Adding a Social Identity Provider

Administrators can add a social identity provider so that users can log in to Oracle Identity Cloud Service with their social credentials. Administrators can also allow users to self-register in Oracle Identity Cloud Service if they do not already have an account.

You can choose from any of the following predefined social login types:
  • Facebook

  • Google

  • LinkedIn

  • Microsoft

  • OpenID Connect

  • Twitter

Note:

Microsoft Azure is not supported for social login.

Some cloud services have applications that may have to connect to multiple instances of the same social identity provider. For example, application A and application B can each use Facebook as an identity provider, but with distinct configuration settings for each, such as a different Client ID and Secret, different social registration settings, and so on. To support such scenarios, Oracle Identity Cloud Service enables you to add multiple instances of the same social identity provider, with different configuration settings for each instance.

After adding multiple instances of a social identity provider, you can choose which instances can be used to sign in to Oracle Identity Cloud Service by using an identity provider policy.

Prerequisites:
  1. Read use cases for social login. To learn about social login and use cases pertaining to it, see Understanding Social Login.

  2. Create an application for the social identity provider; for example, go to the Google developer site to create a Google application.

  3. Configure the redirectUrl in the application created in Step 2. The redirectUrl must have the format: https://<IDCS tenant base URL>/oauth2/v1/social/callback.

    At the time of this printing, each social identity provider calls these URLs by a different name. See the following list of the social identity providers and the names that they use for the URLs.
    • Facebook: Valid OAuth redirect URIs

    • Google and LinkedIn: Authorized redirect URL

    • Microsoft: Redirect URLs

    • Twitter: Callback URL

  4. Ensure that you retain the Client ID and the Client Secret from the application that you created at the social identity provider. You use this ID and Secret when configuring a social identity provider in Oracle Identity Cloud Service.
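As an added pre-flight check for Step 3 (example code, not part of Oracle's documentation or tooling), the following Python builds the callback URL that Oracle Identity Cloud Service expects from a tenant base URL and compares it with the value registered at the social provider; the tenant host and registered URL are constructed examples.

```python
from urllib.parse import urlsplit

# Callback path that Oracle Identity Cloud Service expects social providers to redirect to.
SOCIAL_CALLBACK_PATH = "/oauth2/v1/social/callback"


def expected_callback(tenant_base_url: str) -> str:
    """Build the exact redirect URL to register in the social provider's application."""
    parts = urlsplit(tenant_base_url.strip())
    # Accept the tenant URL with or without a scheme; only the host (and port) matters.
    host = parts.netloc or parts.path.split("/")[0]
    return f"https://{host.lower()}{SOCIAL_CALLBACK_PATH}"


def check_registered_redirect(tenant_base_url: str, registered: str) -> list[str]:
    """Compare the URL registered at the social provider with what IDCS expects.

    Returns a list of mismatches; an empty list means the values agree exactly.
    Providers generally match the redirect URL as a literal string, so a wrong
    scheme, a trailing slash or an extra query parameter is enough to break login.
    """
    want = urlsplit(expected_callback(tenant_base_url))
    got = urlsplit(registered.strip())
    problems = []
    if got.scheme != "https":
        problems.append(f"scheme must be https, got {got.scheme!r}")
    if got.netloc.lower() != want.netloc:
        problems.append(f"host mismatch: expected {want.netloc!r}, got {got.netloc!r}")
    if got.path != want.path:
        problems.append(f"path mismatch: expected {want.path!r}, got {got.path!r}")
    if got.query or got.fragment:
        problems.append("redirect URL must not carry a query string or fragment")
    return problems


if __name__ == "__main__":
    # Constructed tenant host and a registered value carrying two typical mistakes.
    tenant = "https://idcs-example.identity.oraclecloud.com"
    wrong = "http://idcs-example.identity.oraclecloud.com/oauth2/v1/social/callback/"
    for problem in check_registered_redirect(tenant, wrong):
        print(problem)
```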

To add a social identity provider:
  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Identity Providers.
  2. Click Add Social IDP.
  3. Choose a social login type.
  4. In the Name and Description fields, enter a name and description for the social identity provider, and then click Next.

    Note:

    The social identity provider name can contain spaces. However, it can't contain special characters.
  5. (Optional) For social login type OpenID Connect, upload an application icon, and then click Next.
  6. Enter the Client ID and the Client Secret for the social login type.
  7. For the OpenID Connect social login type, enter the Discovery Service URL.
    The discovery service URL is used to get authentication endpoints (URLs) to authenticate users for the social login type.
  8. Set the Account Linking option.
    • To allow users to link to their social accounts, turn on this option.
    • To prevent users from linking to their social accounts, turn off this option.

      Note:

      You can prevent users from linking to their social accounts for security or organizational purposes. For example, if a hacker accesses the user's social account, the hacker can't sign in to Oracle Identity Cloud Service to access resources and applications that are protected by Oracle Identity Cloud Service. Or, the administrator may want users to have separate profiles for their social accounts and Oracle Identity Cloud Service accounts.
  9. Set the Enable Registration option.
    • To allow users to register their social identities with Oracle Identity Cloud Service, turn on this option.
    • To prevent users from registering their social identities with Oracle Identity Cloud Service, turn off this option.
  10. Click Finish.
  11. Locate the social identity provider that you created and use the Action menu to activate the social identity provider.
  12. (Optional) Using the Action menu, click Edit and turn on Enable Registration.

    Important:

    After you add and activate the identity provider, you must add it to an identity provider policy. Once it is in a policy, it appears in the Sign In page and can be used by a user who's trying to sign in to Oracle Identity Cloud Service, either when they're accessing a specific app or when they're attempting to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console or the Identity Cloud Service console. See Adding an Identity Provider Policy.

    If you no longer want to display the identity provider in the Sign In page, then remove the identity provider from all identity provider policies and deactivate the identity provider. See Removing Identity Providers from the Policy and Deactivating an Identity Provider.

    Note:

    User social identity profile information auto-populates the Oracle Identity Cloud Service registration page only if profile information exists in the user’s social identity profile. For example, if a user’s Twitter profile has only a Twitter handle and not a first name or last name, the user has to enter a first and last name on the Oracle Identity Cloud Service registration page to create an account.
  13. Click Save.
  14. Log in with the social identity provider.

    Note:

    You might encounter this error: “Not Logged In: You are not logged in. Please log in and try again.”

    The most likely cause is that the application you created on the social identity provider side has the wrong Client ID or Redirect URL in the configuration. Check the Client ID and the Redirect URL configuration, and try to log in again.
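The discovery check behind step 7, as an added example that is not Oracle's code: it parses an OpenID Connect discovery document, pulls out the endpoints a browser-redirect (authorization code) login uses, and reports the problems that would leave the social login type unusable. The issuer login.example.com and its document are constructed for the example.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields an authorization-code login needs; jwks_uri is what allows ID token signatures to be checked.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL = ("userinfo_endpoint", "end_session_endpoint")

# Constructed sample document, shaped like what a provider serves at its discovery URL.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "userinfo_endpoint": "https://login.example.com/oauth2/userinfo",
    "jwks_uri": "https://login.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
})


def discovery_url_for(issuer: str) -> str:
    """The Discovery Service URL for step 7 is the provider's issuer plus the well-known path."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_discovery(discovery_url: str, body: str) -> dict:
    """Parse a discovery document and return the endpoints found plus any problems.

    Returns {"issuer": ..., "endpoints": {...}, "problems": [...]}; an empty
    problems list means the document is usable for an authorization code login.
    """
    doc = json.loads(body)
    problems = [f"missing required field {k!r}" for k in REQUIRED if k not in doc]
    endpoints = {k: doc[k] for k in REQUIRED[1:] + OPTIONAL if k in doc}
    # OpenID Connect Discovery requires the document to be served under its own issuer;
    # this is what stops a look-alike document from steering logins to another host.
    if "issuer" in doc and discovery_url != discovery_url_for(doc["issuer"]):
        problems.append(f"issuer {doc['issuer']!r} does not match discovery URL {discovery_url!r}")
    for name, url in endpoints.items():
        if urlsplit(url).scheme != "https":
            problems.append(f"{name} is not https: {url}")
    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("provider does not advertise the authorization code flow")
    return {"issuer": doc.get("issuer"), "endpoints": endpoints, "problems": problems}


if __name__ == "__main__":
    result = check_discovery(discovery_url_for("https://login.example.com"), SAMPLE_DISCOVERY)
    print(json.dumps(result, indent=2))
```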