Oracle Cloud

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) using SAML and provisioning for Oracle Cloud SaaS, PaaS, and IaaS apps.

About Oracle Cloud

Oracle Cloud is the industry’s broadest and most integrated public cloud. It offers best-in-class services across software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), and even lets you put Oracle Cloud in your own data center. Oracle Cloud helps organizations drive innovation and business transformation by increasing business agility, lowering costs, and reducing IT complexity.

After integrating Oracle Cloud apps with Oracle Identity Cloud Service:

  • Users can access Oracle Cloud apps using their Oracle Identity Cloud Service login credentials.
  • Users can start Oracle Cloud apps using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the Oracle Cloud apps using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • An Oracle Cloud administrator account with administrative rights using an external Identity Provider.
  • Make sure that the User Name of each user in Oracle Cloud matches the User Name of the Oracle Identity Cloud Service account.
  • Identity Provider metadata. You can use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata.

  • Oracle Cloud account details: Identity Domain Name, Login Server Data Center ID, My Services Application Data Center ID for Oracle Cloud Service account.

    Note:The identity domain name, login server data center ID, and my Services application data center ID are found in the Welcome e-mail from Oracle Cloud that is sent after your account is set up. You can also locate this information on the My Services page.

    • The Identity Domain Name is the Cloud Account Name, specified in the welcome e-mail.
    • The My Services application's Data Center ID and Tenant Name details are available in the My Services URL. URL Format: https://myservices.<MyServicesAppDataCenterID>.oraclecloud.com/<IdentityDomainName>/faces/dashboard.jspx
    • To obtain Login Server's Data Center ID, open My Services URL in a browser. When the browser prompts for credentials, the URL in the address bar is of the format. URL Format: https://login.<LoginServer's DataCenterID>.oraclecloud.com/oam/server/obrareq.cgi?...
    • In most cases, the My Services Application's Data Center ID remains same as the Login Server's Data Center ID. However, when services are deployed in the US or EMEA Public Cloud region, then these IDs are different.

Configuring SSO for Oracle Cloud

  1. Log in to the Oracle Cloud MyServices console using administrative credentials.

  2. Click Users on the upper-right corner of the page.

  3. Select the SSO Configuration tab, and then click Configure SSO.

  4. Click Import identity provider metadata.

  5. Click Browse, and then select the Identity Provider metadata XML file that you obtained from Oracle Identity Cloud Service in the “What Do You Need” section.

  6. Select HTTP-POST from the SSO Protocol drop-down list.

  7. Select User’s user ID from the User Identifier drop-down list.

  8. Select NameID from the contained in drop-down list.

  9. Click Save.

  10. Click Export Metadata, and then select Provider Metadata to save the metadata XML file. This file is used while configuring Oracle Identity Cloud Service.
  11. (Optional) To verify the SSO configuration, click Test.

  12. To enable the SSO configuration, click Enable SSO and click OK.

Saving the X509 Certificate in PEM Format

Use this section to convert the X509 Certificate value into a format that is suitable for Oracle Identity Cloud Service.

  1. In the SP metadata file, locate <ds:X509Certificate> under <samlmd:KeyDescriptor use="signing">.

  2. Copy the value between the <ds:X509Certificate> and </ds:X509Certificate> to a text file.

    Image img1.png displays a sample SAML 2.0 compliant SP metadata xml file with an arrow pointing to the certificate text to copy.

  3. Add -----BEGIN CERTIFICATE----- at the beginning of the file.

  4. Add -----END CERTIFICATE----- at the end of the file.

    Image img2.png displays the .cer file contents after manually converting to PEM format.

  5. Save and change the file extension to .cer.

Alternatively, you can use OpenSSL tools to convert this file.

  1. Copy the value between <ds:X509Certificate> and </ds:X509Certificate> to a text file (for example, inputfile.cer).

  2. Run the following command. This converts the input to DER encoded X509 and writes to a file that is named SPCertDER.cer: openssl base64 -d -A -in inputfile.cer -out SPCertDER.cer.

