Add a Social Identity Provider

Administrators can add a social identity provider so that users can log in to Oracle Identity Cloud Service with their social credentials. Administrators can also allow users to self-register in Oracle Identity Cloud Service if they do not already have an account.

When adding an instance of a social identity provider, you can choose from any of the following predefined social identity provider types:
  • Facebook

  • Google

  • LinkedIn

  • Microsoft

  • OpenID Connect

  • Twitter

You can add an instance of an out-of-the-box social identity provider type by using either the Identity Cloud Service console or SCIM-based APIs. In this section, you learn how to add a social identity provider from a predefined type by using the Identity Cloud Service console. For more information about how to use SCIM APIs, see REST API for Oracle Identity Cloud Service.

A social identity provider uses an access token to access a resource that's protected by Oracle Identity Cloud Service. This type of token has an expiration date and time. When the access token expires, a refresh token is used to obtain a renewed access token. Unlike access tokens, refresh tokens never expire.

Some social identity provider types (for example, Adobe e-Sign) use separate endpoints for issuing access tokens and refresh tokens. For such providers, you must specify a different URL for each endpoint.

For more information about how to customize a social identity provider type, or to learn how to provide different URLs for the access token and refresh token endpoints, see REST API for Oracle Identity Cloud Service.

Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, the Facebook social identity provider can be configured as an identity provider for both application A and application B, each with its own configuration settings, such as a Client ID and Secret, social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service enables you to add multiple instances of the same social identity provider with different configuration settings for each instance.

After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy.

Prerequisites:
  1. Read the use cases for social login. See Understand Social Login.

  2. Create an application for the social identity provider; for example, go to the Google developer site to create a Google application.

  3. Configure the redirectUrl in the application created in Step 2. The redirectUrl must have the format: https://<IDCS tenant base URL>/oauth2/v1/social/callback.

    At the time of this printing, each social identity provider uses a different name for this URL. The following list shows the social identity providers and the names that they use for the URL.
    • Facebook: Valid OAuth redirect URIs

    • Google and LinkedIn: Authorized redirect URL

    • Microsoft: Redirect URLs

    • Twitter: Callback URL

  4. Ensure that you retain the Client ID and the Client Secret from the application that you created at the social identity provider. You use this ID and Secret when configuring a social identity provider in Oracle Identity Cloud Service.

To add a social identity provider:
  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Identity Providers.
  2. Click Add Social IDP.
  3. Choose a social login type.
  4. In the Name and Description fields, enter a name and description for the social identity provider, and then click Next.

    Note:

    The social identity provider name can contain spaces. However, it can't contain special characters.
  5. (Optional) For social login type OpenID Connect, upload an application icon, and then click Next.
  6. Enter the Client ID and the Client Secret for the social login type.
  7. For the OpenID Connect social login type, enter the Discovery Service URL.
    Oracle Identity Cloud Service uses the discovery service URL to retrieve the provider's authentication endpoints (URLs), which are then used to authenticate users for the social login type.
  8. Set the Enable Account Linking option.
    • To allow users to link to their social accounts, turn on this option.
    • To prevent users from linking to their social accounts, turn off this option.

      Note:

      You can prevent users from linking to their social accounts for security or organizational purposes. For example, if a hacker accesses the user's social account, the hacker can't sign in to Oracle Identity Cloud Service to access resources and applications that are protected by Oracle Identity Cloud Service. Or, the administrator may want users to have separate profiles for their social accounts and Oracle Identity Cloud Service accounts.
  9. Click Finish.
    The social identity provider is added, but is deactivated by default. To use this provider, you must activate it.
  10. To activate the social identity provider:
    1. Click the Action menu to the right of the provider.
    2. Click Activate.
    3. In the Confirmation window, click OK.
  11. (Optional) Set the Enable Registration option so that users can register their social identities with Oracle Identity Cloud Service. To set this option, click the Action menu to the right of the social identity provider, click Edit, and then make one of the following choices:
    • To allow users to register their social identities with Oracle Identity Cloud Service, turn on the Enable Registration option.
    • To prevent users from registering their social identities with Oracle Identity Cloud Service, turn off this option.

    Important:

    After you add and activate the identity provider, you must add it to an identity provider policy. By doing so, it will appear in the Sign In page and can be used by a user who's trying to sign in to Oracle Identity Cloud Service, either when they're accessing a specific app or attempting to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console or the Identity Cloud Service console. See Add an Identity Provider Policy.

    If you no longer want to display the identity provider in the Sign In page, then remove the identity provider from all identity provider policies and deactivate the identity provider. See Remove Identity Providers from the Policy and Deactivate an Identity Provider.

  12. Click Save, and then click Close.
  13. Log in with the social identity provider.

    Note:

    You might encounter this error: “Not Logged In: You are not logged in. Please log in and try again.”

    The most likely cause is that the application you created on the social identity provider side has the wrong Client ID or Redirect URL in the configuration. Check the Client ID and the Redirect URL configuration, and try to log in again.
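    The redirectUrl format from the prerequisites and the "Not Logged In" troubleshooting note above both come down to the redirect URI registered at the social provider matching the Oracle Identity Cloud Service callback exactly. The following pre-flight check is an added example (not Oracle's code or API): it builds the expected callback from a tenant base URL and reports why each registered URI would fail to match. The tenant host it uses is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Callback path that Oracle Identity Cloud Service uses for social login (from the page).
SOCIAL_CALLBACK_PATH = "/oauth2/v1/social/callback"


def expected_redirect_url(tenant_base_url):
    """Build the redirectUrl the social provider must call: https://<IDCS tenant base URL>/oauth2/v1/social/callback."""
    p = urlsplit(tenant_base_url.strip())
    if p.scheme.lower() != "https" or not p.netloc:
        raise ValueError(f"tenant base URL must be https:// with a host, got {tenant_base_url!r}")
    # Host names are case-insensitive; normalise so a differently-cased entry is not reported as a mismatch.
    return f"https://{p.netloc.lower()}{SOCIAL_CALLBACK_PATH}"


def check_redirect_urls(tenant_base_url, registered):
    """Compare redirect URIs registered at the social provider with the expected IDCS callback.

    Providers compare redirect URIs exactly, so a wrong scheme, host, path, trailing slash
    or query string makes the callback fail (the 'Not Logged In' symptom described above).
    Returns {"expected": str, "match": bool, "problems": [str, ...]}.
    """
    expected = expected_redirect_url(tenant_base_url)
    exp = urlsplit(expected)
    problems, match = [], False
    for uri in registered:
        u = urlsplit(uri.strip())
        if (u.scheme.lower(), u.netloc.lower(), u.path, u.query, u.fragment) == ("https", exp.netloc, exp.path, "", ""):
            match = True
            continue
        if u.scheme.lower() != "https":
            problems.append(f"{uri}: scheme {u.scheme or '(none)'!r} is not https")
        if u.netloc.lower() != exp.netloc:
            problems.append(f"{uri}: host {u.netloc!r} is not the tenant host {exp.netloc!r}")
        if u.path != exp.path:
            hint = " (trailing slash)" if u.path.rstrip("/") == exp.path else ""
            problems.append(f"{uri}: path {u.path!r} is not {exp.path!r}{hint}")
        if u.query or u.fragment:
            problems.append(f"{uri}: query or fragment present; register the bare callback URL")
    if not match:
        problems.insert(0, f"no registered redirect URI equals {expected}")
    return {"expected": expected, "match": match, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: a placeholder tenant host and two typical misconfigurations.
    report = check_redirect_urls(
        "https://idcs-example.identity.example.com",
        ["http://idcs-example.identity.example.com/oauth2/v1/social/callback",
         "https://idcs-example.identity.example.com/oauth2/v1/social/callback/"],
    )
    for line in report["problems"]:
        print(line)
```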