3 Set Up Federation With External Identity Provider
Identity Providers
You can use Oracle Identity Cloud Service as your primary identity provider for federating users and Oracle Identity and Access Management to manage users. However, if you have an existing identity provider that's compliant with Security Assertion Markup Language (SAML) 2.0, you can use that as your primary identity provider.
To use a third-party identity provider, you must associate that identity provider with Oracle Cloud Infrastructure. This lets you use the existing users in your identity provider or directory service. You don't have to recreate them in Oracle Identity Cloud Service. Instead, enable SAML Just-In-Time Provisioning to automate the user creation in Oracle Identity Cloud Service. Remember that you can't perform bulk migration of users with this setup.
After you set up the federation, configure default access rules and provide mapping to a predefined role in your application based on the user's role in your directory service. You must map restricted roles to limit access to your application. For more information, see the Create Users and Assign Roles chapter.
How to Set Up Federation With External Identity Provider
You can set up federation between Oracle Identity Cloud Service and the external identity provider in one of these ways:
- Set up the external identity provider as the primary identity provider. This enables you to manage users in your external identity provider and synchronize them with Oracle Identity Cloud Service.
- Set up the external identity provider as a service provider. This enables you to manage users in Oracle Identity Cloud Service and synchronize them with your external identity provider.
Note:
You must have administrator credentials for your Oracle Identity Cloud Service tenancy and the external identity provider to perform this task.
Set Up External Identity Provider as Primary Identity Provider
- In your external identity provider, configure the external identity provider as a SAML2 identity provider and download its metadata file in the XML format. You need this metadata file later in these steps.
- In the Oracle Identity Cloud Service console, add and configure a SAML2 Identity Provider. While configuring the identity provider, ensure that you do these steps:
- Import the metadata file that you downloaded in step 1 into Oracle Identity Cloud Service.
- Download the following files from Oracle Identity Cloud Service. You need these files later in the steps. For detailed steps, refer to the Add a SAML Identity Provider topic in the Administering Oracle Identity Cloud Service guide.
- Service Provider Metadata (in the XML format)
- Service Provider Signing Certificate (in the PEM format)
- Service Provider Encryption Certificate (in the PEM format)
- In your external identity provider, configure Oracle Identity Cloud Service as the remote service provider. While configuring the remote service provider, ensure that you import the files that you downloaded in step 2 into your external identity provider. Ensure that you import the Service Provider Signing Certificate and the Service Provider Encryption Certificate into your external identity provider's keystore. For example:
keytool -import -alias <alias> -file IDCS_IDP_FILES/IDCSCertificate.pem -keystore IDCS_IDP/keystore.jceks -storetype JCEKS -storepass <storepass>
- Verify the federation setup by following these steps:
- In the Identity Cloud Service console, navigate to Security and then select Identity Provider.
- Select your external identity provider and then select Test from the right-click menu. Your external identity provider sign-in page appears.
- Sign in with the user in your directory service. The connection successful confirmation message appears.
For detailed steps, refer to your external identity provider documentation and the Federating with SAML 2.0 Identity Providers chapter in the Oracle Cloud Infrastructure documentation.
With this setup, you can use SAML Just-In-Time Provisioning to automate user creation in Oracle Identity Cloud Service. For enabling this feature, refer to the Service Request Features for Oracle Identity Cloud Service topic in the Administering Oracle Identity Cloud Service guide. For configuring this feature, see the Configuring SAML JIT Provisioning topic in the REST API for Oracle Identity Cloud Service documentation.
Set Up External Identity Provider as Service Provider
- In the Oracle Identity Cloud Service console, configure Oracle Identity Cloud Service as the primary identity provider by following these steps:
- Add a SAML Application in Oracle Identity Cloud Service. For detailed steps, refer to the Add a SAML Application topic in the Administering Oracle Identity Cloud Service guide. While you add the application, ensure that you download these files:
- Identity Provider Signing Certificate (in the PEM format). This certificate is used by the SAML application to verify that the SAML assertion is valid.
- Identity Provider Metadata (in the XML format). You need this metadata file later in the steps. The URL looks like: https://<your_tenancy>.identity.oraclecloud.com/fed/v1/metadata.
- Assign the SAML application to your users in Oracle Identity Cloud Service. For detailed steps, refer to the Assign Applications Oracle Identity Cloud User Using Account Form topic in the Administering Oracle Identity Cloud Service guide.
- In your external identity provider, do the following:
- Import the signing certificate that you downloaded in step 1 into your external identity provider's keystore. For example:
keytool -import -alias <alias> -file IDCS_IDP_FILES/IDCSCertificate.pem -keystore IDCS_IDP/keystore.jceks -storetype JCEKS -storepass <storepass>
- Configure Oracle Identity Cloud Service as the remote identity provider. While configuring the identity provider, ensure that you do these steps:
- Select SAML as the single sign-on method.
- Import the Oracle Identity Cloud Service Identity Provider Metadata file that you downloaded in step 1 into your external identity provider.
- Enter the Oracle Identity Cloud Service console URL as the Sign-on URL.
For detailed steps, refer to your external identity provider documentation.
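Both procedures above end with importing a downloaded PEM certificate into the partner's keystore (the Service Provider certificates in the first procedure, the Identity Provider Signing Certificate in the second). Before doing so, it is worth confirming that the PEM file really is the certificate published in the partner's SAML 2.0 metadata, so that a stale or mislabelled download does not end up trusted. The following Python is an added example, not Oracle's code: it parses IdP or SP metadata (both descriptor types), lists the SSO endpoints and the signing and encryption certificate fingerprints, and checks a PEM file against them. The entityID, URLs and certificate bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-ins: real downloads carry DER-encoded X.509 certificates.
SIGN_B64 = base64.b64encode(bytes(range(48))).decode()
ENC_B64 = base64.b64encode(bytes(range(48, 96))).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + SIGN_B64 + "\n-----END CERTIFICATE-----\n"

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SIGN_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and decode the base64 body to DER bytes."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes (keytool -list -v prints the same digest colon-separated)."""
    return hashlib.sha256(der).hexdigest()


def parse_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints and per-use cert fingerprints from IdP or SP metadata."""
    root = ET.fromstring(xml_text)
    desc = next((d for d in root if d.tag.endswith("SSODescriptor")), None)
    if desc is None:
        raise ValueError("metadata has neither IDPSSODescriptor nor SPSSODescriptor")
    certs = {"signing": [], "encryption": []}
    for kd in desc.findall("md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else list(certs)  # no 'use' means both
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))  # metadata may wrap base64 lines
            for use in uses:
                certs[use].append(fingerprint(der))
    sso = {s.get("Binding"): s.get("Location") for s in desc.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "certs": certs}


def pem_matches(pem: str, xml_text: str, use: str = "signing") -> bool:
    return fingerprint(pem_to_der(pem)) in parse_metadata(xml_text)["certs"][use]
```

Run `pem_matches(open("IDCSCertificate.pem").read(), open("metadata.xml").read())` against the real downloads; a False result means the PEM file is not the certificate the metadata advertises for that use and should not be imported.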