9 Using Federated Single Sign-On

This chapter describes tasks required when using an external identity management system to provide authentication for the application instances within your cloud subscription, including:

Overview

Federated Single Sign-On (SSO) allows your organization to use an external identity management system to provide online authentication for the application instances within your cloud subscription.

  • Configuration and verification of Federated Single Sign-On should take place after the subscription is live.
  • Federated Single Sign-On only concerns online (interactive) access; it does not apply to integration and other non-human accounts.
  • The option to federate the IAM Identity Domain with an external Identity and Access Management system is supported as part of the Oracle Utilities cloud service subscription.

Setup External Identity Provider

Configure a SAML 2.0 external identity provider such as Active Directory Federation Services (AD FS) for federated SSO with the IAM Identity Domain.

Configuration steps include:

  • Set up the SAML 2.0 Identity Provider.
  • Verify Federated Single Sign-On.
  • Establish user synchronization between the Identity Domain and the SAML Identity Provider. It is necessary to copy users into Identity Domain because the access to the service is granted by assigning users to the Application Roles in Oracle Cloud Services.
    • Configure Microsoft Active Directory Bridge or implement user data synchronization via REST SCIM API, flat file import, or using one of the pre-defined provisioning Applications from the IAM catalog. Refer to the IAM documentation for more details.

To access detailed configuration instructions provided by IAM:

  • Return to the Oracle Cloud Infrastructure console, expand the hamburger menu in the top left corner and select Identity. Click the Identity link to load the Overview page. Use one of the quick links to access documentation and tutorials on SAML SSO configuration.

    Note on Identity Bridge setup only: Federated authentication is enabled by default. This means that user credentials are validated against the configured Identity Provider. When configuring Identity Bridge, define federated authentication as follows:

    • To continue validating credentials and maintaining passwords and password rules in the external identity management system, leave the Federated Authentication checkbox checked.
    • To validate credentials and manage passwords in IAM, uncheck the Federated Authentication checkbox. IAM will generate passwords for the users and send a notification by email (the email attribute must be populated in Microsoft Active Directory and mapped to the Identity Domain).

Service Access for Federated Users

Federated users should be granted access to the environments the same way as the users created directly in the Identity Domain.

See Setting Up an Online Application User and Setting Up Application Users for instructions on how to assign users to the online access application roles.

Possible approaches:

  • Process users one by one: locate the user in Identity Cloud Service and assign the user to the application roles.
  • Process multiple users:
    • Export users directly or from a group (see Exporting for more details).
    • Copy the information into the Application Role import file and import the users and/or groups into the Application Role (see Importing for more details).

Just In Time Provisioning for Federated Users

In the federated SSO scenario the Identity Cloud Service users and groups are imported from the external identity provider's data repository.

  • Evaluate the groups created in the Identity Domain as a result of synchronization with the external Identity Provider and determine whether to use them for Just In Time provisioning purposes.
  • Log in to the OUAF-based application and set up Template Users that represent the authorization levels corresponding to the IAM groups synchronized from the external provider.
  • Configure the Group - Template User mapping in the Identity Management Integration Master Configuration.

See Configuring Just in Time Provisioning for more detailed configuration instructions.
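The Group to Template User resolution described above, as an added illustration that is not part of the Oracle product or this guide: a constructed SAML 2.0 assertion fragment is parsed, the synchronized group attribute is read, and a hypothetical mapping decides which Template User (if any) to clone. The group names, template names and the "lowest privilege wins" tie-break are invented for the example; an unmapped user is deliberately not provisioned.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion fragment from an external IdP (e.g. AD FS).
# A real assertion also carries Conditions and a Signature that must be
# validated before any attribute in it is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>CCB-CSR</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical Group -> Template User mapping (names invented for the example),
# standing in for the Identity Management Integration Master Configuration.
GROUP_TEMPLATE_MAP = {
    "CCB-ADMIN": "TMPL_ADMIN",
    "CCB-CSR": "TMPL_CSR",
    "CCB-READONLY": "TMPL_READONLY",
}
# Example policy: if several mapped groups apply, the least privileged wins.
TEMPLATE_PRECEDENCE = ["TMPL_READONLY", "TMPL_CSR", "TMPL_ADMIN"]


def extract_groups(assertion_xml, attribute_name="groups"):
    """Return the values of the named attribute from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return values


def resolve_template_user(groups, mapping=GROUP_TEMPLATE_MAP, precedence=TEMPLATE_PRECEDENCE):
    """Pick the Template User to clone, or None when no synchronized group is mapped."""
    candidates = {mapping[g] for g in groups if g in mapping}
    return next((t for t in precedence if t in candidates), None)


def jit_provision(assertion_xml):
    """Decide whether and from which template a federated user is provisioned."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    template = resolve_template_user(extract_groups(assertion_xml))
    return {"user": name_id, "template_user": template, "provisioned": template is not None}
```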