Import Metadata for a SAML Identity Provider

You can use Oracle Identity Cloud Service to import metadata for a SAML 2.0 identity provider.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Identity Providers.
  2. Click Add SAML IDP. The Add Identity Provider wizard appears.
  3. Use the following table to populate the Details pane of the wizard, and click Next:
    Name: Enter the name of the identity provider.
    Description: Enter explanatory information about the identity provider.
    Icon: Click Upload to add an icon that represents the identity provider.
  4. Use the following table to populate the Configure pane of the wizard, and click Next:
    Import Identity Provider metadata: Click this button to configure SSO for the identity provider by importing its metadata.
    Metadata: Click Upload. Select the XML file that contains the metadata for the identity provider that you want to import.
    Signature Hashing Algorithm: From the menu, select the secure hash algorithm used for the signing certificate of the identity provider.
    • By default, select the SHA-256 algorithm.
    • If the identity provider doesn't support SHA-256, then select SHA-1 (only as a fallback for legacy providers; SHA-1 is deprecated for signatures).
    Include Signing Certificate: To include a signing certificate with your identity provider, select this check box. The signing certificate is used to verify the signature of the messages for the identity provider. If you don't want to include a signing certificate with your identity provider, then leave the check box deselected.

  5. Use the following table to populate the Map pane of the wizard, and click Next:
    Identity Provider User Attribute: Select the attribute value received from the identity provider that can be used to uniquely identify the user. You can specify the user ID or another SAML attribute (such as the user's email address).
    Oracle Identity Cloud Service User Attribute: Select the attribute in Oracle Identity Cloud Service to which you are mapping the attribute received from the identity provider. You can specify the user name or another Oracle Identity Cloud Service attribute (such as the user's display name, primary or recovery email address, or an external ID). You use the external ID when you want to map the attribute received from the identity provider to a special ID that's associated with the provider.
    Requested NameID Format: Select the format for mapping the user's attribute value in the identity provider to the corresponding attribute in Oracle Identity Cloud Service. If you don't want to provide a format, then select <None Requested>.

  6. Use the following table to populate or reference the Export pane of the wizard, and click Next:
    Service Provider Metadata: To export metadata for Oracle Identity Cloud Service, click Download. Then, import this metadata into the identity provider. If the federation partner into which you are importing Identity Cloud Service metadata performs CRL validation (for example, ADFS does CRL validation), then instead of using the metadata exported by this button, download the metadata from: https://[instancename.idcs.internal.oracle.com:port]/fed/v1/metadata?adfsmode=true
    Provider ID: The Uniform Resource Identifier (URI) that uniquely identifies the identity domain. There's a one-to-one relationship between the provider ID and the identity provider because the provider ID identifies the identity provider uniquely. Because of this relationship, only one identity provider can be defined in Oracle Identity Cloud Service with a given provider ID.
    Assertion Consumer Service URL: The Uniform Resource Locator (URL) of the service that receives and processes assertions from the identity provider.
    Logout Service Endpoint URL: The URL of the service that receives and processes logout requests from the identity provider.
    Logout Service Return URL: The URL of the service that receives and processes logout responses from the identity provider.
    Service Provider Signing Certificate: To download a signing certificate for the identity provider, click Download and select the file that contains the signing certificate. This certificate is used to verify requests and responses signed by Oracle Identity Cloud Service.
    Service Provider Encryption Certificate: To download an encryption certificate for the identity provider, click Download and select the file that contains the encryption certificate. The identity provider can use this certificate to encrypt the assertion.

    To get the issuing Oracle Identity Cloud Service root certificate, see Obtain the Root CA Certificate from Oracle Identity Cloud Service.

  7. In the Test pane of the wizard, click Test Login to test the configuration settings for the identity provider.
  8. Click Next.
  9. In the Activate pane of the wizard, click Activate to activate the identity provider.
  10. Click Finish.
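As an added illustration (this is not Oracle's code or part of the original procedure) of what the metadata file uploaded in the Configure pane of step 4 and the service provider metadata exported in step 6 actually contain, the following Python script parses constructed sample identity provider and service provider metadata, pulls out the values the wizard surfaces (the entityID that becomes the Provider ID, the signing and encryption certificates, the NameID formats, and the single sign-on, assertion consumer and logout endpoints) and runs the sanity checks worth making before an upload. All hostnames and the certificate bodies are constructed placeholders, not real endpoints or certificates.

```python
import base64
from xml.etree import ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: an identity provider metadata file of the kind uploaded in the
# Configure pane. Hostnames are placeholders; the certificate body is a stand-in that
# merely decodes to a DER-looking byte string and is not a real certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBfakeCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: service provider metadata of the kind exported in the Export pane,
# carrying the assertion consumer URL, logout endpoint and return URL, and both certificates.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBfakeCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBfakeCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/slo"
        ResponseLocation="https://sp.example.com/saml/slo/return"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _cert_is_der(b64_text):
    """An X509Certificate element must hold base64 of a DER SEQUENCE (first byte 0x30)."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) > 0 and raw[0] == 0x30


def summarize(xml_text):
    """Extract the fields the wizard exposes from IdP or SP metadata."""
    root = ET.fromstring(xml_text)
    role, role_el = "IDP", root.find("md:IDPSSODescriptor", NS)
    if role_el is None:
        role, role_el = "SP", root.find("md:SPSSODescriptor", NS)
    if role_el is None:
        raise ValueError("metadata has neither IDPSSODescriptor nor SPSSODescriptor")
    certs = {"signing": [], "encryption": []}
    for kd in role_el.findall("md:KeyDescriptor", NS):
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        text = (cert_el.text or "") if cert_el is not None else ""
        # Per the metadata spec, a KeyDescriptor without 'use' serves both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for use in uses:
            if use in certs:
                certs[use].append(text)
    endpoints = {}
    for tag in ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService"):
        for el in role_el.findall("md:" + tag, NS):
            endpoints.setdefault(tag, []).append(el.get("Location"))
            if el.get("ResponseLocation"):  # the logout "return" URL
                endpoints.setdefault(tag + ".ResponseLocation", []).append(el.get("ResponseLocation"))
    return {
        "entity_id": root.get("entityID"),  # becomes the Provider ID
        "role": role,
        "certs": certs,
        "nameid_formats": [n.text for n in role_el.findall("md:NameIDFormat", NS)],
        "endpoints": endpoints,
    }


def check(summary):
    """Pre-import sanity checks; returns a list of findings (empty means nothing found)."""
    findings = []
    if not summary["entity_id"]:
        findings.append("entityID missing: it is the Provider ID and must be unique")
    if not summary["certs"]["signing"]:
        findings.append("no signing certificate: signatures on SAML messages cannot be verified")
    for use, cert_list in summary["certs"].items():
        for cert in cert_list:
            if not _cert_is_der(cert):
                findings.append(use + " certificate is not valid base64 DER")
    for name, urls in summary["endpoints"].items():
        for url in urls:
            if not url or not url.startswith("https://"):
                findings.append(name + " endpoint is not HTTPS: " + str(url))
    if summary["role"] == "IDP" and "SingleSignOnService" not in summary["endpoints"]:
        findings.append("IdP metadata has no SingleSignOnService endpoint")
    if summary["role"] == "SP" and "AssertionConsumerService" not in summary["endpoints"]:
        findings.append("SP metadata has no AssertionConsumerService endpoint")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("IdP", IDP_METADATA), ("SP", SP_METADATA)):
        summary = summarize(xml_text)
        print(label, summary["entity_id"], summary["endpoints"])
        print("  findings:", check(summary) or "none")
```

Run it against a real metadata file by passing the file's text to summarize() and check(); the HTTPS check matters because the single sign-on and assertion consumer URLs are where signed assertions travel, and a missing or mangled signing certificate means the "Include Signing Certificate" option has nothing to verify against.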