Configuring Oracle Access Management Identity Federation 11gR2 PS2 as an Identity Provider with Oracle Cloud as Service Provider

Overview

Purpose

This tutorial describes how to configure Oracle Access Management Identity Federation 11g Release 2 PS2 (11.1.2.2.0) as an Identity Provider (IdP) to be used with Oracle Cloud as the Service Provider (SP).

Time to Complete

Approximately 1 hour

Introduction

Oracle Cloud documentation at http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSIMG describes the tasks for configuring Oracle Cloud as an SP, using the SSO Configuration tab of the My Services UI. SP configuration, however, is only half of the configuration process. To enable SSO, you need to configure the IdP as well as the SP.

The My Services configuration page for SSO requires you to configure the SP first. To do that, you must have metadata from the IdP to upload into the SP. Therefore, you need to move back and forth between browser windows, one at the IdP and the other at the SP. Specifically, you will:

  1. Obtain the IdP metadata for SP configuration
  2. Configure the SP
  3. Obtain the SP metadata for IdP configuration
  4. Configure the IdP
  5. Test and enable SSO from the SP

Software Requirements

The following is a list of software requirements for the IdP:

  • Oracle Access Management Suite 11gR2 PS2 must be installed and configured. Download the software from otn.oracle.com or edelivery.oracle.com.

Prerequisites

Before starting this tutorial, you should:

  • Ensure that OAM Suite is integrated with an LDAP directory (such as OUD, OID, AD) as the user data store. Integration is automatic if you are using the embedded LDAP in WebLogic Server.
  • Ensure that OAM Suite is enabled for SSL by having its public endpoints configured for SSL, for example, with the reverse proxy fronting OAM/OIF configured for SSL.
  • Familiarize yourself with the documentation for configuring Oracle Cloud as an SP. See the SSO configuration topics at: http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSIMG .
  • Decide whether to use the email address or the userID as the Federation attribute for identifying the user in the Federation message.
  • Ensure that each user in the LDAP directory at the IdP contains the attribute you will use to identify the user in the Federation message:
    • If you want to use the email address, then each user must have a specific attribute containing a unique email address. For example, if the LDAP directory is OID, mail would be such an attribute.
    • If you want to use the user identifier, then each user must have a specific attribute containing a unique userID. For example, if the LDAP directory is OID, uid would be such an attribute.
  • Ensure that the user population has been synchronized between the IdP LDAP directory and the SP directory, with the attribute used to identify the user being the same in both directories for each user.
    "Importing a Batch of User Accounts" in Getting Started with Oracle Cloud at: http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSGSG describes a method for synchronizing users between the two directories.

Obtaining IdP Metadata for SP Configuration

To obtain the Oracle Access Management Suite Federation IdP metadata you need to provide when configuring the Oracle Cloud SP, perform the following steps:

  1. Launch a browser and open the Oracle Access Management federation IdP metadata. The URL is of the form: http://oam-runtime-host:oam-runtime-port/oamfed/idp/metadata

  2. Save the file locally as IdP_metadata.xml.

Perform Oracle Cloud SP Configuration

You must configure the Oracle Cloud SP before you configure the IdP.

Perform the following steps:

  1. If necessary, copy the metadata file you obtained from Oracle Access Management federation IdP to the environment where you will configure Oracle Cloud.

  2. In a browser, navigate to the SSO Configuration tab on the Users page of My Services for Oracle Cloud.

  3. Click Configure SSO.
    • Select Import identity provider metadata.
    • Click Choose File and upload the identity provider metadata file (IdP_metadata.xml in this tutorial).
    • For SSO Protocol, HTTP POST is recommended and is the default.
    • Select the User identifier. This is the Oracle LDAP Directory attribute used to map the user information contained in the incoming SSO SAML Assertion to an Oracle Cloud user. It is either User's email address or UserID. Select User's email address for this tutorial.
    • Select Contained in. If the User identifier is User's email address, Contained in must be NameID.
    • If the User identifier is User ID, Contained in must be SAML Attribute, and you must specify the name of the SAML Attribute to use for Contained in, such as sAMAccountName in the case of AD.
    • Click Save.

  4. The screen now shows the remaining tasks to be performed on the SSO Configuration page. You have performed the first task, Configure SSO.


Obtaining SP Metadata for IdP Configuration

To obtain the Oracle Cloud SP metadata you need to provide when configuring Oracle Access Management Suite Federation as an IdP, perform the following steps:

  1. Go to the Configure your Identity Provider Information section of the SSO Configuration page and click Export Metadata, then select Provider Metadata.

  2. Save the metadata to a local file as sp_metadata.xml. You have now performed the second task on the page, Configure your Identity Provider Information.
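Both metadata files exchanged above (IdP_metadata.xml from OAM and sp_metadata.xml from Oracle Cloud) are plain SAML 2.0 metadata documents, and a mangled export (a copy-pasted certificate, an http endpoint behind an SSL-terminating proxy, a missing HTTP-POST binding) is the usual reason the later SSO test fails. The following script is an added example, not code from this tutorial or from Oracle: it runs the checks a practitioner would make on both files before uploading them. The two metadata documents embedded in it are constructed samples; the entity IDs, hostnames, endpoint paths and certificate bytes are placeholders, not values from any real OAM or Oracle Cloud deployment.

```python
"""Sanity-check SAML 2.0 IdP and SP metadata before exchanging them.

Added example; not code from the Oracle tutorial or from Oracle products.
The two documents below are constructed samples shaped like IdP_metadata.xml
and sp_metadata.xml. Entity IDs, hostnames, endpoint paths and the
certificate bytes are placeholders.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample IdP metadata (placeholder entityID, endpoint and cert).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/placeholder-entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_EMAIL}</md:NameIDFormat>
    <md:NameIDFormat>{NAMEID_UNSPECIFIED}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.com/placeholder-sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample SP metadata (placeholder values as above).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://cloud.example.com/placeholder-entity">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_EMAIL}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0" isDefault="true"
        Location="https://cloud.example.com/placeholder-acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _common_checks(root, role_tag):
    """Checks shared by IdP and SP metadata. Returns (problems, role element)."""
    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID missing")
    elif not entity_id.startswith("https://"):
        problems.append(f"entityID is not https: {entity_id}")
    role = root.find(role_tag, NS)
    if role is None:
        problems.append(f"{role_tag} missing")
        return problems, None
    usable_certs = 0
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # a KeyDescriptor without 'use' serves both signing and encryption
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        try:
            # A certificate damaged in copy-paste fails here instead of at SSO time.
            base64.b64decode("".join(cert.text.split()), validate=True)
            usable_certs += 1
        except (binascii.Error, ValueError):
            problems.append("signing certificate is not valid base64")
    if usable_certs == 0:
        problems.append("no usable signing certificate")
    return problems, role


def _endpoint_checks(role, tag, problems):
    """The tutorial recommends HTTP POST and requires SSL on public endpoints."""
    endpoints = role.findall(tag, NS)
    if not any(ep.get("Binding") == HTTP_POST for ep in endpoints):
        problems.append(f"{tag} has no HTTP-POST binding")
    for ep in endpoints:
        if not ep.get("Location", "").startswith("https://"):
            problems.append(f"{tag} endpoint is not https: {ep.get('Location')}")


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the IdP metadata looks usable."""
    root = ET.fromstring(xml_text)
    problems, role = _common_checks(root, "md:IDPSSODescriptor")
    if role is not None:
        _endpoint_checks(role, "md:SingleSignOnService", problems)
    return problems


def check_sp_metadata(xml_text):
    """Return a list of problems; an empty list means the SP metadata looks usable."""
    root = ET.fromstring(xml_text)
    problems, role = _common_checks(root, "md:SPSSODescriptor")
    if role is not None:
        _endpoint_checks(role, "md:AssertionConsumerService", problems)
    return problems


def nameid_formats(xml_text):
    """Set of NameID formats a metadata document advertises."""
    root = ET.fromstring(xml_text)
    return {e.text.strip() for e in root.iter(f"{{{NS['md']}}}NameIDFormat") if e.text}


def common_nameid_formats(idp_xml, sp_xml):
    """Formats both sides support; the Name ID format you pick later must be in here."""
    return nameid_formats(idp_xml) & nameid_formats(sp_xml)


if __name__ == "__main__":
    for label, problems in (("IdP", check_idp_metadata(IDP_METADATA)),
                            ("SP", check_sp_metadata(SP_METADATA))):
        print(label, "metadata:", "OK" if not problems else problems)
    print("NameID formats both sides support:", common_nameid_formats(IDP_METADATA, SP_METADATA))
```

To use it on real exports, read IdP_metadata.xml and sp_metadata.xml from disk and pass their contents to check_idp_metadata and check_sp_metadata; any non-empty list is something to fix before the upload, and common_nameid_formats tells you whether Email Address or Unspecified is a format both partners actually advertise.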

Enabling Identity Federation in OAM Admin Console

Perform the following steps to enable Oracle Access Management Federation:

  1. Go to the OAM Admin Console in a browser. The URL is of the form: http://adminhost:adminport/oamconsole

  2. Authenticate using OAM Admin user credentials.

  3. From the Launch Pad, navigate to: Configuration -> Available Services

  4. Enable Identity Federation.

    OAM console, Federation enabled

Configuring the IdP, using Metadata from Oracle Cloud SP

To configure the IdP, perform the following steps:

  1. If necessary, copy the metadata file (sp_metadata.xml) you obtained from the Oracle Cloud SP to the environment where you are configuring the IdP.

  2. Return to the browser page containing the OAM Console, where you enabled Federation.

  3. Authenticate again if necessary.

  4. Navigate to Launch Pad > Identity Federation > Identity Provider Administration

  5. Click Create Service Provider Partner.

  6. Enter a name such as Oracle Cloud SP.

  7. Ensure Enable Partner is selected.

  8. Select SAML 2.0 as the protocol (which is the default).

  9. Select Load from Provider Metadata, click Load the Metadata, and upload the Oracle Cloud SP metadata that you exported from the Oracle Cloud UI.

  10. Specify the NameID Format Settings. What you specify depends on which attribute you use to identify the user.

    If you define the user by the email address, use Email Address as the format. Configure the settings as follows:

    1. Select Email Address as the Name ID format

    2. Select User ID Store Attribute as the Name ID Value

    3. Enter the User Attribute in the LDAP user record containing the user's email address. For example, if Oracle Internet Directory or Oracle Unified Directory are the User Data Store, the attribute is mail.

    Service Provider Partners screen, settings for email address

    If you define the user by the userID, use Unspecified as the NameID format. Configure the Assertion settings as follows:

    1. Select Unspecified as the NameID format

    2. Select User ID Store Attribute as the NameID Value

    3. Enter the User Attribute in the LDAP user record containing the user's identifier. For example, if Oracle Internet Directory or Oracle Unified Directory is the User Data Store, the attribute is uid.


    Service Provider Partners screen, settings for userID

  11. Click Save.

  12. Click the Identity Provider Administration tab in the OAM Console and, under Search Service Provider Partners, click Search to confirm that Oracle Cloud SP appears in the results.
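The NameID settings chosen here on the IdP and the User identifier / Contained in settings chosen earlier on the Oracle Cloud SP are two halves of one mapping: the IdP reads an LDAP attribute into the assertion, and the SP reads it back out and looks the value up in its own user list. The script below is an added example, not code from this tutorial or from Oracle; it models that mapping with constructed data so the two halves can be checked for agreement before running the SSO test. The LDAP record, the SP user list and the settings dictionaries are constructed placeholders, and the assertion it builds contains only the Subject and AttributeStatement parts relevant to user identification, not a signed, complete SAML assertion.

```python
"""Trace the user-identifier mapping from the IdP's LDAP record to the SP's lookup.

Added example; not code from the tutorial or from Oracle. Models the two
NameID configurations the tutorial describes (Email Address sourced from
`mail`, or Unspecified sourced from `uid`) against the SP-side "User
identifier / Contained in" choice. All data below is constructed.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed LDAP entry for one user at the IdP (placeholder values).
LDAP_USER = {"uid": "jdoe", "mail": "jdoe@example.com", "cn": "Jane Doe"}

# Constructed SP user population, synchronized from the IdP directory.
SP_DIRECTORY = [
    {"userid": "jdoe", "email": "jdoe@example.com"},
    {"userid": "asmith", "email": "asmith@example.com"},
]

# IdP partner settings mirroring the tutorial's two variants (hypothetical keys).
IDP_EMAIL_SETTINGS = {"nameid_format": NAMEID_EMAIL, "nameid_attribute": "mail",
                      "send_attributes": []}
IDP_USERID_SETTINGS = {"nameid_format": NAMEID_UNSPECIFIED, "nameid_attribute": "uid",
                       "send_attributes": ["uid"]}

# SP settings mirroring the Oracle Cloud SSO Configuration choices (hypothetical keys).
SP_EMAIL_SETTINGS = {"user_identifier": "email", "contained_in": "NameID",
                     "attribute_name": None}
SP_USERID_SETTINGS = {"user_identifier": "userid", "contained_in": "SAMLAttribute",
                      "attribute_name": "uid"}


def build_assertion(idp, user):
    """Subject and AttributeStatement the IdP would emit for this user.

    Returns None when the user lacks the identifying attribute, which is the
    prerequisite the tutorial states every user must satisfy."""
    value = user.get(idp["nameid_attribute"])
    if not value:
        return None
    assertion = ET.Element(f"{{{SAML}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    nameid = ET.SubElement(subject, f"{{{SAML}}}NameID", Format=idp["nameid_format"])
    nameid.text = value
    if idp["send_attributes"]:
        stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
        for name in idp["send_attributes"]:
            if name in user:
                attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
                ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = user[name]
    return ET.tostring(assertion, encoding="unicode")


def sp_extract_identifier(sp, assertion_xml):
    """What the SP reads out of the assertion, according to its Contained in setting."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML}
    if sp["contained_in"] == "NameID":
        nameid = root.find("saml:Subject/saml:NameID", ns)
        return nameid.text if nameid is not None and nameid.text else None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") == sp["attribute_name"]:
            value = attr.find("saml:AttributeValue", ns)
            return value.text if value is not None else None
    return None


def check_mapping(idp, sp, user, sp_directory):
    """IdP emits, SP extracts, SP looks the value up in its synchronized user list.

    Returns the matched SP record, or a string saying why SSO would fail."""
    assertion = build_assertion(idp, user)
    if assertion is None:
        return f"user lacks attribute {idp['nameid_attribute']!r} at the IdP"
    ident = sp_extract_identifier(sp, assertion)
    if ident is None:
        return "SP could not find the user identifier where it was told to look"
    key = "email" if sp["user_identifier"] == "email" else "userid"
    for record in sp_directory:
        if record[key] == ident:
            return record
    return f"identifier {ident!r} not provisioned at the SP"


if __name__ == "__main__":
    print("email/NameID:", check_mapping(IDP_EMAIL_SETTINGS, SP_EMAIL_SETTINGS, LDAP_USER, SP_DIRECTORY))
    print("uid/attribute:", check_mapping(IDP_USERID_SETTINGS, SP_USERID_SETTINGS, LDAP_USER, SP_DIRECTORY))
    print("mismatched halves:", check_mapping(IDP_EMAIL_SETTINGS, SP_USERID_SETTINGS, LDAP_USER, SP_DIRECTORY))
```

The three failure strings correspond to the three things the tutorial asks you to verify beforehand: the attribute exists on every IdP user, the SP looks in the place the IdP populates, and the user population is synchronized so the value resolves to an Oracle Cloud user.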


Test Federation SSO between OAM Identity Federation 11g R2 as IdP and Oracle Cloud as SP

The test consists of performing an SP Initiated SSO by:

  • Accessing the OIF Test SP service and starting a Federation SSO operation with the Identity Provider
  • Being authenticated by the on-premise customer IdP
  • Being redirected from the IdP service to the SP service with a SAML Assertion containing user data
  • Being successfully logged into Oracle Cloud after Oracle Cloud (SP) validates the SAML Assertion

To complete the testing, proceed as follows:

  1. Return to the browser window containing the SSO Configuration page of My Services in Oracle Cloud. Under Test your SSO, click the Test button.

  2. On the Initiate Federation SSO page, click Start SSO.

  3. On the OAM SSO Login page (the IdP challenge), enter valid user credentials. (Note: This user must exist in the IdP's LDAP repository as well as in Oracle Cloud, under the Users tab of the My Services page.)

  4. For Federation to work, the above user must exist in Oracle Cloud as well as in the IdP's on-premise LDAP repository. The user's password is stored only in the IdP's on-premise LDAP repository.

  5. If the federation setup is correct, you should see the Authentication Success message under Federation SSO Operation Result. Note the User Identifier and Attributes for assertion fields.

  6. After the test has completed successfully, go to the Enable SSO section of the page. Note that the Status reads SSO is Not Enabled.

  7. Click the Enable SSO button to enable SSO for all Cloud services. Until you do this, SSO is not enabled. Click OK on the Enable Single Sign-On screen.

  8. The Enable SSO section of the page now shows Status: SSO is Enabled.

  9. Navigate to the My Services Oracle Cloud URL. You will be prompted to enter your Identity Domain (you can save this for subsequent logins). Enter your Identity Domain Name and click Go.

  10. You should be able to authenticate through the IdP after selecting the Sign In using Company option.

  11. Enter user credentials on the IdP's OAM SSO screen.

  12. The first time you log in, you can save your preference for Language and Time Zone.

  13. You should now see your My Services home page. Notice the top right corner, which shows you are logged in as user ahall to the docs identity domain and that SSO is enabled.


Summary

In this tutorial, you learned to:

  • Obtain a file containing OAM Federation metadata to use for SP configuration
  • Perform Oracle Cloud SSO SP configuration
  • Configure OAM Identity Federation as the IdP, using metadata from Oracle Cloud SSO
  • Use the Oracle Cloud SSO documentation to test and enable SSO at the SP

Resources

Credits

  • Lead Author: Vishal Parashar
  • Technical Contributor : Damien Carru
