Infosys’ blog on industry solutions, trends, business process transformation and global implementation in Oracle.


Enable SSO for OIC using IDCS and Federate with a Third-party IDP for Authentication

In some scenarios a customer already uses an IDP (Identity Provider) and wants to use the same IDP to authenticate to all cloud and on-premise applications. Some of the known IDPs are Microsoft AD, OpenLDAP, Okta and Ping Federate.
Basic authentication for the OIC application is managed within IDCS (Identity Cloud Service).
This document covers how login authentication for the OIC application can be delegated to Ping Federate while authorization continues to be managed in IDCS.
Please note that the Ping Federate configuration is separate and not part of this document.

Key features covered in this document
1) Setup federation of IDCS and Ping Federate for authentication.
2) User and application authorization for OIC using the IDCS GUI and REST API.

Brief about the Federation Architecture and Details of Components

[Figure: OIC_SSO_Federation_Architecture.jpg]

1) Ping Federate:
It serves as the authentication authority that allows users to access applications securely. In this scenario Ping Federate is located on premise. We shall use it as the universal IDP for authentication only.

2) IDCS:
IDCS manages user identities and performs access management. It integrates with cloud and on-premise applications.
It provides integration with any third-party IDP that supports the SAML protocol.
By setting up federation between Ping Federate and Oracle IDCS, users authenticated by Ping Federate gain access to the applications protected by IDCS.

3) OIC:
OIC is an integration application that helps design, monitor and manage connections between applications. It helps automate and manage business processes and build applications visually. We shall set up Single Sign-On for the OIC application.

Implementation steps

1) Setup Authentication via Ping Federate

Flow diagram of the handshake between IDCS and Ping Federate for authentication:
[Figure: OIC_SSO_Flow.jpg]

i) Generate the IDCS metadata using the URL below and provide it to Ping Federate to configure the handshake.
https://idcs-XXXXXXXXXXX.identity.oraclecloud.com/fed/v1/metadata?adfsmode=true
where idcs-XXXXXXXXXXX is your identity domain id.

ii) Obtain the metadata from Ping Federate and perform the configuration below.

- Create an IDP store in IDCS. For third-party IDPs other than Microsoft AD, this is an additional configuration that is required.
[Figure: OIC_SSO_Metadata_1.jpg]

- Add Ping Federate as an Identity Provider.
[Figure: OIC_SSO_Metadata_2.jpg]

- Upload the metadata provided by Ping Federate and select "Include Signing certificate". This makes sure that there is no issue in the SSL handshake between the IDP and IDCS.
[Figure: OIC_SSO_Metadata_3.jpg]

- Add the user attribute as Primary Email Address and set the format type to Email Address; this attribute governs the SAML rules. Using this common attribute, synchronization between IDCS and Ping Federate completes.
[Figure: OIC_SSO_Metadata_4.jpg]

- Complete the configuration and test the login page. It should redirect to Ping Federate for authentication.
[Figure: OIC_SSO_Metadata_5.jpg]

- Configure the Policy Store and add the application that requires SSO. In this case we need to add the OIC application.
[Figure: OIC_SSO_Metadata_6.jpg]

[Figure: OIC_SSO_Metadata_7.jpg]
2) User and Application Management for Authorization using the IDCS GUI and REST API

i) User and group creation and assignment to the OIC application - using the IDCS GUI (reference screenshots)

- Create the user and make sure you select Federated. This is important for synchronization with the IDP. Assign the email address, which must be the same in IDCS and in the Ping Federate IDP.
[Figure: OIC_SSO_Integration_1.png]

- Create a group and assign the previously created federated user to it. Best practice is to assign users to relevant groups (e.g. per functionality or instance access).
[Figure: OIC_SSO_Integration_2.png]

- Assign the group to the OIC application. All users in this group will have access to the OIC application.
[Figure: OIC_SSO_Integration_3.png]

ii) User and group creation and assignment to the OIC application - using the REST API

- Gather the Application ID and Secret ID, which are required to fetch a token. (Reference)

  Application  | Application ID                     | Secret ID                        | Value for REST
  -------------|------------------------------------|----------------------------------|-----------------------------
  OICINST_OIC  | 46009A2B43AE4C449A7ACDACB095_APPID | a2a3a633-49ce-a1ce-360bcc496e00  | c9111dad4d668f958c7a6bc22c73

- Assign "Identity Domain Administrator" or "Me" as a role for each application that accesses the Identity Cloud Service Admin APIs.
[Figure: OIC_SSO_Metadata_8.jpg]

- Common response codes:
  200 -> The request was successful.
  400 -> Bad or invalid request (ERROR).
  401 -> The supplied credentials, if any, are not sufficient to access the resource (ERROR).
  404 -> The requested resource was not found (ERROR).
  500 -> We couldn't return the representation due to an internal server error (ERROR).


IDCS Operations and REST API Calls (Examples)
Reference Oracle site: https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/rest-endpoints.html

1. Authentication Token

curl -k -X POST -u "46009A2B43AE4C759A7ACDACB095C7E2_APPID:a2a3a633-e23a-49ce-a1ce-360bcc496e99" -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__" "https://tenant-base-url/oauth2/v1/token" -o access_token.json

Expected output: an access_token.json file containing the token response. Its access_token value is used as <Access Token Value> in the calls below.

2. Federated User Creation

curl -X POST -H "Content-Type:application/scim+json" -H "Authorization: Bearer <Access Token Value>" https://idcs-xxxxxx.identity.oraclecloud.com/admin/v1/Users -d @user_input.json

Contents of user_input.json:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User"
  ],
  "name": {
    "givenName": "Test User",
    "familyName": "abc"
  },
  "userName": "abc@xyz.com",
  "emails": [
    {
      "value": "abc@xyz.com",
      "type": "work",
      "primary": true
    },
    {
      "value": "abc@xyz.com",
      "primary": false,
      "type": "recovery"
    }
  ],
  "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User": {
    "isFederatedUser": true
  }
}

3. Add User to Group

curl -X PATCH -H "Content-Type:application/scim+json" -H "Authorization: Bearer <Access Token Value>" https://idcs-b7f708681abe4978b5356628d364c7d4.identity.oraclecloud.com/admin/v1/Groups/{{groupid}} -d @add_user_group.json

Contents of add_user_group.json:

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [
        {
          "value": "94ef26732baf44f591dacedd2035d86b",
          "type": "User"
        }
      ]
    }
  ]
}

4. Add Application to Group

curl -X POST -H "Content-Type:application/scim+json" -H "Authorization: Bearer <Access Token Value>" https://tenant-base-url/admin/v1/Grants -d @group_app.json

Contents of group_app.json (fill in the group ID as the grantee value and the application ID as the app value):

{
  "grantee": {
    "type": "Group",
    "value": ""
  },
  "app": {
    "value": ""
  },
  "grantMechanism": "ADMINISTRATOR_TO_GROUP",
  "schemas": [
    "urn:ietf:params:scim:schemas:oracle:idcs:Grant"
  ]
}

5. Get All Users

curl -k -X GET -H "Authorization: Bearer <Access Token Value>" "https://tenant-base-url/admin/v1/Users" -o user_list.json

6. Get All Applications

curl -k -X GET -H "Authorization: Bearer <Access Token Value>" "https://tenant-base-url/admin/v1/Apps?attributes=displayName" -o list_of_applications.json

7. Get All Groups

curl -X GET -H "Authorization: Bearer <Access Token Value>" https://tenant-base-url/admin/v1/Groups
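As an added example (not code from this post, from Oracle or from Infosys), the Python module below builds the same token request and SCIM payloads as operations 1 to 4 above using only the standard library, so the URL, the Basic-auth header that curl derives from -u, and the JSON bodies can be inspected before anything is sent to the tenant. The tenant URL, client ID, secret and user/group/application IDs in it are placeholders. check_federated_user() is a helper of my own that flags the two conditions the post relies on for SSO to work: isFederatedUser must be true and the single primary e-mail must match the userName that Ping Federate asserts. urllib verifies the server certificate by default, where the curl examples above pass -k.

```python
"""Build IDCS admin REST requests and SCIM payloads offline (added example)."""
import base64
import json
import urllib.parse
import urllib.request

# SCIM schema URNs used by the IDCS admin API (taken from the payloads in the post)
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
IDCS_USER_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User"
SCIM_PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
IDCS_GRANT = "urn:ietf:params:scim:schemas:oracle:idcs:Grant"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic header that curl's -u option derives from 'client_id:secret'."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def join_url(base_url, path):
    """Join tenant base URL and API path with exactly one slash; the hand-typed
    curl lines are easy to break with '//' or a stray space."""
    return base_url.rstrip("/") + "/" + path.lstrip("/")


def token_request(base_url, client_id, client_secret):
    """Operation 1: client_credentials grant for the admin API scope."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": "urn:opc:idm:__myscopes__",
    }).encode()
    return urllib.request.Request(
        join_url(base_url, "/oauth2/v1/token"), data=body, method="POST",
        headers={"Authorization": basic_auth_header(client_id, client_secret),
                 "Content-Type": "application/x-www-form-urlencoded"})


def federated_user(user_name, given_name, family_name):
    """Operation 2 payload: a federated user whose primary e-mail equals userName."""
    return {
        "schemas": [SCIM_USER, IDCS_USER_EXT],
        "name": {"givenName": given_name, "familyName": family_name},
        "userName": user_name,
        "emails": [{"value": user_name, "type": "work", "primary": True}],
        IDCS_USER_EXT: {"isFederatedUser": True},
    }


def check_federated_user(payload):
    """Return the problems that would stop the SAML e-mail attribute from matching."""
    problems = []
    if payload.get(IDCS_USER_EXT, {}).get("isFederatedUser") is not True:
        problems.append("isFederatedUser is not true")
    primaries = [e["value"] for e in payload.get("emails", []) if e.get("primary")]
    if len(primaries) != 1:
        problems.append("exactly one primary e-mail is required")
    elif primaries[0] != primaries[0].strip():
        problems.append("primary e-mail has surrounding whitespace")
    elif primaries[0].lower() != payload.get("userName", "").lower():
        problems.append("primary e-mail differs from userName")
    return problems


def add_member_patch(user_id):
    """Operation 3 payload: PATCH that adds one user to a group."""
    return {"schemas": [SCIM_PATCH_OP],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": user_id, "type": "User"}]}]}


def group_app_grant(group_id, app_id):
    """Operation 4 payload: grant an application to a group."""
    return {"grantee": {"type": "Group", "value": group_id},
            "app": {"value": app_id},
            "grantMechanism": "ADMINISTRATOR_TO_GROUP",
            "schemas": [IDCS_GRANT]}


def admin_request(base_url, access_token, path, method="GET", payload=None):
    """Bearer-authenticated admin API request; a payload is sent as SCIM JSON."""
    headers = {"Authorization": "Bearer " + access_token}
    data = None
    if payload is not None:
        headers["Content-Type"] = "application/scim+json"
        data = json.dumps(payload).encode()
    return urllib.request.Request(join_url(base_url, path), data=data,
                                  headers=headers, method=method)


if __name__ == "__main__":
    # Placeholder tenant and credentials; nothing is sent until urlopen() is called.
    base = "https://idcs-EXAMPLE.identity.oraclecloud.com"
    req = token_request(base, "CLIENT_ID_APPID", "CLIENT_SECRET")
    # token = json.load(urllib.request.urlopen(req))["access_token"]
    user = federated_user("abc@xyz.com", "Test User", "abc")
    print(check_federated_user(user) or "user payload OK")
    print(json.dumps(add_member_patch("<user id>"), indent=2))
```

To actually call the tenant, pass each Request object to urllib.request.urlopen() and read the JSON response; the status codes listed above apply unchanged.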
