5 Configure SAML2 IDCS Single Sign-On in WebCenter Portal

Learn to configure SAML2 IDCS Single Sign-On in WebCenter Portal.

Prerequisites

Complete the following before running the configuration script.

Create a WebCenter Portal Stack

A WebCenter Portal stack must already have been created from OCI Marketplace; this is the stack on which SAML2 IDCS SSO will be configured.

Create an OAuth Client for IDCS

Follow the instructions below that match your tenancy: OCI accounts whose IAM uses Identity Domains, or accounts whose IDCS has not yet been migrated to IAM Domains.

  • For OCI accounts where IAM is with Identity Domains (tenancy with IAM domains), complete the following:
    1. Log in to OCI console.
    2. Navigate to Identity and then Domains.
    3. Select the domain which needs to be used for SSO log-in.
    4. Go to Integrated Applications and click Add application.
    5. Choose Confidential Application and launch the workflow.
    6. On the Add Application Details page, fill the Name and Description fields, and then click Next.
    7. On the Configure OAuth page, select the Configure this application as a client now option under Client configuration section.
    8. In the Authorization section, select the Client credentials check box for the Allowed Grant Types field.
    9. Scroll down and select the Add app roles check box. In the App roles section, add the Identity Domain Administrator role.
    10. Click Next. Leave the default settings for the next page as is and click Finish.
    11. Make a note of the client ID and client secret. These values will be needed when you run the script.
    12. Activate the application.
  • For OCI accounts where IDCS is not yet migrated to IAM Domains (tenancy without IAM domains), complete the following:
    1. Log in to the IDCS administration console of the federated IDCS.

      For example, https://idcs-abcde.identity.oraclecloud.com/ui/v1/adminconsole.

    2. Navigate to Applications. Click + to add an application. Choose Confidential Application in the wizard:
      1. Add a name and a description on the App details page.
      2. Click Next. Select the Configure this application as a client now option.
      3. In the Authorization section, select the Client credentials check box for the Allowed Grant Types field.
      4. In the Grant the client access to Identity Cloud Service Admin APIs section, click Add to add the application roles. You need to add the Identity Domain Administrator role.
      5. Click Next. Leave the default settings for the next pages as is and click Finish.
      6. Make a note of the client ID and client secret. These values will be needed when you run the script.
      7. Activate the application.

Configuration in Stack

A configuration helper script is available on every stack VM. For the WebCenter Portal and WebCenter Content domains it can be run from the Admin compute VM or from VM-1 (*-wls-1).

The script expects the following inputs.

Argument             Description
-------------------  -------------------------------------------------------------------
idcs_tenant          IDCS tenant name. For example, if the IDCS URL is
                     idcs-abcde.identity.example.com, the IDCS tenant name is idcs-abcde.
idcs_domain          IDCS domain. For example, if the IDCS URL is
                     idcs-abcde.identity.example.com, the IDCS domain is identity.example.com.
idcs_client          Client ID of the OAuth client created in the prerequisites.
idcs_client_secret   Client secret of the OAuth client created in the prerequisites.
service_host         Service host whose DNS record maps to the load balancer IP, for
                     example wcpstack1.xyz.com or wccstack1.xyz.com. If the service host is
                     not yet available, the load-balancer IP can be provided here for testing.
idcs_user_name       IDCS user who is configured as the WebCenter product administrator user.
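The two derived arguments in the table (idcs_tenant and idcs_domain) are just the first label and the remainder of the IDCS host name, and the client ID/secret pair from the prerequisites can be validated before the stack script is run. The following pre-flight helper is an added example and is not part of the Oracle stack scripts; it assumes the IDCS token endpoint path /oauth2/v1/token, the IDCS admin scope urn:opc:idm:__myscopes__, and a secret-file location of your choosing (the paths and values in the usage line are placeholders).

```shell
#!/bin/sh
# Added example, not part of the Oracle WebCenter stack scripts: derive the
# idcs_tenant / idcs_domain values from an IDCS URL (the rule given in the
# argument table) and confirm that the OAuth client created in the
# prerequisites can obtain a client_credentials token before configure_sso.sh
# is run. Assumptions: the IDCS token endpoint path /oauth2/v1/token, the
# admin scope urn:opc:idm:__myscopes__, and the secret-file location.

# Reduce a URL or bare host to its host part: drop the scheme, then anything
# from the first "/" or ":" onward.
idcs_host_from_url() {
  printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:].*$##'
}

# idcs-abcde.identity.example.com -> idcs-abcde
idcs_tenant_from_url() {
  host=$(idcs_host_from_url "$1")
  printf '%s\n' "${host%%.*}"
}

# idcs-abcde.identity.example.com -> identity.example.com
idcs_domain_from_url() {
  host=$(idcs_host_from_url "$1")
  printf '%s\n' "${host#*.}"
}

# Request a token with the client_credentials grant. The client secret is read
# from a file (create it with umask 077) and handed to curl as a config file on
# stdin, so it appears neither in the shell history nor in `ps` output. A secret
# containing a double quote or backslash would need escaping for curl's config
# syntax. Returns 0 on HTTP 200, 1 on any other status, 2 if the file is unreadable.
idcs_client_check() {
  tenant=$1; domain=$2; client_id=$3; secret_file=$4
  secret=$(cat "$secret_file") || return 2
  status=$(printf 'user = "%s:%s"\n' "$client_id" "$secret" |
    curl -s -o /dev/null -w '%{http_code}' --config - \
      --max-time 20 \
      -d 'grant_type=client_credentials' \
      -d 'scope=urn:opc:idm:__myscopes__' \
      "https://${tenant}.${domain}/oauth2/v1/token")
  echo "token endpoint https://${tenant}.${domain}/oauth2/v1/token returned HTTP ${status}"
  [ "$status" = "200" ]
}

# Usage (placeholders, not real values):
#   SSO_PREFLIGHT_RUN=1 sh sso_preflight.sh https://idcs-abcde.identity.oraclecloud.com <idcs_client> /u01/secrets/idcs_client_secret
if [ "${SSO_PREFLIGHT_RUN:-0}" = "1" ]; then
  idcs_url=$1; client_id=$2; secret_file=$3
  tenant=$(idcs_tenant_from_url "$idcs_url")
  domain=$(idcs_domain_from_url "$idcs_url")
  echo "--idcs_tenant ${tenant} --idcs_domain ${domain}"
  idcs_client_check "$tenant" "$domain" "$client_id" "$secret_file"
fi
```

A 200 from the token endpoint confirms the client ID and secret are correct and the client is activated; a 401 usually means a wrong secret or an application that was never activated (step 12 or step 7 of the prerequisites). Note that configure_sso.sh itself still receives the secret as a command-line argument, where it is visible in the shell history and in `ps` output while the script runs; the pre-check above keeps it out of both.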

For WebCenter Portal Domain

Complete the following steps to execute the script:

Run the configure_sso.sh script for the WebCenter Portal domain from the VM whose name matches <*>-wcp-wls-1, passing the WebCenter Portal load balancer DNS host (or IP) as the service_host value.

ssh -o ProxyCommand="ssh -W %h:%p -i <key> opc@<bastion-ip>" -i <key> opc@<wcp-vm-1-ip>

sudo su - oracle
cd /u01/scripts/sh

nohup sh configure_sso.sh --idcs_tenant <idcs-tenant> --idcs_domain identity.oraclecloud.com --idcs_client <idcs_client> --idcs_client_secret <idcs_client_secret> --idcs_username <idcs_username> --service_host <wcp_service_host> &

Script progress can be monitored in /u01/logs/provisioning.log. Once the script completes without any error, the configuration on the stack side is complete.

Note:

If the configuration was done with the load-balancer IP, run the script again with the service host once the DNS record mapping to the WebCenter Portal load-balancer IP has been created.

For WebCenter Content Domain

Run the configure_sso.sh script for the WebCenter Content domain from the VM whose name matches <*>-wcc-wls-1, passing the WebCenter Content load balancer DNS host (or IP) as the service_host value.

ssh -o ProxyCommand="ssh -W %h:%p -i <key> opc@<bastion-ip>" -i <key> opc@<wcc-vm-1-ip>

sudo su - oracle
cd /u01/scripts/sh

nohup sh configure_sso.sh --idcs_tenant <idcs-tenant> --idcs_domain identity.oraclecloud.com --idcs_client <idcs_client> --idcs_client_secret <idcs_client_secret> --idcs_username <idcs_username> --service_host <wcc_service_host> &

Script progress can be monitored in /u01/logs/provisioning.log. Once the script completes without any error, the configuration on the stack side is complete.

Note:

If the configuration was done with the load-balancer IP, run the script again with the service host once the DNS record mapping to the WebCenter Content load-balancer IP has been created.

Configuration in your IDCS Tenant

Once the SAML configuration has completed on the stack, the SAML applications appear under Integrated Applications in the IDCS domain, and the WebCenter Portal/WebCenter Content role-mapping groups described in the tables below are created as well.

WebCenter Portal Group   Description
-----------------------  -------------------------------------------------------------------
WebcenterGroup           The admin role is assigned to the system administrator. By default,
                         this role has Admin permission to all security groups and all
                         accounts, and has rights to all the administration tools.

WebCenter Content Group  Description
-----------------------  -------------------------------------------------------------------
admin                    The admin role is assigned to the system administrator. By default,
                         this role has Admin permission to all security groups and all
                         accounts, and has rights to all the administration tools.
contributor              The contributor role has Read and Write permissions to the Public
                         security group, which enables users to search for, view, check in,
                         and check out content.
guest                    The guest role has Read permission to the Public security group,
                         which enables users to search for and view content.
sysmanager               The sysmanager role has privileges to access the Admin Server links
                         from the Administration menu in the user interface.

The Admin user is granted membership to the WebcenterGroup/admin group and can be used to access the service.

The SAML applications will be prefixed with the stack service name. Examples: wcp12_wcp_saml, wcp12_wcc_saml.

Add Users to Groups

To onboard a user other than the administrator, add that user to the IDCS WebCenter Portal/WebCenter Content groups that match the permissions they need.

Verification

After the SAML configuration, open the WebCenter application URLs below and confirm that IDCS SSO log-in works.

Portal Server: https://<WebCenter Portal service_host|lb_ip>:8888/webcenter/portal

Content Server: https://<WebCenter Content service_host|lb_ip>:16200/cs

Web UI: https://<WebCenter Content service_host|lb_ip>:16225/wcp

Capture: https://<WebCenter Content service_host|lb_ip>:16400/dc-console

Imaging: https://<WebCenter Content service_host|lb_ip>:16000/imaging
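The manual check above can be scripted: once SAML is in place, an unauthenticated request to any of these URLs should be answered with a redirect to the IDCS tenant rather than with the application page. The following verifier is an added example, not part of the Oracle stack scripts; the IDCS host and the two service hosts in its usage section are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example, not part of the Oracle WebCenter stack scripts: after
# configure_sso.sh has run, confirm that an unauthenticated request to a
# WebCenter URL is redirected to the IDCS tenant for SAML login instead of
# being served directly. Host names below are placeholders.

# Reduce a URL to its host part (drop scheme, then anything from "/" or ":").
host_of_url() {
  printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:].*$##'
}

# Pure check: a 302/303 whose Location is on the IDCS host means the service
# provider sent the browser to the identity provider. Returns 0 when the
# redirect looks right, 1 otherwise (direct 200, redirect elsewhere, no answer).
sso_redirect_ok() {
  status=$1; location=$2; idcs_host=$3
  case "$status" in
    302|303) ;;
    *) return 1 ;;
  esac
  [ "$(host_of_url "$location")" = "$idcs_host" ]
}

# Probe one URL without following redirects. Certificate validation is left on,
# so a broken certificate on the load balancer shows up here as status 000.
check_sso_url() {
  url=$1; idcs_host=$2
  out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' --max-time 15 "$url")
  status=${out%% *}
  location=${out#* }
  if sso_redirect_ok "$status" "$location" "$idcs_host"; then
    echo "OK   $url -> $location"
  else
    echo "FAIL $url (HTTP $status, Location: ${location:-none})"
    return 1
  fi
}

# Usage: SSO_VERIFY_RUN=1 sh verify_sso.sh
if [ "${SSO_VERIFY_RUN:-0}" = "1" ]; then
  idcs_host=idcs-abcde.identity.oraclecloud.com   # placeholder tenant host
  rc=0
  for u in "https://wcpstack1.xyz.com:8888/webcenter/portal" \
           "https://wccstack1.xyz.com:16200/cs" \
           "https://wccstack1.xyz.com:16225/wcp"; do
    check_sso_url "$u" "$idcs_host" || rc=1
  done
  exit $rc
fi
```

A FAIL with HTTP 200 means the URL is still served without SSO (the script has not run, or ran against a different service host); a FAIL with a redirect to the service host itself usually means the application's own login page is still in front, and a status of 000 points at DNS, the load balancer, or its certificate rather than at SAML.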