How do I add a login policy for LDAP, SAML, or OpenID Connect authentication method?

Login policies determine the authentication method and options for users to access Oracle Field Service. The application includes a default login policy; you can add login policies for LDAP, SAML, and OpenID Connect authentication methods. You can also add multiple policies with multiple authentication methods.

Before you start

Before you implement OpenID Connect: Create or register Oracle Field Service as an application in your identity provider. Get the Configuration URL, Logout URL, Client ID, and Client secret from the identity provider. Further, define an attribute that will be used for the username.

Here's what to do

  1. Click Configuration.
  2. In the Users and Security section, click Login Policies.
  3. Click Add new.
    The Add Policy dialog box appears.
  4. Complete these fields:
    Label: Enter a unique identifier label. For a SAML login policy, enter only letters, numbers, and underscores ( _ ).
    Policy name: Enter a name for this policy. Enter the name in English and in all the languages that are active in the application.
    Authenticate using: Select the type of authentication method used for this login policy.
    These fields are displayed for the Internal authentication method:
    Max login attempts: Enter the number of invalid login attempts after which the user is blocked. When this field is set to 0 (zero), the feature is disabled. However, disabling this feature is not recommended for security reasons. The default value is 5.
    Login block timer: Enter the number of minutes during which the user remains blocked after reaching the maximum number of invalid login attempts. The default value is 5 minutes.
    Force password change after: Enter the number of days after which the user must change their password to access the application. When this field is set to 0 (zero), the feature is disabled.
    Note: If the customer's LDAP server allows setting the period of forced password change, it is recommended that the period set in the application is shorter than the one set on the LDAP server. This way, the password changes initiated by the application occur earlier than those initiated by the LDAP server, which ensures correct and reliable operation.
    User inactivity timeout: Enter the duration of idle time after which the user is prompted to re-enter the password on attempting any action in the application. The default value is 240 minutes.
    Relogin timeout: Enter the period after which the user is prompted to re-enter the password, regardless of whether the user was active. The default value is 480 minutes.
    Max sessions: Enter the maximum number of simultaneous sessions allowed for the user. The default value is 3.
    Min password length: Enter the minimum number of characters in the password. The default is 8.
    Password must contain uppercase and lowercase letters: Select whether the password must contain letters. This option is selected by default.
    Password must contain digits: Select whether the password must contain numbers. This option is selected by default.
    Password must contain special symbols: Select whether the password must contain special characters and symbols. This option is selected by default.
    Password must not contain personal details: Select whether the password must not contain personal details such as the user's first name or last name. This option is selected by default.
    Password must differ from old password: Select whether the password must be different from a previous password. This option is selected by default.
    Allow access only for certain IP addresses: Select whether you want to restrict access to specific IP addresses. By default, a login policy is created without any restriction on the IP addresses from which the user may log in. Select the check box to enable the restriction. When this check box is selected, the Allowed IP address list field appears, where you can enter the IP addresses that can access the application.
    These fields are displayed for the LDAP authentication method, along with the fields listed earlier:
    LDAP server URL: Enter the host name or IP address of the LDAP server.
    LDAP DN pattern: If you select the LDAP server is MS Active Directory check box, enter the part of the UPN (User Principal Name) that is common to all users; in this case the LDAP DN pattern must always contain the UPN pattern. A UPN is a string of characters that represents a resource available in Active Directory, and it should be used when communicating with MS Active Directory servers. An example value is %s@test.corp, where %s is a placeholder that is substituted with the user's login. If the LDAP server is MS Active Directory check box is not selected, this field contains the common path to the LDAP tree for the users, that is, their DN pattern. A DN (Distinguished Name) is a string of characters that represents a resource available in the LDAP directory. An example value is cn=%s,dc=example,dc=com, where %s is a placeholder that is substituted with the user's login in the application.
    LDAP server is MS Active Directory: Select whether the LDAP server is an MS Active Directory server.
    These fields are displayed for the SAML authentication method:
    Specify SAML IdP: Select how you want to specify the SAML identity provider. The options are:
    • Upload metadata XML
    • Specify metadata URL
    • Oracle IDCS
    • Manual populate
    IdP Metadata XML: This field is displayed if you select Upload metadata XML in the Specify SAML IdP field. Click Upload to upload the XML file that contains the metadata details for the identity provider. If the uploaded file is incomplete or does not contain the details in the proper format, the message "Cannot download metadata from the specified XML: XML parser error" is displayed. Contact your identity provider to get this metadata XML. Ensure that the XML meets these requirements:
    • The metadata XML is in accordance with the SAML 2.0 specifications.
    • The file contains the SAML issuer (the entityID attribute of the EntityDescriptor node).
    • The file provides the identity provider certificate (node md:EntityDescriptor/md:IDPSSODescriptor/KeyDescriptor/KeyInfo/X509Data/X509Certificate).
    IdP Metadata URL: This field is displayed if you select Specify metadata URL in the Specify SAML IdP field. Type the URL from which you want to take the SAML metadata details for the identity provider. If the URL cannot be resolved, the message "Cannot download metadata from the specified URL: no route to host" is displayed.
    IDCS Metadata XML: This field is displayed if you select Oracle IDCS in the Specify SAML IdP field. Click Upload to upload the XML file that contains the metadata details for Oracle IDCS. Contact your implementation consultant for more details on Oracle IDCS.
    OFS Metadata XML: Click Download and select the domain that you want to use to redirect the requests from the identity provider to Oracle Field Service. The metadata file is downloaded to your computer and the address is displayed under OFS Domain. You must pair your identity provider with Oracle Field Service: use the downloaded XML file to register Oracle Field Service with your identity provider.
    Max sessions: Enter the maximum number of simultaneous sessions allowed for the user.
    SAML issuer: Enter the identifier used to identify assertions from the identity provider (IdP). It can be any string provided by the IdP, not only a URL. It is used for both IdP-initiated and service provider (SP) initiated connections.
    SAML identity provider certificate: Enter the IdP public key used to sign requests.
    SAML identity provider login URL: Enter the IdP URL to redirect to for login. It is needed only for SP-initiated logins.
    SAML identity provider logout URL: Enter the IdP URL to redirect to for logout. It is needed only for SP-initiated logins.
    SAML attribute containing username: Enter the name of the SAML assertion attribute in which the IdP must store the user name (the login name for Oracle Field Service). Example:
    <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">dispatcher</saml:AttributeValue>
    </saml:Attribute>
    If this field is empty, Oracle Field Service takes the user name from the NameID element of the Subject statement. Example:
    <saml:Subject>
      <saml:NameID SPNameQualifier="https://sp.com/sp/module.php/saml/sp/metadata.php/default-sp"
                   Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">dispatcher</saml:NameID>
    </saml:Subject>
    These fields are displayed for the OpenID Connect authentication method:
    Max sessions: Enter the maximum number of simultaneous sessions allowed for the user.
    Select linkback URL: Click Select linkback URL and select the domain that you want to use to redirect the requests from the identity provider to Oracle Field Service.
    Configuration login URL: Enter the identity provider URL that starts authentication.
    Logout URL: Enter the URL to which the user is redirected after logout. It may be the logout URL of the identity provider.
    Attribute containing username: Enter the name of the OpenID attribute in which the identity provider must store the user's name (the login name for Oracle Field Service). Example: email.
    Client ID: Enter the Client ID value obtained when you registered Oracle Field Service with the OpenID provider.
    Client secret: Enter the Client secret value obtained when you registered Oracle Field Service with the OpenID provider.
  5. In your OpenID application, configure a link back URL. Use the URL displayed in this dialog box for the option that you have selected.
    Your Identity Provider uses this link to redirect users to Oracle Field Service upon successful login.
  6. Click Add.
    A warning appears if any of the security parameters is blank. If not, the Login Policy is saved. The application generates the metadata based on the options you have selected. Use this metadata to link your identity provider with the instance. Note down the instance URL that you must use when setting up an external identity provider.
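The username rule from the SAML attribute containing username field (use the named assertion attribute; when the field is empty, use the Subject NameID), worked through as an added Python example. This is not Oracle's code; the sample assertion is constructed, and treating a configured-but-absent attribute as a failed lookup rather than a silent fallback is an assumption.

```python
import xml.etree.ElementTree as ET

# Namespace of the assertion elements quoted in the field description.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _text(node):
    """Stripped text of an element, or None when the element is absent or empty."""
    if node is None:
        return None
    return (node.text or "").strip() or None


def resolve_username(assertion_xml, attribute_name):
    """Pick the Oracle Field Service login name the way the policy field describes:
    the attribute named in the field when it is set, otherwise Subject/NameID.
    Assumption (not stated on the page): if the configured attribute is absent the
    result is None, so the login fails instead of quietly mapping to the NameID."""
    root = ET.fromstring(assertion_xml)
    if attribute_name:
        for attr in root.iterfind(".//saml:Attribute", SAML_NS):
            if attr.get("Name") == attribute_name:
                return _text(attr.find("saml:AttributeValue", SAML_NS))
        return None
    return _text(root.find(".//saml:Subject/saml:NameID", SAML_NS))


# Constructed sample assertion (not captured from a real IdP), shaped like the two
# examples in the field description; the attribute and NameID deliberately differ.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">dispatcher</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">tech01</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(resolve_username(SAMPLE_ASSERTION, "uid"))    # tech01
    print(resolve_username(SAMPLE_ASSERTION, ""))       # dispatcher (NameID fallback)
    print(resolve_username(SAMPLE_ASSERTION, "email"))  # None: attribute not in assertion
```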
Sample metadata XML file for SAML identity provider:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp-saml.ua3.int/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIID7TCCAtWgAwIBAgIJANn3qP9lF7M3MA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJVQTEXMBUGA1UE
		  CAwOS2hhcmtpdiBSZWdpb24xEDAOBgNVBAcMB0toYXJrb3YxDzANBgNVBAoMBk9yYWNsZTEYMBYGA1UEAwwPc3RzeWJvdi12bTEudWEzMScw
		  JQYJKoZIhvcNAQkBFhhzZXJnaWkudHN5Ym92QG9yYWNsZS5jb20wHhcNMTUxMjI1MTIyMjU5WhcNMjUxMjI0MTIyMjU5WjCBjDELMAkGA1UE
		  BhMCVUExFzAVBgNVBAgMDktoYXJraXYgUmVnaW9uMRAwDgYDVQQHDAdLaGFya292MQ8wDQYDVQQKDAZPcmFjbGUxGDAWBgNVBAMMD3N0c3lib
		  3Ytdm0xLnVhMzEnMCUGCSqGSIb3DQEJARYYc2VyZ2lpLnRzeWJvdkBvcmFjbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCA
		  QEAw4OFwuUNjn6xxb/OuAnmQA6mCWPY2hKMoOz0cAajUHjNZZMwGnuEeUyPtEcULfz2MYo1yKQLxVj3pY0HTIQAzpY8o+xCqJFQmdMiakb
		  PFHlh4z/qqiS5jHng6JCeUpCIxeiTG9JXVwF1ErBEZbwZYjVxa6S+0grVkS3YxuH4uTyqxskuGnHK/AviTHLBrLfSrbFKYuQUrXyy6X22wpzo
		  bQ3Z+4bhEE8SXQtVbQdy7K0MKWYopNhX05SMTv7yMfUGp8EkGNyJ5Km8AuQt6ZCbVao6cHL2hSujQiN6aMjKbdzHeA1QEicppnnoG/Zefyi/
		  okWdlLAaLjcpYrjUSWQJZQIDAQABo1AwTjAdBgNVHQ4EFgQUIKa0zeXmAJsCuNhJjhU0o7KiQgYwHwYDVR0jBBgwFoAUIKa0zeXmAJsCuNhJj
		  hU0o7KiQgYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJawU5WRXqkW4emm+djpJAxZ0076qPgEsaaog6ng4MLAlU7RmfIY/
		  l0VhXQegvhIBfG4OfduuzGaqd9y4IsQZFJ0yuotl96iEVcqg7hJ1LEY6UT6u6dZyGj1a9I6IlwJm/9CXFZHuVqGJkMfQZ4gaunE4c5gjbQA5/
		  +PEJwPorKn48w8bojymV8hriqzrmaP8eQNuZUJsJdnKENOE5/asGyj+R2YfP6bmlOX3q0ozLcyJbXeZ6IvDFdRiDH5wO4JqW/ujvdvC553y
		  CO3xxsorB4xCupuHu/c7vkzNpaKjYdmGRkqhEqBcCqYSxdwIFc1xhOwYPWKJzgn7pGQsT7yNJg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIID7TCCAtWgAwIBAgIJANn3qP9lF7M3MA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJVQTEXMBUGA1
		  UECAwOS2hhcmtpdiBSZWdpb24xEDAOBgNVBAcMB0toYXJrb3YxDzANBgNVBAoMBk9yYWNsZTEYMBYGA1UEAwwPc3RzeWJvdi12bTEud
		  WEzMScwJQYJKoZIhvcNAQkBFhhzZXJnaWkudHN5Ym92QG9yYWNsZS5jb20wHhcNMTUxMjI1MTIyMjU5WhcNMjUxMjI0MTIyMjU5WjCB
		  jDELMAkGA1UEBhMCVUExFzAVBgNVBAgMDktoYXJraXYgUmVnaW9uMRAwDgYDVQQHDAdLaGFya292MQ8wDQYDVQQKDAZPcmFjbGUxGDA
		  WBgNVBAMMD3N0c3lib3Ytdm0xLnVhMzEnMCUGCSqGSIb3DQEJARYYc2VyZ2lpLnRzeWJvdkBvcmFjbGUuY29tMIIBIjANBgkqhkiG9w0B
		  AQEFAAOCAQ8AMIIBCgKCAQEAw4OFwuUNjn6xxb/OuAnmQA6mCWPY2hKMoOz0cAajUHjNZZMwGnuEeUyPtEcULfz2MYo1yKQLxVj3pY0HT
		  IQAzpY8o+xCqJFQmdMiakbPFHlh4z/qqiS5jHng6JCeUpCIxeiTG9JXVwF1ErBEZbwZYjVxa6S+0grVkS3YxuH4uTyqxskuGnHK/
		  AviTHLBrLfSrbFKYuQUrXyy6X22wpzobQ3Z+4bhEE8SXQtVbQdy7K0MKWYopNhX05SMTv7yMfUGp8EkGNyJ5Km8AuQt6ZCbVao6cHL2h
		  SujQiN6aMjKbdzHeA1QEicppnnoG/Zefyi/okWdlLAaLjcpYrjUSWQJZQIDAQABo1AwTjAdBgNVHQ4EFgQUIKa0zeXmAJsCuNhJjhU0o
		  7KiQgYwHwYDVR0jBBgwFoAUIKa0zeXmAJsCuNhJjhU0o7KiQgYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJawU5WRXq
		  kW4emm+djpJAxZ0076qPgEsaaog6ng4MLAlU7RmfIY/l0VhXQegvhIBfG4OfduuzGaqd9y4IsQZFJ0yuotl96iEVcqg7hJ1LEY6UT6u6d
		  ZyGj1a9I6IlwJm/9CXFZHuVqGJkMfQZ4gaunE4c5gjbQA5/+PEJwPorKn48w8bojymV8hriqzrmaP8eQNuZUJsJdnKENOE5/
		  asGyj+R2YfP6bmlOX3q0ozLcyJbXeZ6IvDFdRiDH5wO4JqW/ujvdvC553yCO3xxsorB4xCupuHu/c7vkzNpaKjYdmGRkqhEqBcCqYSxd
		  wIFc1xhOwYPWKJzgn7pGQsT7yNJg==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-saml.ua3.int/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-saml.ua3.int/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:SurName>Administrator</md:SurName>
    <md:EmailAddress>name@emailprovider.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
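As an added example (not Oracle's code), a local pre-check of an identity provider metadata file against the three requirements listed for the IdP Metadata XML field, so a file can be inspected before upload instead of waiting for the "XML parser error" message. It runs on a constructed sample shaped like the file above with a placeholder certificate; the check names and messages are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The node path the field description quotes for the identity provider certificate.
CERT_PATH = "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def check_idp_metadata(xml_text):
    """Return the problems found against the three listed requirements.
    An empty list means the file passes those checks (parsed locally, nothing fetched)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:   # the upload would fail with "XML parser error"
        return [f"XML parser error: {exc}"]
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor in the SAML 2.0 metadata namespace"]
    problems = []
    if not (root.get("entityID") or "").strip():
        problems.append("EntityDescriptor has no entityID (SAML issuer)")
    certs = [c for c in root.findall(CERT_PATH, NS) if (c.text or "").strip()]
    if not certs:
        problems.append("no identity provider X509Certificate under IDPSSODescriptor/KeyDescriptor")
    return problems


# Constructed sample (not a real IdP): same shape as the sample file above,
# with the certificate body replaced by a placeholder.
GOOD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...CERTIFICATE-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# The same file with the signing certificate left out, and with the issuer left out.
NO_CERT = GOOD.replace("MIIB...CERTIFICATE-PLACEHOLDER...", "")
NO_ISSUER = GOOD.replace(' entityID="https://idp.example.test/saml"', "")

if __name__ == "__main__":
    print(check_idp_metadata(GOOD))       # []
    print(check_idp_metadata(NO_CERT))    # certificate problem
    print(check_idp_metadata(NO_ISSUER))  # issuer problem
    print(check_idp_metadata("<broken"))  # XML parser error
```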