Best Practices from Oracle Development's A‑Team

Identity Cloud Service: Configuring SAML


As we begin to deliver our Identity Cloud Service (IDCS) to the world (https://www.oracle.com/middleware/identity-management/index.html), we on the A-Team have been working to provide patterns and how-to posts that implement some of the common use cases we see in the field.  One of the more common use cases is integrating third-party Service Providers (SPs) with IDCS.  IDCS is then configured to direct users to an Identity Provider (IdP) to collect credentials. By configuring multiple SPs against IDCS you essentially have a 'hub and spoke' topology built on Security Assertion Markup Language (SAML).


Main Article

The use case is simple.  Imagine an enterprise with many different vendors with whom they do business; these vendors have applications in the cloud. Many enterprises choose to keep their users' identities and passwords in an internal store such as Active Directory.  IDCS can be configured as an intermediary that fronts multiple cloud services and chains each authentication request to the on-premise identity provider.

Let's look at a picture:



In this example, service providers are third party vendors with applications exposed in the cloud.  The identity provider collects user credentials and is located on-premise.

Configuration Steps

The steps assume that you have an IdP and SP already configured.  In my test environment I used two Oracle Access Manager (OAM) systems as the IdP and SP.

Configure IDCS Identity provider (OAM)
Extract the IdP metadata. Again, in my case I'm using OAM as my IdP, so to obtain the SAML metadata you access a URL like the one below:


Import the metadata when creating an Identity Provider in IDCS.  Go to 'Settings' then select Identity Providers:



After clicking 'Add' you will have the option to load/import the metadata you downloaded from your IdP:


Extract metadata from IDCS

Now we need to extract the SAML metadata from IDCS.  You can download it via an HTTP call:


The SP metadata must be imported into your IdP (not shown).  Once that is done, trust has been established between IDCS (acting as SP) and your IdP.


Configure an IdP Partner in IDCS


Notice the federated SSO switch must be on.  You can test and validate your new IdP by clicking on the 'Test Login' link for the IdP.


When I click 'Test Login' I should be redirected to the configured IdP.  In my case that is OAM, using its default identity store, the WebLogic embedded LDAP.



Configure an SP Partner in IDCS
Extract metadata from IDCS


Import it into your SP; I will not go into the details of importing metadata into your SP.

Once your SP is set up you must export the SP metadata and import it into IDCS.

There are two ways to create a SAML application: 1) using the REST APIs, or 2) using the IDCS UI.



You will need to make two REST calls.  The first call obtains the access token; the second call uses that token to actually create the service provider in IDCS.

curl 'https://myTenantId.internal.oracle.com:8943/oauth2/v1/token'  \
-H "Content-type: application/x-www-form-urlencoded" \
-H "Accept: application/json" \
-H "Authorization: Basic YzhlNWQ5NjkzNDBkNGEyNDljNmI2YWU0NjMzMjNjNTI6ZDNkYWRjZmEtYTU2Zi00YTZlLWE0Y2ItYTY3OTViNTllNTg1" \
-d 'username=admin%40oracle.com&scope=urn%3Aopc%3Aidm%3A__myscopes__&password=ABcd1234&grant_type=password'

Notice the -d and -H flags.  The -d flag carries the form-encoded administrator user name and password for the tenant (myTenantId), together with the scope and the password grant type.  The -H Authorization header is the base64-encoded value of the client application ID and the client secret, in the format 'clientID:clientSecret'.  The client ID should already have been created with the appropriate grant types.  This post will not go into the details of how to create an application in IDCS; that will be discussed as a separate topic.  All you need to know is that, in order to obtain the bearer access token, you authenticate as the administrator with the client ID and secret as described.

Once you have the access token, you can add your SP to IDCS:

# POST_DATA holds the JSON body shown below
curl 'https://myTenantId.idcs.internal.oracle.com:8943/admin/v1/Apps'  \
-H "Content-type: application/scim+json" \
-H "Accept: application/scim+json,application/json" \
-H "Authorization: Bearer <ACCESS_TOKEN_HERE>" \
-d "$POST_DATA"

The POST_DATA will look something like this:

{
  "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"],
  "active": true,
  "displayName": "testSAMLApp",
  "description": "SAML for Portal",
  "basedOnTemplate": { "value": "CustomSAMLAppTemplateId" },
  "name": "testSAMLPartner",
  "appLoginPage": "www.test.com/login.jsp",
  "appErrorPage": "www.test.com/error.jsp",
  "isLoginTarget": true,
  "loginMechanism": "SAML",
  "isSamlServiceProvider": true,
  "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App": {
    "metadata": "<replace with xml metadata from your partner>",
    "signResponseOrAssertion": "Assertion",
    "nameIdFormat": "saml-emailaddress",
    "nameIdUserstoreAttribute": "emails.primary.value",
    "groupAssertionAttributes": [
      { "name": "all", "condition": "All Groups" }
    ],
    "userAssertionAttributes": [
      { "name": "email", "userStoreAttributeName": "emails.primary.value" },
      { "name": "userid", "userStoreAttributeName": "userName" },
      { "name": "firstname", "userStoreAttributeName": "name.givenName" },
      { "name": "lastname", "userStoreAttributeName": "name.familyName" }
    ]
  }
}

Keep in mind that you will need to do the above for every SP.  If the access token has expired, you will need to obtain a new one with the first REST call before repeating the second.
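The two calls above, scripted end to end, as an added example that is not part of this post or of Oracle's code. It obtains the token with the password grant, embeds the partner's metadata XML into the same SCIM body as POST_DATA (json.dumps handles the quoting that makes hand-pasting XML into JSON error-prone), and first parses that metadata to surface what an administrator should check before trusting a new partner: the entityID, the Assertion Consumer Service URLs (they should be https, since the signed assertion is posted there) and whether a signing certificate is present. The helper names, the sample metadata and the host name in the usage block are assumptions; the SCIM attribute names are the ones from the post.

```python
"""Added example (not Oracle/A-Team code): the two REST calls from the post,
a token from /oauth2/v1/token then POST /admin/v1/Apps, plus a sanity check on
the partner metadata. Host, helper names and sample metadata are assumptions."""
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
APP_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:App"
SP_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App"


def inspect_sp_metadata(metadata_xml):
    """What an admin should eyeball before trusting partner metadata: entityID,
    ACS endpoints (https?), signing cert present. ValueError if not SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [{"binding": e.get("Binding"), "location": e.get("Location")}
           for e in sp.findall(MD + "AssertionConsumerService")]
    has_cert = any(kd.get("use") in (None, "signing") and
                   kd.find(".//" + DS + "X509Certificate") is not None
                   for kd in sp.findall(MD + "KeyDescriptor"))
    return {"entity_id": root.get("entityID"), "acs": acs,
            # IDCS posts the signed assertion to these URLs, so they should be https
            "acs_https_only": bool(acs) and all(a["location"].startswith("https://") for a in acs),
            "has_signing_cert": has_cert,
            "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true"}


def build_sp_app_payload(name, display_name, metadata_xml, description="SAML SP"):
    """SCIM body for POST /admin/v1/Apps, same attributes as the post's POST_DATA.
    json.dumps() escapes the embedded XML (quotes, newlines) into a JSON string."""
    inspect_sp_metadata(metadata_xml)  # reject junk metadata before spending a token
    attrs = (("email", "emails.primary.value"), ("userid", "userName"),
             ("firstname", "name.givenName"), ("lastname", "name.familyName"))
    return {"schemas": [APP_SCHEMA], "active": True, "name": name,
            "displayName": display_name, "description": description,
            "basedOnTemplate": {"value": "CustomSAMLAppTemplateId"},
            "isLoginTarget": True, "loginMechanism": "SAML", "isSamlServiceProvider": True,
            SP_EXT: {"metadata": metadata_xml,
                     "signResponseOrAssertion": "Assertion",
                     "nameIdFormat": "saml-emailaddress",
                     "nameIdUserstoreAttribute": "emails.primary.value",
                     "groupAssertionAttributes": [{"name": "all", "condition": "All Groups"}],
                     "userAssertionAttributes": [{"name": n, "userStoreAttributeName": a}
                                                 for n, a in attrs]}}


def basic_auth_header(client_id, client_secret):
    # The first call's Authorization header: base64 of 'clientID:clientSecret'
    return "Basic " + base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()


def get_access_token(base_url, client_id, client_secret, username, password):
    """Call 1 (network): resource-owner password grant, returns the bearer token."""
    form = urllib.parse.urlencode({"grant_type": "password", "username": username,
                                   "password": password, "scope": "urn:opc:idm:__myscopes__"})
    req = urllib.request.Request(base_url + "/oauth2/v1/token", data=form.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded",
                                          "Accept": "application/json",
                                          "Authorization": basic_auth_header(client_id, client_secret)})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_sp_app(base_url, token, payload):
    """Call 2 (network): create the SP app, returns the SCIM resource IDCS sends back."""
    req = urllib.request.Request(base_url + "/admin/v1/Apps", data=json.dumps(payload).encode(),
                                 method="POST", headers={"Content-Type": "application/scim+json",
                                                         "Accept": "application/scim+json,application/json",
                                                         "Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample SP metadata (not a real partner) so the offline helpers can run.
SAMPLE_SP_METADATA = """<md:EntityDescriptor entityID="https://portal.example.test/sp"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB-placeholder-not-a-real-cert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://portal.example.test/saml/acs"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":  # usage: inspect, build, then (with real credentials) post
    print(json.dumps(inspect_sp_metadata(SAMPLE_SP_METADATA), indent=2))
    payload = build_sp_app_payload("testSAMLPartner", "testSAMLApp", SAMPLE_SP_METADATA)
    # tok = get_access_token("https://myTenantId.idcs.internal.oracle.com:8943", "<clientID>", "<clientSecret>", "admin@oracle.com", "<password>")
    # print(create_sp_app("https://myTenantId.idcs.internal.oracle.com:8943", tok, payload)["id"])
```

In real use, read the partner's exported metadata file into metadata_xml in place of SAMPLE_SP_METADATA; if inspect_sp_metadata reports a non-https ACS URL or no signing certificate, resolve that with the partner before the app goes live, because IDCS will be posting signed assertions to whatever URL the metadata names.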



From the UI you will need to create a new SAML Application.  Go to Applications then select the +Add button.


Now you will need to enter the data for the SP:





That's it.  You will need to do this for every SP application you want to protect using IDCS.

