Identity Cloud Service and SAML
Identity Cloud Service or IDCS provides Identity Management capabilities hosted in the Cloud to Oracle customers, including:
-
User & Group Management
-
SAML SSO with SAML SPs and IdPs
-
OpenID Connect SSO with SPs
This article covers the SAML features supported by IDCS 17.2.2 and later.
SAML Support
Protocol
The following SAML 2.0 protocols and bindings are supported by IDCS:
-
SAML 2.0 SSO Protocol
-
Sending and receiving of the SAML AuthnRequest via HTTP-Redirect or HTTP-POST bindings
-
Sending and receiving of the SAML Response containing the SAML Assertion via the HTTP-POST binding
-
-
SAML 2.0 Logout Protocol Sending and receiving of the SAML
-
LogoutRequest
via HTTP-Redirect or HTTP-POST bindings -
Sending and receiving of the SAML
LogoutResponse
via HTTP-Redirect or HTTP-POST bindings
-
-
SAML 2.0 Metadata
-
The IDCS SAML Service can generate a SAML 2.0 Metadata document listing the services and certificates used for Federation SSO
-
The IDCS SAML Service can also consume a SAML 2.0 Metadata during Federation trust establishment.
-
Cryptography
The IDCS SAML service supports the following cryptographic features:
-
SHA-256 and SHA-1 as the signature hash algorithm
-
The inclusion of the IDCS Signing Certificate in outgoing SAML messages, when the message is sent using the HTTP-POST binding
-
When IDCS is acting as a SAML IdP during the SAML Assertion Generation:
-
Either the SAML Response or the SAML Assertion is signed
-
The SAML Assertion can be encrypted using AES-128-CBC, AES-192-CBC, AES-256-CBC or 3DES-CBC
-
When IDCS is acting as a SAML SP during the SAML Assertion Consumption:
-
-
Either the SAML Response or the SAML Assertion must be signed
SAML Assertion Generation
As an IdP, IDCS supports the following when issuing a SAML 2.0 Assertion
-
NameID
Format-
urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified
-
urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress
-
urn:oasis:names:tc:SAML:1.1:nameidformat:X509SubjectName
-
urn:oasis:names:tc:SAML:1.1:nameidformat:WindowsDomainQualifiedName
-
urn:oasis:names:tc:SAML:2.0:nameidformat:kerberos
-
urn:oasis:names:tc:SAML:2.0:nameidformat:persistent
-
urn:oasis:names:tc:SAML:2.0:nameidformat:transient
-
Custom NameID format
-
-
NameID Value
-
Username or Primary Email user attribute stored in the Identity Store for any NameID format except
urn:oasis:names:tc:SAML:2.0:nameidformat:transient
-
For
urn:oasis:names:tc:SAML:2.0:nameidformat:transient
, a one-time random identifier
-
-
SAML Attributes
-
The following user attributes stored in the Identity Store
-
Username
-
Given Name
-
Middle Name
-
Family Name
-
Primary Email Address
-
Work Email Address
-
Phone Numbers (home, mobile, work)
-
Title
-
Work Address attributes
-
User Groups
-
-
The SAML Attribute name can be set by the administrator
-
-
The SAML Assertion contains an attribute that holds the Identity Domain name:
-
Name:
oracle:cloud:identity:domain
-
Value: the customer’s identity domain name
-
SAML Assertion Consumption
As an SP, IDCS validates the incoming SAML Assertion and map it to an IDCS user record. The service supports the following:
-
NameID Format
-
urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified
-
urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress
-
urn:oasis:names:tc:SAML:1.1:nameidformat:X509SubjectName
-
urn:oasis:names:tc:SAML:1.1:nameidformat:WindowsDomainQualifiedName
-
urn:oasis:names:tc:SAML:2.0:nameidformat:Kerberos
-
urn:oasis:names:tc:SAML:2.0:nameidformat:persistent
-
urn:oasis:names:tc:SAML:2.0:nameidformat:transient
-
Custom NameID format
-
-
Assertion Mapping
-
Either based on the
NameID
contained in the Assertion that is mapped to a user record attribute in the Identity Store -
Or based on a SAML Attribute contained in the Assertion that is mapped to a user record attribute in the Identity Store
-
-
The information from the SAML Assertion is mapped to one of those user record attributes:
-
Username
-
Display Name
-
Given Name
-
Middle Name
-
Family Name
-
Primary Email Address
-
Any other email addresses (home, work, other, recovery)
-
Endpoints
The services implementing the SAML 2.0 protocol are published at:
-
/fed/v1/idp/sso
for the IdP Single Sign On Service, where the SP redirects the user with the SAML AuthnRequest to the IdP -
/fed/v1/idp/slo
for the IdP Single Logout Service, where the SP redirects the user with the SAMLLogoutRequest
orLogoutResponse
to the IdP -
/fed/v1/sp/sso
for the SP Assertion Consumer Service, where the IdP redirects the user with the SAML Response containing the SAML Assertion to the SP -
/fed/v1/sp/slo
for the SP Single Logout Service, where the IdP redirects the user with the SAMLLogoutRequest
orLogoutResponse
to the SP -
/fed/v1/metadata
for the SAML 2.0 Metadata
The SAML service also provides two endpoints to initiate a Federation SSO operation, ignoring whether or not the user is already authenticated at the target SP domain. As a consequence, these flows should not be primarily used, and instead the user should be sent to the target SSO service which determines whether or not an authentication involving Federation SSO is required. Both SAML services (IdP or SP) support starting a Federation SSO:
-
IdP Initiated SSO:
-
Endpoint:
/fed/v1/idp/initiatess
-
Query Parameters (one of
providerid
,partnerguid
orpartnername
is required;returnurl
is optional)-
providerid
: the SPProviderID
-
partnername
: the name of the SP as registered in IDCS -
partnerguid
: the unique GUID of the SP as registered in IDCS -
returnurl
: the location where the user should be redirected after the Federation SSO is completed
-
-
-
SP Initiated SSO:
-
Endpoint:
/fed/v1/sp/initiatess
-
Query Parameters (one of
providerid
,partnerguid
orpartnername
is required;returnurl
is optional)-
providerid
: the IdPProviderID
-
partnername
: the name of the IdP as registered in IDCS -
partnerguid
: the unique GUID of the IdP as registered in IDCS -
returnurl
: the location where the user should be redirected after the Federation SSO is completed
-
-
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Identity Cloud Service and SAML
F60447-01
September 2022
Copyright © 2022, Oracle and/or its affiliates.