Workplace by Facebook

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) and user provisioning for Workplace by Facebook.

About Workplace by Facebook

Workplace by Facebook is a collaborative platform run by Facebook, Inc. It is used to communicate through groups and to chat with colleagues, and it offers social networking features in a corporate environment.

After integrating Workplace by Facebook with Oracle Identity Cloud Service:

  • Users can access Workplace by Facebook using their Oracle Identity Cloud Service login credentials.
  • Users can launch Workplace by Facebook using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the Workplace by Facebook app using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • A Workplace by Facebook account with authorization rights to configure federated authentication and user provisioning.
  • Ensure that the user name of each user account to be provisioned in Workplace by Facebook from Oracle Identity Cloud Service is in the email format.
  • An active and verified domain name to register and activate the Workplace by Facebook app before configuring SSO.

Obtaining Account Name, Account ID, and Access Token from Workplace by Facebook

A dedicated account name, account ID, and access token are required before you can register and activate Workplace by Facebook. You obtain these values from Workplace by Facebook.

  1. Make note of the Workplace by Facebook account name from the Workplace by Facebook home URL: https://<Account_Name>.facebook.com that you received in an email from Workplace by Facebook.

    Note: Use this account name value during Workplace by Facebook registration in the "Registering and Activating the Workplace by Facebook App" section.

  2. Log in as an administrator to Workplace by Facebook using the URL: https://<Account_Name>.facebook.com. The News Feed page appears.

  3. In the left navigation menu, hover over, and then click Admin Panel.

  4. In the left navigation submenu, under the MORE section, click Security. The Security page appears.

  5. Click the Authentication tab. The Security page displays the Authentication tab.

  6. Under the Login section, select the Single sign-on (SSO) check box.

  7. Under the SSO providers section, click + Add new SSO provider. The Single sign-on (SSO) setup pop-up window appears.

  8. Locate the SAML configurations section and then make note of the Account ID value at the end of the Audience URL: https://www.facebook.com/company/<Account_ID>, and then close the pop-up window.

    Note: Use this account ID value during Workplace by Facebook registration in the "Registering and Activating the Workplace by Facebook App" section.

  9. In the left navigation submenu, under the MANAGE section, click Integrations. The Integrations page appears.

  10. Locate the Custom integrations section and then click Create Custom Integration. The Create custom integration pop-up window appears.

  11. Enter your application Name and Description, and then click Create.

  12. Under the Integration permissions section, locate and then select the Manage groups check box.

  13. Select the Manage accounts check box.

    Note: To receive an invitation email after assigning a user to Workplace by Facebook in Oracle Identity Cloud Service, select the Automatically invite people to Workplace as soon as they're added using this integration check box.

  14. Locate the Integration details section and click Create Access Token. The New token created pop-up window displays the Access token.

  15. Click Copy to copy the Access token.

    Note: Record the access token immediately, because it appears only once. The access token does not expire unless the user tries to Reset Access Token. Use this access token value while enabling user provisioning for the Workplace by Facebook app in Oracle Identity Cloud Service. See the "Enabling Provisioning" section.

  16. Click the I understand check box, and then click Done.

  17. Locate and click Save in the lower-right corner.

Configuring Workplace by Facebook in Oracle Identity Cloud Service

Use this section to register and activate Workplace by Facebook, and to enable provisioning and synchronization for Workplace by Facebook.

Registering and Activating the Workplace by Facebook App

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for Workplace by Facebook, and then click Add.

  4. In the App Details section, enter your Workplace by Facebook Account Name, Account ID, and then click Next.

    Note: These are the values that you obtained while performing the steps in the "Obtaining Account Name, Account ID, and Access Token from Workplace by Facebook" section.

  5. Click Download Signing Certificate.

    Tip: Use this file later while configuring SSO for Workplace by Facebook in the "Configuring SSO for Workplace by Facebook" section.

  6. Click Download Identity Provider Metadata. Alternatively, you can use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata.

    Tip: Use this file later while configuring SSO for Workplace by Facebook in the "Configuring SSO for Workplace by Facebook" section.

  7. Click Next to enable provisioning and synchronization for Workplace by Facebook. Oracle Identity Cloud Service displays the Provisioning page.

Enabling Provisioning and Synchronization for Workplace by Facebook

Use this section to enable provisioning and synchronization for managing user accounts in Workplace by Facebook through Oracle Identity Cloud Service.

Enabling Provisioning

  1. On the Provisioning page, select Enable Provisioning.

  2. Under Configure Connectivity, enter the Access Token.

    Note: This is the access token that you obtained while performing the steps in the "Obtaining Account Name, Account ID, and Access Token from Workplace by Facebook" section.

  3. Click Test Connectivity. A success message is displayed stating that the connection is successful.

  4. To view predefined attribute mappings between the user account fields defined in Workplace by Facebook and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: To add a new attribute for provisioning, click Add Row, specify the attributes in the User and Workplace by Facebook Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the Workplace by Facebook Account column.

  5. Specify the provisioning operations that you want to enable for Workplace by Facebook:

    Note: By default, the Create Account, Update Account, De-activate Account, and Delete Account check boxes are selected.

    Create Account: Automatically creates a Workplace by Facebook account when Workplace by Facebook access is granted to the corresponding user in Oracle Identity Cloud Service.

    Note: When the user account is created, the user receives an email to activate the account. Initially, the user is in the Awaiting invitation status. The user can either activate the account by clicking the email link or by initiating SSO. After the activation, the user status is changed to Claimed.

    Update Account: Automatically updates a Workplace by Facebook account when the corresponding user account is edited in Oracle Identity Cloud Service.

    De-activate Account: Automatically deactivates or activates a Workplace by Facebook account when the Workplace by Facebook access is deactivated or activated for the corresponding user in Oracle Identity Cloud Service.

    Delete Account: Automatically removes an account from Workplace by Facebook when Workplace by Facebook access is revoked from the corresponding user in Oracle Identity Cloud Service.

    Note: An administrator can delete a user account only if the user is in the Invited or Awaiting invitation status. If the user has accessed the Workplace by Facebook account previously, then the user will be in the Claimed status. Once the user status is changed to Claimed, the user cannot be deleted in Workplace by Facebook and cannot be re-assigned in Oracle Identity Cloud Service.

Enabling Synchronization

  1. On the Provisioning page, select Enable Synchronization.

  2. Under Application Refresh, click Refresh Application Data to get the group information from Workplace by Facebook.

    Note: Users created in the Workplace by Facebook app cannot be imported to Oracle Identity Cloud Service. Only the group names created in Workplace by Facebook are listed in Oracle Identity Cloud Service while assigning a user in the Assign Application pop-up window.

  3. From the User Identifier drop-down list, select the Oracle Identity Cloud Service user attribute that you want to match with the corresponding record fetched from Workplace by Facebook:

    Note: By default, the User Name option is selected from the drop-down list. It is recommended to leave this default attribute for accurate synchronization of user records.

    Primary Email Address: Primary email address of the Oracle Identity Cloud Service user.

    User Name: User name of the Oracle Identity Cloud Service user.

  4. To match a Workplace by Facebook account attribute with the existing Oracle Identity Cloud Service user, select an attribute from the Application Identifier drop-down list.

    Note: By default, the name option, which represents the username attribute of the Workplace by Facebook account, is selected. It is recommended not to change this default option.

  5. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields.

    Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields. You need to manually confirm the linked accounts.

  6. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

  7. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be deleted during the synchronization run.

    After enabling provisioning and synchronization for Workplace by Facebook, you can synchronize the existing account details from Workplace by Facebook and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

    You can also manage Workplace by Facebook accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

  8. Click Finish, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Configuring SSO for Workplace by Facebook

  1. Log in as an administrator to Workplace by Facebook using the URL: https://<Account_Name>.facebook.com. The News Feed page appears.

  2. In the left navigation menu, hover over, and then click Admin Panel.

  3. In the left navigation submenu, under the MORE section, click Security. The Security page appears.

  4. Select the Authentication tab. The Security page displays the Authentication tab.

  5. Click + Add new SSO provider in the SSO providers section. The Single sign-on (SSO) setup pop-up window appears.

  6. Use the table to update the federated authentication attributes:

    Attribute | Value
    Name of the SSO provider | Enter the name of the SSO provider.
    SAML URL | Enter the Sign-in URL/SSO Endpoint: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/sso.
    SAML issuer URL | Enter the Entity ID/Issuer URL. Use the metadata file that you downloaded during the Workplace by Facebook registration in Oracle Identity Cloud Service. See the "Registering and Activating the Workplace by Facebook App" section. The Entity ID/Issuer URL information is located in the first line of the metadata.
    SAML certificate | Copy the content of the identity provider certificate that you downloaded during the Workplace by Facebook registration in the "Registering and Activating the Workplace by Facebook App" section.

  7. Locate and click Test SSO. You will be redirected to Oracle Identity Cloud Service.

  8. Enter the credentials of the Workplace by Facebook user in Oracle Identity Cloud Service. A confirmation message is displayed stating that the SSO is authenticated.

  9. Click Close Window.

  10. On the Single sign-on (SSO) setup pop-up window, click Save Changes.

    Note: Enabling SSO deactivates the ability to log in using the user name and password. To allow password access for the users, click Assign under the Users tab of the Workplace by Facebook app in Oracle Identity Cloud Service. Click Assign next to the required user. On the Assign Application window, locate the Log in with drop-down list and then select password. Click Save to save the changes.
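
The SAML URL, issuer, and certificate entered in step 6 can be cross-checked against the downloaded identity provider metadata before you save the SSO provider. The following Python sketch is an added example, not part of the original Oracle documentation: the function names are hypothetical, and the trimmed sample metadata, the idcs-example instance name, the entityID, and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample data: "idcs-example" is a made-up service instance, the
# entityID is a placeholder, and the "certificate" is placeholder bytes.
BASE = "https://idcs-example.identity.oraclecloud.com"
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="{BASE}/fed">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="{BASE}/fed/v1/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"


def fingerprint(b64_text):
    """SHA-256 hex digest of the DER bytes behind a base64 certificate body."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()


def pem_fingerprint(pem_text):
    """Fingerprint of a PEM file such as the downloaded signing certificate."""
    body = [ln for ln in pem_text.splitlines() if not ln.startswith("-----")]
    return fingerprint("".join(body))


def read_idp_metadata(xml_text):
    """Extract the issuer, SSO endpoints and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element in metadata")
    urls = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = [c.text for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")  # no "use" means any purpose
             for c in k.iterfind(".//ds:X509Certificate", NS) if c.text]
    return {"issuer": root.get("entityID"), "saml_urls": sorted(urls - {None}),
            "cert_sha256": [fingerprint(c) for c in certs]}


def check_sso_inputs(xml_text, pem_text, saml_url):
    """Return mismatches between the values typed into Workplace and the metadata."""
    meta = read_idp_metadata(xml_text)
    problems = []
    if saml_url not in meta["saml_urls"]:
        problems.append("SAML URL is not an SSO endpoint listed in the metadata")
    if pem_fingerprint(pem_text) not in meta["cert_sha256"]:
        problems.append("certificate does not match the metadata signing certificate")
    return problems
```

An empty list from check_sso_inputs means the certificate file and SAML URL agree with the metadata; the issuer returned by read_idp_metadata is the value for the SAML issuer URL field.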

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP initiated SSO) and Workplace by Facebook (SP initiated SSO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the Workplace by Facebook app. Oracle Identity Cloud Service displays a shortcut to Workplace by Facebook under My Apps.

  3. Click Workplace by Facebook. The News Feed page appears.

    Note: When the user initiates SSO for the first time, the Create Account page appears. Click Create Account. The Workplace by Facebook News Feed page appears.

  4. In the lower-left corner, click the user icon, and then confirm that the user that is logged in is the same for both Workplace by Facebook and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from Workplace by Facebook

  1. Access Workplace by Facebook using the URL: https://<Account_Name>.facebook.com. The login page appears.

    Note: This is the Account Name value that you obtained earlier while performing the steps in the "Obtaining Account Name, Account ID, and Access Token from Workplace by Facebook" section.

  2. Click Log in With SSO. You are redirected to the Oracle Identity Cloud Service login page.

  3. Log in using credentials for a user that is assigned to the Workplace by Facebook app. The News Feed page appears.

    Note: When the user initiates SSO for the first time, the Create Account page appears. Click Create Account. The Workplace by Facebook News Feed page appears.

  4. In the lower-left corner, click the user icon, and then confirm that the user that is logged in is the same for both Workplace by Facebook and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Workplace by Facebook works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Workplace by Facebook displays the message, "Account Closed"

Cause: The user account assigned to Workplace by Facebook is deactivated in the People page of the Workplace by Facebook app, and the user attempts to initiate single sign-on.

Solution: Ensure that the user account is activated in the People page of the Workplace by Facebook application.

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration and user provisioning between the Oracle Identity Cloud Service Workplace by Facebook app and Workplace by Facebook are deactivated.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select Workplace by Facebook.
  • In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the Workplace by Facebook app using Oracle Identity Cloud Service.

Solution 2:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select Workplace by Facebook.
  • In the App Details section, select Users, and then click Assign to re-assign the user. For more information, see the Enabling Provisioning section.

Cause 3: The user assigned to Workplace by Facebook is deactivated in Oracle Identity Cloud Service under the Workplace by Facebook application's Users tab, and the user attempts to initiate single sign-on from Workplace by Facebook.

Solution 3: Ensure that the user account is activated under the Users tab of the Workplace by Facebook app in Oracle Identity Cloud Service.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.