Integrating Okta as Identity Provider to IDCS

April 15, 2019 | 5 minute read
Kiran Thakkar
Consulting Solutions Architect

Overview

IDCS (Identity Cloud Service) is Oracle's next-generation identity solution, built in the cloud for the cloud. It is standards-based and implements SAML (Security Assertion Markup Language), OAuth 2.0, OIDC (OpenID Connect) and SCIM, which lets customers integrate it with any other product that implements the same standard. One use case I have come across a few times recently is integrating Okta as the Identity Provider (IdP) to IDCS over SAML, so I thought I should publish a blog that customers can follow to do the integration.

SAML, as most of you already know, is a standard for exchanging signed authentication assertions between an Identity Provider, where the user has a session, and a Service Provider, which relies on that assertion to log the user in. This single sign-on (SSO) model has significant advantages over logging in with a username and password at every application, or sharing and syncing passwords across systems: the password is only ever presented to the Identity Provider, and the Service Provider trusts the assertion because it can verify the IdP's signature.

Here are the detailed steps to do the integration. Again, the use case is Okta as the Identity Provider and IDCS as the Service Provider.

Pre-requisites

  • Make sure users exist in both systems. SAML only asserts who the user is; the Service Provider (IDCS) still has to find a matching local account, so every user who will sign in through Okta must already be provisioned in IDCS. Note that you do not need to sync passwords from Okta to IDCS. IDCS offers several options for syncing users, such as CSV bulk upload, the Active Directory bridge and the SCIM APIs; you can use any of those mechanisms.
  • Make sure every user's email address or username is identical in Okta and IDCS, including letter case. Either one of them can be used as the SAML Name ID for Single Sign-On, but the value Okta sends must match the IDCS user attribute you map it to, or the assertion will be rejected for that user.

Okta Configuration

First, log in to the Okta Admin Dashboard and go to the Applications tab.

Click on Add Application and choose to create a new SAML application.

Give SAML Application a name and click Next.

On the next screen configure the following parameters and click Next. Replace $IDCS_INSTANCE_ID with your IDCS instance or tenant ID.

  • Single Sign-On URL: https://idcs-$IDCS_INSTANCE_ID.identity.oraclecloud.com/fed/v1/sp/sso (also known as the Assertion Consumer Service URL; Okta posts the signed SAML assertion to this URL via the user's browser)
  • Audience URI (SP Entity ID): https://idcs-$IDCS_INSTANCE_ID.identity.oraclecloud.com:443/fed (IDCS checks that the assertion's Audience matches this value, so copy it exactly, including the :443)
  • Default RelayState: https://idcs-$IDCS_INSTANCE_ID.identity.oraclecloud.com/ui/v1/myconsole (this is the URL the user lands on after Single Sign-On with IDCS; it can also be the URL of an application protected by IDCS. Keep it pointing at a trusted IDCS or application host, since it is an unsigned redirect target)
  • Name ID format: EmailAddress
  • Application username: Email (this assumes the email address is the same for the user in both Okta and IDCS; the selected value is what Okta places in the assertion's NameID)

Next, click on Finish to complete the Okta configuration.

After you finish adding IDCS as SAML application, download Okta metadata by clicking on the "Identity Provider Metadata" link and save it as an XML file.
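Before moving on to the IDCS side, it is worth checking two things offline: that the SP values you typed into Okta are internally consistent, and that the metadata file you just downloaded carries everything IDCS needs (an entityID, an HTTP-POST single sign-on endpoint and a signing certificate). The script below does both and also runs the user-matching pre-check from the Pre-requisites section. It is an added example, not code from the original post or from Oracle or Okta; the instance ID, the Okta entityID and URLs in the embedded metadata, and the user lists are all constructed sample values.

```python
"""Pre-flight checks for an Okta (IdP) -> IDCS (SP) SAML integration (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def idcs_sp_settings(instance_id: str) -> dict:
    """Values to paste into the Okta SAML wizard for a given IDCS instance ID."""
    host = f"idcs-{instance_id}.identity.oraclecloud.com"
    return {
        "sso_url": f"https://{host}/fed/v1/sp/sso",        # Assertion Consumer Service URL
        "audience": f"https://{host}:443/fed",             # SP entity ID (note the :443)
        "relay_state": f"https://{host}/ui/v1/myconsole",  # post-login landing page
        "name_id_format": EMAIL_FORMAT,
    }


@dataclass
class IdpMetadata:
    entity_id: str
    sso_post_url: str
    signing_cert: str          # base64 DER, whitespace stripped
    name_id_formats: list


def parse_idp_metadata(xml_text: str) -> IdpMetadata:
    """Extract what IDCS consumes from an IdP metadata document; raise if anything is missing."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            c = kd.find(".//ds:X509Certificate", NS)
            if c is not None and c.text:
                cert = "".join(c.text.split())
                break
    if cert is None:
        raise ValueError("no signing certificate: IDCS could not verify assertions")
    post_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            post_url = sso.get("Location")
    if post_url is None:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return IdpMetadata(root.get("entityID"), post_url, cert, formats)


def check_integration(md: IdpMetadata, okta_emails, idcs_emails) -> list:
    """Return human-readable problems; an empty list means you are ready to test SSO."""
    problems = []
    if EMAIL_FORMAT not in md.name_id_formats:
        problems.append("IdP metadata does not advertise the emailAddress NameID format")
    if not md.sso_post_url.startswith("https://"):
        problems.append("IdP SSO endpoint is not HTTPS")
    exact = set(idcs_emails)
    folded = {e.lower(): e for e in idcs_emails}
    for e in okta_emails:
        if e in exact:
            continue
        if e.lower() in folded:
            problems.append(f"{e}: IDCS has {folded[e.lower()]} (differs only in case); "
                            "confirm the values match exactly before relying on SSO")
        else:
            problems.append(f"{e}: exists in Okta but not in IDCS; SSO will fail for this user")
    return problems


# Constructed sample in the shape Okta's "Identity Provider Metadata" link returns.
SAMPLE_OKTA_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIC0CONSTRUCTEDPLACEHOLDERNOTAREALCERT
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example_idcs_1/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example_idcs_1/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for k, v in idcs_sp_settings("abc123").items():   # "abc123" is a placeholder instance ID
        print(f"{k:15} {v}")
    md = parse_idp_metadata(SAMPLE_OKTA_METADATA)
    print("IdP entityID:", md.entity_id)
    print("IdP SSO URL: ", md.sso_post_url)
    for p in check_integration(md, ["alice@example.com", "Bob@example.com", "carol@example.com"],
                               ["alice@example.com", "bob@example.com"]):
        print("PROBLEM:", p)
```

Run it against the real metadata file by replacing SAMPLE_OKTA_METADATA with the file's contents; the IDCS user list can come from a CSV export or the SCIM /Users API, and the Okta list from the application's assigned users. A ValueError from parse_idp_metadata means the file is not something IDCS will accept as IdP metadata, which is the most common cause of a silent failure at the next step.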

IDCS Configuration

Log in to the IDCS Admin console and go to the Security -> Identity Providers tab. Click Add SAML IDP to add and configure Okta as an Identity Provider.

Provide a name to the Identity Provider and click Next.

Upload the Okta metadata XML file that you downloaded in the last step of the Okta configuration and click Next. IDCS takes the Okta entity ID, sign-on endpoint and signing certificate from this file; it is the certificate that lets IDCS verify the signature on each assertion.

To match what was configured in Okta above, select Email as the IDCS user attribute and Email Address as the NameID Format, then click Next. If the two sides disagree here, the assertion is signed correctly but IDCS cannot map it to a user.

Click Next on the following screen if you want to test Single Sign-On now, or click Finish and test Single Sign-On later.

Activate the Okta IDP. A newly added identity provider is inactive until you activate it, and an inactive IDP is not offered at login.

Make sure to create an appropriate IDP policy. You can choose to offer the Okta IDP only for a specific set of applications, or for every application including login to the IDCS console. For testing, you can enable the Okta IDP for every application by adding it to the Default Identity Provider policy; for production, scope the policy to the applications that actually need it.

Test Single Sign-On

Now browse to an IDCS-protected application or the IDCS console and choose to log in with the Okta IDP. Good luck!

Kiran Thakkar

Consulting Solutions Architect

Kiran Thakkar is an expert in Identity and Access Management with more than 10 years of experience in the space. He is also an OCI certified Associate Architect and helps customers with OCI use cases. He is a believer in blockchain technology and follows that space as it grows.

