Identity Cloud Service: Configuring SAML

Introduction

As we begin to deliver our Identity Cloud Service (IDCS, https://www.oracle.com/middleware/identity-management/index.html) to the world, we on the A-Team have been working to provide patterns and how-to posts that implement some of the common use cases we see in the field.  One of the more common use cases is integrating third party Service Providers (SP) with Identity Cloud Service (IDCS).  IDCS is then configured to direct users to an Identity Provider (IdP) to collect credentials.  By configuring multiple SPs against IDCS you essentially have a ‘hub and spoke’ paradigm built on Security Assertion Markup Language (SAML).


Main Article

The use case is simple.  Imagine an enterprise with many different vendors with whom it does business; these vendors have applications in the cloud.  Many enterprises choose to keep their users’ identities and passwords in an internal store such as Active Directory.  IDCS can be configured as an intermediary that supports multiple cloud services and chains each authentication request on to the identity provider.

Let’s look at a picture:


[Figure PIC1: IDCS as the SAML hub between the cloud service providers and the on-premise identity provider]

In this example, service providers are third party vendors with applications exposed in the cloud.  The identity provider collects user credentials and is located on-premise.

Configuration Steps

The steps assume that you already have an IdP and an SP configured.  In my test environment I used two Oracle Access Manager (OAM) systems, one as the IdP and one as the SP.

Configure the IDCS Identity Provider (OAM)

Extract the IdP metadata; again, in my case I’m using OAM as my IdP, so to obtain the SAML metadata you will need to access a URL like the one below on the OAM host:

http:///oamfed/idp/metadata

Import the metadata when creating an Identity Provider in IDCS.  Go to ‘Settings’ and then select ‘Identity Providers’:

[Screenshot Selection_056: the Identity Providers page under Settings]


After clicking ‘Add’ you will have the option to load/import the metadata you downloaded from your IdP:

[Screenshot Selection_058: importing the IdP metadata]

Extract metadata from IDCS

Now we need to extract the SAML metadata from IDCS.  You can download it via an HTTP call:

http://myTenantID.internal.oracle.com:8943/fed/v1/metadata

This SP metadata must be imported into your IdP (not shown).  Trust has now been established between IDCS (acting as the SP) and your IdP.


Configure an IdP Partner in IDCS

[Screenshot Selection_060: the IdP partner configuration in IDCS]

Notice that the Federated SSO switch must be on.  You can test and validate your new IdP by clicking the ‘Test Login’ link for the IdP.


When I click the ‘Test Login’ link I should be directed to the configured IdP.  In my case it is OAM, using the default identity store, the WebLogic embedded LDAP.

[Screenshot Login - Oracle Access Management 11g - Mozilla Firefox_062: the OAM login page reached via Test Login]


Configure an SP Partner in IDCS

Extract the metadata from IDCS:

http://myTenantId.internal.oracle.com:8943/fed/v1/metadata

Import it into your SP; I will not get into the details of importing the metadata into your SP.

Once your SP is set up you must export the SP metadata and import it into IDCS.  Currently there is no UI for importing SP metadata; instead you will need to make two REST calls.  The first call obtains the access token that the second call then uses to actually create the service provider in IDCS.

curl 'https://myTenantId.internal.oracle.com:8943/oauth2/v1/token' \
-X POST \
-H "Content-type: application/x-www-form-urlencoded" \
-H "Accept: application/json" \
-H "Authorization: Basic YzhlNWQ5NjkzNDBkNGEyNDljNmI2YWU0NjMzMjNjNTI6ZDNkYWRjZmEtYTU2Zi00YTZlLWE0Y2ItYTY3OTViNTllNTg1" \
-d 'username=admin%40oracle.com&scope=urn%3Aopc%3Aidm%3A__myscopes__&password=ABcd1234&grant_type=password'

Notice the -d and -H flags.  The -d flag carries the administrator user name and password for the tenant (myTenantId).  The Authorization -H flag is the base64 encoding of the client application ID and the client secret, in the form ‘clientID:clientSecret’.  The client ID should have already been created with the appropriate grant types.  This post will not get into the details of how to create an application in IDCS; that will be discussed as a separate topic.  All you need to know is that in order to obtain the bearer access token, you must authenticate as the administrator together with the client ID and secret as described.


Once you have the access token, you can add your SP to IDCS:

# <access_token> is the access_token value returned by the first call (the Bearer value is a long JWT)
# <sp-metadata-xml> is the SAML metadata exported from your SP, escaped as a single JSON string
curl 'https://myTenantId.idcs.internal.oracle.com:8943/admin/v1/ServiceProviders' \
-X POST \
-H "Content-type: application/scim+json" \
-H "Accept: application/scim+json,application/json" \
-H "Authorization: Bearer <access_token>" \
-H "User-agent: Oracle-IDCS-CLI/0.0" \
-d '{"partnerName": "OAM-SP", "includeSigningCertInSignature": true, "nameIdUserstoreAttribute": "emails.primary.value", "enabled": true, "nameIdFormat": "saml-emailaddress", "logoutBinding": "Redirect", "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:ServiceProvider"], "metadata": "<sp-metadata-xml>"}'

Keep in mind that you will need to repeat the above for every SP.  If the access token has expired, you will again need to obtain a new one with the first REST call.
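The two REST calls above, as an added Python example that is not part of the original post or of any Oracle tooling: it builds the Basic header from ‘clientID:clientSecret’, runs the password grant, and then posts the SCIM ServiceProvider resource with the SP metadata XML escaped into the JSON string.  BASE_URL is assumed to be the tenant host from the post, and SAMPLE_SP_METADATA is a constructed stand-in for a real exported EntityDescriptor.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "https://myTenantId.internal.oracle.com:8943"  # assumed tenant host, as in the post
SCOPE = "urn:opc:idm:__myscopes__"  # scope used in the post's token call
SAMPLE_SP_METADATA = '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com/oamfed"/>'  # constructed stand-in for the SP's exported metadata

def basic_auth_header(client_id, client_secret):
    """Authorization value for the token call: base64 of 'clientID:clientSecret'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request_body(username, password):
    """Form body of the password grant; urlencode produces the %40 / %3A escapes seen in the post."""
    return urllib.parse.urlencode({"username": username, "scope": SCOPE,
                                   "password": password, "grant_type": "password"})

def sp_payload(partner_name, metadata_xml):
    """SCIM ServiceProvider resource; json.dumps escapes the metadata XML into one JSON string."""
    return json.dumps({
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:ServiceProvider"],
        "partnerName": partner_name,
        "enabled": True,
        "includeSigningCertInSignature": True,
        "nameIdFormat": "saml-emailaddress",
        "nameIdUserstoreAttribute": "emails.primary.value",
        "logoutBinding": "Redirect",
        "metadata": metadata_xml,
    })

def _post_json(path, body, headers):
    req = urllib.request.Request(BASE_URL + path, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx (401 = bad or expired token)
        return json.load(resp)

def get_access_token(client_id, client_secret, username, password):
    """First REST call: password grant, authenticated as the admin plus the client ID/secret."""
    return _post_json("/oauth2/v1/token", token_request_body(username, password).encode("ascii"),
                      {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json",
                       "Authorization": basic_auth_header(client_id, client_secret)})["access_token"]

def create_service_provider(token, partner_name, metadata_xml):
    """Second REST call: create the SP partner; repeat per SP, fetching a new token if it has expired."""
    return _post_json("/admin/v1/ServiceProviders", sp_payload(partner_name, metadata_xml).encode("utf-8"),
                      {"Content-Type": "application/scim+json", "Accept": "application/scim+json,application/json",
                       "Authorization": "Bearer " + token})
```

Call get_access_token() once, then create_service_provider() for each SP's exported metadata; an HTTPError with code 401 on the second call is the cue to fetch a fresh token.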

