Methods for Setting Up Identity Providers

You can configure identity providers using two different methods.

• Edit the SAML_20_SIGN_CERTS configuration setting and enter the certificate thumbprint of the IdP that posts the SAML assertion. This option is generally used with IdP-initiated SSO. See Define Single Sign-on Configuration Settings for a description of the configuration setting.
• Configure the IdP using the Single Sign-On Configurations editor. Identity providers configured using this method are used only for SP-initiated SSO. These are ignored when validating SAML assertions for IdP-initiated SSO. See Authentication Using an External Identity Provider on the B2C Service Login Window.

For B2C Service to accept SAML 2.0 open login assertions from external identity providers, each identity provider must be configured to send the assertion URL to the B2C Service application, either to the SSO launch page for agent login or to the openlogin controller for customer login (or to both):

• Identify the SAML subject used in the assertion for agent login.
• Identify the SAML subject used in the assertion for customer login.

B2C Service can accept authentications from multiple identity providers. Configuration details vary from provider to provider, so each one must be configured separately to make the application available through the identity provider. Because the procedures vary, we cannot provide specific details. However, this list includes some requirements and constraints you must consider as you configure an identity provider:

• B2C Service supports only the HTTP POST binding type, so the identity provider should be configured to send SAML responses and assertions using that method.
• The certificate used to sign the assertion must be included as part of the assertion in the XML signature.
• The identity provider server is expected to be time-synchronized with the Oracle server, so a validity range of plus or minus five minutes of the SAML assertion should be adequate.

Note: If Windows ADFS (Active Directory Federation Services) is used as the identity provider, the fixed validity ranges (five minutes for Subject.SubjectConfirmationData.NotOnOrAfter and one hour for Subject.Conditions.NotOnOrAfter) can cause validation errors if the application’s clock is behind the time of the identity provider, even if that difference is as small as one second. To mitigate the potential problem, a NotBeforeSkew parameter can be issued in these PowerShell prompts.

PS C:/Users/Administrator> add-pssnapin microsoft.adfs.powershell
PS C:/Users/Administrator> set-adfsrelyingpartytrust -targetname "<relying party name>" -NotBeforeSkew 2

In this example, 2 means two minutes; however, you can change the value as needed.