7 Configuring Single Sign-On in Oracle Key Vault

You can configure Oracle Key Vault for Single Sign-On (SSO) once you have completed the configuration in both the Identity Provider and the Service Provider.

7.1 About Single Sign-On Authentication in Oracle Key Vault

Oracle Key Vault supports SAML-based Single Sign-On (SSO) authentication. Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. The SSO feature allows Oracle Key Vault to join the set of systems that support SSO.

You are required to configure the Identity Provider and Oracle Key Vault for SSO functionality. Oracle Key Vault SSO provides the following features:
  • SSO authentication helps you comply with the applicable regulations by ensuring effective access reporting.
  • SSO helps secure user credential data by reducing the number of logins required for each application.
  • If the IDP supports it, SSO provides Multi-Factor Authentication (MFA). In this case, MFA is configured in the Identity Provider, not in Oracle Key Vault.

7.2 Configuring SAML Single Sign-On (SSO) Authentication

SSO is an access control solution that allows users to authenticate once and get access to all enterprise resources connected to the SSO system. Oracle Key Vault SAML SSO can take advantage of the multi-factor authentication supported by the Identity Provider (IDP) if necessary.

7.2.1 About Configuring SAML Single Sign-On Authentication

You can configure the Single Sign-On (SSO) in Oracle Key Vault to enable users to log into Oracle Key Vault using their Identity Provider (IDP) credentials.

As a System Administrator, you need to configure the IDP in Oracle Key Vault before using the SAML-based SSO. Oracle Key Vault supports the following IDPs:
  1. Active Directory Federation Services (ADFS)
  2. Microsoft Azure Active Directory
  3. Other

The user must be provisioned as an SSO user type in Oracle Key Vault. In a multi-master cluster environment, each node must be configured separately to enable SSO.

7.2.2 Configuring Identity Provider for Single Sign-On for Oracle Key Vault

You can configure the connection between Oracle Key Vault and the IDPs to enable Single Sign-On (SSO) in Oracle Key Vault.

Oracle Key Vault supports SAML-based SSO authentication. You can authenticate at one application and access service providers at different locations without needing to log in multiple times.

7.2.2.1 SAML SSO Configuration

You need to configure the Identity Provider (IDP) before starting the SSO configuration in Oracle Key Vault.

The IDP sends the SAML authentication response to Oracle Key Vault after receiving a request from Oracle Key Vault. To authenticate the SAML request, the IDP validates its signature using the public certificate received from Oracle Key Vault.

7.2.2.2 SAML Signing Certificate

The SAML signing certificate is required for SSO user authentication.

Configuring the SAML signing certificate is one of the important steps of the SSO configuration in the IDP. The SAML certificate authenticates the IDP when it passes user data to the service provider for the SSO functionality.

7.2.2.3 User Provisioning and Authorization

The Identity Provider (IDP) performs user provisioning and authorization, and provides the user credentials to the Service Provider (SP).

Before using SAML-based SSO, the IDP user must be provisioned as an SSO user type in Oracle Key Vault and must be assigned the proper roles or privileges.

7.2.2.4 SAML Request Signing

SAML request signing is required so that the IDP can authenticate the request signature.

The IDP verifies the signature on the signed SAML request it receives from Oracle Key Vault.

7.2.3 Configuring Oracle Key Vault for Single Sign-On(SSO)

The configurations created in the IDP must also be configured in Oracle Key Vault.

7.2.3.1 Oracle Key Vault SAML SSO Configuration

Oracle Key Vault SAML SSO configuration is the next step once the SSO configuration is completed in Identity Provider (IDP).

Oracle Key Vault uses the public certificate from the IDP to validate the signature of the incoming SAML response. Oracle Key Vault accepts the SAML response and redirects the user to the Oracle Key Vault management console.

7.2.3.2 Add Single Sign-On Configuration

The configurations created in the IDP must be added in Oracle Key Vault.

You need to add the SSO configuration in Oracle Key Vault before using the SSO functionality. Once you have configured the IDP, perform the following steps to configure Oracle Key Vault.
  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Systems tab, then Single Sign-On Configuration from the left navigation bar.
  3. In the Manage Sign-On Configuration page, click Add. The Add Sign-On Configuration page displays.

  4. Enter the identity provider name to save the SSO configuration in the Identity Provider field.
  5. From the Provider Type drop-down list, select the service provider.
  6. Select SAML 2.0 from the Protocol drop-down.
  7. Provide the information in the SAML Sign in URL, SAML Sign Out URL, and Identity Provider Issuer.
  8. Click Choose File and upload the signing certificate issued by the identity provider in the Identity Provider Signing Certificate field.

    Note:

    The information required for the SAML Sign in URL, SAML Sign Out URL, Identity Provider Issuer, and Identity Provider Signing Certificate fields is obtained from the IDP. For more information, see Configuring Single Sign-On for Oracle Key Vault and Azure Active Directory or Configuring Single Sign-On for Oracle Key Vault and ADFS.
  9. Click Add to save the provided information.

    Note:

    When you edit an existing Single Sign-On configuration, the Edit Sign-On Configuration page is displayed. After updating the existing information, click Save.

7.2.3.3 Creating Single Sign-On User

You need to create an SSO user in Oracle Key Vault using the user name provided by the Identity Provider (IDP).

Oracle Key Vault needs the SSO user information to validate the user principal extracted from the SAML response. To create an SSO user in Oracle Key Vault perform the following steps.
  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Users tab, and then Manage Users from the left navigation bar.
  3. Click Create. The Create User page displays.

  4. From the User Type drop-down list, select SSO.

    Note:

    The SSO option is available in the User Type list only after an SSO configuration has been enabled.
  5. Enter the user name in User Name field.
  6. Enter Full Name.
  7. Click Save.

7.2.3.4 Authenticating Single Sign-On (SSO) User

The Oracle Key Vault Single Sign-On user must be validated before using the SSO functionality.

The System Administrator assigns the different roles and privileges to the SSO user based on the requirement. By default, all SSO type users have no role or privilege assigned to them.
To authenticate an SSO user in Oracle Key Vault perform the following steps:
  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Users tab, and then Manage Users from the left navigation bar.
  3. From the User Type drop-down list, select SSO.
  4. Enter the user name in User Name field.

    Note:

    For SSO, the user name must be the user name as created in the IDP. The SSO user name is an email address when the user type in Oracle Key Vault is SAML-based SSO.
  5. Enter Full Name.
  6. Click Save.

7.2.4 Logging in to Oracle Key Vault as an SSO User

An SSO user who is configured in Oracle Key Vault can log in to the Oracle Key Vault management console.

  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Systems tab, then Single Sign-On Configuration from the left navigation bar.
  3. In the Manage Sign-On Configuration page, click Add. The Add Sign-On Configuration page appears.
  4. From the Select Provider, select the Identity Provider to enable for SSO login.
  5. Log out from the Oracle Key Vault management console.

    If SSO is enabled for the user, the Oracle Key Vault login screen displays the Login with SSO button.

  6. Select Login with SSO. You are redirected to the IDP's login screen.
  7. Enter your credentials in the IDP's login screen.

7.3 Managing Single Sign-On in Oracle Key Vault

You can easily manage the SSO configuration using the Oracle Key Vault management console.

7.3.1 Download Oracle Key Vault Single Sign-On (SSO) Certificate

You need to download the SSO certificate from the Oracle Key Vault management console to complete the SSO configuration with the service provider.

The service provider requires the SSO certificate to complete the configuration with Oracle Key Vault.
  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Systems tab, then Single Sign-On Configuration from the left navigation bar.
    The Manage Single Sign-On Configuration page displays.

  3. On the Manage Single Sign-On Configuration page, click Download Certificate to download the certificate on your machine.
  4. Choose the location to download and save the certificate on your machine.
  5. Click Save.
    The certificate gets downloaded at the provided location.

7.3.2 Adding Single Sign-On (SSO) Configuration in Oracle Key Vault

Oracle Key Vault requires the configurations created in the IDP to be added.

You need to add the SSO configuration in Oracle Key Vault before using the SSO functionality. Once you have configured the IDP, perform the following steps to configure Oracle Key Vault.
  1. Log in to the Oracle Key Vault management console as a user with the System Administrator role.
  2. Select the Systems tab, then Single Sign-On Configuration from the left navigation bar.
  3. In the Manage Single Sign-On Configuration page, click Add. The Add Single Sign-On Configuration page appears.

  4. Enter the identity provider name to save the SSO configuration in the Identity Provider field.
  5. From the Provider Type drop-down list, select the service provider.
  6. Provide the information in the SAML Sign in URL, SAML Sign Out URL, and Identity Provider Issuer fields.
  7. Enter the URL for Identity Provider Domain.
  8. Click Choose File and upload, or paste, the signing certificate issued by the identity provider in the Identity Provider Signing Certificate field.

    Note:

    The information required for the SAML Sign in URL, SAML Sign Out URL, Identity Provider Issuer, and Identity Provider Signing Certificate fields is obtained from the IDP. For more information, see Configuring Single Sign-On for Oracle Key Vault and Azure Active Directory or Configuring Single Sign-On for Oracle Key Vault and ADFS.
  9. Click Add to save the provided information.

    Note:

    For the SSO configuration to take effect, you must enable it after saving the configuration.

7.3.3 Enabling Single Sign-On (SSO) Configuration

You are required to enable SSO in Oracle Key Vault once the SSO configuration is complete.

The SSO functionality must be configured in Oracle Key Vault before you can enable or disable it.
  1. Select the Service Provider to enable from the Manage Single Sign-On Configuration page.
  2. Click Enable.
  3. Click OK in the displayed dialogue box.
  4. Log out from the Oracle Key Vault management console.
  5. On the Oracle Key Vault login screen, click Login with SSO. This opens the service provider login screen.
  6. Log in using the Single Sign-On credentials. For more information, see Configuring Single Sign-On for Oracle Key Vault and Azure Active Directory or Configuring Single Sign-On for Oracle Key Vault and ADFS.
    Successful login ensures the selected service provider's SSO Configuration is enabled for you in Oracle Key Vault.

7.3.4 Disabling Single Sign-On (SSO) Configuration

You can deactivate the existing SSO functionality using the disable function.

The SSO configuration must be enabled in Oracle Key Vault before you can use the disable functionality.
  1. Select the Service Provider to disable from the Manage Single Sign-On Configuration page.
  2. Click Disable.
  3. Click OK in the displayed dialogue box.
    The selected service provider's SSO configuration is disabled in Oracle Key Vault.

7.3.5 Deleting Single Sign-On Configuration

You can permanently delete the existing SSO functionality from the Oracle Key Vault management console using the delete function.

The SSO configuration must exist in the Manage Single Sign-On Configuration page in Oracle Key Vault before you can use the delete functionality.
  1. Select the Service Provider to delete from the Manage Single Sign-On Configuration page.
  2. Click Delete.
  3. Click OK in the displayed dialogue box.
    The selected service provider's SSO configuration is deleted from the Oracle Key Vault management console.

7.4 Configuring Single Sign-On for Oracle Key Vault and Azure Active Directory

You can configure Oracle Key Vault and Azure Active Directory for SAML-based Single Sign-On (SSO).

  1. In the Azure portal, select Azure Active Directory on the left navigation pane.
  2. Select Enterprise applications in Azure Active Directory.
    The Enterprise applications page appears.
  3. Select New application from the menu bar. The Browse Azure AD Gallery page appears.
  4. Select Create your own application.
  5. Provide the application name for Oracle Key Vault and select Integrate any other application you don't find in the gallery (Non-gallery).
  6. Select your application to configure single sign-on.
  7. Navigate to Set up single sign on under Getting Started.
  8. Select SAML as the single sign-on method.
  9. In the Set up Single Sign-On with SAML - preview page, navigate to the Basic SAML Configuration section.
  10. Click on Edit for Basic SAML Configuration.
  11. Enter the following values, based on apex_authentication.saml_metadata from your APEX server:
    • Identifier (Entity ID): https://<okv IP address>/ords/apex_authentication.saml_callback
    • Reply URL: https://<okv IP address>/ords/apex_authentication.saml_callback
    • Logout URL: https://<okv IP address>/ords/apex_authentication.saml_callback
  12. Click Save.
  13. Click Edit for SAML Signing Certificate.
  14. Verify that Azure signs both the response and the assertion in SAML Signing Certificate.
  15. Save the changes.

    Note:

    If you later need to change the Signing Option, for example, because this step was forgotten, make sure to verify the certificate. Azure might serve a different one after changing this option.
  16. Click Download for Certificate (Base64). Oracle Key Vault uses this certificate as the Identity Provider Signing Certificate.
  17. Copy the Login URL, Azure AD Identifier and Logout URL to configure SAML SSO in Oracle Key Vault.
  18. In the Oracle Key Vault management console, go to System, Setting and then Single Sign-on.
  19. Save the SAML configuration and enable SAML Authentication. The SAML Sign In URL, SAML Sign Out URL, and Identity Provider Issuer and the downloaded Identity Provider Signing Certificate from Azure are required.

7.4.1 Adding User for Oracle Key Vault in Azure Active Directory (AD)

You need to add the user to Azure AD before using the Single Sign-On in Oracle Key Vault.

  1. Login to the Azure portal using Azure credentials.
  2. Click Azure Active Directory.
  3. In the left pane, click Enterprise applications.
  4. Select + New Application.
  5. Select + Create your own application.
  6. Provide a name for your application in the name field. For example, Oracle Key Vault Service.
  7. Select Integrate any other application you don't find in the gallery (Non-gallery).
  8. Click Create. Azure takes a few moments to create the application.
  9. On the application's overview page, click Single Sign-On in the left pane under Manage.
  10. Select SAML for the single sign-on method.
  11. In the Set up Single Sign-On with SAML page, navigate to the Basic SAML Configuration section.
  12. Click Edit. Enter the following values, based on apex_authentication.saml_metadata from your APEX server:
    • Identifier (Entity ID): https://<okv IP address>/ords/apex_authentication.saml_callback
    • Reply URL: https://<okv IP address>/ords/apex_authentication.saml_callback
    • Logout Url: https://<okv IP address>/ords/apex_authentication.saml_callback
  13. Click Save.
  14. Click Edit for SAML Signing Certificate.
  15. Verify that the Signing Option field displays Sign SAML response and assertion in SAML Signing Certificate.
  16. Click Save.

    Note:

    If you later change the Signing Option, make sure to verify the certificate: Azure generates a new certificate after this option is changed.
  17. Click Download at the Certificate (Base64) option. This certificate is the Identity Provider Signing Certificate used in Oracle Key Vault.
    Optionally, click Edit in Verification certificates (optional) and upload the certificate downloaded from the SSO configuration page in the Oracle Key Vault management console. Check Require verification certificates and then click Save.
  18. From the Set up Node Name page, copy the Login URL, Azure AD Identifier, Logout URL. You can use this information while configuring the SAML SSO in Oracle Key Vault.

    Note:

    Go to Oracle Key Vault to create, save, and enable the SAML SSO configuration. See Configuring SAML Single Sign-On (SSO) Authentication.
  19. Under Enterprise Application, go to Oracle Key Vault.
  20. Select Assign users and groups.
  21. In the left pane, Select Users and Groups.
  22. Click + Add user/group.
  23. On the Add Assignment pane, select None Selected under Users and groups or Users.
  24. Click Save.
  25. From the right-side Users pane, select the user.
  26. On the Add Assignment pane, assign the selected user to the Oracle Key Vault enterprise application.
  27. Select Assign at the bottom of the pane.
  28. Navigate to the User and groups option.
  29. The User and Groups page displays the assigned user information with access to the Oracle Key Vault application.

7.5 Configuring Single Sign-On for Oracle Key Vault and ADFS

Oracle Key Vault supports SSO with a self-hosted Active Directory Federation Services (ADFS) server.

You need to configure ADFS for using SSO in Oracle Key Vault.

  1. From the Windows menu, click Server Manager.
  2. Click AD FS Management in the Tools menu.
  3. From the Service folder, select Certificates.
  4. Double click Token-signing option in Certificates window pane.
  5. From Certificates, select the Details tab.
  6. Select Copy to File.... The Certificate Export Wizard page displays.
  7. Select the Base-64 encoded X.509 (.CER).
  8. Click Next, and save the certificate as adfs_for_okv.cer.
  9. Go to the Service folder again and select the Relying Party Trust folder.
  10. Right-click to open the menu options and select Add Relying Party Trust.
  11. From the Add Relying Party Trust Wizard, select Claims aware.

  12. Go to the Select Data Source option on the left.
  13. Select Enter data about the relying party manually.
  14. For Specify Display Name option, type the name for the relying party.

    Note:

    The relying party name is used as the target name in the ADFS commands.
  15. For the Configure Certificate, click Next.
  16. For Configure URL, select Enable support for the SAML 2.0 Web SSO protocol.
  17. Enter https://<OKV IP address>/ords/apex_authentication.saml_callback in Relying party SAML 2.0 SSO service URL:.
  18. For Configure Identifier, enter https://<OKV IP address>/ords/apex_authentication.saml_callback in Relying party trust identifier:.

    Note:

    This must be a unique identifier within the given ADFS.
  19. For Choose Access Control Policy, select the required access policy from the Choose the access control policy field.
  20. For Ready Add Trust, click Next.
  21. On the Finish option, make sure Configure claims issuance policy for this application is selected.
  22. Click Close.
    The Edit Claim Issuance Policy window displays.
  23. In the Issuance Transform Rules, click Add Rule.
  24. In the Add Transform Claim Rule Wizard, for Claim rule template, select Send LDAP Attributes as Claims.
  25. Click on Next.
  26. In Configure Claim Rule, for Claim rule name:, provide the name and select Active Directory from the Attribute Store drop-down.
  27. In the Mapping of LDAP attributes to outgoing claim types, select E-Mail-Address on LDAP Attribute and Name ID on Outgoing Claim Type.
  28. Click Add Rule to add another rule.
  29. Again from Add Transform Claim Rule Wizard, for Claim rule template, select Transform an Incoming Claim.
  30. Click Next.
  31. In Configure Claim Rule for the Claim rule name:, provide the claim rule name.
  32. Select the E-mail Address from the Incoming claim type drop-down.
  33. Select Name ID from the Outgoing claim type drop-down.
  34. Select Email from the Outgoing name ID format drop-down.
  35. Select Pass through all claim values.
  36. Click Finish.

    Note:

    Before proceeding, make sure that the configured rules are added and available.
  37. Click Apply.
  38. In Server Manager, select AD FS Management from the Tools menu.
  39. Go to Relying Party Trusts.
  40. Double-click the newly added relying party trust.
  41. From the displayed Properties window, select the Signature tab.
  42. Click Add to upload the server certificate downloaded from the Oracle Key Vault management console.
  43. Click OK.
  44. Select the Endpoints tab and click Add SAML....
  45. Select SAML Logout from the Endpoint type: drop-down.
  46. Select Redirect from the Binding drop-down.
  47. Enter https://<OKV IP address>/ords/f?p=7700:LOGIN in the Trusted URL field.
  48. Click OK, and then Apply.
  49. In the Windows PowerShell window that is displayed, run the following commands:
    Set-AdfsRelyingPartyTrust -TargetName "<target name>" -SigningCertificateRevocationCheck None
    Set-AdfsRelyingPartyTrust -TargetName "<target name>" -SamlResponseSignature MessageAndAssertion

    where the target name is the name provided as display name in Specify Display Name option.

  50. In Oracle Key Vault, make sure that an NTP server is configured, then populate the SAML configuration and enable SAML authentication.
  51. The logout URL is required for ADFS.
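The following PowerShell script is an added example, not part of the Oracle Key Vault documentation or the ADFS product: run it on the ADFS server after completing the steps above to confirm that the relying party trust still matches what the procedure configured (identifier, signed response and assertion, the uploaded Oracle Key Vault certificate, the SAML endpoints, and the e-mail Name ID rule). The display name and the <OKV IP address> URLs are placeholders, and the property names on the trust object are taken from the ADFS PowerShell module as the author understands them.

```powershell
# Added example: audit the Oracle Key Vault relying party trust in ADFS.
# Assumptions: "OKV-Node1" stands for the Specify Display Name value (step 14);
# <OKV IP address> is the placeholder used throughout the procedure.
$TargetName  = "OKV-Node1"
$OkvCallback = "https://<OKV IP address>/ords/apex_authentication.saml_callback"
$OkvLogout   = "https://<OKV IP address>/ords/f?p=7700:LOGIN"

Import-Module ADFS
$rp = Get-AdfsRelyingPartyTrust -Name $TargetName
if (-not $rp) { throw "Relying party trust '$TargetName' not found." }

$findings = @()

# Step 18: the trust identifier must be the Oracle Key Vault callback URL.
if ($rp.Identifier -notcontains $OkvCallback) {
    $findings += "Identifier does not contain $OkvCallback"
}

# Step 49: both the SAML response and the assertion must be signed.
if ($rp.SamlResponseSignature -ne 'MessageAndAssertion') {
    $findings += "SamlResponseSignature is '$($rp.SamlResponseSignature)', expected MessageAndAssertion"
}

# Step 42: the certificate downloaded from Oracle Key Vault must be present so
# ADFS can verify signed SAML requests; warn when it is close to expiry.
if (-not $rp.RequestSigningCertificate) {
    $findings += "No request signing certificate uploaded from Oracle Key Vault"
} else {
    foreach ($cert in $rp.RequestSigningCertificate) {
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            $findings += "Request signing certificate $($cert.Thumbprint) expires $($cert.NotAfter)"
        }
    }
}

# Step 49 disables revocation checking; surface the exception so it is reviewed.
if ($rp.SigningCertificateRevocationCheck -eq 'None') {
    $findings += "SigningCertificateRevocationCheck is None (set by step 49; review periodically)"
}

# Steps 17 and 45-47: SSO service endpoint and SAML Logout endpoint (Redirect binding).
$sso = $rp.SamlEndpoints | Where-Object {
    $_.Protocol -eq 'SAMLAssertionConsumer' -and ([string]$_.Location) -eq $OkvCallback }
if (-not $sso) { $findings += "No SAMLAssertionConsumer endpoint for $OkvCallback" }

$logout = $rp.SamlEndpoints | Where-Object {
    $_.Protocol -eq 'SAMLLogout' -and $_.Binding -eq 'Redirect' -and ([string]$_.Location) -eq $OkvLogout }
if (-not $logout) { $findings += "No SAMLLogout endpoint (Redirect binding) for $OkvLogout" }

# Steps 27 and 32-34: the issued Name ID must carry the e-mail address format.
# Assumption: the rule text contains the nameidentifier claim type and the
# SAML 1.1 emailAddress nameid-format URI, as the wizard generates them.
$rules = [string]$rp.IssuanceTransformRules
if ($rules -notmatch 'nameidentifier' -or $rules -notmatch 'nameid-format:emailAddress') {
    $findings += "Issuance transform rules do not map E-Mail-Address to Name ID with the Email format"
}

if ($findings.Count -eq 0) {
    Write-Host "Relying party trust '$TargetName' matches the Oracle Key Vault SSO procedure."
} else {
    Write-Warning "Relying party trust '$TargetName' needs attention:"
    $findings | ForEach-Object { Write-Warning "  - $_" }
}
```

Run it from an elevated PowerShell session on the ADFS server; a trust that drifts from these settings (for example, a response that is no longer signed, or a missing request-signing certificate) shows up as a warning before users notice failed logins.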

7.6 Guidelines for Managing Single Sign-On Configuration

Consider these Oracle Key Vault guidelines for managing SSO configuration.

Guidelines for Microsoft Azure Active Directory / Active Directory Federation Services

  • The user must be provisioned as SSO user type in Oracle Key Vault.
  • In a multi-master cluster environment, each node has its own SSO configuration. Each node should have its own enterprise application (Azure) or target (ADFS), because the login and logout URLs and the SAML metadata contain a different IP address for each node.