This tutorial describes how to configure Oracle Access Management Identity Federation 11g Release 2 PS2 (220.127.116.11.0) as an Identity Provider( (IdP) to be used with Oracle Cloud as the Service Provider (SP).
Time to Complete
Approximately 1 hour
Oracle Cloud documentation at http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSIMG describes the tasks for configuring Oracle Cloud as a SP, using the SSO Configuration tab of the My Services UI. SP configuration, however, is only half of the configuration process. To enable SSO, you need to configure the IdP as well as the SP.
The My Services configuration page for SSO requires you to configure the SP first. To do that, you must have metadata from the IdP to upload into the SP. Therefore, you need to move back and forth between browser windows, one at the IdP and the other at the SP. Specifically, you will:
- Obtain the IdP metadata for SP configuration
- Configure the SP
- Obtain the SP metadata for IdP configuration
- Configure the IdP
- Test and enable SSO from the SP
The following is a list of software requirements for the IdP:
- Oracle Access Management Suite 11gR2 PS2 must be installed and configured. Download the software from otn.oracle.com or edelivery.oracle.com.
Before starting this tutorial, you should:
- Ensure that OAM Suite is integrated with an LDAP directory (such as OUD, OID, AD) as the user data store. Integration is automatic if you are using the embedded LDAP in WebLogic Server.
- Ensure that OAM Suite is enabled for SSL by having its public endpoints configured for SSL, for example, with the reverse proxy fronting OAM/OIF configured for SSL
- Familiarize yourself with the documentation for configuring Oracle Cloud as an SP. See the SSO configuration topics at: http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSIMG .
- Decide whether to use the email address or the userID as the Federation attribute for identifying the user in the Federation message.
- Ensure that the each user in the LDAP directory at the IdP
contains the attribute you will use to identify the user in the
- If you want to use the email address, then each user must have a specific attribute containing a unique email address. For example, if the LDAP directory is OID, mail would be such an attribute.
- If you want to use the user identifier, then each user must have a specific attribute containing a unique userID. For example, if the LDAP directory is OID, uid would be such an attribute.
- Ensure that the user population has been synchronized between
the IdP LDAP directory and the SP directory, with the attribute
used to identify the user being the same in both directories for
"Importing a Batch of User Accounts" in Getting Started with Oracle Cloud at: http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSGSG describes a method for synchronizing users between the two directories.
Obtaining IdP Metadata for SP Configuration
To obtain the Oracle Access Management Suite Federation IdP metadata you need to provide when configuring the Oracle Cloud SP, perform the following steps:
- Launch a browser. Access the Oracle Access Management federation IdP metadata. The URL is of the form: http://oam-runtime-host:oam-runtime-port/oamfed/idp/metadata
- Save the file locally as IdP_metadata.xml.
Perform Oracle Cloud SP Configuration
You must configure the Oracle Cloud SP before you configure the IdP.
Perform the following steps:
If necessary, copy the metadata file you obtained from Oracle Access Management federation IdP to the environment where you will configure Oracle Cloud.
- In a browser, navigate to the SSO Configuration tab on the Users page of My Services for Oracle Cloud.
- Click on Configure
- Select Import identity provider metadata.
- Click Choose File and upload the identity provider metadata file (such as IdP_metadata.xml in our tutorial)
- For SSO Protocol, HTTP POST is recommended, and is the default.
- Select User identifier. This is the Oracle LDAP Directory attribute that is used to map the user information contained in the incoming SSO SAML Assertion to an Oracle Cloud User.
- It is either User's email address or UserID. Select User's email address for this tutorial.
- Select Contained in. If the User identifier is User's email address, Contained in must be NameID.
- If the User identifier is the User ID, Contained in must be SAML Attribute and you must specify the name of the SAML Attribute to use for Contained in such as SamAccountName in case of AD.
- Click Save.
- The screen now shows the remaining tasks to be
performed on the SSO configuration page. You have performed the
first task, Configure SSO.
Obtaining SP Metadata for IdP Configuration
To obtain the Oracle Cloud SP metadata you need to provide when configuring Oracle Access Mangement Suite Federation as an IdP, perform the following steps:
- Go to the Configure your Identity Provider Information section of the SSO Configuration page and click Export Metadata, then select Provider Metadata.
- Save the metadata to a local file as sp_metadata.xml. You have now performed the second task on the page, Configure your Identity Provider Information.
Enabling Identity Federation in OAM Admin Console
Perform the following steps to enable Oracle Access Management Federation:
Go to the OAM Admin Console in a browser. The URL is of the form: http://adminhost:adminport/oamconsole
Authenticate using OAM Admin user credentials.
