select Import identity provider metadata.
Click Choose File and upload the identity provider
metadata file (such as IdP_metadata.xml in our tutorial)
For SSO Protocol, HTTP POST is
recommended, and is the default.
Select User identifier. This is the Oracle LDAP
Directory attribute that is used to map the user information
contained in the incoming SSO SAML Assertion to an Oracle Cloud
User.
It is either User's email address or UserID.
Select User's email address for this tutorial.
Select Contained in. If the User identifier
is User's email address, Contained in
must be NameID.
If the User identifier is the User ID,
Contained in must be SAML Attribute and
you must specify the name of the SAML Attribute that carries it,
such as sAMAccountName in the case of AD. The IdP must then send
an attribute with exactly that name in the assertion.
Click Save.
The screen now shows the remaining tasks to be
performed on the SSO configuration page. You have performed the
first task, Configure SSO.
Obtaining SP Metadata for IdP Configuration
To obtain the Oracle Cloud SP metadata you need to provide when
configuring Oracle Access Management Suite Federation as an IdP,
perform the following steps:
Go to the Configure your Identity Provider Information
section of the SSO Configuration page and click Export
Metadata, then select Provider Metadata.
Save the metadata to a local file as sp_metadata.xml. You have
now performed the second task on the page, Configure your
Identity Provider Information.
Enabling Identity Federation in OAM Admin Console
Perform the following steps to enable Oracle Access Management
Federation:
Go to the OAM Admin Console in a browser. The URL is of the
form: http://adminhost:adminport/oamconsole
Authenticate using OAM Admin user credentials.
From the Launchpad, navigate to Configuration ->
Available Services and enable Identity Federation.
Configuring the IdP, using Metadata from Oracle Cloud SP
To configure the IdP, perform the following steps:
If necessary, copy the metadata file (sp_metadata.xml) you
obtained from the Oracle Cloud SP to the environment where you
are configuring the IdP.
Return to the browser page containing the OAM Console, where
you enabled Federation.
Authenticate again if necessary.
Navigate to Launch Pad > Identity Federation >
Identity Provider Administration
Click Create Service Provider Partner.
Enter a name such as Oracle Cloud SP.
Ensure Enable Partner is selected.
Select SAML 2.0 as the protocol (which is the
default).
Select Load from Provider Metadata and click Load
the Metadata and upload the Oracle Cloud SP metadata
that you exported from the Oracle Cloud UI.
Specify the NameID Format Settings. What you specify depends
on which attribute you use to define the user.
If you define the user by the email address, use Email
Address as the format. Configure the settings as follows:
Select Email Address as the Name ID format
Select User ID Store Attribute as the Name ID
Value
Enter the User Attribute in the LDAP user record
containing the user's email address. For example, if
Oracle Internet Directory or Oracle Unified Directory are
the User Data Store, the attribute is mail.
If you define the user by the userID, use Unspecified as the
NameID format. Configure the settings as follows:
Select Unspecified as the NameID format
Select User ID Store Attribute as the NameID
Value
Enter the User Attribute in the LDAP user record
containing the user's identifier. For example, if Oracle
Internet Directory or Oracle Unified Directory is the User
Data Store, the attribute is uid.
Click Save.
Click the Identity Provider Administration tab in the OAM
Console and, under Search Service Provider Partners, click
Search to confirm that the Oracle Cloud SP partner is listed.
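The two user-identifier choices, email address carried in the NameID versus userID carried in a named SAML Attribute, decide what the SP looks for in every assertion, and they must agree on both sides: User identifier and Contained in on the Oracle Cloud SSO page, and the NameID Format Settings on the OAM partner page. The following Python example, added here and not taken from the tutorial or from Oracle's implementation, constructs an unsigned assertion for each branch and applies the SP-side mapping to it. The SP entity ID, user names and attribute names are assumed placeholders; real assertions are signed by OAM.

```python
# Added example (not from the tutorial): where the user identifier lives in the
# SAML assertion for the two "User identifier" choices, and the SP-side mapping.
# Entity ID, user names and attribute names below are assumed placeholders.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SP_ENTITY_ID = "https://cloud.example.com/sp"  # assumed; really from sp_metadata.xml


def build_assertion(name_id, name_id_format, attributes, audience=SP_ENTITY_ID):
    """Construct (unsigned) just the parts of an assertion the mapping depends on."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        f"</saml:AttributeValue></saml:Attribute>"
        for n, v in attributes.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1" Version="2.0">'
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}'
        f"</saml:NameID></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}"
        f"</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        f"</saml:Assertion>"
    )


# IdP configured as in the "email address" branch: NameID format Email Address,
# value taken from the LDAP 'mail' attribute.
EMAIL_ASSERTION = build_assertion("ahall@example.com", FMT_EMAIL, {})
# "userID" branch: NameID format Unspecified, value from 'uid'.  The SP reads a
# named SAML Attribute instead, so the IdP must send that attribute as well.
USERID_ASSERTION = build_assertion("ahall", FMT_UNSPECIFIED, {"uid": "ahall"})


def map_user(assertion_xml, user_identifier, attribute_name=None,
             sp_entity_id=SP_ENTITY_ID):
    """Mirror the SP's "User identifier" / "Contained in" settings:
    'email'  -> NameID, which must carry the emailAddress format;
    'userid' -> the SAML Attribute named attribute_name (e.g. sAMAccountName).
    Returns the value the SP would look up in its own user store."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:  # assertion minted for some other SP
        raise ValueError(f"audience {audiences} does not include {sp_entity_id}")
    if user_identifier == "email":
        name_id = root.find("saml:Subject/saml:NameID", NS)
        if name_id is None or name_id.get("Format") != FMT_EMAIL:
            raise ValueError("email mapping requires a NameID in emailAddress format")
        return name_id.text
    if user_identifier == "userid":
        if not attribute_name:
            raise ValueError("userid mapping requires the SAML Attribute name")
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == attribute_name:
                return attr.findtext("saml:AttributeValue", namespaces=NS)
        raise ValueError(f"assertion carries no attribute named {attribute_name!r}")
    raise ValueError("user_identifier must be 'email' or 'userid'")


def mapping_fails(*args, **kwargs):
    """True when the SP would reject the assertion under the given settings."""
    try:
        map_user(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(map_user(EMAIL_ASSERTION, "email"))
    print(map_user(USERID_ASSERTION, "userid", "uid"))
```

The failing cases are the instructive ones: an email mapping rejects a NameID in the Unspecified format, a userID mapping rejects an assertion whose attribute name differs from the one entered under Contained in, and either mapping rejects an assertion whose Audience is a different SP. A mismatch of this kind, rather than the metadata, is what the later SSO test usually surfaces.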
Test Federation SSO between OAM Identity Federation 11g R2 as IdP
and Oracle Cloud as SP
The test consists of performing an SP-initiated SSO by:
Accessing the Test your SSO service on the Oracle Cloud (SP)
side and starting a Federation SSO operation with the Identity
Provider
Being authenticated by the on-premise customer IdP
Being redirected from the IdP service to the SP service
with a SAML Assertion containing user data
Being successfully logged into Oracle Cloud after Oracle
Cloud (SP) validates the SAML Assertion
To complete the testing, proceed as follows:
Return to the browser window containing the SSO Configuration
page of My Services in Oracle Cloud. Under Test your SSO, click
the Test button.
On the Initiate Federation SSO page, click Start SSO.
On the OAM SSO Login page (the IdP challenge), enter valid user
credentials. The user must exist both in the IdP's on-premise
LDAP repository and in Oracle Cloud (under the Users tab of the
My Services page); the user's password is stored only in the
IdP's on-premise LDAP repository.
If the federation setup is correct, you should see the
Authentication Success message under Federation SSO Operation
Result. Note the User Identifier and Attributes for assertion
fields.
After the test has completed successfully, go to the Enable
SSO section of the page. Note that the Status is SSO is Not
Enabled.
Click the Enable SSO button to enable SSO for all Cloud
services. Until you do this, SSO is not enabled. Click OK on the
Enable Single Sign-On screen.
The Enable SSO section of the page now shows Status: SSO is
Enabled.
Navigate to MyServices Oracle Cloud URL. You will be prompted
to enter your Identity Domain (you can save this for subsequent
logins). Enter your Identity Domain Name and click on Go.
After selecting the Sign In using Company option, you are
redirected to the IdP to authenticate.
Enter user credentials on the IdP's OAM SSO screen.
The first time you login, you can save your preference for
Language and Time Zone.
You should now see your MyServices home page. Notice the top
right corner, which shows you are logged in as ahall user to the
docs identity domain and SSO is enabled.
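To make the exchange behind Test your SSO concrete, here is a Python model of the SP-initiated flow, added as an example and not taken from the tutorial or from the Oracle Cloud or OAM implementations: the SP issues an AuthnRequest, the IdP answers with a Response carrying the assertion, and the SP performs the checks that decide whether the login is accepted (InResponseTo correlation with one-time use, Destination, Status, Issuer, validity window, Audience). Messages are constructed and unsigned; the real ones are signed by OAM and verified against the certificate in the IdP metadata. Entity IDs and URLs are assumed placeholders.

```python
# Added example (not from the tutorial): model of the SP-initiated SAML 2.0
# exchange behind "Test your SSO".  Messages are constructed and unsigned.
import calendar
import secrets
import time
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed placeholders; the real values come from the two metadata files.
IDP_ENTITY_ID = "https://sso.example.com/oam/fed"
IDP_SSO_URL = "https://sso.example.com/oamfed/idp/samlv20"
SP_ENTITY_ID = "https://cloud.example.com/sp"
SP_ACS_URL = "https://cloud.example.com/sp/acs"
TS = "%Y-%m-%dT%H:%M:%SZ"

def fmt_ts(t):
    return time.strftime(TS, time.gmtime(t))

def parse_ts(s):
    return calendar.timegm(time.strptime(s, TS))

class ServiceProvider:
    """Oracle Cloud side: issues the AuthnRequest and consumes the Response."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # AuthnRequest IDs issued and not yet answered

    def start_sso(self):
        """Step 1 ("Start SSO"): AuthnRequest for the IdP's SSO endpoint."""
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = self.clock()
        return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="{request_id}" '
                f'Version="2.0" Destination="{IDP_SSO_URL}" '
                f'AssertionConsumerServiceURL="{SP_ACS_URL}"/>')

    def consume(self, response_xml):
        """Step 3: validate the Response POSTed to the ACS; return the NameID."""
        root = ET.fromstring(response_xml)
        # Must answer a request we issued, and only once (replay protection).
        if self.pending.pop(root.get("InResponseTo"), None) is None:
            raise ValueError("unsolicited or replayed Response")
        if root.get("Destination") != SP_ACS_URL:
            raise ValueError("Response not addressed to our ACS URL")
        status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
        if status != SUCCESS:
            raise ValueError(f"IdP reported {status}")
        assertion = root.find("saml:Assertion", NS)
        if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise ValueError("missing assertion or unexpected Issuer")
        cond = assertion.find("saml:Conditions", NS)
        now = self.clock()
        if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if SP_ENTITY_ID not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
            raise ValueError("assertion not intended for this SP")
        return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def idp_respond(authn_request_xml, user_email, now=None):
    """Step 2 (OAM side, after the user passed the OAM login page)."""
    req = ET.fromstring(authn_request_xml)
    now = time.time() if now is None else now
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{fmt_ts(now)}"
    InResponseTo="{req.get('ID')}" Destination="{req.get('AssertionConsumerServiceURL')}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{fmt_ts(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{user_email}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{fmt_ts(now - 60)}" NotOnOrAfter="{fmt_ts(now + 300)}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def run_test_sso(user_email="ahall@example.com"):
    """Happy path of "Test your SSO": the identifier the SP will map to a user."""
    sp = ServiceProvider()
    return sp.consume(idp_respond(sp.start_sso(), user_email))

def replay_is_rejected():
    sp = ServiceProvider()
    response = idp_respond(sp.start_sso(), "ahall@example.com")
    sp.consume(response)
    try:
        sp.consume(response)  # the same Response posted a second time
    except ValueError:
        return True
    return False

def stale_response_is_rejected():
    sp = ServiceProvider(clock=lambda: time.time() + 3600)  # SP clock 1h ahead
    try:
        sp.consume(idp_respond(sp.start_sso(), "ahall@example.com"))
    except ValueError:
        return True
    return False
```

The two negative cases are the ones a real SP enforces silently: a Response replayed against the ACS is refused because its InResponseTo was consumed on first use, and an assertion whose validity window has passed is refused, which is also why clock skew between the OAM host and the cloud side shows up as a failed test rather than as an obvious error.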
Summary
In this tutorial, you learned to:
Obtain a file containing OAM Federation metadata to use for SP
configuration
Perform Oracle Cloud SSO SP Configuration
Configure OAM Identity Federation as the IdP, using metadata
from Oracle Cloud SSO
Use the Oracle Cloud SSO documentation to test and enable SSO
at the SP