When you set up Service Providers and Identity Providers for Federated SSO, you download the metadata file and the signing and encryption certificates. These certificates are not self-signed; they are issued under a root certificate, so the federation partner can only validate signatures and encrypt to the tenant if it also trusts that root. For a working setup, obtain the root certificate and install it at the Federation partner. Follow the procedure below to obtain the root certificate.
- In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Default Settings.
- Turn on the switch under Access Signing Certificate to enable clients to access the tenant signing certificate without logging in to Oracle Identity Cloud Service.
- Click Save to save the default settings.
- Refer to the REST API documentation for details on installing cURL.
- Use this URL as the endpoint: https://tenant-base-url/admin/v1/SigningCert/jwk
- Execute the following cURL command to retrieve the signing certificate chain:
curl -k -i -H "Accept: application/scim+json,application/json" --request GET "https://tenant-base-url/admin/v1/SigningCert/jwk"
Note that -k disables TLS certificate verification for this request. Because you are about to use the response as a trust anchor at the federation partner, omit -k when your system already trusts the tenant's HTTPS certificate, so that the download itself is authenticated. After you execute the command, the following code is returned:
- Open a text editor and paste the highlighted value in the following manner. The highlighted value is an entry of the x5c array in the returned JWK, which holds the certificate chain as base64-encoded DER certificates; paste exactly one entry between the markers, without the surrounding quotation marks:
-----BEGIN CERTIFICATE-----
[Paste the highlighted key here]
-----END CERTIFICATE-----
For example (abbreviated):
- Save this file as your root certificate file.
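The manual Notepad step above is easy to get wrong (a dropped character, the leaf pasted instead of the root, a stray quotation mark). The script below is an added example, not part of the Oracle documentation or of the Identity Cloud Service product. It takes the JWK document the curl command returns, converts every x5c entry to PEM with 64-column lines, sanity-checks that each entry decodes to a DER SEQUENCE, prints a SHA-256 fingerprint to compare against what the partner displays after import, and picks the root as the last entry of the chain, which is where RFC 7517 section 4.7 places it. The JSON it runs on here is constructed with two 5-byte DER stand-ins so it works offline; they are not real certificates, and the kid value SIGNING_KEY and the output file name idcs-root.pem are assumptions.

```python
import base64
import hashlib
import json
import textwrap
from typing import List, Optional


def build_sample_response(der_chain: List[bytes], kid: str = "SIGNING_KEY") -> str:
    """Constructed stand-in for the JSON the SigningCert/jwk endpoint returns:
    one RSA signing key whose x5c array carries the given DER blobs. Only the
    fields this script reads are modelled (a real response also carries n/e)."""
    key = {
        "kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
        "x5c": [base64.b64encode(der).decode("ascii") for der in der_chain],
    }
    return json.dumps({"keys": [key]})


# Constructed sample input: each blob is a 5-byte DER SEQUENCE holding one
# INTEGER so the script runs offline. They are NOT real certificates.
FAKE_LEAF_DER = bytes.fromhex("3003020101")
FAKE_ROOT_DER = bytes.fromhex("3003020102")
SAMPLE_JWK_RESPONSE = build_sample_response([FAKE_LEAF_DER, FAKE_ROOT_DER])


def der_looks_like_certificate(der: bytes) -> bool:
    """Structural check before trusting an x5c entry: a DER X.509 certificate
    is an outer SEQUENCE (tag 0x30) whose encoded length covers exactly the
    rest of the blob. This catches truncated or mis-copied values."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                          # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + length


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM markers with the conventional 64-column body,
    the same result the manual editor step produces by hand."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint to compare with the value the
    federation partner shows once the certificate is imported."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_certificates(jwk_json: str, kid: Optional[str] = None) -> List[dict]:
    """Return each certificate of the signing key's x5c chain as PEM, in the
    order the server published it, with its fingerprint."""
    doc = json.loads(jwk_json)
    certs = []
    for key in doc.get("keys", []):
        if kid is not None and key.get("kid") != kid:
            continue
        if key.get("use", "sig") != "sig":    # skip encryption-only keys
            continue
        for index, entry in enumerate(key.get("x5c", [])):
            der = base64.b64decode(entry, validate=True)
            if not der_looks_like_certificate(der):
                raise ValueError(f"x5c[{index}] of key {key.get('kid')} is not a DER certificate")
            certs.append({"kid": key.get("kid"), "index": index, "der": der,
                          "pem": der_to_pem(der), "sha256": sha256_fingerprint(der)})
    return certs


def root_certificate(certs: List[dict]) -> dict:
    """RFC 7517 section 4.7: x5c[0] is the certificate for the key itself and
    each following entry certifies the one before it, so the last entry is the
    top of the published chain (the root CA certificate when the chain is
    complete; a single-entry chain means only the leaf was published)."""
    if not certs:
        raise ValueError("no signing certificates found in JWK response")
    return certs[-1]


if __name__ == "__main__":
    # Real usage: replace SAMPLE_JWK_RESPONSE with the body saved from curl.
    chain = extract_certificates(SAMPLE_JWK_RESPONSE)
    for cert in chain:
        print(f"x5c[{cert['index']}] SHA-256 {cert['sha256']}")
    root = root_certificate(chain)
    with open("idcs-root.pem", "w") as fh:      # assumed output file name
        fh.write(root["pem"])
    print(f"wrote x5c[{root['index']}] to idcs-root.pem")
```

Feed the script the response body without the HTTP headers (drop -i from the curl command, or cut the headers off the saved file). If the x5c array holds only one entry, the server published just the leaf certificate, and the root it chains to has to be obtained separately rather than taken from this response.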