Understand Identity Providers

In this topic, you learn about digital certificates, identity providers, and identity provider certificates that Oracle Identity Cloud Service uses.

About Digital Certificates

In this topic, you learn about digital certificates that Oracle Identity Cloud Service uses.

A digital certificate is like an electronic passport that allows a person, computer, or organization to exchange information securely over the Internet using the public key infrastructure (PKI). A digital certificate may be referred to as a public key certificate.

Just like a passport, a digital certificate provides identifying information, is forgery resistant, and can be verified because it is issued by an official, trusted agency. The certificate can contain the name of the certificate holder, a serial number, a validity period (not-before and not-after dates), a copy of the certificate holder's public key (used to encrypt messages to the holder and to verify the holder's digital signatures; the matching private key stays with the holder and is never part of the certificate) and the digital signature of the certificate-issuing authority (CA) so that a recipient can verify that the certificate is genuine.

To provide evidence that a certificate is genuine and valid, it's digitally signed by a trusted CA. The signing CA's own certificate is either a root certificate or is itself signed by another CA, forming a chain that ends at a root certificate. Operating systems and browsers maintain stores of trusted CA root certificates, so they can verify any certificate whose chain of signatures leads back to a root in that store; a certificate signed by a CA outside that store, or one used outside its validity period, fails the check.

There are two types of Oracle Identity Cloud Service certificates: certificates for identity providers and certificates for trusted partners. See Understand Trusted Partner Certificates for more information about trusted partner certificates.

About Identity Providers

In this topic, you learn about Identity providers that Oracle Identity Cloud Service uses.

An identity provider, known as an Identity Assertion provider, authenticates users and asserts their identity to Oracle Identity Cloud Service, so that users can sign in to Oracle Identity Cloud Service using a website that's external to it. A service provider is a website, such as Oracle Identity Cloud Service, that hosts applications and relies on the identity provider's assertions instead of checking the user's credentials itself. You can enable an identity provider and define one or more service providers. Your users can then access the applications hosted by the service providers directly from the identity provider.

For example, a website can allow users to log in to Oracle Identity Cloud Service with Google credentials. Google acts as the identity provider and Oracle Identity Cloud Service functions as the service provider. Google verifies the user's credentials and returns an assertion about the user to Oracle Identity Cloud Service (for example, the user name and, if it differs from the user name, the user's email address).

A user must be authenticated only once. In this example, the user authenticates at Google, which issues a security token (for SAML 2.0, a signed assertion) that identifies the user. Oracle Identity Cloud Service validates that token, using the identity provider certificate it holds for Google, before granting the user access. This method is known as federated single sign-on (SSO): a single authentication at the identity provider is trusted by the service providers that have a federation relationship with it, so the user does not enter credentials again at each of them.

Oracle Identity Cloud Service uses identity provider certificates to validate the security tokens that identity providers issue. The identity provider certificate is the X.509 certificate that carries the identity provider's signing public key; the supported token types include Security Assertion Markup Language (SAML) 2.0 assertions, whose signatures are verified against that certificate.