  3. Run the following command to convert the DER encoding to PEM: openssl x509 -in SPCertDER.cer -inform der -outform pem -out <outfilename>.

Configuring Oracle Cloud in Oracle Identity Cloud Service

Use this section to register and activate Oracle Cloud, and to enable provisioning and synchronization for Oracle Cloud. You can then assign users or groups to Oracle Cloud and start the user provisioning process.

Registering and Activating Oracle Cloud

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for Oracle Cloud, click Add, and then click Next.

  4. Specify the values for the Identity Domain Name, My Services Application Data Center ID, and Login Server Data Center ID for the Oracle Cloud services that are enabled for your account.

  5. Clear the Visible check box for any PaaS/IaaS apps that are not enabled for your account, and then click Next.

  6. Use the table to locate the required value for signing certificate. The table lists the values required from the Oracle Cloud SP metadata file that you downloaded in the "Configuring SSO for Oracle Cloud" section.

    The table lists the values required from the Oracle Cloud SP metadata file.
    Oracle Identity Cloud Service Field XML Element Name in the Metadata XML Attribute Name Value
    Signing Certificate <ds:X509Certificate> under <samlmd:KeyDescriptor use="signing"> NA Click Upload, browse to, and then select the .cer file that you created in the “Saving the X509 Certificate in PEM Format” section.

  7. Click Next to enable provisioning and synchronization for Oracle Cloud. For details, see the "Enabling Provisioning and Synchronization for Oracle Cloud" section.

  8. Click Finish. Oracle Identity Cloud Service displays a confirmation message.

  9. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Enabling Provisioning and Synchronization for Oracle Cloud

Use this section to enable provisioning and synchronization for managing user accounts in Oracle Cloud through Oracle Identity Cloud Service.

Important Warning:

The Identity Cloud Service user provisioning and sync feature is targeted for deprecation for this application (Oracle Cloud or Shared IDM). This application will support SAML SSO only. The deprecation schedule is as follows:

  • For all customers in 18.4.2 provisioning and sync will be disabled for this application (Oracle Cloud or Shared IDM) by end of March 2020. 

  • Provisioning and sync will not be available in any new release after 18.4.2 for this application (Oracle Cloud or Shared IDM).

Enabling Provisioning

  1. On the Provisioning page, select Enable Provisioning.

  2. Use the table to configure connectivity for establishing a connection with Oracle Cloud through Oracle Identity Cloud Service:

    This table lists the parameters that Oracle Identity Cloud Service requires to connect to Oracle Cloud.
    Parameter Value
    Shared IDM Tenant Admin User Name User name of the Oracle Cloud administrator account.
    Shared IDM Tenant Admin Password Password of the Oracle Cloud administrator account.
    Tenant Domain Name Enter the domain name of the Oracle Cloud tenant.

  3. Click Test Connectivity to verify the connection with Oracle Cloud. Oracle Identity Cloud Service displays a confirmation message.

  4. To view the predefined attribute mappings between the user account fields defined in Oracle Cloud and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: To add a new attribute for provisioning, click Add Attribute, specify the attributes in the User and Oracle Cloud Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the Oracle Cloud Account column.

  5. Specify the provisioning operations that you want to enable for Oracle Cloud:

    Note: By default, the Create Account and Delete Account check boxes are selected.

    • Create Account: Automatically creates an Oracle Cloud account when Oracle Cloud access is granted to the corresponding user in Oracle Identity Cloud Service.

    • Delete Account: Automatically removes an account from Oracle Cloud when Oracle Cloud access is revoked from the corresponding user in Oracle Identity Cloud Service.

Enabling Synchronization

  1. On the Provisioning page, select Enable Synchronization.

  2. From the User Identifier drop-down list, define a matching rule that links a record fetched from Oracle Cloud with an existing record in Oracle Identity Cloud Service:

    Note: By default, the Primary Email Address check box is selected. It is recommended to leave this default attribute for an accurate synchronization of user records.

