Introduction
This article describes the high-level steps to integrate Oracle Identity Cloud Service (IDCS) with Oracle Access Management (OAM) to provide Single Sign-On (SSO) to cloud applications. This is an important step when migrating on-premises applications to the cloud. Oracle IDCS provides out-of-the-box integration with SAML 2.0 compliant IdPs.
SAML 2.0 features:
- Works with federated SSO solutions that are compatible with SAML 2.0, such as Oracle Access Management.
- Allows users to log into Oracle Identity Cloud Service using their credentials from the IdP.
- Can force the IdP authentication for all users or offer the IdP authentication as a Login Chooser option.
Architecture
In this architectural diagram, the on-premises access management system represents the legacy authentication mechanism, and Oracle Identity Cloud Service represents the cloud-based one. The corporate user trusted source is represented by an enterprise Lightweight Directory Access Protocol (LDAP) server. Users from the enterprise LDAP server are synchronized to Oracle Identity Cloud Service by the bridge.
Authentication Flow
- The user requests access to a cloud application.
- The cloud application redirects the user browser to Oracle Identity Cloud Service for authentication.
- Oracle Identity Cloud Service redirects the user browser to OAM as the identity provider (IdP) for authentication.
- OAM presents its sign in page to the user.
- User submits credentials to OAM.
- After the user successfully authenticates in OAM, the browser is redirected to Oracle Identity Cloud Service with a valid SAML Token.
- Oracle Identity Cloud Service consumes the SAML token, creates a user session, and then redirects the browser back to the cloud application.
- The cloud application creates its own user session and then presents the home page to the user.
Requirements
- Access to Oracle Identity Cloud Service with authorization to manage Identity Providers.
- An OAM environment with federation services enabled.
- Users synchronized between the OAM Identity Store and Oracle Identity Cloud Service. This can be accomplished with either the Microsoft Active Directory Bridge or a Provisioning Bridge.
- A shared unique attribute, such as email address, must be present and populated in both Oracle Identity Cloud Service and the directory for OAM.
- Synchronized server clocks on every host where each service runs. The SAML assertion must be processed within its valid time window.
- OAM remains the authoritative source for login credentials, so the existing process for managing user passwords in OAM is kept unchanged.
- Security Administrator Role in IDCS for Managing Identity Providers.
- System Administrator Role in OAM to access the OAM console and change federation settings.
- Verify OAM Identity Federation is enabled.
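As an added illustration (not code from this article or from Oracle), the checks a SAML 2.0 service provider performs when it consumes the assertion, at the step in the flow above where Oracle Identity Cloud Service creates the user session, applied to the two requirements just listed: the assertion's validity window (with a small clock-skew allowance) and the shared email attribute matched against the synchronized users. The issuer, audience, email and timestamps are constructed sample values; XML signature verification against the IdP certificate from the exported metadata is deliberately left out of this snippet.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample values (hypothetical, not from a real OAM/IDCS tenant).
OAM_ISSUER = "https://oam.example.com/oam/fed"
IDCS_AUDIENCE = "https://idcs-tenant.example.com:443/fed"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://oam.example.com/oam/fed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://idcs-tenant.example.com:443/fed</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC in xsd:dateTime form, e.g. 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, known_emails,
                    now, skew=timedelta(minutes=3)):
    """Return (True, email) if the assertion may create a session, else (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer does not match the registered IdP"
    cond = root.find("saml:Conditions", NS)
    # Clock skew tolerance: without synchronized clocks even a fresh assertion fails here.
    not_before = parse_saml_time(cond.get("NotBefore")) - skew
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter")) + skew
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window (check clock sync)"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience does not match this service provider"
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.get("Format", "").endswith("emailAddress"):
        return False, "NameID is not the agreed email-address format"
    email = name_id.text.strip().lower()
    if email not in known_emails:  # user must already be synchronized by the bridge
        return False, "no synchronized user with that email"
    return True, email
```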
Configure OAM as an Identity Provider (IdP)
- Export the SAML 2.0 metadata from OAM. This metadata will later be used to add the IdP in Oracle Identity Cloud Service.
- Add an Identity Provider in Oracle Identity Cloud Service using the metadata file you exported from OAM. These steps assume you are using email address for the unique user attribute.
- Register Oracle Identity Cloud Service as a trusted relying party by adding a new service provider partner in Oracle Access Management (OAM).
- Test the Identity Provider Connection.
- Enable the OAM Identity Provider in Oracle Identity Cloud Service.
- Add the Identity Provider to the Default Identity Provider Policy in Oracle Identity Cloud Service.
Test the Federation Service
- Test the IdP configuration in the Oracle Identity Cloud Service console by logging into Oracle Identity Cloud Service using OAM credentials.
- Mark the test user as federated in Oracle Identity Cloud Service.