From the Launchpad Navigate to: Configuration -> Available Services
Enable Identity Federation.
Configuring the IdP, using Metadata from Oracle Cloud SP
To configure the IdP, perform the following steps:
If necessary, copy the metadata file (sp_metadata.xml) you obtained from the Oracle Cloud SP to the environment where you are configuring the IdP.
Return to the browser page containing the OAM Console, where you enabled Federation.
Authenticate again if necessary.
- Navigate to Launch Pad > Identity Federation > Identity Provider Administration
- Click Create Service Provider Partner.
Enter a name such as Oracle Cloud SP.
Ensure Enable Partner is selected.
Select SAML 2.0 as the protocol (which is the default).
Select Load from Provider Metadata and click Load the Metadata and upload the Oracle Cloud SP metadata that you exported from the Oracle Cloud UI.
- Specify the NameID Format Settings. What you specify depends
on which attribute you use to define the user.
If you define the user by the email address, use Email Address as the format. Configure the settings as follows:
Select Email Address as the Name ID format
Select User ID Store Attribute as the Name ID Value
Enter the User Attribute in the LDAP user record containing the user's email address. For example, if Oracle Internet Directory or Oracle Unified Directory are the User Data Store, the attribute is mail.
If you define the user by the userID, use Unspecified NameID as the format. Configure the Assertion settins as follows:
Select Unspecified as the NameID format
Select User ID Store Attribute as the NameID Value
- Enter the User Attribute in the LDAP user record
containing the user's identifier. For example, if Oracle
Internet Directory or Oracle Unified Directory is the User
Data Store, the attribute is uid.
Test Federation SSO between OAM Identity Federation 11g R2 as IdP and Oracle Cloud as SP
The test consists of performing an SP Initiated SSO by:
- Accessing OIF Test SP service and starting a Federation SSO operation with the Identity Provider
- Being authenticated by the on-premise customer IdP
- Being redirected from the IdP service to the SP service with a SAML Assertion containing user data
- Being successfully logged into Oracle Cloud after Oracle Cloud (SP) validates the SAML Assertion
- Return to the browser window containing the SSO Configuration
page of My Services in Oracle Cloud. Under Test your SSO, Click
on Test button.
- On the OAM SSO Login page screen (IdP challange), enter a valid user credentials (Note: This user must exist in IdP's LDAP repository as well as in Oracle Cloud - under Users tab of MyServices page).
- For Federation to work the above user must exist in Oracle Cloud as well as IdP's on-premise LDAP repository. The user's password is only stored in IdP's on-premise LDAP repository.
- If the federation setup is correct, you should see the Authentication Success message under Federation SSO Operation Result. Note the User Identifier and Attributes for assertion fields.
- After the test has completed successfully, go to the Enable SSO section of the page. Note that the Status is SSO is Not Enabled.
- Click the Enable SSO button to enable SSO for all Cloud services. Unit you do this, SSO is not enabled. Click OK on the Enable Sign Sign-On screen.
- The Enable SSO section of the page now shows Status: SSO is Enabled
- Navigate to MyServices Oracle Cloud URL. You will be prompted to enter your Identity Domain (you can save this for subsequent logins). Enter your Identity Domain Name and click on Go.
- You should be able to authenticate through the IdP, after selecting Sign In using Company option.
- Enter user credentials on the IdP's OAM SSO screen.
- The first time you login, you can save your preference for Language and Time Zone.
- You should now see your MyServices home page. Notice the top right corner, which shows you are logged in as ahall user to the docs identity domain and SSO is enabled.
In this tutorial, you learned to:
- Obtain a file containing OAM Federation metadata to use for SP configuration
- Perform Oracle Cloud SSO SP Configuration
- Configure OAM Configuration as the IdP, using metadata from Oracle Cloud SSO
- Use the Oracle Cloud SSO documentation to test and enable SSO at the SP
- Cloud SSO documentation http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSIMG
- "Importing a Batch of User Accounts" in Getting Started with Oracle Cloud at: http://www.oracle.com/pls/topic/lookup?ctx=cloud&id=CSGSG
- Lead Author: Vishal Parashar
- Technical Contributor : Damien Carru
To navigate this Oracle by Example tutorial, note the following:
- Topic List:
- Click a topic to navigate to that section.
- Expand All Topics:
- Click the button to show or hide the details for the sections. By default, all topics are collapsed.
- Hide All Images:
- Click the button to show or hide the screenshots. By default, all images are displayed.
- Click the button to print the content. The content that is currently displayed or hidden is printed.
To navigate to a particular section in this tutorial, select the topic from the list.