Setting Up an Identity Provider Instance

To accommodate single sign-on (SSO) for a cloud service you are registering in Oracle CASB Cloud Service, configure an identity provider instance as the SSO provider.

Managing Identity Providers (IDPs)

Oracle CASB Cloud Service provides two strategic options for setting up identity providers (IDPs). These two options are mutually exclusive. You get one by default, and you can switch to the other by request.

  1. Standalone IDP

    • Oracle Identity Cloud Service (IDCS) is supported as an IDP.

    • IDP is set up through the Configuration submenu, Identity Management Providers page.

    • Oracle CASB Cloud Service tracks login events for registered applications through the IDP's API.

    • This is the recommended IDP option, but it is not the default.

      To enable this feature, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Cloud Service Customer Success Manager.

  2. IDP as a Managed Application

    • Only IDCS is supported as IDP.

    • IDCS is set up as an IDP by registering an IDCS instance as a managed application, through the Add/Update Apps option on the Applications page.

    • Oracle CASB Cloud Service tracks login events for registered applications through the IDP's API, as with the Standalone IDP option, and the service also tracks security controls, policy alerts, and other features deployed with the IDP, which is itself a monitored application.

    • This is the default option that is enabled when your Oracle CASB Cloud Service tenant is first deployed.

Configuring the Recommended Standalone IDP Option

  1. To enable the Standalone IDP option, contact Oracle Support (http://support.oracle.com). If you have not registered yet, you will need your Customer Support Identifier (CSI) in order to register to submit service request tickets. As an alternative, you can also contact your Oracle CASB Customer Success Manager.

  2. Specify the IDCS IDP when you add a new application instance, or update an existing application instance.

Configuring the IDP as a Managed Application Option

  1. Perform the setup steps required in the SSO provider.

  2. Configure an IDP through the Configuration submenu, Identity Management Providers page.

    See Setting Up an Oracle Identity Cloud Service (IDCS) IDP Instance.

  3. Specify the IDP instance you configured when you add a new application instance, or update an existing application instance.

Setting Up an Oracle Identity Cloud Service (IDCS) IDP Instance

Create a trusted application in Oracle Identity Cloud Service, then configure an identity provider (IDP) instance in Oracle CASB Cloud Service.

An Oracle Identity Cloud Service IDP instance enables communication between Oracle CASB Cloud Service and Oracle Identity Cloud Service.

Prerequisite: We recommend that you prepare and register your cloud application before setting up Oracle Identity Cloud Service as an IDP. See Preparing Cloud Applications for Monitoring and Registering Cloud Applications with Oracle CASB Cloud Service.
  1. Log in to the Oracle Identity Cloud Service console and select Applications from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Click Add.
  3. On the Add Application page, select Confidential Application.
  4. In the Add Confidential Application wizard's Detail page, in the App Details section, enter a Name for the application.
  5. Click Next.

    A confirmation message indicates that the application has been added in a deactivated state.

  6. On the Add Confidential Application wizard’s Client page, click Configure this application as a client now.
  7. In the Authorization section that opens, select these two Allowed Grant Types:
    • Client Credentials
    • JWT Assertion
  8. In the Grant the client access to Identity Cloud Service Admin APIs section at the bottom, click Add.
  9. In the Add App Role dialog box, select these roles:
    • Identity Domain Administrator
    • Me
  10. Click Add to close the Add App Role dialog box.
  11. At the top of the Add Confidential Application wizard’s Client page, click Next.
  12. On the Add Confidential Application wizard’s Resources page, click Configure this application as a resource server now.
  13. In the Configure application APIs that need to be OAuth protected section that opens, enter a Primary Audience description that indicates this is for use by Oracle CASB Cloud Service.

    For example, you could enter OCCS here.

  14. Click Next.
  15. On the Add Confidential Application wizard’s Web Tier Policy page, click Next.
  16. On the Add Confidential Application wizard’s Authorization page, click Finish.

    You should see an Application Added message that contains values for a Client ID and a Client Secret.

  17. Copy and paste the Client ID and Client Secret values somewhere for later use.
  18. Copy the URL for the Oracle Identity Cloud Service console to the same location for later use.

    Copy only the first part of the URL, from https: through the port number (the scheme, host, and port), and omit the path and query string. For example, from the URL below copy only https://myoracleidentitycloudservice.com:8943

    https://myoracleidentitycloudservice.com:8943/ul/v1/adminconsole/?root=732

  19. Click Close.

    The new application’s details page is displayed.

  20. At the top of the page, to the right of the application name, click Activate.
  21. In the Activate Application? dialog box, click Activate Application.

    You have now created and configured a confidential application in Oracle Identity Cloud Service. Next you must configure an identity provider (IDP) instance in Oracle CASB Cloud Service.

  22. Ensure that you have activated the trusted application that you set up in the Oracle Identity Cloud Service console.
  23. In the Oracle CASB Cloud Service console, select Configuration, then Manage Identity Providers, and then click Add IDP.
  24. In the Add an IDP Instance dialog box, from the Provider drop-down list, select Oracle Identity Cloud Service.
  25. Copy and paste the three pieces of information you recorded when you set up the application in Oracle Identity Cloud Service: the Client ID, the Client Secret, and the URL to the provider.
  26. Enter descriptive labels in the Instance Name and Description fields, and then click Save.

    For the IDP instance to be created:

    • Both the client ID and client secret values must match the values from the trusted application you set up in Oracle Identity Cloud Service.

    • The URL to the provider must access the Oracle Identity Cloud Service console.

    • The server for the URL to the Oracle Identity Cloud Service console must be available.
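The three conditions above can be verified before the values are pasted into the Add an IDP Instance dialog. The following is an added example, not Oracle's code: it trims the console URL to the provider URL exactly as step 18 describes, then exercises the Client ID and Client Secret with the OAuth2 client-credentials grant that the trusted application was configured for in step 7. The token endpoint path (/oauth2/v1/token) and the scope (urn:opc:idm:__myscopes__) are assumed from the Oracle Identity Cloud Service OAuth2 API; the sample console URL is the one from step 18.

```python
"""Pre-flight check for the IDCS values an Oracle CASB IDP instance needs (added example)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed IDCS OAuth2 token endpoint and admin-API scope (not taken from this page).
IDCS_TOKEN_PATH = "/oauth2/v1/token"
IDCS_ADMIN_SCOPE = "urn:opc:idm:__myscopes__"


def provider_base_url(console_url: str) -> str:
    """Return the scheme://host:port part of the IDCS console URL (step 18)."""
    parts = urllib.parse.urlsplit(console_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"provider URL must be https with a host: {console_url!r}")
    # netloc keeps the explicit port; path and query (/ul/v1/adminconsole/?root=...) are dropped.
    return f"{parts.scheme}://{parts.netloc}"


def client_credentials_request(base_url: str, client_id: str, client_secret: str):
    """Build the client-credentials token request the Client ID/Secret must satisfy."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": IDCS_ADMIN_SCOPE}).encode()
    return urllib.request.Request(
        base_url + IDCS_TOKEN_PATH, data=body, method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})


def check_idp_values(console_url: str, client_id: str, client_secret: str, timeout=10):
    """Run the token call; returns (ok, detail). Needs network access to the IDCS host."""
    req = client_credentials_request(provider_base_url(console_url), client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            token = json.load(resp)
        return ("access_token" in token, f"token_type={token.get('token_type')}")
    except urllib.error.HTTPError as err:   # 401 means Client ID/Secret do not match
        return (False, f"HTTP {err.code}: check the Client ID and Client Secret")
    except urllib.error.URLError as err:    # DNS or connect failure: server not available
        return (False, f"provider unreachable: {err.reason}")


if __name__ == "__main__":
    # Constructed sample values; replace with the ones recorded in steps 17 and 18.
    print(check_idp_values("https://myoracleidentitycloudservice.com:8943/ul/v1/adminconsole/?root=732",
                           "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER"))
```

A False result with "HTTP 401" points at the first condition (mismatched Client ID/Secret), while "provider unreachable" points at the last two (wrong provider URL or server down).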