Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Configure Just-In-Time Provisioning for SAML based IDP in IDCS/Identity Domains
Introduction
SAML based Just-In-Time (JIT) Provisioning automates the creation of identities in Identity Cloud Service for new users. The user account is created when the user first tries to access the target application via SSO. Along with user creation, JIT can also grant and revoke group memberships as part of provisioning. JIT can also be used to update already provisioned users by mapping the source attributes (Service Provider - SP) to the Identity Provider (IDP) attributes.
By enabling JIT Provisioning for your Identity Provider with IDCS, you can manage users more efficiently and reduce the administration cost of manually synchronizing the users.
Benefits of using JIT Provisioning
- For consumer users where you do not want to load all users into Identity Management Cloud Service (IDCS) initially but want to create them on the fly when the users try to log in.
- Reducing the administration cost, as users need not be created manually in IDP.
Objective
Configure Just-In-Time Provisioning for SAML based IDP in IDCS/Identity Domains via REST APIs.
Note: If your tenancy is already migrated to Identity Domains and if you would like to perform this setup via console, refer to the following link: Adding a Just-in-Time SAML IdP.
Prerequisites
- IDCS should have a Standard Licensing Tier for using the JIT Provisioning feature. JIT is available in all domain types when using Identity Domains, subject to object limits for each tier. For more information, see Understand Identity Domain Types.
- The JIT Provisioning feature in IDCS is disabled by default and must be enabled via an Oracle service request.
- IDP should be configured with IDCS/Identity Domain for Single Sign-On using SAML. For more information, see Adding an Identity Provider.
- An IDCS/Identity Domain user account with security administrator privileges.
- Set up Postman for using Oracle Identity Cloud Service/Identity Domains REST endpoints. For more information, see Using the Oracle Identity Cloud Service REST APIs with Postman.
Task 1: Fetch the list of Identity Providers configured in your IDCS/Identity Domains tenancy
- Use the following REST endpoint: https://idcs-xxxx.identity.oraclecloud.com/admin/v1/IdentityProviders (GET Operation) and locate the ID of the IDP for which you want to enable JIT Provisioning.
Sample Output:
Task 2: Fetch the details of the configured SAML IDP
Fetch the details of the configured SAML IDP where you want to enable JIT Provisioning using the located Provider ID from Task 1.
- Use the following REST endpoint: https://idcs-xxxx.identity.oraclecloud.com/admin/v1/IdentityProviders/{IDP provider ID} (GET Operation).
Sample output:
Task 3: Update the IDP provider settings to enable JIT Provisioning
Update the IDP provider settings to enable JIT Provisioning for your SAML IDP using a PATCH operation.
- Use the following REST endpoint: https://idcs-xxxx.identity.oraclecloud.com/admin/v1/IdentityProviders/{IDP provider ID} (PATCH Operation).
Note:
- The following sample code snippet is just for reference, and it is recommended to go through the Oracle documentation for more details about each attribute before enabling them.
- The Groups must be pre-created in IDCS if you want to add group memberships.
Sample Body:
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "path": "jitUserProvEnabled",
      "value": true
    },
    {
      "op": "replace",
      "path": "jitUserProvCreateUserEnabled",
      "value": true
    },
    {
      "op": "replace",
      "path": "jitUserProvAttributeUpdateEnabled",
      "value": true
    },
    {
      "op": "replace",
      "path": "jitUserProvGroupAssertionAttributeEnabled",
      "value": false
    },
    {
      "op": "replace",
      "path": "jitUserProvGroupSAMLAttributeName",
      "value": "groups"
    },
    {
      "op": "replace",
      "path": "jitUserProvGroupAssignmentMethod",
      "value": "Overwrite"
    }
  ]
}
The following table describes the above mentioned IDP properties.
Identity Provider Property | Description |
---|---|
jitUserProvEnabled | Boolean property to enable/disable the SAML JIT Provisioning feature for the configured IDP. |
jitUserProvCreateUserEnabled | Boolean property for user creation, based on the incoming assertion, if the user does not yet exist. |
jitUserProvAttributeUpdateEnabled | Boolean property for user update based on the incoming assertion if the user already exists. |
jitUserProvGroupAssertionAttributeEnabled | Boolean property indicating whether group memberships should be assigned to the user based on a list of group names received from the IDP in a SAML attribute. |
jitUserProvGroupSAMLAttributeName | The name of the SAML assertion attribute that will contain groups to be assigned to the user, if the property jitUserProvGroupAssertionAttributeEnabled is true. |
jitUserProvGroupAssignmentMethod | String property that controls how group memberships will be assigned to the Identity Cloud Service user: Overwrite or Merge. |
After this operation, JIT Provisioning should be enabled for the SAML IDP. You can confirm this by running the GET operation mentioned in Task 2. The following image shows the sample output.
The GET response also contains the Mapped Attribute ID, which is used in the next endpoint for mapping the SP attributes to IDP attributes.
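The following is an added example (not part of the Oracle tutorial) that builds the Task 3 PatchOp body from explicit settings, rejects the combinations the property table rules out, and compares a GET response against what the PATCH requested so the confirmation step is mechanical rather than visual. The response document and the `jitUserProvAttributes.value` location of the Mapped Attribute ID are assumptions constructed for the example.

```python
import json

VALID_METHODS = {"Overwrite", "Merge"}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_jit_patch(enabled=True, create_user=True, attribute_update=True,
                    group_from_assertion=False, group_attribute="groups",
                    assignment_method="Overwrite"):
    """Return the SCIM PatchOp body for PATCH /admin/v1/IdentityProviders/{id} (Task 3)."""
    if assignment_method not in VALID_METHODS:
        raise ValueError(f"jitUserProvGroupAssignmentMethod must be one of {sorted(VALID_METHODS)}")
    if group_from_assertion and not group_attribute:
        raise ValueError("jitUserProvGroupSAMLAttributeName is required when group assertion is enabled")
    values = {
        "jitUserProvEnabled": enabled,
        "jitUserProvCreateUserEnabled": create_user,
        "jitUserProvAttributeUpdateEnabled": attribute_update,
        "jitUserProvGroupAssertionAttributeEnabled": group_from_assertion,
        "jitUserProvGroupSAMLAttributeName": group_attribute,
        "jitUserProvGroupAssignmentMethod": assignment_method,
    }
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": k, "value": v} for k, v in values.items()]}


def verify_jit_settings(idp_json, patch_body):
    """Compare a GET IdentityProviders/{id} response with the PATCH; return {path: (expected, actual)} mismatches."""
    mismatches = {}
    for op in patch_body["Operations"]:
        actual = idp_json.get(op["path"])
        if actual != op["value"]:
            mismatches[op["path"]] = (op["value"], actual)
    return mismatches


def mapped_attribute_id(idp_json):
    """Mapped Attribute ID for Task 4; assumed to live under jitUserProvAttributes.value."""
    return idp_json.get("jitUserProvAttributes", {}).get("value")


# Constructed GET response after the PATCH (not real IDCS output); the id is a placeholder.
SAMPLE_IDP = json.loads("""{
  "id": "IDP-ID-PLACEHOLDER", "partnerName": "Example SAML IdP",
  "jitUserProvEnabled": true, "jitUserProvCreateUserEnabled": true,
  "jitUserProvAttributeUpdateEnabled": true, "jitUserProvGroupAssertionAttributeEnabled": false,
  "jitUserProvGroupSAMLAttributeName": "groups", "jitUserProvGroupAssignmentMethod": "Overwrite",
  "jitUserProvAttributes": {"value": "MAPPED-ATTR-ID-PLACEHOLDER"}
}""")
```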
Task 4: Set the jitUserProvAttributes Mapping for your SAML Identity Provider for user provisioning
After enabling the JIT Provisioning for your SAML IDP, the next step is to map the Service Provider Attributes with the Identity Provider Attributes. Use the Mapped Attribute ID from Task 3 with the REST endpoint described in this section.
Note:
- Before patching the attributes to this endpoint, it is recommended to check the SAML assertion to find the managedObjectAttributeName (SP side assertion details). In the assertion, look for <saml:AttributeStatement>, which contains the information about the SAML attributes. Use the value under saml:Attribute Name and map it to the corresponding IDCS attribute.
- Use this endpoint now as a PATCH operation with the following sample Body code to update the attribute mapping. You can confirm this by running a GET operation on the same endpoint and checking for the updated values of the mapped attributes.
- Use the following REST endpoint: https://idcs-xxxx.identity.oraclecloud.com/admin/v1/MappedAttributes/{Mapped Attribute ID} (GET Operation)
Note: This is a sample code snippet (for reference only) for the attribute mapping. Update it according to your configured SAML IDP's assertion and save it.
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "path": "attributeMappings",
      "value": [
        {
          "managedObjectAttributeName": "$(assertion.mail)",
          "idcsAttributeName": "userName"
        },
        {
          "managedObjectAttributeName": "$(assertion.firstname)",
          "idcsAttributeName": "name.givenName"
        },
        {
          "managedObjectAttributeName": "$(assertion.lastname)",
          "idcsAttributeName": "name.familyName"
        },
        {
          "managedObjectAttributeName": "$(assertion.mail)",
          "idcsAttributeName": "emails[primary eq true and type eq \"work\"].value"
        }
      ]
    }
  ]
}
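As an added example (not part of the Oracle tutorial), the following code performs the check the note above asks for: it reads the saml:Attribute Name values from a SAML assertion's <saml:AttributeStatement>, builds the MappedAttributes PatchOp from a desired IDCS-to-SAML mapping, and refuses the mapping when the assertion does not actually carry an attribute it references. The assertion fragment and the user values in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed assertion fragment (not captured from a real IdP), unsigned and trimmed to the AttributeStatement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Admins</saml:AttributeValue>
      <saml:AttributeValue>Users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same mapping as the sample body above: IDCS attribute -> saml:Attribute Name.
DEFAULT_MAPPING = {
    "userName": "mail",
    "name.givenName": "firstname",
    "name.familyName": "lastname",
    'emails[primary eq true and type eq "work"].value': "mail",
}


def assertion_attributes(xml_text):
    """Return {saml:Attribute Name: [values]} for every Attribute under an AttributeStatement."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        found[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return found


def build_mapping_patch(xml_text, idcs_to_saml):
    """Build the attributeMappings PatchOp; fail if the assertion lacks a referenced SAML attribute."""
    present = assertion_attributes(xml_text)
    missing = sorted(set(idcs_to_saml.values()) - set(present))
    if missing:
        raise ValueError(f"assertion lacks attributes referenced by the mapping: {missing}")
    mappings = [{"managedObjectAttributeName": f"$(assertion.{saml_name})", "idcsAttributeName": idcs_name}
                for idcs_name, saml_name in idcs_to_saml.items()]
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "attributeMappings", "value": mappings}]}
```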
Task 5: Configure the jitUserProvAttributes Mapping Update attribute
Configure the jitUserProvAttributes Mapping Update attribute from Service Provider (SP) to Identity Provider (IDP).
- Use the following REST endpoint: https://idcs-xxxx.identity.oraclecloud.com/admin/v1/MappedAttributes/{Mapped Attribute ID} (PATCH Operation) and PATCH the REST endpoint with the code from Task 4 in the Body.
- Confirm the changes have been updated by running the GET operation.
Task 6: Test the JIT Provisioning
- In a fresh browser session, try to log in to the IDCS My Console.
- IDCS will display the login screen.
- Select the configured IDP which is now enabled with JIT Provisioning.
- IDCS will route you to the IDP login page for signing in.
- Enter the valid credentials of a user that does not yet exist in IDCS.
- After successful login, you should be routed to the IDCS My Console screen.
- Validate via an admin account that the user was successfully created in IDCS.
Acknowledgments
Author - Chetan Soni (Cloud Solutions Engineer)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F76244-01
January 2023
Copyright © 2023, Oracle and/or its affiliates.