Oracle Identity Cloud Service Integration with Active Directory Federation Services (ADFS)
In the previous posts we had posted details about how to integrate IDCS with salesforce and Oracle Marketing Cloud Service. Continuing our exploration on IDCS, this week we decided to integrate IDCS with Active Directory Federation Services (ADFS). As a part of this exercise we also did set up the Identity Bridge between AD and IDCS.
The series of integrations has so far provided Single Sign on Capabilities to users in Active Directory when accessing different cloud applications. The Single Sign On capability for the users in AD can be provided either by the IDCS Bridge which syncs the users to IDCS identity store or by using ADFS which leverages the SAML 2.0 protocol. We tried both the scenarios and below we list down the summary of the process.
The high level steps can be summarized below.
Step 1: Create test users in Active Directory. Using Identity Bridge synchronize Users between the AD and Oracle Identity Cloud Service.
Step 2: Extract Identity Provider metadata from ADFS and import in Oracle Identity Cloud Service.
Step 3: Extract Service Provider metadata from Oracle Identity Cloud Service and import it into ADFS.
Step 4: Test and Enable the IDP Connection
Step 5: Test the Integration.
Detailed Steps
The details of the each of the steps are listed below.
Step 1: Create users in AD and sync them to IDCS.
a. Login to AD admin console
b. Navigate to the organization where the users’ needs to be created.
c. Right Click on OU à New à User: Enter User Details
d. Click on Finish button.
Now synchronize the users from the Active Directory to Oracle Identity Cloud Service
e. Login to Oracle Identity Cloud Service.
f. Click on Setting’s tab
g. Click on Identity Bridge followed by sync. The identity bridge was already set up. On instructions on how to set up Identity bridge refer here.
h. Go back to IDCS console and click on users tab.
i. Validate the newly created users.
Step 2: Extract the Identity Provider metadata from AD and import it in Oracle Identity cloud service
Follow the below steps to extract metadata from ADFS.
a. Access the ADFS metadata file: https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml (replace adfs.example.com with your ADFS host)
b. Save the FederationMetadata.xml file.
Follow the below steps to import the metadata in IDCS.
c. Login to IDCS, click on Settings and then click Identity Providers.
d. Click Add.
e. Enter a Name and Description for the identity provider and click Next.
f. Select Import Identity Provider metadata and then click Upload. Select the FederationMetadata.xml file, click Open, and then click next.
g. Select Primary Email Address as Oracle Identity Cloud Service User Attribute and Email Address as Requested NameID Format, and then click next.
h. In the Service Provider Metadata field, click Download. Save the Metadata.xml file.
i. Click Finish.
j. In the Identity Providers page, confirm that the new identity provider is displayed.
Step 3: Extract Service Provider Metadata from Oracle Identity Cloud Service and import it into ADFS
a. Log in to IDCS. https://xxxxx.identity.oraclecloud.com/fed/v1/Metadata
b. Enter user name and password to log in.
c. Click on the file menu and save the IDP meta data
Import the IDCS Metadata into AD by following the steps below.
d. Launch the ADFS Management utility (in Windows 2012 Server, click Server Manager > Tools > ADFS Management).
e. Click Action > Add Relying Party Trust.
f. In the Add Relying Party Trust Wizard window, click Start.
g. Select Import data about the relying party from a file and click Browse.
h. Select the Metadata.xml (previously downloaded from Oracle Identity Cloud Service), and click Next.
i. Provide a Display Name (for example, Oracle Cloud), a description in the Notes field, and then click Next.
j. Proceed with the default options until the Finish step is displayed and then click Close. The Edit Claim Rules window is displayed.
The Claim Rules define what information from a logged user will be sent from ADFS to Oracle Identity Cloud Service after a successful authentication.
k. Configure Claim Rules
i. In this step, you configure two claim rules for Oracle Identity Cloud Service as a relying party
ii. Email: This rule defines that the email address from logged users will be sent to Oracle Identity Cloud Service.
iii. Name ID: This rule defines that the email address will be presented as Name ID to Oracle Identity Cloud Service.
iv. In the Edit Claim Rules window, click Add Rule.
v. From the Claim rule template, drop-down list, select Send LDAP Attributes as Claims and then click Next.
vi. Enter Email as Claim rule name and select Active Directory as Attribute Store.
vii. In the Mapping of LDAP attributes table, select E-Mail-Addresses as LDAP Attribute and E-Mail Address as Outgoing Claim Type.
viii. Click Finish.
l. Click Add Rule.
i. Select Transform an Incoming Claim as Claim rule template and then click Next.
ii. Enter Name ID as Claim rule name.
iii. Select E-Mail Address as Incoming Claim Type.
iv. Select Name ID as Outgoing Claim Type.
v. Select Email as Outgoing name ID format and then click Finish
vi. In the Edit Claim Rules window, confirm that both the Email and the Name ID rules are created.
vii. Click OK.
At this moment, both ADFS and Oracle Identity Cloud Service have enough information to establish a Single Sign-On (SSO).In the next steps, we test the Single Sign-On integration.
Step 4: Test and Enable the IDP Connection
We test the authentication between Oracle Identity Cloud Service and ADFS. If the authentication is successful, we enable the identity provider for end-users.
Test the Connection
a. Restart your browser and access the Oracle Identity Cloud Service UI.
b. After login, click Settings and then click Identity Providers.
c. Under the Identity Provider entry, we previously created, click Test Login. The ADFS Login form appears in a new window or tab.
d. Sign in with a user that exists on ADFS and Oracle Identity Cloud Service.
e. Confirm that the message”Your connection is successful” is displayed.
Enable the Connection
a. Return to Oracle Identity Cloud Service's Identity Providers page.
b. Click the switch next to your Identity Provider. In the Confirmation dialog, click Activate.
c. Click the Activate Federated SSO and the Activate Login Chooser switch.
d. Important: At this point, it's highly recommended that you keep the Login Chooser activated. Do not turn off the Login Chooser until you have all users synchronized between ADFS and Oracle Identity Cloud Service.
e. The ADFS Identity Provider integration is enabled.
Step 5: Test the Integration.
Log in to Oracle Identity Cloud Service with AD Credentials
a. Restart the browser and access the Oracle Identity Cloud Service UI.
b. Verify that the Login page displays a new option for login with the external IDP.
c. Click the link to Sign-in with your Identity Provider. The ADFS login page is displayed.
d. Sign in with a user that exists both on ADFS and Oracle Identity Cloud Service.
e. The Identity Cloud Service home page is displayed.
Please contact me at akumar@astcorporation.com for any further questions on IDCS and ADFS set up.
Further reading:http://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_adfs_obe/adfs.html
No comments:
Post a Comment