Add a SAML Identity Provider

There are two ways that you can add a SAML 2.0 identity provider (IDP) in Oracle Identity Cloud Service: by importing the IDP's metadata, or by entering the metadata manually. Both ways use the same wizard and are described in the two procedures below.

Oracle Identity Cloud Service provides you with a wizard to add a SAML 2.0 IDP. This wizard contains six panes:
  • Details: Provide a name, description, and icon for the SAML IDP.

    Tip:

    Make sure that the file you want to upload adheres to the recommended dimensions and file size before uploading it. See Customize the Interface.
  • Configure: Configure SSO for the IDP by either importing metadata for it or entering metadata for it.

  • Map: Map a user's attribute value received from the IDP to a corresponding attribute value for the user in Oracle Identity Cloud Service.

    After you provide the information in the Map pane of the wizard, Oracle Identity Cloud Service adds the IDP in a deactivated state. You can then export metadata for the IDP, test it, or activate it, using the wizard's Export, Test, and Activate panes.

  • Export: Export metadata for Oracle Identity Cloud Service and import this metadata into the IDP. The IDP requires this information to communicate with Oracle Identity Cloud Service for authentication purposes.

    Tip:

    If the IDP doesn't support importing metadata, then the information for Oracle Identity Cloud Service appears in the Export pane. You can enter this metadata into the IDP manually.

    To learn about the other options that can be used to access SAML metadata, see Access SAML Metadata.

  • Test: Test the configuration settings for the IDP to confirm that the IDP is working properly. You can use the credentials of the IDP to log in to Oracle Identity Cloud Service through an external website.

  • Activate: Activate the IDP.

To add an IDP, you must be assigned to either the identity domain administrator role or the security administrator role. See Add or Remove a User Account from an Administrator Role.

Import Metadata for a SAML Identity Provider

You can use Oracle Identity Cloud Service to import metadata for a SAML 2.0 identity provider (IDP).

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Identity Providers.
  2. Click Add SAML IDP. The Add Identity Provider wizard appears.
  3. Use the following table to populate the Details pane of the wizard, and click Next:
    Name: Enter the name of the IDP.
    Description: Enter explanatory information about the IDP.
    Icon: Click Upload to add an icon that represents the IDP. The icon should be 48 x 48 pixels in size and have a transparent background. Supported file formats are png, gif, jpg, and jpeg.
  4. Use the following table to populate the Configure pane of the wizard, and click Next:
    Import Identity Provider metadata: Click this button if you want to configure SSO for the IDP by importing metadata for it.
    Metadata: Click Upload. Select the XML file that contains the metadata for the IDP that you want to import.
    Signature Hashing Algorithm: Select the SHA-1 or SHA-256 hash algorithm to use when signing SAML messages to the Identity Provider.
    Include Signing Certificate: To include the Oracle Identity Cloud Service signing certificate with signed SAML messages sent to the IDP, select this check box. If you don't want to include a signing certificate with your signed SAML messages, then leave the check box deselected.

  5. Use the following table to populate the Map pane of the wizard, and click Next:
    Identity Provider User Attribute: Select the element in the SAML assertion received from the IDP where the unique user identifier will be found.
    • If you select Name ID, then Oracle Identity Cloud Service matches the user based on the value of the Subject NameID element in the assertion.
    • If you select SAML Attribute, then you must enter the name of an Attribute element in the SAML assertion. The user is matched based on the value of that attribute.
    Oracle Identity Cloud Service User Attribute: Select the user identity attribute in Oracle Identity Cloud Service that will be matched with the user identity attribute received in the SAML assertion from the IDP.
    Requested NameID Format: Select the NameID format that Oracle Identity Cloud Service will specify in SAML authentication requests sent to the Identity Provider. If you don't want to provide a format, then select <None Requested>.

  6. Use the following table to export the Oracle Identity Cloud Service SAML configuration details, and click Next:
    Service Provider Metadata: To export metadata for Oracle Identity Cloud Service, click Download. Use this XML metadata to configure the Identity Provider service.
    If the federation partner into which you are importing the Oracle Identity Cloud Service metadata performs CRL validation (ADFS does, for example), then instead of using the metadata exported by this button, download the metadata from: https://[instancename.idcs.internal.oracle.com:port]/fed/v1/metadata?adfsmode=true
    To learn about the other options that can be used to access SAML metadata, see Access SAML Metadata.
    Provider ID: The URI that uniquely identifies the Oracle Identity Cloud Service identity domain as a SAML provider. (Provider ID is also known as Issuer ID or Entity ID.)
    Assertion Consumer Service URL: The URL of the Oracle Identity Cloud Service SAML service to which the IDP will send SAML assertions.
    Logout Service Endpoint URL: The URL of the Oracle Identity Cloud Service SAML service to which the IDP will send SAML logout requests.
    Logout Service Return URL: The URL of the Oracle Identity Cloud Service SAML service to which the IDP will send SAML logout responses, after the Oracle SAML provider has sent it a SAML logout request.
    Service Provider Signing Certificate: Click Download to retrieve the signing certificate of the Oracle Identity Cloud Service SAML provider. The IDP uses this certificate to verify SAML requests and responses signed by Oracle Identity Cloud Service.
    Service Provider Encryption Certificate: Click Download to retrieve the encryption certificate of the Oracle Identity Cloud Service SAML provider. The IDP can use this certificate to encrypt SAML assertions sent to Oracle Identity Cloud Service.
    To get the issuing Oracle Identity Cloud Service root certificate, see Obtain the Root CA Certificate from Oracle Identity Cloud Service.

  7. In the Test pane of the wizard, click Test Login to test the configuration settings for the IDP.
  8. Click Next.
  9. In the Activate pane of the wizard, click Activate to activate the IDP.
  10. Click Finish.
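The Map pane (step 5 above) decides which value in the assertion identifies the user and which local attribute it is compared against. The following is an added example, not Oracle Identity Cloud Service code, that applies that rule to a constructed assertion and a constructed list of local users. It assumes the assertion's signature and conditions were already verified upstream; the attribute names `emails.primary` and `externalId`, the user records, and the `MappingError` type are assumptions made for the illustration. The point a practitioner should take from it is the failure handling: an identifier that is missing, multi-valued, or that matches zero or several local users is refused rather than resolved to a best guess.

```python
# Added example (not Oracle Identity Cloud Service code): the matching rule the
# Map pane configures, applied to a constructed assertion and a constructed user list.
# Signature and Conditions checks are assumed to have passed before this step runs.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (assumed already verified and decrypted upstream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0nstructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="employeeNumber">
      <saml:AttributeValue>10042</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      <saml:AttributeValue>alice.alt@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local users standing in for the Oracle Identity Cloud Service user store.
# alice and alice2 deliberately share a primary email to show the ambiguous-match failure.
USERS = [
    {"userName": "alice",  "emails.primary": "alice@example.test", "externalId": "10042"},
    {"userName": "bob",    "emails.primary": "bob@example.test",   "externalId": "10043"},
    {"userName": "alice2", "emails.primary": "alice@example.test", "externalId": "20042"},
]


class MappingError(Exception):
    """Raised whenever the assertion cannot be mapped to exactly one local user."""


def extract_identifier(assertion_xml, idp_user_attribute, saml_attribute_name=None):
    """Pull the identifier selected by 'Identity Provider User Attribute'.

    idp_user_attribute is "NameID" or "SAMLAttribute", mirroring the two radio buttons;
    saml_attribute_name is the Attribute element name required by the second choice.
    """
    root = ET.fromstring(assertion_xml)
    if idp_user_attribute == "NameID":
        node = root.find("saml:Subject/saml:NameID", NS)
        if node is None or not (node.text or "").strip():
            raise MappingError("assertion carries no Subject NameID")
        return node.text.strip()
    if idp_user_attribute == "SAMLAttribute":
        if not saml_attribute_name:
            raise MappingError("SAML Attribute mapping needs an attribute name")
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") != saml_attribute_name:
                continue
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            # A multi-valued identifier is ambiguous; refuse rather than pick one.
            if len(values) != 1:
                raise MappingError(f"attribute {saml_attribute_name!r} has {len(values)} values, need exactly 1")
            return values[0]
        raise MappingError(f"attribute {saml_attribute_name!r} not present in assertion")
    raise MappingError(f"unknown Identity Provider User Attribute choice {idp_user_attribute!r}")


def match_user(identifier, local_attribute, users=USERS):
    """Find the one local user whose 'Oracle Identity Cloud Service User Attribute' equals identifier.

    Zero matches means an unknown user; two or more means the local attribute is not
    unique and must not be used for federation. Both are refused.
    """
    hits = [u for u in users if u.get(local_attribute) == identifier]
    if len(hits) != 1:
        raise MappingError(f"{len(hits)} users match {local_attribute}={identifier!r}, expected exactly 1")
    return hits[0]["userName"]


def federated_login(assertion_xml, idp_user_attribute, local_attribute,
                    saml_attribute_name=None, users=USERS):
    """Apply the Map pane configuration end to end and return the local userName."""
    identifier = extract_identifier(assertion_xml, idp_user_attribute, saml_attribute_name)
    return match_user(identifier, local_attribute, users)


if __name__ == "__main__":
    # Map pane: Identity Provider User Attribute = SAML Attribute "employeeNumber",
    # Oracle Identity Cloud Service User Attribute = externalId.
    print(federated_login(SAMPLE_ASSERTION, "SAMLAttribute", "externalId", "employeeNumber"))
```

With the constructed data, mapping `employeeNumber` to `externalId` resolves to `alice`, while mapping Name ID to the primary email is refused because two local accounts share that address. Before choosing a local attribute in the Map pane, confirm it is unique across the identity domain; the IDP controls the value it asserts, so the local side must guarantee a one-to-one match.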

Enter Metadata Manually for a SAML Identity Provider

You can use Oracle Identity Cloud Service to enter metadata for a SAML 2.0 identity provider (IDP).

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Identity Providers.
  2. Click Add SAML IDP.
  3. Populate the Details pane of the Add Identity Provider wizard and click Next. See the table in Import Metadata for a SAML Identity Provider for more information about the options.
  4. Use the following table to populate the Configure pane of the wizard, and click Next:
    Enter Identity Provider metadata manually: Click this button if you want to configure SSO for the IDP by entering metadata for it.
    Issuer ID: Enter the URI that identifies the Identity Provider in SAML messages. (Issuer ID is also known as Entity ID or Provider ID.)
    Signing Certificate: To upload the Identity Provider's signing certificate, click Upload and select the file that contains the certificate.
    SSO Service URL: Enter the URL of the Identity Provider's SAML SSO service, to which Oracle Identity Cloud Service will send SAML authentication requests.
    SSO Service Binding: This menu contains two options for web-based SSO associated with the IDP: Redirect and POST.
    • Select Redirect to send SAML authentication requests to the IDP using the HTTP-Redirect binding.
    • Select POST to send SAML authentication requests to the IDP using the HTTP-POST binding.
    Global Logout Activated: To activate SAML global logouts between Oracle Identity Cloud Service and the IDP, select this check box. Otherwise, leave the check box deselected. If you select the check box, then you must enter two URLs for the IDP (logout request and logout response) and specify whether Oracle Identity Cloud Service initiates a logout with the HTTP-Redirect or the HTTP-POST binding.
    Logout Request URL: Enter the IDP service endpoint URL to which Oracle Identity Cloud Service will send SAML logout requests.
    Logout Response URL: Enter the IDP service endpoint URL to which Oracle Identity Cloud Service will send SAML logout responses, after receiving a logout request from the IDP.
    Logout Binding: This menu contains two options to initiate a logout: Redirect and POST.
    • To initiate a logout with the HTTP-Redirect binding, select Redirect.
    • To initiate a logout using the HTTP-POST binding, select POST.
    Signature Hashing Algorithm: Select the SHA-1 or SHA-256 hash algorithm to use when signing SAML messages to the Identity Provider.
    Include Signing Certificate: To include the Oracle Identity Cloud Service signing certificate with signed SAML messages sent to the IDP, select this check box. If you don't want to include a signing certificate with your signed SAML messages, then leave the check box deselected.

  5. Populate the Map pane of the Add Identity Provider wizard, and click Next. See the table in Import Metadata for a SAML Identity Provider for more information about the options.
  6. Export the Oracle Identity Cloud Service SAML configuration details, and click Next.

    See the table in Import Metadata for a SAML Identity Provider for more information about the options.

    To learn about the other options that can be used to access SAML metadata, see Access SAML Metadata.

  7. In the Test pane of the wizard, click Test Login to test the configuration settings for the IDP.
  8. Click Next.
  9. In the Activate pane of the wizard, click Activate to activate the IDP.
  10. Click Finish.
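Every field in the Configure pane of the manual-entry procedure (step 4 above) has a counterpart in the IDP's standard SAML 2.0 metadata document, so the values are usually copied out of that file. The following is an added example, not Oracle Identity Cloud Service code, that reads a constructed IDP metadata document and produces the wizard's Issuer ID, Signing Certificate, SSO Service URL and Binding, Global Logout settings and the IDP's advertised NameID formats. The hostnames, the placeholder certificate bytes and the `manual_entry_fields` function are assumptions for the illustration. It goes beyond the page's text in two ways: it refuses metadata with no signing certificate or a non-https endpoint, and it prints a SHA-256 fingerprint of the certificate so the value can be confirmed with the IDP operator out of band before the file is trusted.

```python
# Added example (not Oracle Identity Cloud Service code): read a SAML 2.0 IDP metadata
# document and extract the values the 'Enter Identity Provider metadata manually' pane
# asks for, refusing metadata that lacks a signing certificate or uses a plain-http endpoint.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# SAML binding URIs and the labels the wizard's Binding menus use for them.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
}

# Constructed placeholder standing in for a DER certificate; not a real certificate.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()

# Constructed IDP metadata; hostnames are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"
        ResponseLocation="https://idp.example.test/saml/slo/response"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _require_https(label, url):
    """Federation endpoints carry signed messages and sessions; never accept plain http."""
    if not url or not url.startswith("https://"):
        raise ValueError(f"{label} must be an https URL, got {url!r}")
    return url


def manual_entry_fields(metadata_xml, preferred_binding="Redirect"):
    """Return a dict keyed by the wizard's field labels, derived from the metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not a SAML 2.0 IDP metadata document")
    fields = {"Issuer ID": root.get("entityID")}
    if not fields["Issuer ID"]:
        raise ValueError("EntityDescriptor has no entityID")

    # Signing certificate: KeyDescriptor use="signing", or no use attribute (means both uses).
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            c = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if c is not None and c.text:
                certs.append("".join(c.text.split()))
    if not certs:
        raise ValueError("metadata carries no signing certificate; assertions could not be verified")
    # Fingerprint to confirm out of band with the IDP operator before trusting the file.
    fields["Signing Certificate SHA-256"] = hashlib.sha256(base64.b64decode(certs[0])).hexdigest()

    sso = {BINDINGS[s.get("Binding")]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") in BINDINGS}
    if preferred_binding not in sso:
        raise ValueError(f"IDP offers no {preferred_binding} SSO endpoint; available: {sorted(sso)}")
    fields["SSO Service URL"] = _require_https("SSO Service URL", sso[preferred_binding])
    fields["SSO Service Binding"] = preferred_binding

    slo = next((s for s in idp.findall("md:SingleLogoutService", NS) if s.get("Binding") in BINDINGS), None)
    fields["Global Logout Activated"] = slo is not None
    if slo is not None:
        fields["Logout Request URL"] = _require_https("Logout Request URL", slo.get("Location"))
        # ResponseLocation is optional in the standard; the request endpoint is used when absent.
        fields["Logout Response URL"] = _require_https("Logout Response URL",
                                                       slo.get("ResponseLocation") or slo.get("Location"))
        fields["Logout Binding"] = BINDINGS[slo.get("Binding")]

    fields["NameID Formats"] = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    return fields


if __name__ == "__main__":
    for label, value in manual_entry_fields(SAMPLE_METADATA).items():
        print(f"{label}: {value}")
```

The Signature Hashing Algorithm and Include Signing Certificate settings are choices about the messages Oracle Identity Cloud Service signs, not facts about the IDP, so they do not appear in the IDP's metadata and the function does not fill them; SHA-256 is the appropriate choice unless the IDP cannot verify it. The NameID Formats list is informational: it tells you which values make sense for Requested NameID Format in the Map pane.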