Methods for Setting Up Identity Providers
You can configure identity providers using two different methods.
- Edit the SAML_20_SIGN_CERTS configuration setting and enter the certificate thumbprint of the IdP that posts the SAML assertion. This option is generally used with IdP-initiated SSO. See Define Single Sign-on Configuration Settings for a description of the configuration setting.
- Configure the IdP using the Single Sign-On Configurations editor. Identity providers configured using this method are used only for SP-initiated SSO. These are ignored when validating SAML assertions for IdP-initiated SSO. See Authentication Using an External Identity Provider on the B2C Service Login Window.
For B2C Service to accept SAML 2.0 open login assertions from external identity providers, each identity provider must be configured to send the assertion URL to the B2C Service application, either to the SSO launch page for agent login or to the openlogin controller for customer login (or to both):
- Identify the SAML subject used in the assertion for agent login.
- Identify the SAML subject used in the assertion for customer login.
B2C Service can accept authentications from multiple identity providers. Configuration details vary from provider to provider, so each one must be configured separately to make the application available through the identity provider. Because the procedures vary, we cannot provide specific details. However, this list includes some requirements and constraints you must consider as you configure an identity provider:
- B2C Service supports only the HTTP POST binding type, so the identity provider should be configured to send SAML responses and assertions using that method.
- The certificate used to sign the assertion must be included as part of the assertion in the XML signature.
- The identity provider server is expected to be time-synchronized with the Oracle server, so a validity window of plus or minus five minutes on the SAML assertion should be adequate. For example, on AD FS the skew allowed before the assertion's NotBefore time is set with the following PowerShell commands:
PS C:\Users\Administrator> add-pssnapin microsoft.adfs.powershell
PS C:\Users\Administrator> set-adfsrelyingpartytrust -targetname "<relying party name>" -NotBeforeSkew 2
In this example, 2 means two minutes; you can change the value as needed.
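The three constraints above (certificate embedded in the XML signature, thumbprint matching SAML_20_SIGN_CERTS, and a validity window with a clock-skew allowance like the AD FS NotBeforeSkew) can be checked on the service-provider side before an assertion is trusted. The following is an added example written for this page, not Oracle's or AD FS's code: it assumes a SAML assertion with a ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate element and saml:Conditions timestamps in the form 2024-01-01T12:00:00Z, uses constructed placeholder bytes in place of a real DER certificate, and deliberately leaves cryptographic verification of the XML signature to an XML-DSig library, which must run before these policy checks mean anything.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder standing in for DER certificate bytes (not a real cert).
FAKE_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-cert").decode()

# Constructed assertion that embeds the certificate inside the XML signature.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject><saml:NameID>agent@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion>"""

def cert_thumbprint(cert_b64: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the thumbprint form used by certificate tools."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()

def _saml_time(value: str) -> datetime:
    # Assumes whole-second UTC timestamps as in the constructed sample above.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text: str, trusted_thumbprints: set, now: datetime,
                    skew_minutes: int = 5) -> list:
    """Return the policy violations found; an empty list means the assertion passed.
    Signature verification itself is out of scope and must happen before this."""
    problems = []
    assertion = ET.fromstring(xml_text)
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        problems.append("signing certificate is not embedded in the XML signature")
    elif cert_thumbprint(cert.text.strip()) not in trusted_thumbprints:
        problems.append("signing certificate thumbprint is not in SAML_20_SIGN_CERTS")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions element"]
    skew = timedelta(minutes=skew_minutes)  # tolerance for IdP/SP clock drift
    if now + skew < _saml_time(cond.get("NotBefore")):
        problems.append("assertion not yet valid even allowing for clock skew")
    if now - skew >= _saml_time(cond.get("NotOnOrAfter")):
        problems.append("assertion has expired even allowing for clock skew")
    return problems
```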