Administrators can add a social identity provider so that users can log in to Oracle Identity Cloud Service with their social credentials. Administrators can also allow users to self-register in Oracle Identity Cloud Service if they do not already have an account.
You can add an instance of an out-of-the-box social identity provider type by using either the Identity Cloud Service console or SCIM-based APIs. In this section, you learn how to add a social identity provider from a predefined type by using the Identity Cloud Service console. For more information about how to use SCIM APIs, see REST API for Oracle Identity Cloud Service.
If you don't see the social identity provider type for which you want to add an instance, then you can use SCIM-based APIs to create your own type and customize an icon for it. Through the API mechanism, you define the attributes for the social identity provider type, and then populate these attributes with values when you add an instance.
For example, you can define attributes for a custom social identity provider type that will enable it to retrieve an access token and user information from the social identity provider. When you add an instance of this social identity provider type, you provide the URLs that the social identity provider needs to retrieve this information.
You can also customize social identity provider types for particular identity domains. Suppose you have users in the United States accessing Oracle Identity Cloud Service from one identity domain, and users from India signing in to Oracle Identity Cloud Service from another identity domain. You want only the India-based users to be able to access Oracle Identity Cloud Service with their GitHub social credentials. So, you can customize a GitHub social identity provider type for the India identity domain only.
To remove a social identity provider type and its associated metadata cleanly and completely, first remove the social identity provider type, and then remove its metadata. Also, if you create a social identity provider type, add an instance of this social identity provider, and assign the instance to an identity provider policy, then don't update or remove the metadata associated with the social identity provider type. If you want to update or remove the metadata, then first remove the social identity provider type from the identity provider policy.
A social identity provider uses an access token to access a resource that's protected by Oracle Identity Cloud Service. This type of token has an expiration date and time. When the access token expires, a refresh token is used to obtain a renewed access token. Unlike access tokens, refresh tokens never expire.
For some social identity provider types (for example, Adobe e-Sign), separate URLs have to be provided for the access token endpoint and the refresh token endpoint. When this occurs, you must specify different URLs.
For more information about how to customize a social identity provider type, or to learn how to provide different URLs for the access token and refresh token endpoints, see REST API for Oracle Identity Cloud Service.
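The token behaviour described above, as an added example that is not Oracle's code or API: an access token carries an expiry, and once it has expired the refresh token is presented at the provider's refresh endpoint to obtain a renewed access token. The endpoint URLs and the in-memory provider stand-in are constructed for the example; a real client would send an HTTPS request to the refresh endpoint. The model also keeps the access token endpoint and the refresh token endpoint as separate URLs, which the text says some providers require.

```python
"""Access-token renewal with a refresh token, modelled in memory.

Added example, not Oracle's code or API. Endpoint URLs and the provider
stand-in below are constructed; no network access is performed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoints:
    token_url: str
    refresh_url: str  # may differ from token_url (the text names Adobe e-Sign)


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds

    def is_expired(self, now: float, skew: float = 30.0) -> bool:
        # Renew a little early so a request already in flight does not
        # arrive with a token that expires during transit.
        return now >= self.expires_at - skew


class FakeProvider:
    """In-memory stand-in for the social provider's refresh endpoint."""

    def __init__(self, endpoints: Endpoints, lifetime: float) -> None:
        self.endpoints = endpoints
        self.lifetime = lifetime
        self.calls = []  # (url, refresh_token) pairs received, for inspection
        self._issued = 0

    def refresh(self, url: str, refresh_token: str, now: float) -> TokenSet:
        self.calls.append((url, refresh_token))
        if url != self.endpoints.refresh_url:
            raise ValueError(f"refresh request sent to {url!r}, not the refresh endpoint")
        self._issued += 1
        # The refresh token is handed back unchanged: the text states it never expires.
        return TokenSet(f"access-{self._issued}", refresh_token, now + self.lifetime)


def ensure_fresh(tokens: TokenSet, provider: FakeProvider, now: float) -> TokenSet:
    """Return a usable token set, renewing via the refresh endpoint if needed."""
    if not tokens.is_expired(now):
        return tokens
    return provider.refresh(provider.endpoints.refresh_url, tokens.refresh_token, now)


if __name__ == "__main__":
    ep = Endpoints("https://provider.example/oauth/token",
                   "https://provider.example/oauth/refresh")  # constructed URLs
    prov = FakeProvider(ep, lifetime=3600)
    t0 = TokenSet("access-0", "refresh-xyz", expires_at=1000.0)
    print(ensure_fresh(t0, prov, now=500.0).access_token)   # still valid
    print(ensure_fresh(t0, prov, now=1000.0).access_token)  # renewed
```

The early-renewal skew is a design choice rather than something the page prescribes; it avoids presenting a token that is valid when sent but expired when received.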
Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, for application A and application B, the Facebook social identity provider can be configured as an identity provider along with distinct configuration settings, such as a Client ID and Secret, social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service enables you to add multiple instances of the same social identity provider with different configuration settings for each instance.
After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy.
Read the use cases for social login. To learn about social login and its use cases, see Understand Social Login.
Create an application for the social identity provider; for example, go to the Google developer site to create a Google application.
Configure the redirectUrl in the application created in Step 2. The redirectUrl must have the format: https://<IDCS tenant base URL>/oauth2/v1/social/callback. At the time of this printing, each social identity provider calls this URL by a different name. See the following list of the social identity providers and the names that they use for the URL.
Facebook: Valid OAuth redirect URIs
Google and LinkedIn: Authorized redirect URL
Microsoft: Redirect URLs
Twitter: Callback URL
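The callback URL must be registered at the social identity provider exactly as the format above produces it; a mismatch is the usual cause of the "Not Logged In" error described at the end of this procedure. The following Python is an added example, not Oracle's code or API. It assumes only the callback format quoted above, and the tenant base URLs in it are constructed sample values. It builds the expected callback URL for a tenant and reports the common registration mistakes (http instead of https, a trailing slash, a wrong path, a stray query string).

```python
"""Check a redirect URL registered at a social identity provider.

Added example, not Oracle's code or API. It assumes only the callback
format quoted in this procedure:
    https://<IDCS tenant base URL>/oauth2/v1/social/callback
Tenant base URLs used below are constructed sample values.
"""
from urllib.parse import urlsplit

CALLBACK_PATH = "/oauth2/v1/social/callback"


def expected_callback_url(tenant_base_url: str) -> str:
    """Return the callback URL that must be registered at the social provider."""
    base = tenant_base_url.strip().rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("tenant base URL must start with https://")
    return base + CALLBACK_PATH


def diagnose_redirect(registered: str, tenant_base_url: str) -> list:
    """Compare a registered redirect URL with the expected callback URL.

    OAuth redirect URIs are matched as exact strings, so anything other
    than an identical URL fails. Returns an empty list on an exact match,
    otherwise one finding per difference so the registration can be fixed.
    """
    expected = expected_callback_url(tenant_base_url)
    if registered == expected:
        return []
    got, want = urlsplit(registered), urlsplit(expected)
    findings = []
    if got.scheme != want.scheme:
        findings.append(f"scheme is {got.scheme!r}, expected {want.scheme!r}")
    if got.netloc.lower() != want.netloc.lower():
        findings.append(f"host is {got.netloc!r}, expected {want.netloc!r}")
    if got.path != want.path:
        if got.path.rstrip("/") == want.path:
            findings.append("path has a trailing slash; the callback URL has none")
        else:
            findings.append(f"path is {got.path!r}, expected {want.path!r}")
    if got.query or got.fragment:
        findings.append("URL carries a query string or fragment; the callback has none")
    if not findings:  # e.g. a difference only in letter case
        findings.append(f"registered {registered!r} is not identical to {expected!r}")
    return findings


if __name__ == "__main__":
    tenant = "https://idcs-abc123.identity.example.com"  # constructed sample
    print("register this URL:", expected_callback_url(tenant))
    for candidate in (
        "https://idcs-abc123.identity.example.com/oauth2/v1/social/callback",
        "http://idcs-abc123.identity.example.com/oauth2/v1/social/callback/",
        "https://idcs-abc123.identity.example.com/oauth2/v1/callback?x=1",
    ):
        print(candidate, "->", diagnose_redirect(candidate, tenant) or "OK")
```

Run it with your own tenant base URL in place of the constructed one and paste the URL you registered at the provider as the candidate; an empty result means the registration matches.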
Ensure that you retain the Client ID and the Client Secret from the application that you created at the social identity provider. You use this ID and Secret when configuring a social identity provider in Oracle Identity Cloud Service.
- In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Identity Providers.
- Click Add Social IDP.
- Choose a social login type.
- In the Name and Description fields, enter a name and description for the social identity provider, and then click Next.
Note: The social identity provider name can contain spaces. However, it can't contain special characters.
- (Optional) For social login type OpenID Connect, upload an application icon, and then click Next.
- Enter the Client ID and the Client Secret for the social login type.
- For the OpenID Connect social login type, enter the Discovery Service URL. The discovery service URL is used to get the authentication endpoints (URLs) used to authenticate users for the social login type.
- Set the Enable Account Linking option.
- To allow users to link to their social accounts, turn on this option.
- To prevent users from linking to their social accounts, turn off this option.
Note: You can prevent users from linking to their social accounts for security or organizational purposes. For example, if a hacker accesses the user's social account, the hacker can't sign in to Oracle Identity Cloud Service to access resources and applications that are protected by Oracle Identity Cloud Service. Or, the administrator may want users to have separate profiles for their social accounts and Oracle Identity Cloud Service accounts.
- Click Finish. The social identity provider is added, but is deactivated by default. To use this provider, you must activate it.
- To activate the social identity provider:
- Click the Action menu to the right of the provider.
- Click Activate.
- In the Confirmation window, click OK.
- (Optional) Set the Enable Registration option so that users can register their social identities with Oracle Identity Cloud Service. To set this option, click the Action menu to the right of the social identity provider, click Edit, and then make one of the following selections:
- To allow users to register their social identities with Oracle Identity Cloud Service, turn on the Enable Registration option.
- To prevent users from registering their social identities with Oracle Identity Cloud Service, turn off this option.
After you add and activate the identity provider, you must add it to an identity provider policy. Once it is in a policy, it appears in the Sign In page and can be used by a user who is trying to sign in to Oracle Identity Cloud Service, either to access a specific app or to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console or the Identity Cloud Service console. See Add an Identity Provider Policy.
If you no longer want to display the identity provider in the Sign In page, then remove the identity provider from all identity provider policies and deactivate the identity provider. See Remove Identity Providers from the Policy and Deactivate an Identity Provider.
- Click Save, and then click Close.
- Log in with the social identity provider.
You might encounter this error: “Not Logged In: You are not logged in. Please log in and try again.”
The most likely cause is that the application you created on the social identity provider side has the wrong Client ID or Redirect URL in the configuration. Check the Client ID and the Redirect URL configuration, and try to log in again.