Step 2: Adding OCI IAM Identity Domain as a Service Provider (SP) in the Identity Provider (IdP)

  1. Add the OCI IAM Identity Domain as the service provider in your identity provider using the metadata downloaded earlier.
  2. Map the Name identifier (Name ID) value field as the username.
  3. The following table lists the SAML attributes that must be configured in the identity provider so that they are passed as assertions in the SAML response.

    Table 1-1 SAML Attributes

    | SAML Attribute Name | Attribute Description | Mandatory Attribute |
    |---|---|---|
    | oc_userid | User Name | Yes |
    | oc_surname | Family Name | Yes |
    | oc_emailaddress | Primary Email | Yes |
    | oc_primaryworklocation | User’s primary work location. This is a mandatory single value user attribute that indicates the user’s primary work location. The primary work location can have the following values: <ENTERPRISE ID>:E for multi-chain customers derived from the user profile for those users who are at the enterprise level. For customers having only a single chain, the source value can be set to constant <CHAIN CODE>:C for all users. Assign <PROPERTY CODE>:P derived from the user profile in the identity provider to assign users with a property code as their primary work location. | Yes |
    | oc_role | Group memberships (role memberships) of the user. | Yes |
    | oc_actas | You can send values for a new user's Act As field from your identity provider, which eliminates overhead for an admin to manually assign Act As for a new user in OPERA Cloud Role Manager. Possible Values: Reservation Sales Person; Conference Sales Person; External System | No |
    | oc_actat | You can send values for a new user's Act At field from your identity provider, which eliminates overhead for an admin to manually assign Act At for a new user in OPERA Cloud Role Manager. Possible Values: Property; Central | No |
    | oc_preferredlanguage | User Preferred Language | No |
    | oc_givenname | Given Name | No |
    | oc_employeenumber | Employee Number | No |
    | oc_telephonenumber | Mobile Number | No |
    | oc_title | Title | No |
    | oc_displayname | Display Name | No |
    | oc_usertype | User Type. The possible values are: FULL-TIME EMPLOYEE; PART-TIME EMPLOYEE; TRAINEE; CONTRACTOR; CONSULTANT; OTHER | No |
    | oc_orgcode | Enterprise or Chain Code | No |
    | oc_workphonenumber | Work Phone Number | No |
    | oc_userinitial | Honorific Prefix | No |
    | oc_middlename | Middle Name | No |
    | oc_honorificsuffix | Honorific Suffix | No |
    | oc_timezone | User Timezone | No |
    | oc_locale | User Locale | No |
    | oc_ownercode | Owner code of the user | No |
    | oc_hubs | This SAML claim enables customers to map HUB(s) to a user in OPERA Cloud. This claim is mapped to a string array attribute in OCI IAM Identity Domain and allows multiple values. If the identity provider system does not support string array data types, then use the claim oc_hubs_string as described below. If no value is passed, the user is assigned to the default hub in OPERA Cloud. | No |
    | oc_hubs_string | This SAML claim enables customers to map HUB(s) to a user in OPERA Cloud. This claim is mapped to a string attribute in OCI IAM Identity Domain. Please note, only oc_hubs or oc_hubs_string can be used based on the data type supported in the identity provider. If no value is passed, the user is assigned to the default hub in OPERA Cloud. | No |