Add a Social Identity Provider

Administrators can add a social identity provider so that users can log in to Oracle Identity Cloud Service with their social credentials. Administrators can also allow users to self-register in Oracle Identity Cloud Service if they do not already have an account.

If users don't already have accounts in Oracle Identity Cloud Service, administrators can create an account by using a registration page.

You can configure the social identity provider that you're adding so that users can link to their social accounts manually. You can also prevent users from linking to their social accounts for security or organizational purposes. For example, if a hacker accesses the user's social account, the hacker can't sign in to Oracle Identity Cloud Service to access resources and applications that are protected by Oracle Identity Cloud Service. Or, you may want users to have separate profiles for their social accounts and Oracle Identity Cloud Service user accounts.

When adding an instance of a social identity provider, you can choose from any of the following predefined social identity provider types:
  • Facebook

  • Google

  • LinkedIn

  • Microsoft

  • OpenID Connect

  • Twitter

You can add an instance of an out-of-the-box social identity provider type by using either the Identity Cloud Service console or SCIM-based APIs. In this section, you learn how to add a social identity provider from a predefined type by using the Identity Cloud Service console. For more information about how to use SCIM APIs, see REST API for Oracle Identity Cloud Service.

If you don't see the social identity provider type for which you want to add an instance, then you can use SCIM-based APIs to create your own type and customize an icon for it. Through the API mechanism, you define the attributes for the social identity provider type, and then populate these attributes with values when you add an instance.

For example, you can define attributes for a custom social identity provider type that will enable it to retrieve an access token and user information from the social identity provider. When you add an instance of this social identity provider type, you provide the URLs that the social identity provider needs to retrieve this information.

You can also customize social identity provider types for particular identity domains. Suppose you have users in the United States accessing Oracle Identity Cloud Service from one identity domain, and users from India signing in to Oracle Identity Cloud Service from another identity domain. You want only the India-based users to be able to access Oracle Identity Cloud Service with their GitHub social credentials. So, you can customize a GitHub social identity provider type for the India identity domain only.

To remove a social identity provider type and its associated metadata cleanly and completely, first remove the social identity provider type, and then remove its metadata. Also, if you create a social identity provider type, add an instance of this social identity provider, and assign the instance to an identity provider policy, then don't update or remove the metadata associated with the social identity provider type. If you want to update or remove the metadata, first remove the social identity provider from the identity provider policy.

A social identity provider uses an access token to access a resource that's protected by Oracle Identity Cloud Service. This type of token has an expiration date and time. When the access token expires, a refresh token is used to obtain a renewed access token. Unlike access tokens, refresh tokens never expire.

For some custom social identity provider types (for example, Adobe e-Sign), separate URLs have to be provided for the access token endpoint and the refresh token endpoint. When this occurs, you must specify different URLs.

For more information about how to customize a social identity provider type, or to learn how to provide different URLs for the access token and refresh token endpoints, see REST API for Oracle Identity Cloud Service.

Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, for application A and application B, the Facebook social identity provider can be configured as an identity provider for each application with distinct configuration settings, such as a Client ID and Secret, social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service enables you to add multiple instances of the same social identity provider with different configuration settings for each instance.

After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy.

Prerequisites:
  1. Create an application for the social identity provider; for example, go to the Google developer site to create a Google application.

  2. Configure the redirectUrl in the application created in Step 1. The redirectUrl must have the format: https://<IDCS tenant base URL>/oauth2/v1/social/callback.

    Note:

    For social identity providers created before release 22.1.49, ensure that the redirectUrl doesn't contain port number :443. If it does, update the existing URL to remove the port number or add a new URL without the port number to the identity provider application using the external provider developers' website.

    For example, if your configuration looks like the following:

    https://<IDCS tenant base URL>:443/oauth2/v1/social/callback

    change it to:

    https://<IDCS tenant base URL>/oauth2/v1/social/callback

    At the time of this printing, each social identity provider calls these URLs by a different name. See the following list of the social identity providers and the names that they use for the URLs.
    • Facebook: Valid OAuth redirect URIs

    • Google and LinkedIn: Authorized redirect URL

    • Microsoft: Redirect URLs

    • Twitter: Callback URL

  3. Ensure that you retain the Client ID and the Client Secret from the application that you created at the social identity provider. You use this ID and Secret when configuring a social identity provider in Oracle Identity Cloud Service.
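As an added example (not Oracle's code), the following Python check validates a redirectUrl before you register it at the social identity provider, covering the format from Step 2 and the explicit :443 port problem from the note for providers created before release 22.1.49; the tenant host in the usage call is a constructed placeholder.

```python
from urllib.parse import urlsplit, urlunsplit

# Callback path that Oracle Identity Cloud Service expects the social
# identity provider to redirect back to (from the prerequisites above).
SOCIAL_CALLBACK_PATH = "/oauth2/v1/social/callback"

# Name each provider gives the redirect URL setting, as listed in the note.
REDIRECT_SETTING_NAME = {
    "Facebook": "Valid OAuth redirect URIs",
    "Google": "Authorized redirect URL",
    "LinkedIn": "Authorized redirect URL",
    "Microsoft": "Redirect URLs",
    "Twitter": "Callback URL",
}


def check_redirect_url(url: str) -> dict:
    """Validate a redirectUrl registered at the social identity provider.

    Returns the problems found and, when the only problem is an explicit
    :443 port (the pre-22.1.49 case from the note), the URL to register
    instead.
    """
    parts = urlsplit(url.strip())
    problems = []

    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("missing IDCS tenant host")
    if parts.path != SOCIAL_CALLBACK_PATH:
        problems.append(f"path must be {SOCIAL_CALLBACK_PATH}")
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not allowed")
    if parts.port is not None and parts.port != 443:
        problems.append(f"unexpected port :{parts.port}")

    # The note requires the registered URL to carry no ":443"; the port-less
    # form is the one IDCS uses, so a URL with the port will not match.
    port_only = "explicit :443 port must be removed"
    if parts.port == 443:
        problems.append(port_only)

    fixed = None
    if problems == [port_only]:
        fixed = urlunsplit((parts.scheme, parts.hostname, parts.path, "", ""))

    return {"ok": not problems, "problems": problems, "fixed_url": fixed}


if __name__ == "__main__":
    # Constructed placeholder tenant host, not a real IDCS instance.
    result = check_redirect_url("https://idcs-example.example.com:443" + SOCIAL_CALLBACK_PATH)
    print(result["problems"], "->", result["fixed_url"])
    print("Register it under:", REDIRECT_SETTING_NAME["Facebook"])
```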

To add a social identity provider:
  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Identity Providers.
  2. Click Add Social IDP.
  3. Choose a social login type.
  4. In the Name and Description fields, enter a name and description for the social identity provider, and then click Next.

    Note:

    The social identity provider name can contain spaces. However, it can't contain special characters.
  5. (Optional) For social login type OpenID Connect, upload an application icon, and then click Next.
  6. Enter the Client ID and the Client Secret for the social login type.
  7. For the OpenID Connect social login type, enter the Discovery Service URL.
    The discovery service URL is used to get authentication endpoints (URLs) to authenticate users for the social login type.
  8. Set the Account Linking option.
    • To allow users to link to their social accounts, turn on this option.
    • To prevent users from linking to their social accounts, turn off this option.

      Note:

      You can prevent users from linking to their social accounts for security or organizational purposes. For example, if a hacker accesses the user's social account, the hacker can't sign in to Oracle Identity Cloud Service to access resources and applications that are protected by Oracle Identity Cloud Service. Or, the administrator may want users to have separate profiles for their social accounts and Oracle Identity Cloud Service accounts.
  9. Set the Enable Registration option.
    • To allow users to register their social identities with Oracle Identity Cloud Service, turn on this option.
    • To prevent users from registering their social identities with Oracle Identity Cloud Service, turn off this option.
  10. Click Finish.
  11. Locate the social identity provider that you created and use the Action menu to activate the social identity provider.
  12. (Optional) Using the Action menu, click Edit and turn on Enable Registration.

    Note:

    After you add and activate the identity provider, you must add it to an identity provider policy. By doing so, it will appear on the Sign In page and can be used by a user who's trying to sign in to Oracle Identity Cloud Service, either when they're accessing a specific app or when they're attempting to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console or the Identity Cloud Service console. See Add an Identity Provider Policy.

    If you no longer want to display the identity provider on the Sign In page, then remove the identity provider from all identity provider policies and deactivate the identity provider. See Remove Identity Providers from the Policy and Deactivate an Identity Provider.

    Note:

    User social identity profile information auto-populates the Oracle Identity Cloud Service registration page only if profile information exists in the user’s social identity profile. For example, if a user’s Twitter profile has only a Twitter handle and not a first name or last name, the user has to enter a first and last name on the Oracle Identity Cloud Service registration page to create an account.
  13. Click Save.
  14. Log in with the social identity provider.

    Note:

    You might encounter this error: “Not Logged In: You are not logged in. Please log in and try again.”

    The most likely cause is that the application you created on the social identity provider side has the wrong Client ID or Redirect URL in the configuration. Check the Client ID and the Redirect URL configuration, and try to log in again.