
Best Practices from Oracle Development's A‑Team

Integrating Okta as Identity Provider to IDCS

Kiran Thakkar
Consulting Solutions Architect

Overview

IDCS (Identity Cloud Service) is Oracle's next-gen identity solution built in the cloud for the cloud. It is fully standards-compliant and implements standards such as SAML (Security Assertion Markup Language), OAuth, and OIDC (OpenID Connect). Those standards let customers integrate with other products that implement the same standard. One use case that I came across a few times recently is integrating Okta as Identity Provider to IDCS using SAML. I thought I should publish a blog so customers can use it to do the integration.

SAML, as most of you already know, is a standard for logging users into applications based on their session in another context (a Single Sign-On system). This single sign-on (SSO) standard has significant advantages over logging in with a username/password, or over sharing/syncing usernames and passwords across Single Sign-On systems.

Here are the detailed steps to do the integration. Again, the use case is Okta as Identity Provider and IDCS as Service Provider.

Prerequisites

  • Make sure users are synced between the two Single Sign-On systems. That is one of the prerequisites of SAML. Please note that you do not need to sync passwords from Okta to IDCS. IDCS offers various options to sync users, such as CSV bulk upload, the Active Directory bridge, and the SCIM APIs. You can leverage any of those mechanisms to sync users into IDCS.
  • Make sure every user's email address or username is the same in both Okta and IDCS. Either one of them can be used for Single Sign-On.

Okta Configuration

First, log in to the Okta Admin Dashboard and go to the Applications tab.

Click on Add Application and choose to create a new SAML application.

Give SAML Application a name and click Next.

On the next screen configure the following parameters and click Next. Replace $IDCS_INSTANCE_ID with your IDCS instance or tenant ID.

  • Single Sign-On URL: https://idcs-$IDCS_INSTANCE_ID.identity.oraclecloud.com/fed/v1/sp/sso (Also known as the Assertion Consumer URL. Okta will redirect the user with a signed SAML assertion to this URL)
  • Audience URI (SP Entity ID): https://idcs-$IDCS_INSTANCE_ID.identity.oraclecloud.com:443/fed
  • Default RelayState: https://idcs-$IDCS_INSTANCE_ID.identity.oraclecloud.com/ui/v1/myconsole (This is the URL the user lands on after Single Sign-On with IDCS. If you want, it can also be the URL of an application that is protected by IDCS)
  • Name ID format: EmailAddress
  • Name ID format: Email (This assumes the email address is the same for the user in both Okta and IDCS)

Next, click on Finish to complete the Okta configuration.

After you finish adding IDCS as a SAML application, download the Okta metadata by clicking the "Identity Provider Metadata" link and save it as an XML file.

IDCS Configuration

Log in to the IDCS Admin Console and go to the Security -> Identity Providers tab. Click Add SAML IDP to add/configure Okta as an Identity Provider.

Provide a name for the Identity Provider and click Next.

Upload the metadata that you downloaded in the last step of the Okta configuration and click Next.

To match what was configured in Okta above, select email as the IDCS user attribute and Email Address as the NameID Format. Click Next.

Click Next on the next screen if you want to test Single Sign-On now, or click Finish and test Single Sign-On later.

Activate the Okta IDP as shown in the screenshot below.

Make sure to create an appropriate IDP policy. You can choose to use the Okta IDP only for a specific set of applications, or for every application including login to the IDCS console. For testing, you can enable the Okta IDP for every application by adding it to the Default Identity Provider policy.

Test Single Sign-On

Now browse to an IDCS-protected application or the IDCS console and choose to log in with the Okta IDP. Good luck!

Comments (4)
  • Lakshmana Bandaru Monday, January 20, 2020
    Thanks Kiran for your detailed explanation.

    We have already set up OKTA with OCI.
    We got a notification from Oracle saying the certificate for SAML is expiring. We need to import the metadata from OCI to OKTA. But in OKTA we don't see the import feature. Can you please guide me on how to proceed with this activity?

    We have a short time to finish this activity. Quick help is much appreciated.
    Please see the following notification that we got from Oracle.

    Notification from Oracle:-
    IMPORTANT: Please share this notification with all of your technical teams – internal IT groups, external consultants, customers, etc.

    Your shared identity management service provider certificate responsible for SAML signing and federation will expire on 20 February 2020. After the expiration, the federated authentication flow initiated by the service provider will encounter interruptions due to a signature mismatch.

    Action Required

    To prevent interruptions, you MUST perform the following steps prior to 20 February 2020:
    1. Log in to the Oracle Cloud Console (legacy My Services dashboard)
    2. Click on "users" located at the upper left side of the screen, under the Hamburger menu (Account Management)
    3. Click on "SSO Configuration"
    4. On this page, you will see a section called "Configure your Identity Provider Information"
    5. In this section, you will see the "Export Metadata" button
    6. Click the "Export Metadata" button, and choose the option "Provider Metadata (SAML 2.0)"
    7. The Oracle Cloud Console metadata will be downloaded automatically; save it on your local machine.
    8. Import the file into your IdP
  • Kiran Thakkar Tuesday, January 21, 2020
    Hi Lakshmana

    Thanks for the comment. That is Okta functionality. You should create a support ticket with Okta, and they should be able to help you with that.
  • Lakshmana Bandaru Tuesday, January 21, 2020
    Hi Kiran,
    We have verified that the "X509Certificate" configured in OKTA is valid until Jan 18, 2028.

    But we are wondering why we got the notification from Oracle Cloud saying the SAML signing certificate is expiring on Feb 20, 2020.

    Do we still need to update the Oracle metadata in OKTA since our certificate isn't expiring?
  • Kiran Thakkar Tuesday, January 21, 2020
    Hi Lakshmana

    The email that you sent says the OCI SAML certificate is expiring. So you have to export the OCI metadata (the steps are given in the email) and import it into Okta.