    • Primary Email Address: Primary email address of the Oracle Identity Cloud Service user.

    • User Name: User name of the Oracle Identity Cloud Service user.

  3. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

  • Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined user identifier.

  • Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined user identifier. You need to manually confirm the linked accounts.

  1. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

  2. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be removed during the synchronization run.

  3. To specify a schedule for the synchronization, from the Synchronization Schedule drop-down list, select Never, Every Hour, Every Day, or Every Week.

After enabling provisioning and synchronization for Oracle Cloud, you can synchronize the existing account details from Oracle Cloud and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

You can also manage Oracle Cloud accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

Verifying the Integration

Use this section to verify that SSO and single log-out (SLO) work when initiated from Oracle Identity Cloud Service (IdP Initiated SSO, IdP Initiated SLO) and Oracle Cloud (SP Initiated SSO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the Oracle Cloud app. Oracle Identity Cloud Service displays a shortcut for each of the configured PaaS/IaaS apps under My Services.

  3. Click Oracle Cloud My Apps. The corresponding home page appears.

  4. On the home page, confirm that the user that is logged in is the same as the user logged in to Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from Oracle Cloud

  1. Access the Oracle Cloud My Services URL.

  2. Click Company Sign In. The Oracle Identity Cloud Services sign-in page appears.

  3. Enter the credentials of a user account that has access to Oracle Cloud App in Oracle Identity Cloud Service. The Oracle Cloud My Services dashboard for that user appears.

    This confirms that SSO initiated from Oracle Cloud works.

Verifying Service Provider Initiated SLO

  1. On the Oracle Cloud home page, click the user name in the upper-right corner, and then select Sign Out from the drop-down list. A confirmation window appears.

  2. On the confirmation window, click OK.

  3. Access the Oracle Identity Cloud Service My Apps page, and then confirm that the login page appears.

    This confirms that SLO works and that the user is no longer logged in to Oracle Cloud and Oracle Identity Cloud Service.

Verifying Identity Provider Initiated SLO

  1. On the Oracle Identity Cloud Service home page, click the user name in the upper-right corner, and then select Sign Out from the drop-down list. A confirmation window appears.

  2. Click OK when the confirmation message is displayed.

  3. On the Oracle Cloud Service home page, perform any operation. The Oracle Cloud Login Page appears.

    This confirms that SLO works and that the user is no longer logged in to Oracle Cloud and Oracle Identity Cloud Service.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Oracle Cloud displays the message, "System error. Please re-try your action. If you continue to get this error, please contact the Administrator" during SSO.

Cause: Either the user account doesn't exist in Oracle Cloud or the SSO configuration in Oracle Cloud is incorrect.

Solution: Check your SSO configuration and verify that the user account exists in Oracle CLoud.

Oracle Identity Cloud Service displays the message "You are not authorized to access the app. Contact your system administrator".

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service and Oracle Cloud is deactivated.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then Oracle Cloud.
  • Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the Oracle Cloud app using Oracle Identity Cloud Service.

Solution 2: Access the Oracle Identity Cloud Service administration console, select Applications, Oracle Cloud, Users, and then click Assign to re-assign the user.

Oracle Cloud displays the message, “javax.security.auth.login.LoginException: java.lang.SecurityException: User: , failed to be authenticated”.

Cause: If a customer configures multiple Oracle Cloud applications like test, production, and so on in Oracle Identity Cloud Service using the same administrator credentials, authentication fails.

Solution: Customer must use different administrator credentials while configuring each Oracle Cloud application. To do so, login as administrator to the Oracle Cloud application, create a new user and grant the "Identity Domain Administrator" role to the user. Ensure that you use these user credentials while configuring Oracle Cloud application in Oracle Identity Cloud Service.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.